david sadly cant help maintain hydra anymore

van Hauser 2014-09-11 20:34:44 +02:00
parent 63a92b9d05
commit 0a07987392
6 changed files with 666 additions and 670 deletions


@ -2,6 +2,8 @@ Changelog for hydra
-------------------
Release 8.1-pre
* David Maciejak, my co-maintainer moved to a different job and country and can not help with Hydra anymore - sadly! Wish you all the best!
* Added patch Strunk18 which adds h/H header options for http-form-*, still buggy though
* Fixed for cisco-enable if an intial Login/Password is used (thanks to joswr1te for reporting)
* Added patch by tux-mind for better MySQL compilation and an Android patches and Makefile. Thanks!
* Added xhydra gtk patch by Petar Kaleychev to support -e r reverse login attempt, thanks!

2
README

@ -3,7 +3,7 @@
(c) 2001-2014 by van Hauser / THC
<vh@thc.org> http://www.thc.org
co-maintained by David (dot) Maciejak @ gmail (dot) com
many modules were written by David (dot) Maciejak @ gmail (dot) com
BFG code by Jan Dlabal <dlabaljan@gmail.com>
Licensed under AGPLv3 (see LICENSE file)

File diff suppressed because it is too large Load diff


@ -113,7 +113,7 @@ Show summary of options.
.br
The programs are documented fully by van Hauser <vh@thc.org>
.SH AUTHOR
hydra was written by van Hauser / THC <vh@thc.org> and is co-maintained by David Maciejak <david.maciejak@gmail.com>.
hydra was written by van Hauser / THC <vh@thc.org>
.PP
This manual page was written by Daniel Echeverry <epsilon77@gmail.com>,

102
hydra.c

@ -47,7 +47,8 @@ extern void service_http_proxy(char *ip, int sp, unsigned char options, char *mi
extern void service_xmpp(char *target, char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
extern void service_irc(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
extern void service_http_proxy_urlenum(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
extern void service_s7_300(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port);
extern void service_s7_300(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
// ADD NEW SERVICES HERE
#ifdef HAVE_MATH_H
@ -132,12 +133,14 @@ extern int service_http_proxy_urlenum_init(char *ip, int sp, unsigned char optio
extern int service_vmauthd_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
extern int service_vnc_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
extern int service_xmpp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
extern int service_s7_300_init(char *ip, int sp, unsigned char options, char *miscptr, FILE *fp, int port);
extern int service_s7_300_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port);
// ADD NEW SERVICES HERE
// ADD NEW SERVICES HERE
char *SERVICES = "asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
char *SERVICES =
"asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
#define MAXBUF 520
#define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 )
@ -158,8 +161,6 @@ char *SERVICES = "asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-
#define VERSION "v8.1-dev"
#define AUTHOR "van Hauser/THC"
#define EMAIL "<vh@thc.org>"
#define AUTHOR2 "David Maciejak"
#define EMAIL2 "<david.maciejak@gmail.com>"
#define RESOURCE "http://www.thc.org/thc-hydra"
extern char *hydra_strcasestr(const char *haystack, const char *needle);
@ -264,6 +265,7 @@ typedef struct {
// external vars
extern char HYDRA_EXIT[5];
#if !defined(ANDROID) && !defined(__BIONIC__)
extern int errno;
#endif
@ -353,9 +355,7 @@ void help(int ext) {
printf(" OPT some service modules support additional input (-U for module help)\n");
printf("\nSupported services: %s\n", SERVICES);
printf
("\n%s is a tool to guess/crack valid login/password pairs. Licensed under AGPL\nv3.0. The newest version is always available at %s\n",
PROGRAM, RESOURCE);
printf("\n%s is a tool to guess/crack valid login/password pairs. Licensed under AGPL\nv3.0. The newest version is always available at %s\n", PROGRAM, RESOURCE);
printf("Don't use in military or secret service organizations, or for illegal purposes.\n");
if (ext && strlen(unsupported) > 0) {
if (unsupported[strlen(unsupported) - 1] == ' ')
@ -565,15 +565,11 @@ void module_usage() {
" C=/page/uri to define a different page to gather initial cookies from\n"
" (h|H)=My-Hdr: foo to send a user defined HTTP header with each request\n"
" ^USER^ and ^PASS^ can also be put into these headers!\n"
" Note that 'h' and 'H' are not the same. The former will add the user-defined header at the end"
" regardless it's already being sent by Hydra or not. The latter will replace the value of that header"
" if it exists, by the one supplied by the user, or add the header at the end if it does not exist."
" For example: 'h=User-Agent: Googlebot' would send two 'User-Agent' headers, the one supplied by default"
" ('Mozilla/5.0 (Hydra)'), and the one supplied by the user ('Googlebot'). 'H=User-Agent: Googlebot' would"
" only send a single 'User-Agent' header with the value supplied, effectively replacing the default user agent."
" This is useful to pass hidden CSRF token fields that are tied to a previously issued cookie and are unique"
" for each session. Various C/H/h parameters can be specified separated by colons and optionally intermixed."
"Examples:\n"
" Note: 'h' will add the user-defined header at the end\n"
" regardless it's already being sent by Hydra or not.\n"
" 'H' will replace the value of that header if it exists, by the\n"
" one supplied by the user, or add the header at the end\n"
"\nExamples:\n"
" \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
" \"/login.php:user=^USER^&pass=^PASS^&colon=colon\\:escape:S=authlog=.*success\"\n"
" \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
@ -825,7 +821,7 @@ void hydra_restore_read() {
pass_ptr = csv_ptr = login_ptr;
}
hydra_targets = malloc((hydra_brains.targets + 3 )* sizeof(hydra_targets));
hydra_targets = malloc((hydra_brains.targets + 3) * sizeof(hydra_targets));
for (j = 0; j < hydra_brains.targets; j++) {
hydra_targets[j] = malloc(sizeof(hydra_target));
fck = (int) fread(hydra_targets[j], sizeof(hydra_target), 1, f);
@ -873,7 +869,7 @@ void hydra_restore_read() {
hydra_targets[j]->use_count = 0;
hydra_targets[j]->failed = 0;
}
hydra_heads = malloc((hydra_options.max_use + 2 ) * sizeof(int) + 8);
hydra_heads = malloc((hydra_options.max_use + 2) * sizeof(int) + 8);
for (j = 0; j < hydra_options.max_use; j++) {
hydra_heads[j] = malloc(sizeof(hydra_head));
fck = (int) fread(hydra_heads[j], sizeof(hydra_head), 1, f);
@ -976,7 +972,7 @@ unsigned long int countlines(FILE * fp, int colonmode) {
}
rewind(fp);
free(buf);
(void)fstat(fileno(fp), &st);
(void) fstat(fileno(fp), &st);
size_of_data = st.st_size + 1;
return lines;
}
@ -1153,7 +1149,7 @@ void hydra_service_init(int target_no) {
if (strcmp(hydra_options.service, "xmpp") == 0)
x = service_xmpp_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
if (strcmp(hydra_options.service, "s7-300") == 0)
x = service_s7_300_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
x = service_s7_300_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
// ADD NEW SERVICES HERE
if (x != 0 && x != 99) {
@ -1339,15 +1335,16 @@ int hydra_spawn_head(int head_no, int target_no) {
service_sip(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
#endif
if (strcmp(hydra_options.service, "xmpp") == 0)
service_xmpp(hydra_targets[target_no]->target, hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
service_xmpp(hydra_targets[target_no]->target, hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp,
hydra_targets[target_no]->port);
if (strcmp(hydra_options.service, "irc") == 0)
service_irc(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
#ifdef LIBOPENSSL
if (strcmp(hydra_options.service, "rdp") == 0)
service_rdp(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
#endif
if (strcmp(hydra_options.service, "s7-300") == 0)
service_s7_300(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
if (strcmp(hydra_options.service, "s7-300") == 0)
service_s7_300(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port);
// ADD NEW SERVICES HERE
// just in case a module returns (which it shouldnt) we let it exit here
@ -1356,7 +1353,7 @@ int hydra_spawn_head(int head_no, int target_no) {
child_head_no = -1;
if (hydra_heads[head_no]->pid > 0) {
fck = write(hydra_heads[head_no]->sp[1], "n", 1); // yes, a small "n" - this way we can distinguish later if the client successfully tested a pair and is requesting a new one or the mother did that
(void)fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK);
(void) fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK);
if (hydra_heads[head_no]->redo != 1)
hydra_heads[head_no]->target_no = target_no;
hydra_heads[head_no]->active = 1;
@ -1516,14 +1513,14 @@ void hydra_increase_fail_count(int target_no, int head_no) {
printf("[DEBUG] hydra_increase_fail_count: %d >= %d => disable\n", hydra_targets[target_no]->fail_count,
MAXFAIL + (hydra_options.tasks <= 4 && hydra_targets[target_no]->ok ? 6 - hydra_options.tasks : 1) + (hydra_options.tasks - hydra_targets[target_no]->failed < 5
&& hydra_targets[target_no]->ok ? 6 - (hydra_options.tasks -
hydra_targets[target_no]->
failed) : 1) +
(hydra_targets[target_no]->ok ? 2 : -2));
hydra_targets
[target_no]->failed) : 1)
+ (hydra_targets[target_no]->ok ? 2 : -2));
if (hydra_targets[target_no]->fail_count >=
MAXFAIL + (hydra_options.tasks <= 4 && hydra_targets[target_no]->ok ? 6 - hydra_options.tasks : 1) + (hydra_options.tasks - hydra_targets[target_no]->failed < 5
&& hydra_targets[target_no]->ok ? 6 - (hydra_options.tasks -
hydra_targets[target_no]->
failed) : 1) +
hydra_targets
[target_no]->failed) : 1) +
(hydra_targets[target_no]->ok ? 2 : -2)
) {
k = 0;
@ -1943,8 +1940,8 @@ int hydra_send_next_pair(int target_no, int head_no) {
}
if (debug || hydra_options.showAttempt) {
printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %lu of %lu [child %d]\n",
hydra_targets[target_no]->redo_state ? "REDO-" : snp_is_redo ? "RE-" : "", hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr,
hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no);
hydra_targets[target_no]->redo_state ? "REDO-" : snp_is_redo ? "RE-" : "", hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr,
hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no);
}
loop_cnt = 0;
return 0;
@ -2045,7 +2042,7 @@ int main(int argc, char *argv[]) {
struct sockaddr_in6 *ipv6 = NULL;
struct sockaddr_in *ipv4 = NULL;
printf("%s %s (c) 2014 by %s & %s - Please do not use in military or secret service organizations, or for illegal purposes.\n\n", PROGRAM, VERSION, AUTHOR, AUTHOR2);
printf("%s %s (c) 2014 by %s - Please do not use in military or secret service organizations, or for illegal purposes.\n\n", PROGRAM, VERSION, AUTHOR);
#ifndef LIBPOSTGRES
SERVICES = hydra_string_replace(SERVICES, "postgres ", "");
strcat(unsupported, "postgres ");
@ -2396,7 +2393,7 @@ int main(int argc, char *argv[]) {
hydra_options.port = port = atoi(port_pos);
if (param_pos != NULL) {
if (strstr(hydra_options.service, "http") != NULL && strstr(hydra_options.service, "http-proxy") == NULL && param_pos[1] != '/')
*--param_pos = '/';
*--param_pos = '/';
hydra_options.miscptr = param_pos;
}
//printf("target: %s service: %s port: %s opt: %s\n", target_pos, hydra_options.service, port_pos, param_pos);
@ -2768,7 +2765,7 @@ int main(int argc, char *argv[]) {
i = 2;
if (hydra_options.login == NULL) {
//hydra_options.login = empty_login;
i = 1; // login will be the initial Username: login, or line Password:
i = 1; // login will be the initial Username: login, or line Password:
}
if (hydra_options.miscptr == NULL) {
fprintf(stderr, "[WARNING] You did not supply the initial support to the Cisco via -l, assuming direct console access\n");
@ -2929,7 +2926,8 @@ int main(int argc, char *argv[]) {
}
if (hydra_options.ssl == 1 && strncmp(hydra_options.service, "http-", 5 == 0) && hydra_options.port == 443)
fprintf(stderr, "[WARNING] you specified port 443 for attacking a http service, however did not specify the -S ssl switch nor used https-..., therefore using plain HTTP\n");
fprintf(stderr,
"[WARNING] you specified port 443 for attacking a http service, however did not specify the -S ssl switch nor used https-..., therefore using plain HTTP\n");
if (hydra_options.loop_mode && hydra_options.colonfile != NULL)
bail("The loop mode option (-u) works with all modes - except colon files (-C)\n");
@ -3125,11 +3123,11 @@ int main(int argc, char *argv[]) {
bail("Could not allocate enough memory for target data");
sizeinfile = size_of_data;
if (countinfile > MAX_LINES / 1000) {
fprintf(stderr, "[ERROR] Maximum number of target file entries is %d, this file has %d entries.\n", MAX_LINES / 1000, (int)countinfile);
fprintf(stderr, "[ERROR] Maximum number of target file entries is %d, this file has %d entries.\n", MAX_LINES / 1000, (int) countinfile);
exit(-1);
}
if (sizeinfile > MAX_BYTES / 1000) {
fprintf(stderr, "[ERROR] Maximum size of the server file is %d, this file has %d bytes.\n", MAX_BYTES / 1000, (int)sizeinfile);
fprintf(stderr, "[ERROR] Maximum size of the server file is %d, this file has %d bytes.\n", MAX_BYTES / 1000, (int) sizeinfile);
exit(-1);
}
if ((servers_ptr = malloc(sizeinfile + countservers + 8)) == NULL)
@ -3144,9 +3142,9 @@ int main(int argc, char *argv[]) {
hydra_targets[i]->target = tmpptr;
if ((tmpptr2 = index(hydra_targets[i]->target, ':')) != NULL) {
*tmpptr2++ = 0;
hydra_targets[i]->port = atoi(tmpptr2);
if (hydra_targets[i]->port < 1 || hydra_targets[i]->port > 65535)
hydra_targets[i]->port = 0;
hydra_targets[i]->port = atoi(tmpptr2);
if (hydra_targets[i]->port < 1 || hydra_targets[i]->port > 65535)
hydra_targets[i]->port = 0;
}
if (hydra_targets[i]->port == 0)
hydra_targets[i]->port = hydra_options.port;
@ -3159,6 +3157,7 @@ int main(int argc, char *argv[]) {
unsigned int four_from, four_to, addr_cur, addr_cur2, k, l;
in_addr_t addr4;
struct sockaddr_in target;
hydra_options.cidr = 1;
do_retry = 0;
if ((tmpptr = malloc(strlen(hydra_options.server) + 1)) == NULL) {
@ -3193,7 +3192,7 @@ int main(int argc, char *argv[]) {
hydra_targets[i] = malloc(sizeof(hydra_target));
memset(hydra_targets[i], 0, sizeof(hydra_target));
addr_cur2 = htonl(addr_cur);
memcpy(&target.sin_addr.s_addr, (char*) &addr_cur2, 4);
memcpy(&target.sin_addr.s_addr, (char *) &addr_cur2, 4);
hydra_targets[i]->target = strdup(inet_ntoa((struct in_addr) target.sin_addr));
hydra_targets[i]->port = hydra_options.port;
addr_cur++;
@ -3202,7 +3201,7 @@ int main(int argc, char *argv[]) {
if (verbose)
printf("[VERBOSE] CIDR attack from %s to %s\n", hydra_targets[0]->target, hydra_targets[l - 1]->target);
printf("[WARNING] The CIDR attack mode is still beta. Please report issues.\n");
} else { // standard: single target on command line
} else { // standard: single target on command line
countservers = hydra_brains.targets = 1;
hydra_targets = malloc(sizeof(int) * 4);
hydra_targets[0] = malloc(sizeof(hydra_target));
@ -3364,12 +3363,13 @@ int main(int argc, char *argv[]) {
if (hydra_options.ssl)
options = options | OPTION_SSL;
if (hydra_options.colonfile != NULL)
printf("[DATA] max %d task%s per %d server%s, overall %d tasks, %lu login tr%s, ~%lu tr%s per task\n", hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s", hydra_brains.targets,
hydra_brains.targets == 1 ? "" : "s", hydra_options.max_use, hydra_brains.todo, hydra_brains.todo == 1 ? "y" : "ies", math2, math2 == 1 ? "y" : "ies");
printf("[DATA] max %d task%s per %d server%s, overall %d tasks, %lu login tr%s, ~%lu tr%s per task\n", hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s",
hydra_brains.targets, hydra_brains.targets == 1 ? "" : "s", hydra_options.max_use, hydra_brains.todo, hydra_brains.todo == 1 ? "y" : "ies", math2,
math2 == 1 ? "y" : "ies");
else
printf("[DATA] max %d task%s per %d server%s, overall %d tasks, %lu login tr%s (l:%lu/p:%lu), ~%lu tr%s per task\n", hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s", hydra_brains.targets,
hydra_brains.targets == 1 ? "" : "s", hydra_options.max_use, hydra_brains.todo, hydra_brains.todo == 1 ? "y" : "ies", (unsigned long int) hydra_brains.countlogin,
(unsigned long int) hydra_brains.countpass, math2, math2 == 1 ? "y" : "ies");
printf("[DATA] max %d task%s per %d server%s, overall %d tasks, %lu login tr%s (l:%lu/p:%lu), ~%lu tr%s per task\n", hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s",
hydra_brains.targets, hydra_brains.targets == 1 ? "" : "s", hydra_options.max_use, hydra_brains.todo, hydra_brains.todo == 1 ? "y" : "ies",
(unsigned long int) hydra_brains.countlogin, (unsigned long int) hydra_brains.countpass, math2, math2 == 1 ? "y" : "ies");
printf("[DATA] attacking service %s on port %d\n", hydra_options.service, port);
@ -3494,8 +3494,8 @@ int main(int argc, char *argv[]) {
// should we do the init centrally or should each child do that?
// that depends largely on the number of targets and maximum tasks
// if (hydra_brains.targets == 1 || (hydra_brains.targets < 4 && hydra_options.tasks / hydra_brains.targets > 4 && hydra_brains.todo > 15))
for (i = 0; i < hydra_brains.targets; i++)
hydra_service_init(i);
for (i = 0; i < hydra_brains.targets; i++)
hydra_service_init(i);
starttime = elapsed_status = elapsed_restore = time(NULL);
fflush(stdout);
@ -3683,7 +3683,7 @@ int main(int argc, char *argv[]) {
hydra_brains.sent, // tries
(long unsigned int) ((elapsed_status - starttime) / 3600), // hours
(long unsigned int) (((elapsed_status - starttime) % 3600) / 60), // minutes
hydra_brains.todo_all - hydra_brains.sent <= 0 ? 1 : hydra_brains.todo_all - hydra_brains.sent, // left todo
hydra_brains.todo_all - hydra_brains.sent <= 0 ? 1 : hydra_brains.todo_all - hydra_brains.sent, // left todo
(long unsigned int) (((double) hydra_brains.todo_all - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime))
) / 3600, // hours
(((long unsigned int) (((double) hydra_brains.todo_all - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime))
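Review bot: The `hydra_heads` allocation in the second `hydra_restore_read` hunk sizes an array of pointers with `sizeof(int)`: the following lines store `malloc(sizeof(hydra_head))` results in `hydra_heads[j]`, so on LP64 targets the buffer is too small once `hydra_options.max_use` exceeds 4 and the loop writes past its end. Size it by element and check the result before the loop, e.g. `hydra_heads = malloc((hydra_options.max_use + 2) * sizeof(*hydra_heads));` followed by a NULL check. The `hydra_targets` allocation in the hunk before it is correct only because `sizeof(hydra_targets)` happens to be a pointer size; `sizeof(*hydra_targets)` would state the intent. Separately, the port-443 warning in `main` is guarded by `strncmp(hydra_options.service, "http-", 5 == 0)`, where the misplaced parenthesis makes the length argument 0, so the call returns 0 and the warning can never print; `strncmp(hydra_options.service, "http-", 5) == 0` looks like what was meant. The commit only re-spaces these lines, and both function bodies continue outside the hunks shown.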


@ -23,7 +23,7 @@ Currently this tool supports:
.BR pw-inspector (1).
.br
.SH AUTHOR
hydra was written by van Hauser <vh@thc.org> and co-maintained by David Maciejak <david.maciejak@gmail.com>.
hydra was written by van Hauser <vh@thc.org>
.PP
This manual page was written by Daniel Echeverry <epsilon77@gmail.com>,