Note: Keep in mind that each command outlined below can be supplied via a YAML file, making it significantly easier to manage complex lockout configurations.
pip3 install bl-bfg

View the available modules by running the command below. A section titled "Brute Force Modules"
will be displayed. I'll use testing.fake as an example, which allows us
to sample BFG/BruteLoops functionality without attacking a live service.
bfg cli brute-force --help

Use the manage-db subcommand to insert values into an SQLite database.
There are quite a few import methods here, but I'll demonstrate use of
import-spray-values for simplicity:
bfg cli manage-db import-spray-values -db /tmp/test.db \
--usernames username1 username2 \
--passwords password1 password2

Use the brute-force subcommand to start the attack.
bfg cli brute-force -db /tmp/test.db \
--parallel-guess-count 4 \
--threshold-jitter-min 15s --threshold-jitter-max 30s \
testing.fake \
--username username1 --password password2

This should result in an attack being executed where a 15-30 second wait occurs between guess attempts for each user.
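
From the defender's side, the per-user pacing described above leaves a recognizable cadence in authentication logs. The following is an added example, not part of BFG/BruteLoops: it flags accounts whose failed logins are consistently spaced inside a configured band. The log format, the function names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not output from BFG or any real service).
SAMPLE_LOG = """\
2024-01-01T10:00:00 user=username1 result=FAIL
2024-01-01T10:00:02 user=username2 result=FAIL
2024-01-01T10:00:05 user=alice result=FAIL
2024-01-01T10:00:08 user=alice result=OK
2024-01-01T10:00:21 user=username1 result=FAIL
2024-01-01T10:00:29 user=username2 result=FAIL
2024-01-01T10:00:44 user=username1 result=FAIL
2024-01-01T10:00:47 user=username2 result=FAIL
2024-01-01T10:01:12 user=username1 result=FAIL
"""

def failure_gaps(log_text):
    """Map each user to the seconds between consecutive failed logins."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        stamp, user, result = fields
        if result == "result=FAIL":
            name = user.split("=", 1)[1]
            times[name].append(datetime.fromisoformat(stamp))
    gaps = {}
    for name, stamps in times.items():
        stamps.sort()
        gaps[name] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps

def flag_paced_failures(log_text, min_gap=15, max_gap=30, min_failures=3):
    """Users with >= min_failures failures whose gaps all sit in [min_gap, max_gap].

    The band is an assumed detection threshold; in real logs, allow some
    slack on both ends for request latency.
    """
    flagged = []
    for name, gaps in failure_gaps(log_text).items():
        enough = len(gaps) + 1 >= min_failures
        if enough and all(min_gap <= g <= max_gap for g in gaps):
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_paced_failures(SAMPLE_LOG))
```

A user who mistypes a password once and then logs in, like `alice` in the sample, is not flagged because a single failure produces no gap to measure.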