DonationCoder.com Software > N.A.N.Y. 2013

N.A.N.Y. 2013 Submission - FreeNAS Brute Forcer

(1/3) > >>

Renegade:
NANY 2013 Entry Information
Application Name FreeNAS Brute Forcer Version v1 Short Description Recover lost user names and passwords for FreeNAS Supported OSes Windows XP SP3, Windows Vista, Windows 7, Windows 8 Web Page http://cynic.me/2012/11/21/recover-lost-freenas-user-and-password/ Download Link http://cynic.me/wp-content/uploads/2012/11/FreeNAS-Brute-Forcer.zip System Requirements
* .NET 4Version History
* First release - v1Author https://www.donationcoder.com/forum/index.php?action=profile;u=2492;sa=summary

Description
I thought that I had forgotten my FreeNAS user name and password, so I wrote this little utility.

It is very simple - enter many possible user names and many possible passwords, and this will find the right combination of the 2 for you.

Instructions are in the program itself.

Check my blog post above (the program page) for more information about the program and why I wrote it.

Features
Brute forces the FreeNAS web interface to find your correct user name and password.

Planned Features
No future features are planned as it does what it is intended to do. If there is any interest in it, I may polish some more, depending on user feedback.

I will not turn this into a general brute force utility as that is too open to abuse.

Screenshots



Usage
Installation
Unzip the ZIP file then run the program. No installer. Source code is included.

Using the Application
There are directions in the program. Simply follow them. i.e.:

INSTRUCTIONS - IMPORTANT - READ THEM ALL:

1) Enter a list of possible user names.
2) Enter a list of possible passwords.
3) Enter the IP address of your FreeNAS box on your local network.
4) Click GO to load the login page.
5) Click the "Start Brute Force" button.

Once you are logged in:

1) Check the title bar for a user name/password pair.
2) Find that in the "User/password pairs" text box.
3) Your proper login is on the line above that.
4) Test it in your regular Internet browser.

SECURITY PRECAUTIONS:

1) To log out, click the "Clear Cookies" button.
2) When you are finished, click the "Securely Remove Users/Passwords" button so that you do not leave any traces of usernames/passwords. The program stores them in plain text while you are using it, and for the next time that you use it.

For more information, check http://cynic.me/.

Cheers,

Ryan

--- End quote ---

Uninstallation
Simply delete the file. No uninstallation is required.

HOWEVER - read the instructions... it saves your user names and passwords in plain text, but also includes a way to delete them.

Tips
If you have any problems, simply close the program, then reload it. Enter the proper IP address again and try again. It saves your users/passwords as they are longer.

Known Issues
No known issues with the software. However, the .NET WebBrowser control is based on the Trident engine (IE), and the FreeNAS web interface doesn't really like it, so once you are logged in, you need to go to your normal browser and login there to actually use FreeNAS.

wraith808:
Just a suggestion- you might want to limit it to local ips to even further close it off from abuse.

i.e.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
169.254.0.0 -169.254.255.255

Renegade:
Just a suggestion- you might want to limit it to local ips to even further close it off from abuse.

i.e.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
169.254.0.0 -169.254.255.255
-wraith808 (November 20, 2012, 11:50 PM)
--- End quote ---

Well, the source is available... so, it wouldn't be hard to change.  And it's unlikely that anyone has a front-facing FreeNAS box, so I kind of doubt that it can be reasonably used to attack off the LAN and on the WAN.

I thought about some additional features to make it more versatile, but decided that it does what it does, and anyone who wants to make it more general can easily do so. (e.g. I could turn it into a brute forcer for pretty much any web site pretty easily.) And the spammers already know all this stuff, so it's really only going to limit the low-grade spammer wannabes and script kiddies by not adding in more versatility - which is pretty much enough - you can't stop the more sophisticated professionals - they already have all this kind of stuff done anyways. e.g. A while back I needed a bunch of email addresses, so I slapped together a program to automatically create Gmail, Hotmail, and Yahoo email accounts from a list of usernames and passwords in a couple hours. It's not hard.

The only really cool thing in there is a tidbit of code to create N-ary Cartesian products. Found that at another site. It's pretty darn slick.

Ath:
Sounds useful, but I hope I don't need it... :huh:

Renegade:
Sounds useful, but I hope I don't need it... :huh:
-Ath (November 21, 2012, 03:23 AM)
--- End quote ---

Well, I posted it over at the FreeNAS forums... then found out that if you actually connect to the FreeNAS box, you can use option 7 to reset the WebGUI admin account.

So, this utility is really only useful for 2 things:

1) You want to get back the original login, i.e. NOT reset the login. (Which I wanted.)
2) You don't want to connect a monitor/keyboard because you hate cables. (Like me.)

I had set the root and WebGUI admin passwords to be the same, so I needed to get that back. Resetting won't do that for you.

Anyways, less useful than I originally thought, but still servers *some* purpose.

With some minor modifications, it could easily work on other web sites though.

Navigation

[0] Message Index

[#] Next page