new protocol module: adam6500
This commit is contained in:
parent
0cd82aae49
commit
333713288c
5 changed files with 187 additions and 5 deletions
1
CHANGES
1
CHANGES
|
@ -5,6 +5,7 @@ Release 8.4-dev
|
|||
* Proxy support re-implemented:
|
||||
- HYDRA_PROXY[_HTTP] environment can be a text file with up to 64 entries
|
||||
- HYDRA_PROXY_AUTH was deprecated, set login/password in HTTP_PROXY[_HTTP]
|
||||
* New protocol: adam6500 - this one is work in progress, please test and report
|
||||
* New protocol: rpcap! thanks to Petar Kaleychev <petar.kaleychev@gmail.com>
|
||||
* New command line option -y which disables -x 1aA interpretation, thanks to crondaemon for the patch
|
||||
* The protocols vnc, xmpp, telnet, imap, nntp and pcanywhere got accidentially long sleep commands due a patch in 8.2, fixed
|
||||
|
|
|
@ -18,7 +18,7 @@ SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
|
|||
hydra-oracle-listener.c hydra-svn.c hydra-pcanywhere.c hydra-sip.c \
|
||||
hydra-oracle.c hydra-vmauthd.c hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c \
|
||||
hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \
|
||||
hydra-rdp.c hydra-s7-300.c hydra-redis.c \
|
||||
hydra-rdp.c hydra-s7-300.c hydra-redis.c hydra-adam6500.c \
|
||||
crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c hydra-rtsp.c hydra-time.c hydra-rpcap.c
|
||||
OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
|
||||
hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \
|
||||
|
@ -29,7 +29,7 @@ OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
|
|||
hydra-oracle-listener.o hydra-svn.o hydra-pcanywhere.o hydra-sip.o \
|
||||
hydra-oracle-sid.o hydra-oracle.o hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o hydra-ncp.o \
|
||||
hydra-http-proxy.o hydra-http-form.o hydra-irc.o hydra-redis.o \
|
||||
hydra-rdp.o hydra-s7-300.c \
|
||||
hydra-rdp.o hydra-s7-300.c hydra-adam6500.o \
|
||||
crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-rtsp.o hydra-time.o hydra-rpcap.o
|
||||
BINS = hydra pw-inspector
|
||||
|
||||
|
|
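--- a/hydra-adam6500.c
+++ b/hydra-adam6500.c
@@ -0,0 +1,163 @@
+#ifdef PALM
+#include "palm/hydra-mod.h"
+#else
+#include "hydra-mod.h"
+#endif
+
+extern char *HYDRA_EXIT;
+
+unsigned char adam6500_req1[] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10,
+0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31,
+0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f,
+0x1f, 0x1f, 0x1f, 0x0d, 0x00
+};
+unsigned char adam6500_resp1[] = {
+0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10,
+0x27, 0x0f, 0x00, 0x08
+};
+unsigned char adam6500_req2[] = {
+0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03,
+0x27, 0x0f, 0x00, 0x7d
+};
+unsigned char adam6500_resp2[] = {
+0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03,
+0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0x00
+};
+
+int start_adam6500(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
+char *empty = "";
+char *pass;
+unsigned char buffer[300];
+int i;
+
+if (strlen(pass = hydra_get_next_password()) == 0)
+pass = empty;
+
+memcpy(buffer, adam6500_req1, sizeof(adam6500_req1));
+
+for (i = 0; i < 8 && i < strlen(pass); i++)
+buffer[19 + i] = pass[i] ^ 0x3f;
+
+if (hydra_send(s, buffer, sizeof(adam6500_req1), 0) < 0)
+return 1;
+
+if (recv(s, buffer, sizeof(buffer), 0) == 12 && memcmp(buffer, adam6500_resp1, sizeof(adam6500_resp1)) == 0) {
+if (hydra_send(s, adam6500_req2, sizeof(adam6500_req2), 0) < 0)
+return 1;
+if (recv(s, buffer, sizeof(buffer), 0) == 259 && memcmp(buffer, adam6500_resp2, sizeof(adam6500_resp2)) == 0) {
+hydra_completed_pair();
+if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+return 3;
+return 1;
+}
+}
+
+hydra_report_found_host(port, ip, "adam6500", fp);
+hydra_completed_pair_found();
+
+return 1;
+}
+
+void service_adam6500(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
+int run = 1, failc = 0, retry = 1, next_run = 1, sock = -1;
+int myport = PORT_ADAM6500, mysslport = PORT_ADAM6500_SSL;
+
+hydra_register_socket(sp);
+if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+return;
+while (1) {
+next_run = 0;
+switch (run) {
+case 1: /* connect and service init function */
+{
+unsigned char *buf2;
+int f = 0;
+
+if (sock >= 0)
+sock = hydra_disconnect(sock);
+// usleepn(275);
+if ((options & OPTION_SSL) == 0) {
+if (port != 0)
+myport = port;
+sock = hydra_connect_tcp(ip, myport);
+port = myport;
+} else {
+if (port != 0)
+mysslport = port;
+sock = hydra_connect_ssl(ip, mysslport, hostname);
+port = mysslport;
+}
+if (sock < 0) {
+hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
+hydra_child_exit(1);
+}
+
+next_run = 2;
+break;
+}
+case 2: /* run the cracking function */
+next_run = start_adam6500(sock, ip, port, options, miscptr, fp);
+break;
+case 3: /* clean exit */
+if (sock >= 0)
+sock = hydra_disconnect(sock);
+hydra_child_exit(0);
+return;
+default:
+hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
+hydra_child_exit(0);
+#ifdef PALM
+return;
+#else
+hydra_child_exit(2);
+#endif
+}
+run = next_run;
+}
+}
+
+int service_adam6500_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
+// called before the childrens are forked off, so this is the function
+// which should be filled if initial connections and service setup has to be
+// performed once only.
+//
+// fill if needed.
+//
+// return codes:
+// 0 all OK
+// -1 error, hydra will exit, so print a good error message here
+
+return 0;
+}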
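Review bot: In `start_adam6500` every path that does not exactly match `adam6500_resp1` and then `adam6500_resp2` falls through to `hydra_report_found_host`, so a failed or short `recv()`, a reply that never arrives, or a Modbus exception frame of a different length is recorded as a valid password instead of as an error. The two `recv()` calls also assume one read returns the whole frame; on a TCP stream the 259-byte second reply (6-byte MBAP header plus the 0xfd length it announces) can arrive in pieces, so even a device that answers correctly can miss the `== 259` check and produce a false hit. I would read until the length in MBAP bytes 4–5 is satisfied, return 1 on a transport failure so the service loop reconnects and retries the same password (no `hydra_completed_pair()` has been called yet), and keep the found report only for a complete reply that differs from `resp2`; whether a correct password really yields such a reply is not established by the module, so the commit's work-in-progress warning remains appropriate. The unused `buf2` and `f` locals in `service_adam6500` can be dropped, and the password copy into `buffer[19 + i]` deserves a comment such as `/* bytes 19..26: password, 8 bytes max, XOR 0x3f; longer passwords are truncated */` since the truncation is silent.
```c
/* Read one complete Modbus/TCP frame: the 6-byte MBAP header, then as many
 * bytes as its length field (bytes 4-5) announces. Returns the frame length,
 * or -1 on a closed/failed socket or a frame larger than the buffer. */
static int adam6500_read_frame(int s, unsigned char *buf, size_t cap) {
  size_t got = 0, want = 6;

  while (got < want) {
    ssize_t n = recv(s, buf + got, want - got, 0);
    if (n <= 0)
      return -1;
    got += (size_t) n;
    if (got == 6) {
      want = 6 + (((size_t) buf[4] << 8) | buf[5]);
      if (want > cap)
        return -1;
    }
  }
  return (int) got;
}

int start_adam6500(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
  int len;                              /* add alongside the existing locals */
  /* … unchanged: password fetch, request build, hydra_send of adam6500_req1 … */

  len = adam6500_read_frame(s, buffer, sizeof(buffer));
  if (len < 0)
    return 1;                           /* transport failure: reconnect, same password is retried */
  if (len == sizeof(adam6500_resp1) && memcmp(buffer, adam6500_resp1, sizeof(adam6500_resp1)) == 0) {
    if (hydra_send(s, adam6500_req2, sizeof(adam6500_req2), 0) < 0)
      return 1;
    len = adam6500_read_frame(s, buffer, sizeof(buffer));
    if (len < 0)
      return 1;
    if (len == sizeof(adam6500_resp2) && memcmp(buffer, adam6500_resp2, sizeof(adam6500_resp2)) == 0) {
      /* … unchanged: wrong password, hydra_completed_pair() / next pair … */
    }
  }
  /* … unchanged: hydra_report_found_host / hydra_completed_pair_found / return 1 … */
}
```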
22
hydra.c
22
hydra.c
|
@ -26,6 +26,7 @@ extern void service_ldap2(char *ip, int sp, unsigned char options, char *miscptr
|
|||
extern void service_ldap3(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern void service_ldap3_cram_md5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern void service_ldap3_digest_md5(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern void service_adam6500(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern void service_cisco(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern void service_cisco_enable(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern void service_vnc(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
|
@ -111,6 +112,7 @@ extern void service_oracle(char *ip, int sp, unsigned char options, char *miscpt
|
|||
extern int service_oracle_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
#endif
|
||||
|
||||
extern int service_adam6500_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern int service_cisco_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern int service_cisco_enable_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
extern int service_cvs_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
|
||||
|
@ -151,7 +153,7 @@ extern int service_rpcap_init(char *ip, int sp, unsigned char options, char *mis
|
|||
|
||||
// ADD NEW SERVICES HERE
|
||||
char *SERVICES =
|
||||
"asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
|
||||
"adam6500 asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
|
||||
|
||||
#define MAXBUF 520
|
||||
#define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 )
|
||||
|
@ -355,7 +357,9 @@ void help(int ext) {
|
|||
printf(" -o FILE write found login/password pairs to FILE instead of stdout\n");
|
||||
if (ext)
|
||||
printf(" -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)\n");
|
||||
printf(" -t TASKS run TASKS number of connects in parallel (per host, default: %d)\n", TASKS);
|
||||
printf(" -t TASKS run TASKS number of connects in parallel per target (default: %d)\n", TASKS);
|
||||
if (ext)
|
||||
printf(" -T TASKS run TASKS connects in parallel overall (for -M, default: %d)\n", MAXTASKS);
|
||||
if (ext)
|
||||
printf(" -w / -W TIME waittime for responses (%d) / between connects per thread (%d)\n", WAITTIME, conwait);
|
||||
if (ext)
|
||||
|
@ -1147,6 +1151,8 @@ void hydra_service_init(int target_no) {
|
|||
x = service_cisco_enable_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
|
||||
if (strcmp(hydra_options.service, "cvs") == 0)
|
||||
x = service_cvs_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
|
||||
if (strcmp(hydra_options.service, "adam6500") == 0)
|
||||
x = service_adam6500_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
|
||||
if (strcmp(hydra_options.service, "cisco") == 0)
|
||||
x = service_cisco_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
|
||||
#ifdef LIBFIREBIRD
|
||||
|
@ -1359,6 +1365,8 @@ int hydra_spawn_head(int head_no, int target_no) {
|
|||
service_http_proxy(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
|
||||
if (strcmp(hydra_options.service, "http-proxy-urlenum") == 0)
|
||||
service_http_proxy_urlenum(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
|
||||
if (strcmp(hydra_options.service, "adam6500") == 0)
|
||||
service_adam6500(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
|
||||
if (strcmp(hydra_options.service, "cisco") == 0)
|
||||
service_cisco(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
|
||||
if (strcmp(hydra_options.service, "cisco-enable") == 0)
|
||||
|
@ -1537,6 +1545,7 @@ int hydra_lookup_port(char *service) {
|
|||
{"ssh", PORT_SSH, PORT_SSH_SSL},
|
||||
{"sshkey", PORT_SSH, PORT_SSH_SSL},
|
||||
{"telnet", PORT_TELNET, PORT_TELNET_SSL},
|
||||
{"adam6500", PORT_ADAM6500, PORT_ADAM6500_SSL},
|
||||
{"cisco", PORT_TELNET, PORT_TELNET_SSL},
|
||||
{"cisco-enable", PORT_TELNET, PORT_TELNET_SSL},
|
||||
{"vnc", PORT_VNC, PORT_VNC_SSL},
|
||||
|
@ -2969,6 +2978,13 @@ int main(int argc, char *argv[]) {
|
|||
if (hydra_options.tasks > 4)
|
||||
fprintf(stderr, "[WARNING] you should set the number of parallel task to 4 for cisco services.\n");
|
||||
}
|
||||
if (strcmp(hydra_options.service, "adam6500") == 0) {
|
||||
i = 2;
|
||||
fprintf(stderr, "[WARNING] the module adam6500 is work in progress! please submit a pcap of a successful login as well as false positives to vh@thc.org\n");
|
||||
if (hydra_options.tasks > 1)
|
||||
fprintf(stderr, "[WARNING] reset the number of parallel task to 1 for adam6500 modbus authentication\n");
|
||||
hydra_options.tasks = 1;
|
||||
}
|
||||
if (strncmp(hydra_options.service, "snmpv", 5) == 0) {
|
||||
hydra_options.service[4] = hydra_options.service[5];
|
||||
hydra_options.service[5] = 0;
|
||||
|
@ -3272,7 +3288,7 @@ int main(int argc, char *argv[]) {
|
|||
if (hydra_options.colonfile != NULL
|
||||
|| ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL || hydra_options.bfg > 0)))
|
||||
bail
|
||||
("The redis, cisco, oracle-listener, s7-300, snmp and vnc modules are only using the -p or -P option, not login (-l, -L) or colon file (-C).\nUse the telnet module for cisco using \"Username:\" authentication.\n");
|
||||
("The redis, adam6500, cisco, oracle-listener, s7-300, snmp and vnc modules are only using the -p or -P option, not login (-l, -L) or colon file (-C).\nUse the telnet module for cisco using \"Username:\" authentication.\n");
|
||||
if ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass == NULL || hydra_options.passfile == NULL)) {
|
||||
hydra_options.pass = hydra_options.login;
|
||||
hydra_options.passfile = hydra_options.loginfile;
|
||||
|
|
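Review bot: The `i = 2;` assignment in the `main` hunk that forces `hydra_options.tasks = 1` for adam6500 has no comment; presumably it marks the module as password-only, like the cisco block directly above it and the `-p`/`-P` bail message later in this file, so a short `i = 2; /* password-only module, see the -p/-P check below */` would spare the next reader the lookup. The accompanying warning `reset the number of parallel task to 1` is printed before the assignment takes effect and reads better as `resetting the number of parallel tasks to 1`. The `-t` help-text rewording in the `help()` hunk is unrelated to registering the new module and would be easier to review and revert as its own commit.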
2
hydra.h
2
hydra.h
|
@ -94,6 +94,8 @@
|
|||
#define PORT_ORACLE_SSL 1521
|
||||
#define PORT_PCANYWHERE 5631
|
||||
#define PORT_PCANYWHERE_SSL 5631
|
||||
#define PORT_ADAM6500 502
|
||||
#define PORT_ADAM6500_SSL 502
|
||||
#define PORT_SAPR3 -1
|
||||
#define PORT_SAPR3_SSL -1
|
||||
#define PORT_SSH 22
|
||||
|
|