
Tue, 1 Jan 2008

vbscript bruteforcing

When we first wrote the vbscripting bruteforcer I thought it was marginally cute and a real last-shot type of tool. In the past 2 months it's saved our ass twice, so I thought I'd post it again..

The situation.. Uninstalling Pointsec from our machines.. the uninstaller needs 2 admin passwords (spadmin1 && spadmin2).

The 2 guys who managed the rollout seem to recall that the passwords were Aaaaaa69Bbbb69Ccccccc (or some variation of it) for spadmin1 and Xxxxxxx69Yyyyyy69Zzzzzzz (or some variation of it) for spadmin2. (The variation could be uppercase, lowercase, 68 instead of 69, camelcaps.) All of this in an unpredictable permutation.. i.e. it could be aaaaaa69bbbb69ccccc && Xxxx68Yyyy68Zzzz.

Clearly this is perfect for automation.. and perfect for my lame vbs scripting trick..

So.. I mangled the following script:

-snip-

'Quick and Dirty .vbs bruteforcer
'haroon@sensepost.com

Dim objFSO, objTS, s, aFile
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTS = objFSO.OpenTextFile("words.txt")

'Now, read the contents of the file into a string
s = objTS.ReadAll
'Now, use split to load the contents of the file into an array
aFile = split(s, vbCrLf)
'Same word list is used for both password fields
bFile = aFile

Msgbox "Passwords Loaded..",,"Dirty Script"

Set WshShell = CreateObject("WScript.Shell")

For Each pass in aFile
  For Each pass2 in bFile
    'Show the pair about to be tried (the loop pauses here until OK is clicked)
    Msgbox "pass1 = " & pass & vbCrLf & "pass2 = " & pass2

    'Bring the application to the foreground
    WshShell.AppActivate "InstallShield Wizard - Pointsec Uninstallation"
    WScript.Sleep 200

    'Wait until the wizard window can actually be activated
    While WshShell.AppActivate("InstallShield Wizard - Pointsec Uninstallation") = False
      WScript.Sleep 1000
    Wend

    'Send tab, fill both password fields, tab to the button and press Enter
    WshShell.SendKeys "{TAB}"
    WshShell.SendKeys pass
    WshShell.SendKeys "{TAB}"
    WshShell.SendKeys "{TAB}"
    WshShell.SendKeys pass2
    WshShell.SendKeys "{TAB}"
    WshShell.SendKeys "{ENTER}"

    'If the error dialog shows up within a second, dismiss it and try the next pair;
    'no error dialog is treated as success
    WScript.Sleep 1000
    If WshShell.AppActivate("Pointsec : Error") = True Then
      WshShell.SendKeys "{ENTER}"
    Else
      Msgbox "Password1 = " & pass & vbCrLf & "Password2 = " & pass2,,"Gotcha!!!"
      WScript.Quit
    End If
  Next
Next

-snip-

The result.. about 4 seconds from click to success! :>

[screenshot: Loaded.png] Then it loops….

[screenshot: Error.png] Till finally…

[screenshot: gotcha.png]

Like I mentioned previously.. the thing that makes it cool is that it abstracts the underlying complexity.. I don't need protocol dumps / traffic analysis to brute-force a strange server.. I just need their own client.. my vbs might totally suck, and is probably super inefficient.. and since I've used this excuse before, it's prolly time to get a decent .vbs book :>

/mh