Scriptable network authentication cracker
badtouch is a scriptable network authentication cracker. While the space for common service bruteforce is already very well saturated, you may still end up writing your own python scripts when testing credentials for web applications.
The scope of badtouch is specifically cracking custom services. This is done by writing scripts that are loaded into a lua runtime. Those scripts represent a single service and provide a
verify(user, password)function that returns either true or false. Concurrency, progress indication and reporting is magically provided by the badtouch runtime.
If you are on an archlinux based system, use
pacman -S badtouch
If you are on Mac OSX, use
brew install badtouch
To build from source, make sure you have rust and
libssl-devinstalled and run
cargo install
Verify your setup is complete with
badtouch --help
sudo apt-get update && sudo apt-get dist-upgrade sudo apt-get install build-essential libssl-dev pkg-config
curl -sf -L https://static.rust-lang.org/rustup.sh | sh source $HOME/.cargo/env
cd /path/to/badtouch cargo install
A simple script could look like this:
descr = "example.com"function verify(user, password) session = http_mksession()
-- get csrf token req = http_request(session, 'GET', 'https://example.com/login', {}) resp = http_send(req) if last_err() then return end -- parse token from html html = resp['text'] csrf = html_select(html, 'input[name="csrf"]') token = csrf["attrs"]["value"] -- send login req = http_request(session, 'POST', 'https://example.com/login', { form={ user=user, password=password, csrf=token } }) resp = http_send(req) if last_err() then return end -- search response for successful login html = resp['text'] return html:find('Login successful') != nil
end
Please see the reference and examples for all available functions. Keep in mind that you can use
print(x)and
badtouch oneshotto debug your script.
Decode a base64 string.
lua base64_decode("ww==")
Encode a binary array with base64.
lua base64_encode("\x00\xff")
Clear all recorded errors to prevent a requeue.
lua if last_err() then clear_err() return false else return true end
Execute an external program. Returns the exit code.
lua execve("myprog", {"arg1", "arg2", "--arg", "3"})
Hex encode a list of bytes.
lua hex("\x6F\x68\x61\x69\x0A\x00")
Calculate an hmac with md5. Returns a binary array.
lua hmac_md5("secret", "my authenticated message")
Calculate an hmac with sha1. Returns a binary array.
lua hmac_sha1("secret", "my authenticated message")
Calculate an hmac with sha2256. Returns a binary array. ```lua hmacsha2_256("secret", "my authenticated message") ```
Calculate an hmac with sha2512. Returns a binary array. ```lua hmacsha2_512("secret", "my authenticated message") ```
Calculate an hmac with sha3256. Returns a binary array. ```lua hmacsha3_256("secret", "my authenticated message") ```
Calculate an hmac with sha3512. Returns a binary array. ```lua hmacsha3_512("secret", "my authenticated message") ```
Parses an html document and returns the first element that matches the css selector. The return value is a table with
textbeing the inner text and
attrsbeing a table of the elements attributes.
lua csrf = html_select(html, 'input[name="csrf"]') token = csrf["attrs"]["value"]
html_selectbut returns all matches instead of the first one.
lua html_select_list(html, 'input[name="csrf"]')
Sends a
GETrequest with basic auth. Returns
trueif no
WWW-Authenticateheader is set and the status code is not
401.
lua http_basic_auth("https://httpbin.org/basic-auth/foo/buzz", user, password)
Create a session object. This is similar to
requests.Sessionin python-requests and keeps track of cookies.
lua session = http_mksession()
Prepares an http request. The first argument is the session reference and cookies from that session are copied into the request. After the request has been sent, the cookies from the response are copied back into the session.
The next arguments are the
method, the
urland additional options. Please note that you still need to specify an empty table
{}even if no options are set. The following options are available:
query- a map of query parameters that should be set on the url
headers- a map of headers that should be set
basic_auth- configure the basic auth header with
{"user, "password"}
user_agent- overwrite the default user agent with a string
json- the request body that should be json encoded
form- the request body that should be form encoded
body- the raw request body as string
req = http_request(session, 'POST', 'https://httpbin.org/post', { json={ user=user, password=password, } }) resp = http_send(req) if last_err() then return end if resp["status"] ~= 200 then return "invalid status code" end
Send the request that has been built with
http_request. Returns a table with the following keys:
status- the http status code
headers- a table of headers
text- the response body as string
req = http_request(session, 'POST', 'https://httpbin.org/post', { json={ user=user, password=password, } }) resp = http_send(req) if last_err() then return end if resp["status"] ~= 200 then return "invalid status code" end
Decode a lua value from a json string.
lua json_decode("{\"data\":{\"password\":\"fizz\",\"user\":\"bar\"},\"list\":[1,3,3,7]}")
Encode a lua value to a json string. Note that empty tables are encoded to an empty object
{}instead of an empty list
[].
lua x = json_encode({ hello="world", almost_one=0.9999, list={1,3,3,7}, data={ user=user, password=password, empty=nil } })
Returns
nilif no error has been recorded, returns a string otherwise.
lua if last_err() then return end
Connect to an ldap server and try to authenticate with the given user.
lua ldap_bind("ldaps://ldap.example.com/", "cn=\"" .. ldap_escape(user) .. "\",ou=users,dc=example,dc=com", password)
Escape an attribute value in a relative distinguished name.
lua ldap_escape(user)
Connect to an ldap server, log into a search user, search for the target user and then try to authenticate with the first DN that was returned by the search.
lua ldap_search_bind("ldaps://ldap.example.com/", -- the user we use to find the correct DN "cn=search_user,ou=users,dc=example,dc=com", "searchpw", -- base DN we search in "dc=example,dc=com", -- the user we test user, password)
Hash a byte array with md5 and return the results as bytes.
lua hex(md5("\x00\xff"))
Connect to a mysql database and try to authenticate with the provided credentials. Returns a mysql connection on success.
lua sock = mysql_connect("127.0.0.1", 3306, user, password)
Run a query on a mysql connection. The 3rd parameter is for prepared statements.
lua rows = mysql_query(sock, 'SELECT VERSION(), :foo as foo', { foo='magic' })
Prints the value of a variable. Please note that this bypasses the regular writer and may interfer with the progress bar. Only use this for debugging.
lua print({ data={ user=user, password=password } })
Returns a random
u32with a minimum and maximum constraint. The return value can be greater or equal to the minimum boundary, and always lower than the maximum boundary. This function has not been reviewed for cryptographic security.
lua rand(0, 256)
Generate the specified number of random bytes.
lua randombytes(16)
Hash a byte array with sha1 and return the results as bytes.
lua hex(sha1("\x00\xff"))
Hash a byte array with sha2256 and return the results as bytes. ```lua hex(sha2256("\x00\xff")) ```
Hash a byte array with sha2512 and return the results as bytes. ```lua hex(sha2512("\x00\xff")) ```
Hash a byte array with sha3256 and return the results as bytes. ```lua hex(sha3256("\x00\xff")) ```
Hash a byte array with sha3512 and return the results as bytes. ```lua hex(sha3512("\x00\xff")) ```
Pauses the thread for the specified number of seconds. This is mostly used to debug concurrency.
lua sleep(3)
Create a tcp connection.
lua sock = sock_connect("127.0.0.1", 1337)
Send data to the socket.
lua sock_send(sock, "hello world")
Receive up to 4096 bytes from the socket.
lua x = sock_recv(sock)
Send a string to the socket. A newline is automatically appended to the string.
lua sock_sendline(sock, line)
Receive a line from the socket. The line includes the newline.
lua x = sock_recvline(sock)
Receive all data from the socket until EOF.
lua x = sock_recvall(sock)
Receive lines from the server until a line contains the needle, then return this line.
lua x = sock_recvline_contains(sock, needle)
Receive lines from the server until a line matches the regex, then return this line.
lua x = sock_recvline_regex(sock, "^250 ")
Receive exactly n bytes from the socket.
lua x = sock_recvn(sock, 4)
Receive until the needle is found, then return all data including the needle.
lua x = sock_recvuntil(sock, needle)
Receive until the needle is found, then write data to the socket.
lua sock_sendafter(sock, needle, data)
Overwrite the default
\nnewline.
lua sock_newline(sock, "\r\n")
You can place a config file at
~/.config/badtouch.tomlto set some defaults.
[runtime] user_agent = "w3m/0.5.3+git20180125"
[runtime] # requires CAP_SYS_RESOURCE # sudo setcap 'CAP_SYS_RESOURCE=+ep' /usr/bin/badtouch rlimit_nofile = 64000
The badtouch runtime is still very bare bones, so you might have to shell out to your regular python script occasionally. Your wrapper may look like this:
descr = "example.com"function verify(user, password) ret = execve("./docs/test.py", {user, password}) if last_err() then return end
if ret == 2 then return "script signaled an exception" end return ret == 0
end
Your python script may look like this:
import systry: if sys.argv[1] == "foo" and sys.argv[2] == "bar": # correct credentials sys.exit(0) else: # incorrect credentials sys.exit(1) except: # signal an exception # this requeues the attempt instead of discarding it sys.exit(2)
GPLv3+