Nytro
Posted January 9, 2017

myBFF is a web application brute force framework (currently).

Point the framework at a file containing usernames, a host, and give it a password. The framework will determine what type of web application is in use, then attempt to brute force accounts. After brute forcing accounts, myBFF will then do a little more, like enumerating apps available, and reading in important data. Each module is different so try them out!

Current modules:

- HP SiteScope (will attempt to give you a Meterpreter Shell!)
- Citrix Gateway (also enumerates authorized applications)
- Juniper Portal (Will look for 2FA bypass and list what is accessible)
- MobileIron (Unknown. Have to find out what is accessible first!)
- Outlook/Office365 (will parse email, contacts, and other data from email)
- Wordpress (Will be adding "SomethingCool" soon)
- CiscoVPN (Enumerate User accounts (May not work on all configurations))
- Okta (Enumerate Applications and check if 2FA is setup for account)
- Jenkins (Will be adding "Something Cool" soon)
- SMB (Check if user is an administrator) (must use --domain with this module. for host, use smb://)
- FTP (List root dir contents)

New modules will be added.

CONFIGURATION

myBFF requires lxml and pysmb. Install using
'sudo apt-get install python-lxml'
'sudo pip install pysmb'

Link: https://github.com/MooseDojo/myBFF