Legba is a multiprotocol credential bruteforcer and password sprayer designed for performance and resource efficiency, targeting security professionals and penetration testers. It leverages Rust and the Tokio asynchronous runtime to significantly outperform traditional tools like thc-hydra across various protocols.

How It Works

Built with Rust and Tokio, Legba utilizes an asynchronous, non-blocking I/O model. This allows it to manage a high number of concurrent network connections and operations efficiently, minimizing resource consumption (CPU, memory) compared to thread-per-connection or synchronous models. This approach is key to its claimed performance gains, especially in scenarios with many simultaneous connection attempts.

Quick Start & Requirements

• Install via cargo install legba.
• Requires Rust toolchain and Cargo.
• Official Wiki for building and usage: https://github.com/evilsocket/legba/wiki
• Recipes available at: https://github.com/evilsocket/legba-cookbook

Highlighted Details

• Supports over 20 protocols including HTTP (with CSRF support), SSH, RDP, SMB, Kerberos, and various databases.
• Claims up to 55x performance improvement over thc-hydra in benchmarks, particularly for SSH and HTTP basic auth.
• Includes DNS subdomain enumeration and TCP/UDP port scanning with banner grabbing.
• Can function as an MCP server for AI integration.

Maintenance & Community

• Active development indicated by recent feature additions (AI integration).
• Community server link provided in README.
• Star History link available.

Licensing & Compatibility

• Licensed under GPL-3.0.
• GPL-3.0 is a strong copyleft license, requiring derivative works to also be open-sourced under GPL-3.0. This may restrict commercial use or integration into closed-source applications without careful consideration.

Limitations & Caveats

The GPL-3.0 license may impose significant restrictions on commercial use or integration into proprietary software. The benchmark, while impressive, is limited to specific scenarios and hardware.