/* RFC 4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism sasl_plain computes the plain authentication from strings login and password and stored the value in variable result the first parameter result must be able to hold at least 255 bytes! */ void sasl_plain(char *result, char *login, char *pass) { char *preplogin; char *preppasswd; int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { result = NULL; return; } rc = sasl_saslprep(pass, 0, &preppasswd); if (rc) { free(preplogin); result = NULL; return; } if (2 * strlen(preplogin) + 3 + strlen(preppasswd) < 180) { strcpy(result, preplogin); strcpy(result + strlen(preplogin) + 1, preplogin); strcpy(result + 2 * strlen(preplogin) + 2, preppasswd); hydra_tobase64((unsigned char *) result, strlen(preplogin) * 2 + strlen(preppasswd) + 2, 250); } free(preplogin); free(preppasswd); }
int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } switch (smtp_auth_mechanism) { case AUTH_PLAIN: sprintf(buffer, "AUTH PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSLNEW case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "AUTH CRAM-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTH DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //send auth and receive challenge buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "AUTH NTLM %s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf); free(buf); return 3; } //recover challenge from64tobits((char *) buf1, buf + 4); free(buf); buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: /* by default trying AUTH LOGIN */ sprintf(buffer, "AUTH LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; /* 504 5.7.4 Unrecognized authentication type */ if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled\nor server is not using auth: %s\n", buf); free(buf); return 3; } free(buf); sprintf(buffer2, "%.250s", login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH : %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer2, "%.250s", pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); #ifdef LIBOPENSSLNEW if (smtp_auth_mechanism == AUTH_DIGESTMD5) { if (strstr(buf, "334") != NULL) { memset(buffer2, 0, sizeof(buffer2)); from64tobits((char *) buffer2, buf + 4); if (strstr(buffer2, "rspauth=") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } } else #endif { if (strstr(buf, "235") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; char url[210], host[30]; char *header = ""; /* XXX TODO */ char *ptr, *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (miscptr == NULL) { strcpy(url, "http://www.microsoft.com/"); strcpy(host, "Host: www.microsoft.com\r\n"); } else { sprintf(url, "%.200s", miscptr); ptr = strstr(miscptr, "://"); // :// check is in hydra.c sprintf(host, "Host: %.200s", ptr + 3); if ((ptr = index(host, '/')) != NULL) *ptr = 0; if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[') *ptr = 0; strcat(host, "\r\n"); } if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) { //send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; //receive first 40x http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_proxy_buf); free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_proxy_buf); //after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port, hostname); } } if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_proxy_buf); } else { if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; //receive challenge free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (pos != NULL) { char *str; pos += 25; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) { from64tobits((char *) buf1, pos); free(http_proxy_buf); http_proxy_buf = NULL; return 3; } //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; if (http_proxy_buf != NULL) free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (http_proxy_buf == NULL) return 3; } else { #ifdef LIBOPENSSL if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) { char *pbuffer; http_proxy_auth_mechanism = AUTH_DIGESTMD5; pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = NULL; fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header); if (fooptr == NULL) return 3; if (debug) hydra_report(stderr, "C:%s\n", buffer2); if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) return 3; free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } if (debug && http_proxy_buf != NULL) hydra_report(stderr, "S:%s\n", http_proxy_buf); if (http_proxy_buf == NULL) return 3; } else #endif { if (http_proxy_buf != NULL) { // buf[strlen(http_proxy_buf) - 1] = '\0'; hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf); free(http_proxy_buf); http_proxy_buf = NULL; } else { hydra_report(stderr, "Unsupported Auth type\n"); } return 3; } } } ptr = ((char *) index(http_proxy_buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) { hydra_report_found_host(port, ip, "http-proxy", fp); hydra_completed_pair_found(); free(http_proxy_buf); http_proxy_buf = NULL; } else { if (*ptr != '4') hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass); else if (verbose && *(ptr + 2) == '3') hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass); hydra_completed_pair(); free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (http_proxy_buf != NULL) return 2; else return 1; }
int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) { char *empty = ""; char *login, *pass, *buffer, buffer2[500]; char *header; char *ptr, *fooptr; int32_t complete_line = 0, buffer_size; char tmpreplybuf[1024] = "", *tmpreplybufptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; if (strcmp(type, "POST") == 0) add_header(&ptr_head, "Content-Length", "0", HEADER_TYPE_DEFAULT); header = stringify_headers(&ptr_head); buffer_size = strlen(header) + 500; if(!(buffer = malloc(buffer_size))) { free(header); return 3; } // we must reset this if buf is NULL and we do MD5 digest if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5) http_auth_mechanism = AUTH_BASIC; if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; switch (http_auth_mechanism) { case AUTH_BASIC: sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. don't worry, buffer can't overflow */ if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, header); else sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); break; #ifdef LIBOPENSSL case AUTH_DIGESTMD5:{ char *pbuffer; pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1); buffer[buffer_size - 1] = '\0'; fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header); if (fooptr == NULL) { free(buffer); free(header); return 3; } if (debug) hydra_report(stderr, "C:%s\n", buffer2); strcpy(buffer, buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it can't overflow */ //send the first.. if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buffer); free(header); return 1; } //receive challenge if (http_buf != NULL) free(http_buf); http_buf = hydra_receive_line(s); if (http_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); free(buffer); free(header); return 3; } pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM "); if (pos != NULL) { char *str; pos += 23; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } else { hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n"); return 3; } //recover challenge from64tobits((char *) buf1, pos); free(http_buf); http_buf = NULL; //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); //create the auth response if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buffer); free(header); return 1; } if (http_buf != NULL) free(http_buf); http_buf = hydra_receive_line(s); complete_line = 0; tmpreplybuf[0] = 0; while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) { if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf); if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) { strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1); tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0; free(http_buf); http_buf = hydra_receive_line(s); } else if (tmpreplybuf[0] != 0) { complete_line = 1; if ((tmpreplybufptr = malloc(strlen(tmpreplybuf) + strlen(http_buf) + 1)) != NULL) { strcpy(tmpreplybufptr, tmpreplybuf); strcat(tmpreplybufptr, http_buf); free(http_buf); http_buf = tmpreplybufptr; if (debug) printf("http_buf now: %s\n", http_buf); } } else { free(http_buf); http_buf = hydra_receive_line(s); } } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (http_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); free(buffer); free(header); return 3; } if (debug) hydra_report(stderr, "S:%s\n", http_buf); ptr = ((char *) index(http_buf, ' ')); if (ptr != NULL) ptr++; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); if (http_buf != NULL) { free(http_buf); http_buf = NULL; } } else { if (ptr != NULL && *ptr != '4') fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass); //the first authentication type failed, check the type from server header if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { //seems the auth supported is not Basic scheme so testing further int32_t find_auth = 0; if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) { http_auth_mechanism = AUTH_NTLM; find_auth = 1; } #ifdef LIBOPENSSL if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) { http_auth_mechanism = AUTH_DIGESTMD5; find_auth = 1; } #endif if (find_auth) { // free(http_buf); // http_buf = NULL; free(buffer); free(header); return 1; } } hydra_completed_pair(); } // free(http_buf); // http_buf = NULL; free(buffer); free(header); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; char *header = ""; /* XXX TODO */ char *ptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; switch (http_auth_mechanism) { case AUTH_BASIC: sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, header); else sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); break; #ifdef LIBOPENSSL case AUTH_DIGESTMD5:{ char *pbuffer; pbuffer = hydra_strcasestr(buf, "WWW-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header); if (buffer2 == NULL) { return 3; } if (debug) hydra_report(stderr, "C:%s\n", buffer2); strcpy(buffer, buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive challenge buf = hydra_receive_line(s); while (buf != NULL && (pos = hydra_strcasestr(buf, "WWW-Authenticate: NTLM ")) == NULL) { free(buf); buf = hydra_receive_line(s); } if (buf == NULL) return 1; if (pos != NULL) { char *str; pos+=23; if ((str=strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str=strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge from64tobits((char *) buf1, pos); free(buf); //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); //create the auth response if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else sprintf(buffer, "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (debug) hydra_report(stderr, "C:%s\n", buffer); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", buf); ptr = ((char *) index(buf, ' ')) + 1; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); } else { if (ptr != NULL && *ptr != '4') fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass); //the first authentication type failed, check the type from server header if ((hydra_strcasestr(buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { //seems the auth supported is not Basic shceme so testing further int find_auth = 0; if (hydra_strcasestr(buf, "WWW-Authenticate: NTLM") != NULL) { http_auth_mechanism = AUTH_NTLM; find_auth = 1; } #ifdef LIBOPENSSL if (hydra_strcasestr(buf, "WWW-Authenticate: Digest") != NULL) { http_auth_mechanism = AUTH_DIGESTMD5; find_auth = 1; } #endif if (find_auth) { free(buf); return 1; } } hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[500], buffer2[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s) > 0) { if ((buf = hydra_receive_line(s)) == NULL) return 4; free(buf); } switch (p->pop3_auth_mechanism) { #ifdef LIBOPENSSL case AUTH_APOP:{ MD5_CTX c; unsigned char md5_raw[MD5_DIGEST_LENGTH]; int i; char *pbuffer = buffer2; MD5_Init(&c); MD5_Update(&c, apop_challenge, strlen(apop_challenge)); MD5_Update(&c, pass, strlen(pass)); MD5_Final(md5_raw, &c); for (i = 0; i < MD5_DIGEST_LENGTH; i++) { sprintf(pbuffer, "%02x", md5_raw[i]); pbuffer += 2; } sprintf(buffer, "APOP %s %s\r\n", login, buffer2); } break; #endif case AUTH_LOGIN:{ sprintf(buffer, "AUTH LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); } break; case AUTH_PLAIN:{ sprintf(buffer, "AUTH PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); } break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: case AUTH_CRAMSHA1: case AUTH_CRAMSHA256:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5: sprintf(buffer, "AUTH CRAM-MD5\r\n"); break; case AUTH_CRAMSHA1: sprintf(buffer, "AUTH CRAM-SHA1\r\n"); break; case AUTH_CRAMSHA256: sprintf(buffer, "AUTH CRAM-SHA256\r\n"); break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5: hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf); break; } free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 2); free(buf); memset(buffer2, 0, sizeof(buffer2)); switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5:{ sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA1:{ sasl_cram_sha1(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA256:{ sasl_cram_sha256(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; } hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTH DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf); free(buf); if (verbose) hydra_report(stderr, "[VERBOSE] S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "[VERBOSE] C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //Send auth request sprintf(buffer, "AUTH NTLM\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf); free(buf); return 3; } free(buf); //send auth and receive challenge //send auth request: lst the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "%s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) return 4; //recover challenge from64tobits((char *) buf1, buf + 2); free(buf); //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: sprintf(buffer, "USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 4; if (buf[0] != '+') { hydra_report(stderr, "[ERROR] POP3 protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer, "PASS %.250s\r\n", pass); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) { return 4; } if (buf[0] == '+') { hydra_report_found_host(port, ip, "pop3", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } /* special AS/400 hack */ if (strstr(buf, "CPF2204") != NULL || strstr(buf, "CPF22E3") != NULL || strstr(buf, "CPF22E4") != NULL || strstr(buf, "CPF22E5") != NULL) { hydra_completed_pair_skip(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s)) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } switch (imap_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSLNEW case AUTH_CRAMMD5: case AUTH_CRAMSHA1: case AUTH_CRAMSHA256:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } switch (imap_auth_mechanism) { case AUTH_CRAMMD5: sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter); break; case AUTH_CRAMSHA1: sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter); break; case AUTH_CRAMSHA256: sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter); break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { switch (imap_auth_mechanism) { case AUTH_CRAMMD5: hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf); break; } free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 2); free(buf); memset(buffer2, 0, sizeof(buffer2)); switch (imap_auth_mechanism) { case AUTH_CRAMMD5:{ sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA1:{ sasl_cram_sha1(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA256:{ sasl_cram_sha256(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; } hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; case AUTH_SCRAMSHA1:{ char clientfirstmessagebare[200]; char serverfirstmessage[200]; char *preplogin; int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf); free(buf); return 3; } free(buf); snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); free(preplogin); memset(buffer2, 0, sizeof(buffer2)); sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); free(buf); return 1; } else { /* recover server challenge */ memset(buffer, 0, sizeof(buffer)); //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2 from64tobits((char *) buffer, buf + 2); free(buf); strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage); if (buffer2 == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); return 1; } hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //Send auth request sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf); free(buf); return 3; } free(buf); //send auth and receive challenge //send auth request: lst the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "%s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) return (1); //recover challenge from64tobits((char *) buf1, buf + 2); free(buf); //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: //clear authentication sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { if (verbose) hydra_report(stderr, "[ERROR] %s\n", buf); free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (counter == 4) return 1; return (2); } free(buf); hydra_report_found_host(port, ip, "imap", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
char *nntp_read_server_capacity(int sock) { char *ptr = NULL; int resp = 0; char *buf = NULL; do { if (buf != NULL) free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { if (isdigit((int) buf[0]) && buf[3] == ' ') resp = 1; else { if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; #ifdef NO_RINDEX if ((ptr = strrchr(buf, '\n')) != NULL) { #else if ((ptr = rindex(buf, '\n')) != NULL) { #endif ptr++; if (isdigit((int) *ptr) && *(ptr + 3) == ' ') resp = 1; } } } } while (buf != NULL && resp == 0); return buf; } int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[300], buffer2[500]; int i = 1; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (i > 0 && hydra_data_ready(s) > 0) i = hydra_recv(s, buffer, 300); switch (nntp_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "AUTHINFO SASL LOGIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: sprintf(buffer, "AUTHINFO SASL PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); sasl_plain(buffer, login, pass); sprintf(buffer, "%.250s\r\n", buffer); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); sprintf(buffer, "%s %.250s", preplogin, buffer2); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer, "%.250s\r\n", buffer); free(preplogin); } break; case AUTH_DIGESTMD5:{ sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buf + 4); free(buf); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; #endif case AUTH_NTLM:{ unsigned char buf1[4096]; unsigned char buf2[4096]; //send auth and receive challenge buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char*)buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (buf == NULL || strstr(buf, "383") == NULL) { hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf); free(buf); return 3; } //recover challenge from64tobits((char *) buf1, buf + 4); free(buf); buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "%s\r\n", (char*)buf1); } break; default:{ sprintf(buffer, "AUTHINFO USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] != '3') { if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); free(buf); return (3); } free(buf); sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass); } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (buf[0] == '2') { hydra_report_found_host(port, ip, "nntp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; }
int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; char *login, *pass, buffer[500], buffer2[500]; char *AUTH_STR = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='"; char *AUTH_STR_END = "'/>"; char *CHALLENGE_STR = "<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"; char *CHALLENGE_STR2 = "<challenge xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">"; char *CHALLENGE_END_STR = "</challenge>"; char *RESPONSE_STR = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"; char *RESPONSE_END_STR = "</response>"; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; switch (xmpp_auth_mechanism) { case AUTH_SCRAMSHA1: sprintf(buffer, "%s%s%s", AUTH_STR, "SCRAM-SHA-1", AUTH_STR_END); break; case AUTH_CRAMMD5: sprintf(buffer, "%s%s%s", AUTH_STR, "CRAM-MD5", AUTH_STR_END); break; case AUTH_DIGESTMD5: sprintf(buffer, "%s%s%s", AUTH_STR, "DIGEST-MD5", AUTH_STR_END); break; case AUTH_PLAIN: sprintf(buffer, "%s%s%s", AUTH_STR, "PLAIN", AUTH_STR_END); break; default: sprintf(buffer, "%s%s%s", AUTH_STR, "LOGIN", AUTH_STR_END); break; } hydra_send(s, buffer, strlen(buffer), 0); usleep(300000); buf = hydra_receive_line(s); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buf); if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { /* the challenge string is sent depending of the auth chosen it's the case for login auth */ char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); int chglen = ptr_end - ptr - strlen(CHALLENGE_STR); if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); } switch (xmpp_auth_mechanism) { case AUTH_LOGIN:{ if (strstr(buffer, "sername") != NULL) { strncpy(buffer2, login, sizeof(buffer2) - 1); buffer2[sizeof(buffer2) - 1] = '\0'; hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buf); return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; /* server now would ask for the password */ if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); int chglen = ptr_end - ptr - strlen(CHALLENGE_STR); if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); if (strstr(buffer, "assword") != NULL) { strncpy(buffer2, pass, sizeof(buffer2) - 1); buffer2[sizeof(buffer2) - 1] = '\0'; hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); } } else { hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); free(buf); return 1; } free(buf); } } } break; #ifdef LIBOPENSSL case AUTH_PLAIN:{ memset(buffer2, 0, sizeof(buffer)); sasl_plain(buffer2, login, pass); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer); } break; case AUTH_CRAMMD5:{ int rc = 0; char *preplogin; memset(buffer2, 0, sizeof(buffer2)); sasl_cram_md5(buffer2, pass, buffer); rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "%.200s %.250s", preplogin, buffer2); if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR); strncpy(buffer, buffer2, sizeof(buffer) - 1); buffer[sizeof(buffer) - 1] = '\0'; free(preplogin); } break; case AUTH_DIGESTMD5:{ memset(buffer2, 0, sizeof(buffer2)); sasl_digest_md5(buffer2, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); if (buffer2 == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); } break; case AUTH_SCRAMSHA1:{ /*client-first-message */ char clientfirstmessagebare[200]; char *preplogin; int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); free(preplogin); sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { char serverfirstmessage[200]; char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); int chglen = ptr_end - ptr - strlen(CHALLENGE_STR); if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; } else { hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); free(buf); return 1; } /*server-first-message */ memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage); if (buffer2 == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); free(buf); return 1; } hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); } else { if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); free(buf); return 1; } free(buf); } break; #endif } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } usleep(50000); buf = hydra_receive_line(s); if (buf == NULL) return 1; //we test the challenge tag as digest-md5 when connected is sending "rspauth" value //so if we are receiving a second challenge we assume the auth is good if ((strstr(buf, "<success") != NULL) || (strstr(buf, "<challenge ") != NULL)) { hydra_report_found_host(port, ip, "xmpp", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } if (verbose) hydra_report(stderr, "[ERROR] %s\n", buf); free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } if (strstr(buf, "<failure")) { hydra_report(stderr, "[ERROR] Protocol failure, try using another auth method. %s\n", strstr(buf, "<failure")); } return 3; }
int start_http(int s, unsigned long int ip, int port, unsigned char options, char *miscptr, FILE * fp, char *type) { char *empty = ""; char *login, *pass, buffer[500], buffer2[110]; char *header = ""; /* XXX TODO */ char *ptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. dont worry, buffer cant overflow */ if (use_proxy == 1 && proxy_authentication != NULL) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication, header); else { if (use_proxy == 1) sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buffer2, header); else sprintf(buffer, "%s %.250s HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); while (strstr(buf, "HTTP/1.") == NULL && buf != NULL) buf = hydra_receive_line(s); if (buf == NULL) return 1; /* while (hydra_data_ready(s) > 0) recv(s, buffer, sizeof(buf), 0); buf = hydra_receive_line(s); */ ptr = ((char *) index(buf, ' ')) + 1; if (ptr != NULL && (*ptr == '2' || strncmp(ptr, "301", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); } else { if (ptr != NULL && *ptr != '4') printf("Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass); hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }
int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260]; char url[260], host[30]; char *header = ""; /* XXX TODO */ char *ptr; int auth = 0; login = hydra_get_next_login(); if (login == NULL || strlen(login) == 0 || strstr(login, "://") == NULL) { hydra_completed_pair(); return 1; } pass = hydra_get_next_password(); pass = empty; // ignored strncpy(url, login, sizeof(url) - 1); url[sizeof(url) - 1] = 0; ptr = strstr(login, "://") + 3; if (ptr[0] == '[') ptr++; strncpy(mhost, ptr, sizeof(mhost) - 1); mhost[sizeof(mhost) - 1] = 0; if ((ptr = index(mhost, '/')) != NULL) *ptr = 0; if ((ptr = index(mhost, ']')) != NULL) *ptr = 0; else if ((ptr = index(mhost, ':')) != NULL) *ptr = 0; if (miscptr != NULL && index(miscptr, ':') != NULL) { strncpy(mlogin, miscptr, sizeof(mlogin) - 1); mlogin[sizeof(mlogin) - 1] = 0; ptr = index(mlogin, ':'); *ptr++ = 0; strncpy(mpass, ptr, sizeof(mpass) - 1); mpass[sizeof(mpass) - 1] = 0; auth = 1; } if (http_proxy_auth_mechanism == AUTH_ERROR) { //send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive first 40x buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/") == NULL) { free(buf); buf = hydra_receive_line(s); } if (debug) hydra_report(stderr, "S:%s\n", buf); //after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); } else { s = hydra_connect_ssl(ip, port, hostname); } } if (auth) { if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) hydra_report(stderr, "S:%s\n", buf); } else { if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; //send auth and receive challenge //send auth request: let the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); /* to be portable, no snprintf, buffer is big enough so it cant overflow */ //send the first.. sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; //receive challenge free(buf); buf = hydra_receive_line(s); while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) { free(buf); buf = hydra_receive_line(s); } if (pos != NULL) { char *str; pos += 25; if ((str = strchr(pos, '\r')) != NULL) { pos[str - pos] = 0; } if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } } //recover challenge if (buf != NULL) { if (strlen(buf) >= 4) from64tobits((char *) buf1, pos); free(buf); } //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } if (buf == NULL) return 1; } else { #ifdef LIBOPENSSL if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) { char *pbuffer; http_proxy_auth_mechanism = AUTH_DIGESTMD5; pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = buffer2; sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header); if (pbuffer == NULL) return 3; if (debug) hydra_report(stderr, "C:%s\n", buffer2); if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) return 1; free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); buf = hydra_receive_line(s); } if (debug && buf != NULL) hydra_report(stderr, "S:%s\n", buf); if (buf == NULL) return 1; } else #endif { if (buf != NULL) { buf[strlen(buf) - 1] = '\0'; hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf); } else { hydra_report(stderr, "Unsupported Auth type\n"); } return 3; } } } } // result analysis ptr = ((char *) index(buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) { hydra_report_found_host(port, ip, "http-proxy", fp); if (fp != stdout) fprintf(fp, "[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url); printf("[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string(ip), url); hydra_completed_pair_found(); } else { if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) { hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n"); return 3; } hydra_completed_pair(); } free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; }