Ejemplo n.º 1
0
int go(sLogin* logins, int argc, char *argv[])
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "** Module was not properly built. Are the afpfs-ng headers and static library installed correctly? **");
  writeVerbose(VB_NONE, "");
  return FAILURE;
}
Ejemplo n.º 2
0
int go(sLogin* logins, int argc, char *argv[])
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "** Module was not properly built. Is OPENSSL installed correctly? **");
  writeVerbose(VB_NONE, "");
  return FAILURE;
}
Ejemplo n.º 3
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  EHLO:? (optional)");
  writeVerbose(VB_NONE, "    Sets the name sent via the EHLO command.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  Usage example: \"-M smtp-vrfy -m EHLO:g3rg3 -U accounts.txt -p domain.com\"");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 4
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  DIR:? ");
  writeVerbose(VB_NONE, "    Sets target directory name. If left unset, the default is \"/root\"");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  Usage example: \"-M cvs -m DIR:/some_project\"");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 5
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  MODE:? (NORMAL, AS400) [optional]");
  writeVerbose(VB_NONE, "    Sets the mode for error detection.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  Usage example: \"-M telnet -m MODE:AS400 -U accounts.txt -p password\"");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 6
0
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "** Module was not properly built. Are the afpfs-ng headers and static library installed correctly? **");
  writeVerbose(VB_NONE, "");
} 
Ejemplo n.º 7
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
}
Ejemplo n.º 8
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  TAG:? (Default: gerg)");
  writeVerbose(VB_NONE, "  AUTH:? (Authentication Type (LOGIN/PLAIN/NTLM). Default: automatic)");
  writeVerbose(VB_NONE, "  DOMAIN:? [optional]");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Usage example: \"-M imap -m TAG:A0001 -m AUTH:PLAIN");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "The DOMAIN option should supply the specified domain appropriately,");
  writeVerbose(VB_NONE, "regardless of authentication type. The domain can also be supplied ");
  writeVerbose(VB_NONE, "via the username field, but the format appears to differ by auth type.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Example 1: NTLM authentication with DOMAIN option");
  writeVerbose(VB_NONE, "   \"medusa -M imap -m AUTH:NTLM -m DOMAIN:FOODOM -h host -u foo -p bar\"");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Example 2: NTLM authentication with domain via username");
  writeVerbose(VB_NONE, "   \"medusa -M imap -m AUTH:NTLM -h host -u foo@domain -p bar\"");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "* If no domain is specified when using NTLM authentication, the server");
  writeVerbose(VB_NONE, "supplied value will be used.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Example 3: LOGIN authentication with domain via username");
  writeVerbose(VB_NONE, "   \"medusa -M imap -m AUTH:LOGIN -h host -u 'domain\\\\foo' -p bar\"");
}
Ejemplo n.º 9
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  CONTEXT:? ");
  writeVerbose(VB_NONE, "    Sets user context information.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "It should be noted that libncp does not by default automatically specific a user context.");
  writeVerbose(VB_NONE, "If it fails to resolve the name provided it appends the server's context to the username and attempts");
  writeVerbose(VB_NONE, "to resolve that value. It is advised that users specify a context for each account being tested.");
  writeVerbose(VB_NONE, "A global context can be specified using the CONTEXT option. A per-user context can be defined");
  writeVerbose(VB_NONE, "as part of the account name within a file containing usernames or the username passed via the ");
  writeVerbose(VB_NONE, "command-line.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  Usage example: \"-M ncp -m CONTEXT:.OU=administrators.O=foofus -u username\"");
  writeVerbose(VB_NONE, "  Usage example: \"-M ncp -u username.OU=administrators.O=foofus\"");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Libncp, by default, also uses both the NDS and BIND authenticators. Unfortunately, the only");
  writeVerbose(VB_NONE, "error message returned to the module is that of the BIND authenticator. These messages are not");
  writeVerbose(VB_NONE, "as descriptive as NDS and only seem to report success or failure. In order to have more useful");
  writeVerbose(VB_NONE, "messages (account disabled/max logons exceeded/etc.), create a ~/.nwclient or /etc/ncpfs.conf");
  writeVerbose(VB_NONE, "file with the following text:");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  [Requester]");
  writeVerbose(VB_NONE, "  NetWare Protocol = NDS");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 10
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  PASS:?  (PASSWORD*, HASH)");
  writeVerbose(VB_NONE, "    PASSWORD: Use normal password.");
  writeVerbose(VB_NONE, "    HASH:     Use a hash rather than a password. (non-SHA1 hashes only)");
  writeVerbose(VB_NONE, "\n(*) Default value");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Usage examples:");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "1: Normal boring check...");
  writeVerbose(VB_NONE, "    medusa -M mysql -h somehost -u someuser -p somepassword");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "2: Using an old-style MySQL hash...");
  writeVerbose(VB_NONE, "    medusa -M mysql -h somehost -U users.txt -p 39b52a209cf03d62 -m PASS:HASH");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 11
0
int medusaConnectInternal(unsigned long nHost, int nPort, int nProtocol, int nType, int nWaitTime, int nRetries, int nRetryWait,unsigned long nProxyStringIP, int nProxyStringPort, char* szProxyAuthentication, int nSourcePort)
{
  int s, ret = -1;
  int nFail = 0;
  struct sockaddr_in target, source;
  char *buf, *tmpptr = NULL;
  char out[16];
  long flag;
  int nOpt, nSize;
  fd_set myset; 
  struct timeval tv;
  int nUseProxy = nProxyStringIP > 0 ? 1 : 0;

  s = socket(PF_INET, nProtocol, nType);
  if (s >= 0) 
  {
    /* Handle a source port request from a module */
    if ( nSourcePort != 0 ) {
      int bind_ok=0;
       
      source.sin_family = PF_INET;
      source.sin_port = htons(nSourcePort);
      source.sin_addr.s_addr = INADDR_ANY;
  
      /* We will try to find a free port down to 512 */
      while (!bind_ok && nSourcePort >= 512)
      {   
        if (bind(s, (struct sockaddr *)&source, sizeof(source))==-1)
        {
          if (errno == EADDRINUSE)
          {
            writeError(ERR_DEBUG, "Port %d in use trying next lower port.", nSourcePort);
            nSourcePort--;
            source.sin_port = htons(nSourcePort);
          }
          else
          {
            if (errno == EACCES && (getuid() > 0))
            {
              writeError(ERR_ERROR, "Source port for this service requires root privileges.");
              return FAILURE;
            }
          }
        }
        else
          bind_ok=1;
      }
    }
    /* End of source port fun */

    if (nUseProxy > 0)
    {
      target.sin_port = htons(nProxyStringPort);
      memcpy(&target.sin_addr.s_addr, &nProxyStringIP, sizeof(unsigned long));
    }
    else
    {
      target.sin_port = htons(nPort);
      memcpy(&target.sin_addr.s_addr, &nHost, sizeof(unsigned long));
    }
    target.sin_family = AF_INET;

    // Set non-blocking 
    if((flag = fcntl(s, F_GETFL, NULL)) < 0) 
    { 
      writeError(ERR_ERROR, "Error fcntl(..., F_GETFL) (%s)", strerror(errno)); 
      return -1; 
    } 
    flag |= O_NONBLOCK; 
    if(fcntl(s, F_SETFL, flag) < 0) 
    { 
      writeError(ERR_ERROR, "Error fcntl(..., F_SETFL) (%s)", strerror(errno)); 
      return -1; 
    } 
 
    nFail = 0;    
    ret = connect(s, (struct sockaddr*)&target, sizeof(struct sockaddr_in));
    if (errno == EINPROGRESS) 
    { 
      do 
      { 
          if (nFail > 0 && nFail <= nRetries)
          {
            writeError(ERR_ERROR, "Thread %X: Host: %s Cannot connect [unreachable], retrying (%d of %d retries)", (int)pthread_self(), inet_ntop(AF_INET, &target.sin_addr, out, sizeof(out)), nFail, nRetries);
            sleep(nRetryWait);
          }
          else if (nFail > nRetries)
            return -1;
            
          tv.tv_sec = nWaitTime; 
          tv.tv_usec = 0; 
          FD_ZERO(&myset); 
          FD_SET(s, &myset); 
          ret = select(s + 1, NULL, &myset, NULL, &tv); 
          if (ret < 0 && errno != EINTR) 
          { 
            writeError(ERR_ERROR, "Error connecting to host: %s", strerror(errno)); 
            return -1; 
          } 
          else if (ret > 0) 
          { 
            nSize = sizeof(int);
            if (getsockopt(s, SOL_SOCKET, SO_ERROR, (void*)(&nOpt), &nSize) < 0) 
            { 
              writeError(ERR_ERROR, "Error in getsockopt() %s", strerror(errno)); 
              return -1;
            } 
            if (nOpt != 0) 
            { 
              // Socket is not valid - connection failed
              writeVerbose(VB_GENERAL, "Unable to connect (invalid socket): unreachable destination"); 
              return -1; 
            }
            
            // If we get here, the socket should be valid
            ret = 0;
            break; 
          } 
          else 
          { 
            nFail++; 
          } 
      } while (1); 
    }       
    if (ret != 0 || nFail > nRetries)
    {
      writeVerbose(VB_GENERAL, "Unable to connect: unreachable destination");

      ret = -1;
      return ret;
    }

    // Set the socket to be blocking again
    if((flag = fcntl(s, F_GETFL, NULL)) < 0) 
    { 
      writeError(ERR_ERROR, "Error fcntl(..., F_GETFL) (%s)", strerror(errno)); 
      return -1; 
    } 
    flag &= ~O_NONBLOCK; 
    if(fcntl(s, F_SETFL, flag) < 0) 
    { 
      writeError(ERR_ERROR, "Error fcntl(..., F_SETFL) (%s)", strerror(errno)); 
      return -1; 
    } 
    ret = s;

    writeError(ERR_DEBUG, "Connected (internal)");

    if (nUseProxy > 0)
    {
      buf = malloc(4096);
      memset(buf, 0, 4096);
      memset(&target, 0, sizeof(struct sockaddr_in));
      memcpy(&target.sin_addr.s_addr, &nHost, sizeof(unsigned long));
      target.sin_family = AF_INET;

      if (szProxyAuthentication == NULL)
        snprintf(buf, 4095, "CONNECT %s:%d HTTP/1.0\r\n\r\n", inet_ntop(AF_INET, &target.sin_addr, out, sizeof(out)), nPort);
      else
        snprintf(buf, 4095, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", inet_ntop(AF_INET, &target.sin_addr, out, sizeof(out)), nPort,
                 szProxyAuthentication);

      send(s, buf, strlen(buf), 0);
      recv(s, buf, 4096, 0);

      if (strncmp("HTTP/", buf, strlen("HTTP/")) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2')
      {
        writeError(ERR_DEBUG, "Connected (with proxy)");
      }
      else
      {
        //writeError(ERR_DEBUG, "Unable to connect using SSL (Code: %c%c%c)", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
        writeError(ERR_ERROR, "CONNECT call to proxy failed with code %c%c%c", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));

        close(s);
        ret = -1;
        free(buf);

        return ret;
      }
      free(buf);
    }
    nFail = 0;

    return ret;
  }

  return ret;
}
Ejemplo n.º 12
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  TYPE:? (SINGLE, STDIN)");
  writeVerbose(VB_NONE, "    Option sets type of script being called by module. See included sample scripts");
  writeVerbose(VB_NONE, "    for ideas how to use this module.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "    SINGLE: Script expects all user input comes from original command line.");
  writeVerbose(VB_NONE, "    STDIN:  Host and user information passed to script via command line.");
  writeVerbose(VB_NONE, "            Passwords to test are passed via STDIN to script.");
  writeVerbose(VB_NONE, " ");
  writeVerbose(VB_NONE, "  PROG:? ");
  writeVerbose(VB_NONE, "    Option for setting path to executable file.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  ARGS:? ");
  writeVerbose(VB_NONE, "    Option for setting executable parameters. The following substitutions can be used:");
  writeVerbose(VB_NONE, "    %H:  Replaced with target IP address.");
  writeVerbose(VB_NONE, "    %U:  Replaced with username to test.");
  writeVerbose(VB_NONE, "    %P:  Replaced with password to test.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Usage example: \'-M wrapper -m TYPE:SINGLE -m PROG:./foo.pl -m ARGS:\"-h %H -u %U -p %P\"\'");
  writeVerbose(VB_NONE, "Usage example: \'-M wrapper -m TYPE:STDIN  -m PROG:./bar.pl -m ARGS:\"--host %H --user %U\"\'");
}
Ejemplo n.º 13
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, " EHLO:? [optional] ");
  writeVerbose(VB_NONE, "    Specify the EHLO greeting.");
  writeVerbose(VB_NONE, " AUTH:? (Authentication Type (PLAIN/LOGIN/NTLM). Default: automatic)");
  writeVerbose(VB_NONE, "    Module will query service for accepted methods via an \"AUTH\" request.");
  writeVerbose(VB_NONE, "    PLAIN, LOGIN, and NTLM authentication methods are supported.");
  writeVerbose(VB_NONE, "  DOMAIN:? [optional]");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "The DOMAIN option should supply the specified domain appropriately,");
  writeVerbose(VB_NONE, "regardless of authentication type. The domain can also be supplied ");
  writeVerbose(VB_NONE, "via the username field, but the format appears to differ by auth type.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  Usage example: ");
  writeVerbose(VB_NONE, "    \"medusa -M smtp -m AUTH:NTLM -U accounts.txt -p password\"");
  writeVerbose(VB_NONE, "    \"medusa -M smtp -m EHLO:world -U accounts.txt -p password\"");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 14
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  USER-AGENT:?       User-agent value. Default: \"I'm not Mozilla, I'm Ming Mong\".");
  writeVerbose(VB_NONE, "  FORM:?             Target form to request. Default: \"/\"");
  writeVerbose(VB_NONE, "  DENY-SIGNAL:?      Authentication failure message. Attempt flagged as successful if text is not present in");
  writeVerbose(VB_NONE, "                     server response. Default: \"Login incorrect\"");
  writeVerbose(VB_NONE, "  FORM-DATA:<METHOD>?<FIELDS>");
  writeVerbose(VB_NONE, "                     Methods and fields to send to web service. Valid methods are GET and POST. The actual form");
  writeVerbose(VB_NONE, "                     data to be submitted should also be defined here. Specifically, the fields: username and");
  writeVerbose(VB_NONE, "                     password. The username field must be the first, followed by the password field.");
  writeVerbose(VB_NONE, "                     Default: \"post?username=&password=\"");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Usage example: \"-M web-form -m USER-AGENT:\"g3rg3 gerg\" -m FORM:\"webmail/index.php\" -m DENY-SIGNAL:\"deny!\"");
  writeVerbose(VB_NONE, "                 -m FORM-DATA:\"post?user=&pass=&submit=True\"");
}
Ejemplo n.º 15
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Rsh is a service where you either have .rhosts/hosts.equiv access\nfrom the source host or you don't. Passwords really don't matter.\nSo the best way to use this module is with a single dummy password and a\nlist of users you suspect may have .rhosts/hosts.equiv allows for your source.\nGood luck.");
}
Ejemplo n.º 16
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  MODE:? (NORMAL, AS400) [optional]");
  writeVerbose(VB_NONE, "    Sets the mode for error detection.");
  writeVerbose(VB_NONE, " AUTH:? (Authentication Type (USER/PLAIN/LOGIN/NTLM). Default: automatic)");
  writeVerbose(VB_NONE, "    Module will query service for accepted methods via an \"AUTH\" request.");
  writeVerbose(VB_NONE, "    USER (clear-text), SASL PLAIN, SASL LOGIN, and SASL NTLM authentication methods are supported.");
  writeVerbose(VB_NONE, "  DOMAIN:? [optional]");
  writeVerbose(VB_NONE, "    AUTH USER - Appends domain to username (e.g. [email protected]).");
  writeVerbose(VB_NONE, "    AUTH NTLM - Supplies specified domain during NTLM authentication. The default");
  writeVerbose(VB_NONE, "                behaviour is to use the server supplied domain value.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  Usage example: ");
  writeVerbose(VB_NONE, "    \"medusa -M pop3 -m MODE:AS400 -U accounts.txt -p password\"");
  writeVerbose(VB_NONE, "    \"medusa -M pop3 -m DOMAIN:foo.com -U accounts.txt -p password\"");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 17
0
int initModule(_MODULE_DATA *_psSessionData, sLogin* psLogin)
{
  enum MODULE_STATE nState = MSTATE_NEW;
  char *pPass, *szTmp, *szCmdTmp;
  sUser* user = psLogin->psUser;
  int iRet, nCmdLength, nCmdPartLength;

  if (user != NULL) 
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: '******'", MODULE_NAME, psLogin->psServer->pHostIP, user->pUser);
  }
  else 
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s", MODULE_NAME, psLogin->psServer->pHostIP);
  }

  pPass = getNextPass(psLogin->psServer->psAudit, user);
  if (pPass == NULL)
  {
    writeVerbose(VB_GENERAL, "[%s] out of passwords for user '%s' at host '%s', bailing", MODULE_NAME, user->pUser, psLogin->psServer->pHostIP);
  }

  while(NULL != pPass)
  {  
    switch(nState)
    {
      case MSTATE_NEW:
        /* perform parameter substitution -- this is messy... */
        writeError(ERR_DEBUG_MODULE, "User-supplied parameters: %s", _psSessionData->szCmdParam);

        /* --host %H --user %U --pass %P */
        if (_psSessionData->nType == TYPE_SINGLE)
        {
          nCmdLength = strlen(_psSessionData->szCmdParam);
          nCmdLength -= 6;
          nCmdLength += strlen(psLogin->psServer->pHostIP);
          nCmdLength += strlen(user->pUser);
          nCmdLength += strlen(pPass);
        }
        /* --host %H --user %U */
        else
        {
          nCmdLength = strlen(_psSessionData->szCmdParam);
          nCmdLength -= 4;
          nCmdLength += strlen(psLogin->psServer->pHostIP);
          nCmdLength += strlen(user->pUser);
        }
        
        _psSessionData->szCmdParamFull = malloc(nCmdLength + 1);
        memset(_psSessionData->szCmdParamFull, 0, nCmdLength + 1);
        szCmdTmp = malloc(nCmdLength + 1);
        memset(szCmdTmp, 0, nCmdLength + 1);
       
        if (szTmp = strstr(_psSessionData->szCmdParam, "%H"))
        {
          nCmdPartLength = (int) szTmp - (int) _psSessionData->szCmdParam;
          writeError(ERR_DEBUG_MODULE, "Processing \%H... Copying (%d) parameter characters.", nCmdPartLength);
          strncpy(szCmdTmp, _psSessionData->szCmdParam, nCmdPartLength); 
          strncpy(szCmdTmp + nCmdPartLength, psLogin->psServer->pHostIP, strlen(psLogin->psServer->pHostIP)); 
          strncpy(szCmdTmp + nCmdPartLength + strlen(psLogin->psServer->pHostIP), szTmp + 2, strlen(szTmp) - 2);
        }
        else
        {
          writeError(ERR_ERROR, "Invalid command parameter format. Missing %H format.");            
          psLogin->iResult = LOGIN_RESULT_UNKNOWN;
          psLogin->iStatus = LOGIN_FAILED;
          FREE(szCmdTmp);
          nState = MSTATE_EXITING;
          break;
        }
        
        writeError(ERR_DEBUG_MODULE, "Parameters (pass 1): %s", szCmdTmp);
        
        if (szTmp = strstr(szCmdTmp, "%U"))
        {
          nCmdPartLength = (int) szTmp - (int) szCmdTmp;
          writeError(ERR_DEBUG_MODULE, "Processing \%U... Copying (%d) parameter characters.", nCmdPartLength);
          strncpy(_psSessionData->szCmdParamFull, szCmdTmp, nCmdPartLength); 
          strncpy(_psSessionData->szCmdParamFull + nCmdPartLength, user->pUser, strlen(user->pUser)); 
          strncpy(_psSessionData->szCmdParamFull + nCmdPartLength + strlen(user->pUser), szTmp + 2, strlen(szTmp) - 2); 
        }
Ejemplo n.º 18
0
int initModule(sLogin* psLogin, _MODULE_DATA *_psSessionData)
{
  int hSocket = -1;
  enum MODULE_STATE nState = MSTATE_NEW;
  char* bufReceive;
  int nReceiveBufferSize = 0, nFirstPass = 0, nFoundPrompt = 0;
  int i = 0;
  char *pPass;
  sUser* user = psLogin->psUser;
  sConnectParams params;

  memset(&params, 0, sizeof(sConnectParams));
  params.nPort = PORT_SMTP;
  initConnectionParams(psLogin, &params);

  if (user != NULL) 
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: '******'", MODULE_NAME, psLogin->psServer->pHostIP, user->pUser);
  }
  else 
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s", MODULE_NAME, psLogin->psServer->pHostIP);
  }

  pPass = getNextPass(psLogin->psServer->psAudit, user);
  if (pPass == NULL)
  {
    writeVerbose(VB_GENERAL, "[%s] out of passwords for user '%s' at host '%s', bailing", MODULE_NAME, user->pUser, psLogin->psServer->pHostIP);
  }

  if (_psSessionData->szEHLO == NULL)
  {
    _psSessionData->szEHLO = malloc(7);
    memset(_psSessionData->szEHLO, 0, 7);
    sprintf(_psSessionData->szEHLO, "MEDUSA");
  }

  writeError(ERR_DEBUG, "[%s] Set EHLO value: %s", MODULE_NAME, _psSessionData->szEHLO);

  while(NULL != pPass)
  {  
    switch(nState)
    {
      case MSTATE_NEW:
        if (hSocket > 0)
          medusaDisconnect(hSocket);

        if (psLogin->psServer->psHost->iUseSSL > 0)
          hSocket = medusaConnectSSL(&params);
        else
          hSocket = medusaConnect(&params);

        if (hSocket < 0) 
        {
          writeError(ERR_NOTICE, "%s: failed to connect, port %d was not open on %s", MODULE_NAME, params.nPort, psLogin->psServer->pHostIP);
          psLogin->iResult = LOGIN_RESULT_UNKNOWN;
          psLogin->iStatus = LOGIN_FAILED;
          return FAILURE;
        }

        writeError(ERR_DEBUG_MODULE, "Connected");
        
        /* send EHLO */
        writeError(ERR_DEBUG_MODULE, "[%s] Sending EHLO command.", MODULE_NAME);
        if (sayEHLO(hSocket, _psSessionData) == SUCCESS)
          nState = MSTATE_RUNNING;
        else  
          nState = MSTATE_EXITING;

        break;
      case MSTATE_RUNNING:
        nState = tryLogin(hSocket, &psLogin, _psSessionData, pPass, user->pUser);
        if (psLogin->iResult != LOGIN_RESULT_UNKNOWN)
          pPass = getNextPass(psLogin->psServer->psAudit, user);
        break;
      case MSTATE_EXITING:
        sayQUIT(hSocket);
        if (hSocket > 0)
          medusaDisconnect(hSocket);
        hSocket = -1;
        pPass = NULL;
        break;
      default:
        writeError(ERR_CRITICAL, "Unknown %s module state %d", MODULE_NAME, nState);
        if (hSocket > 0)
          medusaDisconnect(hSocket);
        hSocket = -1;
        psLogin->iResult = LOGIN_RESULT_UNKNOWN;
        psLogin->iStatus = LOGIN_FAILED;
        return FAILURE;
    }  
  }

  psLogin->iStatus = LOGIN_DONE;
  return SUCCESS;
}
Ejemplo n.º 19
0
int initModule(sLogin* psLogin)
{
  int hSocket = -1;
  enum MODULE_STATE nState = MSTATE_NEW;
  char* bufReceive;
  int nReceiveBufferSize = 0, nFirstPass = 0, nFoundPrompt = 0;
  int i = 0;
  char *pPass;
  sUser* user = psLogin->psUser;
  sConnectParams params;

  memset(&params, 0, sizeof(sConnectParams));
  if (psLogin->psServer->psAudit->iPortOverride > 0)
    params.nPort = psLogin->psServer->psAudit->iPortOverride;
  else if (psLogin->psServer->psHost->iUseSSL > 0)
    writeError(ERR_DEBUG_MODULE, "[%s] module asked for RLOGIN/SSL. Don't know if such a thing exists...\n");
  else
    params.nPort = PORT_RLOGIN;
  params.nSourcePort = 1023;
  initConnectionParams(psLogin, &params);

  if (user != NULL) 
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: '******'", MODULE_NAME, psLogin->psServer->pHostIP, user->pUser);
  }
  else 
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s", MODULE_NAME, psLogin->psServer->pHostIP);
  }

  pPass = getNextPass(psLogin->psServer->psAudit, user);
  if (pPass == NULL)
  {
    writeVerbose(VB_GENERAL, "[%s] out of passwords for user '%s' at host '%s', bailing", MODULE_NAME, user->pUser, psLogin->psServer->pHostIP);
  }

  while(NULL != pPass)
  {  
    switch(nState)
    {
      case MSTATE_NEW:
        // Already have an open socket - close it
        if (hSocket > 0)
          medusaDisconnect(hSocket);

        if (psLogin->psServer->psHost->iUseSSL > 0)
          hSocket = medusaConnectSSL(&params);
        else
          hSocket = medusaConnect(&params);
        
        if (hSocket < 0) 
        {
          writeError(ERR_NOTICE, "%s: failed to connect, port %d was not open on %s", MODULE_NAME, params.nPort, psLogin->psServer->pHostIP);
          psLogin->iResult = LOGIN_RESULT_UNKNOWN;
          psLogin->iStatus = LOGIN_FAILED;
          return FAILURE;
        }

        writeError(ERR_DEBUG_MODULE, "Connected");
        nState = MSTATE_RUNNING;
        break;
      case MSTATE_RUNNING:
        nState = tryLogin(hSocket, &psLogin, user->pUser, pPass);
        if (psLogin->iResult != LOGIN_RESULT_UNKNOWN)
          pPass = getNextPass(psLogin->psServer->psAudit, user);
        break;
      case MSTATE_EXITING:
        if (hSocket > 0)
          medusaDisconnect(hSocket);
        hSocket = -1;
        pPass = NULL;
        break;
      default:
        writeError(ERR_CRITICAL, "Unknown %s module state %d", MODULE_NAME, nState);
        if (hSocket > 0)
          medusaDisconnect(hSocket);
        hSocket = -1;
        psLogin->iResult = LOGIN_RESULT_UNKNOWN;
        psLogin->iStatus = LOGIN_FAILED;
        return FAILURE;
    }  
  }
 
  psLogin->iStatus = LOGIN_DONE;
  return SUCCESS;
}
Ejemplo n.º 20
0
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "** Module was not properly built. Is OPENSSL installed correctly? **");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 21
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "MODE:? (NORMAL*, EXPLICIT, IMPLICIT)");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  EXPLICIT: AUTH TLS Mode as defined in RFC 4217");
  writeVerbose(VB_NONE, "     Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to");
  writeVerbose(VB_NONE, "     sending any credentials, however, an \"AUTH TLS\" command is issued and a");
  writeVerbose(VB_NONE, "     SSL session is negotiated.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  IMPLICIT: FTP over SSL (990/tcp)");
  writeVerbose(VB_NONE, "     Implicit FTPS requires a SSL handshake to be performed before any FTP");
  writeVerbose(VB_NONE, "     commands are sent. This service typically resides on tcp/990. If the user");
  writeVerbose(VB_NONE, "     specifies this option or uses the \"-n\" (SSL) option, the module will");
  writeVerbose(VB_NONE, "     default to this mode and tcp/990.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "  NORMAL");
  writeVerbose(VB_NONE, "     The default behaviour if no MODE is specified. Authentication is attempted");
  writeVerbose(VB_NONE, "     in the clear. If the server requests encryption for the given user,");
  writeVerbose(VB_NONE, "     Explicit FTPS is utilized.");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Example Usage:");
  writeVerbose(VB_NONE, "    medusa -M ftp -h host -u username -p password");
  writeVerbose(VB_NONE, "    medusa -M ftp -s -h host -u username -p password");
  writeVerbose(VB_NONE, "    medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "(*) Default value");
  writeVerbose(VB_NONE, "");
}
Ejemplo n.º 22
0
int initModule(sLogin* _psLogin, _MODULE_DATA *_psSessionData)
{
  int hSocket = -1;
  enum MODULE_STATE nState = MSTATE_NEW;
  char* bufReceive;
  int nReceiveBufferSize = 0, nFoundPrompt = PROMPT_UNKNOWN;
  int i = 0;
  sCredentialSet *psCredSet = NULL;
  sConnectParams params;

  psCredSet = malloc( sizeof(sCredentialSet) );
  memset(psCredSet, 0, sizeof(sCredentialSet));

  if (getNextCredSet(_psLogin, psCredSet) == FAILURE)
  {
    writeError(ERR_ERROR, "[%s] Error retrieving next credential set to test.", MODULE_NAME);
    nState = MSTATE_COMPLETE;
  }
  else if (psCredSet->psUser)
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s user: %s", MODULE_NAME, _psLogin->psServer->pHostIP, psCredSet->psUser->pUser);
  }
  else
  {
    writeError(ERR_DEBUG_MODULE, "[%s] module started for host: %s - no more available users to test.", MODULE_NAME);
    nState = MSTATE_COMPLETE;
  }

  memset(&params, 0, sizeof(sConnectParams));
  if (_psLogin->psServer->psAudit->iPortOverride > 0)
    params.nPort = _psLogin->psServer->psAudit->iPortOverride;
  else if (_psLogin->psServer->psHost->iUseSSL > 0)
    params.nPort = PORT_TELNETS;
  else
    params.nPort = PORT_TELNET;
  initConnectionParams(_psLogin, &params);

  while (nState != MSTATE_COMPLETE)
  {
    switch (nState)
    {
    case MSTATE_NEW:
      // Already have an open socket - close it
      if (hSocket > 0)
        medusaDisconnect(hSocket);

      if (_psLogin->psServer->psHost->iUseSSL > 0)
        hSocket = medusaConnectSSL(&params);
      else 
        hSocket = medusaConnect(&params);
      
      if (hSocket <= 0)
      {
        writeError(ERR_ERROR, "[%s] Failed to connect, port %d was not open on %s", MODULE_NAME, params.nPort, _psLogin->psServer->pHostIP);
        _psLogin->iResult = LOGIN_RESULT_UNKNOWN;
        setPassResult(_psLogin, psCredSet->pPass);
        return FAILURE;
      }

      writeError(ERR_DEBUG_MODULE, "Connected");

      // Examine the first line returned
      nReceiveBufferSize = 0;
      bufReceive = medusaReceiveLineDelay(hSocket, &nReceiveBufferSize, RECEIVE_DELAY_1, RECEIVE_DELAY_2);
      if (bufReceive == NULL)
        return FAILURE;

      bufReceive[nReceiveBufferSize] = 0;  // Make certain buffer is null-terminated

      if (bufReceive == NULL)
      {
        writeError(ERR_ERROR, "[%s] null response was unexpected from a telnet server (is one running?)", MODULE_NAME);
        _psLogin->iResult = LOGIN_RESULT_UNKNOWN;
        setPassResult(_psLogin, psCredSet->pPass);
        return FAILURE;
      }

      // Telnet protocol negotiation
      do
      {
        nFoundPrompt = PROMPT_UNKNOWN;
        processIAC(hSocket, _psSessionData, &bufReceive, &nReceiveBufferSize);

        if (bufReceive != NULL && bufReceive[0] != 0 && (unsigned char)bufReceive[0] != IAC)
          makeToLower(bufReceive);

        if (bufReceive != NULL)
        {
          writeError(ERR_DEBUG_MODULE, "Looking for login prompts");

          if (_psSessionData->nMode == MODE_AS400)
          {
            if (strcasestr(bufReceive, (char *)"Sign On") != '\0')
            {
              writeError(ERR_INFO, "[%s] Detected AS/400 Sign On Screen.", MODULE_NAME);
              nFoundPrompt = PROMPT_LOGIN_PASSWORD;
              
              FREE(bufReceive);
              if (medusaDataReadyTimed(hSocket, 0, 20000) > 0)
              {
                // More data waiting
                bufReceive = medusaReceiveLineDelay(hSocket, &nReceiveBufferSize, RECEIVE_DELAY_1, RECEIVE_DELAY_2);
                if (bufReceive != NULL)
                  bufReceive[nReceiveBufferSize] = 0;  // Make certain buffer is null-terminated
              }
 
              break;
            }

            /*
            Sign On
            System  . . . . . :   TSTDBS16
            Subsystem . . . . :   QINTER
            Display . . . . . :   QPADEV0001
            */
          }
          else
          {
            // Look for known login prompts
            for (i = 0; i < KNOWN_LOGIN_SIZE; i++)
            {
              if (strcasestr(bufReceive, KNOWN_LOGIN_PROMPTS[i]) != '\0')
              {
                // Do we have a prompt?
                writeError(ERR_DEBUG_MODULE, "Found login prompt...");
                nFoundPrompt = PROMPT_LOGIN_PASSWORD;
                break;
              }
            }
          
            /* Some systems do not provide a login prompt and go right to password */
            for (i = 0; i < KNOWN_PWD_SIZE; i++)
            {
              if (strcasestr(bufReceive, KNOWN_PWD_PROMPTS[i]) != '\0')
              {
                // Do we have a prompt?
                writeError(ERR_DEBUG_MODULE, "Found a password prompt already...");
                nFoundPrompt = PROMPT_PASSWORD;
                
                if (_psLogin->psServer->iLoginsDone < 1 && _psLogin->iId == 0)
                  writeVerbose(VB_NONE_FILE, "Password Prompt Only: %s\n", _psLogin->psServer->pHostIP);
                
                break;
              }
            }
          
            if (nFoundPrompt == PROMPT_UNKNOWN)
            {
              FREE(bufReceive);
              if (medusaDataReadyTimed(hSocket, 0, 20000) > 0)
              {
                // More data waiting
                bufReceive = medusaReceiveLineDelay(hSocket, &nReceiveBufferSize, RECEIVE_DELAY_1, RECEIVE_DELAY_2);
                if (bufReceive != NULL)
                  bufReceive[nReceiveBufferSize] = 0;  // Make certain buffer is null-terminated
              } 
            }
          }
        }
      }
      while (bufReceive != NULL && (unsigned char)bufReceive[0] == IAC && nFoundPrompt == PROMPT_UNKNOWN);

      FREE(bufReceive);

      if (nFoundPrompt == PROMPT_UNKNOWN)
      {
        writeError(ERR_ERROR, "[%s] Failed to identify logon prompt.", MODULE_NAME); 
        _psLogin->iResult = LOGIN_RESULT_UNKNOWN;
        setPassResult(_psLogin, psCredSet->pPass);
        return FAILURE;
      }
      else
        nState = MSTATE_RUNNING;
      
      break;

    case MSTATE_RUNNING:
      if (_psSessionData->nMode == MODE_AS400)
        nState = tryLoginAS400(hSocket, &_psLogin, _psSessionData, psCredSet->psUser->pUser, psCredSet->pPass);
      else
        nState = tryLogin(hSocket, &_psLogin, _psSessionData, psCredSet->psUser->pUser, psCredSet->pPass, nFoundPrompt);
      
      if (nState != MSTATE_EXITING)
      {
        if (processIAClogout(hSocket, _psSessionData) == FAILURE)
        {
          writeError(ERR_ERROR, "[%s] Failed to close existing Telnet session.", MODULE_NAME);
        }
        medusaDisconnect(hSocket);
        hSocket = -1;
        
        /*
          Cisco devices appear to keep sessions open for a brief time after we terminate 
          the connection. They also seem to ignore "IAC DO LOGOUT" commands. Adding a 
          sleep() hack here, to give them some time to clean-up. 
        */
        sleep(1);

        if (getNextCredSet(_psLogin, psCredSet) == FAILURE)
        {
          writeError(ERR_ERROR, "[%s] Error retrieving next credential set to test.", MODULE_NAME);
          nState = MSTATE_EXITING;
        }
        else
        {
          if (psCredSet->iStatus == CREDENTIAL_DONE)
          {
            writeError(ERR_DEBUG_MODULE, "[%s] No more available credential sets to test.", MODULE_NAME);
            nState = MSTATE_EXITING;
          }
          else if (psCredSet->iStatus == CREDENTIAL_NEW_USER)
          {
            writeError(ERR_DEBUG_MODULE, "[%s] Starting testing for new user: %s.", MODULE_NAME, psCredSet->psUser->pUser);
            nState = MSTATE_NEW;
          }
          else
            writeError(ERR_DEBUG_MODULE, "[%s] Next credential set - user: %s password: %s", MODULE_NAME, psCredSet->psUser->pUser, psCredSet->pPass);
        }
      }
      break;
    case MSTATE_EXITING:
      if (hSocket > 0)
        medusaDisconnect(hSocket);
      hSocket = -1;
      nState = MSTATE_COMPLETE;
      break;
    default:
      writeError(ERR_CRITICAL, "Unknown %s module (%d) state %d host: %s", MODULE_NAME, _psLogin->iId, nState, _psLogin->psServer->pHostIP);
      _psLogin->iResult = LOGIN_RESULT_UNKNOWN;
    }
  }

  FREE(psCredSet);
  return SUCCESS;
}
Ejemplo n.º 23
0
/* Display module usage information */
void showUsage()
{
  writeVerbose(VB_NONE, "%s (%s) %s :: %s\n", MODULE_NAME, MODULE_VERSION, MODULE_AUTHOR, MODULE_SUMMARY_USAGE);
  writeVerbose(VB_NONE, "Available module options:");
  writeVerbose(VB_NONE, "  DOMAIN:? [optional]");
#if defined(HAVE_LIBFREERDP12) || defined(HAVE_LIBFREERDP11PTH)
  writeVerbose(VB_NONE, "  PASS:?  (PASSWORD*, HASH)");
  writeVerbose(VB_NONE, "    PASSWORD: Use normal password.");
  writeVerbose(VB_NONE, "    HASH:     Use a NTLM hash rather than a password.");
#endif
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Usage example: \"-M rdp\"");
#if defined(HAVE_LIBFREERDP12) || defined(HAVE_LIBFREERDP11PTH)
  writeVerbose(VB_NONE, "Usage example: \"-M rdp -m PASS:HASH -u Administrator -p 31D78236327B9619B14ED8EC9AB454C1");
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "Note: This module does NOT work against Microsoft Windows 2003/XP and earlier.");
#endif
  writeVerbose(VB_NONE, "");
  writeVerbose(VB_NONE, "*** There appears to be thread-safety issues within the FreeRDP library and/or this module. ***");
  writeVerbose(VB_NONE, "*** It is recommended that you avoid using concurrent hosts/users (i.e., -T/-t).");
  writeVerbose(VB_NONE, "");
}