-
-
Notifications
You must be signed in to change notification settings - Fork 86
Recipes
Legba recipes are YAML files wrapping specific command line options and use cases, you can look at them as a templating engine for Legba. They are a convenient tool to alias otherwise complex arguments as a single mnemonic word.
A "cookbook" with a few examples is available here. For instance, this is the recipe to bruteforce a MS Exchange server via its auth.owa endpoint:
description: Microsoft Exchange bruteforce via OWA endpoint.
author: evilsocket
plugin: http
args:
target: "{$schema or https}://{$host}:{$port or 443}/owa/auth.owa"
http-method: POST
http-success-codes: 302
http-success-string: set-cookie
http-payload: destination={$schema or https}://{$host}:{$port or 443}/&flags=4&username={USERNAME}&password={PASSWORD}
This complex command line can now be executed simply via:
legba \
-R cookbook/http/ms-exchange/owa.yml \
-U users.txt \
-P passwords.txt \
"host=ms-server.local"
Recipes support a minimal template engine with the {$variable_name or default_value}
syntax (or just {$variable_name}
to make it mandatory for the user to provide). Each variable can be set via command line as:
legba \
-R cookbook/http/ms-exchange/owa.yml \
-U users.txt \
-P passwords.txt \
"host=ms-server.local&port=8443"
Another way of using recipes is including common dictionaries within their folder and referencing them in the YAML so that everything for that use case is self contained.
For instance, the CVE-2023-46805 recipe contains a payloads.txt file that's being referenced like this:
description: Tests one or multiple hosts for CVE-2023-46805.
author: https://twitter.com/assetnote/status/1747525904551842097
plugin: http.enum
args:
target: "{$schema or https}://{$host}:{$port or 443}{$path or /}"
payloads: "{$recipe.path}/payloads.txt"
http-success-codes: "{$success_code or 200}"
http-success-string: "Destination host"
http-method: POST
Another example is the LFI vulnerability testing recipe:
description: Performs common local file inclusion (LFI) vulnerabilities fuzzing.
author: evilsocket
plugin: http.enum
args:
target: "{$schema or https}://{$host}:{$port or 443}{$path or /}"
payloads: "{$recipe.path}/dictionary.txt"
http-success-codes: "{$success_code or 200}"
http-success-string: "root:"
- Installation and Building
- Usage & Main Options
- REST API
- Recipes
- Plugins
- AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace)
- DNS
- FTP
- HTTP
- IMAP
- Kerberos
- LDAP
- MongoDB
- MQTT
- Microsoft SQL
- MySQL
- Oracle
- Port Scanner
- PostgreSQL
- POP3
- RDP
- Redis
- Samba
- ScyllaDB / Cassandra
- SSH / SFTP
- SMTP
- SOCKS5
- STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ)
- Telnet
- VNC
- Custom Binary