Beispiel #1
0
int
start_http(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type)
{
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[110];
  char *header = "";            /* XXX TODO */
  char *ptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  sprintf(buffer2, "%.50s:%.50s", login, pass);
  hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

  /* again: no snprintf to be portable. dont worry, buffer cant overflow */
  if (use_proxy == 1 && proxy_authentication != NULL)
    sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
            type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header);
  else {
    if (use_proxy == 1)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
            type, webtarget, webport, miscptr, webtarget, buffer2, header);
    else
      sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
            type, miscptr, webtarget, buffer2, header);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  buf = hydra_receive_line(s);
  while (strstr(buf, "HTTP/1.") == NULL && buf != NULL)
    buf = hydra_receive_line(s);

  if (buf == NULL)
    return 1;

/*
    while (hydra_data_ready(s) > 0)
      recv(s, buffer, sizeof(buf), 0);
        buf = hydra_receive_line(s);
*/

  ptr = ((char *) index(buf, ' ')) + 1;
  if (ptr != NULL && (*ptr == '2' || strncmp(ptr, "301", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
  } else {
    if (ptr != NULL && *ptr != '4')
      printf("Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass);
    hydra_completed_pair();
  }

  free(buf);

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;

}
Beispiel #2
0
int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];
  char *header = "";            /* XXX TODO */
  char *ptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  switch (http_auth_mechanism) {
  case AUTH_BASIC:
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    /* again: no snprintf to be portable. dont worry, buffer cant overflow */
    if (use_proxy == 1 && proxy_authentication != NULL)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
              type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header);
    else {
      if (use_proxy == 1)
        sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buffer2, header);
      else
        sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
    }
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_DIGESTMD5:{
      char *pbuffer;

      pbuffer = hydra_strcasestr(buf, "WWW-Authenticate: Digest ");
      strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer));
      buffer[sizeof(buffer) - 1] = '\0';

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header);
      if (buffer2 == NULL) {
        return 3;
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer2);
      strcpy(buffer, buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it cant overflow */
      //send the first..
      if (use_proxy == 1 && proxy_authentication != NULL)
        sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header);
      }

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;

      //receive challenge
      buf = hydra_receive_line(s);
      while (buf != NULL && (pos = hydra_strcasestr(buf, "WWW-Authenticate: NTLM ")) == NULL) {
        free(buf);
        buf = hydra_receive_line(s);
      }

      if (buf == NULL)
        return 1;

      if (pos != NULL) {
        char *str;

        pos+=23;
        if ((str=strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str=strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0; }
      }

      //recover challenge
      from64tobits((char *) buf1, pos);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      //create the auth response
      if (use_proxy == 1 && proxy_authentication != NULL)
        sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header);
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
    }
    break;
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  buf = hydra_receive_line(s);
  while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
    free(buf);
    buf = hydra_receive_line(s);
  }

  //if server cut the connection, just exit cleanly or 
  //this will be an infinite loop
  if (buf == NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] Server did not answer\n");
    return 3;
  }

  if (debug)
    hydra_report(stderr, "S:%s\n", buf);

  ptr = ((char *) index(buf, ' ')) + 1;
  if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
  } else {
    if (ptr != NULL && *ptr != '4')
      fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass);

    //the first authentication type failed, check the type from server header
    if ((hydra_strcasestr(buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
      //seems the auth supported is not Basic shceme so testing further
      int find_auth = 0;

      if (hydra_strcasestr(buf, "WWW-Authenticate: NTLM") != NULL) {
        http_auth_mechanism = AUTH_NTLM;
        find_auth = 1;
      }
#ifdef LIBOPENSSL
      if (hydra_strcasestr(buf, "WWW-Authenticate: Digest") != NULL) {
        http_auth_mechanism = AUTH_DIGESTMD5;
        find_auth = 1;
      }
#endif

      if (find_auth) {
        free(buf);
        return 1;
      }
    }
    hydra_completed_pair();
  }
  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;

}
Beispiel #3
0
int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) {
  char *empty = "";
  char *login, *pass, *buffer, buffer2[500];
  char *header;
  char *ptr, *fooptr;
  int32_t complete_line = 0, buffer_size;
  char tmpreplybuf[1024] = "", *tmpreplybufptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (strcmp(type, "POST") == 0)
    add_header(&ptr_head, "Content-Length", "0", HEADER_TYPE_DEFAULT);

  header = stringify_headers(&ptr_head);

  buffer_size = strlen(header) + 500;
  if(!(buffer = malloc(buffer_size))) {
    free(header);
    return 3;
  }

  // we must reset this if buf is NULL and we do MD5 digest
  if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5)
    http_auth_mechanism = AUTH_BASIC;

  if (use_proxy > 0 && proxy_count > 0)
    selected_proxy = random() % proxy_count;

  switch (http_auth_mechanism) {
  case AUTH_BASIC:
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    /* again: no snprintf to be portable. don't worry, buffer can't overflow */
    if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
              type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header);
    else {
      if (use_proxy == 1)
        sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buffer2, header);
      else
        sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
    }
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_DIGESTMD5:{
      char *pbuffer;

      pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");
      strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1);
      buffer[buffer_size - 1] = '\0';

      fooptr = buffer2;
      sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
      if (fooptr == NULL) {
        free(buffer);
        free(header);
        return 3;
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer2);
      strcpy(buffer, buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it can't overflow */
      //send the first..
      if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
        sprintf(buffer,
                "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
                  buf1, header);
      }

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        free(buffer);
        free(header);
        return 1;
      }

      //receive challenge
      if (http_buf != NULL)
        free(http_buf);

      http_buf = hydra_receive_line(s);
      if (http_buf == NULL) {
        if (verbose)
          hydra_report(stderr, "[ERROR] Server did not answer\n");
        free(buffer);
        free(header);
        return 3;
      }

      pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ");
      if (pos != NULL) {
        char *str;

        pos += 23;
        if ((str = strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str = strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0;
        }
      } else {
        hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n");
        return 3;
      }

      //recover challenge
      from64tobits((char *) buf1, pos);
      free(http_buf);
      http_buf = NULL;

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      //create the auth response
      if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
        sprintf(buffer,
                "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
                  buf1, header);
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
    }
    break;
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    free(buffer);
    free(header);
    return 1;
  }

  if (http_buf != NULL)
    free(http_buf);
  http_buf = hydra_receive_line(s);
  complete_line = 0;
  tmpreplybuf[0] = 0;

  while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) {
    if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
    if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) {
      strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1);
      tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0;
      free(http_buf);
      http_buf = hydra_receive_line(s);
    } else if (tmpreplybuf[0] != 0) {
      complete_line = 1;
      if ((tmpreplybufptr = malloc(strlen(tmpreplybuf) + strlen(http_buf) + 1)) != NULL) {
        strcpy(tmpreplybufptr, tmpreplybuf);
        strcat(tmpreplybufptr, http_buf);
        free(http_buf);
        http_buf = tmpreplybufptr;
        if (debug) printf("http_buf now: %s\n", http_buf);
      }
    } else {
      free(http_buf);
      http_buf = hydra_receive_line(s);
    }
  }

  //if server cut the connection, just exit cleanly or 
  //this will be an infinite loop
  if (http_buf == NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] Server did not answer\n");
    free(buffer);
    free(header);
    return 3;
  }

  if (debug)
    hydra_report(stderr, "S:%s\n", http_buf);

  ptr = ((char *) index(http_buf, ' '));
  if (ptr != NULL)
    ptr++;
  if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
    if (http_buf != NULL) {
      free(http_buf);
      http_buf = NULL;
    }
  } else {
    if (ptr != NULL && *ptr != '4')
      fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass);

    //the first authentication type failed, check the type from server header
    if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
      //seems the auth supported is not Basic scheme so testing further
      int32_t find_auth = 0;

      if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) {
        http_auth_mechanism = AUTH_NTLM;
        find_auth = 1;
      }
#ifdef LIBOPENSSL
      if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) {
        http_auth_mechanism = AUTH_DIGESTMD5;
        find_auth = 1;
      }
#endif

      if (find_auth) {
//        free(http_buf);
//        http_buf = NULL;
        free(buffer);
        free(header);
        return 1;
      }
    }
    hydra_completed_pair();
  }
//  free(http_buf);
//  http_buf = NULL;
  free(buffer);
  free(header);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #4
0
int start_sapr3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  RFC_HANDLE handle;
  char *empty = "";
  char *login, *pass, buffer[1024];
  char *buf;
  int i;
  int sysnr = port % 100;
  char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0";

//  char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y";

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (strlen(login) > 0)
    for (i = 0; i < strlen(login); i++)
      login[i] = (char) toupper(login[i]);
  if (strlen(pass) > 0)
    for (i = 0; i < strlen(pass); i++)
      pass[i] = (char) toupper(pass[i]);

  memset(buffer, 0, sizeof(buffer));
  memset(&error_info, 0, sizeof(error_info));

//strcpy(buf, "mvse001");
  snprintf(buffer, sizeof(buffer), "ASHOST=%s SYSNR=%02d CLIENT=%03d USER=\"%s\" PASSWD=\"%s\" LANG=DE %s", hydra_address2string(ip), sysnr, atoi(miscptr), login, pass, opts);

/*
  USER=SAPCPIC PASSWORD=admin
  USER=SAP*    PASSWORD=PASS

  ## do we need these options?
  SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N

  ASHOST= //  IP
  SYSNR=  // port - 3200, scale 2
  CLIENT= // miscptr, scale 2
  ABAP_DEBUG=0
  USER=
  PASSWD= 
  LANG=DE
*/
//printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer);
  handle = RfcOpenEx(buffer, &error_info);

//printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message);

  if (handle <= RFC_HANDLE_NULL)
    return 3;

  if (strstr(error_info.message, "sapgui") != NULL || strlen(error_info.message) == 0) {
    hydra_report_found_host(port, ip, "sapr3", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    return 1;
  } else {
    if (strstr(error_info.key, "ERROR_COMMUNICATION") != NULL) {
      /* sysnr does not exist, report as port closed */
      return 3;
    }
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
  }
  return 1;
}
Beispiel #5
0
int start_teamspeak(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass;
  char buf[100];
  struct team_speak teamspeak;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  memset(&teamspeak, 0, sizeof(struct team_speak));

  memcpy(&teamspeak.header, "\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00", 16);

  teamspeak.clientlen = 9;
  strcpy((char *) &teamspeak.client, "TeamSpeak");

  teamspeak.oslen = 11;
  strcpy((char *) &teamspeak.os, "Linux 2.6.9");

  memcpy(&teamspeak.misc, "\x02\x00\x00\x00\x20\x00\x3c\x00\x01\x02", 10);

  teamspeak.userlen = strlen(login);
  strncpy((char *) &teamspeak.user, login, 29);

  teamspeak.passlen = strlen(pass);
  strncpy((char *) &teamspeak.pass, pass, 29);

  teamspeak.loginlen = 0;
  strcpy((char *) &teamspeak.login, "");

#ifdef HAVE_ZLIB
  teamspeak.crc = crc32(0L, (const Bytef *)&teamspeak, sizeof(struct team_speak));
#else
  teamspeak.crc = crc32(&teamspeak, sizeof(struct team_speak));
#endif

  if (hydra_send(s, (char *) &teamspeak, sizeof(struct team_speak), 0) < 0) {
    return 3;
  }

  if (hydra_data_ready_timed(s, 5, 0) > 0) {
    hydra_recv(s, (char *) buf, sizeof(buf));
    if (buf[0x58] == 1) {
      hydra_report_found_host(port, ip, "teamspeak", fp);
      hydra_completed_pair_found();
    }
    if (buf[0x4B] != 0) {
      hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
      hydra_child_exit(1);
    }
  } else {
    hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
    hydra_child_exit(1);
  }

  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 1;
}
Beispiel #6
0
int start_oracle_sid(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  /*
     PP is the packet length
     XX is the length of connect data
     PP + tns_packet_begin + XX + tns_packet_end
   */
  unsigned char tns_packet_begin[22] = {
    "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
  };
  unsigned char tns_packet_end[32] = {
    "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
  };
  char *empty = "";
  char *login;
  char connect_string[200];
  char buffer2[260];
  int siz = 0;

  memset(connect_string, 0, sizeof(connect_string));
  memset(buffer2, 0, sizeof(buffer2));

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;

  snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login,
           hydra_address2string(ip), port);
  siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
  if (siz > 255) {
    buffer2[0] = 1;
    buffer2[1] = siz - 256;
  } else {
    buffer2[1] = siz;
  }
  memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin));
  siz = strlen(connect_string);
  if (siz > 255) {
    buffer2[2 + sizeof(tns_packet_begin)] = 1;
    buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256;
  } else {
    buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz;
  }
  memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end));
  memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string));
  if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) {
    return 1;
  }

  if ((buf = hydra_receive_line(s)) == NULL)
    return 1;
  //if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse
  if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) {
    hydra_report_found_host(port, ip, "oracle-sid", fp);
    hydra_completed_pair_found();
  } else
    hydra_completed_pair();

  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #7
0
int start_telnet(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[300];
  int i = 0;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  sprintf(buffer, "%.250s\r", login);

  if (no_line_mode) {
    for (i = 0; i < strlen(buffer); i++) {
      if (strcmp(&buffer[i], "\r") == 0) {
        send(s, "\r\0", 2, 0);
      } else {
        send(s, &buffer[i], 1, 0);
      }
      usleepn(20);
    }
  } else {
    if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) {
      return 1;
    }
  }

  do {
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;

    if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL) {
      hydra_report_found_host(port, ip, "telnet", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }
    (void) make_to_lower(buf);

    if (hydra_strcasestr(buf, "asswor") != NULL || hydra_strcasestr(buf, "asscode") != NULL || hydra_strcasestr(buf, "ennwort") != NULL)
      i = 1;
    if (i == 0 && ((strstr(buf, "ogin:") != NULL && strstr(buf, "last login") == NULL) || strstr(buf, "sername:") != NULL)) {
      free(buf);
      hydra_completed_pair();
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 2;
    }
    free(buf);
  } while (i == 0);

  sprintf(buffer, "%.250s\r", pass);
  if (no_line_mode) {
    for (i = 0; i < strlen(buffer); i++) {
      if (strcmp(&buffer[i], "\r") == 0) {
        send(s, "\r\0", 2, 0);
      } else {
        send(s, &buffer[i], 1, 0);
      }
      usleepn(20);
    }
  } else {
    if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) {
      return 1;
    }
  }

  /*win7 answering with do terminal type = 0xfd 0x18 */
  while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:"******"last login:"******"sername:") == NULL) {
    if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL &&
          strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL &&
          (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL ||
          index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) {
      hydra_report_found_host(port, ip, "telnet", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }
    free(buf);
  }

  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 2;
}
Beispiel #8
0
int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *pass, hybuffer[300];

  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

#ifdef PALM
  sprintf(hybuffer, "%s\r\n", pass);
#else
  sprintf(hybuffer, "%.250s\r\n", pass);
#endif

  if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) {
    return 1;
  }
  sleep(1);
  hybuf = NULL;
  do {
    if (hybuf != NULL)
      free(hybuf);
    if ((hybuf = hydra_receive_line(s)) == NULL)
      return 3;
    if (hybuf[strlen(hybuf) - 1] == '\n')
      hybuf[strlen(hybuf) - 1] = 0;
    if (hybuf[strlen(hybuf) - 1] == '\r')
      hybuf[strlen(hybuf) - 1] = 0;
  } while (strlen(hybuf) <= 1);
  if (strstr(hybuf, "assw") != NULL) {
    hydra_completed_pair();
    free(hybuf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    if (strlen(pass = hydra_get_next_password()) == 0)
      pass = empty;

#ifdef PALM
    sprintf(hybuffer, "%s\r\n", pass);
#else
    sprintf(hybuffer, "%.250s\r\n", pass);
#endif

    if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) {
      return 1;
    }
    
    hybuf = NULL;
    do {
      if (hybuf != NULL)
        free(hybuf);
      if ((hybuf = hydra_receive_line(s)) == NULL)
        return 3;
      if (hybuf[strlen(hybuf) - 1] == '\n')
        hybuf[strlen(hybuf) - 1] = 0;
      if (hybuf[strlen(hybuf) - 1] == '\r')
        hybuf[strlen(hybuf) - 1] = 0;
    } while (strlen(hybuf) <= 1);
    if (hybuf != NULL && strstr(hybuf, "assw") != NULL) {
      hydra_completed_pair();
      free(hybuf);
      hybuf = NULL;
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      if (strlen(pass = hydra_get_next_password()) == 0)
        pass = empty;

#ifdef PALM
      sprintf(hybuffer, "%s\r\n", pass);
#else
      sprintf(hybuffer, "%.250s\r\n", pass);
#endif

      if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) {
        return 1;
      }
      hybuf = NULL;
      do {
        if (hybuf != NULL)
          free(hybuf);
        hybuf = hydra_receive_line(s);
        if (hybuf != NULL) {
          if (hybuf[strlen(hybuf) - 1] == '\n')
            hybuf[strlen(hybuf) - 1] = 0;
          if (hybuf[strlen(hybuf) - 1] == '\r')
            hybuf[strlen(hybuf) - 1] = 0;
        }
      } while (hybuf != NULL && strlen(hybuf) <= 1);
    }

  }

  if (hybuf != NULL && (strstr(hybuf, "assw") != NULL || strstr(hybuf, "ad ") != NULL || strstr(hybuf, "attempt") != NULL || strstr(hybuf, "ailur") != NULL)) {
    free(hybuf);
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  hydra_report_found_host(port, ip, "cisco", fp);
  hydra_completed_pair_found();
  if (hybuf != NULL)
    free(hybuf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #9
0
int
start_ldap(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp, char version)
{
  char *empty = "";
  char *login = "", *pass, buffer[512];
  int length;

  if (miscptr == NULL) {
    if (strlen(login = hydra_get_next_login()) == 0)
      login = empty;
  } else
    login = miscptr;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  length = 14 + strlen(login) + strlen(pass);

  memset(buffer, 0, sizeof(buffer));
  buffer[0] = 48;
  buffer[1] = length - 2;

  buffer[2] = 2;
  buffer[3] = 1;
  buffer[4] = counter % 256;

  buffer[5] = 96;
  buffer[6] = length - 7;
  buffer[7] = 2;
  buffer[8] = 1;
  buffer[9] = version;

  buffer[10] = 4;
  buffer[11] = strlen(login);   /* DN */
  memcpy(&buffer[12], login, strlen(login));

  buffer[12 + strlen(login)] = (unsigned char) 128;
  buffer[13 + strlen(login)] = strlen(pass);
  memcpy(&buffer[14 + strlen(login)], pass, strlen(pass));      /* PASS */

  if (hydra_send(s, buffer, length, 0) < 0)
    return 1;
  if ((buf = hydra_receive_line(s)) == NULL)
    return 1;

  /* success is: 0a 01 00 - failure is: 0a 01 31 */
  if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) {
    hydra_report_found_host(port, ip, "ldap", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) {
    hydra_report(stderr, "Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2');
    hydra_child_exit(2);
    sleep(1);
    exit(-1);
  }

  if (buf[9] != 49 && buf[9] != 2) {
    hydra_report(stderr, "Uh, unknown LDAP response, remember, this module is beta! Please report this:\n");
    hydra_report(stderr, "Dump: %.2x %.2x %.2x %.2x  %.2x %.2x %.2x %.2x   %.2x %.2x %.2x %.2x  %.2x %.2x %.2x %.2x\n",
            buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7], buf[8], buf[9], buf[10], buf[11], buf[12], buf[13], buf[14], buf[15]);
    return 3;
  }

  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 2;
}
int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[500], buffer2[500];
  char *AUTH_STR = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='";
  char *AUTH_STR_END = "'/>";
  char *CHALLENGE_STR = "<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>";
  char *CHALLENGE_STR2 = "<challenge xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">";
  char *CHALLENGE_END_STR = "</challenge>";
  char *RESPONSE_STR = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>";
  char *RESPONSE_END_STR = "</response>";

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  switch (xmpp_auth_mechanism) {
  case AUTH_SCRAMSHA1:
    sprintf(buffer, "%s%s%s", AUTH_STR, "SCRAM-SHA-1", AUTH_STR_END);
    break;
  case AUTH_CRAMMD5:
    sprintf(buffer, "%s%s%s", AUTH_STR, "CRAM-MD5", AUTH_STR_END);
    break;
  case AUTH_DIGESTMD5:
    sprintf(buffer, "%s%s%s", AUTH_STR, "DIGEST-MD5", AUTH_STR_END);
    break;
  case AUTH_PLAIN:
    sprintf(buffer, "%s%s%s", AUTH_STR, "PLAIN", AUTH_STR_END);
    break;
  default:
    sprintf(buffer, "%s%s%s", AUTH_STR, "LOGIN", AUTH_STR_END);
    break;
  }

  hydra_send(s, buffer, strlen(buffer), 0);
  usleep(300000);
  buf = hydra_receive_line(s);

  if (verbose)
    hydra_report(stderr, "DEBUG S: %s\n", buf);

  if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
    /*
       the challenge string is sent depending of the
       auth chosen it's the case for login auth
     */

    char *ptr = strstr(buf, CHALLENGE_STR);

    if (!ptr)
      ptr = strstr(buf, CHALLENGE_STR2);
    char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
    int chglen = ptr_end - ptr - strlen(CHALLENGE_STR);

    if ((chglen > 0) && (chglen < sizeof(buffer2))) {
      strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen);
      buffer2[chglen] = '\0';
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buffer2);
      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);
    }

    switch (xmpp_auth_mechanism) {
    case AUTH_LOGIN:{
        if (strstr(buffer, "sername") != NULL) {
          strncpy(buffer2, login, sizeof(buffer2) - 1);
          buffer2[sizeof(buffer2) - 1] = '\0';

          hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
          sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
          if (verbose)
            hydra_report(stderr, "DEBUG C: %s\n", buffer);
          if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
            free(buf);
            return 1;
          }
          buf = hydra_receive_line(s);
          if (buf == NULL)
            return 1;
          /* server now would ask for the password */
          if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
            char *ptr = strstr(buf, CHALLENGE_STR);

            if (!ptr)
              ptr = strstr(buf, CHALLENGE_STR2);
            char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
            int chglen = ptr_end - ptr - strlen(CHALLENGE_STR);

            if ((chglen > 0) && (chglen < sizeof(buffer2))) {
              strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen);
              buffer2[chglen] = '\0';
              memset(buffer, 0, sizeof(buffer));
              from64tobits((char *) buffer, buffer2);
              if (strstr(buffer, "assword") != NULL) {
                strncpy(buffer2, pass, sizeof(buffer2) - 1);
                buffer2[sizeof(buffer2) - 1] = '\0';
                hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
                sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
              }
            } else {
              hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n");
              free(buf);
              return 1;
            }
            free(buf);
          }
        }
      }
      break;
#ifdef LIBOPENSSL
    case AUTH_PLAIN:{
        memset(buffer2, 0, sizeof(buffer));
        sasl_plain(buffer2, login, pass);
        sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
        if (verbose)
          hydra_report(stderr, "DEBUG C: %s\n", buffer);

      }
      break;
    case AUTH_CRAMMD5:{
        int rc = 0;
        char *preplogin;

        memset(buffer2, 0, sizeof(buffer2));
        sasl_cram_md5(buffer2, pass, buffer);

        rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
        if (rc) {
          return 3;
        }

        sprintf(buffer, "%.200s %.250s", preplogin, buffer2);
        if (verbose)
          hydra_report(stderr, "DEBUG C: %s\n", buffer);
        hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
        sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR);
        strncpy(buffer, buffer2, sizeof(buffer) - 1);
        buffer[sizeof(buffer) - 1] = '\0';
        free(preplogin);
      }
      break;
    case AUTH_DIGESTMD5:{
        memset(buffer2, 0, sizeof(buffer2));
        sasl_digest_md5(buffer2, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
        if (buffer2 == NULL)
          return 3;
        if (verbose)
          hydra_report(stderr, "DEBUG C: %s\n", buffer2);
        hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
        snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
      }
      break;
    case AUTH_SCRAMSHA1:{
        /*client-first-message */
        char clientfirstmessagebare[200];
        char *preplogin;
        int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);

        if (rc) {
          return 3;
        }

        snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin);
        free(preplogin);
        sprintf(buffer2, "n,,%.200s", clientfirstmessagebare);
        hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
        snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);

        if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
          return 1;
        }
        buf = hydra_receive_line(s);
        if (buf == NULL)
          return 1;

        if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
          char serverfirstmessage[200];
          char *ptr = strstr(buf, CHALLENGE_STR);

          if (!ptr)
            ptr = strstr(buf, CHALLENGE_STR2);
          char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
          int chglen = ptr_end - ptr - strlen(CHALLENGE_STR);

          if ((chglen > 0) && (chglen < sizeof(buffer2))) {
            strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen);
            buffer2[chglen] = '\0';
          } else {
            hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n");
            free(buf);
            return 1;
          }

          /*server-first-message */
          memset(buffer, 0, sizeof(buffer));
          from64tobits((char *) buffer, buffer2);
          strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1);
          serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';

          memset(buffer2, 0, sizeof(buffer2));
          sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
          if (buffer2 == NULL) {
            hydra_report(stderr, "[ERROR] Can't compute client response\n");
            free(buf);
            return 1;
          }
          hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
          snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
        } else {
          if (verbose || debug)
            hydra_report(stderr, "[ERROR] Not a valid server challenge\n");
          free(buf);
          return 1;
        }
        free(buf);
      }
      break;
#endif
    }

    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    usleep(50000);
    buf = hydra_receive_line(s);
    if (buf == NULL)
      return 1;

    //we test the challenge tag as digest-md5 when connected is sending "rspauth" value
    //so if we are receiving a second challenge we assume the auth is good

    if ((strstr(buf, "<success") != NULL) || (strstr(buf, "<challenge ") != NULL)) {
      hydra_report_found_host(port, ip, "xmpp", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }

    if (verbose)
      hydra_report(stderr, "[ERROR] %s\n", buf);

    free(buf);
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;

    return 2;
  }
  if (strstr(buf, "<failure")) {
    hydra_report(stderr, "[ERROR] Protocol failure, try using another auth method. %s\n", strstr(buf, "<failure"));
  }
  return 3;
}
Beispiel #11
0
int start_ncp(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{

char* login;
char* pass;
char context[256];
unsigned int ncp_lib_error_code;
struct sockaddr_in remote_ip;
char *empty = "";
int object_type = NCP_BINDERY_USER;

_NCP_DATA* session;


memset(&remote_ip, 0, sizeof(remote_ip));
memcpy(&remote_ip.sin_addr.s_addr, &ip, 4);
remote_ip.sin_family = AF_INET;

session = malloc(sizeof(_NCP_DATA));  
memset(session, 0, sizeof(_NCP_DATA));
login=empty;
pass=empty;


	if (strlen(login = hydra_get_next_login()) == 0) {
		login = empty;
	}
	else {
  if (miscptr) {
		  if (strlen(miscptr)+strlen(login) > sizeof(context))
		  {
				return 4;
		  }
		  memset(context, 0, sizeof(context));
        strncpy(context, login, strlen(login));
        strncpy(context+strlen(login), miscptr, sizeof(miscptr)+1);
		  login=context;
		}
	}

  //login and password are case insensitive
  //str_upper(login);

	if (strlen(pass = hydra_get_next_password()) == 0)
		pass = empty;

ncp_lib_error_code = ncp_find_conn_spec3(inet_ntoa((struct in_addr) remote_ip.sin_addr), login, "", 1, getuid(), 0, &session->spec);
if (ncp_lib_error_code)
{ free(session);return 1;}

ncp_lib_error_code = NWCCOpenConnByName(NULL, session->spec.server, NWCC_NAME_FORMAT_BIND, NWCC_OPEN_NEW_CONN, NWCC_RESERVED, &session->conn);
if (ncp_lib_error_code)
{ free(session);return 1;}

  memset(session->spec.password, 0, sizeof(session->spec.password));
  memcpy(session->spec.password, pass, strlen(pass)+1);
  //str_upper(session->spec.password);

ncp_lib_error_code = ncp_login_conn(session->conn, session->spec.user, object_type, session->spec.password);
 switch (ncp_lib_error_code & 0x0000FFFF)
  {
    case 0x0000:  /* Success */
      #ifdef NCP_DEBUG
		printf("Connection success (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code);
		#endif
		ncp_close(session->conn);
		hydra_report_found_host(port, ip, "ncp", fp); //ok
		hydra_completed_pair();
		if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
			return 3; //exit
		free(session);
		return 2; //next
      break;
    case 0x89DE: /* PASSWORD INVALID */
    case 0x89F0: /* BIND WILDCARD INVALID */
	 case 0x89FF: /* NO OBJ OR BAD PASSWORD */
    case 0xFD63: /* FAILED_AUTHENTICATION */
	 case 0xFDA7: /* NO_SUCH_ENTRY */
      #ifdef NCP_DEBUG
		printf("Incorrect password (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code);
		#endif
		ncp_close(session->conn);
     	hydra_completed_pair();
     	if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
		{
						free(session);
            		return 2;    //next
		}
      break;
    default:
		#ifdef NCP_DEBUG
      printf("Failed to open connection. Error code: %X\n",ncp_lib_error_code);
		#endif
	if (session->conn != NULL) ncp_close(session->conn);
      break;
  }
 free(session);
 return 1; //reconnect
}
Beispiel #12
0
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[1024];
  char ms_login[MSLEN + 1];
  char ms_pass[MSLEN + 1];
  unsigned char len_login, len_pass;
  int32_t ret = -1;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;
  if (strlen(login) > MSLEN)
    login[MSLEN - 1] = 0;
  if (strlen(pass) > MSLEN)
    pass[MSLEN - 1] = 0;
  len_login = strlen(login);
  len_pass = strlen(pass);
  memset(ms_login, 0, MSLEN + 1);
  memset(ms_pass, 0, MSLEN + 1);
  strcpy(ms_login, login);
  strcpy(ms_pass, pass);

  memset(buffer, 0, sizeof(buffer));
  memcpy(buffer, p_hdr, 39);
  memcpy(buffer + 39, ms_login, MSLEN);
  memcpy(buffer + MSLEN + 39, &len_login, 1);
  memcpy(buffer + MSLEN + 1 + 39, ms_pass, MSLEN);
  memcpy(buffer + MSLEN + 1 + 39 + MSLEN, &len_pass, 1);
  memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1, p_pk2, 110);
  memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110, &len_pass, 1);
  memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1, ms_pass, MSLEN);
  memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN, p_pk3, 270);

  if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0)
    return 1;
  if (hydra_send(s, (char *) p_lng, 71, 0) < 0)
    return 1;

  memset(buffer, 0, sizeof(buffer));
  ret = hydra_recv_nb(s, buffer, sizeof(buffer));

  if (ret <= 0)
    return 3;

  if (ret > 10 && buffer[8] == '\xe3') {
    hydra_report_found_host(port, ip, "mssql", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 2;

  return 1;
}
Beispiel #13
0
int start_sshkey(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *key, keep_login[300];
  int auth_state = 0, rc = 0;
  ssh_private_key privkey;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(key = hydra_get_next_password()) == 0)
    key = empty;

  if (new_session) {
    if (session) {
      ssh_disconnect(session);
      ssh_finalize();
      ssh_free(session);
    }

    session = ssh_new();
    ssh_options_set(session, SSH_OPTIONS_PORT, &port);
    ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
    ssh_options_set(session, SSH_OPTIONS_USER, login);
    ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
    ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
    if (ssh_connect(session) != 0) {
      //if the connection was drop, exit and let hydra main handle it
      if (verbose)
        hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port);
      return 3;
    }

    if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
      return 3;
    } else if (rc == SSH_AUTH_SUCCESS) {
      hydra_report_found_host(port, ip, "sshkey", fp);
      hydra_completed_pair_found();
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 2;
      else
        return 1;
    }
  } else
    new_session = 1;

  auth_state = ssh_auth_list(session);
  if ((auth_state & SSH_AUTH_METHOD_PUBLICKEY) > 0) {
    privkey = privatekey_from_file(session, key, 0, NULL);
    if (!privkey) {
      hydra_report(stderr, "[ERROR] skipping invalid private key: \"%s\"\n", key);
      hydra_completed_pair();
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 2;

      return 1;
    }
    auth_state = ssh_userauth_pubkey(session, NULL, NULL, privkey);
  } else {
    return 4;
  }

  if (auth_state == SSH_AUTH_ERROR) {
    new_session = 1;
    return 1;
  }

  if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
    hydra_report_found_host(port, ip, "sshkey", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    return 1;
  } else {
    strncpy(keep_login, login, sizeof(keep_login) - 1);
    keep_login[sizeof(keep_login) - 1] = '\0';
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    login = hydra_get_next_login();
    if (strcmp(login, keep_login) == 0)
      new_session = 0;
    return 1;
  }

  /* not reached */
  return 1;
}
int start_oracle(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[200], sid[100];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  strncpy(sid, miscptr, sizeof(sid));
  snprintf(buffer, sizeof(buffer), "//%s:%d/%s", hydra_address2string(ip), port, sid);

  /*

     To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries.
     The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name].
     With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name].
     Service names can be found by running the Oracle utility lsnrctl status on the database server machine.

     The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin
     and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web
     daemon has read access to the file. 

   */

  if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) {
    print_oracle_error("OCIInitialize");
    return 4;
  }
  if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) {
    print_oracle_error("OCIEnvInit");
    return 4;
  }
  if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) {
    print_oracle_error("OCIEnvInit 2");
    return 4;
  }
  if (OCIHandleAlloc(o_environment, (dvoid **) & o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) {
    print_oracle_error("OCIHandleAlloc");
    return 4;
  }

  if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *) login, strlen(login), (const OraText *) pass, strlen(pass), (const OraText *) buffer, strlen(buffer))) {
    OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR);
    //database: oracle_error: ORA-01017: invalid username/password; logon denied
    //database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
    //database: oracle_error: ORA-28000: the account is locked
    //Failed login attempts is set to 10 by default
    if (verbose) {
      hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg);
    }
    if (strstr((const char *) o_errormsg, "ORA-12514") != NULL) {
      hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n");
    }
    if (strstr((const char *) o_errormsg, "ORA-28000") != NULL) {
      hydra_report(stderr, "[ERROR] ORACLE account %s is locked.\n", login);
    }

    if (o_error) {
      OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR);
    }

    hydra_completed_pair();
    //by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening,
    //as we don't care, we are deleting the file
    //set these parameters to not generate the file
    //LOG_DIRECTORY_CLIENT = /dev/null
    //LOG_FILE_CLIENT = /dev/null
    unlink("sqlnet.log");

    return 2;
  } else {
    OCILogoff(o_servicecontext, o_error);
    if (o_error) {
      OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR);
    }
    hydra_report_found_host(port, ip, "oracle", fp);
    hydra_completed_pair_found();
  }
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #15
0
char *smtp_read_server_capacity(int sock) {
  char *ptr = NULL;
  int resp = 0;
  char *buf = NULL;

  do {
    if (buf != NULL)
      free(buf);
    ptr = buf = hydra_receive_line(sock);
    if (buf != NULL) {
      if (isdigit((int) buf[0]) && buf[3] == ' ')
        resp = 1;
      else {
        if (buf[strlen(buf) - 1] == '\n')
          buf[strlen(buf) - 1] = 0;
        if (buf[strlen(buf) - 1] == '\r')
          buf[strlen(buf) - 1] = 0;
#ifdef NO_RINDEX
        if ((ptr = strrchr(buf, '\n')) != NULL) {
#else
        if ((ptr = rindex(buf, '\n')) != NULL) {
#endif
          ptr++;
          if (isdigit((int) *ptr) && *(ptr + 3) == ' ')
            resp = 1;
        }
      }
    }
  } while (buf != NULL && resp == 0);
  return buf;
}

int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  switch (smtp_auth_mechanism) {

  case AUTH_PLAIN:
    sprintf(buffer, "AUTH PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTH CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL || strlen(buf) < 8) {
        hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      sprintf(buffer, "%s %.250s", preplogin, buffer2);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTH DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL) {
        hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      if (debug)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);

      fooptr = buffer2;
      sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
      if (fooptr == NULL)
        return 3;

      if (debug)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      sprintf(buffer, "AUTH NTLM %s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL || strlen(buf) < 8) {
        hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      from64tobits((char *) buf1, buf + 4);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "%s\r\n", buf1);
    }
    break;

  default:
    /* by default trying AUTH LOGIN */
    sprintf(buffer, "AUTH LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;

    /* 504 5.7.4 Unrecognized authentication type  */
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    sprintf(buffer2, "%.250s", login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);

    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return (3);
    }
    free(buf);

    sprintf(buffer2, "%.250s", pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);

#ifdef LIBOPENSSL
  if (smtp_auth_mechanism == AUTH_DIGESTMD5) {
    if (strstr(buf, "334") != NULL && strlen(buf) >= 8) {
      memset(buffer2, 0, sizeof(buffer2));
      from64tobits((char *) buffer2, buf + 4);
      if (strstr(buffer2, "rspauth=") != NULL) {
        hydra_report_found_host(port, ip, "smtp", fp);
        hydra_completed_pair_found();
        free(buf);
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
          return 3;
        return 1;
      }
    }
  } else
#endif
  {
    if (strstr(buf, "235") != NULL) {
      hydra_report_found_host(port, ip, "smtp", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
int start_s7_300(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
    char *empty = "";
    char *pass, buffer[1024];
    char context[S7PASSLEN + 1];
    unsigned char encoded_password[S7PASSLEN];
    char *spaces = "        ";
    unsigned char len_pass;
    int ret = -1;

    if (strlen(pass = hydra_get_next_password()) == 0)
        pass = empty;

    // prepare password
    memset(context, 0, sizeof(context));
    if (strlen(pass) < S7PASSLEN) {
        strncpy(context, pass, strlen(pass));
        strncat(context, spaces, S7PASSLEN - strlen(pass) );
    } else {
        strncpy(context, pass, S7PASSLEN);
    }

    // encode password
    encoded_password[0] = context[0] ^ 0x55;
    encoded_password[1] = context[1] ^ 0x55;
    int i;
    for (i = 2; i < S7PASSLEN; i++) {
        encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ;
    }

    // send p_cotp and check first 2 bytes of answer
    if (hydra_send(s, (char *) p_cotp, 22, 0) < 0)
        return 1;
    memset(buffer, 0, sizeof(buffer));
    ret=hydra_recv_nb(s, buffer, sizeof(buffer));

    if (ret <= 0)
        return 3;

    if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
        return 3;

    // send p_s7_negotiate_pdu and check first 2 bytes of answer
    if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0)
        return 1;
    memset(buffer, 0, sizeof(buffer));
    ret=hydra_recv_nb(s, buffer, sizeof(buffer));

    if (ret <= 0)
        return 3;

    if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
        return 3;

    // send p_s7_read_szl and check first 2 bytes of answer
    if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0)
        return 1;
    memset(buffer, 0, sizeof(buffer));
    ret=hydra_recv_nb(s, buffer, sizeof(buffer));

    if (ret <= 0)
        return 3;

    if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
        return 3;

    // so now add encoded_password to p_s7_password_request and send
    memset(buffer, 0, sizeof(buffer));
    memcpy(buffer, p_s7_password_request, 29);
    memcpy(buffer + 29, encoded_password, S7PASSLEN);

    if (hydra_send(s, buffer, 29 + S7PASSLEN , 0) < 0)
        return 1;

    memset(buffer, 0, sizeof(buffer));
    ret=hydra_recv_nb(s, buffer, sizeof(buffer));

    if (ret <= 0)
        return 3;

    // now check answer
    // 0x0000 - valid password
    // 0xd605 - no password
    // 0xd602 - wrong password
    if (ret > 30 ) {
        if (buffer[27] == '\x00' && buffer[28] == '\x00') {
            hydra_report_found_host(port, ip, "s7-300", fp);
            hydra_completed_pair_found();
            if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
                return 2;
            return 1;
        }

        if (buffer[27] == '\xd6' && buffer[28] == '\x05') {
            //hydra_report_found_host(port, ip, "s7-300", fp);
            hydra_completed_pair_found();
            hydra_report(stderr, "[INFO] No password protection enabled\n");
            if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
                return 2;
            return 1;
        }
    }

    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 2;

    return 1;
}
Beispiel #17
0
int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s)) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  switch (imap_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;

  case AUTH_PLAIN:
    sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;

#ifdef LIBOPENSSLNEW
  case AUTH_CRAMMD5:
  case AUTH_CRAMSHA1:
  case AUTH_CRAMSHA256:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      switch (imap_auth_mechanism) {

      case AUTH_CRAMMD5:
        sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter);
        break;
      case AUTH_CRAMSHA1:
        sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter);
        break;
      case AUTH_CRAMSHA256:
        sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter);
        break;
      }
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        switch (imap_auth_mechanism) {
        case AUTH_CRAMMD5:
          hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA1:
          hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA256:
          hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf);
          break;
        }
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 2);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));

      switch (imap_auth_mechanism) {
      case AUTH_CRAMMD5:{
          sasl_cram_md5(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA1:{
          sasl_cram_sha1(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA256:{
          sasl_cram_sha256(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      }
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;
  case AUTH_DIGESTMD5:{
      sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;
      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);

    }
    break;
  case AUTH_SCRAMSHA1:{
      char clientfirstmessagebare[200];
      char serverfirstmessage[200];
      char *preplogin;
      int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);

      if (rc) {
        return 3;
      }
      sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);

      snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin);
      free(preplogin);
      memset(buffer2, 0, sizeof(buffer2));
      sprintf(buffer2, "n,,%.200s", clientfirstmessagebare);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n");
        free(buf);
        return 1;
      } else {
        /* recover server challenge */
        memset(buffer, 0, sizeof(buffer));
        //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2
        from64tobits((char *) buffer, buf + 2);
        free(buf);
        strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1);
        serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';

        memset(buffer2, 0, sizeof(buffer2));
        sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
        if (buffer2 == NULL) {
          hydra_report(stderr, "[ERROR] Can't compute client response\n");
          return 1;
        }
        hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
        sprintf(buffer, "%s\r\n", buffer2);
      }
    }
    break;
#endif
  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //Send auth request
      sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      //send auth and receive challenge
      //send auth request: lst the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      if ((buf = hydra_receive_line(s)) == NULL)
        return (1);

      //recover challenge
      from64tobits((char *) buf1, buf + 2);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
    }
    break;
  default:
    //clear authentication
    sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);

  if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] %s\n", buf);
    free(buf);
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    if (counter == 4)
      return 1;
    return (2);
  }
  free(buf);

  hydra_report_found_host(port, ip, "imap", fp);
  hydra_completed_pair_found();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #18
0
char *nntp_read_server_capacity(int sock) {
  char *ptr = NULL;
  int resp = 0;
  char *buf = NULL;

  do {
    if (buf != NULL)
      free(buf);
    ptr = buf = hydra_receive_line(sock);
    if (buf != NULL) {
      if (isdigit((int) buf[0]) && buf[3] == ' ')
        resp = 1;
      else {
        if (buf[strlen(buf) - 1] == '\n')
          buf[strlen(buf) - 1] = 0;
        if (buf[strlen(buf) - 1] == '\r')
          buf[strlen(buf) - 1] = 0;
#ifdef NO_RINDEX
        if ((ptr = strrchr(buf, '\n')) != NULL) {
#else
        if ((ptr = rindex(buf, '\n')) != NULL) {
#endif
          ptr++;
          if (isdigit((int) *ptr) && *(ptr + 3) == ' ')
            resp = 1;
        }
      }
    }
  } while (buf != NULL && resp == 0);
  return buf;
}

int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[300], buffer2[500];
  int i = 1;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (i > 0 && hydra_data_ready(s) > 0)
    i = hydra_recv(s, buffer, 300);

  switch (nntp_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "AUTHINFO SASL LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;
  case AUTH_PLAIN:
    sprintf(buffer, "AUTHINFO SASL PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;
#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      sprintf(buffer, "%s %.250s", preplogin, buffer2);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);
      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;

#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      from64tobits((char *) buf1, buf + 4);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "%s\r\n", (char*)buf1);
    }
    break;

  default:{
      sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (buf[0] != '3') {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
        free(buf);
        return (3);
      }
      free(buf);
      sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
    }
    break;
  }


  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  buf = hydra_receive_line(s);
  if (buf == NULL)
    return 1;

  if (buf[0] == '2') {
    hydra_report_found_host(port, ip, "nntp", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Beispiel #19
0
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];
  char url[210], host[30];
  char *header = "";            /* XXX TODO */
  char *ptr, *fooptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (miscptr == NULL) {
    strcpy(url, "http://www.microsoft.com/");
    strcpy(host, "Host: www.microsoft.com\r\n");
  } else {
    sprintf(url, "%.200s", miscptr);
    ptr = strstr(miscptr, "://");       // :// check is in hydra.c
    sprintf(host, "Host: %.200s", ptr + 3);
    if ((ptr = index(host, '/')) != NULL)
      *ptr = 0;
    if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[')
      *ptr = 0;
    strcat(host, "\r\n");
  }

  if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) {
    //send dummy request
    sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
      return 3;

    //receive first 40x
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Server did not answer\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);

    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);

    //after the first query we should have been disconnected from web server
    s = hydra_disconnect(s);
    if ((options & OPTION_SSL) == 0) {
      s = hydra_connect_tcp(ip, port);
    } else {
      s = hydra_connect_ssl(ip, port);
    }
  }

  if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) {
    http_proxy_auth_mechanism = AUTH_BASIC;
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
      return 3;
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    //if server cut the connection, just exit cleanly or 
    //this will be an infinite loop
    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Server did not answer\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);
  } else {
    if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) {

      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      http_proxy_auth_mechanism = AUTH_NTLM;
      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it cant overflow */
      //send the first..
      sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 3;

      //receive challenge
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
      while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) {
        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
      }
      if (pos != NULL) {
        char *str;

        pos += 25;
        if ((str = strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str = strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0;
        }
      }
      //recover challenge
      if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) {
        from64tobits((char *) buf1, pos);
        free(http_proxy_buf);
        http_proxy_buf = NULL;
        return 3;
      }
      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 3;

      if (http_proxy_buf != NULL)
       free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
      while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
      }

      if (http_proxy_buf == NULL)
        return 3;
    } else {
#ifdef LIBOPENSSL
      if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {

        char *pbuffer;

        http_proxy_auth_mechanism = AUTH_DIGESTMD5;
        pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");
        strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
        buffer[sizeof(buffer) - 1] = '\0';
        pbuffer = NULL;

        fooptr = buffer2;
        sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
        if (fooptr == NULL)
          return 3;

        if (debug)
          hydra_report(stderr, "C:%s\n", buffer2);
        if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
          return 3;

        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
        while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
          free(http_proxy_buf);
          http_proxy_buf = hydra_receive_line(s);
        }

        if (debug && http_proxy_buf != NULL)
          hydra_report(stderr, "S:%s\n", http_proxy_buf);

        if (http_proxy_buf == NULL)
          return 3;

      } else
#endif
      {
        if (http_proxy_buf != NULL) {
//          buf[strlen(http_proxy_buf) - 1] = '\0';
          hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf);
          free(http_proxy_buf);
          http_proxy_buf = NULL;
        } else {
          hydra_report(stderr, "Unsupported Auth type\n");
        }
        return 3;
      }
    }
  }

  ptr = ((char *) index(http_proxy_buf, ' ')) + 1;
  if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) {
    hydra_report_found_host(port, ip, "http-proxy", fp);
    hydra_completed_pair_found();
    free(http_proxy_buf);
    http_proxy_buf = NULL;
  } else {
    if (*ptr != '4')
      hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass);
    else if (verbose && *(ptr + 2) == '3')
      hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass);
    hydra_completed_pair();
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  if (http_proxy_buf != NULL)
    return 2;
  else
    return 1;
}
int start_oracle_listener(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  unsigned char tns_packet_begin[22] = {
    "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
  };
  unsigned char tns_packet_end[32] = {
    "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
  };

  char *empty = "";
  char *pass;
  char connect_string[200];
  char buffer2[260];
  int siz = 0;

  memset(connect_string, 0, sizeof(connect_string));
  memset(buffer2, 0, sizeof(buffer2));

  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (sid_mechanism == AUTH_PLAIN) {
    if ((hash = malloc(HASHSIZE)) == NULL) {
      hydra_report(stderr, "[ERROR] Can't allocate memory\n");
      return 1;
    }
    memset(hash, 0, HASHSIZE);
    if (ora_hash_password(pass)) {
      hydra_report(stderr, "[ERROR] generating Oracle hash\n");
      free(hash);
      return 1;
    }
    pass = (char *) hash;
  }
  snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass);

  if (hash != NULL)
    free(hash);
  if (verbose)
    hydra_report(stderr, "[VERBOSE] using connectiong string: %s\n", connect_string);

  siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
  if (siz > 255) {
    buffer2[0] = 1;
    buffer2[1] = siz - 256;
  } else {
    buffer2[1] = siz;
  }
  memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin));
  siz = strlen(connect_string);
  if (siz > 255) {
    buffer2[2 + sizeof(tns_packet_begin)] = 1;
    buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256;
  } else {
    buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz;
  }
  memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end));
  memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string));
  if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) {
    return 1;
  }

  if ((buf = hydra_receive_line(s)) == NULL)
    return 1;
  if (verbose || debug)
    hydra_report(stderr, "[VERBOSE] Server answer: %s\n", buf);

  if (strstr(buf, "ERR=0") != NULL) {
    hydra_report_found_host(port, ip, "oracle-listener", fp);
    hydra_completed_pair_found();
  } else
    hydra_completed_pair();

  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Beispiel #21
0
int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
  int ret;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  memset(buffer2, 0, sizeof(buffer2));
  bptr++;

  strcpy(bptr, login);
  bptr += 1 + strlen(login);

  strcpy(bptr, login);
  bptr += 1 + strlen(login);

  strcpy(bptr, TERM);

  if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(login) + strlen(TERM), 0) < 0) {
    return 4;
  }
  ret = hydra_recv(s, buffer, sizeof(buffer));
  /* 0x00 is sent but hydra_recv transformed it */
  if (strlen(buffer) == 0)
    ret = hydra_recv(s, buffer, sizeof(buffer));

  if (ret > 0 && (strstr(buffer, "rlogind:") != NULL))
    return 1;

  if (ret > 0 && (strstr(buffer, "ssword") != NULL)) {
    if (strlen(pass = hydra_get_next_password()) == 0)
      pass = empty;
    sprintf(buffer2, "%s\r", pass);
    if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) {
      return 1;
    }
    memset(buffer, 0, sizeof(buffer));
    ret = hydra_recv(s, buffer, sizeof(buffer));
    if (strcmp(buffer, "\r\n"))
      ret = hydra_recv(s, buffer, sizeof(buffer));
  }
  /* Authentication failure */

  if (ret > 0 && (strstr(buffer, "ssword") == NULL)) {
#ifdef HAVE_PCRE
    if (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)")) {
#else
    /* check for failure and incorrect msg */
    if ((strstr(buffer, "ailure") == NULL) && (strstr(buffer, "ncorrect") == NULL) && (strstr(buffer, "denied") == NULL)) {
#endif
      hydra_report_found_host(port, ip, "rlogin", fp);
      hydra_completed_pair_found();
    } else {
      hydra_completed_pair();
    }
  } else {
    /* if password is asked a second time, it means the pass we provided is wrong */
    hydra_completed_pair();
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}

void service_rlogin(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
  int run = 1, next_run = 1, sock = -1;
  int myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL;

  hydra_register_socket(sp);

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return;
  while (1) {
    next_run = 0;
    switch (run) {
    case 1:                    /* connect and service init function */
      {
        /* 512 -> 1023 */
        hydra_set_srcport(1023);
        if (sock >= 0)
          sock = hydra_disconnect(sock);
//        usleep(275000);
        if ((options & OPTION_SSL) == 0) {
          if (port != 0)
            myport = port;
          sock = hydra_connect_tcp(ip, myport);
          port = myport;
        } else {
          if (port != 0)
            mysslport = port;
          sock = hydra_connect_ssl(ip, mysslport);
          port = mysslport;
        }
        if (sock < 0) {
          hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
          hydra_child_exit(1);
        }
        next_run = 2;
        break;
      }
    case 2:                    /* run the cracking function */
      next_run = start_rlogin(sock, ip, port, options, miscptr, fp);
      break;
    case 3:                    /* clean exit */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      hydra_child_exit(0);
      return;
    default:
      hydra_report(stderr, "Caught unknown return code, exiting!\n");
      hydra_child_exit(0);
    }
    run = next_run;
  }
}
Beispiel #22
0
int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char options, char *miscptr, FILE * fp) {
  char *login, *pass, *host, buffer[SIP_MAX_BUF];
  int i;
  char buf[SIP_MAX_BUF];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = NULL;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = NULL;

  if (external_ip_addr[0])
    lip = external_ip_addr;

  host = miscptr;
  cseq = 1;

  empty_register(buffer, host, lip, port, lport, login);
  cseq++;

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 3;
  }

  int has_sip_cred = 0;
  int try = 0;

  /* We have to check many times because server may begin to send "100 Trying"
   * before "401 Unauthorized" */
  while (try < 2 && !has_sip_cred) {
    try++;
    if (hydra_data_ready_timed(s, 3, 0) > 0) {
      i = hydra_recv(s, (char *) buf, sizeof(buf));
      buf[sizeof(buf) - 1] = '\0';
      if (strncmp(buf, "SIP/2.0 404", 11) == 0) {
	hydra_report(stdout, "[ERROR] Get error code 404 : user '%s' not found\n", login);
	return 2;
      }
      if (strncmp(buf, "SIP/2.0 606", 11) == 0) {
        char *ptr=NULL;
        int i = 0;

        // if we already tried to connect, exit
        if (external_ip_addr[0]) {
          hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n");          
          return 2;
        }
        
        if (verbose)
          hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n"
                                          "maybe it's an addressing issue as you are using NAT, trying to reconnect\n"
                                          "using addr from the server reply\n");
        /* 
        SIP/2.0 606 Not Acceptable
        Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137
        */
#ifdef HAVE_PCRE
        if (hydra_string_match(buf, "Via: SIP.*received=")) {
          ptr=strstr(buf, "received=");
#else
        if ((ptr=strstr(buf, "received="))) {
#endif
        strncpy(external_ip_addr, ptr+strlen("received="), sizeof(external_ip_addr));
        external_ip_addr[sizeof(external_ip_addr) - 1] = '\0';
        for (i = 0; i < strlen(external_ip_addr); i++) {
          if (external_ip_addr[i] <= 32) {
            external_ip_addr[i] = '\0';
          }
        }
        if (verbose)
          hydra_report(stderr, "[VERBOSE] Will reconnect using external IP address %s\n", external_ip_addr);
        return 1;
        }
        hydra_report(stderr, "[ERROR] Could not find external IP address in server answer\n");
        return 2;
      }
    }
  }
  if (!strstr(buf, "WWW-Authenticate: Digest")) {
    hydra_report(stderr, "[ERROR] no www-authenticate header found!\n");
    return -1;
  }
  if (verbose)
    hydra_report(stderr, "[INFO] S: %s\n", buf);
  char buffer2[512];
  sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);

  memset(buffer, 0, SIP_MAX_BUF);
  snprintf(buffer, SIP_MAX_BUF,
           "REGISTER sip:%s SIP/2.0\n"
           "Via: SIP/2.0/UDP %s:%i\n"
           "From: <sip:%s@%s>\n"
           "To: <sip:%s@%s>\n"
           "Call-ID: 1337@%s\n"
           "CSeq: %i REGISTER\n"
           "Authorization: Digest %s\n"
           "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2);

  cseq++;
  if (verbose)
    hydra_report(stderr, "[INFO] C: %s\n", buffer);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 3;
  }
  try = 0;
  int has_resp = 0;
  int sip_code = 0;

  while (try < 2 && !has_resp) {
    try++;
    if (hydra_data_ready_timed(s, 5, 0) > 0) {
      memset(buf, 0, sizeof(buf));
      i = hydra_recv(s, (char *) buf, sizeof(buf));
      if (verbose)
        hydra_report(stderr, "[INFO] S: %s\n", buf);
      sip_code = get_sip_code(buf);
      if (sip_code >= 200 && sip_code < 300) {
        hydra_report_found_host(port, ip, "sip", fp);
        hydra_completed_pair_found();
        has_resp = 1;
      }
      if (sip_code >= 400 && sip_code < 500) {
        has_resp = 1;
      }
    }
  }

  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 1;
}

void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
  int run = 1, next_run = 1, sock = -1;
  int myport = PORT_SIP, mysslport = PORT_SIP_SSL;

  char *lip = get_iface_ip((int) *(&ip[1]));
  hydra_register_socket(sp);

  // FIXME IPV6
  if (ip[0] != 4) {
    fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n");
    hydra_child_exit(2);
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    run = 3;

  int lport = 0;

  while (1) {
    switch (run) {
    case 1:
      if (sock < 0) {
        if (port != 0)
          myport = port;
        lport = rand() % (65535 - 1024) + 1024;
        hydra_set_srcport(lport);

        if ((options & OPTION_SSL) == 0) {
          if (port != 0)
            myport = port;
          sock = hydra_connect_udp(ip, myport);
          port = myport;
        } else {
          if (port != 0)
            mysslport = port;
          sock = hydra_connect_ssl(ip, mysslport);
          port = mysslport;
        }

        if (sock < 0) {
          if (verbose || debug)
            hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
          free(lip);
          hydra_child_exit(1);
        }
      }
      next_run = start_sip(sock, ip, lip, port, lport, options, miscptr, fp);
      break;
    case 2:
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      free(lip);
      hydra_child_exit(2);
      break;
    case 3:
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      free(lip);
      hydra_child_exit(2);
      return;
    default:
      hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
      free(lip);
      hydra_child_exit(2);
    }
    run = next_run;
  }
}

char *get_iface_ip(unsigned long int ip) {

  int sfd;

  sfd = socket(AF_INET, SOCK_DGRAM, 0);

  struct sockaddr_in tparamet;

  tparamet.sin_family = AF_INET;
  tparamet.sin_port = htons(2000);
  tparamet.sin_addr.s_addr = ip;

  if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) {
    perror("connect");
    close(sfd);
    return NULL;
  }
  struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in));
  int size = sizeof(struct sockaddr_in);

  if (getsockname(sfd, (void *) local, (socklen_t *) & size)) {
    perror("getsockname");
    close(sfd);
    free(local);
    return NULL;
  }
  close(sfd);

  char buff[32];

  if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) {
    perror("inet_ntop");
    free(local);
    return NULL;
  }
  char *str = malloc(sizeof(char) * (strlen(buff) + 1));

  strcpy(str, buff);
  free(local);
  return str;
}

#endif

int service_sip_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
  // called before the childrens are forked off, so this is the function
  // which should be filled if initial connections and service setup has to be
  // performed once only.
  //
  // fill if needed.
  // 
  // return codes:
  //   0 all OK
  //   -1  error, hydra will exit, so print a good error message here

  return 0;
}
Beispiel #23
0
int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char version, int auth_method) {
  char *empty = "";
  char *login = "", *pass;
  unsigned char buffer[512];
  int length = 0;
  int ldap_auth_mechanism = auth_method;

  /*
     The LDAP "simple" method has three modes of operation:
     * anonymous= no user no pass
     * unauthenticated= user but no pass
     * user/password authenticated= user and pass  
   */

  if ((miscptr != NULL) && (ldap_auth_mechanism == AUTH_CLEAR)) {
    login = miscptr;
  } else {
    if (strlen(login = hydra_get_next_login()) == 0)
      login = empty;
  }

  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  switch (ldap_auth_mechanism) {
  case AUTH_CLEAR:
    length = 14 + strlen(login) + strlen(pass);
    break;
#ifdef LIBOPENSSLNEW
  case AUTH_CRAMMD5:
    length = 14 + strlen(miscptr) + strlen("CRAM-MD5") + 2;
    break;
  case AUTH_DIGESTMD5:
    length = 14 + strlen(miscptr) + strlen("DIGEST-MD5") + 2;
    break;
#endif
  }

  memset(buffer, 0, sizeof(buffer));
  buffer[0] = 48;
  buffer[1] = length - 2;

  buffer[2] = 2;
  buffer[3] = 1;
  buffer[4] = counter % 256;

  buffer[5] = 96;
  buffer[6] = length - 7;
  buffer[7] = 2;
  buffer[8] = 1;
  buffer[9] = version;
  buffer[10] = 4;

  if (ldap_auth_mechanism == AUTH_CLEAR) {
    buffer[11] = strlen(login); /* DN */
    memcpy(&buffer[12], login, strlen(login));
    buffer[12 + strlen(login)] = (unsigned char) 128;
    buffer[13 + strlen(login)] = strlen(pass);
    memcpy(&buffer[14 + strlen(login)], pass, strlen(pass));    /* PASS */
  } else {
    char *authm = "DIGEST-MD5";

    if (ldap_auth_mechanism == AUTH_CRAMMD5) {
      authm = "CRAM-MD5";
    }

    if ((strlen(miscptr)) > sizeof(buffer) - 16 - strlen(authm)) {
      miscptr[sizeof(buffer) - 16 - strlen(authm)] = '\0';
    }

    buffer[11] = strlen(miscptr);       /* DN */
    memcpy(&buffer[12], miscptr, strlen(miscptr));
    buffer[12 + strlen(miscptr)] = 163;
    buffer[13 + strlen(miscptr)] = 2 + strlen(authm);
    buffer[14 + strlen(miscptr)] = 4;
    buffer[15 + strlen(miscptr)] = strlen(authm);
    memcpy(&buffer[16 + strlen(miscptr)], authm, strlen(authm));
  }
  if (hydra_send(s, (char*)buffer, length, 0) < 0)
    return 1;
  if ((buf = (unsigned char*) hydra_receive_line(s)) == NULL)
    return 1;

  if (buf[0] != 0 && buf[0] != 32 && buf[9] == 2) {
    if (verbose)
      hydra_report(stderr, "[VERBOSE] Protocol invalid\n");
    free(buf);
    return 3;
  }

  if (buf[0] != 0 && buf[0] != 32 && buf[9] == 13) {
    if (verbose)
      hydra_report(stderr, "[VERBOSE] Confidentiality required, TLS has to be enabled\n");
    tls_required = 1;
    free(buf);
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 34) {
    hydra_report(stderr, "[ERROR] Invalid DN Syntax\n");
    hydra_child_exit(2);
    free(buf);
    return 3;
  }
#ifdef LIBOPENSSLNEW

/* one more step auth for CRAM and DIGEST */
  if (ldap_auth_mechanism == AUTH_CRAMMD5) {
    /* get the challenge, need to extract it */
    char *ptr;
    char buf2[32];

    ptr = strstr((char*) buf, "<");
    sasl_cram_md5(buf2, pass, ptr);
    if (buf2 == NULL)
      return 1;
    counter++;
    if (strstr(miscptr, "^USER^") != NULL) {
      miscptr = strrep(miscptr, "^USER^", login);
    }

    length = 12 + strlen(miscptr) + 4 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2);

    memset(buffer, 0, sizeof(buffer));
    buffer[0] = 48;
    buffer[1] = length - 2;

    buffer[2] = 2;
    buffer[3] = 1;
    buffer[4] = counter % 256;

    buffer[5] = 96;
    buffer[6] = length - 7;
    buffer[7] = 2;
    buffer[8] = 1;
    buffer[9] = version;
    buffer[10] = 4;

    buffer[11] = strlen(miscptr);       /* DN */
    memcpy(&buffer[12], miscptr, strlen(miscptr));
    buffer[12 + strlen(miscptr)] = 163;
    buffer[13 + strlen(miscptr)] = 2 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2);
    buffer[14 + strlen(miscptr)] = 4;
    buffer[15 + strlen(miscptr)] = strlen("CRAM-MD5");
    memcpy(&buffer[16 + strlen(miscptr)], "CRAM-MD5", strlen("CRAM-MD5"));
    buffer[16 + strlen(miscptr) + strlen("CRAM-MD5")] = 4;
    buffer[17 + strlen(miscptr) + strlen("CRAM-MD5")] = strlen(login) + 1 + strlen(buf2);
    memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5")], login, strlen(login));
    buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login)] = ' ';
    memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login) + 1], buf2, strlen(buf2));

    if (hydra_send(s, (char*)buffer, length, 0) < 0)
      return 1;
    free(buf);
    if ((buf = (unsigned char*) hydra_receive_line(s)) == NULL)
      return 1;
  } else {
    if (ldap_auth_mechanism == AUTH_DIGESTMD5) {
      char *ptr;
      char buffer2[500];
      int ind = 0;

      ptr = strstr((char*)buf, "realm=");

      counter++;
      if (strstr(miscptr, "^USER^") != NULL) {
        miscptr = strrep(miscptr, "^USER^", login);
      }

      sasl_digest_md5(buffer2, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
      if (buffer2 == NULL) {
        free(buf);
        return 3;
      }

      length = 26 + strlen(miscptr) + strlen("DIGEST-MD5") + strlen(buffer2);

      memset(buffer, 0, sizeof(buffer));
      ind = 0;
      buffer[ind] = 48;
      ind++;
      buffer[ind] = 130;
      ind++;

      if (length - 4 > 255) {
        buffer[ind] = 1;
        ind++;
        buffer[ind] = length - 256 - 4;
        ind++;
      } else {
        buffer[ind] = 0;
        ind++;
        buffer[ind] = length - 4;
        ind++;
      }

      buffer[ind] = 2;
      ind++;
      buffer[ind] = 1;
      ind++;
      buffer[ind] = counter % 256;
      ind++;
      buffer[ind] = 96;         /*0x60 */
      ind++;
      buffer[ind] = 130;
      ind++;
      if (length - 7 - 4 > 255) {
        buffer[ind] = 1;
        ind++;
        buffer[ind] = length - 256 - 11;
        ind++;
      } else {
        buffer[ind] = 0;
        ind++;
        buffer[ind] = length - 11;
        ind++;
      }

      buffer[ind] = 2;
      ind++;
      buffer[ind] = 1;
      ind++;
      buffer[ind] = version;
      ind++;
      buffer[ind] = 4;
      ind++;
      buffer[ind] = strlen(miscptr);
      ind++;
      memcpy(&buffer[ind], miscptr, strlen(miscptr));
       /*DN*/ buffer[ind + strlen(miscptr)] = 163;      //0xa3
      ind++;
      buffer[ind + strlen(miscptr)] = 130;      //0x82
      ind++;

      if (strlen(buffer2) + 6 + strlen("DIGEST-MD5") > 255) {
        buffer[ind + strlen(miscptr)] = 1;
        ind++;
        buffer[ind + strlen(miscptr)] = strlen(buffer2) + 6 + strlen("DIGEST-MD5") - 256;
      } else {
        buffer[ind + strlen(miscptr)] = 0;
        ind++;
        buffer[ind + strlen(miscptr)] = strlen(buffer2) + 6 + strlen("DIGEST-MD5");
      }
      ind++;

      buffer[ind + strlen(miscptr)] = 4;
      ind++;
      buffer[ind + strlen(miscptr)] = strlen("DIGEST-MD5");
      ind++;
      memcpy(&buffer[ind + strlen(miscptr)], "DIGEST-MD5", strlen("DIGEST-MD5"));
      buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 4;
      ind++;
      buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 130;
      ind++;

      if (strlen(buffer2) > 255) {
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 1;
        ind++;
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = strlen(buffer2) - 256;
      } else {
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 0;
        ind++;
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = strlen(buffer2);
      }
      ind++;
      memcpy(&buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")], buffer2, strlen(buffer2));
      ind++;

      if (hydra_send(s, (char*)buffer, length, 0) < 0)
        return 1;
      free(buf);
      if ((buf = (unsigned char*) hydra_receive_line(s)) == NULL)
        return 1;
    }
  }
#endif

  /* success is: 0a 01 00 - failure is: 0a 01 31 */
  if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) {
    hydra_report_found_host(port, ip, "ldap", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 7) {
    hydra_report(stderr, "[ERROR] Unknown authentication method\n");
    free(buf);
    hydra_child_exit(2);
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 53) {
    if (verbose)
      hydra_report(stderr, "[VERBOSE] Server unwilling to perform action, maybe deny by server config or too busy when tried login: %s   password: %s\n", login, pass);
    free(buf);
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) {
    hydra_report(stderr, "[ERROR] Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2');
    free(buf);
    hydra_child_exit(2);
    sleep(1);
    hydra_child_exit(2);
  }

//0 0x30, 0x84, 0x20, 0x20, 0x20, 0x10, 0x02, 0x01,
//8 0x01, 0x61, 0x84, 0x20, 0x20, 0x20, 0x07, 0x0a,
//16 0x01, 0x20, 0x04, 0x20, 0x04, 0x20, 0x00, 0x00,

  // this is for w2k8 active directory ldap auth
  if (buf[0] == 48 && buf[1] == 132) {
    if (buf[9] == 0x61 && buf[1] == 0x84) {
      if (buf[17] == 0 || buf[17] == 0x20) {
        hydra_report_found_host(port, ip, "ldap", fp);
        hydra_completed_pair_found();
        free(buf);
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
          return 3;
        return 1;
      }
    }
  } else {

    if (buf[9] != 49 && buf[9] != 2 && buf[9] != 53) {
      hydra_report(stderr, "[ERROR] Uh, unknown LDAP response! Please report this: \n");
      print_hex((unsigned char *) buf, 24);
      free(buf);
      return 3;
    }
  }

  hydra_completed_pair();
  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 2;
}
Beispiel #24
0
int
start_pop3(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{
  char *empty = "\"\"";
  char *login, *pass, buffer[300];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  #ifdef PALM
  sprintf(buffer, "USER %s\r\n", login);
  #else
  sprintf(buffer, "USER %.250s\r\n", login);
  #endif
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);
  if (buf[0] != '+') {
    hydra_report(stderr, "Error: POP3 protocol error or service shutdown: %s\n", buf);
    free(buf);
    return (3);
  }
  free(buf);

  #ifdef PALM
  sprintf(buffer, "PASS %s\r\n", pass);
  #else
  sprintf(buffer, "PASS %.250s\r\n", pass);
  #endif
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);
  if (buf[0] == '+') {
    hydra_report_found_host(port, ip, "pop3", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  /* special AS/400 hack */
  if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) {
    hydra_completed_pair_skip();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Beispiel #25
0
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return 4;
    free(buf);
  }

  switch (p->pop3_auth_mechanism) {
#ifdef LIBOPENSSL
  case AUTH_APOP:{
      MD5_CTX c;
      unsigned char md5_raw[MD5_DIGEST_LENGTH];
      int i;
      char *pbuffer = buffer2;

      MD5_Init(&c);
      MD5_Update(&c, apop_challenge, strlen(apop_challenge));
      MD5_Update(&c, pass, strlen(pass));
      MD5_Final(md5_raw, &c);

      for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
        sprintf(pbuffer, "%02x", md5_raw[i]);
        pbuffer += 2;
      }
      sprintf(buffer, "APOP %s %s\r\n", login, buffer2);
    }
    break;
#endif

  case AUTH_LOGIN:{
      sprintf(buffer, "AUTH LOGIN\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      strcpy(buffer2, login);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

      sprintf(buffer, "%.250s\r\n", buffer2);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;

      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      strcpy(buffer2, pass);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%.250s\r\n", buffer2);
    }
    break;

  case AUTH_PLAIN:{
      sprintf(buffer, "AUTH PLAIN\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);

      memset(buffer, 0, sizeof(buffer));
      sasl_plain(buffer, login, pass);
      sprintf(buffer, "%.250s\r\n", buffer);
    }
    break;

#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:
  case AUTH_CRAMSHA1:
  case AUTH_CRAMSHA256:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      switch (p->pop3_auth_mechanism) {
      case AUTH_CRAMMD5:
        sprintf(buffer, "AUTH CRAM-MD5\r\n");
        break;
      case AUTH_CRAMSHA1:
        sprintf(buffer, "AUTH CRAM-SHA1\r\n");
        break;
      case AUTH_CRAMSHA256:
        sprintf(buffer, "AUTH CRAM-SHA256\r\n");
        break;
      }
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge

      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        switch (p->pop3_auth_mechanism) {
        case AUTH_CRAMMD5:
          hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA1:
          hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA256:
          hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf);
          break;
        }
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 2);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));

      switch (p->pop3_auth_mechanism) {
      case AUTH_CRAMMD5:{
          sasl_cram_md5(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA1:{
          sasl_cram_sha1(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA256:{
          sasl_cram_sha256(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      }
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTH DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf);
      free(buf);

      if (verbose)
        hydra_report(stderr, "[VERBOSE] S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "[VERBOSE] C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //Send auth request
      sprintf(buffer, "AUTH NTLM\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      //send auth and receive challenge
      //send auth request: lst the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;

      //recover challenge
      from64tobits((char *) buf1, buf + 2);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
    }
    break;
  default:
    sprintf(buffer, "USER %.250s\r\n", login);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 4;
    if (buf[0] != '+') {
      hydra_report(stderr, "[ERROR] POP3 protocol or service shutdown: %s\n", buf);
      free(buf);
      return (3);
    }
    free(buf);
    sprintf(buffer, "PASS %.250s\r\n", pass);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  if ((buf = hydra_receive_line(s)) == NULL) {
    return 4;
 }

  if (buf[0] == '+') {
    hydra_report_found_host(port, ip, "pop3", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  /* special AS/400 hack */
  if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) {
    hydra_completed_pair_skip();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Beispiel #26
0
int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
    char *empty = "";
    char *pass;
    unsigned char buf2[CHALLENGESIZE + 4];

    if (strlen(pass = hydra_get_next_password()) == 0)
        pass = empty;

    recv(s, buf2, CHALLENGESIZE + 4, 0);

    if (vnc_client_version == RFB37) {
        int i;

        //fprintf(stderr,"number of security types supported: %d\n", buf2[0]);
        if (buf2[0] == 0) {
            hydra_report(stderr, "[ERROR] VNC server connection failed\n");
            hydra_child_exit(0);
        }

        for (i = 1; i <= buf2[0]; i++) {
            //fprintf(stderr,"sec type %u\n",buf2[i]);
            //check if weak security types are available
            if (buf2[i] <= 0x2) {
                buf2[3] = buf2[i];
                break;
            }
        }
    }
    //supported security type
    switch (buf2[3]) {
    case 0x0:
        hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]);
        hydra_child_exit(0);
    case 0x1:
        hydra_report(fp, "VNC server does not require authentication.\n");
        if (fp != stdout)
            hydra_report(stdout, "VNC server does not require authentication.\n");
        hydra_report_found_host(port, ip, "vnc", fp);
        hydra_completed_pair_found();
        hydra_child_exit(2);
    case 0x2:
        //VNC security type supported is the only type supported for now
        if (vnc_client_version == RFB37) {
            sprintf(buf, "%c", 0x2);
            if (hydra_send(s, buf, strlen(buf), 0) < 0) {
                return 1;
            }
            //get authentication challenge from server
            if (recv(s, buf2, CHALLENGESIZE, 0) == -1)
                return 1;
            //send response
            vncEncryptBytes(buf2, pass);
            if (hydra_send(s, (char *) buf2, CHALLENGESIZE, 0) < 0) {
                return 1;
            }
        } else {
            //in old proto, challenge is following the security type
            vncEncryptBytes((unsigned char *) buf2 + 4, pass);
            if (hydra_send(s, (char *) buf2 + 4, CHALLENGESIZE, 0) < 0) {
                return 1;
            }
        }
        break;
    default:
        hydra_report(stderr, "[ERROR] unknown VNC security type\n");
        hydra_child_exit(2);
    }

    //check security result value
    recv(s, buf, 4, 0);
    if (buf == NULL)
        return 1;

    switch (buf[3]) {
    case 0x0:
        hydra_report_found_host(port, ip, "vnc", fp);
        hydra_completed_pair_found();
        free(buf);
        failed_auth = 0;
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
            return 3;
        return 1;
    case 0x1:
        free(buf);
        if (verbose)
            hydra_report(stderr, "[VERBOSE] Authentication failed for password %s\n", pass);
        hydra_completed_pair();
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
            return 3;
        return 1;
    default:
        free(buf);
        hydra_report(stderr, "[ERROR] unknown VNC server security result %d\n", buf[3]);
        return 1;
    }

    return 1;                     /* never reached */
}
Beispiel #27
0
int start_smtp_enum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  if (smtp_enum_cmd == RCPT) {
    tosent = 0;
    if (pass != empty) {
      snprintf(buffer, sizeof(buffer), "MAIL FROM: root@%s\r\n", pass);
    } else {
      snprintf(buffer, sizeof(buffer), "MAIL FROM: root\r\n");
    }
    if (verbose)
      hydra_report(stderr, "DEBUG C: %s", buffer);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    if (verbose)
      hydra_report(stderr, "DEBUG S: %s", buf);
    /* good return values are something like 25x */
#ifdef HAVE_PCRE
    if (hydra_string_match(buf, "^25\\d\\s")) {
#else
    if (strstr(buf, "25") != NULL) {
#endif
      if (pass != empty) {
        snprintf(buffer, sizeof(buffer), "RCPT TO: %s@%s\r\n", login, pass);
      } else {
        snprintf(buffer, sizeof(buffer), "RCPT TO: %s\r\n", login);
      }
      tosent = 1;
    } else {
      err = strstr(buf, "Error");
      if (err) {
        if (verbose) {
          hydra_report(stderr, "Server %s", err);
        }
        free(buf);
        hydra_completed_pair();
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
          return 3;
        return 2;
      }
    }
  } else {
    char cmd[5] = "";

    memset(cmd, 0, sizeof(cmd));
    if (smtp_enum_cmd == EXPN)
      strcpy(cmd, "EXPN");
    else
      strcpy(cmd, "VRFY");
    if (pass != empty) {
      snprintf(buffer, sizeof(buffer), "%s %s@%s\r\n", cmd, login, pass);
    } else {
      snprintf(buffer, sizeof(buffer), "%s %s\r\n", cmd, login);
    }
  }
  if (verbose)
    hydra_report(stderr, "DEBUG C: %s", buffer);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);
  if (verbose)
    hydra_report(stderr, "DEBUG S: %s", buf);
  /* good return values are something like 25x */
#ifdef HAVE_PCRE
  if (hydra_string_match(buf, "^25\\d\\s")) {
#else
  if (strstr(buf, "25") != NULL) {
#endif
    hydra_report_found_host(port, ip, "smtp-enum", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  err = strstr(buf, "Error");
  if (err || tosent) {
    // we should report command not identified by the server
    //502 5.5.2 Error: command not recognized
#ifdef HAVE_PCRE
    if ((verbose || hydra_string_match(buf, "\\scommand\\snot\\srecognized")) && err) {
#else
    if ((verbose || strstr(buf, "command") != NULL) && err) {
#endif
      hydra_report(stderr, "Server %s", err);
    }
    memset(buffer, 0, sizeof(buffer));
    //503 5.5.1 Error: nested MAIL command
    strncpy(buffer, "RSET\r\n", sizeof(buffer));
    free(buf);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}

void service_smtp_enum(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
  int run = 1, next_run = 1, sock = -1, i = 0;
  int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL;
  char *buffer = "HELO hydra\r\n";

  hydra_register_socket(sp);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return;
  while (1) {
    switch (run) {
    case 1:                    /* connect and service init function */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      if ((options & OPTION_SSL) == 0) {
        if (port != 0)
          myport = port;
        sock = hydra_connect_tcp(ip, myport);
        port = myport;
      } else {
        if (port != 0)
          mysslport = port;
        sock = hydra_connect_ssl(ip, mysslport);
        port = myport;
      }
      if (sock < 0) {
        hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
        hydra_child_exit(1);
      }
      /* receive initial header */
      if ((buf = hydra_receive_line(sock)) == NULL)
        hydra_child_exit(2);
      if (strstr(buf, "220") == NULL) {
        hydra_report(stderr, "Warning: SMTP does not allow to connect: %s\n", buf);
        hydra_child_exit(2);
      }
      while (strstr(buf, "220 ") == NULL) {
        free(buf);
        buf = hydra_receive_line(sock);
      }

      if (buf[0] != '2') {
        if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
          free(buf);
          hydra_child_exit(2);
        }
      }

      if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
        for (i = 0; i < strlen(miscptr); i++)
          miscptr[i] = (char) toupper((int) miscptr[i]);

        if (strncmp(miscptr, "EXPN", 4) == 0)
          smtp_enum_cmd = EXPN;

        if (strncmp(miscptr, "RCPT", 4) == 0)
          smtp_enum_cmd = RCPT;
      }
      if (verbose) {
        switch (smtp_enum_cmd) {
        case VRFY:
          hydra_report(stderr, "using SMTP VRFY command\n");
          break;
        case EXPN:
          hydra_report(stderr, "using SMTP EXPN command\n");
          break;
        case RCPT:
          hydra_report(stderr, "using SMTP RCPT TO command\n");
          break;
        }
      }
      free(buf);
      next_run = 2;
      break;
    case 2:                    /* run the cracking function */
      next_run = start_smtp_enum(sock, ip, port, options, miscptr, fp);
      break;
    case 3:                    /* clean exit */
      if (sock >= 0) {
        sock = hydra_disconnect(sock);
      }
      hydra_child_exit(0);
      return;
    default:
      hydra_report(stderr, "Caught unknown return code, exiting!\n");
      hydra_child_exit(0);
    }
    run = next_run;
  }
}
Beispiel #28
0
int start_telnet(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[300];
  int i = 0;

#ifdef PALM
  Err error;
  Int32 AppNetTimeout = SysTicksPerSecond() * 10;
#endif

  no_line_mode = 0;             /* hmmm seems to work anyway */

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

#ifdef PALM
  sprintf(buffer, "%s\r", login);
#else
  sprintf(buffer, "%.250s\r", login);
#endif
  if (no_line_mode) {
    for (i = 0; i < strlen(buffer) + 1; i++) {
#ifdef PALM
      NetLibSend(AppNetRefnum, s, &buffer[i], 1, 0, 0, 0, AppNetTimeout, &error);
#else
      send(s, &buffer[i], 1, 0);
#endif
      usleep(2000);
    }
  } else {
    if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) {
      return 1;
    }
  }

  do {
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL) {
      hydra_report_found_host(port, ip, "telnet", fp);
      hydra_completed_pair_found();
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      free(buf);
      return 1;
    }
    (void) make_to_lower(buf);
    if (strstr(buf, "asswor") != NULL || strstr(buf, "asscode") != NULL || strstr(buf, "ennwort") != NULL)
      i = 1;
    if (i == 0 && ((strstr(buf, "ogin:") != NULL && strstr(buf, "last login") == NULL) || strstr(buf, "sername:") != NULL)) {
      free(buf);
      hydra_completed_pair();
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 2;
    }
    free(buf);
  } while (i == 0);

#ifdef PALM
  sprintf(buffer, "%s\r", pass);
#else
  sprintf(buffer, "%.250s\r", pass);
#endif
  if (no_line_mode) {
    for (i = 0; i < strlen(buffer) + 1; i++) {
#ifdef PALM
      NetLibSend(AppNetRefnum, s, &buffer[i], 1, 0, 0, 0, AppNetTimeout, &error);
#else
      send(s, &buffer[i], 1, 0);
#endif
      usleep(5000);
    }
  } else {
    if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) {
      return 1;
    }
  }

  while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:"******"last login:"******"sername:") == NULL) {
    if ((miscptr != NULL && strstr(buf, miscptr) != NULL) ||(miscptr == NULL && ((index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL ||
         (strstr(buf, " failed") == NULL  && index(buf, '%') != NULL))))) {
      hydra_report_found_host(port, ip, "telnet", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }
    free(buf);
  }
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 2;
}
Beispiel #29
0
int start_ssh(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, keep_login[300];
  int auth_state = 0, rc = 0, i = 0;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (new_session) {
    if (session) {
      ssh_disconnect(session);
      ssh_finalize();
      ssh_free(session);
    }

    session = ssh_new();
    ssh_options_set(session, SSH_OPTIONS_PORT, &port);
    ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
    ssh_options_set(session, SSH_OPTIONS_USER, login);
    ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
    ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
    if (ssh_connect(session) != 0) {
      //if the connection was drop, trying to reconnect
      if (verbose)
        hydra_report(stderr, "Error: could not connect to target port %d\n", port);
      return 1;
    }

    if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
      return 3;
    } else if (rc == SSH_AUTH_SUCCESS) {
      hydra_report_found_host(port, ip, "ssh", fp);
      hydra_completed_pair_found();
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 2;
      else
        return 1;
    }
  } else
    new_session = 1;

  auth_state = ssh_auth_list(session);
  if ((auth_state & SSH_AUTH_METHOD_PASSWORD) > 0) {
    auth_state = ssh_userauth_password(session, NULL, pass);
  } else if ((auth_state & SSH_AUTH_METHOD_INTERACTIVE) > 0) {
    auth_state = ssh_userauth_kbdint(session, NULL, NULL);
    while (auth_state == SSH_AUTH_INFO) {
      rc = ssh_userauth_kbdint_getnprompts(session);
      for (i = 0; i < rc; i++)
        ssh_userauth_kbdint_setanswer(session, i, pass);
      auth_state = ssh_userauth_kbdint(session, NULL, NULL);
    }
  } else {
    return 4;
  }

  if (auth_state == SSH_AUTH_ERROR) {
    new_session = 1;
    return 1;
  }

  if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
    hydra_report_found_host(port, ip, "ssh", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    return 1;
  } else {
    strncpy(keep_login, login, sizeof(keep_login) - 1);
    keep_login[sizeof(keep_login) - 1] = '\0';
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    login = hydra_get_next_login();
    if (strcmp(login, keep_login) == 0)
      new_session = 0;
    return 1;
  }

  /* not reached */
  return 1;
}
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
    char *empty = "";
    char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260];
    char url[260], host[30];
    char *header = "";            /* XXX TODO */
    char *ptr;
    int auth = 0;

    login = hydra_get_next_login();
    if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) {
        hydra_completed_pair();
        return 1;
    }
    pass = hydra_get_next_password();
    pass = empty;                 // ignored

    strncpy(url, login, sizeof(url) - 1);
    url[sizeof(url) - 1] = 0;
    ptr = strstr(login, "://") + 3;
    if (ptr[0] == '[')
        ptr++;
    strncpy(mhost, ptr, sizeof(mhost) - 1);
    mhost[sizeof(mhost) - 1] = 0;
    if ((ptr = index(mhost, '/')) != NULL)
        *ptr = 0;
    if ((ptr = index(mhost, ']')) != NULL)
        *ptr = 0;
    else if ((ptr = index(mhost, ':')) != NULL)
        *ptr = 0;

    if (miscptr != NULL && index(miscptr, ':') != NULL) {
        strncpy(mlogin, miscptr, sizeof(mlogin) - 1);
        mlogin[sizeof(mlogin) - 1] = 0;
        ptr = index(mlogin, ':');
        *ptr++ = 0;
        strncpy(mpass, ptr, sizeof(mpass) - 1);
        mpass[sizeof(mpass) - 1] = 0;
        auth = 1;
    }

    if (http_proxy_auth_mechanism == AUTH_ERROR) {
        //send dummy request
        sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header);
        if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
            return 1;

        //receive first 40x
        buf = hydra_receive_line(s);
        while (buf != NULL && strstr(buf, "HTTP/") == NULL) {
            free(buf);
            buf = hydra_receive_line(s);
        }

        if (debug)
            hydra_report(stderr, "S:%s\n", buf);

        //after the first query we should have been disconnected from web server
        s = hydra_disconnect(s);
        if ((options & OPTION_SSL) == 0) {
            s = hydra_connect_tcp(ip, port);
        } else {
            s = hydra_connect_ssl(ip, port, hostname);
        }
    }

    if (auth) {
        if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) {
            http_proxy_auth_mechanism = AUTH_BASIC;
            sprintf(buffer2, "%.50s:%.50s", login, pass);
            hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
            sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
            if (debug)
                hydra_report(stderr, "C:%s\n", buffer);
            if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                return 1;
            free(buf);
            buf = hydra_receive_line(s);
            while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                free(buf);
                buf = hydra_receive_line(s);
            }

            //if server cut the connection, just exit cleanly or
            //this will be an infinite loop
            if (buf == NULL) {
                if (verbose)
                    hydra_report(stderr, "[ERROR] Server did not answer\n");
                return 3;
            }

            if (debug)
                hydra_report(stderr, "S:%s\n", buf);
        } else {
            if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) {
                unsigned char buf1[4096];
                unsigned char buf2[4096];
                char *pos = NULL;

                http_proxy_auth_mechanism = AUTH_NTLM;
                //send auth and receive challenge
                //send auth request: let the server send it's own hostname and domainname
                buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
                to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

                /* to be portable, no snprintf, buffer is big enough so it cant overflow */
                //send the first..
                sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
                        header);
                if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                    return 1;

                //receive challenge
                free(buf);
                buf = hydra_receive_line(s);
                while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) {
                    free(buf);
                    buf = hydra_receive_line(s);
                }
                if (pos != NULL) {
                    char *str;

                    pos += 25;
                    if ((str = strchr(pos, '\r')) != NULL) {
                        pos[str - pos] = 0;
                    }
                    if ((str = strchr(pos, '\n')) != NULL) {
                        pos[str - pos] = 0;
                    }
                }
                //recover challenge
                if (buf != NULL) {
                    if (strlen(buf) >= 4)
                        from64tobits((char *) buf1, pos);
                    free(buf);
                }
                //Send response
                buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
                to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
                sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
                        header);
                if (debug)
                    hydra_report(stderr, "C:%s\n", buffer);
                if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                    return 1;

                buf = hydra_receive_line(s);
                while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                    free(buf);
                    buf = hydra_receive_line(s);
                }

                if (buf == NULL)
                    return 1;
            } else {
#ifdef LIBOPENSSL
                if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
                    char *pbuffer;

                    http_proxy_auth_mechanism = AUTH_DIGESTMD5;
                    pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
                    strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
                    buffer[sizeof(buffer) - 1] = '\0';

                    pbuffer = buffer2;
                    sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
                    if (pbuffer == NULL)
                        return 3;

                    if (debug)
                        hydra_report(stderr, "C:%s\n", buffer2);
                    if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
                        return 1;

                    free(buf);
                    buf = hydra_receive_line(s);
                    while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                        free(buf);
                        buf = hydra_receive_line(s);
                    }

                    if (debug && buf != NULL)
                        hydra_report(stderr, "S:%s\n", buf);

                    if (buf == NULL)
                        return 1;

                } else
#endif
                {
                    if (buf != NULL) {
                        buf[strlen(buf) - 1] = '\0';
                        hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf);
                    } else {
                        hydra_report(stderr, "Unsupported Auth type\n");
                    }
                    return 3;
                }
            }
        }
    }
    // result analysis
    ptr = ((char *) index(buf, ' ')) + 1;
    if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) {
        hydra_report_found_host(port, ip, "http-proxy", fp);
        if (fp != stdout)
            fprintf(fp, "[%d][http-proxy-urlenum] host: %s   url: %s\n", port, hydra_address2string(ip), url);
        printf("[%d][http-proxy-urlenum] host: %s   url: %s\n", port, hydra_address2string(ip), url);
        hydra_completed_pair_found();
    } else {
        if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) {
            hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n");
            return 3;
        }
        hydra_completed_pair();
    }

    free(buf);

    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
    return 1;
}