char *imap_read_server_capacity(int32_t sock) { char *ptr = NULL; int32_t resp = 0; char *buf = NULL; do { if (buf != NULL) free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { if (strstr(buf, "CAPABILITY") != NULL && buf[0] == '*') { resp = 1; usleepn(300); /* we got the capability info then get the completed warning info from server */ while (hydra_data_ready(sock)) { free(buf); buf = hydra_receive_line(sock); } } else { if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; if (isdigit((int32_t) *ptr) && *(ptr + 1) == ' ') { resp = 1; } } } } while (buf != NULL && resp == 0); return buf; }
void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, int32_t tls) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_FTP, mysslport = PORT_FTP_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) hydra_child_exit(0); while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport, hostname); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); hydra_child_exit(1); } usleepn(250); buf = hydra_receive_line(sock); if (buf == NULL || buf[0] != '2') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an FTP protocol or service shutdown: %s\n", buf); hydra_child_exit(2); if (buf != NULL) free(buf); hydra_child_exit(2); } while (buf != NULL && strncmp(buf, "220 ", 4) != 0 && strstr(buf, "\n220 ") == NULL) { free(buf); buf = hydra_receive_line(sock); } free(buf); //this mode is manually chosen, so if it fails we giving up if (tls) { if (hydra_send(sock, "AUTH TLS\r\n", strlen("AUTH TLS\r\n"), 0) < 0) { hydra_child_exit(2); } buf = hydra_receive_line(sock); if (buf == NULL) { if (verbose || debug) hydra_report(stderr, "[ERROR] Not an FTP protocol or service shutdown: %s\n", buf); hydra_child_exit(2); } if (buf[0] == '2') { if ((hydra_connect_to_ssl(sock, hostname) == -1) && verbose) { hydra_report(stderr, "[ERROR] Can't use TLS\n"); hydra_child_exit(2); } else { if (verbose) hydra_report(stderr, "[VERBOSE] TLS connection done\n"); } } else { hydra_report(stderr, "[ERROR] TLS negotiation failed %s\n", buf); hydra_child_exit(2); } free(buf); } next_run = 2; break; case 2: /* run the cracking function */ next_run = start_ftp(sock, ip, port, options, miscptr, fp); break; case 3: /* error exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } }
int start_telnet(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[300]; int i = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; sprintf(buffer, "%.250s\r", login); if (no_line_mode) { for (i = 0; i < strlen(buffer); i++) { if (strcmp(&buffer[i], "\r") == 0) { send(s, "\r\0", 2, 0); } else { send(s, &buffer[i], 1, 0); } usleepn(20); } } else { if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { return 1; } } do { if ((buf = hydra_receive_line(s)) == NULL) return 1; if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } (void) make_to_lower(buf); if (hydra_strcasestr(buf, "asswor") != NULL || hydra_strcasestr(buf, "asscode") != NULL || hydra_strcasestr(buf, "ennwort") != NULL) i = 1; if (i == 0 && ((strstr(buf, "ogin:") != NULL && strstr(buf, "last login") == NULL) || strstr(buf, "sername:") != NULL)) { free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } free(buf); } while (i == 0); sprintf(buffer, "%.250s\r", pass); if (no_line_mode) { for (i = 0; i < strlen(buffer); i++) { if (strcmp(&buffer[i], "\r") == 0) { send(s, "\r\0", 2, 0); } else { send(s, &buffer[i], 1, 0); } usleepn(20); } } else { if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { return 1; } } /*win7 answering with do terminal type = 0xfd 0x18 */ while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:"******"last login:"******"sername:") == NULL) { if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL && (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); } hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
void service_vnc(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int run = 1, next_run = 1, sock = -1; int myport = PORT_VNC, mysslport = PORT_VNC_SSL; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport, hostname); port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } usleepn(300); buf = hydra_receive_line(sock); if (buf == NULL || (strncmp(buf, "RFB", 3) != 0)) { /* check the first line */ hydra_report(stderr, "[ERROR] Not a VNC protocol or service shutdown: %s\n", buf); hydra_child_exit(2); } if (strstr(buf, " security failures") != NULL) { /* check the first line */ /* VNC has a 'blacklisting' scheme that blocks an IP address after five unsuccessful connection attempts. The IP address is initially blocked for ten seconds, but this doubles for each unsuccessful attempt thereafter. A successful connection from an IP address resets the blacklist timeout. This is built in to VNC Server and does not rely on operating system support. */ failed_auth++; hydra_report(stderr, "VNC server reported too many authentication failures, have to wait some seconds ...\n"); sleep(12 * failed_auth); free(buf); next_run = 1; break; } if (verbose) hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf); if (((strstr(buf, "RFB 004.001") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) { //using proto version 003.008 to talk to server 004.001 same for 3.7 and 3.8 vnc_client_version = RFB37; free(buf); buf = strdup("RFB 003.007\n"); } else { //for RFB 3.3 and fake 3.5 vnc_client_version = RFB33; free(buf); buf = strdup("RFB 003.003\n"); } hydra_send(sock, buf, strlen(buf), 0); next_run = 2; break; case 2: /* run the cracking function */ next_run = start_vnc(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; case 4: if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } }
void service_nntp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int i = 0, run = 1, next_run = 1, sock = -1; int myport = PORT_NNTP, mysslport = PORT_NNTP_SSL, disable_tls = 0; char *buffer1 = "CAPABILITIES\r\n"; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport, hostname); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); hydra_child_exit(1); } // usleepn(300); buf = hydra_receive_line(sock); if (buf == NULL || buf[0] != '2') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); hydra_child_exit(2); } free(buf); /* send capability request */ if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0) hydra_child_exit(2); buf = nntp_read_server_capacity(sock); if (buf == NULL) { hydra_child_exit(2); } #ifdef LIBOPENSSL if (!disable_tls) { /* if we got a positive answer */ if (strstr(buf, "STARTTLS") != NULL) { hydra_send(sock, "STARTTLS\r\n", strlen("STARTTLS\r\n"), 0); free(buf); buf = hydra_receive_line(sock); /* 382 Begin TLS negotiation now */ if (buf == NULL || strstr(buf, "382") == NULL) { if (verbose) hydra_report(stderr, "[VERBOSE] TLS negotiation failed\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1)) { if (verbose) hydra_report(stderr, "[ERROR] Can't use TLS\n"); disable_tls = 1; run = 1; break; } else { if (verbose) hydra_report(stderr, "[VERBOSE] TLS connection done\n"); } /* ask again capability request but in TLS mode */ if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0) hydra_child_exit(2); /* we asking again cause often plain and login can only be negociate in SSL tunnel */ buf = nntp_read_server_capacity(sock); if (buf == NULL) { hydra_child_exit(2); } } } } #endif /* AUTHINFO USER SASL SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "SASL\\s.*NTLM")) { #else if (strstr(buf, "NTLM") != NULL) { #endif nntp_auth_mechanism = AUTH_NTLM; } #ifdef LIBOPENSSL #ifdef HAVE_PCRE if (hydra_string_match(buf, "SASL\\s.*DIGEST-MD5")) { #else if (strstr(buf, "DIGEST-MD5") != NULL) { #endif nntp_auth_mechanism = AUTH_DIGESTMD5; } #ifdef HAVE_PCRE if (hydra_string_match(buf, "SASL\\s.*CRAM-MD5")) { #else if (strstr(buf, "CRAM-MD5") != NULL) { #endif nntp_auth_mechanism = AUTH_CRAMMD5; } #endif #ifdef HAVE_PCRE if (hydra_string_match(buf, "SASL\\s.*PLAIN")) { #else if (strstr(buf, "PLAIN") != NULL) { #endif nntp_auth_mechanism = AUTH_PLAIN; } #ifdef HAVE_PCRE if (hydra_string_match(buf, "SASL\\s.*LOGIN")) { #else if (strstr(buf, "LOGIN") != NULL) { #endif nntp_auth_mechanism = AUTH_LOGIN; } #ifdef HAVE_PCRE if (hydra_string_match(buf, "AUTHINFO\\sUSER")) { #else if (strstr(buf, "AUTHINFO USER") != NULL) { #endif nntp_auth_mechanism = AUTH_CLEAR; } if ((miscptr != NULL) && (strlen(miscptr) > 0)) { for (i = 0; i < strlen(miscptr); i++) miscptr[i] = (char) toupper((int) miscptr[i]); if (strncmp(miscptr, "USER", 4) == 0) nntp_auth_mechanism = AUTH_CLEAR; if (strncmp(miscptr, "LOGIN", 5) == 0) nntp_auth_mechanism = AUTH_LOGIN; if (strncmp(miscptr, "PLAIN", 5) == 0) nntp_auth_mechanism = AUTH_PLAIN; #ifdef LIBOPENSSL if (strncmp(miscptr, "CRAM-MD5", 8) == 0) nntp_auth_mechanism = AUTH_CRAMMD5; if (strncmp(miscptr, "DIGEST-MD5", 10) == 0) nntp_auth_mechanism = AUTH_DIGESTMD5; #endif if (strncmp(miscptr, "NTLM", 4) == 0) nntp_auth_mechanism = AUTH_NTLM; } if (verbose) { switch (nntp_auth_mechanism) { case AUTH_CLEAR: hydra_report(stderr, "[VERBOSE] using NNTP AUTHINFO USER mechanism\n"); break; case AUTH_LOGIN: hydra_report(stderr, "[VERBOSE] using NNTP LOGIN AUTH mechanism\n"); break; case AUTH_PLAIN: hydra_report(stderr, "[VERBOSE] using NNTP PLAIN AUTH mechanism\n"); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: hydra_report(stderr, "[VERBOSE] using NNTP CRAM-MD5 AUTH mechanism\n"); break; case AUTH_DIGESTMD5: hydra_report(stderr, "[VERBOSE] using NNTP DIGEST-MD5 AUTH mechanism\n"); break; #endif case AUTH_NTLM: hydra_report(stderr, "[VERBOSE] using NNTP NTLM AUTH mechanism\n"); break; } } usleepn(25); free(buf); next_run = 2; break; case 2: /* run the cracking function */ next_run = start_nntp(sock, ip, port, options, miscptr, fp); break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } } int service_nntp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here return 0; }