int start_rexec(int s,int port, unsigned char options,char *miscptr,FILE *fp) { char *empty = ""; char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2; int ret; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; memset(buffer2, 0, sizeof(buffer2)); bptr++; strcpy(bptr, login); bptr += 1 + strlen(login); strcpy(bptr, pass); bptr += 1 + strlen(pass); strcpy(bptr, COMMAND); if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(pass) + strlen(COMMAND), 0) < 0) { return 1; } ret = hydra_recv(s, buffer, sizeof(buffer)); if (ret > 0 && buffer[0] == 0) { hydra_report_found(port, "rexec", fp); hydra_completed_pair_found(); } else hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
/* NBS Session Request Function: Request a new session from the server Returns: TRUE on success else FALSE. */ int NBSSessionRequest(int s) { char nb_name[32]; /* netbiosname */ char nb_local[32]; /* netbios localredirector */ unsigned char rqbuf[7] = { 0x81, 0x00, 0x00, 0x48, 0x20, 0x00, 0x20 }; char *buf; unsigned char rbuf[400]; /* if we are running in native mode (aka port 445) don't do netbios */ if (protoFlag == WIN2000_NATIVEMODE) return 0; /* convert computer name to netbios name */ memset(nb_name, 0, 32); memset(nb_local, 0, 32); memcpy(nb_name, "CKFDENECFDEFFCFGEFFCCACACACACACA", 32); /* *SMBSERVER */ memcpy(nb_local, "EIFJEEFCEBCACACACACACACACACACACA", 32); /* HYDRA */ buf = (char *) malloc(100); memset(buf, 0, 100); memcpy(buf, (char *) rqbuf, 5); memcpy(buf + 5, nb_name, 32); memcpy(buf + 37, (char *) rqbuf + 5, 2); memcpy(buf + 39, nb_local, 32); memcpy(buf + 71, (char *) rqbuf + 5, 1); hydra_send(s, buf, 76, 0); free(buf); memset(rbuf, 0, 400); hydra_recv(s, (char *) rbuf, sizeof(rbuf)); if (rbuf[0] == 0x82) return 0; /* success */ else return -1; /* failed */ }
int start_pcanywhere(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char buffer[2048] = ""; char clogin[128] = ""; char cpass[128] = ""; int ret, i; char *client[4]; char *server[5]; int clientsize[4]; client[0] = "\x00\x00\x00\x00"; clientsize[0] = 4; client[1] = "\x6F\x06\xff"; clientsize[1] = 3; client[2] = "\x6f\x61\x00\x09\x00\xfe\x00\x00\xff\xff\x00\x00\x00\x00"; clientsize[2] = 14; client[3] = "\x6f\x62\x01\x02\x00\x00\x00"; clientsize[3] = 7; server[0] = "nter"; server[1] = "\x1B\x61"; server[2] = "\0x1B\0x62"; server[3] = "Enter login name"; server[4] = "denying connection"; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; debugprintf("dans pcanywhere start"); /*printf("testing %s:%s\n",login,pass); */ strcpy(clogin, login); strcpy(cpass, pass); pca_encrypt(clogin); pca_encrypt(cpass); for (i = 0; i < 4; i++) { if (hydra_send(s, client[i], clientsize[i], 0) < 0) { return 1; } ret = hydra_recv(s, buffer, sizeof(buffer)); if (ret == -1) { return 1; } if (i == 3) { if (ret == 3) { /*one more to get the login prompt */ ret = hydra_recv(s, buffer, sizeof(buffer)); } } if (i == 0 || i == 3) clean_buffer(buffer, ret); /*show_buffer(buffer,ret); */ if (i == 2) { clean_buffer(buffer, ret); if (strstr(buffer, server[i + 2]) != NULL) { fprintf(stderr, "[ERROR] PC Anywhere host denying connection because you have requested a lower encrypt level\n"); return 3; } } if (strstr(buffer, server[i]) == NULL) { if (i == 3) { debugprintf("problem receiving login banner"); } return 1; } } if (send_cstring(s, clogin) < 0) { return 1; } ret = hydra_recv(s, buffer, sizeof(buffer)); if (ret == -1) { return 1; } clean_buffer(buffer, ret); /*show_buffer(buffer,ret); */ if (strstr(buffer, "Enter password:"******"problem receiving password banner"); return 1; } if (send_cstring(s, cpass) < 0) { return 1; } ret = hydra_recv(s, buffer, sizeof(buffer)); if (ret == -1) { return 1; } clean_buffer(buffer, ret); /*show_buffer(buffer,ret); */ if ((strstr(buffer, "Invalid login") != NULL) || (strstr(buffer, "Enter password") != NULL)) { debugprintf("login/passwd wrong"); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } else { debugprintf("cool find login/passwd"); hydra_report_found_host(port, ip, "pcanywhere", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } return 1; }
int start_nntp(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[300]; int i = 1; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (i > 0 && hydra_data_ready(s) > 0) i = hydra_recv(s, buffer, 300); #ifdef PALM sprintf(buffer, "AUTHINFO USER %s\r\n", login); #else sprintf(buffer, "AUTHINFO USER %.250s\r\n", login); #endif if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] != '3') { hydra_report(stderr, "Error: Not an NNTP protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); #ifdef PALM sprintf(buffer, "AUTHINFO PASS %s\r\n", pass); #else sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass); #endif if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] == '2') { hydra_report_found_host(port, ip, "nntp", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; free(buf); return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
void service_nntp(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run, sock = -1; int myport = PORT_NNTP, mysslport = PORT_NNTP_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleep(300000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } // usleep(300000); buf = hydra_receive_line(sock); if (buf == NULL || buf[0] != '2') { /* check the first line */ hydra_report(stderr, "Error: Not an NNTP protocol or service shutdown: %s\n", buf); hydra_child_exit(2); free(buf); #ifdef PALM return; #else exit(-1); #endif } free(buf); /* buf = hydra_receive_line(sock); */ /* free(buf); */ // usleep(1500000); usleep(25000); buf = malloc(1024); while (hydra_data_ready(sock) > 0) hydra_recv(sock, buf, 1024); free(buf); next_run = 2; break; case 2: /* run the cracking function */ next_run = start_nntp(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "Caught unknown return code, exiting!\n"); hydra_child_exit(0); #ifdef PALM return; #else exit(-1); #endif } run = next_run; } }
/* SMBSessionSetup Function: Send username + response to the challenge from the server. Currently we're sendin ZEROES for the LMHASH since NT4/2000 doesn't seem to look at this if we got a valid NTLM hash. Returns: TRUE on success else FALSE. */ short SMBSessionSetup(int s, char *user, char *pass, char *miscptr) { unsigned char b[137] = { 0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d, 0x00, 0x00, 0x01, 0x00, 0x0d, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x3c, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x48, 0x00, 0xdf, 0x82, 0xb9, 0x2f, 0xda, 0xdb, 0x43, 0x47, 0x09, 0xdb, 0x7f, 0xfc, 0xb0, 0xa8, 0xf0, 0x46, 0xe2, 0xfe, 0x64, 0x6d, 0x67, 0x58, 0xe0, 0xf9, 0xca, 0x9f, 0x5e, 0xdb, 0xe0, 0x15, 0x80, 0xf8, 0x54, 0xe3, 0x6e, 0xe9, 0xf8, 0x88, 0x80, 0x19, 0xb6, 0xf9, 0xae, 0xb7, 0xa6, 0x62, 0x14, 0xfc, 0x54, 0x45, 0x53, 0x54, 0x00, 0x4d, 0x59, 0x47, 0x52, 0x4f, 0x55, 0x50, 0x00, 0x55, 0x6e, 0x69, 0x78, 0x00, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00 }; unsigned char buf[512]; unsigned char *NTLMhash; unsigned char LMhash[24]; unsigned char rbuf[400]; unsigned char sess_key[2]; int userlen; NTLMhash = (unsigned char *) malloc(24); memset(NTLMhash, 0, 24); memset(LMhash, 0, 24); memset(rbuf, 0, 400); if (accntFlag == 0) { strcpy((char *) workgroup, "localhost"); } else if (accntFlag == 2) { memset(workgroup, 0, 16); } HashNTLM(&NTLMhash, (unsigned char *) pass, (unsigned char *) challenge, miscptr); memset(buf, 0, 512); memcpy(buf, b, 89); memcpy(buf + 65, LMhash, 24); memcpy(buf + 89, NTLMhash, 24); /* set session key */ sess_key[1] = getpid() / 100; sess_key[0] = getpid() - (100 * sess_key[1]); memcpy(buf + 30, sess_key, 2); userlen = strlen(user); memcpy(buf + 113, user, userlen); memset(buf + (113 + userlen), 0, 1); memcpy(buf + (114 + userlen), workgroup, strlen((char *) workgroup)); memcpy(buf + (114 + userlen + strlen((char *) workgroup)), b + 125, 12); /* set the header length */ buf[3] = (userlen + strlen((char *) workgroup) + 0x7A) % 256; buf[2] = (userlen + strlen((char *) workgroup) + 0x7A) / 256; /* set data length */ buf[63] = 0x1F + strlen((char *) workgroup) + userlen; hydra_send(s, (char *) buf, 126 + userlen + strlen((char *) workgroup), 0); hydra_recv(s, (char *) rbuf, sizeof(rbuf)); /* 41 - Action (Guest/Non-Guest Account) */ /* 9 - NT Status (Error code) */ return ((rbuf[41] << 8) | rbuf[9]); }
/* SMBNegProt Function: Negotiate protocol with server ... Actually a pseudo negotiation since the whole program counts on NTLM support :) The challenge is retrieved from the answer No error checking is performed i.e cross your fingers.... */ int SMBNegProt(int s) { unsigned char buf[168] = { 0x00, 0x00, 0x00, 0xa4, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x81, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 }; unsigned char rbuf[400]; unsigned char sess_key[2]; unsigned char userid[2] = {0xCD, 0xEF}; int i = 0, j = 0; memset((char *) rbuf, 0, 400); /* set session key */ sess_key[1] = getpid() / 100; sess_key[0] = getpid() - (100 * sess_key[1]); memcpy(buf + 30, sess_key, 2); memcpy(buf + 32, userid, 2); hydra_send(s, (char *) buf, 168, 0); hydra_recv(s, (char *) rbuf, sizeof(rbuf)); /* retrieve the challenge */ memcpy(challenge, (char *) rbuf + 73, sizeof(challenge)); /* find the primary domain/workgroup name */ memset(workgroup, 0, 16); memset(machine_name, 0, 16); while ((rbuf[81 + i * 2] != 0) && (i < 16)) { workgroup[i] = rbuf[81 + i * 2]; i++; } while ((rbuf[81 + (i + j + 1) * 2] != 0) && (j < 16)) { machine_name[j] = rbuf[81 + (i + j + 1) * 2]; j++; } return 2; }
int start_teamspeak(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char buf[100]; struct team_speak teamspeak; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; memset(&teamspeak, 0, sizeof(struct team_speak)); memcpy(&teamspeak.header, "\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00", 16); teamspeak.clientlen = 9; strcpy((char *) &teamspeak.client, "TeamSpeak"); teamspeak.oslen = 11; strcpy((char *) &teamspeak.os, "Linux 2.6.9"); memcpy(&teamspeak.misc, "\x02\x00\x00\x00\x20\x00\x3c\x00\x01\x02", 10); teamspeak.userlen = strlen(login); strncpy((char *) &teamspeak.user, login, 29); teamspeak.passlen = strlen(pass); strncpy((char *) &teamspeak.pass, pass, 29); teamspeak.loginlen = 0; strcpy((char *) &teamspeak.login, ""); #ifdef HAVE_ZLIB teamspeak.crc = crc32(0L, (const Bytef *)&teamspeak, sizeof(struct team_speak)); #else teamspeak.crc = crc32(&teamspeak, sizeof(struct team_speak)); #endif if (hydra_send(s, (char *) &teamspeak, sizeof(struct team_speak), 0) < 0) { return 3; } if (hydra_data_ready_timed(s, 5, 0) > 0) { hydra_recv(s, (char *) buf, sizeof(buf)); if (buf[0x58] == 1) { hydra_report_found_host(port, ip, "teamspeak", fp); hydra_completed_pair_found(); } if (buf[0x4B] != 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } } else { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2; int ret; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; memset(buffer2, 0, sizeof(buffer2)); bptr++; strcpy(bptr, login); bptr += 1 + strlen(login); strcpy(bptr, login); bptr += 1 + strlen(login); strcpy(bptr, TERM); if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(login) + strlen(TERM), 0) < 0) { return 4; } ret = hydra_recv(s, buffer, sizeof(buffer)); /* 0x00 is sent but hydra_recv transformed it */ if (strlen(buffer) == 0) ret = hydra_recv(s, buffer, sizeof(buffer)); if (ret > 0 && (strstr(buffer, "rlogind:") != NULL)) return 1; if (ret > 0 && (strstr(buffer, "ssword") != NULL)) { if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; sprintf(buffer2, "%s\r", pass); if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) { return 1; } memset(buffer, 0, sizeof(buffer)); ret = hydra_recv(s, buffer, sizeof(buffer)); if (strcmp(buffer, "\r\n")) ret = hydra_recv(s, buffer, sizeof(buffer)); } /* Authentication failure */ if (ret > 0 && (strstr(buffer, "ssword") == NULL)) { #ifdef HAVE_PCRE if (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)")) { #else /* check for failure and incorrect msg */ if ((strstr(buffer, "ailure") == NULL) && (strstr(buffer, "ncorrect") == NULL) && (strstr(buffer, "denied") == NULL)) { #endif hydra_report_found_host(port, ip, "rlogin", fp); hydra_completed_pair_found(); } else { hydra_completed_pair(); } } else { /* if password is asked a second time, it means the pass we provided is wrong */ hydra_completed_pair(); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } void service_rlogin(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { next_run = 0; switch (run) { case 1: /* connect and service init function */ { /* 512 -> 1023 */ hydra_set_srcport(1023); if (sock >= 0) sock = hydra_disconnect(sock); // usleep(275000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = 2; break; } case 2: /* run the cracking function */ next_run = start_rlogin(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
int internal__hydra_connect(char *host, int port, int protocol, int type) { int s, ret = -1, ipv6 = 0; #ifdef AF_INET6 struct sockaddr_in6 target6; struct sockaddr_in6 sin6; #endif struct sockaddr_in target; struct sockaddr_in sin; char *buf, *tmpptr = NULL; int err = 0; #ifdef AF_INET6 memset(&target6, 0, sizeof(target6)); memset(&sin6, 0, sizeof(sin6)); if ((host[0] == 16 && proxy_string_ip[0] != 4) || proxy_string_ip[0] == 16) ipv6 = 1; #endif #ifdef AF_INET6 if (ipv6) s = socket(AF_INET6, protocol, type); else #endif s = socket(PF_INET, protocol, type); if (s >= 0) { if (src_port != 0) { int bind_ok = 0; #ifdef AF_INET6 if (ipv6) { sin6.sin6_family = AF_INET6; sin6.sin6_port = htons(src_port); } else #endif { sin.sin_family = PF_INET; sin.sin_port = htons(src_port); sin.sin_addr.s_addr = INADDR_ANY; } //we will try to find a free port down to 512 while (!bind_ok && src_port >= 512) { #ifdef AF_INET6 if (ipv6) ret = bind(s, (struct sockaddr *) &sin6, sizeof(sin6)); else #endif ret = bind(s, (struct sockaddr *) &sin, sizeof(sin)); if (ret == -1) { if (verbose) perror("internal_hydra_connect error"); if (errno == EADDRINUSE) { src_port--; #ifdef AF_INET6 if (ipv6) sin6.sin6_port = htons(src_port); else #endif sin.sin_port = htons(src_port); } else { if (errno == EACCES && (getuid() > 0)) { fprintf(stderr, "[ERROR] You need to be root to test this service\n"); close(s); return -1; } } } else bind_ok = 1; } } if (use_proxy > 0) { if (proxy_string_ip[0] == 4) { memcpy(&target.sin_addr.s_addr, &proxy_string_ip[1], 4); target.sin_family = AF_INET; target.sin_port = htons(proxy_string_port); } #ifdef AF_INET6 if (proxy_string_ip[0] == 16) { memcpy(&target6.sin6_addr, &proxy_string_ip[1], 16); target6.sin6_family = AF_INET6; target6.sin6_port = htons(proxy_string_port); } #endif } else { if (host[0] == 4) { memcpy(&target.sin_addr.s_addr, &host[1], 4); target.sin_family = AF_INET; target.sin_port = htons(port); } #ifdef AF_INET6 if (host[0] == 16) { memcpy(&target6.sin6_addr, &host[1], 16); target6.sin6_family = AF_INET6; target6.sin6_port = htons(port); } #endif } signal(SIGALRM, alarming); do { if (fail > 0) sleep(WAIT_BETWEEN_CONNECT_RETRY); alarm_went_off = 0; alarm(waittime); #ifdef AF_INET6 #ifdef SO_BINDTODEVICE if (host[17] != 0) { setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, &host[17], strlen(&host[17]) + 1); } #else #ifdef IP_FORCE_OUT_IFP if (host[17] != 0) { setsockopt(s, SOL_SOCKET, IP_FORCE_OUT_IFP, &host[17], strlen(&host[17]) + 1); } #endif #endif if (ipv6) ret = connect(s, (struct sockaddr *) &target6, sizeof(target6)); else #endif ret = connect(s, (struct sockaddr *) &target, sizeof(target)); alarm(0); if (ret < 0 && alarm_went_off == 0) { fail++; if (verbose && fail <= MAX_CONNECT_RETRY) fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int) getpid(), fail, MAX_CONNECT_RETRY); } } while (ret < 0 && fail <= MAX_CONNECT_RETRY); if (ret < 0 && fail > MAX_CONNECT_RETRY) { if (debug) printf("DEBUG_CONNECT_UNREACHABLE\n"); /* we wont quit here, thats up to the module to decide what to do * fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int)getpid()); * hydra_child_exit(1); */ extern_socket = -1; close(s); ret = -1; return ret; } ret = s; extern_socket = s; if (debug) printf("DEBUG_CONNECT_OK\n"); err = 0; if (use_proxy == 2) { if ((buf = malloc(4096)) == NULL) { fprintf(stderr, "[ERROR] could not malloc()\n"); close(s); return -1; } memset(&target, 0, sizeof(target)); if (host[0] == 4) { memcpy(&target.sin_addr.s_addr, &host[1], 4); target.sin_family = AF_INET; target.sin_port = htons(port); } #ifdef AF_INET6 memset(&target6, 0, sizeof(target6)); if (host[0] == 16) { memcpy(&target6.sin6_addr, &host[1], 16); target6.sin6_family = AF_INET6; target6.sin6_port = htons(port); } #endif if (hydra_strcasestr(proxy_string_type, "connect") || hydra_strcasestr(proxy_string_type, "http")) { if (proxy_authentication == NULL) if (host[0] == 16) snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port); else snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port); else if (host[0] == 16) snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication); else snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication); send(s, buf, strlen(buf), 0); recv(s, buf, 4096, 0); if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2') { if (debug) printf("DEBUG_CONNECT_PROXY_OK\n"); } else { if (debug) printf("DEBUG_CONNECT_PROXY_FAILED (Code: %c%c%c)\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2)); if (verbose) fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2)); err = 1; } // free(buf); } else { if (hydra_strcasestr(proxy_string_type, "socks5")) { // char buf[1024]; size_t cnt, wlen; /* socks v5 support */ buf[0] = SOCKS_V5; buf[1] = 1; if (proxy_authentication == NULL) buf[2] = SOCKS_NOAUTH; else buf[2] = SOCKS_PASSAUTH; cnt = hydra_send(s, buf, 3, 0); if (cnt != 3) { hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt); err = 1; } else { cnt = hydra_recv(s, buf, 2); if (cnt != 2) { hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt); err = 1; } if ((unsigned int) buf[1] == SOCKS_NOMETHOD) { hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n"); err = 1; } /* SOCKS_DOMAIN not supported here, do we need it ? */ if (err != 1) { /* send user/pass */ if (proxy_authentication != NULL) { //format was checked previously char *login = strtok(proxy_authentication, ":"); char *pass = strtok(NULL, ":"); snprintf(buf, sizeof(buf), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass); cnt = hydra_send(s, buf, strlen(buf), 0); if (cnt != strlen(buf)) { hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt); err = 1; } else { cnt = hydra_recv(s, buf, 2); if (cnt != 2) { hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt); err = 1; } if (buf[1] != 0) { hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication failure\n"); err = 1; } else { if (debug) hydra_report(stderr, "[DEBUG] SOCKS5 proxy authentication success\n"); } } } #ifdef AF_INET6 if (ipv6) { /* Version 5, connect: IPv6 address */ buf[0] = SOCKS_V5; buf[1] = SOCKS_CONNECT; buf[2] = 0; buf[3] = SOCKS_IPV6; memcpy(buf + 4, &target6.sin6_addr, sizeof target6.sin6_addr); memcpy(buf + 20, &target6.sin6_port, sizeof target6.sin6_port); wlen = 22; } else { #endif /* Version 5, connect: IPv4 address */ buf[0] = SOCKS_V5; buf[1] = SOCKS_CONNECT; buf[2] = 0; buf[3] = SOCKS_IPV4; memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr); memcpy(buf + 8, &target.sin_port, sizeof target.sin_port); wlen = 10; #ifdef AF_INET6 } #endif cnt = hydra_send(s, buf, wlen, 0); if (cnt != wlen) { hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/%zu)\n", cnt, wlen); err = 1; } else { cnt = hydra_recv(s, buf, 10); if (cnt != 10) { hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/10)\n", cnt); err = 1; } if (buf[1] != 0) { /* 0x05 = connection refused by destination host */ if (buf[1] == 5) hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n"); else hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]); err = 1; } } } } } else { if (hydra_strcasestr(proxy_string_type, "socks4")) { if (ipv6) { hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n"); err = 1; } else { // char buf[1024]; size_t cnt, wlen; /* socks v4 support */ buf[0] = SOCKS_V4; buf[1] = SOCKS_CONNECT; /* connect */ memcpy(buf + 2, &target.sin_port, sizeof target.sin_port); memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr); buf[8] = 0; /* empty username */ wlen = 9; cnt = hydra_send(s, buf, wlen, 0); if (cnt != wlen) { hydra_report(stderr, "[ERROR] SOCKS4 proxy write failed (%zu/%zu)\n", cnt, wlen); err = 1; } else { cnt = hydra_recv(s, buf, 8); if (cnt != 8) { hydra_report(stderr, "[ERROR] SOCKS4 proxy read failed (%zu/8)\n", cnt); err = 1; } if (buf[1] != 90) { /* 91 = 0x5b = request rejected or failed */ if (buf[1] == 91) hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n"); else hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]); err = 1; } } } } else { hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type); err = 1; } } } free(buf); } if (err) { close(s); extern_socket = -1; ret = -1; close(s); return ret; } fail = 0; return ret; } return ret; }
int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char options, char *miscptr, FILE * fp) { char *login, *pass, *host, buffer[SIP_MAX_BUF]; int i; char buf[SIP_MAX_BUF]; if (strlen(login = hydra_get_next_login()) == 0) login = NULL; if (strlen(pass = hydra_get_next_password()) == 0) pass = NULL; if (external_ip_addr[0]) lip = external_ip_addr; host = miscptr; cseq = 1; empty_register(buffer, host, lip, port, lport, login); cseq++; if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 3; } int has_sip_cred = 0; int try = 0; /* We have to check many times because server may begin to send "100 Trying" * before "401 Unauthorized" */ while (try < 2 && !has_sip_cred) { try++; if (hydra_data_ready_timed(s, 3, 0) > 0) { i = hydra_recv(s, (char *) buf, sizeof(buf)); buf[sizeof(buf) - 1] = '\0'; if (strncmp(buf, "SIP/2.0 404", 11) == 0) { hydra_report(stdout, "[ERROR] Get error code 404 : user '%s' not found\n", login); return 2; } if (strncmp(buf, "SIP/2.0 606", 11) == 0) { char *ptr=NULL; int i = 0; // if we already tried to connect, exit if (external_ip_addr[0]) { hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n"); return 2; } if (verbose) hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n" "maybe it's an addressing issue as you are using NAT, trying to reconnect\n" "using addr from the server reply\n"); /* SIP/2.0 606 Not Acceptable Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137 */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "Via: SIP.*received=")) { ptr=strstr(buf, "received="); #else if ((ptr=strstr(buf, "received="))) { #endif strncpy(external_ip_addr, ptr+strlen("received="), sizeof(external_ip_addr)); external_ip_addr[sizeof(external_ip_addr) - 1] = '\0'; for (i = 0; i < strlen(external_ip_addr); i++) { if (external_ip_addr[i] <= 32) { external_ip_addr[i] = '\0'; } } if (verbose) hydra_report(stderr, "[VERBOSE] Will reconnect using external IP address %s\n", external_ip_addr); return 1; } hydra_report(stderr, "[ERROR] Could not find external IP address in server answer\n"); return 2; } } } if (!strstr(buf, "WWW-Authenticate: Digest")) { hydra_report(stderr, "[ERROR] no www-authenticate header found!\n"); return -1; } if (verbose) hydra_report(stderr, "[INFO] S: %s\n", buf); char buffer2[512]; sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL); memset(buffer, 0, SIP_MAX_BUF); snprintf(buffer, SIP_MAX_BUF, "REGISTER sip:%s SIP/2.0\n" "Via: SIP/2.0/UDP %s:%i\n" "From: <sip:%s@%s>\n" "To: <sip:%s@%s>\n" "Call-ID: 1337@%s\n" "CSeq: %i REGISTER\n" "Authorization: Digest %s\n" "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2); cseq++; if (verbose) hydra_report(stderr, "[INFO] C: %s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 3; } try = 0; int has_resp = 0; int sip_code = 0; while (try < 2 && !has_resp) { try++; if (hydra_data_ready_timed(s, 5, 0) > 0) { memset(buf, 0, sizeof(buf)); i = hydra_recv(s, (char *) buf, sizeof(buf)); if (verbose) hydra_report(stderr, "[INFO] S: %s\n", buf); sip_code = get_sip_code(buf); if (sip_code >= 200 && sip_code < 300) { hydra_report_found_host(port, ip, "sip", fp); hydra_completed_pair_found(); has_resp = 1; } if (sip_code >= 400 && sip_code < 500) { has_resp = 1; } } } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_SIP, mysslport = PORT_SIP_SSL; char *lip = get_iface_ip((int) *(&ip[1])); hydra_register_socket(sp); // FIXME IPV6 if (ip[0] != 4) { fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n"); hydra_child_exit(2); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) run = 3; int lport = 0; while (1) { switch (run) { case 1: if (sock < 0) { if (port != 0) myport = port; lport = rand() % (65535 - 1024) + 1024; hydra_set_srcport(lport); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_udp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); free(lip); hydra_child_exit(1); } } next_run = start_sip(sock, ip, lip, port, lport, options, miscptr, fp); break; case 2: if (sock >= 0) sock = hydra_disconnect(sock); free(lip); hydra_child_exit(2); break; case 3: if (sock >= 0) sock = hydra_disconnect(sock); free(lip); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); free(lip); hydra_child_exit(2); } run = next_run; } } char *get_iface_ip(unsigned long int ip) { int sfd; sfd = socket(AF_INET, SOCK_DGRAM, 0); struct sockaddr_in tparamet; tparamet.sin_family = AF_INET; tparamet.sin_port = htons(2000); tparamet.sin_addr.s_addr = ip; if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) { perror("connect"); close(sfd); return NULL; } struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in)); int size = sizeof(struct sockaddr_in); if (getsockname(sfd, (void *) local, (socklen_t *) & size)) { perror("getsockname"); close(sfd); free(local); return NULL; } close(sfd); char buff[32]; if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) { perror("inet_ntop"); free(local); return NULL; } char *str = malloc(sizeof(char) * (strlen(buff) + 1)); strcpy(str, buff); free(local); return str; } #endif int service_sip_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here return 0; }
char *nntp_read_server_capacity(int sock) { char *ptr = NULL; int resp = 0; char *buf = NULL; do { if (buf != NULL) free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { if (isdigit((int) buf[0]) && buf[3] == ' ') resp = 1; else { if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; #ifdef NO_RINDEX if ((ptr = strrchr(buf, '\n')) != NULL) { #else if ((ptr = rindex(buf, '\n')) != NULL) { #endif ptr++; if (isdigit((int) *ptr) && *(ptr + 3) == ' ') resp = 1; } } } } while (buf != NULL && resp == 0); return buf; } int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[300], buffer2[500]; int i = 1; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (i > 0 && hydra_data_ready(s) > 0) i = hydra_recv(s, buffer, 300); switch (nntp_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "AUTHINFO SASL LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: sprintf(buffer, "AUTHINFO SASL PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //send auth and receive challenge buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf); free(buf); return 3; } //recover challenge from64tobits((char *) buf1, buf + 4); free(buf); buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", (char*)buf1); } break; default:{ sprintf(buffer, "AUTHINFO USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] != '3') { if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] == '2') { hydra_report_found_host(port, ip, "nntp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }