int go(sLogin* logins, int argc, char *argv[])
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "** Module was not properly built. Are the afpfs-ng headers and static library installed correctly? **");
writeVerbose(VB_NONE, "");
return FAILURE;
}
int go(sLogin* logins, int argc, char *argv[])
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "** Module was not properly built. Is OPENSSL installed correctly? **");
writeVerbose(VB_NONE, "");
return FAILURE;
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " EHLO:? (optional)");
writeVerbose(VB_NONE, " Sets the name sent via the EHLO command.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " Usage example: \"-M smtp-vrfy -m EHLO:g3rg3 -U accounts.txt -p domain.com\"");
writeVerbose(VB_NONE, "");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " DIR:? ");
writeVerbose(VB_NONE, " Sets target directory name. If left unset, the default is \"/root\"");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " Usage example: \"-M cvs -m DIR:/some_project\"");
writeVerbose(VB_NONE, "");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " MODE:? (NORMAL, AS400) [optional]");
writeVerbose(VB_NONE, " Sets the mode for error detection.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " Usage example: \"-M telnet -m MODE:AS400 -U accounts.txt -p password\"");
writeVerbose(VB_NONE, "");
}
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "** Module was not properly built. Are the afpfs-ng headers and static library installed correctly? **");
writeVerbose(VB_NONE, "");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " TAG:? (Default: gerg)");
writeVerbose(VB_NONE, " AUTH:? (Authentication Type (LOGIN/PLAIN/NTLM). Default: automatic)");
writeVerbose(VB_NONE, " DOMAIN:? [optional]");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Usage example: \"-M imap -m TAG:A0001 -m AUTH:PLAIN");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "The DOMAIN option should supply the specified domain appropriately,");
writeVerbose(VB_NONE, "regardless of authentication type. The domain can also be supplied ");
writeVerbose(VB_NONE, "via the username field, but the format appears to differ by auth type.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Example 1: NTLM authentication with DOMAIN option");
writeVerbose(VB_NONE, " \"medusa -M imap -m AUTH:NTLM -m DOMAIN:FOODOM -h host -u foo -p bar\"");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Example 2: NTLM authentication with domain via username");
writeVerbose(VB_NONE, " \"medusa -M imap -m AUTH:NTLM -h host -u foo@domain -p bar\"");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "* If no domain is specified when using NTLM authentication, the server");
writeVerbose(VB_NONE, "supplied value will be used.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Example 3: LOGIN authentication with domain via username");
writeVerbose(VB_NONE, " \"medusa -M imap -m AUTH:LOGIN -h host -u 'domain\\\\foo' -p bar\"");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " CONTEXT:? ");
writeVerbose(VB_NONE, " Sets user context information.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "It should be noted that libncp does not by default automatically specific a user context.");
writeVerbose(VB_NONE, "If it fails to resolve the name provided it appends the server's context to the username and attempts");
writeVerbose(VB_NONE, "to resolve that value. It is advised that users specify a context for each account being tested.");
writeVerbose(VB_NONE, "A global context can be specified using the CONTEXT option. A per-user context can be defined");
writeVerbose(VB_NONE, "as part of the account name within a file containing usernames or the username passed via the ");
writeVerbose(VB_NONE, "command-line.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " Usage example: \"-M ncp -m CONTEXT:.OU=administrators.O=foofus -u username\"");
writeVerbose(VB_NONE, " Usage example: \"-M ncp -u username.OU=administrators.O=foofus\"");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Libncp, by default, also uses both the NDS and BIND authenticators. Unfortunately, the only");
writeVerbose(VB_NONE, "error message returned to the module is that of the BIND authenticator. These messages are not");
writeVerbose(VB_NONE, "as descriptive as NDS and only seem to report success or failure. In order to have more useful");
writeVerbose(VB_NONE, "messages (account disabled/max logons exceeded/etc.), create a ~/.nwclient or /etc/ncpfs.conf");
writeVerbose(VB_NONE, "file with the following text:");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " [Requester]");
writeVerbose(VB_NONE, " NetWare Protocol = NDS");
writeVerbose(VB_NONE, "");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " PASS:? (PASSWORD*, HASH)");
writeVerbose(VB_NONE, " PASSWORD: Use normal password.");
writeVerbose(VB_NONE, " HASH: Use a hash rather than a password. (non-SHA1 hashes only)");
writeVerbose(VB_NONE, "\n(*) Default value");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Usage examples:");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "1: Normal boring check...");
writeVerbose(VB_NONE, " medusa -M mysql -h somehost -u someuser -p somepassword");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "2: Using an old-style MySQL hash...");
writeVerbose(VB_NONE, " medusa -M mysql -h somehost -U users.txt -p 39b52a209cf03d62 -m PASS:HASH");
writeVerbose(VB_NONE, "");
}
int medusaConnectInternal(unsigned long nHost, int nPort, int nProtocol, int nType, int nWaitTime, int nRetries, int nRetryWait,unsigned long nProxyStringIP, int nProxyStringPort, char* szProxyAuthentication, int nSourcePort)
{
int s, ret = -1;
int nFail = 0;
struct sockaddr_in target, source;
char *buf, *tmpptr = NULL;
char out[16];
long flag;
int nOpt, nSize;
fd_set myset;
struct timeval tv;
int nUseProxy = nProxyStringIP > 0 ? 1 : 0;
s = socket(PF_INET, nProtocol, nType);
if (s >= 0)
{
/* Handle a source port request from a module */
if ( nSourcePort != 0 ) {
int bind_ok=0;
source.sin_family = PF_INET;
source.sin_port = htons(nSourcePort);
source.sin_addr.s_addr = INADDR_ANY;
/* We will try to find a free port down to 512 */
while (!bind_ok && nSourcePort >= 512)
{
if (bind(s, (struct sockaddr *)&source, sizeof(source))==-1)
{
if (errno == EADDRINUSE)
{
writeError(ERR_DEBUG, "Port %d in use trying next lower port.", nSourcePort);
nSourcePort--;
source.sin_port = htons(nSourcePort);
}
else
{
if (errno == EACCES && (getuid() > 0))
{
writeError(ERR_ERROR, "Source port for this service requires root privileges.");
return FAILURE;
}
}
}
else
bind_ok=1;
}
}
/* End of source port fun */
if (nUseProxy > 0)
{
target.sin_port = htons(nProxyStringPort);
memcpy(&target.sin_addr.s_addr, &nProxyStringIP, sizeof(unsigned long));
}
else
{
target.sin_port = htons(nPort);
memcpy(&target.sin_addr.s_addr, &nHost, sizeof(unsigned long));
}
target.sin_family = AF_INET;
// Set non-blocking
if((flag = fcntl(s, F_GETFL, NULL)) < 0)
{
writeError(ERR_ERROR, "Error fcntl(..., F_GETFL) (%s)", strerror(errno));
return -1;
}
flag |= O_NONBLOCK;
if(fcntl(s, F_SETFL, flag) < 0)
{
writeError(ERR_ERROR, "Error fcntl(..., F_SETFL) (%s)", strerror(errno));
return -1;
}
nFail = 0;
ret = connect(s, (struct sockaddr*)&target, sizeof(struct sockaddr_in));
if (errno == EINPROGRESS)
{
do
{
if (nFail > 0 && nFail <= nRetries)
{
writeError(ERR_ERROR, "Thread %X: Host: %s Cannot connect [unreachable], retrying (%d of %d retries)", (int)pthread_self(), inet_ntop(AF_INET, &target.sin_addr, out, sizeof(out)), nFail, nRetries);
sleep(nRetryWait);
}
else if (nFail > nRetries)
return -1;
tv.tv_sec = nWaitTime;
tv.tv_usec = 0;
FD_ZERO(&myset);
FD_SET(s, &myset);
ret = select(s + 1, NULL, &myset, NULL, &tv);
if (ret < 0 && errno != EINTR)
{
writeError(ERR_ERROR, "Error connecting to host: %s", strerror(errno));
return -1;
}
else if (ret > 0)
{
nSize = sizeof(int);
if (getsockopt(s, SOL_SOCKET, SO_ERROR, (void*)(&nOpt), &nSize) < 0)
{
writeError(ERR_ERROR, "Error in getsockopt() %s", strerror(errno));
return -1;
}
if (nOpt != 0)
{
// Socket is not valid - connection failed
writeVerbose(VB_GENERAL, "Unable to connect (invalid socket): unreachable destination");
return -1;
}
// If we get here, the socket should be valid
ret = 0;
break;
}
else
{
nFail++;
}
} while (1);
}
if (ret != 0 || nFail > nRetries)
{
writeVerbose(VB_GENERAL, "Unable to connect: unreachable destination");
ret = -1;
return ret;
}
// Set the socket to be blocking again
if((flag = fcntl(s, F_GETFL, NULL)) < 0)
{
writeError(ERR_ERROR, "Error fcntl(..., F_GETFL) (%s)", strerror(errno));
return -1;
}
flag &= ~O_NONBLOCK;
if(fcntl(s, F_SETFL, flag) < 0)
{
writeError(ERR_ERROR, "Error fcntl(..., F_SETFL) (%s)", strerror(errno));
return -1;
}
ret = s;
writeError(ERR_DEBUG, "Connected (internal)");
if (nUseProxy > 0)
{
buf = malloc(4096);
memset(buf, 0, 4096);
memset(&target, 0, sizeof(struct sockaddr_in));
memcpy(&target.sin_addr.s_addr, &nHost, sizeof(unsigned long));
target.sin_family = AF_INET;
if (szProxyAuthentication == NULL)
snprintf(buf, 4095, "CONNECT %s:%d HTTP/1.0\r\n\r\n", inet_ntop(AF_INET, &target.sin_addr, out, sizeof(out)), nPort);
else
snprintf(buf, 4095, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", inet_ntop(AF_INET, &target.sin_addr, out, sizeof(out)), nPort,
szProxyAuthentication);
send(s, buf, strlen(buf), 0);
recv(s, buf, 4096, 0);
if (strncmp("HTTP/", buf, strlen("HTTP/")) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2')
{
writeError(ERR_DEBUG, "Connected (with proxy)");
}
else
{
//writeError(ERR_DEBUG, "Unable to connect using SSL (Code: %c%c%c)", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
writeError(ERR_ERROR, "CONNECT call to proxy failed with code %c%c%c", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
close(s);
ret = -1;
free(buf);
return ret;
}
free(buf);
}
nFail = 0;
return ret;
}
return ret;
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " TYPE:? (SINGLE, STDIN)");
writeVerbose(VB_NONE, " Option sets type of script being called by module. See included sample scripts");
writeVerbose(VB_NONE, " for ideas how to use this module.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " SINGLE: Script expects all user input comes from original command line.");
writeVerbose(VB_NONE, " STDIN: Host and user information passed to script via command line.");
writeVerbose(VB_NONE, " Passwords to test are passed via STDIN to script.");
writeVerbose(VB_NONE, " ");
writeVerbose(VB_NONE, " PROG:? ");
writeVerbose(VB_NONE, " Option for setting path to executable file.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " ARGS:? ");
writeVerbose(VB_NONE, " Option for setting executable parameters. The following substitutions can be used:");
writeVerbose(VB_NONE, " %H: Replaced with target IP address.");
writeVerbose(VB_NONE, " %U: Replaced with username to test.");
writeVerbose(VB_NONE, " %P: Replaced with password to test.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Usage example: \'-M wrapper -m TYPE:SINGLE -m PROG:./foo.pl -m ARGS:\"-h %H -u %U -p %P\"\'");
writeVerbose(VB_NONE, "Usage example: \'-M wrapper -m TYPE:STDIN -m PROG:./bar.pl -m ARGS:\"--host %H --user %U\"\'");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " EHLO:? [optional] ");
writeVerbose(VB_NONE, " Specify the EHLO greeting.");
writeVerbose(VB_NONE, " AUTH:? (Authentication Type (PLAIN/LOGIN/NTLM). Default: automatic)");
writeVerbose(VB_NONE, " Module will query service for accepted methods via an \"AUTH\" request.");
writeVerbose(VB_NONE, " PLAIN, LOGIN, and NTLM authentication methods are supported.");
writeVerbose(VB_NONE, " DOMAIN:? [optional]");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "The DOMAIN option should supply the specified domain appropriately,");
writeVerbose(VB_NONE, "regardless of authentication type. The domain can also be supplied ");
writeVerbose(VB_NONE, "via the username field, but the format appears to differ by auth type.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " Usage example: ");
writeVerbose(VB_NONE, " \"medusa -M smtp -m AUTH:NTLM -U accounts.txt -p password\"");
writeVerbose(VB_NONE, " \"medusa -M smtp -m EHLO:world -U accounts.txt -p password\"");
writeVerbose(VB_NONE, "");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " USER-AGENT:? User-agent value. Default: \"I'm not Mozilla, I'm Ming Mong\".");
writeVerbose(VB_NONE, " FORM:? Target form to request. Default: \"/\"");
writeVerbose(VB_NONE, " DENY-SIGNAL:? Authentication failure message. Attempt flagged as successful if text is not present in");
writeVerbose(VB_NONE, " server response. Default: \"Login incorrect\"");
writeVerbose(VB_NONE, " FORM-DATA:<METHOD>?<FIELDS>");
writeVerbose(VB_NONE, " Methods and fields to send to web service. Valid methods are GET and POST. The actual form");
writeVerbose(VB_NONE, " data to be submitted should also be defined here. Specifically, the fields: username and");
writeVerbose(VB_NONE, " password. The username field must be the first, followed by the password field.");
writeVerbose(VB_NONE, " Default: \"post?username=&password=\"");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Usage example: \"-M web-form -m USER-AGENT:\"g3rg3 gerg\" -m FORM:\"webmail/index.php\" -m DENY-SIGNAL:\"deny!\"");
writeVerbose(VB_NONE, " -m FORM-DATA:\"post?user=&pass=&submit=True\"");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Rsh is a service where you either have .rhosts/hosts.equiv access\nfrom the source host or you don't. Passwords really don't matter.\nSo the best way to use this module is with a single dummy password and a\nlist of users you suspect may have .rhosts/hosts.equiv allows for your source.\nGood luck.");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " MODE:? (NORMAL, AS400) [optional]");
writeVerbose(VB_NONE, " Sets the mode for error detection.");
writeVerbose(VB_NONE, " AUTH:? (Authentication Type (USER/PLAIN/LOGIN/NTLM). Default: automatic)");
writeVerbose(VB_NONE, " Module will query service for accepted methods via an \"AUTH\" request.");
writeVerbose(VB_NONE, " USER (clear-text), SASL PLAIN, SASL LOGIN, and SASL NTLM authentication methods are supported.");
writeVerbose(VB_NONE, " DOMAIN:? [optional]");
writeVerbose(VB_NONE, " AUTH USER - Appends domain to username (e.g. [email protected]).");
writeVerbose(VB_NONE, " AUTH NTLM - Supplies specified domain during NTLM authentication. The default");
writeVerbose(VB_NONE, " behaviour is to use the server supplied domain value.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " Usage example: ");
writeVerbose(VB_NONE, " \"medusa -M pop3 -m MODE:AS400 -U accounts.txt -p password\"");
writeVerbose(VB_NONE, " \"medusa -M pop3 -m DOMAIN:foo.com -U accounts.txt -p password\"");
writeVerbose(VB_NONE, "");
}
int initModule(_MODULE_DATA *_psSessionData, sLogin* psLogin)
{
enum MODULE_STATE nState = MSTATE_NEW;
char *pPass, *szTmp, *szCmdTmp;
sUser* user = psLogin->psUser;
int iRet, nCmdLength, nCmdPartLength;
if (user != NULL)
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: '******'", MODULE_NAME, psLogin->psServer->pHostIP, user->pUser);
}
else
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s", MODULE_NAME, psLogin->psServer->pHostIP);
}
pPass = getNextPass(psLogin->psServer->psAudit, user);
if (pPass == NULL)
{
writeVerbose(VB_GENERAL, "[%s] out of passwords for user '%s' at host '%s', bailing", MODULE_NAME, user->pUser, psLogin->psServer->pHostIP);
}
while(NULL != pPass)
{
switch(nState)
{
case MSTATE_NEW:
/* perform parameter substitution -- this is messy... */
writeError(ERR_DEBUG_MODULE, "User-supplied parameters: %s", _psSessionData->szCmdParam);
/* --host %H --user %U --pass %P */
if (_psSessionData->nType == TYPE_SINGLE)
{
nCmdLength = strlen(_psSessionData->szCmdParam);
nCmdLength -= 6;
nCmdLength += strlen(psLogin->psServer->pHostIP);
nCmdLength += strlen(user->pUser);
nCmdLength += strlen(pPass);
}
/* --host %H --user %U */
else
{
nCmdLength = strlen(_psSessionData->szCmdParam);
nCmdLength -= 4;
nCmdLength += strlen(psLogin->psServer->pHostIP);
nCmdLength += strlen(user->pUser);
}
_psSessionData->szCmdParamFull = malloc(nCmdLength + 1);
memset(_psSessionData->szCmdParamFull, 0, nCmdLength + 1);
szCmdTmp = malloc(nCmdLength + 1);
memset(szCmdTmp, 0, nCmdLength + 1);
if (szTmp = strstr(_psSessionData->szCmdParam, "%H"))
{
nCmdPartLength = (int) szTmp - (int) _psSessionData->szCmdParam;
writeError(ERR_DEBUG_MODULE, "Processing \%H... Copying (%d) parameter characters.", nCmdPartLength);
strncpy(szCmdTmp, _psSessionData->szCmdParam, nCmdPartLength);
strncpy(szCmdTmp + nCmdPartLength, psLogin->psServer->pHostIP, strlen(psLogin->psServer->pHostIP));
strncpy(szCmdTmp + nCmdPartLength + strlen(psLogin->psServer->pHostIP), szTmp + 2, strlen(szTmp) - 2);
}
else
{
writeError(ERR_ERROR, "Invalid command parameter format. Missing %H format.");
psLogin->iResult = LOGIN_RESULT_UNKNOWN;
psLogin->iStatus = LOGIN_FAILED;
FREE(szCmdTmp);
nState = MSTATE_EXITING;
break;
}
writeError(ERR_DEBUG_MODULE, "Parameters (pass 1): %s", szCmdTmp);
if (szTmp = strstr(szCmdTmp, "%U"))
{
nCmdPartLength = (int) szTmp - (int) szCmdTmp;
writeError(ERR_DEBUG_MODULE, "Processing \%U... Copying (%d) parameter characters.", nCmdPartLength);
strncpy(_psSessionData->szCmdParamFull, szCmdTmp, nCmdPartLength);
strncpy(_psSessionData->szCmdParamFull + nCmdPartLength, user->pUser, strlen(user->pUser));
strncpy(_psSessionData->szCmdParamFull + nCmdPartLength + strlen(user->pUser), szTmp + 2, strlen(szTmp) - 2);
}
int initModule(sLogin* psLogin, _MODULE_DATA *_psSessionData)
{
int hSocket = -1;
enum MODULE_STATE nState = MSTATE_NEW;
char* bufReceive;
int nReceiveBufferSize = 0, nFirstPass = 0, nFoundPrompt = 0;
int i = 0;
char *pPass;
sUser* user = psLogin->psUser;
sConnectParams params;
memset(¶ms, 0, sizeof(sConnectParams));
params.nPort = PORT_SMTP;
initConnectionParams(psLogin, ¶ms);
if (user != NULL)
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: '******'", MODULE_NAME, psLogin->psServer->pHostIP, user->pUser);
}
else
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s", MODULE_NAME, psLogin->psServer->pHostIP);
}
pPass = getNextPass(psLogin->psServer->psAudit, user);
if (pPass == NULL)
{
writeVerbose(VB_GENERAL, "[%s] out of passwords for user '%s' at host '%s', bailing", MODULE_NAME, user->pUser, psLogin->psServer->pHostIP);
}
if (_psSessionData->szEHLO == NULL)
{
_psSessionData->szEHLO = malloc(7);
memset(_psSessionData->szEHLO, 0, 7);
sprintf(_psSessionData->szEHLO, "MEDUSA");
}
writeError(ERR_DEBUG, "[%s] Set EHLO value: %s", MODULE_NAME, _psSessionData->szEHLO);
while(NULL != pPass)
{
switch(nState)
{
case MSTATE_NEW:
if (hSocket > 0)
medusaDisconnect(hSocket);
if (psLogin->psServer->psHost->iUseSSL > 0)
hSocket = medusaConnectSSL(¶ms);
else
hSocket = medusaConnect(¶ms);
if (hSocket < 0)
{
writeError(ERR_NOTICE, "%s: failed to connect, port %d was not open on %s", MODULE_NAME, params.nPort, psLogin->psServer->pHostIP);
psLogin->iResult = LOGIN_RESULT_UNKNOWN;
psLogin->iStatus = LOGIN_FAILED;
return FAILURE;
}
writeError(ERR_DEBUG_MODULE, "Connected");
/* send EHLO */
writeError(ERR_DEBUG_MODULE, "[%s] Sending EHLO command.", MODULE_NAME);
if (sayEHLO(hSocket, _psSessionData) == SUCCESS)
nState = MSTATE_RUNNING;
else
nState = MSTATE_EXITING;
break;
case MSTATE_RUNNING:
nState = tryLogin(hSocket, &psLogin, _psSessionData, pPass, user->pUser);
if (psLogin->iResult != LOGIN_RESULT_UNKNOWN)
pPass = getNextPass(psLogin->psServer->psAudit, user);
break;
case MSTATE_EXITING:
sayQUIT(hSocket);
if (hSocket > 0)
medusaDisconnect(hSocket);
hSocket = -1;
pPass = NULL;
break;
default:
writeError(ERR_CRITICAL, "Unknown %s module state %d", MODULE_NAME, nState);
if (hSocket > 0)
medusaDisconnect(hSocket);
hSocket = -1;
psLogin->iResult = LOGIN_RESULT_UNKNOWN;
psLogin->iStatus = LOGIN_FAILED;
return FAILURE;
}
}
psLogin->iStatus = LOGIN_DONE;
return SUCCESS;
}
int initModule(sLogin* psLogin)
{
int hSocket = -1;
enum MODULE_STATE nState = MSTATE_NEW;
char* bufReceive;
int nReceiveBufferSize = 0, nFirstPass = 0, nFoundPrompt = 0;
int i = 0;
char *pPass;
sUser* user = psLogin->psUser;
sConnectParams params;
memset(¶ms, 0, sizeof(sConnectParams));
if (psLogin->psServer->psAudit->iPortOverride > 0)
params.nPort = psLogin->psServer->psAudit->iPortOverride;
else if (psLogin->psServer->psHost->iUseSSL > 0)
writeError(ERR_DEBUG_MODULE, "[%s] module asked for RLOGIN/SSL. Don't know if such a thing exists...\n");
else
params.nPort = PORT_RLOGIN;
params.nSourcePort = 1023;
initConnectionParams(psLogin, ¶ms);
if (user != NULL)
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: '******'", MODULE_NAME, psLogin->psServer->pHostIP, user->pUser);
}
else
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s", MODULE_NAME, psLogin->psServer->pHostIP);
}
pPass = getNextPass(psLogin->psServer->psAudit, user);
if (pPass == NULL)
{
writeVerbose(VB_GENERAL, "[%s] out of passwords for user '%s' at host '%s', bailing", MODULE_NAME, user->pUser, psLogin->psServer->pHostIP);
}
while(NULL != pPass)
{
switch(nState)
{
case MSTATE_NEW:
// Already have an open socket - close it
if (hSocket > 0)
medusaDisconnect(hSocket);
if (psLogin->psServer->psHost->iUseSSL > 0)
hSocket = medusaConnectSSL(¶ms);
else
hSocket = medusaConnect(¶ms);
if (hSocket < 0)
{
writeError(ERR_NOTICE, "%s: failed to connect, port %d was not open on %s", MODULE_NAME, params.nPort, psLogin->psServer->pHostIP);
psLogin->iResult = LOGIN_RESULT_UNKNOWN;
psLogin->iStatus = LOGIN_FAILED;
return FAILURE;
}
writeError(ERR_DEBUG_MODULE, "Connected");
nState = MSTATE_RUNNING;
break;
case MSTATE_RUNNING:
nState = tryLogin(hSocket, &psLogin, user->pUser, pPass);
if (psLogin->iResult != LOGIN_RESULT_UNKNOWN)
pPass = getNextPass(psLogin->psServer->psAudit, user);
break;
case MSTATE_EXITING:
if (hSocket > 0)
medusaDisconnect(hSocket);
hSocket = -1;
pPass = NULL;
break;
default:
writeError(ERR_CRITICAL, "Unknown %s module state %d", MODULE_NAME, nState);
if (hSocket > 0)
medusaDisconnect(hSocket);
hSocket = -1;
psLogin->iResult = LOGIN_RESULT_UNKNOWN;
psLogin->iStatus = LOGIN_FAILED;
return FAILURE;
}
}
psLogin->iStatus = LOGIN_DONE;
return SUCCESS;
}
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "** Module was not properly built. Is OPENSSL installed correctly? **");
writeVerbose(VB_NONE, "");
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, "MODE:? (NORMAL*, EXPLICIT, IMPLICIT)");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " EXPLICIT: AUTH TLS Mode as defined in RFC 4217");
writeVerbose(VB_NONE, " Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to");
writeVerbose(VB_NONE, " sending any credentials, however, an \"AUTH TLS\" command is issued and a");
writeVerbose(VB_NONE, " SSL session is negotiated.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " IMPLICIT: FTP over SSL (990/tcp)");
writeVerbose(VB_NONE, " Implicit FTPS requires a SSL handshake to be performed before any FTP");
writeVerbose(VB_NONE, " commands are sent. This service typically resides on tcp/990. If the user");
writeVerbose(VB_NONE, " specifies this option or uses the \"-n\" (SSL) option, the module will");
writeVerbose(VB_NONE, " default to this mode and tcp/990.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, " NORMAL");
writeVerbose(VB_NONE, " The default behaviour if no MODE is specified. Authentication is attempted");
writeVerbose(VB_NONE, " in the clear. If the server requests encryption for the given user,");
writeVerbose(VB_NONE, " Explicit FTPS is utilized.");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Example Usage:");
writeVerbose(VB_NONE, " medusa -M ftp -h host -u username -p password");
writeVerbose(VB_NONE, " medusa -M ftp -s -h host -u username -p password");
writeVerbose(VB_NONE, " medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "(*) Default value");
writeVerbose(VB_NONE, "");
}
int initModule(sLogin* _psLogin, _MODULE_DATA *_psSessionData)
{
int hSocket = -1;
enum MODULE_STATE nState = MSTATE_NEW;
char* bufReceive;
int nReceiveBufferSize = 0, nFoundPrompt = PROMPT_UNKNOWN;
int i = 0;
sCredentialSet *psCredSet = NULL;
sConnectParams params;
psCredSet = malloc( sizeof(sCredentialSet) );
memset(psCredSet, 0, sizeof(sCredentialSet));
if (getNextCredSet(_psLogin, psCredSet) == FAILURE)
{
writeError(ERR_ERROR, "[%s] Error retrieving next credential set to test.", MODULE_NAME);
nState = MSTATE_COMPLETE;
}
else if (psCredSet->psUser)
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: %s", MODULE_NAME, _psLogin->psServer->pHostIP, psCredSet->psUser->pUser);
}
else
{
writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s - no more available users to test.", MODULE_NAME);
nState = MSTATE_COMPLETE;
}
memset(¶ms, 0, sizeof(sConnectParams));
if (_psLogin->psServer->psAudit->iPortOverride > 0)
params.nPort = _psLogin->psServer->psAudit->iPortOverride;
else if (_psLogin->psServer->psHost->iUseSSL > 0)
params.nPort = PORT_TELNETS;
else
params.nPort = PORT_TELNET;
initConnectionParams(_psLogin, ¶ms);
while (nState != MSTATE_COMPLETE)
{
switch (nState)
{
case MSTATE_NEW:
// Already have an open socket - close it
if (hSocket > 0)
medusaDisconnect(hSocket);
if (_psLogin->psServer->psHost->iUseSSL > 0)
hSocket = medusaConnectSSL(¶ms);
else
hSocket = medusaConnect(¶ms);
if (hSocket <= 0)
{
writeError(ERR_ERROR, "[%s] Failed to connect, port %d was not open on %s", MODULE_NAME, params.nPort, _psLogin->psServer->pHostIP);
_psLogin->iResult = LOGIN_RESULT_UNKNOWN;
setPassResult(_psLogin, psCredSet->pPass);
return FAILURE;
}
writeError(ERR_DEBUG_MODULE, "Connected");
// Examine the first line returned
nReceiveBufferSize = 0;
bufReceive = medusaReceiveLineDelay(hSocket, &nReceiveBufferSize, RECEIVE_DELAY_1, RECEIVE_DELAY_2);
if (bufReceive == NULL)
return FAILURE;
bufReceive[nReceiveBufferSize] = 0; // Make certain buffer is null-terminated
if (bufReceive == NULL)
{
writeError(ERR_ERROR, "[%s] null response was unexpected from a telnet server (is one running?)", MODULE_NAME);
_psLogin->iResult = LOGIN_RESULT_UNKNOWN;
setPassResult(_psLogin, psCredSet->pPass);
return FAILURE;
}
// Telnet protocol negotiation
do
{
nFoundPrompt = PROMPT_UNKNOWN;
processIAC(hSocket, _psSessionData, &bufReceive, &nReceiveBufferSize);
if (bufReceive != NULL && bufReceive[0] != 0 && (unsigned char)bufReceive[0] != IAC)
makeToLower(bufReceive);
if (bufReceive != NULL)
{
writeError(ERR_DEBUG_MODULE, "Looking for login prompts");
if (_psSessionData->nMode == MODE_AS400)
{
if (strcasestr(bufReceive, (char *)"Sign On") != '\0')
{
writeError(ERR_INFO, "[%s] Detected AS/400 Sign On Screen.", MODULE_NAME);
nFoundPrompt = PROMPT_LOGIN_PASSWORD;
FREE(bufReceive);
if (medusaDataReadyTimed(hSocket, 0, 20000) > 0)
{
// More data waiting
bufReceive = medusaReceiveLineDelay(hSocket, &nReceiveBufferSize, RECEIVE_DELAY_1, RECEIVE_DELAY_2);
if (bufReceive != NULL)
bufReceive[nReceiveBufferSize] = 0; // Make certain buffer is null-terminated
}
break;
}
/*
Sign On
System . . . . . : TSTDBS16
Subsystem . . . . : QINTER
Display . . . . . : QPADEV0001
*/
}
else
{
// Look for known login prompts
for (i = 0; i < KNOWN_LOGIN_SIZE; i++)
{
if (strcasestr(bufReceive, KNOWN_LOGIN_PROMPTS[i]) != '\0')
{
// Do we have a prompt?
writeError(ERR_DEBUG_MODULE, "Found login prompt...");
nFoundPrompt = PROMPT_LOGIN_PASSWORD;
break;
}
}
/* Some systems do not provide a login prompt and go right to password */
for (i = 0; i < KNOWN_PWD_SIZE; i++)
{
if (strcasestr(bufReceive, KNOWN_PWD_PROMPTS[i]) != '\0')
{
// Do we have a prompt?
writeError(ERR_DEBUG_MODULE, "Found a password prompt already...");
nFoundPrompt = PROMPT_PASSWORD;
if (_psLogin->psServer->iLoginsDone < 1 && _psLogin->iId == 0)
writeVerbose(VB_NONE_FILE, "Password Prompt Only: %s\n", _psLogin->psServer->pHostIP);
break;
}
}
if (nFoundPrompt == PROMPT_UNKNOWN)
{
FREE(bufReceive);
if (medusaDataReadyTimed(hSocket, 0, 20000) > 0)
{
// More data waiting
bufReceive = medusaReceiveLineDelay(hSocket, &nReceiveBufferSize, RECEIVE_DELAY_1, RECEIVE_DELAY_2);
if (bufReceive != NULL)
bufReceive[nReceiveBufferSize] = 0; // Make certain buffer is null-terminated
}
}
}
}
}
while (bufReceive != NULL && (unsigned char)bufReceive[0] == IAC && nFoundPrompt == PROMPT_UNKNOWN);
FREE(bufReceive);
if (nFoundPrompt == PROMPT_UNKNOWN)
{
writeError(ERR_ERROR, "[%s] Failed to identify logon prompt.", MODULE_NAME);
_psLogin->iResult = LOGIN_RESULT_UNKNOWN;
setPassResult(_psLogin, psCredSet->pPass);
return FAILURE;
}
else
nState = MSTATE_RUNNING;
break;
case MSTATE_RUNNING:
if (_psSessionData->nMode == MODE_AS400)
nState = tryLoginAS400(hSocket, &_psLogin, _psSessionData, psCredSet->psUser->pUser, psCredSet->pPass);
else
nState = tryLogin(hSocket, &_psLogin, _psSessionData, psCredSet->psUser->pUser, psCredSet->pPass, nFoundPrompt);
if (nState != MSTATE_EXITING)
{
if (processIAClogout(hSocket, _psSessionData) == FAILURE)
{
writeError(ERR_ERROR, "[%s] Failed to close existing Telnet session.", MODULE_NAME);
}
medusaDisconnect(hSocket);
hSocket = -1;
/*
Cisco devices appear to keep sessions open for a brief time after we terminate
the connection. They also seem to ignore "IAC DO LOGOUT" commands. Adding a
sleep() hack here, to give them some time to clean-up.
*/
sleep(1);
if (getNextCredSet(_psLogin, psCredSet) == FAILURE)
{
writeError(ERR_ERROR, "[%s] Error retrieving next credential set to test.", MODULE_NAME);
nState = MSTATE_EXITING;
}
else
{
if (psCredSet->iStatus == CREDENTIAL_DONE)
{
writeError(ERR_DEBUG_MODULE, "[%s] No more available credential sets to test.", MODULE_NAME);
nState = MSTATE_EXITING;
}
else if (psCredSet->iStatus == CREDENTIAL_NEW_USER)
{
writeError(ERR_DEBUG_MODULE, "[%s] Starting testing for new user: %s.", MODULE_NAME, psCredSet->psUser->pUser);
nState = MSTATE_NEW;
}
else
writeError(ERR_DEBUG_MODULE, "[%s] Next credential set - user: %s password: %s", MODULE_NAME, psCredSet->psUser->pUser, psCredSet->pPass);
}
}
break;
case MSTATE_EXITING:
if (hSocket > 0)
medusaDisconnect(hSocket);
hSocket = -1;
nState = MSTATE_COMPLETE;
break;
default:
writeError(ERR_CRITICAL, "Unknown %s module (%d) state %d host: %s", MODULE_NAME, _psLogin->iId, nState, _psLogin->psServer->pHostIP);
_psLogin->iResult = LOGIN_RESULT_UNKNOWN;
}
}
FREE(psCredSet);
return SUCCESS;
}
/* Display module usage information */
void showUsage()
{
writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
writeVerbose(VB_NONE, "Available module options:");
writeVerbose(VB_NONE, " DOMAIN:? [optional]");
#if defined(HAVE_LIBFREERDP12) || defined(HAVE_LIBFREERDP11PTH)
writeVerbose(VB_NONE, " PASS:? (PASSWORD*, HASH)");
writeVerbose(VB_NONE, " PASSWORD: Use normal password.");
writeVerbose(VB_NONE, " HASH: Use a NTLM hash rather than a password.");
#endif
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Usage example: \"-M rdp\"");
#if defined(HAVE_LIBFREERDP12) || defined(HAVE_LIBFREERDP11PTH)
writeVerbose(VB_NONE, "Usage example: \"-M rdp -m PASS:HASH -u Administrator -p 31D78236327B9619B14ED8EC9AB454C1");
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "Note: This module does NOT work against Microsoft Windows 2003/XP and earlier.");
#endif
writeVerbose(VB_NONE, "");
writeVerbose(VB_NONE, "*** There appears to be thread-safety issues within the FreeRDP library and/or this module. ***");
writeVerbose(VB_NONE, "*** It is recommended that you avoid using concurrent hosts/users (i.e., -T/-t).");
writeVerbose(VB_NONE, "");
}
