RSYaba
Description
RandomStorm Yet Another Brute Attacker, aka RSYaba, is developed by Robin Wood from www.randomstorm.com. It is a tool for running brute-force attacks against various services, in a similar way to THC-Hydra and Medusa. The tool was written after bad experiences getting existing tools to work correctly with HTTP and SSH, so it was decided to make a tool that would be easier to configure. The following protocols are handled in version 1.0:
- http
- https
- mysql
- ssh
Installation
Pre-requisites
First thing, you will need Ruby and Gems:
$ sudo apt-get install ruby1.9.1-full rubygems1.9.1
Then use Gem to install Ruby dependencies:
$ sudo gem1.9.1 install hpricot net-ssh mysql
To be able to brute-force mysql, you will also need mysql-client libraries:
$ sudo apt-get install libmysqlclient-dev
At the end of the installation process, check that all needed libraries have been successfully installed:
$ sudo gem1.9.1 list

*** LOCAL GEMS ***

hpricot (0.8.2)
mysql (2.8.1)
net-ssh (2.0.23)
Installation of RSYaba
$ cd /data/src/
$ wget http://www.randomstorm.com/tools/rsyaba_1.0.tar.bz2
$ bzip2 -cd rsyaba_1.0.tar.bz2 | tar xf -
$ cd rsyaba/
Usage
Basic usage
Show basic help:
ruby1.9.1 rsyaba.rb --help, -?
List all supported protocols:
ruby1.9.1 rsyaba.rb --list_protocols, -l
Get help for the specified protocol:
ruby1.9.1 rsyaba.rb <protocol> --help
Syntax for HTTP and HTTPS
- --help, -?: show help
- --host, -h: host
- --path, -P: path
- --max_threads <x>, -t <x>: maximum number of threads, more isn't always better, default 5
- -U <username>: the username (if already known)
- --wordlist x, -w x: the wordlist to use, either a file or - for STDIN
- --ua x: user agent string to use
- --referrer x: set the referrer
- --get_cookie, -c: do a GET before the POST and use the returned session cookie in the POST
- --port, -p: port number
- --token_field: the name of a field containing a token that must be returned
- --username_field: the name of the username field, default = username
- --password_field: the name of the password field, default = password
- --success_message: the message received on success
- --failure_message: the message received on failure
- -v: verbose mode
MySQL and SSH
- --help, -?: show help
- --host, -h: host
- -U <username>: the username (if already known)
- --max_threads x, -t x: maximum number of threads, more isn't always better, default 5
- --wordlist x, -w x: the wordlist to use, either a file or - for STDIN
- --port, -p: port number
- -v: verbose mode
Examples
HTTP
Given the following code (a deliberately minimal login page used as the target of the example):
<?php
// Demo login: a single hard-coded credential pair, with the response body
// ("GRANTED"/"DENIED") telling the client whether the attempt succeeded.
if(isset($_POST["username"]) && isset($_POST["password"])) {
    if($_POST["username"]=="admin" && $_POST["password"]=="password") {
        echo("GRANTED");
    } else {
        echo("DENIED");
    }
}
?>
<form method="post" action="index.php">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="submit" name="submit" />
</form>
If we already know the user (admin), we can issue the following command:
$ ruby1.9.1 rsyaba.rb http \
    -w dict.txt \
    -U admin \
    -h localhost \
    -P /admin/index.php \
    --success_message "GRANTED"
It will return:
Success with admin password
SSH
The following command brute-forces the "test" account on an SSH service, with a single thread and verbose output:
$ ./rsyaba.rb ssh \
    -h 192.168.1.1 \
    -U test \
    -w dict.txt \
    -t 1 \
    -v
Starting with test oops
Failure with test oops
Starting with test admin
Failure with test admin
Starting with test nimda
Failure with test nimda
Starting with test elephant
Success with test elephant
Host: test
MySQL
The following command brute-forces the "test" account on a MySQL service:
$ ruby1.9.1 rsyaba.rb mysql \
    -w dict.txt \
    -U test \
    -h localhost \
    --max_threads 1 \
    -v
Starting with test oops
Starting with test 123
Starting with test 1234
Starting with test all
Starting with test nimda
Starting with test administrator
Starting with test admin
Starting with test pass
Starting with test passwd
Starting with test password
Starting with test elephant
Success with test elephant
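On the receiving end, a single-threaded wordlist run like the SSH example above leaves a tight burst of "Failed password" lines in sshd's auth.log. The following Ruby script is an added example, not part of RSYaba, that flags any (source IP, user) pair with a burst of failures inside a short window; the log lines, the source IP 10.0.0.5 and the year used to complete the syslog timestamps are all constructed for the example.

```ruby
require 'time'

# One sshd failure per line, in the default syslog format (timestamp has no year).
FAILED_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+/

# Extract {time:, user:, src:} for each failed login; other lines are skipped.
def parse_failures(lines, year: 2024)
  lines.filter_map do |line|
    m = FAILED_RE.match(line) or next
    { time: Time.strptime("#{year} #{m[1].squeeze(' ')}", '%Y %b %d %H:%M:%S'),
      user: m[2], src: m[3] }
  end
end

# Return {[src, user] => max_burst} for pairs whose failure count within any
# `window` seconds reaches `threshold` (a sliding window over sorted times).
def brute_force_sources(lines, threshold: 4, window: 60)
  hits = {}
  parse_failures(lines).group_by { |f| [f[:src], f[:user]] }.each do |key, fails|
    times = fails.map { |f| f[:time] }.sort
    times.each_with_index do |t, i|
      burst = times.drop(i).take_while { |u| u - t <= window }.size
      hits[key] = [hits[key] || 0, burst].max
    end
  end
  hits.select { |_, n| n >= threshold }
end

# Constructed sample: four failures then a success for "test" from one source,
# plus one unrelated failure that should not be flagged.
SAMPLE_LOG = <<~LOG
  Mar  3 10:15:01 gw sshd[2201]: Failed password for test from 10.0.0.5 port 51000 ssh2
  Mar  3 10:15:02 gw sshd[2203]: Failed password for test from 10.0.0.5 port 51001 ssh2
  Mar  3 10:15:03 gw sshd[2205]: Failed password for test from 10.0.0.5 port 51002 ssh2
  Mar  3 10:15:04 gw sshd[2207]: Failed password for test from 10.0.0.5 port 51003 ssh2
  Mar  3 10:15:05 gw sshd[2209]: Accepted password for test from 10.0.0.5 port 51004 ssh2
  Mar  3 10:40:00 gw sshd[2301]: Failed password for alice from 10.0.0.9 port 40100 ssh2
LOG

if __FILE__ == $0
  brute_force_sources(SAMPLE_LOG.lines).each do |(src, user), n|
    puts "#{n} failures for #{user} from #{src} within 60s"
  end
end
```

The "Accepted password" line right after the burst is the pattern worth alerting on: a success that follows a run of failures from the same source.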