github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-08-20 05:13:51 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Formatting

Browse source
This commit is contained in:
Catatonic Prime 2016-11-13 20:37:35 +00:00
commit 0c2e02135d
1 changed files with 130 additions and 120 deletions
Download patch file Download diff file Expand all files Collapse all files

244
hydra-radmin2.c
View file

@ -15,7 +15,7 @@ extern int blockDecrypt(cipherInstance *cipher, keyInstance *key,CONST BYTE *inp
//RAdmin 2.x //RAdmin 2.x
struct rmessage{ struct rmessage {
char magic; //Indicates version, probably? char magic; //Indicates version, probably?
unsigned int length; //Total message size of data. unsigned int length; //Total message size of data.
unsigned int checksum; //Checksum from type to end of data. unsigned int checksum; //Checksum from type to end of data.
@ -24,12 +24,12 @@ struct rmessage{
}; };
/* /*
* Usage: sum = checksum(message); * Usage: sum = checksum(message);
* Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment. * Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment.
* Example message (big endian): * Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) * [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)])
* Sum: is 0f43d461 (big endian) * Sum: is 0f43d461 (big endian)
*/ */
unsigned int checksum(struct rmessage *msg) { unsigned int checksum(struct rmessage *msg) {
int blen; int blen;
unsigned char *stream; unsigned char *stream;
@ -55,10 +55,10 @@ unsigned int checksum(struct rmessage *msg) {
} }
/* /*
* Usage: challenge_request(message); * Usage: challenge_request(message);
* Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate. * Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate.
*/ */
void challenge_request(struct rmessage *msg) { void challenge_request(struct rmessage *msg) {
msg->magic = 0x01; msg->magic = 0x01;
msg->length = 0x01; msg->length = 0x01;
msg->type = 0x1b; msg->type = 0x1b;
@ -66,9 +66,9 @@ void challenge_request(struct rmessage *msg) {
} }
/* /*
* Usage: challenge_request(message); * Usage: challenge_request(message);
* Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate. * Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate.
*/ */
void challenge_response(struct rmessage *msg, unsigned char *solution) { void challenge_response(struct rmessage *msg, unsigned char *solution) {
msg->magic = 0x01; msg->magic = 0x01;
msg->length = 0x21; msg->length = 0x21;
@ -78,9 +78,9 @@ void challenge_response(struct rmessage *msg, unsigned char *solution) {
} }
/* /*
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer) * Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer)
* Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit. * Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit.
*/ */
//TODO: conver to a sendMessage() function? //TODO: conver to a sendMessage() function?
char *message2buffer(struct rmessage *msg) { char *message2buffer(struct rmessage *msg) {
char *data; char *data;
@ -208,122 +208,132 @@ void service_radmin2(char *ip, int sp, unsigned char options, char *miscptr, FIL
return; return;
} }
// Get a password to work with. while(1) {
strncpy(password, hydra_get_next_password(), 101); // Get a password to work with.
MD5_Init(&md5c); strncpy(password, hydra_get_next_password(), 101);
MD5_Update(&md5c, password, 100); MD5_Init(&md5c);
MD5_Final(rawkey, &md5c); MD5_Update(&md5c, password, 100);
//Copy raw md5 data into ASCIIZ string MD5_Final(rawkey, &md5c);
for(index = 0; index < 16; index++) { //Copy raw md5 data into ASCIIZ string
sprintf((pkey+index*2), "%02x", rawkey[index]); for(index = 0; index < 16; index++) {
} sprintf((pkey+index*2), "%02x", rawkey[index]);
}
/* Typical conversation goes as follows... /* Typical conversation goes as follows...
0) connect to server 0) connect to server
1) request challenge 1) request challenge
2) receive 32 byte challenge response 2) receive 32 byte challenge response
3) send 32 byte challenge solution 3) send 32 byte challenge solution
4) receive 1 byte auth success/fail message 4) receive 1 byte auth success/fail message
*/ */
// 0) Connect to the server // 0) Connect to the server
sock = hydra_connect_tcp(ip, myport); sock = hydra_connect_tcp(ip, myport);
if(sock < 0) { if(sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int)getpid()); hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int)getpid());
hydra_child_exit(1); hydra_child_exit(1);
} }
// 1) request challenge (working) // 1) request challenge (working)
msg = calloc(1, sizeof(struct rmessage)); msg = calloc(1, sizeof(struct rmessage));
challenge_request(msg); challenge_request(msg);
request = message2buffer(msg); request = message2buffer(msg);
hydra_send(sock, request, 10, 0); hydra_send(sock, request, 10, 0);
free(msg); free(msg);
free(request); free(request);
//2) receive response (working) //2) receive response (working)
index = 0; index = 0;
while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request. while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request.
switch(hydra_data_ready(sock)) { switch(hydra_data_ready(sock)) {
case -1: case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1);
break;
case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 42 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno)); hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1); hydra_child_exit(1);
} break;
index += bytecount; case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 42 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
} }
}
//3) Send challenge solution. //3) Send challenge solution.
//3.a) generate a new message from the buffer //3.a) generate a new message from the buffer
msg = buffer2message(buffer); msg = buffer2message(buffer);
//3.b) encrypt data received using pkey & known IV //3.b) encrypt data received using pkey & known IV
index = makeKey(&key, DIR_ENCRYPT, 128, pkey); index = makeKey(&key, DIR_ENCRYPT, 128, pkey);
if(index != TRUE) { if(index != TRUE) {
hydra_report(stderr, "Error: Child with pid %d terminating, make key error (%08x)\n", (int)getpid(), index); hydra_report(stderr, "Error: Child with pid %d terminating, make key error (%08x)\n", (int)getpid(), index);
hydra_child_exit(1); hydra_child_exit(1);
} }
index = cipherInit(&cipher, MODE_CBC, IV); index = cipherInit(&cipher, MODE_CBC, IV);
if(index != TRUE) { if(index != TRUE) {
hydra_report(stderr, "Error: Child with pid %d terminating, cipher init error(%08x)\n", (int)getpid(), index); hydra_report(stderr, "Error: Child with pid %d terminating, cipher init error(%08x)\n", (int)getpid(), index);
hydra_child_exit(1); hydra_child_exit(1);
} }
index = blockEncrypt(&cipher, &key, msg->data, 32 * 8, encrypted); index = blockEncrypt(&cipher, &key, msg->data, 32 * 8, encrypted);
if(index <= 0) { if(index <= 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, encrypt error(%08x)\n", (int)getpid(), index); hydra_report(stderr, "Error: Child with pid %d terminating, encrypt error(%08x)\n", (int)getpid(), index);
hydra_child_exit(1); hydra_child_exit(1);
} }
//3.c) half sum - this is the solution to the challenge. //3.c) half sum - this is the solution to the challenge.
for(index=0; index < 16; index++) { for(index=0; index < 16; index++) {
*(encrypted+index) += *(encrypted+index+16); *(encrypted+index) += *(encrypted+index+16);
} }
memset((encrypted+16), 0x00, 16); memset((encrypted+16), 0x00, 16);
//3.d) send half sum //3.d) send half sum
challenge_response(msg, encrypted); challenge_response(msg, encrypted);
request = message2buffer(msg); request = message2buffer(msg);
hydra_send(sock, request, 42, 0); hydra_send(sock, request, 42, 0);
free(msg); free(msg);
free(request); free(request);
//4) receive auth success/failure //4) receive auth success/failure
index = 0; index = 0;
while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request. while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request.
switch(hydra_data_ready(sock)) { switch(hydra_data_ready(sock)) {
case -1: case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1);
break;
case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 10 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno)); hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1); hydra_child_exit(1);
} break;
index += bytecount; case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 10 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
} }
msg = buffer2message(buffer);
switch(msg->type) {
case 0x0a:
hydra_completed_pair_found();
break;
case 0x0b:
hydra_completed_pair();
hydra_disconnect(sock);
break;
default:
hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int)getpid());
hydra_child_exit(2);
}
} }
msg = buffer2message(buffer);
if(msg->type == 0x0a) {
hydra_completed_pair_found();
}
//5) Disconnect
hydra_disconnect(sock);
} }
int service_radmin2_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int service_radmin2_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
@ -334,8 +344,8 @@ int service_radmin2_init(char *ip, int sp, unsigned char options, char *miscptr,
// fill if needed. // fill if needed.
// //
// return codes: // return codes:
// 0 all OK // 0 all OK
// -1 error, hydra will exit, so print a good error message here // -1 error, hydra will exit, so print a good error message here
return 0; return 0;
} }