This is a personal exploration into brute-forcing Sophos login credentials. It's meant for educational purposes and to understand the mechanics behind brute-force attacks.
This project attempts to brute-force the Sophos login credentials for university students. The underlying idea at the core is that everyone's passwords are picked from a repeating set of finite randomized combinations, and hence are not truly random. The script goes through every username for a given password to find matches.
-
It requires atleast one correct credential pair which are taken from the Environment Variables
SOPHOS_USERNAME
andSOPHOS_PASSWORD
. -
Potential passwords are read from
passwords.csv
and successful logins are written tomatched.csv
. -
It tries logging in with different username and password combinations and logs the results, parsing the XML responses to check the login status.
-
Iterates through each username and password combination. Sidesteps getting rate-limited by logging in and logging out with the legitimate credentials to reset the state after a few wrong attempts.
for the lolz :P
- Go: Make sure you have Go installed. If not, you can download it from here.
- Environment Variables: Set
SOPHOS_USERNAME
andSOPHOS_PASSWORD
with your correct credentials. - Should be connected to a Sophos Network.
-
Clone the Repository:
git clone https://github.com/exitflynn/gophos cd gophos
-
Prepare CSV Files:
- Create a
passwords.csv
file in the root directory with potential passwords. - Ensure you have a
matched.csv
file where successful logins will be recorded.
- Create a
-
Run the Script:
go run main.go