// // dirty workaround here: miscptr is the ptr to the logins, and the first one is used // to test if password authentication is enabled!! // int service_ssh_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // 1 skip target without generating an error // 2 skip target because of protocol problems // 3 skip target because its unreachable #ifdef LIBSSH int rc, method; ssh_session session = ssh_new(); if (verbose || debug) printf("[INFO] Testing if password authentication is supported by ssh://%s:%d\n", hydra_address2string(ip), port); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); if (miscptr == NULL) ssh_options_set(session, SSH_OPTIONS_USER, "hydra"); else ssh_options_set(session, SSH_OPTIONS_USER, miscptr); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string(ip), port, ssh_get_error(session)); return 2; } rc = ssh_userauth_none(session, NULL); method = ssh_userauth_list(session, NULL); ssh_disconnect(session); ssh_finalize(); ssh_free(session); if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) { if (verbose || debug) printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string(ip), port); return 0; } fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication.\n", hydra_address2string(ip), port); return 1; #else return 0; #endif }
int start_firebird(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char database[256]; char connection_string[1024]; isc_db_handle db; /* database handle */ ISC_STATUS_ARRAY status; /* status vector */ char *dpb = NULL; /* DB parameter buffer */ short dpb_length = 0; if (miscptr) strncpy(database, miscptr, sizeof(database)); else strncpy(database, DEFAULT_DB, sizeof(database)); if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; dpb_length = (short) (1 + strlen(login) + 2 + strlen(pass) + 2); if ((dpb = (char *) malloc(dpb_length)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } /* Add user and password to dpb */ *dpb = isc_dpb_version1; dpb_length = 1; isc_modify_dpb(&dpb, &dpb_length, isc_dpb_user_name, login, strlen(login)); isc_modify_dpb(&dpb, &dpb_length, isc_dpb_password, pass, strlen(pass)); /* Create connection string */ snprintf(connection_string, sizeof(connection_string), "%s:%s", hydra_address2string(ip), database); if (isc_attach_database(status, 0, connection_string, &db, dpb_length, dpb)) { /* for debugging perpose */ if (verbose) { hydra_report(stderr, "[VERBOSE] "); isc_print_status(status); } isc_free(dpb); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; } else { isc_detach_database(status, &db); isc_free(dpb); hydra_report_found_host(port, ip, "firebird", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } return 1; }
int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, mlogin[AFP_MAX_USERNAME_LEN], mpass[AFP_MAX_PASSWORD_LEN]; struct afp_url tmpurl; /* Build AFP authentication request */ libafpclient_register(&afpclient); afp_main_quick_startup(NULL); init_uams(); afp_default_url(&tmpurl); if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; strncpy(tmpurl.servername, hydra_address2string(ip), AFP_SERVER_NAME_LEN - 1); tmpurl.servername[AFP_SERVER_NAME_LEN] = 0; strncpy(mlogin, login, AFP_MAX_USERNAME_LEN - 1); mlogin[AFP_MAX_USERNAME_LEN - 1] = 0; strncpy(mpass, pass, AFP_MAX_PASSWORD_LEN - 1); mpass[AFP_MAX_PASSWORD_LEN - 1] = 0; memcpy(&tmpurl.username, mlogin, AFP_MAX_USERNAME_LEN); memcpy(&tmpurl.password, mpass, AFP_MAX_PASSWORD_LEN); if (server_subconnect(tmpurl) == 0) { hydra_report_found_host(port, ip, "afp", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } else { hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; } return 1; }
int start_sshkey(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *key, keep_login[300]; int auth_state = 0, rc = 0, i = 0; ssh_private_key privkey; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(key = hydra_get_next_password()) == 0) key = empty; if (new_session) { if (session) { ssh_disconnect(session); ssh_finalize(); ssh_free(session); } session = ssh_new(); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); ssh_options_set(session, SSH_OPTIONS_USER, login); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { //if the connection was drop, exit and let hydra main handle it if (verbose) hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port); return 3; } if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) { return 3; } else if (rc == SSH_AUTH_SUCCESS) { hydra_report_found_host(port, ip, "sshkey", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; else return 1; } } else new_session = 1; auth_state = ssh_auth_list(session); if ((auth_state & SSH_AUTH_METHOD_PUBLICKEY) > 0) { privkey = privatekey_from_file(session, key, 0, NULL); if (!privkey) { hydra_report(stderr, "[ERROR] skipping invalid private key: \"%s\"\n", key); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } auth_state = ssh_userauth_pubkey(session, NULL, NULL, privkey); } else { return 4; } if (auth_state == SSH_AUTH_ERROR) { new_session = 1; return 1; } if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) { hydra_report_found_host(port, ip, "sshkey", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { strncpy(keep_login, login, sizeof(keep_login) - 1); keep_login[sizeof(keep_login) - 1] = '\0'; hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; login = hydra_get_next_login(); if (strcmp(login, keep_login) == 0) new_session = 0; return 1; } /* not reached */ return 1; }
int start_postgres(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char database[256]; char connection_string[1024]; PGconn *pgconn; if (miscptr) strncpy(database, miscptr, sizeof(database)); else strncpy(database, DEFAULT_DB, sizeof(database)); if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; /* * Building the connection string */ snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '******' password = '******' ", hydra_address2string(ip), database, login, pass); if (verbose) hydra_report(stderr, "connection string: %s\n", connection_string); pgconn = PQconnectdb(connection_string); if (PQstatus(pgconn) == CONNECTION_OK) { PQfinish(pgconn); hydra_report_found_host(port, ip, "postgres", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } else { PQfinish(pgconn); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; } return 1; }
/* int analyze_server_response(int socket) return 0 or 1 when the cond regex is matched return -1 if no response from server */ int analyze_server_response(int s) { int runs = 0; while ((buf = hydra_receive_line(s)) != NULL) { runs++; //check for http redirection if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) { redirected_flag = 1; } else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) { auth_flag = 1; } else if ((strstr(buf, "HTTP/1.1 403") != NULL) || (strstr(buf, "HTTP/1.1 404") != NULL) || (strstr(buf, "HTTP/1.0 403") != NULL) || (strstr(buf, "HTTP/1.0 404") != NULL)) { return 0; } if (hydra_strcasestr(buf, "Location: ") != NULL) { char *startloc, *endloc; char str[2048]; startloc = hydra_strcasestr(buf, "Location: ") + strlen("Location: "); strncpy(str, startloc, sizeof(str) - 1); str[sizeof(str) - 1] = 0; endloc = strchr(str, '\n'); if (endloc != NULL) *endloc = 0; endloc = strchr(str, '\r'); if (endloc != NULL) *endloc = 0; strcpy(redirected_url_buff, str); } //there can be multiple cookies if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) { char *cookiebuf = buf; do { char *startcookie, *endcookie1, *endcookie2; char str[1024], tmpcookie[4096] = "", tmpname[128] = "", *ptr, *ptr2; memset(str, 0, sizeof(str)); startcookie = hydra_strcasestr(cookiebuf, "Set-Cookie: ") + strlen("Set-Cookie: "); strncpy(str, startcookie, sizeof(str) - 1); str[sizeof(str) - 1] = 0; endcookie1 = strchr(str, '\n'); endcookie2 = strchr(str, ';'); //terminate string after cookie data if (endcookie1 != NULL && endcookie1 < endcookie2) *endcookie1 = 0; else if (endcookie2 != NULL) *endcookie2 = 0; // is the cookie already there? if yes, remove it! if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) { strncpy(tmpname, startcookie, sizeof(tmpname) - 2); tmpname[sizeof(tmpname) - 2] = 0; ptr = index(tmpname, '='); *(++ptr) = 0; // is the cookie already in the cookiejar? (so, does it have to be replaced?) if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) { // yes it is. // if the cookie is not in the beginning of the cookiejar, copy the ones before if (ptr != cookie && *(ptr - 1) == ' ') { strncpy(tmpcookie, cookie, ptr - cookie - 2); tmpcookie[ptr - cookie - 2] = 0; } ptr += strlen(tmpname); // if there are any cookies after this one in the cookiejar, copy them over if ((ptr2 = strstr(ptr, "; ")) != NULL) { ptr2 += 2; strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1); } if (debug) printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie); strcpy(cookie, tmpcookie); } } ptr = index(str, '='); // only copy the cookie if it has a value (otherwise the server wants to delete the cookie if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') { if (strlen(cookie) > 0) strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1); strncat(cookie, str, sizeof(cookie) - strlen(cookie) - 1); } cookiebuf = startcookie; } while (hydra_strcasestr(cookiebuf, "Set-Cookie: ") != NULL); } #ifdef HAVE_PCRE if (hydra_string_match(buf, cond) == 1) { #else if (strstr(buf, cond) != NULL) { #endif free(buf); // printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf); return 1; } // else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf); free(buf); } if (runs == 0) { if (debug) hydra_report(stderr, "DEBUG: no response from server\n"); return -1; } return 0; } void hydra_reconnect(int s, char *ip, int port, unsigned char options) { if (s >= 0) s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port); } } int start_http_form(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) { char *empty = ""; char *login, *pass, buffer[9000]; char header[8096], *upd3variables; int found = !success_cond, i, j; memset(header, 0, sizeof(header)); cookie[0] = 0; // reset cookies from potential previous attempt if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; upd3variables = strrep(variables, "^PASS^", pass); upd3variables = strrep(upd3variables, "^USER^", login); /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) { // proxy with authentication if (getcookie) { //doing a GET to save cookies sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla 5.0 (Hydra Proxy Auth)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, proxy_authentication, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } i = analyze_server_response(s); // return value ignored if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } hydra_reconnect(s, ip, port, options); } if (strcmp(type, "POST") == 0) { sprintf(buffer, "POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s", webtarget, webport, url, webtarget, proxy_authentication, (int) strlen(upd3variables), header, userheader, upd3variables); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } else { sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, proxy_authentication, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } } else { if (use_proxy == 1) { // proxy without authentication if (getcookie) { //doing a GET to get cookies sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } i = analyze_server_response(s); // ignore result if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } hydra_reconnect(s, ip, port, options); } if (strcmp(type, "POST") == 0) { sprintf(buffer, "POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s", webtarget, webport, url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } else { sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } } else { // direct web server, no proxy if (getcookie) { //doing a GET to save cookies sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s\r\n", cookieurl, webtarget, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } i = analyze_server_response(s); // ignore result if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } hydra_reconnect(s, ip, port, options); } if (strcmp(type, "POST") == 0) { sprintf(buffer, "POST %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s", url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } else { sprintf(buffer, "GET %.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", url, upd3variables, webtarget, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } } } found = analyze_server_response(s); if (auth_flag) { // we received a 401 error - user using wrong module hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n", (options & OPTION_SSL) > 0 ? "s" : ""); return 4; } if (strlen(cookie) > 0) { sprintf(header, "Cookie: %.1000s\r\n", cookie); } //if page was redirected, follow the location header redirected_cpt = MAX_REDIRECT; if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff); while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { //we have to split the location char *startloc, *endloc; char str[2048]; char str2[2048]; char str3[2048]; redirected_cpt--; redirected_flag = 0; //check if the redirect page contains the fail/success condition #ifdef HAVE_PCRE if (hydra_string_match(redirected_url_buff, cond) == 1) { #else if (strstr(redirected_url_buff, cond) != NULL) { #endif found = success_cond; } else { //location could be either absolute http(s):// or / something //or relative startloc = strstr(redirected_url_buff, "://"); if (startloc != NULL) { startloc += strlen("://"); if ((endloc=strchr(startloc, '\r')) != NULL) { startloc[endloc - startloc] = 0; } if ((endloc=strchr(startloc, '\n')) != NULL) { startloc[endloc - startloc] = 0; } strcpy(str, startloc); endloc = strchr(str, '/'); if (endloc != NULL) { strncpy(str2, str, endloc - str); str2[endloc - str] = 0; } else strncpy(str2, str, sizeof(str)); if (strlen(str) - strlen(str2) == 0) { strcpy(str3, "/"); } else { strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2) - 1); str3[strlen(str) - strlen(str2) - 1] = 0; } } else { strncpy(str2, webtarget, sizeof(str2)); if (redirected_url_buff[0] != '/') { //it's a relative path, so we have to concatenate it //with the path from the first url given char *urlpath; char urlpath_extracted[2048]; memset(urlpath_extracted, 0, sizeof(urlpath_extracted)); urlpath=strrchr(url, '/'); if (urlpath != NULL) { strncpy(urlpath_extracted, url, urlpath-url); sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff); } else { sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff); } } else strncpy(str3, redirected_url_buff, sizeof(str3)); if (debug) hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3,url); } if (str3[0] != '/') { j = strlen(str3); str3[j + 1] = 0; for (i = j; i > 0; i--) str3[i] = str3[i - 1]; str3[0] = '/'; } if (verbose) hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3); //re-use the code above to check for proxy use if (use_proxy == 1 && proxy_authentication != NULL) { // proxy with authentication sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, proxy_authentication, header); } else { if (use_proxy == 1) { // proxy without authentication sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, header); } else { //direct web server, no proxy sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", str3, str2, header); } } hydra_reconnect(s, ip, port, options); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } found = analyze_server_response(s); if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } } } //if the last status is still 3xx, set it as a false if (found != -1 && found == success_cond && redirected_flag == 0 && redirected_cpt >= 0) { hydra_report_found_host(port, ip, "www-form", fp); hydra_completed_pair_found(); } else { hydra_completed_pair(); } return 1; } void service_http_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) { int run = 1, next_run = 1, sock = -1; int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; char *ptr, *ptr2; hydra_register_socket(sp); if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) { webtarget += strlen("://"); if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ *ptr2 = 0; ptr2++; ptr = ptr2; if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL) miscptr = ptr; else miscptr = slash; /* to make things easier to user */ } else if ((ptr2 = index(webtarget, '/')) != NULL) { if (freemischttpform == 0) { freemischttpform = 1; miscptr = malloc(strlen(ptr2) + 1); strcpy(miscptr, ptr2); *ptr2 = 0; } } else webtarget = NULL; } if (cmdlinetarget != NULL && webtarget == NULL) webtarget = cmdlinetarget; else if (webtarget == NULL && cmdlinetarget == NULL) webtarget = hydra_address2string(ip); if (port != 0) webport = port; else if ((options & OPTION_SSL) == 0) webport = myport; else webport = mysslport; sprintf(bufferurl, "%.1000s", miscptr); url = strtok(bufferurl, ":"); variables = strtok(NULL, ":"); cond = strtok(NULL, ":"); sprintf(cookieurl, "%.1000s", url); //condition now have to contain F or S to set the fail or success condition if (cond && (strpos(cond, "F=") == 0)) { success_cond = 0; cond += 2; } else if (cond && (strpos(cond, "S=") == 0)) { success_cond = 1; cond += 2; } else { //by default condition is a fail success_cond = 0; } while ((optional1 = strtok(NULL, ":")) != NULL) { switch(optional1[0]) { case 'c': // fall through case 'C': sprintf(cookieurl, "%.1000s", optional1 + 2); break; case 'h': // fall through case 'H': if (sizeof(userheader) - strlen(userheader) > 4) { strncat(userheader, optional1 + 2, sizeof(userheader) - strlen(userheader) - 4); strcat(userheader, ":"); optional1 = strtok(NULL, ":"); strncat(userheader, optional1, sizeof(userheader) - strlen(userheader) - 3); strcat(userheader, "\r\n"); } break; // no default } } while (1) { if (run == 2) { if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(1); } } switch (run) { case 1: /* connect and service init function */ { if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(1); } next_run = 2; break; } case 2: /* run the cracking function */ next_run = start_http_form(sock, ip, port, options, miscptr, fp, type); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(0); break; case 4: /* silent error exit */ if (sock >= 0) sock = hydra_disconnect(sock); if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(1); break; default: if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } if (freemischttpform) free(miscptr); }
int start_oracle_sid(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { /* PP is the packet length XX is the length of connect data PP + tns_packet_begin + XX + tns_packet_end */ unsigned char tns_packet_begin[22] = { "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" }; unsigned char tns_packet_end[32] = { "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" }; char *empty = ""; char *login; char connect_string[200]; char buffer2[260]; int siz = 0; memset(connect_string, 0, sizeof(connect_string)); memset(buffer2, 0, sizeof(buffer2)); if (strlen(login = hydra_get_next_login()) == 0) login = empty; snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login, hydra_address2string(ip), port); siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string); if (siz > 255) { buffer2[0] = 1; buffer2[1] = siz - 256; } else { buffer2[1] = siz; } memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256; } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; //if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) { hydra_report_found_host(port, ip, "oracle-sid", fp); hydra_completed_pair_found(); } else hydra_completed_pair(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { ptr_header_node ptr_head = NULL; char *ptr, *ptr2, *proxy_string; if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) { webtarget += strlen("://"); if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ *ptr2 = 0; ptr2++; ptr = ptr2; if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL) miscptr = ptr; else miscptr = slash; /* to make things easier to user */ } else if ((ptr2 = index(webtarget, '/')) != NULL) { if (freemischttpform == 0) { if ((miscptr = malloc(strlen(ptr2) + 1)) != NULL) { freemischttpform = 1; strcpy(miscptr, ptr2); *ptr2 = 0; } } } else webtarget = NULL; } if (cmdlinetarget != NULL && webtarget == NULL) webtarget = cmdlinetarget; else if (webtarget == NULL && cmdlinetarget == NULL) webtarget = hydra_address2string(ip); if (port != 0) webport = port; else if ((options & OPTION_SSL) == 0) webport = PORT_HTTP; else webport = PORT_HTTP_SSL; sprintf(bufferurl, "%.1000s", miscptr); url = bufferurl; ptr = url; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; variables = ptr; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; cond = ptr; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; optional1 = ptr; if (strstr(url, "\\:") != NULL) { if ((ptr = malloc(strlen(url))) != NULL) { strcpy(ptr, hydra_strrep(url, "\\:", ":")); url = ptr; } } if (strstr(variables, "\\:") != NULL) { if ((ptr = malloc(strlen(variables))) != NULL) { strcpy(ptr, hydra_strrep(variables, "\\:", ":")); variables = ptr; } } if (strstr(cond, "\\:") != NULL) { if ((ptr = malloc(strlen(cond))) != NULL) { strcpy(ptr, hydra_strrep(cond, "\\:", ":")); cond = ptr; } } if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */ ) hydra_child_exit(2); if (*cond == 0) { fprintf(stderr, "[ERROR] invalid number of parameters in module option\n"); return NULL; } sprintf(cookieurl, "%.1000s", url); //conditions now have to contain F or S to set the fail or success condition if (*cond != 0 && (strpos(cond, "F=") == 0)) { success_cond = 0; cond += 2; } else if (*cond != 0 && (strpos(cond, "S=") == 0)) { success_cond = 1; cond += 2; } else { //by default condition is a fail success_cond = 0; } /* * Parse the user-supplied options. * Beware of the backslashes (\)! */ while (*optional1 != 0) { switch (optional1[0]) { case 'c': // fall through case 'C': ptr = optional1 + 2; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; sprintf(cookieurl, "%.1000s", hydra_strrep(optional1 + 2, "\\:", ":")); optional1 = ptr; break; case 'h': // add a new header at the end ptr = optional1 + 2; while (*ptr != 0 && *ptr != ':') ptr++; if (*(ptr - 1) == '\\') *(ptr - 1) = 0; if (*ptr != 0){ *ptr = 0; ptr += 2; } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) ptr2++; if (*ptr2 != 0) *ptr2++ = 0; /* * At this point: * - (optional1 + 2) contains the header's name * - ptr contains the header's value */ if (add_header(&ptr_head, optional1 + 2, hydra_strrep(ptr, "\\:", ":"), HEADER_TYPE_USERHEADER)) { // Success: break the switch and go ahead optional1 = ptr2; break; } // Error: abort execution hydra_report(stderr, "[ERROR] Out of memory for HTTP headers."); return NULL; case 'H': // add a new header, or replace an existing one's value ptr = optional1 + 2; while (*ptr != 0 && *ptr != ':') ptr++; if (*(ptr - 1) == '\\') *(ptr - 1) = 0; if (*ptr != 0){ *ptr = 0; ptr += 2; } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) ptr2++; if (*ptr2 != 0) *ptr2++ = 0; /* * At this point: * - (optional1 + 2) contains the header's name * - ptr contains the header's value */ if (add_header(&ptr_head, optional1 + 2, hydra_strrep(ptr, "\\:", ":"), HEADER_TYPE_USERHEADER_REPL)) { // Success: break the switch and go ahead optional1 = ptr2; break; } // Error: abort execution hydra_report(stderr, "[ERROR] Out of memory for HTTP headers."); return NULL; // no default } } /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) { // proxy with authentication add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT); add_header(&ptr_head, "User-Agent", "Mozilla 5.0 (Hydra Proxy Auth)", HEADER_TYPE_DEFAULT); proxy_string = (char *) malloc(strlen(proxy_authentication) + 6); if (proxy_string) { strcpy(proxy_string, "Basic "); strncat(proxy_string, proxy_authentication, strlen(proxy_authentication) - 6); add_header(&ptr_head, "Proxy-Authorization", proxy_string, HEADER_TYPE_DEFAULT); } else { hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header."); return NULL; } if (getcookie) { //doing a GET to save cookies cookie_request = stringify_headers(&ptr_head); } normal_request = stringify_headers(&ptr_head); } else { if (use_proxy == 1) { // proxy without authentication add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT); add_header(&ptr_head, "User-Agent", "Mozilla/5.0 (Hydra Proxy)", HEADER_TYPE_DEFAULT); if (getcookie) { //doing a GET to get cookies cookie_request = stringify_headers(&ptr_head); } normal_request = stringify_headers(&ptr_head); } else { // direct web server, no proxy add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT); add_header(&ptr_head, "User-Agent", "Mozilla/5.0 (Hydra)", HEADER_TYPE_DEFAULT); if (getcookie) { //doing a GET to save cookies cookie_request = stringify_headers(&ptr_head); } normal_request = stringify_headers(&ptr_head); } } return ptr_head; }
int start_ssh(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, keep_login[300]; int auth_state = 0, rc = 0, i = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (new_session) { if (session) { ssh_disconnect(session); ssh_finalize(); ssh_free(session); } session = ssh_new(); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); ssh_options_set(session, SSH_OPTIONS_USER, login); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { //if the connection was drop, trying to reconnect if (verbose) hydra_report(stderr, "Error: could not connect to target port %d\n", port); return 1; } if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) { return 3; } else if (rc == SSH_AUTH_SUCCESS) { hydra_report_found_host(port, ip, "ssh", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; else return 1; } } else new_session = 1; auth_state = ssh_auth_list(session); if ((auth_state & SSH_AUTH_METHOD_PASSWORD) > 0) { auth_state = ssh_userauth_password(session, NULL, pass); } else if ((auth_state & SSH_AUTH_METHOD_INTERACTIVE) > 0) { auth_state = ssh_userauth_kbdint(session, NULL, NULL); while (auth_state == SSH_AUTH_INFO) { rc = ssh_userauth_kbdint_getnprompts(session); for (i = 0; i < rc; i++) ssh_userauth_kbdint_setanswer(session, i, pass); auth_state = ssh_userauth_kbdint(session, NULL, NULL); } } else { return 4; } if (auth_state == SSH_AUTH_ERROR) { new_session = 1; return 1; } if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) { hydra_report_found_host(port, ip, "ssh", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { strncpy(keep_login, login, sizeof(keep_login) - 1); keep_login[sizeof(keep_login) - 1] = '\0'; hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; login = hydra_get_next_login(); if (strcmp(login, keep_login) == 0) new_session = 0; return 1; } /* not reached */ return 1; }
void service_http(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) { int run = 1, next_run = 1, sock = -1; int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; char *ptr, *ptr2; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; if ((webtarget = strstr(miscptr, "://")) != NULL) { webtarget += strlen("://"); if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ *ptr2 = 0; ptr2++; ptr = ptr2; if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL) miscptr = ptr; else miscptr = slash; /* to make things easier to user */ } else if ((ptr2 = index(webtarget, '/')) != NULL) { miscptr = malloc(strlen(ptr2) + 1); freemischttp = 1; strcpy(miscptr, ptr2); *ptr2 = 0; } else webtarget = NULL; } if (cmdlinetarget != NULL && webtarget == NULL) webtarget = cmdlinetarget; else if (webtarget == NULL && cmdlinetarget == NULL) webtarget = hydra_address2string(ip); if (port != 0) webport = port; else if ((options & OPTION_SSL) == 0) webport = myport; else webport = mysslport; while (1) { next_run = 0; switch (run) { case 1: /* connect and service init function */ { if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { if (freemischttp) free(miscptr); fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = 2; break; } case 2: /* run the cracking function */ next_run = start_http(sock, ip, port, options, miscptr, fp, type); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); if (freemischttp) free(miscptr); hydra_child_exit(0); return; default: if (freemischttp) free(miscptr); fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
void service_pop3(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) { int run = 1, next_run = 1, sock = -1, i; char *ptr = NULL; //extract data from the pool, ip is the key if (plist == NULL) if (service_pop3_init(ip, sp, options, miscptr, fp, port) != 0) hydra_child_exit(2); p = list_find(ip); if (p == NULL) { hydra_report(stderr, "[ERROR] Could not find ip %s in pool\n", hydra_address2string(ip)); return; } if (list_remove(p) != 0) hydra_report(stderr, "[ERROR] Could not find ip %s in pool to free memory\n", hydra_address2string(ip)); hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleep(300000); if ((options & OPTION_SSL) == 0) { sock = hydra_connect_tcp(ip, port); } else { sock = hydra_connect_ssl(ip, port); } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); if (buf == NULL || buf[0] != '+') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf); hydra_child_exit(2); } ptr = strstr(buf, "<"); if (ptr != NULL && buf[0] == '+') { if (ptr[strlen(ptr) - 1] == '\n') ptr[strlen(ptr) - 1] = 0; if (ptr[strlen(ptr) - 1] == '\r') ptr[strlen(ptr) - 1] = 0; strcpy(apop_challenge, ptr); } free(buf); #ifdef LIBOPENSSL if (!p->disable_tls) { /* check for STARTTLS, if available we may have access to more basic auth methods */ hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0); buf = hydra_receive_line(sock); if (buf[0] != '+') { hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock) == -1)) { if (verbose) hydra_report(stderr, "[ERROR] Can't use TLS\n"); p->disable_tls = 1; } else { if (verbose) hydra_report(stderr, "[VERBOSE] TLS connection done\n"); } } } #endif next_run = 2; break; case 2: /* run the cracking function */ next_run = start_pop3(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
int start_sapr3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { RFC_HANDLE handle; char *empty = ""; char *login, *pass, buffer[1024]; char *buf; int i; int sysnr = port % 100; char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0"; // char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y"; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (strlen(login) > 0) for (i = 0; i < strlen(login); i++) login[i] = (char) toupper(login[i]); if (strlen(pass) > 0) for (i = 0; i < strlen(pass); i++) pass[i] = (char) toupper(pass[i]); memset(buffer, 0, sizeof(buffer)); memset(&error_info, 0, sizeof(error_info)); //strcpy(buf, "mvse001"); snprintf(buffer, sizeof(buffer), "ASHOST=%s SYSNR=%02d CLIENT=%03d USER=\"%s\" PASSWD=\"%s\" LANG=DE %s", hydra_address2string(ip), sysnr, atoi(miscptr), login, pass, opts); /* USER=SAPCPIC PASSWORD=admin USER=SAP* PASSWORD=PASS ## do we need these options? SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N ASHOST= // IP SYSNR= // port - 3200, scale 2 CLIENT= // miscptr, scale 2 ABAP_DEBUG=0 USER= PASSWD= LANG=DE */ //printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer); handle = RfcOpenEx(buffer, &error_info); //printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message); if (handle <= RFC_HANDLE_NULL) return 3; if (strstr(error_info.message, "sapgui") != NULL || strlen(error_info.message) == 0) { hydra_report_found_host(port, ip, "sapr3", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { if (strstr(error_info.key, "ERROR_COMMUNICATION") != NULL) { /* sysnr does not exist, report as port closed */ return 3; } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; } return 1; }
int internal__hydra_connect(char *host, int port, int protocol, int type) { int s, ret = -1, ipv6 = 0; #ifdef AF_INET6 struct sockaddr_in6 target6; struct sockaddr_in6 sin6; #endif struct sockaddr_in target; struct sockaddr_in sin; char *buf, *tmpptr = NULL; int err = 0; #ifdef AF_INET6 memset(&target6, 0, sizeof(target6)); memset(&sin6, 0, sizeof(sin6)); if ((host[0] == 16 && proxy_string_ip[0] != 4) || proxy_string_ip[0] == 16) ipv6 = 1; #endif #ifdef AF_INET6 if (ipv6) s = socket(AF_INET6, protocol, type); else #endif s = socket(PF_INET, protocol, type); if (s >= 0) { if (src_port != 0) { int bind_ok = 0; #ifdef AF_INET6 if (ipv6) { sin6.sin6_family = AF_INET6; sin6.sin6_port = htons(src_port); } else #endif { sin.sin_family = PF_INET; sin.sin_port = htons(src_port); sin.sin_addr.s_addr = INADDR_ANY; } //we will try to find a free port down to 512 while (!bind_ok && src_port >= 512) { #ifdef AF_INET6 if (ipv6) ret = bind(s, (struct sockaddr *) &sin6, sizeof(sin6)); else #endif ret = bind(s, (struct sockaddr *) &sin, sizeof(sin)); if (ret == -1) { if (verbose) perror("internal_hydra_connect error"); if (errno == EADDRINUSE) { src_port--; #ifdef AF_INET6 if (ipv6) sin6.sin6_port = htons(src_port); else #endif sin.sin_port = htons(src_port); } else { if (errno == EACCES && (getuid() > 0)) { fprintf(stderr, "[ERROR] You need to be root to test this service\n"); close(s); return -1; } } } else bind_ok = 1; } } if (use_proxy > 0) { if (proxy_string_ip[0] == 4) { memcpy(&target.sin_addr.s_addr, &proxy_string_ip[1], 4); target.sin_family = AF_INET; target.sin_port = htons(proxy_string_port); } #ifdef AF_INET6 if (proxy_string_ip[0] == 16) { memcpy(&target6.sin6_addr, &proxy_string_ip[1], 16); target6.sin6_family = AF_INET6; target6.sin6_port = htons(proxy_string_port); } #endif } else { if (host[0] == 4) { memcpy(&target.sin_addr.s_addr, &host[1], 4); target.sin_family = AF_INET; target.sin_port = htons(port); } #ifdef AF_INET6 if (host[0] == 16) { memcpy(&target6.sin6_addr, &host[1], 16); target6.sin6_family = AF_INET6; target6.sin6_port = htons(port); } #endif } signal(SIGALRM, alarming); do { if (fail > 0) sleep(WAIT_BETWEEN_CONNECT_RETRY); alarm_went_off = 0; alarm(waittime); #ifdef AF_INET6 #ifdef SO_BINDTODEVICE if (host[17] != 0) { setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, &host[17], strlen(&host[17]) + 1); } #else #ifdef IP_FORCE_OUT_IFP if (host[17] != 0) { setsockopt(s, SOL_SOCKET, IP_FORCE_OUT_IFP, &host[17], strlen(&host[17]) + 1); } #endif #endif if (ipv6) ret = connect(s, (struct sockaddr *) &target6, sizeof(target6)); else #endif ret = connect(s, (struct sockaddr *) &target, sizeof(target)); alarm(0); if (ret < 0 && alarm_went_off == 0) { fail++; if (verbose && fail <= MAX_CONNECT_RETRY) fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int) getpid(), fail, MAX_CONNECT_RETRY); } } while (ret < 0 && fail <= MAX_CONNECT_RETRY); if (ret < 0 && fail > MAX_CONNECT_RETRY) { if (debug) printf("DEBUG_CONNECT_UNREACHABLE\n"); /* we wont quit here, thats up to the module to decide what to do * fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int)getpid()); * hydra_child_exit(1); */ extern_socket = -1; close(s); ret = -1; return ret; } ret = s; extern_socket = s; if (debug) printf("DEBUG_CONNECT_OK\n"); err = 0; if (use_proxy == 2) { if ((buf = malloc(4096)) == NULL) { fprintf(stderr, "[ERROR] could not malloc()\n"); close(s); return -1; } memset(&target, 0, sizeof(target)); if (host[0] == 4) { memcpy(&target.sin_addr.s_addr, &host[1], 4); target.sin_family = AF_INET; target.sin_port = htons(port); } #ifdef AF_INET6 memset(&target6, 0, sizeof(target6)); if (host[0] == 16) { memcpy(&target6.sin6_addr, &host[1], 16); target6.sin6_family = AF_INET6; target6.sin6_port = htons(port); } #endif if (hydra_strcasestr(proxy_string_type, "connect") || hydra_strcasestr(proxy_string_type, "http")) { if (proxy_authentication == NULL) if (host[0] == 16) snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port); else snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port); else if (host[0] == 16) snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication); else snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication); send(s, buf, strlen(buf), 0); recv(s, buf, 4096, 0); if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2') { if (debug) printf("DEBUG_CONNECT_PROXY_OK\n"); } else { if (debug) printf("DEBUG_CONNECT_PROXY_FAILED (Code: %c%c%c)\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2)); if (verbose) fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2)); err = 1; } // free(buf); } else { if (hydra_strcasestr(proxy_string_type, "socks5")) { // char buf[1024]; size_t cnt, wlen; /* socks v5 support */ buf[0] = SOCKS_V5; buf[1] = 1; if (proxy_authentication == NULL) buf[2] = SOCKS_NOAUTH; else buf[2] = SOCKS_PASSAUTH; cnt = hydra_send(s, buf, 3, 0); if (cnt != 3) { hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt); err = 1; } else { cnt = hydra_recv(s, buf, 2); if (cnt != 2) { hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt); err = 1; } if ((unsigned int) buf[1] == SOCKS_NOMETHOD) { hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n"); err = 1; } /* SOCKS_DOMAIN not supported here, do we need it ? */ if (err != 1) { /* send user/pass */ if (proxy_authentication != NULL) { //format was checked previously char *login = strtok(proxy_authentication, ":"); char *pass = strtok(NULL, ":"); snprintf(buf, sizeof(buf), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass); cnt = hydra_send(s, buf, strlen(buf), 0); if (cnt != strlen(buf)) { hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt); err = 1; } else { cnt = hydra_recv(s, buf, 2); if (cnt != 2) { hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt); err = 1; } if (buf[1] != 0) { hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication failure\n"); err = 1; } else { if (debug) hydra_report(stderr, "[DEBUG] SOCKS5 proxy authentication success\n"); } } } #ifdef AF_INET6 if (ipv6) { /* Version 5, connect: IPv6 address */ buf[0] = SOCKS_V5; buf[1] = SOCKS_CONNECT; buf[2] = 0; buf[3] = SOCKS_IPV6; memcpy(buf + 4, &target6.sin6_addr, sizeof target6.sin6_addr); memcpy(buf + 20, &target6.sin6_port, sizeof target6.sin6_port); wlen = 22; } else { #endif /* Version 5, connect: IPv4 address */ buf[0] = SOCKS_V5; buf[1] = SOCKS_CONNECT; buf[2] = 0; buf[3] = SOCKS_IPV4; memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr); memcpy(buf + 8, &target.sin_port, sizeof target.sin_port); wlen = 10; #ifdef AF_INET6 } #endif cnt = hydra_send(s, buf, wlen, 0); if (cnt != wlen) { hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/%zu)\n", cnt, wlen); err = 1; } else { cnt = hydra_recv(s, buf, 10); if (cnt != 10) { hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/10)\n", cnt); err = 1; } if (buf[1] != 0) { /* 0x05 = connection refused by destination host */ if (buf[1] == 5) hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n"); else hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]); err = 1; } } } } } else { if (hydra_strcasestr(proxy_string_type, "socks4")) { if (ipv6) { hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n"); err = 1; } else { // char buf[1024]; size_t cnt, wlen; /* socks v4 support */ buf[0] = SOCKS_V4; buf[1] = SOCKS_CONNECT; /* connect */ memcpy(buf + 2, &target.sin_port, sizeof target.sin_port); memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr); buf[8] = 0; /* empty username */ wlen = 9; cnt = hydra_send(s, buf, wlen, 0); if (cnt != wlen) { hydra_report(stderr, "[ERROR] SOCKS4 proxy write failed (%zu/%zu)\n", cnt, wlen); err = 1; } else { cnt = hydra_recv(s, buf, 8); if (cnt != 8) { hydra_report(stderr, "[ERROR] SOCKS4 proxy read failed (%zu/8)\n", cnt); err = 1; } if (buf[1] != 90) { /* 91 = 0x5b = request rejected or failed */ if (buf[1] == 91) hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n"); else hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]); err = 1; } } } } else { hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type); err = 1; } } } free(buf); } if (err) { close(s); extern_socket = -1; ret = -1; close(s); return ret; } fail = 0; return ret; } return ret; }
int start_oracle(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[200], sid[100]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; strncpy(sid, miscptr, sizeof(sid)); snprintf(buffer, sizeof(buffer), "//%s:%d/%s", hydra_address2string(ip), port, sid); /* To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries. The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name]. With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name]. Service names can be found by running the Oracle utility lsnrctl status on the database server machine. The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web daemon has read access to the file. */ if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) { print_oracle_error("OCIInitialize"); return 4; } if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) { print_oracle_error("OCIEnvInit"); return 4; } if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) { print_oracle_error("OCIEnvInit 2"); return 4; } if (OCIHandleAlloc(o_environment, (dvoid **) & o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) { print_oracle_error("OCIHandleAlloc"); return 4; } if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *) login, strlen(login), (const OraText *) pass, strlen(pass), (const OraText *) buffer, strlen(buffer))) { OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR); //database: oracle_error: ORA-01017: invalid username/password; logon denied //database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor //database: oracle_error: ORA-28000: the account is locked //Failed login attempts is set to 10 by default if (verbose) { hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg); } if (strstr((const char *) o_errormsg, "ORA-12514") != NULL) { hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n"); } if (strstr((const char *) o_errormsg, "ORA-28000") != NULL) { hydra_report(stderr, "[ERROR] ORACLE account %s is locked.\n", login); } if (o_error) { OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR); } hydra_completed_pair(); //by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening, //as we don't care, we are deleting the file //set these parameters to not generate the file //LOG_DIRECTORY_CLIENT = /dev/null //LOG_FILE_CLIENT = /dev/null unlink("sqlnet.log"); return 2; } else { OCILogoff(o_servicecontext, o_error); if (o_error) { OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR); } hydra_report_found_host(port, ip, "oracle", fp); hydra_completed_pair_found(); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260]; char url[260], host[30]; char *header = ""; /* XXX TODO */ char *ptr; int auth = 0; login = hydra_get_next_login(); if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) { hydra_completed_pair(); return 1; } pass = hydra_get_next_password(); pass = empty; // ignored strncpy(url, login, sizeof(url) - 1); url[sizeof(url) - 1] = 0; ptr = strstr(login, "://") + 3; if (ptr[0] == '[') ptr++; strncpy(mhost, ptr, sizeof(mhost) - 1); mhost[sizeof(mhost) - 1] = 0; if ((ptr = index(mhost, '/')) != NULL) *ptr = 0; if ((ptr = index(mhost, ']')) != NULL) *ptr = 0; else if ((ptr = index(mhost, ':')) != NULL) *ptr = 0; if (miscptr != NULL && index(miscptr, ':') != NULL) { strncpy(mlogin, miscptr, sizeof(mlogin) - 1); mlogin[sizeof(mlogin) - 1] = 0; ptr = index(mlogin, ':'); *ptr++ = 0; strncpy(mpass, ptr, sizeof(mpass) - 1); mpass[sizeof(mpass) - 1] = 0; auth = 1; } if (http_proxy_auth_mechanism == AUTH_ERROR) { //send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive first 40x buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/") == NULL) { free(buf); buf = hydra_receive_line(s); } if (debug) hydra_report(stderr, "S:%s\n", buf); //after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port, hostname); } } if (auth) { if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", buf); } else { if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive challenge free(buf); buf = hydra_receive_line(s); while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) { free(buf); buf = hydra_receive_line(s); } if (pos != NULL) { char *str; pos += 25; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge if (buf != NULL) { if (strlen(buf) >= 4) from64tobits((char *) buf1, pos); free(buf); } //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } if (buf == NULL) return 1; } else { #ifdef LIBOPENSSL if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) { char *pbuffer; http_proxy_auth_mechanism = AUTH_DIGESTMD5; pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = buffer2; sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header); if (pbuffer == NULL) return 3; if (debug) hydra_report(stderr, "C:%s\n", buffer2); if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) return 1; free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } if (debug && buf != NULL) hydra_report(stderr, "S:%s\n", buf); if (buf == NULL) return 1; } else #endif { if (buf != NULL) { buf[strlen(buf) - 1] = '\0'; hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf); } else { hydra_report(stderr, "Unsupported Auth type\n"); } return 3; } } } } // result analysis ptr = ((char *) index(buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) { hydra_report_found_host(port, ip, "http-proxy", fp); if (fp != stdout) fprintf(fp, "[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url); printf("[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url); hydra_completed_pair_found(); } else { if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) { hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n"); return 3; } hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }