int service_s7_300_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here int sock = -1; int s7port = PORT_S7_300; char *empty = ""; char *pass, buffer[1024]; char context[S7PASSLEN + 1]; unsigned char encoded_password[S7PASSLEN]; char *spaces = " "; unsigned char len_pass; int ret = -1; int i; if (port != 0) s7port = port; if (debug || verbose) printf("[INFO] Checking authentication setup...\n"); sock = hydra_connect_tcp(ip, s7port); if (sock < 0) { hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", s7port); return -1; } pass = empty; // prepare password memset(context, 0, sizeof(context)); strncat(context, spaces, S7PASSLEN - strlen(pass)); // encode password encoded_password[0] = context[0] ^ 0x55; encoded_password[1] = context[1] ^ 0x55; for (i = 2; i < S7PASSLEN; i++) { encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ; } // send p_cotp and check first 2 bytes of answer if (hydra_send(sock, (char *) p_cotp, 22, 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service\n"); return -1; } memset(buffer, 0, sizeof(buffer)); if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) <= 0) { fprintf(stderr, "[ERROR] did not received data from the service\n"); return -1; } if (ret < 2 || (buffer[0] != 0x03 && buffer[1] != 0x00)) { fprintf(stderr, "[ERROR] invalid reply to init packet\n"); return -1; } // send p_s7_negotiate_pdu and check first 2 bytes of answer if (hydra_send(sock, (char *) p_s7_negotiate_pdu, 25, 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service (2)\n"); return -1; } memset(buffer, 0, sizeof(buffer)); if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) <= 0) { fprintf(stderr, "[ERROR] did not received data from the service (2)\n"); return -1; } if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00)) { fprintf(stderr, "[ERROR] invalid reply to init packet (2)\n"); return -1; } // send p_s7_read_szl and check first 2 bytes of answer if (hydra_send(sock, (char *) p_s7_read_szl, 33, 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service (3)\n"); return -1; } memset(buffer, 0, sizeof(buffer)); if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) >= 0) { fprintf(stderr, "[ERROR] did not received data from the service (3)\n"); return -1; } if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) { fprintf(stderr, "[ERROR] invalid reply to init packet (3)\n"); return -1; } // so now add encoded_password to p_s7_password_request and send memset(buffer, 0, sizeof(buffer)); memcpy(buffer, p_s7_password_request, 29); memcpy(buffer + 29, encoded_password, S7PASSLEN); if (hydra_send(sock, buffer, 29 + S7PASSLEN , 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service (4)\n"); return -1; } memset(buffer, 0, sizeof(buffer)); if ((ret = hydra_recv_nb(sock, buffer, sizeof(buffer))) <= 0) { fprintf(stderr, "[ERROR] did not received data from the service (4)\n"); return -1; } // now check answer // 0x0000 - valid password // 0xd605 - no password // 0xd602 - wrong password if (ret > 30) { if ((buffer[27] == '\x00' && buffer[28] == '\x00') || (buffer[27] == '\xd6' && buffer[28] == '\x05')) { hydra_report(stderr, "[INFO] No password protection enabled!\n"); return -1; } } sock = hydra_disconnect(sock); return 0; }
int start_s7_300(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *pass, buffer[1024]; char context[S7PASSLEN + 1]; unsigned char encoded_password[S7PASSLEN]; char *spaces = " "; unsigned char len_pass; int ret = -1; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; // prepare password memset(context, 0, sizeof(context)); if (strlen(pass) < S7PASSLEN) { strncpy(context, pass, strlen(pass)); strncat(context, spaces, S7PASSLEN - strlen(pass) ); } else { strncpy(context, pass, S7PASSLEN); } // encode password encoded_password[0] = context[0] ^ 0x55; encoded_password[1] = context[1] ^ 0x55; int i; for (i = 2; i < S7PASSLEN; i++) { encoded_password[i] = context[i] ^ encoded_password[i-2] ^ 0x55 ; } // send p_cotp and check first 2 bytes of answer if (hydra_send(s, (char *) p_cotp, 22, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) return 3; // send p_s7_negotiate_pdu and check first 2 bytes of answer if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) return 3; // send p_s7_read_szl and check first 2 bytes of answer if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 2 && (buffer[0] != 0x03 && buffer[1] != 0x00) ) return 3; // so now add encoded_password to p_s7_password_request and send memset(buffer, 0, sizeof(buffer)); memcpy(buffer, p_s7_password_request, 29); memcpy(buffer + 29, encoded_password, S7PASSLEN); if (hydra_send(s, buffer, 29 + S7PASSLEN , 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret=hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; // now check answer // 0x0000 - valid password // 0xd605 - no password // 0xd602 - wrong password if (ret > 30 ) { if (buffer[27] == '\x00' && buffer[28] == '\x00') { hydra_report_found_host(port, ip, "s7-300", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } if (buffer[27] == '\xd6' && buffer[28] == '\x05') { //hydra_report_found_host(port, ip, "s7-300", fp); hydra_completed_pair_found(); hydra_report(stderr, "[INFO] No password protection enabled\n"); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; }
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[1024]; char ms_login[MSLEN + 1]; char ms_pass[MSLEN + 1]; unsigned char len_login, len_pass; int32_t ret = -1; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (strlen(login) > MSLEN) login[MSLEN - 1] = 0; if (strlen(pass) > MSLEN) pass[MSLEN - 1] = 0; len_login = strlen(login); len_pass = strlen(pass); memset(ms_login, 0, MSLEN + 1); memset(ms_pass, 0, MSLEN + 1); strcpy(ms_login, login); strcpy(ms_pass, pass); memset(buffer, 0, sizeof(buffer)); memcpy(buffer, p_hdr, 39); memcpy(buffer + 39, ms_login, MSLEN); memcpy(buffer + MSLEN + 39, &len_login, 1); memcpy(buffer + MSLEN + 1 + 39, ms_pass, MSLEN); memcpy(buffer + MSLEN + 1 + 39 + MSLEN, &len_pass, 1); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1, p_pk2, 110); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110, &len_pass, 1); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1, ms_pass, MSLEN); memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN, p_pk3, 270); if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0) return 1; if (hydra_send(s, (char *) p_lng, 71, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret = hydra_recv_nb(s, buffer, sizeof(buffer)); if (ret <= 0) return 3; if (ret > 10 && buffer[8] == '\xe3') { hydra_report_found_host(port, ip, "mssql", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; }