Author: Wiseman (wiseman@spray.se)
Filename: da_ipc_ftp.pl (former w2kbf.pl)
Current Version: 1.04
Created: 10th of November 2000
Last Changed: 4th of November 2004
-------------------------------------------------------------------------
Description:
------------------------------------------------------------------------
da_ipc_ftp.pl tries to find the Administrator password by testing
wordlist entries against either FTP or the IPC$ share.
It works best against a Windows 2000 target or higher.
It also works against NT 4, but much more slowly.
------------------------------------------------------------------------
Change History
------------------------------------------------------------------------

 1.04:
 Changed the name...
 Minor changes to improve speed. Actually this Perl-script is quite
 dated now 4 years after writing. There are other programs that
 target FTP or IPC, for instance "hydra" from "The Hacker's Choice"
 [http://www.thc.org/] but I couldn't get it to work as expected
 against SMB. I mailed the author, but he didn't get back to me so
 I stick with my own code for the time being.

 1.03: Minor bug fixed...again
 Added digits check to the mutatelevel...must have overlooked this one.

 I was in Washington DC and tried my script on NT4. I am not really sure
 if it is NT4 or that it was an American NT machine, but trying a
 blank password, that is a blank line in the passwordfile, gives an error.
 If you experience this, just delete the blank line in the passwordfile.

 It works for me though, but hey, I'm Swedish!

 1.02: Minor bugs fixed
 What can I say...A few bugs found again :-)
 Version 1.02 fixes the following bugs:

 An empty mutationlevel parameter (-m with no number after) will now show
 the correct syntax instead of generating an error.

 There was a minor bug that could - under certain circumstances -
 use the unmutated password, regardless of what mutatelevel the user
 chose. This is now fixed, for both FTP and IPC.


 1.01: Fixed Nasty Bug
 The script no longer uses the Win32::Lanman library due to a strange
 bug:

 Even though a password on a target system does indeed exist in the
 password file that my Perl-script uses, sometimes the script cannot
 discover this. Sometimes it can though and God knows why.
 I suspect the Servicepack 1 for Windows NT 2000 but have no real evidence
 for this. It doesn't matter though since this new, *improved* :-)
 version takes care of this. Sadly, the improved version is much slower
 against the IPC$-share :-(

 0.99:
 First version

 ------------------------------------------------------------------------
 Known Issues: 1
 ------------------------------------------------------------------------
 The script doesn't like certain characters in the password file and
 may behave strangely if it encounters them.
 The characters that produce these strange effects can be placed after
 a \ which will partly resolve the problem. The * character messes things
 up regardless of whether a \ is placed in front of it or not.

 ------------------------------------------------------------------------
 Known Issues: 2
 ------------------------------------------------------------------------
 The sanitization routine doesn't work as it should. When I tried to
 precede the characters mentioned above with a \ in the textfile
 everything is OK, but in the array in memory it doesn't work
 as it should.
 For now don't use special characters in the password list.

 ------------------------------------------------------------------------
 The Usual Disclaimer:
 ------------------------------------------------------------------------
 This script is written AS-IS and will not be supported.
 Wiseman is not responsible for the script's misuse and is not responsible
 for any damage resulting from running this script.
 It is *not* my fault so stop complaining


 ------------------------------------------------------------------------
 Syntax:
 ------------------------------------------------------------------------

 perl da_ipc_ftp.pl -i <IP-address of target> -p <name of passwordfile> [-sort -m <0-7> ]

    Mandatory switches:
    -------------------
        -i <IP-address of target>
        -p <name of passwordfile>

    Optional switches:
    ------------------
        -sort    : Sorts passwords *in memory only*
        -m <0-7> : Mutates the passwords

    Mutate Level Description:
    -------------------------
        Mutate Level 0 - password (Default)
        Mutate Level 1 - password, Password
        Mutate Level 2 - password, password0 -> password9
        Mutate Level 3 - Level 1+2 combined
        Mutate Level 4 - password, password0 -> password99
        Mutate Level 5 - Level 1+4 combined
        Mutate Level 6 - password, password0 -> password999
        Mutate Level 7 - Level 1+6 combined


 Because the script mutates the passwords in memory instead of saving the
 mutations in a file on disk, the disk and memory demands stay lower.
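
 Added example (not part of da_ipc_ftp.pl and not written by its author):
 a password-screening check that reports the lowest mutate level at which a
 chosen password would be reached from a wordlist, without expanding the list.
 Assumptions: "Password" means first letter uppercased, numeric suffixes are
 unpadded decimals, and the name lowest_mutate_level is hypothetical.

```python
from typing import Iterable, Optional

DIGITS = set("0123456789")
# Digits in the numeric suffix -> lowest even mutate level that appends it.
# Assumption: suffixes are unpadded decimals (0-9, 0-99, 0-999), so "07" is
# not treated as generated; the README does not say either way.
SUFFIX_LEVEL = {0: 0, 1: 2, 2: 4, 3: 6}


def _splits(candidate: str):
    """Yield each (stem, suffix) reading of candidate with a 0-3 digit suffix."""
    yield candidate, ""
    for n in (1, 2, 3):
        stem, num = candidate[:-n], candidate[-n:]
        if stem and set(num) <= DIGITS and (n == 1 or num[0] != "0"):
            yield stem, num


def lowest_mutate_level(candidate: str, wordlist: Iterable[str]) -> Optional[int]:
    """Return the lowest level (0-7) that reaches candidate, or None."""
    words = set(wordlist)
    best = None
    for stem, num in _splits(candidate):
        if stem in words:
            cap = 0  # stem appears in the list exactly as written
        elif stem and stem[0].isupper() and stem[0].lower() + stem[1:] in words:
            cap = 1  # assumption: "Password" means first letter uppercased
        else:
            continue
        level = SUFFIX_LEVEL[len(num)] | cap  # odd levels add capitalisation
        best = level if best is None else min(best, level)
    return best


if __name__ == "__main__":
    # Constructed sample data, not taken from any real wordlist.
    sample_words = ["password", "letmein", "Summer"]
    for pw in ["password", "Password", "letmein7", "Password999",
               "password1000", "correct-horse"]:
        level = lowest_mutate_level(pw, sample_words)
        verdict = "reject (level %d)" % level if level is not None else "not in mutation space"
        print("%-14s %s" % (pw, verdict))
```

 A password-change hook can reject any candidate for which the function
 returns a level, using the same wordlists an auditor would test with.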





