Old 07-30-2012, 02:45 AM   #1
wakatana
tcl/expect magic ssh dictionary password


Hi gurus, I am trying to do some expect/TCL magic. My goal is to write some kind of password guessing script (nearly similar to a dictionary attack against ssh). I read that this could be possible with expect/TCL. I am a newbie in this language, its functions and its terms, so please be patient.


The normal process of logging onto server looks like this:
Code:
SU-capitan:/home/unix/wakatana# ssh strom
This server is production server

wakatana's password: [TYPING CORRECT PASSWORD "unix"]
Authentication successful.
Your password has expired.  You are now forced to change it.
Last login: Fri Jul 27 2012 15:24:13 +0100 from capitan
Sun Microsystems Inc.   SunOS 5.10

Please note the following:
This server is production server

TERM = (unknown) [TYPED "xterm" AND PRESSED ENTER]
[SCREEN CLEARS AND SHELL APPEARS AS EXPECTED]
strom:/home/unix/wakatana$

However (probably due to ssh configuration - correct me if I am wrong), if I make a typo while typing the password I have another two chances:
Code:
SU-capitan:/home/unix/wakatana# ssh strom
This server is production server

wakatana's password:
wakatana's password:
wakatana's password:
warning: Authentication failed.
Disconnected; no more authentication methods available (No further authentication methods available.).
SU-capitan:/home/unix/wakatana#

So my goal is to try several passwords during login (it would be great to leverage all three chances for typing correct password, to prevent multiple connecting/disconnecting) and save some kind of report of this activity (for further processing).


My 1st attempt was the following lines. The problem with this is that this solution "works" only if the correct password is in the pass1 variable; however, I am still not able to catch the output in a friendly format. In fact, the output is not so straightforward that I can determine whether the login was successful or not.

Code:
SOURCE CODE:
-------------
#!/usr/local/bin/expect
set pass1 "unix1\n";
set pass2 "unix2\n";
set pass3 "unix\n";
set machine [lindex $argv 0];

spawn ssh -q "${machine}" "exit";
expect {
			-re "(P|p)assword:" {send ${pass1}; puts ${pass1}}
			-re "(P|p)assword:" {send ${pass2}; puts ${pass2}}
			-re "(P|p)assword:" {send ${pass3}; puts ${pass3}}
}
interact;


RESULT1:
---------
SU-capitan:/home/unix/wakatana# ./tcl1.tcl strom # pass1 contains WRONG pass
spawn ssh -q strom exit
wakatana's password: unix1

wakatana's password: [AT THIS POINT IT HANGS AND PRESSING ENTER IS REQUIRED]
wakatana's password: [AT THIS POINT IT HANGS AND PRESSING ENTER IS REQUIRED]


RESULT2:
---------
SU-capitan:/home/unix/wakatana# ./tcl1.tcl strom # pass1 contains CORRECT pass
spawn ssh -q strom exit
wakatana's password: unix

unix

Your password has expired.  You are now forced to change it.
TERM = (unknown) [TYPED "xterm" AND PRESSED ENTER]
[SCREEN CLEARS AND SHELL APPEARS AS EXPECTED]





The 2nd try was just a simple script which uses exp_continue, which is still unclear to me (and I would appreciate it if somebody could clear it up); however, it throws some errors:
Code:
SOURCE CODE:
--------------
#!/usr/local/bin/expect
set pass1 "unix\n";

set machine [lindex $argv 0];

spawn ssh -q "${machine}" "exit" ;
expect {
				-re "(P|p)assword:" { send ${pass1}; exp_continue}
}
			
puts "PASSWORD: ${pass1}"
interact;

RESULT1:
---------
SU-capitan:/home/unix/wakatana# ./tcl2.tcl strom # pass1 contains correct pass
spawn ssh strom exit
This server is production server

wakatana's password:
Authentication successful.
Your password has expired.  You are now forced to change it.
PASSWORD: unix

spawn_id: spawn id exp4 not open
    while executing
"interact"
    (file "./tcl2.tcl" line 13)
SU-capitan:/home/unix/wakatana#





The 3rd try was this; still some errors and awful output, useless for further processing:
Code:
SOURCE CODE:
--------------
#!/usr/local/bin/expect
set pass1 "unix\n";
set machine [lindex $argv 0];

spawn ssh -q "${machine}" "exit" ;
expect {
				-re "(P|p)assword:" { send ${pass1}; puts "PASSWORD: ${pass1}"; exp_continue}
}
interact;


RESULT:
--------
SU-capitan:/home/unix/wakatana# ./tcl3.tcl strom
spawn ssh -q strom exit
wakatana's password: PASSWORD: unix


Your password has expired.  You are now forced to change it.
spawn_id: spawn id exp4 not open
    while executing
"interact"
    (file "./tcl3.tcl" line 11)



The 4th try came after reading somewhere that expect consists of "expect pattern action pattern action..." and that an action can include another expect command. But after a closer look it is obvious that even if all three passwords are wrong, pass3 will be reported as the correct one. Also, this solution throws an error because it will "expect" a password even if the previous (e.g. pass2) attempt matched (see Result below).

Code:
SOURCE CODE:
--------------
#!/usr/local/bin/expect
global var "";
set pass1 "unix1\n";
set pass2 "unix\n";
set pass3 "unix2\n";
set machine [lindex $argv 0];

spawn ssh -q "${machine}" "exit" ;
expect {

			
			-re "(P|p)assword:" {
			send ${pass1};
			#puts ${pass1};
			set var ${pass1};
			expect {
						-re "(P|p)assword:" {
						send ${pass2};
						#puts ${pass2};
						set var ${pass2};
						expect {
						-re "(P|p)assword:" {
						send ${pass3};
						#puts ${pass3};
						set var ${pass3};
						}
						}
						}
			}
			}
}
puts "CORRECT PASSWORD IS: ${var}"
interact;




RESULT:
--------
SU-capitan:/home/unix/wakatana# ./tcl4.tcl strom
spawn ssh -q strom exit
wakatana's password:
wakatana's password:
Your password has expired.  You are now forced to change it.
CORRECT PASSWORD IS: unix

spawn_id: spawn id exp4 not open
    while executing
"interact"
    (file "./tcl4.tcl" line 33)


Questions
1. How does expect know when typing input is possible (when I can invoke send)?
- e.g. Is expect also capable of processing text that appears on screen but where (user) input is not expected (in normal circumstances)?
- or in other words, how does expect know if the app has input available or requires user interaction, or whatever the correct name is

2. Does TCL = Expect?
- or does expect use TCL?

3. Does expect support some kind of looping?
- e.g. If the same text appears on screen which will match the "expect" pattern (requesting password), a different "send" action will be called (passing the next element from an array)?
- in other words: How to "expect" the same pattern several times but "send" another string

4. Does expect support something opposite to regexp, or negation of regexp?
- e.g. expecting some string in a loop and calling send (passing password) but doing another action if expect won't match the string (password was guessed or chances expired)
- in other words: How to "expect" the same pattern several times and "send" another string, but after not matching "expect"

5. In my situation, when I just want to know the right password (connecting to the server and then exiting), is the command "interact" (or statement or whatever it is called) required?

6. What exactly does exp_continue do? It seems as if it won't wait for requested input until "send" is invoked; is there some timeout or something similar?
- e.g. is it possible to invoke "exp_continue" to repeat "send" but with different arguments, and when "expect" won't match, the exp_continue will break?

7. Is it possible to do some basic if else construction in input matching (in "expect")?
- I would also handle the following message: "continue connecting yes/no"

I hope you understand what I am trying to say. If somebody could help, I hope it will also be helpful for other expect/TCL newbies. Thank you very much.
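
Editor's added example (not part of the original post): how the server side can spot the activity described above, where several passwords are tried per connection and across reconnects, by counting failures per source and user instead of per connection. The log lines are constructed in OpenSSH syslog style, which is an assumption (the server in the post may log differently), and `find_guessing` and its thresholds are illustrative names and values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style (assumed format, not from the thread).
SAMPLE_LOG = """\
Jul 30 02:45:01 strom sshd[4101]: Failed password for wakatana from 192.0.2.10 port 40112 ssh2
Jul 30 02:45:03 strom sshd[4101]: Failed password for wakatana from 192.0.2.10 port 40112 ssh2
Jul 30 02:45:05 strom sshd[4101]: Failed password for wakatana from 192.0.2.10 port 40112 ssh2
Jul 30 02:45:09 strom sshd[4107]: Failed password for wakatana from 192.0.2.10 port 40115 ssh2
Jul 30 02:45:11 strom sshd[4107]: Accepted password for wakatana from 192.0.2.10 port 40115 ssh2
Jul 30 09:12:40 strom sshd[5200]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 30 09:12:48 strom sshd[5200]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def find_guessing(log_text, threshold=3, window=timedelta(minutes=5), year=2012):
    """Alert on (source, user) pairs with >= threshold failures inside the window.

    Keying on source and user (not the sshd PID) means reconnecting after the
    per-connection prompt limit does not reset the count. Each alert records
    whether a successful login followed the failures (a possible correct guess).
    """
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["user"])
        recent = [t for t in failures[key] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold:
                alerts[key] = {"failures": len(recent), "success_after": False}
        else:
            if key in alerts and recent:
                alerts[key]["success_after"] = True  # worth an account review
            failures[key] = []  # a successful login ends the failure run
    return alerts
```

A single mistyped password followed by a successful login, as in the `alice` lines, stays below the threshold and raises no alert.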