int start_http(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) { char *empty = ""; char *login, *pass, buffer[500], buffer2[110]; char *header = ""; /* XXX TODO */ char *ptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, header); else sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); while (strstr(buf, "HTTP/1.") == NULL && buf != NULL) buf = hydra_receive_line(s); if (buf == NULL) return 1; /* while (hydra_data_ready(s) > 0) recv(s, buffer, sizeof(buf), 0); buf = hydra_receive_line(s); */ ptr = ((char *) index(buf, ' ')) + 1; if (ptr != NULL && (*ptr == '2' || strncmp(ptr, "301", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); } else { if (ptr != NULL && *ptr != '4') printf("Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass); hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; char *header = ""; /* XXX TODO */ char *ptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; switch (http_auth_mechanism) { case AUTH_BASIC: sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, header); else sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); break; #ifdef LIBOPENSSL case AUTH_DIGESTMD5:{ char *pbuffer; pbuffer = hydra_strcasestr(buf, "WWW-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header); if (buffer2 == NULL) { return 3; } if (debug) hydra_report(stderr, "C:%s\n", buffer2); strcpy(buffer, buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive challenge buf = hydra_receive_line(s); while (buf != NULL && (pos = hydra_strcasestr(buf, "WWW-Authenticate: NTLM ")) == NULL) { free(buf); buf = hydra_receive_line(s); } if (buf == NULL) return 1; if (pos != NULL) { char *str; pos+=23; if ((str=strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str=strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge from64tobits((char *) buf1, pos); free(buf); //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); //create the auth response if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", buf); ptr = ((char *) index(buf, ' ')) + 1; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); } else { if (ptr != NULL && *ptr != '4') fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass); //the first authentication type failed, check the type from server header if ((hydra_strcasestr(buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { //seems the auth supported is not Basic shceme so testing further int find_auth = 0; if (hydra_strcasestr(buf, "WWW-Authenticate: NTLM") != NULL) { http_auth_mechanism = AUTH_NTLM; find_auth = 1; } #ifdef LIBOPENSSL if (hydra_strcasestr(buf, "WWW-Authenticate: Digest") != NULL) { http_auth_mechanism = AUTH_DIGESTMD5; find_auth = 1; } #endif if (find_auth) { free(buf); return 1; } } hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) { char *empty = ""; char *login, *pass, *buffer, buffer2[500]; char *header; char *ptr, *fooptr; int32_t complete_line = 0, buffer_size; char tmpreplybuf[1024] = "", *tmpreplybufptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (strcmp(type, "POST") == 0) add_header(&ptr_head, "Content-Length", "0", HEADER_TYPE_DEFAULT); header = stringify_headers(&ptr_head); buffer_size = strlen(header) + 500; if(!(buffer = malloc(buffer_size))) { free(header); return 3; } // we must reset this if buf is NULL and we do MD5 digest if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5) http_auth_mechanism = AUTH_BASIC; if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; switch (http_auth_mechanism) { case AUTH_BASIC: sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. don't worry, buffer can't overflow */ if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, header); else sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); break; #ifdef LIBOPENSSL case AUTH_DIGESTMD5:{ char *pbuffer; pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1); buffer[buffer_size - 1] = '\0'; fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header); if (fooptr == NULL) { free(buffer); free(header); return 3; } if (debug) hydra_report(stderr, "C:%s\n", buffer2); strcpy(buffer, buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it can't overflow */ //send the first.. if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buffer); free(header); return 1; } //receive challenge if (http_buf != NULL) free(http_buf); http_buf = hydra_receive_line(s); if (http_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); free(buffer); free(header); return 3; } pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM "); if (pos != NULL) { char *str; pos += 23; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } else { hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n"); return 3; } //recover challenge from64tobits((char *) buf1, pos); free(http_buf); http_buf = NULL; //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); //create the auth response if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buffer); free(header); return 1; } if (http_buf != NULL) free(http_buf); http_buf = hydra_receive_line(s); complete_line = 0; tmpreplybuf[0] = 0; while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) { if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf); if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) { strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1); tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0; free(http_buf); http_buf = hydra_receive_line(s); } else if (tmpreplybuf[0] != 0) { complete_line = 1; if ((tmpreplybufptr = malloc(strlen(tmpreplybuf) + strlen(http_buf) + 1)) != NULL) { strcpy(tmpreplybufptr, tmpreplybuf); strcat(tmpreplybufptr, http_buf); free(http_buf); http_buf = tmpreplybufptr; if (debug) printf("http_buf now: %s\n", http_buf); } } else { free(http_buf); http_buf = hydra_receive_line(s); } } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (http_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); free(buffer); free(header); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_buf); ptr = ((char *) index(http_buf, ' ')); if (ptr != NULL) ptr++; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); if (http_buf != NULL) { free(http_buf); http_buf = NULL; } } else { if (ptr != NULL && *ptr != '4') fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass); //the first authentication type failed, check the type from server header if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { //seems the auth supported is not Basic scheme so testing further int32_t find_auth = 0; if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) { http_auth_mechanism = AUTH_NTLM; find_auth = 1; } #ifdef LIBOPENSSL if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) { http_auth_mechanism = AUTH_DIGESTMD5; find_auth = 1; } #endif if (find_auth) { // free(http_buf); // http_buf = NULL; free(buffer); free(header); return 1; } } hydra_completed_pair(); } // free(http_buf); // http_buf = NULL; free(buffer); free(header); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_sapr3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { RFC_HANDLE handle; char *empty = ""; char *login, *pass, buffer[1024]; char *buf; int i; int sysnr = port % 100; char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0"; // char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y"; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (strlen(login) > 0) for (i = 0; i < strlen(login); i++) login[i] = (char) toupper(login[i]); if (strlen(pass) > 0) for (i = 0; i < strlen(pass); i++) pass[i] = (char) toupper(pass[i]); memset(buffer, 0, sizeof(buffer)); memset(&error_info, 0, sizeof(error_info)); //strcpy(buf, "mvse001"); snprintf(buffer, sizeof(buffer), "ASHOST=%s SYSNR=%02d CLIENT=%03d USER=\"%s\" PASSWD=\"%s\" LANG=DE %s", hydra_address2string(ip), sysnr, atoi(miscptr), login, pass, opts); /* USER=SAPCPIC PASSWORD=admin USER=SAP* PASSWORD=PASS ## do we need these options? SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N ASHOST= // IP SYSNR= // port - 3200, scale 2 CLIENT= // miscptr, scale 2 ABAP_DEBUG=0 USER= PASSWD= LANG=DE */ //printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer); handle = RfcOpenEx(buffer, &error_info); //printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message); if (handle <= RFC_HANDLE_NULL) return 3; if (strstr(error_info.message, "sapgui") != NULL || strlen(error_info.message) == 0) { hydra_report_found_host(port, ip, "sapr3", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { if (strstr(error_info.key, "ERROR_COMMUNICATION") != NULL) { /* sysnr does not exist, report as port closed */ return 3; } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; } return 1; }
int start_teamspeak(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char buf[100]; struct team_speak teamspeak; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; memset(&teamspeak, 0, sizeof(struct team_speak)); memcpy(&teamspeak.header, "\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00", 16); teamspeak.clientlen = 9; strcpy((char *) &teamspeak.client, "TeamSpeak"); teamspeak.oslen = 11; strcpy((char *) &teamspeak.os, "Linux 2.6.9"); memcpy(&teamspeak.misc, "\x02\x00\x00\x00\x20\x00\x3c\x00\x01\x02", 10); teamspeak.userlen = strlen(login); strncpy((char *) &teamspeak.user, login, 29); teamspeak.passlen = strlen(pass); strncpy((char *) &teamspeak.pass, pass, 29); teamspeak.loginlen = 0; strcpy((char *) &teamspeak.login, ""); #ifdef HAVE_ZLIB teamspeak.crc = crc32(0L, (const Bytef *)&teamspeak, sizeof(struct team_speak)); #else teamspeak.crc = crc32(&teamspeak, sizeof(struct team_speak)); #endif if (hydra_send(s, (char *) &teamspeak, sizeof(struct team_speak), 0) < 0) { return 3; } if (hydra_data_ready_timed(s, 5, 0) > 0) { hydra_recv(s, (char *) buf, sizeof(buf)); if (buf[0x58] == 1) { hydra_report_found_host(port, ip, "teamspeak", fp); hydra_completed_pair_found(); } if (buf[0x4B] != 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } } else { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_oracle_sid(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { /* PP is the packet length XX is the length of connect data PP + tns_packet_begin + XX + tns_packet_end */ unsigned char tns_packet_begin[22] = { "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" }; unsigned char tns_packet_end[32] = { "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" }; char *empty = ""; char *login; char connect_string[200]; char buffer2[260]; int siz = 0; memset(connect_string, 0, sizeof(connect_string)); memset(buffer2, 0, sizeof(buffer2)); if (strlen(login = hydra_get_next_login()) == 0) login = empty; snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login, hydra_address2string(ip), port); siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string); if (siz > 255) { buffer2[0] = 1; buffer2[1] = siz - 256; } else { buffer2[1] = siz; } memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256; } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; //if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) { hydra_report_found_host(port, ip, "oracle-sid", fp); hydra_completed_pair_found(); } else hydra_completed_pair(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_telnet(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[300]; int i = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; sprintf(buffer, "%.250s\r", login); if (no_line_mode) { for (i = 0; i < strlen(buffer); i++) { if (strcmp(&buffer[i], "\r") == 0) { send(s, "\r\0", 2, 0); } else { send(s, &buffer[i], 1, 0); } usleepn(20); } } else { if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { return 1; } } do { if ((buf = hydra_receive_line(s)) == NULL) return 1; if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } (void) make_to_lower(buf); if (hydra_strcasestr(buf, "asswor") != NULL || hydra_strcasestr(buf, "asscode") != NULL || hydra_strcasestr(buf, "ennwort") != NULL) i = 1; if (i == 0 && ((strstr(buf, "ogin:") != NULL && strstr(buf, "last login") == NULL) || strstr(buf, "sername:") != NULL)) { free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } free(buf); } while (i == 0); sprintf(buffer, "%.250s\r", pass); if (no_line_mode) { for (i = 0; i < strlen(buffer); i++) { if (strcmp(&buffer[i], "\r") == 0) { send(s, "\r\0", 2, 0); } else { send(s, &buffer[i], 1, 0); } usleepn(20); } } else { if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { return 1; } } /*win7 answering with do terminal type = 0xfd 0x18 */ while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:"******"last login:"******"sername:") == NULL) { if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL && (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *pass, hybuffer[300]; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; #ifdef PALM sprintf(hybuffer, "%s\r\n", pass); #else sprintf(hybuffer, "%.250s\r\n", pass); #endif if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) { return 1; } sleep(1); hybuf = NULL; do { if (hybuf != NULL) free(hybuf); if ((hybuf = hydra_receive_line(s)) == NULL) return 3; if (hybuf[strlen(hybuf) - 1] == '\n') hybuf[strlen(hybuf) - 1] = 0; if (hybuf[strlen(hybuf) - 1] == '\r') hybuf[strlen(hybuf) - 1] = 0; } while (strlen(hybuf) <= 1); if (strstr(hybuf, "assw") != NULL) { hydra_completed_pair(); free(hybuf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; #ifdef PALM sprintf(hybuffer, "%s\r\n", pass); #else sprintf(hybuffer, "%.250s\r\n", pass); #endif if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) { return 1; } hybuf = NULL; do { if (hybuf != NULL) free(hybuf); if ((hybuf = hydra_receive_line(s)) == NULL) return 3; if (hybuf[strlen(hybuf) - 1] == '\n') hybuf[strlen(hybuf) - 1] = 0; if (hybuf[strlen(hybuf) - 1] == '\r') hybuf[strlen(hybuf) - 1] = 0; } while (strlen(hybuf) <= 1); if (hybuf != NULL && strstr(hybuf, "assw") != NULL) { hydra_completed_pair(); free(hybuf); hybuf = NULL; if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; #ifdef PALM sprintf(hybuffer, "%s\r\n", pass); #else sprintf(hybuffer, "%.250s\r\n", pass); #endif if (hydra_send(s, hybuffer, strlen(hybuffer), 0) < 0) { return 1; } hybuf = NULL; do { if (hybuf != NULL) free(hybuf); hybuf = hydra_receive_line(s); if (hybuf != NULL) { if (hybuf[strlen(hybuf) - 1] == '\n') hybuf[strlen(hybuf) - 1] = 0; if (hybuf[strlen(hybuf) - 1] == '\r') hybuf[strlen(hybuf) - 1] = 0; } } while (hybuf != NULL && strlen(hybuf) <= 1); } } if (hybuf != NULL && (strstr(hybuf, "assw") != NULL || strstr(hybuf, "ad ") != NULL || strstr(hybuf, "attempt") != NULL || strstr(hybuf, "ailur") != NULL)) { free(hybuf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } hydra_report_found_host(port, ip, "cisco", fp); hydra_completed_pair_found(); if (hybuf != NULL) free(hybuf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_ldap(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp, char version) { char *empty = ""; char *login = "", *pass, buffer[512]; int length; if (miscptr == NULL) { if (strlen(login = hydra_get_next_login()) == 0) login = empty; } else login = miscptr; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; length = 14 + strlen(login) + strlen(pass); memset(buffer, 0, sizeof(buffer)); buffer[0] = 48; buffer[1] = length - 2; buffer[2] = 2; buffer[3] = 1; buffer[4] = counter % 256; buffer[5] = 96; buffer[6] = length - 7; buffer[7] = 2; buffer[8] = 1; buffer[9] = version; buffer[10] = 4; buffer[11] = strlen(login); /* DN */ memcpy(&buffer[12], login, strlen(login)); buffer[12 + strlen(login)] = (unsigned char) 128; buffer[13 + strlen(login)] = strlen(pass); memcpy(&buffer[14 + strlen(login)], pass, strlen(pass)); /* PASS */ if (hydra_send(s, buffer, length, 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) return 1; /* success is: 0a 01 00 - failure is: 0a 01 31 */ if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) { hydra_report_found_host(port, ip, "ldap", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) { hydra_report(stderr, "Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2'); hydra_child_exit(2); sleep(1); exit(-1); } if (buf[9] != 49 && buf[9] != 2) { hydra_report(stderr, "Uh, unknown LDAP response, remember, this module is beta! Please report this:\n"); hydra_report(stderr, "Dump: %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x %.2x\n", buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7], buf[8], buf[9], buf[10], buf[11], buf[12], buf[13], buf[14], buf[15]); return 3; } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[500], buffer2[500]; char *AUTH_STR = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='"; char *AUTH_STR_END = "'/>"; char *CHALLENGE_STR = "<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"; char *CHALLENGE_STR2 = "<challenge xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">"; char *CHALLENGE_END_STR = "</challenge>"; char *RESPONSE_STR = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"; char *RESPONSE_END_STR = "</response>"; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; switch (xmpp_auth_mechanism) { case AUTH_SCRAMSHA1: sprintf(buffer, "%s%s%s", AUTH_STR, "SCRAM-SHA-1", AUTH_STR_END); break; case AUTH_CRAMMD5: sprintf(buffer, "%s%s%s", AUTH_STR, "CRAM-MD5", AUTH_STR_END); break; case AUTH_DIGESTMD5: sprintf(buffer, "%s%s%s", AUTH_STR, "DIGEST-MD5", AUTH_STR_END); break; case AUTH_PLAIN: sprintf(buffer, "%s%s%s", AUTH_STR, "PLAIN", AUTH_STR_END); break; default: sprintf(buffer, "%s%s%s", AUTH_STR, "LOGIN", AUTH_STR_END); break; } hydra_send(s, buffer, strlen(buffer), 0); usleep(300000); buf = hydra_receive_line(s); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buf); if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { /* the challenge string is sent depending of the auth chosen it's the case for login auth */ char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); int chglen = ptr_end - ptr - strlen(CHALLENGE_STR); if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); } switch (xmpp_auth_mechanism) { case AUTH_LOGIN:{ if (strstr(buffer, "sername") != NULL) { strncpy(buffer2, login, sizeof(buffer2) - 1); buffer2[sizeof(buffer2) - 1] = '\0'; hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buf); return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; /* server now would ask for the password */ if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); int chglen = ptr_end - ptr - strlen(CHALLENGE_STR); if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); if (strstr(buffer, "assword") != NULL) { strncpy(buffer2, pass, sizeof(buffer2) - 1); buffer2[sizeof(buffer2) - 1] = '\0'; hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); } } else { hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); free(buf); return 1; } free(buf); } } } break; #ifdef LIBOPENSSL case AUTH_PLAIN:{ memset(buffer2, 0, sizeof(buffer)); sasl_plain(buffer2, login, pass); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer); } break; case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "%.200s %.250s", preplogin, buffer2); if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR); strncpy(buffer, buffer2, sizeof(buffer) - 1); buffer[sizeof(buffer) - 1] = '\0'; free(preplogin); } break; case AUTH_DIGESTMD5:{ memset(buffer2, 0, sizeof(buffer2)); sasl_digest_md5(buffer2, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); } break; case AUTH_SCRAMSHA1:{ /*client-first-message */ char clientfirstmessagebare[200]; char *preplogin; int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); free(preplogin); sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { char serverfirstmessage[200]; char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); int chglen = ptr_end - ptr - strlen(CHALLENGE_STR); if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; } else { hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); free(buf); return 1; } /*server-first-message */ memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage); if (buffer2 == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); free(buf); return 1; } hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); } else { if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); free(buf); return 1; } free(buf); } break; #endif } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } usleep(50000); buf = hydra_receive_line(s); if (buf == NULL) return 1; //we test the challenge tag as digest-md5 when connected is sending "rspauth" value //so if we are receiving a second challenge we assume the auth is good if ((strstr(buf, "<success") != NULL) || (strstr(buf, "<challenge ") != NULL)) { hydra_report_found_host(port, ip, "xmpp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } if (verbose) hydra_report(stderr, "[ERROR] %s\n", buf); free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } if (strstr(buf, "<failure")) { hydra_report(stderr, "[ERROR] Protocol failure, try using another auth method. %s\n", strstr(buf, "<failure")); } return 3; }
int start_ncp(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp) { char* login; char* pass; char context[256]; unsigned int ncp_lib_error_code; struct sockaddr_in remote_ip; char *empty = ""; int object_type = NCP_BINDERY_USER; _NCP_DATA* session; memset(&remote_ip, 0, sizeof(remote_ip)); memcpy(&remote_ip.sin_addr.s_addr, &ip, 4); remote_ip.sin_family = AF_INET; session = malloc(sizeof(_NCP_DATA)); memset(session, 0, sizeof(_NCP_DATA)); login=empty; pass=empty; if (strlen(login = hydra_get_next_login()) == 0) { login = empty; } else { if (miscptr) { if (strlen(miscptr)+strlen(login) > sizeof(context)) { return 4; } memset(context, 0, sizeof(context)); strncpy(context, login, strlen(login)); strncpy(context+strlen(login), miscptr, sizeof(miscptr)+1); login=context; } } //login and password are case insensitive //str_upper(login); if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; ncp_lib_error_code = ncp_find_conn_spec3(inet_ntoa((struct in_addr) remote_ip.sin_addr), login, "", 1, getuid(), 0, &session->spec); if (ncp_lib_error_code) { free(session);return 1;} ncp_lib_error_code = NWCCOpenConnByName(NULL, session->spec.server, NWCC_NAME_FORMAT_BIND, NWCC_OPEN_NEW_CONN, NWCC_RESERVED, &session->conn); if (ncp_lib_error_code) { free(session);return 1;} memset(session->spec.password, 0, sizeof(session->spec.password)); memcpy(session->spec.password, pass, strlen(pass)+1); //str_upper(session->spec.password); ncp_lib_error_code = ncp_login_conn(session->conn, session->spec.user, object_type, session->spec.password); switch (ncp_lib_error_code & 0x0000FFFF) { case 0x0000: /* Success */ #ifdef NCP_DEBUG printf("Connection success (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code); #endif ncp_close(session->conn); hydra_report_found_host(port, ip, "ncp", fp); //ok hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; //exit free(session); return 2; //next break; case 0x89DE: /* PASSWORD INVALID */ case 0x89F0: /* BIND WILDCARD INVALID */ case 0x89FF: /* NO OBJ OR BAD PASSWORD */ case 0xFD63: /* FAILED_AUTHENTICATION */ case 0xFDA7: /* NO_SUCH_ENTRY */ #ifdef NCP_DEBUG printf("Incorrect password (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code); #endif ncp_close(session->conn); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { free(session); return 2; //next } break; default: #ifdef NCP_DEBUG printf("Failed to open connection. Error code: %X\n",ncp_lib_error_code); #endif if (session->conn != NULL) ncp_close(session->conn); break; } free(session); return 1; //reconnect }
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[1024]; char ms_login[MSLEN + 1]; char ms_pass[MSLEN + 1]; unsigned char len_login, len_pass; int32_t ret = -1; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (strlen(login) > MSLEN) login[MSLEN - 1] = 0; if (strlen(pass) > MSLEN) pass[MSLEN - 1] = 0; len_login = strlen(login); len_pass = strlen(pass); memset(ms_login, 0, MSLEN + 1); memset(ms_pass, 0, MSLEN + 1); strcpy(ms_login, login); strcpy(ms_pass, pass); memset(buffer, 0, sizeof(buffer)); memcpy(buffer, p_hdr, 39); memcpy(buffer + 39, ms_login, MSLEN); memcpy(buffer + MSLEN + 39, &len_login, 1); memcpy(buffer + MSLEN + 1 + 39, ms_pass, MSLEN); memcpy(buffer + MSLEN + 1 + 39 + MSLEN, &len_pass, 1); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1, p_pk2, 110); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110, &len_pass, 1); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1, ms_pass, MSLEN); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN, p_pk3, 270); if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0) return 1; if (hydra_send(s, (char *) p_lng, 71, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret = hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 10 && buffer[8] == '\xe3') { hydra_report_found_host(port, ip, "mssql", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; }
int start_sshkey(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *key, keep_login[300]; int auth_state = 0, rc = 0; ssh_private_key privkey; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(key = hydra_get_next_password()) == 0) key = empty; if (new_session) { if (session) { ssh_disconnect(session); ssh_finalize(); ssh_free(session); } session = ssh_new(); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); ssh_options_set(session, SSH_OPTIONS_USER, login); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { //if the connection was drop, exit and let hydra main handle it if (verbose) hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port); return 3; } if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) { return 3; } else if (rc == SSH_AUTH_SUCCESS) { hydra_report_found_host(port, ip, "sshkey", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; else return 1; } } else new_session = 1; auth_state = ssh_auth_list(session); if ((auth_state & SSH_AUTH_METHOD_PUBLICKEY) > 0) { privkey = privatekey_from_file(session, key, 0, NULL); if (!privkey) { hydra_report(stderr, "[ERROR] skipping invalid private key: \"%s\"\n", key); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } auth_state = ssh_userauth_pubkey(session, NULL, NULL, privkey); } else { return 4; } if (auth_state == SSH_AUTH_ERROR) { new_session = 1; return 1; } if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) { hydra_report_found_host(port, ip, "sshkey", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { strncpy(keep_login, login, sizeof(keep_login) - 1); keep_login[sizeof(keep_login) - 1] = '\0'; hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; login = hydra_get_next_login(); if (strcmp(login, keep_login) == 0) new_session = 0; return 1; } /* not reached */ return 1; }
int start_oracle(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[200], sid[100]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; strncpy(sid, miscptr, sizeof(sid)); snprintf(buffer, sizeof(buffer), "//%s:%d/%s", hydra_address2string(ip), port, sid); /* To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries. The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name]. With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name]. Service names can be found by running the Oracle utility lsnrctl status on the database server machine. The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web daemon has read access to the file. */ if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) { print_oracle_error("OCIInitialize"); return 4; } if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) { print_oracle_error("OCIEnvInit"); return 4; } if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) { print_oracle_error("OCIEnvInit 2"); return 4; } if (OCIHandleAlloc(o_environment, (dvoid **) & o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) { print_oracle_error("OCIHandleAlloc"); return 4; } if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *) login, strlen(login), (const OraText *) pass, strlen(pass), (const OraText *) buffer, strlen(buffer))) { OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR); //database: oracle_error: ORA-01017: invalid username/password; logon denied //database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor //database: oracle_error: ORA-28000: the account is locked //Failed login attempts is set to 10 by default if (verbose) { hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg); } if (strstr((const char *) o_errormsg, "ORA-12514") != NULL) { hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n"); } if (strstr((const char *) o_errormsg, "ORA-28000") != NULL) { hydra_report(stderr, "[ERROR] ORACLE account %s is locked.\n", login); } if (o_error) { OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR); } hydra_completed_pair(); //by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening, //as we don't care, we are deleting the file //set these parameters to not generate the file //LOG_DIRECTORY_CLIENT = /dev/null //LOG_FILE_CLIENT = /dev/null unlink("sqlnet.log"); return 2; } else { OCILogoff(o_servicecontext, o_error); if (o_error) { OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR); } hydra_report_found_host(port, ip, "oracle", fp); hydra_completed_pair_found(); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
char *smtp_read_server_capacity(int sock) { char *ptr = NULL; int resp = 0; char *buf = NULL; do { if (buf != NULL) free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { if (isdigit((int) buf[0]) && buf[3] == ' ') resp = 1; else { if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; #ifdef NO_RINDEX if ((ptr = strrchr(buf, '\n')) != NULL) { #else if ((ptr = rindex(buf, '\n')) != NULL) { #endif ptr++; if (isdigit((int) *ptr) && *(ptr + 3) == ' ') resp = 1; } } } } while (buf != NULL && resp == 0); return buf; } int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } switch (smtp_auth_mechanism) { case AUTH_PLAIN: sprintf(buffer, "AUTH PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "AUTH CRAM-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL || strlen(buf) < 8) { hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTH DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); if (debug) hydra_report(stderr, "DEBUG S: %s\n", buffer); fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); if (fooptr == NULL) return 3; if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //send auth and receive challenge buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "AUTH NTLM %s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL || strlen(buf) < 8) { hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf); free(buf); return 3; } //recover challenge from64tobits((char *) buf1, buf + 4); free(buf); buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: /* by default trying AUTH LOGIN */ sprintf(buffer, "AUTH LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; /* 504 5.7.4 Unrecognized authentication type */ if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf); free(buf); return 3; } free(buf); sprintf(buffer2, "%.250s", login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer2, "%.250s", pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); #ifdef LIBOPENSSL if (smtp_auth_mechanism == AUTH_DIGESTMD5) { if (strstr(buf, "334") != NULL && strlen(buf) >= 8) { memset(buffer2, 0, sizeof(buffer2)); from64tobits((char *) buffer2, buf + 4); if (strstr(buffer2, "rspauth=") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } } else #endif { if (strstr(buf, "235") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_s7_300(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *pass, buffer[1024]; char context[S7PASSLEN + 1]; unsigned char encoded_password[S7PASSLEN]; char *spaces = " "; unsigned char len_pass; int ret = -1; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; // prepare password memset(context, 0, sizeof(context)); if (strlen(pass) < S7PASSLEN) { strncpy(context, pass, strlen(pass)); strncat(context, spaces, S7PASSLEN - strlen(pass) ); } else { strncpy(context, pass, S7PASSLEN); } // encode password encoded_password[0] = context[0] ^ 0x55; encoded_password[1] = context[1] ^ 0x55; int i; for (i = 2; i < S7PASSLEN; i++) { encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ; } // send p_cotp and check first 2 bytes of answer if (hydra_send(s, (char *) p_cotp, 22, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) return 3; // send p_s7_negotiate_pdu and check first 2 bytes of answer if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) return 3; // send p_s7_read_szl and check first 2 bytes of answer if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) return 3; // so now add encoded_password to p_s7_password_request and send memset(buffer, 0, sizeof(buffer)); memcpy(buffer, p_s7_password_request, 29); memcpy(buffer + 29, encoded_password, S7PASSLEN); if (hydra_send(s, buffer, 29 + S7PASSLEN , 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; // now check answer // 0x0000 - valid password // 0xd605 - no password // 0xd602 - wrong password if (ret > 30 ) { if (buffer[27] == '\x00' && buffer[28] == '\x00') { hydra_report_found_host(port, ip, "s7-300", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } if (buffer[27] == '\xd6' && buffer[28] == '\x05') { //hydra_report_found_host(port, ip, "s7-300", fp); hydra_completed_pair_found(); hydra_report(stderr, "[INFO] No password protection enabled\n"); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; }
int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s)) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } switch (imap_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSLNEW case AUTH_CRAMMD5: case AUTH_CRAMSHA1: case AUTH_CRAMSHA256:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } switch (imap_auth_mechanism) { case AUTH_CRAMMD5: sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter); break; case AUTH_CRAMSHA1: sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter); break; case AUTH_CRAMSHA256: sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter); break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { switch (imap_auth_mechanism) { case AUTH_CRAMMD5: hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf); break; } free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 2); free(buf); memset(buffer2, 0, sizeof(buffer2)); switch (imap_auth_mechanism) { case AUTH_CRAMMD5:{ sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA1:{ sasl_cram_sha1(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA256:{ sasl_cram_sha256(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; } hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; case AUTH_SCRAMSHA1:{ char clientfirstmessagebare[200]; char serverfirstmessage[200]; char *preplogin; int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf); free(buf); return 3; } free(buf); snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); free(preplogin); memset(buffer2, 0, sizeof(buffer2)); sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); free(buf); return 1; } else { /* recover server challenge */ memset(buffer, 0, sizeof(buffer)); //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2 from64tobits((char *) buffer, buf + 2); free(buf); strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage); if (buffer2 == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); return 1; } hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //Send auth request sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf); free(buf); return 3; } free(buf); //send auth and receive challenge //send auth request: lst the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "%s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) return (1); //recover challenge from64tobits((char *) buf1, buf + 2); free(buf); //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: //clear authentication sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { if (verbose) hydra_report(stderr, "[ERROR] %s\n", buf); free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (counter == 4) return 1; return (2); } free(buf); hydra_report_found_host(port, ip, "imap", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
char *nntp_read_server_capacity(int sock) { char *ptr = NULL; int resp = 0; char *buf = NULL; do { if (buf != NULL) free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { if (isdigit((int) buf[0]) && buf[3] == ' ') resp = 1; else { if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; #ifdef NO_RINDEX if ((ptr = strrchr(buf, '\n')) != NULL) { #else if ((ptr = rindex(buf, '\n')) != NULL) { #endif ptr++; if (isdigit((int) *ptr) && *(ptr + 3) == ' ') resp = 1; } } } } while (buf != NULL && resp == 0); return buf; } int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[300], buffer2[500]; int i = 1; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (i > 0 && hydra_data_ready(s) > 0) i = hydra_recv(s, buffer, 300); switch (nntp_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "AUTHINFO SASL LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: sprintf(buffer, "AUTHINFO SASL PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //send auth and receive challenge buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf); free(buf); return 3; } //recover challenge from64tobits((char *) buf1, buf + 4); free(buf); buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", (char*)buf1); } break; default:{ sprintf(buffer, "AUTHINFO USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] != '3') { if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] == '2') { hydra_report_found_host(port, ip, "nntp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; char url[210], host[30]; char *header = ""; /* XXX TODO */ char *ptr, *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (miscptr == NULL) { strcpy(url, "http://www.microsoft.com/"); strcpy(host, "Host: www.microsoft.com\r\n"); } else { sprintf(url, "%.200s", miscptr); ptr = strstr(miscptr, "://"); // :// check is in hydra.c sprintf(host, "Host: %.200s", ptr + 3); if ((ptr = index(host, '/')) != NULL) *ptr = 0; if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[') *ptr = 0; strcat(host, "\r\n"); } if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) { //send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; //receive first 40x http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_proxy_buf); free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_proxy_buf); //after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port); } } if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_proxy_buf); } else { if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; //receive challenge free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (pos != NULL) { char *str; pos += 25; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) { from64tobits((char *) buf1, pos); free(http_proxy_buf); http_proxy_buf = NULL; return 3; } //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; if (http_proxy_buf != NULL) free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (http_proxy_buf == NULL) return 3; } else { #ifdef LIBOPENSSL if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) { char *pbuffer; http_proxy_auth_mechanism = AUTH_DIGESTMD5; pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = NULL; fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header); if (fooptr == NULL) return 3; if (debug) hydra_report(stderr, "C:%s\n", buffer2); if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) return 3; free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (debug && http_proxy_buf != NULL) hydra_report(stderr, "S:%s\n", http_proxy_buf); if (http_proxy_buf == NULL) return 3; } else #endif { if (http_proxy_buf != NULL) { // buf[strlen(http_proxy_buf) - 1] = '\0'; hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf); free(http_proxy_buf); http_proxy_buf = NULL; } else { hydra_report(stderr, "Unsupported Auth type\n"); } return 3; } } } ptr = ((char *) index(http_proxy_buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) { hydra_report_found_host(port, ip, "http-proxy", fp); hydra_completed_pair_found(); free(http_proxy_buf); http_proxy_buf = NULL; } else { if (*ptr != '4') hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass); else if (verbose && *(ptr + 2) == '3') hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass); hydra_completed_pair(); free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (http_proxy_buf != NULL) return 2; else return 1; }
int start_oracle_listener(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { unsigned char tns_packet_begin[22] = { "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" }; unsigned char tns_packet_end[32] = { "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" }; char *empty = ""; char *pass; char connect_string[200]; char buffer2[260]; int siz = 0; memset(connect_string, 0, sizeof(connect_string)); memset(buffer2, 0, sizeof(buffer2)); if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (sid_mechanism == AUTH_PLAIN) { if ((hash = malloc(HASHSIZE)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } memset(hash, 0, HASHSIZE); if (ora_hash_password(pass)) { hydra_report(stderr, "[ERROR] generating Oracle hash\n"); free(hash); return 1; } pass = (char *) hash; } snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass); if (hash != NULL) free(hash); if (verbose) hydra_report(stderr, "[VERBOSE] using connectiong string: %s\n", connect_string); siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string); if (siz > 255) { buffer2[0] = 1; buffer2[1] = siz - 256; } else { buffer2[1] = siz; } memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256; } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (verbose || debug) hydra_report(stderr, "[VERBOSE] Server answer: %s\n", buf); if (strstr(buf, "ERR=0") != NULL) { hydra_report_found_host(port, ip, "oracle-listener", fp); hydra_completed_pair_found(); } else hydra_completed_pair(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2; int ret; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; memset(buffer2, 0, sizeof(buffer2)); bptr++; strcpy(bptr, login); bptr += 1 + strlen(login); strcpy(bptr, login); bptr += 1 + strlen(login); strcpy(bptr, TERM); if (hydra_send(s, buffer2, 4 + strlen(login) + strlen(login) + strlen(TERM), 0) < 0) { return 4; } ret = hydra_recv(s, buffer, sizeof(buffer)); /* 0x00 is sent but hydra_recv transformed it */ if (strlen(buffer) == 0) ret = hydra_recv(s, buffer, sizeof(buffer)); if (ret > 0 && (strstr(buffer, "rlogind:") != NULL)) return 1; if (ret > 0 && (strstr(buffer, "ssword") != NULL)) { if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; sprintf(buffer2, "%s\r", pass); if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) { return 1; } memset(buffer, 0, sizeof(buffer)); ret = hydra_recv(s, buffer, sizeof(buffer)); if (strcmp(buffer, "\r\n")) ret = hydra_recv(s, buffer, sizeof(buffer)); } /* Authentication failure */ if (ret > 0 && (strstr(buffer, "ssword") == NULL)) { #ifdef HAVE_PCRE if (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)")) { #else /* check for failure and incorrect msg */ if ((strstr(buffer, "ailure") == NULL) && (strstr(buffer, "ncorrect") == NULL) && (strstr(buffer, "denied") == NULL)) { #endif hydra_report_found_host(port, ip, "rlogin", fp); hydra_completed_pair_found(); } else { hydra_completed_pair(); } } else { /* if password is asked a second time, it means the pass we provided is wrong */ hydra_completed_pair(); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } void service_rlogin(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { next_run = 0; switch (run) { case 1: /* connect and service init function */ { /* 512 -> 1023 */ hydra_set_srcport(1023); if (sock >= 0) sock = hydra_disconnect(sock); // usleep(275000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } next_run = 2; break; } case 2: /* run the cracking function */ next_run = start_rlogin(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char options, char *miscptr, FILE * fp) { char *login, *pass, *host, buffer[SIP_MAX_BUF]; int i; char buf[SIP_MAX_BUF]; if (strlen(login = hydra_get_next_login()) == 0) login = NULL; if (strlen(pass = hydra_get_next_password()) == 0) pass = NULL; if (external_ip_addr[0]) lip = external_ip_addr; host = miscptr; cseq = 1; empty_register(buffer, host, lip, port, lport, login); cseq++; if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 3; } int has_sip_cred = 0; int try = 0; /* We have to check many times because server may begin to send "100 Trying" * before "401 Unauthorized" */ while (try < 2 && !has_sip_cred) { try++; if (hydra_data_ready_timed(s, 3, 0) > 0) { i = hydra_recv(s, (char *) buf, sizeof(buf)); buf[sizeof(buf) - 1] = '\0'; if (strncmp(buf, "SIP/2.0 404", 11) == 0) { hydra_report(stdout, "[ERROR] Get error code 404 : user '%s' not found\n", login); return 2; } if (strncmp(buf, "SIP/2.0 606", 11) == 0) { char *ptr=NULL; int i = 0; // if we already tried to connect, exit if (external_ip_addr[0]) { hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n"); return 2; } if (verbose) hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n" "maybe it's an addressing issue as you are using NAT, trying to reconnect\n" "using addr from the server reply\n"); /* SIP/2.0 606 Not Acceptable Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137 */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "Via: SIP.*received=")) { ptr=strstr(buf, "received="); #else if ((ptr=strstr(buf, "received="))) { #endif strncpy(external_ip_addr, ptr+strlen("received="), sizeof(external_ip_addr)); external_ip_addr[sizeof(external_ip_addr) - 1] = '\0'; for (i = 0; i < strlen(external_ip_addr); i++) { if (external_ip_addr[i] <= 32) { external_ip_addr[i] = '\0'; } } if (verbose) hydra_report(stderr, "[VERBOSE] Will reconnect using external IP address %s\n", external_ip_addr); return 1; } hydra_report(stderr, "[ERROR] Could not find external IP address in server answer\n"); return 2; } } } if (!strstr(buf, "WWW-Authenticate: Digest")) { hydra_report(stderr, "[ERROR] no www-authenticate header found!\n"); return -1; } if (verbose) hydra_report(stderr, "[INFO] S: %s\n", buf); char buffer2[512]; sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL); memset(buffer, 0, SIP_MAX_BUF); snprintf(buffer, SIP_MAX_BUF, "REGISTER sip:%s SIP/2.0\n" "Via: SIP/2.0/UDP %s:%i\n" "From: <sip:%s@%s>\n" "To: <sip:%s@%s>\n" "Call-ID: 1337@%s\n" "CSeq: %i REGISTER\n" "Authorization: Digest %s\n" "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2); cseq++; if (verbose) hydra_report(stderr, "[INFO] C: %s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 3; } try = 0; int has_resp = 0; int sip_code = 0; while (try < 2 && !has_resp) { try++; if (hydra_data_ready_timed(s, 5, 0) > 0) { memset(buf, 0, sizeof(buf)); i = hydra_recv(s, (char *) buf, sizeof(buf)); if (verbose) hydra_report(stderr, "[INFO] S: %s\n", buf); sip_code = get_sip_code(buf); if (sip_code >= 200 && sip_code < 300) { hydra_report_found_host(port, ip, "sip", fp); hydra_completed_pair_found(); has_resp = 1; } if (sip_code >= 400 && sip_code < 500) { has_resp = 1; } } } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1; int myport = PORT_SIP, mysslport = PORT_SIP_SSL; char *lip = get_iface_ip((int) *(&ip[1])); hydra_register_socket(sp); // FIXME IPV6 if (ip[0] != 4) { fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n"); hydra_child_exit(2); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) run = 3; int lport = 0; while (1) { switch (run) { case 1: if (sock < 0) { if (port != 0) myport = port; lport = rand() % (65535 - 1024) + 1024; hydra_set_srcport(lport); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_udp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); free(lip); hydra_child_exit(1); } } next_run = start_sip(sock, ip, lip, port, lport, options, miscptr, fp); break; case 2: if (sock >= 0) sock = hydra_disconnect(sock); free(lip); hydra_child_exit(2); break; case 3: if (sock >= 0) sock = hydra_disconnect(sock); free(lip); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); free(lip); hydra_child_exit(2); } run = next_run; } } char *get_iface_ip(unsigned long int ip) { int sfd; sfd = socket(AF_INET, SOCK_DGRAM, 0); struct sockaddr_in tparamet; tparamet.sin_family = AF_INET; tparamet.sin_port = htons(2000); tparamet.sin_addr.s_addr = ip; if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) { perror("connect"); close(sfd); return NULL; } struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in)); int size = sizeof(struct sockaddr_in); if (getsockname(sfd, (void *) local, (socklen_t *) & size)) { perror("getsockname"); close(sfd); free(local); return NULL; } close(sfd); char buff[32]; if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) { perror("inet_ntop"); free(local); return NULL; } char *str = malloc(sizeof(char) * (strlen(buff) + 1)); strcpy(str, buff); free(local); return str; } #endif int service_sip_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here return 0; }
int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char version, int auth_method) { char *empty = ""; char *login = "", *pass; unsigned char buffer[512]; int length = 0; int ldap_auth_mechanism = auth_method; /* The LDAP "simple" method has three modes of operation: * anonymous= no user no pass * unauthenticated= user but no pass * user/password authenticated= user and pass */ if ((miscptr != NULL) && (ldap_auth_mechanism == AUTH_CLEAR)) { login = miscptr; } else { if (strlen(login = hydra_get_next_login()) == 0) login = empty; } if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; switch (ldap_auth_mechanism) { case AUTH_CLEAR: length = 14 + strlen(login) + strlen(pass); break; #ifdef LIBOPENSSLNEW case AUTH_CRAMMD5: length = 14 + strlen(miscptr) + strlen("CRAM-MD5") + 2; break; case AUTH_DIGESTMD5: length = 14 + strlen(miscptr) + strlen("DIGEST-MD5") + 2; break; #endif } memset(buffer, 0, sizeof(buffer)); buffer[0] = 48; buffer[1] = length - 2; buffer[2] = 2; buffer[3] = 1; buffer[4] = counter % 256; buffer[5] = 96; buffer[6] = length - 7; buffer[7] = 2; buffer[8] = 1; buffer[9] = version; buffer[10] = 4; if (ldap_auth_mechanism == AUTH_CLEAR) { buffer[11] = strlen(login); /* DN */ memcpy(&buffer[12], login, strlen(login)); buffer[12 + strlen(login)] = (unsigned char) 128; buffer[13 + strlen(login)] = strlen(pass); memcpy(&buffer[14 + strlen(login)], pass, strlen(pass)); /* PASS */ } else { char *authm = "DIGEST-MD5"; if (ldap_auth_mechanism == AUTH_CRAMMD5) { authm = "CRAM-MD5"; } if ((strlen(miscptr)) > sizeof(buffer) - 16 - strlen(authm)) { miscptr[sizeof(buffer) - 16 - strlen(authm)] = '\0'; } buffer[11] = strlen(miscptr); /* DN */ memcpy(&buffer[12], miscptr, strlen(miscptr)); buffer[12 + strlen(miscptr)] = 163; buffer[13 + strlen(miscptr)] = 2 + strlen(authm); buffer[14 + strlen(miscptr)] = 4; buffer[15 + strlen(miscptr)] = strlen(authm); memcpy(&buffer[16 + strlen(miscptr)], authm, strlen(authm)); } if (hydra_send(s, (char*)buffer, length, 0) < 0) return 1; if ((buf = (unsigned char*) hydra_receive_line(s)) == NULL) return 1; if (buf[0] != 0 && buf[0] != 32 && buf[9] == 2) { if (verbose) hydra_report(stderr, "[VERBOSE] Protocol invalid\n"); free(buf); return 3; } if (buf[0] != 0 && buf[0] != 32 && buf[9] == 13) { if (verbose) hydra_report(stderr, "[VERBOSE] Confidentiality required, TLS has to be enabled\n"); tls_required = 1; free(buf); return 1; } if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 34) { hydra_report(stderr, "[ERROR] Invalid DN Syntax\n"); hydra_child_exit(2); free(buf); return 3; } #ifdef LIBOPENSSLNEW /* one more step auth for CRAM and DIGEST */ if (ldap_auth_mechanism == AUTH_CRAMMD5) { /* get the challenge, need to extract it */ char *ptr; char buf2[32]; ptr = strstr((char*) buf, "<"); sasl_cram_md5(buf2, pass, ptr); if (buf2 == NULL) return 1; counter++; if (strstr(miscptr, "^USER^") != NULL) { miscptr = strrep(miscptr, "^USER^", login); } length = 12 + strlen(miscptr) + 4 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2); memset(buffer, 0, sizeof(buffer)); buffer[0] = 48; buffer[1] = length - 2; buffer[2] = 2; buffer[3] = 1; buffer[4] = counter % 256; buffer[5] = 96; buffer[6] = length - 7; buffer[7] = 2; buffer[8] = 1; buffer[9] = version; buffer[10] = 4; buffer[11] = strlen(miscptr); /* DN */ memcpy(&buffer[12], miscptr, strlen(miscptr)); buffer[12 + strlen(miscptr)] = 163; buffer[13 + strlen(miscptr)] = 2 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2); buffer[14 + strlen(miscptr)] = 4; buffer[15 + strlen(miscptr)] = strlen("CRAM-MD5"); memcpy(&buffer[16 + strlen(miscptr)], "CRAM-MD5", strlen("CRAM-MD5")); buffer[16 + strlen(miscptr) + strlen("CRAM-MD5")] = 4; buffer[17 + strlen(miscptr) + strlen("CRAM-MD5")] = strlen(login) + 1 + strlen(buf2); memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5")], login, strlen(login)); buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login)] = ' '; memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login) + 1], buf2, strlen(buf2)); if (hydra_send(s, (char*)buffer, length, 0) < 0) return 1; free(buf); if ((buf = (unsigned char*) hydra_receive_line(s)) == NULL) return 1; } else { if (ldap_auth_mechanism == AUTH_DIGESTMD5) { char *ptr; char buffer2[500]; int ind = 0; ptr = strstr((char*)buf, "realm="); counter++; if (strstr(miscptr, "^USER^") != NULL) { miscptr = strrep(miscptr, "^USER^", login); } sasl_digest_md5(buffer2, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL); if (buffer2 == NULL) { free(buf); return 3; } length = 26 + strlen(miscptr) + strlen("DIGEST-MD5") + strlen(buffer2); memset(buffer, 0, sizeof(buffer)); ind = 0; buffer[ind] = 48; ind++; buffer[ind] = 130; ind++; if (length - 4 > 255) { buffer[ind] = 1; ind++; buffer[ind] = length - 256 - 4; ind++; } else { buffer[ind] = 0; ind++; buffer[ind] = length - 4; ind++; } buffer[ind] = 2; ind++; buffer[ind] = 1; ind++; buffer[ind] = counter % 256; ind++; buffer[ind] = 96; /*0x60 */ ind++; buffer[ind] = 130; ind++; if (length - 7 - 4 > 255) { buffer[ind] = 1; ind++; buffer[ind] = length - 256 - 11; ind++; } else { buffer[ind] = 0; ind++; buffer[ind] = length - 11; ind++; } buffer[ind] = 2; ind++; buffer[ind] = 1; ind++; buffer[ind] = version; ind++; buffer[ind] = 4; ind++; buffer[ind] = strlen(miscptr); ind++; memcpy(&buffer[ind], miscptr, strlen(miscptr)); /*DN*/ buffer[ind + strlen(miscptr)] = 163; //0xa3 ind++; buffer[ind + strlen(miscptr)] = 130; //0x82 ind++; if (strlen(buffer2) + 6 + strlen("DIGEST-MD5") > 255) { buffer[ind + strlen(miscptr)] = 1; ind++; buffer[ind + strlen(miscptr)] = strlen(buffer2) + 6 + strlen("DIGEST-MD5") - 256; } else { buffer[ind + strlen(miscptr)] = 0; ind++; buffer[ind + strlen(miscptr)] = strlen(buffer2) + 6 + strlen("DIGEST-MD5"); } ind++; buffer[ind + strlen(miscptr)] = 4; ind++; buffer[ind + strlen(miscptr)] = strlen("DIGEST-MD5"); ind++; memcpy(&buffer[ind + strlen(miscptr)], "DIGEST-MD5", strlen("DIGEST-MD5")); buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 4; ind++; buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 130; ind++; if (strlen(buffer2) > 255) { buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 1; ind++; buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = strlen(buffer2) - 256; } else { buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 0; ind++; buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = strlen(buffer2); } ind++; memcpy(&buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")], buffer2, strlen(buffer2)); ind++; if (hydra_send(s, (char*)buffer, length, 0) < 0) return 1; free(buf); if ((buf = (unsigned char*) hydra_receive_line(s)) == NULL) return 1; } } #endif /* success is: 0a 01 00 - failure is: 0a 01 31 */ if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) { hydra_report_found_host(port, ip, "ldap", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 7) { hydra_report(stderr, "[ERROR] Unknown authentication method\n"); free(buf); hydra_child_exit(2); } if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 53) { if (verbose) hydra_report(stderr, "[VERBOSE] Server unwilling to perform action, maybe deny by server config or too busy when tried login: %s password: %s\n", login, pass); free(buf); return 1; } if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) { hydra_report(stderr, "[ERROR] Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2'); free(buf); hydra_child_exit(2); sleep(1); hydra_child_exit(2); } //0 0x30, 0x84, 0x20, 0x20, 0x20, 0x10, 0x02, 0x01, //8 0x01, 0x61, 0x84, 0x20, 0x20, 0x20, 0x07, 0x0a, //16 0x01, 0x20, 0x04, 0x20, 0x04, 0x20, 0x00, 0x00, // this is for w2k8 active directory ldap auth if (buf[0] == 48 && buf[1] == 132) { if (buf[9] == 0x61 && buf[1] == 0x84) { if (buf[17] == 0 || buf[17] == 0x20) { hydra_report_found_host(port, ip, "ldap", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } } else { if (buf[9] != 49 && buf[9] != 2 && buf[9] != 53) { hydra_report(stderr, "[ERROR] Uh, unknown LDAP response! Please report this: \n"); print_hex((unsigned char *) buf, 24); free(buf); return 3; } } hydra_completed_pair(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_pop3(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[300]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } #ifdef PALM sprintf(buffer, "USER %s\r\n", login); #else sprintf(buffer, "USER %.250s\r\n", login); #endif if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (buf[0] != '+') { hydra_report(stderr, "Error: POP3 protocol error or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); #ifdef PALM sprintf(buffer, "PASS %s\r\n", pass); #else sprintf(buffer, "PASS %.250s\r\n", pass); #endif if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (buf[0] == '+') { hydra_report_found_host(port, ip, "pop3", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } /* special AS/400 hack */ if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) { hydra_completed_pair_skip(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[500], buffer2[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return 4; free(buf); } switch (p->pop3_auth_mechanism) { #ifdef LIBOPENSSL case AUTH_APOP:{ MD5_CTX c; unsigned char md5_raw[MD5_DIGEST_LENGTH]; int i; char *pbuffer = buffer2; MD5_Init(&c); MD5_Update(&c, apop_challenge, strlen(apop_challenge)); MD5_Update(&c, pass, strlen(pass)); MD5_Final(md5_raw, &c); for (i = 0; i < MD5_DIGEST_LENGTH; i++) { sprintf(pbuffer, "%02x", md5_raw[i]); pbuffer += 2; } sprintf(buffer, "APOP %s %s\r\n", login, buffer2); } break; #endif case AUTH_LOGIN:{ sprintf(buffer, "AUTH LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); } break; case AUTH_PLAIN:{ sprintf(buffer, "AUTH PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); } break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: case AUTH_CRAMSHA1: case AUTH_CRAMSHA256:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5: sprintf(buffer, "AUTH CRAM-MD5\r\n"); break; case AUTH_CRAMSHA1: sprintf(buffer, "AUTH CRAM-SHA1\r\n"); break; case AUTH_CRAMSHA256: sprintf(buffer, "AUTH CRAM-SHA256\r\n"); break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5: hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf); break; } free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 2); free(buf); memset(buffer2, 0, sizeof(buffer2)); switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5:{ sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA1:{ sasl_cram_sha1(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA256:{ sasl_cram_sha256(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; } hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTH DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf); free(buf); if (verbose) hydra_report(stderr, "[VERBOSE] S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "[VERBOSE] C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //Send auth request sprintf(buffer, "AUTH NTLM\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf); free(buf); return 3; } free(buf); //send auth and receive challenge //send auth request: lst the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "%s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) return 4; //recover challenge from64tobits((char *) buf1, buf + 2); free(buf); //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: sprintf(buffer, "USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer, "PASS %.250s\r\n", pass); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) { return 4; } if (buf[0] == '+') { hydra_report_found_host(port, ip, "pop3", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } /* special AS/400 hack */ if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) { hydra_completed_pair_skip(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *pass; unsigned char buf2[CHALLENGESIZE + 4]; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; recv(s, buf2, CHALLENGESIZE + 4, 0); if (vnc_client_version == RFB37) { int i; //fprintf(stderr,"number of security types supported: %d\n", buf2[0]); if (buf2[0] == 0) { hydra_report(stderr, "[ERROR] VNC server connection failed\n"); hydra_child_exit(0); } for (i = 1; i <= buf2[0]; i++) { //fprintf(stderr,"sec type %u\n",buf2[i]); //check if weak security types are available if (buf2[i] <= 0x2) { buf2[3] = buf2[i]; break; } } } //supported security type switch (buf2[3]) { case 0x0: hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]); hydra_child_exit(0); case 0x1: hydra_report(fp, "VNC server does not require authentication.\n"); if (fp != stdout) hydra_report(stdout, "VNC server does not require authentication.\n"); hydra_report_found_host(port, ip, "vnc", fp); hydra_completed_pair_found(); hydra_child_exit(2); case 0x2: //VNC security type supported is the only type supported for now if (vnc_client_version == RFB37) { sprintf(buf, "%c", 0x2); if (hydra_send(s, buf, strlen(buf), 0) < 0) { return 1; } //get authentication challenge from server if (recv(s, buf2, CHALLENGESIZE, 0) == -1) return 1; //send response vncEncryptBytes(buf2, pass); if (hydra_send(s, (char *) buf2, CHALLENGESIZE, 0) < 0) { return 1; } } else { //in old proto, challenge is following the security type vncEncryptBytes((unsigned char *) buf2 + 4, pass); if (hydra_send(s, (char *) buf2 + 4, CHALLENGESIZE, 0) < 0) { return 1; } } break; default: hydra_report(stderr, "[ERROR] unknown VNC security type\n"); hydra_child_exit(2); } //check security result value recv(s, buf, 4, 0); if (buf == NULL) return 1; switch (buf[3]) { case 0x0: hydra_report_found_host(port, ip, "vnc", fp); hydra_completed_pair_found(); free(buf); failed_auth = 0; if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; case 0x1: free(buf); if (verbose) hydra_report(stderr, "[VERBOSE] Authentication failed for password %s\n", pass); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; default: free(buf); hydra_report(stderr, "[ERROR] unknown VNC server security result %d\n", buf[3]); return 1; } return 1; /* never reached */ }
int start_smtp_enum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } if (smtp_enum_cmd == RCPT) { tosent = 0; if (pass != empty) { snprintf(buffer, sizeof(buffer), "MAIL FROM: root@%s\r\n", pass); } else { snprintf(buffer, sizeof(buffer), "MAIL FROM: root\r\n"); } if (verbose) hydra_report(stderr, "DEBUG C: %s", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (verbose) hydra_report(stderr, "DEBUG S: %s", buf); /* good return values are something like 25x */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "^25\\d\\s")) { #else if (strstr(buf, "25") != NULL) { #endif if (pass != empty) { snprintf(buffer, sizeof(buffer), "RCPT TO: %s@%s\r\n", login, pass); } else { snprintf(buffer, sizeof(buffer), "RCPT TO: %s\r\n", login); } tosent = 1; } else { err = strstr(buf, "Error"); if (err) { if (verbose) { hydra_report(stderr, "Server %s", err); } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } } } else { char cmd[5] = ""; memset(cmd, 0, sizeof(cmd)); if (smtp_enum_cmd == EXPN) strcpy(cmd, "EXPN"); else strcpy(cmd, "VRFY"); if (pass != empty) { snprintf(buffer, sizeof(buffer), "%s %s@%s\r\n", cmd, login, pass); } else { snprintf(buffer, sizeof(buffer), "%s %s\r\n", cmd, login); } } if (verbose) hydra_report(stderr, "DEBUG C: %s", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (verbose) hydra_report(stderr, "DEBUG S: %s", buf); /* good return values are something like 25x */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "^25\\d\\s")) { #else if (strstr(buf, "25") != NULL) { #endif hydra_report_found_host(port, ip, "smtp-enum", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } err = strstr(buf, "Error"); if (err || tosent) { // we should report command not identified by the server //502 5.5.2 Error: command not recognized #ifdef HAVE_PCRE if ((verbose || hydra_string_match(buf, "\\scommand\\snot\\srecognized")) && err) { #else if ((verbose || strstr(buf, "command") != NULL) && err) { #endif hydra_report(stderr, "Server %s", err); } memset(buffer, 0, sizeof(buffer)); //503 5.5.1 Error: nested MAIL command strncpy(buffer, "RSET\r\n", sizeof(buffer)); free(buf); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } void service_smtp_enum(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1, i = 0; int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL; char *buffer = "HELO hydra\r\n"; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); port = myport; } if (sock < 0) { hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } /* receive initial header */ if ((buf = hydra_receive_line(sock)) == NULL) hydra_child_exit(2); if (strstr(buf, "220") == NULL) { hydra_report(stderr, "Warning: SMTP does not allow to connect: %s\n", buf); hydra_child_exit(2); } while (strstr(buf, "220 ") == NULL) { free(buf); buf = hydra_receive_line(sock); } if (buf[0] != '2') { if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { free(buf); hydra_child_exit(2); } } if ((miscptr != NULL) && (strlen(miscptr) > 0)) { for (i = 0; i < strlen(miscptr); i++) miscptr[i] = (char) toupper((int) miscptr[i]); if (strncmp(miscptr, "EXPN", 4) == 0) smtp_enum_cmd = EXPN; if (strncmp(miscptr, "RCPT", 4) == 0) smtp_enum_cmd = RCPT; } if (verbose) { switch (smtp_enum_cmd) { case VRFY: hydra_report(stderr, "using SMTP VRFY command\n"); break; case EXPN: hydra_report(stderr, "using SMTP EXPN command\n"); break; case RCPT: hydra_report(stderr, "using SMTP RCPT TO command\n"); break; } } free(buf); next_run = 2; break; case 2: /* run the cracking function */ next_run = start_smtp_enum(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) { sock = hydra_disconnect(sock); } hydra_child_exit(0); return; default: hydra_report(stderr, "Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
int start_telnet(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[300]; int i = 0; #ifdef PALM Err error; Int32 AppNetTimeout = SysTicksPerSecond() * 10; #endif no_line_mode = 0; /* hmmm seems to work anyway */ if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; #ifdef PALM sprintf(buffer, "%s\r", login); #else sprintf(buffer, "%.250s\r", login); #endif if (no_line_mode) { for (i = 0; i < strlen(buffer) + 1; i++) { #ifdef PALM NetLibSend(AppNetRefnum, s, &buffer[i], 1, 0, 0, 0, AppNetTimeout, &error); #else send(s, &buffer[i], 1, 0); #endif usleep(2000); } } else { if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { return 1; } } do { if ((buf = hydra_receive_line(s)) == NULL) return 1; if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; free(buf); return 1; } (void) make_to_lower(buf); if (strstr(buf, "asswor") != NULL || strstr(buf, "asscode") != NULL || strstr(buf, "ennwort") != NULL) i = 1; if (i == 0 && ((strstr(buf, "ogin:") != NULL && strstr(buf, "last login") == NULL) || strstr(buf, "sername:") != NULL)) { free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } free(buf); } while (i == 0); #ifdef PALM sprintf(buffer, "%s\r", pass); #else sprintf(buffer, "%.250s\r", pass); #endif if (no_line_mode) { for (i = 0; i < strlen(buffer) + 1; i++) { #ifdef PALM NetLibSend(AppNetRefnum, s, &buffer[i], 1, 0, 0, 0, AppNetTimeout, &error); #else send(s, &buffer[i], 1, 0); #endif usleep(5000); } } else { if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { return 1; } } while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:"******"last login:"******"sername:") == NULL) { if ((miscptr != NULL && strstr(buf, miscptr) != NULL) ||(miscptr == NULL && ((index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || (strstr(buf, " failed") == NULL && index(buf, '%') != NULL))))) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_ssh(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, keep_login[300]; int auth_state = 0, rc = 0, i = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (new_session) { if (session) { ssh_disconnect(session); ssh_finalize(); ssh_free(session); } session = ssh_new(); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); ssh_options_set(session, SSH_OPTIONS_USER, login); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { //if the connection was drop, trying to reconnect if (verbose) hydra_report(stderr, "Error: could not connect to target port %d\n", port); return 1; } if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) { return 3; } else if (rc == SSH_AUTH_SUCCESS) { hydra_report_found_host(port, ip, "ssh", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; else return 1; } } else new_session = 1; auth_state = ssh_auth_list(session); if ((auth_state & SSH_AUTH_METHOD_PASSWORD) > 0) { auth_state = ssh_userauth_password(session, NULL, pass); } else if ((auth_state & SSH_AUTH_METHOD_INTERACTIVE) > 0) { auth_state = ssh_userauth_kbdint(session, NULL, NULL); while (auth_state == SSH_AUTH_INFO) { rc = ssh_userauth_kbdint_getnprompts(session); for (i = 0; i < rc; i++) ssh_userauth_kbdint_setanswer(session, i, pass); auth_state = ssh_userauth_kbdint(session, NULL, NULL); } } else { return 4; } if (auth_state == SSH_AUTH_ERROR) { new_session = 1; return 1; } if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) { hydra_report_found_host(port, ip, "ssh", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } else { strncpy(keep_login, login, sizeof(keep_login) - 1); keep_login[sizeof(keep_login) - 1] = '\0'; hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; login = hydra_get_next_login(); if (strcmp(login, keep_login) == 0) new_session = 0; return 1; } /* not reached */ return 1; }
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260]; char url[260], host[30]; char *header = ""; /* XXX TODO */ char *ptr; int auth = 0; login = hydra_get_next_login(); if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) { hydra_completed_pair(); return 1; } pass = hydra_get_next_password(); pass = empty; // ignored strncpy(url, login, sizeof(url) - 1); url[sizeof(url) - 1] = 0; ptr = strstr(login, "://") + 3; if (ptr[0] == '[') ptr++; strncpy(mhost, ptr, sizeof(mhost) - 1); mhost[sizeof(mhost) - 1] = 0; if ((ptr = index(mhost, '/')) != NULL) *ptr = 0; if ((ptr = index(mhost, ']')) != NULL) *ptr = 0; else if ((ptr = index(mhost, ':')) != NULL) *ptr = 0; if (miscptr != NULL && index(miscptr, ':') != NULL) { strncpy(mlogin, miscptr, sizeof(mlogin) - 1); mlogin[sizeof(mlogin) - 1] = 0; ptr = index(mlogin, ':'); *ptr++ = 0; strncpy(mpass, ptr, sizeof(mpass) - 1); mpass[sizeof(mpass) - 1] = 0; auth = 1; } if (http_proxy_auth_mechanism == AUTH_ERROR) { //send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive first 40x buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/") == NULL) { free(buf); buf = hydra_receive_line(s); } if (debug) hydra_report(stderr, "S:%s\n", buf); //after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port, hostname); } } if (auth) { if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", buf); } else { if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive challenge free(buf); buf = hydra_receive_line(s); while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) { free(buf); buf = hydra_receive_line(s); } if (pos != NULL) { char *str; pos += 25; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge if (buf != NULL) { if (strlen(buf) >= 4) from64tobits((char *) buf1, pos); free(buf); } //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } if (buf == NULL) return 1; } else { #ifdef LIBOPENSSL if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) { char *pbuffer; http_proxy_auth_mechanism = AUTH_DIGESTMD5; pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = buffer2; sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header); if (pbuffer == NULL) return 3; if (debug) hydra_report(stderr, "C:%s\n", buffer2); if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) return 1; free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } if (debug && buf != NULL) hydra_report(stderr, "S:%s\n", buf); if (buf == NULL) return 1; } else #endif { if (buf != NULL) { buf[strlen(buf) - 1] = '\0'; hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf); } else { hydra_report(stderr, "Unsupported Auth type\n"); } return 3; } } } } // result analysis ptr = ((char *) index(buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) { hydra_report_found_host(port, ip, "http-proxy", fp); if (fp != stdout) fprintf(fp, "[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url); printf("[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url); hydra_completed_pair_found(); } else { if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) { hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n"); return 3; } hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }