/*
RFC 4013: SASLprep: Stringprep Profile for User Names and Passwords
code based on gsasl_saslprep from GSASL project
*/
int sasl_saslprep(const char *in, sasl_saslprep_flags flags, char **out) {
#if LIBIDN
int rc;
rc = stringprep_profile(in, out, "SASLprep", (flags & SASL_ALLOW_UNASSIGNED) ? STRINGPREP_NO_UNASSIGNED : 0);
if (rc != STRINGPREP_OK) {
*out = NULL;
return -1;
}
#if defined HAVE_PR29_H
if (pr29_8z(*out) != PR29_SUCCESS) {
free(*out);
*out = NULL;
return -1;
}
#endif
#else
size_t i, inlen = strlen(in);
for (i = 0; i < inlen; i++) {
if (in[i] & 0x80) {
*out = NULL;
hydra_report(stderr, "Error: Can't convert UTF-8, you should install libidn\n");
return -1;
}
}
*out = malloc(inlen + 1);
if (!*out) {
hydra_report(stderr, "Error: Can't allocate memory\n");
return -1;
}
strcpy(*out, in);
#endif
return 0;
}
int ora_descrypt(unsigned char **rs, unsigned char *result, int siz) {
int i = 0;
char lastkey[8];
des_key_schedule ks1;
unsigned char key1[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
unsigned char ivec1[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
unsigned char *desresult;
memset(ivec1, 0, sizeof(ivec1));
if ((desresult = malloc(siz)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
des_key_sched((C_Block *) key1, ks1);
des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT);
for (i = 0; i < 8; i++) {
lastkey[i] = desresult[siz - 8 + i];
}
des_key_sched((C_Block *) lastkey, ks1);
memset(desresult, 0, siz);
memset(ivec1, 0, sizeof(ivec1));
des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT);
if ((*rs = malloc(siz)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
free(desresult);
return 1;
}
memcpy(*rs, desresult, siz);
return 0;
}
void service_socks5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_SOCKS5, mysslport = PORT_SOCKS5_SSL;
hydra_register_socket(sp);
if (port != 0)
myport = port;
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_socks5(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
case 5: /* clean exit, server may blocking connections */
hydra_report(stderr, "[ERROR] Server may blocking connections\n");
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_ASTERISK, mysslport = PORT_ASTERISK_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
//fprintf(stderr, "%s\n",buf);
//banner should look like:
//Asterisk Call Manager/1.1
if (buf == NULL || strstr(buf, "Asterisk Call Manager/") == NULL) {
/* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an Asterisk Call Manager protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_asterisk(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int start_firebird(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass;
char database[256];
char connection_string[1024];
isc_db_handle db; /* database handle */
ISC_STATUS_ARRAY status; /* status vector */
char *dpb = NULL; /* DB parameter buffer */
short dpb_length = 0;
if (miscptr)
strncpy(database, miscptr, sizeof(database));
else
strncpy(database, DEFAULT_DB, sizeof(database));
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
dpb_length = (short) (1 + strlen(login) + 2 + strlen(pass) + 2);
if ((dpb = (char *) malloc(dpb_length)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
/* Add user and password to dpb */
*dpb = isc_dpb_version1;
dpb_length = 1;
isc_modify_dpb(&dpb, &dpb_length, isc_dpb_user_name, login, strlen(login));
isc_modify_dpb(&dpb, &dpb_length, isc_dpb_password, pass, strlen(pass));
/* Create connection string */
snprintf(connection_string, sizeof(connection_string), "%s:%s", hydra_address2string(ip), database);
if (isc_attach_database(status, 0, connection_string, &db, dpb_length, dpb)) {
/* for debugging perpose */
if (verbose) {
hydra_report(stderr, "[VERBOSE] ");
isc_print_status(status);
}
isc_free(dpb);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
} else {
isc_detach_database(status, &db);
isc_free(dpb);
hydra_report_found_host(port, ip, "firebird", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
return 1;
}
void
service_rexec(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
int run = 1, next_run, sock = -1;
int myport = PORT_REXEC, mysslport = PORT_REXEC_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(275000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_rexec(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
run = next_run;
}
}
void service_cvs(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_CVS, mysslport = PORT_CVS_SSL;
hydra_register_socket(sp);
if ((miscptr == NULL) || (strlen(miscptr) == 0)) {
miscptr = "/root";
}
while (1) {
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = start_cvs(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int start_asterisk(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[1024];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s) > 0) {
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
free(buf);
}
memset(buffer, 0, sizeof(buffer));
sprintf(buffer, "Action: Login\r\nUsername: %.250s\r\nSecret: %.250s\r\n\r\n", login, pass);
if (debug)
hydra_report(stderr, "[DEBUG] C: %s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (debug)
hydra_report(stderr, "[DEBUG] S: %s\n", buf);
if (buf == NULL || (strstr(buf, "Response: ") == NULL)) {
hydra_report(stderr, "[ERROR] Asterisk Call Manager protocol error or service shutdown: %s\n", buf);
free(buf);
return 4;
}
if (strstr(buf, "Response: Success") != NULL) {
hydra_report_found_host(port, ip, "asterisk", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
void service_sapr3(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
next_run = start_sapr3(sock, ip, port, options, miscptr, fp);
break;
case 2:
hydra_child_exit(0);
case 3: /* clean exit */
fprintf(stderr, "Error: could not connect to target port %d\n", port);
hydra_child_exit(1);
case 4:
hydra_child_exit(2);
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
void service_oracle(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_ORACLE;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((miscptr == NULL) || (strlen(miscptr) == 0)) {
//SID is required as miscptr
hydra_report(stderr, "[ERROR] Oracle SID is required, using ORCL as default\n");
miscptr = "ORCL";
}
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
case 2:
next_run = start_oracle(sock, ip, port, options, miscptr, fp);
hydra_child_exit(0);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
void service_http_post_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
ptr_header_node ptr_head = initialize(ip, options, miscptr);
if (ptr_head)
service_http_form(ip, sp, options, miscptr, fp, port, "POST", &ptr_head);
else {
hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n");
hydra_child_exit(1);
}
}
int start_vmauthd(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[300];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s) > 0) {
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
free(buf);
}
sprintf(buffer, "USER %.250s\r\n", login);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (strncmp(buf, "331 ", 4) != 0) {
hydra_report(stderr, "[ERROR] vmware authd protocol or service shutdown: %s\n", buf);
free(buf);
return (3);
}
free(buf);
sprintf(buffer, "PASS %.250s\r\n", pass);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
//fprintf(stderr, "%s\n", buf);
//230 User test logged in.
//530 Login incorrect.
if (strncmp(buf, "230 ", 4) == 0) {
hydra_report_found_host(port, ip, "vmauthd", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
int ora_hash(unsigned char **orahash, unsigned char *buf, int len) {
int i;
if ((*orahash = malloc(HASHSIZE)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
for (i = 0; i < 8; i++) {
sprintf(((char *) *orahash) + i * 2, "%02X", buf[len - 8 + i]);
}
return 0;
}
int initial_permutation(unsigned char **result, char *p_str, int *sz) {
int k = 0;
int i = strlen(p_str);
char *buff;
//expand the string with zero so that length is a multiple of 4
while ((i % 4) != 0) {
i = i + 1;
}
*sz = 2 * i;
if ((buff = malloc(i)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
memset(buff, 0, i);
strncpy(buff, p_str, strlen(p_str));
//swap the order of every byte pair
for (k = 0; k < i; k += 2) {
char bck = buff[k + 1];
buff[k + 1] = buff[k];
buff[k] = bck;
}
//convert to unicode
if ((*result = malloc(2 * i)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
free(buff);
return 1;
}
memset(*result, 0, 2 * i);
for (k = 0; k < i; k++) {
(*result)[2 * k] = buff[k];
}
free(buff);
return 0;
}
void service_teamspeak(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_TEAMSPEAK;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
run = 3;
while (1) {
switch (run) {
case 1: /* connect and service init function */
// if (sock >= 0)
// sock = hydra_disconnect(sock);
// usleepn(300);
if (sock < 0) {
if (port != 0)
myport = port;
sock = hydra_connect_udp(ip, myport);
port = myport;
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
}
next_run = start_teamspeak(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
void service_s7_300(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int s7port = PORT_S7_300;
if (port != 0)
s7port = port;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
sock = hydra_connect_tcp(ip, s7port);
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = start_s7_300(sock, ip, s7port, options, miscptr, fp);
sock = hydra_disconnect(sock);
break;
case 2: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int ora_hash_password(char *pass) {
// secret hash function comes here, and written to char *hash
int siz = 0;
unsigned char *desresult;
unsigned char *result;
char buff[strlen(pass) + 5];
memset(buff, 0, sizeof(buff));
//concatenate Arb string and convert the resulting string to uppercase
snprintf(buff, sizeof(buff), "Arb%s", pass);
strupper(buff);
if (initial_permutation(&result, buff, &siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in initial_permutation\n");
return 1;
}
if (convert_byteorder(&result, siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in convert_byteorder\n");
return 1;
}
if (ora_descrypt(&desresult, result, siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in DES crypt\n");
return 1;
}
free(result);
if (ora_hash(&result, desresult, siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in extracting Oracle hash\n");
return 1;
}
memcpy(hash, result, HASHSIZE);
free(desresult);
free(result);
return 0;
}
/*
* Replace the value of the default header named 'hdrname'.
*/
void hdrrepv(ptr_header_node * ptr_head, char *hdrname, char *new_value) {
ptr_header_node cur_ptr = NULL;
for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) {
if ((cur_ptr->type == HEADER_TYPE_DEFAULT) && strcmp(cur_ptr->header, hdrname) == 0) {
cur_ptr->value = (char *) realloc(cur_ptr->value, strlen(new_value));
if (cur_ptr->value)
strcpy(cur_ptr->value, new_value);
else {
hydra_report(stderr, "[ERROR] Out of memory");
hydra_child_exit(0);
}
}
}
}
/*
* Replace in all headers' values every occurrence of oldvalue by newvalue.
* Only user-defined headers are considered.
*/
void hdrrep(ptr_header_node * ptr_head, char *oldvalue, char *newvalue) {
ptr_header_node cur_ptr = NULL;
for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) {
if ((cur_ptr->type == HEADER_TYPE_USERHEADER || cur_ptr->type == HEADER_TYPE_USERHEADER_REPL) && strstr(cur_ptr->value, oldvalue)) {
cur_ptr->value = (char *) realloc(cur_ptr->value, strlen(newvalue));
if (cur_ptr->value)
strcpy(cur_ptr->value, newvalue);
else {
hydra_report(stderr, "[ERROR] Out of memory.");
hydra_child_exit(0);
}
}
}
}
int start_postgres(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass;
char database[256];
char connection_string[1024];
PGconn *pgconn;
if (miscptr)
strncpy(database, miscptr, sizeof(database));
else
strncpy(database, DEFAULT_DB, sizeof(database));
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
/*
* Building the connection string
*/
snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '******' password = '******' ", hydra_address2string(ip), database, login, pass);
if (verbose)
hydra_report(stderr, "connection string: %s\n", connection_string);
pgconn = PQconnectdb(connection_string);
if (PQstatus(pgconn) == CONNECTION_OK) {
PQfinish(pgconn);
hydra_report_found_host(port, ip, "postgres", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
} else {
PQfinish(pgconn);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
}
return 1;
}
void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
int32_t run = 1, next_run = 1, sock = -1;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
next_run = start_ssh(sock, ip, port, options, miscptr, fp);
break;
case 2:
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
hydra_child_exit(0);
break;
case 3:
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
if (verbose)
fprintf(stderr, "[ERROR] ssh protocol error\n");
hydra_child_exit(2);
break;
case 4:
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
fprintf(stderr, "[ERROR] ssh target does not support password auth\n");
hydra_child_exit(2);
break;
default:
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int convert_byteorder(unsigned char **result, int size) {
int i = 0;
char *buff;
if ((buff = malloc(size)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
memcpy(buff, *result, size);
while (i < size) {
buff[i + 0] = (*result)[i + 3];
buff[i + 1] = (*result)[i + 2];
buff[i + 2] = (*result)[i + 1];
buff[i + 3] = (*result)[i + 0];
i += 4;
}
memcpy(*result, buff, size);
free(buff);
return 0;
}
/*
int analyze_server_response(int socket)
return 0 or 1 when the cond regex is matched
return -1 if no response from server
*/
int analyze_server_response(int s) {
int runs = 0;
while ((buf = hydra_receive_line(s)) != NULL) {
runs++;
//check for http redirection
if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) {
redirected_flag = 1;
} else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) {
auth_flag = 1;
} else if ((strstr(buf, "HTTP/1.1 403") != NULL) || (strstr(buf, "HTTP/1.1 404") != NULL) || (strstr(buf, "HTTP/1.0 403") != NULL) || (strstr(buf, "HTTP/1.0 404") != NULL)) {
return 0;
}
if (hydra_strcasestr(buf, "Location: ") != NULL) {
char *startloc, *endloc;
char str[2048];
startloc = hydra_strcasestr(buf, "Location: ") + strlen("Location: ");
strncpy(str, startloc, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endloc = strchr(str, '\n');
if (endloc != NULL)
*endloc = 0;
endloc = strchr(str, '\r');
if (endloc != NULL)
*endloc = 0;
strcpy(redirected_url_buff, str);
}
//there can be multiple cookies
if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) {
char *cookiebuf = buf;
do {
char *startcookie, *endcookie1, *endcookie2;
char str[1024], tmpcookie[4096] = "", tmpname[128] = "", *ptr, *ptr2;
memset(str, 0, sizeof(str));
startcookie = hydra_strcasestr(cookiebuf, "Set-Cookie: ") + strlen("Set-Cookie: ");
strncpy(str, startcookie, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endcookie1 = strchr(str, '\n');
endcookie2 = strchr(str, ';');
//terminate string after cookie data
if (endcookie1 != NULL && endcookie1 < endcookie2)
*endcookie1 = 0;
else
if (endcookie2 != NULL)
*endcookie2 = 0;
// is the cookie already there? if yes, remove it!
if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) {
strncpy(tmpname, startcookie, sizeof(tmpname) - 2);
tmpname[sizeof(tmpname) - 2] = 0;
ptr = index(tmpname, '=');
*(++ptr) = 0;
// is the cookie already in the cookiejar? (so, does it have to be replaced?)
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
}
ptr += strlen(tmpname);
// if there are any cookies after this one in the cookiejar, copy them over
if ((ptr2 = strstr(ptr, "; ")) != NULL) {
ptr2 += 2;
strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1);
}
if (debug) printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie);
strcpy(cookie, tmpcookie);
}
}
ptr = index(str, '=');
// only copy the cookie if it has a value (otherwise the server wants to delete the cookie
if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') {
if (strlen(cookie) > 0)
strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1);
strncat(cookie, str, sizeof(cookie) - strlen(cookie) - 1);
}
cookiebuf = startcookie;
} while (hydra_strcasestr(cookiebuf, "Set-Cookie: ") != NULL);
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, cond) == 1) {
#else
if (strstr(buf, cond) != NULL) {
#endif
free(buf);
// printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf);
return 1;
}
// else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf);
free(buf);
}
if (runs == 0) {
if (debug) hydra_report(stderr, "DEBUG: no response from server\n");
return -1;
}
return 0;
}
void hydra_reconnect(int s, char *ip, int port, unsigned char options) {
if (s >= 0)
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port);
}
}
int start_http_form(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) {
char *empty = "";
char *login, *pass, buffer[9000];
char header[8096], *upd3variables;
int found = !success_cond, i, j;
memset(header, 0, sizeof(header));
cookie[0] = 0; // reset cookies from potential previous attempt
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
upd3variables = strrep(variables, "^PASS^", pass);
upd3variables = strrep(upd3variables, "^USER^", login);
/* again: no snprintf to be portable. dont worry, buffer cant overflow */
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
if (getcookie) {
//doing a GET to save cookies
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla 5.0 (Hydra Proxy Auth)\r\n%s%s\r\n",
webtarget, webport, cookieurl, webtarget, proxy_authentication, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // return value ignored
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
webtarget, webport, url, webtarget, proxy_authentication, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer,
"GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\n%s%s\r\n",
webtarget, webport, url, upd3variables, webtarget, proxy_authentication, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
} else {
if (use_proxy == 1) {
// proxy without authentication
if (getcookie) {
//doing a GET to get cookies
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
webtarget, webport, url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
} else {
// direct web server, no proxy
if (getcookie) {
//doing a GET to save cookies
sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s\r\n", cookieurl, webtarget, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer, "GET %.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", url, upd3variables, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
}
}
found = analyze_server_response(s);
if (auth_flag) { // we received a 401 error - user using wrong module
hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %.1000s\r\n", cookie);
}
//if page was redirected, follow the location header
redirected_cpt = MAX_REDIRECT;
if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff);
while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) {
//we have to split the location
char *startloc, *endloc;
char str[2048];
char str2[2048];
char str3[2048];
redirected_cpt--;
redirected_flag = 0;
//check if the redirect page contains the fail/success condition
#ifdef HAVE_PCRE
if (hydra_string_match(redirected_url_buff, cond) == 1) {
#else
if (strstr(redirected_url_buff, cond) != NULL) {
#endif
found = success_cond;
} else {
//location could be either absolute http(s):// or / something
//or relative
startloc = strstr(redirected_url_buff, "://");
if (startloc != NULL) {
startloc += strlen("://");
if ((endloc=strchr(startloc, '\r')) != NULL) {
startloc[endloc - startloc] = 0;
}
if ((endloc=strchr(startloc, '\n')) != NULL) {
startloc[endloc - startloc] = 0;
}
strcpy(str, startloc);
endloc = strchr(str, '/');
if (endloc != NULL) {
strncpy(str2, str, endloc - str);
str2[endloc - str] = 0;
}
else
strncpy(str2, str, sizeof(str));
if (strlen(str) - strlen(str2) == 0) {
strcpy(str3, "/");
} else {
strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2) - 1);
str3[strlen(str) - strlen(str2) - 1] = 0;
}
} else {
strncpy(str2, webtarget, sizeof(str2));
if (redirected_url_buff[0] != '/') {
//it's a relative path, so we have to concatenate it
//with the path from the first url given
char *urlpath;
char urlpath_extracted[2048];
memset(urlpath_extracted, 0, sizeof(urlpath_extracted));
urlpath=strrchr(url, '/');
if (urlpath != NULL) {
strncpy(urlpath_extracted, url, urlpath-url);
sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff);
} else {
sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff);
}
} else
strncpy(str3, redirected_url_buff, sizeof(str3));
if (debug) hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3,url);
}
if (str3[0] != '/') {
j = strlen(str3);
str3[j + 1] = 0;
for (i = j; i > 0; i--)
str3[i] = str3[i - 1];
str3[0] = '/';
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3);
//re-use the code above to check for proxy use
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
webtarget, webport, str3, str2, proxy_authentication, header);
} else {
if (use_proxy == 1) {
// proxy without authentication
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, header);
} else {
//direct web server, no proxy
sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", str3, str2, header);
}
}
hydra_reconnect(s, ip, port, options);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
found = analyze_server_response(s);
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
}
}
//if the last status is still 3xx, set it as a false
if (found != -1 && found == success_cond && redirected_flag == 0 && redirected_cpt >= 0) {
hydra_report_found_host(port, ip, "www-form", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
return 1;
}
void service_http_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
hydra_register_socket(sp);
if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
if (freemischttpform == 0) {
freemischttpform = 1;
miscptr = malloc(strlen(ptr2) + 1);
strcpy(miscptr, ptr2);
*ptr2 = 0;
}
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
webtarget = hydra_address2string(ip);
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
sprintf(bufferurl, "%.1000s", miscptr);
url = strtok(bufferurl, ":");
variables = strtok(NULL, ":");
cond = strtok(NULL, ":");
sprintf(cookieurl, "%.1000s", url);
//condition now have to contain F or S to set the fail or success condition
if (cond && (strpos(cond, "F=") == 0)) {
success_cond = 0;
cond += 2;
} else if (cond && (strpos(cond, "S=") == 0)) {
success_cond = 1;
cond += 2;
} else {
//by default condition is a fail
success_cond = 0;
}
while ((optional1 = strtok(NULL, ":")) != NULL) {
switch(optional1[0]) {
case 'c': // fall through
case 'C':
sprintf(cookieurl, "%.1000s", optional1 + 2);
break;
case 'h': // fall through
case 'H':
if (sizeof(userheader) - strlen(userheader) > 4) {
strncat(userheader, optional1 + 2, sizeof(userheader) - strlen(userheader) - 4);
strcat(userheader, ":");
optional1 = strtok(NULL, ":");
strncat(userheader, optional1, sizeof(userheader) - strlen(userheader) - 3);
strcat(userheader, "\r\n");
}
break;
// no default
}
}
while (1) {
if (run == 2) {
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
}
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http_form(sock, ip, port, options, miscptr, fp, type);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(0);
break;
case 4: /* silent error exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
break;
default:
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
if (freemischttpform)
free(miscptr);
}
void service_telnet(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, fck;
int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if (miscptr != NULL)
make_to_lower(miscptr);
while (1) {
int first = 0;
int old_waittime = waittime;
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
no_line_mode = 0;
first = 0;
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
if ((buf = hydra_receive_line(sock)) == NULL) { /* check the first line */
hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n");
hydra_child_exit(2);
// hydra_child_exit(2);
}
if (hydra_strcasestr(buf, "ress ENTER") != NULL) {
hydra_send(sock, "\r\n", 2, 0);
free(buf);
if ((buf = hydra_receive_line(sock)) == NULL) {
hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n");
hydra_child_exit(2);
}
}
if (hydra_strcasestr(buf, "login") != NULL || hydra_strcasestr(buf, "sername:") != NULL) {
waittime = 6;
if (debug)
hydra_report(stdout, "DEBUG: waittime set to %d\n", waittime);
}
do {
unsigned char *buf2 = (unsigned char *) buf;
while (*buf2 == IAC) {
if (first == 0) {
if (debug)
hydra_report(stdout, "DEBUG: requested line mode\n");
fck = write(sock, "\xff\xfb\x22", 3);
first = 1;
}
if ((buf[1] == '\xfc' || buf[1] == '\xfe') && buf2[2] == '\x22') {
no_line_mode = 1;
if (debug)
hydra_report(stdout, "DEBUG: TELNETD peer does not like linemode!\n");
}
if (buf2[2] != '\x22') {
if (buf2[1] == WILL || buf2[1] == WONT) {
buf2[1] = DONT;
} else if (buf2[1] == DO || buf2[1] == DONT) {
buf2[1] = WONT;
}
fck = write(sock, buf2, 3);
}
buf2 = buf2 + 3;
}
if (buf2 != (unsigned char *) buf) {
free(buf);
buf = hydra_receive_line(sock);
} else {
buf[0] = 0;
}
if (buf != NULL && buf[0] != 0 && (unsigned char) buf[0] != IAC)
make_to_lower(buf);
} while (buf != NULL && (unsigned char) buf[0] == IAC && hydra_strcasestr(buf, "ogin:") == NULL && hydra_strcasestr(buf, "sername:") == NULL);
free(buf);
waittime = old_waittime;
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_telnet(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s) > 0) {
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
free(buf);
}
switch (smtp_auth_mechanism) {
case AUTH_PLAIN:
sprintf(buffer, "AUTH PLAIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf);
free(buf);
return 3;
}
free(buf);
memset(buffer, 0, sizeof(buffer));
sasl_plain(buffer, login, pass);
sprintf(buffer, "%.250s\r\n", buffer);
break;
#ifdef LIBOPENSSLNEW
case AUTH_CRAMMD5:{
int rc = 0;
char *preplogin;
rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
return 3;
}
sprintf(buffer, "AUTH CRAM-MD5\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
//get the one-time BASE64 encoded challenge
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf + 4);
free(buf);
memset(buffer2, 0, sizeof(buffer2));
sasl_cram_md5(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
sprintf(buffer, "%.250s\r\n", buffer);
free(preplogin);
}
break;
case AUTH_DIGESTMD5:{
sprintf(buffer, "AUTH DIGEST-MD5\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
}
memset(buffer, 0, sizeof(buffer));
from64tobits((char *) buffer, buf + 4);
free(buf);
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
if (buffer2 == NULL)
return 3;
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
#endif
case AUTH_NTLM:{
unsigned char buf1[4096];
unsigned char buf2[4096];
//send auth and receive challenge
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
sprintf(buffer, "AUTH NTLM %s\r\n", buf1);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf);
free(buf);
return 3;
}
//recover challenge
from64tobits((char *) buf1, buf + 4);
free(buf);
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
default:
/* by default trying AUTH LOGIN */
sprintf(buffer, "AUTH LOGIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
/* 504 5.7.4 Unrecognized authentication type */
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf);
free(buf);
return 3;
}
free(buf);
sprintf(buffer2, "%.250s", login);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf);
free(buf);
return (3);
}
free(buf);
sprintf(buffer2, "%.250s", pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
#ifdef LIBOPENSSLNEW
if (smtp_auth_mechanism == AUTH_DIGESTMD5) {
if (strstr(buf, "334") != NULL) {
memset(buffer2, 0, sizeof(buffer2));
from64tobits((char *) buffer2, buf + 4);
if (strstr(buffer2, "rspauth=") != NULL) {
hydra_report_found_host(port, ip, "smtp", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
}
} else
#endif
{
if (strstr(buf, "235") != NULL) {
hydra_report_found_host(port, ip, "smtp", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, i = 0;
int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL, disable_tls = 0;
char *buffer1 = "EHLO hydra\r\n";
char *buffer2 = "HELO hydra\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* receive initial header */
if ((buf = hydra_receive_line(sock)) == NULL)
hydra_child_exit(2);
if (strstr(buf, "220") == NULL) {
hydra_report(stderr, "[WARNING] SMTP does not allow to connect: %s\n", buf);
free(buf);
hydra_child_exit(2);
}
while (strstr(buf, "220 ") == NULL) {
free(buf);
buf = hydra_receive_line(sock);
}
free(buf);
/* send ehlo and receive/ignore reply */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
buf = smtp_read_server_capacity(sock);
if (buf == NULL)
hydra_child_exit(2);
#ifdef LIBOPENSSLNEW
if (!disable_tls) {
/* if we got a positive answer */
if (buf[0] == '2') {
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "STARTTLS\r\n", strlen("STARTTLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '2') {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* ask again capability request but in TLS mode */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
buf = smtp_read_server_capacity(sock);
if (buf == NULL)
hydra_child_exit(2);
}
}
}
}
#endif
if (buf[0] != '2') {
if (hydra_send(sock, buffer2, strlen(buffer2), 0) < 0)
hydra_child_exit(2);
free(buf);
buf = smtp_read_server_capacity(sock);
if (buf == NULL)
hydra_child_exit(2);
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) {
smtp_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSLNEW
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "DIGEST-MD5") != NULL)) {
smtp_auth_mechanism = AUTH_DIGESTMD5;
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "CRAM-MD5") != NULL)) {
smtp_auth_mechanism = AUTH_CRAMMD5;
}
#endif
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "PLAIN") != NULL)) {
smtp_auth_mechanism = AUTH_PLAIN;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "LOGIN", 5) == 0)
smtp_auth_mechanism = AUTH_LOGIN;
if (strncmp(miscptr, "PLAIN", 5) == 0)
smtp_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSLNEW
if (strncmp(miscptr, "CRAM-MD5", 8) == 0)
smtp_auth_mechanism = AUTH_CRAMMD5;
if (strncmp(miscptr, "DIGEST-MD5", 10) == 0)
smtp_auth_mechanism = AUTH_DIGESTMD5;
#endif
if (strncmp(miscptr, "NTLM", 4) == 0)
smtp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (smtp_auth_mechanism) {
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using SMTP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using SMTP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSLNEW
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using SMTP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using SMTP DIGEST-MD5 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using SMTP NTLM AUTH mechanism\n");
break;
}
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_smtp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0) {
sock = hydra_disconnect(sock);
}
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_socks5(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[300];
int pport, fud = 0;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
memcpy(buffer, "\x05\x02\x00\x02", 4);
if (hydra_send(s, buffer, 4, 0) < 0) {
return 1;
}
if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) {
fail_cnt++;
if (fail_cnt >= 10)
return 5;
return (1);
}
fail_cnt = 0;
if (buf[0] != 5) {
if (buf[0] == 4) {
hydra_report(stderr, "[ERROR] Sorry Socks4 / Socks4a ident is not supported\n");
} else {
hydra_report(stderr, "[ERROR] Socks5 protocol or service shutdown: %s\n", buf);
}
free(buf);
return (4);
}
if (buf[1] == 0 || buf[1] == 32) {
hydra_report(stderr, "[INFO] Socks5 server does NOT require any authentication!\n");
free(buf);
return (4);
}
if (buf[1] != 0x2) {
hydra_report(stderr, "[ERROR] Socks5 protocol or service shutdown: %s\n", buf);
free(buf);
return (4);
}
free(buf);
/* RFC 1929
For username/password authentication the client's authentication request is
field 1: version number, 1 byte (must be 0x01)
*/
snprintf(buffer, sizeof(buffer), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL)
return (1);
if (buf[1] != 255) {
/* new: false positive check */
free(buf);
pport = htons(port);
if (ip[0] == 16) {
memcpy(buffer, "\x05\x01\x00\x04", 4);
memcpy(buffer + 4, &ip[1], 16);
memcpy(buffer + 20, &pport, 2);
hydra_send(s, buffer, 22, 0);
} else {
memcpy(buffer, "\x05\x01\x00\x01", 4);
memcpy(buffer + 4, &ip[1], 4);
memcpy(buffer + 8, &pport, 2);
hydra_send(s, buffer, 10, 0);
}
if ((buf = (unsigned char *) hydra_receive_line(s)) != NULL) {
if (buf[1] == 0 || buf[1] == 32) {
hydra_report_found_host(port, ip, "socks5", fp);
hydra_completed_pair_found();
fud = 1;
} else if (buf[1] != 2) {
hydra_report_found_host_msg(port, ip, "socks5", fp, "might be a false positive!");
}
}
}
if (buf != NULL)
free(buf);
if (fud == 0)
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
int start_oracle_listener(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
char *empty = "";
char *pass;
char connect_string[200];
char buffer2[260];
int siz = 0;
memset(connect_string, 0, sizeof(connect_string));
memset(buffer2, 0, sizeof(buffer2));
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (sid_mechanism == AUTH_PLAIN) {
if ((hash = malloc(HASHSIZE)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
if (ora_hash_password(pass)) {
hydra_report(stderr, "[ERROR] generating Oracle hash\n");
free(hash);
return 1;
}
pass = (char *) hash;
}
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass);
if (hash != NULL)
free(hash);
if (verbose)
hydra_report(stderr, "[VERBOSE] using connectiong string: %s\n", connect_string);
siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
if (siz > 255) {
buffer2[0] = 1;
buffer2[1] = siz - 256;
} else {
buffer2[1] = siz;
}
memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin));
siz = strlen(connect_string);
if (siz > 255) {
buffer2[2 + sizeof(tns_packet_begin)] = 1;
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256;
} else {
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz;
}
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end));
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string));
if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (verbose)
hydra_report(stderr, "[VERBOSE] Server answer: %s\n", buf);
if (strstr(buf, "ERR=0") != NULL) {
hydra_report_found_host(port, ip, "oracle-listener", fp);
hydra_completed_pair_found();
} else
hydra_completed_pair();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
int start_sshkey(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *key, keep_login[300];
int auth_state = 0, rc = 0, i = 0;
ssh_private_key privkey;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(key = hydra_get_next_password()) == 0)
key = empty;
if (new_session) {
if (session) {
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
}
session = ssh_new();
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
ssh_options_set(session, SSH_OPTIONS_USER, login);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
//if the connection was drop, exit and let hydra main handle it
if (verbose)
hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port);
return 3;
}
if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
return 3;
} else if (rc == SSH_AUTH_SUCCESS) {
hydra_report_found_host(port, ip, "sshkey", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
else
return 1;
}
} else
new_session = 1;
auth_state = ssh_auth_list(session);
if ((auth_state & SSH_AUTH_METHOD_PUBLICKEY) > 0) {
privkey = privatekey_from_file(session, key, 0, NULL);
if (!privkey) {
hydra_report(stderr, "[ERROR] skipping invalid private key: \"%s\"\n", key);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
auth_state = ssh_userauth_pubkey(session, NULL, NULL, privkey);
} else {
return 4;
}
if (auth_state == SSH_AUTH_ERROR) {
new_session = 1;
return 1;
}
if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
hydra_report_found_host(port, ip, "sshkey", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
} else {
strncpy(keep_login, login, sizeof(keep_login) - 1);
keep_login[sizeof(keep_login) - 1] = '\0';
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
login = hydra_get_next_login();
if (strcmp(login, keep_login) == 0)
new_session = 0;
return 1;
}
/* not reached */
return 1;
}
void service_oracle_listener(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
strupper(miscptr);
if (strncmp(miscptr, "CLEAR", 5) == 0)
sid_mechanism = AUTH_CLEAR;
}
if (verbose) {
switch (sid_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using SID CLEAR mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using SID PLAIN mechanism\n");
break;
}
}
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* run the cracking function */
next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
