Chimera Remote Password Cracking Tool
Chimera was designed to be a fast, thread-based remote password cracking tool. It currently supports the ftp, http, http-proxy, imap, ldap, mysql, nntp, pop3 and telnet protocols. Since version 0.29.9 Chimera supports IPv6. SSL is also supported (through openssl). You can use passwords from wordlists, feed them from stdin or use a variety of brute force methods. You can supply a user-defined charset or use a pre-defined one. You can also manage the number of threads used, as well as the connection timing, max connection errors, thread creation speed and other values.
The http, http-proxy, imap, ldap, nntp and telnet modules are still in beta, so please don't bitch at me, just send in bug reports.
Similar Programs
Hydra - the best remote passwd cracking tool out there. Unfortunately it uses fork() to do its job, making it a lot less efficient. It supports a wide variety of protocols. My goal is to implement most of them in chimera. Find it at http://www.thc.org. Chimera WILL NOT eat up 100% CPU time under normal conditions (as Hydra often likes to).
Current stable version is 0.29.9
md5sum: 35ff128bff9305b258af82ad8c156ab4 chimera-0.29.9.tar.gz
Previous versions (for the sake of completion)
- chimera-0.29.6.tar.gz
- chimera-0.29.2.tar.gz
- chimera-0.28.2.tar.gz
- chimera-0.28.1.tar.gz
- chimera-0.28.tar.gz
- chimera-0.27.tar.gz
md5sum: 2a4cf0ff2cc72f6068c2131e4a44203a chimera-0.29.6.tar.gz
md5sum: 35c8e37597300e40038af7b96c0a99ea chimera-0.29.2.tar.gz
md5sum: ec0927a4e4501cfcdc63856797de1b70 chimera-0.28.2.tar.gz
md5sum: a080b7041ccd7e95bd25c943f1a0faf8 chimera-0.28.1.tar.gz
md5sum: aa2e3a5cd6580271b1d20a390a57a35d chimera-0.28.tar.gz
md5sum: c51a82405181a91013d27aed8983f6d8 chimera-0.27.tar.gz
Usage
Let's jump right in and see how to use this great tool. There are a couple of things that chimera needs to know before it starts its work. These things include: What am I attacking? Who am I attacking? What's the name of the account I'm attacking? What passwords do you want me to check?
What am I attacking? - this one is pretty straightforward. You need to tell chimera the protocol that you want to attack. Currently pop3, ftp, mysql and http_auth are supported.
Syntax: -s ftp, http, http-proxy, imap, ldap, mysql, nntp, pop3, telnet
Who am I attacking? - similar to the previous one. Chimera needs to know what host you want to attack. This can in fact be a list of hosts. If you want to use a list of hosts, you need to use the -H option and supply a file in which every line is one hostname. If the service you are attacking is listening on a non-standard port you can set the correct port with the -e option. Also, if you want to use SSL you have to use the -l option.
Syntax:
    -h www.example.com
  or
    -H /home/sd/hostname_list
  optional:
    -e port
    -l use SSL

default port numbers:
    service     no-SSL  SSL
    #######     ######  ###
    pop3        110     995
    ftp         21      990
    telnet      23      992
    mysql       3306    3306
    http        80      443
    http-proxy  8080    3128
    imap        143     993
    nntp        119     563
    ldap        389     636
What's the name of the account I'm attacking? - this simply means that we need to have a username to start our attack. As with host names, you can use a single user name or a list of them that chimera will read from a file.
Syntax: -u kaszqa or -U /home/sd/user_list
What passwords do you want me to check? - the most important question of all. You have a couple of options here. First, you can check single passwords with -p. Second, you can use -P with a list of passwords from a file or from stdin. Finally, you can brute force. In order to make chimera run a brute force attack you must choose a charset. You can use a pre-defined one or supply your own. The options -m and -M are used to set the minimum and maximum password length. If you need more options when brute forcing you'll have to use an external tool to generate the passwords and feed chimera from stdin. Use -n, -y and -r to check for null passwords, passwords same as user names and passwords same as the reversed user name. Please note that you can use all the above methods at the same time. If more than one is given chimera will check them in this order: null passwords, passwords same as user name, passwords same as reversed user name, single passwords, password list, brute force.
Syntax:
    -n check for null passwords
  or/and
    -y check for passwords same as the user name
  or/and
    -r check for passwords same as the reversed user name
  or/and
    -p single_password
  or/and
    -P /home/sd/wordlists/full_dic_en
  or
    -P stdin (feed chimera from stdin)
  or/and
    -c 1 | 2 | 3 | 4
       case 1: abcdefghijklmnopqrstuvwyxz
       case 2: abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWYXZ
       case 3: abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWYXZ1234567890
       case 4: abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWYXZ1234567890 !@#$%^&*()_-+=]}[{'";:/?.>,<\|
  or
    -C qwerty (example of a user supplied charset)
  optional:
    -m minimal brute force password length
    -M maximal brute force password length
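The check order above is also a checklist for whoever sets password policy on the services listed: a password that falls to one of the early stages costs a guesser almost nothing. The following is an added example, not part of Chimera or written by its author, meant to be called at password-change time when the plaintext is available. The function names and sample accounts are constructed, the single-password (-p) stage is not modelled, and only charsets 1 to 3 are included.

```python
import string

# Pre-defined charsets 1-3 as listed on this page; the page prints the letters
# in a slightly different order, which does not matter for membership tests.
CHARSETS = {
    1: string.ascii_lowercase,
    2: string.ascii_letters,
    3: string.ascii_letters + string.digits,
}

def keyspace(charset, min_len=1, max_len=8):
    """Number of candidates a brute force over charset has to cover."""
    n = len(set(charset))
    return sum(n ** k for k in range(min_len, max_len + 1))

def guess_stage(user, password, wordlist=(), charset_id=1, min_len=1, max_len=8):
    """First stage, in the documented order, that reaches the password.
    Returns None when none of the modelled stages does."""
    if password == "":
        return "null password (-n)"
    if password == user:
        return "same as user name (-y)"
    if password == user[::-1]:
        return "reversed user name (-r)"
    if password in wordlist:
        return "password list (-P)"
    chars = set(CHARSETS[charset_id])
    if min_len <= len(password) <= max_len and set(password) <= chars:
        return "brute force (-c %d), keyspace %d" % (
            charset_id, keyspace(chars, min_len, max_len))
    return None

def audit(accounts, wordlist=(), charset_id=1):
    """Map user -> stage for every account whose password is reachable."""
    findings = {}
    for user, password in accounts.items():
        stage = guess_stage(user, password, wordlist, charset_id)
        if stage:
            findings[user] = stage
    return findings

# Constructed sample data, for illustration only.
SAMPLE_ACCOUNTS = {"alice": "", "bob": "bob", "carol": "lorac",
                   "dave": "letmein", "erin": "zebra", "frank": "T7#qLw!02xVb"}
SAMPLE_WORDLIST = {"letmein", "password"}

if __name__ == "__main__":
    for user, stage in audit(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST).items():
        print(user, "->", stage)
```

Rejecting a new password whenever guess_stage returns a value closes off the null, user-name, reversed-user-name and wordlist stages outright.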
Other settings include changing the number of used threads (default: 256), reducing/increasing the connection timeout (default: 60s), changing the number of microseconds between creating new threads (default: 250), making chimera not reduce the number of threads when connection errors occur (experts only) and adding verbosity to the output.
    -t number of threads to use (default: 64)
    -T set connection timeout (default: 60)
    -B set max connection errors (default: 5)
    -b number of microseconds between creating new threads (default: 2500)
    -a do not reduce thread number on connection errors (experts only)
    -q quiet mode - output only successfully cracked accounts
    -v verbose mode - output every password attempt
Example - when you run chimera, if no errors occurred you should eventually get a cracked user name + password for the service and host you were attacking. If chimera exits and generates no output this means that no user name + password pair was matched to the service and host you were attacking. If you used the -v option you might get a lot more output before the user name + password for the service you were attacking.
sd@infinity ~ $ chimera -s pop3 -u silentdeath -h poczta.interia.pl -P /home/sd/tech/wordlists/full
service: pop3 host: poczta.interia.pl port: 110 user: silentdeath password: death
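On the server side, a run like the one above shows up as a burst of failed logins from one source, aimed either at a single account (-u) or spread over a user list (-U). The following is an added example, not part of Chimera or written by its author, that flags both patterns with a sliding window. The log format, addresses, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed lines, assumed format: '<ISO time> <source> <user> <OK|FAIL>'."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    stamp = lambda secs: (t0 + timedelta(seconds=secs)).isoformat()
    # One source hammering a single account, five attempts per second.
    lines = ["%s 192.0.2.10 silentdeath FAIL" % stamp(i * 0.2) for i in range(20)]
    # One source walking a list of user names, one attempt per second.
    lines += ["%s 192.0.2.20 user%d FAIL" % (stamp(30 + i), i) for i in range(12)]
    # A legitimate user who mistypes once and then logs in.
    lines += ["%s 192.0.2.30 alice FAIL" % stamp(50),
              "%s 192.0.2.30 alice OK" % stamp(58)]
    return sorted(lines)

def parse(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect(lines, window=timedelta(seconds=60), threshold=10):
    """Return {source: kind} for sources with >= threshold failures per window.
    kind is 'single-account' when all failures hit one user name and
    'user-list' when they are spread over several."""
    recent = defaultdict(deque)          # source -> (time, user) of failures
    alerts = {}
    for line in lines:
        ts, src, user, result = parse(line)
        if result != "FAIL":
            continue
        failures = recent[src]
        failures.append((ts, user))
        while ts - failures[0][0] > window:   # drop entries outside the window
            failures.popleft()
        if len(failures) >= threshold:
            users = {u for _, u in failures}
            alerts[src] = "single-account" if len(users) == 1 else "user-list"
    return alerts

if __name__ == "__main__":
    for src, kind in detect(sample_log()).items():
        print(src, kind)
```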
Help
sd@infinity:0 ~/web/sd/trash/res/chimera $ chimera
chimera - remote passwd cracking tool v0.29.9
(c) 2003,2004,2005 by Lukasz Tomicki
usage: chimera [-s service] [-h host/IP] [-u/-U user/userlist] [-p/-P/-c/-C password/passwordlist/charset/user-charset]
options:
    -s sets the service you want to attack to the given type
       ftp, http, http-proxy, imap, ldap, mysql, nntp, pop3, telnet
    -h host to attack
    -H sets a file of hosts to attack
    -e port to attack on the remote host (if not standard)
    -6 use IPv6 (default: no)
    -u sets the user name for the service we are attacking
    -U sets a file of user names to use
    -p sets a passwd to check
    -P sets a file of passwds to check
       use 'stdin' to feed from standard input
    -n check for null passwords
    -y check for passwodrs same as the user name
    -r check for passwords same as the reversed user name
    -c use pre-defined charset
       1 abcdefghijklmnopqrstuvwyxz
       2 abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWYXZ
       3 abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWYXZ1234567890
       4 abcdefghijklmnopqrstuvwyxzABCDEFGHIJKLMNOPQRSTUVWYXZ1234567890 !@#$%^&*()_-+=]}[{'";:/?.>,<\|
    -C sets a user-defined brute force charset
       example: -C qwerty1234567890
    -m mininum number of characters to use (default: 1)
    -M maximum number of characters to use (default: 8)
    -l use ssl (default: no)
    -t number of threads to use (default: 64)
    -T set connection timeout (default: 60)
       setting to zero means unlimited
    -B set max connection errors (default: 5)
       setting to zero means unlimited
    -b number of microseconds between creating new threads (default: 2500)
    -a do not reduce thread number on connection errors (experts only)
    -q quiet mode - output only successfully cracked accounts
    -v verbose mode - output every password attempt
    -g http request (only applicable for http and http-proxy attacks)
       mandatory for http attacks, optional for http-proxy
       format: http://remote_server/remote_path/
       default for http-proxy: http://www.google.com/
License
Chimera is distributed on the terms of the GNU GENERAL PUBLIC LICENSE.
Disclaimer
This program was written only for educational purposes. Reading other people's code is one of the best ways to learn programming. This is especially true when learning advanced topics like making multi-threading safe, working with non-blocking sockets, etc. ABSOLUTELY NO WARRANTY is provided. I am not responsible for any harm the use of this tool may bring.
"The mountains are high and the emperor far away."
Last update: Thursday, 19th September, 2024 Copyright © 2001-2025 by Lukasz Tomicki