int service_s7_300_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
int sock = -1;
int s7port = PORT_S7_300;
char *empty = "";
char *pass, buffer[1024];
char context[S7PASSLEN + 1];
unsigned char encoded_password[S7PASSLEN];
char *spaces = " ";
unsigned char len_pass;
int ret = -1;
int i;
if (port != 0)
s7port = port;
if (debug || verbose)
printf("[INFO] Checking authentication setup...\n");
sock = hydra_connect_tcp(ip, s7port);
if (sock < 0) {
hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", s7port);
return -1;
}
pass = empty;
// prepare password
memset(context, 0, sizeof(context));
strncat(context, spaces, S7PASSLEN - strlen(pass));
// encode password
encoded_password[0] = context[0] ^ 0x55;
encoded_password[1] = context[1] ^ 0x55;
for (i = 2; i < S7PASSLEN; i++) {
encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ;
}
// send p_cotp and check first 2 bytes of answer
if (hydra_send(sock, (char *) p_cotp, 22, 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service\n");
return -1;
}
memset(buffer, 0, sizeof(buffer));
if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) <= 0) {
fprintf(stderr, "[ERROR] did not received data from the service\n");
return -1;
}
if (ret < 2 || (buffer[0] != 0x03 && buffer[1] != 0x00)) {
fprintf(stderr, "[ERROR] invalid reply to init packet\n");
return -1;
}
// send p_s7_negotiate_pdu and check first 2 bytes of answer
if (hydra_send(sock, (char *) p_s7_negotiate_pdu, 25, 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service (2)\n");
return -1;
}
memset(buffer, 0, sizeof(buffer));
if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) <= 0) {
fprintf(stderr, "[ERROR] did not received data from the service (2)\n");
return -1;
}
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00)) {
fprintf(stderr, "[ERROR] invalid reply to init packet (2)\n");
return -1;
}
// send p_s7_read_szl and check first 2 bytes of answer
if (hydra_send(sock, (char *) p_s7_read_szl, 33, 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service (3)\n");
return -1;
}
memset(buffer, 0, sizeof(buffer));
if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) >= 0) {
fprintf(stderr, "[ERROR] did not received data from the service (3)\n");
return -1;
}
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) {
fprintf(stderr, "[ERROR] invalid reply to init packet (3)\n");
return -1;
}
// so now add encoded_password to p_s7_password_request and send
memset(buffer, 0, sizeof(buffer));
memcpy(buffer, p_s7_password_request, 29);
memcpy(buffer + 29, encoded_password, S7PASSLEN);
if (hydra_send(sock, buffer, 29 + S7PASSLEN , 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service (4)\n");
return -1;
}
memset(buffer, 0, sizeof(buffer));
if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) <= 0) {
fprintf(stderr, "[ERROR] did not received data from the service (4)\n");
return -1;
}
// now check answer
// 0x0000 - valid password
// 0xd605 - no password
// 0xd602 - wrong password
if (ret > 30) {
if ((buffer[27] == '\x00' && buffer[28] == '\x00') || (buffer[27] == '\xd6' && buffer[28] == '\x05')) {
hydra_report(stderr, "[INFO] No password protection enabled!\n");
return -1;
}
}
sock = hydra_disconnect(sock);
return 0;
}
int start_s7_300(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *pass, buffer[1024];
char context[S7PASSLEN + 1];
unsigned char encoded_password[S7PASSLEN];
char *spaces = " ";
unsigned char len_pass;
int ret = -1;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
// prepare password
memset(context, 0, sizeof(context));
if (strlen(pass) < S7PASSLEN) {
strncpy(context, pass, strlen(pass));
strncat(context, spaces, S7PASSLEN - strlen(pass) );
} else {
strncpy(context, pass, S7PASSLEN);
}
// encode password
encoded_password[0] = context[0] ^ 0x55;
encoded_password[1] = context[1] ^ 0x55;
int i;
for (i = 2; i < S7PASSLEN; i++) {
encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ;
}
// send p_cotp and check first 2 bytes of answer
if (hydra_send(s, (char *) p_cotp, 22, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
return 3;
// send p_s7_negotiate_pdu and check first 2 bytes of answer
if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
return 3;
// send p_s7_read_szl and check first 2 bytes of answer
if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) )
return 3;
// so now add encoded_password to p_s7_password_request and send
memset(buffer, 0, sizeof(buffer));
memcpy(buffer, p_s7_password_request, 29);
memcpy(buffer + 29, encoded_password, S7PASSLEN);
if (hydra_send(s, buffer, 29 + S7PASSLEN , 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret=hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
// now check answer
// 0x0000 - valid password
// 0xd605 - no password
// 0xd602 - wrong password
if (ret > 30 ) {
if (buffer[27] == '\x00' && buffer[28] == '\x00') {
hydra_report_found_host(port, ip, "s7-300", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
if (buffer[27] == '\xd6' && buffer[28] == '\x05') {
//hydra_report_found_host(port, ip, "s7-300", fp);
hydra_completed_pair_found();
hydra_report(stderr, "[INFO] No password protection enabled\n");
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[1024];
char ms_login[MSLEN + 1];
char ms_pass[MSLEN + 1];
unsigned char len_login, len_pass;
int32_t ret = -1;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (strlen(login) > MSLEN)
login[MSLEN - 1] = 0;
if (strlen(pass) > MSLEN)
pass[MSLEN - 1] = 0;
len_login = strlen(login);
len_pass = strlen(pass);
memset(ms_login, 0, MSLEN + 1);
memset(ms_pass, 0, MSLEN + 1);
strcpy(ms_login, login);
strcpy(ms_pass, pass);
memset(buffer, 0, sizeof(buffer));
memcpy(buffer, p_hdr, 39);
memcpy(buffer + 39, ms_login, MSLEN);
memcpy(buffer + MSLEN + 39, &len_login, 1);
memcpy(buffer + MSLEN + 1 + 39, ms_pass, MSLEN);
memcpy(buffer + MSLEN + 1 + 39 + MSLEN, &len_pass, 1);
memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1, p_pk2, 110);
memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110, &len_pass, 1);
memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1, ms_pass, MSLEN);
memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN, p_pk3, 270);
if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0)
return 1;
if (hydra_send(s, (char *) p_lng, 71, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv_nb(s, buffer, sizeof(buffer));
if (ret <= 0)
return 3;
if (ret > 10 && buffer[8] == '\xe3') {
hydra_report_found_host(port, ip, "mssql", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
