===============
BForCoderz v1.0
===============

Introduction
------------

IRCoderZ encrypts hostnames with MD2 and MD5 hashes. For example:

    Hostname: sunigav.vaginus.org
    Crypted:  72CE7A3B.vaginus.org

This is a stupid hostname hash: if the first char is divisible by 2, we use
an MD2 hash, otherwise we use an MD5 hash. We add the four uint32 of the hash
together to get another uint32. Finally, we put its hexadecimal value in the
first part of the hostname (before the first '.').

Now we can easily imagine how to decrypt them with a bruteforce attack. We
try all strings from 'a' to 'Z' (including digits and '-'), and we go on with
'aa' to 'ZZ', etc.

Installation
------------

Please read the INSTALL file.

Using it
--------

Finding a hostname from an encrypted hostname can take a long time. To
distribute the work, the BForCoderz architecture is:

- A server which accepts client connections and waits for a request from a
  user.
- Some bones which look for unencrypted hostnames when the server asks them
  to.
- A user who connects with a `telnet' client to ask the server to bruteforce
  an encrypted hostname.

        .--------.
        |  User  |<--------.
  .-----'--------'        4|
  |                        |
  |                        |3          .-------.
  | 1             .--------v---.   .-->| Bone4 |
  '-------------->|   Server   |---'2  '-------'
                  '------------'----.
              2.----'    '---.2     |2 .-------.
           .---v---.      .--v----. '->| Bone3 |
           | Bone1 |      | Bone2 |    '-------'
           '-------'      '-------'

1. User->Server:  "RUN CACA.vaginus.org %{1,3}$"
2. Server->Bone1: "CACA.vaginus.org a$"
   Server->Bone2: "CACA.vaginus.org b$"
   Server->Bone3: "CACA.vaginus.org c$"
   Server->Bone4: "CACA.vaginus.org d$"
   ..
3. Bone4->Server: "FOUND! d138.vaginus.org"
4. Server->User:  "Found! z138.vaginus.org IN x seconds"

Now, to use it you can install bforcoderz on several hosts, and create a
server with:

    me@host1$ ./bforcoderz -s

Run bforcoderz on all hosts (host1 too) with:

    me@hostx$ ./bforcoderz -c host1

Finally, to launch a bruteforce session, connect to host1 with:

    me@laptop$ telnet host1 1337
    Trying 192.168.0.2...
    Connected to sunigav.
    Escape character is '^]'.

and type:

    RUN 6A9DF01.cust.tele2.fr %?-?-?-?

Server will answer you:

    STARTED bruteforce on 6A9DF01.cust.tele2.fr (mask=%?-?-?-?), with currently 6 bones

And when it finds a hostname:

    FOUND! b13-145-44-142.cust.tele2.fr (in 1237s)
    FOUND! c59-182-96-132.cust.tele2.fr (in 2653s)
    ...

Masks
-----

The mask is used only on the hidden part of the host, and can contain the
following characters:

    % : one char in [a-z]
    ^ : one char in [A-Z]
    ! : one char in [a-zA-Z]
    * : one char in [a-zA-Z0-9-]
    $ : a number between 0 and 9
    ? : an ip (number between 0 and 255)

%, ^, ! and * are string based, and $ and ? are integers.

Strings:
  The default values for min and max are 1 and 1. min and max are the
  minimal and maximal length of the string. You can change them by adding
  this after the char: {min,max}
  For example:

    %{1,3} : one, two or three chars between 'a' and 'z'
    *{1,}  : all chars, at least 1 char.

Integers:
  min and max aren't the length of the string, but the minimal and maximal
  value that the integer can have. For $, the default values are min=0 and
  max=9. ? is an alias for ${0,255}

Constants:
  You can add any other char in the host, which will be constant.
  For example:

    %${1,3}-?-?-? : in this mask, - is constant.

More information
----------------

Author:  Romain Bignon
Website: http://bforcoderz.vaginus.org
Useless: Yes
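
The mask grammar from the Masks section, as an added example that is not part of BForCoderz: a parser that counts how many candidates a mask describes and how many of them are expected to share one 32-bit cloak, which is why a single RUN can report several FOUND! lines. It assumes a uniformly distributed hash, that an empty min in {min,max} keeps the default, and that ? takes no range; parse_mask, keyspace and expected_matches are names chosen here.

```python
import re

# Added example (not BForCoderz code). Class sizes come from the Masks section.
STRING_CLASSES = {"%": 26, "^": 26, "!": 52, "*": 63}
RANGE = re.compile(r"\{(\d*),(\d*)\}")
CLOAK_SPACE = 2 ** 32  # the cloak is one uint32 printed in hex


def parse_mask(mask):
    """Return a list of (kind, symbol, lo, hi) tokens; hi is None when open-ended."""
    tokens, i = [], 0
    while i < len(mask):
        ch = mask[i]
        i += 1
        if ch == "?":                      # alias for ${0,255}
            tokens.append(("int", "$", 0, 255))
            continue
        if ch not in STRING_CLASSES and ch != "$":
            tokens.append(("const", ch, 1, 1))
            continue
        kind = "int" if ch == "$" else "str"
        lo, hi = (0, 9) if kind == "int" else (1, 1)
        m = RANGE.match(mask, i)
        if m:
            lo = int(m.group(1)) if m.group(1) else lo   # assumption: empty min keeps default
            hi = int(m.group(2)) if m.group(2) else None
            i = m.end()
        if hi is not None and hi < lo:
            raise ValueError(f"empty range for {ch!r} in {mask!r}")
        tokens.append((kind, ch, lo, hi))
    return tokens


def keyspace(mask):
    """Number of candidate strings a mask describes."""
    total = 1
    for kind, sym, lo, hi in parse_mask(mask):
        if hi is None:
            raise ValueError(f"{sym!r} has no upper bound: the search never ends")
        if kind == "int":
            total *= hi - lo + 1
        elif kind == "str":
            total *= sum(STRING_CLASSES[sym] ** n for n in range(lo, hi + 1))
    return total


def expected_matches(mask):
    """Candidates expected to share one 32-bit cloak, assuming a uniform hash."""
    return keyspace(mask) / CLOAK_SPACE
```

For the mask %?-?-?-? the candidate space is 26 times larger than the 32-bit cloak space, so a cloak of this shape does not identify a single address even before any search is run.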