• Stars
    star
    359
  • Rank 118,537 (Top 3 %)
  • Language
    Rust
  • License
    GNU General Publi...
  • Created over 6 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Scriptable network authentication cracker (formerly `badtouch`)

authoscope Crates.io

authoscope is a scriptable network authentication cracker. While the space for common service bruteforce is already very well saturated, you may still end up writing your own python scripts when testing credentials for web applications.

The scope of authoscope is specifically cracking custom services. This is done by writing scripts that are loaded into a lua runtime. Those scripts represent a single service and provide a verify(user, password) function that returns either true or false. Concurrency, progress indication and reporting is magically provided by the authoscope runtime.

asciicast

Installation

Packaging status

If you are on an Arch Linux based system, use

pacman -S authoscope

If you are on Mac OSX, use

brew install authoscope

To build from source, make sure you have rust and libssl-dev installed and run

cargo install

Verify your setup is complete with

authoscope --help

Debian

  1. Install essential build tools
sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install build-essential libssl-dev pkg-config
  1. Install rust
curl -sf -L https://static.rust-lang.org/rustup.sh | sh
source $HOME/.cargo/env
  1. Install authoscope
cd /path/to/authoscope
cargo install

Scripting

A simple script could look like this:

descr = "example.com"

function verify(user, password)
    session = http_mksession()

    -- get csrf token
    req = http_request(session, 'GET', 'https://example.com/login', {})
    resp = http_send(req)
    if last_err() then return end

    -- parse token from html
    html = resp['text']
    csrf = html_select(html, 'input[name="csrf"]')
    token = csrf["attrs"]["value"]

    -- send login
    req = http_request(session, 'POST', 'https://example.com/login', {
        form={
            user=user,
            password=password,
            csrf=token
        }
    })
    resp = http_send(req)
    if last_err() then return end

    -- search response for successful login
    html = resp['text']
    return html:find('Login successful') != nil
end

Please see the reference and examples for all available functions. Keep in mind that you can use print(x) and authoscope oneshot to debug your script.

Reference

base64_decode

Decode a base64 string.

base64_decode("ww==")

base64_encode

Encode a binary array with base64.

base64_encode("\x00\xff")

clear_err

Clear all recorded errors to prevent a requeue.

if last_err() then
    clear_err()
    return false
else
    return true
end

execve

Execute an external program. Returns the exit code.

execve("myprog", {"arg1", "arg2", "--arg", "3"})

hex

Hex encode a list of bytes.

hex("\x6F\x68\x61\x69\x0A\x00")

hmac_md5

Calculate an hmac with md5. Returns a binary array.

hmac_md5("secret", "my authenticated message")

hmac_sha1

Calculate an hmac with sha1. Returns a binary array.

hmac_sha1("secret", "my authenticated message")

hmac_sha2_256

Calculate an hmac with sha2_256. Returns a binary array.

hmac_sha2_256("secret", "my authenticated message")

hmac_sha2_512

Calculate an hmac with sha2_512. Returns a binary array.

hmac_sha2_512("secret", "my authenticated message")

hmac_sha3_256

Calculate an hmac with sha3_256. Returns a binary array.

hmac_sha3_256("secret", "my authenticated message")

hmac_sha3_512

Calculate an hmac with sha3_512. Returns a binary array.

hmac_sha3_512("secret", "my authenticated message")

html_select

Parses an html document and returns the first element that matches the css selector. The return value is a table with text being the inner text and attrs being a table of the elements attributes.

csrf = html_select(html, 'input[name="csrf"]')
token = csrf["attrs"]["value"]

html_select_list

Same as html_select but returns all matches instead of the first one.

html_select_list(html, 'input[name="csrf"]')

http_basic_auth

Sends a GET request with basic auth. Returns true if no WWW-Authenticate header is set and the status code is not 401.

http_basic_auth("https://httpbin.org/basic-auth/foo/buzz", user, password)

http_mksession

Create a session object. This is similar to requests.Session in python-requests and keeps track of cookies.

session = http_mksession()

http_request

Prepares an http request. The first argument is the session reference and cookies from that session are copied into the request. After the request has been sent, the cookies from the response are copied back into the session.

The next arguments are the method, the url and additional options. Please note that you still need to specify an empty table {} even if no options are set. The following options are available:

  • query - a map of query parameters that should be set on the url
  • headers - a map of headers that should be set
  • basic_auth - configure the basic auth header with {"user, "password"}
  • user_agent - overwrite the default user agent with a string
  • json - the request body that should be json encoded
  • form - the request body that should be form encoded
  • body - the raw request body as string
req = http_request(session, 'POST', 'https://httpbin.org/post', {
    json={
        user=user,
        password=password,
    }
})
resp = http_send(req)
if last_err() then return end
if resp["status"] ~= 200 then return "invalid status code" end

http_send

Send the request that has been built with http_request. Returns a table with the following keys:

  • status - the http status code
  • headers - a table of headers
  • text - the response body as string
req = http_request(session, 'POST', 'https://httpbin.org/post', {
    json={
        user=user,
        password=password,
    }
})
resp = http_send(req)
if last_err() then return end
if resp["status"] ~= 200 then return "invalid status code" end

json_decode

Decode a lua value from a json string.

json_decode("{\"data\":{\"password\":\"fizz\",\"user\":\"bar\"},\"list\":[1,3,3,7]}")

json_encode

Encode a lua value to a json string. Note that empty tables are encoded to an empty object {} instead of an empty list [].

x = json_encode({
    hello="world",
    almost_one=0.9999,
    list={1,3,3,7},
    data={
        user=user,
        password=password,
        empty=nil
    }
})

last_err

Returns nil if no error has been recorded, returns a string otherwise.

if last_err() then return end

ldap_bind

Connect to an ldap server and try to authenticate with the given user.

ldap_bind("ldaps://ldap.example.com/",
    "cn=\"" .. ldap_escape(user) .. "\",ou=users,dc=example,dc=com", password)

ldap_escape

Escape an attribute value in a relative distinguished name.

ldap_escape(user)

ldap_search_bind

Connect to an ldap server, log into a search user, search for the target user and then try to authenticate with the first DN that was returned by the search.

ldap_search_bind("ldaps://ldap.example.com/",
    -- the user we use to find the correct DN
    "cn=search_user,ou=users,dc=example,dc=com", "searchpw",
    -- base DN we search in
    "dc=example,dc=com",
    -- the user we test
    user, password)

md5

Hash a byte array with md5 and return the results as bytes.

hex(md5("\x00\xff"))

mysql_connect

Connect to a mysql database and try to authenticate with the provided credentials. Returns a mysql connection on success.

sock = mysql_connect("127.0.0.1", 3306, user, password)

mysql_query

Run a query on a mysql connection. The 3rd parameter is for prepared statements.

rows = mysql_query(sock, 'SELECT VERSION(), :foo as foo', {
    foo='magic'
})

print

Prints the value of a variable. Please note that this bypasses the regular writer and may interfer with the progress bar. Only use this for debugging.

print({
    data={
        user=user,
        password=password
    }
})

rand

Returns a random u32 with a minimum and maximum constraint. The return value can be greater or equal to the minimum boundary, and always lower than the maximum boundary. This function has not been reviewed for cryptographic security.

rand(0, 256)

randombytes

Generate the specified number of random bytes.

randombytes(16)

sha1

Hash a byte array with sha1 and return the results as bytes.

hex(sha1("\x00\xff"))

sha2_256

Hash a byte array with sha2_256 and return the results as bytes.

hex(sha2_256("\x00\xff"))

sha2_512

Hash a byte array with sha2_512 and return the results as bytes.

hex(sha2_512("\x00\xff"))

sha3_256

Hash a byte array with sha3_256 and return the results as bytes.

hex(sha3_256("\x00\xff"))

sha3_512

Hash a byte array with sha3_512 and return the results as bytes.

hex(sha3_512("\x00\xff"))

sleep

Pauses the thread for the specified number of seconds. This is mostly used to debug concurrency.

sleep(3)

sock_connect

Create a tcp connection.

sock = sock_connect("127.0.0.1", 1337)

sock_send

Send data to the socket.

sock_send(sock, "hello world")

sock_recv

Receive up to 4096 bytes from the socket.

x = sock_recv(sock)

sock_sendline

Send a string to the socket. A newline is automatically appended to the string.

sock_sendline(sock, line)

sock_recvline

Receive a line from the socket. The line includes the newline.

x = sock_recvline(sock)

sock_recvall

Receive all data from the socket until EOF.

x = sock_recvall(sock)

sock_recvline_contains

Receive lines from the server until a line contains the needle, then return this line.

x = sock_recvline_contains(sock, needle)

sock_recvline_regex

Receive lines from the server until a line matches the regex, then return this line.

x = sock_recvline_regex(sock, "^250 ")

sock_recvn

Receive exactly n bytes from the socket.

x = sock_recvn(sock, 4)

sock_recvuntil

Receive until the needle is found, then return all data including the needle.

x = sock_recvuntil(sock, needle)

sock_sendafter

Receive until the needle is found, then write data to the socket.

sock_sendafter(sock, needle, data)

sock_newline

Overwrite the default \n newline.

sock_newline(sock, "\r\n")

Configuration

You can place a config file at ~/.config/authoscope.toml to set some defaults.

Global user agent

[runtime]
user_agent = "w3m/0.5.3+git20180125"

RLIMIT_NOFILE

[runtime]
# requires CAP_SYS_RESOURCE
# sudo setcap 'CAP_SYS_RESOURCE=+ep' /usr/bin/authoscope
rlimit_nofile = 64000

Wrapping python scripts

The authoscope runtime is still very bare bones, so you might have to shell out to your regular python script occasionally. Your wrapper may look like this:

descr = "example.com"

function verify(user, password)
    ret = execve("./docs/test.py", {user, password})
    if last_err() then return end

    if ret == 2 then
        return "script signaled an exception"
    end

    return ret == 0
end

Your python script may look like this:

import sys

try:
    if sys.argv[1] == "foo" and sys.argv[2] == "bar":
        # correct credentials
        sys.exit(0)
    else:
        # incorrect credentials
        sys.exit(1)
except:
    # signal an exception
    # this requeues the attempt instead of discarding it
    sys.exit(2)

License

GPLv3+

More Repositories

1

sn0int

Semi-automatic OSINT framework and package manager
Rust
1,559
star
2

sniffglue

Secure multithreaded packet sniffer
Rust
958
star
3

rshijack

tcp connection hijacker, rust rewrite of shijack
Rust
395
star
4

rebuilderd

Independent verification of binary packages - reproducible builds
Rust
327
star
5

mini-docker-rust

Very small rust docker image
Dockerfile
171
star
6

spotify-launcher

Client for spotify's apt repository in Rust for Arch Linux
Rust
168
star
7

i-probably-didnt-backdoor-this

A practical experiment on supply-chain security using reproducible builds
Dockerfile
149
star
8

nude-rs

High performance nudity detection in rust
Rust
125
star
9

sh4d0wup

Signing-key abuse and update exploitation framework
Rust
118
star
10

libredefender

Imagine the information security compliance guideline says you need an antivirus but you run Arch Linux
Rust
114
star
11

ipfs.ink

PROJECT HAS BEEN SHUTDOWN - Publish and render markdown essays to and from ipfs
JavaScript
109
star
12

pacman-bintrans

Experimental binary transparency for pacman with sigstore and rekor
Rust
83
star
13

boxxy-rs

Linkable sandbox explorer
Rust
70
star
14

acme-redirect

Tiny http daemon that answers acme challenges and redirects everything else to https
Rust
68
star
15

arch-audit-gtk

Arch Linux Security Update Notifications
Rust
55
star
16

narnia

🚧 EXPERIMENTAL 🚧 Secure hidden service webserver
Rust
49
star
17

yrd

cjdns swiss army knife
Python
48
star
18

repro-env

Dependency lockfiles for reproducible build environments 📦🔒
Rust
33
star
19

archlinux-userland-fs-cmp

Forensic tool to read all installed packages from a mounted Arch Linux drive and compare the filesystem to a trusted source
Rust
33
star
20

what-the-src

Source code of https://whatsrc.org/
Rust
29
star
21

defcon26-pow

Fast defcon 26 quals pow solver
Rust
26
star
22

backseat-signed

Authenticate the cryptographic chain-of-custody of Linux distributions (like Arch Linux and Debian) to their source code inputs
Rust
26
star
23

progpick

Bruteforce with a stream of permutations of a specific pattern
Rust
23
star
24

syscallz-rs

Simple seccomp library for rust
Rust
22
star
25

sn0int-modules

Lua
21
star
26

cargo-debstatus

cargo-tree for debian packaging
Rust
20
star
27

forensic-adb

Tokio based client library for the Android Debug Bridge (adb) based on mozdevice
Rust
18
star
28

tr1pd

tamper resistant audit log
Rust
17
star
29

snail

Parasitic network manager
Rust
15
star
30

rocket_failure

Semantic error handling for rocket applications
Rust
15
star
31

auth-tarball-from-git

Authenticate a tarball through a signed tag in a git repository (with reproducible builds)
Rust
15
star
32

apt-swarm

🥸 p2p gossip network for update transparency, based on pgp 🥸
Rust
15
star
33

worker-ratelimit

General purpose rate limiting library for Cloudflare Workers
Rust
15
star
34

laundry5

Shuffles your socks - rotating proxy frontend server
Rust
13
star
35

kmod-rs

Bindings to libkmod to manage linux kernel modules
Rust
13
star
36

ismyarchverifiedyet

🚧 Experimental script to query rebuilderd for results 🚧
Python
13
star
37

chrootable-https

Sandbox+chroot friendly https client
Rust
12
star
38

brchd

Data exfiltration toolkit
Rust
12
star
39

nmcssh

Solving Zooko's triangle for ssh authentication
Python
11
star
40

updlockfiles

Manage lockfiles in PKGBUILDs for upstreams that don't ship them, `updpkgsums` for dependency trees (Arch Linux tooling)
Rust
11
star
41

burritun

Wrap a tun device in a tap device
Rust
10
star
42

archlinux-inputs-fsck

Lint repository of PKGBUILDs for cryptographically pinned inputs
Rust
10
star
43

booty

Minimal forensic/exfiltration/evil-maid/rescue live boot system
Shell
10
star
44

rp2040-37c3-oled

Pure Rust firmware for 37c3 logo animation (waveshare-rp2040-zero with 128x64 oled screen - i2c sda: gpio14, scl: gpio15)
Rust
10
star
45

nessus-rs

Nessus Vulnerability Scanner API client
Rust
8
star
46

a2p

fancy html5 file upload, webrtc seeding swarm, auto torrent and scp interface
JavaScript
7
star
47

summarize-cli

Attempt to summarize text from `stdin`, using a large language model (locally and offline), to `stdout`
Rust
7
star
48

homeassistant-rs

home-assistant api client
Rust
6
star
49

masshype

Util for massive cjdns routers
JavaScript
6
star
50

memry

mem'ry, tar pipe curl
JavaScript
6
star
51

stalkerware-indicators-rs

Parser for Echap's stalkerware-indicators repo
Rust
6
star
52

signal-whois

Resolve a signal username or link to a signal uuid
Rust
6
star
53

rebuilderd-debian-buildinfo-crawler

Reproducible Builds: Scraper/Parser for https://buildinfos.debian.net into structured data
Rust
5
star
54

sloppy-rfc4880

Pure rust parser for RFC-4880 (OpenPGP Message Format)
Rust
5
star
55

syrup-rs

Simple abstraction around pancurses for chat-like interfaces
Rust
5
star
56

autovoice

irc bot to automatically give +v to users after they've been in the channel for some time
Rust
5
star
57

signal-doh-ech

🚧 Experimental source dump for pluggable transport for signal-desktop, not fully implemented, do not use in production 🚧
Rust
5
star
58

archlinux-linux-reproducible

Binary reproducible fork of the Arch Linux kernel package
Shell
4
star
59

46snihdnat

4 to 6 server name indication hybrid destination network address translation
JavaScript
4
star
60

mrsc

mpsc with requests
Rust
4
star
61

cjdns-rs

Admin API implementation of cjdns
Rust
4
star
62

os-version

Rust
4
star
63

tls.li

Hardened TLS configuration examples
CSS
4
star
64

webhook-server

Multiprocess sandboxed webhook daemon
Rust
4
star
65

ipfs-mirror

ipfs mirror utils with leveldb cache for immutable files
Python
4
star
66

archlinux-scan-malloc-usable-size

Scan the symbols of all ELF binaries in all Arch Linux packages for usage of malloc_usable_size (-D_FORTIFY_SOURCE=3 compatibility)
Rust
4
star
67

game-dont-panic

Pure Rust firmware, bare metal Space Invaders/Endoparasitic crossover game for waveshare-rp2040-zero, with a 128x64 OLED i2c screen, a rotary encoder and a button
Rust
4
star
68

elf2nucleus

Integrate micronucleus into the cargo buildsystem, flash an AVR firmware from an elf file
Rust
4
star
69

apt-vulns-xyz

The source code for a reproducible apt repository
Rust
3
star
70

promisc

cjdns peering bot
Python
3
star
71

jenkins-debian

personal fork of jenkins.debian.net
Shell
3
star
72

onionjson

Tor2Web for json
HTML
3
star
73

wrbt-web

Web implementation of wrbt
HTML
3
star
74

csrf.fun

Cross Site Request Forgery Debugger
JavaScript
3
star
75

hype-qr

QRify cjdns connect strings
JavaScript
3
star
76

d3xs

Physical access control (Rust firmware)
Rust
3
star
77

annex-accumulate

Super folder for git-annex drives
Python
3
star
78

cloudflare-worker-rust

Build a Hello World WebAssembly web-service with Rust and run it locally with Cloudflare's workerd
Rust
3
star
79

attiny85-hello-world

Hello World Rust firmware for digispark attiny85 microcontroller
Rust
3
star
80

sn0int-signal

Rust
2
star
81

huesaverd

Rust
2
star
82

abuild-reusesig

Rust
2
star
83

s2ws

Expose Spawn to WebSockets
JavaScript
2
star
84

embedded-triple

Embed the target triple into the binary
Rust
2
star
85

aur-repro

Reproducible Builds for packages in the Arch User Repository (AUR)
Shell
2
star
86

ysf-sn0int-modules

my sn0int modules or patches
Lua
2
star
87

BadCrypto

A challenge for my future self
Python
1
star
88

shepard

The hackers monitoring
Python
1
star
89

labsh

Restricted shell for docker build server
Rust
1
star
90

waflz

Link preview irc bot
Rust
1
star
91

dotfiles

Shell
1
star
92

PKGBUILD-acmetool

Shell
1
star
93

rust-diesel-bug-2365

Rust
1
star
94

kpcyrd

1
star
95

pkgbuild-signal-desktop

Send pull requests for the signal-desktop Arch Linux package here
Shell
1
star
96

updvcspins

Manage pinned VCS repositories in PKGBUILDs (Arch Linux tooling)
Rust
1
star
97

wrbt-httpd

Authorize peering requests on remote servers
Python
1
star
98

namecoin-zones

Converts the namecoin blockchain to dns zones
Python
1
star
99

not-butter

there is no butter
JavaScript
1
star
100

iam

Simple whois server implementation
Shell
1
star