Author: Wiseman (wiseman@spray.se)
Filename: da_ipc_ftp.pl (former w2kbf.pl)
Current Version: 1.04
Created: 10th of November 2000
Last Changed: 4th of November 2004

-------------------------------------------------------------------------
Description:
-------------------------------------------------------------------------
da_ipc_ftp.pl enumerates the Administrator password by targeting either
FTP or the IPC$ share with wordlists. This works best on a Windows 2000
target or higher; it will work on NT 4 too, but much slower.

-------------------------------------------------------------------------
Change History
-------------------------------------------------------------------------
1.04: Changed the name...
      Minor changes to improve speed.
      Actually this Perl script is quite dated now, 4 years after writing.
      There are other programs that target FTP or IPC, for instance "hydra"
      from "The Hackers Choice" [http://www.thc.org/], but I couldn't get it
      to work as expected against SMB. I mailed the author, but he didn't
      get back to me, so I stick with my own code for the time being.

1.03: Minor bug fixed...again
      Added digits check to the mutate level...must have overlooked this one.
      I was in Washington DC and tried my script on NT4. I am not really
      sure if it is NT4 or that it was an American NT machine, but trying a
      blank password, that is a blank line in the password file, gives an
      error. If you experience this, just delete the blank line in the
      password file. It works for me though, but hey, I'm Swedish!

1.02: Minor bugs fixed
      What can I say...A few bugs found again :-)
      Version 1.02 fixes the following bugs:
      - An empty mutation level parameter (-m with no number after) will now
        show the correct syntax instead of generating an error.
      - There was a minor bug that could - under certain circumstances - use
        the unmutated password, regardless of what mutate level the user
        chose. This is now fixed, for both FTP and IPC.

1.01: Fixed Nasty Bug
      The script no longer uses the Win32::Lanman library due to a strange
      bug: Even though a password on a target system indeed exists in the
      password file that my Perl script uses, sometimes the script cannot
      discover this. Sometimes it can though, and God knows why. I suspect
      Service Pack 1 for Windows NT 2000 but have no real evidence for this.
      It doesn't matter though, since this new, *improved* :-) version takes
      care of this. Sadly, the improved version is much slower against the
      IPC$ share :-(

0.99: First version

-------------------------------------------------------------------------
Known Issues: 1
-------------------------------------------------------------------------
The script doesn't like certain characters in the password file and may
behave strangely if it encounters them. The characters that produce these
strange effects can be placed after a \ which partly resolves the problem.
The * character messes things up regardless of whether a \ is placed in
front of it or not.

-------------------------------------------------------------------------
Known Issues: 2
-------------------------------------------------------------------------
The sanitization routine doesn't work as it should. When I tried to precede
the characters mentioned above with a \ in the text file everything is OK,
but in the array in memory it doesn't work as it should. For now, don't use
special characters in the password list.

-------------------------------------------------------------------------
The Usual Disclaimer:
-------------------------------------------------------------------------
This script is written AS-IS and will not be supported.
Wiseman is not responsible for the script's misuse and is not responsible
for any damage resulting from running this script.
It is *not* my fault, so stop complaining.

-------------------------------------------------------------------------
Syntax:
-------------------------------------------------------------------------
perl da_ipc_ftp.pl -i -p [-sort -m <0-7>]

Mandatory switches:
-------------------
-i
-p

Optional switches:
------------------
-sort    : Sorts passwords *in memory only*
-m <0-7> : Mutates the passwords

Mutate Level Description:
-------------------------
Mutate Level 0 - password (Default)
Mutate Level 1 - password, Password
Mutate Level 2 - password, password0 -> password9
Mutate Level 3 - Level 1+2 combined
Mutate Level 4 - password, password0 -> password99
Mutate Level 5 - Level 1+4 combined
Mutate Level 6 - password, password0 -> password999
Mutate Level 7 - Level 1+6 combined

By mutating in memory from the script instead of saving the mutation in a
file on disk you can keep the disk and memory demands lower.
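An added example, not part of da_ipc_ftp.pl, that models the mutate level table above from the auditing side: it expands one wordlist entry into the candidate set each level produces, counts those candidates (which is what the in-memory argument is about), and reports the lowest level at which a chosen password would be reached. It assumes "Level 1+2 combined" means the union of the two listed sets, since the README does not say whether the capitalised form also receives digit suffixes.

```python
"""Added example (not part of da_ipc_ftp.pl): model the documented mutate
levels 0-7 to audit whether a chosen password is reachable from a wordlist."""
from typing import Iterable, Iterator, Optional

# Highest digit suffix appended per level (None = no suffixes), per the
# Mutate Level table: levels 2/3 -> 0..9, 4/5 -> 0..99, 6/7 -> 0..999.
_DIGIT_MAX = {0: None, 1: None, 2: 9, 3: 9, 4: 99, 5: 99, 6: 999, 7: 999}
# Odd levels add the capitalised form ("password" -> "Password").
_CAPITALIZE = {1, 3, 5, 7}


def mutations(word: str, level: int) -> Iterator[str]:
    """Yield the candidates one wordlist entry expands to at the given level.

    Assumption: "Level 1+2 combined" is read as the union of the two lists,
    so digit suffixes are appended to the lowercase form only.
    """
    if level not in _DIGIT_MAX:
        raise ValueError("mutate level must be 0-7")
    yield word
    if level in _CAPITALIZE:
        yield word[:1].upper() + word[1:]
    if _DIGIT_MAX[level] is not None:
        for n in range(_DIGIT_MAX[level] + 1):
            yield f"{word}{n}"


def candidate_count(level: int) -> int:
    """Candidates generated per wordlist entry; this is the expansion that
    would land on disk if mutation were not done in memory (1002 at level 7)."""
    return sum(1 for _ in mutations("x", level))


def weakest_level(password: str, wordlist: Iterable[str]) -> Optional[int]:
    """Lowest mutate level at which `password` appears for some wordlist
    entry, or None if no level 0-7 reaches it (a blank entry models the
    blank-password case mentioned in the 1.03 note)."""
    words = list(wordlist)
    for level in range(8):
        for word in words:
            if password in mutations(word, level):
                return level
    return None


if __name__ == "__main__":
    # Constructed sample wordlist, not a real password file.
    sample = ["", "summer", "password", "admin"]
    for pw in ("password", "Password", "password7", "admin42", "P@ss"):
        print(pw, "->", weakest_level(pw, sample))
```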