/* RFC 4013: SASLprep: Stringprep Profile for User Names and Passwords code based on gsasl_saslprep from GSASL project */ int sasl_saslprep(const char *in, sasl_saslprep_flags flags, char **out) { #if LIBIDN int rc; rc = stringprep_profile(in, out, "SASLprep", (flags & SASL_ALLOW_UNASSIGNED) ? STRINGPREP_NO_UNASSIGNED : 0); if (rc != STRINGPREP_OK) { *out = NULL; return -1; } #if defined HAVE_PR29_H if (pr29_8z(*out) != PR29_SUCCESS) { free(*out); *out = NULL; return -1; } #endif #else size_t i, inlen = strlen(in); for (i = 0; i < inlen; i++) { if (in[i] & 0x80) { *out = NULL; hydra_report(stderr, "Error: Can't convert UTF-8, you should install libidn\n"); return -1; } } *out = malloc(inlen + 1); if (!*out) { hydra_report(stderr, "Error: Can't allocate memory\n"); return -1; } strcpy(*out, in); #endif return 0; }
int ora_descrypt(unsigned char **rs, unsigned char *result, int siz) { int i = 0; char lastkey[8]; des_key_schedule ks1; unsigned char key1[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF }; unsigned char ivec1[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; unsigned char *desresult; memset(ivec1, 0, sizeof(ivec1)); if ((desresult = malloc(siz)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } des_key_sched((C_Block *) key1, ks1); des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT); for (i = 0; i < 8; i++) { lastkey[i] = desresult[siz - 8 + i]; } des_key_sched((C_Block *) lastkey, ks1); memset(desresult, 0, siz); memset(ivec1, 0, sizeof(ivec1)); des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT); if ((*rs = malloc(siz)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); free(desresult); return 1; } memcpy(*rs, desresult, siz); return 0; }
void service_socks5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int run = 1, next_run = 1, sock = -1; int myport = PORT_SOCKS5, mysslport = PORT_SOCKS5_SSL; hydra_register_socket(sp); if (port != 0) myport = port; if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // sleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport, hostname); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = 2; break; case 2: /* run the cracking function */ next_run = start_socks5(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; case 5: /* clean exit, server may blocking connections */ hydra_report(stderr, "[ERROR] Server may blocking connections\n"); if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_ASTERISK, mysslport = PORT_ASTERISK_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // sleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); //fprintf(stderr, "%s\n",buf); //banner should look like: //Asterisk Call Manager/1.1 if (buf == NULL || strstr(buf, "Asterisk Call Manager/") == NULL) { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an Asterisk Call Manager protocol or service shutdown: %s\n", buf); hydra_child_exit(2); } free(buf); next_run = 2; break; case 2: /* run the cracking function */ next_run = start_asterisk(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
int start_firebird(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char database[256]; char connection_string[1024]; isc_db_handle db; /* database handle */ ISC_STATUS_ARRAY status; /* status vector */ char *dpb = NULL; /* DB parameter buffer */ short dpb_length = 0; if (miscptr) strncpy(database, miscptr, sizeof(database)); else strncpy(database, DEFAULT_DB, sizeof(database)); if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; dpb_length = (short) (1 + strlen(login) + 2 + strlen(pass) + 2); if ((dpb = (char *) malloc(dpb_length)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } /* Add user and password to dpb */ *dpb = isc_dpb_version1; dpb_length = 1; isc_modify_dpb(&dpb, &dpb_length, isc_dpb_user_name, login, strlen(login)); isc_modify_dpb(&dpb, &dpb_length, isc_dpb_password, pass, strlen(pass)); /* Create connection string */ snprintf(connection_string, sizeof(connection_string), "%s:%s", hydra_address2string(ip), database); if (isc_attach_database(status, 0, connection_string, &db, dpb_length, dpb)) { /* for debugging perpose */ if (verbose) { hydra_report(stderr, "[VERBOSE] "); isc_print_status(status); } isc_free(dpb); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; } else { isc_detach_database(status, &db); isc_free(dpb); hydra_report_found_host(port, ip, "firebird", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } return 1; }
void service_rexec(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run, sock = -1; int myport = PORT_REXEC, mysslport = PORT_REXEC_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { next_run = 0; switch (run) { case 1: /* connect and service init function */ { if (sock >= 0) sock = hydra_disconnect(sock); // usleep(275000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = 2; break; } case 2: /* run the cracking function */ next_run = start_rexec(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "Caught unknown return code, exiting!\n"); hydra_child_exit(0); #ifdef PALM return; #else exit(-1); #endif } run = next_run; } }
void service_cvs(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int run = 1, next_run = 1, sock = -1; int myport = PORT_CVS, mysslport = PORT_CVS_SSL; hydra_register_socket(sp); if ((miscptr == NULL) || (strlen(miscptr) == 0)) { miscptr = "/root"; } while (1) { if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport, hostname); port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = start_cvs(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
int start_asterisk(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[1024]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } memset(buffer, 0, sizeof(buffer)); sprintf(buffer, "Action: Login\r\nUsername: %.250s\r\nSecret: %.250s\r\n\r\n", login, pass); if (debug) hydra_report(stderr, "[DEBUG] C: %s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (debug) hydra_report(stderr, "[DEBUG] S: %s\n", buf); if (buf == NULL || (strstr(buf, "Response: ") == NULL)) { hydra_report(stderr, "[ERROR] Asterisk Call Manager protocol error or service shutdown: %s\n", buf); free(buf); return 4; } if (strstr(buf, "Response: Success") != NULL) { hydra_report_found_host(port, ip, "asterisk", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
void service_sapr3(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ next_run = start_sapr3(sock, ip, port, options, miscptr, fp); break; case 2: hydra_child_exit(0); case 3: /* clean exit */ fprintf(stderr, "Error: could not connect to target port %d\n", port); hydra_child_exit(1); case 4: hydra_child_exit(2); default: hydra_report(stderr, "Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
void service_oracle(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_ORACLE; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; if ((miscptr == NULL) || (strlen(miscptr) == 0)) { //SID is required as miscptr hydra_report(stderr, "[ERROR] Oracle SID is required, using ORCL as default\n"); miscptr = "ORCL"; } while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = 2; break; case 2: next_run = start_oracle(sock, ip, port, options, miscptr, fp); hydra_child_exit(0); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
void service_http_post_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { ptr_header_node ptr_head = initialize(ip, options, miscptr); if (ptr_head) service_http_form(ip, sp, options, miscptr, fp, port, "POST", &ptr_head); else { hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); hydra_child_exit(1); } }
int start_vmauthd(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[300]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } sprintf(buffer, "USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strncmp(buf, "331 ", 4) != 0) { hydra_report(stderr, "[ERROR] vmware authd protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer, "PASS %.250s\r\n", pass); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); //fprintf(stderr, "%s\n", buf); //230 User test logged in. //530 Login incorrect. if (strncmp(buf, "230 ", 4) == 0) { hydra_report_found_host(port, ip, "vmauthd", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int ora_hash(unsigned char **orahash, unsigned char *buf, int len) { int i; if ((*orahash = malloc(HASHSIZE)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } for (i = 0; i < 8; i++) { sprintf(((char *) *orahash) + i * 2, "%02X", buf[len - 8 + i]); } return 0; }
int initial_permutation(unsigned char **result, char *p_str, int *sz) { int k = 0; int i = strlen(p_str); char *buff; //expand the string with zero so that length is a multiple of 4 while ((i % 4) != 0) { i = i + 1; } *sz = 2 * i; if ((buff = malloc(i)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } memset(buff, 0, i); strncpy(buff, p_str, strlen(p_str)); //swap the order of every byte pair for (k = 0; k < i; k += 2) { char bck = buff[k + 1]; buff[k + 1] = buff[k]; buff[k] = bck; } //convert to unicode if ((*result = malloc(2 * i)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); free(buff); return 1; } memset(*result, 0, 2 * i); for (k = 0; k < i; k++) { (*result)[2 * k] = buff[k]; } free(buff); return 0; }
void service_teamspeak(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int run = 1, next_run = 1, sock = -1; int myport = PORT_TEAMSPEAK; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) run = 3; while (1) { switch (run) { case 1: /* connect and service init function */ // if (sock >= 0) // sock = hydra_disconnect(sock); // usleepn(300); if (sock < 0) { if (port != 0) myport = port; sock = hydra_connect_udp(ip, myport); port = myport; if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } } next_run = start_teamspeak(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
void service_s7_300(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int s7port = PORT_S7_300; if (port != 0) s7port = port; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ sock = hydra_connect_tcp(ip, s7port); if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = start_s7_300(sock, ip, s7port, options, miscptr, fp); sock = hydra_disconnect(sock); break; case 2: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
int ora_hash_password(char *pass) { // secret hash function comes here, and written to char *hash int siz = 0; unsigned char *desresult; unsigned char *result; char buff[strlen(pass) + 5]; memset(buff, 0, sizeof(buff)); //concatenate Arb string and convert the resulting string to uppercase snprintf(buff, sizeof(buff), "Arb%s", pass); strupper(buff); if (initial_permutation(&result, buff, &siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in initial_permutation\n"); return 1; } if (convert_byteorder(&result, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in convert_byteorder\n"); return 1; } if (ora_descrypt(&desresult, result, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in DES crypt\n"); return 1; } free(result); if (ora_hash(&result, desresult, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in extracting Oracle hash\n"); return 1; } memcpy(hash, result, HASHSIZE); free(desresult); free(result); return 0; }
/* * Replace the value of the default header named 'hdrname'. */ void hdrrepv(ptr_header_node * ptr_head, char *hdrname, char *new_value) { ptr_header_node cur_ptr = NULL; for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) { if ((cur_ptr->type == HEADER_TYPE_DEFAULT) && strcmp(cur_ptr->header, hdrname) == 0) { cur_ptr->value = (char *) realloc(cur_ptr->value, strlen(new_value)); if (cur_ptr->value) strcpy(cur_ptr->value, new_value); else { hydra_report(stderr, "[ERROR] Out of memory"); hydra_child_exit(0); } } } }
/* * Replace in all headers' values every occurrence of oldvalue by newvalue. * Only user-defined headers are considered. */ void hdrrep(ptr_header_node * ptr_head, char *oldvalue, char *newvalue) { ptr_header_node cur_ptr = NULL; for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) { if ((cur_ptr->type == HEADER_TYPE_USERHEADER || cur_ptr->type == HEADER_TYPE_USERHEADER_REPL) && strstr(cur_ptr->value, oldvalue)) { cur_ptr->value = (char *) realloc(cur_ptr->value, strlen(newvalue)); if (cur_ptr->value) strcpy(cur_ptr->value, newvalue); else { hydra_report(stderr, "[ERROR] Out of memory."); hydra_child_exit(0); } } } }
int start_postgres(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char database[256]; char connection_string[1024]; PGconn *pgconn; if (miscptr) strncpy(database, miscptr, sizeof(database)); else strncpy(database, DEFAULT_DB, sizeof(database)); if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; /* * Building the connection string */ snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '******' password = '******' ", hydra_address2string(ip), database, login, pass); if (verbose) hydra_report(stderr, "connection string: %s\n", connection_string); pgconn = PQconnectdb(connection_string); if (PQstatus(pgconn) == CONNECTION_OK) { PQfinish(pgconn); hydra_report_found_host(port, ip, "postgres", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } else { PQfinish(pgconn); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; } return 1; }
void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ next_run = start_ssh(sock, ip, port, options, miscptr, fp); break; case 2: ssh_disconnect(session); ssh_finalize(); ssh_free(session); hydra_child_exit(0); break; case 3: ssh_disconnect(session); ssh_finalize(); ssh_free(session); if (verbose) fprintf(stderr, "[ERROR] ssh protocol error\n"); hydra_child_exit(2); break; case 4: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh target does not support password auth\n"); hydra_child_exit(2); break; default: ssh_disconnect(session); ssh_finalize(); ssh_free(session); hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
int convert_byteorder(unsigned char **result, int size) { int i = 0; char *buff; if ((buff = malloc(size)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } memcpy(buff, *result, size); while (i < size) { buff[i + 0] = (*result)[i + 3]; buff[i + 1] = (*result)[i + 2]; buff[i + 2] = (*result)[i + 1]; buff[i + 3] = (*result)[i + 0]; i += 4; } memcpy(*result, buff, size); free(buff); return 0; }
/* int analyze_server_response(int socket) return 0 or 1 when the cond regex is matched return -1 if no response from server */ int analyze_server_response(int s) { int runs = 0; while ((buf = hydra_receive_line(s)) != NULL) { runs++; //check for http redirection if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) { redirected_flag = 1; } else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) { auth_flag = 1; } else if ((strstr(buf, "HTTP/1.1 403") != NULL) || (strstr(buf, "HTTP/1.1 404") != NULL) || (strstr(buf, "HTTP/1.0 403") != NULL) || (strstr(buf, "HTTP/1.0 404") != NULL)) { return 0; } if (hydra_strcasestr(buf, "Location: ") != NULL) { char *startloc, *endloc; char str[2048]; startloc = hydra_strcasestr(buf, "Location: ") + strlen("Location: "); strncpy(str, startloc, sizeof(str) - 1); str[sizeof(str) - 1] = 0; endloc = strchr(str, '\n'); if (endloc != NULL) *endloc = 0; endloc = strchr(str, '\r'); if (endloc != NULL) *endloc = 0; strcpy(redirected_url_buff, str); } //there can be multiple cookies if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) { char *cookiebuf = buf; do { char *startcookie, *endcookie1, *endcookie2; char str[1024], tmpcookie[4096] = "", tmpname[128] = "", *ptr, *ptr2; memset(str, 0, sizeof(str)); startcookie = hydra_strcasestr(cookiebuf, "Set-Cookie: ") + strlen("Set-Cookie: "); strncpy(str, startcookie, sizeof(str) - 1); str[sizeof(str) - 1] = 0; endcookie1 = strchr(str, '\n'); endcookie2 = strchr(str, ';'); //terminate string after cookie data if (endcookie1 != NULL && endcookie1 < endcookie2) *endcookie1 = 0; else if (endcookie2 != NULL) *endcookie2 = 0; // is the cookie already there? if yes, remove it! if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) { strncpy(tmpname, startcookie, sizeof(tmpname) - 2); tmpname[sizeof(tmpname) - 2] = 0; ptr = index(tmpname, '='); *(++ptr) = 0; // is the cookie already in the cookiejar? (so, does it have to be replaced?) if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) { // yes it is. // if the cookie is not in the beginning of the cookiejar, copy the ones before if (ptr != cookie && *(ptr - 1) == ' ') { strncpy(tmpcookie, cookie, ptr - cookie - 2); tmpcookie[ptr - cookie - 2] = 0; } ptr += strlen(tmpname); // if there are any cookies after this one in the cookiejar, copy them over if ((ptr2 = strstr(ptr, "; ")) != NULL) { ptr2 += 2; strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1); } if (debug) printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie); strcpy(cookie, tmpcookie); } } ptr = index(str, '='); // only copy the cookie if it has a value (otherwise the server wants to delete the cookie if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') { if (strlen(cookie) > 0) strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1); strncat(cookie, str, sizeof(cookie) - strlen(cookie) - 1); } cookiebuf = startcookie; } while (hydra_strcasestr(cookiebuf, "Set-Cookie: ") != NULL); } #ifdef HAVE_PCRE if (hydra_string_match(buf, cond) == 1) { #else if (strstr(buf, cond) != NULL) { #endif free(buf); // printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf); return 1; } // else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf); free(buf); } if (runs == 0) { if (debug) hydra_report(stderr, "DEBUG: no response from server\n"); return -1; } return 0; } void hydra_reconnect(int s, char *ip, int port, unsigned char options) { if (s >= 0) s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port); } } int start_http_form(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) { char *empty = ""; char *login, *pass, buffer[9000]; char header[8096], *upd3variables; int found = !success_cond, i, j; memset(header, 0, sizeof(header)); cookie[0] = 0; // reset cookies from potential previous attempt if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; upd3variables = strrep(variables, "^PASS^", pass); upd3variables = strrep(upd3variables, "^USER^", login); /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) { // proxy with authentication if (getcookie) { //doing a GET to save cookies sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla 5.0 (Hydra Proxy Auth)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, proxy_authentication, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } i = analyze_server_response(s); // return value ignored if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } hydra_reconnect(s, ip, port, options); } if (strcmp(type, "POST") == 0) { sprintf(buffer, "POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s", webtarget, webport, url, webtarget, proxy_authentication, (int) strlen(upd3variables), header, userheader, upd3variables); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } else { sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, proxy_authentication, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } } else { if (use_proxy == 1) { // proxy without authentication if (getcookie) { //doing a GET to get cookies sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } i = analyze_server_response(s); // ignore result if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } hydra_reconnect(s, ip, port, options); } if (strcmp(type, "POST") == 0) { sprintf(buffer, "POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s", webtarget, webport, url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } else { sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } } else { // direct web server, no proxy if (getcookie) { //doing a GET to save cookies sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s\r\n", cookieurl, webtarget, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } i = analyze_server_response(s); // ignore result if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } hydra_reconnect(s, ip, port, options); } if (strcmp(type, "POST") == 0) { sprintf(buffer, "POST %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s", url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } else { sprintf(buffer, "GET %.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", url, upd3variables, webtarget, header, userheader); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } } } } found = analyze_server_response(s); if (auth_flag) { // we received a 401 error - user using wrong module hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n", (options & OPTION_SSL) > 0 ? "s" : ""); return 4; } if (strlen(cookie) > 0) { sprintf(header, "Cookie: %.1000s\r\n", cookie); } //if page was redirected, follow the location header redirected_cpt = MAX_REDIRECT; if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff); while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { //we have to split the location char *startloc, *endloc; char str[2048]; char str2[2048]; char str3[2048]; redirected_cpt--; redirected_flag = 0; //check if the redirect page contains the fail/success condition #ifdef HAVE_PCRE if (hydra_string_match(redirected_url_buff, cond) == 1) { #else if (strstr(redirected_url_buff, cond) != NULL) { #endif found = success_cond; } else { //location could be either absolute http(s):// or / something //or relative startloc = strstr(redirected_url_buff, "://"); if (startloc != NULL) { startloc += strlen("://"); if ((endloc=strchr(startloc, '\r')) != NULL) { startloc[endloc - startloc] = 0; } if ((endloc=strchr(startloc, '\n')) != NULL) { startloc[endloc - startloc] = 0; } strcpy(str, startloc); endloc = strchr(str, '/'); if (endloc != NULL) { strncpy(str2, str, endloc - str); str2[endloc - str] = 0; } else strncpy(str2, str, sizeof(str)); if (strlen(str) - strlen(str2) == 0) { strcpy(str3, "/"); } else { strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2) - 1); str3[strlen(str) - strlen(str2) - 1] = 0; } } else { strncpy(str2, webtarget, sizeof(str2)); if (redirected_url_buff[0] != '/') { //it's a relative path, so we have to concatenate it //with the path from the first url given char *urlpath; char urlpath_extracted[2048]; memset(urlpath_extracted, 0, sizeof(urlpath_extracted)); urlpath=strrchr(url, '/'); if (urlpath != NULL) { strncpy(urlpath_extracted, url, urlpath-url); sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff); } else { sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff); } } else strncpy(str3, redirected_url_buff, sizeof(str3)); if (debug) hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3,url); } if (str3[0] != '/') { j = strlen(str3); str3[j + 1] = 0; for (i = j; i > 0; i--) str3[i] = str3[i - 1]; str3[0] = '/'; } if (verbose) hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3); //re-use the code above to check for proxy use if (use_proxy == 1 && proxy_authentication != NULL) { // proxy with authentication sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, proxy_authentication, header); } else { if (use_proxy == 1) { // proxy without authentication sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, header); } else { //direct web server, no proxy sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", str3, str2, header); } } hydra_reconnect(s, ip, port, options); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } found = analyze_server_response(s); if (strlen(cookie) > 0) { sprintf(header, "Cookie: %s\r\n", cookie); } } } //if the last status is still 3xx, set it as a false if (found != -1 && found == success_cond && redirected_flag == 0 && redirected_cpt >= 0) { hydra_report_found_host(port, ip, "www-form", fp); hydra_completed_pair_found(); } else { hydra_completed_pair(); } return 1; } void service_http_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) { int run = 1, next_run = 1, sock = -1; int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; char *ptr, *ptr2; hydra_register_socket(sp); if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) { webtarget += strlen("://"); if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ *ptr2 = 0; ptr2++; ptr = ptr2; if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL) miscptr = ptr; else miscptr = slash; /* to make things easier to user */ } else if ((ptr2 = index(webtarget, '/')) != NULL) { if (freemischttpform == 0) { freemischttpform = 1; miscptr = malloc(strlen(ptr2) + 1); strcpy(miscptr, ptr2); *ptr2 = 0; } } else webtarget = NULL; } if (cmdlinetarget != NULL && webtarget == NULL) webtarget = cmdlinetarget; else if (webtarget == NULL && cmdlinetarget == NULL) webtarget = hydra_address2string(ip); if (port != 0) webport = port; else if ((options & OPTION_SSL) == 0) webport = myport; else webport = mysslport; sprintf(bufferurl, "%.1000s", miscptr); url = strtok(bufferurl, ":"); variables = strtok(NULL, ":"); cond = strtok(NULL, ":"); sprintf(cookieurl, "%.1000s", url); //condition now have to contain F or S to set the fail or success condition if (cond && (strpos(cond, "F=") == 0)) { success_cond = 0; cond += 2; } else if (cond && (strpos(cond, "S=") == 0)) { success_cond = 1; cond += 2; } else { //by default condition is a fail success_cond = 0; } while ((optional1 = strtok(NULL, ":")) != NULL) { switch(optional1[0]) { case 'c': // fall through case 'C': sprintf(cookieurl, "%.1000s", optional1 + 2); break; case 'h': // fall through case 'H': if (sizeof(userheader) - strlen(userheader) > 4) { strncat(userheader, optional1 + 2, sizeof(userheader) - strlen(userheader) - 4); strcat(userheader, ":"); optional1 = strtok(NULL, ":"); strncat(userheader, optional1, sizeof(userheader) - strlen(userheader) - 3); strcat(userheader, "\r\n"); } break; // no default } } while (1) { if (run == 2) { if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(1); } } switch (run) { case 1: /* connect and service init function */ { if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(1); } next_run = 2; break; } case 2: /* run the cracking function */ next_run = start_http_form(sock, ip, port, options, miscptr, fp, type); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(0); break; case 4: /* silent error exit */ if (sock >= 0) sock = hydra_disconnect(sock); if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_child_exit(1); break; default: if (freemischttpform) free(miscptr); freemischttpform = 0; hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } if (freemischttpform) free(miscptr); }
void service_telnet(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1, fck; int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; if (miscptr != NULL) make_to_lower(miscptr); while (1) { int first = 0; int old_waittime = waittime; switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleep(300000); no_line_mode = 0; first = 0; if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } if ((buf = hydra_receive_line(sock)) == NULL) { /* check the first line */ hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n"); hydra_child_exit(2); // hydra_child_exit(2); } if (hydra_strcasestr(buf, "ress ENTER") != NULL) { hydra_send(sock, "\r\n", 2, 0); free(buf); if ((buf = hydra_receive_line(sock)) == NULL) { hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n"); hydra_child_exit(2); } } if (hydra_strcasestr(buf, "login") != NULL || hydra_strcasestr(buf, "sername:") != NULL) { waittime = 6; if (debug) hydra_report(stdout, "DEBUG: waittime set to %d\n", waittime); } do { unsigned char *buf2 = (unsigned char *) buf; while (*buf2 == IAC) { if (first == 0) { if (debug) hydra_report(stdout, "DEBUG: requested line mode\n"); fck = write(sock, "\xff\xfb\x22", 3); first = 1; } if ((buf[1] == '\xfc' || buf[1] == '\xfe') && buf2[2] == '\x22') { no_line_mode = 1; if (debug) hydra_report(stdout, "DEBUG: TELNETD peer does not like linemode!\n"); } if (buf2[2] != '\x22') { if (buf2[1] == WILL || buf2[1] == WONT) { buf2[1] = DONT; } else if (buf2[1] == DO || buf2[1] == DONT) { buf2[1] = WONT; } fck = write(sock, buf2, 3); } buf2 = buf2 + 3; } if (buf2 != (unsigned char *) buf) { free(buf); buf = hydra_receive_line(sock); } else { buf[0] = 0; } if (buf != NULL && buf[0] != 0 && (unsigned char) buf[0] != IAC) make_to_lower(buf); } while (buf != NULL && (unsigned char) buf[0] == IAC && hydra_strcasestr(buf, "ogin:") == NULL && hydra_strcasestr(buf, "sername:") == NULL); free(buf); waittime = old_waittime; next_run = 2; break; case 2: /* run the cracking function */ next_run = start_telnet(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } switch (smtp_auth_mechanism) { case AUTH_PLAIN: sprintf(buffer, "AUTH PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSLNEW case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "AUTH CRAM-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTH DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //send auth and receive challenge buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "AUTH NTLM %s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf); free(buf); return 3; } //recover challenge from64tobits((char *) buf1, buf + 4); free(buf); buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: /* by default trying AUTH LOGIN */ sprintf(buffer, "AUTH LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; /* 504 5.7.4 Unrecognized authentication type */ if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf); free(buf); return 3; } free(buf); sprintf(buffer2, "%.250s", login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer2, "%.250s", pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); #ifdef LIBOPENSSLNEW if (smtp_auth_mechanism == AUTH_DIGESTMD5) { if (strstr(buf, "334") != NULL) { memset(buffer2, 0, sizeof(buffer2)); from64tobits((char *) buffer2, buf + 4); if (strstr(buffer2, "rspauth=") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } } else #endif { if (strstr(buf, "235") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1, i = 0; int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL, disable_tls = 0; char *buffer1 = "EHLO hydra\r\n"; char *buffer2 = "HELO hydra\r\n"; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = myport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } /* receive initial header */ if ((buf = hydra_receive_line(sock)) == NULL) hydra_child_exit(2); if (strstr(buf, "220") == NULL) { hydra_report(stderr, "[WARNING] SMTP does not allow to connect: %s\n", buf); free(buf); hydra_child_exit(2); } while (strstr(buf, "220 ") == NULL) { free(buf); buf = hydra_receive_line(sock); } free(buf); /* send ehlo and receive/ignore reply */ if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0) hydra_child_exit(2); buf = smtp_read_server_capacity(sock); if (buf == NULL) hydra_child_exit(2); #ifdef LIBOPENSSLNEW if (!disable_tls) { /* if we got a positive answer */ if (buf[0] == '2') { if (strstr(buf, "STARTTLS") != NULL) { hydra_send(sock, "STARTTLS\r\n", strlen("STARTTLS\r\n"), 0); free(buf); buf = hydra_receive_line(sock); if (buf[0] != '2') { if (verbose) hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock) == -1)) { if (verbose) hydra_report(stderr, "[ERROR] Can't use TLS\n"); disable_tls = 1; run = 1; break; } else { if (verbose) hydra_report(stderr, "[VERBOSE] TLS connection done\n"); } /* ask again capability request but in TLS mode */ if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0) hydra_child_exit(2); buf = smtp_read_server_capacity(sock); if (buf == NULL) hydra_child_exit(2); } } } } #endif if (buf[0] != '2') { if (hydra_send(sock, buffer2, strlen(buffer2), 0) < 0) hydra_child_exit(2); free(buf); buf = smtp_read_server_capacity(sock); if (buf == NULL) hydra_child_exit(2); } if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) { smtp_auth_mechanism = AUTH_NTLM; } #ifdef LIBOPENSSLNEW if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "DIGEST-MD5") != NULL)) { smtp_auth_mechanism = AUTH_DIGESTMD5; } if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "CRAM-MD5") != NULL)) { smtp_auth_mechanism = AUTH_CRAMMD5; } #endif if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "PLAIN") != NULL)) { smtp_auth_mechanism = AUTH_PLAIN; } if ((miscptr != NULL) && (strlen(miscptr) > 0)) { for (i = 0; i < strlen(miscptr); i++) miscptr[i] = (char) toupper((int) miscptr[i]); if (strncmp(miscptr, "LOGIN", 5) == 0) smtp_auth_mechanism = AUTH_LOGIN; if (strncmp(miscptr, "PLAIN", 5) == 0) smtp_auth_mechanism = AUTH_PLAIN; #ifdef LIBOPENSSLNEW if (strncmp(miscptr, "CRAM-MD5", 8) == 0) smtp_auth_mechanism = AUTH_CRAMMD5; if (strncmp(miscptr, "DIGEST-MD5", 10) == 0) smtp_auth_mechanism = AUTH_DIGESTMD5; #endif if (strncmp(miscptr, "NTLM", 4) == 0) smtp_auth_mechanism = AUTH_NTLM; } if (verbose) { switch (smtp_auth_mechanism) { case AUTH_LOGIN: hydra_report(stderr, "[VERBOSE] using SMTP LOGIN AUTH mechanism\n"); break; case AUTH_PLAIN: hydra_report(stderr, "[VERBOSE] using SMTP PLAIN AUTH mechanism\n"); break; #ifdef LIBOPENSSLNEW case AUTH_CRAMMD5: hydra_report(stderr, "[VERBOSE] using SMTP CRAM-MD5 AUTH mechanism\n"); break; case AUTH_DIGESTMD5: hydra_report(stderr, "[VERBOSE] using SMTP DIGEST-MD5 AUTH mechanism\n"); break; #endif case AUTH_NTLM: hydra_report(stderr, "[VERBOSE] using SMTP NTLM AUTH mechanism\n"); break; } } free(buf); next_run = 2; break; case 2: /* run the cracking function */ next_run = start_smtp(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) { sock = hydra_disconnect(sock); } hydra_child_exit(0); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
int start_socks5(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[300]; int pport, fud = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; memcpy(buffer, "\x05\x02\x00\x02", 4); if (hydra_send(s, buffer, 4, 0) < 0) { return 1; } if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) { fail_cnt++; if (fail_cnt >= 10) return 5; return (1); } fail_cnt = 0; if (buf[0] != 5) { if (buf[0] == 4) { hydra_report(stderr, "[ERROR] Sorry Socks4 / Socks4a ident is not supported\n"); } else { hydra_report(stderr, "[ERROR] Socks5 protocol or service shutdown: %s\n", buf); } free(buf); return (4); } if (buf[1] == 0 || buf[1] == 32) { hydra_report(stderr, "[INFO] Socks5 server does NOT require any authentication!\n"); free(buf); return (4); } if (buf[1] != 0x2) { hydra_report(stderr, "[ERROR] Socks5 protocol or service shutdown: %s\n", buf); free(buf); return (4); } free(buf); /* RFC 1929 For username/password authentication the client's authentication request is field 1: version number, 1 byte (must be 0x01) */ snprintf(buffer, sizeof(buffer), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) return (1); if (buf[1] != 255) { /* new: false positive check */ free(buf); pport = htons(port); if (ip[0] == 16) { memcpy(buffer, "\x05\x01\x00\x04", 4); memcpy(buffer + 4, &ip[1], 16); memcpy(buffer + 20, &pport, 2); hydra_send(s, buffer, 22, 0); } else { memcpy(buffer, "\x05\x01\x00\x01", 4); memcpy(buffer + 4, &ip[1], 4); memcpy(buffer + 8, &pport, 2); hydra_send(s, buffer, 10, 0); } if ((buf = (unsigned char *) hydra_receive_line(s)) != NULL) { if (buf[1] == 0 || buf[1] == 32) { hydra_report_found_host(port, ip, "socks5", fp); hydra_completed_pair_found(); fud = 1; } else if (buf[1] != 2) { hydra_report_found_host_msg(port, ip, "socks5", fp, "might be a false positive!"); } } } if (buf != NULL) free(buf); if (fud == 0) hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_oracle_listener(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { unsigned char tns_packet_begin[22] = { "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" }; unsigned char tns_packet_end[32] = { "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" }; char *empty = ""; char *pass; char connect_string[200]; char buffer2[260]; int siz = 0; memset(connect_string, 0, sizeof(connect_string)); memset(buffer2, 0, sizeof(buffer2)); if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (sid_mechanism == AUTH_PLAIN) { if ((hash = malloc(HASHSIZE)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } if (ora_hash_password(pass)) { hydra_report(stderr, "[ERROR] generating Oracle hash\n"); free(hash); return 1; } pass = (char *) hash; } snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass); if (hash != NULL) free(hash); if (verbose) hydra_report(stderr, "[VERBOSE] using connectiong string: %s\n", connect_string); siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string); if (siz > 255) { buffer2[0] = 1; buffer2[1] = siz - 256; } else { buffer2[1] = siz; } memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256; } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (verbose) hydra_report(stderr, "[VERBOSE] Server answer: %s\n", buf); if (strstr(buf, "ERR=0") != NULL) { hydra_report_found_host(port, ip, "oracle-listener", fp); hydra_completed_pair_found(); } else hydra_completed_pair(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_sshkey(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *key, keep_login[300]; int auth_state = 0, rc = 0, i = 0; ssh_private_key privkey; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(key = hydra_get_next_password()) == 0) key = empty; if (new_session) { if (session) { ssh_disconnect(session); ssh_finalize(); ssh_free(session); } session = ssh_new(); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); ssh_options_set(session, SSH_OPTIONS_USER, login); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { //if the connection was drop, exit and let hydra main handle it if (verbose) hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port); return 3; } if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) { return 3; } else if (rc == SSH_AUTH_SUCCESS) { hydra_report_found_host(port, ip, "sshkey", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; else return 1; } } else new_session = 1; auth_state = ssh_auth_list(session); if ((auth_state & SSH_AUTH_METHOD_PUBLICKEY) > 0) { privkey = privatekey_from_file(session, key, 0, NULL); if (!privkey) { hydra_report(stderr, "[ERROR] skipping invalid private key: \"%s\"\n", key); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } auth_state = ssh_userauth_pubkey(session, NULL, NULL, privkey); } else { return 4; } if (auth_state == SSH_AUTH_ERROR) { new_session = 1; return 1; } if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) { hydra_report_found_host(port, ip, "sshkey", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { strncpy(keep_login, login, sizeof(keep_login) - 1); keep_login[sizeof(keep_login) - 1] = '\0'; hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; login = hydra_get_next_login(); if (strcmp(login, keep_login) == 0) new_session = 0; return 1; } /* not reached */ return 1; }
void service_oracle_listener(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; if ((miscptr != NULL) && (strlen(miscptr) > 0)) { strupper(miscptr); if (strncmp(miscptr, "CLEAR", 5) == 0) sid_mechanism = AUTH_CLEAR; } if (verbose) { switch (sid_mechanism) { case AUTH_CLEAR: hydra_report(stderr, "[VERBOSE] using SID CLEAR mechanism\n"); break; case AUTH_PLAIN: hydra_report(stderr, "[VERBOSE] using SID PLAIN mechanism\n"); break; } } while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleep(300000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } /* run the cracking function */ next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; case 4: if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }