diff --git a/CHANGES b/CHANGES
index 8f44f5f..36529d8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,7 @@ Release 8.4-dev
 * Proxy support re-implemented:
   - HYDRA_PROXY[_HTTP] environment can be a text file with up to 64 entries
   - HYDRA_PROXY_AUTH was deprecated, set login/password in HTTP_PROXY[_HTTP]
+* New protocol: adam6500 - this one is work in progress, please test and report
 * New protocol: rpcap! thanks to Petar Kaleychev
 * New command line option -y which disables -x 1aA interpretation, thanks to crondaemon for the patch
 * The protocols vnc, xmpp, telnet, imap, nntp and pcanywhere got accidentially long sleep commands due a patch in 8.2, fixed
diff --git a/Makefile.am b/Makefile.am
index 14cbc34..c904b09 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -18,7 +18,7 @@ SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
 hydra-oracle-listener.c hydra-svn.c hydra-pcanywhere.c hydra-sip.c \
 hydra-oracle.c hydra-vmauthd.c hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c \
 hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \
- hydra-rdp.c hydra-s7-300.c hydra-redis.c \
+ hydra-rdp.c hydra-s7-300.c hydra-redis.c hydra-adam6500.c \
 crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c hydra-rtsp.c hydra-time.c hydra-rpcap.c
 OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
 hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \
@@ -29,7 +29,7 @@ OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
 hydra-oracle-listener.o hydra-svn.o hydra-pcanywhere.o hydra-sip.o \
 hydra-oracle-sid.o hydra-oracle.o hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o hydra-ncp.o \
 hydra-http-proxy.o hydra-http-form.o hydra-irc.o hydra-redis.o \
- hydra-rdp.o hydra-s7-300.c \
+ hydra-rdp.o hydra-s7-300.c hydra-adam6500.o \
 crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-rtsp.o hydra-time.o hydra-rpcap.o
 BINS = hydra pw-inspector
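Review bot: The rewritten OBJ line `+ hydra-rdp.o hydra-s7-300.c hydra-adam6500.o \` still lists `hydra-s7-300.c` where every other entry in OBJ is an object file; since this commit touches that exact line, it is the natural moment to make it `hydra-s7-300.o`. Whether a `.c` entry in OBJ is harmless depends on how OBJ is consumed further down in Makefile.am, which is outside this hunk, so I would at least confirm the s7-300 module is actually linked into the hydra binary.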
diff --git a/hydra-adam6500.c b/hydra-adam6500.c
new file mode 100644
index 0000000..fc45ddb
--- /dev/null
+++ b/hydra-adam6500.c
@@ -0,0 +1,163 @@
+#ifdef PALM
+#include "palm/hydra-mod.h"
+#else
+#include "hydra-mod.h"
+#endif
+
+extern char *HYDRA_EXIT;
+
+unsigned char adam6500_req1[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10,
+ 0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31,
+ 0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f,
+ 0x1f, 0x1f, 0x1f, 0x0d, 0x00
+};
+unsigned char adam6500_resp1[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10,
+ 0x27, 0x0f, 0x00, 0x08
+};
+unsigned char adam6500_req2[] = {
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03,
+ 0x27, 0x0f, 0x00, 0x7d
+};
+unsigned char adam6500_resp2[] = {
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03,
+ 0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00
+};
+
+int start_adam6500(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
+ char *empty = "";
+ char *pass;
+ unsigned char buffer[300];
+ int i;
+
+ if (strlen(pass = hydra_get_next_password()) == 0)
+ pass = empty;
+
+ memcpy(buffer, adam6500_req1, sizeof(adam6500_req1));
+
+ for (i = 0; i < 8 && i < strlen(pass); i++)
+ buffer[19 + i] = pass[i] ^ 0x3f;
+
+ if (hydra_send(s, buffer, sizeof(adam6500_req1), 0) < 0)
+ return 1;
+
+ if (recv(s, buffer, sizeof(buffer), 0) == 12 && memcmp(buffer, adam6500_resp1, sizeof(adam6500_resp1)) == 0) {
+ if (hydra_send(s, adam6500_req2, sizeof(adam6500_req2), 0) < 0)
+ return 1;
+ if (recv(s, buffer, sizeof(buffer), 0) == 259 && memcmp(buffer, adam6500_resp2, sizeof(adam6500_resp2)) == 0) {
+ hydra_completed_pair();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 3;
+ return 1;
+ }
+ }
+
+ hydra_report_found_host(port, ip, "adam6500", fp);
+ hydra_completed_pair_found();
+
+ return 1;
+}
+
+void service_adam6500(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
+ int run = 1, failc = 0, retry = 1, next_run = 1, sock = -1;
+ int myport = PORT_ADAM6500, mysslport = PORT_ADAM6500_SSL;
+
+ hydra_register_socket(sp);
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return;
+ while (1) {
+ next_run = 0;
+ switch (run) {
+ case 1: /* connect and service init function */
+ {
+ unsigned char *buf2;
+ int f = 0;
+
+ if (sock >= 0)
+ sock = hydra_disconnect(sock);
+// usleepn(275);
+ if ((options & OPTION_SSL) == 0) {
+ if (port != 0)
+ myport = port;
+ sock = hydra_connect_tcp(ip, myport);
+ port = myport;
+ } else {
+ if (port != 0)
+ mysslport = port;
+ sock = hydra_connect_ssl(ip, mysslport, hostname);
+ port = mysslport;
+ }
+ if (sock < 0) {
+ hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
+ hydra_child_exit(1);
+ }
+
+ next_run = 2;
+ break;
+ }
+ case 2: /* run the cracking function */
+ next_run = start_adam6500(sock, ip, port, options, miscptr, fp);
+ break;
+ case 3: /* clean exit */
+ if (sock >= 0)
+ sock = hydra_disconnect(sock);
+ hydra_child_exit(0);
+ return;
+ default:
+ hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
+ hydra_child_exit(0);
+#ifdef PALM
+ return;
+#else
+ hydra_child_exit(2);
+#endif
+ }
+ run = next_run;
+ }
+}
+
+int service_adam6500_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
+ // called before the childrens are forked off, so this is the function
+ // which should be filled if initial connections and service setup has to be
+ // performed once only.
+ //
+ // fill if needed.
+ //
+ // return codes:
+ // 0 all OK
+ // -1 error, hydra will exit, so print a good error message here
+
+ return 0;
+}
diff --git a/hydra.c b/hydra.c
index a51da2c..37ad5eb 100644
--- a/hydra.c
+++ b/hydra.c
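Review bot: In start_adam6500 every outcome other than the exact 12-byte resp1 / 259-byte resp2 exchange is reported as a valid password, so a recv() returning 0 (peer closed the socket) or -1 (error), a Modbus exception reply, or a read-back that differs for any other reason all fall through to `hydra_report_found_host(port, ip, "adam6500", fp)` and `hydra_completed_pair_found()` — that is the false-positive source the WIP warning in hydra.c alludes to, and a target that simply drops the connection will "crack" on the first candidate. recv() is also called raw here rather than through a hydra helper, so it blocks with no wait time applied (I cannot see from this diff what hydra_recv would do differently, but every other path in this file goes through hydra_* wrappers). I would keep the recv results in an int, return 1 on `r <= 0` so the service loop reconnects without advancing the pair (hydra_get_next_password appears to keep returning the current candidate until hydra_completed_pair is called — confirm), and only report "found" after a complete, well-formed exchange. Separately, `for (i = 0; i < 8 && i < strlen(pass); i++)` silently truncates candidates to 8 bytes, so a longer password is tested as its 8-byte prefix but reported under the full string; a comment, or skipping candidates with `strlen(pass) > 8`, would avoid misleading findings. Both functions are entirely inside this hunk.
```c
int start_adam6500(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  /* … unchanged: locals, password fetch, req1 build and hydra_send … */
  int r;

  r = recv(s, buffer, sizeof(buffer), 0);
  if (r <= 0)
    return 1; /* closed or errored socket: reconnect and retry this pair, do not report it */
  if (r == 12 && memcmp(buffer, adam6500_resp1, sizeof(adam6500_resp1)) == 0) {
    if (hydra_send(s, adam6500_req2, sizeof(adam6500_req2), 0) < 0)
      return 1;
    r = recv(s, buffer, sizeof(buffer), 0);
    if (r <= 0)
      return 1;
    if (r == 259 && memcmp(buffer, adam6500_resp2, sizeof(adam6500_resp2)) == 0) {
      /* … unchanged: wrong-password path (hydra_completed_pair, HYDRA_EXIT check) … */
    }
  }
  /* … unchanged: hydra_report_found_host / hydra_completed_pair_found … */
```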
@@ -26,6 +26,7 @@ extern void service_ldap2(char *ip, int sp, unsigned char options, char *miscptr
 extern void service_ldap3(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_ldap3_cram_md5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_ldap3_digest_md5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
+extern void service_adam6500(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_cisco(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_cisco_enable(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_vnc(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
@@ -111,6 +112,7 @@ extern void service_oracle(char *ip, int sp, unsigned char options, char *miscpt
 extern int service_oracle_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 #endif
+extern int service_adam6500_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern int service_cisco_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern int service_cisco_enable_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern int service_cvs_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
@@ -151,7 +153,7 @@ extern int service_rpcap_init(char *ip, int sp, unsigned char options, char *mis
 // ADD NEW SERVICES HERE
 char *SERVICES =
- "asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
+ "adam6500 asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
 #define MAXBUF 520
 #define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 )
@@ -355,7 +357,9 @@ void help(int ext) {
 printf(" -o FILE write found login/password pairs to FILE instead of stdout\n");
 if (ext)
 printf(" -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)\n");
- printf(" -t TASKS run TASKS number of connects in parallel (per host, default: %d)\n", TASKS);
+ printf(" -t TASKS run TASKS number of connects in parallel per target (default: %d)\n", TASKS);
+ if (ext)
+ printf(" -T TASKS run TASKS connects in parallel overall (for -M, default: %d)\n", MAXTASKS);
 if (ext)
 printf(" -w / -W TIME waittime for responses (%d) / between connects per thread (%d)\n", WAITTIME, conwait);
 if (ext)
@@ -1147,6 +1151,8 @@ void hydra_service_init(int target_no) {
 x = service_cisco_enable_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
 if (strcmp(hydra_options.service, "cvs") == 0)
 x = service_cvs_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
+ if (strcmp(hydra_options.service, "adam6500") == 0)
+ x = service_adam6500_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
 if (strcmp(hydra_options.service, "cisco") == 0)
 x = service_cisco_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
 #ifdef LIBFIREBIRD
@@ -1359,6 +1365,8 @@ int hydra_spawn_head(int head_no, int target_no) {
 service_http_proxy(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
 if (strcmp(hydra_options.service, "http-proxy-urlenum") == 0)
 service_http_proxy_urlenum(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
+ if (strcmp(hydra_options.service, "adam6500") == 0)
+ service_adam6500(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
 if (strcmp(hydra_options.service, "cisco") == 0)
 service_cisco(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
 if (strcmp(hydra_options.service, "cisco-enable") == 0)
@@ -1537,6 +1545,7 @@ int hydra_lookup_port(char *service) {
 {"ssh", PORT_SSH, PORT_SSH_SSL},
 {"sshkey", PORT_SSH, PORT_SSH_SSL},
 {"telnet", PORT_TELNET, PORT_TELNET_SSL},
+ {"adam6500", PORT_ADAM6500, PORT_ADAM6500_SSL},
 {"cisco", PORT_TELNET, PORT_TELNET_SSL},
 {"cisco-enable", PORT_TELNET, PORT_TELNET_SSL},
 {"vnc", PORT_VNC, PORT_VNC_SSL},
@@ -2969,6 +2978,13 @@ int main(int argc, char *argv[]) {
 if (hydra_options.tasks > 4)
 fprintf(stderr, "[WARNING] you should set the number of parallel task to 4 for cisco services.\n");
 }
+ if (strcmp(hydra_options.service, "adam6500") == 0) {
+ i = 2;
+ fprintf(stderr, "[WARNING] the module adam6500 is work in progress! please submit a pcap of a successful login as well as false positives to vh@thc.org\n");
+ if (hydra_options.tasks > 1)
+ fprintf(stderr, "[WARNING] reset the number of parallel task to 1 for adam6500 modbus authentication\n");
+ hydra_options.tasks = 1;
+ }
 if (strncmp(hydra_options.service, "snmpv", 5) == 0) {
 hydra_options.service[4] = hydra_options.service[5];
 hydra_options.service[5] = 0;
@@ -3272,7 +3288,7 @@ int main(int argc, char *argv[]) {
 if (hydra_options.colonfile != NULL || ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL || hydra_options.bfg > 0)))
 bail
- ("The redis, cisco, oracle-listener, s7-300, snmp and vnc modules are only using the -p or -P option, not login (-l, -L) or colon file (-C).\nUse the telnet module for cisco using \"Username:\" authentication.\n");
+ ("The redis, adam6500, cisco, oracle-listener, s7-300, snmp and vnc modules are only using the -p or -P option, not login (-l, -L) or colon file (-C).\nUse the telnet module for cisco using \"Username:\" authentication.\n");
 if ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass == NULL || hydra_options.passfile == NULL)) {
 hydra_options.pass = hydra_options.login;
 hydra_options.passfile = hydra_options.loginfile;
diff --git a/hydra.h b/hydra.h
index 260d4d4..54373d4 100644
--- a/hydra.h
+++ b/hydra.h
@@ -94,6 +94,8 @@
 #define PORT_ORACLE_SSL 1521
 #define PORT_PCANYWHERE 5631
 #define PORT_PCANYWHERE_SSL 5631
+#define PORT_ADAM6500 502
+#define PORT_ADAM6500_SSL 502
 #define PORT_SAPR3 -1
 #define PORT_SAPR3_SSL -1
 #define PORT_SSH 22