github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-08-21 05:43:52 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #165 from PetarKaleychev/master

Browse source 
New module: rpcap
This commit is contained in:
van Hauser 2016-10-12 19:53:17 +02:00 committed by GitHub
commit 3f6ea5b20a
4 changed files with 181 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Makefile.am
View file

@ -19,7 +19,7 @@ SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
hydra-oracle.c hydra-vmauthd.c hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c \ hydra-oracle.c hydra-vmauthd.c hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c \
hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \ hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \
hydra-rdp.c hydra-s7-300.c hydra-redis.c \ hydra-rdp.c hydra-s7-300.c hydra-redis.c \
crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c hydra-rtsp.c hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c hydra-rtsp.c hydra-time.c hydra-rpcap.c
OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \ OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \ hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \
hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \ hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \
@ -30,7 +30,7 @@ OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
hydra-oracle-sid.o hydra-oracle.o hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o hydra-ncp.o \ hydra-oracle-sid.o hydra-oracle.o hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o hydra-ncp.o \
hydra-http-proxy.o hydra-http-form.o hydra-irc.o hydra-redis.o \ hydra-http-proxy.o hydra-http-form.o hydra-irc.o hydra-redis.o \
hydra-rdp.o hydra-s7-300.c \ hydra-rdp.o hydra-s7-300.c \
crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-rtsp.o hydra-time.o crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-rtsp.o hydra-time.o hydra-rpcap.o
BINS = hydra pw-inspector BINS = hydra pw-inspector
EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \ EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \

167
hydra-rpcap.c Normal file
View file

@ -0,0 +1,167 @@
// rpcap
// Petar Kaleychev
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
char *buf;
int start_rpcap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[1024];
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
char bfr1[] = "\x00";
char bfr2[] = "\x08";
char bfr3[] = "\x00\x00\x00\x00\x00";
char bfr4[] = " ";
bfr4[0] = strlen(login) + strlen(pass) + 8;
char bfr5[] = "\x00";
char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need of password
char bfr7[] = "\x00\x00\x00";
char bfr8[] = " ";
bfr8[0] = strlen(login);
char bfr9[] = "\x00";
char bfr10[] = " ";
bfr10[0] = strlen(pass);
memset(buffer, 0, sizeof(buffer));
memcpy(buffer, bfr1, 1);
memcpy(buffer + 1, bfr2, 1);
memcpy(buffer + 2, bfr3, 5);
memcpy(buffer + 7, bfr4, 1);
memcpy(buffer + 8, bfr5, 1);
memcpy(buffer + 9, bfr6, 1);
memcpy(buffer + 10, bfr7, 3);
memcpy(buffer + 13, bfr8, 1);
memcpy(buffer + 14, bfr9, 1);
memcpy(buffer + 15, bfr10, 1);
memcpy(buffer + 16, login, strlen(login));
memcpy(buffer + 16 + strlen(login), pass, strlen(pass));
if (hydra_send(s, buffer, 16 + strlen(login) + strlen(pass), 0) < 0) {
return 1;
}
buf = hydra_receive_line(s);
if (buf[1] == '\x88') {
hydra_report_found_host(port, ip, "rpcap", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
}
/*
if (strstr(buf, "Logon failure") == NULL) {
hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n", buf);
free(buf);
return 4;
}
*/
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
}
void service_rpcap(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
int run = 1, next_run = 1, sock = -1;
int myport = PORT_RPCAP, mysslport = PORT_RPCAP_SSL;
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
sock = hydra_disconnect(sock);
//usleep(300000);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());
hydra_child_exit(1);
}
next_run = 2;
break;
case 2: /* run the cracking function */
next_run = start_rpcap(sock, ip, port, options, miscptr, fp);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}
int service_rpcap_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname) {
// called before the childrens are forked off, performed once only.
// return codes:
// 0 - rpcap with authentication
// 1 - rpcap error or no need of authentication
int sock = -1;
int myport = PORT_RPCAP, mysslport = PORT_RPCAP_SSL;
char buffer[] = "\x00\x08\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00";
hydra_register_socket(sp);
if (sock >= 0)
sock = hydra_disconnect(sock);
if ((options & OPTION_SSL) == 0) {
if (port != 0)
myport = port;
sock = hydra_connect_tcp(ip, myport);
port = myport;
} else {
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", myport);
hydra_child_exit(1);
}
if (hydra_send(sock, buffer, 16, 0) < 0) {
return 1;
}
buf = hydra_receive_line(sock);
if (strstr(buf, "NULL autentication not permitted") == NULL) {
hydra_report(stderr, "[!] rpcap error or no need of authentication!\n");
free(buf);
return 1;
}
free(buf);
sock = hydra_disconnect(sock);
return 0;
}

11
hydra.c
View file

@ -55,6 +55,7 @@ extern void service_redis(char *ip, int sp, unsigned char options, char *miscptr
extern void service_http_proxy_urlenum(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern void service_http_proxy_urlenum(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern void service_s7_300(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern void service_s7_300(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern void service_rtsp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern void service_rtsp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern void service_rpcap(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
// ADD NEW SERVICES HERE // ADD NEW SERVICES HERE
@ -143,13 +144,14 @@ extern int service_vnc_init(char *ip, int sp, unsigned char options, char *miscp
extern int service_xmpp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern int service_xmpp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern int service_s7_300_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern int service_s7_300_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern int service_rtsp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern int service_rtsp_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern int service_rpcap_init(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
// ADD NEW SERVICES HERE // ADD NEW SERVICES HERE
// ADD NEW SERVICES HERE // ADD NEW SERVICES HERE
char *SERVICES = char *SERVICES =
"asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp"; "asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
#define MAXBUF 520 #define MAXBUF 520
#define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 ) #define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 )
@ -1251,6 +1253,8 @@ void hydra_service_init(int target_no) {
x = service_s7_300_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target); x = service_s7_300_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
if (strcmp(hydra_options.service, "rtsp") == 0) if (strcmp(hydra_options.service, "rtsp") == 0)
x = service_rtsp_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target); x = service_rtsp_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
if (strcmp(hydra_options.service, "rpcap") == 0)
x = service_rpcap_init(hydra_targets[target_no]->ip, -1, options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[target_no]->target);
// ADD NEW SERVICES HERE // ADD NEW SERVICES HERE
@ -1453,6 +1457,8 @@ int hydra_spawn_head(int head_no, int target_no) {
service_s7_300(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target); service_s7_300(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
if (strcmp(hydra_options.service, "rtsp") == 0) if (strcmp(hydra_options.service, "rtsp") == 0)
service_rtsp(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target); service_rtsp(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
if (strcmp(hydra_options.service, "rpcap") == 0)
service_rpcap(hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);
// ADD NEW SERVICES HERE // ADD NEW SERVICES HERE
@ -1551,6 +1557,7 @@ int hydra_lookup_port(char *service) {
{"asterisk", PORT_ASTERISK, PORT_ASTERISK_SSL}, {"asterisk", PORT_ASTERISK, PORT_ASTERISK_SSL},
{"s7-300", PORT_S7_300, PORT_S7_300_SSL}, {"s7-300", PORT_S7_300, PORT_S7_300_SSL},
{"rtsp", PORT_RTSP, PORT_RTSP_SSL}, {"rtsp", PORT_RTSP, PORT_RTSP_SSL},
{"rpcap", PORT_RPCAP, PORT_RPCAP_SSL},
// ADD NEW SERVICES HERE - add new port numbers to hydra.h // ADD NEW SERVICES HERE - add new port numbers to hydra.h
{"", PORT_NOPORT, PORT_NOPORT} {"", PORT_NOPORT, PORT_NOPORT}
}; };
@ -3079,6 +3086,8 @@ int main(int argc, char *argv[]) {
} }
if (strcmp(hydra_options.service, "rtsp") == 0) if (strcmp(hydra_options.service, "rtsp") == 0)
i = 1; i = 1;
if (strcmp(hydra_options.service, "rpcap") == 0)
i = 1;
if (strcmp(hydra_options.service, "s7-300") == 0) { if (strcmp(hydra_options.service, "s7-300") == 0) {
if (hydra_options.tasks > 8) { if (hydra_options.tasks > 8) {
fprintf(stderr, "[INFO] Reduced number of tasks to 8 (the PLC does not like more connections)\n"); fprintf(stderr, "[INFO] Reduced number of tasks to 8 (the PLC does not like more connections)\n");

2
hydra.h
View file

@ -132,6 +132,8 @@
#define PORT_REDIS_SSL 6379 #define PORT_REDIS_SSL 6379
#define PORT_RTSP 554 #define PORT_RTSP 554
#define PORT_RTSP_SSL 554 #define PORT_RTSP_SSL 554
#define PORT_RPCAP 2002
#define PORT_RPCAP_SSL 2002
#define False 0 #define False 0
#define True 1 #define True 1