void service_xmpp(char *target, char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, tls = 0;
char buffer[500];
int myport = PORT_XMPP, mysslport = PORT_XMPP_SSL, disable_tls = 0;
char *enddomain = NULL;
//we have to pass the target here as the reverse dns resolution is not working for some servers
//try to extract only the domain name from the target
//so for o.nimbuzz.com will get nimbuzz.com
//and hermes.jabber.org will get jabber.org
domain = strchr(target, '.');
if (!domain) {
hydra_report(stderr, "[ERROR] can't extract the domain name, you have to specify a fqdn xmpp server, the domain name will be used in the jabber init request\n");
hydra_child_exit(1);
}
enddomain = strrchr(target, '.');
//check if target is not already a domain name aka only . char in the string
if (enddomain && (enddomain == domain)) {
domain = target;
} else {
//moving to pass the . char
domain = domain + 1;
}
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
memset(buffer, 0, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "%s%s%s", JABBER_CLIENT_INIT_STR, domain, JABBER_CLIENT_INIT_END_STR);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
hydra_child_exit(1);
}
//some server is longer to answer
usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL)
hydra_child_exit(1);
if (strstr(buf, "<stream:stream") == NULL) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an xmpp protocol or service shutdown: %s\n", buf);
free(buf);
hydra_child_exit(1);
}
if (strstr(buf, "<stream:error")) {
if (strstr(buf, "<host-unknown"))
hydra_report(stderr, "[ERROR] %s host unknown, you have to specify a fqdn xmpp server, the domain name will be used in the jabber init request : %s\n", domain, buf);
else
hydra_report(stderr, "[ERROR] xmpp protocol : %s\n", buf);
free(buf);
hydra_child_exit(1);
}
/* try to identify which features is supported */
if (strstr(buf, ":xmpp-tls") != NULL) {
tls = 1;
}
if (strstr(buf, ":xmpp-sasl") != NULL) {
if (strstr(buf, "<mechanism>SCRAM-SHA-1</mechanism>") != NULL) {
xmpp_auth_mechanism = AUTH_SCRAMSHA1;
}
if (strstr(buf, "<mechanism>CRAM-MD5</mechanism>") != NULL) {
xmpp_auth_mechanism = AUTH_CRAMMD5;
}
if (strstr(buf, "<mechanism>DIGEST-MD5</mechanism>") != NULL) {
xmpp_auth_mechanism = AUTH_DIGESTMD5;
}
if (strstr(buf, "<mechanism>PLAIN</mechanism>") != NULL) {
xmpp_auth_mechanism = AUTH_PLAIN;
}
if (strstr(buf, "<mechanism>LOGIN</mechanism>") != NULL) {
xmpp_auth_mechanism = AUTH_LOGIN;
}
}
if (xmpp_auth_mechanism == AUTH_ERROR) {
/* no auth method identified */
hydra_report(stderr, "[ERROR] no authentication methods can be identified %s\n", buf);
free(buf);
hydra_child_exit(1);
}
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
int i;
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "LOGIN", 5) == 0)
xmpp_auth_mechanism = AUTH_LOGIN;
if (strncmp(miscptr, "PLAIN", 5) == 0)
xmpp_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSL
if (strncmp(miscptr, "CRAM-MD5", 8) == 0)
xmpp_auth_mechanism = AUTH_CRAMMD5;
if (strncmp(miscptr, "SCRAM-SHA1", 10) == 0)
xmpp_auth_mechanism = AUTH_SCRAMSHA1;
if (strncmp(miscptr, "DIGEST-MD5", 10) == 0)
xmpp_auth_mechanism = AUTH_DIGESTMD5;
#endif
}
if (verbose) {
switch (xmpp_auth_mechanism) {
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using XMPP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using XMPP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using XMPP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_SCRAMSHA1:
hydra_report(stderr, "[VERBOSE] using XMPP SCRAM-SHA1 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using XMPP DIGEST-MD5 AUTH mechanism\n");
break;
#endif
}
}
#ifdef LIBOPENSSL
//check if tls is not wanted and if tls is available
if (!disable_tls && tls) {
char *STARTTLS = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>";
hydra_send(sock, STARTTLS, strlen(STARTTLS), 0);
usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL || strstr(buf, "<failure") != NULL) {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* we have to resend the init stream */
memset(buffer, 0, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "%s%s%s", JABBER_CLIENT_INIT_STR, domain, JABBER_CLIENT_INIT_END_STR);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
hydra_child_exit(1);
}
//some server is longer to answer
usleep(300000);
buf = hydra_receive_line(sock);
if ((buf == NULL) || (strstr(buf, "<stream:stream") == NULL))
hydra_child_exit(1);
}
free(buf);
}
#endif
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_xmpp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
int ret;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
memset(buffer2, 0, sizeof(buffer2));
bptr++;
strcpy(bptr, login);
bptr += 1 + strlen(login);
strcpy(bptr, login);
bptr += 1 + strlen(login);
strcpy(bptr, TERM);
if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(login) + strlen(TERM), 0) < 0) {
return 4;
}
buffer[0] = 0;
if ((ret = hydra_recv(s, buffer, sizeof(buffer) - 1)) >= 0)
buffer[ret] = 0;
/* 0x00 is sent but hydra_recv transformed it */
if (strlen(buffer) == 0) {
ret = hydra_recv(s, buffer, sizeof(buffer) - 1);
}
if (ret >= 0)
buffer[ret] = 0;
if (ret > 0 && (strstr(buffer, "rlogind:") != NULL))
return 1;
if (ret > 0 && (strstr(buffer, "ssword") != NULL)) {
if (strlen((pass = hydra_get_next_password())) == 0)
pass = empty;
sprintf(buffer2, "%s\r", pass);
if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) {
return 1;
}
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer));
if (strcmp(buffer, "\r\n"))
ret = hydra_recv(s, buffer, sizeof(buffer) - 1);
if (ret >= 0)
buffer[ret] = 0;
}
/* Authentication failure */
if (ret > 0 && (strstr(buffer, "ssword") == NULL)) {
#ifdef HAVE_PCRE
if (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)")) {
#else
/* check for failure and incorrect msg */
if ((strstr(buffer, "ailure") == NULL) && (strstr(buffer, "ncorrect") == NULL) && (strstr(buffer, "denied") == NULL)) {
#endif
hydra_report_found_host(port, ip, "rlogin", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
} else {
/* if password is asked a second time, it means the pass we provided is wrong */
hydra_completed_pair();
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_rlogin(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
/* 512 -> 1023 */
hydra_set_srcport(1023);
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(275);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_rlogin(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char url[210], host[30];
char *header = ""; /* XXX TODO */
char *ptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (miscptr == NULL) {
strcpy(url, "http://www.microsoft.com/");
strcpy(host, "Host: www.microsoft.com\r\n");
} else {
sprintf(url, "%.200s", miscptr);
ptr = strstr(miscptr, "://"); // :// check is in hydra.c
sprintf(host, "Host: %.200s", ptr + 3);
if ((ptr = index(host, '/')) != NULL)
*ptr = 0;
if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[')
*ptr = 0;
strcat(host, "\r\n");
}
if (http_proxy_auth_mechanism == AUTH_ERROR) {
//send dummy request
sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive first 40x
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (debug)
hydra_report(stderr, "S:%s\n", buf);
//after the first query we should have been disconnected from web server
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port);
}
}
if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) {
http_proxy_auth_mechanism = AUTH_BASIC;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
//if server cut the connection, just exit cleanly or
//this will be an infinite loop
if (buf == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Server did not answer\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", buf);
} else {
if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) {
unsigned char buf1[4096];
unsigned char buf2[4096];
char *pos = NULL;
http_proxy_auth_mechanism = AUTH_NTLM;
//send auth and receive challenge
//send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
/* to be portable, no snprintf, buffer is big enough so it cant overflow */
//send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive challenge
buf = hydra_receive_line(s);
while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (pos != NULL) {
char *str;
pos+=25;
if ((str=strchr(pos, '\r')) != NULL) {
pos[str - pos] = 0;
}
if ((str=strchr(pos, '\n')) != NULL) {
pos[str - pos] = 0; }
}
//recover challenge
if (buf != NULL) {
from64tobits((char *) buf1, pos);
free(buf);
}
//Send response
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (buf == NULL)
return 1;
} else {
#ifdef LIBOPENSSL
if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer;
http_proxy_auth_mechanism = AUTH_DIGESTMD5;
pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (buffer2 == NULL)
return 3;
if (debug)
hydra_report(stderr, "C:%s\n", buffer2);
if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
return 1;
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (debug && buf != NULL)
hydra_report(stderr, "S:%s\n", buf);
if (buf == NULL)
return 1;
} else
#endif
{
if (buf != NULL) {
buf[strlen(buf) - 1] = '\0';
hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf);
} else {
hydra_report(stderr, "Unsupported Auth type\n");
}
return 3;
}
}
}
ptr = ((char *) index(buf, ' ')) + 1;
if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) {
hydra_report_found_host(port, ip, "http-proxy", fp);
hydra_completed_pair_found();
} else {
if (*ptr != '4')
hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass);
else
if (verbose && *(ptr + 2) == '3')
hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass);
hydra_completed_pair();
}
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_vnc(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_VNC, mysslport = PORT_VNC_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL || (strncmp(buf, "RFB", 3) != 0)) { /* check the first line */
hydra_report(stderr, "[ERROR] Not a VNC protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
if (strstr(buf, " security failures") != NULL) { /* check the first line */
/*
VNC has a 'blacklisting' scheme that blocks an IP address after five unsuccessful connection attempts.
The IP address is initially blocked for ten seconds,
but this doubles for each unsuccessful attempt thereafter.
A successful connection from an IP address resets the blacklist timeout.
This is built in to VNC Server and does not rely on operating system support.
*/
failed_auth++;
hydra_report(stderr, "VNC server reported too many authentication failures, have to wait some seconds ...\n");
sleep(12 * failed_auth);
free(buf);
next_run = 1;
break;
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf);
if (((strstr(buf, "RFB 004.001") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) {
//using proto version 003.008 to talk to server 004.001 same for 3.7 and 3.8
vnc_client_version = RFB37;
free(buf);
buf = strdup("RFB 003.007\n");
} else {
//for RFB 3.3 and fake 3.5
vnc_client_version = RFB33;
free(buf);
buf = strdup("RFB 003.003\n");
}
hydra_send(sock, buf, strlen(buf), 0);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_vnc(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char header[64] = "Content-Length: 0\r\n";
char *ptr, *fooptr;
int32_t complete_line = 0;
char tmpreplybuf[1024] = "", *tmpreplybufptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (strcmp(type, "POST") != 0)
header[0] = 0;
// we must reset this if buf is NULL and we do MD5 digest
if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5)
http_auth_mechanism = AUTH_BASIC;
if (use_proxy > 0 && proxy_count > 0)
selected_proxy = random() % proxy_count;
switch (http_auth_mechanism) {
case AUTH_BASIC:
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
/* again: no snprintf to be portable. don't worry, buffer can't overflow */
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buffer2, header);
else
sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
break;
#ifdef LIBOPENSSL
case AUTH_DIGESTMD5:{
char *pbuffer;
pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
if (fooptr == NULL) {
return 3;
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer2);
strcpy(buffer, buffer2);
}
break;
#endif
case AUTH_NTLM:{
unsigned char buf1[4096];
unsigned char buf2[4096];
char *pos = NULL;
//send auth and receive challenge
//send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
/* to be portable, no snprintf, buffer is big enough so it can't overflow */
//send the first..
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, header);
else
sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget,
buf1, header);
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive challenge
if (http_buf != NULL)
free(http_buf);
http_buf = hydra_receive_line(s);
while (http_buf != NULL && (pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ")) == NULL) {
free(http_buf);
http_buf = hydra_receive_line(s);
}
if (http_buf == NULL)
return 1;
if (pos != NULL) {
char *str;
pos += 23;
if ((str = strchr(pos, '\r')) != NULL) {
pos[str - pos] = 0;
}
if ((str = strchr(pos, '\n')) != NULL) {
pos[str - pos] = 0;
}
}
//recover challenge
from64tobits((char *) buf1, pos);
free(http_buf);
http_buf = NULL;
//Send response
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
//create the auth response
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, header);
else
sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget,
buf1, header);
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
}
break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if (http_buf != NULL)
free(http_buf);
http_buf = hydra_receive_line(s);
complete_line = 0;
tmpreplybuf[0] = 0;
while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) {
if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) {
strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1);
tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0;
free(http_buf);
http_buf = hydra_receive_line(s);
} else if (tmpreplybuf[0] != 0) {
complete_line = 1;
if ((tmpreplybufptr = malloc(strlen(tmpreplybuf) + strlen(http_buf) + 1)) != NULL) {
strcpy(tmpreplybufptr, tmpreplybuf);
strcat(tmpreplybufptr, http_buf);
free(http_buf);
http_buf = tmpreplybufptr;
if (debug) printf("http_buf now: %s\n", http_buf);
}
} else {
free(http_buf);
http_buf = hydra_receive_line(s);
}
}
//if server cut the connection, just exit cleanly or
//this will be an infinite loop
if (http_buf == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Server did not answer\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_buf);
ptr = ((char *) index(http_buf, ' '));
if (ptr != NULL)
ptr++;
if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
hydra_report_found_host(port, ip, "www", fp);
hydra_completed_pair_found();
if (http_buf != NULL) {
free(http_buf);
http_buf = NULL;
}
} else {
if (ptr != NULL && *ptr != '4')
fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass);
//the first authentication type failed, check the type from server header
if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
//seems the auth supported is not Basic shceme so testing further
int32_t find_auth = 0;
if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) {
http_auth_mechanism = AUTH_NTLM;
find_auth = 1;
}
#ifdef LIBOPENSSL
if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) {
http_auth_mechanism = AUTH_DIGESTMD5;
find_auth = 1;
}
#endif
if (find_auth) {
// free(http_buf);
// http_buf = NULL;
return 1;
}
}
hydra_completed_pair();
}
// free(http_buf);
// http_buf = NULL;
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_IMAP, mysslport = PORT_IMAP_SSL, disable_tls = 1;
char *buffer1 = "1 CAPABILITY\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleepn(275);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
if ((buf == NULL) || (strstr(buf, "OK") == NULL && buf[0] != '*')) { /* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an IMAP protocol or service shutdown:\n");
if (buf != NULL)
free(buf);
hydra_child_exit(2);
}
free(buf);
/* send capability request */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
exit(-1);
counter = 2;
buf = imap_read_server_capacity(sock);
if (buf == NULL) {
hydra_child_exit(2);
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
int32_t i;
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int32_t) miscptr[i]);
if (strstr(miscptr, "TLS") || strstr(miscptr, "SSL") || strstr(miscptr, "STARTTLS")) {
disable_tls = 0;
}
}
#ifdef LIBOPENSSL
if (!disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "2 STARTTLS\r\n", strlen("2 STARTTLS\r\n"), 0);
counter++;
free(buf);
buf = hydra_receive_line(sock);
if (buf == NULL || (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL)) {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* ask again capability request but in TLS mode */
if (hydra_send(sock, "3 CAPABILITY\r\n", strlen("3 CAPABILITY\r\n"), 0) < 0)
hydra_child_exit(2);
buf = imap_read_server_capacity(sock);
counter++;
if (buf == NULL)
hydra_child_exit(2);
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
}
#endif
if (verbose)
hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf);
//authentication should be listed AUTH= like in the extract below
//STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=NTLM") != NULL)) {
imap_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSL
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=SCRAM-SHA-1") != NULL)) {
imap_auth_mechanism = AUTH_SCRAMSHA1;
}
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=DIGEST-MD5") != NULL)) {
imap_auth_mechanism = AUTH_DIGESTMD5;
}
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=CRAM-SHA256") != NULL)) {
imap_auth_mechanism = AUTH_CRAMSHA256;
}
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=CRAM-SHA1") != NULL)) {
imap_auth_mechanism = AUTH_CRAMSHA1;
}
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=CRAM-MD5") != NULL)) {
imap_auth_mechanism = AUTH_CRAMMD5;
}
#endif
if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=PLAIN") != NULL)) {
imap_auth_mechanism = AUTH_PLAIN;
}
if (strstr(buf, "=LOGIN") != NULL) {
imap_auth_mechanism = AUTH_LOGIN;
}
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "CLEAR"))
imap_auth_mechanism = AUTH_CLEAR;
if (strstr(miscptr, "LOGIN"))
imap_auth_mechanism = AUTH_LOGIN;
if (strstr(miscptr, "PLAIN"))
imap_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSL
if (strstr(miscptr, "CRAM-MD5"))
imap_auth_mechanism = AUTH_CRAMMD5;
if (strstr(miscptr, "CRAM-SHA1"))
imap_auth_mechanism = AUTH_CRAMSHA1;
if (strstr(miscptr, "CRAM-SHA256"))
imap_auth_mechanism = AUTH_CRAMSHA256;
if (strstr(miscptr, "DIGEST-MD5"))
imap_auth_mechanism = AUTH_DIGESTMD5;
if (strstr(miscptr, "SCRAM-SHA1"))
imap_auth_mechanism = AUTH_SCRAMSHA1;
#endif
if (strstr(miscptr, "NTLM"))
imap_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (imap_auth_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using IMAP CLEAR LOGIN mechanism\n");
break;
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using IMAP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using IMAP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using IMAP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_CRAMSHA1:
hydra_report(stderr, "[VERBOSE] using IMAP CRAM-SHA1 AUTH mechanism\n");
break;
case AUTH_CRAMSHA256:
hydra_report(stderr, "[VERBOSE] using IMAP CRAM-SHA256 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using IMAP DIGEST-MD5 AUTH mechanism\n");
break;
case AUTH_SCRAMSHA1:
hydra_report(stderr, "[VERBOSE] using IMAP SCRAM-SHA1 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using IMAP NTLM AUTH mechanism\n");
break;
}
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_imap(sock, ip, port, options, miscptr, fp);
counter++;
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int
start_pop3(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{
char *empty = "\"\"";
char *login, *pass, buffer[300];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s) > 0) {
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
free(buf);
}
#ifdef PALM
sprintf(buffer, "USER %s\r\n", login);
#else
sprintf(buffer, "USER %.250s\r\n", login);
#endif
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (buf[0] != '+') {
hydra_report(stderr, "Error: POP3 protocol error or service shutdown: %s\n", buf);
free(buf);
return (3);
}
free(buf);
#ifdef PALM
sprintf(buffer, "PASS %s\r\n", pass);
#else
sprintf(buffer, "PASS %.250s\r\n", pass);
#endif
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (buf[0] == '+') {
hydra_report_found_host(port, ip, "pop3", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
/* special AS/400 hack */
if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) {
hydra_completed_pair_skip();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
int
start_ldap(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp, char version)
{
char *empty = "";
char *login = "", *pass, buffer[512];
int length;
if (miscptr == NULL) {
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
} else
login = miscptr;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
length = 14 + strlen(login) + strlen(pass);
memset(buffer, 0, sizeof(buffer));
buffer[0] = 48;
buffer[1] = length - 2;
buffer[2] = 2;
buffer[3] = 1;
buffer[4] = counter % 256;
buffer[5] = 96;
buffer[6] = length - 7;
buffer[7] = 2;
buffer[8] = 1;
buffer[9] = version;
buffer[10] = 4;
buffer[11] = strlen(login); /* DN */
memcpy(&buffer[12], login, strlen(login));
buffer[12 + strlen(login)] = (unsigned char) 128;
buffer[13 + strlen(login)] = strlen(pass);
memcpy(&buffer[14 + strlen(login)], pass, strlen(pass)); /* PASS */
if (hydra_send(s, buffer, length, 0) < 0)
return 1;
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
/* success is: 0a 01 00 - failure is: 0a 01 31 */
if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) {
hydra_report_found_host(port, ip, "ldap", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) {
hydra_report(stderr, "Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2');
hydra_child_exit(2);
sleep(1);
exit(-1);
}
if (buf[9] != 49 && buf[9] != 2) {
hydra_report(stderr, "Uh, unknown LDAP response, remember, this module is beta! Please report this:\n");
hydra_report(stderr, "Dump: %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x\n",
buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7], buf[8], buf[9], buf[10], buf[11], buf[12], buf[13], buf[14], buf[15]);
return 3;
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
int start_cvs(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[1024], pass2[513];
int i;
char *directory = miscptr;
/* evil cvs encryption sheme...
0 111 P 125 p 58
! 120 1 52 A 57 Q 55 a 121 q 113
" 53 2 75 B 83 R 54 b 117 r 32
3 119 C 43 S 66 c 104 s 90
4 49 D 46 T 124 d 101 t 44
% 109 5 34 E 102 U 126 e 100 u 98
& 72 6 82 F 40 V 59 f 69 v 60
' 108 7 81 G 89 W 47 g 73 w 51
( 70 8 95 H 38 X 92 h 99 x 33
) 64 9 65 I 103 Y 71 i 63 y 97
* 76 : 112 J 45 Z 115 j 94 z 62
+ 67 ; 86 K 50 k 93
, 116 < 118 L 42 l 39
- 74 = 110 M 123 m 37
. 68 > 122 N 91 n 61
/ 87 ? 105 O 35 _ 56 o 48
*/
char key[] = { 0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87,
111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105,
0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35,
125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56,
0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62
};
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
memset(pass2, 0, sizeof(pass2));
strncpy(pass2, pass, 512);
for (i = 0; i < strlen(pass); i++) {
pass2[i] = key[pass2[i] - 0x20];
}
snprintf(buffer, sizeof(buffer), "BEGIN VERIFICATION REQUEST\n%s\n%s\nA%s\nEND VERIFICATION REQUEST\n", directory, login, pass2);
i = 57 + strlen(directory) + strlen(login) + strlen(pass2);
if (hydra_send(s, buffer, i - 1, 0) < 0) {
return 1;
}
if (hydra_data_ready_timed(s, 5, 0) > 0) {
buf = hydra_receive_line(s);
if (strstr(buf, "I LOVE YOU\n")) {
hydra_report_found_host(port, ip, "cvs", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
return 3;
}
} else if (strstr(buf, "no such user") || strstr(buf, "E PAM start error: Critical error - immediate abort\n")) {
if (verbose) {
hydra_report(stderr, "[VERBOSE] User %s does not exist\n", login);
}
hydra_completed_pair_skip();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
return 3;
}
}
/* "I HATE YOU\n" case */
free(buf);
return 3;
}
return 3;
}
void service_cisco(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, failc = 0, retry = 1, next_run = 1, sock = -1;
int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
unsigned char *hybuf2;
int f = 0;
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(275);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
if (miscptr != NULL && hydra_strcasestr(miscptr, "enter") != NULL)
hydra_send(sock, "\r\n", 2, 0);
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
do {
if (f != 0)
free(hybuf2);
else
f = 1;
if ((hybuf2 = (unsigned char *) hydra_receive_line(sock)) == NULL) {
if (failc < retry) {
next_run = 1;
failc++;
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int) getpid(), failc, retry);
sleep(3);
break;
} else {
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int) getpid());
hydra_child_exit(0);
}
}
if (hybuf2 != NULL && hydra_strcasestr((char*)hybuf2, "ress ENTER") != NULL)
hydra_send(sock, "\r\n", 2, 0);
} while (strstr((char *) hybuf2, "assw") == NULL);
free(hybuf2);
if (next_run != 0)
break;
failc = 0;
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_cisco(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
hydra_child_exit(2);
#endif
}
run = next_run;
}
}
int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *pass, hybuffer[300];
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
#ifdef PALM
sprintf(hybuffer, "%s\r\n", pass);
#else
sprintf(hybuffer, "%.250s\r\n", pass);
#endif
if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) {
return 1;
}
sleep(1);
hybuf = NULL;
do {
if (hybuf != NULL)
free(hybuf);
if ((hybuf = hydra_receive_line(s)) == NULL)
return 3;
if (hybuf[strlen(hybuf) - 1] == '\n')
hybuf[strlen(hybuf) - 1] = 0;
if (hybuf[strlen(hybuf) - 1] == '\r')
hybuf[strlen(hybuf) - 1] = 0;
} while (strlen(hybuf) <= 1);
if (strstr(hybuf, "assw") != NULL) {
hydra_completed_pair();
free(hybuf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
#ifdef PALM
sprintf(hybuffer, "%s\r\n", pass);
#else
sprintf(hybuffer, "%.250s\r\n", pass);
#endif
if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) {
return 1;
}
hybuf = NULL;
do {
if (hybuf != NULL)
free(hybuf);
if ((hybuf = hydra_receive_line(s)) == NULL)
return 3;
if (hybuf[strlen(hybuf) - 1] == '\n')
hybuf[strlen(hybuf) - 1] = 0;
if (hybuf[strlen(hybuf) - 1] == '\r')
hybuf[strlen(hybuf) - 1] = 0;
} while (strlen(hybuf) <= 1);
if (hybuf != NULL && strstr(hybuf, "assw") != NULL) {
hydra_completed_pair();
free(hybuf);
hybuf = NULL;
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
#ifdef PALM
sprintf(hybuffer, "%s\r\n", pass);
#else
sprintf(hybuffer, "%.250s\r\n", pass);
#endif
if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) {
return 1;
}
hybuf = NULL;
do {
if (hybuf != NULL)
free(hybuf);
hybuf = hydra_receive_line(s);
if (hybuf != NULL) {
if (hybuf[strlen(hybuf) - 1] == '\n')
hybuf[strlen(hybuf) - 1] = 0;
if (hybuf[strlen(hybuf) - 1] == '\r')
hybuf[strlen(hybuf) - 1] = 0;
}
} while (hybuf != NULL && strlen(hybuf) <= 1);
}
}
if (hybuf != NULL && (strstr(hybuf, "assw") != NULL || strstr(hybuf, "ad ") != NULL || strstr(hybuf, "attempt") != NULL || strstr(hybuf, "ailur") != NULL)) {
free(hybuf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
hydra_report_found_host(port, ip, "cisco", fp);
hydra_completed_pair_found();
if (hybuf != NULL)
free(hybuf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
int start_ncp(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{
char* login;
char* pass;
char context[256];
unsigned int ncp_lib_error_code;
struct sockaddr_in remote_ip;
char *empty = "";
int object_type = NCP_BINDERY_USER;
_NCP_DATA* session;
memset(&remote_ip, 0, sizeof(remote_ip));
memcpy(&remote_ip.sin_addr.s_addr, &ip, 4);
remote_ip.sin_family = AF_INET;
session = malloc(sizeof(_NCP_DATA));
memset(session, 0, sizeof(_NCP_DATA));
login=empty;
pass=empty;
if (strlen(login = hydra_get_next_login()) == 0) {
login = empty;
}
else {
if (miscptr) {
if (strlen(miscptr)+strlen(login) > sizeof(context))
{
return 4;
}
memset(context, 0, sizeof(context));
strncpy(context, login, strlen(login));
strncpy(context+strlen(login), miscptr, sizeof(miscptr)+1);
login=context;
}
}
//login and password are case insensitive
//str_upper(login);
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
ncp_lib_error_code = ncp_find_conn_spec3(inet_ntoa((struct in_addr) remote_ip.sin_addr), login, "", 1, getuid(), 0, &session->spec);
if (ncp_lib_error_code)
{ free(session);return 1;}
ncp_lib_error_code = NWCCOpenConnByName(NULL, session->spec.server, NWCC_NAME_FORMAT_BIND, NWCC_OPEN_NEW_CONN, NWCC_RESERVED, &session->conn);
if (ncp_lib_error_code)
{ free(session);return 1;}
memset(session->spec.password, 0, sizeof(session->spec.password));
memcpy(session->spec.password, pass, strlen(pass)+1);
//str_upper(session->spec.password);
ncp_lib_error_code = ncp_login_conn(session->conn, session->spec.user, object_type, session->spec.password);
switch (ncp_lib_error_code & 0x0000FFFF)
{
case 0x0000: /* Success */
#ifdef NCP_DEBUG
printf("Connection success (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code);
#endif
ncp_close(session->conn);
hydra_report_found_host(port, ip, "ncp", fp); //ok
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3; //exit
free(session);
return 2; //next
break;
case 0x89DE: /* PASSWORD INVALID */
case 0x89F0: /* BIND WILDCARD INVALID */
case 0x89FF: /* NO OBJ OR BAD PASSWORD */
case 0xFD63: /* FAILED_AUTHENTICATION */
case 0xFDA7: /* NO_SUCH_ENTRY */
#ifdef NCP_DEBUG
printf("Incorrect password (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code);
#endif
ncp_close(session->conn);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
{
free(session);
return 2; //next
}
break;
default:
#ifdef NCP_DEBUG
printf("Failed to open connection. Error code: %X\n",ncp_lib_error_code);
#endif
if (session->conn != NULL) ncp_close(session->conn);
break;
}
free(session);
return 1; //reconnect
}
void
service_ncp(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port)
{
int run = 1, next_run, sock = -1;
int myport = PORT_NCP;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1)
{
switch (run)
{
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
if (sock < 0)
{
fprintf(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
case 2:
/*
* Here we start the password cracking process
*/
next_run = start_ncp(sock, ip, port, options, miscptr, fp);
break;
case 3:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4:
fprintf(stderr, "Optional parameter too long!\n");
hydra_child_exit(0);
exit(-1);
default:
fprintf(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
exit(-1);
}
run = next_run;
}
}
int start_oracle_sid(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
/*
PP is the packet length
XX is the length of connect data
PP + tns_packet_begin + XX + tns_packet_end
*/
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
char *empty = "";
char *login;
char connect_string[200];
char buffer2[260];
int siz = 0;
memset(connect_string, 0, sizeof(connect_string));
memset(buffer2, 0, sizeof(buffer2));
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login,
hydra_address2string(ip), port);
siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
if (siz > 255) {
buffer2[0] = 1;
buffer2[1] = siz - 256;
} else {
buffer2[1] = siz;
}
memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin));
siz = strlen(connect_string);
if (siz > 255) {
buffer2[2 + sizeof(tns_packet_begin)] = 1;
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256;
} else {
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz;
}
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end));
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string));
if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
//if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse
if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) {
hydra_report_found_host(port, ip, "oracle-sid", fp);
hydra_completed_pair_found();
} else
hydra_completed_pair();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_oracle_listener(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
strupper(miscptr);
if (strncmp(miscptr, "CLEAR", 5) == 0)
sid_mechanism = AUTH_CLEAR;
}
if (verbose) {
switch (sid_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using SID CLEAR mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using SID PLAIN mechanism\n");
break;
}
}
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* run the cracking function */
next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_vmauthd(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_VMAUTHD, mysslport = PORT_VMAUTHD_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
//fprintf(stderr, "%s\n",buf);
//220 VMware Authentication Daemon Version 1.00
//220 VMware Authentication Daemon Version 1.10: SSL Required
//220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
if (buf == NULL || strstr(buf, "220 VMware Authentication Daemon Version ") == NULL) {
/* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an vmware authd protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
if ((strstr(buf, "Version 1.00") == NULL) && (strstr(buf, "Version 1.10") == NULL)) {
free(buf);
hydra_report(stderr, "[ERROR] this vmware authd protocol is not supported, please report: %s\n", buf);
hydra_child_exit(2);
}
//by default this service is waiting for ssl connections
if (strstr(buf, "SSL Required") != NULL) {
if ((options & OPTION_SSL) == 0) {
//reconnecting using SSL
if (hydra_connect_to_ssl(sock) == -1) {
free(buf);
hydra_report(stderr, "[ERROR] Can't use SSL\n");
hydra_child_exit(2);
}
}
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_vmauthd(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char options, char *miscptr, FILE * fp) {
char *login, *pass, *host, buffer[SIP_MAX_BUF];
int i;
char buf[SIP_MAX_BUF];
if (strlen(login = hydra_get_next_login()) == 0)
login = NULL;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = NULL;
if (external_ip_addr[0])
lip = external_ip_addr;
host = miscptr;
cseq = 1;
empty_register(buffer, host, lip, port, lport, login);
cseq++;
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
int has_sip_cred = 0;
int try = 0;
/* We have to check many times because server may begin to send "100 Trying"
* before "401 Unauthorized" */
while (try < 2 && !has_sip_cred) {
try++;
if (hydra_data_ready_timed(s, 3, 0) > 0) {
i = hydra_recv(s, (char *) buf, sizeof(buf));
buf[sizeof(buf) - 1] = '\0';
if (strncmp(buf, "SIP/2.0 404", 11) == 0) {
hydra_report(stdout, "[ERROR] Get error code 404 : user '%s' not found\n", login);
return 2;
}
if (strncmp(buf, "SIP/2.0 606", 11) == 0) {
char *ptr=NULL;
int i = 0;
// if we already tried to connect, exit
if (external_ip_addr[0]) {
hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n");
return 2;
}
if (verbose)
hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n"
"maybe it's an addressing issue as you are using NAT, trying to reconnect\n"
"using addr from the server reply\n");
/*
SIP/2.0 606 Not Acceptable
Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137
*/
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "Via: SIP.*received=")) {
ptr=strstr(buf, "received=");
#else
if ((ptr=strstr(buf, "received="))) {
#endif
strncpy(external_ip_addr, ptr+strlen("received="), sizeof(external_ip_addr));
external_ip_addr[sizeof(external_ip_addr) - 1] = '\0';
for (i = 0; i < strlen(external_ip_addr); i++) {
if (external_ip_addr[i] <= 32) {
external_ip_addr[i] = '\0';
}
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Will reconnect using external IP address %s\n", external_ip_addr);
return 1;
}
hydra_report(stderr, "[ERROR] Could not find external IP address in server answer\n");
return 2;
}
}
}
if (!strstr(buf, "WWW-Authenticate: Digest")) {
hydra_report(stderr, "[ERROR] no www-authenticate header found!\n");
return -1;
}
if (verbose)
hydra_report(stderr, "[INFO] S: %s\n", buf);
char buffer2[512];
sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);
memset(buffer, 0, SIP_MAX_BUF);
snprintf(buffer, SIP_MAX_BUF,
"REGISTER sip:%s SIP/2.0\n"
"Via: SIP/2.0/UDP %s:%i\n"
"From: <sip:%s@%s>\n"
"To: <sip:%s@%s>\n"
"Call-ID: 1337@%s\n"
"CSeq: %i REGISTER\n"
"Authorization: Digest %s\n"
"Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2);
cseq++;
if (verbose)
hydra_report(stderr, "[INFO] C: %s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
try = 0;
int has_resp = 0;
int sip_code = 0;
while (try < 2 && !has_resp) {
try++;
if (hydra_data_ready_timed(s, 5, 0) > 0) {
memset(buf, 0, sizeof(buf));
i = hydra_recv(s, (char *) buf, sizeof(buf));
if (verbose)
hydra_report(stderr, "[INFO] S: %s\n", buf);
sip_code = get_sip_code(buf);
if (sip_code >= 200 && sip_code < 300) {
hydra_report_found_host(port, ip, "sip", fp);
hydra_completed_pair_found();
has_resp = 1;
}
if (sip_code >= 400 && sip_code < 500) {
has_resp = 1;
}
}
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_SIP, mysslport = PORT_SIP_SSL;
char *lip = get_iface_ip((int) *(&ip[1]));
hydra_register_socket(sp);
// FIXME IPV6
if (ip[0] != 4) {
fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n");
hydra_child_exit(2);
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
run = 3;
int lport = 0;
while (1) {
switch (run) {
case 1:
if (sock < 0) {
if (port != 0)
myport = port;
lport = rand() % (65535 - 1024) + 1024;
hydra_set_srcport(lport);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_udp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
free(lip);
hydra_child_exit(1);
}
}
next_run = start_sip(sock, ip, lip, port, lport, options, miscptr, fp);
break;
case 2:
if (sock >= 0)
sock = hydra_disconnect(sock);
free(lip);
hydra_child_exit(2);
break;
case 3:
if (sock >= 0)
sock = hydra_disconnect(sock);
free(lip);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
free(lip);
hydra_child_exit(2);
}
run = next_run;
}
}
char *get_iface_ip(unsigned long int ip) {
int sfd;
sfd = socket(AF_INET, SOCK_DGRAM, 0);
struct sockaddr_in tparamet;
tparamet.sin_family = AF_INET;
tparamet.sin_port = htons(2000);
tparamet.sin_addr.s_addr = ip;
if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) {
perror("connect");
close(sfd);
return NULL;
}
struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in));
int size = sizeof(struct sockaddr_in);
if (getsockname(sfd, (void *) local, (socklen_t *) & size)) {
perror("getsockname");
close(sfd);
free(local);
return NULL;
}
close(sfd);
char buff[32];
if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) {
perror("inet_ntop");
free(local);
return NULL;
}
char *str = malloc(sizeof(char) * (strlen(buff) + 1));
strcpy(str, buff);
free(local);
return str;
}
#endif
int service_sip_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
return 0;
}
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[500], buffer2[500], *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s) > 0) {
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
free(buf);
}
switch (p->pop3_auth_mechanism) {
#ifdef LIBOPENSSL
case AUTH_APOP:{
MD5_CTX c;
unsigned char md5_raw[MD5_DIGEST_LENGTH];
int i;
char *pbuffer = buffer2;
MD5_Init(&c);
MD5_Update(&c, apop_challenge, strlen(apop_challenge));
MD5_Update(&c, pass, strlen(pass));
MD5_Final(md5_raw, &c);
for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
sprintf(pbuffer, "%02x", md5_raw[i]);
pbuffer += 2;
}
sprintf(buffer, "APOP %s %s\r\n", login, buffer2);
}
break;
#endif
case AUTH_LOGIN:{
sprintf(buffer, "AUTH LOGIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
strcpy(buffer2, login);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
strcpy(buffer2, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
}
break;
case AUTH_PLAIN:{
sprintf(buffer, "AUTH PLAIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
memset(buffer, 0, sizeof(buffer));
sasl_plain(buffer, login, pass);
sprintf(buffer, "%.250s\r\n", buffer);
}
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
case AUTH_CRAMSHA1:
case AUTH_CRAMSHA256:{
int rc = 0;
char *preplogin;
rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
switch (p->pop3_auth_mechanism) {
case AUTH_CRAMMD5:
sprintf(buffer, "AUTH CRAM-MD5\r\n");
break;
case AUTH_CRAMSHA1:
sprintf(buffer, "AUTH CRAM-SHA1\r\n");
break;
case AUTH_CRAMSHA256:
sprintf(buffer, "AUTH CRAM-SHA256\r\n");
break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
//get the one-time BASE64 encoded challenge
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
switch (p->pop3_auth_mechanism) {
case AUTH_CRAMMD5:
hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf);
break;
case AUTH_CRAMSHA1:
hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf);
break;
case AUTH_CRAMSHA256:
hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf);
break;
}
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf + 2);
free(buf);
memset(buffer2, 0, sizeof(buffer2));
switch (p->pop3_auth_mechanism) {
case AUTH_CRAMMD5:{
sasl_cram_md5(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
case AUTH_CRAMSHA1:{
sasl_cram_sha1(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
case AUTH_CRAMSHA256:{
sasl_cram_sha256(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
}
hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
sprintf(buffer, "%.250s\r\n", buffer);
free(preplogin);
}
break;
case AUTH_DIGESTMD5:{
sprintf(buffer, "AUTH DIGEST-MD5\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf);
free(buf);
if (debug)
hydra_report(stderr, "[DEBUG] S: %s\n", buffer);
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (debug)
hydra_report(stderr, "[DEBUG] C: %s\n", buffer2);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
#endif
case AUTH_NTLM:{
unsigned char buf1[4096];
unsigned char buf2[4096];
//Send auth request
sprintf(buffer, "AUTH NTLM\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
//send auth and receive challenge
//send auth request: lst the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
sprintf(buffer, "%s\r\n", buf1);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
if ((buf = hydra_receive_line(s)) == NULL || strlen(buf) < 6)
return 4;
//recover challenge
from64tobits((char *) buf1, buf + 2);
free(buf);
//Send response
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
default:
sprintf(buffer, "USER %.250s\r\n", login);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 4;
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] POP3 protocol or service shutdown: %s\n", buf);
free(buf);
return (3);
}
free(buf);
sprintf(buffer, "PASS %.250s\r\n", pass);
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL) {
return 4;
}
if (buf[0] == '+') {
hydra_report_found_host(port, ip, "pop3", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
/* special AS/400 hack */
if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) {
hydra_completed_pair_skip();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500], *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s)) {
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
free(buf);
}
switch (imap_auth_mechanism) {
case AUTH_LOGIN:
sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
strcpy(buffer2, login);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
strcpy(buffer2, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
break;
case AUTH_PLAIN:
sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
memset(buffer2, 0, sizeof(buffer2));
sasl_plain(buffer2, login, pass);
sprintf(buffer, "%.250s\r\n", buffer2);
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
case AUTH_CRAMSHA1:
case AUTH_CRAMSHA256:{
int32_t rc = 0;
char *preplogin;
rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
switch (imap_auth_mechanism) {
case AUTH_CRAMMD5:
sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter);
break;
case AUTH_CRAMSHA1:
sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter);
break;
case AUTH_CRAMSHA256:
sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter);
break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
//get the one-time BASE64 encoded challenge
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
switch (imap_auth_mechanism) {
case AUTH_CRAMMD5:
hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf);
break;
case AUTH_CRAMSHA1:
hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf);
break;
case AUTH_CRAMSHA256:
hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf);
break;
}
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf + 2);
free(buf);
memset(buffer2, 0, sizeof(buffer2));
switch (imap_auth_mechanism) {
case AUTH_CRAMMD5:{
sasl_cram_md5(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
case AUTH_CRAMSHA1:{
sasl_cram_sha1(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
case AUTH_CRAMSHA256:{
sasl_cram_sha256(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
}
hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
char tmp_buffer[sizeof(buffer)];
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
case AUTH_DIGESTMD5:{
sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf);
free(buf);
if (debug)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
case AUTH_SCRAMSHA1:{
char clientfirstmessagebare[200];
char serverfirstmessage[200];
char *preplogin;
int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin);
free(preplogin);
memset(buffer2, 0, sizeof(buffer2));
sprintf(buffer2, "n,,%.200s", clientfirstmessagebare);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not a valid server challenge\n");
free(buf);
return 1;
} else {
/* recover server challenge */
memset(buffer, 0, sizeof(buffer));
//+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2
from64tobits((char *) buffer, buf + 2);
free(buf);
strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1);
serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';
memset(buffer2, 0, sizeof(buffer2));
fooptr = buffer2;
sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (fooptr == NULL) {
hydra_report(stderr, "[ERROR] Can't compute client response\n");
return 1;
}
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
}
break;
#endif
case AUTH_NTLM:{
unsigned char buf1[4096];
unsigned char buf2[4096];
//Send auth request
sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
//send auth and receive challenge
//send auth request: lst the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
sprintf(buffer, "%s\r\n", buf1);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strlen(buf) < 6) {
free(buf);
return 1;
}
//recover challenge
from64tobits((char *) buf1, buf + 2);
free(buf);
//Send response
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
default:
//clear authentication
sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass);
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] %s\n", buf);
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
if (counter == 4)
return 1;
return (2);
}
free(buf);
hydra_report_found_host(port, ip, "imap", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_pop3(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
char *ptr = NULL;
//extract data from the pool, ip is the key
if (plist == NULL)
if (service_pop3_init(ip, sp, options, miscptr, fp, port) != 0)
hydra_child_exit(2);
p = list_find(ip);
if (p == NULL) {
hydra_report(stderr, "[ERROR] Could not find ip %s in pool\n", hydra_address2string(ip));
return;
}
if (list_remove(p) != 0)
hydra_report(stderr, "[ERROR] Could not find ip %s in pool to free memory\n", hydra_address2string(ip));
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(300);
if ((options & OPTION_SSL) == 0) {
sock = hydra_connect_tcp(ip, port);
} else {
sock = hydra_connect_ssl(ip, port);
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '+') { /* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
ptr = strstr(buf, "<");
if (ptr != NULL && buf[0] == '+') {
if (ptr[strlen(ptr) - 1] == '\n')
ptr[strlen(ptr) - 1] = 0;
if (ptr[strlen(ptr) - 1] == '\r')
ptr[strlen(ptr) - 1] = 0;
strcpy(apop_challenge, ptr);
}
free(buf);
#ifdef LIBOPENSSL
if (!p->disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
p->disable_tls = 1;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
}
}
#endif
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_pop3(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void
service_pop3(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
int run = 1, next_run, sock = -1;
int myport = PORT_POP3, mysslport = PORT_POP3_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '+') { /* check the first line */
hydra_report(stderr, "Error: Not an POP3 protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_pop3(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
run = next_run;
}
}
int start_s7_300(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *pass, buffer[1024];
char context[S7PASSLEN + 1];
unsigned char encoded_password[S7PASSLEN];
char *spaces = " ";
unsigned char len_pass;
int ret = -1;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
// prepare password
memset(context, 0, sizeof(context));
if (strlen(pass) < S7PASSLEN) {
strncpy(context, pass, strlen(pass));
strncat(context, spaces, S7PASSLEN - strlen(pass) );
} else {
strncpy(context, pass, S7PASSLEN);
}
// encode password
encoded_password[0] = context[0] ^ 0x55;
encoded_password[1] = context[1] ^ 0x55;
int i;
for (i = 2; i < S7PASSLEN; i++) {
encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ;
}
// send p_cotp and check first 2 bytes of answer
if (hydra_send(s, (char *) p_cotp, 22, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
return 3;
// send p_s7_negotiate_pdu and check first 2 bytes of answer
if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
return 3;
// send p_s7_read_szl and check first 2 bytes of answer
if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
return 3;
// so now add encoded_password to p_s7_password_request and send
memset(buffer, 0, sizeof(buffer));
memcpy(buffer, p_s7_password_request, 29);
memcpy(buffer + 29, encoded_password, S7PASSLEN);
if (hydra_send(s, buffer, 29 + S7PASSLEN , 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
// now check answer
// 0x0000 - valid password
// 0xd605 - no password
// 0xd602 - wrong password
if (ret > 30 ) {
if (buffer[27] == '\x00' && buffer[28] == '\x00') {
hydra_report_found_host(port, ip, "s7-300", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
if (buffer[27] == '\xd6' && buffer[28] == '\x05') {
//hydra_report_found_host(port, ip, "s7-300", fp);
hydra_completed_pair_found();
hydra_report(stderr, "[INFO] No password protection enabled\n");
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *pass;
unsigned char buf2[CHALLENGESIZE + 4];
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
recv(s, buf2, CHALLENGESIZE + 4, 0);
if (vnc_client_version == RFB37) {
int i;
//fprintf(stderr,"number of security types supported: %d\n", buf2[0]);
if (buf2[0] == 0) {
hydra_report(stderr, "[ERROR] VNC server connection failed\n");
hydra_child_exit(0);
}
for (i = 1; i <= buf2[0]; i++) {
//fprintf(stderr,"sec type %u\n",buf2[i]);
//check if weak security types are available
if (buf2[i] <= 0x2) {
buf2[3] = buf2[i];
break;
}
}
}
//supported security type
switch (buf2[3]) {
case 0x0:
hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]);
hydra_child_exit(0);
case 0x1:
hydra_report(fp, "VNC server does not require authentication.\n");
if (fp != stdout)
hydra_report(stdout, "VNC server does not require authentication.\n");
hydra_report_found_host(port, ip, "vnc", fp);
hydra_completed_pair_found();
hydra_child_exit(2);
case 0x2:
//VNC security type supported is the only type supported for now
if (vnc_client_version == RFB37) {
sprintf(buf, "%c", 0x2);
if (hydra_send(s, buf, strlen(buf), 0) < 0) {
return 1;
}
//get authentication challenge from server
if (recv(s, buf2, CHALLENGESIZE, 0) == -1)
return 1;
//send response
vncEncryptBytes(buf2, pass);
if (hydra_send(s, (char *) buf2, CHALLENGESIZE, 0) < 0) {
return 1;
}
} else {
//in old proto, challenge is following the security type
vncEncryptBytes((unsigned char *) buf2 + 4, pass);
if (hydra_send(s, (char *) buf2 + 4, CHALLENGESIZE, 0) < 0) {
return 1;
}
}
break;
default:
hydra_report(stderr, "[ERROR] unknown VNC security type\n");
hydra_child_exit(2);
}
//check security result value
recv(s, buf, 4, 0);
if (buf == NULL)
return 1;
switch (buf[3]) {
case 0x0:
hydra_report_found_host(port, ip, "vnc", fp);
hydra_completed_pair_found();
free(buf);
failed_auth = 0;
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
case 0x1:
free(buf);
if (verbose)
hydra_report(stderr, "[VERBOSE] Authentication failed for password %s\n", pass);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
default:
free(buf);
hydra_report(stderr, "[ERROR] unknown VNC server security result %d\n", buf[3]);
return 1;
}
return 1; /* never reached */
}
char *nntp_read_server_capacity(int sock) {
char *ptr = NULL;
int resp = 0;
char *buf = NULL;
do {
if (buf != NULL)
free(buf);
ptr = buf = hydra_receive_line(sock);
if (buf != NULL) {
if (isdigit((int) buf[0]) && buf[3] == ' ')
resp = 1;
else {
if (buf[strlen(buf) - 1] == '\n')
buf[strlen(buf) - 1] = 0;
if (buf[strlen(buf) - 1] == '\r')
buf[strlen(buf) - 1] = 0;
#ifdef NO_RINDEX
if ((ptr = strrchr(buf, '\n')) != NULL) {
#else
if ((ptr = rindex(buf, '\n')) != NULL) {
#endif
ptr++;
if (isdigit((int) *ptr) && *(ptr + 3) == ' ')
resp = 1;
}
}
}
} while (buf != NULL && resp == 0);
return buf;
}
int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[300], buffer2[500];
int i = 1;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (i > 0 && hydra_data_ready(s) > 0)
i = hydra_recv(s, buffer, 300);
switch (nntp_auth_mechanism) {
case AUTH_LOGIN:
sprintf(buffer, "AUTHINFO SASL LOGIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
strcpy(buffer2, login);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
strcpy(buffer2, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
break;
case AUTH_PLAIN:
sprintf(buffer, "AUTHINFO SASL PLAIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
memset(buffer, 0, sizeof(buffer));
sasl_plain(buffer, login, pass);
sprintf(buffer, "%.250s\r\n", buffer);
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:{
int rc = 0;
char *preplogin;
rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
//get the one-time BASE64 encoded challenge
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf + 4);
free(buf);
memset(buffer2, 0, sizeof(buffer2));
sasl_cram_md5(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
sprintf(buffer, "%.250s\r\n", buffer);
free(preplogin);
}
break;
case AUTH_DIGESTMD5:{
sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf + 4);
free(buf);
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
if (buffer2 == NULL)
return 3;
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
#endif
case AUTH_NTLM:{
unsigned char buf1[4096];
unsigned char buf2[4096];
//send auth and receive challenge
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf);
free(buf);
return 3;
}
//recover challenge
from64tobits((char *) buf1, buf + 4);
free(buf);
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "%s\r\n", (char*)buf1);
}
break;
default:{
sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
if (buf[0] != '3') {
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
free(buf);
return (3);
}
free(buf);
sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
}
break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
if (buf[0] == '2') {
hydra_report_found_host(port, ip, "nntp", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char *type) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
miscptr = malloc(strlen(ptr2) + 1);
freemischttp = 1;
strcpy(miscptr, ptr2);
*ptr2 = 0;
} else
webtarget = hostname;
} else
if (strlen(miscptr) == 0)
miscptr = strdup("/");
if (webtarget == NULL)
webtarget = hostname;
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (freemischttp)
free(miscptr);
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http(sock, ip, port, options, miscptr, fp, type);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttp)
free(miscptr);
hydra_child_exit(0);
return;
default:
if (freemischttp)
free(miscptr);
fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_nntp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int i = 0, run = 1, next_run = 1, sock = -1;
int myport = PORT_NNTP, mysslport = PORT_NNTP_SSL, disable_tls = 0;
char *buffer1 = "CAPABILITIES\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
// usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '2') { /* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
free(buf);
/* send capability request */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
buf = nntp_read_server_capacity(sock);
if (buf == NULL) {
hydra_child_exit(2);
}
#ifdef LIBOPENSSL
if (!disable_tls) {
/* if we got a positive answer */
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "STARTTLS\r\n", strlen("STARTTLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
/* 382 Begin TLS negotiation now */
if (buf == NULL || strstr(buf, "382") == NULL) {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* ask again capability request but in TLS mode */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
/* we asking again cause often plain and login can only
be negociate in SSL tunnel
*/
buf = nntp_read_server_capacity(sock);
if (buf == NULL) {
hydra_child_exit(2);
}
}
}
}
#endif
/*
AUTHINFO USER SASL
SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
*/
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*NTLM")) {
#else
if (strstr(buf, "NTLM") != NULL) {
#endif
nntp_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSL
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*DIGEST-MD5")) {
#else
if (strstr(buf, "DIGEST-MD5") != NULL) {
#endif
nntp_auth_mechanism = AUTH_DIGESTMD5;
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*CRAM-MD5")) {
#else
if (strstr(buf, "CRAM-MD5") != NULL) {
#endif
nntp_auth_mechanism = AUTH_CRAMMD5;
}
#endif
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*PLAIN")) {
#else
if (strstr(buf, "PLAIN") != NULL) {
#endif
nntp_auth_mechanism = AUTH_PLAIN;
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*LOGIN")) {
#else
if (strstr(buf, "LOGIN") != NULL) {
#endif
nntp_auth_mechanism = AUTH_LOGIN;
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "AUTHINFO\\sUSER")) {
#else
if (strstr(buf, "AUTHINFO USER") != NULL) {
#endif
nntp_auth_mechanism = AUTH_CLEAR;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "USER", 4) == 0)
nntp_auth_mechanism = AUTH_CLEAR;
if (strncmp(miscptr, "LOGIN", 5) == 0)
nntp_auth_mechanism = AUTH_LOGIN;
if (strncmp(miscptr, "PLAIN", 5) == 0)
nntp_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSL
if (strncmp(miscptr, "CRAM-MD5", 8) == 0)
nntp_auth_mechanism = AUTH_CRAMMD5;
if (strncmp(miscptr, "DIGEST-MD5", 10) == 0)
nntp_auth_mechanism = AUTH_DIGESTMD5;
#endif
if (strncmp(miscptr, "NTLM", 4) == 0)
nntp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (nntp_auth_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using NNTP AUTHINFO USER mechanism\n");
break;
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using NNTP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using NNTP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using NNTP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using NNTP DIGEST-MD5 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using NNTP NTLM AUTH mechanism\n");
break;
}
}
usleep(25000);
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_nntp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int service_nntp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
return 0;
}
int start_ssh(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, keep_login[300];
int auth_state = 0, rc = 0, i = 0;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (new_session) {
if (session) {
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
}
session = ssh_new();
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
ssh_options_set(session, SSH_OPTIONS_USER, login);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
//if the connection was drop, exit and let hydra main handle it
if (verbose)
hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port);
return 3;
}
if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
return 3;
} else if (rc == SSH_AUTH_SUCCESS) {
hydra_report_found_host(port, ip, "ssh", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
else
return 1;
}
} else
new_session = 1;
auth_state = ssh_auth_list(session);
if ((auth_state & SSH_AUTH_METHOD_PASSWORD) > 0) {
auth_state = ssh_userauth_password(session, NULL, pass);
} else if ((auth_state & SSH_AUTH_METHOD_INTERACTIVE) > 0) {
auth_state = ssh_userauth_kbdint(session, NULL, NULL);
while (auth_state == SSH_AUTH_INFO) {
rc = ssh_userauth_kbdint_getnprompts(session);
for (i = 0; i < rc; i++)
ssh_userauth_kbdint_setanswer(session, i, pass);
auth_state = ssh_userauth_kbdint(session, NULL, NULL);
}
} else {
return 4;
}
if (auth_state == SSH_AUTH_ERROR) {
new_session = 1;
return 1;
}
if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
hydra_report_found_host(port, ip, "ssh", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
} else {
strncpy(keep_login, login, sizeof(keep_login) - 1);
keep_login[sizeof(keep_login) - 1] = '\0';
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
login = hydra_get_next_login();
if (strcmp(login, keep_login) == 0)
new_session = 0;
return 1;
}
/* not reached */
return 1;
}
int start_oracle_listener(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
char *empty = "";
char *pass;
char connect_string[200];
char buffer2[260];
int siz = 0;
memset(connect_string, 0, sizeof(connect_string));
memset(buffer2, 0, sizeof(buffer2));
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (sid_mechanism == AUTH_PLAIN) {
if ((hash = malloc(HASHSIZE)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
memset(hash, 0, HASHSIZE);
if (ora_hash_password(pass)) {
hydra_report(stderr, "[ERROR] generating Oracle hash\n");
free(hash);
return 1;
}
pass = (char *) hash;
}
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass);
if (hash != NULL)
free(hash);
if (verbose)
hydra_report(stderr, "[VERBOSE] using connectiong string: %s\n", connect_string);
siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
if (siz > 255) {
buffer2[0] = 1;
buffer2[1] = siz - 256;
} else {
buffer2[1] = siz;
}
memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin));
siz = strlen(connect_string);
if (siz > 255) {
buffer2[2 + sizeof(tns_packet_begin)] = 1;
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256;
} else {
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz;
}
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end));
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string));
if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (verbose || debug)
hydra_report(stderr, "[VERBOSE] Server answer: %s\n", buf);
if (strstr(buf, "ERR=0") != NULL) {
hydra_report_found_host(port, ip, "oracle-listener", fp);
hydra_completed_pair_found();
} else
hydra_completed_pair();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void
service_telnet(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
int run = 1, next_run, sock = -1;
int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL;
int fck=0;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if (miscptr != NULL)
make_to_lower(miscptr);
while (1) {
int first;
int old_waittime = waittime;
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
no_line_mode = 0;
first = 0;
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
if ((buf = hydra_receive_line(sock)) == NULL) { /* check the first line */
hydra_report(stderr, "Error: Not a TELNET protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
if (strstr(buf, "ogin") != NULL || strstr(buf, "sername:") != NULL) {
waittime = 6;
if (debug)
hydra_report(stdout, "DEBUG: waittime set to %d\n", waittime);
}
do {
unsigned char *buf2 = (unsigned char *) buf;
while (*buf2 == IAC) {
if (first == 0) {
if (debug)
hydra_report(stdout, "DEBUG: requested line mode\n");
#ifdef PALM
hydra_send(sock, "\xff\xfb\x22", 3, 0);
#else
fck=write(sock, "\xff\xfb\x22", 3);
#endif
first = 1;
}
if ((buf[1] == '\xfc' || buf[1] == '\xfe') && buf2[2] == '\x22') {
no_line_mode = 1;
if (debug)
hydra_report(stdout, "DEBUG: TELNETD peer does not like linemode!\n");
}
if (buf2[1] == WILL || buf2[1] == WONT) {
buf2[1] = DONT;
#ifdef PALM
hydra_send(sock, buf2, 3, 0);
#else
fck=write(sock, buf2, 3);
#endif
} else if (buf2[1] == DO || buf2[1] == DONT) {
buf2[1] = WONT;
#ifdef PALM
hydra_send(sock, buf2, 3, 0);
#else
fck=write(sock, buf2, 3);
#endif
}
buf2 = buf2 + 3;
}
if (buf2 != (unsigned char *) buf) {
free(buf);
buf = hydra_receive_line(sock);
} else {
buf[0] = 0;
}
if (buf != NULL && buf[0] != 0 && (unsigned char) buf[0] != IAC)
make_to_lower(buf);
} while (buf != NULL && (unsigned char) buf[0] == IAC && strstr(buf, "ogin:") == NULL && strstr(buf, "sername:") == NULL);
free(buf);
waittime = old_waittime;
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_telnet(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
run = next_run;
}
}
int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[500], buffer2[500];
char *AUTH_STR = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='";
char *AUTH_STR_END = "'/>";
char *CHALLENGE_STR = "<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>";
char *CHALLENGE_STR2 = "<challenge xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">";
char *CHALLENGE_END_STR = "</challenge>";
char *RESPONSE_STR = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>";
char *RESPONSE_END_STR = "</response>";
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
switch (xmpp_auth_mechanism) {
case AUTH_SCRAMSHA1:
sprintf(buffer, "%s%s%s", AUTH_STR, "SCRAM-SHA-1", AUTH_STR_END);
break;
case AUTH_CRAMMD5:
sprintf(buffer, "%s%s%s", AUTH_STR, "CRAM-MD5", AUTH_STR_END);
break;
case AUTH_DIGESTMD5:
sprintf(buffer, "%s%s%s", AUTH_STR, "DIGEST-MD5", AUTH_STR_END);
break;
case AUTH_PLAIN:
sprintf(buffer, "%s%s%s", AUTH_STR, "PLAIN", AUTH_STR_END);
break;
default:
sprintf(buffer, "%s%s%s", AUTH_STR, "LOGIN", AUTH_STR_END);
break;
}
hydra_send(s, buffer, strlen(buffer), 0);
usleep(300000);
buf = hydra_receive_line(s);
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buf);
if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
/*
the challenge string is sent depending of the
auth chosen it's the case for login auth
*/
char *ptr = strstr(buf, CHALLENGE_STR);
if (!ptr)
ptr = strstr(buf, CHALLENGE_STR2);
char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
int chglen = ptr_end - ptr - strlen(CHALLENGE_STR);
if ((chglen > 0) && (chglen < sizeof(buffer2))) {
strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen);
buffer2[chglen] = '\0';
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buffer2);
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
}
switch (xmpp_auth_mechanism) {
case AUTH_LOGIN:{
if (strstr(buffer, "sername") != NULL) {
strncpy(buffer2, login, sizeof(buffer2) - 1);
buffer2[sizeof(buffer2) - 1] = '\0';
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
free(buf);
return 1;
}
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
/* server now would ask for the password */
if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
char *ptr = strstr(buf, CHALLENGE_STR);
if (!ptr)
ptr = strstr(buf, CHALLENGE_STR2);
char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
int chglen = ptr_end - ptr - strlen(CHALLENGE_STR);
if ((chglen > 0) && (chglen < sizeof(buffer2))) {
strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen);
buffer2[chglen] = '\0';
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buffer2);
if (strstr(buffer, "assword") != NULL) {
strncpy(buffer2, pass, sizeof(buffer2) - 1);
buffer2[sizeof(buffer2) - 1] = '\0';
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
}
} else {
hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n");
free(buf);
return 1;
}
free(buf);
}
}
}
break;
#ifdef LIBOPENSSL
case AUTH_PLAIN:{
memset(buffer2, 0, sizeof(buffer));
sasl_plain(buffer2, login, pass);
sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer);
}
break;
case AUTH_CRAMMD5:{
int rc = 0;
char *preplogin;
memset(buffer2, 0, sizeof(buffer2));
sasl_cram_md5(buffer2, pass, buffer);
rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
sprintf(buffer, "%.200s %.250s", preplogin, buffer2);
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer);
hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR);
strncpy(buffer, buffer2, sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
free(preplogin);
}
break;
case AUTH_DIGESTMD5:{
memset(buffer2, 0, sizeof(buffer2));
sasl_digest_md5(buffer2, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
if (buffer2 == NULL)
return 3;
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
}
break;
case AUTH_SCRAMSHA1:{
/*client-first-message */
char clientfirstmessagebare[200];
char *preplogin;
int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin);
free(preplogin);
sprintf(buffer2, "n,,%.200s", clientfirstmessagebare);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
char serverfirstmessage[200];
char *ptr = strstr(buf, CHALLENGE_STR);
if (!ptr)
ptr = strstr(buf, CHALLENGE_STR2);
char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
int chglen = ptr_end - ptr - strlen(CHALLENGE_STR);
if ((chglen > 0) && (chglen < sizeof(buffer2))) {
strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen);
buffer2[chglen] = '\0';
} else {
hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n");
free(buf);
return 1;
}
/*server-first-message */
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buffer2);
strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1);
serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';
memset(buffer2, 0, sizeof(buffer2));
sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
if (buffer2 == NULL) {
hydra_report(stderr, "[ERROR] Can't compute client response\n");
free(buf);
return 1;
}
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
} else {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not a valid server challenge\n");
free(buf);
return 1;
}
free(buf);
}
break;
#endif
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
usleep(50000);
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
//we test the challenge tag as digest-md5 when connected is sending "rspauth" value
//so if we are receiving a second challenge we assume the auth is good
if ((strstr(buf, "<success") != NULL) || (strstr(buf, "<challenge ") != NULL)) {
hydra_report_found_host(port, ip, "xmpp", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
if (verbose)
hydra_report(stderr, "[ERROR] %s\n", buf);
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
if (strstr(buf, "<failure")) {
hydra_report(stderr, "[ERROR] Protocol failure, try using another auth method. %s\n", strstr(buf, "<failure"));
}
return 3;
}