RSYaba

From aldeid
Jump to navigation Jump to search
VoirAussi.png
You might also see: Thc-hydra, Medusa

Description

RandStorm Yet Another Brute Attacker aka RSYaba is developed by Robin Wood from www.randomstorm.com. It is tool to run brute force attacks against various services in a similar way to Thc-hydra and Medusa. The tool was written after bad experiences at getting existing tools working correctly with HTTP and SSH so it was decided to make a tool that would be easier to configure. Following protocols are handled in version 1.0:

  • http
  • https
  • mysql
  • ssh

Installation

Pre-requisites

Ssh-img013.png
Warning
Ssh module is at this time not compatible with version 1.9.1 of Ruby (http, https and mysql work). To ensure a full compatibility of the tool, rather install Ruby 1.8.

First thing, you will need Ruby and Gems:

$ sudo apt-get install ruby1.9.1-full rubygems1.9.1

Then use Gem to install Ruby dependencies:

$ sudo gem1.9.1 install hpricot net-ssh mysql

To be able to brute-force mysql, you will also need mysql-client libraries:

$ sudo apt-get install libmysqlclient-dev

At the end of the installation process, check that all needed libraries have been successfully installed:

$ sudo gem1.9.1 list

*** LOCAL GEMS ***

hpricot (0.8.2)
mysql (2.8.1)
net-ssh (2.0.23)

Installation of RSYaba

$ cd /data/src/
$ wget http://www.randomstorm.com/tools/rsyaba_1.0.tar.bz2
$ bzip2 -cd rsyaba_1.0.tar.bz2 | tar xf -
$ cd rsyaba/

Usage

Basic usage

Show basic help:

ruby1.9.1 rsyaba.rb --help, -?

List all supported protocols:

ruby1.9.1 rsyaba.rb --list_protocols, -l

Get help for the specified protocol:

ruby1.9.1 rsyaba.rb <protocol> --help

Syntax for HTTP and HTTPS

--help, -?
show help
--host, -h
host
--path, -P
path
--max_threads <x>, -t <x>
maximum number of threads, more isn't always better, default 5
-U <username>
the username (if already known)
--wordlist x, -w x
the wordlist to use, either a file or - for STDIN
--ua x
user agent string to use
--referrer x
set the referrer
--get_cookie, -c
do a GET before the POST and use the returned session cookie in the POSt
--port, -p
Port number
--token_field
the name of a field containing a token that must be returned
--username_field
the name of the username field, default = username
--password_field
the name of the password field, default = password
--success_message
the message received on success
--failure_message
the message received on failure
-v
verbose mode

MySQL and SSH

--help, -?
show help
--host, -h
host
-U <username>
the username (if already known)
--max_threads x, -t x
maximumn number of threads, more isn't always better, default 5
--wordlist x, -w x
the wordlist to use, either a file or - for STDIN
--port, -p
Port number
-v
verbose mode

Examples

HTTP

Given following code:

<?php
if(isset($_POST["username"]) && isset($_POST["password"])) {
  if($_POST["username"]=="admin" && $_POST["password"]=="password") {
    echo("GRANTED");
  } else {
    echo("DENIED");
  }
}
?>
<form method="post" action="index.php">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="submit" name="submit" />
</form>

If we already know the user (admin), we can issue following command:

$ ruby1.9.1 rsyaba.rb http \
-w dict.txt \
-U admin \
-h localhost \
-P /admin/index.php \
--success_message "GRANTED"

It will return:

Success with admin password

SSH

Info.png
Note
This example has been done with Ruby v1.8.7 since SSH module is at this time not compatible with v1.9.1.
Info.png
Note
Following example makes use of -t 1 to limit to 1 thread since probed server was limited to 1 connection.
$ ./rsyaba.rb ssh \
-h 192.168.1.1 \
-U test \
-w dict.txt \
-t 1 \
-v
Starting with test oops
Failure with test oops
Starting with test admin
Failure with test admin
Starting with test nimda
Failure with test nimda
Starting with test elephant
Success with test elephant
Host: test

MySQL

Following command will brute-force the "test" account on MySQL service:

$ ruby1.9.1 rsyaba.rb mysql \
-w dict.txt \
-U test \
-h localhost \
--max_threads 1 \
-v
Starting with test oops
Starting with test 123
Starting with test 1234
Starting with test all
Starting with test nimda
Starting with test administrator
Starting with test admin
Starting with test pass
Starting with test passwd
Starting with test password
Starting with test elephant
Success with test elephant

Comments