legba: multiprotocol credentials bruteforcer / password sprayer and enumerator

legba

Legba is a multiprotocol credentials bruteforcer / password sprayer and enumerator built with Rust and the Tokio asynchronous runtime to achieve better performance and stability while consuming fewer resources than similar tools.

Supported Protocols/Features:

AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM, and Solace), Cassandra/ScyllaDB, DNS subdomain enumeration, FTP, HTTP (basic authentication, NTLMv1, NTLMv2, multipart form, custom requests with CSRF support, files/folders enumeration, virtual host enumeration), IMAP, Kerberos pre-authentication and user enumeration, LDAP, MongoDB, MQTT, Microsoft SQL, MySQL, Oracle, PostgreSQL, POP3, RDP, Redis, Samba, SSH / SFTP, SMTP, Socks5, STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ), TCP port scanning, Telnet, VNC.

Usage

The tool requires a plugin name and a --target argument specifying the IP or hostname of the target. The port can be omitted whenever it matches the default port for the given protocol. Depending on the selected plugin, it also requires either a pair of --username and --password arguments or a single --data argument (as with the dns.enum plugin, which requires a single enumeration element).

The --username/--data and --password/--key arguments all follow the same logic, depending on the value passed to them:

  • If the value provided is an existing file name, it’ll be loaded as a wordlist.
  • If the value provided is in the form of @/some/path/*.txt it’ll be used as a glob expression to iterate matching files.
  • If the value provided is in the form of #<NUMBER>-<NUMBER>:<OPTIONAL CHARSET>, it’ll be used to generate all possible permutations of the given charset (or the default one if not provided) and of the given length. For instance: #1-3 will generate all permutations from 1 to 3 characters using the default ASCII printable charset, while #4-5:0123456789 will generate all permutations of digits of 4 and 5 characters.
  • Anything else will be considered as a constant string.

For instance:

  • legba <plugin name> --username admin --password data/passwords.txt will always use admin as username while loading the passwords from a wordlist.
  • legba <plugin name> --username data/users.txt --password data/passwords.txt will load both from wordlists and use all combinations.
  • legba <plugin name> --username admin will always use admin as username and attempt all permutations of the default printable ASCII charset between 4 and 8 characters (this is the default behaviour when a value is not passed).
  • legba <plugin name> --username data/users.txt --password '@/some/path/*.key' will load users from a wordlist while testing all key files inside /some/path.
  • legba <plugin name> --username data/users.txt --password '#4-5:abcdef' will load users from a wordlist while testing all permutations of the characters abcdef 4 and 5 characters long.
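
The value rules above can be modelled in a few lines. The following is an added example, not legba's own code: it classifies a value by the four rules and counts how many candidates a # range expression implies, which is the number to weigh against lockout and rate-limit thresholds. The names Value, classify, parse_range and keyspace are hypothetical, and the default charset size of 95 (printable ASCII including space) is an assumption.

```rust
// Added illustration, not legba's own parser.
#[derive(Debug, PartialEq)]
enum Value {
    Wordlist(String),
    Glob(String),
    Range { min: u32, max: u32, charset_len: u128 },
    Constant(String),
}
// Assumption: the default charset is the 95 printable ASCII characters.
const DEFAULT_CHARSET_LEN: u128 = 95;

// Apply the four rules in the order listed; `exists` stands in for the file check.
fn classify(arg: &str, exists: impl Fn(&str) -> bool) -> Value {
    if exists(arg) {
        return Value::Wordlist(arg.to_string());
    }
    if let Some(pattern) = arg.strip_prefix('@') {
        return Value::Glob(pattern.to_string());
    }
    parse_range(arg).unwrap_or_else(|| Value::Constant(arg.to_string()))
}

// Parse "#<MIN>-<MAX>[:<CHARSET>]"; malformed input yields None (a constant).
fn parse_range(arg: &str) -> Option<Value> {
    let body = arg.strip_prefix('#')?;
    let (lengths, charset) = match body.split_once(':') {
        Some((l, c)) => (l, Some(c)),
        None => (body, None),
    };
    let (min, max) = lengths.split_once('-')?;
    let (min, max): (u32, u32) = (min.parse().ok()?, max.parse().ok()?);
    if min == 0 || min > max {
        return None;
    }
    let charset_len = match charset {
        Some(c) if !c.is_empty() => c.chars().collect::<std::collections::BTreeSet<_>>().len() as u128,
        _ => DEFAULT_CHARSET_LEN,
    };
    Some(Value::Range { min, max, charset_len })
}

// Candidates implied by a range: sum of charset_len^n for n in min..=max (None on overflow).
fn keyspace(min: u32, max: u32, charset_len: u128) -> Option<u128> {
    (min..=max).try_fold(0u128, |acc, n| acc.checked_add(charset_len.checked_pow(n)?))
}

fn main() {
    let v = classify("#4-5:0123456789", |_| false);
    println!("{:?} -> {:?}", v, keyspace(4, 5, 10));
}
```

Under the stated charset assumption, the default 4 to 8 character range comes to 6,704,780,953,650,625 candidates per username.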

Install

Copyright (C) 2023 evilsocket