github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-08-19 21:03:52 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Formatting

Browse source
This commit is contained in:
Catatonic Prime 2016-11-13 20:37:35 +00:00
commit 0c2e02135d
1 changed files with 130 additions and 120 deletions
Download patch file Download diff file Expand all files Collapse all files

250
hydra-radmin2.c
View file

@ -15,7 +15,7 @@ extern int blockDecrypt(cipherInstance *cipher, keyInstance *key,CONST BYTE *inp
//RAdmin 2.x //RAdmin 2.x
struct rmessage{ struct rmessage {
char magic; //Indicates version, probably? char magic; //Indicates version, probably?
unsigned int length; //Total message size of data. unsigned int length; //Total message size of data.
unsigned int checksum; //Checksum from type to end of data. unsigned int checksum; //Checksum from type to end of data.
@ -24,12 +24,12 @@ struct rmessage{
}; };
/* /*
* Usage: sum = checksum(message); * Usage: sum = checksum(message);
* Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment. * Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment.
* Example message (big endian): * Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) * [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)])
* Sum: is 0f43d461 (big endian) * Sum: is 0f43d461 (big endian)
*/ */
unsigned int checksum(struct rmessage *msg) { unsigned int checksum(struct rmessage *msg) {
int blen; int blen;
unsigned char *stream; unsigned char *stream;
@ -55,10 +55,10 @@ unsigned int checksum(struct rmessage *msg) {
} }
/* /*
* Usage: challenge_request(message); * Usage: challenge_request(message);
* Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate. * Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate.
*/ */
void challenge_request(struct rmessage *msg) { void challenge_request(struct rmessage *msg) {
msg->magic = 0x01; msg->magic = 0x01;
msg->length = 0x01; msg->length = 0x01;
msg->type = 0x1b; msg->type = 0x1b;
@ -66,9 +66,9 @@ void challenge_request(struct rmessage *msg) {
} }
/* /*
* Usage: challenge_request(message); * Usage: challenge_request(message);
* Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate. * Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate.
*/ */
void challenge_response(struct rmessage *msg, unsigned char *solution) { void challenge_response(struct rmessage *msg, unsigned char *solution) {
msg->magic = 0x01; msg->magic = 0x01;
msg->length = 0x21; msg->length = 0x21;
@ -78,9 +78,9 @@ void challenge_response(struct rmessage *msg, unsigned char *solution) {
} }
/* /*
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer) * Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer)
* Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit. * Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit.
*/ */
//TODO: conver to a sendMessage() function? //TODO: conver to a sendMessage() function?
char *message2buffer(struct rmessage *msg) { char *message2buffer(struct rmessage *msg) {
char *data; char *data;
@ -207,123 +207,133 @@ void service_radmin2(char *ip, int sp, unsigned char options, char *miscptr, FIL
if( memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { if( memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
return; return;
} }
// Get a password to work with.
strncpy(password, hydra_get_next_password(), 101);
MD5_Init(&md5c);
MD5_Update(&md5c, password, 100);
MD5_Final(rawkey, &md5c);
//Copy raw md5 data into ASCIIZ string
for(index = 0; index < 16; index++) {
sprintf((pkey+index*2), "%02x", rawkey[index]);
}
/* Typical conversation goes as follows... while(1) {
0) connect to server // Get a password to work with.
1) request challenge strncpy(password, hydra_get_next_password(), 101);
2) receive 32 byte challenge response MD5_Init(&md5c);
3) send 32 byte challenge solution MD5_Update(&md5c, password, 100);
4) receive 1 byte auth success/fail message MD5_Final(rawkey, &md5c);
*/ //Copy raw md5 data into ASCIIZ string
// 0) Connect to the server for(index = 0; index < 16; index++) {
sock = hydra_connect_tcp(ip, myport); sprintf((pkey+index*2), "%02x", rawkey[index]);
if(sock < 0) { }
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int)getpid());
hydra_child_exit(1);
}
// 1) request challenge (working) /* Typical conversation goes as follows...
msg = calloc(1, sizeof(struct rmessage)); 0) connect to server
challenge_request(msg); 1) request challenge
request = message2buffer(msg); 2) receive 32 byte challenge response
hydra_send(sock, request, 10, 0); 3) send 32 byte challenge solution
free(msg); 4) receive 1 byte auth success/fail message
free(request); */
// 0) Connect to the server
sock = hydra_connect_tcp(ip, myport);
if(sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int)getpid());
hydra_child_exit(1);
}
//2) receive response (working) // 1) request challenge (working)
index = 0; msg = calloc(1, sizeof(struct rmessage));
while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request. challenge_request(msg);
switch(hydra_data_ready(sock)) { request = message2buffer(msg);
case -1: hydra_send(sock, request, 10, 0);
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno)); free(msg);
hydra_child_exit(1); free(request);
break;
case 0: //2) receive response (working)
//keep waiting... index = 0;
break; while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request.
default: switch(hydra_data_ready(sock)) {
bytecount = hydra_recv(sock, buffer+index, 42 - index); case -1:
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno)); hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1); hydra_child_exit(1);
} break;
index += bytecount; case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 42 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
} }
}
//3) Send challenge solution.
//3.a) generate a new message from the buffer //3) Send challenge solution.
msg = buffer2message(buffer);
//3.b) encrypt data received using pkey & known IV //3.a) generate a new message from the buffer
index = makeKey(&key, DIR_ENCRYPT, 128, pkey); msg = buffer2message(buffer);
if(index != TRUE) {
hydra_report(stderr, "Error: Child with pid %d terminating, make key error (%08x)\n", (int)getpid(), index);
hydra_child_exit(1);
}
index = cipherInit(&cipher, MODE_CBC, IV); //3.b) encrypt data received using pkey & known IV
if(index != TRUE) { index = makeKey(&key, DIR_ENCRYPT, 128, pkey);
hydra_report(stderr, "Error: Child with pid %d terminating, cipher init error(%08x)\n", (int)getpid(), index); if(index != TRUE) {
hydra_child_exit(1); hydra_report(stderr, "Error: Child with pid %d terminating, make key error (%08x)\n", (int)getpid(), index);
} hydra_child_exit(1);
}
index = blockEncrypt(&cipher, &key, msg->data, 32 * 8, encrypted); index = cipherInit(&cipher, MODE_CBC, IV);
if(index <= 0) { if(index != TRUE) {
hydra_report(stderr, "Error: Child with pid %d terminating, encrypt error(%08x)\n", (int)getpid(), index); hydra_report(stderr, "Error: Child with pid %d terminating, cipher init error(%08x)\n", (int)getpid(), index);
hydra_child_exit(1); hydra_child_exit(1);
} }
//3.c) half sum - this is the solution to the challenge.
for(index=0; index < 16; index++) {
*(encrypted+index) += *(encrypted+index+16);
}
memset((encrypted+16), 0x00, 16);
//3.d) send half sum index = blockEncrypt(&cipher, &key, msg->data, 32 * 8, encrypted);
challenge_response(msg, encrypted); if(index <= 0) {
request = message2buffer(msg); hydra_report(stderr, "Error: Child with pid %d terminating, encrypt error(%08x)\n", (int)getpid(), index);
hydra_send(sock, request, 42, 0); hydra_child_exit(1);
free(msg); }
free(request);
//4) receive auth success/failure //3.c) half sum - this is the solution to the challenge.
index = 0; for(index=0; index < 16; index++) {
while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request. *(encrypted+index) += *(encrypted+index+16);
switch(hydra_data_ready(sock)) { }
case -1: memset((encrypted+16), 0x00, 16);
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1); //3.d) send half sum
break; challenge_response(msg, encrypted);
case 0: request = message2buffer(msg);
//keep waiting... hydra_send(sock, request, 42, 0);
break; free(msg);
default: free(request);
bytecount = hydra_recv(sock, buffer+index, 10 - index);
if(bytecount < 0) { //4) receive auth success/failure
index = 0;
while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request.
switch(hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno)); hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1); hydra_child_exit(1);
} break;
index += bytecount; case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 10 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
} }
msg = buffer2message(buffer);
switch(msg->type) {
case 0x0a:
hydra_completed_pair_found();
break;
case 0x0b:
hydra_completed_pair();
hydra_disconnect(sock);
break;
default:
hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int)getpid());
hydra_child_exit(2);
}
} }
msg = buffer2message(buffer);
if(msg->type == 0x0a) {
hydra_completed_pair_found();
}
//5) Disconnect
hydra_disconnect(sock);
} }
int service_radmin2_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) { int service_radmin2_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
@ -334,8 +344,8 @@ int service_radmin2_init(char *ip, int sp, unsigned char options, char *miscptr,
// fill if needed. // fill if needed.
// //
// return codes: // return codes:
// 0 all OK // 0 all OK
// -1 error, hydra will exit, so print a good error message here // -1 error, hydra will exit, so print a good error message here
return 0; return 0;
} }