[HN Gopher] Bjorn: A powerful network scanning and offensive sec...
___________________________________________________________________
Bjorn: A powerful network scanning and offensive security tool for
Raspberry Pi
Author : ulrischa
Score : 145 points
Date : 2024-11-10 18:30 UTC (1 days ago)
(HTM) web link (github.com)
| notsofast24 wrote:
| Preparing my honeypot right now:
| https://github.com/infinition/Bjorn/blob/9ea706ccc03437a9dd1...
| neilv wrote:
| Nice catch. IMHO, it's a little too obvious, so probably not a
| bugdoor. Maybe someone who knows better wasn't getting enough
| sleep.
| IshKebab wrote:
| Python is a pretty big "I don't know what I'm doing" flag so
| I wouldn't be too surprised. Not always of course - there are
| plenty of well written Python projects - but Python and
| JavaScript are so popular for beginners that projects written
| by beginners tend to concentrate in those languages.
| 2-3-7-43-1807 wrote:
| and you know what you're doing, don't you? lol
| IshKebab wrote:
| Yes I do know how to avoid basic string injection
| vulnerabilities.
| handwarmers wrote:
| sit down rust boy.
| mikeweiss wrote:
| Can someone explain for those of us who aren't as savvy?
| tecleandor wrote:
| I know just a little bit of python and that looks like it
| does what the description says. Maybe I wouldn't use
| subprocess but do it via the standard lib.
|
| What should we be looking for in the code?
| craigds wrote:
| shell=True is a security risk unless you're very careful
| with escaping inputs. In this case any filename with a
| `;` in it (or various other shell characters) will run
| arbitrary commands on the attacker's computer.
|
| best to pass a list of arguments to subprocess rather
| than a string, and avoid shell=True
| sandreas wrote:
| I never understood why there even is an API for using a
| string...
|
| Same for SQL statements, single quotes in a query string
| should generate a warning to just use prepared statements
| instead :-)
| tapanih wrote:
| With a well-crafted filename, you can run arbitrary
| commands on the attacker's computer.
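
Added example, not part of the thread and not Bjorn's code: the `shell=True` problem craigds and tapanih describe, shown with a hypothetical `cat` call on a constructed file name, next to the argument-list, escaped-string and standard-library alternatives raised in the replies. It assumes a POSIX system with `sh` and `cat`; all function names are illustrative.

```python
import os
import shlex
import subprocess
import tempfile


def read_unsafe(filename, cwd):
    # Vulnerable pattern: the name is pasted into a string that /bin/sh parses,
    # so ';' in the name ends the cat command and starts another one.
    cmd = f"cat {filename}"
    return subprocess.run(cmd, shell=True, cwd=cwd,
                          capture_output=True, text=True).stdout


def read_list_args(filename, cwd):
    # Hardened: argument list, no shell. The name reaches cat as one argv entry;
    # "--" stops a name starting with '-' from being read as an option.
    return subprocess.run(["cat", "--", filename], cwd=cwd,
                          capture_output=True, text=True).stdout


def read_quoted(filename, cwd):
    # If a shell string is unavoidable, quote every untrusted piece.
    cmd = f"cat -- {shlex.quote(filename)}"
    return subprocess.run(cmd, shell=True, cwd=cwd,
                          capture_output=True, text=True).stdout


def read_stdlib(filename, cwd):
    # Standard-library route: no child process, nothing to parse.
    with open(os.path.join(cwd, filename), encoding="utf-8") as fh:
        return fh.read()


def demo():
    # Constructed, harmless file name containing a shell metacharacter.
    name = "notes.txt; echo INJECTED"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write("file contents\n")
        readers = (read_unsafe, read_list_args, read_quoted, read_stdlib)
        return {fn.__name__: fn(name, tmp) for fn in readers}


if __name__ == "__main__":
    for reader, output in demo().items():
        print(f"{reader:15} -> {output!r}")
```

Only `read_unsafe` returns the output of the `echo` embedded in the file name; the other three return the file's contents.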
| pvitz wrote:
| For the brute-force attack, THC's hydra could be used instead of
| reinventing the wheel. Or are there licensing issues involved?
| 3abiton wrote:
| I don't see the "selling value" of this, can you give me a qrd?
| StrauXX wrote:
| Hydra unifies brute forcing dozens of protocols into a
| singular (cli) API. It is useful in that you don't have to
| have dozens of tools for each kind of service you might want
| to enumerate, each with their own interfaces.
| pstoll wrote:
| If it ends up living up to the promise of the quality of the
| documentation (ie the README), I can't wait to try it. Also
| screenshots of the display look cool.
| insomagent wrote:
| The documentation looks a bit LLMish to me.
| alisaleh88 wrote:
| Which is good tbh, we get a quality write-up. LLMs have been around
| for 2 years now, but not all documentation uses them.
| bjored wrote:
| Looking at the SSH actions, the "brute force" attack is just
| iterating through a list of usernames and passwords from an
| external file. Wow. Much impress. So Hacker.
| ipnon wrote:
| Is there a simpler approach than dictionary attack?
| PhilipRoman wrote:
| Take a look at the list of CVEs and start hammering, chances
| are the SSH server was last updated some time around 2010.
| assanineass wrote:
| I know I'm just a troll account but I can't believe all it takes
| to get 1k stars on GitHub is just rewriting an automated file
| transfer script using five different protocols and claiming it's
| some powerful offensive capability lmfao
| Fuzzwah wrote:
| You are more than a troll account.
| tveita wrote:
| There's also a cute display which I assume is much of the
| appeal.
|
| The sophistication of the scanner seems a bit oversold at the
| moment.
| miah_ wrote:
| If this integrated with Metasploit or some other tooling I might
| be impressed. The graphics are cool though.
| boomskats wrote:
| Ahh yeah Bjorn, my pwnagotchi's new older brother. I really hope
| he can cheer him up - the little guy hasn't been the same ever
| since daddy decided he was more interested in penetrating that
| cups server.
___________________________________________________________________
(page generated 2024-11-11 23:02 UTC)