A multiprotocol credentials bruteforcer / password sprayer and enumerator.

Overview

Legba is a multiprotocol credentials bruteforcer / password sprayer and enumerator built with Rust and the Tokio asynchronous runtime in order to achieve better performances and stability while consuming less resources than similar tools.

Work in progress: while the tool is functioning well overall, it still requires some testing and the integration of more protocols. If you want to contribute with code and/or testing, feel free to check the list of TODOs with grep -ri --include "*.rs" TODO ^_^

Currently supported protocols / plugins (use legba --list-plugins to print this list):

Plugin Name Description
dns DNS subdomain enumeration.
ftp FTP password authentication.
http HTTP request for custom web logins supporting CSRF.
http.basic HTTP basic authentication.
http.enum Web pages enumeration.
http.form HTTP multipart form request.
http.ntlm1 NTLMv1 authentication over HTTP.
http.ntlm2 NTLMv2 authentication over HTTP.
imap IMAP password authentication.
kerberos Kerberos 5 (pre)authentication and users enumeration.
ldap LDAP password authentication.
mongodb MongoDB password authentication.
mssql Microsoft SQL Server password authentication.
mysql MySQL password authentication.
pgsql PostgreSQL password authentication.
pop3 POP3 password authentication.
rdp Microsoft Remote Desktop password authentication.
sftp SFTP password authentication.
smtp SMTP password authentication.
ssh SSH password authentication.
telnet Telnet password authentication.
vnc VNC password authentication.

Building From Sources

Building the project from sources requires Rust to be installed:

cargo build --release

The binary will be compiled inside the ./target/release folder.

Docker Image

Alternatively it is possible to build a Docker container:

docker build -t legba .

And then run it via:

docker run legba --help # or any other command line

Usage

The tool requires a plugin name, a --target argument specifying the IP address or hostname and (optionally) the port of the target and, depending on the selected plugin, a pair of --username and --password arguments or a single --data argument (as in the case of the dns plugin, which requires a single enumeration element).

The --username, --password and --data arguments all support the same logic depending on the value passed to them:

  • If the value provided is an existing file name, it'll be loaded as a wordlist.
  • If instead the value provided is in the form of #<NUMBER>-<NUMBER>:<OPTIONAL CHARSET>, it'll be used to generate all possible permutations of the given charset (or the default one if not provided) and of the given length. For instance: #1-3 will generate all permutations from 1 to 3 characters using the default ASCII printable charset, while #4-5:0123456789 will generate all permutations of digits of 4 and 5 characters.
  • Anything else will be considered as a constant string.

For instance:

  • legba <plugin name> --username admin --password data/passwords.txt will always use admin as username while loading the passwords from a wordlist.
  • legba <plugin name> --username data/users.txt --password data/passwords.txt will load both from wordlists and use all combinations.
  • legba <plugin name> --username admin will always use admin as username and attempt all permutations of the default printable ASCII charset between 4 and 8 characters (this is the default behaviour when a value is not passed).
  • legba <plugin name> --username data/users.txt --password '#4-5:abcdef' will load users from a wordlist while testing all permutations of the characters abcdef 4 and 5 characters long.
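To size a job before running it, here is an added Python model of the value rules above (not legba's own code): it classifies a value the way the README describes, counts the candidates it yields and expands a permutation spec. It assumes the default printable charset is the 95 characters 0x20-0x7E and the default spec is #4-8; the exact default charset is not stated on the page.

```python
import os
from itertools import product

# Assumption: legba's "default ASCII printable charset" is modelled here as the
# 95 characters 0x20-0x7E; the tool's real default may differ.
DEFAULT_CHARSET = "".join(chr(c) for c in range(0x20, 0x7F))
DEFAULT_SPEC = "#4-8"  # what the README says is used when no value is passed

def parse_spec(value):
    """Classify a --username/--password/--data value as the README describes:
    ("file", path), ("perm", (min_len, max_len, charset)) or ("const", value)."""
    if os.path.isfile(value):
        return ("file", value)
    if value.startswith("#"):
        lengths, _, charset = value[1:].partition(":")
        lo, dash, hi = lengths.partition("-")
        if dash and lo.isdigit() and hi.isdigit() and int(lo) <= int(hi):
            return ("perm", (int(lo), int(hi), charset or DEFAULT_CHARSET))
    return ("const", value)  # anything else is a constant string

def candidate_count(value=None):
    """Attempts one argument contributes: 1 for a constant, one per wordlist
    line, sum(len(charset)**n) over the length range for a permutation spec."""
    kind, payload = parse_spec(DEFAULT_SPEC if value is None else value)
    if kind == "const":
        return 1
    if kind == "file":
        with open(payload, "rb") as fh:
            return sum(1 for _ in fh)
    lo, hi, charset = payload
    return sum(len(charset) ** n for n in range(lo, hi + 1))

def candidates(value):
    """Lazily expand a permutation spec, shortest strings first."""
    kind, payload = parse_spec(value)
    if kind != "perm":
        raise ValueError("not a permutation spec: %r" % value)
    lo, hi, charset = payload
    for n in range(lo, hi + 1):
        for combo in product(charset, repeat=n):
            yield "".join(combo)

def total_attempts(username=None, password=None):
    """Username x password pairs, i.e. the login attempts the target will see."""
    return candidate_count(username) * candidate_count(password)
```

candidate_count() with no argument shows why the default #4-8 range is about 6.7e15 attempts per user, far beyond what any lockout or rate-limit policy should leave room for.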

For the full list of arguments run legba --help.

Examples

NOTE: The port in the --target argument is optional whenever it matches the default port for the given protocol.

HTTP Basic Authentication

legba http.basic \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/

HTTP Post Request (Wordpress wp-login.php page; WordPress redirects with a 302 on a successful login, hence --http-success-codes 302):

legba http \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/wp-login.php \
    --http-method POST \
    --http-success-codes 302 \
    --http-payload 'log={USERNAME}&pwd={PASSWORD}'

HTTP Post Request (Wordpress xmlrpc.php)

legba http \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/xmlrpc.php \
    --http-method POST \
    --http-payload '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>{USERNAME}</string></value></param><param><value><string>{PASSWORD}</string></value></param></params></methodCall>' \
    --http-success-string 'isAdmin' # the string a successful response will contain

Or using the @ syntax to load the payload from a file:

legba http \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/xmlrpc.php \
    --http-method POST \
    --http-payload @xmlrpc-payload.xml \
    --http-success-string 'isAdmin'

HTTP Post Request with CSRF Token grabbing (--http-csrf-page is the page the token is fetched from, or empty if it's the same as --target; --http-csrf-regexp is the regular expression that extracts it):

legba http \
    --username admin \
    --password wordlists/passwords.txt \
    --target http://localhost:8888/ \
    --http-csrf-page http://localhost:8888/ \
    --http-csrf-regexp '<input type="hidden" name="(token)" value="([^\"]+)"' \
    --http-method POST \
    --http-payload 'user={USERNAME}&pass={PASSWORD}'

HTTP Request with NTLMv1 Authentication:

legba http.ntlm1 \
    --domain example.org \
    --workstation client \
    --username admin \
    --password wordlists/passwords.txt \
    --target https://localhost:8888/

HTTP Request with NTLMv2 Authentication:

legba http.ntlm2 \
    --domain example.org \
    --workstation client \
    --username admin \
    --password wordlists/passwords.txt \
    --target https://localhost:8888/

HTTP Pages Enumeration (php is the default value for --http-enum-ext):

legba http.enum \
    --data data/pages.txt \
    --target http://localhost:8888/ \
    --http-enum-ext php \
    --http-success-codes 200

DNS Subdomain Enumeration:

legba dns \
    --data data/200k-dns.txt \
    --target something.com \
    --dns-resolvers "1.1.1.1" # comma separated list of DNS resolvers, do not pass to use the system resolver

SSH Password Authentication:

legba ssh \
    --username admin \
    --password wordlists/passwords.txt \
    --target localhost:22
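On the defending side, the trace this leaves in the target's logs is what to alert on. The following is an added Python detector, not part of legba, run over a constructed sshd auth.log sample: many failures across several accounts from one source inside a short window, followed by a success (the point at which --single-match would stop). The log format, the year and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in OpenSSH auth.log format (not real traffic).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar 10 09:00:02 host sshd[2102]: Failed password for root from 10.0.0.5 port 51235 ssh2
Mar 10 09:00:02 host sshd[2103]: Failed password for invalid user backup from 10.0.0.5 port 51236 ssh2
Mar 10 09:00:03 host sshd[2104]: Failed password for invalid user test from 10.0.0.5 port 51237 ssh2
Mar 10 09:00:04 host sshd[2106]: Failed password for invalid user oracle from 10.0.0.5 port 51239 ssh2
Mar 10 09:00:05 host sshd[2107]: Accepted password for root from 10.0.0.5 port 51240 ssh2
Mar 10 09:12:40 host sshd[2200]: Failed password for alice from 192.168.1.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2024):
    # Syslog lines carry no year, so one is assumed; returns None for other lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")

def find_sprays(log_text, window=timedelta(minutes=5), min_fail=5, min_users=3):
    """Per source IP, flag >= min_fail failures spread over >= min_users accounts
    inside one sliding window; record whether a success followed the burst."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            users = {e[2] for e in burst}
            if len(burst) >= min_fail and len(users) >= min_users:
                success = any(e[1] == "Accepted" and e[0] >= burst[0][0] for e in evs)
                alerts[ip] = {"failures": len(burst), "users": sorted(users), "success_after": success}
    return alerts
```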

SFTP Password Authentication:

legba sftp \
    --username admin \
    --password wordlists/passwords.txt \
    --target localhost:22

FTP Password Authentication:

legba ftp \
    --username admin \
    --password wordlists/passwords.txt \
    --target localhost:21

Telnet Password Authentication:

legba telnet \
    --username admin \
    --password wordlists/passwords.txt \
    --target localhost:23 \
    --telnet-user-prompt "login: " \
    --telnet-pass-prompt "Password: " \
    --telnet-prompt ":~$ " \
    --single-match # stop as soon as the first valid pair of credentials is found; can be used with any plugin

SMTP Password Authentication:

legba smtp \
    --username [email protected] \
    --password wordlists/passwords.txt \
    --target localhost:25

POP3 Password Authentication:

Insecure:

legba pop3 \
    --username [email protected] \
    --password wordlists/passwords.txt \
    --target localhost:110

Via SSL:

legba pop3 \
    --username [email protected] \
    --password wordlists/passwords.txt \
    --target localhost:995 \
    --pop3-ssl

MySQL Password Authentication:

legba mysql \
    --username root \
    --password wordlists/passwords.txt \
    --target localhost:3306

Microsoft SQL Server Password Authentication:

legba mssql \
    --username SA \
    --password wordlists/passwords.txt \
    --target localhost:1433

PostgreSQL Password Authentication:

legba pgsql \
    --username admin \
    --password wordlists/passwords.txt \
    --target localhost:5432

Oracle Password Authentication

NOTE: this is an optional feature that is not compiled by default; enable it at compile time with cargo build --release -F oracle.

legba oracle \
    --target localhost:1521 \
    --oracle-database SYSTEM \
    --username admin \
    --password data/passwords.txt

LDAP Password Authentication:

legba ldap \
    --target 127.0.0.1:389 \
    --username admin \
    --password @wordlists/passwords.txt \
    --ldap-domain example.org \
    --single-match

Kerberos 5 Pre Auth (users enumeration and password authentication):

NOTE: because the realm string is uppercased in order to generate the cryptographic salt for Microsoft domain controllers, you'll need to add the --kerberos-linux argument when targeting Linux Kerberos servers.

legba kerberos \
    --target 127.0.0.1 \
    --username admin \
    --password wordlists/passwords.txt \
    --kerberos-realm example.org

VNC Password Authentication:

legba vnc \
    --target localhost:5901 \
    --password data/passwords.txt

License

Legba was made with ♥ by Simone Margaritelli and it's released under the GPL 3 license.

To see the licenses of the project dependencies, install cargo-license with cargo install cargo-license and then run cargo license.
