juanschallibaum/masspwn


Masspwn

Fastly scans open ports on large networks and bruteforce login mechanism of found services

Description

Masspwn is a bash script that takes advantage of the speed and efficiency of masscan for finding open ports on large networks; masscan is much faster than nmap at that job. Once masscan has found the specified open ports on the specified hosts, its output is passed to nmap, which scans only the service versions of the ports masscan reported open. This way nmap does not waste time discovering live hosts and ports itself. The nmap output is then passed to brutespray, which automatically brute-forces the login mechanisms of the discovered services with default credentials using Medusa. Brutespray can brute-force authentication for the ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, rlogin, smbnt, smtp, svn, vmauthd and snmp protocols. Keep in mind that repeated failed logins can lock accounts out and that a high masscan packet rate can disrupt fragile devices, so choose the -r and -t options conservatively on production networks.
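To make the hand-off between the tools concrete, here is an added example of the masscan-to-nmap glue step, written for this page and not taken from masspwn's own script. It assumes masscan was run with -oL (its list output format), parses that output into one port list per host so nmap version-scans only those ports, and emits the nmap commands as a dry run instead of executing them. The output directory name, the nmap flags and the sample masscan output are all choices made for this example.

```bash
#!/usr/bin/env bash
# Added example, not masspwn's own code: the glue between masscan and nmap that
# the description above implies. masscan's -oL list output is reduced to one
# "host port1,port2,..." line per host so nmap only version-scans ports masscan
# already saw open.
set -eu

# Constructed sample of masscan -oL output (format: open <proto> <port> <ip> <ts>).
SAMPLE_MASSCAN_LIST='#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
open tcp 3306 10.0.0.9 1700000002
open tcp 22 10.0.0.5 1700000003
# end'

# masscan_to_targets: read masscan -oL text on stdin and print "host ports"
# lines, one per host, ports comma-separated, deduplicated and sorted.
# Comment lines (#masscan, # end) and non-TCP records are skipped.
masscan_to_targets() {
  awk '$1 == "open" && $2 == "tcp" { ports[$4] = ports[$4] " " $3 }
       END { for (h in ports) print h, ports[h] }' |
  while read -r host rest; do
    # $rest is unquoted on purpose so each port becomes its own printf argument.
    printf '%s %s\n' "$host" "$(printf '%s\n' $rest | sort -nu | paste -s -d, -)"
  done | sort
}

# build_scan_commands: turn each "host ports" line into the nmap command that
# version-scans exactly those ports (-Pn, since masscan already proved the host
# is up) and writes greppable output (-oG), the format brutespray consumes.
# $1 is the output directory (name assumed for this example).
build_scan_commands() {
  outdir=$1
  while read -r host ports; do
    printf 'nmap -sV -Pn -p %s -oG %s/%s.gnmap %s\n' "$ports" "$outdir" "$host" "$host"
  done
}

# Dry run: print the nmap commands that would follow the masscan sweep. Execute
# them only against hosts you are authorised to test; the resulting .gnmap files
# are what you hand to brutespray (its flag names differ between versions, so
# check brutespray --help before wiring the last step).
printf '%s\n' "$SAMPLE_MASSCAN_LIST" | masscan_to_targets | build_scan_commands results
```

The dry run over the sample prints two nmap commands, one for 10.0.0.5 with -p 22,80 and one for 10.0.0.9 with -p 3306; the duplicate port 22 record for 10.0.0.5 is collapsed, which matters because masscan can report the same port more than once when retransmissions are answered.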

Installation

The installation is quite simple. The script checks for its dependencies and downloads them if they are not present on your system. Open a terminal in Kali Linux and type the following commands:

git clone https://github.com/JuanSchallibaum/masspwn
cd masspwn
chmod +x masspwn.sh
./masspwn.sh --help

Usage

./masspwn.sh -h [CIDR | HOSTS LIST] -p[PORT RANGE] -o [OUTPUT DIRECTORY] <OPTIONS>

Optional arguments:

-u  | --users [USERS WORDLIST]            Specify a custom wordlist of usernames for the brute force
-pw | --passwords [PASSWORDS WORDLIST]    Specify a custom wordlist of passwords for the brute force
-r  | --rate [PACKETS PER SECOND]         Set the packets per second masscan sends to find open ports
-t  | --threads [BRUTEFORCE THREADS]      Set the number of threads brutespray uses for the brute force
--help                                    Show this help message and exit

Note that -h is the hosts argument, so the help message is only available through the long form --help.

Examples

./masspwn.sh -h 172.217.0.0/16 -p1-65535 -r 10000 -t 100 -o google

The previous command scans all ports of the hosts in 172.217.0.0/16 (a Google range) sending 10000 packets per second, brute-forces the logins of the discovered services with brutespray's default credential lists using 100 threads, and saves the results in the 'google' folder.

./masspwn.sh -h host_list.txt -p1-1000 -u /usr/share/wordlists/users.txt -pw /usr/share/wordlists/passwords.txt -o results

The previous command scans ports 1 to 1000 of the hosts listed in host_list.txt at the default rate of 600 packets per second, brute-forces the logins of the discovered services with the custom user and password wordlists using the default 6 threads, and saves the results in the 'results' folder. (The passwords wordlist takes -pw, not -p, since -p is the port range.)

Credits

This bash script is quite simple, but very powerful thanks to the previously mentioned tools it uses:

masscan made by Robert David Graham
nmap made by Gordon Lyon
brutespray made by Shane Young
Medusa made by Joe Mondloch

and the workflow it follows is inspired by Jason Haddix's Bug Bounty Hunter Methodology v3 talk.

Disclaimer

Usage of masspwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
