
Smartish HTTP file discovery brute force scanning tool

Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0).

Bronson

Bronson is an HTTP brute force path scanning tool. It uses wordlists and permutations of those lists to discover objects on a target webserver, with a variety of measures to hamper blocking or detection.


Support is offered for generation of permutations of filenames, by using the filename and extension lists. All filenames are combined with all extensions to generate a complete list.

Bronson uses requests-futures to very quickly cover a large number of requests in parallel and as a result is quite fast.

Creating an attack

A Bronson attack is started by running a command like this:

./bronson.py --domain site-to-attack.example.com --config ./config.example.yaml

Configuration

⚠️ For Bronson to be useful, configure it with more extensive wordlists than the ones provided. ⚠️

Bronson supports configuration via a YAML file - see config.example.yaml for an example. This file is largely comprised of definitions of wordlists and related files.

Files will be scanned for based on the permutations of the filename and extension lists - for example, a filename list of ["test", "lol", "derp"] and an extension list of ["txt", "html"] will result in a file list of ["test.txt", "test.html", "lol.txt", "lol.html", "derp.txt", "derp.html"].

User agents

Multiple user agents can be configured via the user_agents stanza which allows a list of agents. A random user agent will be chosen on a per-request basis by default. If no user agents are configured, a very obvious user agent will be used as an alternative.

In order to evade some basic WAF detection methods, the "jitter" factor with which user agents are selected can be customised. The user_agent_jitter configuration option controls how often a new user agent will be selected - a jitter factor of 3 will change UA every 3 requests. The speed at which concurrent requests are made means that it cannot be guaranteed that the requests will be strongly ordered, but the requests will be limited in their spread.

Proxies

In the same fashion as user agents, proxies can be configured to be used at random: if multiple proxies are included in the proxies key in the configuration file, one proxy will be randomly selected per request. If this section is empty or absent, no proxy will be used. If using proxies, ensure that your selection of proxies corresponds to that of the site you are scanning. If no appropriate proxy is available, the proxy will simply be bypassed.

HTTP methods

By default, the HTTP method used for file discovery is GET. HEAD can also be used, or the discovery_method config option can be set to the special method "mix", which randomly chooses between the two. POST is also available but will produce strange results in most cases.
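From the defending side, rotating user agents and mixing GET with HEAD does not hide the shape of this traffic: one client still requests a dense filename × extension grid and mostly gets 404s. The following is an added example, not part of Bronson or its repository; the log lines, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from posixpath import basename, splitext

# Combined Log Format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def _line(ip, method, path, status, ua):
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

# Constructed sample: one client walking the README's 3x2 filename/extension grid with a
# user agent change every 3 requests and mixed GET/HEAD, plus one ordinary browsing client.
GRID = [(f, e) for f in ("test", "lol", "derp") for e in ("txt", "html")]
SAMPLE = [_line("198.51.100.7", "HEAD" if i % 2 else "GET", f"/{f}.{e}",
                200 if (f, e) == ("test", "html") else 404, f"ExampleUA/{i // 3}")
          for i, (f, e) in enumerate(GRID)]
SAMPLE += [_line("203.0.113.20", "GET", p, 200, "Browser/1.0")
           for p in ("/", "/index.html", "/style.css", "/logo.png", "/about.html", "/contact.html")]

def summarise(lines):
    """Group parsed requests by client IP and collect scan indicators."""
    per_ip = defaultdict(lambda: {"n": 0, "miss": 0, "uas": set(), "methods": set(),
                                  "stems": set(), "exts": set(), "files": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status, ua = m.groups()
        s = per_ip[ip]
        s["n"] += 1
        s["miss"] += status == "404"
        s["uas"].add(ua)
        s["methods"].add(method)
        stem, ext = splitext(basename(path.split("?", 1)[0]))
        if stem and ext:
            s["stems"].add(stem); s["exts"].add(ext); s["files"].add(stem + ext)
    return per_ip

def flag_scanners(lines, min_requests=6, min_miss_ratio=0.6, min_grid=0.8):
    """Return {ip: indicators} for clients whose requests densely cover a stem x extension grid."""
    flagged = {}
    for ip, s in summarise(lines).items():
        cells = len(s["stems"]) * len(s["exts"])
        grid = len(s["files"]) / cells if cells else 0.0  # 1.0 = every combination requested
        miss = s["miss"] / s["n"]
        if s["n"] >= min_requests and len(s["exts"]) > 1 and miss >= min_miss_ratio and grid >= min_grid:
            flagged[ip] = {"requests": s["n"], "miss_ratio": round(miss, 2), "grid_density": round(grid, 2),
                           "user_agents": len(s["uas"]), "methods": sorted(s["methods"])}
    return flagged

if __name__ == "__main__":
    print(flag_scanners(SAMPLE))
```

Grouping by client IP is an assumption of this sketch; requests spread across several proxies would need a different grouping key, such as the target host within a time window.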

Cookies

Cookies can be passed on a per-attack basis via the --cookie switch. This can be provided multiple times to add multiple cookies.

Blacklist

If a path is to be skipped (sensitive path, very large file etc), config.yaml accepts a list of files to ignore under the blacklist heading. Currently only full paths are supported.

HTTP authentication

HTTP authentication headers can be set as a key:value pair via the --auth command line argument.

Arbitrary headers

Similar to HTTP auth and cookies, arbitrary headers can be set via the --header switch as key:value arguments.

To scan a host on a particular IP address that doesn't correspond to a domain (for example a host behind a CDN or anti-DDoS system), use the IP address in the --domain switch and set the Host header to the domain using --header.

Output

Currently JSON and plaintext are supported for output (via the --output command line switch), with plaintext being the default.

Dependencies

Bronson relies on requests, requests-futures and other libraries. The dependencies can be installed in a virtualenv by running make virtualenv_run and the virtualenv can then be activated by running source virtualenv_run/bin/activate.

Bronson requires Python 3.