//
// dirty workaround here: miscptr is the ptr to the logins, and the first one is used
// to test if password authentication is enabled!!
//
int service_ssh_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// 1 skip target without generating an error
// 2 skip target because of protocol problems
// 3 skip target because its unreachable
#ifdef LIBSSH
int rc, method;
ssh_session session = ssh_new();
if (verbose || debug)
printf("[INFO] Testing if password authentication is supported by ssh://%s:%d\n", hydra_address2string(ip), port);
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
if (miscptr == NULL)
ssh_options_set(session, SSH_OPTIONS_USER, "hydra");
else
ssh_options_set(session, SSH_OPTIONS_USER, miscptr);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string(ip), port, ssh_get_error(session));
return 2;
}
rc = ssh_userauth_none(session, NULL);
method = ssh_userauth_list(session, NULL);
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) {
if (verbose || debug)
printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string(ip), port);
return 0;
}
fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication.\n", hydra_address2string(ip), port);
return 1;
#else
return 0;
#endif
}
int start_firebird(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass;
char database[256];
char connection_string[1024];
isc_db_handle db; /* database handle */
ISC_STATUS_ARRAY status; /* status vector */
char *dpb = NULL; /* DB parameter buffer */
short dpb_length = 0;
if (miscptr)
strncpy(database, miscptr, sizeof(database));
else
strncpy(database, DEFAULT_DB, sizeof(database));
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
dpb_length = (short) (1 + strlen(login) + 2 + strlen(pass) + 2);
if ((dpb = (char *) malloc(dpb_length)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
/* Add user and password to dpb */
*dpb = isc_dpb_version1;
dpb_length = 1;
isc_modify_dpb(&dpb, &dpb_length, isc_dpb_user_name, login, strlen(login));
isc_modify_dpb(&dpb, &dpb_length, isc_dpb_password, pass, strlen(pass));
/* Create connection string */
snprintf(connection_string, sizeof(connection_string), "%s:%s", hydra_address2string(ip), database);
if (isc_attach_database(status, 0, connection_string, &db, dpb_length, dpb)) {
/* for debugging perpose */
if (verbose) {
hydra_report(stderr, "[VERBOSE] ");
isc_print_status(status);
}
isc_free(dpb);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
} else {
isc_detach_database(status, &db);
isc_free(dpb);
hydra_report_found_host(port, ip, "firebird", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
return 1;
}
int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, mlogin[AFP_MAX_USERNAME_LEN], mpass[AFP_MAX_PASSWORD_LEN];
struct afp_url tmpurl;
/* Build AFP authentication request */
libafpclient_register(&afpclient);
afp_main_quick_startup(NULL);
init_uams();
afp_default_url(&tmpurl);
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
strncpy(tmpurl.servername, hydra_address2string(ip), AFP_SERVER_NAME_LEN - 1);
tmpurl.servername[AFP_SERVER_NAME_LEN] = 0;
strncpy(mlogin, login, AFP_MAX_USERNAME_LEN - 1);
mlogin[AFP_MAX_USERNAME_LEN - 1] = 0;
strncpy(mpass, pass, AFP_MAX_PASSWORD_LEN - 1);
mpass[AFP_MAX_PASSWORD_LEN - 1] = 0;
memcpy(&tmpurl.username, mlogin, AFP_MAX_USERNAME_LEN);
memcpy(&tmpurl.password, mpass, AFP_MAX_PASSWORD_LEN);
if (server_subconnect(tmpurl) == 0) {
hydra_report_found_host(port, ip, "afp", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
} else {
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
}
return 1;
}
int start_sshkey(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *key, keep_login[300];
int auth_state = 0, rc = 0, i = 0;
ssh_private_key privkey;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(key = hydra_get_next_password()) == 0)
key = empty;
if (new_session) {
if (session) {
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
}
session = ssh_new();
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
ssh_options_set(session, SSH_OPTIONS_USER, login);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
//if the connection was drop, exit and let hydra main handle it
if (verbose)
hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port);
return 3;
}
if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
return 3;
} else if (rc == SSH_AUTH_SUCCESS) {
hydra_report_found_host(port, ip, "sshkey", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
else
return 1;
}
} else
new_session = 1;
auth_state = ssh_auth_list(session);
if ((auth_state & SSH_AUTH_METHOD_PUBLICKEY) > 0) {
privkey = privatekey_from_file(session, key, 0, NULL);
if (!privkey) {
hydra_report(stderr, "[ERROR] skipping invalid private key: \"%s\"\n", key);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
auth_state = ssh_userauth_pubkey(session, NULL, NULL, privkey);
} else {
return 4;
}
if (auth_state == SSH_AUTH_ERROR) {
new_session = 1;
return 1;
}
if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
hydra_report_found_host(port, ip, "sshkey", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
} else {
strncpy(keep_login, login, sizeof(keep_login) - 1);
keep_login[sizeof(keep_login) - 1] = '\0';
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
login = hydra_get_next_login();
if (strcmp(login, keep_login) == 0)
new_session = 0;
return 1;
}
/* not reached */
return 1;
}
int start_postgres(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass;
char database[256];
char connection_string[1024];
PGconn *pgconn;
if (miscptr)
strncpy(database, miscptr, sizeof(database));
else
strncpy(database, DEFAULT_DB, sizeof(database));
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
/*
* Building the connection string
*/
snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '******' password = '******' ", hydra_address2string(ip), database, login, pass);
if (verbose)
hydra_report(stderr, "connection string: %s\n", connection_string);
pgconn = PQconnectdb(connection_string);
if (PQstatus(pgconn) == CONNECTION_OK) {
PQfinish(pgconn);
hydra_report_found_host(port, ip, "postgres", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
} else {
PQfinish(pgconn);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
}
return 1;
}
/*
int analyze_server_response(int socket)
return 0 or 1 when the cond regex is matched
return -1 if no response from server
*/
int analyze_server_response(int s) {
int runs = 0;
while ((buf = hydra_receive_line(s)) != NULL) {
runs++;
//check for http redirection
if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) {
redirected_flag = 1;
} else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) {
auth_flag = 1;
} else if ((strstr(buf, "HTTP/1.1 403") != NULL) || (strstr(buf, "HTTP/1.1 404") != NULL) || (strstr(buf, "HTTP/1.0 403") != NULL) || (strstr(buf, "HTTP/1.0 404") != NULL)) {
return 0;
}
if (hydra_strcasestr(buf, "Location: ") != NULL) {
char *startloc, *endloc;
char str[2048];
startloc = hydra_strcasestr(buf, "Location: ") + strlen("Location: ");
strncpy(str, startloc, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endloc = strchr(str, '\n');
if (endloc != NULL)
*endloc = 0;
endloc = strchr(str, '\r');
if (endloc != NULL)
*endloc = 0;
strcpy(redirected_url_buff, str);
}
//there can be multiple cookies
if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) {
char *cookiebuf = buf;
do {
char *startcookie, *endcookie1, *endcookie2;
char str[1024], tmpcookie[4096] = "", tmpname[128] = "", *ptr, *ptr2;
memset(str, 0, sizeof(str));
startcookie = hydra_strcasestr(cookiebuf, "Set-Cookie: ") + strlen("Set-Cookie: ");
strncpy(str, startcookie, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
endcookie1 = strchr(str, '\n');
endcookie2 = strchr(str, ';');
//terminate string after cookie data
if (endcookie1 != NULL && endcookie1 < endcookie2)
*endcookie1 = 0;
else
if (endcookie2 != NULL)
*endcookie2 = 0;
// is the cookie already there? if yes, remove it!
if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) {
strncpy(tmpname, startcookie, sizeof(tmpname) - 2);
tmpname[sizeof(tmpname) - 2] = 0;
ptr = index(tmpname, '=');
*(++ptr) = 0;
// is the cookie already in the cookiejar? (so, does it have to be replaced?)
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
}
ptr += strlen(tmpname);
// if there are any cookies after this one in the cookiejar, copy them over
if ((ptr2 = strstr(ptr, "; ")) != NULL) {
ptr2 += 2;
strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1);
}
if (debug) printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie);
strcpy(cookie, tmpcookie);
}
}
ptr = index(str, '=');
// only copy the cookie if it has a value (otherwise the server wants to delete the cookie
if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') {
if (strlen(cookie) > 0)
strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1);
strncat(cookie, str, sizeof(cookie) - strlen(cookie) - 1);
}
cookiebuf = startcookie;
} while (hydra_strcasestr(cookiebuf, "Set-Cookie: ") != NULL);
}
#ifdef HAVE_PCRE
if (hydra_string_match(buf, cond) == 1) {
#else
if (strstr(buf, cond) != NULL) {
#endif
free(buf);
// printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf);
return 1;
}
// else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf);
free(buf);
}
if (runs == 0) {
if (debug) hydra_report(stderr, "DEBUG: no response from server\n");
return -1;
}
return 0;
}
void hydra_reconnect(int s, char *ip, int port, unsigned char options) {
if (s >= 0)
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port);
}
}
int start_http_form(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) {
char *empty = "";
char *login, *pass, buffer[9000];
char header[8096], *upd3variables;
int found = !success_cond, i, j;
memset(header, 0, sizeof(header));
cookie[0] = 0; // reset cookies from potential previous attempt
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
upd3variables = strrep(variables, "^PASS^", pass);
upd3variables = strrep(upd3variables, "^USER^", login);
/* again: no snprintf to be portable. dont worry, buffer cant overflow */
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
if (getcookie) {
//doing a GET to save cookies
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla 5.0 (Hydra Proxy Auth)\r\n%s%s\r\n",
webtarget, webport, cookieurl, webtarget, proxy_authentication, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // return value ignored
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
webtarget, webport, url, webtarget, proxy_authentication, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer,
"GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy Auth)\r\n%s%s\r\n",
webtarget, webport, url, upd3variables, webtarget, proxy_authentication, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
} else {
if (use_proxy == 1) {
// proxy without authentication
if (getcookie) {
//doing a GET to get cookies
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra Proxy)\r\n%s%s\r\n", webtarget, webport, cookieurl, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
webtarget, webport, url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer, "GET http://%s:%d%.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", webtarget, webport, url, upd3variables, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
} else {
// direct web server, no proxy
if (getcookie) {
//doing a GET to save cookies
sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s\r\n", cookieurl, webtarget, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
i = analyze_server_response(s); // ignore result
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
hydra_reconnect(s, ip, port, options);
}
if (strcmp(type, "POST") == 0) {
sprintf(buffer,
"POST %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n%s%s\r\n%s",
url, webtarget, (int) strlen(upd3variables), header, userheader, upd3variables);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
} else {
sprintf(buffer, "GET %.600s?%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n%s%s\r\n", url, upd3variables, webtarget, header, userheader);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
}
}
}
found = analyze_server_response(s);
if (auth_flag) { // we received a 401 error - user using wrong module
hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %.1000s\r\n", cookie);
}
//if page was redirected, follow the location header
redirected_cpt = MAX_REDIRECT;
if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff);
while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) {
//we have to split the location
char *startloc, *endloc;
char str[2048];
char str2[2048];
char str3[2048];
redirected_cpt--;
redirected_flag = 0;
//check if the redirect page contains the fail/success condition
#ifdef HAVE_PCRE
if (hydra_string_match(redirected_url_buff, cond) == 1) {
#else
if (strstr(redirected_url_buff, cond) != NULL) {
#endif
found = success_cond;
} else {
//location could be either absolute http(s):// or / something
//or relative
startloc = strstr(redirected_url_buff, "://");
if (startloc != NULL) {
startloc += strlen("://");
if ((endloc=strchr(startloc, '\r')) != NULL) {
startloc[endloc - startloc] = 0;
}
if ((endloc=strchr(startloc, '\n')) != NULL) {
startloc[endloc - startloc] = 0;
}
strcpy(str, startloc);
endloc = strchr(str, '/');
if (endloc != NULL) {
strncpy(str2, str, endloc - str);
str2[endloc - str] = 0;
}
else
strncpy(str2, str, sizeof(str));
if (strlen(str) - strlen(str2) == 0) {
strcpy(str3, "/");
} else {
strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2) - 1);
str3[strlen(str) - strlen(str2) - 1] = 0;
}
} else {
strncpy(str2, webtarget, sizeof(str2));
if (redirected_url_buff[0] != '/') {
//it's a relative path, so we have to concatenate it
//with the path from the first url given
char *urlpath;
char urlpath_extracted[2048];
memset(urlpath_extracted, 0, sizeof(urlpath_extracted));
urlpath=strrchr(url, '/');
if (urlpath != NULL) {
strncpy(urlpath_extracted, url, urlpath-url);
sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff);
} else {
sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff);
}
} else
strncpy(str3, redirected_url_buff, sizeof(str3));
if (debug) hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3,url);
}
if (str3[0] != '/') {
j = strlen(str3);
str3[j + 1] = 0;
for (i = j; i > 0; i--)
str3[i] = str3[i - 1];
str3[0] = '/';
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3);
//re-use the code above to check for proxy use
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
webtarget, webport, str3, str2, proxy_authentication, header);
} else {
if (use_proxy == 1) {
// proxy without authentication
sprintf(buffer, "GET http://%s:%d%.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", webtarget, webport, str3, str2, header);
} else {
//direct web server, no proxy
sprintf(buffer, "GET %.600s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", str3, str2, header);
}
}
hydra_reconnect(s, ip, port, options);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
found = analyze_server_response(s);
if (strlen(cookie) > 0) {
sprintf(header, "Cookie: %s\r\n", cookie);
}
}
}
//if the last status is still 3xx, set it as a false
if (found != -1 && found == success_cond && redirected_flag == 0 && redirected_cpt >= 0) {
hydra_report_found_host(port, ip, "www-form", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
return 1;
}
void service_http_form(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
hydra_register_socket(sp);
if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
if (freemischttpform == 0) {
freemischttpform = 1;
miscptr = malloc(strlen(ptr2) + 1);
strcpy(miscptr, ptr2);
*ptr2 = 0;
}
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
webtarget = hydra_address2string(ip);
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
sprintf(bufferurl, "%.1000s", miscptr);
url = strtok(bufferurl, ":");
variables = strtok(NULL, ":");
cond = strtok(NULL, ":");
sprintf(cookieurl, "%.1000s", url);
//condition now have to contain F or S to set the fail or success condition
if (cond && (strpos(cond, "F=") == 0)) {
success_cond = 0;
cond += 2;
} else if (cond && (strpos(cond, "S=") == 0)) {
success_cond = 1;
cond += 2;
} else {
//by default condition is a fail
success_cond = 0;
}
while ((optional1 = strtok(NULL, ":")) != NULL) {
switch(optional1[0]) {
case 'c': // fall through
case 'C':
sprintf(cookieurl, "%.1000s", optional1 + 2);
break;
case 'h': // fall through
case 'H':
if (sizeof(userheader) - strlen(userheader) > 4) {
strncat(userheader, optional1 + 2, sizeof(userheader) - strlen(userheader) - 4);
strcat(userheader, ":");
optional1 = strtok(NULL, ":");
strncat(userheader, optional1, sizeof(userheader) - strlen(userheader) - 3);
strcat(userheader, "\r\n");
}
break;
// no default
}
}
while (1) {
if (run == 2) {
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
}
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http_form(sock, ip, port, options, miscptr, fp, type);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(0);
break;
case 4: /* silent error exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_child_exit(1);
break;
default:
if (freemischttpform)
free(miscptr);
freemischttpform = 0;
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
if (freemischttpform)
free(miscptr);
}
int start_oracle_sid(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
/*
PP is the packet length
XX is the length of connect data
PP + tns_packet_begin + XX + tns_packet_end
*/
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
char *empty = "";
char *login;
char connect_string[200];
char buffer2[260];
int siz = 0;
memset(connect_string, 0, sizeof(connect_string));
memset(buffer2, 0, sizeof(buffer2));
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login,
hydra_address2string(ip), port);
siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
if (siz > 255) {
buffer2[0] = 1;
buffer2[1] = siz - 256;
} else {
buffer2[1] = siz;
}
memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin));
siz = strlen(connect_string);
if (siz > 255) {
buffer2[2 + sizeof(tns_packet_begin)] = 1;
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz - 256;
} else {
buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz;
}
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end));
memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string));
if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) {
return 1;
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
//if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse
if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) {
hydra_report_found_host(port, ip, "oracle-sid", fp);
hydra_completed_pair_found();
} else
hydra_completed_pair();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
ptr_header_node ptr_head = NULL;
char *ptr, *ptr2, *proxy_string;
if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
if (freemischttpform == 0) {
if ((miscptr = malloc(strlen(ptr2) + 1)) != NULL) {
freemischttpform = 1;
strcpy(miscptr, ptr2);
*ptr2 = 0;
}
}
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
webtarget = hydra_address2string(ip);
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = PORT_HTTP;
else
webport = PORT_HTTP_SSL;
sprintf(bufferurl, "%.1000s", miscptr);
url = bufferurl;
ptr = url;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
variables = ptr;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
cond = ptr;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
optional1 = ptr;
if (strstr(url, "\\:") != NULL) {
if ((ptr = malloc(strlen(url))) != NULL) {
strcpy(ptr, hydra_strrep(url, "\\:", ":"));
url = ptr;
}
}
if (strstr(variables, "\\:") != NULL) {
if ((ptr = malloc(strlen(variables))) != NULL) {
strcpy(ptr, hydra_strrep(variables, "\\:", ":"));
variables = ptr;
}
}
if (strstr(cond, "\\:") != NULL) {
if ((ptr = malloc(strlen(cond))) != NULL) {
strcpy(ptr, hydra_strrep(cond, "\\:", ":"));
cond = ptr;
}
}
if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */ )
hydra_child_exit(2);
if (*cond == 0) {
fprintf(stderr, "[ERROR] invalid number of parameters in module option\n");
return NULL;
}
sprintf(cookieurl, "%.1000s", url);
//conditions now have to contain F or S to set the fail or success condition
if (*cond != 0 && (strpos(cond, "F=") == 0)) {
success_cond = 0;
cond += 2;
} else if (*cond != 0 && (strpos(cond, "S=") == 0)) {
success_cond = 1;
cond += 2;
} else {
//by default condition is a fail
success_cond = 0;
}
/*
* Parse the user-supplied options.
* Beware of the backslashes (\)!
*/
while (*optional1 != 0) {
switch (optional1[0]) {
case 'c': // fall through
case 'C':
ptr = optional1 + 2;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
sprintf(cookieurl, "%.1000s", hydra_strrep(optional1 + 2, "\\:", ":"));
optional1 = ptr;
break;
case 'h':
// add a new header at the end
ptr = optional1 + 2;
while (*ptr != 0 && *ptr != ':')
ptr++;
if (*(ptr - 1) == '\\')
*(ptr - 1) = 0;
if (*ptr != 0){
*ptr = 0;
ptr += 2;
}
ptr2 = ptr;
while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\'))
ptr2++;
if (*ptr2 != 0)
*ptr2++ = 0;
/*
* At this point:
* - (optional1 + 2) contains the header's name
* - ptr contains the header's value
*/
if (add_header(&ptr_head, optional1 + 2, hydra_strrep(ptr, "\\:", ":"), HEADER_TYPE_USERHEADER)) {
// Success: break the switch and go ahead
optional1 = ptr2;
break;
}
// Error: abort execution
hydra_report(stderr, "[ERROR] Out of memory for HTTP headers.");
return NULL;
case 'H':
// add a new header, or replace an existing one's value
ptr = optional1 + 2;
while (*ptr != 0 && *ptr != ':')
ptr++;
if (*(ptr - 1) == '\\')
*(ptr - 1) = 0;
if (*ptr != 0){
*ptr = 0;
ptr += 2;
}
ptr2 = ptr;
while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\'))
ptr2++;
if (*ptr2 != 0)
*ptr2++ = 0;
/*
* At this point:
* - (optional1 + 2) contains the header's name
* - ptr contains the header's value
*/
if (add_header(&ptr_head, optional1 + 2, hydra_strrep(ptr, "\\:", ":"), HEADER_TYPE_USERHEADER_REPL)) {
// Success: break the switch and go ahead
optional1 = ptr2;
break;
}
// Error: abort execution
hydra_report(stderr, "[ERROR] Out of memory for HTTP headers.");
return NULL;
// no default
}
}
/* again: no snprintf to be portable. dont worry, buffer cant overflow */
if (use_proxy == 1 && proxy_authentication != NULL) {
// proxy with authentication
add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "User-Agent", "Mozilla 5.0 (Hydra Proxy Auth)", HEADER_TYPE_DEFAULT);
proxy_string = (char *) malloc(strlen(proxy_authentication) + 6);
if (proxy_string) {
strcpy(proxy_string, "Basic ");
strncat(proxy_string, proxy_authentication, strlen(proxy_authentication) - 6);
add_header(&ptr_head, "Proxy-Authorization", proxy_string, HEADER_TYPE_DEFAULT);
} else {
hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header.");
return NULL;
}
if (getcookie) {
//doing a GET to save cookies
cookie_request = stringify_headers(&ptr_head);
}
normal_request = stringify_headers(&ptr_head);
} else {
if (use_proxy == 1) {
// proxy without authentication
add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "User-Agent", "Mozilla/5.0 (Hydra Proxy)", HEADER_TYPE_DEFAULT);
if (getcookie) {
//doing a GET to get cookies
cookie_request = stringify_headers(&ptr_head);
}
normal_request = stringify_headers(&ptr_head);
} else {
// direct web server, no proxy
add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "User-Agent", "Mozilla/5.0 (Hydra)", HEADER_TYPE_DEFAULT);
if (getcookie) {
//doing a GET to save cookies
cookie_request = stringify_headers(&ptr_head);
}
normal_request = stringify_headers(&ptr_head);
}
}
return ptr_head;
}
int start_ssh(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, keep_login[300];
int auth_state = 0, rc = 0, i = 0;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (new_session) {
if (session) {
ssh_disconnect(session);
ssh_finalize();
ssh_free(session);
}
session = ssh_new();
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
ssh_options_set(session, SSH_OPTIONS_USER, login);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
if (ssh_connect(session) != 0) {
//if the connection was drop, trying to reconnect
if (verbose)
hydra_report(stderr, "Error: could not connect to target port %d\n", port);
return 1;
}
if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
return 3;
} else if (rc == SSH_AUTH_SUCCESS) {
hydra_report_found_host(port, ip, "ssh", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
else
return 1;
}
} else
new_session = 1;
auth_state = ssh_auth_list(session);
if ((auth_state & SSH_AUTH_METHOD_PASSWORD) > 0) {
auth_state = ssh_userauth_password(session, NULL, pass);
} else if ((auth_state & SSH_AUTH_METHOD_INTERACTIVE) > 0) {
auth_state = ssh_userauth_kbdint(session, NULL, NULL);
while (auth_state == SSH_AUTH_INFO) {
rc = ssh_userauth_kbdint_getnprompts(session);
for (i = 0; i < rc; i++)
ssh_userauth_kbdint_setanswer(session, i, pass);
auth_state = ssh_userauth_kbdint(session, NULL, NULL);
}
} else {
return 4;
}
if (auth_state == SSH_AUTH_ERROR) {
new_session = 1;
return 1;
}
if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
hydra_report_found_host(port, ip, "ssh", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
} else {
strncpy(keep_login, login, sizeof(keep_login) - 1);
keep_login[sizeof(keep_login) - 1] = '\0';
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
login = hydra_get_next_login();
if (strcmp(login, keep_login) == 0)
new_session = 0;
return 1;
}
/* not reached */
return 1;
}
void service_http(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *type) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
char *ptr, *ptr2;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
if ((webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */
*ptr2 = 0;
ptr2++;
ptr = ptr2;
if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL)
miscptr = ptr;
else
miscptr = slash; /* to make things easier to user */
} else if ((ptr2 = index(webtarget, '/')) != NULL) {
miscptr = malloc(strlen(ptr2) + 1);
freemischttp = 1;
strcpy(miscptr, ptr2);
*ptr2 = 0;
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
webtarget = hydra_address2string(ip);
if (port != 0)
webport = port;
else if ((options & OPTION_SSL) == 0)
webport = myport;
else
webport = mysslport;
while (1) {
next_run = 0;
switch (run) {
case 1: /* connect and service init function */
{
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = mysslport;
}
if (sock < 0) {
if (freemischttp)
free(miscptr);
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
}
case 2: /* run the cracking function */
next_run = start_http(sock, ip, port, options, miscptr, fp, type);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
if (freemischttp)
free(miscptr);
hydra_child_exit(0);
return;
default:
if (freemischttp)
free(miscptr);
fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
void service_pop3(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) {
int run = 1, next_run = 1, sock = -1, i;
char *ptr = NULL;
//extract data from the pool, ip is the key
if (plist == NULL)
if (service_pop3_init(ip, sp, options, miscptr, fp, port) != 0)
hydra_child_exit(2);
p = list_find(ip);
if (p == NULL) {
hydra_report(stderr, "[ERROR] Could not find ip %s in pool\n", hydra_address2string(ip));
return;
}
if (list_remove(p) != 0)
hydra_report(stderr, "[ERROR] Could not find ip %s in pool to free memory\n", hydra_address2string(ip));
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
// usleep(300000);
if ((options & OPTION_SSL) == 0) {
sock = hydra_connect_tcp(ip, port);
} else {
sock = hydra_connect_ssl(ip, port);
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
buf = hydra_receive_line(sock);
if (buf == NULL || buf[0] != '+') { /* check the first line */
if (verbose || debug) hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf);
hydra_child_exit(2);
}
ptr = strstr(buf, "<");
if (ptr != NULL && buf[0] == '+') {
if (ptr[strlen(ptr) - 1] == '\n')
ptr[strlen(ptr) - 1] = 0;
if (ptr[strlen(ptr) - 1] == '\r')
ptr[strlen(ptr) - 1] = 0;
strcpy(apop_challenge, ptr);
}
free(buf);
#ifdef LIBOPENSSL
if (!p->disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock) == -1)) {
if (verbose)
hydra_report(stderr, "[ERROR] Can't use TLS\n");
p->disable_tls = 1;
}
else {
if (verbose)
hydra_report(stderr, "[VERBOSE] TLS connection done\n");
}
}
}
#endif
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_pop3(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 4: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}
}
int start_sapr3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
RFC_HANDLE handle;
char *empty = "";
char *login, *pass, buffer[1024];
char *buf;
int i;
int sysnr = port % 100;
char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0";
// char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y";
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (strlen(login) > 0)
for (i = 0; i < strlen(login); i++)
login[i] = (char) toupper(login[i]);
if (strlen(pass) > 0)
for (i = 0; i < strlen(pass); i++)
pass[i] = (char) toupper(pass[i]);
memset(buffer, 0, sizeof(buffer));
memset(&error_info, 0, sizeof(error_info));
//strcpy(buf, "mvse001");
snprintf(buffer, sizeof(buffer), "ASHOST=%s SYSNR=%02d CLIENT=%03d USER=\"%s\" PASSWD=\"%s\" LANG=DE %s", hydra_address2string(ip), sysnr, atoi(miscptr), login, pass, opts);
/*
USER=SAPCPIC PASSWORD=admin
USER=SAP* PASSWORD=PASS
## do we need these options?
SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N
ASHOST= // IP
SYSNR= // port - 3200, scale 2
CLIENT= // miscptr, scale 2
ABAP_DEBUG=0
USER=
PASSWD=
LANG=DE
*/
//printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer);
handle = RfcOpenEx(buffer, &error_info);
//printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message);
if (handle <= RFC_HANDLE_NULL)
return 3;
if (strstr(error_info.message, "sapgui") != NULL || strlen(error_info.message) == 0) {
hydra_report_found_host(port, ip, "sapr3", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
} else {
if (strstr(error_info.key, "ERROR_COMMUNICATION") != NULL) {
/* sysnr does not exist, report as port closed */
return 3;
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
}
return 1;
}
int internal__hydra_connect(char *host, int port, int protocol, int type) {
int s, ret = -1, ipv6 = 0;
#ifdef AF_INET6
struct sockaddr_in6 target6;
struct sockaddr_in6 sin6;
#endif
struct sockaddr_in target;
struct sockaddr_in sin;
char *buf, *tmpptr = NULL;
int err = 0;
#ifdef AF_INET6
memset(&target6, 0, sizeof(target6));
memset(&sin6, 0, sizeof(sin6));
if ((host[0] == 16 && proxy_string_ip[0] != 4) || proxy_string_ip[0] == 16)
ipv6 = 1;
#endif
#ifdef AF_INET6
if (ipv6)
s = socket(AF_INET6, protocol, type);
else
#endif
s = socket(PF_INET, protocol, type);
if (s >= 0) {
if (src_port != 0) {
int bind_ok = 0;
#ifdef AF_INET6
if (ipv6) {
sin6.sin6_family = AF_INET6;
sin6.sin6_port = htons(src_port);
} else
#endif
{
sin.sin_family = PF_INET;
sin.sin_port = htons(src_port);
sin.sin_addr.s_addr = INADDR_ANY;
}
//we will try to find a free port down to 512
while (!bind_ok && src_port >= 512) {
#ifdef AF_INET6
if (ipv6)
ret = bind(s, (struct sockaddr *) &sin6, sizeof(sin6));
else
#endif
ret = bind(s, (struct sockaddr *) &sin, sizeof(sin));
if (ret == -1) {
if (verbose)
perror("internal_hydra_connect error");
if (errno == EADDRINUSE) {
src_port--;
#ifdef AF_INET6
if (ipv6)
sin6.sin6_port = htons(src_port);
else
#endif
sin.sin_port = htons(src_port);
} else {
if (errno == EACCES && (getuid() > 0)) {
fprintf(stderr, "[ERROR] You need to be root to test this service\n");
close(s);
return -1;
}
}
} else
bind_ok = 1;
}
}
if (use_proxy > 0) {
if (proxy_string_ip[0] == 4) {
memcpy(&target.sin_addr.s_addr, &proxy_string_ip[1], 4);
target.sin_family = AF_INET;
target.sin_port = htons(proxy_string_port);
}
#ifdef AF_INET6
if (proxy_string_ip[0] == 16) {
memcpy(&target6.sin6_addr, &proxy_string_ip[1], 16);
target6.sin6_family = AF_INET6;
target6.sin6_port = htons(proxy_string_port);
}
#endif
} else {
if (host[0] == 4) {
memcpy(&target.sin_addr.s_addr, &host[1], 4);
target.sin_family = AF_INET;
target.sin_port = htons(port);
}
#ifdef AF_INET6
if (host[0] == 16) {
memcpy(&target6.sin6_addr, &host[1], 16);
target6.sin6_family = AF_INET6;
target6.sin6_port = htons(port);
}
#endif
}
signal(SIGALRM, alarming);
do {
if (fail > 0)
sleep(WAIT_BETWEEN_CONNECT_RETRY);
alarm_went_off = 0;
alarm(waittime);
#ifdef AF_INET6
#ifdef SO_BINDTODEVICE
if (host[17] != 0) {
setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, &host[17], strlen(&host[17]) + 1);
}
#else
#ifdef IP_FORCE_OUT_IFP
if (host[17] != 0) {
setsockopt(s, SOL_SOCKET, IP_FORCE_OUT_IFP, &host[17], strlen(&host[17]) + 1);
}
#endif
#endif
if (ipv6)
ret = connect(s, (struct sockaddr *) &target6, sizeof(target6));
else
#endif
ret = connect(s, (struct sockaddr *) &target, sizeof(target));
alarm(0);
if (ret < 0 && alarm_went_off == 0) {
fail++;
if (verbose && fail <= MAX_CONNECT_RETRY)
fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int) getpid(), fail, MAX_CONNECT_RETRY);
}
} while (ret < 0 && fail <= MAX_CONNECT_RETRY);
if (ret < 0 && fail > MAX_CONNECT_RETRY) {
if (debug)
printf("DEBUG_CONNECT_UNREACHABLE\n");
/* we wont quit here, thats up to the module to decide what to do
* fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int)getpid());
* hydra_child_exit(1);
*/
extern_socket = -1;
close(s);
ret = -1;
return ret;
}
ret = s;
extern_socket = s;
if (debug)
printf("DEBUG_CONNECT_OK\n");
err = 0;
if (use_proxy == 2) {
if ((buf = malloc(4096)) == NULL) {
fprintf(stderr, "[ERROR] could not malloc()\n");
close(s);
return -1;
}
memset(&target, 0, sizeof(target));
if (host[0] == 4) {
memcpy(&target.sin_addr.s_addr, &host[1], 4);
target.sin_family = AF_INET;
target.sin_port = htons(port);
}
#ifdef AF_INET6
memset(&target6, 0, sizeof(target6));
if (host[0] == 16) {
memcpy(&target6.sin6_addr, &host[1], 16);
target6.sin6_family = AF_INET6;
target6.sin6_port = htons(port);
}
#endif
if (hydra_strcasestr(proxy_string_type, "connect") || hydra_strcasestr(proxy_string_type, "http")) {
if (proxy_authentication == NULL)
if (host[0] == 16)
snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port);
else
snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port);
else if (host[0] == 16)
snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication);
else
snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication);
send(s, buf, strlen(buf), 0);
recv(s, buf, 4096, 0);
if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2') {
if (debug)
printf("DEBUG_CONNECT_PROXY_OK\n");
} else {
if (debug)
printf("DEBUG_CONNECT_PROXY_FAILED (Code: %c%c%c)\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
if (verbose)
fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
err = 1;
}
// free(buf);
} else {
if (hydra_strcasestr(proxy_string_type, "socks5")) {
// char buf[1024];
size_t cnt, wlen;
/* socks v5 support */
buf[0] = SOCKS_V5;
buf[1] = 1;
if (proxy_authentication == NULL)
buf[2] = SOCKS_NOAUTH;
else
buf[2] = SOCKS_PASSAUTH;
cnt = hydra_send(s, buf, 3, 0);
if (cnt != 3) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt);
err = 1;
} else {
cnt = hydra_recv(s, buf, 2);
if (cnt != 2) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt);
err = 1;
}
if ((unsigned int) buf[1] == SOCKS_NOMETHOD) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n");
err = 1;
}
/* SOCKS_DOMAIN not supported here, do we need it ? */
if (err != 1) {
/* send user/pass */
if (proxy_authentication != NULL) {
//format was checked previously
char *login = strtok(proxy_authentication, ":");
char *pass = strtok(NULL, ":");
snprintf(buf, sizeof(buf), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass);
cnt = hydra_send(s, buf, strlen(buf), 0);
if (cnt != strlen(buf)) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/3)\n", cnt);
err = 1;
} else {
cnt = hydra_recv(s, buf, 2);
if (cnt != 2) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt);
err = 1;
}
if (buf[1] != 0) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication failure\n");
err = 1;
} else {
if (debug)
hydra_report(stderr, "[DEBUG] SOCKS5 proxy authentication success\n");
}
}
}
#ifdef AF_INET6
if (ipv6) {
/* Version 5, connect: IPv6 address */
buf[0] = SOCKS_V5;
buf[1] = SOCKS_CONNECT;
buf[2] = 0;
buf[3] = SOCKS_IPV6;
memcpy(buf + 4, &target6.sin6_addr, sizeof target6.sin6_addr);
memcpy(buf + 20, &target6.sin6_port, sizeof target6.sin6_port);
wlen = 22;
} else {
#endif
/* Version 5, connect: IPv4 address */
buf[0] = SOCKS_V5;
buf[1] = SOCKS_CONNECT;
buf[2] = 0;
buf[3] = SOCKS_IPV4;
memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr);
memcpy(buf + 8, &target.sin_port, sizeof target.sin_port);
wlen = 10;
#ifdef AF_INET6
}
#endif
cnt = hydra_send(s, buf, wlen, 0);
if (cnt != wlen) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy write failed (%zu/%zu)\n", cnt, wlen);
err = 1;
} else {
cnt = hydra_recv(s, buf, 10);
if (cnt != 10) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/10)\n", cnt);
err = 1;
}
if (buf[1] != 0) {
/* 0x05 = connection refused by destination host */
if (buf[1] == 5)
hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n");
else
hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]);
err = 1;
}
}
}
}
} else {
if (hydra_strcasestr(proxy_string_type, "socks4")) {
if (ipv6) {
hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n");
err = 1;
} else {
// char buf[1024];
size_t cnt, wlen;
/* socks v4 support */
buf[0] = SOCKS_V4;
buf[1] = SOCKS_CONNECT; /* connect */
memcpy(buf + 2, &target.sin_port, sizeof target.sin_port);
memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr);
buf[8] = 0; /* empty username */
wlen = 9;
cnt = hydra_send(s, buf, wlen, 0);
if (cnt != wlen) {
hydra_report(stderr, "[ERROR] SOCKS4 proxy write failed (%zu/%zu)\n", cnt, wlen);
err = 1;
} else {
cnt = hydra_recv(s, buf, 8);
if (cnt != 8) {
hydra_report(stderr, "[ERROR] SOCKS4 proxy read failed (%zu/8)\n", cnt);
err = 1;
}
if (buf[1] != 90) {
/* 91 = 0x5b = request rejected or failed */
if (buf[1] == 91)
hydra_report(stderr, "[ERROR] SOCKS proxy request failed\n");
else
hydra_report(stderr, "[ERROR] SOCKS error %d\n", buf[1]);
err = 1;
}
}
}
} else {
hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type);
err = 1;
}
}
}
free(buf);
}
if (err) {
close(s);
extern_socket = -1;
ret = -1;
close(s);
return ret;
}
fail = 0;
return ret;
}
return ret;
}
int start_oracle(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[200], sid[100];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
strncpy(sid, miscptr, sizeof(sid));
snprintf(buffer, sizeof(buffer), "//%s:%d/%s", hydra_address2string(ip), port, sid);
/*
To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries.
The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name].
With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name].
Service names can be found by running the Oracle utility lsnrctl status on the database server machine.
The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin
and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web
daemon has read access to the file.
*/
if (OCIInitialize(OCI_DEFAULT, NULL, NULL, NULL, NULL)) {
print_oracle_error("OCIInitialize");
return 4;
}
if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) {
print_oracle_error("OCIEnvInit");
return 4;
}
if (OCIEnvInit(&o_environment, OCI_DEFAULT, 0, NULL)) {
print_oracle_error("OCIEnvInit 2");
return 4;
}
if (OCIHandleAlloc(o_environment, (dvoid **) & o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) {
print_oracle_error("OCIHandleAlloc");
return 4;
}
if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *) login, strlen(login), (const OraText *) pass, strlen(pass), (const OraText *) buffer, strlen(buffer))) {
OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR);
//database: oracle_error: ORA-01017: invalid username/password; logon denied
//database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
//database: oracle_error: ORA-28000: the account is locked
//Failed login attempts is set to 10 by default
if (verbose) {
hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg);
}
if (strstr((const char *) o_errormsg, "ORA-12514") != NULL) {
hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n");
}
if (strstr((const char *) o_errormsg, "ORA-28000") != NULL) {
hydra_report(stderr, "[ERROR] ORACLE account %s is locked.\n", login);
}
if (o_error) {
OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR);
}
hydra_completed_pair();
//by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening,
//as we don't care, we are deleting the file
//set these parameters to not generate the file
//LOG_DIRECTORY_CLIENT = /dev/null
//LOG_FILE_CLIENT = /dev/null
unlink("sqlnet.log");
return 2;
} else {
OCILogoff(o_servicecontext, o_error);
if (o_error) {
OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR);
}
hydra_report_found_host(port, ip, "oracle", fp);
hydra_completed_pair_found();
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260];
char url[260], host[30];
char *header = ""; /* XXX TODO */
char *ptr;
int auth = 0;
login = hydra_get_next_login();
if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) {
hydra_completed_pair();
return 1;
}
pass = hydra_get_next_password();
pass = empty; // ignored
strncpy(url, login, sizeof(url) - 1);
url[sizeof(url) - 1] = 0;
ptr = strstr(login, "://") + 3;
if (ptr[0] == '[')
ptr++;
strncpy(mhost, ptr, sizeof(mhost) - 1);
mhost[sizeof(mhost) - 1] = 0;
if ((ptr = index(mhost, '/')) != NULL)
*ptr = 0;
if ((ptr = index(mhost, ']')) != NULL)
*ptr = 0;
else if ((ptr = index(mhost, ':')) != NULL)
*ptr = 0;
if (miscptr != NULL && index(miscptr, ':') != NULL) {
strncpy(mlogin, miscptr, sizeof(mlogin) - 1);
mlogin[sizeof(mlogin) - 1] = 0;
ptr = index(mlogin, ':');
*ptr++ = 0;
strncpy(mpass, ptr, sizeof(mpass) - 1);
mpass[sizeof(mpass) - 1] = 0;
auth = 1;
}
if (http_proxy_auth_mechanism == AUTH_ERROR) {
//send dummy request
sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive first 40x
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (debug)
hydra_report(stderr, "S:%s\n", buf);
//after the first query we should have been disconnected from web server
s = hydra_disconnect(s);
if ((options & OPTION_SSL) == 0) {
s = hydra_connect_tcp(ip, port);
} else {
s = hydra_connect_ssl(ip, port, hostname);
}
}
if (auth) {
if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) {
http_proxy_auth_mechanism = AUTH_BASIC;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
free(buf);
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
//if server cut the connection, just exit cleanly or
//this will be an infinite loop
if (buf == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Server did not answer\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", buf);
} else {
if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) {
unsigned char buf1[4096];
unsigned char buf2[4096];
char *pos = NULL;
http_proxy_auth_mechanism = AUTH_NTLM;
//send auth and receive challenge
//send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2));
/* to be portable, no snprintf, buffer is big enough so it cant overflow */
//send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
//receive challenge
free(buf);
buf = hydra_receive_line(s);
while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (pos != NULL) {
char *str;
pos += 25;
if ((str = strchr(pos, '\r')) != NULL) {
pos[str - pos] = 0;
}
if ((str = strchr(pos, '\n')) != NULL) {
pos[str - pos] = 0;
}
}
//recover challenge
if (buf != NULL) {
if (strlen(buf) >= 4)
from64tobits((char *) buf1, pos);
free(buf);
}
//Send response
buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (buf == NULL)
return 1;
} else {
#ifdef LIBOPENSSL
if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer;
http_proxy_auth_mechanism = AUTH_DIGESTMD5;
pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
pbuffer = buffer2;
sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (pbuffer == NULL)
return 3;
if (debug)
hydra_report(stderr, "C:%s\n", buffer2);
if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0)
return 1;
free(buf);
buf = hydra_receive_line(s);
while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) {
free(buf);
buf = hydra_receive_line(s);
}
if (debug && buf != NULL)
hydra_report(stderr, "S:%s\n", buf);
if (buf == NULL)
return 1;
} else
#endif
{
if (buf != NULL) {
buf[strlen(buf) - 1] = '\0';
hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf);
} else {
hydra_report(stderr, "Unsupported Auth type\n");
}
return 3;
}
}
}
}
// result analysis
ptr = ((char *) index(buf, ' ')) + 1;
if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) {
hydra_report_found_host(port, ip, "http-proxy", fp);
if (fp != stdout)
fprintf(fp, "[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url);
printf("[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url);
hydra_completed_pair_found();
} else {
if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) {
hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n");
return 3;
}
hydra_completed_pair();
}
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
