Esempio n. 1
0
int ClientAuthenticate(const char *protocol, const char *name, const char *pwd, const char *domain, const char *hostname)
{
	tSmbNtlmAuthRequest request;
	tSmbNtlmAuthChallenge challenge;
	tSmbNtlmAuthResponse response;
	short len;
	
	buildSmbNtlmAuthRequest(&request,name?(char*)name:(char*)"",domain?(char*)domain:(char*)"");
	len=htons(SmbLength(&request));
	if(tcp_write(&len,sizeof(len))<0)
	  return 0;
	if(tcp_write(&request,SmbLength(&request))<0)
	  return 0;
	if(tcp_read(&len,2)!=2)
	  return 0;
	if(!len)
	  return 0;
	if(tcp_read(&challenge,ntohs(len))!=ntohs(len))
	  return 0;
	buildSmbNtlmAuthResponse(&challenge, &response, name?(char*)name:(char*)"", pwd?(char*)pwd:(char*)"");
	len=htons(SmbLength(&response));
	if(tcp_write(&len,sizeof(len))<0)
	  return 0;
	if(tcp_write(&response, SmbLength(&response))<0)
	  return 0;
	return 1;
}
Esempio n. 2
0
static VALUE
ntlm_negotiate(VALUE obj)
{
  tSmbNtlmAuthRequest request;
  buildSmbNtlmAuthRequest(&request, "Workstation", "Domain");
  return rb_str_new((const char *)&request, SmbLength(&request));
}
Esempio n. 3
0
smheader *GetSmbPacket3(smheader* SmbPacket2,char *lpUserName, char *lpPassword,  char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3)
{
	char buf2[16384];
	smheader *SmbPacket3;
	memset((char*)buf2,'\0',sizeof(buf2));
	buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,lpUserName,lpPassword,domainname,host, OptionalNtlmPacket3);
    //DumpMem((void*)buf2,sizeof(tSmbNtlmAuthResponse));
	SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2));
	return(SmbPacket3);
}
Esempio n. 4
0
static VALUE
ntlm_authenticate(VALUE obj, VALUE challenge, VALUE user_at_domain, VALUE password)
{
  tSmbNtlmAuthResponse response;

  Check_Type(challenge, T_STRING);
  Check_Type(user_at_domain, T_STRING);
  Check_Type(password, T_STRING);

  buildSmbNtlmAuthResponse((tSmbNtlmAuthChallenge *)RSTRING_PTR(challenge), &response, RSTRING_PTR(user_at_domain), RSTRING_PTR(password));

  return rb_str_new((const char *)&response, SmbLength(&response));
}
Esempio n. 5
0
smheader *BuildSmbPacket1(void)
{
	char buf2[4096];
	smheader *SmbPacket1;
	memset((char*)buf2,'\0',sizeof(buf2));
	BuildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
#ifdef _DBG_
	DumpMem((char*)buf2,SmbLength((tSmbNtlmAuthRequest*)buf2));
#endif
	SmbPacket1=BuildSmbPacket((smheader*)NULL,SESSIONSETUPANDX,0,buf2,40);

	return(SmbPacket1);
}
Esempio n. 6
0
int
start_http_proxy_auth_ntlm(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp)
{
  char *empty = "";
  char *login, *pass, buffer[500];
  char url[210], host[30];
  char *header = "";            /* XXX TODO */
  char *ptr;
  //beware of fixed sized buffer, asserts may fail, don't use long strings :)
  //Yes, I Know, year 2k6 and still with this shit..
  unsigned char buf1[4096];
  unsigned char buf2[4096];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

//  sprintf(buffer2, "%.50s:%.50s", login, pass);
//  hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

  if (miscptr == NULL) {
    strcpy(url, "http://www.microsoft.com/");
    strcpy(host, "Host: www.microsoft.com\r\n");
  } else {
    sprintf(url, "%.200s", miscptr);
    strcpy(host, ""); /* too lazy to parse the URL, me too */
  }

  //send dummy request
  sprintf(buffer, "HEAD %s HTTP/1.0\r\n%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
    return 1;

  //receive first 40x
  buf = hydra_receive_line(s);
  while (strstr(buf, "HTTP") == NULL && buf != NULL)
    buf = hydra_receive_line(s);


  //send auth and receive challenge
  //send auth request: let the server send it's own hostname and domainname
  buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
  to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2));

  /* to be portable, no snprintf, buffer is big enough so it cant overflow */
  //send the first..
  sprintf(buffer, "HEAD %s HTTP/1.0\r\n%sAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buf1, header);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
    return 1;

  //receive challenge
  buf = hydra_receive_line(s);
  while (strstr(buf, "WWW-Authenticate: NTLM ") == NULL && buf != NULL)
    buf = hydra_receive_line(s);

  //recover challenge
  from64tobits((char*)buf1, buf+23);

  //Send response
  buildAuthResponse((tSmbNtlmAuthChallenge*)buf1,(tSmbNtlmAuthResponse*)buf2,0,login,pass,NULL,NULL);
  to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2));
  sprintf(buffer, "HEAD %s HTTP/1.0\r\n%sAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buf1, header);
  if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
    return 1;

  buf = hydra_receive_line(s);
  while (strstr(buf, "HTTP/1.") == NULL && buf != NULL)
    buf = hydra_receive_line(s);

  if (buf == NULL)
    return 1;

/*
    while (hydra_data_ready(s) > 0)
      recv(s, buffer, sizeof(buf), 0);
        buf = hydra_receive_line(s);
*/

  ptr = ((char *) index(buf, ' ')) + 1;
  if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1')) {
    hydra_report_found_host(port, ip, "http-proxy", fp);
    hydra_completed_pair_found();
  } else {
    if (*ptr != '4')
      printf("Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass);
    hydra_completed_pair();
  }

  free(buf);

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;

}
Esempio n. 7
0
/*
  A0001 AUTHENTICATE NTLM
  
  NTLM IMAP Authentication
  Based on:
    http://curl.haxx.se/rfc/ntlm.html#ntlmImapAuthentication
    http://src.opensolaris.org/source/xref/sfw/usr/src/cmd/fetchmail/fetchmail-6.3.8/README.NTLM
*/
int sendAuthNTLM(int hSocket, _MODULE_DATA* _psSessionData, char* szLogin, char* szPassword)
{
  unsigned char* bufSend = NULL;
  unsigned char* bufReceive = NULL;
  int nSendBufferSize = 0;
  int nReceiveBufferSize = 0;
  tSmbNtlmAuthRequest   sTmpReq;
  tSmbNtlmAuthChallenge sTmpChall;
  tSmbNtlmAuthResponse  sTmpResp;
  unsigned char* szTmpBuf = NULL;
  unsigned char* szTmpBuf64 = NULL;

  /* --- Send initial AUTHENTICATE NTLM command --- */
  nSendBufferSize = strlen(_psSessionData->szTag) + 21;
  bufSend = malloc(nSendBufferSize + 1);
  memset(bufSend, 0, nSendBufferSize + 1);
  sprintf(bufSend, "%s AUTHENTICATE NTLM\r\n", _psSessionData->szTag);
  
  if (medusaSend(hSocket, bufSend, strlen(bufSend), 0) < 0)
  {
    writeError(ERR_ERROR, "%s failed: medusaSend was not successful", MODULE_NAME);
  }
  FREE(bufSend); 

  /* Server should respond with an empty challenge, consisting simply of a "+" */
  nReceiveBufferSize = 0;
  if ((medusaReceiveRegex(hSocket, &bufReceive, &nReceiveBufferSize, "\\+\r\n") == FAILURE) || (bufReceive == NULL))
  {
    writeError(ERR_ERROR, "[%s] IMAP server did not respond with \"+\" to AUTHENTICATE NTLM request.", MODULE_NAME);
    writeError(ERR_ERROR, "[%s] IMAP server sent the following response: %s", MODULE_NAME, bufReceive);
    return FAILURE;
  }
  FREE(bufReceive);

  /* --- Send Base-64 encoded Type-1 message --- */
  buildAuthRequest(&sTmpReq, 0, NULL, NULL);
  
  szTmpBuf64 = malloc(2 * SmbLength(&sTmpReq) + 2);
  memset(szTmpBuf64, 0, 2 * SmbLength(&sTmpReq) + 2);

  base64_encode((char *)&sTmpReq, SmbLength(&sTmpReq), szTmpBuf64);
  writeError(ERR_DEBUG_MODULE, "[%s] Sending initial challenge (B64 Encoded): %s", MODULE_NAME, szTmpBuf64);

  nSendBufferSize = strlen(szTmpBuf64) + 2;
  bufSend = malloc(nSendBufferSize + 1);
  memset(bufSend, 0, nSendBufferSize + 1);
  sprintf(bufSend, "%s\r\n", szTmpBuf64);

  FREE(szTmpBuf64);

  if (medusaSend(hSocket, bufSend, strlen(bufSend), 0) < 0)
  {
    writeError(ERR_ERROR, "[%s] failed: medusaSend was not successful", MODULE_NAME);
    return FAILURE;
  }
  FREE(bufSend); 
  
  /* Server should respond with a Base-64 encoded Type-2 challenge message. The challenge response format is 
     specified by RFC 1730 ("+", followed by a space, followed by the challenge message). */
  nReceiveBufferSize = 0;
  if ((medusaReceiveRegex(hSocket, &bufReceive, &nReceiveBufferSize, "\\+ .*\r\n") == FAILURE) || (bufReceive == NULL))
  {
    writeError(ERR_ERROR, "[%s] Server did not send valid Type-2 challenge response.", MODULE_NAME);
    return FAILURE;
  }

  szTmpBuf = ((char*)index(bufReceive, '\r'));
  szTmpBuf[0] = '\0';

  writeError(ERR_DEBUG_MODULE, "[%s] NTLM Challenge (B64 Encoded): %s", MODULE_NAME, bufReceive + 2);
  base64_decode(bufReceive + 2, (char *)&sTmpChall);

  FREE(bufReceive);
  
  /* --- Calculate and send Base-64 encoded Type 3 response --- */
 
  buildAuthResponse(&sTmpChall, &sTmpResp, 0, szLogin, szPassword, _psSessionData->szDomain, NULL); 

  szTmpBuf64 = malloc(2 * SmbLength(&sTmpResp) + 2);
  memset(szTmpBuf64, 0, 2 * SmbLength(&sTmpResp) + 2);

  base64_encode((char *)&sTmpResp, SmbLength(&sTmpResp), szTmpBuf64);
  writeError(ERR_DEBUG_MODULE, "[%s] NTLM Response (B64 Encoded): %s", MODULE_NAME, szTmpBuf64);

  nSendBufferSize = strlen(szTmpBuf64) + 2;
  bufSend = malloc(nSendBufferSize + 1);
  memset(bufSend, 0, nSendBufferSize + 1);
  sprintf(bufSend, "%s\r\n", szTmpBuf64);

  if (medusaSend(hSocket, bufSend, nSendBufferSize, 0) < 0)
  {
    writeError(ERR_ERROR, "[%s] failed: medusaSend was not successful", MODULE_NAME);
    return FAILURE;
  }

  FREE(szTmpBuf64);
  FREE(bufSend);

  /* Server should validate the response and indicate the result of authentication.
     e.g.  0001 OK AUTHENTICATE NTLM completed. */

  return SUCCESS;
}
Esempio n. 8
0
int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) {
  char *empty = "";
  char *login, *pass, *buffer, buffer2[500];
  char *header;
  char *ptr, *fooptr;
  int32_t complete_line = 0, buffer_size;
  char tmpreplybuf[1024] = "", *tmpreplybufptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (strcmp(type, "POST") == 0)
    add_header(&ptr_head, "Content-Length", "0", HEADER_TYPE_DEFAULT);

  header = stringify_headers(&ptr_head);

  buffer_size = strlen(header) + 500;
  if(!(buffer = malloc(buffer_size))) {
    free(header);
    return 3;
  }

  // we must reset this if buf is NULL and we do MD5 digest
  if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5)
    http_auth_mechanism = AUTH_BASIC;

  if (use_proxy > 0 && proxy_count > 0)
    selected_proxy = random() % proxy_count;

  switch (http_auth_mechanism) {
  case AUTH_BASIC:
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    /* again: no snprintf to be portable. don't worry, buffer can't overflow */
    if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
              type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header);
    else {
      if (use_proxy == 1)
        sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buffer2, header);
      else
        sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
    }
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_DIGESTMD5:{
      char *pbuffer;

      pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");
      strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1);
      buffer[buffer_size - 1] = '\0';

      fooptr = buffer2;
      sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
      if (fooptr == NULL) {
        free(buffer);
        free(header);
        return 3;
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer2);
      strcpy(buffer, buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it can't overflow */
      //send the first..
      if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
        sprintf(buffer,
                "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
                  buf1, header);
      }

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        free(buffer);
        free(header);
        return 1;
      }

      //receive challenge
      if (http_buf != NULL)
        free(http_buf);

      http_buf = hydra_receive_line(s);
      if (http_buf == NULL) {
        if (verbose)
          hydra_report(stderr, "[ERROR] Server did not answer\n");
        free(buffer);
        free(header);
        return 3;
      }

      pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ");
      if (pos != NULL) {
        char *str;

        pos += 23;
        if ((str = strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str = strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0;
        }
      } else {
        hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n");
        return 3;
      }

      //recover challenge
      from64tobits((char *) buf1, pos);
      free(http_buf);
      http_buf = NULL;

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      //create the auth response
      if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
        sprintf(buffer,
                "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
                  buf1, header);
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
    }
    break;
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    free(buffer);
    free(header);
    return 1;
  }

  if (http_buf != NULL)
    free(http_buf);
  http_buf = hydra_receive_line(s);
  complete_line = 0;
  tmpreplybuf[0] = 0;

  while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) {
    if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
    if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) {
      strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1);
      tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0;
      free(http_buf);
      http_buf = hydra_receive_line(s);
    } else if (tmpreplybuf[0] != 0) {
      complete_line = 1;
      if ((tmpreplybufptr = malloc(strlen(tmpreplybuf) + strlen(http_buf) + 1)) != NULL) {
        strcpy(tmpreplybufptr, tmpreplybuf);
        strcat(tmpreplybufptr, http_buf);
        free(http_buf);
        http_buf = tmpreplybufptr;
        if (debug) printf("http_buf now: %s\n", http_buf);
      }
    } else {
      free(http_buf);
      http_buf = hydra_receive_line(s);
    }
  }

  //if server cut the connection, just exit cleanly or 
  //this will be an infinite loop
  if (http_buf == NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] Server did not answer\n");
    free(buffer);
    free(header);
    return 3;
  }

  if (debug)
    hydra_report(stderr, "S:%s\n", http_buf);

  ptr = ((char *) index(http_buf, ' '));
  if (ptr != NULL)
    ptr++;
  if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
    if (http_buf != NULL) {
      free(http_buf);
      http_buf = NULL;
    }
  } else {
    if (ptr != NULL && *ptr != '4')
      fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass);

    //the first authentication type failed, check the type from server header
    if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
      //seems the auth supported is not Basic scheme so testing further
      int32_t find_auth = 0;

      if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) {
        http_auth_mechanism = AUTH_NTLM;
        find_auth = 1;
      }
#ifdef LIBOPENSSL
      if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) {
        http_auth_mechanism = AUTH_DIGESTMD5;
        find_auth = 1;
      }
#endif

      if (find_auth) {
//        free(http_buf);
//        http_buf = NULL;
        free(buffer);
        free(header);
        return 1;
      }
    }
    hydra_completed_pair();
  }
//  free(http_buf);
//  http_buf = NULL;
  free(buffer);
  free(header);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Esempio n. 9
0
int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];
  char *header = "";            /* XXX TODO */
  char *ptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  switch (http_auth_mechanism) {
  case AUTH_BASIC:
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    /* again: no snprintf to be portable. dont worry, buffer cant overflow */
    if (use_proxy == 1 && proxy_authentication != NULL)
      sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
              type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header);
    else {
      if (use_proxy == 1)
        sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buffer2, header);
      else
        sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
    }
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    break;

#ifdef LIBOPENSSL
  case AUTH_DIGESTMD5:{
      char *pbuffer;

      pbuffer = hydra_strcasestr(buf, "WWW-Authenticate: Digest ");
      strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer));
      buffer[sizeof(buffer) - 1] = '\0';

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header);
      if (buffer2 == NULL) {
        return 3;
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer2);
      strcpy(buffer, buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it cant overflow */
      //send the first..
      if (use_proxy == 1 && proxy_authentication != NULL)
        sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header);
      }

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;

      //receive challenge
      buf = hydra_receive_line(s);
      while (buf != NULL && (pos = hydra_strcasestr(buf, "WWW-Authenticate: NTLM ")) == NULL) {
        free(buf);
        buf = hydra_receive_line(s);
      }

      if (buf == NULL)
        return 1;

      if (pos != NULL) {
        char *str;

        pos+=23;
        if ((str=strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str=strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0; }
      }

      //recover challenge
      from64tobits((char *) buf1, pos);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      //create the auth response
      if (use_proxy == 1 && proxy_authentication != NULL)
        sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header);
      else {
        if (use_proxy == 1)
          sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
                  type, webtarget, webport, miscptr, webtarget, buf1, header);
        else
          sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header);
      }

      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
    }
    break;
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  buf = hydra_receive_line(s);
  while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
    free(buf);
    buf = hydra_receive_line(s);
  }

  //if server cut the connection, just exit cleanly or 
  //this will be an infinite loop
  if (buf == NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] Server did not answer\n");
    return 3;
  }

  if (debug)
    hydra_report(stderr, "S:%s\n", buf);

  ptr = ((char *) index(buf, ' ')) + 1;
  if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) {
    hydra_report_found_host(port, ip, "www", fp);
    hydra_completed_pair_found();
  } else {
    if (ptr != NULL && *ptr != '4')
      fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass);

    //the first authentication type failed, check the type from server header
    if ((hydra_strcasestr(buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) {
      //seems the auth supported is not Basic shceme so testing further
      int find_auth = 0;

      if (hydra_strcasestr(buf, "WWW-Authenticate: NTLM") != NULL) {
        http_auth_mechanism = AUTH_NTLM;
        find_auth = 1;
      }
#ifdef LIBOPENSSL
      if (hydra_strcasestr(buf, "WWW-Authenticate: Digest") != NULL) {
        http_auth_mechanism = AUTH_DIGESTMD5;
        find_auth = 1;
      }
#endif

      if (find_auth) {
        free(buf);
        return 1;
      }
    }
    hydra_completed_pair();
  }
  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;

}
Esempio n. 10
0
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return 4;
    free(buf);
  }

  switch (p->pop3_auth_mechanism) {
#ifdef LIBOPENSSL
  case AUTH_APOP:{
      MD5_CTX c;
      unsigned char md5_raw[MD5_DIGEST_LENGTH];
      int i;
      char *pbuffer = buffer2;

      MD5_Init(&c);
      MD5_Update(&c, apop_challenge, strlen(apop_challenge));
      MD5_Update(&c, pass, strlen(pass));
      MD5_Final(md5_raw, &c);

      for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
        sprintf(pbuffer, "%02x", md5_raw[i]);
        pbuffer += 2;
      }
      sprintf(buffer, "APOP %s %s\r\n", login, buffer2);
    }
    break;
#endif

  case AUTH_LOGIN:{
      sprintf(buffer, "AUTH LOGIN\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      strcpy(buffer2, login);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

      sprintf(buffer, "%.250s\r\n", buffer2);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;

      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      strcpy(buffer2, pass);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%.250s\r\n", buffer2);
    }
    break;

  case AUTH_PLAIN:{
      sprintf(buffer, "AUTH PLAIN\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);

      memset(buffer, 0, sizeof(buffer));
      sasl_plain(buffer, login, pass);
      sprintf(buffer, "%.250s\r\n", buffer);
    }
    break;

#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:
  case AUTH_CRAMSHA1:
  case AUTH_CRAMSHA256:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      switch (p->pop3_auth_mechanism) {
      case AUTH_CRAMMD5:
        sprintf(buffer, "AUTH CRAM-MD5\r\n");
        break;
      case AUTH_CRAMSHA1:
        sprintf(buffer, "AUTH CRAM-SHA1\r\n");
        break;
      case AUTH_CRAMSHA256:
        sprintf(buffer, "AUTH CRAM-SHA256\r\n");
        break;
      }
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge

      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        switch (p->pop3_auth_mechanism) {
        case AUTH_CRAMMD5:
          hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA1:
          hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA256:
          hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf);
          break;
        }
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 2);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));

      switch (p->pop3_auth_mechanism) {
      case AUTH_CRAMMD5:{
          sasl_cram_md5(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA1:{
          sasl_cram_sha1(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA256:{
          sasl_cram_sha256(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      }
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTH DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf);
      free(buf);

      if (verbose)
        hydra_report(stderr, "[VERBOSE] S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "[VERBOSE] C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //Send auth request
      sprintf(buffer, "AUTH NTLM\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;
      if (buf[0] != '+') {
        hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      //send auth and receive challenge
      //send auth request: lst the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      if ((buf = hydra_receive_line(s)) == NULL)
        return 4;

      //recover challenge
      from64tobits((char *) buf1, buf + 2);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
    }
    break;
  default:
    sprintf(buffer, "USER %.250s\r\n", login);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 4;
    if (buf[0] != '+') {
      hydra_report(stderr, "[ERROR] POP3 protocol or service shutdown: %s\n", buf);
      free(buf);
      return (3);
    }
    free(buf);
    sprintf(buffer, "PASS %.250s\r\n", pass);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }

  if ((buf = hydra_receive_line(s)) == NULL) {
    return 4;
 }

  if (buf[0] == '+') {
    hydra_report_found_host(port, ip, "pop3", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  /* special AS/400 hack */
  if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) {
    hydra_completed_pair_skip();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Esempio n. 11
0
int
_gsasl_ntlm_client_step (Gsasl_session * sctx,
                         void *mech_data,
                         const char *input, size_t input_len,
                         char **output, size_t * output_len)
{
    _Gsasl_ntlm_state *state = mech_data;
    tSmbNtlmAuthRequest request;
    tSmbNtlmAuthChallenge challenge;
    tSmbNtlmAuthResponse response;
    const char *domain = gsasl_property_get (sctx, GSASL_REALM);
    const char *authid = gsasl_property_get (sctx, GSASL_AUTHID);
    const char *password;
    int res;

    if (!authid)
        return GSASL_NO_AUTHID;

    switch (state->step)
    {
    case 0:
        /* Isn't this just the IMAP continuation char?  Not part of SASL mech.
           if (input_len != 1 && *input != '+')
           return GSASL_MECHANISM_PARSE_ERROR; */

        buildSmbNtlmAuthRequest (&request, authid, domain);

        *output_len = SmbLength (&request);
        *output = malloc (*output_len);
        if (!*output)
            return GSASL_MALLOC_ERROR;
        memcpy (*output, &request, *output_len);

        /* dumpSmbNtlmAuthRequest(stdout, &request); */

        state->step++;
        res = GSASL_NEEDS_MORE;
        break;

    case 1:
        if (input_len > sizeof (challenge))
            return GSASL_MECHANISM_PARSE_ERROR;

        /* Hand crafted challenge for parser testing:
           TlRMTVNTUAAAAAAAAAAAAAAAAAAAAGFiY2RlZmdoMDEyMzQ1Njc4ODY2NDQwMTIz */

        memcpy (&challenge, input, input_len);

        password = gsasl_property_get (sctx, GSASL_PASSWORD);
        if (!password)
            return GSASL_NO_PASSWORD;

        buildSmbNtlmAuthResponse (&challenge, &response, authid, password);

        *output_len = SmbLength (&response);
        *output = malloc (*output_len);
        if (!*output)
            return GSASL_MALLOC_ERROR;
        memcpy (*output, &response, *output_len);

        /* dumpSmbNtlmAuthResponse(stdout, &response); */

        state->step++;
        res = GSASL_OK;
        break;

    default:
        res = GSASL_MECHANISM_CALLED_TOO_MANY_TIMES;
        break;
    }

    return res;
}
Esempio n. 12
0
/* does both calls*/
int
get_ntlm_page (char *url, char *user, char *password, char *domain,
	       char *responsebuf)
{
  tSmbNtlmAuthRequest request;
  char buf[15000], *response;
  unsigned char buf2[5000];
  unsigned long retval;
  int notfin;
  memset((char*)&request,0,sizeof(request));
  memset(buf,0,sizeof(buf));
  memset(buf2,0,sizeof(buf2));
  memset(&request,0x00,sizeof(request));

  /*first we request to authorize via NTLM */
  buildSmbNtlmAuthRequest ((tSmbNtlmAuthRequest *) & request, user, domain);
  /*go to base64 - need to integrate this into SPIKE proper */
  to64frombits (buf, (unsigned char *) &request, SmbLength (&request));
  /*throw that in to NTLM Auth: */

  send_ntlm_packet (buf, METHOD);
  spike_clear ();
  memset(buf,0,sizeof(buf));

  printf ("reading server response\n");

  /*now we should have gotten a valid response from the server */
  notfin = 1;
  retval = 1;
  response=NULL;
  while (retval && notfin)
    {
      memset (buf, 0x00, sizeof (buf));
      notfin = s_fd_wait ();
      if (!notfin)
	break;
      retval = read (our_spike->fd, buf, 2500);
      if (retval)
	{
	  /*here we look for the string "WWW-Authenticate: NTLM " followed
	     *             by a base64 encoded value which is deliminated by a \r\n" */
	  if (response == 0)
	    {
	      if ((response = s_scan_for_variable (buf,
						   "WWW-Authenticate: NTLM ",
						   "\r\n")) != NULL)
		{
		  /*found our string */
		  printf ("Found our WWW-auth string\n");
		  //break;
		}
	      /*printf("%s",buffer); */
	    }
	}
      else
	{
	  break;
	}
    }				/*end while read loop */
  if (response == NULL)
    {
      printf ("Couldn't find WWW-Authenticate string!\n");
      return (0);

    }

  /*Grab the NTLM AUTH: response */
  from64tobits (buf, response);
  buildSmbNtlmAuthResponse ((tSmbNtlmAuthChallenge *) buf,
			    (tSmbNtlmAuthResponse *) buf2, user, password);
  to64frombits (buf, buf2, SmbLength ((tSmbNtlmAuthResponse *) buf2));
  /*send that out */
  send_ntlm_packet (buf, METHOD);
  spike_clear ();

  /*now we should have gotten a valid response from the server */
  /*hopefully this will have 200 Ok */
  responsebuf[0] = 0;		/*clear this buffer */
  notfin = 1;
  retval = 1;
  while (retval && notfin)
    {
      memset (buf, 0x00, sizeof (buf));
      notfin = s_fd_wait ();
      if (!notfin)
	break;
      retval = read (our_spike->fd, buf, 2500);
      buf[2500] = 0;
      if (retval)
	{
          if (strlen(responsebuf)+strlen(buf)>2500)
		  return 1;
	  strcat (responsebuf, buf);
	}
    }				/*end while read loop */

  return 1;
}
Esempio n. 13
0
int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s)) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  switch (imap_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;

  case AUTH_PLAIN:
    sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) {
      hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;

#ifdef LIBOPENSSLNEW
  case AUTH_CRAMMD5:
  case AUTH_CRAMSHA1:
  case AUTH_CRAMSHA256:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      switch (imap_auth_mechanism) {

      case AUTH_CRAMMD5:
        sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter);
        break;
      case AUTH_CRAMSHA1:
        sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter);
        break;
      case AUTH_CRAMSHA256:
        sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter);
        break;
      }
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        switch (imap_auth_mechanism) {
        case AUTH_CRAMMD5:
          hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA1:
          hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf);
          break;
        case AUTH_CRAMSHA256:
          hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf);
          break;
        }
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 2);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));

      switch (imap_auth_mechanism) {
      case AUTH_CRAMMD5:{
          sasl_cram_md5(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA1:{
          sasl_cram_sha1(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      case AUTH_CRAMSHA256:{
          sasl_cram_sha256(buffer2, pass, buffer);
          sprintf(buffer, "%s %.250s", preplogin, buffer2);
        }
        break;
      }
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;
  case AUTH_DIGESTMD5:{
      sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;
      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);

    }
    break;
  case AUTH_SCRAMSHA1:{
      char clientfirstmessagebare[200];
      char serverfirstmessage[200];
      char *preplogin;
      int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);

      if (rc) {
        return 3;
      }
      sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);

      snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin);
      free(preplogin);
      memset(buffer2, 0, sizeof(buffer2));
      sprintf(buffer2, "n,,%.200s", clientfirstmessagebare);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n");
        free(buf);
        return 1;
      } else {
        /* recover server challenge */
        memset(buffer, 0, sizeof(buffer));
        //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2
        from64tobits((char *) buffer, buf + 2);
        free(buf);
        strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1);
        serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';

        memset(buffer2, 0, sizeof(buffer2));
        sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
        if (buffer2 == NULL) {
          hydra_report(stderr, "[ERROR] Can't compute client response\n");
          return 1;
        }
        hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
        sprintf(buffer, "%s\r\n", buffer2);
      }
    }
    break;
#endif
  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //Send auth request
      sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
        hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      free(buf);
      //send auth and receive challenge
      //send auth request: lst the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      if ((buf = hydra_receive_line(s)) == NULL)
        return (1);

      //recover challenge
      from64tobits((char *) buf1, buf + 2);
      free(buf);

      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));

      sprintf(buffer, "%s\r\n", buf1);
    }
    break;
  default:
    //clear authentication
    sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);

  if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) {
    if (verbose)
      hydra_report(stderr, "[ERROR] %s\n", buf);
    free(buf);
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    if (counter == 4)
      return 1;
    return (2);
  }
  free(buf);

  hydra_report_found_host(port, ip, "imap", fp);
  hydra_completed_pair_found();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 1;
}
Esempio n. 14
0
char *nntp_read_server_capacity(int sock) {
  char *ptr = NULL;
  int resp = 0;
  char *buf = NULL;

  do {
    if (buf != NULL)
      free(buf);
    ptr = buf = hydra_receive_line(sock);
    if (buf != NULL) {
      if (isdigit((int) buf[0]) && buf[3] == ' ')
        resp = 1;
      else {
        if (buf[strlen(buf) - 1] == '\n')
          buf[strlen(buf) - 1] = 0;
        if (buf[strlen(buf) - 1] == '\r')
          buf[strlen(buf) - 1] = 0;
#ifdef NO_RINDEX
        if ((ptr = strrchr(buf, '\n')) != NULL) {
#else
        if ((ptr = rindex(buf, '\n')) != NULL) {
#endif
          ptr++;
          if (isdigit((int) *ptr) && *(ptr + 3) == ' ')
            resp = 1;
        }
      }
    }
  } while (buf != NULL && resp == 0);
  return buf;
}

int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "\"\"";
  char *login, *pass, buffer[300], buffer2[500];
  int i = 1;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (i > 0 && hydra_data_ready(s) > 0)
    i = hydra_recv(s, buffer, 300);

  switch (nntp_auth_mechanism) {
  case AUTH_LOGIN:
    sprintf(buffer, "AUTHINFO SASL LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));

    sprintf(buffer, "%.250s\r\n", buffer2);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    strcpy(buffer2, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
    break;
  case AUTH_PLAIN:
    sprintf(buffer, "AUTHINFO SASL PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (buf == NULL || strstr(buf, "383") == NULL) {
      hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;
#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }

      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      sprintf(buffer, "%s %.250s", preplogin, buffer2);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);
      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;

#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (buf == NULL || strstr(buf, "383") == NULL) {
        hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      from64tobits((char *) buf1, buf + 4);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "%s\r\n", (char*)buf1);
    }
    break;

  default:{
      sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      buf = hydra_receive_line(s);
      if (buf == NULL)
        return 1;
      if (buf[0] != '3') {
        if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
        free(buf);
        return (3);
      }
      free(buf);
      sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
    }
    break;
  }


  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  buf = hydra_receive_line(s);
  if (buf == NULL)
    return 1;

  if (buf[0] == '2') {
    hydra_report_found_host(port, ip, "nntp", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Esempio n. 15
0
/*
  http://davenport.sourceforge.net/ntlm.html#ntlmSmtpAuthentication
*/
int sendAuthNTLM(int hSocket, _MODULE_DATA* _psSessionData, char* szLogin, char* szPassword)
{
  unsigned char* bufSend = NULL;
  unsigned char* bufReceive = NULL;
  int nReceiveBufferSize = 0;
  int nSendBufferSize = 0;
  tSmbNtlmAuthRequest   sTmpReq;
  tSmbNtlmAuthChallenge sTmpChall;
  tSmbNtlmAuthResponse  sTmpResp;
  unsigned char* szTmpBuf = NULL;
  unsigned char* szTmpBuf64 = NULL;

  writeError(ERR_DEBUG_MODULE, "[%s] Initiating NTLM Authentication Attempt.", MODULE_NAME);

  /* --- Send Base-64 encoded Type-1 message --- */

  buildAuthRequest(&sTmpReq, 0, NULL, NULL);

  szTmpBuf64 = malloc(2 * SmbLength(&sTmpReq) + 2);
  memset(szTmpBuf64, 0, 2 * SmbLength(&sTmpReq) + 2);

  base64_encode((char *)&sTmpReq, SmbLength(&sTmpReq), (char *)szTmpBuf64);
  writeError(ERR_DEBUG_MODULE, "[%s] Sending initial challenge (B64 Encoded): %s", MODULE_NAME, szTmpBuf64);

  nSendBufferSize = strlen((char *)szTmpBuf64) + 2;
  bufSend = malloc(10 + nSendBufferSize + 1);
  memset(bufSend, 0, 10 + nSendBufferSize + 1);
  sprintf((char *)bufSend, "AUTH NTLM %s\r\n", szTmpBuf64);

  FREE(szTmpBuf64);

  if (medusaSend(hSocket, bufSend, strlen((char *)bufSend), 0) < 0)
  {
    writeError(ERR_ERROR, "[%s] failed: medusaSend was not successful", MODULE_NAME);
    return FAILURE;
  }
  FREE(bufSend);

  /* Server should respond with a Base-64 encoded Type-2 challenge message. The challenge response format is 
     "334", followed by a space, followed by the challenge message. */
  nReceiveBufferSize = 0;
  if ((medusaReceiveRegex(hSocket, &bufReceive, &nReceiveBufferSize, "^334 .*\r\n") == FAILURE) || (bufReceive == NULL))
  {
    writeError(ERR_ERROR, "[%s] Server did not send valid Type-2 challenge response.", MODULE_NAME);
    FREE(bufReceive);
    return FAILURE;
  }

  szTmpBuf = (unsigned char *)index((char *)bufReceive, '\r');
  szTmpBuf[0] = '\0';

  writeError(ERR_DEBUG_MODULE, "[%s] NTLM Challenge (B64 Encoded): %s", MODULE_NAME, bufReceive + 4);
  base64_decode((char *)bufReceive + 4, (char *)&sTmpChall);

  FREE(bufReceive);

  /* --- Calculate and send Base-64 encoded Type 3 response --- */
  buildAuthResponse(&sTmpChall, &sTmpResp, 0, szLogin, szPassword, _psSessionData->szDomain, NULL);

  szTmpBuf64 = malloc(2 * SmbLength(&sTmpResp) + 2);
  memset(szTmpBuf64, 0, 2 * SmbLength(&sTmpResp) + 2);

  base64_encode((char *)&sTmpResp, SmbLength(&sTmpResp), (char *)szTmpBuf64);
  writeError(ERR_DEBUG_MODULE, "[%s] NTLM Response (B64 Encoded): %s", MODULE_NAME, szTmpBuf64);

  nSendBufferSize = strlen((char *)szTmpBuf64) + 2;
  bufSend = malloc(nSendBufferSize + 1);
  memset(bufSend, 0, nSendBufferSize + 1);
  sprintf((char *)bufSend, "%s\r\n", szTmpBuf64);

  if (medusaSend(hSocket, bufSend, nSendBufferSize, 0) < 0)
  {
    writeError(ERR_ERROR, "[%s] failed: medusaSend was not successful", MODULE_NAME);
    return FAILURE;
  }

  FREE(szTmpBuf64);
  FREE(bufSend);

  return SUCCESS;
}
Esempio n. 16
0
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];
  char url[210], host[30];
  char *header = "";            /* XXX TODO */
  char *ptr, *fooptr;

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (miscptr == NULL) {
    strcpy(url, "http://www.microsoft.com/");
    strcpy(host, "Host: www.microsoft.com\r\n");
  } else {
    sprintf(url, "%.200s", miscptr);
    ptr = strstr(miscptr, "://");       // :// check is in hydra.c
    sprintf(host, "Host: %.200s", ptr + 3);
    if ((ptr = index(host, '/')) != NULL)
      *ptr = 0;
    if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[')
      *ptr = 0;
    strcat(host, "\r\n");
  }

  if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) {
    //send dummy request
    sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
      return 3;

    //receive first 40x
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Server did not answer\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);

    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);

    //after the first query we should have been disconnected from web server
    s = hydra_disconnect(s);
    if ((options & OPTION_SSL) == 0) {
      s = hydra_connect_tcp(ip, port);
    } else {
      s = hydra_connect_ssl(ip, port, hostname);
    }
  }

  if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) {
    http_proxy_auth_mechanism = AUTH_BASIC;
    sprintf(buffer2, "%.50s:%.50s", login, pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
    if (debug)
      hydra_report(stderr, "C:%s\n", buffer);
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
      return 3;
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }

    //if server cut the connection, just exit cleanly or 
    //this will be an infinite loop
    if (http_proxy_buf == NULL) {
      if (verbose)
        hydra_report(stderr, "[ERROR] Server did not answer\n");
      return 3;
    }

    if (debug)
      hydra_report(stderr, "S:%s\n", http_proxy_buf);
  } else {
    if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) {

      unsigned char buf1[4096];
      unsigned char buf2[4096];
      char *pos = NULL;

      http_proxy_auth_mechanism = AUTH_NTLM;
      //send auth and receive challenge
      //send auth request: let the server send it's own hostname and domainname
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

      /* to be portable, no snprintf, buffer is big enough so it cant overflow */
      //send the first..
      sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 3;

      //receive challenge
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
      while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) {
        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
      }
      if (pos != NULL) {
        char *str;

        pos += 25;
        if ((str = strchr(pos, '\r')) != NULL) {
          pos[str - pos] = 0;
        }
        if ((str = strchr(pos, '\n')) != NULL) {
          pos[str - pos] = 0;
        }
      }
      //recover challenge
      if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) {
        from64tobits((char *) buf1, pos);
        free(http_proxy_buf);
        http_proxy_buf = NULL;
        return 3;
      }
      //Send response
      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
      if (debug)
        hydra_report(stderr, "C:%s\n", buffer);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 3;

      if (http_proxy_buf != NULL)
       free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
      while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
      }

      if (http_proxy_buf == NULL)
        return 3;
    } else {
#ifdef LIBOPENSSL
      if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {

        char *pbuffer;

        http_proxy_auth_mechanism = AUTH_DIGESTMD5;
        pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");
        strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
        buffer[sizeof(buffer) - 1] = '\0';
        pbuffer = NULL;

        fooptr = buffer2;
        sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
        if (fooptr == NULL)
          return 3;

        if (debug)
          hydra_report(stderr, "C:%s\n", buffer2);
        if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
          return 3;

        free(http_proxy_buf);
        http_proxy_buf = hydra_receive_line(s);
        while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
          free(http_proxy_buf);
          http_proxy_buf = hydra_receive_line(s);
        }

        if (debug && http_proxy_buf != NULL)
          hydra_report(stderr, "S:%s\n", http_proxy_buf);

        if (http_proxy_buf == NULL)
          return 3;

      } else
#endif
      {
        if (http_proxy_buf != NULL) {
//          buf[strlen(http_proxy_buf) - 1] = '\0';
          hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf);
          free(http_proxy_buf);
          http_proxy_buf = NULL;
        } else {
          hydra_report(stderr, "Unsupported Auth type\n");
        }
        return 3;
      }
    }
  }

  ptr = ((char *) index(http_proxy_buf, ' ')) + 1;
  if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) {
    hydra_report_found_host(port, ip, "http-proxy", fp);
    hydra_completed_pair_found();
    free(http_proxy_buf);
    http_proxy_buf = NULL;
  } else {
    if (*ptr != '4')
      hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass);
    else if (verbose && *(ptr + 2) == '3')
      hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass);
    hydra_completed_pair();
    free(http_proxy_buf);
    http_proxy_buf = hydra_receive_line(s);
    while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
      free(http_proxy_buf);
      http_proxy_buf = hydra_receive_line(s);
    }
  }

  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  if (http_proxy_buf != NULL)
    return 2;
  else
    return 1;
}
Esempio n. 17
0
int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  char *empty = "";
  char *login, *pass, buffer[500], buffer2[500];

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  while (hydra_data_ready(s) > 0) {
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    free(buf);
  }

  switch (smtp_auth_mechanism) {

  case AUTH_PLAIN:
    sprintf(buffer, "AUTH PLAIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);

    memset(buffer, 0, sizeof(buffer));
    sasl_plain(buffer, login, pass);
    sprintf(buffer, "%.250s\r\n", buffer);
    break;

#ifdef LIBOPENSSLNEW
  case AUTH_CRAMMD5:{
      int rc = 0;
      char *preplogin;

      rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
      if (rc) {
        return 3;
      }

      sprintf(buffer, "AUTH CRAM-MD5\r\n");
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      //get the one-time BASE64 encoded challenge
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL) {
        hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      memset(buffer2, 0, sizeof(buffer2));
      sasl_cram_md5(buffer2, pass, buffer);

      sprintf(buffer, "%s %.250s", preplogin, buffer2);
      hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer));
      sprintf(buffer, "%.250s\r\n", buffer);
      free(preplogin);
    }
    break;

  case AUTH_DIGESTMD5:{
      sprintf(buffer, "AUTH DIGEST-MD5\r\n");

      if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
        return 1;
      //receive
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL) {
        hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      memset(buffer, 0, sizeof(buffer));
      from64tobits((char *) buffer, buf + 4);
      free(buf);

      if (verbose)
        hydra_report(stderr, "DEBUG S: %s\n", buffer);

      sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
      if (buffer2 == NULL)
        return 3;

      if (verbose)
        hydra_report(stderr, "DEBUG C: %s\n", buffer2);
      hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
      sprintf(buffer, "%s\r\n", buffer2);
    }
    break;
#endif

  case AUTH_NTLM:{
      unsigned char buf1[4096];
      unsigned char buf2[4096];

      //send auth and receive challenge
      buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
      sprintf(buffer, "AUTH NTLM %s\r\n", buf1);
      if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
        return 1;
      }
      if ((buf = hydra_receive_line(s)) == NULL)
        return 1;
      if (strstr(buf, "334") == NULL) {
        hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf);
        free(buf);
        return 3;
      }
      //recover challenge
      from64tobits((char *) buf1, buf + 4);
      free(buf);

      buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
      to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
      sprintf(buffer, "%s\r\n", buf1);
    }
    break;

  default:
    /* by default trying AUTH LOGIN */
    sprintf(buffer, "AUTH LOGIN\r\n");
    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return 1;

    /* 504 5.7.4 Unrecognized authentication type  */
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf);
      free(buf);
      return 3;
    }
    free(buf);
    sprintf(buffer2, "%.250s", login);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);

    if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
      return 1;
    }
    if ((buf = hydra_receive_line(s)) == NULL)
      return (1);
    if (strstr(buf, "334") == NULL) {
      hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf);
      free(buf);
      return (3);
    }
    free(buf);

    sprintf(buffer2, "%.250s", pass);
    hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
    sprintf(buffer, "%.250s\r\n", buffer2);
  }

  if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
    return 1;
  }
  if ((buf = hydra_receive_line(s)) == NULL)
    return (1);

#ifdef LIBOPENSSLNEW
  if (smtp_auth_mechanism == AUTH_DIGESTMD5) {
    if (strstr(buf, "334") != NULL) {
      memset(buffer2, 0, sizeof(buffer2));
      from64tobits((char *) buffer2, buf + 4);
      if (strstr(buffer2, "rspauth=") != NULL) {
        hydra_report_found_host(port, ip, "smtp", fp);
        hydra_completed_pair_found();
        free(buf);
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
          return 3;
        return 1;
      }
    }
  } else
#endif
  {
    if (strstr(buf, "235") != NULL) {
      hydra_report_found_host(port, ip, "smtp", fp);
      hydra_completed_pair_found();
      free(buf);
      if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
      return 1;
    }
  }
  free(buf);
  hydra_completed_pair();
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;

  return 2;
}
Esempio n. 18
0
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
    char *empty = "";
    char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260];
    char url[260], host[30];
    char *header = "";            /* XXX TODO */
    char *ptr;
    int auth = 0;

    login = hydra_get_next_login();
    if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) {
        hydra_completed_pair();
        return 1;
    }
    pass = hydra_get_next_password();
    pass = empty;                 // ignored

    strncpy(url, login, sizeof(url) - 1);
    url[sizeof(url) - 1] = 0;
    ptr = strstr(login, "://") + 3;
    if (ptr[0] == '[')
        ptr++;
    strncpy(mhost, ptr, sizeof(mhost) - 1);
    mhost[sizeof(mhost) - 1] = 0;
    if ((ptr = index(mhost, '/')) != NULL)
        *ptr = 0;
    if ((ptr = index(mhost, ']')) != NULL)
        *ptr = 0;
    else if ((ptr = index(mhost, ':')) != NULL)
        *ptr = 0;

    if (miscptr != NULL && index(miscptr, ':') != NULL) {
        strncpy(mlogin, miscptr, sizeof(mlogin) - 1);
        mlogin[sizeof(mlogin) - 1] = 0;
        ptr = index(mlogin, ':');
        *ptr++ = 0;
        strncpy(mpass, ptr, sizeof(mpass) - 1);
        mpass[sizeof(mpass) - 1] = 0;
        auth = 1;
    }

    if (http_proxy_auth_mechanism == AUTH_ERROR) {
        //send dummy request
        sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header);
        if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
            return 1;

        //receive first 40x
        buf = hydra_receive_line(s);
        while (buf != NULL && strstr(buf, "HTTP/") == NULL) {
            free(buf);
            buf = hydra_receive_line(s);
        }

        if (debug)
            hydra_report(stderr, "S:%s\n", buf);

        //after the first query we should have been disconnected from web server
        s = hydra_disconnect(s);
        if ((options & OPTION_SSL) == 0) {
            s = hydra_connect_tcp(ip, port);
        } else {
            s = hydra_connect_ssl(ip, port, hostname);
        }
    }

    if (auth) {
        if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) {
            http_proxy_auth_mechanism = AUTH_BASIC;
            sprintf(buffer2, "%.50s:%.50s", login, pass);
            hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
            sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
            if (debug)
                hydra_report(stderr, "C:%s\n", buffer);
            if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                return 1;
            free(buf);
            buf = hydra_receive_line(s);
            while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                free(buf);
                buf = hydra_receive_line(s);
            }

            //if server cut the connection, just exit cleanly or
            //this will be an infinite loop
            if (buf == NULL) {
                if (verbose)
                    hydra_report(stderr, "[ERROR] Server did not answer\n");
                return 3;
            }

            if (debug)
                hydra_report(stderr, "S:%s\n", buf);
        } else {
            if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) {
                unsigned char buf1[4096];
                unsigned char buf2[4096];
                char *pos = NULL;

                http_proxy_auth_mechanism = AUTH_NTLM;
                //send auth and receive challenge
                //send auth request: let the server send it's own hostname and domainname
                buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
                to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));

                /* to be portable, no snprintf, buffer is big enough so it cant overflow */
                //send the first..
                sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
                        header);
                if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                    return 1;

                //receive challenge
                free(buf);
                buf = hydra_receive_line(s);
                while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) {
                    free(buf);
                    buf = hydra_receive_line(s);
                }
                if (pos != NULL) {
                    char *str;

                    pos += 25;
                    if ((str = strchr(pos, '\r')) != NULL) {
                        pos[str - pos] = 0;
                    }
                    if ((str = strchr(pos, '\n')) != NULL) {
                        pos[str - pos] = 0;
                    }
                }
                //recover challenge
                if (buf != NULL) {
                    if (strlen(buf) >= 4)
                        from64tobits((char *) buf1, pos);
                    free(buf);
                }
                //Send response
                buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
                to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
                sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
                        header);
                if (debug)
                    hydra_report(stderr, "C:%s\n", buffer);
                if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
                    return 1;

                buf = hydra_receive_line(s);
                while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                    free(buf);
                    buf = hydra_receive_line(s);
                }

                if (buf == NULL)
                    return 1;
            } else {
#ifdef LIBOPENSSL
                if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
                    char *pbuffer;

                    http_proxy_auth_mechanism = AUTH_DIGESTMD5;
                    pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
                    strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
                    buffer[sizeof(buffer) - 1] = '\0';

                    pbuffer = buffer2;
                    sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
                    if (pbuffer == NULL)
                        return 3;

                    if (debug)
                        hydra_report(stderr, "C:%s\n", buffer2);
                    if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
                        return 1;

                    free(buf);
                    buf = hydra_receive_line(s);
                    while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
                        free(buf);
                        buf = hydra_receive_line(s);
                    }

                    if (debug && buf != NULL)
                        hydra_report(stderr, "S:%s\n", buf);

                    if (buf == NULL)
                        return 1;

                } else
#endif
                {
                    if (buf != NULL) {
                        buf[strlen(buf) - 1] = '\0';
                        hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf);
                    } else {
                        hydra_report(stderr, "Unsupported Auth type\n");
                    }
                    return 3;
                }
            }
        }
    }
    // result analysis
    ptr = ((char *) index(buf, ' ')) + 1;
    if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) {
        hydra_report_found_host(port, ip, "http-proxy", fp);
        if (fp != stdout)
            fprintf(fp, "[%d][http-proxy-urlenum] host: %s   url: %s\n", port, hydra_address2string(ip), url);
        printf("[%d][http-proxy-urlenum] host: %s   url: %s\n", port, hydra_address2string(ip), url);
        hydra_completed_pair_found();
    } else {
        if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) {
            hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n");
            return 3;
        }
        hydra_completed_pair();
    }

    free(buf);

    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
        return 3;
    return 1;
}