void service_socks5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_SOCKS5, mysslport = PORT_SOCKS5_SSL;
hydra_register_socket(sp);
if (port != 0)
myport = port;
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_socks5(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
case 5: /* clean exit, server may blocking connections */
hydra_report(stderr, "[ERROR] Server may blocking connections\n");
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_ASTERISK, mysslport = PORT_ASTERISK_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
//fprintf(stderr, "%s\n",buf);
//banner should look like:
//Asterisk Call Manager/1.1
if (buf == NULL || strstr(buf, "Asterisk Call Manager/") == NULL) {
/* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an Asterisk Call Manager protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_asterisk(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
void service_firebird(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_FIREBIRD, mysslport = PORT_FIREBIRD_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
case 2:
/*
* Here we start the password cracking process
*/
next_run = start_firebird(sock, ip, port, options, miscptr, fp);
break;
case 3:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void
service_rexec(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
int run = 1, next_run, sock = -1;
int myport = PORT_REXEC, mysslport = PORT_REXEC_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(275000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_rexec(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
run = next_run;
}
}
void service_http_proxy(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP_PROXY, mysslport = PORT_HTTP_PROXY_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (http_proxy_buf != NULL)
free(http_proxy_buf);
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(275);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http_proxy(sock, ip, port, options, miscptr, fp, hostname);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_cvs(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_CVS, mysslport = PORT_CVS_SSL;
hydra_register_socket(sp);
if ((miscptr == NULL) || (strlen(miscptr) == 0)) {
miscptr = "/root";
}
while (1) {
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = start_cvs(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
void service_pop3(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
int run = 1, next_run, sock = -1;
int myport = PORT_POP3, mysslport = PORT_POP3_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while(1) {
switch(run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0) myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0) mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not connect\n", (int)getpid());
hydra_child_exit();
}
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '+') { /* check the first line */
fprintf(stderr,"Error: Not an POP3 protocol or service shutdown: %s\n", buf);
hydra_child_exit();
exit(-1);
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_pop3(sock, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0) sock = hydra_disconnect(sock);
hydra_child_exit();
return;
default: fprintf(stderr,"Caught unknown return code, exiting!\n");
hydra_child_exit();
exit(-1);
}
run = next_run;
}
}
void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, int32_t tls) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_FTP, mysslport = PORT_FTP_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
hydra_child_exit(0);
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleepn(300);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
hydra_child_exit(1);
}
usleepn(250);
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '2') { /* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an FTP protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
if (buf != NULL)
free(buf);
hydra_child_exit(2);
}
while (buf != NULL && strncmp(buf, "220 ", 4) != 0 && strstr(buf, "\n220 ") == NULL) {
free(buf);
buf = hydra_receive_line(sock);
}
free(buf);
//this mode is manually chosen, so if it fails we giving up
if (tls) {
if (hydra_send(sock, "AUTH TLS\r\n", strlen("AUTH TLS\r\n"), 0) < 0) {
hydra_child_exit(2);
}
buf = hydra_receive_line(sock);
if (buf == NULL) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an FTP protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
if (buf[0] == '2') {
if ((hydra_connect_to_ssl(sock, hostname) == -1) && verbose) {
hydra_report(stderr, "[ERROR] Can't use TLS\n");
hydra_child_exit(2);
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
} else {
hydra_report(stderr, "[ERROR] TLS negotiation failed %s\n", buf);
hydra_child_exit(2);
}
free(buf);
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_ftp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* error exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
case 4: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
void
service_nntp(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
int run = 1, next_run, sock = -1;
int myport = PORT_NNTP, mysslport = PORT_NNTP_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
// usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '2') { /* check the first line */
hydra_report(stderr, "Error: Not an NNTP protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
free(buf);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
free(buf);
/* buf = hydra_receive_line(sock); */
/* free(buf); */
// usleep(1500000);
usleep(25000);
buf = malloc(1024);
while (hydra_data_ready(sock) > 0)
hydra_recv(sock, buf, 1024);
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_nntp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
exit(-1);
#endif
}
run = next_run;
}
}
void service_ldap(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char version, int auth_method) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_LDAP, mysslport = PORT_LDAP_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(275000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
counter = 1;
if (tls_required) {
/* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC 2830 */
char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";
if (hydra_send(sock, confidentiality_required, strlen(confidentiality_required), 0) < 0)
hydra_child_exit(1);
if ((buf = (unsigned char*) hydra_receive_line(sock)) == NULL)
hydra_child_exit(1);
if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) {
/* TLS option negociation goes well, now trying to connect */
if ((hydra_connect_to_ssl(sock) == -1) && verbose) {
hydra_report(stderr, "[ERROR] Can't use TLS\n");
hydra_child_exit(1);
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
counter++;
}
} else {
hydra_report(stderr, "[ERROR] Can't use TLS %s\n", buf);
hydra_child_exit(1);
}
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_ldap(sock, ip, port, options, miscptr, fp, version, auth_method);
counter++;
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
/*
int analyze_server_response(int socket)
return 0 or 1 when the cond regex is matched
return -1 if no response from server
*/
int analyze_server_response(int s) {
int runs = 0;
while ((buf = hydra_receive_line(s)) != NULL) {
runs++;
//check for http redirection
if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) {
redirected_flag = 1;
} else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) {
auth_flag = 1;
} else if ((strstr(buf, "HTTP/1.1 403") != NULL) || (strstr(buf, "HTTP/1.1 404") != NULL) || (strstr(buf, "HTTP/1.0 403") != NULL) || (strstr(buf, "HTTP/1.0 404") != NULL)) {
return 0;
}
if (hydra_strcasestr(buf, "Location: ") != NULL) {
char *startloc, *endloc;
char str[2048];
startloc = hydra_strcasestr(buf, "Location: ") + strlen("Location: ");
strncpy(str, startloc, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endloc = strchr(str, '\n');
if (endloc != NULL)
*endloc = 0;
endloc = strchr(str, '\r');
if (endloc != NULL)
*endloc = 0;
strcpy(redirected_url_buff, str);
}
//there can be multiple cookies
if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) {
char *cookiebuf = buf;
do {
char *startcookie, *endcookie1, *endcookie2;
char str[1024], tmpcookie[4096] = "", tmpname[128] = "", *ptr, *ptr2;
memset(str, 0, sizeof(str));
startcookie = hydra_strcasestr(cookiebuf, "Set-Cookie: ") + strlen("Set-Cookie: ");
strncpy(str, startcookie, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endcookie1 = strchr(str, '\n');
endcookie2 = strchr(str, ';');
//terminate string after cookie data
if (endcookie1 != NULL && ((endcookie1 < endcookie2) || (endcookie2 == NULL))) {
if (*(endcookie1 - 1) == '\r')
endcookie1--;
*endcookie1 = 0;
} else if (endcookie2 != NULL)
*endcookie2 = 0;
// is the cookie already there? if yes, remove it!
if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) {
strncpy(tmpname, startcookie, sizeof(tmpname) - 2);
tmpname[sizeof(tmpname) - 2] = 0;
ptr = index(tmpname, '=');
*(++ptr) = 0;
// is the cookie already in the cookiejar? (so, does it have to be replaced?)
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
}
ptr += strlen(tmpname);
// if there are any cookies after this one in the cookiejar, copy them over
if ((ptr2 = strstr(ptr, "; ")) != NULL) {
ptr2 += 2;
strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1);
}
if (debug)
printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie);
strcpy(cookie, tmpcookie);
}
}
ptr = index(str, '=');
// only copy the cookie if it has a value (otherwise the server wants to delete the cookie)
if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') {
if (strlen(cookie) > 0)
strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1);
strncat(cookie, str, sizeof(cookie) - strlen(cookie) - 1);
}
cookiebuf = startcookie;
} while (hydra_strcasestr(cookiebuf, "Set-Cookie: ") != NULL);
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, cond) == 1) {
#else
if (strstr(buf, cond) != NULL) {
#endif
free(buf);
// printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf);
return 1;
}
// else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf);
free(buf);
}
if (runs == 0) {
if (debug)
hydra_report(stderr, "DEBUG: no response from server\n");
return -1;
}
return 0;
}
void hydra_reconnect(int s, char *ip, int port, unsigned char options) {
if (s >= 0)
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port);
}
}
int start_http_form(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) {
char *empty = "";
char *login, *pass, clogin[256], cpass[256];
char header[8096], *upd3variables;
char *http_request;
int found = !success_cond, i, j;
char content_length[MAX_CONTENT_LENGTH], proxy_string[MAX_PROXY_LENGTH];
memset(header, 0, sizeof(header));
cookie[0] = 0; // reset cookies from potential previous attempt
// Take the next login/pass pair
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
strncpy(clogin, html_encode(login), sizeof(clogin) - 1);
clogin[sizeof(clogin) - 1] = 0;
strncpy(cpass, html_encode(pass), sizeof(cpass) - 1);
cpass[sizeof(cpass) - 1] = 0;
upd3variables = hydra_strrep(variables, "^USER^", clogin);
upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass);
// Replace the user/pass placeholders in the user-supplied headers
hdrrep(&ptr_head, "^USER^", clogin);
hdrrep(&ptr_head, "^PASS^", cpass);
/* again: no snprintf to be portable. dont worry, buffer cant overflow */
if (use_proxy == 1 && proxy_authentication != NULL) {
if (getcookie) {
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl);
http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0)
add_header(&ptr_head, "Cookie", cookie, HEADER_TYPE_DEFAULT_REPL);
hydra_reconnect(s, ip, port, options);
}
// now prepare for the "real" request
if (strcmp(type, "POST") == 0) {
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url);
snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int) strlen(upd3variables));
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", content_length);
else
add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT);
if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT);
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
} else {
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("GET", url, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
} else {
if (use_proxy == 1) {
// proxy without authentication
if (getcookie) {
//doing a GET to get cookies
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl);
http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0)
add_header(&ptr_head, "Cookie", cookie, HEADER_TYPE_DEFAULT_REPL);
hydra_reconnect(s, ip, port, options);
}
// now prepare for the "real" request
if (strcmp(type, "POST") == 0) {
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url);
snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int) strlen(upd3variables));
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", content_length);
else
add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT);
if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT);
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
} else {
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("GET", url, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
} else {
// direct web server, no proxy
if (getcookie) {
//doing a GET to save cookies
http_request = prepare_http_request("GET", cookieurl, NULL, cookie_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
add_header(&ptr_head, "Cookie", cookie, HEADER_TYPE_DEFAULT_REPL);
normal_request = stringify_headers(&ptr_head);
}
hydra_reconnect(s, ip, port, options);
}
// now prepare for the "real" request
if (strcmp(type, "POST") == 0) {
snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int) strlen(upd3variables));
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", content_length);
else
add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT);
if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT);
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("POST", url, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
} else {
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("GET", url, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
}
}
if (debug)
hydra_report_debug(stdout, "HTTP request sent:\n%s\n", http_request);
found = analyze_server_response(s);
if (auth_flag) { // we received a 401 error - user using wrong module
hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
if (strlen(cookie) > 0)
add_header(&ptr_head, "Cookie", cookie, HEADER_TYPE_DEFAULT_REPL);
//if page was redirected, follow the location header
redirected_cpt = MAX_REDIRECT;
if (debug)
printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff);
while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) {
//we have to split the location
char *startloc, *endloc;
char str[2048];
char str2[2048];
char str3[2048];
redirected_cpt--;
redirected_flag = 0;
//check if the redirect page contains the fail/success condition
#ifdef HAVE_PCRE
if (hydra_string_match(redirected_url_buff, cond) == 1) {
#else
if (strstr(redirected_url_buff, cond) != NULL) {
#endif
found = success_cond;
} else {
//location could be either absolute http(s):// or / something
//or relative
startloc = strstr(redirected_url_buff, "://");
if (startloc != NULL) {
startloc += strlen("://");
if ((endloc = strchr(startloc, '\r')) != NULL) {
startloc[endloc - startloc] = 0;
}
if ((endloc = strchr(startloc, '\n')) != NULL) {
startloc[endloc - startloc] = 0;
}
strcpy(str, startloc);
endloc = strchr(str, '/');
if (endloc != NULL) {
strncpy(str2, str, endloc - str);
str2[endloc - str] = 0;
} else
strncpy(str2, str, sizeof(str));
if (strlen(str) - strlen(str2) == 0) {
strcpy(str3, "/");
} else {
strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2) - 1);
str3[strlen(str) - strlen(str2) - 1] = 0;
}
} else {
strncpy(str2, webtarget, sizeof(str2));
if (redirected_url_buff[0] != '/') {
//it's a relative path, so we have to concatenate it
//with the path from the first url given
char *urlpath;
char urlpath_extracted[2048];
memset(urlpath_extracted, 0, sizeof(urlpath_extracted));
urlpath = strrchr(url, '/');
if (urlpath != NULL) {
strncpy(urlpath_extracted, url, urlpath - url);
sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff);
} else {
sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff);
}
} else
strncpy(str3, redirected_url_buff, sizeof(str3));
if (debug)
hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3, url);
}
if (str3[0] != '/') {
j = strlen(str3);
str3[j + 1] = 0;
for (i = j; i > 0; i--)
str3[i] = str3[i - 1];
str3[0] = '/';
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3);
//re-use the code above to check for proxy use
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
hdrrepv(&ptr_head, "Host", str2);
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3);
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("GET", proxy_string, NULL, normal_request);
} else {
if (use_proxy == 1) {
// proxy without authentication
hdrrepv(&ptr_head, "Host", str2);
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3);
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("GET", proxy_string, NULL, normal_request);
} else {
//direct web server, no proxy
hdrrepv(&ptr_head, "Host", str2);
normal_request = stringify_headers(&ptr_head);
http_request = prepare_http_request("GET", str3, NULL, normal_request);
}
}
hydra_reconnect(s, ip, port, options);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
found = analyze_server_response(s);
if (strlen(cookie) > 0)
add_header(&ptr_head, "Cookie", cookie, HEADER_TYPE_DEFAULT_REPL);
}
}
//if the last status is still 3xx, set it as a false
if (found != -1 && found == success_cond && (redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) {
hydra_report_found_host(port, ip, "www-form", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
return 1;
}
void service_http_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type, ptr_header_node * ptr_head) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
// register our socket descriptor
hydra_register_socket(sp);
/*
* Iterate through the runs. Possible values are the following:
* - 1 -> Open connection to remote server.
* - 2 -> Run password attempts.
* - 3 -> Disconnect and end with success.
* - 4 -> Disconnect and end with error.
*/
while (1) {
if (run == 2) {
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
}
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, cannot connect\n", (int) getpid());
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http_form(sock, ip, port, options, miscptr, fp, type, *ptr_head);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(0);
break;
case 4: /* silent error exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
break;
default:
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
if (freemischttpform)
free(miscptr);
}
void service_telnet(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, fck;
int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if (miscptr != NULL)
make_to_lower(miscptr);
while (1) {
int first = 0;
int old_waittime = waittime;
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
no_line_mode = 0;
first = 0;
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
if ((buf = hydra_receive_line(sock)) == NULL) { /* check the first line */
hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n");
hydra_child_exit(2);
// hydra_child_exit(2);
}
if (hydra_strcasestr(buf, "ress ENTER") != NULL) {
hydra_send(sock, "\r\n", 2, 0);
free(buf);
if ((buf = hydra_receive_line(sock)) == NULL) {
hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n");
hydra_child_exit(2);
}
}
if (hydra_strcasestr(buf, "login") != NULL || hydra_strcasestr(buf, "sername:") != NULL) {
waittime = 6;
if (debug)
hydra_report(stdout, "DEBUG: waittime set to %d\n", waittime);
}
do {
unsigned char *buf2 = (unsigned char *) buf;
while (*buf2 == IAC) {
if (first == 0) {
if (debug)
hydra_report(stdout, "DEBUG: requested line mode\n");
fck = write(sock, "\xff\xfb\x22", 3);
first = 1;
}
if ((buf[1] == '\xfc' || buf[1] == '\xfe') && buf2[2] == '\x22') {
no_line_mode = 1;
if (debug)
hydra_report(stdout, "DEBUG: TELNETD peer does not like linemode!\n");
}
if (buf2[2] != '\x22') {
if (buf2[1] == WILL || buf2[1] == WONT) {
buf2[1] = DONT;
} else if (buf2[1] == DO || buf2[1] == DONT) {
buf2[1] = WONT;
}
fck = write(sock, buf2, 3);
}
buf2 = buf2 + 3;
}
if (buf2 != (unsigned char *) buf) {
free(buf);
buf = hydra_receive_line(sock);
} else {
buf[0] = 0;
}
if (buf != NULL && buf[0] != 0 && (unsigned char) buf[0] != IAC)
make_to_lower(buf);
} while (buf != NULL && (unsigned char) buf[0] == IAC && hydra_strcasestr(buf, "ogin:") == NULL && hydra_strcasestr(buf, "sername:") == NULL);
free(buf);
waittime = old_waittime;
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_telnet(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_nntp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int i = 0, run = 1, next_run = 1, sock = -1;
int myport = PORT_NNTP, mysslport = PORT_NNTP_SSL, disable_tls = 0;
char *buffer1 = "CAPABILITIES\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
// usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '2') { /* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
free(buf);
/* send capability request */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
buf = nntp_read_server_capacity(sock);
if (buf == NULL) {
hydra_child_exit(2);
}
#ifdef LIBOPENSSL
if (!disable_tls) {
/* if we got a positive answer */
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "STARTTLS\r\n", strlen("STARTTLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
/* 382 Begin TLS negotiation now */
if (buf == NULL || strstr(buf, "382") == NULL) {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* ask again capability request but in TLS mode */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
/* we asking again cause often plain and login can only
be negociate in SSL tunnel
*/
buf = nntp_read_server_capacity(sock);
if (buf == NULL) {
hydra_child_exit(2);
}
}
}
}
#endif
/*
AUTHINFO USER SASL
SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
*/
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*NTLM")) {
#else
if (strstr(buf, "NTLM") != NULL) {
#endif
nntp_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSL
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*DIGEST-MD5")) {
#else
if (strstr(buf, "DIGEST-MD5") != NULL) {
#endif
nntp_auth_mechanism = AUTH_DIGESTMD5;
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*CRAM-MD5")) {
#else
if (strstr(buf, "CRAM-MD5") != NULL) {
#endif
nntp_auth_mechanism = AUTH_CRAMMD5;
}
#endif
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*PLAIN")) {
#else
if (strstr(buf, "PLAIN") != NULL) {
#endif
nntp_auth_mechanism = AUTH_PLAIN;
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "SASL\\s.*LOGIN")) {
#else
if (strstr(buf, "LOGIN") != NULL) {
#endif
nntp_auth_mechanism = AUTH_LOGIN;
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "AUTHINFO\\sUSER")) {
#else
if (strstr(buf, "AUTHINFO USER") != NULL) {
#endif
nntp_auth_mechanism = AUTH_CLEAR;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "USER", 4) == 0)
nntp_auth_mechanism = AUTH_CLEAR;
if (strncmp(miscptr, "LOGIN", 5) == 0)
nntp_auth_mechanism = AUTH_LOGIN;
if (strncmp(miscptr, "PLAIN", 5) == 0)
nntp_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSL
if (strncmp(miscptr, "CRAM-MD5", 8) == 0)
nntp_auth_mechanism = AUTH_CRAMMD5;
if (strncmp(miscptr, "DIGEST-MD5", 10) == 0)
nntp_auth_mechanism = AUTH_DIGESTMD5;
#endif
if (strncmp(miscptr, "NTLM", 4) == 0)
nntp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (nntp_auth_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using NNTP AUTHINFO USER mechanism\n");
break;
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using NNTP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using NNTP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using NNTP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using NNTP DIGEST-MD5 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using NNTP NTLM AUTH mechanism\n");
break;
}
}
usleep(25000);
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_nntp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int service_nntp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
return 0;
}
void service_http(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
miscptr = malloc(strlen(ptr2) + 1);
freemischttp = 1;
strcpy(miscptr, ptr2);
*ptr2 = 0;
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
webtarget = hydra_address2string(ip);
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (freemischttp)
free(miscptr);
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http(sock, ip, port, options, miscptr, fp, type);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttp)
free(miscptr);
hydra_child_exit(0);
return;
default:
if (freemischttp)
free(miscptr);
fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, i = 0;
int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL, disable_tls = 0;
char *buffer1 = "EHLO hydra\r\n";
char *buffer2 = "HELO hydra\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* receive initial header */
if ((buf = hydra_receive_line(sock)) == NULL)
hydra_child_exit(2);
if (strstr(buf, "220") == NULL) {
hydra_report(stderr, "[WARNING] SMTP does not allow to connect: %s\n", buf);
free(buf);
hydra_child_exit(2);
}
while (strstr(buf, "220 ") == NULL) {
free(buf);
buf = hydra_receive_line(sock);
}
free(buf);
/* send ehlo and receive/ignore reply */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
buf = smtp_read_server_capacity(sock);
if (buf == NULL)
hydra_child_exit(2);
#ifdef LIBOPENSSLNEW
if (!disable_tls) {
/* if we got a positive answer */
if (buf[0] == '2') {
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "STARTTLS\r\n", strlen("STARTTLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '2') {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* ask again capability request but in TLS mode */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
hydra_child_exit(2);
buf = smtp_read_server_capacity(sock);
if (buf == NULL)
hydra_child_exit(2);
}
}
}
}
#endif
if (buf[0] != '2') {
if (hydra_send(sock, buffer2, strlen(buffer2), 0) < 0)
hydra_child_exit(2);
free(buf);
buf = smtp_read_server_capacity(sock);
if (buf == NULL)
hydra_child_exit(2);
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) {
smtp_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSLNEW
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "DIGEST-MD5") != NULL)) {
smtp_auth_mechanism = AUTH_DIGESTMD5;
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "CRAM-MD5") != NULL)) {
smtp_auth_mechanism = AUTH_CRAMMD5;
}
#endif
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "PLAIN") != NULL)) {
smtp_auth_mechanism = AUTH_PLAIN;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "LOGIN", 5) == 0)
smtp_auth_mechanism = AUTH_LOGIN;
if (strncmp(miscptr, "PLAIN", 5) == 0)
smtp_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSLNEW
if (strncmp(miscptr, "CRAM-MD5", 8) == 0)
smtp_auth_mechanism = AUTH_CRAMMD5;
if (strncmp(miscptr, "DIGEST-MD5", 10) == 0)
smtp_auth_mechanism = AUTH_DIGESTMD5;
#endif
if (strncmp(miscptr, "NTLM", 4) == 0)
smtp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (smtp_auth_mechanism) {
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using SMTP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using SMTP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSLNEW
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using SMTP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using SMTP DIGEST-MD5 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using SMTP NTLM AUTH mechanism\n");
break;
}
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_smtp(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0) {
sock = hydra_disconnect(sock);
}
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_pop3(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
int run = 1, next_run = 1, sock = -1, i;
char *ptr = NULL;
//extract data from the pool, ip is the key
if (plist == NULL)
if (service_pop3_init(ip, sp, options, miscptr, fp, port) != 0)
hydra_child_exit(2);
p = list_find(ip);
if (p == NULL) {
hydra_report(stderr, "[ERROR] Could not find ip %s in pool\n", hydra_address2string(ip));
return;
}
if (list_remove(p) != 0)
hydra_report(stderr, "[ERROR] Could not find ip %s in pool to free memory\n", hydra_address2string(ip));
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
sock = hydra_connect_tcp(ip, port);
} else {
sock = hydra_connect_ssl(ip, port);
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '+') { /* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
ptr = strstr(buf, "<");
if (ptr != NULL && buf[0] == '+') {
if (ptr[strlen(ptr) - 1] == '\n')
ptr[strlen(ptr) - 1] = 0;
if (ptr[strlen(ptr) - 1] == '\r')
ptr[strlen(ptr) - 1] = 0;
strcpy(apop_challenge, ptr);
}
free(buf);
#ifdef LIBOPENSSL
if (!p->disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
p->disable_tls = 1;
}
else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
}
}
#endif
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_pop3(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int service_pop3_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
int myport = PORT_POP3, mysslport = PORT_POP3_SSL;
char *ptr = NULL;
int sock = -1;
char *capa_str = "CAPA\r\n";
char *quit_str = "QUIT\r\n";
pool p;
p.pop3_auth_mechanism=AUTH_CLEAR;
p.disable_tls = 1;
memcpy(p.ip, ip, 36);
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(p.ip, myport);
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(p.ip, mysslport);
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] pid %d terminating, can not connect\n", (int) getpid());
return -1;
}
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '+') { /* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf);
return -1;
}
ptr = strstr(buf, "<");
if (ptr != NULL && buf[0] == '+') {
if (ptr[strlen(ptr) - 1] == '\n')
ptr[strlen(ptr) - 1] = 0;
if (ptr[strlen(ptr) - 1] == '\r')
ptr[strlen(ptr) - 1] = 0;
strcpy(apop_challenge, ptr);
}
free(buf);
/* send capability request */
if (hydra_send(sock, capa_str, strlen(capa_str), 0) < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Can not send the CAPABILITY request\n");
return -1;
}
buf = pop3_read_server_capacity(sock);
if (buf == NULL) {
hydra_report(stderr, "[ERROR] No answer from CAPABILITY request\n");
return -1;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
int i;
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strstr(miscptr, "TLS") || strstr(miscptr, "SSL")) {
p.disable_tls = 0;
}
}
#ifdef LIBOPENSSL
if (!p.disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
if (strstr(buf, "STLS") != NULL) {
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
p.disable_tls = 1;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
if (!p.disable_tls) {
/* ask again capability request but in TLS mode */
if (hydra_send(sock, capa_str, strlen(capa_str), 0) < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Can not send the CAPABILITY request\n");
return -1;
}
buf = pop3_read_server_capacity(sock);
if (buf == NULL) {
hydra_report(stderr, "[ERROR] No answer from CAPABILITY request\n");
return -1;
}
}
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
}
#endif
if (hydra_send(sock, quit_str, strlen(quit_str), 0) < 0) {
//we dont care if the server is not receiving the quit msg
}
hydra_disconnect(sock);
if (verbose)
hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf);
/* example:
+OK Capability list follows:
TOP
LOGIN-DELAY 180
UIDL
USER
SASL PLAIN LOGIN
*/
/* according to rfc 2449:
The POP3 AUTH command [POP-AUTH] permits the use of [SASL]
authentication mechanisms with POP3. The SASL capability
indicates that the AUTH command is available and that it supports
an optional base64 encoded second argument for an initial client
response as described in the SASL specification. The argument to
the SASL capability is a space separated list of SASL mechanisms
which are supported.
*/
/* which mean threre will *always* have a space before the LOGIN auth keyword */
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) {
p.pop3_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSL
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "DIGEST-MD5") != NULL)) {
p.pop3_auth_mechanism = AUTH_DIGESTMD5;
}
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "CRAM-SHA256") != NULL)) {
p.pop3_auth_mechanism = AUTH_CRAMSHA256;
}
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "CRAM-SHA1") != NULL)) {
p.pop3_auth_mechanism = AUTH_CRAMSHA1;
}
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "CRAM-MD5") != NULL)) {
p.pop3_auth_mechanism = AUTH_CRAMMD5;
}
#endif
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "PLAIN") != NULL)) {
p.pop3_auth_mechanism = AUTH_PLAIN;
}
if (strstr(buf, " LOGIN") != NULL) {
p.pop3_auth_mechanism = AUTH_LOGIN;
}
if (strstr(buf, "SASL") == NULL) {
#ifdef LIBOPENSSL
if (strlen(apop_challenge) == 0) {
p.pop3_auth_mechanism = AUTH_CLEAR;
} else {
p.pop3_auth_mechanism = AUTH_APOP;
}
#else
p.pop3_auth_mechanism = AUTH_CLEAR;
#endif
}
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "CLEAR"))
p.pop3_auth_mechanism = AUTH_CLEAR;
if (strstr(miscptr, "LOGIN"))
p.pop3_auth_mechanism = AUTH_LOGIN;
if (strstr(miscptr, "PLAIN"))
p.pop3_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSL
if (strstr(miscptr, "APOP"))
p.pop3_auth_mechanism = AUTH_APOP;
if (strstr(miscptr, "CRAM-MD5"))
p.pop3_auth_mechanism = AUTH_CRAMMD5;
if (strstr(miscptr, "CRAM-SHA1"))
p.pop3_auth_mechanism = AUTH_CRAMSHA1;
if (strstr(miscptr, "CRAM-SHA256"))
p.pop3_auth_mechanism = AUTH_CRAMSHA256;
if (strstr(miscptr, "DIGEST-MD5"))
p.pop3_auth_mechanism = AUTH_DIGESTMD5;
#endif
if (strstr(miscptr, "NTLM"))
p.pop3_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (p.pop3_auth_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using POP3 CLEAR LOGIN mechanism\n");
break;
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using POP3 LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using POP3 PLAIN AUTH mechanism\n");
break;
case AUTH_APOP:
#ifdef LIBOPENSSL
if (strlen(apop_challenge) == 0) {
hydra_report(stderr, "[VERBOSE] APOP not supported by server, using clear login\n");
p.pop3_auth_mechanism = AUTH_CLEAR;
} else {
hydra_report(stderr, "[VERBOSE] using POP3 APOP AUTH mechanism\n");
}
#else
p.pop3_auth_mechanism = AUTH_CLEAR;
#endif
break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using POP3 CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_CRAMSHA1:
hydra_report(stderr, "[VERBOSE] using POP3 CRAM-SHA1 AUTH mechanism\n");
break;
case AUTH_CRAMSHA256:
hydra_report(stderr, "[VERBOSE] using POP3 CRAM-SHA256 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using POP3 DIGEST-MD5 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using POP3 NTLM AUTH mechanism\n");
break;
}
}
if(!plist)
plist=list_create(p);
else
plist=list_insert(p);
return 0;
}
void
service_cisco_enable(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port)
{
int run = 1, failc = 0, retry = 1, next_run, sock = -1;
int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL;
char buffer[300];
char *login;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(275000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* Cisco AAA Support */
if (strlen(login = hydra_get_next_login()) != 0) {
while ((buf = hydra_receive_line(sock)) != NULL && strstr(buf, "name") == NULL) {
free(buf);
}
sprintf(buffer, "%.250s\r", login);
if (hydra_send(sock, buffer, strlen(buffer) + 1, 0) < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not send login\n", (int) getpid());
hydra_child_exit(2);
}
}
if (miscptr != NULL) {
while ((buf = hydra_receive_line(sock)) != NULL && strstr(buf, "assw") == NULL) {
free(buf);
}
sprintf(buffer, "%.250s\r\n", miscptr);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not send login\n", (int) getpid());
hydra_child_exit(2);
}
}
buf = hydra_receive_line(sock);
if (strstr(buf, "assw") != NULL) {
fprintf(stderr, "Error: Child with pid %d terminating - can not login, can not login\n", (int) getpid());
hydra_child_exit(2);
}
free(buf);
next_run = 2;
break;
}
case 2: /* run the cracking function */
{
unsigned char *buf2 = malloc(256);
int f = 0;
sprintf(buffer, "%.250s\r\n", "ena");
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not send 'ena'\n", (int) getpid());
hydra_child_exit(2);
}
do {
if (f != 0)
free(buf2);
else
f = 1;
if ((buf2 = (unsigned char *) hydra_receive_line(sock)) == NULL) {
if (failc < retry) {
next_run = 1;
failc++;
fprintf(stderr, "Error: Child with pid %d was disconnected - retrying (%d of %d retries)\n", getpid(), failc, retry);
sleep(3);
break;
} else {
fprintf(stderr, "Error: Child with pid %d was disconnected - exiting\n", getpid());
hydra_child_exit(0);
}
}
} while (strstr((char *) buf2, "assw") == NULL);
free(buf2);
if (next_run != 0)
break;
failc = 0;
next_run = start_cisco_enable(sock, ip, port, options, miscptr, fp);
break;
}
case 3: /* clean exit */
sprintf(buffer, "%.250s\r\n", "exit");
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not send 'exit'\n", (int) getpid());
hydra_child_exit(0);
}
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
fprintf(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
exit(-1);
}
run = next_run;
}
}
void service_vnc(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_VNC, mysslport = PORT_VNC_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
usleep(300000);
buf = hydra_receive_line(sock);
if (buf == NULL || (strncmp(buf, "RFB", 3) != 0)) { /* check the first line */
hydra_report(stderr, "[ERROR] Not a VNC protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
if (strstr(buf, " security failures") != NULL) { /* check the first line */
/*
VNC has a 'blacklisting' scheme that blocks an IP address after five unsuccessful connection attempts.
The IP address is initially blocked for ten seconds,
but this doubles for each unsuccessful attempt thereafter.
A successful connection from an IP address resets the blacklist timeout.
This is built in to VNC Server and does not rely on operating system support.
*/
failed_auth++;
hydra_report(stderr, "VNC server reported too many authentication failures, have to wait some seconds ...\n");
sleep(12 * failed_auth);
free(buf);
next_run = 1;
break;
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf);
if (((strstr(buf, "RFB 004.001") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) {
//using proto version 003.008 to talk to server 004.001 same for 3.7 and 3.8
vnc_client_version = RFB37;
free(buf);
buf = strdup("RFB 003.007\n");
} else {
//for RFB 3.3 and fake 3.5
vnc_client_version = RFB33;
free(buf);
buf = strdup("RFB 003.003\n");
}
hydra_send(sock, buf, strlen(buf), 0);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_vnc(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_imap(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_IMAP, mysslport = PORT_IMAP_SSL, disable_tls = 0;
char *buffer1 = "1 CAPABILITY\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(275000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
if ((buf == NULL) || (strstr(buf, "OK") == NULL && buf[0] != '*')) { /* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an IMAP protocol or service shutdown:\n");
if (buf != NULL)
free(buf);
hydra_child_exit(2);
}
free(buf);
/* send capability request */
if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0)
exit(-1);
counter = 2;
buf = imap_read_server_capacity(sock);
if (buf == NULL) {
hydra_child_exit(2);
}
#ifdef LIBOPENSSLNEW
if (!disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "2 STARTTLS\r\n", strlen("2 STARTTLS\r\n"), 0);
counter++;
free(buf);
buf = hydra_receive_line(sock);
if (buf == NULL || (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL)) {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
disable_tls = 1;
run = 1;
break;
} else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
/* ask again capability request but in TLS mode */
if (hydra_send(sock, "3 CAPABILITY\r\n", strlen("3 CAPABILITY\r\n"), 0) < 0)
hydra_child_exit(2);
buf = imap_read_server_capacity(sock);
counter++;
if (buf == NULL)
hydra_child_exit(2);
}
}
}
#endif
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) {
imap_auth_mechanism = AUTH_NTLM;
}
#ifdef LIBOPENSSLNEW
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "SCRAM-SHA-1") != NULL)) {
imap_auth_mechanism = AUTH_SCRAMSHA1;
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "DIGEST-MD5") != NULL)) {
imap_auth_mechanism = AUTH_DIGESTMD5;
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "CRAM-SHA256") != NULL)) {
imap_auth_mechanism = AUTH_CRAMSHA256;
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "CRAM-SHA1") != NULL)) {
imap_auth_mechanism = AUTH_CRAMSHA1;
}
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "CRAM-MD5") != NULL)) {
imap_auth_mechanism = AUTH_CRAMMD5;
}
#endif
if ((strstr(buf, "LOGIN") == NULL) && (strstr(buf, "PLAIN") != NULL)) {
imap_auth_mechanism = AUTH_PLAIN;
}
if (strstr(buf, "LOGIN") != NULL) {
imap_auth_mechanism = AUTH_LOGIN;
}
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
int i;
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "CLEAR", 5) == 0)
imap_auth_mechanism = AUTH_CLEAR;
if (strncmp(miscptr, "LOGIN", 5) == 0)
imap_auth_mechanism = AUTH_LOGIN;
if (strncmp(miscptr, "PLAIN", 5) == 0)
imap_auth_mechanism = AUTH_PLAIN;
#ifdef LIBOPENSSLNEW
if (strncmp(miscptr, "CRAM-MD5", 8) == 0)
imap_auth_mechanism = AUTH_CRAMMD5;
if (strncmp(miscptr, "CRAM-SHA1", 9) == 0)
imap_auth_mechanism = AUTH_CRAMSHA1;
if (strncmp(miscptr, "CRAM-SHA256", 11) == 0)
imap_auth_mechanism = AUTH_CRAMSHA256;
if (strncmp(miscptr, "DIGEST-MD5", 10) == 0)
imap_auth_mechanism = AUTH_DIGESTMD5;
if (strncmp(miscptr, "SCRAM-SHA1", 10) == 0)
imap_auth_mechanism = AUTH_SCRAMSHA1;
#endif
if (strncmp(miscptr, "NTLM", 4) == 0)
imap_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (imap_auth_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using IMAP CLEAR LOGIN mechanism\n");
break;
case AUTH_LOGIN:
hydra_report(stderr, "[VERBOSE] using IMAP LOGIN AUTH mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using IMAP PLAIN AUTH mechanism\n");
break;
#ifdef LIBOPENSSLNEW
case AUTH_CRAMMD5:
hydra_report(stderr, "[VERBOSE] using IMAP CRAM-MD5 AUTH mechanism\n");
break;
case AUTH_CRAMSHA1:
hydra_report(stderr, "[VERBOSE] using IMAP CRAM-SHA1 AUTH mechanism\n");
break;
case AUTH_CRAMSHA256:
hydra_report(stderr, "[VERBOSE] using IMAP CRAM-SHA256 AUTH mechanism\n");
break;
case AUTH_DIGESTMD5:
hydra_report(stderr, "[VERBOSE] using IMAP DIGEST-MD5 AUTH mechanism\n");
break;
case AUTH_SCRAMSHA1:
hydra_report(stderr, "[VERBOSE] using IMAP SCRAM-SHA1 AUTH mechanism\n");
break;
#endif
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using IMAP NTLM AUTH mechanism\n");
break;
}
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_imap(sock, ip, port, options, miscptr, fp);
counter++;
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char options, char *miscptr, FILE * fp) {
char *login, *pass, *host, buffer[SIP_MAX_BUF];
int i;
char buf[SIP_MAX_BUF];
if (strlen(login = hydra_get_next_login()) == 0)
login = NULL;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = NULL;
if (external_ip_addr[0])
lip = external_ip_addr;
host = miscptr;
cseq = 1;
empty_register(buffer, host, lip, port, lport, login);
cseq++;
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
int has_sip_cred = 0;
int try = 0;
/* We have to check many times because server may begin to send "100 Trying"
* before "401 Unauthorized" */
while (try < 2 && !has_sip_cred) {
try++;
if (hydra_data_ready_timed(s, 3, 0) > 0) {
i = hydra_recv(s, (char *) buf, sizeof(buf));
buf[sizeof(buf) - 1] = '\0';
if (strncmp(buf, "SIP/2.0 404", 11) == 0) {
hydra_report(stdout, "[ERROR] Get error code 404 : user '%s' not found\n", login);
return 2;
}
if (strncmp(buf, "SIP/2.0 606", 11) == 0) {
char *ptr=NULL;
int i = 0;
// if we already tried to connect, exit
if (external_ip_addr[0]) {
hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n");
return 2;
}
if (verbose)
hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n"
"maybe it's an addressing issue as you are using NAT, trying to reconnect\n"
"using addr from the server reply\n");
/*
SIP/2.0 606 Not Acceptable
Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137
*/
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "Via: SIP.*received=")) {
ptr=strstr(buf, "received=");
#else
if ((ptr=strstr(buf, "received="))) {
#endif
strncpy(external_ip_addr, ptr+strlen("received="), sizeof(external_ip_addr));
external_ip_addr[sizeof(external_ip_addr) - 1] = '\0';
for (i = 0; i < strlen(external_ip_addr); i++) {
if (external_ip_addr[i] <= 32) {
external_ip_addr[i] = '\0';
}
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Will reconnect using external IP address %s\n", external_ip_addr);
return 1;
}
hydra_report(stderr, "[ERROR] Could not find external IP address in server answer\n");
return 2;
}
}
}
if (!strstr(buf, "WWW-Authenticate: Digest")) {
hydra_report(stderr, "[ERROR] no www-authenticate header found!\n");
return -1;
}
if (verbose)
hydra_report(stderr, "[INFO] S: %s\n", buf);
char buffer2[512];
sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);
memset(buffer, 0, SIP_MAX_BUF);
snprintf(buffer, SIP_MAX_BUF,
"REGISTER sip:%s SIP/2.0\n"
"Via: SIP/2.0/UDP %s:%i\n"
"From: <sip:%s@%s>\n"
"To: <sip:%s@%s>\n"
"Call-ID: 1337@%s\n"
"CSeq: %i REGISTER\n"
"Authorization: Digest %s\n"
"Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2);
cseq++;
if (verbose)
hydra_report(stderr, "[INFO] C: %s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
try = 0;
int has_resp = 0;
int sip_code = 0;
while (try < 2 && !has_resp) {
try++;
if (hydra_data_ready_timed(s, 5, 0) > 0) {
memset(buf, 0, sizeof(buf));
i = hydra_recv(s, (char *) buf, sizeof(buf));
if (verbose)
hydra_report(stderr, "[INFO] S: %s\n", buf);
sip_code = get_sip_code(buf);
if (sip_code >= 200 && sip_code < 300) {
hydra_report_found_host(port, ip, "sip", fp);
hydra_completed_pair_found();
has_resp = 1;
}
if (sip_code >= 400 && sip_code < 500) {
has_resp = 1;
}
}
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_SIP, mysslport = PORT_SIP_SSL;
char *lip = get_iface_ip((int) *(&ip[1]));
hydra_register_socket(sp);
// FIXME IPV6
if (ip[0] != 4) {
fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n");
hydra_child_exit(2);
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
run = 3;
int lport = 0;
while (1) {
switch (run) {
case 1:
if (sock < 0) {
if (port != 0)
myport = port;
lport = rand() % (65535 - 1024) + 1024;
hydra_set_srcport(lport);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_udp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
free(lip);
hydra_child_exit(1);
}
}
next_run = start_sip(sock, ip, lip, port, lport, options, miscptr, fp);
break;
case 2:
if (sock >= 0)
sock = hydra_disconnect(sock);
free(lip);
hydra_child_exit(2);
break;
case 3:
if (sock >= 0)
sock = hydra_disconnect(sock);
free(lip);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
free(lip);
hydra_child_exit(2);
}
run = next_run;
}
}
char *get_iface_ip(unsigned long int ip) {
int sfd;
sfd = socket(AF_INET, SOCK_DGRAM, 0);
struct sockaddr_in tparamet;
tparamet.sin_family = AF_INET;
tparamet.sin_port = htons(2000);
tparamet.sin_addr.s_addr = ip;
if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) {
perror("connect");
close(sfd);
return NULL;
}
struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in));
int size = sizeof(struct sockaddr_in);
if (getsockname(sfd, (void *) local, (socklen_t *) & size)) {
perror("getsockname");
close(sfd);
free(local);
return NULL;
}
close(sfd);
char buff[32];
if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) {
perror("inet_ntop");
free(local);
return NULL;
}
char *str = malloc(sizeof(char) * (strlen(buff) + 1));
strcpy(str, buff);
free(local);
return str;
}
#endif
int service_sip_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
return 0;
}
void service_vmauthd(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_VMAUTHD, mysslport = PORT_VMAUTHD_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
//fprintf(stderr, "%s\n",buf);
//220 VMware Authentication Daemon Version 1.00
//220 VMware Authentication Daemon Version 1.10: SSL Required
//220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
if (buf == NULL || strstr(buf, "220 VMware Authentication Daemon Version ") == NULL) {
/* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an vmware authd protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
if ((strstr(buf, "Version 1.00") == NULL) && (strstr(buf, "Version 1.10") == NULL)) {
free(buf);
hydra_report(stderr, "[ERROR] this vmware authd protocol is not supported, please report: %s\n", buf);
hydra_child_exit(2);
}
//by default this service is waiting for ssl connections
if (strstr(buf, "SSL Required") != NULL) {
if ((options & OPTION_SSL) == 0) {
//reconnecting using SSL
if (hydra_connect_to_ssl(sock) == -1) {
free(buf);
hydra_report(stderr, "[ERROR] Can't use SSL\n");
hydra_child_exit(2);
}
}
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_vmauthd(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char url[210], host[30];
char *header = ""; /* XXX TODO */
char *ptr, *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (miscptr == NULL) {
strcpy(url, "http://www.microsoft.com/");
strcpy(host, "Host: www.microsoft.com\r\n");
} else {
sprintf(url, "%.200s", miscptr);
ptr = strstr(miscptr, "://"); // :// check is in hydra.c
sprintf(host, "Host: %.200s", ptr + 3);
if ((ptr = index(host, '/')) != NULL)
*ptr = 0;
if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[')
*ptr = 0;
strcat(host, "\r\n");
}
if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) {
//send dummy request
sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 3;
//receive first 40x
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
if (http_proxy_buf == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Server did not answer\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
if (http_proxy_buf == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
//after the first query we should have been disconnected from web server
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port, hostname);
}
}
if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) {
http_proxy_auth_mechanism = AUTH_BASIC;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 3;
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
//if server cut the connection, just exit cleanly or
//this will be an infinite loop
if (http_proxy_buf == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Server did not answer\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
} else {
if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) {
unsigned char buf1[4096];
unsigned char buf2[4096];
char *pos = NULL;
http_proxy_auth_mechanism = AUTH_NTLM;
//send auth and receive challenge
//send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
/* to be portable, no snprintf, buffer is big enough so it cant overflow */
//send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 3;
//receive challenge
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
if (pos != NULL) {
char *str;
pos += 25;
if ((str = strchr(pos, '\r')) != NULL) {
pos[str - pos] = 0;
}
if ((str = strchr(pos, '\n')) != NULL) {
pos[str - pos] = 0;
}
}
//recover challenge
if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) {
from64tobits((char *) buf1, pos);
free(http_proxy_buf);
http_proxy_buf = NULL;
return 3;
}
//Send response
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 3;
if (http_proxy_buf != NULL)
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
if (http_proxy_buf == NULL)
return 3;
} else {
#ifdef LIBOPENSSL
if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer;
http_proxy_auth_mechanism = AUTH_DIGESTMD5;
pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
pbuffer = NULL;
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (fooptr == NULL)
return 3;
if (debug)
hydra_report(stderr, "C:%s\n", buffer2);
if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
return 3;
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
if (debug && http_proxy_buf != NULL)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
if (http_proxy_buf == NULL)
return 3;
} else
#endif
{
if (http_proxy_buf != NULL) {
// buf[strlen(http_proxy_buf) - 1] = '\0';
hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf);
free(http_proxy_buf);
http_proxy_buf = NULL;
} else {
hydra_report(stderr, "Unsupported Auth type\n");
}
return 3;
}
}
}
ptr = ((char *) index(http_proxy_buf, ' ')) + 1;
if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) {
hydra_report_found_host(port, ip, "http-proxy", fp);
hydra_completed_pair_found();
free(http_proxy_buf);
http_proxy_buf = NULL;
} else {
if (*ptr != '4')
hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass);
else if (verbose && *(ptr + 2) == '3')
hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass);
hydra_completed_pair();
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
if (http_proxy_buf != NULL)
return 2;
else
return 1;
}
void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char *type) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
ptr_header_node ptr_head = NULL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
miscptr = malloc(strlen(ptr2) + 1);
freemischttp = 1;
strcpy(miscptr, ptr2);
*ptr2 = 0;
} else
webtarget = hostname;
} else
if (strlen(miscptr) == 0)
miscptr = strdup("/");
if (webtarget == NULL)
webtarget = hostname;
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
/* Advance to options string */
ptr = miscptr;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
optional1 = ptr;
if (!parse_options(optional1, &ptr_head)) // this function is in hydra-http-form.c !!
run = 4;
if (http_auth_mechanism == AUTH_UNASSIGNED)
http_auth_mechanism = AUTH_BASIC;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (freemischttp)
free(miscptr);
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http(sock, ip, port, options, miscptr, fp, type, ptr_head);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttp)
free(miscptr);
hydra_child_exit(0);
return;
default:
if (freemischttp)
free(miscptr);
fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_oracle_listener(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
strupper(miscptr);
if (strncmp(miscptr, "CLEAR", 5) == 0)
sid_mechanism = AUTH_CLEAR;
}
if (verbose) {
switch (sid_mechanism) {
case AUTH_CLEAR:
hydra_report(stderr, "[VERBOSE] using SID CLEAR mechanism\n");
break;
case AUTH_PLAIN:
hydra_report(stderr, "[VERBOSE] using SID PLAIN mechanism\n");
break;
}
}
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* run the cracking function */
next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4:
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_vnc(unsigned long int ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
int run = 1, next_run, sock = -1;
int myport = PORT_VNC, mysslport = PORT_VNC_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while(1) {
switch(run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0) myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0) mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
fprintf(stderr, "Error: Child with pid %d terminating, can not connect\n", (int)getpid());
hydra_child_exit();
}
buf = hydra_receive_line(sock);
if (buf == NULL) { /* check the first line */
fprintf(stderr,"Error: Not an VNC protocol or service shutdown: %s\n", buf);
hydra_child_exit();
exit(-1);
}
hydra_send(sock, buf, strlen(buf), 0);
free(buf);
buf = hydra_receive_line(sock);
if (buf == NULL) { /* check the first line */
fprintf(stderr,"Error: Not an VNC protocol or service shutdown: %s\n", buf);
hydra_child_exit();
exit(-1);
}
next_run = 2;
switch(buf[3]) {
case 0:
fprintf(stderr,"Error: VNC server told us to quit\n");
hydra_child_exit();
exit(-1);
case 1:
fprintf(fp, "VNC server does not require authentication.\n");
printf("VNC server does not require authentication.\n");
hydra_child_exit();
exit(-1);
case 2:
break;
default:
fprintf(stderr,"Error: unknown VNC authentication type\n");
hydra_child_exit();
exit(-1);
}
free(buf);
break;
case 2: /* run the cracking function */
next_run = start_vnc(sock, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0) sock = hydra_disconnect(sock);
hydra_child_exit();
return;
default: fprintf(stderr,"Caught unknown return code, exiting!\n");
hydra_child_exit();
exit(-1);
}
run = next_run;
}
}
/*
int analyze_server_response(int socket)
return 0 or 1 when the cond regex is matched
return -1 if no response from server
*/
int analyze_server_response(int s) {
int runs = 0;
while ((buf = hydra_receive_line(s)) != NULL) {
runs++;
//check for http redirection
if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) {
redirected_flag = 1;
} else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) {
auth_flag = 1;
} else if ((strstr(buf, "HTTP/1.1 403") != NULL) || (strstr(buf, "HTTP/1.1 404") != NULL) || (strstr(buf, "HTTP/1.0 403") != NULL) || (strstr(buf, "HTTP/1.0 404") != NULL)) {
return 0;
}
if (hydra_strcasestr(buf, "Location: ") != NULL) {
char *startloc, *endloc;
char str[2048];
startloc = hydra_strcasestr(buf, "Location: ") + strlen("Location: ");
strncpy(str, startloc, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endloc = strchr(str, '\n');
if (endloc != NULL)
*endloc = 0;
endloc = strchr(str, '\r');
if (endloc != NULL)
*endloc = 0;
strcpy(redirected_url_buff, str);
}
//there can be multiple cookies
if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) {
char *cookiebuf = buf;
do {
char *startcookie, *endcookie1, *endcookie2;
char str[1024], tmpcookie[4096] = "", tmpname[128] = "", *ptr, *ptr2;
memset(str, 0, sizeof(str));
startcookie = hydra_strcasestr(cookiebuf, "Set-Cookie: ") + strlen("Set-Cookie: ");
strncpy(str, startcookie, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endcookie1 = strchr(str, '\n');
endcookie2 = strchr(str, ';');
//terminate string after cookie data
if (endcookie1 != NULL && endcookie1 < endcookie2)
*endcookie1 = 0;
else
if (endcookie2 != NULL)
*endcookie2 = 0;
// is the cookie already there? if yes, remove it!
if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) {
strncpy(tmpname, startcookie, sizeof(tmpname) - 2);
tmpname[sizeof(tmpname) - 2] = 0;
ptr = index(tmpname, '=');
*(++ptr) = 0;
// is the cookie already in the cookiejar? (so, does it have to be replaced?)
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
}
ptr += strlen(tmpname);
// if there are any cookies after this one in the cookiejar, copy them over
if ((ptr2 = strstr(ptr, "; ")) != NULL) {
ptr2 += 2;
strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1);
}
if (debug) printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie);
strcpy(cookie, tmpcookie);
}
}
ptr = index(str, '=');
// only copy the cookie if it has a value (otherwise the server wants to delete the cookie
if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') {
if (strlen(cookie) > 0)
strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1);
strncat(cookie, str, sizeof(cookie) - strlen(cookie) - 1);
}
cookiebuf = startcookie;
} while (hydra_strcasestr(cookiebuf, "Set-Cookie: ") != NULL);
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, cond) == 1) {
#else
if (strstr(buf, cond) != NULL) {
#endif
free(buf);
// printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf);
return 1;
}
// else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf);
free(buf);
}
if (runs == 0) {
if (debug) hydra_report(stderr, "DEBUG: no response from server\n");
return -1;
}
return 0;
}
void hydra_reconnect(int s, char *ip, int port, unsigned char options) {
if (s >= 0)
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port);
}
}
int start_http_form(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) {
char *empty = "";
char *login, *pass, buffer[9000];
char header[8096], *upd3variables;
int found = !success_cond, i, j;
memset(header, 0, sizeof(header));
cookie[0] = 0; // reset cookies from potential previous attempt
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
upd3variables = strrep(variables, "^PASS^", pass);
upd3variables = strrep(upd3variables, "^USER^", login);
/* again: no snprintf to be portable. dont worry, buffer cant overflow */
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
if (getcookie) {
//doing a GET to save cookies
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla 5.0 (Hydra Proxy Auth)\r\n%s%s\r\n",
webtarget, webport, cookieurl, webtarget, proxy_authentication, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // return value ignored
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
webtarget, webport, url, webtarget, proxy_authentication, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer,
"GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\n%s%s\r\n",
webtarget, webport, url, upd3variables, webtarget, proxy_authentication, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
} else {
if (use_proxy == 1) {
// proxy without authentication
if (getcookie) {
//doing a GET to get cookies
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
webtarget, webport, url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
} else {
// direct web server, no proxy
if (getcookie) {
//doing a GET to save cookies
sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s\r\n", cookieurl, webtarget, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer, "GET %.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", url, upd3variables, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
}
}
found = analyze_server_response(s);
if (auth_flag) { // we received a 401 error - user using wrong module
hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %.1000s\r\n", cookie);
}
//if page was redirected, follow the location header
redirected_cpt = MAX_REDIRECT;
if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff);
while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) {
//we have to split the location
char *startloc, *endloc;
char str[2048];
char str2[2048];
char str3[2048];
redirected_cpt--;
redirected_flag = 0;
//check if the redirect page contains the fail/success condition
#ifdef HAVE_PCRE
if (hydra_string_match(redirected_url_buff, cond) == 1) {
#else
if (strstr(redirected_url_buff, cond) != NULL) {
#endif
found = success_cond;
} else {
//location could be either absolute http(s):// or / something
//or relative
startloc = strstr(redirected_url_buff, "://");
if (startloc != NULL) {
startloc += strlen("://");
if ((endloc=strchr(startloc, '\r')) != NULL) {
startloc[endloc - startloc] = 0;
}
if ((endloc=strchr(startloc, '\n')) != NULL) {
startloc[endloc - startloc] = 0;
}
strcpy(str, startloc);
endloc = strchr(str, '/');
if (endloc != NULL) {
strncpy(str2, str, endloc - str);
str2[endloc - str] = 0;
}
else
strncpy(str2, str, sizeof(str));
if (strlen(str) - strlen(str2) == 0) {
strcpy(str3, "/");
} else {
strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2) - 1);
str3[strlen(str) - strlen(str2) - 1] = 0;
}
} else {
strncpy(str2, webtarget, sizeof(str2));
if (redirected_url_buff[0] != '/') {
//it's a relative path, so we have to concatenate it
//with the path from the first url given
char *urlpath;
char urlpath_extracted[2048];
memset(urlpath_extracted, 0, sizeof(urlpath_extracted));
urlpath=strrchr(url, '/');
if (urlpath != NULL) {
strncpy(urlpath_extracted, url, urlpath-url);
sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff);
} else {
sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff);
}
} else
strncpy(str3, redirected_url_buff, sizeof(str3));
if (debug) hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3,url);
}
if (str3[0] != '/') {
j = strlen(str3);
str3[j + 1] = 0;
for (i = j; i > 0; i--)
str3[i] = str3[i - 1];
str3[0] = '/';
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3);
//re-use the code above to check for proxy use
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
webtarget, webport, str3, str2, proxy_authentication, header);
} else {
if (use_proxy == 1) {
// proxy without authentication
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, header);
} else {
//direct web server, no proxy
sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", str3, str2, header);
}
}
hydra_reconnect(s, ip, port, options);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
found = analyze_server_response(s);
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
}
}
//if the last status is still 3xx, set it as a false
if (found != -1 && found == success_cond && redirected_flag == 0 && redirected_cpt >= 0) {
hydra_report_found_host(port, ip, "www-form", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
return 1;
}
void service_http_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
hydra_register_socket(sp);
if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
if (freemischttpform == 0) {
freemischttpform = 1;
miscptr = malloc(strlen(ptr2) + 1);
strcpy(miscptr, ptr2);
*ptr2 = 0;
}
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
webtarget = hydra_address2string(ip);
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
sprintf(bufferurl, "%.1000s", miscptr);
url = strtok(bufferurl, ":");
variables = strtok(NULL, ":");
cond = strtok(NULL, ":");
sprintf(cookieurl, "%.1000s", url);
//condition now have to contain F or S to set the fail or success condition
if (cond && (strpos(cond, "F=") == 0)) {
success_cond = 0;
cond += 2;
} else if (cond && (strpos(cond, "S=") == 0)) {
success_cond = 1;
cond += 2;
} else {
//by default condition is a fail
success_cond = 0;
}
while ((optional1 = strtok(NULL, ":")) != NULL) {
switch(optional1[0]) {
case 'c': // fall through
case 'C':
sprintf(cookieurl, "%.1000s", optional1 + 2);
break;
case 'h': // fall through
case 'H':
if (sizeof(userheader) - strlen(userheader) > 4) {
strncat(userheader, optional1 + 2, sizeof(userheader) - strlen(userheader) - 4);
strcat(userheader, ":");
optional1 = strtok(NULL, ":");
strncat(userheader, optional1, sizeof(userheader) - strlen(userheader) - 3);
strcat(userheader, "\r\n");
}
break;
// no default
}
}
while (1) {
if (run == 2) {
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
}
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http_form(sock, ip, port, options, miscptr, fp, type);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(0);
break;
case 4: /* silent error exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
break;
default:
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
if (freemischttpform)
free(miscptr);
}
void service_cisco(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, failc = 0, retry = 1, next_run = 1, sock = -1;
int myport = PORT_TELNET, mysslport = PORT_TELNET_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
unsigned char *buf2;
int f = 0;
if (sock >= 0)
sock = hydra_disconnect(sock);
// sleepn(275);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
if (miscptr != NULL && hydra_strcasestr(miscptr, "enter") != NULL)
hydra_send(sock, "\r\n", 2, 0);
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
do {
if (f != 0)
free(buf2);
else
f = 1;
if ((buf2 = (unsigned char *) hydra_receive_line(sock)) == NULL) {
if (failc < retry) {
next_run = 1;
failc++;
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int) getpid(), failc, retry);
sleep(3);
break;
} else {
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int) getpid());
hydra_child_exit(0);
}
}
if (buf2 != NULL && hydra_strcasestr((char*)buf2, "ress ENTER") != NULL)
hydra_send(sock, "\r\n", 2, 0);
} while (strstr((char *) buf2, "assw") == NULL);
free(buf2);
if (next_run != 0)
break;
failc = 0;
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_cisco(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
#ifdef PALM
return;
#else
hydra_child_exit(2);
#endif
}
run = next_run;
}
}
int start_smtp_enum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[500];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
while (hydra_data_ready(s) > 0) {
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
free(buf);
}
if (smtp_enum_cmd == RCPT) {
tosent = 0;
if (pass != empty) {
snprintf(buffer, sizeof(buffer), "MAIL FROM: root@%s\r\n", pass);
} else {
snprintf(buffer, sizeof(buffer), "MAIL FROM: root\r\n");
}
if (verbose)
hydra_report(stderr, "DEBUG C: %s", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (verbose)
hydra_report(stderr, "DEBUG S: %s", buf);
/* good return values are something like 25x */
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "^25\\d\\s")) {
#else
if (strstr(buf, "25") != NULL) {
#endif
if (pass != empty) {
snprintf(buffer, sizeof(buffer), "RCPT TO: %s@%s\r\n", login, pass);
} else {
snprintf(buffer, sizeof(buffer), "RCPT TO: %s\r\n", login);
}
tosent = 1;
} else {
err = strstr(buf, "Error");
if (err) {
if (verbose) {
hydra_report(stderr, "Server %s", err);
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
}
} else {
char cmd[5] = "";
memset(cmd, 0, sizeof(cmd));
if (smtp_enum_cmd == EXPN)
strcpy(cmd, "EXPN");
else
strcpy(cmd, "VRFY");
if (pass != empty) {
snprintf(buffer, sizeof(buffer), "%s %s@%s\r\n", cmd, login, pass);
} else {
snprintf(buffer, sizeof(buffer), "%s %s\r\n", cmd, login);
}
}
if (verbose)
hydra_report(stderr, "DEBUG C: %s", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
if (verbose)
hydra_report(stderr, "DEBUG S: %s", buf);
/* good return values are something like 25x */
#ifdef HAVE_PCRE
if (hydra_string_match(buf, "^25\\d\\s")) {
#else
if (strstr(buf, "25") != NULL) {
#endif
hydra_report_found_host(port, ip, "smtp-enum", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
err = strstr(buf, "Error");
if (err || tosent) {
// we should report command not identified by the server
//502 5.5.2 Error: command not recognized
#ifdef HAVE_PCRE
if ((verbose || hydra_string_match(buf, "\\scommand\\snot\\srecognized")) && err) {
#else
if ((verbose || strstr(buf, "command") != NULL) && err) {
#endif
hydra_report(stderr, "Server %s", err);
}
memset(buffer, 0, sizeof(buffer));
//503 5.5.1 Error: nested MAIL command
strncpy(buffer, "RSET\r\n", sizeof(buffer));
free(buf);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
}
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
void service_smtp_enum(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, i = 0;
int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL;
char *buffer = "HELO hydra\r\n";
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
/* receive initial header */
if ((buf = hydra_receive_line(sock)) == NULL)
hydra_child_exit(2);
if (strstr(buf, "220") == NULL) {
hydra_report(stderr, "Warning: SMTP does not allow to connect: %s\n", buf);
hydra_child_exit(2);
}
while (strstr(buf, "220 ") == NULL) {
free(buf);
buf = hydra_receive_line(sock);
}
if (buf[0] != '2') {
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
free(buf);
hydra_child_exit(2);
}
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
for (i = 0; i < strlen(miscptr); i++)
miscptr[i] = (char) toupper((int) miscptr[i]);
if (strncmp(miscptr, "EXPN", 4) == 0)
smtp_enum_cmd = EXPN;
if (strncmp(miscptr, "RCPT", 4) == 0)
smtp_enum_cmd = RCPT;
}
if (verbose) {
switch (smtp_enum_cmd) {
case VRFY:
hydra_report(stderr, "using SMTP VRFY command\n");
break;
case EXPN:
hydra_report(stderr, "using SMTP EXPN command\n");
break;
case RCPT:
hydra_report(stderr, "using SMTP RCPT TO command\n");
break;
}
}
free(buf);
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_smtp_enum(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0) {
sock = hydra_disconnect(sock);
}
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
int ret;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
memset(buffer2, 0, sizeof(buffer2));
bptr++;
strcpy(bptr, login);
bptr += 1 + strlen(login);
strcpy(bptr, login);
bptr += 1 + strlen(login);
strcpy(bptr, TERM);
if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(login) + strlen(TERM), 0) < 0) {
return 4;
}
ret = hydra_recv(s, buffer, sizeof(buffer));
/* 0x00 is sent but hydra_recv transformed it */
if (strlen(buffer) == 0)
ret = hydra_recv(s, buffer, sizeof(buffer));
if (ret > 0 && (strstr(buffer, "rlogind:") != NULL))
return 1;
if (ret > 0 && (strstr(buffer, "ssword") != NULL)) {
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
sprintf(buffer2, "%s\r", pass);
if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) {
return 1;
}
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer));
if (strcmp(buffer, "\r\n"))
ret = hydra_recv(s, buffer, sizeof(buffer));
}
/* Authentication failure */
if (ret > 0 && (strstr(buffer, "ssword") == NULL)) {
#ifdef HAVE_PCRE
if (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)")) {
#else
/* check for failure and incorrect msg */
if ((strstr(buffer, "ailure") == NULL) && (strstr(buffer, "ncorrect") == NULL) && (strstr(buffer, "denied") == NULL)) {
#endif
hydra_report_found_host(port, ip, "rlogin", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
} else {
/* if password is asked a second time, it means the pass we provided is wrong */
hydra_completed_pair();
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
void service_rlogin(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
/* 512 -> 1023 */
hydra_set_srcport(1023);
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(275000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_rlogin(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
default:
hydra_report(stderr, "Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}