From 394200cc4020ea705700038c2e58846cdaf23515 Mon Sep 17 00:00:00 2001 From: Faisal <36720657+primal0xF7@users.noreply.github.com> Date: Mon, 31 Jan 2022 11:14:09 -0500 Subject: [PATCH 1/3] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f287eb..d5deab5 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ This tool requires Python 3 and was written with Python 3.6 in mind. Refer to th ## Usage -* Run `git clone https://github.com/depthsecurity/passpr3y.git`. +* Run `git clone https://github.com/primal0xF7/passpr3y.git`. * Run `chmod 755 passpr3y`. * Create a users file containing all users you'd like you spray. Name the file `usernames.txt`. * Create a passwords file containing all the passwords you'd like to attempt, such as Summer2018. Name the file `passwords.txt`. From ca21d4ed892d45bf4fada90bb7746afd0b8e824c Mon Sep 17 00:00:00 2001 From: Faisal <36720657+primal0xF7@users.noreply.github.com> Date: Mon, 31 Jan 2022 11:29:45 -0500 Subject: [PATCH 2/3] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d5deab5..6b4933f 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,7 @@ This tool requires Python 3 and was written with Python 3.6 in mind. Refer to th * Run `chmod 755 passpr3y`. * Create a users file containing all users you'd like you spray. Name the file `usernames.txt`. * Create a passwords file containing all the passwords you'd like to attempt, such as Summer2018. Name the file `passwords.txt`. -* Create a requests file that uses the Burp proxy request format. Simply copy over the request to a file called `request.txt`. +* Create a requests file straight from Burp's proxy 'request' tab. Simply copy over the request to a file called `request.txt`. * In request.txt, replace the username parameter you would like to spray with `USERPR3Y`. * In request.txt, replace the password parameter you would like to spray with `PASSPR3Y`. * Run `./passpr3y --ssl --duration=3600` if you'd like to spray every hour. Default is 7200 seconds (two hours). From cb5c0b6f96fd1e7313fdef9b9de5f1628388f2f0 Mon Sep 17 00:00:00 2001 From: davidmckennirey <--global> Date: Mon, 31 Jan 2022 17:32:28 +0000 Subject: [PATCH 3/3] update to python3.7+ --- .gitignore | 158 ++++++++++++++++++++++++++++++++++++++++++++++- README.md | 9 +-- passpr3y.py | 21 +++++-- requirements.txt | 13 ++++ 4 files changed, 191 insertions(+), 10 deletions(-) create mode 100644 requirements.txt diff --git a/.gitignore b/.gitignore index 4a9fba9..f3c93b7 100644 --- a/.gitignore +++ b/.gitignore 
@@ -2,4 +2,160 @@ *usernames.txt *passwords.txt logs/* -passpr3y_output.txt +passpr3y_*.txt + +.vscode +logs/ + +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. 
+# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintainted in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ diff --git a/README.md b/README.md index 6b4933f..e20bd42 100644 --- a/README.md +++ b/README.md 
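Review bot: The ignore list still does not cover `request.txt`, the file the README in this same patch tells users to fill with a raw Burp request, which usually carries session cookies, CSRF tokens or an Authorization header for the target; only `*usernames.txt`, `*passwords.txt`, `logs/` and the widened `passpr3y_*.txt` are excluded at the top of the hunk. Add it next to the other per-engagement inputs: `request.txt`. The generic Python template appended below is fine as is; its `*.log` entry merely overlaps with the existing `logs/` rule.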
@@ -5,15 +5,16 @@ This is a fire-and-forget long-running password spraying tool. You hand it a list of usernames and passwords and walk away. It will perform a horizontal login attack while keeping in mind lockout times, erroneous responses, etc... Set it up on your attack box at the beginning of an assessment and check back for creds gradually over time. Output is intended to be easy to read through and grep. Focus is on simplicity. ## Requirements -This tool requires Python 3 and was written with Python 3.6 in mind. Refer to the file header for any needed modules. +This tool requires Python 3. ## Usage -* Run `git clone https://github.com/primal0xF7/passpr3y.git`. +* Run `git clone https://github.com/depthsecurity/passpr3y.git`. * Run `chmod 755 passpr3y`. -* Create a users file containing all users you'd like you spray. Name the file `usernames.txt`. +* `pip install -r requirements.txt` +* Create a users file containing all users you'd like you spray. Name the file `usernames.txt`. The usernames should be in the format `domain\username`. * Create a passwords file containing all the passwords you'd like to attempt, such as Summer2018. Name the file `passwords.txt`. -* Create a requests file straight from Burp's proxy 'request' tab. Simply copy over the request to a file called `request.txt`. +* Create a requests file that uses the Burp proxy request format. Simply copy over the request to a file called `request.txt`. * In request.txt, replace the username parameter you would like to spray with `USERPR3Y`. * In request.txt, replace the password parameter you would like to spray with `PASSPR3Y`. * Run `./passpr3y --ssl --duration=3600` if you'd like to spray every hour. Default is 7200 seconds (two hours). diff --git a/passpr3y.py b/passpr3y.py index 8d3602a..e3f58d1 100755 --- a/passpr3y.py +++ b/passpr3y.py 
@@ -1,4 +1,4 @@ -#!/usr/bin/python3.6 +#!/usr/bin/python3 # 1. This program comes with no promises, warranties, or apologies. # 2. Use this program at your own risk and responsibility. @@ -10,6 +10,7 @@ import argparse import collections +from typing import Collection, List import requests from requests_ntlm import HttpNtlmAuth from smb.SMBConnection import SMBConnection @@ -30,8 +31,8 @@ streamtologger.redirect(target="./passpr3y_output.txt") # Get rid of dem warnings, this a gottam hak tool -from requests.packages.urllib3.exceptions import InsecureRequestWarning -requests.packages.urllib3.disable_warnings(InsecureRequestWarning) +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Disable logging from pysmb logging.getLogger('SMB').setLevel(logging.CRITICAL) @@ -50,6 +51,15 @@ with open(PASSPR3Y_HITS_FILE, 'a'): os.utime(PASSPR3Y_HITS_FILE, None) +def get_dict_from_headers(lineList: List) -> collections.OrderedDict: + d = collections.OrderedDict() + for line in map(str.strip, lineList[1:-1]): + if line != "": + header, value = line.split(": ") + d[header] = value + return d + + class Passpr3y: def __init__(self, requestFile, usernameFile, passwordFile, duration=7200, ssl=False, shotgun=False, proxy=None, ntlm=False, smb=False, ip="127.0.0.1", domain="."): @@ -87,7 +97,8 @@ def __init__(self, requestFile, usernameFile, passwordFile, duration=7200, ssl=F elif self.ntlm: requestFile = open(self.requestFile, 'r') lineList = requestFile.readlines() - self.headerDict = collections.OrderedDict(item.split(': ') for item in map(str.strip, lineList[1:-1])) + # self.headerDict = collections.OrderedDict(item.split(': ') for item in map(str.strip, lineList[1:-1])) + self.headerDict = get_dict_from_headers(lineList) requestFile.close() 
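Review bot: With dependencies now installed through `pip install -r requirements.txt`, the hardcoded `#!/usr/bin/python3` shebang bypasses any virtualenv the user activated, so `./passpr3y` can run under the system interpreter where `requests_ntlm` or `pysmb` are not installed. `#!/usr/bin/env python3` resolves the interpreter from PATH and follows the active environment. The remainder of the file header is outside this hunk.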
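Review bot: `Collection` in the new `from typing import Collection, List` line is not used anywhere else in the patch; only `List` appears, as the parameter annotation on `get_dict_from_headers`. Trim the import to what is used: `from typing import List`. Keeping the `typing` form rather than `list[str]` is the right call for the stated 3.7+ target, since the builtin generic would need `from __future__ import annotations` on 3.7 and 3.8.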
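Review bot: The new `import urllib3` lands mid-module, after the `streamtologger.redirect(...)` side effect shown in the hunk header, while the other imports sit in the header block of the previous hunk; move the import up and leave only `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` here. Silencing `InsecureRequestWarning` process-wide is reasonable for a tool that deliberately talks to self-signed targets, but a one-line comment should say so explicitly, e.g. `# Intentional: targets are commonly self-signed and requests are made with verify=False`. The requests calls themselves are outside this hunk, so confirm that certificate verification really is disabled there before asserting it in the comment.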
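Review bot: `header, value = line.split(": ")` in `get_dict_from_headers` raises `ValueError` on any header line that does not contain exactly one `": "` — a value that itself contains `": "` (a JSON-ish custom header, for instance) yields too many parts and a line written as `Host:example.com` with no space yields too few — and since the helper is called from `__init__` that aborts the whole spray before it starts. Split on the first colon only: `header, sep, value = line.partition(":")` followed by `if sep: d[header.strip()] = value.strip()`. The `lineList[1:-1]` slice also silently assumes `request.txt` has exactly one request line and exactly one trailing body line, so a body-less request or a multi-line body is misparsed; that assumption belongs in a docstring on the function, and `List` can be narrowed to `List[str]` while there.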
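Review bot: The replaced line is carried along as a commented-out copy (`# self.headerDict = collections.OrderedDict(...)`) directly above the new `get_dict_from_headers(lineList)` call; the old form lives in git history, so delete the dead comment rather than keep it. The surrounding `requestFile = open(self.requestFile, 'r')` / `requestFile.close()` pair visible as context would also be safer as `with open(self.requestFile, 'r') as fh: lineList = fh.readlines()`, which closes the file even when the new helper raises. `__init__` starts before this hunk.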
@@ -188,7 +199,7 @@ def performSpray(self): else: try: response = self.performSMBRequest(self.domain, username, password, self.ip) - except(Exception e): + except Exception as e: print("\tSMB exception: " + e.strerror) continue diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..2d24975 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,13 @@ +certifi==2021.10.8 +cffi==1.15.0 +charset-normalizer==2.0.11 +cryptography==36.0.1 +idna==3.3 +ntlm-auth==1.5.0 +pyasn1==0.4.8 +pycparser==2.21 +pysmb==1.2.7 +requests==2.27.1 +requests-ntlm==1.1.0 +streamtologger==2017.1 +urllib3==1.26.8
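Review bot: The corrected handler `except Exception as e: print("\tSMB exception: " + e.strerror)` still assumes every exception carries `strerror`, which only `OSError` subclasses do; any other exception surfacing from `performSMBRequest` (pysmb's own exception classes, a `ValueError`, an `AttributeError`) turns into a second `AttributeError` inside the handler, which escapes the `try` and kills the long-running spray loop the tool exists to keep alive. Format the exception generically: `print("\tSMB exception: " + str(e))`, or `print("\tSMB exception: " + (getattr(e, "strerror", None) or str(e)))` if the errno text is preferred when present. `performSpray` and the enclosing loop start before this hunk, and pysmb's exception types are not visible here, so confirm which ones actually reach this point.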