int start_rexec(int s,int port, unsigned char options,char *miscptr,FILE *fp) {
    char *empty = "";
    char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
    int ret;

    if (strlen(login = hydra_get_next_login()) == 0) login = empty;
    if (strlen(pass = hydra_get_next_password()) == 0) pass = empty;

    memset(buffer2, 0, sizeof(buffer2));
    bptr++;
    
    strcpy(bptr, login);
    bptr += 1 + strlen(login);

    strcpy(bptr, pass);
    bptr += 1 + strlen(pass);
    
    strcpy(bptr, COMMAND);
    
    if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(pass) + strlen(COMMAND), 0) < 0) {
        return 1;
    }

    ret = hydra_recv(s, buffer, sizeof(buffer));

    if (ret > 0 && buffer[0] == 0) {
        hydra_report_found(port, "rexec", fp);
        hydra_completed_pair_found();
    } else
        hydra_completed_pair();

    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
    return 1;
}
Beispiel #2
0
/*
   NBS Session Request
   Function: Request a new session from the server
   Returns: TRUE on success else FALSE.
*/
int
NBSSessionRequest(int s)
{
  char nb_name[32];             /* netbiosname */
  char nb_local[32];            /* netbios localredirector */
  unsigned char rqbuf[7] = { 0x81, 0x00, 0x00, 0x48, 0x20, 0x00, 0x20 };
  char *buf;
  unsigned char rbuf[400];

  /* if we are running in native mode (aka port 445) don't do netbios */
  if (protoFlag == WIN2000_NATIVEMODE)
    return 0;
  
  /* convert computer name to netbios name */
  memset(nb_name, 0, 32);
  memset(nb_local, 0, 32);
  memcpy(nb_name, "CKFDENECFDEFFCFGEFFCCACACACACACA", 32);      /* *SMBSERVER */
  memcpy(nb_local, "EIFJEEFCEBCACACACACACACACACACACA", 32);     /* HYDRA */

  buf = (char *) malloc(100);
  memset(buf, 0, 100);
  memcpy(buf, (char *) rqbuf, 5);
  memcpy(buf + 5, nb_name, 32);
  memcpy(buf + 37, (char *) rqbuf + 5, 2);
  memcpy(buf + 39, nb_local, 32);
  memcpy(buf + 71, (char *) rqbuf + 5, 1);

  hydra_send(s, buf, 76, 0);
  free(buf);

  memset(rbuf, 0, 400);
  hydra_recv(s, (char *) rbuf, sizeof(rbuf));

  if (rbuf[0] == 0x82)
    return 0;                   /* success */
  else
    return -1;                  /* failed */
}
int start_pcanywhere(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass;
  char buffer[2048] = "";
  char clogin[128] = "";
  char cpass[128] = "";
  int ret, i;

  char *client[4];
  char *server[5];
  int clientsize[4];

  client[0] = "\x00\x00\x00\x00";
  clientsize[0] = 4;
  client[1] = "\x6F\x06\xff";
  clientsize[1] = 3;
  client[2] = "\x6f\x61\x00\x09\x00\xfe\x00\x00\xff\xff\x00\x00\x00\x00";
  clientsize[2] = 14;
  client[3] = "\x6f\x62\x01\x02\x00\x00\x00";
  clientsize[3] = 7;

  server[0] = "nter";
  server[1] = "\x1B\x61";
  server[2] = "\0x1B\0x62";
  server[3] = "Enter login name";
  server[4] = "denying connection";


  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  debugprintf("dans pcanywhere start");

  /*printf("testing %s:%s\n",login,pass); */

  strcpy(clogin, login);
  strcpy(cpass, pass);

  pca_encrypt(clogin);
  pca_encrypt(cpass);

  for (i = 0; i < 4; i++) {
    if (hydra_send(s, client[i], clientsize[i], 0) < 0) {
      return 1;
    }

    ret = hydra_recv(s, buffer, sizeof(buffer));
    if (ret == -1) {
      return 1;
    }

    if (i == 3) {
      if (ret == 3) {
        /*one more to get the login prompt */
        ret = hydra_recv(s, buffer, sizeof(buffer));
      }
    }

    if (i == 0 || i == 3)
      clean_buffer(buffer, ret);

    /*show_buffer(buffer,ret); */

    if (i == 2) {
      clean_buffer(buffer, ret);
      if (strstr(buffer, server[i + 2]) != NULL) {
        fprintf(stderr, "[ERROR] PC Anywhere host denying connection because you have requested a lower encrypt level\n");
        return 3;
      }
    }

    if (strstr(buffer, server[i]) == NULL) {
      if (i == 3) {
        debugprintf("problem receiving login banner");
      }
      return 1;
    }
  }

  if (send_cstring(s, clogin) < 0) {
    return 1;
  }
  ret = hydra_recv(s, buffer, sizeof(buffer));
  if (ret == -1) {
    return 1;
  }
  clean_buffer(buffer, ret);
  /*show_buffer(buffer,ret); */
  if (strstr(buffer, "Enter password:"******"problem receiving password banner");
    return 1;
  }

  if (send_cstring(s, cpass) < 0) {
    return 1;
  }

  ret = hydra_recv(s, buffer, sizeof(buffer));
  if (ret == -1) {
    return 1;
  }

  clean_buffer(buffer, ret);
  /*show_buffer(buffer,ret); */

  if ((strstr(buffer, "Invalid login") != NULL) || (strstr(buffer, "Enter password") != NULL)) {
    debugprintf("login/passwd wrong");

    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 2;
  } else {
    debugprintf("cool find login/passwd");

    hydra_report_found_host(port, ip, "pcanywhere", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 2;
  }
  return 1;
}
Beispiel #4
0
int
start_nntp(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{
  char *empty = "\"\"";
  char *login, *pass, buffer[300];
  int i = 1;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (i > 0 && hydra_data_ready(s) > 0)
    i = hydra_recv(s, buffer, 300);

#ifdef PALM
  sprintf(buffer, "AUTHINFO USER %s\r\n", login);
#else
  sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);
#endif
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  buf = hydra_receive_line(s);
  if (buf == NULL)
    return 1;
  if (buf[0] != '3') {
    hydra_report(stderr, "Error: Not an NNTP protocol or service shutdown: %s\n", buf);
    free(buf);
    return (3);
  }
  free(buf);

#ifdef PALM
  sprintf(buffer, "AUTHINFO PASS %s\r\n", pass);
#else
  sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
#endif

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  buf = hydra_receive_line(s);
  if (buf == NULL)
    return 1;
  if (buf[0] == '2') {
    hydra_report_found_host(port, ip, "nntp", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    free(buf);
    return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Beispiel #5
0
void
service_nntp(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
  int run = 1, next_run, sock = -1;
  int myport = PORT_NNTP, mysslport = PORT_NNTP_SSL;

  hydra_register_socket(sp);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return;
  while (1) {
    switch (run) {
    case 1:                    /* connect and service init function */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
//      usleep(300000);
      if ((options & OPTION_SSL) == 0) {
        if (port != 0)
          myport = port;
        sock = hydra_connect_tcp(ip, myport);
        port = myport;
      } else {
        if (port != 0)
          mysslport = port;
        sock = hydra_connect_ssl(ip, mysslport);
        port = mysslport;
      }
      if (sock < 0) {
        hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
        hydra_child_exit(1);
      }
//      usleep(300000);
      buf = hydra_receive_line(sock);
      if (buf == NULL || buf[0] != '2') {       /* check the first line */
        hydra_report(stderr, "Error: Not an NNTP protocol or service shutdown: %s\n", buf);
        hydra_child_exit(2);
        free(buf);
#ifdef PALM
	return;
#else
        exit(-1);
#endif
      }
      free(buf);

/*                    buf = hydra_receive_line(sock); */

/*                    free(buf);                      */
//      usleep(1500000);
      usleep(25000);
      buf = malloc(1024);
      while (hydra_data_ready(sock) > 0)
        hydra_recv(sock, buf, 1024);
      free(buf);
      next_run = 2;
      break;
    case 2:                    /* run the cracking function */
      next_run = start_nntp(sock, ip, port, options, miscptr, fp);
      break;
    case 3:                    /* clean exit */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      hydra_child_exit(0);
      return;
    default:
      hydra_report(stderr, "Caught unknown return code, exiting!\n");
      hydra_child_exit(0);
#ifdef PALM
	return;
#else
        exit(-1);
#endif
    }
    run = next_run;
  }
}
Beispiel #6
0
/*
  SMBSessionSetup
  Function: Send username + response to the challenge from
            the server.
       Currently we're sendin ZEROES for the LMHASH since
       NT4/2000 doesn't seem to look at this if we got a
       valid NTLM hash.
  Returns: TRUE on success else FALSE.
*/
short
SMBSessionSetup(int s, char *user, char *pass, char *miscptr)
{
  unsigned char b[137] = {
    0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d,
    0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c,
    0x7d, 0x00, 0x00, 0x01, 0x00, 0x0d, 0xff, 0x00,
    0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x3c, 0x7d,
    0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00,
    0x48, 0x00, 0xdf, 0x82, 0xb9, 0x2f, 0xda, 0xdb,
    0x43, 0x47, 0x09, 0xdb, 0x7f, 0xfc, 0xb0, 0xa8,
    0xf0, 0x46, 0xe2, 0xfe, 0x64, 0x6d, 0x67, 0x58,
    0xe0, 0xf9, 0xca, 0x9f, 0x5e, 0xdb, 0xe0, 0x15,
    0x80, 0xf8, 0x54, 0xe3, 0x6e, 0xe9, 0xf8, 0x88,
    0x80, 0x19, 0xb6, 0xf9, 0xae, 0xb7, 0xa6, 0x62,
    0x14, 0xfc, 0x54, 0x45, 0x53, 0x54, 0x00, 0x4d,
    0x59, 0x47, 0x52, 0x4f, 0x55, 0x50, 0x00, 0x55,
    0x6e, 0x69, 0x78, 0x00, 0x53, 0x61, 0x6d, 0x62,
    0x61, 0x00
  };

  unsigned char buf[512];
  unsigned char *NTLMhash;
  unsigned char LMhash[24];
  unsigned char rbuf[400];
  unsigned char sess_key[2];
  int userlen;

  NTLMhash = (unsigned char *) malloc(24);

  memset(NTLMhash, 0, 24);
  memset(LMhash, 0, 24);
  memset(rbuf, 0, 400);

  if (accntFlag == 0) {
    strcpy((char *) workgroup, "localhost");
  } else if (accntFlag == 2) {
    memset(workgroup, 0, 16);
  }

  HashNTLM(&NTLMhash, (unsigned char *) pass, (unsigned char *) challenge, miscptr);

  memset(buf, 0, 512);
  memcpy(buf, b, 89);
  memcpy(buf + 65, LMhash, 24);
  memcpy(buf + 89, NTLMhash, 24);

  /* set session key */
  sess_key[1] = getpid() / 100;
  sess_key[0] = getpid() - (100 * sess_key[1]);
  memcpy(buf + 30, sess_key, 2);
  
  userlen = strlen(user);

  memcpy(buf + 113, user, userlen);
  memset(buf + (113 + userlen), 0, 1);
  memcpy(buf + (114 + userlen), workgroup, strlen((char *) workgroup));
  memcpy(buf + (114 + userlen + strlen((char *) workgroup)), b + 125, 12);

  /* set the header length */
  buf[3] = (userlen + strlen((char *) workgroup) + 0x7A) % 256;
  buf[2] = (userlen + strlen((char *) workgroup) + 0x7A) / 256;

  /* set data length */
  buf[63] = 0x1F + strlen((char *) workgroup) + userlen;

  hydra_send(s, (char *) buf, 126 + userlen + strlen((char *) workgroup), 0);
  hydra_recv(s, (char *) rbuf, sizeof(rbuf));

  /* 41 - Action (Guest/Non-Guest Account) */
  /*  9 - NT Status (Error code) */
  return ((rbuf[41] << 8) | rbuf[9]);
}
Beispiel #7
0
/*
   SMBNegProt
   Function: Negotiate protocol with server ...
       Actually a pseudo negotiation since the whole
       program counts on NTLM support :)

    The challenge is retrieved from the answer
    No error checking is performed i.e cross your fingers....
*/
int
SMBNegProt(int s)
{
  unsigned char buf[168] = {
    0x00, 0x00, 0x00, 0xa4, 0xff, 0x53, 0x4d, 0x42,
    0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x40,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x81, 0x00, 0x02,
    0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
    0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
    0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
    0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46,
    0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52,
    0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00,
    0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f,
    0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
    0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00,
    0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31,
    0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e,
    0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x53,
    0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54,
    0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20,
    0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20,
    0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00
  };

  unsigned char rbuf[400];
  unsigned char sess_key[2];
  unsigned char userid[2] = {0xCD, 0xEF};
  int i = 0, j = 0;

  memset((char *) rbuf, 0, 400);

  /* set session key */
  sess_key[1] = getpid() / 100;
  sess_key[0] = getpid() - (100 * sess_key[1]);
  memcpy(buf + 30, sess_key, 2);
  memcpy(buf + 32, userid, 2);
  
  hydra_send(s, (char *) buf, 168, 0);
  hydra_recv(s, (char *) rbuf, sizeof(rbuf));

  /* retrieve the challenge */
  memcpy(challenge, (char *) rbuf + 73, sizeof(challenge));

  /* find the primary domain/workgroup name */
  memset(workgroup, 0, 16);
  memset(machine_name, 0, 16);

  while ((rbuf[81 + i * 2] != 0) && (i < 16)) {
    workgroup[i] = rbuf[81 + i * 2];
    i++;
  }

  while ((rbuf[81 + (i + j + 1) * 2] != 0) && (j < 16)) {
    machine_name[j] = rbuf[81 + (i + j + 1) * 2];
    j++;
  }

  return 2;
}
Beispiel #8
0
int start_teamspeak(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass;
  char buf[100];
  struct team_speak teamspeak;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  memset(&teamspeak, 0, sizeof(struct team_speak));

  memcpy(&teamspeak.header, "\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00", 16);

  teamspeak.clientlen = 9;
  strcpy((char *) &teamspeak.client, "TeamSpeak");

  teamspeak.oslen = 11;
  strcpy((char *) &teamspeak.os, "Linux 2.6.9");

  memcpy(&teamspeak.misc, "\x02\x00\x00\x00\x20\x00\x3c\x00\x01\x02", 10);

  teamspeak.userlen = strlen(login);
  strncpy((char *) &teamspeak.user, login, 29);

  teamspeak.passlen = strlen(pass);
  strncpy((char *) &teamspeak.pass, pass, 29);

  teamspeak.loginlen = 0;
  strcpy((char *) &teamspeak.login, "");

#ifdef HAVE_ZLIB
  teamspeak.crc = crc32(0L, (const Bytef *)&teamspeak, sizeof(struct team_speak));
#else
  teamspeak.crc = crc32(&teamspeak, sizeof(struct team_speak));
#endif

  if (hydra_send(s, (char *) &teamspeak, sizeof(struct team_speak), 0) < 0) {
    return 3;
  }

  if (hydra_data_ready_timed(s, 5, 0) > 0) {
    hydra_recv(s, (char *) buf, sizeof(buf));
    if (buf[0x58] == 1) {
      hydra_report_found_host(port, ip, "teamspeak", fp);
      hydra_completed_pair_found();
    }
    if (buf[0x4B] != 0) {
      hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
      hydra_child_exit(1);
    }
  } else {
    hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
    hydra_child_exit(1);
  }

  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 1;
}
Beispiel #9
0
int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
  int ret;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  memset(buffer2, 0, sizeof(buffer2));
  bptr++;

  strcpy(bptr, login);
  bptr += 1 + strlen(login);

  strcpy(bptr, login);
  bptr += 1 + strlen(login);

  strcpy(bptr, TERM);

  if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(login) + strlen(TERM), 0) < 0) {
    return 4;
  }
  ret = hydra_recv(s, buffer, sizeof(buffer));
  /* 0x00 is sent but hydra_recv transformed it */
  if (strlen(buffer) == 0)
    ret = hydra_recv(s, buffer, sizeof(buffer));

  if (ret > 0 && (strstr(buffer, "rlogind:") != NULL))
    return 1;

  if (ret > 0 && (strstr(buffer, "ssword") != NULL)) {
    if (strlen(pass = hydra_get_next_password()) == 0)
      pass = empty;
    sprintf(buffer2, "%s\r", pass);
    if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) {
      return 1;
    }
    memset(buffer, 0, sizeof(buffer));
    ret = hydra_recv(s, buffer, sizeof(buffer));
    if (strcmp(buffer, "\r\n"))
      ret = hydra_recv(s, buffer, sizeof(buffer));
  }
  /* Authentication failure */

  if (ret > 0 && (strstr(buffer, "ssword") == NULL)) {
#ifdef HAVE_PCRE
    if (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)")) {
#else
    /* check for failure and incorrect msg */
    if ((strstr(buffer, "ailure") == NULL) && (strstr(buffer, "ncorrect") == NULL) && (strstr(buffer, "denied") == NULL)) {
#endif
      hydra_report_found_host(port, ip, "rlogin", fp);
      hydra_completed_pair_found();
    } else {
      hydra_completed_pair();
    }
  } else {
    /* if password is asked a second time, it means the pass we provided is wrong */
    hydra_completed_pair();
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}

void service_rlogin(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
  int run = 1, next_run = 1, sock = -1;
  int myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL;

  hydra_register_socket(sp);

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return;
  while (1) {
    next_run = 0;
    switch (run) {
    case 1:                    /* connect and service init function */
      {
        /* 512 -> 1023 */
        hydra_set_srcport(1023);
        if (sock >= 0)
          sock = hydra_disconnect(sock);
//        usleep(275000);
        if ((options & OPTION_SSL) == 0) {
          if (port != 0)
            myport = port;
          sock = hydra_connect_tcp(ip, myport);
          port = myport;
        } else {
          if (port != 0)
            mysslport = port;
          sock = hydra_connect_ssl(ip, mysslport);
          port = mysslport;
        }
        if (sock < 0) {
          hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
          hydra_child_exit(1);
        }
        next_run = 2;
        break;
      }
    case 2:                    /* run the cracking function */
      next_run = start_rlogin(sock, ip, port, options, miscptr, fp);
      break;
    case 3:                    /* clean exit */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      hydra_child_exit(0);
      return;
    default:
      hydra_report(stderr, "Caught unknown return code, exiting!\n");
      hydra_child_exit(0);
    }
    run = next_run;
  }
}
Beispiel #10
0
int internal__hydra_connect(char *host, int port, int protocol, int type) {
  int s, ret = -1, ipv6 = 0;

#ifdef AF_INET6
  struct sockaddr_in6 target6;
  struct sockaddr_in6 sin6;
#endif
  struct sockaddr_in target;
  struct sockaddr_in sin;
  char *buf, *tmpptr = NULL;
  int err = 0;

#ifdef AF_INET6
  memset(&target6, 0, sizeof(target6));
  memset(&sin6, 0, sizeof(sin6));
  if ((host[0] == 16 && proxy_string_ip[0] != 4) || proxy_string_ip[0] == 16)
    ipv6 = 1;
#endif

#ifdef AF_INET6
  if (ipv6)
    s = socket(AF_INET6, protocol, type);
  else
#endif
    s = socket(PF_INET, protocol, type);
  if (s >= 0) {
    if (src_port != 0) {
      int bind_ok = 0;

#ifdef AF_INET6
      if (ipv6) {
        sin6.sin6_family = AF_INET6;
        sin6.sin6_port = htons(src_port);
      } else
#endif
      {
        sin.sin_family = PF_INET;
        sin.sin_port = htons(src_port);
        sin.sin_addr.s_addr = INADDR_ANY;
      }

      //we will try to find a free port down to 512
      while (!bind_ok && src_port >= 512) {
#ifdef AF_INET6
        if (ipv6)
          ret = bind(s, (struct sockaddr *) &sin6, sizeof(sin6));
        else
#endif
          ret = bind(s, (struct sockaddr *) &sin, sizeof(sin));

        if (ret == -1) {
          if (verbose)
            perror("internal_hydra_connect error");
          if (errno == EADDRINUSE) {
            src_port--;
#ifdef AF_INET6
            if (ipv6)
              sin6.sin6_port = htons(src_port);
            else
#endif
              sin.sin_port = htons(src_port);
          } else {
            if (errno == EACCES && (getuid() > 0)) {
              fprintf(stderr, "[ERROR] You need to be root to test this service\n");
              close(s);
              return -1;
            }
          }
        } else
          bind_ok = 1;
      }
    }
    if (use_proxy > 0) {
      if (proxy_string_ip[0] == 4) {
        memcpy(&target.sin_addr.s_addr, &proxy_string_ip[1], 4);
        target.sin_family = AF_INET;
        target.sin_port = htons(proxy_string_port);
      }
#ifdef AF_INET6
      if (proxy_string_ip[0] == 16) {
        memcpy(&target6.sin6_addr, &proxy_string_ip[1], 16);
        target6.sin6_family = AF_INET6;
        target6.sin6_port = htons(proxy_string_port);
      }
#endif
    } else {
      if (host[0] == 4) {
        memcpy(&target.sin_addr.s_addr, &host[1], 4);
        target.sin_family = AF_INET;
        target.sin_port = htons(port);
      }
#ifdef AF_INET6
      if (host[0] == 16) {
        memcpy(&target6.sin6_addr, &host[1], 16);
        target6.sin6_family = AF_INET6;
        target6.sin6_port = htons(port);
      }
#endif
    }
    signal(SIGALRM, alarming);
    do {
      if (fail > 0)
        sleep(WAIT_BETWEEN_CONNECT_RETRY);
      alarm_went_off = 0;
      alarm(waittime);
#ifdef AF_INET6
#ifdef SO_BINDTODEVICE
      if (host[17] != 0) {
        setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, &host[17], strlen(&host[17]) + 1);
      }
#else
#ifdef IP_FORCE_OUT_IFP
      if (host[17] != 0) {
        setsockopt(s, SOL_SOCKET, IP_FORCE_OUT_IFP, &host[17], strlen(&host[17]) + 1);
      }
#endif
#endif

      if (ipv6)
        ret = connect(s, (struct sockaddr *) &target6, sizeof(target6));
      else
#endif
        ret = connect(s, (struct sockaddr *) &target, sizeof(target));
      alarm(0);
      if (ret < 0 && alarm_went_off == 0) {
        fail++;
        if (verbose && fail <= MAX_CONNECT_RETRY)
          fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int) getpid(), fail, MAX_CONNECT_RETRY);
      }
    } while (ret < 0 && fail <= MAX_CONNECT_RETRY);
    if (ret < 0 && fail > MAX_CONNECT_RETRY) {
      if (debug)
        printf("DEBUG_CONNECT_UNREACHABLE\n");

/* we wont quit here, thats up to the module to decide what to do 
 *              fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int)getpid());
 *              hydra_child_exit(1);
 */
      extern_socket = -1;
      close(s);
      ret = -1;
      return ret;
    }
    ret = s;
    extern_socket = s;
    if (debug)
      printf("DEBUG_CONNECT_OK\n");

    err = 0;
    if (use_proxy == 2) {
      if ((buf = malloc(4096)) == NULL) {
        fprintf(stderr, "[ERROR] could not malloc()\n");
        close(s);
        return -1;
      }
      memset(&target, 0, sizeof(target));
      if (host[0] == 4) {
        memcpy(&target.sin_addr.s_addr, &host[1], 4);
        target.sin_family = AF_INET;
        target.sin_port = htons(port);
      }
#ifdef AF_INET6
      memset(&target6, 0, sizeof(target6));
      if (host[0] == 16) {
        memcpy(&target6.sin6_addr, &host[1], 16);
        target6.sin6_family = AF_INET6;
        target6.sin6_port = htons(port);
      }
#endif

      if (hydra_strcasestr(proxy_string_type, "connect") || hydra_strcasestr(proxy_string_type, "http")) {
        if (proxy_authentication == NULL)
          if (host[0] == 16)
            snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port);
          else
            snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port);
        else if (host[0] == 16)
          snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication);
        else
          snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication);

        send(s, buf, strlen(buf), 0);
        recv(s, buf, 4096, 0);
        if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2') {
          if (debug)
            printf("DEBUG_CONNECT_PROXY_OK\n");
        } else {
          if (debug)
            printf("DEBUG_CONNECT_PROXY_FAILED (Code: %c%c%c)\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
          if (verbose)
            fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
          err = 1;
        }
//        free(buf);
      } else {
        if (hydra_strcasestr(proxy_string_type, "socks5")) {
//          char buf[1024];
          size_t cnt, wlen;

          /* socks v5 support */
          buf[0] = SOCKS_V5;
          buf[1] = 1;
          if (proxy_authentication == NULL)
            buf[2] = SOCKS_NOAUTH;
          else
            buf[2] = SOCKS_PASSAUTH;
          cnt = hydra_send(s, buf, 3, 0);
          if (cnt != 3) {
            hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt);
            err = 1;
          } else {
            cnt = hydra_recv(s, buf, 2);
            if (cnt != 2) {
              hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt);
              err = 1;
            }
            if ((unsigned int) buf[1] == SOCKS_NOMETHOD) {
              hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n");
              err = 1;
            }
            /* SOCKS_DOMAIN not supported here, do we need it ? */
            if (err != 1) {
              /* send user/pass */
              if (proxy_authentication != NULL) {
                //format was checked previously
                char *login = strtok(proxy_authentication, ":");
                char *pass = strtok(NULL, ":");

                snprintf(buf, sizeof(buf), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass);

                cnt = hydra_send(s, buf, strlen(buf), 0);
                if (cnt != strlen(buf)) {
                  hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt);
                  err = 1;
                } else {
                  cnt = hydra_recv(s, buf, 2);
                  if (cnt != 2) {
                    hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt);
                    err = 1;
                  }
                  if (buf[1] != 0) {
                    hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication failure\n");
                    err = 1;
                  } else {
                    if (debug)
                      hydra_report(stderr, "[DEBUG] SOCKS5 proxy authentication success\n");
                  }
                }
              }
#ifdef AF_INET6
              if (ipv6) {
                /* Version 5, connect: IPv6 address */
                buf[0] = SOCKS_V5;
                buf[1] = SOCKS_CONNECT;
                buf[2] = 0;
                buf[3] = SOCKS_IPV6;
                memcpy(buf + 4, &target6.sin6_addr, sizeof target6.sin6_addr);
                memcpy(buf + 20, &target6.sin6_port, sizeof target6.sin6_port);
                wlen = 22;
              } else {
#endif
                /* Version 5, connect: IPv4 address */
                buf[0] = SOCKS_V5;
                buf[1] = SOCKS_CONNECT;
                buf[2] = 0;
                buf[3] = SOCKS_IPV4;
                memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr);
                memcpy(buf + 8, &target.sin_port, sizeof target.sin_port);
                wlen = 10;
#ifdef AF_INET6
              }
#endif
              cnt = hydra_send(s, buf, wlen, 0);
              if (cnt != wlen) {
                hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/%zu)\n", cnt, wlen);
                err = 1;
              } else {
                cnt = hydra_recv(s, buf, 10);
                if (cnt != 10) {
                  hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/10)\n", cnt);
                  err = 1;
                }
                if (buf[1] != 0) {
                  /* 0x05 = connection refused by destination host */
                  if (buf[1] == 5)
                    hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n");
                  else
                    hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]);
                  err = 1;
                }
              }
            }
          }
        } else {
          if (hydra_strcasestr(proxy_string_type, "socks4")) {
            if (ipv6) {
              hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n");
              err = 1;
            } else {
//              char buf[1024];
              size_t cnt, wlen;

              /* socks v4 support */
              buf[0] = SOCKS_V4;
              buf[1] = SOCKS_CONNECT;   /* connect */
              memcpy(buf + 2, &target.sin_port, sizeof target.sin_port);
              memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr);
              buf[8] = 0;       /* empty username */
              wlen = 9;
              cnt = hydra_send(s, buf, wlen, 0);
              if (cnt != wlen) {
                hydra_report(stderr, "[ERROR] SOCKS4 proxy write failed (%zu/%zu)\n", cnt, wlen);
                err = 1;
              } else {
                cnt = hydra_recv(s, buf, 8);
                if (cnt != 8) {
                  hydra_report(stderr, "[ERROR] SOCKS4 proxy read failed (%zu/8)\n", cnt);
                  err = 1;
                }
                if (buf[1] != 90) {
                  /* 91 = 0x5b = request rejected or failed */
                  if (buf[1] == 91)
                    hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n");
                  else
                    hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]);
                  err = 1;
                }
              }
            }
          } else {
            hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type);
            err = 1;
          }
        }
      }
      free(buf);
    }
    if (err) {
      close(s);
      extern_socket = -1;
      ret = -1;
      close(s);
      return ret;
    }
    fail = 0;
    return ret;
  }
  return ret;
}
Beispiel #11
0
int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char options, char *miscptr, FILE * fp) {
  char *login, *pass, *host, buffer[SIP_MAX_BUF];
  int i;
  char buf[SIP_MAX_BUF];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = NULL;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = NULL;

  if (external_ip_addr[0])
    lip = external_ip_addr;

  host = miscptr;
  cseq = 1;

  empty_register(buffer, host, lip, port, lport, login);
  cseq++;

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 3;
  }

  int has_sip_cred = 0;
  int try = 0;

  /* We have to check many times because server may begin to send "100 Trying"
   * before "401 Unauthorized" */
  while (try < 2 && !has_sip_cred) {
    try++;
    if (hydra_data_ready_timed(s, 3, 0) > 0) {
      i = hydra_recv(s, (char *) buf, sizeof(buf));
      buf[sizeof(buf) - 1] = '\0';
      if (strncmp(buf, "SIP/2.0 404", 11) == 0) {
	hydra_report(stdout, "[ERROR] Get error code 404 : user '%s' not found\n", login);
	return 2;
      }
      if (strncmp(buf, "SIP/2.0 606", 11) == 0) {
        char *ptr=NULL;
        int i = 0;

        // if we already tried to connect, exit
        if (external_ip_addr[0]) {
          hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n");          
          return 2;
        }
        
        if (verbose)
          hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n"
                                          "maybe it's an addressing issue as you are using NAT, trying to reconnect\n"
                                          "using addr from the server reply\n");
        /* 
        SIP/2.0 606 Not Acceptable
        Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137
        */
#ifdef HAVE_PCRE
        if (hydra_string_match(buf, "Via: SIP.*received=")) {
          ptr=strstr(buf, "received=");
#else
        if ((ptr=strstr(buf, "received="))) {
#endif
        strncpy(external_ip_addr, ptr+strlen("received="), sizeof(external_ip_addr));
        external_ip_addr[sizeof(external_ip_addr) - 1] = '\0';
        for (i = 0; i < strlen(external_ip_addr); i++) {
          if (external_ip_addr[i] <= 32) {
            external_ip_addr[i] = '\0';
          }
        }
        if (verbose)
          hydra_report(stderr, "[VERBOSE] Will reconnect using external IP address %s\n", external_ip_addr);
        return 1;
        }
        hydra_report(stderr, "[ERROR] Could not find external IP address in server answer\n");
        return 2;
      }
    }
  }
  if (!strstr(buf, "WWW-Authenticate: Digest")) {
    hydra_report(stderr, "[ERROR] no www-authenticate header found!\n");
    return -1;
  }
  if (verbose)
    hydra_report(stderr, "[INFO] S: %s\n", buf);
  char buffer2[512];
  sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);

  memset(buffer, 0, SIP_MAX_BUF);
  snprintf(buffer, SIP_MAX_BUF,
           "REGISTER sip:%s SIP/2.0\n"
           "Via: SIP/2.0/UDP %s:%i\n"
           "From: <sip:%s@%s>\n"
           "To: <sip:%s@%s>\n"
           "Call-ID: 1337@%s\n"
           "CSeq: %i REGISTER\n"
           "Authorization: Digest %s\n"
           "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2);

  cseq++;
  if (verbose)
    hydra_report(stderr, "[INFO] C: %s\n", buffer);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 3;
  }
  try = 0;
  int has_resp = 0;
  int sip_code = 0;

  while (try < 2 && !has_resp) {
    try++;
    if (hydra_data_ready_timed(s, 5, 0) > 0) {
      memset(buf, 0, sizeof(buf));
      i = hydra_recv(s, (char *) buf, sizeof(buf));
      if (verbose)
        hydra_report(stderr, "[INFO] S: %s\n", buf);
      sip_code = get_sip_code(buf);
      if (sip_code >= 200 && sip_code < 300) {
        hydra_report_found_host(port, ip, "sip", fp);
        hydra_completed_pair_found();
        has_resp = 1;
      }
      if (sip_code >= 400 && sip_code < 500) {
        has_resp = 1;
      }
    }
  }

  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 1;
}

void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
  int run = 1, next_run = 1, sock = -1;
  int myport = PORT_SIP, mysslport = PORT_SIP_SSL;

  char *lip = get_iface_ip((int) *(&ip[1]));
  hydra_register_socket(sp);

  // FIXME IPV6
  if (ip[0] != 4) {
    fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n");
    hydra_child_exit(2);
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    run = 3;

  int lport = 0;

  while (1) {
    switch (run) {
    case 1:
      if (sock < 0) {
        if (port != 0)
          myport = port;
        lport = rand() % (65535 - 1024) + 1024;
        hydra_set_srcport(lport);

        if ((options & OPTION_SSL) == 0) {
          if (port != 0)
            myport = port;
          sock = hydra_connect_udp(ip, myport);
          port = myport;
        } else {
          if (port != 0)
            mysslport = port;
          sock = hydra_connect_ssl(ip, mysslport);
          port = mysslport;
        }

        if (sock < 0) {
          if (verbose || debug)
            hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
          free(lip);
          hydra_child_exit(1);
        }
      }
      next_run = start_sip(sock, ip, lip, port, lport, options, miscptr, fp);
      break;
    case 2:
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      free(lip);
      hydra_child_exit(2);
      break;
    case 3:
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      free(lip);
      hydra_child_exit(2);
      return;
    default:
      hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
      free(lip);
      hydra_child_exit(2);
    }
    run = next_run;
  }
}

char *get_iface_ip(unsigned long int ip) {

  int sfd;

  sfd = socket(AF_INET, SOCK_DGRAM, 0);

  struct sockaddr_in tparamet;

  tparamet.sin_family = AF_INET;
  tparamet.sin_port = htons(2000);
  tparamet.sin_addr.s_addr = ip;

  if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) {
    perror("connect");
    close(sfd);
    return NULL;
  }
  struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in));
  int size = sizeof(struct sockaddr_in);

  if (getsockname(sfd, (void *) local, (socklen_t *) & size)) {
    perror("getsockname");
    close(sfd);
    free(local);
    return NULL;
  }
  close(sfd);

  char buff[32];

  if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) {
    perror("inet_ntop");
    free(local);
    return NULL;
  }
  char *str = malloc(sizeof(char) * (strlen(buff) + 1));

  strcpy(str, buff);
  free(local);
  return str;
}

#endif

int service_sip_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
  // called before the childrens are forked off, so this is the function
  // which should be filled if initial connections and service setup has to be
  // performed once only.
  //
  // fill if needed.
  // 
  // return codes:
  //   0 all OK
  //   -1  error, hydra will exit, so print a good error message here

  return 0;
}
Beispiel #12
0
char *nntp_read_server_capacity(int sock) {
  char *ptr = NULL;
  int resp = 0;
  char *buf = NULL;

  do {
    if (buf != NULL)
      free(buf);
    ptr = buf = hydra_receive_line(sock);
    if (buf != NULL) {
      if (isdigit((int) buf[0]) && buf[3] == ' ')
        resp = 1;
      else {
        if (buf[strlen(buf) - 1] == '\n')
          buf[strlen(buf) - 1] = 0;
        if (buf[strlen(buf) - 1] == '\r')
          buf[strlen(buf) - 1] = 0;
#ifdef NO_RINDEX
        if ((ptr = strrchr(buf, '\n')) != NULL) {
#else
        if ((ptr = rindex(buf, '\n')) != NULL) {
#endif
          ptr++;
          if (isdigit((int) *ptr) && *(ptr + 3) == ' ')
            resp = 1;
        }
      }
    }
  } while (buf != NULL && resp == 0);
  return buf;
}

int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[300], buffer2[500];
  int i = 1;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (i > 0 && hydra_data_ready(s) > 0)
    i = hydra_recv(s, buffer, 300);

  switch (nntp_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "AUTHINFO SASL LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;
  case AUTH_PLAIN:
    sprintf(buffer, "AUTHINFO SASL PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;
#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      sprintf(buffer, "%s %.250s", preplogin, buffer2);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);
      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;

#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      from64tobits((char *) buf1, buf + 4);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "%s\r\n", (char*)buf1);
    }
    break;

  default:{
      sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (buf[0] != '3') {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
        free(buf);
        return (3);
      }
      free(buf);
      sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
    }
    break;
  }


  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  buf = hydra_receive_line(s);
  if (buf == NULL)
    return 1;

  if (buf[0] == '2') {
    hydra_report_found_host(port, ip, "nntp", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}