badtouch
badtouch is a scriptable network authentication cracker. While the space for common service bruteforce is already very well saturated, you may still end up writing your own python scripts when testing credentials for web applications.
The scope of badtouch is specifically cracking custom services. This is done by
writing scripts that are loaded into a lua runtime. Those scripts represent a
single service and provide a verify(user, password)
function that returns
either true or false. Concurrency, progress indication and reporting is
magically provided by the badtouch runtime.
Installation
If you are on an archlinux based system, use
pacman -S badtouch
To build from source, make sure you have rust and libssl-dev
installed and run
cargo install
Verify your setup is complete with
badtouch --help
Reference
- base64_decode
- base64_encode
- clear_err
- execve
- hex
- hmac_md5
- hmac_sha1
- hmac_sha2_256
- hmac_sha2_512
- hmac_sha3_256
- hmac_sha3_512
- html_select
- html_select_list
- http_basic_auth
- http_mksession
- http_request
- http_send
- json_decode
- json_encode
- last_err
- ldap_bind
- ldap_escape
- ldap_search_bind
- md5
- mysql_connect
- mysql_query
- rand
- randombytes
- sha1
- sha2_256
- sha2_512
- sha3_256
- sha3_512
- sleep
- sock_connect
- sock_send
- sock_recv
- sock_sendline
- sock_recvline
- sock_recvall
- sock_recvline_contains
- sock_recvline_regex
- sock_recvn
- sock_recvuntil
- sock_sendafter
- sock_newline
- Examples
- Configuration
- Wrapping python scripts
base64_decode
Decode a base64 string.
base64_decode
base64_encode
Encode a binary array with base64.
base64_encode
clear_err
Clear all recorded errors to prevent a requeue.
if last_err
execve
Execute an external program. Returns the exit code.
execve
hex
Hex encode a list of bytes.
hex
hmac_md5
Calculate an hmac with md5. Returns a binary array.
hmac_md5
hmac_sha1
Calculate an hmac with sha1. Returns a binary array.
hmac_sha1
hmac_sha2_256
Calculate an hmac with sha2_256. Returns a binary array.
hmac_sha2_256
hmac_sha2_512
Calculate an hmac with sha2_512. Returns a binary array.
hmac_sha2_512
hmac_sha3_256
Calculate an hmac with sha3_256. Returns a binary array.
hmac_sha3_256
hmac_sha3_512
Calculate an hmac with sha3_512. Returns a binary array.
hmac_sha3_512
html_select
Parses an html document and returns the first element that matches the css
selector. The return value is a table with text
being the inner text and
attrs
being a table of the elements attributes.
csrf = html_select
token = csrf
html_select_list
Same as html_select
but returns all matches instead of the
first one.
html_select_list
http_basic_auth
Sends a GET
request with basic auth. Returns true
if no WWW-Authenticate
header is set and the status code is not 401
.
http_basic_auth
http_mksession
Create a session object. This is similar to requests.Session
in
python-requests and keeps track of cookies.
session = http_mksession
http_request
Prepares an http request. The first argument is the session reference and cookies from that session are copied into the request. After the request has been sent, the cookies from the response are copied back into the session.
The next arguments are the method
, the url
and additional options. Please
note that you still need to specify an empty table {}
even if no options are
set. The following options are available:
query
- a map of query parameters that should be set on the urlheaders
- a map of headers that should be setbasic_auth
- configure the basic auth header with{"user, "password"}
user_agent
- overwrite the default user agent with a stringjson
- the request body that should be json encodedform
- the request body that should be form encodedbody
- the raw request body as string
req = http_request
resp = http_send
if last_err
if resp ~= 200
http_send
Send the request that has been built with http_request
.
Returns a table with the following keys:
status
- the http status codeheaders
- a table of headerstext
- the response body as string
req = http_request
resp = http_send
if last_err
if resp ~= 200
json_decode
Decode a lua value from a json string.
json_decode
json_encode
Encode a lua value to a json string. Note that empty tables are encoded to an
empty object {}
instead of an empty list []
.
x = json_encode
last_err
Returns nil
if no error has been recorded, returns a string otherwise.
if last_err
ldap_bind
Connect to an ldap server and try to authenticate with the given user.
ldap_bind
ldap_escape
Escape an attribute value in a relative distinguished name.
ldap_escape
ldap_search_bind
Connect to an ldap server, log into a search user, search for the target user and then try to authenticate with the first DN that was returned by the search.
ldap_search_bind
md5
Hash a byte array with md5 and return the results as bytes.
hex
mysql_connect
Connect to a mysql database and try to authenticate with the provided credentials. Returns a mysql connection on success.
sock = mysql_connect
mysql_query
Run a query on a mysql connection. The 3rd parameter is for prepared statements.
rows = mysql_query
Prints the value of a variable. Please note that this bypasses the regular writer and may interfer with the progress bar. Only use this for debugging.
print
rand
Returns a random u32
with a minimum and maximum constraint. The return value
can be greater or equal to the minimum boundary, and always lower than the
maximum boundary. This function has not been reviewed for cryptographic
security.
rand
randombytes
Generate the specified number of random bytes.
randombytes
sha1
Hash a byte array with sha1 and return the results as bytes.
hex
sha2_256
Hash a byte array with sha2_256 and return the results as bytes.
hex
sha2_512
Hash a byte array with sha2_512 and return the results as bytes.
hex
sha3_256
Hash a byte array with sha3_256 and return the results as bytes.
hex
sha3_512
Hash a byte array with sha3_512 and return the results as bytes.
hex
sleep
Pauses the thread for the specified number of seconds. This is mostly used to debug concurrency.
sleep
sock_connect
Create a tcp connection.
sock = sock_connect
sock_send
Send data to the socket.
sock_send
sock_recv
Receive up to 4096 bytes from the socket.
x = sock_recv
sock_sendline
Send a string to the socket. A newline is automatically appended to the string.
sock_sendline
sock_recvline
Receive a line from the socket. The line includes the newline.
x = sock_recvline
sock_recvall
Receive all data from the socket until EOF.
x = sock_recvall
sock_recvline_contains
Receive lines from the server until a line contains the needle, then return this line.
x = sock_recvline_contains
sock_recvline_regex
Receive lines from the server until a line matches the regex, then return this line.
x = sock_recvline_regex
sock_recvn
Receive exactly n bytes from the socket.
x = sock_recvn
sock_recvuntil
Receive until the needle is found, then return all data including the needle.
x = sock_recvuntil
sock_sendafter
Receive until the needle is found, then write data to the socket.
sock_sendafter
sock_newline
Overwrite the default \n
newline.
sock_newline
Configuration
You can place a config file at ~/.config/badtouch.toml
to set some defaults.
Global user agent
[]
= "w3m/0.5.3+git20180125"
RLIMIT_NOFILE
[]
# requires CAP_SYS_RESOURCE
# sudo setcap 'CAP_SYS_RESOURCE=+ep' /usr/bin/badtouch
= 64000
Wrapping python scripts
The badtouch runtime is still very bare bones, so you might have to shell out to your regular python script occasionally. Your wrapper may look like this:
descr = "example.com"
Your python script may look like this:
# correct credentials
# incorrect credentials
# signal an exception
# this requeues the attempt instead of discarding it
License
GPLv3+