diff --git a/Android.mk b/Android.mk
index 2638e06..8e414d1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -40,6 +40,8 @@ LOCAL_SRC_FILES:= \
 hydra-irc.c\
 hydra-ldap.c\
 hydra-mod.c\
+ hydra-memcached.c\
+ hydra-mongodb.c\
 hydra-mssql.c\
 hydra-mysql.c\
 hydra-ncp.c\
@@ -90,7 +92,8 @@ LOCAL_STATIC_LIBRARIES := \
 libiconv\
 libneon\
 libssl_static\
- libcrypto_static
+ libcrypto_static\
+ libmemcached
 LOCAL_SHARED_LIBRARIES := \
 libsqlite\
diff --git a/CHANGES b/CHANGES
index 76354e3..d650eec 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,29 @@
 Changelog for hydra
 -------------------
+Release 9.1-dev
+* svn: updated to support past and new API
+* http module now supports F=/S= string matching conditions (thanks to poucz@github)
+* changed mysql module not to use mysql db as a default. if the user has not access to this db auth fails ...
+* added -K command line switch to disable redo attempts (good for mass scanning)
+* forgot to have the -m option in the hydra help output
+
+
+Release 9.0
+* rdp: Revamped rdp module to use FreeRDP library (thanks to loianhtuan@github for the patch!)
+* Added memcached module
+* Added mongodb module
+* http: http module now supports a= option to select http authentication type
+* JSON output does now truncate the file if exists.
+* Fixed svn module memory leaks
+* Fixed rtsp module potential buffer overflow
+* Fixed http module DIGEST-MD5 mode
+
+
+Release 8.9.1
+* Clarification for rdp error message
+* CIDR notation (hydra -l test -p test 192.168.0.0/24 ftp) was not detected, fixed
+
 Release 8.8
 * New web page: https://github.com/vanhauser-thc/thc-hydra
diff --git a/INSTALL b/INSTALL
index 8e33f87..2258405 100644
--- a/INSTALL
+++ b/INSTALL
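Review bot: `hydra-mongodb.c` is added to `LOCAL_SRC_FILES` in the first hunk, but the second hunk only adds `libmemcached` to `LOCAL_STATIC_LIBRARIES` — nothing here links a mongoc/bson library and no `LOCAL_CFLAGS` feature define for either new module appears in this diff. If hydra-mongodb.c is compiled behind a feature macro (not visible here) the NDK build will silently ship without the module; if it is not, the link will fail on unresolved mongoc symbols. Either add the mongoc/bson static libraries next to `libmemcached` or drop hydra-mongodb.c from the Android source list until they are available, and note which in a comment beside the entry. Also, `libmemcached` is now an unconditional static dependency of the Android build whereas the `configure` script in this same commit treats it as optional, which is worth a comment such as `# requires a prebuilt libmemcached for the NDK target`.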
@@ -2,7 +2,7 @@ type "./configure", then "make" and finally "sudo make install"
 For special modules you need to install software packages before you run
 "./configure":
- Ubuntu/Debian: apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev
+ Ubuntu/Debian: apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev
 Redhat/Fedora: yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel
 OpenSuSE: zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel
diff --git a/Makefile.am b/Makefile.am
index d65f7d7..ca82167 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 #
 # Makefile for Hydra - (c) 2001-2019 by van Hauser / THC
 #
-OPTS=-I. -O3
+OPTS=-I. -O3 -march=native -flto
 # -Wall -g -pedantic
 LIBS=-lm
 BINDIR = /bin
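Review bot: Putting `-march=native` into the default `OPTS` tunes the binary to the CPU of whatever host ran `make`, so a hydra built once and copied elsewhere — a distro package, a container image, a binary dropped onto an engagement box — can abort with SIGILL on an older or different CPU, and the same line feeds every platform this `configure` supports (Cygwin, Darwin, the NDK build), where host tuning is rarely wanted. `-flto` additionally has to be present at link time; whether the link rule passes `$(OPTS)` is outside this hunk. I would keep the portable default and make the tuning opt-in, e.g. `OPTS=-I. -O3 $(EXTRA_OPTS)` with a comment `# make EXTRA_OPTS="-march=native -flto" for a host-tuned build`, so packagers keep a reproducible build and the commented-out warning flags on the next line still mean what they did.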
@@ -12,11 +12,11 @@ DESTDIR ?=
 SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
 hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \
 hydra-pop3.c hydra-smb.c hydra-icq.c hydra-cisco-enable.c hydra-ldap.c \
- hydra-mysql.c hydra-mssql.c hydra-xmpp.c hydra-http-proxy-urlenum.c \
- hydra-snmp.c hydra-cvs.c hydra-smtp.c hydra-smtp-enum.c hydra-sapr3.c \
- hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c hydra-postgres.c \
- hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c hydra-svn.c \
- hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \
+ hydra-memcached.c hydra-mongodb.c hydra-mysql.c hydra-mssql.c hydra-xmpp.c \
+ hydra-http-proxy-urlenum.c hydra-snmp.c hydra-cvs.c hydra-smtp.c \
+ hydra-smtp-enum.c hydra-sapr3.c hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c \
+ hydra-postgres.c hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c \
+ hydra-svn.c hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \
 hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c hydra-rdp.c \
 hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \
 hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \
@@ -25,11 +25,11 @@ SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
 OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
 hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \
 hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \
- hydra-mysql.o hydra-mssql.o hydra-xmpp.o hydra-http-proxy-urlenum.o \
- hydra-snmp.o hydra-cvs.o hydra-smtp.o hydra-smtp-enum.o hydra-sapr3.o \
- hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o hydra-postgres.o \
- hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o hydra-svn.o \
- hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \
+ hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-xmpp.o \
+ hydra-http-proxy-urlenum.o hydra-snmp.o hydra-cvs.o hydra-smtp.o \
+ hydra-smtp-enum.o hydra-sapr3.o hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o \
+ hydra-postgres.o hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o \
+ hydra-svn.o hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \
 hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o \
 hydra-ncp.o hydra-http-proxy.o hydra-http-form.o hydra-irc.o \
 hydra-redis.o hydra-rdp.o hydra-s7-300.c hydra-adam6500.o hydra-rtsp.o \
diff --git a/PROBLEMS b/PROBLEMS
index 74dafd2..4fcbf44 100644
--- a/PROBLEMS
+++ b/PROBLEMS
@@ -3,5 +3,3 @@ List of known issues:
 * Cygwin: more than 30 tasks (-t 31 or more) will lead to a stack smash
 * OS X: brew installed modules are not compiled correctly and will crash hydra
-* RDP module: disabled as it does not support the current protocol. Help needed!
-
diff --git a/README b/README
deleted file mode 100644
index 3847215..0000000
--- a/README
+++ /dev/null
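Review bot: The reshuffled `OBJ` list still carries `hydra-s7-300.c` on its last context line where every other entry is an object file; it is a pre-existing slip, but this hunk touches the list and is the natural place to correct it to `hydra-redis.o hydra-rdp.o hydra-s7-300.o hydra-adam6500.o hydra-rtsp.o \`. If `$(OBJ)` is passed straight to the link command (the link rule is outside this hunk), that source is recompiled at every link instead of going through the object rule and is never considered up to date by make. The `SRC` hunk above lists `hydra-s7-300.c` correctly, so the two lists are otherwise consistent.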
@@ -1,530 +0,0 @@ - - H Y D R A - - (c) 2001-2019 by van Hauser / THC - https://github.com/vanhauser-thc/thc-hydra - many modules were written by David (dot) Maciejak @ gmail (dot) com - BFG code by Jan Dlabal - - Licensed under AGPLv3 (see LICENSE file) - - Please do not use in military or secret service organizations, - or for illegal purposes. - - - -INTRODUCTION ------------- -Number one of the biggest security holes are passwords, as every password -security study shows. -This tool is a proof of concept code, to give researchers and security -consultants the possibility to show how easy it would be to gain unauthorized -access from remote to a system. - -THIS TOOL IS FOR LEGAL PURPOSES ONLY! - -There are already several login hacker tools available, however, none does -either support more than one protocol to attack or support parallized -connects. - -It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, -FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS. - -Currently this tool supports the following protocols: - Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, - HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, - HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, - HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, - Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, - Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, - SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, - VNC and XMPP. - -However the module engine for new services is very easy so it won't take a -long time until even more services are supported. -Your help in writing, enhancing or fixing modules is highly appreciated!! 
:-) - - - -WHERE TO GET ------------- -You can always find the newest release/production version of hydra at its -project page at https://github.com/vanhauser-thc/thc-hydra/releases -If you are interested in the current development state, the public development -repository is at Github: - svn co https://github.com/vanhauser-thc/thc-hydra - or - git clone https://github.com/vanhauser-thc/thc-hydra -Use the development version at your own risk. It contains new features and -new bugs. Things might not work! - - - -HOW TO COMPILE --------------- -To configure, compile and install hydra, just type: - -``` -./configure -make -make install -``` - -If you want the ssh module, you have to setup libssh (not libssh2!) on your -system, get it from http://www.libssh.org, for ssh v1 support you also need -to add "-DWITH_SSH1=On" option in the cmake command line. -IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! - -If you use Ubuntu/Debian, this will install supplementary libraries needed -for a few optional modules (note that some might not be available on your distribution): - -``` -apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ - libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ - firebird-dev -``` - -This enables all optional modules and features with the exception of Oracle, -SAP R/3, NCP and the apple filing protocol - which you will need to download and -install from the vendor's web sites. - -For all other Linux derivates and BSD based systems, use the system -software installer and look for similarly named libraries like in the -command above. In all other cases, you have to download all source libraries -and compile them manually. - - - -SUPPORTED PLATFORMS -------------------- -- All UNIX platforms (Linux, *BSD, Solaris, etc.) -- MacOS (basically a BSD clone) -- Windows with Cygwin (both IPv4 and IPv6) -- Mobile systems based on Linux, MacOS or QNX (e.g. 
Android, iPhone, Blackberry 10, Zaurus, iPaq) - - - -HOW TO USE ----------- -If you just enter `hydra`, you will see a short summary of the important -options available. -Type `./hydra -h` to see all available command line options. - -Note that NO login/password file is included. Generate them yourself. -A default password list is however present, use "dpl4hydra.sh" to generate -a list. - -For Linux users, a GTK GUI is available, try `./xhydra` - -For the command line usage, the syntax is as follows: - For attacking one target or a network, you can use the new "://" style: - hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS - The old mode can be used for these too, and additionally if you want to - specify your targets from a text file, you *must* use this one: - -``` -hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] -``` - -Via the command line options you specify which logins to try, which passwords, -if SSL should be used, how many parallel tasks to use for attacking, etc. - -PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, -http-get or many others are available -TARGET is the target you want to attack -MODULE-OPTIONS are optional values which are special per PROTOCOL module - -FIRST - select your target - you have three options on how to specify the target you want to attack: - 1. a single target on the command line: just put the IP or DNS address in - 2. a network range on the command line: CIDR specification like "192.168.0.0/24" - 3. a list of hosts in a text file: one line per entry (see below) - -SECOND - select your protocol - Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. - Use a port scanner to see which protocols are enabled on the target. - -THIRD - check if the module has optional parameters - hydra -U PROTOCOL - e.g. hydra -U smtp - -FOURTH - the destination port - this is optional! 
if no port is supplied the default common port for the - PROTOCOL is used. - If you specify SSL to use ("-S" option), the SSL common port is used by default. - - -If you use "://" notation, you must use "[" "]" brackets if you want to supply -IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: - hydra [some command line options] ftp://[192.168.0.0/24]/ - hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM - -Note that everything hydra does is IPv4 only! -If you want to attack IPv6 addresses, you must add the "-6" command line option. -All attacks are then IPv6 only! - -If you want to supply your targets via a text file, you can not use the :// -notation but use the old style and just supply the protocol (and module options): - hydra [some command line options] -M targets.txt ftp -You can supply also the port for each target entry by adding ":" after a -target entry in the file, e.g.: - -``` -foo.bar.com -target.com:21 -unusual.port.com:2121 -default.used.here.com -127.0.0.1 -127.0.0.1:2121 -``` - -Note that if you want to attach IPv6 targets, you must supply the -6 option -and *must* put IPv6 addresses in brackets in the file(!) like this: - -``` -foo.bar.com -target.com:21 -[fe80::1%eth0] -[2001::1] -[2002::2]:8080 -[2a01:24a:133:0:00:123:ff:1a] -``` - -LOGINS AND PASSWORDS --------------------- -You have many options on how to attack with logins and passwords -With -l for login and -p for password you tell hydra that this is the only -login and/or password to try. -With -L for logins and -P for passwords you supply text files with entries. -e.g.: - -``` -hydra -l admin -p password ftp://localhost/ -hydra -L default_logins.txt -p test ftp://localhost/ -hydra -l admin -P common_passwords.txt ftp://localhost/ -hydra -L logins.txt -P passwords.txt ftp://localhost/ -``` - -Additionally, you can try passwords based on the login via the "-e" option. 
-The "-e" option has three parameters: - -``` -s - try the login as password -n - try an empty password -r - reverse the login and try it as password -``` - -If you want to, e.g. try "try login as password and "empty password", you -specify "-e sn" on the command line. - -But there are two more modes for trying passwords than -p/-P: -You can use text file which where a login and password pair is separated by a colon, -e.g.: - -``` -admin:password -test:test -foo:bar -``` - -This is a common default account style listing, that is also generated by the -dpl4hydra.sh default account file generator supplied with hydra. -You use such a text file with the -C option - note that in this mode you -can not use -l/-L/-p/-P options (-e nsr however you can). -Example: - -``` -hydra -C default_accounts.txt ftp://localhost/ -``` - -And finally, there is a bruteforce mode with the -x option (which you can not -use with -p/-P/-C): - -``` --x minimum_length:maximum_length:charset -``` - -the charset definition is `a` for lowercase letters, `A` for uppercase letters, -`1` for numbers and for anything else you supply it is their real representation. -Examples: - -``` --x 1:3:a generate passwords from length 1 to 3 with all lowercase letters --x 2:5:/ generate passwords from length 2 to 5 containing only slashes --x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers -``` - -Example: - -``` -hydra -l ftp -x 3:3:a ftp://localhost/ -``` - -SPECIAL OPTIONS FOR MODULES ---------------------------- -Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m -command line option, you can pass one option to a module. -Many modules use this, a few require it! - -To see the special option of a module, type: - - hydra -U - -e.g. - - ./hydra -U http-post-form - -The special options can be passed via the -m parameter, as 3rd command line -option or in the service://target/option format. 
- -Examples (they are all equal): - -``` -./hydra -l test -p test -m PLAIN 127.0.0.1 imap -./hydra -l test -p test 127.0.0.1 imap PLAIN -./hydra -l test -p test imap://127.0.0.1/PLAIN -``` - -RESTORING AN ABORTED/CRASHED SESSION ------------------------------------- -When hydra is aborted with Control-C, killed or crashes, it leaves a -"hydra.restore" file behind which contains all necessary information to -restore the session. This session file is written every 5 minutes. -NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. -from little endian to big endian, or from Solaris to AIX) - -HOW TO SCAN/CRACK OVER A PROXY ------------------------------- -The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works -just for the http services!). -The following syntax is valid: - -``` -HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" -HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" -HYDRA_PROXY_HTTP="proxylist.txt" -``` - -The last example is a text file containing up to 64 proxies (in the same -format definition as the other examples). - -For all other services, use the HYDRA_PROXY variable to scan/crack. -It uses the same syntax. eg: - -``` -HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port -``` - -for example: - -``` -HYDRA_PROXY=connect://proxy.anonymizer.com:8000 -HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 -HYDRA_PROXY=socksproxylist.txt -``` - -ADDITIONAL HINTS ----------------- -* sort your password files by likelihood and use the -u option to find - passwords much faster! -* uniq your dictionary files! this can save you a lot of time :-) - cat words.txt | sort | uniq > dictionary.txt -* if you know that the target is using a password policy (allowing users - only to choose a password with a minimum length of 6, containing a least one - letter and one number, etc. 
use the tool pw-inspector which comes along - with the hydra package to reduce the password list: - cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt - - -RESULTS OUTPUT --------------- - -The results are output to stdio along with the other information. Via the -o -command line option, the results can also be written to a file. Using -b, -the format of the output can be specified. Currently, these are supported: - -* `text` - plain text format -* `jsonv1` - JSON data using version 1.x of the schema (defined below). -* `json` - JSON data using the latest version of the schema, currently there - is only version 1. - -If using JSON output, the results file may not be valid JSON if there are -serious errors in booting Hydra. - - -JSON Schema ------------ -Here is an example of the JSON output. Notes on some of the fields: - -* `errormessages` - an array of zero or more strings that are normally printed - to stderr at the end of the Hydra's run. The text is very free form. -* `success` - indication if Hydra ran correctly without error (**NOT** if - passwords were detected). This parameter is either the JSON value `true` - or `false` depending on completion. -* `quantityfound` - How many username+password combinations discovered. -* `jsonoutputversion` - Version of the schema, 1.00, 1.01, 1.11, 2.00, - 2.03, etc. Hydra will make second tuple of the version to always be two - digits to make it easier for downstream processors (as opposed to v1.1 vs - v1.10). The minor-level versions are additive, so 1.02 will contain more - fields than version 1.00 and will be backward compatible. Version 2.x will - break something from version 1.x output. - -Version 1.00 example: -``` -{ - "errormessages": [ - "[ERROR] Error Message of Something", - "[ERROR] Another Message", - "These are very free form" - ], - "generator": { - "built": "2019-03-01 14:44:22", - "commandline": "hydra -b jsonv1 -o results.json ... 
...", - "jsonoutputversion": "1.00", - "server": "127.0.0.1", - "service": "http-post-form", - "software": "Hydra", - "version": "v8.5" - }, - "quantityfound": 2, - "results": [ - { - "host": "127.0.0.1", - "login": "bill@example.com", - "password": "bill", - "port": 9999, - "service": "http-post-form" - }, - { - "host": "127.0.0.1", - "login": "joe@example.com", - "password": "joe", - "port": 9999, - "service": "http-post-form" - } - ], - "success": false -} -``` - - -SPEED ------ -through the parallelizing feature, this password cracker tool can be very -fast, however it depends on the protocol. The fastest are generally POP3 -and FTP. -Experiment with the task option (-t) to speed things up! The higher - the -faster ;-) (but too high - and it disables the service) - - - -STATISTICS ----------- -Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing -295 entries (294 tries invalid logins, 1 valid). Every test was run three -times (only for "1 task" just once), and the average noted down. - -``` - P A R A L L E L T A S K S -SERVICE 1 4 8 16 32 50 64 100 128 -------- -------------------------------------------------------------------- -telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* -ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 -pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 -imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 -``` - -(*) -Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with -128 tasks, running four times resulted in timings between 28 and 97 seconds! -The reason for this is unknown... - -guesses per task (rounded up): - - 295 74 38 19 10 6 5 3 3 - -guesses possible per connect (depends on the server software and config): - - telnet 4 - ftp 6 - pop3 1 - imap 3 - - - -BUGS & FEATURES ---------------- -Hydra: -Email me or David if you find bugs or if you have written a new module. 
-vh@thc.org (and put "antispam" in the subject line) - - -You should use PGP to encrypt emails to vh@thc.org : - -``` ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v3.3.3 (vh@thc.org) - -mQINBFIp+7QBEADQcJctjohuYjBxq7MELAlFDvXRTeIqqh8kqHPOR018xKL09pZT -KiBWFBkU48xlR3EtV5fC1yEt8gDEULe5o0qtK1aFlYBtAWkflVNjDrs+Y2BpjITQ -FnAPHw0SOOT/jfcvmhNOZMzMU8lIubAVC4cVWoSWJbLTv6e0DRIPiYgXNT5Quh6c -vqhnI1C39pEo/W/nh3hSa16oTc5dtTLbi5kEbdzml78TnT0OASmWLI+xtYKnP+5k -Xv4xrXRMVk4L1Bv9WpCY/Jb6J8K8SJYdXPtbaIi4VjgVr5gvg9QC/d/QP2etmw3p -lJ1Ldv63x6nXsxnPq6MSOOw8+QqKc1dAgIA43k6SU4wLq9TB3x0uTKnnB8pA3ACI -zPeRN9LFkr7v1KUMeKKEdu8jUut5iKUJVu63lVYxuM5ODb6Owt3+UXgsSaQLu9nI -DZqnp/M6YTCJTJ+cJANN+uQzESI4Z2m9ITg/U/cuccN/LIDg8/eDXW3VsCqJz8Bf -lBSwMItMhs/Qwzqc1QCKfY3xcNGc4aFlJz4Bq3zSdw3mUjHYJYv1UkKntCtvvTCN -DiomxyBEKB9J7KNsOLI/CSst3MQWSG794r9ZjcfA0EWZ9u6929F2pGDZ3LiS7Jx5 -n+gdBDMe0PuuonLIGXzyIuMrkfoBeW/WdnOxh+27eemcdpCb68XtQCw6UQARAQAB -tB52YW4gSGF1c2VyICgyMDEzKSA8dmhAdGhjLm9yZz6JAjkEEwECACMCGwMCHgEC -F4AFAlIp/QcGCwkIAwcCBhUKCQgLAgUWAwIBAAAKCRDI8AEqhCFiv2R9D/9qTCJJ -xCH4BUbWIUhw1zRkn9iCVSwZMmfaAhz5PdVTjeTelimMh5qwK2MNAjpR7vCCd3BH -Z2VLB2Eoz9MOgSCxcMOnCDJjtCdCOeaxiASJt8qLeRMwdMOtznM8MnKCIO8X4oo4 -qH8eNj83KgpI50ERBCj/EMsgg07vSyZ9i1UXjFofFnbHRWSW9yZO16qD4F6r4SGz -dsfXARcO3QRI5lbjdGqm+g+HOPj1EFLAOxJAQOygz7ZN5fj+vPp+G/drONxNyVKp -QFtENpvqPdU9CqYh8ssazXTWeBi/TIs0q0EXkzqo7CQjfNb6tlRsg18FxnJDK/ga -V/1umTg41bQuVP9gGmycsiNI8Atr5DWqaF+O4uDmQxcxS0kX2YXQ4CSQJFi0pml5 -slAGL8HaAUbV7UnQEqpayPyyTEx1i0wK5ZCHYjLBfJRZCbmHX7SbviSAzKdo5JIl -Atuk+atgW3vC3hDTrBu5qlsFCZvbxS21PJ+9zmK7ySjAEFH/NKFmx4B8kb7rPAOM -0qCTv0pD/e4ogJCxVrqQ2XcCSJWxJL31FNAMnBZpVzidudNURG2v61h3ckkSB/fP -JnkRy/yxYWrdFBYkURImxD8iFD1atj1n3EI5HBL7p/9mHxf1DVJWz7rYQk+3czvs -IhBz7xGBz4nhpCi87VDEYttghYlJanbiRfNh3okCOAQTAQIAIgUCUin7tAIbAwYL -CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyPABKoQhYr8OIA//cvkhoKay88yS -AjMQypach8C5CvP7eFCT11pkCt1DMAO/8Dt6Y/Ts10dPjohGdIX4PkoLTkQDwBDJ -HoLO75oqj0CYLlqDI4oHgf2uzd0Zv8f/11CQQCtut5oEK72mGNzv3GgVqg60z2KR 
-2vpxvGQmDwpDOPP620tf/LuRQgBpks7uazcbkAE2Br09YrUQSCBNHy8kirHW5m5C -nupMrcvuFx7mHKW1z3FuhM8ijG7oRmcBWfVoneQgIT3l2WBniXg1mKFhuUSV8Erc -XIcc11qsKshyqh0GWb2JfeXbAcTW8/4IwrCP+VfAyLO9F9khP6SnCmcNF9EVJyR6 -Aw+JMNRin7PgvsqbFhpkq9N+gVBAufz3DZoMTEbsMTtW4lYG6HMWhza2+8G9XyaL -ARAWhkNVsmQQ5T6qGkI19thB6E/T6ZorTxqeopNVA7VNK3RVlKpkmUu07w5bTD6V -l3Ti6XfcSQqzt6YX2/WUE8ekEG3rSesuJ5fqjuTnIIOjBxr+pPxkzdoazlu2zJ9F -n24fHvlU20TccEWXteXj9VFzV/zbPEQbEqmE16lV+bO8U7UHqCOdE83OMrbNKszl -7LSCbFhCDtflUsyClBt/OPnlLEHgEE1j9QkqdFFy90l4HqGwKvx7lUFDnuF8LYsb -/hcP4XhqjiGcjTPYBDK254iYrpOSMZSIRgQQEQIABgUCUioGfQAKCRBDlBVOdiii -tuddAJ4zMrge4qzajScIQcXYgIWMXVenCQCfYTNQPGkHVyp3dMhJ0NR21TYoYMC5 -Ag0EUin7tAEQAK5/AEIBLlA/TTgjUF3im6nu/rkWTM7/gs5H4W0a04kF4UPhaJUR -gCNlDfUnBFA0QD7Jja5LHYgLdoHXiFelPhGrbZel/Sw6sH2gkGCBtFMrVkm3u7tt -x3AZlprqqRH68Y5xTCEjGRncCAmaDgd2apgisJqXpu0dRDroFYpJFNH3vw9N2a62 -0ShNakYP4ykVG3jTDC4MSl2q3BO5dzn8GYFHU0CNz6nf3gZR+48BG+zmAT77peTS -+C4Mbd6LmMmB0cuS2kYiFRwE2B69UWguLHjpXFcu9/85JJVCl2CIab7l5hpqGmgw -G/yW8HFK04Yhew7ZJOXJfUYlv1EZzR5bOsZ8Z9inC6hvFmxuCYCFnvkiEI+pOxPA -oeNOkMaT/W4W+au0ZVt3Hx+oD0pkJb5if0jrCaoAD4gpWOte6LZA8mAbKTxkHPBr -rA9/JFis5CVNI688O6eDiJqCCJjPOQA+COJI+0V+tFa6XyHPB4LxA46RxtumUZMC -v/06sDJlXMNpZbSd5Fq95YfZd4l9Vr9VrvKXfbomn+akwUymP8RDyc6Z8BzjF4Y5 -02m6Ts0J0MnSYfEDqJPPZbMGB+GAgAqLs7FrZJQzOZTiOXOSIJsKMYsPIDWE8lXv -s77rs0rGvgvQfWzPsJlMIx6ryrMnAsfOkzM2GChGNX9+pABpgOdYII4bABEBAAGJ -Ah8EGAECAAkFAlIp+7QCGwwACgkQyPABKoQhYr+hrg/9Er0+HN78y6UWGFHu/KVK -d8M6ekaqjQndQXmzQaPQwsOHOvWdC+EtBoTdR3VIjAtX96uvzCRV3sb0XPB9S9eP -gRrO/t5+qTVTtjua1zzjZsMOr1SxhBgZ5+0U2aoY1vMhyIjUuwpKKNqj2uf+uj5Y -ZQbCNklghf7EVDHsYQ4goB9gsNT7rnmrzSc6UUuJOYI2jjtHp5BPMBHh2WtUVfYP -8JqDfQ+eJQr5NCFB24xMW8OxMJit3MGckUbcZlUa1wKiTb0b76fOjt0y/+9u1ykd -X+i27DAM6PniFG8BfqPq/E3iU20IZGYtaAFBuhhDWR3vGY4+r3OxdlFAJfBG9XDD -aEDTzv1XF+tEBo69GFaxXZGdk9//7qxcgiya4LL9Kltuvs82+ZzQhC09p8d3YSQN -cfaYObm4EwbINdKP7cr4anGFXvsLC9urhow/RNBLiMbRX/5qBzx2DayXtxEnDlSC -Mh7wCkNDYkSIZOrPVUFOCGxu7lloRgPxEetM5x608HRa3hDHoe5KvUBmmtavB/aR 
-zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni
-1B/y8hBSx3SVb4sQVRe3clBkfS1/mYjlldtYjzOwcd02x599KJlcChf8HnWFB7qT
-zB3yrr+vYBT0uDWmxwPjiJs=
-=ytEf
------END PGP PUBLIC KEY BLOCK-----
-```
diff --git a/README.md b/README.md
index 3847215..c6a9b94 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ access from remote to a system.
 THIS TOOL IS FOR LEGAL PURPOSES ONLY!
 There are already several login hacker tools available, however, none does
-either support more than one protocol to attack or support parallized
+either support more than one protocol to attack or support parallelized
 connects.
 It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris,
@@ -34,8 +34,8 @@ Currently this tool supports the following protocols:
 Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
 HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY,
 HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST,
- HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener,
- Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin,
+ HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener,
+ Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin,
 Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5,
 SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth,
 VNC and XMPP.
@@ -81,7 +81,8 @@ for a few optional modules (note that some might not be available on your distri
 ```
 apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
 libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
- firebird-dev
+ firebird-dev libmemcached-dev libgpg-error-dev \
+ libgcrypt11-dev libgcrypt20-dev
 ```
 This enables all optional modules and features with the exception of Oracle,
@@ -149,7 +150,7 @@ THIRD - check if the module has optional parameters
 e.g. hydra -U smtp
 FOURTH - the destination port
- this is optional! if no port is supplied the default common port for the
+ this is optional, if no port is supplied the default common port for the
 PROTOCOL is used.
 If you specify SSL to use ("-S" option), the SSL common port is used by default.
@@ -166,7 +167,7 @@ All attacks are then IPv6 only!
 If you want to supply your targets via a text file, you can not use the ://
 notation but use the old style and just supply the protocol (and module options):
 hydra [some command line options] -M targets.txt ftp
-You can supply also the port for each target entry by adding ":" after a
+You can also supply the port for each target entry by adding ":" after a
 target entry in the file, e.g.:
 ```
diff --git a/configure b/configure
index 88b1a05..5afd0da 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# uname -s = Linux | OpenBSD | FreeBSD
+# uname -s = Linux | OpenBSD | FreeBSD | Darwin
 # uname -m = i636 or x86_64
 if [ "$1" = "-h" -o "$1" = "--help" ]; then
@@ -38,6 +38,7 @@ WSSL_LIB_PATH=""
 CURSES_PATH=""
 CURSES_IPATH=""
 CRYPTO_PATH=""
+GPGERROR_IPATH=""
 IDN_PATH=""
 IDN_IPATH=""
 PR29_IPATH=""
@@ -48,6 +49,12 @@ FIREBIRD_PATH=""
 FIREBIRD_IPATH=""
 MYSQL_PATH=""
 MYSQL_IPATH=""
+MCACHED_PATH=""
+MCACHED_IPATH=""
+MONGODB_PATH=""
+MONGODB_IPATH=""
+BSON_PATH=""
+BSON_IPATH=""
 AFP_PATH=""
 AFP_IPATH=""
 NCP_PATH=""
@@ -63,6 +70,8 @@ NSL_PATH=""
 SOCKET_PATH=""
 MANDIR=""
 XHYDRA_SUPPORT=""
+FREERDP2_PATH=""
+WINPR2_PATH=""
 if [ '!' "X" = "X$*" ]; then
 while [ $# -gt 0 ] ; do
@@ -117,6 +126,7 @@ echo "Starting hydra auto configuration ..."
 rm -f Makefile.in
 SYSS=`uname -s 2> /dev/null`
 SYSO=`uname -o 2> /dev/null`
+SYSM=`uname -m 2> /dev/null`
 if [ "$SYSS" = "Linux" -o "$SYSS" = "OpenBSD" -o "$SYSS" = "FreeBSD" -o "$SYSS" = "NetBSD" -o "$SYSS" = "Darwin" ]; then
 SF=`uname -m | grep 64`
 if [ `uname -m` = "s390x" ]; then
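Review bot: The new `SYSM=` capture sits directly above two context lines that still shell out to `uname -m` a second and third time (the `SF=` assignment and the `s390x` test), so the value is computed three ways on the same machine. Now that it is stored, those lines should read from it — the test becomes `if [ "$SYSM" = "s390x" ]; then`, which also quotes the operand so an empty result cannot leave `[` with a missing argument, and the `SF=` line can pipe `echo "$SYSM"` into the existing `grep 64`. The `if [ "$SYSS" = ... ]` block those lines live in continues past the end of the hunk.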
@@ -252,22 +262,33 @@ if [ "$SSL_IPATH" = "/usr/include" ]; then
 SSL_IPATH=""
 fi
-echo "Checking for gcrypt (libgcrypt.so) ..."
+echo "Checking for gcrypt (libgcrypt.so, gpg-error.h) ..."
 for i in $LIBDIRS ; do
- if [ "X" = "X$GCRYPT_PATH" ]; then
- if [ -f "$i/libgcrypt.so" -o -f "$i/libgcrypt.dylib" -o -f "$i/libgcrypt.a" -o -f "$i/libgcrypt.dll.a" -o -f "$i/libgcrypt.la" ]; then
+ if [ -f "$i/libgcrypt.so" -o -f "$i/libgcrypt.dylib" -o -f "$i/libgcrypt.a" -o -f "$i/libgcrypt.dll.a" -o -f "$i/libgcrypt.la" ]; then
 HAVE_GCRYPT="y"
+ fi
+done
+
+for i in $INCDIRS ; do
+ if [ "X" = "X$GPGERROR_IPATH" ]; then
+ TMP_PATH=`/bin/ls $i/$SYSM*/gpg-error.h 2> /dev/null`
+ if [ -n "$TMP_PATH" ]; then
+ GPGERROR_IPATH="$i"
+ else
+ if [ -f "$i/gpg-error.h" ]; then
+ GPGERROR_IPATH="$i"
+ fi
 fi
 fi
 done
-if [ -n "$HAVE_GCRYPT" ]; then
- echo " ... found"
+
+if [ -n "$HAVE_GCRYPT" -a "X" != "X$GPGERROR_IPATH" ]; then
+ echo " ... found"
 else
- echo " ... gcrypt not found, radmin2 module disabled"
+ echo " ... gcrypt not found, radmin2 module disabled"
+ HAVE_GCRYPT=""
 fi
-
-
 echo "Checking for idn (libidn.so) ..."
 for i in $LIBDIRS ; do
 if [ "X" = "X$IDN_PATH" ]; then
@@ -549,6 +570,10 @@ for i in $INCDIRS ; do
 fi
 fi
 done
+SYS_PARAM=""
+if [ -f "$SDK_PATH/usr/include/sys/param.h" ]; then
+ SYS_PARAM=-DHAVE_SYS_PARAM_H
+fi
 if [ "X" != "X$DEBUG" ]; then
 echo DEBUG: SVN_PATH=$SVN_PATH/libsvn_client-1
 echo DEBUG: APR_PATH=$APR_PATH/libapr
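Review bot: The gpg-error.h probe assumes the per-architecture include directory is named after `uname -m` (`/bin/ls $i/$SYSM*/gpg-error.h`), but on Debian-style multiarch layouts the directory is the GNU triplet — `x86_64-linux-gnu` happens to match `x86_64*`, whereas a 32-bit x86 host reports `i686` against `i386-linux-gnu` and a 32-bit ARM host reports `armv7l` against `arm-linux-gnueabihf`, so on those the header is missed and the radmin2 module is silently disabled with a misleading "gcrypt not found" message. When the glob does match, `GPGERROR_IPATH="$i"` records the parent directory rather than the one the header was found in, which only works because the compiler already searches the multiarch subdirectory by default; that assumption deserves a comment. A more robust probe asks the toolchain first (gpg-error-config --cflags, or pkg-config --cflags gpg-error) and falls back to a triplet-tolerant glob such as `$i/*-linux-gnu*/gpg-error.h` before the plain `$i/gpg-error.h` test. The message in the else branch should also distinguish the two failures, e.g. `echo " ... gcrypt or gpg-error.h not found, radmin2 module disabled"`.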
@@ -940,6 +965,218 @@ if [ "X" = "X$ORACLE_PATH" -o "X" = "X$ORACLE_IPATH" ]; then ORACLE_IPATH="" fi +echo "Checking for Memcached (libmemcached.so, memcached.h) ..." + + for i in $LIBDIRS ; do + if [ "X" = "X$MCACHED_PATH" ]; then + if [ -f "$i/libmemcached.so" -o -f "$i/libmemcached.dylib" -o -f "$i/libmemcached.a" ]; then + MCACHED_PATH="$i" + fi + fi + if [ "X" = "X$MCACHED_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmemcached.so* 2> /dev/null | grep memcached` + if [ -n "$TMP_LIB" ]; then + MCACHED_PATH="$i" + fi + fi + if [ "X" = "X$MCACHED_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmemcached.dll* 2> /dev/null | grep memcached` + if [ -n "$TMP_LIB" ]; then + MCACHED_PATH="$i" + fi + fi + done + + MCACHED_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$MCACHED_IPATH" ]; then + if [ -f "$i/memcached.h" ]; then + MCACHED_IPATH="$i" + fi + if [ -f "$i/libmemcached/memcached.h" ]; then + MCACHED_IPATH="$i/libmemcached" + fi + if [ -f "$i/libmemcached-1.0/memcached.h" ]; then + MCACHED_IPATH="$i/libmemcached-1.0" + fi + fi + done + +if [ "X" != "X$DEBUG" ]; then + echo DEBUG: MCACHED_PATH=$MCACHED_PATH/libmemcached + echo DEBUG: MCACHED_IPATH=$MCACHED_IPATH/memcached.h +fi + if [ -n "$MCACHED_PATH" -a -n "$MCACHED_IPATH" ]; then + echo " ... found" + fi + if [ "X" = "X$MCACHED_PATH" -o "X" = "X$MCACHED_IPATH" ]; then + echo " ... NOT found, module memcached disabled" + MCACHED_PATH="" + MCACHED_IPATH="" + fi + + +echo "Checking for Freerdp2 (libfreerdp2.so, freerdp/*.h, libwinpr2.so, winpr/*.h) ..." 
+ + for i in $LIBDIRS ; do + if [ "X" = "X$FREERDP2_PATH" ]; then + if [ -f "$i/libfreerdp2.so" -o -f "$i/libfreerdp2.dylib" -o -f "$i/libfreerdp2.a" ]; then + FREERDP2_PATH="$i" + fi + fi + if [ "X" = "X$FREERDP2_PATH" ]; then + TMP_LIB=`/bin/ls $i/libfreerdp2*.so* 2> /dev/null | grep libfreerdp2` + if [ -n "$TMP_LIB" ]; then + FREERDP2_PATH="$i" + fi + fi + done + + FREERDP2_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$FREERDP2_IPATH" ]; then + if [ -f "$i/freerdp/freerdp.h" ]; then + FREERDP2_IPATH="$i/freerdp2" + fi + if [ -f "$i/freerdp2/freerdp/freerdp.h" ]; then + FREERDP2_IPATH="$i/freerdp2" + fi + fi + done + + for i in $LIBDIRS ; do + if [ "X" = "X$WINPR2_PATH" ]; then + if [ -f "$i/libwinpr2.so" -o -f "$i/libwinpr2.dylib" -o -f "$i/libwinpr2.a" ]; then + WINPR2_PATH="$i" + fi + fi + if [ "X" = "X$WINPR2_PATH" ]; then + TMP_LIB=`/bin/ls $i/winpr.dll* 2> /dev/null | grep winpr` + if [ -n "$TMP_LIB" ]; then + WINPR2_PATH="$i" + fi + fi + done + + WINPR2_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$WINPR2_IPATH" ]; then + if [ -f "$i/winpr.h" ]; then + WINPR2_IPATH="$i" + fi + if [ -f "$i/winpr2/winpr/winpr.h" ]; then + WINPR2_IPATH="$i/winpr2" + fi + fi + done + +if [ "X" != "X$DEBUG" ]; then + echo DEBUG: FREERDP2_PATH=$FREERDP2_PATH/ + echo DEBUG: FREERDP2_IPATH=$FREERDP2_IPATH/ + echo DEBUG: WINPR2_PATH=$WINPR2_PATH/ + echo DEBUG: WINPR2_IPATH=$WINPR2_IPATH/ +fi + + if [ -n "$FREERDP2_PATH" -a -n "$FREERDP2_IPATH" -a -n "$WINPR2_PATH" -a -n "$WINPR2_IPATH" ]; then + echo " ... found" + fi + if [ "X" = "X$FREERDP2_PATH" -o "X" = "X$FREERDP2_IPATH" -o "X" = "X$WINPR2_PATH" -o "X" = "X$WINPR2_IPATH" ]; then + echo " ... NOT found, module rdp disabled" + FREERDP2_PATH="" + FREERDP2_IPATH="" + WINPR2_PATH="" + WINPR2_IPATH="" + fi + +echo "Checking for Mongodb (libmongoc-1.0.so, mongoc.h, libbson-1.0.so, bson.h) ..." 
+ + for i in $LIBDIRS ; do + if [ "X" = "X$MONGODB_PATH" ]; then + if [ -f "$i/libmongoc-1.0.so" -o -f "$i/libmongoc-1.0.dylib" -o -f "$i/libmongoc-1.0.a" ]; then + MONGODB_PATH="$i" + fi + fi + if [ "X" = "X$MONGODB_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmongoc-*.so* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + MONGODB_PATH="$i" + fi + fi + if [ "X" = "X$MONGODB_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmongoc.dll* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + MONGODB_PATH="$i" + fi + fi + done + + MONGODB_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$MONGODB_IPATH" ]; then + if [ -f "$i/mongoc.h" ]; then + MONGODB_IPATH="$i" + fi + if [ -f "$i/libmongoc/mongoc.h" ]; then + MONGODB_IPATH="$i/libmongoc" + fi + if [ -f "$i/libmongoc-1.0/mongoc.h" ]; then + MONGODB_IPATH="$i/libmongoc-1.0" + fi + fi + done + + for i in $LIBDIRS ; do + if [ "X" = "X$BSON_PATH" ]; then + if [ -f "$i/libbson-1.0.so" -o -f "$i/libbson-1.0.dylib" -o -f "$i/libbson-1.0.a" ]; then + BSON_PATH="$i" + fi + fi + if [ "X" = "X$BSON_PATH" ]; then + TMP_LIB=`/bin/ls $i/libbson-*.so* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + BSON_PATH="$i" + fi + fi + if [ "X" = "X$BSON_PATH" ]; then + TMP_LIB=`/bin/ls $i/libbson.dll* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + BSON_PATH="$i" + fi + fi + done + + BSON_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$BSON_IPATH" ]; then + if [ -f "$i/bson.h" ]; then + BSON_IPATH="$i" + fi + if [ -f "$i/libbson/bson.h" ]; then + BSON_IPATH="$i/libbson" + fi + if [ -f "$i/libbson-1.0/bson.h" ]; then + BSON_IPATH="$i/libbson-1.0" + fi + fi + done + +if [ "X" != "X$DEBUG" ]; then + echo DEBUG: MONGODB_PATH=$MONGODB_PATH/libmongoc + echo DEBUG: MONGODB_IPATH=$MONGODB_IPATH/libmongoc.h + echo DEBUG: BSON_PATH=$BSON_PATH/libbson + echo DEBUG: BSON_IPATH=$BSON_IPATH/libbson.h +fi + + if [ -n "$MONGODB_PATH" -a -n "$MONGODB_IPATH" -a -n "$BSON_PATH" -a -n "$BSON_IPATH" ]; then + echo " ... 
found" + fi + if [ "X" = "X$MONGODB_PATH" -o "X" = "X$MONGODB_IPATH" -o "X" = "X$BSON_PATH" -o "X" = "X$BSON_IPATH" ]; then + echo " ... NOT found, module mongodb disabled" + MONGODB_PATH="" + MONGODB_IPATH="" + BSON_PATH="" + BSON_IPATH="" + fi if [ "X" = "X$XHYDRA_SUPPORT" ]; then echo "Checking for GUI req's (pkg-config, gtk+-2.0) ..." @@ -1034,8 +1271,17 @@ XLIBS="" XLIBPATHS="" XIPATHS="" -if [ -n "$FIREBIRD_PATH" -o -n "$PCRE_PATH" -o -n "$IDN_PATH" -o -n "$SSL_PATH" -o -n "$CRYPTO_PATH" -o -n "$NSL_PATH" -o -n "$SOCKET_PATH" -o -n "$RESOLV_PATH" -o -n "$SAPR3_PATH" -o -n "$SSH_PATH" -o -n "$POSTGRES_PATH" -o -n "$SVN_PATH" -o -n "$NCP_PATH" -o -n "$CURSES_PATH" -o -n "$ORACLE_PATH" -o -n "$AFP_PATH" -o -n "$MYSQL_PATH" ]; then - XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/lib" +if [ -n "$FIREBIRD_PATH" -o -n "$PCRE_PATH" -o -n "$IDN_PATH" -o -n "$SSL_PATH" -o -n "$CRYPTO_PATH" -o -n "$NSL_PATH" -o -n "$SOCKET_PATH" -o -n "$RESOLV_PATH" -o -n "$SAPR3_PATH" -o -n "$SSH_PATH" -o -n "$POSTGRES_PATH" -o -n "$SVN_PATH" -o -n "$NCP_PATH" -o -n "$CURSES_PATH" -o -n "$ORACLE_PATH" -o -n "$AFP_PATH" -o -n "$MYSQL_PATH" -o -n "$MCACHED_PATH" -o -n "$MONGOD_PATH" -o -n "$FREERDP2_PATH" -o -n "$WINPR2_PATH" ]; then + if [ "$SYSS" = "Darwin" ] && [ ! -d "/lib" ]; then + #for libraries installed with MacPorts + if [ -d "/opt/local/lib" ]; then + XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/opt/local/lib" + else + XLIBPATHS="-L/usr/lib -L/usr/local/lib" + fi + else + XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/lib" + fi fi if [ -n "$MYSQL_IPATH" ]; then XIPATHS="$XIPATHS -I$MYSQL_IPATH" 
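Review bot: The versioned-library fallback for libbson greps for the wrong name: `TMP_LIB=`/bin/ls $i/libbson-*.so* 2> /dev/null | grep mongoc`` (and the `libbson.dll*` probe right after it) can never match a bson library, so a system that ships only `libbson-1.0.so.0` without an unversioned `.so` disables the mongodb module even though libmongoc was found; both should read `| grep bson`. In the Freerdp2 header search, `if [ -f "$i/freerdp/freerdp.h" ]; then FREERDP2_IPATH="$i/freerdp2"` records a directory the header was not found in — it should assign `FREERDP2_IPATH="$i"`, as the memcached and mongodb loops do for the same case. The WinPR dll probe looks for `winpr.dll*` while the preceding tests look for `libwinpr2.*`; if that is deliberate for a Windows build, a short comment would save the next reader from "fixing" it.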
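Review bot: The widened condition tests `-n "$MONGOD_PATH"`, but the variable set by the detection code above is `MONGODB_PATH`; with the typo a system on which mongodb is the only optional library found gets no `XLIBPATHS` at all and the link step fails. Change it to `-o -n "$MONGODB_PATH"`. The Darwin branch is otherwise fine; a one-line comment stating why `/lib` is omitted when the directory is absent would make the special case self-explanatory.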
@@ -1098,10 +1344,24 @@ fi if [ -n "$HAVE_GCRYPT" ]; then XDEFINES="$XDEFINES -DHAVE_GCRYPT" fi - +if [ -n "$MCACHED_PATH" ]; then + XDEFINES="$XDEFINES -DLIBMCACHED" +fi +if [ -n "$MONGODB_PATH" ]; then + XDEFINES="$XDEFINES -DLIBMONGODB" +fi +if [ -n "$BSON_PATH" ]; then + XDEFINES="$XDEFINES -DLIBBSON" +fi +if [ -n "$FREERDP2_PATH" ]; then + XDEFINES="$XDEFINES -DLIBFREERDP2" +fi +if [ -n "$WINPR2_PATH" ]; then + XDEFINES="$XDEFINES -DLIBWINPR2" +fi OLDPATH="" -for i in $SSL_PATH $FIREBIRD_PATH $WORACLE_LIB_PATH $PCRE_PATH $IDN_PATH $CRYPTO_PATH $SSH_PATH $NSL_PATH $SOCKET_PATH $RESOLV_PATH $SAPR3_PATH $POSTGRES_PATH $SVN_PATH $NCP_PATH $CURSES_PATH $ORACLE_PATH $AFP_PATH $MYSQL_PATH; do +for i in $SSL_PATH $FIREBIRD_PATH $WORACLE_LIB_PATH $PCRE_PATH $IDN_PATH $CRYPTO_PATH $SSH_PATH $NSL_PATH $SOCKET_PATH $RESOLV_PATH $SAPR3_PATH $POSTGRES_PATH $SVN_PATH $NCP_PATH $CURSES_PATH $ORACLE_PATH $AFP_PATH $MYSQL_PATH $MCACHED_PATH $MONGODB_PATH $BSON_PATH $FREERDP2_PATH $WINPR2_PATH; do if [ "$OLDPATH" = "$i" ]; then OLDPATH="$i" else @@ -1154,6 +1414,15 @@ fi if [ -n "$ORACLE_IPATH" ]; then XIPATHS="$XIPATHS -I$ORACLE_IPATH" fi +if [ -n "$MCACHED_IPATH" ]; then + XIPATHS="$XIPATHS -I$MCACHED_IPATH" +fi +if [ -n "$MONGODB_IPATH" ]; then + XIPATHS="$XIPATHS -I$MONGODB_IPATH -I$BSON_IPATH" +fi +if [ -n "$FREERDP2_IPATH" ]; then + XIPATHS="$XIPATHS -I$FREERDP2_IPATH -I$WINPR2_IPATH" +fi if [ -n "$HAVE_GCRYPT" ]; then XLIBS="$XLIBS -lgcrypt" fi @@ -1217,7 +1486,21 @@ fi if [ -n "$RESOLV_PATH" ]; then XLIBS="$XLIBS -lresolv" fi - +if [ -n "$MCACHED_PATH" ]; then + XLIBS="$XLIBS -lmemcached" +fi +if [ -n "$MONGODB_PATH" ]; then + XLIBS="$XLIBS -lmongoc-1.0" +fi +if [ -n "$BSON_PATH" ]; then + XLIBS="$XLIBS -lbson-1.0" +fi +if [ -n "$FREERDP2_PATH" ]; then + XLIBS="$XLIBS -lfreerdp2" +fi +if [ -n "$WINPR2_PATH" ]; then + XLIBS="$XLIBS -lwinpr2" +fi if [ -d /usr/kerberos/include ]; then XIPATHS="$XIPATHS -I/usr/kerberos/include" fi 
@@ -1244,7 +1527,7 @@ else fi if [ "X" != "X$DEBUG" ]; then - echo DEBUG: XDEFINES=$XDEFINES $MATH + echo DEBUG: XDEFINES=$XDEFINES $MATH $SYS_PARAM echo DEBUG: XLIBS=$XLIBS echo DEBUG: XLIBPATHS=$XLIBPATHS echo DEBUG: XIPATHS=$XIPATHS @@ -1262,7 +1545,7 @@ if [ "X" != "X$FHS" ]; then echo "MANDIR = /share/man/man1" >> Makefile.in echo "DATADIR = /share/hydra" >> Makefile.in fi -echo "XDEFINES=$XDEFINES $MATH" >> Makefile.in +echo "XDEFINES=$XDEFINES $MATH $SYS_PARAM" >> Makefile.in echo "XLIBS=$XLIBS" >> Makefile.in echo "XLIBPATHS=$XLIBPATHS" >> Makefile.in echo "XIPATHS=$XIPATHS" >> Makefile.in @@ -1300,7 +1583,7 @@ if [ "x$WINDRES" = "x" ]; then echo HYDRA_LOGO= >> Makefile echo PWI_LOGO= >> Makefile fi -if [ "$GCCSEC" = "yes" ] && [ "$SYSS" != "SunOS" ]; then +if [ "$GCCSEC" = "yes" ] && [ "$SYSS" != "SunOS" ] && [ "$SYSS" != "Darwin" ]; then echo "SEC=$GCCSECOPT" >> Makefile else echo "SEC=" >> Makefile diff --git a/hydra-afp.c b/hydra-afp.c index c940ce1..0e55f6f 100644 --- a/hydra-afp.c +++ b/hydra-afp.c @@ -54,7 +54,7 @@ static int32_t server_subconnect(struct afp_url url) { if (strlen(url.uamname) > 0) { if ((conn_req->uam_mask = find_uam_by_name(url.uamname)) == 0) { - fprintf(stderr, "[ERROR] Unknown UAM: %s", url.uamname); + fprintf(stderr, "[ERROR] Unknown UAM: %s\n", url.uamname); FREE(conn_req); FREE(server); return -1; diff --git a/hydra-asterisk.c b/hydra-asterisk.c index 5be7896..1ec351d 100644 --- a/hydra-asterisk.c +++ b/hydra-asterisk.c @@ -114,6 +114,7 @@ void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); diff --git a/hydra-ftp.c b/hydra-ftp.c index 6b853eb..504c0bd 100644 --- a/hydra-ftp.c +++ b/hydra-ftp.c 
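Review bot: Adding `[ "$SYSS" != "Darwin" ]` drops every hardening option in `GCCSECOPT` for macOS builds without telling the user, so the Darwin binary is built without the mitigations the other platforms get. If only some of the options are rejected by Apple's toolchain, probe them individually rather than clearing `SEC` wholesale; at minimum print the consequence, e.g. `echo "Warning: compiler hardening options disabled on Darwin"` before `echo "SEC=" >> Makefile`. How `GCCSEC` and `GCCSECOPT` are computed is outside this hunk, so whether a per-option probe is already available there is inferred.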
@@ -155,10 +155,12 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); + break; case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); diff --git a/hydra-gtk/src/callbacks.c b/hydra-gtk/src/callbacks.c index 62c441c..5600f15 100644 --- a/hydra-gtk/src/callbacks.c +++ b/hydra-gtk/src/callbacks.c @@ -690,7 +690,7 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) { text = gtk_text_buffer_get_text(outputbuf, &start, &end, TRUE); fd = open(filename, O_CREAT | O_TRUNC | O_WRONLY, 0644); - if (fd > 0) { + if (fd >= 0) { write(fd, text, strlen(text)); close(fd); } diff --git a/hydra-gtk/src/interface.c b/hydra-gtk/src/interface.c index f501d0b..6b665eb 100644 --- a/hydra-gtk/src/interface.c +++ b/hydra-gtk/src/interface.c @@ -248,6 +248,8 @@ GtkWidget *create_wndMain(void) { cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ldap3"); cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ldap3-crammd5"); cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ldap3-digestmd5"); + cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "memcached"); + cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "mongodb"); cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "mssql"); cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "mysql"); cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ncp"); diff --git a/hydra-http-form.c b/hydra-http-form.c index 875222f..1ac8721 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
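Review bot: `if (fd >= 0)` correctly accepts descriptor 0, but the `write(fd, text, strlen(text))` on the next line still ignores its return value, so a short write or an error (disk full, permission change) leaves a truncated save file and the user is never told. Check the result, e.g. `if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) g_warning("failed to write %s", filename);`, or loop until all bytes are written. The enclosing `on_btnSave_clicked` starts before this hunk.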
@@ -50,10 +50,12 @@ Added fail or success condition, getting cookies, and allow 5 redirections by da */ #include "hydra-http.h" +#include "sasl.h" extern char *HYDRA_EXIT; char *buf; char *cond; +extern int32_t http_auth_mechanism; struct header_node { char *header; @@ -323,7 +325,7 @@ void hdrrep(ptr_header_node *ptr_head, char *oldvalue, char *newvalue) { if (cur_ptr->value) strcpy(cur_ptr->value, newvalue); else { - hydra_report(stderr, "[ERROR] Out of memory (hddrep)."); + hydra_report(stderr, "[ERROR] Out of memory (hddrep).\n"); hydra_child_exit(0); } } @@ -342,7 +344,7 @@ void hdrrepv(ptr_header_node *ptr_head, char *hdrname, char *new_value) { if (cur_ptr->value) strcpy(cur_ptr->value, new_value); else { - hydra_report(stderr, "[ERROR] Out of memory (hdrrepv %lu)", strlen(new_value) + 1); + hydra_report(stderr, "[ERROR] Out of memory (hdrrepv %lu)\n", strlen(new_value) + 1); hydra_child_exit(0); } } @@ -397,6 +399,29 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { */ while (*miscptr != 0) { switch (miscptr[0]) { + case 'a': // fall through + case 'A': // only for http, not http-form! + ptr = miscptr + 2; + + if (strncasecmp(ptr, "NTLM", 4) == 0) + http_auth_mechanism = AUTH_NTLM; + else if (strncasecmp(ptr, "MD5", 3) == 0 || strncasecmp(ptr, "DIGEST", 6) == 0) + http_auth_mechanism = AUTH_DIGESTMD5; + else if (strncasecmp(ptr, "BASIC", 4) == 0) + http_auth_mechanism = AUTH_BASIC; + else + fprintf(stderr, "[WARNING] unknown http auth type: %s\n", ptr); + + while (*ptr != 0 && *ptr != ':') + ptr++; + + if (*ptr != 0) { + *ptr = 0; + ptr += 1; + } + + miscptr = ptr; + break; case 'c': // fall through case 'C': ptr = miscptr + 2; @@ -416,7 +441,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { *(ptr - 1) = 0; if (*ptr != 0) { *ptr = 0; - ptr += 2; + ptr += 1; } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) 
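Review bot: `strncasecmp(ptr, "BASIC", 4) == 0` compares only four characters, so `A=BASI` (or `A=BASICxyz`) is accepted as BASIC while the NTLM and DIGEST checks use the full keyword length; it should be `strncasecmp(ptr, "BASIC", 5) == 0`. The comment `only for http, not http-form!` is not enforced: `parse_options` is defined in hydra-http-form.c and shared with that module, so an `A=` option passed to http-form silently sets `http_auth_mechanism` there too — either reject it in that context or document that it is ignored. The unknown-type branch only warns and leaves `http_auth_mechanism` at its previous value; a comment saying that the default applies in that case would help.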
@@ -434,7 +459,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { break; } // Error: abort execution - hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (h)."); + hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (h).\n"); return 0; case 'H': // add a new header, or replace an existing one's value @@ -447,7 +472,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { if (*ptr != 0) { *ptr = 0; - ptr += 2; + ptr += 1; } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) @@ -465,7 +490,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { break; } // Error: abort execution - hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (H)."); + hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (H).\n"); return 0; // no default } @@ -1079,6 +1104,7 @@ void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscpt * - 3 -> Disconnect and end with success. * - 4 -> Disconnect and end with error. */ + while (1) { if (run == 2) { if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { @@ -1235,11 +1261,18 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { ptr++; if (*ptr != 0) *ptr++ = 0; - cond = ptr; + + if ((ptr2 = rindex(ptr, ':')) != NULL) { + cond = ptr2 + 1; + *ptr2 = 0; + } else + cond = ptr; +/* while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; +*/ optional1 = ptr; if (strstr(url, "\\:") != NULL) { if ((ptr = malloc(strlen(url))) != NULL) { @@ -1281,6 +1314,8 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { success_cond = 0; } + //printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond); + /* * Parse the user-supplied options. * Beware of the backslashes (\)! 
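Review bot: The new `rindex(ptr, ':')` split takes the last colon of the remaining string as the start of the condition and ignores the `\:` escaping that the now commented-out loop honoured, so a condition or trailing option containing an escaped colon is cut at the wrong place; if the last-colon rule is intentional, state it in a comment and in the usage text. `rindex` is a legacy BSD name — `strrchr(ptr, ':')` is the portable equivalent. The commented-out `/* while ... */` block here and the `//printf(...)` debug line in the following hunk should be removed rather than left in the file. `initialize` starts before this hunk.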
@@ -1299,7 +1334,7 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { strncat(proxy_string, proxy_authentication[selected_proxy], strlen(proxy_authentication[selected_proxy]) - 6); add_header(&ptr_head, "Proxy-Authorization", proxy_string, HEADER_TYPE_DEFAULT); } else { - hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header."); + hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header.\n"); return NULL; } if (getcookie) { @@ -1362,7 +1397,7 @@ void usage_http_form(const char *service) { " This is where most people get it wrong. You have to check the webapp what a\n" " failed string looks like and put it in this parameter!\n" "The following parameters are optional:\n" - " C=/page/uri to define a different page to gather initial cookies from\n" + " (c|C)=/page/uri to define a different page to gather initial cookies from\n" " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" " ^USER[64]^ and ^PASS[64]^ can also be put into these headers!\n" " Note: 'h' will add the user-defined header at the end\n" diff --git a/hydra-http-proxy.c b/hydra-http-proxy.c index cc9ad6b..cdeb714 100644 --- a/hydra-http-proxy.c +++ b/hydra-http-proxy.c @@ -8,7 +8,7 @@ char *http_proxy_buf = NULL; int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; - char url[210], host[30]; + char url[210], host[60]; char *header = ""; /* XXX TODO */ char *ptr, *fooptr; @@ -23,7 +23,7 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option } else { sprintf(url, "%.200s", miscptr); ptr = strstr(miscptr, "://"); // :// check is in hydra.c - sprintf(host, "Host: %.200s", ptr + 3); + sprintf(host, "Host: %.50s", ptr + 3); if ((ptr = index(host, '/')) != NULL) *ptr = 0; if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[') 
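Review bot: `sprintf(host, "Host: %.50s", ptr + 3)` silently truncates any target longer than 50 characters, so a long hostname produces a wrong `Host:` header and the proxy may route the request to a different virtual host; the 50/60 pair also has to be kept in sync by hand. Derive the width from the buffer, `snprintf(host, sizeof(host), "Host: %s", ptr + 3);`, and report truncation instead of continuing. `start_http_proxy` continues outside the hunk.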
diff --git a/hydra-http.c b/hydra-http.c index db9b500..3a6b378 100644 --- a/hydra-http.c +++ b/hydra-http.c @@ -1,19 +1,26 @@ #include "hydra-http.h" #include "sasl.h" + + extern char *HYDRA_EXIT; char *webtarget = NULL; char *slash = "/"; char *http_buf = NULL; + +#define END_CONDITION_MAX_LEN 100 +static char end_condition[END_CONDITION_MAX_LEN]; +int end_condition_type=-1; + int32_t webport, freemischttp = 0; -int32_t http_auth_mechanism = AUTH_BASIC; +int32_t http_auth_mechanism = AUTH_UNASSIGNED; int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) { char *empty = ""; char *login, *pass, *buffer, buffer2[500]; char *header; char *ptr, *fooptr; - int32_t complete_line = 0; + int32_t complete_line = 0, buffer_size; char tmpreplybuf[1024] = "", *tmpreplybufptr; if (strlen(login = hydra_get_next_login()) == 0) @@ -26,7 +33,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha header = stringify_headers(&ptr_head); - if(!(buffer = malloc(strlen(header) + 500))) { + buffer_size = strlen(header) + 500; + if(!(buffer = malloc(buffer_size))) { free(header); return 3; } @@ -63,14 +71,14 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha char *pbuffer; pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest "); - strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); - buffer[sizeof(buffer) - 1] = '\0'; + strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1); + buffer[buffer_size - 1] = '\0'; fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header); if (fooptr == NULL) { - free(buffer); - free(header); + free(buffer); + free(header); return 3; } 
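Review bot: The strncpy change is the right fix — `sizeof(buffer)` was the size of a pointer — but the check two lines below, `if (fooptr == NULL)`, can never be true: `fooptr` is assigned `buffer2` (a stack array) just before and `sasl_digest_md5` receives it by value, so the error path after a failed digest is dead code. If `sasl_digest_md5` signals failure through its return value (not visible here), test that instead, e.g. `if (sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header) == NULL)`; otherwise drop the dead branch. `start_http` continues outside the hunk.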
@@ -95,38 +103,37 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha //send the first.. if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, - "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) - sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else - sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, + sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - free(buffer); - free(header); + free(buffer); + free(header); return 1; } //receive challenge if (http_buf != NULL) free(http_buf); + http_buf = hydra_receive_line(s); - while (http_buf != NULL && (pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ")) == NULL) { - free(http_buf); - http_buf = hydra_receive_line(s); - } - if (http_buf == NULL) { - free(buffer); - free(header); - return 1; + if (verbose) + hydra_report(stderr, "[ERROR] Server did not answer\n"); + free(buffer); + free(header); + return 3; } + pos = 
hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM "); if (pos != NULL) { char *str; @@ -137,7 +144,11 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha if ((str = strchr(pos, '\n')) != NULL) { pos[str - pos] = 0; } + } else { + hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n"); + return 3; } + //recover challenge from64tobits((char *) buf1, pos); free(http_buf); @@ -150,14 +161,14 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha //create the auth response if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) sprintf(buffer, - "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) - sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, buf1, header); else - sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, + sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buf1, header); } 
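Review bot: The new `else` branch that reports `It is not NTLM authentication type` returns 3 without `free(buffer); free(header);`, unlike every other early return in this function, and leaves `http_buf` allocated as well; add the frees before the `return 3;`. The hunk also replaces the loop that read lines until a `WWW-Authenticate: NTLM` header appeared with a single `hydra_receive_line` call, so this path now depends on that one call returning the whole response — fine if `hydra_receive_line` drains the socket (the hydra-mod.c hunk later in this diff suggests it now does), otherwise a status line alone would trip the new error. `start_http` continues outside the hunk.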
@@ -218,8 +229,18 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha if (ptr != NULL) ptr++; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { - hydra_report_found_host(port, ip, "www", fp); - hydra_completed_pair_found(); +#ifdef HAVE_PCRE + if (end_condition_type >= 0 && hydra_string_match(http_buf, end_condition)!=end_condition_type) { +#else + if (end_condition_type >= 0 && (strstr(http_buf, end_condition) == NULL ? 0 : 1) != end_condition_type) { +#endif + if (debug) hydra_report(stderr, "End condition not match continue.\n"); + hydra_completed_pair(); + } else { + if (debug) hydra_report(stderr, "END condition %s match.\n",end_condition); + hydra_report_found_host(port, ip, "www", fp); + hydra_completed_pair_found(); + } if (http_buf != NULL) { free(http_buf); http_buf = NULL; @@ -230,7 +251,7 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha //the first authentication type failed, check the type from server header if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { - //seems the auth supported is not Basic shceme so testing further + //seems the auth supported is not Basic scheme so testing further int32_t find_auth = 0; if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) { @@ -247,8 +268,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha if (find_auth) { // free(http_buf); // http_buf = NULL; - free(buffer); - free(header); + free(buffer); + free(header); return 1; } } @@ -256,10 +277,12 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha } // free(http_buf); // http_buf = NULL; + free(buffer); free(header); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; + return 1; } 
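Review bot: In the success branch, `if (debug) hydra_report(stderr, "END condition %s match.\n",end_condition);` is reached whenever no `F=`/`S=` condition was supplied (`end_condition_type` defaults to -1), so debug output claims an empty condition matched; guard it with `end_condition_type >= 0` or word it as `"no end condition set or condition matched"`. The non-PCRE fallback `strstr(http_buf, end_condition) == NULL ? 0 : 1` is a plain substring test while the PCRE path uses `hydra_string_match`, so the same `F=` string can behave differently depending on the build — worth noting in the usage text. `start_http` continues outside the hunk.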
@@ -310,9 +333,12 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI *ptr++ = 0; optional1 = ptr; - if (!parse_options(optional1, &ptr_head)) + if (!parse_options(optional1, &ptr_head)) // this function is in hydra-http-form.c !! run = 4; + if (http_auth_mechanism == AUTH_UNASSIGNED) + http_auth_mechanism = AUTH_BASIC; + while (1) { next_run = 0; switch (run) { 
@@ -383,12 +409,53 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis // 0 all OK // -1 error, hydra will exit, so print a good error message here + + + /*POU CODE */ + char * start=strstr(miscptr, "F="); + if(start==NULL) + start=strstr(miscptr, "S="); + + if (start !=NULL){ + if(start[0]=='F') + end_condition_type=0; + else + end_condition_type=1; + + int condition_len=strlen(start); + memset(end_condition,0,END_CONDITION_MAX_LEN); + if(condition_len>=END_CONDITION_MAX_LEN){ + hydra_report(stderr,"Condition string cannot be bigger than %u.",END_CONDITION_MAX_LEN); + return -1; + } + //copy condition witout starting string (F= or S= 2char) + strncpy(end_condition, start+2,condition_len-2); + if(debug) + hydra_report(stderr, "End condition is %s, mod is %d\n",end_condition,end_condition_type); + + if(*(start-1)==' ') + start--; + memset(start,'\0',condition_len); + if (debug) + hydra_report(stderr, "Modificated options:%s\n",miscptr); + }else{ + if (debug) + hydra_report(stderr, "Condition not found\n"); + } + + + + return 0; } void usage_http(const char* service) { printf("Module %s requires the page to authenticate.\n" "The following parameters are optional:\n" + " (a|A)=auth-type specify authentication mechanism to use: BASIC, NTLM or MD5\n" " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" - "For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: sessid=aaaa\" or \"https://test.com:8080/members\"\n\n", service); + " (F|S)=check for text in the HTTP reply. S= means if this text is found, a\n" + " valid account has been found, F= means if this string is present the\n" + " combination is invalid. Note: this must be the last option supplied.\n" + "For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n", service); } diff --git a/hydra-icq.c b/hydra-icq.c index 68fd667..86c968c 100644 --- a/hydra-icq.c +++ b/hydra-icq.c 
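Review bot: `if(*(start-1)==' ')` reads one byte before `miscptr` when the option string starts with `F=` or `S=`, an out-of-bounds read; guard it with `if (start > miscptr && *(start-1) == ' ')`. `strstr(miscptr, "F=")` matches the first occurrence anywhere in the options, including inside a URL query string or a header value, and the code then zeroes `miscptr` from that point, so a target such as `"/login?F=1:H=..."` loses its path and options; since the usage text says the condition must be the last option, searching for the `:F=` / `:S=` separator (or the last `:`) would implement the documented contract. The error message `"Condition string cannot be bigger than %u."` lacks a trailing newline and uses `%u` for an int constant. The `/*POU CODE */` marker and the typos `witout` / `Modificated options` should be cleaned up.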
@@ -233,9 +233,11 @@ void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); + break; default: fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); + break; } run = next_run; } diff --git a/hydra-ldap.c b/hydra-ldap.c index e00265e..d04d180 100644 --- a/hydra-ldap.c +++ b/hydra-ldap.c @@ -393,6 +393,7 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) { /* TLS option negociation goes well, now trying to connect */ + free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1) && verbose) { hydra_report(stderr, "[ERROR] Can't use TLS\n"); hydra_child_exit(1); @@ -403,6 +404,7 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } else { hydra_report(stderr, "[ERROR] Can't use TLS %s\n", buf); + free(buf); hydra_child_exit(1); } } diff --git a/hydra-memcached.c b/hydra-memcached.c new file mode 100644 index 0000000..9065c1e --- /dev/null +++ b/hydra-memcached.c 
@@ -0,0 +1,179 @@ +//This plugin was written by +//Tested on memcached 1.5.6-0ubuntu1 + +#ifdef LIBMCACHED +#include +#endif + +#include "hydra-mod.h" + +#ifndef LIBMCACHED +void dummy_mcached() { + printf("\n"); +} +#else + +extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); + +extern char *HYDRA_EXIT; + +int mcached_send_com_quit(int32_t sock) { + char *com_quit = "quit\r\n"; + + if (hydra_send(sock, com_quit, strlen(com_quit), 0) < 0) + return 1; + return 0; +} + +int mcached_send_com_version(int32_t sock) { + char *com_version = "version\r\n"; + + if (hydra_send(sock, com_version, strlen(com_version), 0) < 0) + return 1; + return 0; +} + + + +int32_t start_mcached(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { + char *empty = ""; + char *login, *pass; + + memcached_server_st *servers = NULL; + memcached_return_t rc; + memcached_st *cache; + + if (strlen(login = hydra_get_next_login()) == 0) + login = empty; + if (strlen(pass = hydra_get_next_password()) == 0) + pass = empty; + + cache = memcached_create(NULL); + + rc = memcached_set_sasl_auth_data(cache, login, pass); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't setup SASL auth: %s\n", memcached_strerror(cache, rc)); + memcached_free(cache); + return 3; + } + + rc = memcached_behavior_set(cache, MEMCACHED_BEHAVIOR_BINARY_PROTOCOL, 1); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't use the binary protocol: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + return 3; + } + rc = memcached_behavior_set(cache, MEMCACHED_BEHAVIOR_CONNECT_TIMEOUT, 10000); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't set the connect timeout: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + return 3; + } + + servers = 
memcached_server_list_append(servers, hydra_address2string(ip), port, &rc); + rc = memcached_server_push(cache, servers); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't add server: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + return 3; + } + + rc = memcached_stat_execute(cache, "", NULL, NULL); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't get server stats: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + hydra_completed_pair_skip(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + return 3; + } + return 2; + } + + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + + hydra_report_found_host(port, ip, "memcached", fp); + hydra_completed_pair_found(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return 3; + + return 2; +} + +void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { + int32_t run = 1, next_run = 1, sock = -1; + + hydra_register_socket(sp); + + while (1) { + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return; + + switch (run) { + case 1: + next_run = start_mcached(sock, ip, port, options, miscptr, fp); + break; + case 2: + hydra_child_exit(0); + return; + default: + if (!verbose) + hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n"); + hydra_child_exit(2); + } + run = next_run; + } +} + +int32_t service_mcached_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { + // called before the childrens are forked off, so this is the function + // which should be filled if initial connections and service setup has to be + // performed once only. 
+ + int32_t sock = -1; + int32_t myport = PORT_MCACHED; + char *buf; + + if (port != 0) + myport = port; + + sock = hydra_connect_tcp(ip, myport); + if (sock < 0) { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Can not connect\n"); + return -1; + } + + if (mcached_send_com_version(sock)) { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Can not send request\n"); + return -1; + } + + if (hydra_data_ready_timed(sock, 0, 1000) > 0) { + buf = hydra_receive_line(sock); + if (strstr(buf, "VERSION ")) { + hydra_report_found_host(port, ip, "memcached", fp); + mcached_send_com_quit(sock); + if (sock >= 0) + sock = hydra_disconnect(sock); + hydra_report(stderr, "[ERROR] Memcached server does not require any authentication\n"); + } + free(buf); + return -1; + } + if (sock >= 0) + sock = hydra_disconnect(sock); + return 0; +} + +#endif diff --git a/hydra-mod.c b/hydra-mod.c index 251ef27..9e7d862 100644 --- a/hydra-mod.c +++ b/hydra-mod.c @@ -33,7 +33,7 @@ int32_t do_retry = 1; int32_t module_auth_type = -1; int32_t intern_socket, extern_socket; char pair[260]; -char HYDRA_EXIT[5] = "\x00\xff\x00\xff\x00"; +char *HYDRA_EXIT = "\x00\xff\x00\xff\x00"; char *HYDRA_EMPTY = "\x00\x00\x00\x00"; char *fe80 = "\xfe\x80\x00"; int32_t fail = 0; @@ -85,7 +85,7 @@ void interrupt() { /* ----------------- internal functions ----------------- */ -int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int32_t type) { +int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t protocol) { int32_t s, ret = -1, ipv6 = 0, reset_selected = 0; #ifdef AF_INET6 @@ -102,6 +102,8 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 selected_proxy = random() % proxy_count; } + memset(&target, 0, sizeof(target)); + memset(&sin, 0, sizeof(sin)); #ifdef AF_INET6 memset(&target6, 0, sizeof(target6)); memset(&sin6, 0, sizeof(sin6)); 
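Review bot: In `service_mcached_init`, `buf = hydra_receive_line(sock)` can return NULL (its error paths are visible in the hydra-mod.c hunk at the end of this diff) and is passed straight to `strstr`, and `hydra_report_found_host(port, ip, ...)` uses `port` rather than `myport`, so a run without an explicit port reports port 0. The socket is closed on only one of the three early-exit paths. In `start_mcached`, the `servers` list from `memcached_server_list_append` is never released; libmemcached provides `memcached_server_list_free` for that. The `#include` at the top of the file has lost its argument in this view, so the header name could not be checked. Rewritten tail of `service_mcached_init`:
```c
  if (mcached_send_com_version(sock)) {
    if (verbose || debug)
      hydra_report(stderr, "[ERROR] Can not send request\n");
    sock = hydra_disconnect(sock);
    return -1;
  }

  if (hydra_data_ready_timed(sock, 0, 1000) > 0) {
    buf = hydra_receive_line(sock);
    if (buf != NULL && strstr(buf, "VERSION ")) {
      hydra_report_found_host(myport, ip, "memcached", fp);
      mcached_send_com_quit(sock);
      hydra_report(stderr, "[ERROR] Memcached server does not require any authentication\n");
    }
    free(buf);
    sock = hydra_disconnect(sock);
    return -1;
  }
  /* … unchanged: disconnect and return 0 … */
```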
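Review bot: Changing `HYDRA_EXIT` from `char[5]` to `char *` changes the meaning of the idiom used throughout the modules in this diff, `memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))` (see hydra-memcached.c and hydra-http-form.c): `&HYDRA_EXIT` is now the address of the pointer variable and `sizeof(HYDRA_EXIT)` the pointer size, so the comparison inspects pointer bytes instead of the five sentinel bytes. If the goal is to make the definition agree with the `extern char *HYDRA_EXIT;` declarations in the modules (a type mismatch before this change), the comparisons should become `memcmp(hydra_get_next_pair(), HYDRA_EXIT, 5)` with a named length; otherwise keep the array and correct the externs to `extern char HYDRA_EXIT[5];`. How `hydra_get_next_pair` produces the exit marker is outside this hunk, so part of this is inferred.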
@@ -111,10 +113,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 #ifdef AF_INET6 if (ipv6) - s = socket(AF_INET6, protocol, type); + s = socket(AF_INET6, type, protocol); else #endif - s = socket(PF_INET, protocol, type); + s = socket(PF_INET, type, protocol); if (s >= 0) { if (src_port != 0) { int32_t bind_ok = 0; @@ -468,7 +470,7 @@ RSA *ssl_temp_rsa_cb(SSL * ssl, int32_t export, int32_t keylength) { #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L BIGNUM *n; n = BN_new(); - RSA_get0_key(rsa, &n, NULL, NULL); + RSA_get0_key(rsa, (const struct bignum_st **)&n, NULL, NULL); ok = BN_zero(n); #else if (rsa->n == 0) @@ -580,10 +582,10 @@ int32_t internal__hydra_connect_to_ssl(int32_t socket, char *hostname) { return socket; } -int32_t internal__hydra_connect_ssl(char *host, int32_t port, int32_t protocol, int32_t type, char *hostname) { +int32_t internal__hydra_connect_ssl(char *host, int32_t port, int32_t type, int32_t protocol, char *hostname) { int32_t socket; - if ((socket = internal__hydra_connect(host, port, protocol, type)) < 0) + if ((socket = internal__hydra_connect(host, port, type, protocol)) < 0) return -1; return internal__hydra_connect_to_ssl(socket, hostname); 
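Review bot: The cast added in `ssl_temp_rsa_cb` only silences the const warning; `n` is first assigned `BN_new()` and then overwritten by `RSA_get0_key`, so the fresh BIGNUM leaks, and the pointer now aliases the key's own modulus, which `BN_zero(n)` then mutates although the accessor hands it out read-only. The pre-1.1 branch tests `if (rsa->n == 0)`, so the intent here looks like "does the key have a modulus", not "zero the modulus"; if so the branch should read `const BIGNUM *n = NULL; RSA_get0_key(rsa, &n, NULL, NULL); ok = (n == NULL);` with no `BN_new()`, mirroring the `#else` path (what `ok` feeds into is outside the hunk, so confirm the polarity there). Either way a one-line comment on why a read-only accessor's result is modified should accompany the cast if it stays.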
@@ -935,74 +937,73 @@ int32_t hydra_recv_nb(int32_t socket, char *buf, uint32_t length) { } char *hydra_receive_line(int32_t socket) { - char buf[1024], *buff, *buff2, text[64]; - int32_t i, j = 1, k, got = 0; + char buf[1024], *buff, *buff2, pid[64]; + int32_t i, j, k, got = 0; if ((buff = malloc(sizeof(buf))) == NULL) { fprintf(stderr, "[ERROR] could not malloc\n"); return NULL; } + memset(buff, 0, sizeof(buf)); + if (debug) printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, pid: %d\n", waittime, conwait, socket, getpid()); if ((i = hydra_data_ready_timed(socket, (long) waittime, 0)) > 0) { - if ((got = internal__hydra_recv(socket, buff, sizeof(buf) - 1)) < 0) { + do { + j = internal__hydra_recv(socket, buf, sizeof(buf) - 1); + if (j > 0) { + for (k = 0; k < j; k++) + if (buf[k] == 0) + buf[k] = 32; + + buf[j] = 0; + + if ((buff2 = realloc(buff, got + j + 1)) == NULL) { + free(buff); + return NULL; + } + + buff = buff2; + memcpy(buff + got, &buf, j + 1); + got += j; + buff[got] = 0; + } else if (j < 0) { + // some error occured + got = -1; + } + } while (hydra_data_ready(socket) > 0 && j > 0 +#ifdef LIBOPENSSL + || use_ssl && SSL_pending(ssl) +#endif + ); + + if (got > 0) { + if (debug) { + sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid()); + hydra_dump_data(buff, got, pid); + //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END", getpid(), got, buff); + } + } else { + if (got < 0) { + if (debug) { + sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid()); + hydra_dump_data((unsigned char*)"", -1, pid); + //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]", getpid(), i); + perror("recv"); + } + } free(buff); return NULL; } + + usleepn(100); } else { if (debug) printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, socket: %d\n", i, waittime, conwait, socket); } - if (got < 0) { - if (debug) { - sprintf(text, "[DEBUG] RECV [pid:%d]", getpid()); - hydra_dump_data((unsigned char*)"", -1, text); - 
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]", getpid(), i); - perror("recv"); - } - free(buff); - return NULL; - } else { - if (got > 0) { - for (k = 0; k < got; k++) - if (buff[k] == 0) - buff[k] = 32; - buff[got] = 0; - usleepn(100); - } - } - - while (hydra_data_ready(socket) > 0 && j > 0) { - j = internal__hydra_recv(socket, buf, sizeof(buf) - 1); - if (j > 0) { - for (k = 0; k < j; k++) - if (buf[k] == 0) - buf[k] = 32; - buf[j] = 0; - if ((buff2 = realloc(buff, got + j + 1)) == NULL) { - free(buff); - return NULL; - } else - buff = buff2; - memcpy(buff + got, &buf, j + 1); - got += j; - buff[got] = 0; - } - usleepn(100); - } - - if (debug) { - sprintf(text, "[DEBUG] RECV [pid:%d]", getpid()); - hydra_dump_data(buff, got, text); - //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END", getpid(), got, buff); - } - if (got == 0) { - free(buff); - return NULL; - } return buff; } diff --git a/hydra-mongodb.c b/hydra-mongodb.c new file mode 100644 index 0000000..f017c4c --- /dev/null +++ b/hydra-mongodb.c 
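Review bot: In the new `do { … } while` loop of `hydra_receive_line`, a failed `internal__hydra_recv` sets `got = -1` but does not leave the loop, and the condition can still hold through `use_ssl && SSL_pending(ssl)`; a subsequent successful read then executes `realloc(buff, got + j + 1)` with `got == -1` and `memcpy(buff + got, &buf, j + 1)`, i.e. writes one byte before the start of the allocation. Add `break;` after `got = -1;` (or require `j >= 0` in the loop condition) so that an error terminates the read. The condition `hydra_data_ready(socket) > 0 && j > 0 || use_ssl && SSL_pending(ssl)` also mixes `&&` and `||` without parentheses across an `#ifdef`; writing it as `(hydra_data_ready(socket) > 0 && j > 0) || (use_ssl && SSL_pending(ssl))` makes the precedence explicit and silences the compiler's grouping warning.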
@@ -0,0 +1,184 @@
+//This plugin was written by
+//Tested on mongodb-server 1:3.6.3-0ubuntu1
+//MONGODB-CR is been deprecated
+
+#ifdef LIBMONGODB
+#include
+#endif
+
+#include "hydra-mod.h"
+
+#ifndef LIBMONGODB
+void dummy_mongodb() {
+ printf("\n");
+}
+#else
+
+extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
+
+extern char *HYDRA_EXIT;
+char *buf;
+
+#define DEFAULT_DB "admin"
+
+int is_error_msg(char *msg) {
+ if (strstr(msg, "errmsg ")) {
+ if (debug)
+ hydra_report(stderr, "[ERROR] %s\n", msg);
+ return 1;
+ }
+ return 0;
+}
+
+int require_auth(int32_t sock) {
+ unsigned char m_hdr[] =
+ "\x3f\x00\x00\x00" //messageLength (63)
+ "\x00\x00\x00\x41" //requestID
+ "\xff\xff\xff\xff" //responseTo
+ "\xd4\x07\x00\x00" //opCode (2004 OP_QUERY)
+ "\x00\x00\x00\x00" //flags
+ "\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" //fullCollectionName (admin.$cmd)
+ "\x00\x00\x00\x00" //numberToSkip (0)
+ "\x01\x00\x00\x00" //numberToReturn (1)
+ "\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73\x00\x01\x00\x00\x00\x00"; //query ({"listDatabases"=>1})
+
+ if (hydra_send(sock, m_hdr, sizeof(m_hdr), 0) > 0) {
+ if (hydra_data_ready_timed(sock, 0, 1000) > 0) {
+ buf = hydra_receive_line(sock);
+ return is_error_msg(buf);
+ }
+ }
+ return 2;
+}
+
+int32_t start_mongodb(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
+ char *empty = "";
+ char *login, *pass;
+ char uri[256];
+ mongoc_client_t *client;
+ mongoc_database_t *database;
+ mongoc_collection_t *collection;
+ mongoc_cursor_t *cursor;
+ bson_t q;
+ const bson_t *doc;
+ bson_error_t error;
+ bool r;
+
+ if (strlen(login = hydra_get_next_login()) == 0)
+ login = empty;
+ if (strlen(pass = hydra_get_next_password()) == 0)
+ pass = empty;
+
+ mongoc_init();
+ mongoc_log_set_handler (NULL, NULL);
+ bson_init(&q);
+
+ snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s/?authSource=%s",login, pass, hydra_address2string(ip), miscptr);
+ client = 
mongoc_client_new(uri);
+ if (!client)
+ return 3;
+
+ mongoc_client_set_appname(client, "hydra");
+ collection = mongoc_client_get_collection(client, miscptr, "test");
+ cursor = mongoc_collection_find_with_opts(collection, &q, NULL, NULL);
+ r = mongoc_cursor_next(cursor, &doc);
+ if (!r) {
+ r = mongoc_cursor_error(cursor, &error);
+ if (r) {
+ if (verbose)
+ hydra_report(stderr, "[ERROR] Can not read document: %s\n", error.message);
+ mongoc_cursor_destroy(cursor);
+ mongoc_collection_destroy(collection);
+ mongoc_client_destroy(client);
+ mongoc_cleanup();
+ hydra_completed_pair_skip();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
+ return 3;
+ }
+ return 2;
+ }
+ }
+
+ mongoc_cursor_destroy(cursor);
+ mongoc_collection_destroy(collection);
+ mongoc_client_destroy(client);
+ mongoc_cleanup();
+
+ hydra_report_found_host(port, ip, "mongodb", fp);
+ hydra_completed_pair_found();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 3;
+
+ return 2;
+}
+
+void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+ int32_t run = 1, next_run = 1, sock = -1;
+
+ if (!miscptr) {
+ if (verbose)
+ hydra_report(stderr, "[INFO] Using default database \"admin\"\n");
+ miscptr = DEFAULT_DB;
+ }
+
+ hydra_register_socket(sp);
+
+ while (1) {
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return;
+
+ switch (run) {
+ case 1:
+ next_run = start_mongodb(sock, ip, port, options, miscptr, fp);
+ break;
+ case 2:
+ hydra_child_exit(0);
+ return;
+ default:
+ if (!verbose)
+ hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
+ hydra_child_exit(2);
+ }
+ run = next_run;
+ }
+}
+
+int32_t service_mongodb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+ // called before the childrens are forked off, so this is the 
function
+ // which should be filled if initial connections and service setup has to be
+ // performed once only.
+
+ int32_t myport = PORT_MONGODB;
+ int32_t sock = -1;
+
+ if (port != 0)
+ myport = port;
+
+ if ((options & OPTION_SSL) == 0)
+ sock = hydra_connect_tcp(ip, myport);
+ else
+ sock = hydra_connect_ssl(ip, myport, hostname);
+
+ if (sock < 0) {
+ if (verbose || debug)
+ hydra_report(stderr, "[ERROR] Can not connect\n");
+ return -1;
+ }
+
+ if (!require_auth(sock)) {
+ hydra_report_found_host(port, ip, "mongodb", fp);
+ hydra_report(stderr, "[ERROR] Mongodb server does not require any authentication\n");
+ if (sock >= 0)
+ sock = hydra_disconnect(sock);
+ return -1;
+ }
+ if (sock >= 0)
+ sock = hydra_disconnect(sock);
+ return 0;
+}
+
+#endif
+
+void usage_mongodb(const char* service) {
+ printf("Module mongodb is optionally taking a database name to attack, default is \"admin\"\n\n");
+}
diff --git a/hydra-mysql.c b/hydra-mysql.c
index 0fda989..c33dc88 100644
--- a/hydra-mysql.c
+++ b/hydra-mysql.c
@@ -180,19 +180,13 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options,
 char *response = NULL, *login = NULL, *pass = NULL;
 unsigned long response_len;
 char res = 0;
- char database[256];
+ char *database = NULL;
 login = hydra_get_next_login();
 pass = hydra_get_next_password();
 if (miscptr)
- strncpy(database, miscptr, sizeof(database) - 1);
- else {
- strncpy(database, DEFAULT_DB, sizeof(database) - 1);
- if (verbose)
- hydra_report(stderr, "[VERBOSE] using default db 'mysql'\n");
- }
- database[sizeof(database) - 1] = 0;
+ database = miscptr;
 /* read server greeting */
 res = hydra_mysql_init(sock);
diff --git a/hydra-pop3.c b/hydra-pop3.c
index fe07eed..91d9c48 100644
--- a/hydra-pop3.c
+++ b/hydra-pop3.c
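Review bot: `require_auth` hands the result of `hydra_receive_line(sock)` straight to `is_error_msg`, which calls `strstr` on it, but `hydra_receive_line` returns NULL on timeout or read error, so a silent server crashes the process in `service_mongodb_init`, i.e. before any child is forked; guard with `if (buf == NULL) return 2;` and free `buf` after the check instead of leaving it in a file-scope global. In the same function `sizeof(m_hdr)` counts the string literal's terminating NUL, so 64 bytes are sent for a message whose header declares 63 — use `sizeof(m_hdr) - 1`. In `start_mongodb` the login and password are interpolated unescaped into the URI, so any candidate containing `@`, `:`, `/` or `%` produces a malformed URI, `mongoc_client_new` returns NULL and the child exits via return code 3 instead of recording a failed attempt; building the URI from `mongoc_uri_new_with_error` plus `mongoc_uri_set_username`/`mongoc_uri_set_password` (then `mongoc_client_new_from_uri`) avoids the encoding problem, and `bson_init(&q)` should be paired with `bson_destroy(&q)`. `mongoc_init`/`mongoc_cleanup` are also run once per attempt although libmongoc expects them once per process; hoisting them to `service_mongodb` is cheaper and safer.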
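Review bot: `database = miscptr;` means `database` is now NULL whenever no module option is given, whereas the removed code always provided a string; the rest of `start_mysql` is outside the hunk, so every later use of `database` there (length computation, copying it into the authentication packet) must tolerate NULL or this trades the old default for a crash. Since the CHANGES entry describes this as deliberate, a comment at the assignment would make the contract explicit, e.g. `/* NULL when no -m option: no database is selected during auth (see CHANGES) */`.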
@@ -523,6 +523,7 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
 p.pop3_auth_mechanism = AUTH_CLEAR;
 p.disable_tls = 1;
+ p.next = NULL;
 memcpy(p.ip, ip, 36);
 if ((options & OPTION_SSL) == 0) {
diff --git a/hydra-rdp.c b/hydra-rdp.c
index 8b9394c..c75e722 100644
--- a/hydra-rdp.c
+++ b/hydra-rdp.c
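Review bot: Adding `p.next = NULL;` alongside the other per-field assignments suggests `p` is a stack object initialised member by member, in which case any field not explicitly assigned remains indeterminate and the next added member reintroduces the same bug. Zeroing the object once at its declaration with `memset(&p, 0, sizeof(p));` and keeping only the non-zero assignments is more robust than patching individual fields. The declaration of `p` is outside the hunk, so this is inferred from the assignments visible here.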
@@ -1,2456 +1,46 @@ /* - david: this module is heavily based on rdesktop v 1.7.0 - - rdesktop: A Remote Desktop Protocol client. - Protocol services - RDP layer - Copyright (C) Matthew Chapman 1999-2008 - Copyright 2003-2011 Peter Astrand for Cendio AB - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -note: - -this module was tested on w2k, xp, w2k3, w2k8 - -in terminal services configuration, in rdp-tcp properties -in Logon Settings tab, if 'Always prompt for password' is checked, -the password can't be passed interactively so there is no way -to test the credential (unless manually). - -it's advised to lower the number of parallel tasks as RDP server -can't handle multiple connections at the same time. 
-It's particularly true on windows XP - + This module is using freerdp2 lib + + Tested on: + - Windows 7 pro SP1 + - Windows 10 pro build 1809 + - Windows Server 2016 build 1607 */ #include "hydra-mod.h" -#ifndef LIBOPENSSL -#include +extern char *HYDRA_EXIT; +#ifndef LIBFREERDP2 void dummy_rdp() { printf("\n"); } #else -#include "rdp.h" -extern char *HYDRA_EXIT; - -BOOL g_encryption = True; -BOOL g_use_rdp5 = True; -BOOL g_console_session = False; -BOOL g_bitmap_cache = True; -BOOL g_bitmap_cache_persist_enable = False; -BOOL g_bitmap_compression = True; -BOOL g_desktop_save = True; -int32_t g_server_depth = -1; -int32_t os_version = 0; //2000 - -uint32 g_rdp5_performanceflags = RDP5_NO_WALLPAPER | RDP5_NO_FULLWINDOWDRAG | RDP5_NO_MENUANIMATIONS; - -/* Session Directory redirection */ -BOOL g_redirect = False; -uint32 g_redirect_flags = 0; - -uint32 g_reconnect_logonid = 0; -char g_reconnect_random[16]; -BOOL g_has_reconnect_random = False; -uint8 g_client_random[SEC_RANDOM_SIZE]; - -/* - 0 unknown - 1 success - 2 failed -*/ -#define LOGIN_UNKN 0 -#define LOGIN_SUCC 1 -#define LOGIN_FAIL 2 -int32_t login_result = LOGIN_UNKN; - -uint8 *g_next_packet; -uint32 g_rdp_shareid; - -/* Called during redirection to reset the state to support redirection */ -void rdp_reset_state(void) { - g_next_packet = NULL; /* reset the packet information */ - g_rdp_shareid = 0; - sec_reset_state(); -} - -static void rdesktop_reset_state(void) { - rdp_reset_state(); -} - -static RDP_ORDER_STATE g_order_state; - -#define TCP_STRERROR strerror(errno) -#define TCP_BLOCKS (errno == EWOULDBLOCK) - - -#ifndef INADDR_NONE -#define INADDR_NONE ((unsigned long) -1) -#endif - -#define STREAM_COUNT 1 - - -int32_t g_sock; -static struct stream g_in; -static struct stream g_out[STREAM_COUNT]; - -/* wait till socket is ready to write or timeout */ -static BOOL tcp_can_send(int32_t sck, int32_t millis) { - fd_set wfds; - struct timeval time; - int32_t sel_count; - - time.tv_sec = millis / 1000; - 
time.tv_usec = (millis * 1000) % 1000000; - FD_ZERO(&wfds); - FD_SET(sck, &wfds); - sel_count = select(sck + 1, 0, &wfds, 0, &time); - if (sel_count > 0) { - return True; - } - return False; -} - -/* Initialise TCP transport data packet */ -STREAM tcp_init(uint32 maxlen) { - static int32_t cur_stream_id = 0; - STREAM result = NULL; - - result = &g_out[cur_stream_id]; - cur_stream_id = (cur_stream_id + 1) % STREAM_COUNT; - - - if (maxlen > result->size) { - result->data = (uint8 *) xrealloc(result->data, maxlen); - result->size = maxlen; - } - - result->p = result->data; - result->end = result->data; // + result->size; - return result; -} - -/* Send TCP transport data packet */ -void tcp_send(STREAM s) { - int32_t length = s->end - s->data; - int32_t sent, total = 0; - - - while (total < length) { - sent = hydra_send(g_sock, (char *) (s->data + total), length - total, 0); - if (sent <= 0) { - if (sent == -1 && TCP_BLOCKS) { - tcp_can_send(g_sock, 100); - sent = 0; - } else { - if (g_sock && !login_result) - error("send: %s\n", TCP_STRERROR); - return; - } - } - total += sent; - } -} - -/* Receive a message on the TCP layer */ -STREAM tcp_recv(STREAM s, uint32 length) { - uint32 new_length, end_offset, p_offset; - int32_t rcvd = 0; - - if (s == NULL) { - /* read into "new" stream */ - g_in.data = (uint8 *) xmalloc(length); - g_in.size = length; - g_in.end = g_in.p = g_in.data; - s = &g_in; - } else { - /* append to existing stream */ - new_length = (s->end - s->data) + length; - if (new_length > s->size) { - p_offset = s->p - s->data; - end_offset = s->end - s->data; -//printf("length: %d, %p s->data, %p +%d s->p, %p +%d s->end, end-data %d, size %d\n", length, s->data, s->p, s->p - s->data, s->end, s->end - s->p, s->end - s->data, s->size); - s->data = (uint8 *) xrealloc(s->data, new_length); - s->size = new_length; - s->p = s->data + p_offset; - s->end = s->data + end_offset; - } - } - - - while (length > 0) { - rcvd = hydra_recv(g_sock, (char *) s->end, length); - 
if (rcvd < 0) { - if (rcvd == -1 && TCP_BLOCKS) { - rcvd = 0; - } else { - //error("recv: %s\n", TCP_STRERROR); - return NULL; - } - } else if (rcvd == 0) { - error("Connection closed\n"); - return NULL; - } - s->end += rcvd; - length -= rcvd; - } - - - return s; -} - -char *tcp_get_address() { - static char ipaddr[32]; - struct sockaddr_in sockaddr; - socklen_t len = sizeof(sockaddr); - - if (getsockname(g_sock, (struct sockaddr *) &sockaddr, &len) == 0) { - uint8 *ip = (uint8 *) & sockaddr.sin_addr; - - sprintf(ipaddr, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); - } else - strcpy(ipaddr, "127.0.0.1"); - return ipaddr; -} - -/* reset the state of the tcp layer */ -void tcp_reset_state(void) { - int32_t i; - - g_sock = -1; /* reset socket */ - - /* Clear the incoming stream */ - if (g_in.data != NULL) - free(g_in.data); - g_in.p = NULL; - g_in.end = NULL; - g_in.data = NULL; - g_in.size = 0; - g_in.iso_hdr = NULL; - g_in.mcs_hdr = NULL; - g_in.sec_hdr = NULL; - g_in.rdp_hdr = NULL; - g_in.channel_hdr = NULL; - - /* Clear the outgoing stream(s) */ - for (i = 0; i < STREAM_COUNT; i++) { - if (g_out[i].data != NULL) - free(g_out[i].data); - g_out[i].p = NULL; - g_out[i].end = NULL; - g_out[i].data = NULL; - g_out[i].size = 0; - g_out[i].iso_hdr = NULL; - g_out[i].mcs_hdr = NULL; - g_out[i].sec_hdr = NULL; - g_out[i].rdp_hdr = NULL; - g_out[i].channel_hdr = NULL; - } -} - -uint16 g_mcs_userid; - -/* Parse an ASN.1 BER header */ -static BOOL ber_parse_header(STREAM s, int32_t tagval, int32_t *length) { - int32_t tag, len; - - - if (tagval > 0xff) { - in_uint16_be(s, tag); - } else { - in_uint8(s, tag); - } - - if (tag != tagval) { - error("expected tag %d, got %d\n", tagval, tag); - return False; - } - - in_uint8(s, len); - - if (len & 0x80) { - len &= ~0x80; - *length = 0; - while (len--) - next_be(s, *length); - } else - *length = len; - - return s_check(s); -} - -/* Output an ASN.1 BER header */ -static void ber_out_header(STREAM s, int32_t tagval, int32_t length) { 
- - - if (tagval > 0xff) { - out_uint16_be(s, tagval); - } else { - out_uint8(s, tagval); - } - - if (length >= 0x80) { - out_uint8(s, 0x82); - out_uint16_be(s, length); - } else - out_uint8(s, length); -} - -/* Output an ASN.1 BER integer */ -static void ber_out_integer(STREAM s, int32_t value) { - ber_out_header(s, BER_TAG_INTEGER, 2); - out_uint16_be(s, value); -} - -/* Output a DOMAIN_PARAMS structure (ASN.1 BER) */ -static void mcs_out_domain_params(STREAM s, int32_t max_channels, int32_t max_users, int32_t max_tokens, int32_t max_pdusize) { - ber_out_header(s, MCS_TAG_DOMAIN_PARAMS, 32); - ber_out_integer(s, max_channels); - ber_out_integer(s, max_users); - ber_out_integer(s, max_tokens); - ber_out_integer(s, 1); /* num_priorities */ - ber_out_integer(s, 0); /* min_throughput */ - ber_out_integer(s, 1); /* max_height */ - ber_out_integer(s, max_pdusize); - ber_out_integer(s, 2); /* ver_protocol */ -} - -/* Parse a DOMAIN_PARAMS structure (ASN.1 BER) */ -static BOOL mcs_parse_domain_params(STREAM s) { - int32_t length = 0; - - ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length); - in_uint8s(s, length); - - return s_check(s); -} - -/* Send an MCS_CONNECT_INITIAL message (ASN.1 BER) */ -static void mcs_send_connect_initial(STREAM mcs_data) { - int32_t datalen = mcs_data->end - mcs_data->data; - int32_t length = 9 + 3 * 34 + 4 + datalen; - STREAM s; - - s = iso_init(length + 5); - - ber_out_header(s, MCS_CONNECT_INITIAL, length); - ber_out_header(s, BER_TAG_OCTET_STRING, 1); /* calling domain */ - out_uint8(s, 1); - ber_out_header(s, BER_TAG_OCTET_STRING, 1); /* called domain */ - out_uint8(s, 1); - - ber_out_header(s, BER_TAG_BOOLEAN, 1); - out_uint8(s, 0xff); /* upward flag */ - - mcs_out_domain_params(s, 34, 2, 0, 0xffff); /* target params */ - mcs_out_domain_params(s, 1, 1, 1, 0x420); /* min params */ - mcs_out_domain_params(s, 0xffff, 0xfc17, 0xffff, 0xffff); /* max params */ - - ber_out_header(s, BER_TAG_OCTET_STRING, datalen); - out_uint8p(s, 
mcs_data->data, datalen); - - s_mark_end(s); - iso_send(s); -} - -/* Expect a MCS_CONNECT_RESPONSE message (ASN.1 BER) */ -static BOOL mcs_recv_connect_response(STREAM mcs_data) { - uint8 result; - int32_t length = 0; - STREAM s; - - s = iso_recv(NULL); - if (s == NULL) - return False; - - ber_parse_header(s, MCS_CONNECT_RESPONSE, &length); - - ber_parse_header(s, BER_TAG_RESULT, &length); - in_uint8(s, result); - if (result != 0) { - error("MCS connect: %d\n", result); - return False; - } - - ber_parse_header(s, BER_TAG_INTEGER, &length); - in_uint8s(s, length); /* connect id */ - mcs_parse_domain_params(s); - - ber_parse_header(s, BER_TAG_OCTET_STRING, &length); - - sec_process_mcs_data(s); - /* - if (length > mcs_data->size) - { - error("MCS data length %d, expected %d\n", length, - mcs_data->size); - length = mcs_data->size; - } - - in_uint8a(s, mcs_data->data, length); - mcs_data->p = mcs_data->data; - mcs_data->end = mcs_data->data + length; - */ - return s_check_end(s); -} - -/* Send an EDrq message (ASN.1 PER) */ -static void mcs_send_edrq(void) { - STREAM s; - - s = iso_init(5); - - out_uint8(s, (MCS_EDRQ << 2)); - out_uint16_be(s, 1); /* height */ - out_uint16_be(s, 1); /* interval */ - - s_mark_end(s); - iso_send(s); -} - -/* Send an AUrq message (ASN.1 PER) */ -static void mcs_send_aurq(void) { - STREAM s; - - s = iso_init(1); - - out_uint8(s, (MCS_AURQ << 2)); - - s_mark_end(s); - iso_send(s); -} - -/* Expect a AUcf message (ASN.1 PER) */ -static BOOL mcs_recv_aucf(uint16 * mcs_userid) { - uint8 opcode, result; - STREAM s; - - s = iso_recv(NULL); - if (s == NULL) - return False; - - in_uint8(s, opcode); - if ((opcode >> 2) != MCS_AUCF) { - error("expected AUcf, got %d\n", opcode); - return False; - } - - in_uint8(s, result); - if (result != 0) { - error("AUrq: %d\n", result); - return False; - } - - if (opcode & 2) - in_uint16_be(s, *mcs_userid); - - return s_check_end(s); -} - -/* Send a CJrq message (ASN.1 PER) */ -static void mcs_send_cjrq(uint16 
chanid) { - STREAM s; - - DEBUG_RDP5(("Sending CJRQ for channel #%d\n", chanid)); - - s = iso_init(5); - - out_uint8(s, (MCS_CJRQ << 2)); - out_uint16_be(s, g_mcs_userid); - out_uint16_be(s, chanid); - - s_mark_end(s); - iso_send(s); -} - -/* Expect a CJcf message (ASN.1 PER) */ -static BOOL mcs_recv_cjcf(void) { - uint8 opcode, result; - STREAM s; - - s = iso_recv(NULL); - if (s == NULL) - return False; - - in_uint8(s, opcode); - if ((opcode >> 2) != MCS_CJCF) { - error("expected CJcf, got %d\n", opcode); - return False; - } - - in_uint8(s, result); - if (result != 0) { - error("CJrq: %d\n", result); - return False; - } - - in_uint8s(s, 4); /* mcs_userid, req_chanid */ - if (opcode & 2) - in_uint8s(s, 2); /* join_chanid */ - - return s_check_end(s); -} - -/* Initialise an MCS transport data packet */ -STREAM mcs_init(int32_t length) { - STREAM s; - - s = iso_init(length + 8); - s_push_layer(s, mcs_hdr, 8); - - return s; -} - -/* Send an MCS transport data packet to a specific channel */ -void mcs_send_to_channel(STREAM s, uint16 channel) { - uint16 length; - - s_pop_layer(s, mcs_hdr); - length = s->end - s->p - 8; - length |= 0x8000; - - out_uint8(s, (MCS_SDRQ << 2)); - out_uint16_be(s, g_mcs_userid); - out_uint16_be(s, channel); - out_uint8(s, 0x70); /* flags */ - out_uint16_be(s, length); - - iso_send(s); -} - -/* Send an MCS transport data packet to the global channel */ -void mcs_send(STREAM s) { - mcs_send_to_channel(s, MCS_GLOBAL_CHANNEL); -} - -/* Receive an MCS transport data packet */ -STREAM mcs_recv(uint16 * channel, uint8 * rdpver) { - uint8 opcode, appid, length; - STREAM s; - - s = iso_recv(rdpver); - if (s == NULL) - return NULL; - if (rdpver != NULL) - if (*rdpver != 3) - return s; - in_uint8(s, opcode); - appid = opcode >> 2; - if (appid != MCS_SDIN) { - if (appid != MCS_DPUM) { - error("expected data, got %d\n", opcode); - } - return NULL; - } - in_uint8s(s, 2); /* userid */ - in_uint16_be(s, *channel); - in_uint8s(s, 1); /* flags */ - 
in_uint8(s, length); - if (length & 0x80) - in_uint8s(s, 1); /* second byte of length */ - return s; -} - -BOOL mcs_connect(char *server, STREAM mcs_data, char *username, BOOL reconnect) { - if (!iso_connect(server, username, reconnect)) - return False; - mcs_send_connect_initial(mcs_data); - if (!mcs_recv_connect_response(mcs_data)) - goto error; - mcs_send_edrq(); - mcs_send_aurq(); - if (!mcs_recv_aucf(&g_mcs_userid)) - goto error; - mcs_send_cjrq(g_mcs_userid + MCS_USERCHANNEL_BASE); - if (!mcs_recv_cjcf()) - goto error; - mcs_send_cjrq(MCS_GLOBAL_CHANNEL); - if (!mcs_recv_cjcf()) - goto error; - return True; -error: - iso_disconnect(); - return False; -} - -/* Disconnect from the MCS layer */ -void mcs_disconnect(void) { - iso_disconnect(); -} - -/* reset the state of the mcs layer */ -void mcs_reset_state(void) { - g_mcs_userid = 0; - iso_reset_state(); -} - -/* Send a self-contained ISO PDU */ -static void iso_send_msg(uint8 code) { - STREAM s; - - s = tcp_init(11); - - out_uint8(s, 3); /* version */ - out_uint8(s, 0); /* reserved */ - out_uint16_be(s, 11); /* length */ - - out_uint8(s, 6); /* hdrlen */ - out_uint8(s, code); - out_uint16(s, 0); /* dst_ref */ - out_uint16(s, 0); /* src_ref */ - out_uint8(s, 0); /* class */ - - s_mark_end(s); - tcp_send(s); -} - -static void iso_send_connection_request(char *username) { - STREAM s; - int32_t length = 30 + strlen(username); - - s = tcp_init(length); - - out_uint8(s, 3); /* version */ - out_uint8(s, 0); /* reserved */ - out_uint16_be(s, length); /* length */ - - out_uint8(s, length - 5); /* hdrlen */ - out_uint8(s, ISO_PDU_CR); - out_uint16(s, 0); /* dst_ref */ - out_uint16(s, 0); /* src_ref */ - out_uint8(s, 0); /* class */ - - out_uint8p(s, "Cookie: mstshash=", strlen("Cookie: mstshash=")); - out_uint8p(s, username, strlen(username)); - - out_uint8(s, 0x0d); /* Unknown */ - out_uint8(s, 0x0a); /* Unknown */ - - s_mark_end(s); - tcp_send(s); -} - -/* Send a single input event fast JL, this is required for win8 
*/ -void rdp_send_fast_input_kbd(uint32 time, uint16 flags, uint16 param1) { - STREAM s; - uint8 fast_flags = 0; - uint8 len = 4; - - fast_flags |= (flags & RDP_KEYRELEASE) ? FASTPATH_INPUT_KBDFLAGS_RELEASE : 0; - s = tcp_init(len); - out_uint8(s, (1 << 2)); //one event - out_uint8(s, len); - out_uint8(s, fast_flags | (FASTPATH_INPUT_EVENT_SCANCODE << 5)); - out_uint8(s, param1); - s_mark_end(s); - tcp_send(s); -} - -/* Send a single input event fast JL, this is required for win8 */ -void rdp_send_fast_input_mouse(uint32 time, uint16 flags, uint16 param1, uint16 param2) { - STREAM s; - uint8 len = 9; - - s = tcp_init(len); - out_uint8(s, (1 << 2)); //one event - out_uint8(s, len); - out_uint8(s, (FASTPATH_INPUT_EVENT_MOUSE << 5)); - out_uint16(s, flags); - out_uint16(s, param1); - out_uint16(s, param2); - s_mark_end(s); - tcp_send(s); -} - - -/* Receive a message on the ISO layer, return code */ -static STREAM iso_recv_msg(uint8 * code, uint8 * rdpver) { - STREAM s; - uint16 length; - uint8 version; - - s = tcp_recv(NULL, 4); - if (s == NULL) - return NULL; - in_uint8(s, version); - if (rdpver != NULL) - *rdpver = version; - if (version == 3) { - in_uint8s(s, 1); /* pad */ - in_uint16_be(s, length); - } else { - in_uint8(s, length); - if (length & 0x80) { - length &= ~0x80; - next_be(s, length); - } - } - if (length < 5) { - error("Bad packet header\n"); - return NULL; - } - s = tcp_recv(s, length - 4); - if (s == NULL) - return NULL; - if (version != 3) - return s; - in_uint8s(s, 1); /* hdrlen */ - in_uint8(s, *code); - if (*code == ISO_PDU_DT) { - in_uint8s(s, 1); /* eot */ - return s; - } - in_uint8s(s, 5); /* dst_ref, src_ref, class */ - return s; -} - -/* Initialise ISO transport data packet */ -STREAM iso_init(int32_t length) { - STREAM s; - - s = tcp_init(length + 7); - s_push_layer(s, iso_hdr, 7); - - return s; -} - -/* Send an ISO data PDU */ -void iso_send(STREAM s) { - uint16 length; - - s_pop_layer(s, iso_hdr); - length = s->end - s->p; - - out_uint8(s, 
3); /* version */ - out_uint8(s, 0); /* reserved */ - out_uint16_be(s, length); - - out_uint8(s, 2); /* hdrlen */ - out_uint8(s, ISO_PDU_DT); /* code */ - out_uint8(s, 0x80); /* eot */ - - tcp_send(s); -} - -/* Receive ISO transport data packet */ -STREAM iso_recv(uint8 * rdpver) { - STREAM s; - uint8 code = 0; - - s = iso_recv_msg(&code, rdpver); - if (s == NULL) - return NULL; - if (rdpver != NULL) - if (*rdpver != 3) - return s; - if (code != ISO_PDU_DT) { - error("expected DT, got 0x%x\n", code); - return NULL; - } - return s; -} - -/* Establish a connection up to the ISO layer */ -BOOL iso_connect(char *server, char *username, BOOL reconnect) { - uint8 code = 0; - - if (reconnect) { - iso_send_msg(ISO_PDU_CR); - } else { - iso_send_connection_request(username); - } - if (iso_recv_msg(&code, NULL) == NULL) { - return False; - } - if (code != ISO_PDU_CC) { - error("expected CC, got 0x%x\n", code); - hydra_disconnect(g_sock); - return False; - } - - return True; -} - -/* Disconnect from the ISO layer */ -void iso_disconnect(void) { - iso_send_msg(ISO_PDU_DR); - g_sock = hydra_disconnect(g_sock); -} - -/* reset the state to support reconnecting */ -void iso_reset_state(void) { - tcp_reset_state(); -} - -static int32_t g_rc4_key_len; -static SSL_RC4 g_rc4_decrypt_key; -static SSL_RC4 g_rc4_encrypt_key; -static uint32 g_server_public_key_len; - -static uint8 g_sec_sign_key[16]; -static uint8 g_sec_decrypt_key[16]; -static uint8 g_sec_encrypt_key[16]; -static uint8 g_sec_decrypt_update_key[16]; -static uint8 g_sec_encrypt_update_key[16]; -static uint8 g_sec_crypted_random[SEC_MAX_MODULUS_SIZE]; - -uint16 g_server_rdp_version = 0; - -/* These values must be available to reset state - Session Directory */ -static int32_t g_sec_encrypt_use_count = 0; -static int32_t g_sec_decrypt_use_count = 0; - - -void ssl_sha1_init(SSL_SHA1 * sha1) { - SHA1_Init(sha1); -} - -void ssl_sha1_update(SSL_SHA1 * sha1, uint8 * data, uint32 len) { - SHA1_Update(sha1, data, len); -} - -void 
ssl_sha1_final(SSL_SHA1 * sha1, uint8 * out_data) { - SHA1_Final(out_data, sha1); -} - -void ssl_md5_init(SSL_MD5 * md5) { - MD5_Init(md5); -} - -void ssl_md5_update(SSL_MD5 * md5, uint8 * data, uint32 len) { - MD5_Update(md5, data, len); -} - -void ssl_md5_final(SSL_MD5 * md5, uint8 * out_data) { - MD5_Final(out_data, md5); -} - -void ssl_rc4_set_key(SSL_RC4 * rc4, uint8 * key, uint32 len) { - RC4_set_key(rc4, len, key); -} - -void ssl_rc4_crypt(SSL_RC4 * rc4, uint8 * in_data, uint8 * out_data, uint32 len) { - RC4(rc4, len, in_data, out_data); -} - -static void reverse(uint8 * p, int32_t len) { - int32_t i, j; - uint8 temp; - - for (i = 0, j = len - 1; i < j; i++, j--) { - temp = p[i]; - p[i] = p[j]; - p[j] = temp; - } -} - -void ssl_rsa_encrypt(uint8 * out, uint8 * in, int32_t len, uint32 modulus_size, uint8 * modulus, uint8 * exponent) { - BN_CTX *ctx; - BIGNUM *mod, *exp, *x, *y; - uint8 inr[SEC_MAX_MODULUS_SIZE]; - int32_t outlen; - - reverse(modulus, modulus_size); - reverse(exponent, SEC_EXPONENT_SIZE); - memcpy(inr, in, len); - reverse(inr, len); - - ctx = BN_CTX_new(); - mod = BN_new(); - exp = BN_new(); - x = BN_new(); - y = BN_new(); - - BN_bin2bn(modulus, modulus_size, mod); - BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp); - BN_bin2bn(inr, len, x); - BN_mod_exp(y, x, exp, mod, ctx); - outlen = BN_bn2bin(y, out); - reverse(out, outlen); - if (outlen < (int32_t) modulus_size) - memset(out + outlen, 0, modulus_size - outlen); - - BN_free(y); - BN_free(x); - BN_free(exp); - BN_free(mod); - BN_CTX_free(ctx); -} - -/* returns newly allocated X509 or NULL */ -X509 *ssl_cert_read(uint8 * data, uint32 len) { - /* this will move the data pointer but we don't care, we don't use it again */ - return d2i_X509(NULL, (D2I_X509_CONST unsigned char **) &data, len); -} - -static void ssl_cert_free(X509 * cert) { - X509_free(cert); -} - -/* returns newly allocated SSL_RKEY or NULL */ -SSL_RKEY *ssl_cert_to_rkey(X509 * cert, uint32 * key_len) { - EVP_PKEY *epk = NULL; - 
SSL_RKEY *lkey; - int32_t nid; - - /* By some reason, Microsoft sets the OID of the Public RSA key to - the oid for "MD5 with RSA Encryption" instead of "RSA Encryption" - - Kudos to Richard Levitte for the following (. intuitive .) - lines of code that resets the OID and let's us extract the key. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - nid = X509_get_signature_nid(cert); -#else - nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm); -#endif - if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption)) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -// fprintf(stderr, "[ERROR] the current experimental openssl-1.1 support in hydra does not support RDP :( \n"); -// hydra_child_exit(2); - X509_ALGOR *algor = X509_get0_tbs_sigalg(cert); - DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); - ASN1_OBJECT_free(algor->algorithm); - algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); - //X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_SEQUENCE, NULL /*pbe_str*/); -#else - DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); - ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm); - cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); -#endif - } - epk = X509_get_pubkey(cert); - if (NULL == epk) { - error("Failed to extract public key from certificate\n"); - return NULL; - } - - lkey = RSAPublicKey_dup(EVP_PKEY_get1_RSA(epk)); - EVP_PKEY_free(epk); - *key_len = RSA_size(lkey); - return lkey; -} - -int32_t ssl_cert_print_fp(FILE * fp, X509 * cert) { - return X509_print_fp(fp, cert); -} - -void ssl_rkey_free(SSL_RKEY * rkey) { - RSA_free(rkey); -} - -/* returns error */ -int32_t ssl_rkey_get_exp_mod(SSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len, uint8 * modulus, uint32 max_mod_len) { - int32_t len; - -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - BIGNUM *n, 
*e, *d; - - n = BN_new(); - e = BN_new(); - RSA_get0_key(rkey, &n, &e, NULL); - if ((BN_num_bytes(e) > (int32_t) max_exp_len) || (BN_num_bytes(n) > (int32_t) max_mod_len)) { - return 1; - } - len = BN_bn2bin(e, exponent); - reverse(exponent, len); - len = BN_bn2bin(n, modulus); - reverse(modulus, len); - BN_free(n); - BN_free(e); -#else - if ((BN_num_bytes(rkey->e) > (int32_t) max_exp_len) || (BN_num_bytes(rkey->n) > (int32_t) max_mod_len)) - return 1; - len = BN_bn2bin(rkey->e, exponent); - reverse(exponent, len); - len = BN_bn2bin(rkey->n, modulus); - reverse(modulus, len); -#endif - return 0; -} - -/* returns boolean */ -BOOL ssl_sig_ok(uint8 * exponent, uint32 exp_len, uint8 * modulus, uint32 mod_len, uint8 * signature, uint32 sig_len) { - return True; -} - - -void ssl_hmac_md5(const void *key, int32_t key_len, const unsigned char *msg, int32_t msg_len, unsigned char *md) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - HMAC_CTX *ctx; - ctx = HMAC_CTX_new(); - HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL); - HMAC_CTX_free(ctx); -#else - HMAC_CTX ctx; - HMAC_CTX_init(&ctx); - HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL); - HMAC_CTX_cleanup(&ctx); -#endif -} - - -/* - * I believe this is based on SSLv3 with the following differences: - * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields - * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other - * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC' - * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key) - * encryption/decryption keys updated every 4096 packets - * See http://wp.netscape.com/eng/ssl3/draft302.txt - */ - -/* - * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2). - * Both SHA1 and MD5 algorithms are used. 
- */ -void sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt) { - uint8 shasig[20]; - uint8 pad[4]; - SSL_SHA1 sha1; - SSL_MD5 md5; - int32_t i; - - for (i = 0; i < 3; i++) { - memset(pad, salt + i, i + 1); - - ssl_sha1_init(&sha1); - ssl_sha1_update(&sha1, pad, i + 1); - ssl_sha1_update(&sha1, in, 48); - ssl_sha1_update(&sha1, salt1, 32); - ssl_sha1_update(&sha1, salt2, 32); - ssl_sha1_final(&sha1, shasig); - - ssl_md5_init(&md5); - ssl_md5_update(&md5, in, 48); - ssl_md5_update(&md5, shasig, 20); - ssl_md5_final(&md5, &out[i * 16]); - } -} - -/* - * 16-byte transformation used to generate export keys (6.2.2). - */ -void sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2) { - SSL_MD5 md5; - - ssl_md5_init(&md5); - ssl_md5_update(&md5, in, 16); - ssl_md5_update(&md5, salt1, 32); - ssl_md5_update(&md5, salt2, 32); - ssl_md5_final(&md5, out); -} - -/* Reduce key entropy from 64 to 40 bits */ -static void sec_make_40bit(uint8 * key) { - key[0] = 0xd1; - key[1] = 0x26; - key[2] = 0x9e; -} - -/* Generate encryption keys given client and server randoms */ -static void sec_generate_keys(uint8 * client_random, uint8 * server_random, int32_t rc4_key_size) { - uint8 pre_master_secret[48]; - uint8 master_secret[48]; - uint8 key_block[48]; - - /* Construct pre-master secret */ - memcpy(pre_master_secret, client_random, 24); - memcpy(pre_master_secret + 24, server_random, 24); - - /* Generate master secret and then key material */ - sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A'); - sec_hash_48(key_block, master_secret, client_random, server_random, 'X'); - - /* First 16 bytes of key material is MAC secret */ - memcpy(g_sec_sign_key, key_block, 16); - - /* Generate export keys from next two blocks of 16 bytes */ - sec_hash_16(g_sec_decrypt_key, &key_block[16], client_random, server_random); - sec_hash_16(g_sec_encrypt_key, &key_block[32], client_random, server_random); - - if (rc4_key_size == 1) { - 
DEBUG(("40-bit encryption enabled\n")); - sec_make_40bit(g_sec_sign_key); - sec_make_40bit(g_sec_decrypt_key); - sec_make_40bit(g_sec_encrypt_key); - g_rc4_key_len = 8; - } else { - DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size)); - g_rc4_key_len = 16; - } - - /* Save initial RC4 keys as update keys */ - memcpy(g_sec_decrypt_update_key, g_sec_decrypt_key, 16); - memcpy(g_sec_encrypt_update_key, g_sec_encrypt_key, 16); - - /* Initialise RC4 state arrays */ - ssl_rc4_set_key(&g_rc4_decrypt_key, g_sec_decrypt_key, g_rc4_key_len); - ssl_rc4_set_key(&g_rc4_encrypt_key, g_sec_encrypt_key, g_rc4_key_len); -} - -static uint8 pad_54[40] = { - 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, - 54, 54, 54, - 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, - 54, 54, 54 -}; - -static uint8 pad_92[48] = { - 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92 -}; - -/* Output a uint32 into a buffer (little-endian) */ -void buf_out_uint32(uint8 * buffer, uint32 value) { - buffer[0] = (value) & 0xff; - buffer[1] = (value >> 8) & 0xff; - buffer[2] = (value >> 16) & 0xff; - buffer[3] = (value >> 24) & 0xff; -} - -/* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */ -void sec_sign(uint8 * signature, int32_t siglen, uint8 * session_key, int32_t keylen, uint8 * data, int32_t datalen) { - uint8 shasig[20]; - uint8 md5sig[16]; - uint8 lenhdr[4]; - SSL_SHA1 sha1; - SSL_MD5 md5; - - buf_out_uint32(lenhdr, datalen); - - ssl_sha1_init(&sha1); - ssl_sha1_update(&sha1, session_key, keylen); - ssl_sha1_update(&sha1, pad_54, 40); - ssl_sha1_update(&sha1, lenhdr, 4); - ssl_sha1_update(&sha1, data, datalen); - ssl_sha1_final(&sha1, shasig); - - ssl_md5_init(&md5); - ssl_md5_update(&md5, session_key, keylen); - ssl_md5_update(&md5, pad_92, 48); - ssl_md5_update(&md5, 
shasig, 20); - ssl_md5_final(&md5, md5sig); - - memcpy(signature, md5sig, siglen); -} - -/* Update an encryption key */ -static void sec_update(uint8 * key, uint8 * update_key) { - uint8 shasig[20]; - SSL_SHA1 sha1; - SSL_MD5 md5; - SSL_RC4 update; - - ssl_sha1_init(&sha1); - ssl_sha1_update(&sha1, update_key, g_rc4_key_len); - ssl_sha1_update(&sha1, pad_54, 40); - ssl_sha1_update(&sha1, key, g_rc4_key_len); - ssl_sha1_final(&sha1, shasig); - - ssl_md5_init(&md5); - ssl_md5_update(&md5, update_key, g_rc4_key_len); - ssl_md5_update(&md5, pad_92, 48); - ssl_md5_update(&md5, shasig, 20); - ssl_md5_final(&md5, key); - - ssl_rc4_set_key(&update, key, g_rc4_key_len); - ssl_rc4_crypt(&update, key, key, g_rc4_key_len); - - if (g_rc4_key_len == 8) - sec_make_40bit(key); -} - -/* Encrypt data using RC4 */ -static void sec_encrypt(uint8 * data, int32_t length) { - if (g_sec_encrypt_use_count == 4096) { - sec_update(g_sec_encrypt_key, g_sec_encrypt_update_key); - ssl_rc4_set_key(&g_rc4_encrypt_key, g_sec_encrypt_key, g_rc4_key_len); - g_sec_encrypt_use_count = 0; - } - - ssl_rc4_crypt(&g_rc4_encrypt_key, data, data, length); - g_sec_encrypt_use_count++; -} - -/* Decrypt data using RC4 */ -void sec_decrypt(uint8 * data, int32_t length) { - if (g_sec_decrypt_use_count == 4096) { - sec_update(g_sec_decrypt_key, g_sec_decrypt_update_key); - ssl_rc4_set_key(&g_rc4_decrypt_key, g_sec_decrypt_key, g_rc4_key_len); - g_sec_decrypt_use_count = 0; - } - - ssl_rc4_crypt(&g_rc4_decrypt_key, data, data, length); - g_sec_decrypt_use_count++; -} - -/* Perform an RSA public key encryption operation */ -static void sec_rsa_encrypt(uint8 * out, uint8 * in, int32_t len, uint32 modulus_size, uint8 * modulus, uint8 * exponent) { - ssl_rsa_encrypt(out, in, len, modulus_size, modulus, exponent); -} - -/* Initialise secure transport packet */ -STREAM sec_init(uint32 flags, int32_t maxlen) { - int32_t hdrlen; - STREAM s; - -// if (!g_licence_issued) - hdrlen = (flags & SEC_ENCRYPT) ? 
12 : 4; -// else - -// hdrlen = (flags & SEC_ENCRYPT) ? 12 : 0; - s = mcs_init(maxlen + hdrlen); - s_push_layer(s, sec_hdr, hdrlen); - - return s; -} - -/* Transmit secure transport packet over specified channel */ -void sec_send_to_channel(STREAM s, uint32 flags, uint16 channel) { - int32_t datalen; - - s_pop_layer(s, sec_hdr); - out_uint32_le(s, flags); - - if (flags & SEC_ENCRYPT) { - flags &= ~SEC_ENCRYPT; - datalen = s->end - s->p - 8; - - sec_sign(s->p, 8, g_sec_sign_key, g_rc4_key_len, s->p + 8, datalen); - sec_encrypt(s->p + 8, datalen); - } - - mcs_send_to_channel(s, channel); -} - -/* Transmit secure transport packet */ - -void sec_send(STREAM s, uint32 flags) { - sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL); -} - - -/* Transfer the client random to the server */ -static void sec_establish_key(void) { - uint32 length = g_server_public_key_len + SEC_PADDING_SIZE; - uint32 flags = SEC_CLIENT_RANDOM; - STREAM s; - - s = sec_init(flags, length + 4); - - out_uint32_le(s, length); - out_uint8p(s, g_sec_crypted_random, g_server_public_key_len); - out_uint8s(s, SEC_PADDING_SIZE); - - s_mark_end(s); - sec_send(s, flags); -} - -/* Output a string in Unicode */ -void rdp_out_unistr(STREAM s, char *string, int32_t len) { - int32_t i = 0, j = 0; - - len += 2; - while (i < len) { - s->p[i++] = string[j++]; - s->p[i++] = 0; - } - s->p += len; -} - -/* Output connect initial data blob */ -static void sec_out_mcs_data(STREAM s) { - char *g_hostname = "hydra"; - int32_t hostlen = 2 * strlen(g_hostname); - int32_t length = 158 + 76 + 12 + 4; - -/* - if (g_num_channels > 0) - length += g_num_channels * 12 + 8; -*/ - if (hostlen > 30) - hostlen = 30; - - /* Generic Conference Control (T.124) ConferenceCreateRequest */ - out_uint16_be(s, 5); - out_uint16_be(s, 0x14); - out_uint8(s, 0x7c); - out_uint16_be(s, 1); - - out_uint16_be(s, (length | 0x8000)); /* remaining length */ - - out_uint16_be(s, 8); /* length? 
*/ - out_uint16_be(s, 16); - out_uint8(s, 0); - out_uint16_le(s, 0xc001); - out_uint8(s, 0); - - out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */ - out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */ - - /* Client information */ - out_uint16_le(s, SEC_TAG_CLI_INFO); - out_uint16_le(s, 212); /* length */ - out_uint16_le(s, g_use_rdp5 ? 4 : 1); /* RDP version. 1 == RDP4, 4 == RDP5. */ - out_uint16_le(s, 8); - out_uint16_le(s, 800); - out_uint16_le(s, 600); - out_uint16_le(s, 0xca01); - out_uint16_le(s, 0xaa03); - out_uint32_le(s, 0x409); - out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */ - - /* Unicode name of client, padded to 32 bytes */ - rdp_out_unistr(s, g_hostname, hostlen); - out_uint8s(s, 30 - hostlen); - - /* See - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */ - out_uint32_le(s, 0x4); - out_uint32_le(s, 0x0); - out_uint32_le(s, 0xc); - out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */ - out_uint16_le(s, 0xca01); /* colour depth? */ - out_uint16_le(s, 1); - - out_uint32(s, 0); - out_uint8(s, g_server_depth); - out_uint16_le(s, 0x0700); - out_uint8(s, 0); - out_uint32_le(s, 1); - out_uint8s(s, 64); /* End of client info */ - - out_uint16_le(s, SEC_TAG_CLI_4); - out_uint16_le(s, 12); - out_uint32_le(s, g_console_session ? 0xb : 9); - out_uint32(s, 0); - - /* Client encryption settings */ - out_uint16_le(s, SEC_TAG_CLI_CRYPT); - out_uint16_le(s, 12); /* length */ - out_uint32_le(s, g_encryption ? 
0x3 : 0); /* encryption supported, 128-bit supported */ - out_uint32(s, 0); /* Unknown */ - -/* - DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels)); - if (g_num_channels > 0) - { - out_uint16_le(s, SEC_TAG_CLI_CHANNELS); - out_uint16_le(s, g_num_channels * 12 + 8); // length - out_uint32_le(s, g_num_channels); // number of virtual channels - for (i = 0; i < g_num_channels; i++) - { - DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name)); - out_uint8a(s, g_channels[i].name, 8); - out_uint32_be(s, g_channels[i].flags); - } - } -*/ - s_mark_end(s); -} - -/* Parse a public key structure */ -static BOOL sec_parse_public_key(STREAM s, uint8 * modulus, uint8 * exponent) { - uint32 magic, modulus_len; - - in_uint32_le(s, magic); - - if (magic != SEC_RSA_MAGIC) { - error("RSA magic 0x%x\n", magic); - return False; - } - - in_uint32_le(s, modulus_len); - modulus_len -= SEC_PADDING_SIZE; - if ((modulus_len < SEC_MODULUS_SIZE) || (modulus_len > SEC_MAX_MODULUS_SIZE)) { - error("Bad server public key size (%u bits)\n", modulus_len * 8); - return False; - } - - in_uint8s(s, 8); /* modulus_bits, unknown */ - in_uint8a(s, exponent, SEC_EXPONENT_SIZE); - in_uint8a(s, modulus, modulus_len); - in_uint8s(s, SEC_PADDING_SIZE); - g_server_public_key_len = modulus_len; - - return s_check(s); -} - -/* Parse a public signature structure */ -static BOOL sec_parse_public_sig(STREAM s, uint32 len, uint8 * modulus, uint8 * exponent) { - uint8 signature[SEC_MAX_MODULUS_SIZE]; - uint32 sig_len; - - if (len != 72) { - return True; - } - memset(signature, 0, sizeof(signature)); - sig_len = len - 8; - in_uint8a(s, signature, sig_len); - return ssl_sig_ok(exponent, SEC_EXPONENT_SIZE, modulus, g_server_public_key_len, signature, sig_len); -} - -/* Parse a crypto information structure */ -static BOOL sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, uint8 ** server_random, uint8 * modulus, uint8 * exponent) { - uint32 crypt_level, random_len, rsa_info_len; - uint32 cacert_len, cert_len, 
flags; - X509 *cacert, *server_cert; - SSL_RKEY *server_public_key; - uint16 tag, length; - uint8 *next_tag, *end; - - in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */ - in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */ - if (crypt_level == 0) /* no encryption */ - return False; - in_uint32_le(s, random_len); - in_uint32_le(s, rsa_info_len); - - if (random_len != SEC_RANDOM_SIZE) { - error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE); - return False; - } - - in_uint8p(s, *server_random, random_len); - - /* RSA info */ - end = s->p + rsa_info_len; - if (end > s->end) - return False; - - in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */ - if (flags & 1) { - DEBUG_RDP5(("We're going for the RDP4-style encryption\n")); - in_uint8s(s, 8); /* unknown */ - - while (s->p < end) { - in_uint16_le(s, tag); - in_uint16_le(s, length); - - next_tag = s->p + length; - - switch (tag) { - case SEC_TAG_PUBKEY: - if (!sec_parse_public_key(s, modulus, exponent)) - return False; - DEBUG_RDP5(("Got Public key, RDP4-style\n")); - - break; - - case SEC_TAG_KEYSIG: - if (!sec_parse_public_sig(s, length, modulus, exponent)) - return False; - break; - - default: - unimpl("crypt tag 0x%x\n", tag); - } - - s->p = next_tag; - } - } else { - uint32 certcount; - - DEBUG_RDP5(("We're going for the RDP5-style encryption\n")); - in_uint32_le(s, certcount); /* Number of certificates */ - if (certcount < 2) { - error("Server didn't send enough X509 certificates\n"); - return False; - } - for (; certcount > 2; certcount--) { /* ignore all the certificates between the root and the signing CA */ - uint32 ignorelen; - X509 *ignorecert; - - DEBUG_RDP5(("Ignored certs left: %d\n", certcount)); - in_uint32_le(s, ignorelen); - DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen)); - ignorecert = ssl_cert_read(s->p, ignorelen); - in_uint8s(s, ignorelen); - if (ignorecert == NULL) { /* XXX: error out? 
*/ - DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n")); - } -#ifdef WITH_DEBUG_RDP5 - DEBUG_RDP5(("cert #%d (ignored):\n", certcount)); - ssl_cert_print_fp(stdout, ignorecert); -#endif - } - /* Do da funky X.509 stuffy - - "How did I find out about this? I looked up and saw a - bright light and when I came to I had a scar on my forehead - and knew about X.500" - - Peter Gutman in a early version of - http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt - */ - in_uint32_le(s, cacert_len); - DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len)); - cacert = ssl_cert_read(s->p, cacert_len); - in_uint8s(s, cacert_len); - if (NULL == cacert) { - error("Couldn't load CA Certificate from server\n"); - return False; - } - in_uint32_le(s, cert_len); - DEBUG_RDP5(("Certificate length is %d\n", cert_len)); - server_cert = ssl_cert_read(s->p, cert_len); - in_uint8s(s, cert_len); - if (NULL == server_cert) { - ssl_cert_free(cacert); - error("Couldn't load Certificate from server\n"); - return False; - } - ssl_cert_free(cacert); - in_uint8s(s, 16); /* Padding */ - server_public_key = ssl_cert_to_rkey(server_cert, &g_server_public_key_len); - if (NULL == server_public_key) { - DEBUG_RDP5(("Didn't parse X509 correctly\n")); - ssl_cert_free(server_cert); - return False; - } - ssl_cert_free(server_cert); - if ((g_server_public_key_len < SEC_MODULUS_SIZE) || (g_server_public_key_len > SEC_MAX_MODULUS_SIZE)) { - error("Bad server public key size (%u bits)\n", g_server_public_key_len * 8); - ssl_rkey_free(server_public_key); - return False; - } - if (ssl_rkey_get_exp_mod(server_public_key, exponent, SEC_EXPONENT_SIZE, modulus, SEC_MAX_MODULUS_SIZE) != 0) { - error("Problem extracting RSA exponent, modulus"); - ssl_rkey_free(server_public_key); - return False; - } - ssl_rkey_free(server_public_key); - return True; /* There's some garbage here we don't care about */ - } - return s_check_end(s); -} - -/* Process crypto information blob */ 
-static void sec_process_crypt_info(STREAM s) { - uint8 *server_random = NULL; - uint8 modulus[SEC_MAX_MODULUS_SIZE]; - uint8 exponent[SEC_EXPONENT_SIZE]; - uint32 rc4_key_size; - - memset(modulus, 0, sizeof(modulus)); - memset(exponent, 0, sizeof(exponent)); - if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, modulus, exponent)) { - DEBUG(("Failed to parse crypt info\n")); - return; - } - DEBUG(("Generating client random\n")); - generate_random(g_client_random); - sec_rsa_encrypt(g_sec_crypted_random, g_client_random, SEC_RANDOM_SIZE, g_server_public_key_len, modulus, exponent); - sec_generate_keys(g_client_random, server_random, rc4_key_size); -} - - -/* Process SRV_INFO, find RDP version supported by server */ -static void sec_process_srv_info(STREAM s) { - in_uint16_le(s, g_server_rdp_version); - if (verbose) - hydra_report(stderr, "[VERBOSE] Server RDP version is %d\n", g_server_rdp_version); - if (1 == g_server_rdp_version) { - g_use_rdp5 = 0; - g_server_depth = 8; - } -} - - -/* Process connect response data blob */ -void sec_process_mcs_data(STREAM s) { - uint16 tag, length; - uint8 *next_tag; - uint8 len; - - in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */ - in_uint8(s, len); - if (len & 0x80) - in_uint8(s, len); - - while (s->p < s->end) { - in_uint16_le(s, tag); - in_uint16_le(s, length); - - if (length <= 4) - return; - - next_tag = s->p + length - 4; - - switch (tag) { - case SEC_TAG_SRV_INFO: - sec_process_srv_info(s); - break; - - case SEC_TAG_SRV_CRYPT: - sec_process_crypt_info(s); - break; - - case SEC_TAG_SRV_CHANNELS: - break; - - default: - unimpl("response tag 0x%x\n", tag); - } - - s->p = next_tag; - } -} - -/* Receive secure transport packet */ -STREAM sec_recv(uint8 * rdpver) { - uint32 sec_flags; - uint16 channel = 0; - STREAM s; - - while ((s = mcs_recv(&channel, rdpver)) != NULL) { - if (rdpver != NULL) { - if (*rdpver != 3) { - if (*rdpver & 0x80) { - in_uint8s(s, 8); /* signature */ - sec_decrypt(s->p, s->end - 
s->p); - } - return s; - } - } - //if (g_encryption || !g_licence_issued) - if (g_encryption) { - in_uint32_le(s, sec_flags); - - if (sec_flags & SEC_ENCRYPT) { - in_uint8s(s, 8); /* signature */ - sec_decrypt(s->p, s->end - s->p); - } - - if (sec_flags & SEC_LICENCE_NEG) { - //licence_process(s); - continue; - } - - if (sec_flags & 0x0400) { /* SEC_REDIRECT_ENCRYPT */ - uint8 swapbyte; - - in_uint8s(s, 8); /* signature */ - sec_decrypt(s->p, s->end - s->p); - - /* Check for a redirect packet, starts with 00 04 */ - if (s->p[0] == 0 && s->p[1] == 4) { - /* for some reason the PDU and the length seem to be swapped. - This isn't good, but we're going to do a byte for byte - swap. So the first foure value appear as: 00 04 XX YY, - where XX YY is the little endian length. We're going to - use 04 00 as the PDU type, so after our swap this will look - like: XX YY 04 00 */ - swapbyte = s->p[0]; - s->p[0] = s->p[2]; - s->p[2] = swapbyte; - - swapbyte = s->p[1]; - s->p[1] = s->p[3]; - s->p[3] = swapbyte; - - swapbyte = s->p[2]; - s->p[2] = s->p[3]; - s->p[3] = swapbyte; - } -#ifdef WITH_DEBUG - /* warning! this debug statement will show passwords in the clear! 
*/ - hexdump(s->p, s->end - s->p); -#endif - } - - } - - if (channel != MCS_GLOBAL_CHANNEL) { - if (rdpver != NULL) - *rdpver = 0xff; - return s; - } - - return s; - } - - return NULL; -} - -/* Establish a secure connection */ -BOOL sec_connect(char *server, char *username, BOOL reconnect) { - struct stream mcs_data; - - /* We exchange some RDP data during the MCS-Connect */ - mcs_data.size = 512; - mcs_data.end = mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size); - sec_out_mcs_data(&mcs_data); - - if (!mcs_connect(server, &mcs_data, username, reconnect)) - return False; - if (g_encryption) - sec_establish_key(); - free(mcs_data.data); - mcs_data.data = NULL; - return True; -} - -/* Disconnect a connection */ -void sec_disconnect(void) { - mcs_disconnect(); -} - -/* reset the state of the sec layer */ -void sec_reset_state(void) { - g_server_rdp_version = 0; - g_sec_encrypt_use_count = 0; - g_sec_decrypt_use_count = 0; - mcs_reset_state(); -} - - - -/* Read field indicating which parameters are present */ -static void rdp_in_present(STREAM s, uint32 * present, uint8 flags, int32_t size) { - uint8 bits; - int32_t i; - - if (flags & RDP_ORDER_SMALL) { - size--; - } - - if (flags & RDP_ORDER_TINY) { - if (size < 2) - size = 0; - else - size -= 2; - } - - *present = 0; - for (i = 0; i < size; i++) { - in_uint8(s, bits); - *present |= bits << (i * 8); - } -} - -/* Read a co-ordinate (16-bit, or 8-bit delta) */ -static void rdp_in_coord(STREAM s, sint16 * coord, BOOL delta) { - sint8 change; - - if (delta) { - in_uint8(s, change); - *coord += change; - } else { - in_uint16_le(s, *coord); - } -} - -/* Read a colour entry */ -static void rdp_in_colour(STREAM s, uint32 * colour) { - uint32 i; - - in_uint8(s, i); - *colour = i; - in_uint8(s, i); - *colour |= i << 8; - in_uint8(s, i); - *colour |= i << 16; -} - -/* Parse bounds information */ -static BOOL rdp_parse_bounds(STREAM s, BOUNDS * bounds) { - uint8 present; - - in_uint8(s, present); - - if (present & 1) 
- rdp_in_coord(s, &bounds->left, False); - else if (present & 16) - rdp_in_coord(s, &bounds->left, True); - - if (present & 2) - rdp_in_coord(s, &bounds->top, False); - else if (present & 32) - rdp_in_coord(s, &bounds->top, True); - - if (present & 4) - rdp_in_coord(s, &bounds->right, False); - else if (present & 64) - rdp_in_coord(s, &bounds->right, True); - - if (present & 8) - rdp_in_coord(s, &bounds->bottom, False); - else if (present & 128) - rdp_in_coord(s, &bounds->bottom, True); - - return s_check(s); -} - -/* Process an opaque rectangle order */ -static void process_rect(STREAM s, RECT_ORDER * os, uint32 present, BOOL delta) { - uint32 i; - - if (present & 0x01) - rdp_in_coord(s, &os->x, delta); - - if (present & 0x02) - rdp_in_coord(s, &os->y, delta); - - if (present & 0x04) - rdp_in_coord(s, &os->cx, delta); - - if (present & 0x08) - rdp_in_coord(s, &os->cy, delta); - - if (present & 0x10) { - in_uint8(s, i); - os->colour = (os->colour & 0xffffff00) | i; - } - - if (present & 0x20) { - in_uint8(s, i); - os->colour = (os->colour & 0xffff00ff) | (i << 8); - } - - if (present & 0x40) { - in_uint8(s, i); - os->colour = (os->colour & 0xff00ffff) | (i << 16); - } - - DEBUG(("RECT(x=%d,y=%d,cx=%d,cy=%d,fg=0x%x)\n", os->x, os->y, os->cx, os->cy, os->colour)); -} - -/* Process a desktop save order */ -static void process_desksave(STREAM s, DESKSAVE_ORDER * os, uint32 present, BOOL delta) { - //int32_t width, height; - - if (present & 0x01) - in_uint32_le(s, os->offset); - - if (present & 0x02) - rdp_in_coord(s, &os->left, delta); - - if (present & 0x04) - rdp_in_coord(s, &os->top, delta); - - if (present & 0x08) - rdp_in_coord(s, &os->right, delta); - - if (present & 0x10) - rdp_in_coord(s, &os->bottom, delta); - - if (present & 0x20) - in_uint8(s, os->action); - - DEBUG(("DESKSAVE(l=%d,t=%d,r=%d,b=%d,off=%d,op=%d)\n", os->left, os->top, os->right, os->bottom, os->offset, os->action)); - - //width = os->right - os->left + 1; - //height = os->bottom - os->top + 1; 
-} - -/* Process a memory blt order */ -static void process_memblt(STREAM s, MEMBLT_ORDER * os, uint32 present, BOOL delta) { - //on win 7, vista, 2008, the login failed has to be catched here - if (present & 0x0001) { - in_uint8(s, os->cache_id); - in_uint8(s, os->colour_table); - } - - if (present & 0x0002) - rdp_in_coord(s, &os->x, delta); - - if (present & 0x0004) - rdp_in_coord(s, &os->y, delta); - - if (present & 0x0008) - rdp_in_coord(s, &os->cx, delta); - - if (present & 0x0010) - rdp_in_coord(s, &os->cy, delta); - - if (present & 0x0020) - in_uint8(s, os->opcode); - - if (present & 0x0040) - rdp_in_coord(s, &os->srcx, delta); - - if (present & 0x0080) - rdp_in_coord(s, &os->srcy, delta); - - if (present & 0x0100) - in_uint16_le(s, os->cache_idx); - - DEBUG(("MEMBLT(op=0x%x,x=%d,y=%d,cx=%d,cy=%d,id=%d,idx=%d)\n", os->opcode, os->x, os->y, os->cx, os->cy, os->cache_id, os->cache_idx)); - //MEMBLT(op=0xcc,x=640,y=128,cx=64,cy=64,id=2,idx=117) => win8 failed - - if ((os->opcode == 0xcc && os->x == 740 && os->y == 448 && os->cx == 60 && os->cy == 56 && os->cache_id == 2) || - (os->opcode == 0xcc && os->x == 640 && os->y == 128 && os->cx == 64 && os->cy == 64 && os->cache_id == 2 && os->cache_idx > 100)) { - if (debug) - hydra_report(stderr, "[DEBUG] Login failed from process_memblt\n"); - login_result = LOGIN_FAIL; - } -} - -/* Process a text order */ -static void process_text2(STREAM s, TEXT2_ORDER * os, uint32 present, BOOL delta) { - int32_t i; - - if (present & 0x000001) - in_uint8(s, os->font); - - if (present & 0x000002) - in_uint8(s, os->flags); - - if (present & 0x000004) - in_uint8(s, os->opcode); - - if (present & 0x000008) - in_uint8(s, os->mixmode); - - if (present & 0x000010) - rdp_in_colour(s, &os->fgcolour); - - if (present & 0x000020) - rdp_in_colour(s, &os->bgcolour); - - if (present & 0x000040) - in_uint16_le(s, os->clipleft); - - if (present & 0x000080) - in_uint16_le(s, os->cliptop); - - if (present & 0x000100) - in_uint16_le(s, 
os->clipright); - - if (present & 0x000200) - in_uint16_le(s, os->clipbottom); - - if (present & 0x000400) - in_uint16_le(s, os->boxleft); - - if (present & 0x000800) - in_uint16_le(s, os->boxtop); - - if (present & 0x001000) - in_uint16_le(s, os->boxright); - - if (present & 0x002000) - in_uint16_le(s, os->boxbottom); - - //rdp_parse_brush(s, &os->brush, present >> 14); - - if (present & 0x080000) - in_uint16_le(s, os->x); - - if (present & 0x100000) - in_uint16_le(s, os->y); - - if (present & 0x200000) { - in_uint8(s, os->length); - in_uint8a(s, os->text, os->length); - } - //printf("TEXT2(x=%d,y=%d,cl=%d,ct=%d,cr=%d,cb=%d,bl=%d,bt=%d,br=%d,bb=%d,bs=%d,bg=0x%x,fg=0x%x,font=%d,fl=0x%x,op=0x%x,mix=%d,n=%d)\n", os->x, os->y, os->clipleft, os->cliptop, os->clipright, os->clipbottom, os->boxleft, os->boxtop, os->boxright, os->boxbottom, , os->bgcolour, os->fgcolour, os->font, os->flags, os->opcode, os->mixmode, os->length); - - if (debug) { - printf("[DEBUG] process_text2: "); - - for (i = 0; i < os->length; i++) - printf("%02x ", os->text[i]); - printf(" *** "); - - printf("size: %d\n", os->length); - } - //there is no way to determine if the message from w2k is a success or failure at first - //so we identify it here and set the os version as win 2000 same for win2k3 - if (!memcmp(os->text, LOGON_MESSAGE_2K, 31)) { - os_version = 2000; - } - if (!memcmp(os->text, LOGON_MESSAGE_FAILED_2K3, 18)) { - os_version = 2003; - } - //on win2k, error can be fe 00 00 or fe 02 00 - if (((os->text[0] == 254) && (os->text[2] == 0)) || (!memcmp(os->text, LOGON_MESSAGE_FAILED_XP, 18))) { - if (debug) - hydra_report(stderr, "[DEBUG] login failed from process_text2\n"); - login_result = LOGIN_FAIL; - } else { - //if it's not an well known error and if it's not just traffic from win 2000 server - - if ((os_version == 2000) && (os->length > 50)) { - if (debug) - hydra_report(stderr, "[DEBUG] login success from process_text2\n"); - login_result = LOGIN_SUCC; - } - } -} - -/* Process a 
secondary order */ -static void process_secondary_order(STREAM s) { - /* The length isn't calculated correctly by the server. - * For very compact orders the length becomes negative - * so a signed integer must be used. */ - uint16 length; - //uint16 flags; - //uint8 type; - uint8 *next_order; - - in_uint16_le(s, length); - //in_uint16_le(s, flags); /* used by bmpcache2 */ - //in_uint8(s, type); - - next_order = s->p + (sint16) length + 7; - - /* - switch (type) - { - case RDP_ORDER_RAW_BMPCACHE: - break; - - case RDP_ORDER_COLCACHE: - break; - - case RDP_ORDER_BMPCACHE: - break; - - case RDP_ORDER_FONTCACHE: - process_fontcache(s); - break; - - case RDP_ORDER_RAW_BMPCACHE2: - break; - - case RDP_ORDER_BMPCACHE2: - break; - - case RDP_ORDER_BRUSHCACHE: - process_brushcache(s, flags); - break; - - default: - unimpl("secondary order %d\n", type); - } - */ - s->p = next_order; -} - -/* Process an order PDU */ -void process_orders(STREAM s, uint16 num_orders) { - RDP_ORDER_STATE *os = &g_order_state; - uint32 present; - uint8 order_flags; - int32_t size, processed = 0; - BOOL delta; - - while (processed < num_orders) { - in_uint8(s, order_flags); - - if (os_version == 2003) - os_version = 0; - - if (!(order_flags & RDP_ORDER_STANDARD)) { - //error("order parsing failed\n"); - //we detected the os is a win 2000 version and the next text msg will be either an error LOGON_MESSAGE_FAILED_2K - //or any other traffic indicating the logon was successfull, so we reset the os_version and let process_text2 handle the msg - if (os_version == 2003) - login_result = LOGIN_SUCC; - break; - } - - if (order_flags & RDP_ORDER_SECONDARY) { - process_secondary_order(s); - } else { - if (order_flags & RDP_ORDER_CHANGE) { - in_uint8(s, os->order_type); - } - - switch (os->order_type) { - case RDP_ORDER_TRIBLT: - case RDP_ORDER_TEXT2: - size = 3; - break; - - case RDP_ORDER_PATBLT: - case RDP_ORDER_MEMBLT: - case RDP_ORDER_LINE: - case RDP_ORDER_POLYGON2: - case RDP_ORDER_ELLIPSE2: - size = 
2; - break; - - default: - size = 1; - } - - rdp_in_present(s, &present, order_flags, size); - - if (order_flags & RDP_ORDER_BOUNDS) { - if (!(order_flags & RDP_ORDER_LASTBOUNDS)) - rdp_parse_bounds(s, &os->bounds); - - } - - delta = order_flags & RDP_ORDER_DELTA; - -//printf("order %d\n", os->order_type); - - if (login_result) - return; - - switch (os->order_type) { - - case RDP_ORDER_RECT: - process_rect(s, &os->rect, present, delta); - break; - - case RDP_ORDER_DESKSAVE: - process_desksave(s, &os->desksave, present, delta); - break; - - case RDP_ORDER_MEMBLT: - process_memblt(s, &os->memblt, present, delta); - break; - - case RDP_ORDER_TEXT2: - process_text2(s, &os->text2, present, delta); - break; - - default: - if (debug) - printf("[DEBUG] unknown order_type: %d\n", os->order_type); - - } - } - - processed++; - } -} - -/* Reset order state */ -void reset_order_state(void) { - memset(&g_order_state, 0, sizeof(g_order_state)); - g_order_state.order_type = RDP_ORDER_PATBLT; -} - -/* Disconnect from the RDP layer */ -void rdp_disconnect(void) { - sec_disconnect(); -} - - -void rdp5_process(STREAM s) { - uint16 length, count; - uint8 type/*, ctype*/; - uint8 *next; - - struct stream *ts; - - while (s->p < s->end) { - in_uint8(s, type); - if (type & RDP5_COMPRESSED) { - //in_uint8(s, ctype); - in_uint16_le(s, length); - type ^= RDP5_COMPRESSED; - } else { - //ctype = 0; - in_uint16_le(s, length); - } - g_next_packet = next = s->p + length; - ts = s; -//printf("type: %d\n", type); - switch (type) { - case 0: /* update orders */ - in_uint16_le(ts, count); - process_orders(ts, count); - break; - - } - - s->p = next; - } -} - - -/* Receive an RDP packet */ -static STREAM rdp_recv(uint8 * type) { - static STREAM rdp_s; - uint16 length, pdu_type; - uint8 rdpver; - - if ((rdp_s == NULL) || (g_next_packet >= rdp_s->end) || (g_next_packet == NULL)) { - rdp_s = sec_recv(&rdpver); - if (rdp_s == NULL) - return NULL; - if (rdpver == 0xff) { - g_next_packet = rdp_s->end; - *type 
= 0; - return rdp_s; - } else if (rdpver != 3) { - /* rdp5_process should move g_next_packet ok */ - rdp5_process(rdp_s); - *type = 0; - return rdp_s; - } - - g_next_packet = rdp_s->p; - } else { - rdp_s->p = g_next_packet; - } - - in_uint16_le(rdp_s, length); - /* 32k packets are really 8, keepalive fix */ - if (length == 0x8000) { - g_next_packet += 8; - *type = 0; - return rdp_s; - } - in_uint16_le(rdp_s, pdu_type); - in_uint8s(rdp_s, 2); /* userid */ - *type = pdu_type & 0xf; - - g_next_packet += length; - return rdp_s; -} - -/* used in uiports and rdp_main_loop, processes the rdp packets waiting */ -BOOL rdp_loop(BOOL * deactivated, uint32 * ext_disc_reason) { - uint8 type; - BOOL cont = True; - STREAM s; - - while (cont) { - s = rdp_recv(&type); - - if (s == NULL) - return False; - switch (type) { - case RDP_PDU_DEMAND_ACTIVE: - process_demand_active(s); - *deactivated = False; - break; - case RDP_PDU_DEACTIVATE: - DEBUG(("RDP_PDU_DEACTIVATE\n")); - *deactivated = True; - break; - case RDP_PDU_REDIRECT: - break; - case RDP_PDU_DATA: - process_data_pdu(s, ext_disc_reason); - break; - case 0: - break; - default: - unimpl("PDU %d\n", type); - } - cont = g_next_packet < s->end; - } - return True; -} - -/* Process incoming packets */ -int32_t rdp_main_loop(BOOL * deactivated, uint32 * ext_disc_reason) { - while (rdp_loop(deactivated, ext_disc_reason)) { - if (login_result != LOGIN_UNKN) { - return login_result; - } - } - return 0; -} - - - -/* Parse a logon info packet */ -static void rdp_send_logon_info(uint32 flags, char *domain, char *user, char *password, char *program, char *directory) { - char *ipaddr = tcp_get_address(); - int32_t len_domain = 2 * strlen(domain); - int32_t len_user = 2 * strlen(user); - int32_t len_password = 2 * strlen(password); - int32_t len_program = 2 * strlen(program); - int32_t len_directory = 2 * strlen(directory); - int32_t len_ip = 2 * strlen(ipaddr); - int32_t len_dll = 2 * strlen("C:\\WINNT\\System32\\mstscax.dll"); - int32_t 
packetlen = 0; - uint32 sec_flags = g_encryption ? (SEC_LOGON_INFO | SEC_ENCRYPT) : SEC_LOGON_INFO; - STREAM s = NULL; - time_t t = time(NULL); - time_t tzone; - uint8 security_verifier[16]; - - if (!g_use_rdp5 || 1 == g_server_rdp_version) { - DEBUG_RDP5(("Sending RDP4-style Logon packet\n")); - - s = sec_init(sec_flags, 18 + len_domain + len_user + len_password + len_program + len_directory + 10); - - out_uint32(s, 0); - out_uint32_le(s, flags); - out_uint16_le(s, len_domain); - out_uint16_le(s, len_user); - out_uint16_le(s, len_password); - out_uint16_le(s, len_program); - out_uint16_le(s, len_directory); - rdp_out_unistr(s, domain, len_domain); - rdp_out_unistr(s, user, len_user); - rdp_out_unistr(s, password, len_password); - rdp_out_unistr(s, program, len_program); - rdp_out_unistr(s, directory, len_directory); - } else { - - flags |= RDP_LOGON_BLOB; - DEBUG_RDP5(("Sending RDP5-style Logon packet\n")); - packetlen = 4 + /* Unknown uint32 */ - 4 + /* flags */ - 2 + /* len_domain */ - 2 + /* len_user */ - (flags & RDP_LOGON_AUTO ? 2 : 0) + /* len_password */ - (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO) ? 2 : 0) + /* Length of BLOB */ - 2 + /* len_program */ - 2 + /* len_directory */ - (0 < len_domain ? len_domain : 2) + /* domain */ - len_user + /* len user */ - (flags & RDP_LOGON_AUTO ? len_password : 0) + /* len pass */ - 0 + /* We have no 512 byte BLOB. Perhaps we must? */ - (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO) ? 2 : 0) + /* After the BLOB is a unknown int16. If there is a BLOB, that is. */ - (0 < len_program ? len_program : 2) + /* program */ - (0 < len_directory ? 
len_directory : 2) + /* dir */ - 2 + /* Unknown (2) */ - 2 + /* Client ip length */ - len_ip + /* Client ip */ - 2 + /* DLL string length */ - len_dll + /* DLL string */ - 4 + /* zone */ - strlen("GTB, normaltid") * 2 + /* zonestring */ - 1 + /* len */ - 5 * 4 + /* some int32 */ - 2 * strlen("GTB, sommartid") + /* zonestring */ - 1 + /* len */ - 5 * 4 + /* some int32 */ - 2 * 4 + /* some int32 */ - (g_has_reconnect_random ? 14 + sizeof(security_verifier) : 2) + 105 + /* ??? we need this */ - 0; // end -//printf("pl: %d - flags %d - AUTO %d - BLOB %d\n", packetlen, flags, RDP_LOGON_AUTO, RDP_LOGON_BLOB); - - s = sec_init(sec_flags, packetlen); - DEBUG_RDP5(("Called sec_init with packetlen %d\n", packetlen)); - - out_uint32(s, 0); /* Unknown */ - out_uint32_le(s, flags); - out_uint16_le(s, len_domain); - out_uint16_le(s, len_user); - if (flags & RDP_LOGON_AUTO) { - out_uint16_le(s, len_password); - } - if (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO)) { - out_uint16_le(s, 0); - } - out_uint16_le(s, len_program); - out_uint16_le(s, len_directory); - if (0 < len_domain) - rdp_out_unistr(s, domain, len_domain); - else - out_uint16_le(s, 0); - rdp_out_unistr(s, user, len_user); - if (flags & RDP_LOGON_AUTO) { - rdp_out_unistr(s, password, len_password); - } - if (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO)) { - out_uint16_le(s, 0); - } - if (0 < len_program) { - rdp_out_unistr(s, program, len_program); - } else { - out_uint16_le(s, 0); - } - if (0 < len_directory) { - rdp_out_unistr(s, directory, len_directory); - } else { - out_uint16_le(s, 0); - } - /* TS_EXTENDED_INFO_PACKET */ - out_uint16_le(s, 2); /* clientAddressFamily = AF_INET */ - out_uint16_le(s, len_ip + 2); /* cbClientAddress, Length of client ip */ - rdp_out_unistr(s, ipaddr, len_ip); /* clientAddress */ - out_uint16_le(s, len_dll + 2); /* cbClientDir */ - rdp_out_unistr(s, "C:\\WINNT\\System32\\mstscax.dll", len_dll); /* clientDir */ - - /* TS_TIME_ZONE_INFORMATION */ - tzone = 
(mktime(gmtime(&t)) - mktime(localtime(&t))) / 60; - out_uint32_le(s, tzone); - rdp_out_unistr(s, "GTB, normaltid", 2 * strlen("GTB, normaltid")); - out_uint8s(s, 62 - 2 * strlen("GTB, normaltid")); - out_uint32_le(s, 0x0a0000); - out_uint32_le(s, 0x050000); - out_uint32_le(s, 3); - out_uint32_le(s, 0); - out_uint32_le(s, 0); - rdp_out_unistr(s, "GTB, sommartid", 2 * strlen("GTB, sommartid")); - out_uint8s(s, 62 - 2 * strlen("GTB, sommartid")); - out_uint32_le(s, 0x30000); - out_uint32_le(s, 0x050000); - out_uint32_le(s, 2); - out_uint32(s, 0); - out_uint32_le(s, 0xffffffc4); /* DaylightBias */ - - /* Rest of TS_EXTENDED_INFO_PACKET */ - out_uint32_le(s, 0xfffffffe); /* clientSessionId, consider changing to 0 */ - out_uint32_le(s, g_rdp5_performanceflags); - - /* Client Auto-Reconnect */ - if (g_has_reconnect_random) { - out_uint16_le(s, 28); /* cbAutoReconnectLen */ - /* ARC_CS_PRIVATE_PACKET */ - out_uint32_le(s, 28); /* cbLen */ - out_uint32_le(s, 1); /* Version */ - out_uint32_le(s, g_reconnect_logonid); /* LogonId */ - ssl_hmac_md5(g_reconnect_random, sizeof(g_reconnect_random), g_client_random, SEC_RANDOM_SIZE, security_verifier); - out_uint8a(s, security_verifier, sizeof(security_verifier)); - } else { - out_uint16_le(s, 0); /* cbAutoReconnectLen */ - } - - } - s_mark_end(s); - sec_send(s, sec_flags); -} - -/* Establish a connection up to the RDP layer */ -BOOL rdp_connect(char *server, uint32 flags, char *domain, char *login, char *password, char *command, char *directory, BOOL reconnect) { - - if (!sec_connect(server, login, reconnect)) - return False; - - rdp_send_logon_info(flags, domain, login, password, command, directory); - return True; -} - -int32_t start_rdp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +#include +freerdp * instance = 0; +BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) { + int32_t err = 0; + + instance->settings->Username = login; + 
instance->settings->Password = password; + instance->settings->IgnoreCertificate = TRUE; + instance->settings->AuthenticationOnly = TRUE; + instance->settings->ServerHostname = server; + instance->settings->ServerPort = port; + instance->settings->Domain = domain; + freerdp_connect(instance); + err = freerdp_get_last_error(instance->context); + return err; +} + +/* Client program */ +int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; char *login, *pass; char server[64]; char domain[256]; - char shell[256]; - char directory[256]; - BOOL deactivated = 0; - uint32 flags, ext_disc_reason = 0; + int32_t login_result = 0; - flags = RDP_LOGON_NORMAL; - flags |= RDP_LOGON_AUTO; - - os_version = 0; - g_redirect = False; - g_redirect_flags = 0; - login_result = LOGIN_UNKN; - - shell[0] = directory[0] = 0; memset(domain, 0, sizeof(domain)); if (strlen(login = hydra_get_next_login()) == 0) 
@@ -2458,34 +48,43 @@ int32_t start_rdp(int32_t s, char *ip, int32_t port, unsigned char options, char if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; - strcpy(server, hydra_address2string(ip)); + strncpy(server, hydra_address2string(ip), sizeof(server) - 1); if ((miscptr != NULL) && (strlen(miscptr) > 0)) { strncpy(domain, miscptr, sizeof(domain) - 1); domain[sizeof(domain) - 1] = 0; } - if (!rdp_connect(server, flags, domain, login, pass, shell, directory, g_redirect)) - return 3; - - rdp_main_loop(&deactivated, &ext_disc_reason); - - if (login_result == LOGIN_SUCC) { - hydra_report_found_host(port, ip, "rdp", fp); - hydra_completed_pair_found(); - } else { - hydra_completed_pair(); + login_result = rdp_connect(server, port, domain, login, pass); + switch(login_result){ + case 0: + // login success + hydra_report_found_host(port, ip, "rdp", fp); + hydra_completed_pair_found(); + break; + case 0x00020009: + case 0x00020014: + case 0x00020015: + // login failure + hydra_completed_pair(); + break; + case 0x00020006: + case 0x00020008: + case 0x0002000c: + case 0x0002000d: + // cannot establish rdp connection, either the port is not opened or it's not rdp + return 3; + default: + if (verbose) { + hydra_report(stderr, "[ERROR] freerdp: %s (0x%.8x)\n", freerdp_get_last_error_string(login_result), login_result); + } + return login_result; } - - rdp_disconnect(); - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; - } -/* Client program */ void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1; int32_t myport = PORT_RDP; 
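Review bot: `strncpy(server, hydra_address2string(ip), sizeof(server) - 1);` does not guarantee a terminator: `server` is a stack array that is never zeroed, and unlike `domain` two lines further down it gets no explicit `server[sizeof(server) - 1] = 0;`, even though the value is handed straight to `rdp_connect` and from there into `instance->settings->ServerHostname`. An address string is short in practice, but keep the two copies consistent by adding the terminator line after the copy. The new `switch(login_result)` also dispatches on bare FreeRDP error codes (`0x00020009`, `0x00020014`, `0x00020015`, …); FreeRDP's error.h provides named macros for these classes (e.g. `FREERDP_ERROR_CONNECT_LOGON_FAILURE`), which would make the success/failure/unreachable classification reviewable without a lookup table, or at least each `case` deserves a comment naming the condition it stands for. `start_rdp` begins in the previous hunk and the hunk ends inside `service_rdp`.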
@@ -2496,746 +95,29 @@ void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; - while (1) { next_run = 0; switch (run) { case 1: /* run the cracking function */ - rdesktop_reset_state(); - g_sock = hydra_connect_tcp(ip, myport); - if (g_sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = start_rdp(g_sock, ip, port, options, miscptr, fp); + next_run = start_rdp(ip, myport, options, miscptr, fp); break; case 2: /* clean exit */ - if (g_sock >= 0) - rdp_disconnect(); + freerdp_disconnect(instance); + freerdp_free(instance); hydra_child_exit(0); return; case 3: /* connection error case */ + hydra_report(stderr, "[ERROR] freerdp: %s\n", "The connection failed to establish."); + freerdp_free(instance); hydra_child_exit(1); return; default: - hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } } -/* Generate a 32-byte random for the secure transport code. 
*/ -void generate_random(uint8 * random) { - struct stat st; - struct tms tmsbuf; - SSL_MD5 md5; - uint32 *r; - int32_t fd, n; - - /* If we have a kernel random device, try that first */ - if (((fd = open("/dev/urandom", O_RDONLY)) != -1) - || ((fd = open("/dev/random", O_RDONLY)) != -1)) { - n = read(fd, random, 32); - close(fd); - if (n == 32) - return; - } - - r = (uint32 *) random; - r[0] = (getpid()) | (getppid() << 16); - r[1] = (getuid()) | (getgid() << 16); - r[2] = times(&tmsbuf); /* system uptime (clocks) */ - gettimeofday((struct timeval *) &r[3], NULL); /* sec and usec */ - stat("/tmp", &st); - r[5] = st.st_atime; - r[6] = st.st_mtime; - r[7] = st.st_ctime; - - /* Hash both halves with MD5 to obscure possible patterns */ - ssl_md5_init(&md5); - ssl_md5_update(&md5, random, 16); - ssl_md5_final(&md5, random); - ssl_md5_update(&md5, random + 16, 16); - ssl_md5_final(&md5, random + 16); -} - -/* malloc; exit if out of memory */ -void *xmalloc(int32_t size) { - void *mem = malloc(size); - - if (mem == NULL) { - error("xmalloc %d\n", size); - return NULL; - } - return mem; -} - -/* strdup */ -char *xstrdup(const char *s) { - char *mem = strdup(s); - - if (mem == NULL) { - perror("strdup"); - return NULL; - } - return mem; -} - -/* realloc; exit if out of memory */ -void *xrealloc(void *oldmem, size_t size) { - void *mem; - - if (size == 0) - size = 1; -//printf("---? %p %d\n", oldmem, size); - mem = realloc(oldmem, size); -//printf("---!\n"); - if (mem == NULL) { - error("xrealloc %ld\n", size); - return NULL; - } - return mem; -} - -/* report an error */ -void error(char *format, ...) { - va_list ap; - - fprintf(stderr, "[ERROR]: "); - - va_start(ap, format); - hydra_report(stderr, format, ap); - va_end(ap); -} - -/* report a warning */ -void warning(char *format, ...) 
{ - if (verbose) { - va_list ap; - - fprintf(stderr, "[VERBOSE]: "); - - va_start(ap, format); - hydra_report(stderr, format, ap); - va_end(ap); - } -} - -/* report an unimplemented protocol feature */ -void unimpl(char *format, ...) { - if (debug) { - va_list ap; - - fprintf(stderr, "[DEBUG] not implemented: "); - - va_start(ap, format); - hydra_report(stderr, format, ap); - va_end(ap); - } -} - -/* produce a hex dump */ -void hexdump(unsigned char *p, uint32_t len) { - unsigned char *line = p; - int32_t i, thisline, offset = 0; - - while (offset < len) { - printf("%04x ", offset); - thisline = len - offset; - if (thisline > 16) - thisline = 16; - - for (i = 0; i < thisline; i++) - printf("%02x ", line[i]); - - for (; i < 16; i++) - printf(" "); - - for (i = 0; i < thisline; i++) - printf("%c", (line[i] >= 0x20 && line[i] < 0x7f) ? line[i] : '.'); - - printf("\n"); - offset += thisline; - line += thisline; - } -} - -/* Initialise an RDP data packet */ -static STREAM rdp_init_data(int32_t maxlen) { - STREAM s; - - s = sec_init(g_encryption ? SEC_ENCRYPT : 0, maxlen + 18); - s_push_layer(s, rdp_hdr, 18); - - return s; -} - -/* Send an RDP data packet */ -static void rdp_send_data(STREAM s, uint8 data_pdu_type) { - uint16 length; - - s_pop_layer(s, rdp_hdr); - length = s->end - s->p; - - out_uint16_le(s, length); - out_uint16_le(s, (RDP_PDU_DATA | 0x10)); - out_uint16_le(s, (g_mcs_userid + 1001)); - - out_uint32_le(s, g_rdp_shareid); - out_uint8(s, 0); /* pad */ - out_uint8(s, 1); /* streamid */ - out_uint16_le(s, (length - 14)); - out_uint8(s, data_pdu_type); - out_uint8(s, 0); /* compress_type */ - out_uint16(s, 0); /* compress_len */ - - sec_send(s, g_encryption ? 
SEC_ENCRYPT : 0); -} - -/* Input a string in Unicode - * - * Returns str_len of string - */ -int32_t rdp_in_unistr(STREAM s, char *string, int32_t str_size, int32_t in_len) { - int32_t i = 0; - int32_t len = in_len / 2; - int32_t rem = 0; - - if (len > str_size - 1) { - warning("server sent an unexpectedly long string, truncating\n"); - len = str_size - 1; - rem = in_len - 2 * len; - } - - while (i < len) { - in_uint8a(s, &string[i++], 1); - in_uint8s(s, 1); - } - - in_uint8s(s, rem); - string[len] = 0; - return len; -} - -/* Send a control PDU */ -static void rdp_send_control(uint16 action) { - STREAM s; - - s = rdp_init_data(8); - - out_uint16_le(s, action); - out_uint16(s, 0); /* userid */ - out_uint32(s, 0); /* control id */ - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_CONTROL); -} - -/* Send a synchronisation PDU */ -static void rdp_send_synchronise(void) { - STREAM s; - - s = rdp_init_data(4); - out_uint16_le(s, 1); /* type */ - out_uint16_le(s, 1002); - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_SYNCHRONISE); -} - -/* Send a single input event */ -void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1, uint16 param2) { - STREAM s; - - switch (message_type) { - case RDP_INPUT_MOUSE: - rdp_send_fast_input_mouse(time, device_flags, param1, param2); - break; - case RDP_INPUT_SCANCODE: - rdp_send_fast_input_kbd(time, device_flags, param1); - break; - default: - s = rdp_init_data(16); - out_uint16_le(s, 1); /* number of events */ - out_uint16(s, 0); /* pad */ - out_uint32_le(s, time); - out_uint16_le(s, message_type); - out_uint16_le(s, device_flags); - out_uint16_le(s, param1); - out_uint16_le(s, param2); - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_INPUT); - } -} - -/* Send an (empty) font information PDU */ -static void rdp_send_fonts(uint16 seq) { - STREAM s; - - s = rdp_init_data(8); - - out_uint16(s, 0); /* number of fonts */ - out_uint16_le(s, 0); /* pad? 
*/ - out_uint16_le(s, seq); /* unknown */ - out_uint16_le(s, 0x32); /* entry size */ - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_FONT2); -} - -/* Output general capability set */ -static void rdp_out_general_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_GENERAL); - out_uint16_le(s, RDP_CAPLEN_GENERAL); - out_uint16_le(s, 1); /* OS major type */ - out_uint16_le(s, 3); /* OS minor type */ - out_uint16_le(s, 0x200); /* Protocol version */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 0); /* Compression types */ - out_uint16_le(s, g_use_rdp5 ? 0x40d : 0); - /* Pad, according to T.128. 0x40d seems to - trigger - the server to start sending RDP5 packets. - However, the value is 0x1d04 with W2KTSK and - NT4MS. Hmm.. Anyway, thankyou, Microsoft, - for sending such information in a padding - field.. */ - out_uint16(s, 0); /* Update capability */ - out_uint16(s, 0); /* Remote unshare capability */ - out_uint16(s, 0); /* Compression level */ - out_uint16(s, 0); /* Pad */ -} - -/* Output bitmap capability set */ -static void rdp_out_bitmap_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_BITMAP); - out_uint16_le(s, RDP_CAPLEN_BITMAP); - out_uint16_le(s, g_server_depth); /* Preferred colour depth */ - out_uint16_le(s, 1); /* Receive 1 BPP */ - out_uint16_le(s, 1); /* Receive 4 BPP */ - out_uint16_le(s, 1); /* Receive 8 BPP */ - out_uint16_le(s, 800); /* Desktop width */ - out_uint16_le(s, 600); /* Desktop height */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 1); /* Allow resize */ - out_uint16_le(s, g_bitmap_compression ? 1 : 0); /* Support compression */ - out_uint16(s, 0); /* Unknown */ - out_uint16_le(s, 1); /* Unknown */ - out_uint16(s, 0); /* Pad */ -} - -/* Output order capability set */ -static void rdp_out_order_caps(STREAM s) { - uint8 order_caps[32]; - - memset(order_caps, 0, 32); - order_caps[0] = 1; /* dest blt */ - order_caps[1] = 1; /* pat blt */ - order_caps[2] = 1; /* screen blt */ - order_caps[3] = (g_bitmap_cache ? 
1 : 0); /* memblt */ - order_caps[4] = 0; /* triblt */ - order_caps[8] = 1; /* line */ - order_caps[9] = 1; /* line */ - order_caps[10] = 1; /* rect */ - order_caps[11] = (g_desktop_save ? 1 : 0); /* desksave */ - order_caps[13] = 1; /* memblt */ - order_caps[14] = 1; /* triblt */ - order_caps[20] = 1; /* polygon */ - order_caps[21] = 1; /* polygon2 */ - order_caps[22] = 1; /* polyline */ - order_caps[25] = 1; /* ellipse */ - order_caps[26] = 1; /* ellipse2 */ - order_caps[27] = 1; /* text2 */ - out_uint16_le(s, RDP_CAPSET_ORDER); - out_uint16_le(s, RDP_CAPLEN_ORDER); - - out_uint8s(s, 20); /* Terminal desc, pad */ - out_uint16_le(s, 1); /* Cache X granularity */ - out_uint16_le(s, 20); /* Cache Y granularity */ - out_uint16(s, 0); /* Pad */ - out_uint16_le(s, 1); /* Max order level */ - out_uint16_le(s, 0x147); /* Number of fonts */ - out_uint16_le(s, 0x2a); /* Capability flags */ - out_uint8p(s, order_caps, 32); /* Orders supported */ - out_uint16_le(s, 0x6a1); /* Text capability flags */ - out_uint8s(s, 6); /* Pad */ - out_uint32_le(s, g_desktop_save == False ? 0 : 0x38400); /* Desktop cache size */ - out_uint32(s, 0); /* Unknown */ - out_uint32_le(s, 0x4e4); /* Unknown */ -} - -/* Output bitmap cache capability set */ -static void rdp_out_bmpcache_caps(STREAM s) { - int32_t Bpp; - - out_uint16_le(s, RDP_CAPSET_BMPCACHE); - out_uint16_le(s, RDP_CAPLEN_BMPCACHE); - Bpp = (g_server_depth + 7) / 8; /* bytes per pixel */ - out_uint8s(s, 24); /* unused */ - out_uint16_le(s, 0x258); /* entries */ - out_uint16_le(s, 0x100 * Bpp); /* max cell size */ - out_uint16_le(s, 0x12c); /* entries */ - out_uint16_le(s, 0x400 * Bpp); /* max cell size */ - out_uint16_le(s, 0x106); /* entries */ - out_uint16_le(s, 0x1000 * Bpp); /* max cell size */ -} - -/* Output bitmap cache v2 capability set */ -static void rdp_out_bmpcache2_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_BMPCACHE2); - out_uint16_le(s, RDP_CAPLEN_BMPCACHE2); - out_uint16_le(s, g_bitmap_cache_persist_enable ? 
2 : 0); /* version */ - out_uint16_be(s, 3); /* number of caches in this set */ - - /* max cell size for cache 0 is 16x16, 1 = 32x32, 2 = 64x64, etc */ - out_uint32_le(s, BMPCACHE2_C0_CELLS); - out_uint32_le(s, BMPCACHE2_C1_CELLS); - out_uint32_le(s, BMPCACHE2_C2_CELLS); - out_uint8s(s, 20); /* other bitmap caches not used */ -} - -/* Output control capability set */ -static void rdp_out_control_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_CONTROL); - out_uint16_le(s, RDP_CAPLEN_CONTROL); - out_uint16(s, 0); /* Control capabilities */ - out_uint16(s, 0); /* Remote detach */ - out_uint16_le(s, 2); /* Control interest */ - out_uint16_le(s, 2); /* Detach interest */ -} - -/* Output activation capability set */ -static void rdp_out_activate_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_ACTIVATE); - out_uint16_le(s, RDP_CAPLEN_ACTIVATE); - out_uint16(s, 0); /* Help key */ - out_uint16(s, 0); /* Help index key */ - out_uint16(s, 0); /* Extended help key */ - out_uint16(s, 0); /* Window activate */ -} - -/* Output pointer capability set */ -static void rdp_out_pointer_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_POINTER); - out_uint16_le(s, RDP_CAPLEN_POINTER); - out_uint16(s, 0); /* Colour pointer */ - out_uint16_le(s, 20); /* Cache size */ -} - -/* Output new pointer capability set */ -static void rdp_out_newpointer_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_POINTER); - out_uint16_le(s, RDP_CAPLEN_NEWPOINTER); - out_uint16_le(s, 1); /* Colour pointer */ - out_uint16_le(s, 20); /* Cache size */ - out_uint16_le(s, 20); /* Cache size for new pointers */ -} - -/* Output share capability set */ -static void rdp_out_share_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_SHARE); - out_uint16_le(s, RDP_CAPLEN_SHARE); - out_uint16(s, 0); /* userid */ - out_uint16(s, 0); /* pad */ -} - -/* Output colour cache capability set */ -static void rdp_out_colcache_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_COLCACHE); - out_uint16_le(s, RDP_CAPLEN_COLCACHE); - out_uint16_le(s, 
6); /* cache size */ - out_uint16(s, 0); /* pad */ -} - -/* Output brush cache capability set */ -static void rdp_out_brushcache_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_BRUSHCACHE); - out_uint16_le(s, RDP_CAPLEN_BRUSHCACHE); - out_uint32_le(s, 1); /* cache type */ -} - -static uint8 caps_0x0d[] = { - 0x01, 0x00, 0x00, 0x00, 0x09, 0x04, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; - -static uint8 caps_0x0c[] = { 0x01, 0x00, 0x00, 0x00 }; - -static uint8 caps_0x0e[] = { 0x01, 0x00, 0x00, 0x00 }; - -static uint8 caps_0x10[] = { - 0xFE, 0x00, 0x04, 0x00, 0xFE, 0x00, 0x04, 0x00, - 0xFE, 0x00, 0x08, 0x00, 0xFE, 0x00, 0x08, 0x00, - 0xFE, 0x00, 0x10, 0x00, 0xFE, 0x00, 0x20, 0x00, - 0xFE, 0x00, 0x40, 0x00, 0xFE, 0x00, 0x80, 0x00, - 0xFE, 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x08, - 0x00, 0x01, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00 -}; - -/* Output unknown capability sets */ -static void rdp_out_unknown_caps(STREAM s, uint16 id, uint16 length, uint8 * caps) { - out_uint16_le(s, id); - out_uint16_le(s, length); - out_uint8p(s, caps, length - 4); -} - -#define RDP5_FLAG 0x0030 - -/* Send a confirm active PDU */ -static void rdp_send_confirm_active(void) { - STREAM s; - uint32 sec_flags = g_encryption ? 
(RDP5_FLAG | SEC_ENCRYPT) : RDP5_FLAG; - uint16 caplen = - RDP_CAPLEN_GENERAL + RDP_CAPLEN_BITMAP + RDP_CAPLEN_ORDER + - RDP_CAPLEN_COLCACHE + RDP_CAPLEN_ACTIVATE + RDP_CAPLEN_CONTROL + RDP_CAPLEN_SHARE + RDP_CAPLEN_BRUSHCACHE + 0x58 + 0x08 + 0x08 + 0x34 /* unknown caps */ + - 4 /* w2k fix, sessionid */ ; - - if (g_use_rdp5) { - caplen += RDP_CAPLEN_BMPCACHE2; - caplen += RDP_CAPLEN_NEWPOINTER; - } else { - caplen += RDP_CAPLEN_BMPCACHE; - caplen += RDP_CAPLEN_POINTER; - } - - s = sec_init(sec_flags, 6 + 14 + caplen + sizeof(RDP_SOURCE)); - - out_uint16_le(s, 2 + 14 + caplen + sizeof(RDP_SOURCE)); - out_uint16_le(s, (RDP_PDU_CONFIRM_ACTIVE | 0x10)); /* Version 1 */ - out_uint16_le(s, (g_mcs_userid + 1001)); - - out_uint32_le(s, g_rdp_shareid); - out_uint16_le(s, 0x3ea); /* userid */ - out_uint16_le(s, sizeof(RDP_SOURCE)); - out_uint16_le(s, caplen); - - out_uint8p(s, RDP_SOURCE, sizeof(RDP_SOURCE)); - out_uint16_le(s, 0xe); /* num_caps */ - out_uint8s(s, 2); /* pad */ - - rdp_out_general_caps(s); - rdp_out_bitmap_caps(s); - rdp_out_order_caps(s); - if (g_use_rdp5) { - rdp_out_bmpcache2_caps(s); - rdp_out_newpointer_caps(s); - } else { - rdp_out_bmpcache_caps(s); - rdp_out_pointer_caps(s); - } - - rdp_out_colcache_caps(s); - rdp_out_activate_caps(s); - rdp_out_control_caps(s); - rdp_out_share_caps(s); - rdp_out_brushcache_caps(s); - - rdp_out_unknown_caps(s, 0x0d, 0x58, caps_0x0d); /* CAPSTYPE_INPUT */ - rdp_out_unknown_caps(s, 0x0c, 0x08, caps_0x0c); /* CAPSTYPE_SOUND */ - rdp_out_unknown_caps(s, 0x0e, 0x08, caps_0x0e); /* CAPSTYPE_FONT */ - rdp_out_unknown_caps(s, 0x10, 0x34, caps_0x10); /* CAPSTYPE_GLYPHCACHE */ - - s_mark_end(s); - sec_send(s, sec_flags); -} - -/* Process a general capability set */ -static void rdp_process_general_caps(STREAM s) { - uint16 pad2octetsB; /* rdp5 flags? 
*/ - - in_uint8s(s, 10); - in_uint16_le(s, pad2octetsB); - if (!pad2octetsB) - g_use_rdp5 = False; -} - -/* Process a bitmap capability set */ -static void rdp_process_bitmap_caps(STREAM s) { - uint16 width, height, depth; - - in_uint16_le(s, depth); - in_uint8s(s, 6); - in_uint16_le(s, width); - in_uint16_le(s, height); - DEBUG(("setting desktop size and depth to: %dx%dx%d\n", width, height, depth)); -} - -/* Process server capabilities */ -static void rdp_process_server_caps(STREAM s, uint16 length) { - int32_t n; - uint8 *next, *start; - uint16 ncapsets, capset_type, capset_length; - - start = s->p; - - in_uint16_le(s, ncapsets); - in_uint8s(s, 2); /* pad */ - - for (n = 0; n < ncapsets; n++) { - if (s->p > start + length) - return; - - in_uint16_le(s, capset_type); - in_uint16_le(s, capset_length); - - next = s->p + capset_length - 4; - - switch (capset_type) { - case RDP_CAPSET_GENERAL: - rdp_process_general_caps(s); - break; - - case RDP_CAPSET_BITMAP: - rdp_process_bitmap_caps(s); - break; - } - - s->p = next; - } -} - -/* Respond to a demand active PDU */ -static void process_demand_active(STREAM s) { - uint8 type; - uint16 len_src_descriptor, len_combined_caps; - - in_uint32_le(s, g_rdp_shareid); - in_uint16_le(s, len_src_descriptor); - in_uint16_le(s, len_combined_caps); - in_uint8s(s, len_src_descriptor); - - DEBUG(("DEMAND_ACTIVE(id=0x%x)\n", g_rdp_shareid)); - rdp_process_server_caps(s, len_combined_caps); - - rdp_send_confirm_active(); - rdp_send_synchronise(); - rdp_send_control(RDP_CTL_COOPERATE); - rdp_send_control(RDP_CTL_REQUEST_CONTROL); - rdp_recv(&type); /* RDP_PDU_SYNCHRONIZE */ - rdp_recv(&type); /* RDP_CTL_COOPERATE */ - rdp_recv(&type); /* RDP_CTL_GRANT_CONTROL */ - rdp_send_input(0, 0, 0, 0, 0); /* RDP_INPUT_SYNCHRONIZE */ - // here? XXX TODO BUGFIX - - if (g_use_rdp5) { - rdp_send_fonts(3); - } else { - rdp_send_fonts(1); - rdp_send_fonts(2); - } - - rdp_recv(&type); /* RDP_PDU_UNKNOWN 0x28 (Fonts?) 
*/ - reset_order_state(); -} - -/* Process an update PDU */ -static void process_update_pdu(STREAM s) { - uint16 update_type, count; - - in_uint16_le(s, update_type); - - //ui_begin_update(); - switch (update_type) { - case RDP_UPDATE_ORDERS: - in_uint8s(s, 2); /* pad */ - in_uint16_le(s, count); - in_uint8s(s, 2); /* pad */ - process_orders(s, count); - break; - - case RDP_UPDATE_BITMAP: - //process_bitmap_updates(s); - break; - - case RDP_UPDATE_PALETTE: - //process_palette(s); - break; - - case RDP_UPDATE_SYNCHRONIZE: - break; - - default: - unimpl("update %d\n", update_type); - } -} - - -/* Process a disconnect PDU */ -void process_disconnect_pdu(STREAM s, uint32 * ext_disc_reason) { - in_uint32_le(s, *ext_disc_reason); - - DEBUG(("Received disconnect PDU\n")); -} - -/* Process data PDU */ -static BOOL process_data_pdu(STREAM s, uint32 * ext_disc_reason) { - uint8 data_pdu_type; - //uint8 ctype; - uint16 clen; - //uint32 len; - - in_uint8s(s, 6); /* shareid, pad, streamid */ - //in_uint16_le(s, len); - in_uint8(s, data_pdu_type); - //in_uint8(s, ctype); - in_uint16_le(s, clen); - clen -= 18; - - switch (data_pdu_type) { - case RDP_DATA_PDU_UPDATE: - process_update_pdu(s); - break; - - case RDP_DATA_PDU_CONTROL: - DEBUG(("Received Control PDU\n")); - break; - - case RDP_DATA_PDU_SYNCHRONISE: - DEBUG(("Received Sync PDU\n")); - break; - - case RDP_DATA_PDU_POINTER: - //process_pointer_pdu(s); - break; - - case RDP_DATA_PDU_BELL: - //ui_bell(); - break; - - case RDP_DATA_PDU_LOGON: - DEBUG(("Received Logon PDU\n")); - /* User logged on */ - login_result = LOGIN_SUCC; - return 1; - break; - - case RDP_DATA_PDU_DISCONNECT: - process_disconnect_pdu(s, ext_disc_reason); - - /* We used to return true and disconnect immediately here, but - * Windows Vista sends a disconnect PDU with reason 0 when - * reconnecting to a disconnected session, and MSTSC doesn't - * drop the connection. I think we should just save the status. 
- */ - break; - - default: - unimpl("data PDU %d\n", data_pdu_type); - } - return False; -} -#endif - int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be @@ -3247,9 +129,20 @@ int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *misc // 0 all OK // -1 error, hydra will exit, so print a good error message here + // Disable freerdp output + wLog* root = WLog_GetRoot(); + WLog_SetStringLogLevel(root, "OFF"); + + // Init freerdp instance + instance = freerdp_new(); + if (instance == NULL || freerdp_context_new(instance) == FALSE) { + hydra_report(stderr, "[ERROR] freerdp init failed\n"); + return -1; + } return 0; } void usage_rdp(const char* service) { printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n"); } +#endif diff --git a/hydra-redis.c b/hydra-redis.c index 76a6afb..c230453 100644 --- a/hydra-redis.c +++ b/hydra-redis.c @@ -15,7 +15,7 @@ int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, ch snprintf(pass_num, 50, "%d", pass_len); memset(buffer, 0, sizeof(buffer)); - sprintf(buffer, "*2\r\n$4\r\nAUTH\r\n$%.250s\r\n%.250s\r\n", pass_num, pass); + sprintf(buffer, "*2\r\n$4\r\nAUTH\r\n$%.50s\r\n%.250s\r\n", pass_num, pass); if (debug) hydra_report(stderr, "[DEBUG] Auth:\n %s\n", buffer); @@ -95,6 +95,7 @@ void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscp if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); 
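Review bot: The `default:` arm of the `run` switch loses its diagnostic: the commit deletes `hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");` while `start_rdp` now returns raw FreeRDP error codes from its own `default:` and prints them only when `verbose` is set, so a non-verbose run that hits a code not in `start_rdp`'s list exits with status 2 and no message at all. Keep a report here, e.g. `hydra_report(stderr, "[ERROR] Caught unknown return code %d, exiting!\n", run);` before `hydra_child_exit(2);`. In `case 3` the message is built as `"[ERROR] freerdp: %s\n", "The connection failed to establish."` — a literal passed through `%s` — which reads like a leftover from a `freerdp_get_last_error_string()` call; either pass the real error string or fold the text into the format. `service_rdp` starts in this hunk's leading context; everything after it in the old file is removed.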
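Review bot: `WLog_SetStringLogLevel(root, "OFF");` silences FreeRDP unconditionally, so even a debug run gets nothing from the library when a connection misbehaves; tie it to hydra's own flag, `WLog_SetStringLogLevel(root, debug ? "DEBUG" : "OFF");`, with a comment that FreeRDP's logger is otherwise noisy on stderr. When `freerdp_new()` succeeds but `freerdp_context_new()` fails, `instance` is left allocated on the `return -1` path — harmless since hydra exits on -1, but a `freerdp_free(instance);` before the return keeps the error path tidy. Since this runs once before the children are forked (per the comment above) and each child then drives `freerdp_connect` on its copy of `instance`, the global's declaration (in an earlier hunk) would benefit from a comment stating that it is initialized by `service_rdp_init` and used per-child after fork.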
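Review bot: The request is still assembled with `sprintf` into `buffer`; the `%.50s`/`%.250s` precisions bound the two arguments, but the overall bound depends on the size of `buffer`, which is declared outside the hunk and is not checked against the fixed prefix plus up to 300 bytes of arguments. `snprintf(buffer, sizeof(buffer), "*2\r\n$4\r\nAUTH\r\n$%.50s\r\n%.250s\r\n", pass_num, pass);` makes the bound explicit and matches the `snprintf(pass_num, 50, …)` call just above. Separately, the RESP bulk header `$%s` carries `pass_len`, the full password length, while `%.250s` truncates the payload, so an entry longer than 250 bytes produces a frame whose declared length does not match its body; clamp `pass_len` to the same limit (or skip such entries with a message) so header and body agree.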
@@ -128,7 +129,7 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi // performed once only. // return codes: // 0 - when the server is redis and it requires password - // 1 - when the server is not redis or when the server does not require password + // n - when the server is not redis or when the server does not require password int32_t sock = -1; int32_t myport = PORT_REDIS, mysslport = PORT_REDIS_SSL; @@ -150,7 +151,7 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi printf("[VERBOSE] Initial redis password authentication test and response test ...\n"); if (sock < 0) { hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", myport); - hydra_child_exit(1); + return 3; } // generating ping request as redis-cli if (debug) @@ -160,22 +161,22 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi // $4 // ping if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { - return 1; + return 2; } buf = hydra_receive_line(sock); if (debug) printf("[DEBUG] buf = %s\n", buf); // authentication test if (strstr(buf, "+PONG") != NULL) { // the server does not require password - hydra_report(stderr, "[!] The server does not require password.\n"); + hydra_report(stderr, "[!] The server %s does not require password.\n", hostname); free(buf); - return 1; + return 2; } // server response test if (strstr(buf, "-NOAUTH Authentication required") == NULL && strstr(buf, "-ERR operation not permitted") == NULL) { hydra_report(stderr, "[ERROR] The server is not redis, exit.\n"); free(buf); - return 1; + return 2; } if (verbose) printf("[VERBOSE] The redis server requires password.\n"); diff --git a/hydra-rpcap.c b/hydra-rpcap.c index 2fa4956..ff15956 100644 --- a/hydra-rpcap.c +++ b/hydra-rpcap.c 
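Review bot: In service_redis_init, `buf = hydra_receive_line(sock)` can return NULL (the hydra-rtsp.c hunk further down checks exactly that case), yet the rewritten return paths go straight into `strstr(buf, "+PONG")` and the `-NOAUTH`/`-ERR` tests, so a target that drops the connection after the PING dereferences NULL in the init function. Add `if (buf == NULL) { hydra_report(stderr, "[ERROR] no reply from redis server\n"); return 2; }` right after the receive; the same unchecked receive-then-`strstr` pattern is in the hydra-rpcap.c hunk below (`strstr(buf, "NULL authentication not permitted")`). The new `return 2` and `return 3` paths also leave `sock` open, which the old `hydra_child_exit(1)` path at least terminated; closing it with `hydra_disconnect(sock)` before returning would be tidier. The header comment `// n - when the server is not redis or when the server does not require password` would be more useful as `// 2 - not redis / no password required, 3 - could not connect`.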
@@ -111,6 +111,7 @@ void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, F if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); @@ -153,7 +154,7 @@ int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *mi buf = hydra_receive_line(sock); - if (strstr(buf, "NULL autentication not permitted") == NULL) { + if (strstr(buf, "NULL authentication not permitted") == NULL) { hydra_report(stderr, "[!] rpcap error or no need of authentication!\n"); free(buf); return 1; diff --git a/hydra-rtsp.c b/hydra-rtsp.c index e0eb6b5..444ba0c 100644 --- a/hydra-rtsp.c +++ b/hydra-rtsp.c @@ -78,10 +78,12 @@ void create_core_packet(int32_t control, char *ip, int32_t port) { } int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; - char *login, *pass, buffer[500], buffer2[500]; - + char *login, *pass, buffer[1030], buffer2[500]; char *lresp; + memset(buffer, 0, sizeof(buffer)); + memset(buffer2, 0, sizeof(buffer2)); + if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) @@ -95,12 +97,13 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha lresp = hydra_receive_line(s); if (lresp == NULL) { - fprintf(stderr, "[ERROR] no server reply"); + hydra_report(stderr, "[ERROR] no server reply\n"); return 1; } if (is_NotFound(lresp)) { - printf("[INFO] Server does not need credentials\n"); + free(lresp); + hydra_report(stderr, "[INFO] Server does not need credentials\n"); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { return 3; 
@@ -112,52 +115,63 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha if (use_Basic_Auth(lresp) == 1) { - sprintf(buffer2, "%.260s:%.260s", login, pass); + free(lresp); + sprintf(buffer2, "%.249s:%.249s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%sAuthorization: : Basic %s\r\n\r\n", packet2, buffer2); + sprintf(buffer, "%.500sAuthorization: : Basic %.500s\r\n\r\n", packet2, buffer2); if (debug) { hydra_report(stderr, "C:%s\n", buffer); } } + else { + if (use_Digest_Auth(lresp) == 1) { + char *dbuf = NULL; + char aux[500] = ""; + char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest "); - if (use_Digest_Auth(lresp) == 1) { - char *dbuf = NULL; - char aux[500] = ""; - - char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest "); - - strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); - aux[sizeof(aux) - 1] = '\0'; + strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux)); + aux[sizeof(aux) - 1] = '\0'; + free(lresp); #ifdef LIBOPENSSL - sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, ""); + sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, ""); #else - printf("[ERROR] Digest auth required but compiled without OpenSSL/MD5 support\n"); - return 3; + hydra_report(stderr, "[ERROR] Digest auth required but compiled without OpenSSL/MD5 support\n"); + return 3; #endif - if (dbuf == NULL) { - fprintf(stderr, "[ERROR] digest generation failed\n"); - return 3; - } - sprintf(buffer, "%sAuthorization: Digest %s\r\n\r\n", packet2, dbuf); + if (dbuf == NULL) { + hydra_report(stderr, "[ERROR] digest generation failed\n"); + return 3; + } + sprintf(buffer, "%.500sAuthorization: Digest %.500s\r\n\r\n", packet2, dbuf); - if (debug) { - hydra_report(stderr, "C:%s\n", buffer); + if (debug) { + hydra_report(stderr, "C:%s\n", buffer); + } } } + if 
(strlen(buffer) == 0) { + hydra_report(stderr, "[ERROR] could not identify HTTP authentication used\n"); + return 1; + } + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } lresp = NULL; - lresp = hydra_receive_line(s); + + if (lresp == NULL) { + hydra_report(stderr, "[ERROR] no server reply\n"); + return 1; + } if ((is_NotFound(lresp))) { - + free(lresp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { @@ -165,8 +179,8 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha } return 1; - } + free(lresp); hydra_completed_pair(); } diff --git a/hydra-smb.c b/hydra-smb.c index 0337ffd..c46fd0f 100644 --- a/hydra-smb.c +++ b/hydra-smb.c @@ -1212,7 +1212,7 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; - strcpy(ipaddr_str, hydra_address2string(ip)); + strncpy(ipaddr_str, hydra_address2string(ip), sizeof(ipaddr_str) - 1); SMBSessionRet = SMBSessionSetup(s, login, pass, miscptr); if (SMBSessionRet == -1) 
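Review bot: In the Digest branch of start_rtsp, `pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest ")` feeds `strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux))` with no NULL check, so a reply that satisfies use_Digest_Auth() but does not carry that exact header text crashes the child; guard it with `if (pbuffer == NULL) { free(lresp); hydra_report(stderr, "[ERROR] no Digest challenge in reply\n"); return 1; }`. `dbuf` is declared NULL and passed by value to `sasl_digest_md5(dbuf, ...)`, so unless that function returns the result, `dbuf` is still NULL afterwards and `if (dbuf == NULL) return 3;` always fires — worth confirming against the sasl_digest_md5 signature. The rewritten Basic line keeps the malformed header `Authorization: : Basic` (a stray `: `), which a strict server will reject. `hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2))` encodes up to 499 bytes (`%.249s:%.249s`) in place in a 500-byte array, while Base64 of that length needs 668 bytes, so correctness here rests on hydra_tobase64 refusing or truncating safely rather than on the buffer size.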
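Review bot: `strncpy(ipaddr_str, hydra_address2string(ip), sizeof(ipaddr_str) - 1)` in start_smb does not NUL-terminate when the source fills the buffer, and ipaddr_str is declared outside the hunk, so it is not visible whether it is zeroed beforehand; add `ipaddr_str[sizeof(ipaddr_str) - 1] = '\0';` after the copy, or use `snprintf(ipaddr_str, sizeof(ipaddr_str), "%s", hydra_address2string(ip))`. The equivalent `strncpy(bpass, password, sizeof(bpass) - 1)` in the hydra-snmp.c hunk is preceded by `memset(bpass, 0, sizeof(bpass))`, so that one stays terminated.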
@@ -1240,38 +1240,32 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char hydra_report(stderr, "[ERROR] Invalid parameter status received, either the account or the method used are not valid\n"); hydra_completed_pair_skip(); } else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote Connections Using NULL Passwords */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, GPO Disabling Remote Connections Using NULL Passwords\n"); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, GPO Disabling Remote Connections Using NULL Passwords\n", port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); } else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this computer from the network" */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, GPO Deny access to this computer from the network\n"); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, GPO Deny access to this computer from the network\n", port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); } else if (SMBerr == 0x000193) { /* Valid password, account expired */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, account expired\n"); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, account expired\n", port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); } else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, account expired */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, password expired and must be changed on next logon\n"); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, password expired and must be changed on next logon\n", port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); } else if ((SMBerr == 
0x00006F) || (SMBerr == 0xC10002)) { /* Invalid logon hours */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, but logon hours invalid\n"); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, but logon hours invalid\n", port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); } else if (SMBerr == 0x050001) { /* AS/400 -- Incorrect password */ - if (verbose) - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: Incorrect password or account disabled\n", port, ipaddr_str, login); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Error: Incorrect password or account disabled\n", port, ipaddr_str, login); if ((miscptr) && (strstr(miscptr, "LM"))) hydra_report(stderr, "[INFO] LM dialect may be disabled, try LMV2 instead\n"); hydra_completed_pair_skip(); } else if (SMBerr == 0x000024) { /* change password on next login [success] */ - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login); hydra_completed_pair_found(); } else if (SMBerr == 0x00006D) { /* STATUS_LOGON_FAILURE */ hydra_completed_pair(); diff --git a/hydra-smtp-enum.c b/hydra-smtp-enum.c index ebcd379..c26ac63 100644 --- a/hydra-smtp-enum.c +++ b/hydra-smtp-enum.c @@ -216,8 +216,8 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt smtp_enum_cmd = RCPT; } if (debug) { + hydra_report(stdout, "[VERBOSE] "); switch (smtp_enum_cmd) { - hydra_report(stdout, "[VERBOSE] "); case VRFY: hydra_report(stdout, "using SMTP VRFY command\n"); break; diff --git a/hydra-snmp.c b/hydra-snmp.c index 5ffc4ef..a9adb17 100644 --- a/hydra-snmp.c +++ b/hydra-snmp.c 
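Review bot: The five `Valid password, ...` reports and the AS/400 `Error: Incorrect password or account disabled` report in start_smb now print unconditionally to stdout where the old code printed them to stderr only under `if (verbose)`; each `Valid password` line is immediately followed by `hydra_report_found_host(port, ip, "smb", fp)`, which presumably emits the found pair itself, so every such hit is reported twice on the console (once without the password) and the explanatory line never reaches `fp` when -o is used. Either restore the `if (verbose)` guard or send the explanation to stderr, e.g. `hydra_report(stderr, "[INFO] ...")`. The `SMBerr == 0x000024` branch at the end of the hunk prints `Error: ACCOUNT_CHANGE_PASSWORD` and calls `hydra_completed_pair_found()` but not `hydra_report_found_host()`, unlike the other success branches — if it counts as a valid password it should be reported the same way, otherwise it should not be counted as found. The enclosing if/else chain continues past the hunk.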
@@ -111,7 +111,7 @@ void password_to_key_md5(u_char * password, /* IN */ if (mylen < 8) { memset(bpass, 0, sizeof(bpass)); - strcpy(bpass, password); + strncpy(bpass, password, sizeof(bpass) - 1); while (mylen < 8) { strcat(bpass, password); mylen += passwordlen; diff --git a/hydra-ssh.c b/hydra-ssh.c index 2f1d2d5..1ca2815 100644 --- a/hydra-ssh.c +++ b/hydra-ssh.c @@ -126,6 +126,7 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL ssh_finalize(); ssh_free(session); hydra_child_exit(0); + break; case 3: ssh_disconnect(session); ssh_finalize(); @@ -133,12 +134,14 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL if (verbose) fprintf(stderr, "[ERROR] ssh protocol error\n"); hydra_child_exit(2); + break; case 4: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh target does not support password auth\n"); hydra_child_exit(2); + break; default: ssh_disconnect(session); ssh_finalize(); diff --git a/hydra-sshkey.c b/hydra-sshkey.c index a9b85b2..7a51389 100644 --- a/hydra-sshkey.c +++ b/hydra-sshkey.c @@ -124,18 +124,21 @@ void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, ssh_finalize(); ssh_free(session); hydra_child_exit(0); + break; case 3: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh protocol error\n"); hydra_child_exit(2); + break; case 4: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh target does not support pubkey auth\n"); hydra_child_exit(2); + break; default: ssh_disconnect(session); ssh_finalize(); diff --git a/hydra-svn.c b/hydra-svn.c index 207b32f..91d8503 100644 --- a/hydra-svn.c +++ b/hydra-svn.c @@ -6,12 +6,19 @@ /* needed on openSUSE */ #define _GNU_SOURCE +#if !defined PATH_MAX && defined HAVE_SYS_PARAM_H +#include +#endif + +#include #include #include #include #include #include +#if SVN_VER_MINOR > 7 #include +#endif #endif 
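Review bot: In the hydra-svn.c header hunk, `#if SVN_VER_MINOR > 7` around the extra include only works if the header that defines SVN_VER_MINOR is already included above it; the include file names in this hunk were lost in rendering, so that ordering cannot be confirmed here. If the macro is undefined at that point the preprocessor silently evaluates it as 0 and the include is skipped on every version, which would only surface as a confusing compile error later. An explicit `#include <svn_version.h>` before the first `#if SVN_VER_MINOR` test, or `#ifndef SVN_VER_MINOR` `#error "svn_version.h not included"` `#endif`, would make the dependency visible.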
@@ -54,7 +61,9 @@ int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char //int32_t ipv6 = 0; char URL[1024]; char URLBRANCH[256]; + #if SVN_VER_MINOR > 7 const char *canonical; + #endif apr_pool_t *pool; svn_error_t *err; svn_opt_revision_t revision; @@ -78,17 +87,23 @@ int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char err = svn_config_ensure(NULL, pool); if (err) { + svn_pool_destroy(pool); svn_handle_error2(err, stderr, FALSE, "hydra: "); return 4; } - //if ((err = svn_client_create_context(&ctx, pool))) { +#if SVN_VER_MINOR > 7 if ((err = svn_client_create_context2(&ctx, NULL, pool))) { +#else + if ((err = svn_client_create_context(&ctx, pool))) { +#endif + svn_pool_destroy(pool); svn_handle_error2(err, stderr, FALSE, "hydra: "); return 4; } if ((err = svn_config_get_config(&(ctx->config), NULL, pool))) { + svn_pool_destroy(pool); svn_handle_error2(err, stderr, FALSE, "hydra: "); return 4; } 
@@ -105,11 +120,16 @@ int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char revision.kind = svn_opt_revision_head; snprintf(URL, sizeof(URL), "svn://%s:%d/%s", hydra_address2string_beautiful(ip), port, URLBRANCH); dirents = SVN_DIRENT_KIND; + #if SVN_VER_MINOR > 9 + canonical = svn_uri_canonicalize(URL, pool); + err = svn_client_list4(canonical, &revision, &revision, NULL, svn_depth_unknown, dirents, FALSE, FALSE, (svn_client_list_func2_t) print_dirdummy, NULL, ctx, pool); + #elif SVN_VER_MINOR > 7 canonical = svn_uri_canonicalize(URL, pool); - //err = svn_client_list2(canonical, &revision, &revision, svn_depth_unknown, dirents, FALSE, print_dirdummy, NULL, ctx, pool); err = svn_client_list3(canonical, &revision, &revision, svn_depth_unknown, dirents, FALSE, FALSE, (svn_client_list_func2_t) print_dirdummy, NULL, ctx, pool); + #else + err = svn_client_list2(URL, &revision, &revision, svn_depth_unknown, dirents, FALSE, print_dirdummy, NULL, ctx, pool); + #endif - svn_pool_clear(pool); svn_pool_destroy(pool); if (err) { @@ -207,6 +227,14 @@ int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *misc // 0 all OK // -1 error, hydra will exit, so print a good error message here +#ifdef LIBSVN + if (verbose) + hydra_report(stderr, "[VERBOSE] detected subversion library v%d.%d\n", SVN_VER_MAJOR, SVN_VER_MINOR); + if (SVN_VER_MAJOR != 1 && SVN_VER_MINOR >= 5) { + hydra_report(stderr, "[ERROR] unsupported subversion library v%d.%d, exiting!\n", SVN_VER_MAJOR, SVN_VER_MINOR); + return -1; + } +#endif return 0; } diff --git a/hydra-vmauthd.c b/hydra-vmauthd.c index 95ba53f..06f656f 100644 --- a/hydra-vmauthd.c +++ b/hydra-vmauthd.c @@ -134,6 +134,7 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); 
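Review bot: `if (SVN_VER_MAJOR != 1 && SVN_VER_MINOR >= 5)` in service_svn_init cannot reject anything built against a 1.x library and rejects a 2.x library only when its minor is ≥ 5, which contradicts the "unsupported subversion library" message; presumably the intent is to accept 1.5 and later only, i.e. `if (SVN_VER_MAJOR != 1 || SVN_VER_MINOR < 5)`. Since both operands are compile-time constants, an `#if` with the same condition would catch the mismatch at build time instead of at the first run. The -105 hunk above selects between `svn_client_list4`, `svn_client_list3` and `svn_client_list2` by `SVN_VER_MINOR` alone, so the major-version assumption is baked in there as well. The enclosing function continues past the hunk.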
diff --git a/hydra-vnc.c b/hydra-vnc.c index 6dc3cdd..4d9d706 100644 --- a/hydra-vnc.c +++ b/hydra-vnc.c @@ -77,6 +77,7 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char case 0x0: hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]); hydra_child_exit(0); + break; case 0x1: hydra_report(fp, "VNC server does not require authentication.\n"); if (fp != stdout) @@ -84,6 +85,7 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char hydra_report_found_host(port, ip, "vnc", fp); hydra_completed_pair_found(); hydra_child_exit(2); + break; case 0x2: //VNC security type supported is the only type supported for now if (vnc_client_version == RFB37) { @@ -108,7 +110,7 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char } break; default: - hydra_report(stderr, "[ERROR] unknown VNC security type\n"); + hydra_report(stderr, "[ERROR] unknown VNC security type 0x%x\n", buf2[3]); hydra_child_exit(2); } @@ -194,8 +196,8 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } if (verbose) hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf); - if (((strstr(buf, "RFB 004.001") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) { - //using proto version 003.008 to talk to server 004.001 same for 3.7 and 3.8 + if (((strstr(buf, "RFB 005.000") != NULL) || (strstr(buf, "RFB 004") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) { + //using proto version 003.007 to talk to server 005.xxx and 004.xxx same for 3.7 and 3.8 vnc_client_version = RFB37; free(buf); buf = strdup("RFB 003.007\n"); diff --git a/hydra.1 b/hydra.1 index 37ddf3e..b8033b7 100644 --- a/hydra.1 +++ b/hydra.1 
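Review bot: `hydra_report(stderr, "[ERROR] unknown VNC security type 0x%x\n", buf2[3])` passes one element of buf2, which is declared outside the hunk; if it is a plain `char` array, a security-type byte ≥ 0x80 is sign-extended and prints as something like 0xffffff80, so cast it: `(unsigned char) buf2[3]`. The relaxed banner test `strstr(buf, "RFB 004")` now matches any 004.xxx banner, which is what the updated comment says is intended; a note that servers answering 005.000 are also driven with the 003.007 protocol would belong in the same comment. start_vnc continues outside the hunk.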
@@ -1,6 +1,6 @@ .TH "HYDRA" "1" "01/01/2019" .SH NAME -hydra \- a very fast network logon cracker which support many different services +hydra \- a very fast network logon cracker which supports many different services .SH SYNOPSIS .B hydra [[[\-l LOGIN|\-L FILE] [\-p PASS|\-P FILE|\-x OPT \-y]] | [\-C FILE]] diff --git a/hydra.c b/hydra.c index 01fd321..a6b052b 100644 --- a/hydra.c +++ b/hydra.c @@ -30,6 +30,7 @@ void usage_svn(const char* service); void usage_ncp(const char* service); void usage_firebird(const char* service); void usage_mysql(const char* service); +void usage_mongodb(const char* service); void usage_irc(const char* service); void usage_postgres(const char* service); void usage_telnet(const char* service); @@ -109,6 +110,8 @@ extern void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char extern int32_t service_oracle_sid_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); extern void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); extern int32_t service_sip_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +#endif +#ifdef LIBFREERDP2 extern void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); extern int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); #endif 
@@ -146,7 +149,14 @@ extern int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, extern void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); extern int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); #endif - +#ifdef LIBMCACHED +extern void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern int32_t service_mcached_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +#endif +#ifdef LIBMONGODB +extern void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern int32_t service_mongodb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +#endif extern int32_t service_adam6500_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); extern int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); 
@@ -186,7 +196,7 @@ extern int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, c // ADD NEW SERVICES HERE char *SERVICES = - "adam6500 asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp"; + "adam6500 asterisk afp cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp"; #define MAXBUF 520 #define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 ) @@ -204,9 +214,11 @@ char *SERVICES = #define RESTOREFILE "./hydra.restore" #define PROGRAM "Hydra" -#define VERSION "v8.8" +#define VERSION "v9.1-dev" #define AUTHOR "van Hauser/THC" #define EMAIL "" +#define AUTHOR2 "David Maciejak" +#define EMAIL2 "" #define RESOURCE "https://github.com/vanhauser-thc/thc-hydra" extern char *hydra_strcasestr(const char *haystack, const char *needle); @@ -295,7 +307,7 @@ typedef struct { } hydra_portlist; // external vars -extern char HYDRA_EXIT[5]; +extern char *HYDRA_EXIT; #if !defined(ANDROID) && !defined(__BIONIC__) extern int32_t errno; #endif 
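Review bot: Changing `extern char HYDRA_EXIT[5];` to `extern char *HYDRA_EXIT;` changes what `&HYDRA_EXIT` and `sizeof(HYDRA_EXIT)` mean in comparisons of the form `memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))` (one is visible in the hydra-rtsp.c hunk above): with a pointer they compare pointer-sized bytes of the variable itself rather than the 5-byte marker. This is only correct if the translation unit that defines HYDRA_EXIT (hydra-mod.c, not in this diff) uses the same pointer form and the modules' comparisons were written for it; declaring it as an array in one file and defining it as a pointer in another is undefined behaviour, which is presumably what this line fixes. A comment such as `// must match the definition in hydra-mod.c` next to the declaration, or moving it into a shared header so it is declared once, would stop the two from drifting again.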
@@ -381,7 +393,13 @@ static const struct { { "ldap3", service_ldap_init, service_ldap3, usage_ldap }, { "ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5, usage_ldap }, { "ldap3-digestmd5", service_ldap_init, service_ldap3_digest_md5, usage_ldap }, +#ifdef LIBMCACHED + {"memcached", service_mcached_init, service_mcached, NULL}, +#endif SERVICE(mssql), +#ifdef LIBMONGODB +SERVICE3("mongodb", mongodb), +#endif #ifdef HAVE_MATH_H SERVICE3("mysql", mysql), #endif @@ -404,7 +422,7 @@ static const struct { #endif SERVICE(redis), SERVICE(rexec), -#ifdef LIBOPENSSL +#ifdef LIBFREERDP2 SERVICE3("rdp", rdp), #endif SERVICE(rlogin), @@ -459,7 +477,7 @@ void help(int32_t ext) { #ifdef HAVE_MATH_H " [-x MIN:MAX:CHARSET]" #endif - " [-c TIME] [-ISOuvVd46] " + " [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] " //"[server service [OPT]]|" "[service://server[:PORT][/OPT]]\n"); PRINT_NORMAL(ext, "\nOptions:\n"); @@ -493,10 +511,12 @@ void help(int32_t ext) { " -4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)\n" " -v / -V / -d verbose mode / show login+pass for each attempt / debug mode \n" " -O use old SSL v2 and v3\n" + " -K do not redo failed attempts (good for -M mass scanning)\n" " -q do not print messages about connection errors\n", MAXTASKS, WAITTIME, conwait ); PRINT_NORMAL(ext, " -U service module usage details\n" + " -m OPT options specific for a module, see -U output for information\n" " -h more command line options (COMPLETE HELP)\n" " server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)\n" " service the service to crack (see below for supported protocols)\n" 
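Review bot: The new table entry `{"memcached", service_mcached_init, service_mcached, NULL}` is the only one in this hunk with a NULL usage callback, whereas `SERVICE3("mongodb", mongodb)` presumably wires up the `usage_mongodb` declared in the -30 hunk. Unless the `-U` handler checks the pointer before calling it, `hydra -U memcached` will call NULL; either add a usage_mcached function or confirm that check exists. If the NULL is deliberate, a trailing `/* no module options */` comment on that line would document it.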
@@ -575,7 +595,7 @@ void hydra_debug(int32_t force, char *string) { if (!debug && !force) return; - printf("[DEBUG] Code: %s Time: %lu\n", string, (uint64_t) time(NULL)); + printf("[DEBUG] Code: %s Time: %" hPRIu64 "\n", string, (uint64_t) time(NULL)); printf("[DEBUG] Options: mode %d ssl %d restore %d showAttempt %d tasks %d max_use %d tnp %d tpsal %d tprl %d exit_found %d miscptr %s service %s\n", hydra_options.mode, hydra_options.ssl, hydra_options.restore, hydra_options.showAttempt, hydra_options.tasks, hydra_options.max_use, @@ -583,7 +603,7 @@ void hydra_debug(int32_t force, char *string) { hydra_options.try_password_reverse_login, hydra_options.exit_found, STR_NULL(hydra_options.miscptr), hydra_options.service); - printf("[DEBUG] Brains: active %d targets %d finished %d todo_all %lu todo %lu sent %lu found %lu countlogin %lu sizelogin %lu countpass %lu sizepass %lu\n", + printf("[DEBUG] Brains: active %d targets %d finished %d todo_all %" hPRIu64 " todo %" hPRIu64 " sent %" hPRIu64 " found %" hPRIu64 " countlogin %" hPRIu64 " sizelogin %" hPRIu64 " countpass %" hPRIu64 " sizepass %" hPRIu64 "\n", hydra_brains.active, hydra_brains.targets, hydra_brains.finished, hydra_brains.todo_all + total_redo_count, hydra_brains.todo, hydra_brains.sent, hydra_brains.found, 
@@ -595,7 +615,7 @@ void hydra_debug(int32_t force, char *string) { for (i = 0; i < hydra_brains.targets; i++) { hydra_target* target = hydra_targets[i]; printf - ("[DEBUG] Target %d - target %s ip %s login_no %lu pass_no %lu sent %lu pass_state %d redo_state %d (%d redos) use_count %d failed %d done %d fail_count %d login_ptr %s pass_ptr %s\n", + ("[DEBUG] Target %d - target %s ip %s login_no %" hPRIu64 " pass_no %" hPRIu64 " sent %" hPRIu64 " pass_state %d redo_state %d (%d redos) use_count %d failed %d done %d fail_count %d login_ptr %s pass_ptr %s\n", i, STR_NULL(target->target), hydra_address2string_beautiful(target->ip), target->login_no, target->pass_no, target->sent, target->pass_state, target->redo_state, target->redo, @@ -649,7 +669,7 @@ void hydra_restore_write(int32_t print_msg) { } if ((f = fopen(RESTOREFILE, "w")) == NULL) { - fprintf(stderr, "[ERROR] Can not create restore file (%s) - \n", RESTOREFILE); + fprintf(stderr, "[ERROR] Can not create restore file (%s) - ", RESTOREFILE); perror(""); process_restore = 0; return; @@ -1027,15 +1047,17 @@ void fill_mem(char *ptr, FILE * fd, int32_t colonmode) { char tmp[MAXBUF + 4] = "", *ptr2; uint32_t len; int32_t only_one_empty_line = 0; + +int read_flag = 0; #ifdef HAVE_ZLIB gzFile fp = gzdopen(fileno(fd), "r"); - while (!gzeof(fp)) { + while (!gzeof(fp) && !read_flag) { if (gzgets(fp, tmp, MAXLINESIZE) != NULL) { #else FILE *fp = fd; - while (!feof(fp)) { + while (!feof(fp) && !read_flag) { if (fgets(tmp, MAXLINESIZE, fp) != NULL) { #endif if (tmp[0] != 0) { @@ -1063,6 +1085,8 @@ void fill_mem(char *ptr, FILE * fd, int32_t colonmode) { ptr++; } } + } else { + read_flag = 1; } } #ifdef HAVE_ZLIB 
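Review bot: `int read_flag = 0;` in fill_mem is placed at column 0 inside an indented declaration list and uses `int` where the neighbouring declarations use `int32_t` (`int32_t only_one_empty_line = 0;` two lines above); write it as `  int32_t read_flag = 0;` with the same indentation as its siblings. A one-line comment on the new `} else { read_flag = 1; }` branch, e.g. `/* gets() failed (EOF or error): stop instead of spinning until eof */`, would explain why both loop conditions now also test the flag. fill_mem continues past the hunk.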
@@ -1111,8 +1135,17 @@ void hydra_service_init(int32_t target_no) { else hydra_targets[target_no]->done = TARGET_ERROR; hydra_brains.finished++; - if (hydra_brains.targets == 1) + if (hydra_brains.targets == 1) { + if (hydra_brains.ofp != NULL && hydra_brains.ofp != stdout) { + if (hydra_options.outfile_format == FORMAT_JSONV1) { + char json_error[120]; + snprintf(json_error, sizeof(json_error), "[ERROR] unexpected result connecting to target %s port %d", hydra_address2string_beautiful(t->ip), t->port); + fprintf(hydra_brains.ofp, "\n\t],\n\"success\": false,\n\"errormessages\": [ \"%s\" ],\n\"quantityfound\": %" hPRIu64 " }\n", json_error, hydra_brains.found); + } + fclose(hydra_brains.ofp); + } exit(-1); + } } } @@ -1240,6 +1273,8 @@ int32_t hydra_lookup_port(char *service) { {"oracle-listener", PORT_ORACLE, PORT_ORACLE_SSL}, {"oracle-sid", PORT_ORACLE, PORT_ORACLE_SSL}, {"oracle", PORT_ORACLE, PORT_ORACLE_SSL}, + {"memcached", PORT_MCACHED, PORT_MCACHED_SSL}, + {"mongodb", PORT_MONGODB, PORT_MONGODB}, {"mssql", PORT_MSSQL, PORT_MSSQL_SSL}, {"mysql", PORT_MYSQL, PORT_MYSQL_SSL}, {"postgres", PORT_POSTGRES, PORT_POSTGRES_SSL}, @@ -1348,7 +1383,7 @@ void hydra_kill_head(int32_t head_no, int32_t killit, int32_t fail) { void hydra_increase_fail_count(int32_t target_no, int32_t head_no) { int32_t i, k, maxfail = 0; - if (target_no < 0) + if (target_no < 0 || hydra_options.skip_redo) return; if (hydra_targets[target_no]->ok) { @@ -1370,6 +1405,7 @@ void hydra_increase_fail_count(int32_t target_no, int32_t head_no) { if (k <= 1) { // we need to put this in a list, otherwise we fail one login+pw test if (hydra_targets[target_no]->done == TARGET_ACTIVE + && hydra_options.skip_redo == 0 && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { 
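Review bot: In hydra_service_init the new JSON footer inserts `json_error` into a JSON string literal via `\"%s\"` with no escaping, and json_error contains the raw target name from `hydra_address2string_beautiful(t->ip)`; a target given on the command line or in an -M file that contains `"` or `\` therefore produces an invalid output file, so the value should go through whatever escaping the other JSON writers in this file apply (or such characters should be rejected). `json_error[120]` also truncates long hostnames silently — check the `snprintf` return value or size the buffer from the target name. `t` is not declared in the hunk; presumably it is the target pointer of the enclosing function, which starts outside the hunk.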
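Review bot: `if (target_no < 0 || hydra_options.skip_redo) return;` at the top of hydra_increase_fail_count returns before any of the function's logic, so the `&& hydra_options.skip_redo == 0` terms added later in this hunk and in the -1402 hunk below can never be false and are dead. More importantly, the early return also skips the failure counting itself (the function name and the `maxfail` local suggest it decides when a head or target is given up on), so with -K a target that never answers may no longer be abandoned; if the intent of -K is only "do not queue the pair for a redo", drop the early return and keep the two inner checks. The enclosing function continues beyond the hunk.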
@@ -1402,6 +1438,7 @@ void hydra_increase_fail_count(int32_t target_no, int32_t head_no) { } else { // we need to put this in a list, otherwise we fail one login+pw test if (hydra_targets[target_no]->done == TARGET_ACTIVE + && hydra_options.skip_redo == 0 && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { 
@@ -1508,14 +1545,14 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { if (debug) printf - ("[DEBUG] send_next_pair_init target %d, head %d, redo %d, redo_state %d, pass_state %d. loop_mode %d, curlogin %s, curpass %s, tlogin %s, tpass %s, logincnt %lu/%lu, passcnt %lu/%lu, loop_cnt %d\n", + ("[DEBUG] send_next_pair_init target %d, head %d, redo %d, redo_state %d, pass_state %d. loop_mode %d, curlogin %s, curpass %s, tlogin %s, tpass %s, logincnt %" hPRIu64 "/%" hPRIu64 ", passcnt %" hPRIu64 "/%" hPRIu64 ", loop_cnt %d\n", target_no, head_no, hydra_targets[target_no]->redo, hydra_targets[target_no]->redo_state, hydra_targets[target_no]->pass_state, hydra_options.loop_mode, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, hydra_targets[target_no]->pass_ptr, hydra_targets[target_no]->login_no, hydra_brains.countlogin, hydra_targets[target_no]->pass_no, hydra_brains.countpass, loop_cnt); if (loop_cnt > (hydra_brains.countlogin * 2) + 1 && loop_cnt > (hydra_brains.countpass * 2) + 1) { if (debug) - printf("[DEBUG] too many loops in send_next_pair, returning -1 (loop_cnt %d, sent %lu, todo %lu)\n", loop_cnt, hydra_targets[target_no]->sent, hydra_brains.todo); + printf("[DEBUG] too many loops in send_next_pair, returning -1 (loop_cnt %d, sent %" hPRIu64 ", todo %" hPRIu64 ")\n", loop_cnt, hydra_targets[target_no]->sent, hydra_brains.todo); return -1; } 
@@ -1525,7 +1562,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { snpdone = 1; } else { if (debug && (hydra_heads[head_no]->current_login_ptr != NULL || hydra_heads[head_no]->current_pass_ptr != NULL)) - printf("[COMPLETED] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu\n", + printf("[COMPLETED] target %s - login \"%s\" - pass \"%s\" - child %d - %" hPRIu64 " of %" hPRIu64 "\n", hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo); hydra_heads[head_no]->redo = 0; @@ -1835,7 +1872,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { return 0; // not prevent disabling it, if its needed its already done in the above line } if (debug || hydra_options.showAttempt) { - printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %lu of %lu [child %d] (%d/%d)\n", + printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %" hPRIu64 " of %" hPRIu64 " [child %d] (%d/%d)\n", hydra_targets[target_no]->redo_state ? "REDO-" : snp_is_redo ? "RE-" : "", hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no, hydra_targets[target_no]->redo_state ? hydra_targets[target_no]->redo_state - 1 : 0, hydra_targets[target_no]->redo); } @@ -2047,7 +2084,7 @@ void process_proxy_line(int32_t type, char *string) { } int main(int argc, char *argv[]) { - char *proxy_string = NULL, *device = NULL, *memcheck, *cmdtarget = NULL; + char *proxy_string = NULL, *device = NULL, *memcheck; char *outfile_format_tmp; FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp; size_t countinfile = 1, sizeinfile = 0; 
@@ -2064,7 +2101,7 @@ int main(int argc, char *argv[]) { struct sockaddr_in6 *ipv6 = NULL; struct sockaddr_in *ipv4 = NULL; - printf("%s %s (c) 2019 by %s - Please do not use in military or secret service organizations, or for illegal purposes.\n\n", PROGRAM, VERSION, AUTHOR); + printf("%s %s (c) 2019 by %s & %s - Please do not use in military or secret service organizations, or for illegal purposes.\n\n", PROGRAM, VERSION, AUTHOR, AUTHOR2); #ifndef LIBAFP SERVICES = hydra_string_replace(SERVICES, "afp ", ""); strcat(unsupported, "afp "); @@ -2073,6 +2110,14 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "firebird ", ""); strcat(unsupported, "firebird "); #endif +#ifndef LIBMCACHED + SERVICES = hydra_string_replace(SERVICES, "memcached ", ""); + strcat(unsupported, "memcached "); +#endif +#ifndef LIBMONGODB + SERVICES = hydra_string_replace(SERVICES, "mongodb ", ""); + strcat(unsupported, "mongodb "); +#endif #ifndef LIBMYSQLCLIENT SERVICES = hydra_string_replace(SERVICES, "mysql ", "mysql(v4) "); strcat(unsupported, "mysql5 "); @@ -2107,9 +2152,10 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "svn ", ""); strcat(unsupported, "svn "); #endif + #ifndef LIBOPENSSL // for ftps - SERVICES = hydra_string_replace(SERVICES, " ftps", ""); + SERVICES = hydra_string_replace(SERVICES, "ftp[s]", "ftp"); // for pop3 SERVICES = hydra_string_replace(SERVICES, "pop3[s]", "pop3"); // for imap @@ -2126,8 +2172,6 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "[-{cram|digest}md5]", ""); // for sip SERVICES = hydra_string_replace(SERVICES, " sip", ""); - // for rdp - SERVICES = hydra_string_replace(SERVICES, " rdp", ""); // for oracle-listener SERVICES = hydra_string_replace(SERVICES, " oracle-listener", ""); // general 
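Review bot: The two new `strcat(unsupported, "memcached ")` / `strcat(unsupported, "mongodb ")` calls in the `@@ -2073` hunk append to a buffer whose declaration is outside the hunk, so its capacity cannot be checked from here; every added module raises the worst-case length, which is only reached when most optional libraries are absent — the build configuration least likely to be tested. Worth confirming the declared size against the longest possible concatenation, or, if `unsupported` is an array, bounding the new lines with `strncat(unsupported, "memcached ", sizeof(unsupported) - strlen(unsupported) - 1);`. In the `@@ -2107` hunk the old removal of `" ftps"` becomes a rewrite of `"ftp[s]"` to `"ftp"`, which is only correct if the SERVICES literal now spells the entry as `ftp[s]`; that literal is not visible in this diff. `main` starts and ends outside these hunks.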
@@ -2136,6 +2180,12 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, " oracle-sid", ""); strcat(unsupported, "SSL-services (ftps, sip, rdp, oracle-services, ...) "); #endif + +#ifndef LIBFREERDP2 + // for rdp + SERVICES = hydra_string_replace(SERVICES, " rdp", ""); +#endif + #ifndef HAVE_MATH_H if (strlen(unsupported) > 0) strcat(unsupported, "and "); @@ -2181,7 +2231,7 @@ int main(int argc, char *argv[]) { help(1); if (argc < 2) help(0); - while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:")) >= 0) { + while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:K")) >= 0) { switch (i) { case 'h': help(1); @@ -2189,6 +2239,9 @@ int main(int argc, char *argv[]) { case 'q': quiet = 1; break; + case 'K': + hydra_options.skip_redo = 1; + break; case 'O': old_ssl = 1; break; @@ -2270,11 +2323,11 @@ int main(int argc, char *argv[]) { break; case 'b': outfile_format_tmp = optarg; - if (0==strcasecmp(outfile_format_tmp,"text")) + if (strcasecmp(outfile_format_tmp,"text") == 0) hydra_options.outfile_format = FORMAT_PLAIN_TEXT; - else if (0==strcasecmp(outfile_format_tmp,"json")) // latest json formatting. + else if (strcasecmp(outfile_format_tmp,"json") == 0) // latest json formatting. hydra_options.outfile_format = FORMAT_JSONV1; - else if (0==strcasecmp(outfile_format_tmp,"jsonv1")) + else if (strcasecmp(outfile_format_tmp,"jsonv1") == 0) hydra_options.outfile_format = FORMAT_JSONV1; else { fprintf(stderr, "[ERROR] Output file format must be (text, json, jsonv1)\n"); @@ -2371,6 +2424,9 @@ int main(int argc, char *argv[]) { if (!setupterm(NULL, 1, NULL) && (tigetnum("colors") <= 0)) { colored_output = 0; } + if (cur_term) { + del_curterm(cur_term); + } } #else //don't want border line effect so disabling color output 
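Review bot: The new `K` in the getopt string (`@@ -2181`) and the `case 'K': hydra_options.skip_redo = 1;` handler (`@@ -2189`) come without any visible change to `help()` or the usage line in this diff, so confirm that `-K` is documented wherever the other switches are listed — an undocumented switch is the kind of omission that later needs its own fix. In `@@ -2371` the added `del_curterm(cur_term)` releases the terminfo allocation, which is a good leak fix; a one-line comment such as `// release terminfo data allocated by setupterm(); only the colour count was needed` would make the intent clear to the next reader. `main` continues outside these hunks.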
@@ -2430,7 +2486,7 @@ int main(int argc, char *argv[]) { // check if targetdef follow syntax ://[:][/] or it's a syntax error char *targetdef = strdup(argv[optind]); char *service_pos, *target_pos, *port_pos = NULL, *param_pos = NULL; - cmdtarget = argv[optind]; + cmdlinetarget = argv[optind]; if ((targetdef != NULL) && (strstr(targetdef, "://") != NULL)) { service_pos = strstr(targetdef, "://"); @@ -2483,7 +2539,7 @@ int main(int argc, char *argv[]) { printf("[DEBUG] opt:%d argc:%d mod:%s tgt:%s port:%u misc:%s\n", optind, argc, hydra_options.service, hydra_options.server, hydra_options.port, hydra_options.miscptr); } else { hydra_options.server = NULL; - hydra_options.service = NULL; + hydra_options.service = NULL; if (modusage) { hydra_options.service = targetdef; @@ -2532,7 +2588,7 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "afp") == 0 || strcmp(hydra_options.service, "firebird") == 0 || strncmp(hydra_options.service, "mysql", 5) == 0 || strcmp(hydra_options.service, "ncp") == 0 || strcmp(hydra_options.service, "oracle") == 0 || strcmp(hydra_options.service, "postgres") == 0 || strncmp(hydra_options.service, "ssh", 3) == 0 || strcmp(hydra_options.service, "sshkey") == 0 || strcmp(hydra_options.service, "svn") == 0 || - strcmp(hydra_options.service, "sapr3") == 0) { + strcmp(hydra_options.service, "sapr3") == 0 || strcmp(hydra_options.service, "memcached") == 0 || strcmp(hydra_options.service, "mongodb") == 0) { fprintf(stderr, "[WARNING] module %s does not support HYDRA_PROXY* !\n", hydra_options.service); proxy_string = NULL; } 
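Review bot: The proxy-incapable service check in `@@ -2532` has grown to eleven chained comparisons spread over two physical lines, and every new module edits this one expression; the mix of `strcmp` and `strncmp` in the same chain makes it easy to add a name in the wrong form. A small `static const char *const` table of exact service names iterated with a loop, keeping the two prefix matches (`mysql`, `ssh`) as explicit `strncmp` calls, would turn the next addition into a one-token change and keep the `[WARNING] module %s does not support HYDRA_PROXY*` message in a single place. `main` continues outside the hunk.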
@@ -2609,6 +2665,24 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[WARNING] The icq module is not working with the modern protocol version! (somebody else will need to fix this as I don't care for icq)\n"); i = 1; } + if (strcmp(hydra_options.service, "memcached") == 0) +#ifdef LIBMCACHED + i = 1; +#else + bail("Compiled without LIBMCACHED support, module not available!"); +#endif + + if (strcmp(hydra_options.service, "mongodb") == 0) +#ifdef LIBMONGODB + { + i = 1; + if (hydra_options.miscptr == NULL || (strlen(hydra_options.miscptr) == 0)) + fprintf(stderr, "[INFO] The mongodb db wasn't passed so using admin by default\n"); + } +#else + bail("Compiled without LIBMONGODB support, module not available!"); +#endif + if (strcmp(hydra_options.service, "mysql") == 0) { i = 1; if (hydra_options.tasks > 4) { @@ -2665,6 +2739,7 @@ int main(int argc, char *argv[]) { #else bail("Compiled without LIBNCP support, module not available!"); #endif + if (strcmp(hydra_options.service, "pcanywhere") == 0) i = 1; if (strcmp(hydra_options.service, "http-proxy") == 0) { @@ -2720,10 +2795,15 @@ int main(int argc, char *argv[]) { #endif } if ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0) || - (strcmp(hydra_options.service, "sip") == 0) || (strcmp(hydra_options.service, "rdp") == 0) || + (strcmp(hydra_options.service, "sip") == 0) || (strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "oracle-sid") == 0)) { #ifndef LIBOPENSSL bail("Compiled without OPENSSL support, module not available!"); +#endif + } + if (strcmp(hydra_options.service, "rdp") == 0){ +#ifndef LIBFREERDP2 + bail("Compiled without FREERDP2 support, module not available!"); #endif } if (strcmp(hydra_options.service, "pcnfs") == 0) { 
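Review bot: In `@@ -2609` the memcached `if` takes its body from whichever side of `#ifdef LIBMCACHED` is compiled, without braces, so a later edit that adds a second statement to either branch silently changes control flow; the mongodb block directly below already uses the braced form, and the memcached branch should match it: `#ifdef LIBMCACHED` / `{ i = 1; }` / `#else`. In `@@ -2720`, `if (strcmp(hydra_options.service, "rdp") == 0){` is missing the space before the brace that every other condition in this function has, and the rdp check is now split from the `#ifndef LIBOPENSSL` group into its own `#ifndef LIBFREERDP2` block — a comment such as `// rdp now depends on FreeRDP2, not on OpenSSL directly` would explain why it no longer sits with the SSL services. `main` continues outside these hunks.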
@@ -3022,17 +3102,15 @@ int main(int argc, char *argv[]) {
   if (strcmp(hydra_options.service, "irc") == 0)
     i = 1;
   if (strcmp(hydra_options.service, "rdp") == 0) {
-    //if (hydra_options.tasks > 4)
-    // fprintf(stderr, "[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover\n");
-    //if (hydra_options.tasks > 4) {
-    // fprintf(stderr, "[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\n");
-    // hydra_options.tasks = 4;
-    //}
-    //if (conwait == 0)
-    // hydra_options.conwait = conwait = 1;
-    //printf("[WARNING] the rdp module is currently reported to be unreliable, most likely against new Windows version. Please test, report - and if possible, fix.\n");
-    printf("[ERROR] the rdp module does not support the current protocol, hence it is disabled. If you want to add it, please contact vh@thc.org\n");
-    exit(-1);
+    if (hydra_options.tasks > 4)
+      fprintf(stderr, "[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover\n");
+    if (hydra_options.tasks > 4) {
+      fprintf(stderr, "[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\n");
+      hydra_options.tasks = 4;
+    }
+    if (conwait == 0)
+      hydra_options.conwait = conwait = 1;
+    printf("[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.\n");
     i = 1;
   }
   if (strcmp(hydra_options.service, "radmin2") == 0) {
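Review bot: The re-enabled rdp block evaluates `hydra_options.tasks > 4` twice in a row — once to print the `[WARNING]` and again to print the `[INFO]` and clamp `tasks` — where a single braced block holding all three statements says the same thing without the duplicated condition. The new experimental notice goes to stdout via `printf` while the neighbouring diagnostics use `fprintf(stderr, ...)`; writing it as `fprintf(stderr, "[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.\n");` keeps advisory text out of the result stream. `main` continues outside the hunk.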
@@ -3117,9 +3195,19 @@ int main(int argc, char *argv[]) {
     hydra_options.max_use = MAXTASKS;
   }
   // script kiddie patch
-  if (hydra_options.server != NULL && (hydra_strcasestr(hydra_options.server, "gmail.") != NULL || hydra_strcasestr(hydra_options.server, "googlemail.") != NULL))
-    fprintf(stderr, "[WARNING] Google Mail has bruteforce detection and sends false positives. You are not doing anything illegal right?!\n");
-
+  if (hydra_options.server != NULL && (
+      hydra_strcasestr(hydra_options.server, ".outlook.com") != NULL ||
+      hydra_strcasestr(hydra_options.server, ".hotmail.com") != NULL ||
+      hydra_strcasestr(hydra_options.server, ".yahoo.") != NULL ||
+      hydra_strcasestr(hydra_options.server, ".gmx.") != NULL ||
+      hydra_strcasestr(hydra_options.server, ".web.de") != NULL ||
+      hydra_strcasestr(hydra_options.server, ".gmail.") != NULL ||
+      hydra_strcasestr(hydra_options.server, "googlemail.") != NULL
+     )) {
+    fprintf(stderr, "[WARNING] Google Mail and others have bruteforce and hydra detection and sends false positives. You are not doing anything illegal right?!\n");
+    fprintf(stderr, "[WARNING] !read the above!\n");
+    sleep(5);
+  }
   if (hydra_options.colonfile == NULL) {
     if (hydra_options.loginfile != NULL) {
       if ((lfp = fopen(hydra_options.loginfile, "r")) == NULL) {
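Review bot: The gmail pattern changed from `"gmail."` to `".gmail."`, so a bare `gmail.com` target no longer triggers the warning although `smtp.gmail.com` still does, while `"googlemail."` in the same list kept the old undotted form; if bare second-level names are a valid target spelling, restore `hydra_strcasestr(hydra_options.server, "gmail.") != NULL` or dot all entries consistently. The unconditional `sleep(5)` also delays scripted runs that will never see the message; a comment such as `// deliberate pause so the warning is read in interactive use` would at least record that it is intentional. `main` continues outside the hunk.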
@@ -3133,11 +3221,11 @@ int main(int argc, char *argv[]) { exit(-1); } if (hydra_brains.countlogin > MAX_LINES) { - fprintf(stderr, "[ERROR] Maximum number of logins is %d, this file has %lu entries.\n", MAX_LINES, hydra_brains.countlogin); + fprintf(stderr, "[ERROR] Maximum number of logins is %d, this file has %" hPRIu64 " entries.\n", MAX_LINES, hydra_brains.countlogin); exit(-1); } if (hydra_brains.sizelogin > MAX_BYTES) { - fprintf(stderr, "[ERROR] Maximum size of the login file is %d, this file has %lu bytes.\n", MAX_BYTES, (uint64_t) hydra_brains.sizelogin); + fprintf(stderr, "[ERROR] Maximum size of the login file is %d, this file has %" hPRIu64 " bytes.\n", MAX_BYTES, (uint64_t) hydra_brains.sizelogin); exit(-1); } login_ptr = malloc(hydra_brains.sizelogin + hydra_brains.countlogin + 8); @@ -3162,11 +3250,11 @@ int main(int argc, char *argv[]) { exit(-1); } if (hydra_brains.countpass > MAX_LINES) { - fprintf(stderr, "[ERROR] Maximum number of passwords is %d, this file has %lu entries.\n", MAX_LINES, hydra_brains.countpass); + fprintf(stderr, "[ERROR] Maximum number of passwords is %d, this file has %" hPRIu64 " entries.\n", MAX_LINES, hydra_brains.countpass); exit(-1); } if (hydra_brains.sizepass > MAX_BYTES) { - fprintf(stderr, "[ERROR] Maximum size of the password file is %d, this file has %lu bytes.\n", MAX_BYTES, (uint64_t) hydra_brains.sizepass); + fprintf(stderr, "[ERROR] Maximum size of the password file is %d, this file has %" hPRIu64 " bytes.\n", MAX_BYTES, (uint64_t) hydra_brains.sizepass); exit(-1); } pass_ptr = malloc(hydra_brains.sizepass + hydra_brains.countpass + 8); 
@@ -3209,11 +3297,11 @@ int main(int argc, char *argv[]) { exit(-1); } if (hydra_brains.countlogin > MAX_LINES / 2) { - fprintf(stderr, "[ERROR] Maximum number of colon file entries is %d, this file has %lu entries.\n", MAX_LINES / 2, hydra_brains.countlogin); + fprintf(stderr, "[ERROR] Maximum number of colon file entries is %d, this file has %" hPRIu64 " entries.\n", MAX_LINES / 2, hydra_brains.countlogin); exit(-1); } if (hydra_brains.sizelogin > MAX_BYTES / 2) { - fprintf(stderr, "[ERROR] Maximum size of the colon file is %d, this file has %lu bytes.\n", MAX_BYTES / 2, (uint64_t) hydra_brains.sizelogin); + fprintf(stderr, "[ERROR] Maximum size of the colon file is %d, this file has %" hPRIu64 " bytes.\n", MAX_BYTES / 2, (uint64_t) hydra_brains.sizelogin); exit(-1); } csv_ptr = malloc(hydra_brains.sizelogin + 2 * hydra_brains.countlogin + 8); @@ -3301,9 +3389,9 @@ int main(int argc, char *argv[]) { fprintf(stderr, "Error: no target server given, nor -M option used\n"); exit(-1); } else if (index(hydra_options.server, '/') != NULL) { - if (cmdtarget == NULL) + if (cmdlinetarget == NULL) bail("You seem to mix up \"service://target:port/options\" syntax with \"target service options\" syntax. Read the README on how to use hydra correctly!"); - if (strstr(cmdtarget, "://") != NULL) { + if (strstr(cmdlinetarget, "://") != NULL) { tmpptr = index(hydra_options.server, '/'); if (tmpptr != NULL) *tmpptr = 0; @@ -3436,7 +3524,7 @@ int main(int argc, char *argv[]) { bail("No login/password combination given!"); if (hydra_brains.todo < hydra_options.tasks) { if (verbose && hydra_options.tasks != TASKS) - printf("[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to %lu\n", hydra_brains.todo); + printf("[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to %" hPRIu64 "\n", hydra_brains.todo); hydra_options.tasks = hydra_brains.todo; } } 
@@ -3471,18 +3559,18 @@ int main(int argc, char *argv[]) { if (hydra_options.ssl) options = options | OPTION_SSL; - printf("[DATA] max %d task%s per %d server%s, overall %d task%s, %lu login tr", + printf("[DATA] max %d task%s per %d server%s, overall %d task%s, %" hPRIu64 " login tr", hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s", hydra_brains.targets, hydra_brains.targets == 1 ? "" : "s", hydra_options.max_use, hydra_options.max_use == 1 ? "" : "s", hydra_brains.todo); printf("%s", hydra_brains.todo == 1 ? "y" : "ies"); if (hydra_options.colonfile == NULL) { - printf(" (l:%lu/p:%lu), ~%lu tr", + printf(" (l:%" hPRIu64 "/p:%" hPRIu64 "), ~%" hPRIu64 " tr", (uint64_t) hydra_brains.countlogin, (uint64_t) hydra_brains.countpass, math2); } else { - printf(", ~%lu tr", math2); + printf(", ~%" hPRIu64 " tr", math2); } printf("%s", math2 == 1 ? "y" : "ies"); printf(" per task\n"); 
@@ -3504,23 +3592,29 @@ int main(int argc, char *argv[]) { // printf("[DATA] with additional data %s\n", hydra_options.miscptr); if (hydra_options.outfile_ptr != NULL) { - if ((hydra_brains.ofp = fopen(hydra_options.outfile_ptr, "a+")) == NULL) { + char outfile_open_type[] = "a+"; //Default open in a+ mode + if (hydra_options.outfile_format == FORMAT_JSONV1 && hydra_options.restore != 1) { + outfile_open_type[0] = 'w'; //Creat new outfile, if using JSON output and not using -R. The open mode should be "w+". + } + if ((hydra_brains.ofp = fopen(hydra_options.outfile_ptr, outfile_open_type)) == NULL) { perror("[ERROR] Error creating outputfile"); exit(-1); } if (hydra_options.outfile_format == FORMAT_JSONV1) { - fprintf(hydra_brains.ofp, "{ \"generator\": {\n" + if (hydra_options.restore != 1) { // No JSON head while using -R + fprintf(hydra_brains.ofp, "{ \"generator\": {\n" "\t\"software\": \"%s\", \"version\": \"%s\", \"built\": \"%s\",\n" "\t\"server\": \"%s\", \"service\": \"%s\", \"jsonoutputversion\": \"1.00\",\n" "\t\"commandline\": \"%s", PROGRAM, VERSION, hydra_build_time(), hydra_options.server == NULL ? hydra_options.infile_ptr : hydra_options.server, hydra_options.service, prg); - for (i = 1; i < argc; i++) { - char *t = hydra_string_replace(argv[i],"\"","\\\""); - fprintf(hydra_brains.ofp, " %s", t); - free(t); + for (i = 1; i < argc; i++) { + char *t = hydra_string_replace(argv[i],"\"","\\\""); + fprintf(hydra_brains.ofp, " %s", t); + free(t); + } + fprintf(hydra_brains.ofp, "\"\n\t},\n\"results\": ["); } - fprintf(hydra_brains.ofp, "\"\n\t},\n\"results\": ["); } else { // else default is plain text aka == 0 fprintf(hydra_brains.ofp, "# %s %s run at %s on %s %s (%s", PROGRAM, VERSION, hydra_build_time(), hydra_options.server == NULL ? hydra_options.infile_ptr : hydra_options.server, hydra_options.service, prg); 
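Review bot: The mutable `char outfile_open_type[] = "a+"` that is patched in place to `"w+"` is a roundabout way to choose a mode; `const char *outfile_open_type = (hydra_options.outfile_format == FORMAT_JSONV1 && hydra_options.restore != 1) ? "w+" : "a+";` states the decision in one line, and the trailing comment has a typo (`Creat`). Separately, the `commandline` field written into the JSON header escapes only `"` via `hydra_string_replace(argv[i],"\"","\\\"")`, so a backslash in any argument yields an invalid JSON escape, and the field records every command-line argument — including credentials passed directly — into the output file; both are pre-existing behaviour that this hunk re-indents rather than introduces, but a `// TODO: escape backslashes and consider redacting -l/-p values in the JSON commandline` would flag them for the next pass. `main` continues outside the hunk.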
@@ -3683,7 +3777,7 @@ int main(int argc, char *argv[]) { for (head_no = 0; head_no < hydra_options.max_use; head_no++) { if (debug > 1 && hydra_heads[head_no]->active != HEAD_DISABLED) printf("[DEBUG] head_no[%d] to target_no %d active %d\n", head_no, hydra_heads[head_no]->target_no, hydra_heads[head_no]->active); - + switch (hydra_heads[head_no]->active) { case HEAD_DISABLED: break; @@ -3839,7 +3933,7 @@ int main(int argc, char *argv[]) { case 'C': // head reports connect error fck = write(hydra_heads[head_no]->sp[0], "Q", 1); if (debug) { - printf("[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu\n", + printf("[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %" hPRIu64 " of %" hPRIu64 "\n", hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, hydra_targets[hydra_heads[head_no]->target_no]->sent, hydra_brains.todo); } @@ -3918,7 +4012,7 @@ int main(int argc, char *argv[]) { for (j = 0; j < hydra_options.max_use; j++) if (hydra_heads[j]->active >= HEAD_UNUSED) k++; - printf("[STATUS] %.2f tries/min, %lu tries in %02lu:%02luh, %lu to do in %02lu:%02luh, %d active\n", (1.0 * hydra_brains.sent) / (((elapsed_status - starttime) * 1.0) / 60), // tries/min + printf("[STATUS] %.2f tries/min, %" hPRIu64 " tries in %02" hPRIu64 ":%02" hPRIu64 "h, %" hPRIu64 " to do in %02" hPRIu64 ":%02" hPRIu64 "h, %d active\n", (1.0 * hydra_brains.sent) / (((elapsed_status - starttime) * 1.0) / 60), // tries/min hydra_brains.sent, // tries (uint64_t) ((elapsed_status - starttime) / 3600), // hours (uint64_t) (((elapsed_status - starttime) % 3600) / 60), // minutes 
@@ -3963,16 +4057,16 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] illegal target result value (%d=>%d)\n", i, hydra_targets[i]->done); } - printf("%d of %d target%s%scompleted, %lu valid password", + printf("%d of %d target%s%scompleted, %" hPRIu64 " valid password", hydra_brains.targets - j - k - error, hydra_brains.targets, hydra_brains.targets == 1 ? " " : "s ", hydra_brains.found > 0 ? "successfully " : "", hydra_brains.found); - printf("%s", hydra_brains.found == 1 ? "" : "s"); + printf("%s", hydra_brains.found < 2 ? "" : "s"); printf(" found\n"); error += j; k = 0; - for (j = 0; j < hydra_options.max_use; j++) - if (hydra_heads[j]->active == HEAD_ACTIVE) + for (i = 0; i < hydra_options.max_use; i++) + if (hydra_heads[i]->active == HEAD_ACTIVE) k++; if (error == 0 && k == 0) { @@ -4017,13 +4111,9 @@ int main(int argc, char *argv[]) { strncat(json_error,tmp_str,STRMAX); strncat(json_error,"\"",STRMAX); error = 1; - if (*json_error) { - strncat(json_error,", ", STRMAX); - } - error = 1; } if (error) { - snprintf(tmp_str, STRMAX, "[ERROR] %d target%s did not complete", j, j == 1 ? "" : "s"); + snprintf(tmp_str, STRMAX, "[ERROR] %d target%s did not complete", j, j < 1 ? "" : "s"); fprintf(stderr, "%s\n", tmp_str); if (*json_error) { strncat(json_error,", ", STRMAX); @@ -4037,7 +4127,7 @@ int main(int argc, char *argv[]) { printf("%s (%s) finished at %s\n", PROGRAM, RESOURCE, hydra_build_time()); if (hydra_brains.ofp != NULL && hydra_brains.ofp != stdout) { if (hydra_options.outfile_format == FORMAT_JSONV1) { - fprintf(hydra_brains.ofp, "\n\t],\n\"success\": %s,\n\"errormessages\": [ %s ],\n\"quantityfound\": %lu }\n", + fprintf(hydra_brains.ofp, "\n\t],\n\"success\": %s,\n\"errormessages\": [ %s ],\n\"quantityfound\": %" hPRIu64 " }\n", (error ? "false" : "true"), json_error, hydra_brains.found); } fclose(hydra_brains.ofp); diff --git a/hydra.h b/hydra.h index 2859de8..dc158ec 100644 --- a/hydra.h +++ b/hydra.h 
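Review bot: The plural fix in `@@ -4017` is wrong for the singular case: `j < 1 ? "" : "s"` prints "1 targets did not complete" when `j` is 1, so the expression should be `j == 1 ? "" : "s"`. In `@@ -3963` the switch from `== 1` to `< 2` makes a run with zero results print "0 valid password found"; the original `hydra_brains.found == 1 ? "" : "s"` was grammatically right and should be kept. Both messages are also copied into `json_error` / the JSON footer, so the wording reaches machine-readable output as well. `main` continues outside these hunks.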
@@ -3,11 +3,18 @@ #include #ifdef __sun #include -#elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) +#elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) || defined(__APPLE__) #include #else #include #endif + +#if defined(_INTTYPES_H) || defined(__CLANG_INTTYPES_H) + #define hPRIu64 PRIu64 +#else + #define hPRIu64 "lu" +#endif + #include #include #include @@ -144,6 +151,9 @@ #define PORT_RPCAP 2002 #define PORT_RPCAP_SSL 2002 #define PORT_RADMIN2 4899 +#define PORT_MCACHED 11211 +#define PORT_MCACHED_SSL 11211 +#define PORT_MONGODB 27017 #define False 0 #define True 1 @@ -211,6 +221,7 @@ typedef struct { char *service; char bfg; _Bool rainy; + int32_t skip_redo; } hydra_option; #define _HYDRA_H diff --git a/pw-inspector.c b/pw-inspector.c index 86eb352..11afdc5 100644 --- a/pw-inspector.c +++ b/pw-inspector.c @@ -28,7 +28,7 @@ void help() { printf(" -u upcase characters (A,B,C,D, etc.)\n"); printf(" -n numbers (1,2,3,4, etc.)\n"); printf(" -p printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)\n"); - printf(" -s special characters - all others not withint the sets above\n"); + printf(" -s special characters - all others not within the sets above\n"); printf("\n%s reads passwords in and prints those which meet the requirements.\n", PROGRAM); printf("The return code is the number of valid passwords found, 0 if none was found.\n"); printf("Use for security: check passwords, if 0 is returned, reject password choice.\n"); diff --git a/rdp.h b/rdp.h deleted file mode 100644 index 1d3c7c4..0000000 --- a/rdp.h +++ /dev/null 
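Review bot: In the hydra.h `@@ -3,11 +3,18 @@` hunk, `hPRIu64` is chosen by testing `_INTTYPES_H` / `__CLANG_INTTYPES_H`, which are private include guards of glibc's and clang's inttypes.h; libcs that use a different guard (the BSDs and macOS use `_INTTYPES_H_`, for example) or any translation unit where inttypes.h is not already included at this point fall through to `"lu"`, and `"lu"` does not match `uint64_t` on 32-bit or LLP64 targets, so every printf converted in this commit (the hydra.c hunks from `@@ -1508` through `@@ -4037`) becomes undefined behaviour there and the counts in status and error messages come out as garbage. Since the code already depends on `<inttypes.h>` types, the portable form is an explicit `#include <inttypes.h>` followed by an unconditional `#define hPRIu64 PRIu64` (the included header names are stripped on this page, so whether inttypes.h is already pulled in cannot be confirmed here). Some call sites cast to `(uint64_t)` (`@@ -3471`) while others pass `hydra_brains.countlogin` uncast (`@@ -3133`), which suggests the field types are not uniformly `uint64_t`; worth checking against the struct definition, which is not in this diff.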
@@ -1,634 +0,0 @@ -/* - david: this file is based on header files from rdesktop project - - rdesktop: A Remote Desktop Protocol client. - Master include file - Copyright (C) Matthew Chapman 1999-2008 - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -*/ - -#include "hydra-mod.h" - -#include -#include -#include -#ifdef _WIN32 -#define WINVER 0x0400 -#include -#include -#include -#define DIR int32_t -#else -#include -#include -#ifdef HAVE_SYS_SELECT_H -#include -#else -#include -#include -#endif -#endif -#include /* PATH_MAX */ -#ifdef HAVE_SYSEXITS_H -#include -#endif - -#include /* stat */ -#include /* gettimeofday */ -#include /* times */ -#include -#include - -//fixme - -/* The system could not log you on. Make sure your User name and domain are correct [FAILED] */ -#define LOGON_MESSAGE_FAILED_XP "\x00\x00\x01\x06\x02\x06\x04\x09\x05\x05\x04\x06\x06\x05\x02\x04\x07\x06" -#define LOGON_MESSAGE_FAILED_2K3 "\x00\x00\x01\x08\x02\x07\x03\x07\x04\x07\x05\x05\x01\x05\x04\x07\x03\x05" -#define LOGON_MESSAGE_FAILED_2K8 "not needed" - -#define LOGON_MESSAGE_2K "\x00\x00\x01\x06\x02\x07\x04\x0a\x05\x08\x06\x0a\x01\x05\x07\x0a\x08\x0b\x05\x03\x09\x07\x01\x07\x0a\x07\x0b\x09\xff\x00\x1c" - -/* The local policy of this system does not permit you to logon interactively. 
[SUCCESS] */ -#define LOGON_MESSAGE_NO_INTERACTIVE_XP "\x00\x00\x01\x06\x02\x06\x04\x09\x05\x02\x06\x06\x07\x05\x04\x06\x08\x05" -#define LOGON_MESSAGE_NO_INTERACTIVE_2K3 "??" - -/* Unable to log you on because your account has been locked out [FAILED] */ -#define LOGON_MESSAGE_LOCKED_XP "\x00\x00\x01\x07\x02\x06\x03\x06\x04\x06\x05\x02\x07\x09\x08\x04\x04\x09" -#define LOGON_MESSAGE_LOCKED_2K3 "??" - -/* Your account has been disabled. Please see your system administrator. [ERROR] */ -/* Your account has expired. Please see your system administrator. [ERROR] */ -#define LOGON_MESSAGE_DISABLED_XP "\x00\x00\x01\x06\x02\x06\x03\x06\x05\x07\x06\x06\x06\x05\x01\x05\x02\x06" -#define LOGON_MESSAGE_DISABLED_2K3 "??" - -/* Your password has expired and must be changed. [SUCCESS] */ -#define LOGON_MESSAGE_EXPIRED_XP "\x00\x00\x01\x06\x02\x06\x03\x06\x05\x07\x06\x06\x07\x06\x07\x05\x08\x05" -#define LOGON_MESSAGE_EXPIRED_2K3 "??" - -/* You are required to change your password at first logon. [SUCCESS] */ -#define LOGON_MESSAGE_MUST_CHANGE_XP "\x00\x00\x01\x06\x02\x06\x04\x09\x05\x06\x06\x04\x05\x09\x06\x04\x07\x06" -#define LOGON_MESSAGE_MUST_CHANGE_2K3 "??" - -/* The terminal server has exceeded the maximum number of allowed connections. [SUCCESS] */ -#define LOGON_MESSAGE_MSTS_MAX_2K3 "\x00\x00\x01\x06\x02\x07\x01\x07\x05\x07\x24\x0a\x25\x0a\x0b\x07\x0b\x06\x26" - - -#define DEBUG(args) { if (debug) {hydra_report(stderr, "[DEBUG] "); printf args; }} -#define DEBUG_RDP5(args){ if (debug) {hydra_report(stderr, "[DEBUG] RDP5 "); printf args; }} - -#define STRNCPY(dst,src,n) { strncpy(dst,src,n-1); dst[n-1] = 0; } - -#ifndef MIN -#define MIN(x,y) (((x) < (y)) ? (x) : (y)) -#endif - -#ifndef MAX -#define MAX(x,y) (((x) > (y)) ? 
(x) : (y)) -#endif - -/* timeval macros */ -#ifndef timerisset -#define timerisset(tvp)\ - ((tvp)->tv_sec || (tvp)->tv_usec) -#endif -#ifndef timercmp -#define timercmp(tvp, uvp, cmp)\ - ((tvp)->tv_sec cmp (uvp)->tv_sec ||\ - (tvp)->tv_sec == (uvp)->tv_sec &&\ - (tvp)->tv_usec cmp (uvp)->tv_usec) -#endif -#ifndef timerclear -#define timerclear(tvp)\ - ((tvp)->tv_sec = (tvp)->tv_usec = 0) -#endif - -/* If configure does not define the endianess, try - to find it out */ -#if !defined(L_ENDIAN) && !defined(B_ENDIAN) -#if __BYTE_ORDER == __LITTLE_ENDIAN -#define L_ENDIAN -#elif __BYTE_ORDER == __BIG_ENDIAN -#define B_ENDIAN -#else -#error Unknown endianness. Edit rdp.h. -#endif -#endif /* B_ENDIAN, L_ENDIAN from configure */ - -/* No need for alignment on x86 and amd64 */ -#if !defined(NEED_ALIGN) -#if !(defined(__x86__) || defined(__x86_64__) || \ - defined(__AMD64__) || defined(_M_IX86) || \ - defined(__i386__)) -#define NEED_ALIGN -#endif -#endif - -/* Parser state */ -typedef struct stream -{ - unsigned char *p; - unsigned char *end; - unsigned char *data; - uint32_t size; - - /* Offsets of various headers */ - unsigned char *iso_hdr; - unsigned char *mcs_hdr; - unsigned char *sec_hdr; - unsigned char *rdp_hdr; - unsigned char *channel_hdr; - -} - *STREAM; - -#define s_push_layer(s,h,n) { (s)->h = (s)->p; (s)->p += n; } -#define s_pop_layer(s,h) (s)->p = (s)->h; -#define s_mark_end(s) (s)->end = (s)->p; -#define s_check(s) ((s)->p <= (s)->end) -#define s_check_rem(s,n) ((s)->p + n <= (s)->end) -#define s_check_end(s) ((s)->p == (s)->end) - -#if defined(L_ENDIAN) && !defined(NEED_ALIGN) -#define in_uint16_le(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } -#define in_uint32_le(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } -#define out_uint16_le(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } -#define out_uint32_le(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } - -#else -#define in_uint16_le(s,v) { v = *((s)->p++); v += *((s)->p++) << 8; } -#define in_uint32_le(s,v) { 
in_uint16_le(s,v) \ - v += *((s)->p++) << 16; v += *((s)->p++) << 24; } -#define out_uint16_le(s,v) { *((s)->p++) = (v) & 0xff; *((s)->p++) = ((v) >> 8) & 0xff; } -#define out_uint32_le(s,v) { out_uint16_le(s, (v) & 0xffff); out_uint16_le(s, ((v) >> 16) & 0xffff); } -#endif - -#if defined(B_ENDIAN) && !defined(NEED_ALIGN) -#define in_uint16_be(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } -#define in_uint32_be(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } -#define out_uint16_be(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } -#define out_uint32_be(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } - -#define B_ENDIAN_PREFERRED -#define in_uint16(s,v) in_uint16_be(s,v) -#define in_uint32(s,v) in_uint32_be(s,v) -#define out_uint16(s,v) out_uint16_be(s,v) -#define out_uint32(s,v) out_uint32_be(s,v) - -#else -#define in_uint16_be(s,v) { v = *((s)->p++); next_be(s,v); } -#define in_uint32_be(s,v) { in_uint16_be(s,v); next_be(s,v); next_be(s,v); } -#define out_uint16_be(s,v) { *((s)->p++) = ((v) >> 8) & 0xff; *((s)->p++) = (v) & 0xff; } -#define out_uint32_be(s,v) { out_uint16_be(s, ((v) >> 16) & 0xffff); out_uint16_be(s, (v) & 0xffff); } -#endif - -#ifndef B_ENDIAN_PREFERRED -#define in_uint16(s,v) in_uint16_le(s,v) -#define in_uint32(s,v) in_uint32_le(s,v) -#define out_uint16(s,v) out_uint16_le(s,v) -#define out_uint32(s,v) out_uint32_le(s,v) -#endif - -#define in_uint8(s,v) v = *((s)->p++); -#define in_uint8p(s,v,n) { v = (s)->p; (s)->p += n; } -#define in_uint8a(s,v,n) { memcpy(v,(s)->p,n); (s)->p += n; } -#define in_uint8s(s,n) (s)->p += n; -#define out_uint8(s,v) *((s)->p++) = v; -#define out_uint8p(s,v,n) { memcpy((s)->p,v,n); (s)->p += n; } -#define out_uint8a(s,v,n) out_uint8p(s,v,n); -#define out_uint8s(s,n) { memset((s)->p,0,n); (s)->p += n; } - -#define next_be(s,v) v = ((v) << 8) + *((s)->p++); - -typedef unsigned char uint8; -typedef signed char sint8; -typedef unsigned short uint16; -typedef signed short sint16; -typedef uint32_t uint32; -typedef int32_t 
sint32;
-
-typedef struct _BOUNDS
-{
- sint16 left;
- sint16 top;
- sint16 right;
- sint16 bottom;
-
-}
-BOUNDS;
-
-/* PSTCACHE */
-typedef uint8 HASH_KEY[8];
-
-#ifndef PATH_MAX
-#define PATH_MAX 256
-#endif
-
-#define RDP_ORDER_STANDARD 0x01
-#define RDP_ORDER_SECONDARY 0x02
-#define RDP_ORDER_BOUNDS 0x04
-#define RDP_ORDER_CHANGE 0x08
-#define RDP_ORDER_DELTA 0x10
-#define RDP_ORDER_LASTBOUNDS 0x20
-#define RDP_ORDER_SMALL 0x40
-#define RDP_ORDER_TINY 0x80
-
-enum RDP_ORDER_TYPE
-{
- RDP_ORDER_DESTBLT = 0,
- RDP_ORDER_PATBLT = 1,
- RDP_ORDER_SCREENBLT = 2,
- RDP_ORDER_LINE = 9,
- RDP_ORDER_RECT = 10,
- RDP_ORDER_DESKSAVE = 11,
- RDP_ORDER_MEMBLT = 13,
- RDP_ORDER_TRIBLT = 14,
- RDP_ORDER_POLYGON = 20,
- RDP_ORDER_POLYGON2 = 21,
- RDP_ORDER_POLYLINE = 22,
- RDP_ORDER_ELLIPSE = 25,
- RDP_ORDER_ELLIPSE2 = 26,
- RDP_ORDER_TEXT2 = 27
-};
-
-enum RDP_SECONDARY_ORDER_TYPE
-{
- RDP_ORDER_RAW_BMPCACHE = 0,
- RDP_ORDER_COLCACHE = 1,
- RDP_ORDER_BMPCACHE = 2,
- RDP_ORDER_FONTCACHE = 3,
- RDP_ORDER_RAW_BMPCACHE2 = 4,
- RDP_ORDER_BMPCACHE2 = 5,
- RDP_ORDER_BRUSHCACHE = 7
-};
-
-typedef struct _RECT_ORDER
-{
- sint16 x;
- sint16 y;
- sint16 cx;
- sint16 cy;
- uint32 colour;
-
-}
-RECT_ORDER;
-
-typedef struct _DESKSAVE_ORDER
-{
- uint32 offset;
- sint16 left;
- sint16 top;
- sint16 right;
- sint16 bottom;
- uint8 action;
-
-}
-DESKSAVE_ORDER;
-
-typedef struct _MEMBLT_ORDER
-{
- uint8 colour_table;
- uint8 cache_id;
- sint16 x;
- sint16 y;
- sint16 cx;
- sint16 cy;
- uint8 opcode;
- sint16 srcx;
- sint16 srcy;
- uint16 cache_idx;
-
-}
-MEMBLT_ORDER;
-
-#define MAX_DATA 256
-#define MAX_TEXT 256
-
-typedef struct _TEXT2_ORDER
-{
- uint8 font;
- uint8 flags;
- uint8 opcode;
- uint8 mixmode;
- uint32 bgcolour;
- uint32 fgcolour;
- sint16 clipleft;
- sint16 cliptop;
- sint16 clipright;
- sint16 clipbottom;
- sint16 boxleft;
- sint16 boxtop;
- sint16 boxright;
- sint16 boxbottom;
- sint16 x;
- sint16 y;
- uint8 length;
- uint8 text[MAX_TEXT];
-
-}
-TEXT2_ORDER;
-
-typedef struct _RDP_ORDER_STATE
-{
- uint8 order_type;
- BOUNDS bounds;
-
- RECT_ORDER rect;
- DESKSAVE_ORDER desksave;
- MEMBLT_ORDER memblt;
- TEXT2_ORDER text2;
-}
-RDP_ORDER_STATE;
-
-#define WINDOWS_CODEPAGE "UTF-16LE"
-
-/* ISO PDU codes */
-enum ISO_PDU_CODE
-{
- ISO_PDU_CR = 0xE0, /* Connection Request */
- ISO_PDU_CC = 0xD0, /* Connection Confirm */
- ISO_PDU_DR = 0x80, /* Disconnect Request */
- ISO_PDU_DT = 0xF0, /* Data */
- ISO_PDU_ER = 0x70 /* Error */
-};
-
-/* MCS PDU codes */
-enum MCS_PDU_TYPE
-{
- MCS_EDRQ = 1, /* Erect Domain Request */
- MCS_DPUM = 8, /* Disconnect Provider Ultimatum */
- MCS_AURQ = 10, /* Attach User Request */
- MCS_AUCF = 11, /* Attach User Confirm */
- MCS_CJRQ = 14, /* Channel Join Request */
- MCS_CJCF = 15, /* Channel Join Confirm */
- MCS_SDRQ = 25, /* Send Data Request */
- MCS_SDIN = 26 /* Send Data Indication */
-};
-
-#define MCS_CONNECT_INITIAL 0x7f65
-#define MCS_CONNECT_RESPONSE 0x7f66
-
-#define BER_TAG_BOOLEAN 1
-#define BER_TAG_INTEGER 2
-#define BER_TAG_OCTET_STRING 4
-#define BER_TAG_RESULT 10
-#define MCS_TAG_DOMAIN_PARAMS 0x30
-
-#define MCS_GLOBAL_CHANNEL 1003
-#define MCS_USERCHANNEL_BASE 1001
-
-/* RDP secure transport constants */
-#define SEC_RANDOM_SIZE 32
-#define SEC_MODULUS_SIZE 64
-#define SEC_MAX_MODULUS_SIZE 256
-#define SEC_PADDING_SIZE 8
-#define SEC_EXPONENT_SIZE 4
-
-#define SEC_CLIENT_RANDOM 0x0001
-#define SEC_ENCRYPT 0x0008
-#define SEC_LOGON_INFO 0x0040
-#define SEC_LICENCE_NEG 0x0080
-#define SEC_REDIRECT_ENCRYPT 0x0C00
-
-#define SEC_TAG_SRV_INFO 0x0c01
-#define SEC_TAG_SRV_CRYPT 0x0c02
-#define SEC_TAG_SRV_CHANNELS 0x0c03
-
-#define SEC_TAG_CLI_INFO 0xc001
-#define SEC_TAG_CLI_CRYPT 0xc002
-#define SEC_TAG_CLI_CHANNELS 0xc003
-#define SEC_TAG_CLI_4 0xc004
-
-#define SEC_TAG_PUBKEY 0x0006
-#define SEC_TAG_KEYSIG 0x0008
-
-#define SEC_RSA_MAGIC 0x31415352 /* RSA1 */
-
-/* RDP PDU codes */
-enum RDP_PDU_TYPE
-{
- RDP_PDU_DEMAND_ACTIVE = 1,
- RDP_PDU_CONFIRM_ACTIVE = 3,
- RDP_PDU_REDIRECT = 4, /* MS Server 2003 Session Redirect */
- RDP_PDU_DEACTIVATE = 6,
- RDP_PDU_DATA = 7
-};
-
-enum RDP_DATA_PDU_TYPE
-{
- RDP_DATA_PDU_UPDATE = 2,
- RDP_DATA_PDU_CONTROL = 20,
- RDP_DATA_PDU_POINTER = 27,
- RDP_DATA_PDU_INPUT = 28,
- RDP_DATA_PDU_SYNCHRONISE = 31,
- RDP_DATA_PDU_BELL = 34,
- RDP_DATA_PDU_CLIENT_WINDOW_STATUS = 35,
- RDP_DATA_PDU_LOGON = 38, /* PDUTYPE2_SAVE_SESSION_INFO */
- RDP_DATA_PDU_FONT2 = 39,
- RDP_DATA_PDU_KEYBOARD_INDICATORS = 41,
- RDP_DATA_PDU_DISCONNECT = 47
-};
-
-enum RDP_SAVE_SESSION_PDU_TYPE
-{
- INFOTYPE_LOGON = 0,
- INFOTYPE_LOGON_LONG = 1,
- INFOTYPE_LOGON_PLAINNOTIFY = 2,
- INFOTYPE_LOGON_EXTENDED_INF = 3
-};
-
-enum RDP_LOGON_INFO_EXTENDED_TYPE
-{
- LOGON_EX_AUTORECONNECTCOOKIE = 1,
- LOGON_EX_LOGONERRORS = 2
-};
-
-enum RDP_CONTROL_PDU_TYPE
-{
- RDP_CTL_REQUEST_CONTROL = 1,
- RDP_CTL_GRANT_CONTROL = 2,
- RDP_CTL_DETACH = 3,
- RDP_CTL_COOPERATE = 4
-};
-
-enum RDP_UPDATE_PDU_TYPE
-{
- RDP_UPDATE_ORDERS = 0,
- RDP_UPDATE_BITMAP = 1,
- RDP_UPDATE_PALETTE = 2,
- RDP_UPDATE_SYNCHRONIZE = 3
-};
-
-/* RDP bitmap cache (version 2) constants */
-#define BMPCACHE2_C0_CELLS 0x78
-#define BMPCACHE2_C1_CELLS 0x78
-#define BMPCACHE2_C2_CELLS 0x150
-#define BMPCACHE2_NUM_PSTCELLS 0x9f6
-
-#define PDU_FLAG_FIRST 0x01
-#define PDU_FLAG_LAST 0x02
-
-/* RDP capabilities */
-#define RDP_CAPSET_GENERAL 1 /* Maps to generalCapabilitySet in T.128 page 138 */
-#define RDP_CAPLEN_GENERAL 0x18
-#define OS_MAJOR_TYPE_UNIX 4
-#define OS_MINOR_TYPE_XSERVER 7
-
-#define RDP_CAPSET_BITMAP 2
-#define RDP_CAPLEN_BITMAP 0x1C
-
-#define RDP_CAPSET_ORDER 3
-#define RDP_CAPLEN_ORDER 0x58
-
-#define RDP_CAPSET_BMPCACHE 4
-#define RDP_CAPLEN_BMPCACHE 0x28
-
-#define RDP_CAPSET_CONTROL 5
-#define RDP_CAPLEN_CONTROL 0x0C
-
-#define RDP_CAPSET_ACTIVATE 7
-#define RDP_CAPLEN_ACTIVATE 0x0C
-
-#define RDP_CAPSET_POINTER 8
-#define RDP_CAPLEN_POINTER 0x08
-#define RDP_CAPLEN_NEWPOINTER 0x0a
-
-#define RDP_CAPSET_SHARE 9
-#define RDP_CAPLEN_SHARE 0x08
-
-#define RDP_CAPSET_COLCACHE 10
-#define RDP_CAPLEN_COLCACHE 0x08
-
-#define RDP_CAPSET_BRUSHCACHE 15
-#define RDP_CAPLEN_BRUSHCACHE 0x08
-
-#define RDP_CAPSET_BMPCACHE2 19
-#define RDP_CAPLEN_BMPCACHE2 0x28
-
-#define RDP_SOURCE "MSTSC"
-
-/* Logon flags */
-#define RDP_LOGON_AUTO 0x0008
-#define RDP_LOGON_NORMAL 0x0033
-#define RDP_LOGON_COMPRESSION 0x0080 /* mppc compression with 8kB histroy buffer */
-#define RDP_LOGON_BLOB 0x0100
-#define RDP_LOGON_COMPRESSION2 0x0200 /* rdp5 mppc compression with 64kB history buffer */
-#define RDP_LOGON_LEAVE_AUDIO 0x2000
-
-#define RDP5_DISABLE_NOTHING 0x00
-#define RDP5_NO_WALLPAPER 0x01
-#define RDP5_NO_FULLWINDOWDRAG 0x02
-#define RDP5_NO_MENUANIMATIONS 0x04
-#define RDP5_NO_THEMING 0x08
-#define RDP5_NO_CURSOR_SHADOW 0x20
-#define RDP5_NO_CURSORSETTINGS 0x40 /* disables cursor blinking */
-
-/* compression types */
-#define RDP_MPPC_BIG 0x01
-#define RDP_MPPC_COMPRESSED 0x20
-#define RDP_MPPC_RESET 0x40
-#define RDP_MPPC_FLUSH 0x80
-#define RDP_MPPC_DICT_SIZE 65536
-
-#define RDP5_COMPRESSED 0x80
-
-#ifndef _SSL_H
-#define _SSL_H
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090800f)
-#define D2I_X509_CONST const
-#else
-#define D2I_X509_CONST
-#endif
-
-#define SSL_RC4 RC4_KEY
-#define SSL_SHA1 SHA_CTX
-#define SSL_MD5 MD5_CTX
-#define SSL_CERT X509
-#define SSL_RKEY RSA
-#endif
-
-/* for win8 */
-#define KBD_FLAG_DOWN 0x4000
-#define KBD_FLAG_UP 0x8000
-#define RDP_KEYRELEASE (KBD_FLAG_DOWN | KBD_FLAG_UP)
-#define FASTPATH_INPUT_KBDFLAGS_RELEASE 1
-#define FASTPATH_INPUT_EVENT_SCANCODE 0
-#define FASTPATH_INPUT_EVENT_MOUSE 1
-#define RDP_INPUT_MOUSE 0x8001
-#define RDP_INPUT_SCANCODE 4
-
-/* iso.c */
-STREAM iso_init(int32_t length);
-void iso_send(STREAM s);
-STREAM iso_recv(uint8 * rdpver);
-BOOL iso_connect(char *server, char *username, BOOL reconnect);
-void iso_disconnect(void);
-void iso_reset_state(void);
-/* mcs.c */
-STREAM mcs_init(int32_t length);
-void mcs_send_to_channel(STREAM s, uint16 channel);
-void mcs_send(STREAM s);
-STREAM mcs_recv(uint16 * channel, uint8 * rdpver);
-BOOL mcs_connect(char *server, STREAM mcs_data, char *username, BOOL reconnect);
-void mcs_disconnect(void);
-void mcs_reset_state(void);
-/* orders.c */
-void process_orders(STREAM s, uint16 num_orders);
-void reset_order_state(void);
-/* rdesktop.c */
-void generate_random(uint8 * random);
-void *xmalloc(int32_t size);
-void exit_if_null(void *ptr);
-char *xstrdup(const char *s);
-void *xrealloc(void *oldmem, size_t size);
-void error(char *format, ...);
-void warning(char *format, ...);
-void unimpl(char *format, ...);
-void hexdump(unsigned char *p, uint32_t len);
-/* rdp.c */
-static void process_demand_active(STREAM s);
-static BOOL process_data_pdu(STREAM s, uint32 * ext_disc_reason);
-/* secure.c */
-void sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt);
-void sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2);
-void buf_out_uint32(uint8 * buffer, uint32 value);
-void sec_sign(uint8 * signature, int32_t siglen, uint8 * session_key, int32_t keylen, uint8 * data,
- int32_t datalen);
-void sec_decrypt(uint8 * data, int32_t length);
-STREAM sec_init(uint32 flags, int32_t maxlen);
-void sec_send_to_channel(STREAM s, uint32 flags, uint16 channel);
-void sec_send(STREAM s, uint32 flags);
-void sec_process_mcs_data(STREAM s);
-STREAM sec_recv(uint8 * rdpver);
-BOOL sec_connect(char *server, char *username, BOOL reconnect);
-void sec_disconnect(void);
-void sec_reset_state(void);
-/* tcp.c */
-STREAM tcp_init(uint32 maxlen);
-void tcp_send(STREAM s);
-STREAM tcp_recv(STREAM s, uint32 length);
-BOOL tcp_connect(char *server);
-void tcp_disconnect(void);
-char *tcp_get_address(void);
-void tcp_reset_state(void);
diff --git a/sasl.h b/sasl.h
index 29622d7..459a5ab 100644
--- a/sasl.h
+++ b/sasl.h
@@ -19,6 +19,7 @@
 #define AUTH_BASIC 11
 #define AUTH_LM 12
 #define AUTH_LMv2 13
+#define AUTH_UNASSIGNED 14
 #if LIBIDN
 #include
diff --git a/web/CHANGES b/web/CHANGES
deleted file mode 100644
index 76354e3..0000000
--- a/web/CHANGES
+++ /dev/null
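Review bot: `AUTH_UNASSIGNED` joins the hand-numbered AUTH_* list without a comment saying which state it denotes, and "unassigned" reads ambiguously next to the real method names (it could mean "no authentication" or "not chosen yet"); if the latter is the intent, a one-liner such as `#define AUTH_UNASSIGNED 14 /* auth method not selected yet; resolved at runtime, not a wire-level scheme */` would settle it for the next reader, with the wording confirmed against the code that consumes it (presumably the http module's new a= option named in CHANGES, though that is not visible here). The value 14 merely continues the sequence, so a later insertion can silently reuse a number; an enum would let the compiler keep the values distinct. The AUTH_* list begins before this hunk, so I cannot tell whether an existing entry already carries the "no method chosen" meaning.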
@@ -1,814 +0,0 @@ -Changelog for hydra -------------------- - - -Release 8.8 -* New web page: https://github.com/vanhauser-thc/thc-hydra -* added PROBLEMS file with known issues -* rdp: disabled the module as it does not support the current protocol. If you want to add it contact me -* ldap: fixed a dumb strlen on a potential null pointer -* http-get/http-post: - - now supports H=/h= parameters same as http-form (thanks to mathewmarcus@github for the patch) - - 403/404 errors are now always registered as failed attempts -* mysql module: a non-default port was not working, fixed -* added -w timeout support to ssh module -* fixed various memory leaks in http-form module -* corrected hydra return code to be 0 on success -* added patch from debian maintainers which fixes spellings -* fixed weird crash on x64 systems -* many warning fixes by crondaemon - - -Release 8.6 -* added radmin2 module by catatonic prime - great work! -* smb module now checks if SMBv1 is supported by the server and if signing is required -* http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch) -* Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting) -* Added new command line option: - -c TIME: seconds between login attempts (over all threads, so -t 1 is recommended) -* Options put after -R (for loading a restore file) are now honored (and were disallowed before) -* merged several patches by Diadlo@github to make the code easier readable. thanks for that! -* merged a patch by Diadlo@github that moves the help output to the invididual module - - -Release 8.5 -* New command line option: - -b : format option for -o output file (json only so far, happy for patches supporting others :) ) - thanks to veggiespam for the patch -* ./configure now honors the CC enviroment variable if present -* Fix for the restore file crash on some x64 platforms (finally! thanks to lukas227!) 
-* Changed the format of the restore file to detect cross platform copies -* Fixed a bug in the NCP module -* Favor strrchr() over rindex() -* Added refactoring patch by diadlo -* Updated man page with missing command line options - - -Release 8.4 -! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix -* Proxy support re-implemented: - - HYDRA_PROXY[_HTTP] environment can be a text file with up to 64 entries - - HYDRA_PROXY_AUTH was deprecated, set login/password in HTTP_PROXY[_HTTP] -* New protocol: adam6500 - this one is work in progress, please test and report -* New protocol: rpcap - thanks to Petar Kaleychev -* New command line options: - -y : disables -x 1aA interpretation, thanks to crondaemon for the patch - -I : ignore an existing hydra.restore file (don't wait for 10 seconds) -* hydra-svn: works now with the current libsvn version -* hydra-ssh: initial check for password auth support now uses login supplied -* Fixed dpl4hydra to be able to update from the web again -* Fixed crash when -U was used without any service (thanks to thecarterb for reporting) -* Updated default password lists -* The protocols vnc, xmpp, telnet, imap, nntp and pcanywhere got accidentially long sleep commands due a patch in 8.2, fixed -* Added special error message for clueless users :) - - -Release 8.3 -* Support for upcoming OpenSSL 1.1 added. needs testing. -* Fixed hydra redo bug (issue #113) -* Updated xhydra for new hydra features and options -* Some more command line error checking -* Ensured unneeded sockets are closed - -Release 8.2 -* Added RTSP module, thanks to jjavi89 for supplying! 
-* Added patch for ssh that fixes hydra stopping to connect, thanks to ShantonRU for the patch -* Added new -O option to hydra to support SSL servers that do not suport TLS -* Added xhydra gtk patche by Petar Kaleychev to support modules that do not use usernames -* Added patch to redis for initial service checking by Petar Kaleychev - thanks a lot! -* Added support in hydra-http for http-post (content length 0) -* Fixed important bug in http-*://server/url command line processing -* Added SSL SNI support -* Fixed bug in HTTP Form redirection following - thanks for everyone who reported and especially to Hayden Young for setting up a test page for debugging -* Better library finding in ./configure for SVN + support for Darwin Homebrew (and further enhanced) -* Fixed http-form module crash that only occurs on *BSD/OSX systems. Thanks to zdk for reporting! -* Fixed for SSL connection to support TLSv1.2 etc. -* Support for different RSA keylengths, thanks to fann95 for the patch -* Fixed a bug where the cisco-enable module was not working with the password-only logon mode -* Fixed an out of memory bug in http-form -* Fixed imap PLAIN method -* Fixed -x option to bail if it would generate too many passwords (more than 4 billion) -* Added warning if HYDRA_PROXY_CONNECT environment is detected, that is an outdated setting -* Added --fhs switch to configure (for Linux distribution usage) -* ... your patch? - - -Release 8.1 -* David Maciejak, my co-maintainer moved to a different job and country and can not help with Hydra anymore - sadly! Wish you all the best! -* Added patch from Ander Juaristi which adds h/H header options for http-form-*, great work, thanks! 
-* Fixed the -M option, works now with many many targets :-) -* -M option now supports ports, add a colon in between: "host:port", or, if IPv6, "[ipv6ipaddress]:port" -* Found login:password combinations are now printed with the name specified (hostname or IP), not always IP -* Fixed for cisco-enable if an intial Login/Password is used (thanks to joswr1te for reporting) -* Added patch by tux-mind for better MySQL compilation and an Android patches and Makefile. Thanks! -* Added xhydra gtk patches by Petar Kaleychev to support -h, -U, -f, -F, -q and -e r options, thanks! -* Added patch for teamspeak to better identify server errors and auth failures (thanks to Petar Kaleychev) -* Fixed a crash in the cisco module (thanks to Anatoly Mamaev for reporting) -* Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting) -* Updated configure to detect subversion packages on current Cygwin -* Fixed RDP module to support the port option (thanks to and.enshin(at)gmail.com) - - -Release 8.0 -! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra -* Added module for redis (submitted by Alejandro Ramos, thanks!) -* Added patch which adds Unicode support for the SMB module (thanks to Max Kosmach) -* Added initial interactive password authentication test for ssh (thanks to Joshua Houghton) -* Added patch for xhydra that adds bruteforce generator to the GUI (thanks to Petar Kaleychev) -* Target on the command line can now be a CIDR definition, e.g. 
192.168.0.0/24 -* with -M , you can now specify a port for each entry (use "target:port" per line) -* Verified that hydra compiles cleanly on QNX / Blackberry 10 :-) -* Bugfixes for -x option: - - password tries were lost when connection errors happened (thanks to Vineet Kumar for reporting) - - fixed crash when used together with -e option -* Fixed a bug that hydra would not compile without libssh (introduced in v7.6) -* Various bugfixes if many targets where attacked in parallel -* Cygwin's Postgresql is working again, hence configure detection re-enabled -* Added gcc compilation security options (if detected to be supported by configure script) -* Enhancements to the secure compilation options -* Checked code with cppcheck and fixed some minor issues. -* Checked code with Coverity. Fixed a lot of small and medium issues. - - -Release 7.6 -* Added a wizard script for hydra based on a script by Shivang Desai -* Added module for Siemens S7-300 (submitted by Alexander Timorin and Sergey Gordeychik, thanks!) 
-* HTTP HEAD/GET: MD5 digest auth was not working, fixed (thanks to Paul Kenyon) -* SMTP Enum: HELO is now always sent, better 500 error detection -* hydra main: - - fixed a bug in the IPv6 address parsing when a port was supplied - - added info message for pop3, imap and smtp protocol usage -* hydra GTK: missed some services, added -* dpl4hydra.sh: - - added Siemens S7-300 common passwords to default password list - - more broad searching in the list -* Performed code indention on all C files :-) -* Makefile patch to ensure .../etc directory is there (thanks to vonnyfly) - - -Release 7.5 -* Moved the license from GPLv3 to AGPLv3 (see LICENSE file) -* Added module for Asterisk Call Manager -* Added support for Android where some functions are not available -* hydra main: - - reduced the screen output if run without -h, full screen with -h - - fix for IPv6 and port parsing with service://[ipv6address]:port/OPTIONS - - fixed -o output (thanks to www417) - - warning if HYDRA_PROXY is defined but the module does not use it - - fixed an issue with large input files and long entries -* hydra library: - - SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems - - removed support for old OPENSSL libraries -* HTTP Form module: - - login and password values are now encoded if special characters are present - - ^USER^ and ^PASS^ are now also supported in H= header values - - if you the colon as a value in your option string, you can now escape it with \: - but do not encode a \ with \\ -* Mysql module: protocol 10 is now supported -* SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be - defined as an option "TLS" if required. This increases performance. 
-* Cisco module: fixed a small bug (thanks to Vitaly McLain) -* Postgres module: libraries on Cygwin are buggy at the moment, module is therefore - disabled on Cygwin - - -Release 7.4.3 FIX RELEASES for bugs introduced in 7.4 -* Quickfix for people who do not have libssh installed (won't compile otherwise) -* Quickfix for http-get/http-head and irc module which would not run due a new feature. -* Fix for the ssh module that breaks an endless loop if a service becomes unavailable (thanks to shark0der(at)gmail(dot)com for reporting) - - -Release 7.4 -* New module: SSHKEY - for testing for ssh private keys (thanks to deadbyte(at)toucan-system(dot)com!) -* Added support for win8 and win2012 server to the RDP module -* Better target distribution if -M is used -* Added colored output (needs libcurses) -* Better library detection for current Cygwin and OS X -* Fixed the -W option -* Fixed a bug when the -e option was used without -u, -l, -L or -C, only half of the logins were tested -* Fixed HTTP Form module false positive when no answer was received from the server -* Fixed SMB module return code for invalid hours logon and LM auth disabled -* Fixed http-{get|post-form} from xhydra -* Added OS/390 mainframe 64bit support (thanks to dan(at)danny(dot)cz) -* Added limits to input files for -L, -P, -C and -M - people were using unhealthy large files! ;-) -* Added debug mode option to usage (thanks to Anold Black) - - -Release 7.3 -* Hydra main: - - Added -F switch to quit all targets if one pair was found (for -M) - - Fixed a bug where hydra would terminate after reporting a successful - login when an account would accept any password - - Fixed a bug with very large wordlists (thanks to sheepdestroyer for reporting!) - - Enhanced the module help -* configure script: - - Added fix Oracle library inclusion, thanks to Brandon Archer! 
- - Added --nostrip option to prevent binary stripping (requested by Fedora - maintainer) -* Added a Makefile patch by the Debian maintainers to support their - SecurityHardeningBuildFlags for the wheezy build as requested -* dpl4hydra: added install directory support -* All code: message cleanups -* SNMP module - - originally already supported write and v2 although this was not in the - module help output. Added :-) - - added SNMPv3 MD5/SHA1 authentication support, though beta still -* HTTP module: - - fixed HTTP NTLM auth session - - implemented errata fix for HTTP digest md5-sess algorithm - - set default path to / -* HTTP Form module: - - set default path to / - - support HTTP/1.0 redirects - - fix failed condition check when pcre is not used -* IMAP module: fixed auth detection -* POP3 module: Updated auth and capability detection -* Oracle module: fixed bad handling -* Oracle listener module: fixed hash size handling -* Telnet/Cisco/Cisco-enable modules: support "press ENTER" prompts -* FTP module: - - Fixed a bug where 530 messages were incorrectly handled - - Clarification for the usage of ftps -* Mysql module: added patch from Redhat/Fedora that fixes compile problems -* Added IDN and PCRE support for Cygwin - - -Release 7.2 -* Speed-up http modules auth mechanism detection -* Fixed -C colonfile mode when empty login/passwords were used (thanks to - will(at)configitnow(dot)com for reporting) -* The -f switch was not working for postgres, afp, socks5, firebird and ncp, - thanks to Richard Whitcroft for reporting! -* Fixed NTLM auth in http-proxy/http-proxy-url module -* Fixed URL when being redirected in http-form module, thanks to gash(at)chaostreff(dot)at -* Fix MSSQL success login condition, thanks to whistle_master(at)live(dot)com -* Fix http form module: optional headers and 3xx status redirect, thx to Gash -* Fix in configure script for --prefix option, thanks to dazzlepod -* Update of the dpl4hydra script by Roland Kessler, thanks! 
-* Small fix for hydra man page, thanks to brad(at)comstyle(dot)com - - -Release 7.1 -* Added HTTP Proxy URL enumeration module -* Added SOCKS4/SOCKS5 proxy support with authentication -* Added IPv6 support for SOCKS5 module -* Added -e r option to try the reversed login as password -* Rewrote -x functionality as the code caused too much trouble (thanks to - murder.net7(at)gmail.com for reporting one of the issues) -* Fixed a bug with multiple hosts (-M) and http modules against targets that - are virtual servers. Well spotted by Tyler Krpata! -* Fixed SVN IPv6 support and updated deprecated calls -* Fixed RDP failed child connection returned value and false positive issues - reported by Wangchaohui, thanks! -* Fixed restore file functionality, was not working together with -o option -* Fix in http-form module for bug introduced in 7.0 -* Fixed xhydra specific parameter value for http-proxy module -* minor enhancements - - -Release 7.0 -* New main engine for hydra: better performance, flexibility and stability -* New option -u - loop around users, not passwords -* Option -e now also works with -x and -C -* Added RDP module, domain can be passed as argument -* Added other_domain option to smb module to test trusted domains -* Small enhancement for http and http-proxy module for standard ignoring servers -* Lots of bugfixes, especially with many tasks, multiple targets and restore file -* Fixes for a few http-form issues -* Fix smb module NTLM hash use -* Fixed Firebird module deprecated API call -* Fixed for dpl4hydra to work on old sed implementations (OS/X ...) 
-* Fixed makefile to install dpl4hydra (thx @sitecrea) -* Fixed local buffer overflow in debug output function (required -d to be used) -* Fixed xhydra running warnings and correct quit action event - - -Release 6.5 -* Improved HTTP form module: getting cookie, fail or success condition, follow - multiple redirections, support cookie gathering URL, multiple user defined - headers -* Added interface support for IPv6, needed for connecting to link local fe80:: - addresses. Works only on Linux and OS/X. Information for Solaris and *BSD welcome -* Added -W waittime between connects option -* The -x bruteforce mode now allows for generated password amounts > 2 billion -* Fix if -L was used together with -x -* Fixes for http- modules when the http-...://target/options format was used -* Fixed a bug in the restore file write function that could lead to a crash -* Fixed XMPP module jabber init request and challenge response check, thx "F e L o R e T" -* Fix: if a proxy was used, unresolveable targets were disabled. 
now its fine -* Fix for service://host/ usage if a colon was used after the URI without a - port defined - - -Release 6.4 -* Update SIP module to extract and use external IP addr return from server error to bypass NAT -* Update SIP module to use SASL lib -* Update email modules to check clear mode when TLS mode failed -* Update Oracle Listener module to work with Oracle DB 9.2 -* Update LDAP module to support Windows 2008 active directory simple auth -* Fix to the connection adaptation engine which would loose planned attempts -* Fix make script for CentOS, reported by ya0wei -* Print error when a service limits connections and few pairs have to be tested -* Improved Mysql module to only init/close when needed -* Added patch from the FreeBSD maintainers -* Module usage help does not need a target to be specified anymore -* Configure script now honors /etc/ld.so.conf.d/ directory -* Add more SMB dialects - - -Release 6.3 -* Added patch by Petar Kaleychev which adds nice icons to cygwin hydra files -* Added patch by Gauillaume Rousse which fixes a warning display -* New Oracle module (for databases via OCI, for TNS Listener passwd, for SID enumeration) -* New SMTP user enum module (using VRFY, EXPN or RCPT command) -* Memory leak fix for -x bruteforcing option reported by Alex Lau -* Fix for svn module, for some versions it needs one more lib, thanks to the - Debian team for reporting! 
-* Fix ssh module, on connection refused a credential could be lost -* Fix http-form module, a redirect was not always followed -* QA on all modules for memory leaks -* Better gtk detection (to not even try xhydra compilation when its useless) -* First blant attempt for configuring to x64 systems (Linux and *BSD) -* Updated network password cracker comparison on the web page (for hydra and new ncrack) -* Indented all source code - - -Release 6.2 -* Added a patch by Jan Dlabal which adds password generation bruteforcing (no more password files :-) ) -* Forgot to rename ssh2 to ssh in xhydra, fixed -* Add support for CRAM-MD5 and DIGEST-MD5 auth to ldap module -* Fix SASL PLAIN auth method issue -* Add TLS negotiation support for smtp-auth, pop3, imap, ftp and ldap -* Added man pages from Debian maintainers -* Checked Teamspeak module, works on TS2 protocol -* Add support for SCRAM-SHA1 (RFC 5802), first auth cracker to support it, yeah ! -* New module: XMPP with TLS negotiation and LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1 support -* Add SCRAM-SHA1 auth to IMAP module -* Add module usage help (-U) -* Add support for RFC 4013: Internationalized Strings in SASL ("SASLPrep") -* Rename smtpauth module to smtp -* Add SASL + TLS support for NNTP -* Bugfix SASL DIGEST-MD5, response could be wrong sometime, mainly on 64bits systems -* Bugfix rlogin module, some auth failure could not be detected accurately -* Bugfix rsh module, some auth failure could not be detected accurately -* New module: IRC is not dead ! use to find general server password and /oper credential -* Add SSL support for VMware Authentication Daemon module -* Bugfix CVS module, should work now, why does nobody report this ?? 
-* Bugfix Telnet module, when line mode is not available -* Add support for new syntax ://[:][/] -* Add TLS support for SIP -* STILL OPEN: Fixed a problem in hydra where a login+pw test was lost when an arm/child was quitting - - -Release 6.1 -* More license updates for the files for the Debian guys -* Fix for the configure script to correctly detect postgresql -* Add checks for libssh v0.4 and support for ssh v1 -* Merge all latest crypto code in sasl files -* Fix SVN compilation issue on openSUSE (tested with v11.3) - - -Release 6.0 -* Added GPL exception clause to license to allow linking to OpenSSL - Debian people need this -* IPv6 support finally added. Note: sip and socks5 modules do not support IPv6 yet -* Changes to code and configure script to ensure clean compile on Solaris 11, - OSX, FreeBSD 8.1, Cygwin and Linux -* Bugfix for SIP module, thanks to yori(at)counterhackchallenges(dot)com -* Compile fixes for systems without OpenSSL or old OpenSSL installations -* Eliminated compile time warnings -* xhydra updates to support the new features (david@) -* Added CRAM-MD5, DIGEST-MD5 auth mechanism to the smtp-auth module (david@) -* Added LOGIN, PLAIN, CRAM-(MD5,SHA1,SHA256) and DIGEST-MD5 auth mechanisms to the imap and pop3 modules (david@) -* Added APOP auth to POP3 module (david@) -* Added NTLM and DIGEST-MD5 to http-auth module and DIGEST-MD5 to http-proxy module (david@) -* Fixed VNC module for None and VLC auth (david@) -* Fixes for LDAP module (david@) -* Bugfix Telnet module linemode option negotiation using win7 (david@) -* Bugfix SSH module when max auth connection is reached (david@) - - -Release 5.9 -* Update for the subversion module for newer SVN versions (thanks to David Maciejak @ GMAIL dot com) -* Another patch by David to add the PLAIN auth mechanism to the smtp-auth module -* mysql module now has two implementations and uses a library when found (again - thanks to David Maciejak @ GMAIL dot com - what would hydra be without him) -* 
camiloculpian @ gmail dot com submitted a logo for hydra - looks cool, thanks! -* better FTP 530 error code detection -* bugfix for the SVN module for non-standard ports (again david@) - - -Release 5.8 -* Added Apple Filing Protocol (thank to "never tired" David Maciejak @ GMAIL dot com) -* Fixed a big bug in the SSL option (-S) - - -Release 5.7 -* Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com) -* Added an old patch to fix a memory from SSL and speed it up too from kan(at)dcit.cz -* Removed unnecessary compiler warnings -* Enhanced the SSH2 module based on an old patch from aris(at)0xbadc0de.be -* Fixed small local defined overflow in the teamspeak module. Does it still work anyway?? - - -Release 5.6 PRIVATE VERSION -########### -* Moved to GPLv3 License (lots of people wanted that) -* Upgraded ssh2 module to libssh-0.4.x (thanks to aris (at) 0xbadc0de.be for - the 0.2 basis) -* Added firebird support (by David Maciejak @ GMAIL dot com) -* Added SIP MD5 auth patch (by Jean-Baptiste Aviat 100 -! Soon to come: v5.0 - some cool new features to arrive on your pentest - machine! - - -Release 4.6 -########### -* Snakebyte delivered a module for Teamspeak -* Snakebyte updated the rexec module for the Hydra Palm version -* Snakebyte updated xhydra to support the new Telnet success response option -* Clarified the Licence -* Updated the ldap module to support v3, note that "ldap" is now specified as - "ldap2" or "ldap3". Added wrong version detection. - - -Release 4.5 -########### -* The configure script now detects Cygwin automatically :-) -* The telnet module now handles the OPT special input. Specify the string - which is displayed after successfully a login. Use this if you have false - positives. -* Made smtp-auth module more flexible in EHLO/HELO handling -* Fixed some glitches in the SAP/R3 module (correct sysnr, better port - handling) thanks to ngregoire@exaprobe.com ! 
-* Fixed some glitches in the http/https module -* Fixed a big bug in snakebyte's snmp module -* Warning msg is now displayed if the deprecated icq module is used -* Added warning message to the ssh2 module during compilation as many people - use the newest libssh version which is broken. - - -Release 4.4 -########### -* Fixed another floating point exception *sigh* -* Fixed -C colon mode -* Added EHLO support for the smtp-auth module, required for some smtpd - - -Release 4.3 -########### -* Fixed a divide by zero bug in the status report function -* Added functionality for skipping accounts (cvs is so nice to report this) -* Snakebyte sent in a patch for cvs for skipping nonexisting accounts -* sent in a patch to fix proxy support for the HTTP module - without proxy authentication - - -Release 4.2 -########### -* Snakebyte sent in modules for SNMP and CVS - great work! -* Snakebyte also expanded the gtk gui to support the two new modules -* Justin sent in a module for smtp-auth ... thanks! -* master_up@post.cz sent in some few patches to fix small glitches -* Incorporated a check from the openbsd port - - -Release 4.1 -########### -* Snakebyte wrote a very nice GTK GUI for hydra! enjoy! -* due a bug, sometimes hydra would kill process -1 ... baaaad boy! -* found passwords are now also printed to stdout if -o option is used -* reported that hydra wouldn't complain on ssh2 option if - compiled without support, fixed -* made an official port for FreeBSD and sent me a - diff to exchange the MD4 of libdes to openssl -* noticed that hydra will crash on big wordlists as - the result of the mallocs there were not checked, fixed -* Snakebyte expanded his PalmOS Version of hydra to nntp and fixed vnc -* Increased the wait time for children from 5 to 15 seconds, as e.g. 
- snakebyte reported detection problems -* Fixed some display glitches - - -Release v4.0 -############ -# -# This is a summary of changes of the D1 to D5 beta releases and shows -# what makes v4.0 different from 3.1. -# Have fun. Lots of it. -# -# By the way: I need someone to program a nice GTK frontend for hydra, -# would YOU like to do that and receive the fame? Send an email to vh@thc.org ! -# -* For the first time there is not only a UNIX/source release but additionally: - ! Windows release (cygwin compile with dll's) - ! PalmPilot release - ! ARM processor release (for all your Zaurus, iPaq etc. running Linux) -* There are new service attack modules: - ! ms-sql - ! sap r/3 (requires a library) - ! ssh v2 (requires a library) -* Enhancements/Fixes to service attack modules: - ! vnc module didnt work correctly, fixed - ! mysql module supports newer versions now - ! http module received a minor fix and has better virtual host support now - ! http-proxy supports now an optional URL - ! socks5 checks now for false positives and daemons without authentication -* The core code (hydra.c) was rewritten from scratch - ! rewrote the internal distribution functions from scratch. code is now - safer, less error prone, easier to read. - ! multiple target support rewritten which now includes intelligent load - balancing based on success, error and load rate - ! intelligently detect maximum connect numbers for services (per server if - multiple targets are used) - ! intelligent restore file writing - ! Faster (up to 15%) - ! Full Cygwin and Cygwin IPv6 support -* added new tool: pw-inspector - it can be used to just try passwords which - matches the target's password policy -# -# This should be more than enough! :-) -# - -... the rest below is history ... 
- -########################################################################### -# -# New Hydra v4.0 code branch -# -Release D5 -* added patches by kan@dcit.cz which enhance the proxy module and provide - a small fix for the http module -* small beautifcations to make the compiler happy -! This is the final beta version before public release - - please test everything! - -Release D4 -* Tick made an update to his configure-arm -* snakebyte@gmx.de added imap, vnc and cisco module support to PalmPilot -* fixed VNC module -* enhanced mysql module to work also with 4.0.x (and all future protocol 10 - mysql protocol types) -* enhanced socks5 module to identify daemons which do not require - authentication, and false positive check (otherwise dante would report all - tries as successful) -* fixed a bug in configure for D3 which resulted in compile problems on - several platforms requiring libcrypto - -Release D3 -* added sapr3 attack module (requires libsdk.a and saprfc.h) -* added ssh2 attack module (requires libssh) -* snakebyte@gmx.de added telnet module support for PalmPilot -* fixed the mssql module, should work now -* fixed -e option bug -* fixed -C option bug (didnt work at all!!) -* fixed double detection (with -e option) plus added simple dictionary - double detection -* target port is now displayed on start - -Release D2 -* added better virtual host support to the www/http/https/ssl module - (based on a patch from alla@scanit.be) -* added ARM support (does not work for libdes yet, ssl works), done by - Tick -* added Palm support (well, in reality it is more a rewrite which can use - the hydra-modules), done by snakebyte -* added ms-sql attack module (code based on perl script form HD Moore - , thanks for contributing) - -Release D1 (3 March 2003) -* rewrote the internal distribution functions from scratch. code is now - safer, less error prone, easier to read. 
-* multiple target support rewritten which now includes intelligent load - balancing based on success, error and load rate -* intelligently detect maximum connect numbers for services (per server if - multiple targets are used) -* intelligent restore file writing -* Faster (up to 15%) -* Full Cygwin and Cygwin IPv6 support -* added new tool: pw-inspector - it can be used to just try passwords which - matches the target's password policy - -########################################################################### - -v3.0 (FEBRUARY 2004) PUBLIC RELEASE -* added a restore function to enable you to continue aborted/crashed - sessions. Just type "hydra -R" to continue a session. - NOTE: this does not work with the -M option! This feature is then disabled! -* added a module for http proxy authentication cracking ("http-proxy") :-) -* added HTTP and SSL/CONNECT proxy support. SSL/CONNECT proxy support works - for *all* TCP protocols, you just need to find a proxy which allows you to - CONNECT on port 23 ... - The environment variable HYDRA_PROXY_HTTP defines the web proxy. The - following syntax is valid: HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" - Same for HYDRA_PROXY_CONNECT. - If you require authentication for the proxy, use the HYDRA_PROXY_AUTH - environment variable: - HYDRA_PROXY_AUTH="login:password" -* fixed parallel host scanning engine (thanks to m0j0.j0j0 for reporting) -* A status, speed and time to completion report is now printed every minute. -* finally updated the README - -v2.9 (FEBRUARY 2004) PRIVATE RELEASE -... - -v2.8 (JANUARY 2004) PRIVATE RELEASE -... - -v2.7 (JANUARY 2004) PUBLIC RELEASE -* small fix for the parallel host code (thanks to m0j0@foofus.net) - -v2.6 (DECEMBER 2003) PUBLIC RELEASE -* fixed a compiling problem for picky compilers. 
- -v2.5 (NOVEMBER 2003) PUBLIC RELEASE -* added a big patch from m0j0@foofus.net which adds: - - AAA authentication to the cisco-enable module - - Running the attacks on hosts in parallel - - new smbnt module, which uses lanman hashes for authentication, needs libdes - ! great work and thanks ! -* changed code to compile easily on FreeBSD -* changed configure to compile easily on MacOS X - Panther (cool OS btw ...) - -v2.4 (AUGUST 2003) PUBLIC RELEASE -* public release -=== 2.3 stuff=== -* added mysql module (thanks to mcbethh@u-n-f.com) -* small fix in vnc (thanks to the Nessus team) -* added credits for vnc-module (FX/Phenolite) -* new ./configure script for better Solaris and *BSD support (copied from amap) -* updated to new email/www addresses => www.thc.org - -v2.2 (OCTOBER 2002) PUBLIC RELEASE -* fixed a bug in the -P passwordfile handling ... uhhh ... thanks to all - the many people who reported that bug! -* added check if a password in -P passwordfile was already done via the - -e n|s switch - -v2.1 (APRIL 2002) PUBLIC RELEASE -* added ldap cracking mode (thanks to myself, eh ;-) -* added -e option to try null passwords ("-e n") and passwords equal to the - login ("-e s"). When specifying -e, -p/-P is optional (and vice versa) -* when a login is found, hydra will now go on with the next login - -v2.0 (APRIL 2002) PRIVATE RELEASE -! with v1.1.14 of Nessus, Hydra is a Nessus plugin! -* incorporated code to make hydra a nessus plugin (thanks to deraison@cvs.nessus.org !) -* added smb/samba/CIFS cracking mode (thanks to deraison@cvs.nessus.org !) -* added cisco-enable cracking mode (thanks to J.Marx@secunet.de !) -* minor enhancements and fixes - -v1.7 (MARCH 2002) PRIVATE RELEASE -* configure change to better detect OpenSSL -* ported to Solaris - -v1.6 (FEBRUARY 2002) PUBLIC RELEASE -* added socks5 support (thanks to bigbud@weed.tc !) 
- -v1.5 (DECEMBER 2001) PRIVATE RELEASE -* added -S option for SSL support (for all TCP based protocols) -* added -f option to stop attacking once a valid login/pw has been discovered -* made modules more hydra-mod compliant -* configure stuff thrown out - was not really used and too complicated, - wrote my own, lets hope it works everywhere ;-) - -v1.4 (DECEMBER 2001) PUBLIC RELEASE -* added REXEC cracking module -* added NNTP cracking module -* added VNC cracking module (plus the 3DES library, which is needed) - some - of the code ripped from FX/Phenolite :-) thanks a lot -* added PCNFS cracking module -* added ICQ cracking module (thanks to ocsic !!) -* for the pcnfs cracking module, I had to add the hydra_connect_udp function -* added several compactibility stuff to work with all the M$ crap - -v1.3 (September 2001) PUBLIC RELEASE -* uh W2K telnetd sends null bytes in negotiation mode. workaround implemented. -* Rewrote the finish functions which would sometimes hang. Shutdowns are faster - now as well. -* Fixed the line count (it was always one to much) -* Put more information in the outpufile (-o) -* Removed some configure crap. - -v1.2 (August 2001) PRIVATE RELEASE -* Fixed a BIG bug which resulted in accounts being checked serveral times. ugh -* Fixed the bug which showed the wrong password for a telnet hack. Works for - me. please test. -* Added http basic authentication cracking. Works for me. please test. -* Fixed the ftp cracker module for occasions where a long welcome message was - displayed for ftp. -* Removed some compiler warnings. 
- -v1.1 (May 2001) PUBLIC RELEASE -* Added wait+reconnect functionality to hydra-mod -* Additional wait+reconnect for cisco module -* Added small waittimes to all attack modules to prevent too fast reconnects -* Added cisco Username/Password support to the telnet module -* Fixed a deadlock in the modules, plus an additional one in the telnet module - -v1.0 (April 2001) PUBLIC RELEASE -* Verified that all service modules really work, no fix necessary ;-) - ... so let's make it public -* Changed the LICENCE - -v0.6 (April 2001) PRIVATE RELEASE -* Added hydra-cisco.c for the cisco 3 times "Password:" type -* Added hydra-imap.c for the imap service -* Fixed a bug in hydra-mod.c: empty logins resulted in an empty - hydra_get_next_password() :-(, additionally the blocking/recv works better - now. (no, not better - perfect ;-) -* Fixed a bug in hydra-telnet.c: too many false alarms for success due some - mis-thinking on my side and I also implemented a more flexible checking -* Fixed hydra-ftp.c to allow more weird reactions -* Fixed all ;-) memory leaks - -v0.5 (December 2000) PUBLIC RELEASE -* NOTE WE HAVE GOT A NEW WWW ADDRESS -> www.thehackerschoice.com -* added telnet protocol -* exchanged snprintf with sprintf(%.250s) to let it compile on more platforms - but still have buffer overflow protection. -* fixed a bug in Makefile.in (introduced by Plasmo ,-) - -v0.4 (August 2000) PUBLIC RELEASE -* Plasmoid added a ./configure script. thanks! - -v0.3 (August 2000) -* first release diff --git a/web/README b/web/README deleted file mode 100644 index 3847215..0000000 --- a/web/README +++ /dev/null 
@@ -1,530 +0,0 @@ - - H Y D R A - - (c) 2001-2019 by van Hauser / THC - https://github.com/vanhauser-thc/thc-hydra - many modules were written by David (dot) Maciejak @ gmail (dot) com - BFG code by Jan Dlabal - - Licensed under AGPLv3 (see LICENSE file) - - Please do not use in military or secret service organizations, - or for illegal purposes. - - - -INTRODUCTION ------------- -Number one of the biggest security holes are passwords, as every password -security study shows. -This tool is a proof of concept code, to give researchers and security -consultants the possibility to show how easy it would be to gain unauthorized -access from remote to a system. - -THIS TOOL IS FOR LEGAL PURPOSES ONLY! - -There are already several login hacker tools available, however, none does -either support more than one protocol to attack or support parallized -connects. - -It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, -FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS. - -Currently this tool supports the following protocols: - Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, - HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, - HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, - HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, - Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, - Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, - SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, - VNC and XMPP. - -However the module engine for new services is very easy so it won't take a -long time until even more services are supported. -Your help in writing, enhancing or fixing modules is highly appreciated!! 
:-) - - - -WHERE TO GET ------------- -You can always find the newest release/production version of hydra at its -project page at https://github.com/vanhauser-thc/thc-hydra/releases -If you are interested in the current development state, the public development -repository is at Github: - svn co https://github.com/vanhauser-thc/thc-hydra - or - git clone https://github.com/vanhauser-thc/thc-hydra -Use the development version at your own risk. It contains new features and -new bugs. Things might not work! - - - -HOW TO COMPILE --------------- -To configure, compile and install hydra, just type: - -``` -./configure -make -make install -``` - -If you want the ssh module, you have to setup libssh (not libssh2!) on your -system, get it from http://www.libssh.org, for ssh v1 support you also need -to add "-DWITH_SSH1=On" option in the cmake command line. -IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! - -If you use Ubuntu/Debian, this will install supplementary libraries needed -for a few optional modules (note that some might not be available on your distribution): - -``` -apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ - libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ - firebird-dev -``` - -This enables all optional modules and features with the exception of Oracle, -SAP R/3, NCP and the apple filing protocol - which you will need to download and -install from the vendor's web sites. - -For all other Linux derivates and BSD based systems, use the system -software installer and look for similarly named libraries like in the -command above. In all other cases, you have to download all source libraries -and compile them manually. - - - -SUPPORTED PLATFORMS -------------------- -- All UNIX platforms (Linux, *BSD, Solaris, etc.) -- MacOS (basically a BSD clone) -- Windows with Cygwin (both IPv4 and IPv6) -- Mobile systems based on Linux, MacOS or QNX (e.g. 
Android, iPhone, Blackberry 10, Zaurus, iPaq) - - - -HOW TO USE ----------- -If you just enter `hydra`, you will see a short summary of the important -options available. -Type `./hydra -h` to see all available command line options. - -Note that NO login/password file is included. Generate them yourself. -A default password list is however present, use "dpl4hydra.sh" to generate -a list. - -For Linux users, a GTK GUI is available, try `./xhydra` - -For the command line usage, the syntax is as follows: - For attacking one target or a network, you can use the new "://" style: - hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS - The old mode can be used for these too, and additionally if you want to - specify your targets from a text file, you *must* use this one: - -``` -hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] -``` - -Via the command line options you specify which logins to try, which passwords, -if SSL should be used, how many parallel tasks to use for attacking, etc. - -PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, -http-get or many others are available -TARGET is the target you want to attack -MODULE-OPTIONS are optional values which are special per PROTOCOL module - -FIRST - select your target - you have three options on how to specify the target you want to attack: - 1. a single target on the command line: just put the IP or DNS address in - 2. a network range on the command line: CIDR specification like "192.168.0.0/24" - 3. a list of hosts in a text file: one line per entry (see below) - -SECOND - select your protocol - Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. - Use a port scanner to see which protocols are enabled on the target. - -THIRD - check if the module has optional parameters - hydra -U PROTOCOL - e.g. hydra -U smtp - -FOURTH - the destination port - this is optional! 
if no port is supplied the default common port for the - PROTOCOL is used. - If you specify SSL to use ("-S" option), the SSL common port is used by default. - - -If you use "://" notation, you must use "[" "]" brackets if you want to supply -IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: - hydra [some command line options] ftp://[192.168.0.0/24]/ - hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM - -Note that everything hydra does is IPv4 only! -If you want to attack IPv6 addresses, you must add the "-6" command line option. -All attacks are then IPv6 only! - -If you want to supply your targets via a text file, you can not use the :// -notation but use the old style and just supply the protocol (and module options): - hydra [some command line options] -M targets.txt ftp -You can supply also the port for each target entry by adding ":" after a -target entry in the file, e.g.: - -``` -foo.bar.com -target.com:21 -unusual.port.com:2121 -default.used.here.com -127.0.0.1 -127.0.0.1:2121 -``` - -Note that if you want to attach IPv6 targets, you must supply the -6 option -and *must* put IPv6 addresses in brackets in the file(!) like this: - -``` -foo.bar.com -target.com:21 -[fe80::1%eth0] -[2001::1] -[2002::2]:8080 -[2a01:24a:133:0:00:123:ff:1a] -``` - -LOGINS AND PASSWORDS --------------------- -You have many options on how to attack with logins and passwords -With -l for login and -p for password you tell hydra that this is the only -login and/or password to try. -With -L for logins and -P for passwords you supply text files with entries. -e.g.: - -``` -hydra -l admin -p password ftp://localhost/ -hydra -L default_logins.txt -p test ftp://localhost/ -hydra -l admin -P common_passwords.txt ftp://localhost/ -hydra -L logins.txt -P passwords.txt ftp://localhost/ -``` - -Additionally, you can try passwords based on the login via the "-e" option. 
-The "-e" option has three parameters: - -``` -s - try the login as password -n - try an empty password -r - reverse the login and try it as password -``` - -If you want to, e.g. try "try login as password and "empty password", you -specify "-e sn" on the command line. - -But there are two more modes for trying passwords than -p/-P: -You can use text file which where a login and password pair is separated by a colon, -e.g.: - -``` -admin:password -test:test -foo:bar -``` - -This is a common default account style listing, that is also generated by the -dpl4hydra.sh default account file generator supplied with hydra. -You use such a text file with the -C option - note that in this mode you -can not use -l/-L/-p/-P options (-e nsr however you can). -Example: - -``` -hydra -C default_accounts.txt ftp://localhost/ -``` - -And finally, there is a bruteforce mode with the -x option (which you can not -use with -p/-P/-C): - -``` --x minimum_length:maximum_length:charset -``` - -the charset definition is `a` for lowercase letters, `A` for uppercase letters, -`1` for numbers and for anything else you supply it is their real representation. -Examples: - -``` --x 1:3:a generate passwords from length 1 to 3 with all lowercase letters --x 2:5:/ generate passwords from length 2 to 5 containing only slashes --x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers -``` - -Example: - -``` -hydra -l ftp -x 3:3:a ftp://localhost/ -``` - -SPECIAL OPTIONS FOR MODULES ---------------------------- -Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m -command line option, you can pass one option to a module. -Many modules use this, a few require it! - -To see the special option of a module, type: - - hydra -U - -e.g. - - ./hydra -U http-post-form - -The special options can be passed via the -m parameter, as 3rd command line -option or in the service://target/option format. 
- -Examples (they are all equal): - -``` -./hydra -l test -p test -m PLAIN 127.0.0.1 imap -./hydra -l test -p test 127.0.0.1 imap PLAIN -./hydra -l test -p test imap://127.0.0.1/PLAIN -``` - -RESTORING AN ABORTED/CRASHED SESSION ------------------------------------- -When hydra is aborted with Control-C, killed or crashes, it leaves a -"hydra.restore" file behind which contains all necessary information to -restore the session. This session file is written every 5 minutes. -NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. -from little endian to big endian, or from Solaris to AIX) - -HOW TO SCAN/CRACK OVER A PROXY ------------------------------- -The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works -just for the http services!). -The following syntax is valid: - -``` -HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" -HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" -HYDRA_PROXY_HTTP="proxylist.txt" -``` - -The last example is a text file containing up to 64 proxies (in the same -format definition as the other examples). - -For all other services, use the HYDRA_PROXY variable to scan/crack. -It uses the same syntax. eg: - -``` -HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port -``` - -for example: - -``` -HYDRA_PROXY=connect://proxy.anonymizer.com:8000 -HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 -HYDRA_PROXY=socksproxylist.txt -``` - -ADDITIONAL HINTS ----------------- -* sort your password files by likelihood and use the -u option to find - passwords much faster! -* uniq your dictionary files! this can save you a lot of time :-) - cat words.txt | sort | uniq > dictionary.txt -* if you know that the target is using a password policy (allowing users - only to choose a password with a minimum length of 6, containing a least one - letter and one number, etc. 
use the tool pw-inspector which comes along - with the hydra package to reduce the password list: - cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt - - -RESULTS OUTPUT --------------- - -The results are output to stdio along with the other information. Via the -o -command line option, the results can also be written to a file. Using -b, -the format of the output can be specified. Currently, these are supported: - -* `text` - plain text format -* `jsonv1` - JSON data using version 1.x of the schema (defined below). -* `json` - JSON data using the latest version of the schema, currently there - is only version 1. - -If using JSON output, the results file may not be valid JSON if there are -serious errors in booting Hydra. - - -JSON Schema ------------ -Here is an example of the JSON output. Notes on some of the fields: - -* `errormessages` - an array of zero or more strings that are normally printed - to stderr at the end of the Hydra's run. The text is very free form. -* `success` - indication if Hydra ran correctly without error (**NOT** if - passwords were detected). This parameter is either the JSON value `true` - or `false` depending on completion. -* `quantityfound` - How many username+password combinations discovered. -* `jsonoutputversion` - Version of the schema, 1.00, 1.01, 1.11, 2.00, - 2.03, etc. Hydra will make second tuple of the version to always be two - digits to make it easier for downstream processors (as opposed to v1.1 vs - v1.10). The minor-level versions are additive, so 1.02 will contain more - fields than version 1.00 and will be backward compatible. Version 2.x will - break something from version 1.x output. - -Version 1.00 example: -``` -{ - "errormessages": [ - "[ERROR] Error Message of Something", - "[ERROR] Another Message", - "These are very free form" - ], - "generator": { - "built": "2019-03-01 14:44:22", - "commandline": "hydra -b jsonv1 -o results.json ... 
...", - "jsonoutputversion": "1.00", - "server": "127.0.0.1", - "service": "http-post-form", - "software": "Hydra", - "version": "v8.5" - }, - "quantityfound": 2, - "results": [ - { - "host": "127.0.0.1", - "login": "bill@example.com", - "password": "bill", - "port": 9999, - "service": "http-post-form" - }, - { - "host": "127.0.0.1", - "login": "joe@example.com", - "password": "joe", - "port": 9999, - "service": "http-post-form" - } - ], - "success": false -} -``` - - -SPEED ------ -through the parallelizing feature, this password cracker tool can be very -fast, however it depends on the protocol. The fastest are generally POP3 -and FTP. -Experiment with the task option (-t) to speed things up! The higher - the -faster ;-) (but too high - and it disables the service) - - - -STATISTICS ----------- -Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing -295 entries (294 tries invalid logins, 1 valid). Every test was run three -times (only for "1 task" just once), and the average noted down. - -``` - P A R A L L E L T A S K S -SERVICE 1 4 8 16 32 50 64 100 128 -------- -------------------------------------------------------------------- -telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* -ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 -pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 -imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 -``` - -(*) -Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with -128 tasks, running four times resulted in timings between 28 and 97 seconds! -The reason for this is unknown... - -guesses per task (rounded up): - - 295 74 38 19 10 6 5 3 3 - -guesses possible per connect (depends on the server software and config): - - telnet 4 - ftp 6 - pop3 1 - imap 3 - - - -BUGS & FEATURES ---------------- -Hydra: -Email me or David if you find bugs or if you have written a new module. 
-vh@thc.org (and put "antispam" in the subject line) - - -You should use PGP to encrypt emails to vh@thc.org : - -``` ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v3.3.3 (vh@thc.org) - -mQINBFIp+7QBEADQcJctjohuYjBxq7MELAlFDvXRTeIqqh8kqHPOR018xKL09pZT -KiBWFBkU48xlR3EtV5fC1yEt8gDEULe5o0qtK1aFlYBtAWkflVNjDrs+Y2BpjITQ -FnAPHw0SOOT/jfcvmhNOZMzMU8lIubAVC4cVWoSWJbLTv6e0DRIPiYgXNT5Quh6c -vqhnI1C39pEo/W/nh3hSa16oTc5dtTLbi5kEbdzml78TnT0OASmWLI+xtYKnP+5k -Xv4xrXRMVk4L1Bv9WpCY/Jb6J8K8SJYdXPtbaIi4VjgVr5gvg9QC/d/QP2etmw3p -lJ1Ldv63x6nXsxnPq6MSOOw8+QqKc1dAgIA43k6SU4wLq9TB3x0uTKnnB8pA3ACI -zPeRN9LFkr7v1KUMeKKEdu8jUut5iKUJVu63lVYxuM5ODb6Owt3+UXgsSaQLu9nI -DZqnp/M6YTCJTJ+cJANN+uQzESI4Z2m9ITg/U/cuccN/LIDg8/eDXW3VsCqJz8Bf -lBSwMItMhs/Qwzqc1QCKfY3xcNGc4aFlJz4Bq3zSdw3mUjHYJYv1UkKntCtvvTCN -DiomxyBEKB9J7KNsOLI/CSst3MQWSG794r9ZjcfA0EWZ9u6929F2pGDZ3LiS7Jx5 -n+gdBDMe0PuuonLIGXzyIuMrkfoBeW/WdnOxh+27eemcdpCb68XtQCw6UQARAQAB -tB52YW4gSGF1c2VyICgyMDEzKSA8dmhAdGhjLm9yZz6JAjkEEwECACMCGwMCHgEC -F4AFAlIp/QcGCwkIAwcCBhUKCQgLAgUWAwIBAAAKCRDI8AEqhCFiv2R9D/9qTCJJ -xCH4BUbWIUhw1zRkn9iCVSwZMmfaAhz5PdVTjeTelimMh5qwK2MNAjpR7vCCd3BH -Z2VLB2Eoz9MOgSCxcMOnCDJjtCdCOeaxiASJt8qLeRMwdMOtznM8MnKCIO8X4oo4 -qH8eNj83KgpI50ERBCj/EMsgg07vSyZ9i1UXjFofFnbHRWSW9yZO16qD4F6r4SGz -dsfXARcO3QRI5lbjdGqm+g+HOPj1EFLAOxJAQOygz7ZN5fj+vPp+G/drONxNyVKp -QFtENpvqPdU9CqYh8ssazXTWeBi/TIs0q0EXkzqo7CQjfNb6tlRsg18FxnJDK/ga -V/1umTg41bQuVP9gGmycsiNI8Atr5DWqaF+O4uDmQxcxS0kX2YXQ4CSQJFi0pml5 -slAGL8HaAUbV7UnQEqpayPyyTEx1i0wK5ZCHYjLBfJRZCbmHX7SbviSAzKdo5JIl -Atuk+atgW3vC3hDTrBu5qlsFCZvbxS21PJ+9zmK7ySjAEFH/NKFmx4B8kb7rPAOM -0qCTv0pD/e4ogJCxVrqQ2XcCSJWxJL31FNAMnBZpVzidudNURG2v61h3ckkSB/fP -JnkRy/yxYWrdFBYkURImxD8iFD1atj1n3EI5HBL7p/9mHxf1DVJWz7rYQk+3czvs -IhBz7xGBz4nhpCi87VDEYttghYlJanbiRfNh3okCOAQTAQIAIgUCUin7tAIbAwYL -CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyPABKoQhYr8OIA//cvkhoKay88yS -AjMQypach8C5CvP7eFCT11pkCt1DMAO/8Dt6Y/Ts10dPjohGdIX4PkoLTkQDwBDJ -HoLO75oqj0CYLlqDI4oHgf2uzd0Zv8f/11CQQCtut5oEK72mGNzv3GgVqg60z2KR 
-2vpxvGQmDwpDOPP620tf/LuRQgBpks7uazcbkAE2Br09YrUQSCBNHy8kirHW5m5C -nupMrcvuFx7mHKW1z3FuhM8ijG7oRmcBWfVoneQgIT3l2WBniXg1mKFhuUSV8Erc -XIcc11qsKshyqh0GWb2JfeXbAcTW8/4IwrCP+VfAyLO9F9khP6SnCmcNF9EVJyR6 -Aw+JMNRin7PgvsqbFhpkq9N+gVBAufz3DZoMTEbsMTtW4lYG6HMWhza2+8G9XyaL -ARAWhkNVsmQQ5T6qGkI19thB6E/T6ZorTxqeopNVA7VNK3RVlKpkmUu07w5bTD6V -l3Ti6XfcSQqzt6YX2/WUE8ekEG3rSesuJ5fqjuTnIIOjBxr+pPxkzdoazlu2zJ9F -n24fHvlU20TccEWXteXj9VFzV/zbPEQbEqmE16lV+bO8U7UHqCOdE83OMrbNKszl -7LSCbFhCDtflUsyClBt/OPnlLEHgEE1j9QkqdFFy90l4HqGwKvx7lUFDnuF8LYsb -/hcP4XhqjiGcjTPYBDK254iYrpOSMZSIRgQQEQIABgUCUioGfQAKCRBDlBVOdiii -tuddAJ4zMrge4qzajScIQcXYgIWMXVenCQCfYTNQPGkHVyp3dMhJ0NR21TYoYMC5 -Ag0EUin7tAEQAK5/AEIBLlA/TTgjUF3im6nu/rkWTM7/gs5H4W0a04kF4UPhaJUR -gCNlDfUnBFA0QD7Jja5LHYgLdoHXiFelPhGrbZel/Sw6sH2gkGCBtFMrVkm3u7tt -x3AZlprqqRH68Y5xTCEjGRncCAmaDgd2apgisJqXpu0dRDroFYpJFNH3vw9N2a62 -0ShNakYP4ykVG3jTDC4MSl2q3BO5dzn8GYFHU0CNz6nf3gZR+48BG+zmAT77peTS -+C4Mbd6LmMmB0cuS2kYiFRwE2B69UWguLHjpXFcu9/85JJVCl2CIab7l5hpqGmgw -G/yW8HFK04Yhew7ZJOXJfUYlv1EZzR5bOsZ8Z9inC6hvFmxuCYCFnvkiEI+pOxPA -oeNOkMaT/W4W+au0ZVt3Hx+oD0pkJb5if0jrCaoAD4gpWOte6LZA8mAbKTxkHPBr -rA9/JFis5CVNI688O6eDiJqCCJjPOQA+COJI+0V+tFa6XyHPB4LxA46RxtumUZMC -v/06sDJlXMNpZbSd5Fq95YfZd4l9Vr9VrvKXfbomn+akwUymP8RDyc6Z8BzjF4Y5 -02m6Ts0J0MnSYfEDqJPPZbMGB+GAgAqLs7FrZJQzOZTiOXOSIJsKMYsPIDWE8lXv -s77rs0rGvgvQfWzPsJlMIx6ryrMnAsfOkzM2GChGNX9+pABpgOdYII4bABEBAAGJ -Ah8EGAECAAkFAlIp+7QCGwwACgkQyPABKoQhYr+hrg/9Er0+HN78y6UWGFHu/KVK -d8M6ekaqjQndQXmzQaPQwsOHOvWdC+EtBoTdR3VIjAtX96uvzCRV3sb0XPB9S9eP -gRrO/t5+qTVTtjua1zzjZsMOr1SxhBgZ5+0U2aoY1vMhyIjUuwpKKNqj2uf+uj5Y -ZQbCNklghf7EVDHsYQ4goB9gsNT7rnmrzSc6UUuJOYI2jjtHp5BPMBHh2WtUVfYP -8JqDfQ+eJQr5NCFB24xMW8OxMJit3MGckUbcZlUa1wKiTb0b76fOjt0y/+9u1ykd -X+i27DAM6PniFG8BfqPq/E3iU20IZGYtaAFBuhhDWR3vGY4+r3OxdlFAJfBG9XDD -aEDTzv1XF+tEBo69GFaxXZGdk9//7qxcgiya4LL9Kltuvs82+ZzQhC09p8d3YSQN -cfaYObm4EwbINdKP7cr4anGFXvsLC9urhow/RNBLiMbRX/5qBzx2DayXtxEnDlSC -Mh7wCkNDYkSIZOrPVUFOCGxu7lloRgPxEetM5x608HRa3hDHoe5KvUBmmtavB/aR 
-zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni -1B/y8hBSx3SVb4sQVRe3clBkfS1/mYjlldtYjzOwcd02x599KJlcChf8HnWFB7qT -zB3yrr+vYBT0uDWmxwPjiJs= -=ytEf ------END PGP PUBLIC KEY BLOCK----- -``` diff --git a/web/index.html b/web/index.html deleted file mode 100644 index 6786d7f..0000000 --- a/web/index.html +++ /dev/null @@ -1,206 +0,0 @@ - - -THC-HYDRA - fast and flexible network login hacker - -
-
-
-
-
-
-
-
- - -
-

THC-Hydra

-

- A very fast network logon cracker which support many different services. - See feature sets and services coverage page - incl. a speed comparison against ncrack and medusa
-

- Current Version: 8.6 - Last update 2017-07-21 -

-
-
-
-
- [0x00] News and Changelog
-
-
-        Check out the feature sets and services coverage page - including a speed comparison against ncrack and medusa (yes, we win :-) )
-        Development code is available at a public github repository: https://github.com/vanhauser-thc/thc-hydra
-        There is a new section below for online tutorials.
-        Read below for Linux compilation notes.
-        
-
-        CHANGELOG for 8.6
-        ===================
-        ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra
-        
-        ! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix
-        * added radmin2 module by catatonic prime - great work!
-        * smb module now checks if SMBv1 is supported by the server and if signing is required
-        * http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch)
-        * Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting)
-        * Added new command line option:
-          -c TIME: seconds between login attempts (over all threads, so -t 1 is recommended)
-        * Options put after -R (for loading a restore file) are now honored (and were disallowed before)
-        * merged several patches by Diadlo@github to make the code easier readable. thanks for that!
-        * merged a patch by Diadlo@github that moves the help output to the invididual module
-
-	You can also take a look at the full CHANGES file
-
-
- [0x01] Introduction
-
-	Welcome to the mini website of the THC Hydra project.
-
-	Number one of the biggest security holes are passwords, as every password security study shows.
-	Hydra is a parallized login cracker which supports numerous protocols to attack. New modules
-	are easy to add, beside that, it is flexible and very fast.
-
-        Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX,
-        QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.
-
-	Currently this tool supports:
-	  Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST,
-	  HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-POST, HTTPS-HEAD,
-	  HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle,
-	  PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, S7-300, SAP/R3, SIP, SMB, SMTP,
-	  SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
-
-        For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.
-
-	This tool is a proof of concept code, to give researchers and security consultants the 
-	possiblity to show how easy it would be to gain unauthorized access from remote to a system.
-
-        The program was written van Hauser and is additiionally supported by David Maciejak.
-
-
- [0x02] Screenshots
-
-	
-	(1) Target selection
-
-	
-	(2) Login/Password setup
-
-	
-	(3) Hydra start and output
-
-
- [0x03] Documentation 
- 
-	Hydra comes with a rather long README file that describes the
-	details about the usage and special options.
-	
-	But sometimes detailed online help can vastly improve your efficency.
-	The following links on the global internet are a recommended read.
-	
-          General usage and options: http://www.aldeid.com/wiki/Thc-hydra
-                                     http://resources.infosecinstitute.com/online-dictionary-attack-with-hydra/
-
-          HTTP basic auth: https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
-                           http://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html
-
-          HTTP form based auth: http://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
-                                http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
-                                http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
-                                https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
-
-          Multiple protocols: http://wiki.bywire.org/Hydra
-                              http://www.attackvector.org/brute-force-with-thc-hydra/
-                              http://www.madirish.net/content/hydra-brute-force-utility
-          
-          Telnet: http://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
-                  http://www.adeptus-mechanicus.com/codex/bflog/bflog.html
-	
-        For those people testing with DVWA, this is what you want:
-          hydra -l admin -p password   http-get-form "/dvwa/login.php:username=^USER^&password=^PASS^&submit=Login:Login failed"
-
-	If you find other good ones, just email them in ( vh(at)thc(dot)org ).
-
-
- [0x04] Disclaimer
-
-	1. Please do not use in military or secret service organizations or for illegal purposes.
-	2. The Affero General Public License Version 3 (AGPLv3) applies to this code.
-	3. A special license expansion for OpenSSL is included which is required for the Debian people
-
-
- [0x05] The Art of Downloading: Source and Binaries
- 
-	1. PRODUCTION/RELEASE VERSION:
-	   The source code of state-of-the-art Hydra: hydra-8.6.tar.gz
-	   (compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux, Android, iPhone, Blackberry 10, etc.)
-
-        2. DEVELOPMENT VERSION:
-           You can download and compile the current development version of hydra always in its public GITHUB repository:
-           https://github.com/vanhauser-thc/thc-hydra by either
-             svn co https://github.com/vanhauser-thc/thc-hydra
-           or
-             git clone https://github.com/vanhauser-thc/thc-hydra.git
-           Note that this is the development state! New features - and new bugs. Things might not work!
-
-	3. The source code of an old, deprecated version of Hydra ONLY in case v7.x gives you problems on unusual and old platforms:
-	   hydra-5.9.1-src.tar.gz
-
-	4. The Win32/Cywin binary release: --- not anymore ---
-	   Install cygwin from http://www.cygwin.com
-	   and compile it yourself. If you do not have cygwin installed - how
-	   do you think you will do proper securiy testing? duh ...
-
-        5. ARM and Palm binaries here are old and not longer maintained:
-	     ARM:  hydra-5.0-arm.tar.gz
-             Palm: hydra-4.6-palm.zip
-
-
- [0x06] Compilation Help
-
-        Hydra compiles fine on all platforms that have gcc - Linux, all BSD, Mac OS/X, Cygwin on Windows, Solaris, etc.
-        It should even compile on historical SunOS, Ultrix etc. platforms :-)
-        
-        There are many optional modules for network protocols like SSH, SVN etc. that require libraries.
-        If they are not found, these optional libraries will not be supported in your binary.
-        
-        If you are on Linux, the following commands install all necessary libraries:
- 
-        Ubuntu/Debian:  apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev
-        Redhat/Fedora:  yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel
-        OpenSuSE:       zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel
-        
-        This enables all optional modules and features with the exception of Oracle, SAP R/3 and the
-        Apple filing protocol - which you will need to download and install from the vendor's web sites.
-        For Oracle this is (install the basic and SDK packages): http://www.oracle.com/technetwork/database/features/instant-client/index.html
-
-        For all other Linux derivates and BSD based systems, use the system software installer and look for
-        similar named libraries like in the command above.
-        In all other cases you have to download all source libraries and compile them manually; 
-        the configure script output tells you what is missing and where to get it from.
-        
-
- [0x07] Development & Contributions
-
-	Your contributions are more than welcomed!
-	
-	If you find bugs, coded enhancements or wrote a new attack module for a service,
-	please send them to vh (at) thc (dot) org
-
-	Interesting attack modules would be:
-	OSPF, BGP, PIM, PPTP, ...
-	(or anything else you might be able to do (and is not there yet))
-	
-	Please note that you can also download and commit via github: https://github.com/vanhauser-thc/thc-hydra
-
- 
- Comments and suggestions are welcome.
-
- Yours sincerly,
-
- van Hauser
- The Hackers Choice
- http://www.thc.org/thc-hydra
-
-
-
diff --git a/web/network_password_cracker_comparison.html b/web/network_password_cracker_comparison.html
deleted file mode 100644
index ac3aa69..0000000
--- a/web/network_password_cracker_comparison.html
+++ /dev/null
@@ -1,917 +0,0 @@
- - - - - - - - - - - - State of network password cracker art - Comparison Of Features and Services - hydra - - - - - - - -
-
-
- -

Comparison of Features and Services Coverage

- - - -
-
-

Contents

- -
-

Introduction

-

Hydra is born more than 10 years ago, this page is used as a recap of the functionalities it provides, but also -the differences in feature sets, services coverage and code between the most -popular network authentication cracker tools available. Each feature is compared against -Hydra as of the current version. This table is updated as new -features are added to the project. If you find any inaccuracies - on this page please do not hesitate to contact us. -

Below, Yes means it is supported, No means it is not supported, Unknown means the support is partial -

-

- -

Code Comparison

-

This table just lists latest available versions and platforms compatibility.

- - - - - - - - - - -
Code - Hydra - Medusa - Ncrack -
Version - 8.6 - 2.2 - 0.4 alpha -
Last Update - July 2017 - November 2015 - April 2011 -
Supported Platforms - Linux, *BSD, Solaris, Mac OS X, any Unix, Windows (Cygwin) - Linux, *BSD, Solaris and Mac OS X - Linux, *BSD, Mac OS X, Windows -

- -

Features Table

-

This table lists the feature sets of each tools. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Feature - Hydra - Medusa - Ncrack -
License - AGPLv3 - GPLv2 - GPLv2 + Nmap terms -
IPv6 Support -Yes -No -Yes -
Graphic User Interface -Yes -Yes -No -
Internationalized support (RFC 4013) -Yes -No -No -
HTTP proxy support -Yes -Yes -No -
SOCKS proxy support -Yes -No -No -
# of supported protocols - 51 - 22 - 7 -

- -

Services Coverage

-

This table lists the services coverage of each tools. For each services, many authentication methods are possible. If you require other ways or find issues in Hydra, please -contact us as the service depends on RFC implementations, some adjustements may be needed. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Service - Details - Hydra - Medusa - Ncrack -
ADAM-6500 - -Yes -No -No -
AFP - -Yes -Yes -No -
Asterisk - -Yes -No -No -
Cisco Password - -Yes -No -No -
Cisco Enable - -Yes -No -No -
CVS - -Yes -Yes -No -
Firebird - -Yes -No -No -
FTP -Yes -Yes -Yes -
SSL supportAUTH TLS & FTP over SSL -AUTH TLS & FTP over SSL -No -
HTTP -Method(s)GET, HEAD, POST -GET -GET -
Basic AuthYes -Yes -Yes -
DIGEST-MD5 AuthYes -Yes -No -
NTLM AuthYes -Yes -No -
SSL supportHTTPS -HTTPS -HTTPS -
HTTP Form -Method(s)GET, POST -GET, POST -No -
SSL supportHTTPS -HTTPS -No -
HTTP Proxy -Basic AuthYes -No -No -
DIGEST-MD5 AuthYes -No -No -
NTLM AuthYes -No -No -
SSL supportHTTPS -No -No -
HTTP PROXY URL Enumeration - -Yes -No -No -
ICQ -v5 -Yes 1 -No -No -
IMAP -LOGIN supportYes -Yes -No -
AUTH LOGIN supportYes -No -No -
AUTH PLAIN supportYes -Yes -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH CRAM-SHA1 supportYes -No -No -
AUTH CRAM-SHA256 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH NTLM supportYes -Yes -No -
AUTH SCRAM-SHA1 supportYes -No -No -
SSL supportIMAPS & STARTTLS -IMAPS & STARTTLS -No -
IRC -General server password -Yes -No -No -
OPER mode password -Yes -No -No -
LDAP -v2, Simple supportYes -No -No -
v3, Simple supportYes -No -No -
v3, AUTH CRAM-MD5 supportYes -No -No -
v3, AUTH DIGEST-MD5 supportYes -No -No -
MS-SQL - -Yes -Yes -No -
MySQL -v3.x -Yes -Yes -No -
v4.x -Yes -Yes -No -
v5.x -Yes -Yes -No -
NCP - -Yes -Yes -No -
NNTP -USER support -Yes -Yes -No -
AUTH LOGIN support -Yes -No -No -
AUTH PLAIN support -Yes -No -No -
AUTH CRAM-MD5 support -Yes -No -No -
AUTH DIGEST-MD5 support -Yes -No -No -
AUTH NTLM support -Yes -No -No -
SSL support -STARTTLS & NNTP over SSL -No -No -
Oracle -DatabaseYes -Yes 2 -No -
TNS ListenerYes -No -No -
SID EnumerationYes -No -No -
PC-NFS -Yes -No -No -
pcAnywhere -Native Authentication -Yes 1 -Yes -No -
OS Based Authentication (MS) -No -Yes -No -
POP3 -USER supportYes -Yes -Yes -
APOP supportYes -No -No -
AUTH LOGIN supportYes -Yes -No -
AUTH PLAIN supportYes -Yes -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH CRAM-SHA1 supportYes -No -No -
AUTH CRAM-SHA256 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH NTLM supportYes -Yes -No -
SSL SupportPOP3S & STARTTLS -POP3S & STARTTLS -POP3S -
PostgreSQL - -Yes -Yes -No -
Asterisk - -Yes -No -No -
RDP -Windows Workstation -Yes -Yes 2 -Yes -
Windows Server -Yes -Yes 2 -Partial -
Domain Auth -Yes -Yes 2 -No -
REDIS - -Yes -No -No -
REXEC - -Yes -Yes -No -
RLOGIN - -Yes -Yes -No -
RPCAP - -Yes -No -No -
RSH - -Yes -Yes -No -
RTSP - -Yes -No -No -
SAP R/3 - -Yes 1 -No -No -
Siemens S7-300 - -Yes -No -No -
SIP -Yes 1 -No -No -
SSL supportSIP over SSL -No -No -
SMB -NetBIOS ModeYes -Yes -No -
W2K Native ModeYes -Yes -Yes -
Hash modeYes -Yes -No -
Clear Text AuthYes -Yes -No -
LMv1 AuthYes -Yes -Yes -
LMv2 AuthYes -Yes -Yes -
NTLMv1 AuthYes -Yes -Yes -
NTLMv2 AuthYes -Yes -Yes -
SMTP -AUTH LOGIN supportYes -Yes -No -
AUTH PLAIN supportYes -Yes -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH NTLM supportYes -Yes -No -
SSL supportSMTPS & STARTTLS -SMTPS & STARTTLS -No -
SMTP User Enum -VRFY cmdYes -Yes -No -
EXPN cmdYes -Yes -No -
RCPT TO cmdYes -Yes -No -
SNMP -v1 -Yes -Yes -No -
v2c -Yes -Yes -No -
v3 -Partial (MD5/SHA1 auth only)(MD5/SHA1 auth only) -No -No -
SOCKS -v5, Password Auth -Yes -No -No -
SSH -v1Yes -No -No -
v2Yes -Yes -Yes -
SSH Keys -v1, v2 -Yes -No -No -
Subversion (SVN) - -Yes -Yes -No -
TeamSpeak -TS2 -Yes 1 -No -No -
Telnet - -Yes -Yes -Yes -
XMPP -AUTH LOGIN supportYes -No -No -
AUTH PLAIN supportYes -No -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH SCRAM-SHA1 supportYes -No -No -
VMware Auth Daemon -v1.00 / v1.10 -Yes -Yes -No -
SSL support -Yes -Yes -No -
VNC -RFB 3.x password support -Yes -Yes -No -
RFB 3.x user+password support -No -Partial(UltraVNC only) -No -
RFB 4.x password support -Yes -Yes -No -
RFB 4.x user+password support -No -Partial(UltraVNC only) -No -

- -

Speed Comparison

-

This table gives some speed data (in second) for 2 popular services supported by each cracking tool (as of September 2011). The value displayed is the min value of 3 consecutive runs. -Each tool was configured to run 1, 4 and 16 task(s)/job(s) at a time. A login and password lists corresponding to 20 attempts was used. The smaller the value the better.

- - - - - - - - - - - - - - - - -
Speed (in s) - Hydra - Medusa - Ncrack -
1 Task / FTP module - 11.93 - 12.97 - 18.01 -
4 Tasks / FTP module - 4.20 - 5.24 - 9.01 -
16 Tasks / FTP module - 2.44 - 2.71 - 12.01 -
1 Task / SSH v2 module - 32.56 - 33.84 - 45.02 -
4 Tasks / SSH v2 module - 10.95 - Broken - Missed -
16 Tasks / SSH v2 module - 5.14 - Broken - Missed -

- - -

Notes

-
  1. These Hydra modules have not been checked with latest version of softwares/protocols available. -
  2. -
  3. Medusa support is relying on a script or a wrapper. -
- -
- -
-
-
-
- -
- -
- -
diff --git a/web/webfiles/css/commonPrint.css b/web/webfiles/css/commonPrint.css
deleted file mode 100644
index ecf146d..0000000
--- a/web/webfiles/css/commonPrint.css
+++ /dev/null
@@ -1,267 +0,0 @@ -/* -** MediaWiki Print style sheet for CSS2-capable browsers. -** Copyright Gabriel Wicke, http://www.aulinx.de/ -** -** Derived from the plone (http://plone.org/) styles -** Copyright Alexander Limi -*/ - -/* Thanks to A List Apart (http://alistapart.com/) for useful extras */ -a.stub, -a.new{ color:#ba0000; text-decoration:none; } - -#toc { - /*border:1px solid #2f6fab;*/ - border:1px solid #aaaaaa; - background-color:#f9f9f9; - padding:5px; -} -.tocindent { - margin-left: 2em; -} -.tocline { - margin-bottom: 0px; -} - -/* images */ -div.floatright { - float: right; - clear: right; - margin: 0; - position:relative; - border: 0.5em solid White; - border-width: 0.5em 0 0.8em 1.4em; -} -div.floatright p { font-style: italic;} -div.floatleft { - float: left; - margin: 0.3em 0.5em 0.5em 0; - position:relative; - border: 0.5em solid White; - border-width: 0.5em 1.4em 0.8em 0; -} -div.floatleft p { font-style: italic; } -/* thumbnails */ -div.thumb { - margin-bottom: 0.5em; - border-style: solid; border-color: White; - width: auto; - overflow: hidden; -} -div.thumb div { - border:1px solid #cccccc; - padding: 3px !important; - background-color:#f9f9f9; - font-size: 94%; - text-align: center; -} -div.thumb div a img { - border:1px solid #cccccc; -} -div.thumb div div.thumbcaption { - border: none; - padding: 0.3em 0 0.1em 0; -} -div.magnify { display: none; } -div.tright { - float: right; - clear: right; - border-width: 0.5em 0 0.8em 1.4em; -} -div.tleft { - float: left; - margin-right:0.5em; - border-width: 0.5em 1.4em 0.8em 0; -} -img.thumbborder { - border: 1px solid #dddddd; -} - -/* table standards */ -table.rimage { - float:right; - width:1pt; - position:relative; - margin-left:1em; - margin-bottom:1em; - text-align:center; -} - -body { - background: White; - /*font-size: 11pt !important;*/ - color: Black; - margin: 0; - padding: 0; -} - -.noprint, -div#jump-to-nav, -div.top, -div#column-one, -#colophon, -.editsection, -.toctoggle, -.tochidden, 
-div#f-poweredbyico, -div#f-copyrightico, -li#viewcount, -li#about, -li#disclaimer, -li#privacy { - /* Hides all the elements irrelevant for printing */ - display: none; -} - -ul { - list-style-type: square; -} - -#content { - background: none; - border: none ! important; - padding: 0 ! important; - margin: 0 ! important; -} -#footer { - background : white; - color : black; - border-top: 1px solid black; -} - -h1, h2, h3, h4, h5, h6 { - font-weight: bold; -} - -p, .documentDescription { - margin: 1em 0 ! important; - line-height: 1.2em; -} - -.tocindent p { - margin: 0 0 0 0 ! important; -} - -pre { - border: 1pt dashed black; - white-space: pre; - font-size: 8pt; - overflow: auto; - padding: 1em 0; - background : white; - color : black; -} - -table.listing, -table.listing td { - border: 1pt solid black; - border-collapse: collapse; -} - -a { - color: Black !important; - background: none !important; - padding: 0 !important; -} - -a:link, a:visited { - color: #520; - background: transparent; - text-decoration: underline; -} - -#content a.external.text:after, #content a.external.autonumber:after { - /* Expand URLs for printing */ - content: " (" attr(href) ") "; -} - -#globalWrapper { - width: 100% !important; - min-width: 0 !important; -} - -#content { - background : white; - color : black; -} - -#column-content { - margin: 0 !important; -} - -#column-content #content { - padding: 1em; - margin: 0 !important; -} -/* MSIE/Win doesn't understand 'inherit' */ -a, a.external, a.new, a.stub { - color: black ! important; - text-decoration: none ! important; -} - -/* Continue ... */ -a, a.external, a.new, a.stub { - color: inherit ! important; - text-decoration: inherit ! 
important; -} - -img { border: none; } -img.tex { vertical-align: middle; } -span.texhtml { font-family: serif; } - -#siteNotice { display: none; } - -table.gallery { - border: 1px solid #cccccc; - margin: 2px; - padding: 2px; - background-color:#ffffff; -} - -table.gallery tr { - vertical-align:top; -} - -div.gallerybox { - border: 1px solid #cccccc; - margin: 2px; - background-color:#f9f9f9; - width: 150px; -} - -div.gallerybox div.thumb { - text-align: center; - border: 1px solid #cccccc; - margin: 2px; -} - -div.gallerytext { - font-size: 94%; - padding: 2px 4px; -} - -/* -** Diff rendering -*/ -table.diff { background:white; } -td.diff-otitle { background:#ffffff; } -td.diff-ntitle { background:#ffffff; } -td.diff-addedline { - background:#ccffcc; - font-size: smaller; - border: solid 2px black; -} -td.diff-deletedline { - background:#ffffaa; - font-size: smaller; - border: dotted 2px black; -} -td.diff-context { - background:#eeeeee; - font-size: smaller; -} -.diffchange { - color: silver; - font-weight: bold; - text-decoration: underline; -} diff --git a/web/webfiles/css/index.css b/web/webfiles/css/index.css deleted file mode 100644 index f010367..0000000 --- a/web/webfiles/css/index.css +++ /dev/null @@ -1,2 +0,0 @@ -/* generated user stylesheet */ -a.new, #quickbar a.new { color: #CC2200; } diff --git a/web/webfiles/css/index_002.css b/web/webfiles/css/index_002.css deleted file mode 100644 index aba5a86..0000000 --- a/web/webfiles/css/index_002.css +++ /dev/null @@ -1 +0,0 @@ -/* CSS placed here will affect the print output */ \ No newline at end of file diff --git a/web/webfiles/css/index_003.css b/web/webfiles/css/index_003.css deleted file mode 100644 index bf5c91c..0000000 --- a/web/webfiles/css/index_003.css +++ /dev/null @@ -1 +0,0 @@ -/** CSS placed here will be applied to all skins */ \ No newline at end of file diff --git a/web/webfiles/css/index_004.css b/web/webfiles/css/index_004.css deleted file mode 100644 index 3b97146..0000000 
--- a/web/webfiles/css/index_004.css
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
 */
-#footer { text-align: center; border: none; padding: 0; }
-#p-cactions li.selected { border-color: #708090; padding: 0 0 .2em 0; font-weight: bold; }
-pre
-{
-    generic-family: "Envy Code R", "Liberation Mono", Consolas, "Lucida Console", monospace;
-
-    /* border: 1px solid #dbdbdb; */
-
-    border: 1px solid #cfcfcf;
-    background-color: #fefefe;
-    line-height: 1.1em;
-    padding: 0.55em;
-/*
-    -moz-border-radius-topright: 0.5em;
-    -webkit-border-top-right-radius: 0.5em;
-    border-radius-topright: 0.5em;
-*/
-}
-/** 
*/ \ No newline at end of file diff --git a/web/webfiles/css/main.css b/web/webfiles/css/main.css deleted file mode 100644 index a864cc9..0000000 --- a/web/webfiles/css/main.css +++ /dev/null @@ -1,1461 +0,0 @@ -/* -** MediaWiki 'monobook' style sheet for CSS2-capable browsers. -** Copyright Gabriel Wicke - http://wikidev.net/ -** License: GPL (http://www.gnu.org/copyleft/gpl.html) -** -** Loosely based on http://www.positioniseverything.net/ordered-floats.html by Big John -** and the Plone 2.0 styles, see http://plone.org/ (Alexander Limi,Joe Geldart & Tom Croucher, -** Michael Zeltner and Geir Bækholt) -** All you guys rock :) -*/ - -#column-content { - width: 100%; - float: right; - margin: 0 0 .6em -12.2em; - padding: 0; -} - -#content { - margin: 2.2em 0 0 2.2em; - padding: 0 1em 1.5em 1em; - background: white; - color: black; - border: 1px solid #aaa; - border-right: none; - line-height: 1.5em; - position: relative; - z-index: 2; -} - -#column-one { - padding-top: 30px; -} - -#content { - background: white; - color: black; - border: 1px solid #aaa; - border-right: none; - line-height: 1.5em; -} - -/* Font size: -** We take advantage of keyword scaling- browsers won't go below 9px -** More at http://www.w3.org/2003/07/30-font-size -** http://style.cleverchimp.com/font_size_intervals/altintervals.html -*/ - -body { - font: x-small sans-serif; - background-color: #ffffff; - font-family: Verdana, helvetica, sans-serif; - font-size: 10px; - color: black; - margin: 0; - padding: 0; -} - -/* scale back up to a sane default */ -#globalWrapper { - font-size: 127%; - width: 100%; - margin: 0; - padding: 0; -} -.visualClear { - clear: both; -} - -/* general styles */ - -table { - font-size: 100%; - color: black; - /* we don't want the bottom borders of

s to be visible through - floated tables */ - background-color: white; -} -fieldset table { - /* but keep table layouts in forms clean... */ - background: none; -} - -a:link, a:visited, a:active { text-decoration: underline; color: #173F99 } -a:hover { color: #505050 } - -a.stub { - color: #772233; -} -a.new, #p-personal a.new { - color: #ba0000; -} -a.new:visited, #p-personal a.new:visited { - color: #a55858; -} - -img { - border: none; - vertical-align: middle; -} -p { - margin: .4em 0 .5em 0; - line-height: 1.5em; -} -p img { - margin: 0; -} - -hr { - height: 1px; - color: #aaa; - background-color: #aaa; - border: 0; - margin: .2em 0 .2em 0; -} - -h1, h2, h3, h4, h5, h6 { - color: black; - background: none; - font-weight: normal; - margin: 0; - padding-top: .5em; - padding-bottom: .17em; - border-bottom: 1px solid #aaa; -} -h1 { font-size: 188%; } -h1 .editsection { font-size: 53%; } -h2 { font-size: 150%; } -h2 .editsection { font-size: 67%; } -h3, h4, h5, h6 { - border-bottom: none; - font-weight: bold; -} -h3 { font-size: 132%; } -h3 .editsection { font-size: 76%; font-weight: normal; } -h4 { font-size: 116%; } -h4 .editsection { font-size: 86%; font-weight: normal; } -h5 { font-size: 100%; } -h5 .editsection { font-weight: normal; } -h6 { font-size: 80%; } -h6 .editsection { font-size: 125%; font-weight: normal; } - -ul { - line-height: 1.5em; - list-style-type: square; - margin: .3em 0 0 1.5em; - padding: 0; - list-style-image: url(bullet.gif); -} -ol { - line-height: 1.5em; - margin: .3em 0 0 3.2em; - padding: 0; - list-style-image: none; -} -li { - margin-bottom: .1em; -} -dt { - font-weight: bold; - margin-bottom: .1em; -} -dl { - margin-top: .2em; - margin-bottom: .5em; -} -dd { - line-height: 1.5em; - margin-left: 2em; - margin-bottom: .1em; -} - -fieldset { - border: 1px solid #2f6fab; - margin: 1em 0 1em 0; - padding: 0 1em 1em; - line-height: 1.5em; -} -fieldset.nested { - margin: 0 0 0.5em 0; - padding: 0 0.5em 0.5em; -} -legend { - padding: .5em; 
- font-size: 95%; -} -form { - border: none; - margin: 0; -} - -textarea { - width: 100%; - padding: .1em; -} - -input.historysubmit { - padding: 0 .3em .3em .3em !important; - font-size: 94%; - cursor: pointer; - height: 1.7em !important; - margin-left: 1.6em; -} -select { - vertical-align: top; -} -abbr, acronym, .explain { - border-bottom: 1px dotted black; - color: black; - background: none; - cursor: help; -} -q { - font-family: Times, "Times New Roman", serif; - font-style: italic; -} -/* disabled for now -blockquote { - font-family: Times, "Times New Roman", serif; - font-style: italic; -}*/ -code { - background-color: #f9f9f9; -} -pre { - padding: 1em; - border: 1px dashed #2f6fab; - color: black; - background-color: #f9f9f9; - line-height: 1.1em; -} - -/* -** the main content area -*/ - -#siteSub { - display: none; -} -#jump-to-nav { - display: none; -} - -#contentSub, #contentSub2 { - font-size: 84%; - line-height: 1.2em; - margin: 0 0 1.4em 1em; - color: #7d7d7d; - width: auto; -} -span.subpages { - display: block; -} - -/* Some space under the headers in the content area */ -#bodyContent h1, #bodyContent h2 { - margin-bottom: .6em; -} -#bodyContent h3, #bodyContent h4, #bodyContent h5 { - margin-bottom: .3em; -} -.firstHeading { - margin-bottom: .1em; - /* These two rules hack around bug 2013 (fix for more limited bug 11325). - When bug 2013 is fixed properly, they should be removed. 
*/ - line-height: 1.2em; - padding-bottom: 0; -} - -/* user notification thing */ -.usermessage { - background-color: #ffce7b; - border: 1px solid #ffa500; - color: black; - font-weight: bold; - margin: 2em 0 1em; - padding: .5em 1em; - vertical-align: middle; -} -#siteNotice { - text-align: center; - font-size: 95%; - padding: 0 .9em; -} -#siteNotice p { - margin: 0; - padding: 0; -} -.success { - color: green; - font-size: larger; -} -.error { - color: red; - font-size: larger; -} -.errorbox, .successbox { - font-size: larger; - border: 2px solid; - padding: .5em 1em; - float: left; - margin-bottom: 2em; - color: #000; -} -.errorbox { - border-color: red; - background-color: #fff2f2; -} -.successbox { - border-color: green; - background-color: #dfd; -} -.errorbox h2, .successbox h2 { - font-size: 1em; - font-weight: bold; - display: inline; - margin: 0 .5em 0 0; - border: none; -} - -.catlinks { - border: 1px solid #aaa; - background-color: #f9f9f9; - padding: 5px; - margin-top: 1em; - clear: both; -} -/* currently unused, intended to be used by a metadata box -in the bottom-right corner of the content area */ -.documentDescription { - /* The summary text describing the document */ - font-weight: bold; - display: block; - margin: 1em 0; - line-height: 1.5em; -} -.documentByLine { - text-align: right; - font-size: 90%; - clear: both; - font-weight: normal; - color: #76797c; -} - -/* emulate center */ -.center { - width: 100%; - text-align: center; -} -*.center * { - margin-left: auto; - margin-right: auto; -} -/* small for tables and similar */ -.small, .small * { - font-size: 94%; -} -table.small { - font-size: 100%; -} - -/* -** content styles -*/ - -#toc, -.toc, -.mw-warning { - border: 1px solid #aaa; - background-color: #f9f9f9; - padding: 5px; - font-size: 95%; -} -#toc h2, -.toc h2 { - display: inline; - border: none; - padding: 0; - font-size: 100%; - font-weight: bold; -} -#toc #toctitle, -.toc #toctitle, -#toc .toctitle, -.toc .toctitle { - text-align: 
center; -} -#toc ul, -.toc ul { - list-style-type: none; - list-style-image: none; - margin-left: 0; - padding-left: 0; - text-align: left; -} -#toc ul ul, -.toc ul ul { - margin: 0 0 0 2em; -} -#toc .toctoggle, -.toc .toctoggle { - font-size: 94%; -} - -.mw-warning { - margin-left: 50px; - margin-right: 50px; - text-align: center; -} - -/* images */ -div.floatright, table.floatright { - clear: right; - float: right; - position: relative; - margin: 0 0 .5em .5em; - border: 0; -/* - border: .5em solid white; - border-width: .5em 0 .8em 1.4em; -*/ -} -div.floatright p { font-style: italic; } -div.floatleft, table.floatleft { - float: left; - clear: left; - position: relative; - margin: 0 .5em .5em 0; - border: 0; -/* - margin: .3em .5em .5em 0; - border: .5em solid white; - border-width: .5em 1.4em .8em 0; -*/ -} -div.floatleft p { font-style: italic; } -/* thumbnails */ -div.thumb { - margin-bottom: .5em; - border-style: solid; - border-color: white; - width: auto; -} -div.thumbinner { - border: 1px solid #ccc; - padding: 3px !important; - background-color: #f9f9f9; - font-size: 94%; - text-align: center; - overflow: hidden; -} -html .thumbimage { - border: 1px solid #ccc; -} -html .thumbcaption { - border: none; - text-align: left; - line-height: 1.4em; - padding: 3px !important; - font-size: 94%; -} -div.magnify { - float: right; - border: none !important; - background: none !important; -} -div.magnify a, div.magnify img { - display: block; - border: none !important; - background: none !important; -} -div.tright { - clear: right; - float: right; - border-width: .5em 0 .8em 1.4em; -} -div.tleft { - float: left; - clear: left; - margin-right: .5em; - border-width: .5em 1.4em .8em 0; -} -img.thumbborder { - border: 1px solid #dddddd; -} -.hiddenStructure { - display: none; -} - -/* -** classes for special content elements like town boxes -** intended to be referenced directly from the wiki src -*/ - -/* -** User styles -*/ -/* table standards */ -table.rimage { - 
float: right; - position: relative; - margin-left: 1em; - margin-bottom: 1em; - text-align: center; -} -.toccolours { - border: 1px solid #aaa; - background-color: #f9f9f9; - padding: 5px; - font-size: 95%; -} - -/* -** edit views etc -*/ -.special li { - line-height: 1.4em; - margin: 0; - padding: 0; -} - -/* -** keep the whitespace in front of the ^=, hides rule from konqueror -** this is css3, the validator doesn't like it when validating as css2 -*/ -#bodyContent a.external, -#bodyContent a[href ^="gopher://"] { - background: url(external.png) center right no-repeat; - padding-right: 13px; -} -#bodyContent a[href ^="https://"], -.link-https { - background: url(lock_icon.gif) center right no-repeat; - padding-right: 16px; -} -#bodyContent a[href ^="mailto:"], -.link-mailto { - background: url(mail_icon.gif) center right no-repeat; - padding-right: 18px; -} -#bodyContent a[href ^="news://"] { - background: url(news_icon.png) center right no-repeat; - padding-right: 18px; -} -#bodyContent a[href ^="ftp://"], -.link-ftp { - background: url(file_icon.gif) center right no-repeat; - padding-right: 18px; -} -#bodyContent a[href ^="irc://"], -#bodyContent a.extiw[href ^="irc://"], -.link-irc { - background: url(discussionitem_icon.gif) center right no-repeat; - padding-right: 18px; -} -#bodyContent a.external[href $=".ogg"], #bodyContent a.external[href $=".OGG"], -#bodyContent a.external[href $=".mid"], #bodyContent a.external[href $=".MID"], -#bodyContent a.external[href $=".midi"], #bodyContent a.external[href $=".MIDI"], -#bodyContent a.external[href $=".mp3"], #bodyContent a.external[href $=".MP3"], -#bodyContent a.external[href $=".wav"], #bodyContent a.external[href $=".WAV"], -#bodyContent a.external[href $=".wma"], #bodyContent a.external[href $=".WMA"], -.link-audio { - background: url("audio.png") center right no-repeat; - padding-right: 13px; -} -#bodyContent a.external[href $=".ogm"], #bodyContent a.external[href $=".OGM"], -#bodyContent a.external[href 
$=".avi"], #bodyContent a.external[href $=".AVI"], -#bodyContent a.external[href $=".mpeg"], #bodyContent a.external[href $=".MPEG"], -#bodyContent a.external[href $=".mpg"], #bodyContent a.external[href $=".MPG"], -.link-video { - background: url("video.png") center right no-repeat; - padding-right: 13px; -} -#bodyContent a.external[href $=".pdf"], #bodyContent a.external[href $=".PDF"], -#bodyContent a.external[href *=".pdf#"], #bodyContent a.external[href *=".PDF#"], -#bodyContent a.external[href *=".pdf?"], #bodyContent a.external[href *=".PDF?"], -.link-document { - background: url("document.png") center right no-repeat; - padding-right: 12px; -} - -/* disable interwiki styling */ -#bodyContent a.extiw, -#bodyContent a.extiw:active { - color: #36b; - background: none; - padding: 0; -} -#bodyContent a.external { - color: #36b; -} -/* this can be used in the content area to switch off -special external link styling */ -#bodyContent .plainlinks a { - background: none !important; - padding: 0 !important; -} - -/* -** the personal toolbar -*/ - -#p-personal { - width: 100%; - white-space: nowrap; - padding: 0; - margin: 0; - position: absolute; - top: 9.2em; - z-index: 0; - border: none; - background: none; - overflow: visible; - line-height: 1.2em; -} - -#p-personal h5 { - display: none; -} -#p-personal .portlet, -#p-personal .pBody { - padding: 0; - margin: 0; - border: none; - z-index: 0; - overflow: visible; - background: none; -} -/* this is the ul contained in the portlet */ -#p-personal ul { - border: none; - line-height: 1.4em; - color: #2f6fab; - padding: 0 2em 0 3em; - margin: 0; - text-align: right; - text-transform: lowercase; - list-style: none; - z-index: 0; - background: none; - cursor: default; -} -#p-personal li { - z-index: 0; - border: none; - padding: 0; - display: inline; - color: #2f6fab; - margin-left: 1em; - line-height: 1.2em; - background: none; -} -#p-personal li.active { - font-weight: bold; -} -#p-personal li a { - text-decoration: 
none; - color: #005896; - padding-bottom: 0.2em; - background: none; -} -#p-personal li a:hover { - background-color: white; - padding-bottom: 0.2em; - text-decoration: none; -} - - -/* the icon in front of the user name, single quotes -in bg url to hide it from iemac */ -li#pt-userpage, -li#pt-anonuserpage, -li#pt-login { - background: url(user.gif) top left no-repeat; - padding-left: 20px; - text-transform: none; -} -#p-personal ul { - text-transform: lowercase; -} -#p-personal li.active { - font-weight: bold; -} -/* -** the page-related actions- page/talk, edit etc -*/ - -/* -** the page-related actions- page/talk, edit etc -*/ -#p-cactions { - position: absolute; - top: 10.5em; - left: 12.2em; - margin: 0; - white-space: nowrap; - width: 76%; - line-height: 1.1em; - overflow: visible; - background: none; - border-collapse: collapse; - padding-left: 1em; - list-style: none; - font-size: 95%; -} -#p-cactions .hiddenStructure { - display: none; -} -#p-cactions ul { - list-style: none; -} -#p-cactions li { - display: inline; - border: 1px solid #aaa; - border-bottom: none; - padding: 0 0 .1em 0; - margin: 0 .3em 0 0; - overflow: visible; - background: white; -} -#p-cactions li.selected { - border-color: #fabd23; - padding: 0 0 .2em 0; - font-weight: bold; -} -#p-cactions li a { - background-color: #fbfbfb; - color: #002bb8; - border: none; - padding: 0 .8em .3em; - text-decoration: none; - text-transform: lowercase; - position: relative; - z-index: 0; - margin: 0; -} -#p-cactions li.selected a { - z-index: 3; - background-color: #fff; - padding: 0 1em .2em!important; -} -#p-cactions .new a { - color: #ba0000; -} -#p-cactions li a:hover { - z-index: 3; - text-decoration: none; - background-color: #fff; -} -#p-cactions h5 { - display: none; -} -#p-cactions li.istalk { - margin-right: 0; -} -#p-cactions li.istalk a { - padding-right: .5em; -} -#p-cactions #ca-addsection a { - padding-left: .4em; - padding-right: .4em; -} -/* offsets to distinguish the tab groups */ 
-li#ca-talk { - margin-right: 1.6em; -} -li#ca-watch, li#ca-unwatch, li#ca-varlang-0, li#ca-print { - margin-left: 1.6em; -} - - -#p-cactions .pBody { - font-size: 1em; - background-color: transparent; - color: inherit; - border-collapse: inherit; - border: 0; - padding: 0; -} -#p-cactions .hiddenStructure { - display: none; -} -#p-cactions li a { - text-transform: lowercase; -} - -#p-lang { - position: relative; - z-index: 3; -} - -/* TODO: #t-iscite is only used by the Cite extension, come up with some - * system which allows extensions to add to this file on the fly - */ -#t-ispermalink, #t-iscite { - color: #999; -} -/* -** footer -*/ -#footer { - background-color: white; - border-top: 1px solid #fabd23; - border-bottom: 1px solid #fabd23; - margin: .6em 0 1em 0; - padding: .4em 0 1.2em 0; - text-align: center; - font-size: 90%; - margin-left: 20px; -} -#footer li { - display: inline; - margin: 0 1.3em; -} -#f-poweredbyico, #f-copyrightico { - margin: 0 8px; - position: relative; - top: -2px; /* Bump it up just a tad */ -} -#f-poweredbyico { - float: right; - height: 1%; -} -#f-copyrightico { - float: left; - height: 1%; -} - -/* js pref toc */ -#preftoc { - margin: 0; - padding: 0; - width: 100%; - clear: both; -} -#preftoc li { - background-color: #f0f0f0; - color: #000; -} -#preftoc li { - margin: 1px -2px 1px 2px; - float: left; - padding: 2px 0 3px 0; - border: 1px solid #fff; - border-right-color: #716f64; - border-bottom: 0; - position: relative; - white-space: nowrap; - list-style-type: none; - list-style-image: none; - z-index: 3; -} -#preftoc li.selected { - font-weight: bold; - background-color: #f9f9f9; - border: 1px solid #aaa; - border-bottom: none; - cursor: default; - top: 1px; - padding-top: 2px; - margin-right: -3px; -} -#preftoc > li.selected { - top: 2px; -} -#preftoc a, -#preftoc a:active { - display: block; - color: #000; - padding: 0 .7em; - position: relative; - text-decoration: none; -} -#preftoc li.selected a { - cursor: default; - 
text-decoration: none; -} -#prefcontrol { - padding-top: 2em; - clear: both; -} -#preferences { - margin: 0; - border: 1px solid #aaa; - clear: both; - padding: 1.5em; - background-color: #F9F9F9; -} -.prefsection { - border: none; - padding: 0; - margin: 0; -} -.prefsection fieldset { - border: 1px solid #aaa; - float: left; - margin-right: 2em; -} -.prefsection legend { - font-weight: bold; -} -.prefsection table, .prefsection legend { - background-color: #F9F9F9; -} -.mainLegend { - display: none; -} -div.prefsectiontip { - font-size: x-small; - padding: .2em 2em; - color: #666; -} -.btnSavePrefs { - font-weight: bold; - padding-left: .3em; - padding-right: .3em; -} - -.preferences-login { - clear: both; - margin-bottom: 1.5em; -} - -.prefcache { - font-size: 90%; - margin-top: 2em; -} - -div#userloginForm form, -div#userlogin form#userlogin2 { - margin: 0 3em 1em 0; - border: 1px solid #aaa; - clear: both; - padding: 1.5em 2em; - background-color: #f9f9f9; - float: left; -} -.rtl div#userloginForm form, -.rtl div#userlogin form#userlogin2 { - float: right; -} - -div#userloginForm table, -div#userlogin form#userlogin2 table { - background-color: #f9f9f9; -} - -div#userloginForm h2, -div#userlogin form#userlogin2 h2 { - padding-top: 0; -} - -div#userlogin .captcha, -div#userloginForm .captcha { - border: 1px solid #bbb; - padding: 1.5em 2em; - background-color: white; -} - -#loginend, #signupend { - clear: both; -} - -#userloginprompt, #languagelinks { - font-size: 85%; -} - -#login-sectiontip { - font-size: 85%; - line-height: 1.2; - padding-top: 2em; -} - -#userlogin .loginText, #userlogin .loginPassword { - width: 12em; -} - -#userloginlink a, #wpLoginattempt, #wpCreateaccount { - font-weight: bold; -} - -/* -** IE/Mac fixes, hope to find a validating way to move this -** to a separate stylesheet. 
This would work but doesn't validate: -** @import("IEMacFixes.css"); -*/ -/* tabs: border on the a, not the div */ -* > html #p-cactions li { border: none; } -* > html #p-cactions li a { - border: 1px solid #aaa; - border-bottom: none; -} -* > html #p-cactions li.selected a { border-color: #fabd23; } -/* footer icons need a fixed width */ -* > html #f-poweredbyico, -* > html #f-copyrightico { width: 88px; } -* > html #bodyContent, -* > html #bodyContent pre { - overflow-x: auto; - width: 100%; - padding-bottom: 25px; -} - -/* more IE fixes */ -/* float/negative margin brokenness */ -* html #footer {margin-top: 0;} -* html #column-content { - display: inline; - margin-bottom: 0; -} -* html div.editsection { font-size: smaller; } -#pagehistory li.selected { position: relative; } - -/* Mac IE 5.0 fix; floated content turns invisible */ -* > html #column-content { - float: none; -} -* > html #column-one { - position: absolute; - left: 0; - top: 0; -} -* > html #footer { - margin-left: 13.2em; -} -.redirectText { - font-size: 150%; - margin: 5px; -} - -.printfooter { - display: none; -} - -.not-patrolled { - background-color: #ffa; -} -div.patrollink { - clear: both; - font-size: 75%; - text-align: right; -} -span.newpage, span.minor, span.bot { - font-weight: bold; -} -span.unpatrolled { - font-weight: bold; - color: red; -} - -.sharedUploadNotice { - font-style: italic; -} - -span.updatedmarker { - color: black; - background-color: #0f0; -} - -table.gallery { - border: 1px solid #ccc; - margin: 2px; - padding: 2px; - background-color: white; -} - -table.gallery tr { - vertical-align: top; -} - -table.gallery td { - vertical-align: top; - background-color: #f9f9f9; - border: solid 2px white; -} -/* Keep this temporarily so that cached pages will display right */ -table.gallery td.galleryheader { - text-align: center; - font-weight: bold; -} -table.gallery caption { - font-weight: bold; -} - -div.gallerybox { - margin: 2px; -} - -div.gallerybox div.thumb { - text-align: 
center; - border: 1px solid #ccc; - margin: 2px; -} - -div.gallerytext { - overflow: hidden; - font-size: 94%; - padding: 2px 4px; -} - -span.comment { - font-style: italic; -} - -span.changedby { - font-size: 95%; -} - -.previewnote { - text-indent: 3em; - color: #c00; - border-bottom: 1px solid #aaa; - padding-bottom: 1em; - margin-bottom: 1em; -} - -.previewnote p { - margin: 0; - padding: 0; -} - -.editExternally { - border: 1px solid gray; - background-color: #ffffff; - padding: 3px; - margin-top: 0.5em; - float: left; - font-size: small; - text-align: center; -} -.editExternallyHelp { - font-style: italic; - color: gray; -} - -.toggle { - margin-left: 2em; - text-indent: -2em; -} - -/* Classes for EXIF data display */ -table.mw_metadata { - font-size: 0.8em; - margin-left: 0.5em; - margin-bottom: 0.5em; - width: 300px; -} - -table.mw_metadata caption { - font-weight: bold; -} - -table.mw_metadata th { - font-weight: normal; -} - -table.mw_metadata td { - padding: 0.1em; -} - -table.mw_metadata { - border: none; - border-collapse: collapse; -} - -table.mw_metadata td, table.mw_metadata th { - text-align: center; - border: 1px solid #aaaaaa; - padding-left: 0.1em; - padding-right: 0.1em; -} - -table.mw_metadata th { - background-color: #f9f9f9; -} - -table.mw_metadata td { - background-color: #fcfcfc; -} - -table.collapsed tr.collapsable { - display: none; -} - - -/* filetoc */ -ul#filetoc { - text-align: center; - border: 1px solid #aaaaaa; - background-color: #f9f9f9; - padding: 5px; - font-size: 95%; - margin-bottom: 0.5em; - margin-left: 0; - margin-right: 0; -} - -#filetoc li { - display: inline; - list-style-type: none; - padding-right: 2em; -} - -input#wpSummary { - width: 80%; -} - -/* @bug 1714 */ -input#wpSave, input#wpDiff { - margin-right: 0.33em; -} - -#wpSave { - font-weight: bold; -} - -/* Classes for article validation */ - -table.revisionform_default { - border: 1px solid #000000; -} - -table.revisionform_focus { - border: 1px solid #000000; - 
background-color:#00BBFF; -} - -tr.revision_tr_default { - background-color:#EEEEEE; -} - -tr.revision_tr_first { - background-color:#DDDDDD; -} - -p.revision_saved { - color: green; - font-weight:bold; -} - -#mw_trackbacks { - border: solid 1px #bbbbff; - background-color: #eeeeff; - padding: 0.2em; -} - - -/* Allmessages table */ - -#allmessagestable th { - background-color: #b2b2ff; -} - -#allmessagestable tr.orig { - background-color: #ffe2e2; -} - -#allmessagestable tr.new { - background-color: #e2ffe2; -} - -#allmessagestable tr.def { - background-color: #f0f0ff; -} - - -/* noarticletext */ -div.noarticletext { - border: 1px solid #ccc; - background: #fff; - padding: .2em 1em; - color: #000; -} - -div#searchTargetContainer { - left: 10px; - top: 10px; - width: 90%; - background: white; -} - -div#searchTarget { - padding: 3px; - margin: 5px; - background: #F0F0F0; - border: solid 1px blue; -} - -div#searchTarget ul li { - list-style: none; -} - -div#searchTarget ul li:before { - color: orange; - content: "\00BB \0020"; -} - -div#searchTargetHide { - float:right; - border:solid 1px black; - background:#DCDCDC; - padding:2px; -} - -#powersearch p { - margin-top:0px; -} - -div.multipageimagenavbox { - border: solid 1px silver; - padding: 4px; - margin: 1em; - background: #f0f0f0; -} - -div.multipageimagenavbox div.thumb { - border: none; - margin-left: 2em; - margin-right: 2em; -} - -div.multipageimagenavbox hr { - margin: 6px; -} - -table.multipageimage td { - text-align: center; -} - -/** Special:Version */ - -table#sv-ext, table#sv-hooks, table#sv-software { - margin: 1em; - padding:0em; -} - -#sv-ext td, #sv-hooks td, #sv-software td, -#sv-ext th, #sv-hooks th, #sv-software th { - border: 1px solid #A0A0A0; - padding: 0 0.15em 0 0.15em; -} -#sv-ext th, #sv-hooks th, #sv-software th { - background-color: #F0F0F0; - color: black; - padding: 0 0.15em 0 0.15em; -} -tr.sv-space{ - height: 0.8em; - border:none; -} -tr.sv-space td { display: none; } - -/* - Table 
pager (e.g. Special:Imagelist) - - remove underlines from the navigation link - - collapse borders - - set the borders to outsets (similar to Special:Allmessages) - - remove line wrapping for all td and th, set background color - - restore line wrapping for the last two table cells (description and size) -*/ -.TablePager { min-width: 80%; } -.TablePager_nav a { text-decoration: none; } -.TablePager { border-collapse: collapse; } -.TablePager, .TablePager td, .TablePager th { - border: 1px solid #aaaaaa; - padding: 0 0.15em 0 0.15em; -} -.TablePager th { background-color: #eeeeff } -.TablePager td { background-color: #ffffff } -.TablePager tr:hover td { background-color: #eeeeff } - -.imagelist td, .imagelist th { white-space: nowrap } -.imagelist .TablePager_col_links { background-color: #eeeeff } -.imagelist .TablePager_col_img_description { white-space: normal } -.imagelist th.TablePager_sort { background-color: #ccccff } - -.templatesUsed { margin-top: 1.5em; } - -.mw-summary-preview { - margin: 0.1em 0; -} - -/* Friendlier slave lag warnings */ -div.mw-lag-warn-normal, -div.mw-lag-warn-high { - padding: 3px; - text-align: center; - margin: 3px auto; -} -div.mw-lag-warn-normal { - border: 1px solid #FFCC66; - background-color: #FFFFCC; -} -div.mw-lag-warn-high { - font-weight: bold; - border: 2px solid #FF0033; - background-color: #FFCCCC; -} - -.MediaTransformError { - background-color: #ccc; - padding: 0.1em; -} -.MediaTransformError td { - text-align: center; - vertical-align: middle; - font-size: 90%; -} - -/** Special:Search stuff */ -div#mw-search-interwiki-caption { - text-align: center; - font-weight: bold; - font-size: 95%; -} - -.mw-search-interwiki-project { - font-size: 97%; - text-align: left; - padding-left: 0.2em; - padding-right: 0.15em; - padding-bottom: 0.2em; - padding-top: 0.15em; - background: #cae8ff; -} - -/* God-damned hack for the crappy layout */ -.os-suggest { - font-size: 127%; -} - - -.top { vertical-align: middle; text-align: 
center; padding: 0px; font-family: Verdana, helvitica, sans-serif; font-size: 12px; } - -.sidebar { - position: absolute; - padding-left: 3px; - top: 11.5em; -} - -.inspbox { - margin-left: 5px; - margin-top: 5px; - margin-bottom: 5px; - width: 145px; -} - -#footer { text-align: center; border: none; padding: 0; } -#p-cactions li.selected { border-color: #708090; padding: 0 0 .2em 0; font-weight: bold; } -pre -{ - generic-family: "Envy Code R", "Liberation Mono", Consolas, "Lucida Console", monospace; - - /* border: 1px solid #dbdbdb; */ - - border: 1px solid #cfcfcf; - background-color: #fefefe; - line-height: 1.1em; - padding: 0.55em; - -} diff --git a/web/webfiles/css/shared.css b/web/webfiles/css/shared.css deleted file mode 100644 index 7404a15..0000000 --- a/web/webfiles/css/shared.css +++ /dev/null @@ -1,320 +0,0 @@ -/** - * CSS in this file is used by *all* skins (that have any CSS at all). Be - * careful what you put in here, since what looks good in one skin may not in - * another, but don't ignore the poor non-Monobook users either. - */ -.mw-plusminus-null { color: #aaa; } - -.texvc { direction: ltr; unicode-bidi: embed; } -img.tex { vertical-align: middle; } -span.texhtml { font-family: serif; } - -/* add a bit of margin space between the preview and the toolbar */ -/* this replaces the ugly


we used to insert into the page source */ -#wikiPreview.ontop { margin-bottom: 1em; } - -/* Stop floats from intruding into edit area in previews */ -#toolbar, #wpTextbox1 { clear: both; } - -div#mw-js-message { - margin: 1em 5%; - padding: 0.5em 2.5%; - border: solid 1px #ddd; - background-color: #fcfcfc; -} - -/* Edit section links */ -.editsection { - float: right; - margin-left: 5px; -} - -/** - * File histories - */ -table.filehistory { - border:1px solid #ccc; - border-collapse:collapse; -} - -table.filehistory th, -table.filehistory td { - padding: 0 0.2em 0 0.2em; - vertical-align:top; - border:1px solid #ccc; -} -table.filehistory th { - text-align: left; -} -table.filehistory td.mw-imagepage-filesize, -table.filehistory th.mw-imagepage-filesize { - white-space:nowrap; -} - -table.filehistory td.filehistory-selected { - font-weight: bold; -} - -/* - * rev_deleted stuff - */ -li span.deleted, span.history-deleted { - text-decoration: line-through; - color: #888; - font-style: italic; -} - -/** - * Forms - */ -body.ltr td.mw-label { text-align: right; } -body.ltr td.mw-input { text-align: left; } -body.ltr td.mw-submit { text-align: left; } -body.rtl td.mw-label { text-align: left; } -body.rtl td.mw-input { text-align: right; } -body.rtl td.mw-submit { text-align: right; } - -td.mw-label { vertical-align: top; } -td.mw-submit { white-space: nowrap; } - -/** - * Image captions - */ -body.rtl .thumbcaption { text-align:right; } -body.rtl .magnify { float:left; } - -body.ltr .thumbcaption { text-align:left; } -body.ltr .magnify { float:right; } - -/** - * Hidden categories - */ -.mw-hidden-cats-hidden { display: none; } -.catlinks-allhidden { display: none; } - -/* Convenience links to edit block, delete and protect reasons */ -p.mw-ipb-conveniencelinks, p.mw-protect-editreasons, -p.mw-filedelete-editreasons, p.mw-delete-editreasons { - font-size: 90%; - float: right; -} - -/* Search results */ -div.searchresult { - font-size: 95%; - width:38em; -} 
-.mw-search-results li { - padding-bottom: 1em; - list-style:none; -} -.mw-search-result-data { - color: green; - font-size: 97%; -} - -td#mw-search-menu { - padding-left:6em; - font-size:85%; -} - -div#mw-search-interwiki { - float: right; - width: 18em; - border-style: solid; - border-color: #AAAAAA; - border-width: 1px; - margin-top: 2ex; -} - -div#mw-search-interwiki li { - font-size: 95%; -} - -.mw-search-interwiki-more { - float: right; - font-size: 90%; -} - -span.searchalttitle { - font-size: 95%; -} - -div.searchdidyoumean { - font-size: 127%; - margin-bottom: 1ex; - margin-top: 1ex; - /* Note that this color won't affect the link, as desired. */ - color: #c00; -} - -div.searchdidyoumean em { - font-weight: bold; -} - -.searchmatch { - font-weight: bold; -} - -div.searchresults { - border:1px solid darkblue; - padding-top: 10px; - padding-bottom: 10px; - padding-left: 20px; - padding-right: 20px; -} - -/* - * UserRights stuff - */ -.mw-userrights-disabled { - color: #888; -} - -table.mw-userrights-groups * td,table.mw-userrights-groups * th { - padding-right: 1.5em; -} - -/* - * OpenSearch ajax suggestions - */ -.os-suggest { - overflow: auto; - overflow-x: hidden; - position: absolute; - top: 0px; - left: 0px; - width: 0px; - background-color: white; - background-color: Window; - border-style: solid; - border-color: #AAAAAA; - border-width: 1px; - z-index:99; - visibility:hidden; - font-size:95%; -} - -table.os-suggest-results { - font-size: 95%; - cursor: pointer; - border: 0; - border-collapse: collapse; - width: 100%; -} - -td.os-suggest-result, td.os-suggest-result-hl { - white-space: nowrap; - background-color: white; - background-color: Window; - color: black; - color: WindowText; - padding: 2px; -} -td.os-suggest-result-hl, -td.os-suggest-result-hl-webkit { - background-color: #4C59A6; - color: white; -} -td.os-suggest-result-hl { - /* System colors are misimplemented in Safari 3.0 and earlier, - making highlighted text illegible... 
*/ - background-color: Highlight; - color: HighlightText; -} - -.os-suggest-toggle { - position: relative; - left: 1ex; - font-size: 65%; -} -.os-suggest-toggle-def { - position: absolute; - top: 0px; - left: 0px; - font-size: 65%; - visibility: hidden; -} - -/* Page history styling */ -/* the auto-generated edit comments */ -.autocomment { color: gray; } -#pagehistory .history-user { - margin-left: 0.4em; - margin-right: 0.2em; -} -#pagehistory span.minor { font-weight: bold; } -#pagehistory li { border: 1px solid white; } -#pagehistory li.selected { - background-color: #f9f9f9; - border: 1px dashed #aaa; -} - -/* - * Special:ListGroupRights styling - * Special:Statistics styling -*/ - -table.mw-listgrouprights-table, -table.mw-statistics-table { - border: 1px solid #ccc; - border-collapse: collapse; -} - -table.mw-listgrouprights-table tr { - vertical-align: top; -} - -table.mw-listgrouprights-table td, table.mw-listgrouprights-table th, -table.mw-statistics-table td, table.mw-statistics-table th { - padding: 0.5em 0.2em 0.5em 0.2em; - border: 1px solid #ccc; -} - -td.mw-statistics-numbers { - text-align: right; -} - -/* Special:SpecialPages styling */ -h4.mw-specialpagesgroup { - background-color: #dcdcdc; - padding: 2px; - margin: .3em 0em 0em 0em; -} -.mw-specialpagerestricted { - font-weight: bold; -} - -#shared-image-dup, #shared-image-conflict { - font-style: italic; -} - -/* Special:EmailUser styling */ -table.mw-emailuser-table { - width: 98%; -} -td#mw-emailuser-sender, td#mw-emailuser-recipient { - font-weight: bold; -} - -/* - * Recreating deleted page warning - * Reupload file warning - * Page protection warning - * incl. 
log entries for these warnings - */ -div.mw-warning-with-logexcerpt { - padding: 3px; - margin-bottom: 3px; - border: 2px solid #2F6FAB; -} -div.mw-warning-with-logexcerpt ul li { - font-size: 90%; -} - -/* (show/hide) revision deletion links */ -span.mw-revdelundel-link, -strong.mw-revdelundel-link { - font-family: monospace; - font-size: smaller -} \ No newline at end of file diff --git a/web/webfiles/img/Cross.png b/web/webfiles/img/Cross.png deleted file mode 100644 index e006129..0000000 Binary files a/web/webfiles/img/Cross.png and /dev/null differ diff --git a/web/webfiles/img/Tick.png b/web/webfiles/img/Tick.png deleted file mode 100644 index d5f75ba..0000000 Binary files a/web/webfiles/img/Tick.png and /dev/null differ diff --git a/web/webfiles/img/Unknown.png b/web/webfiles/img/Unknown.png deleted file mode 100644 index c67c7a6..0000000 Binary files a/web/webfiles/img/Unknown.png and /dev/null differ diff --git a/web/webfiles/img/gnu-fdl.png b/web/webfiles/img/gnu-fdl.png deleted file mode 100644 index 1371aba..0000000 Binary files a/web/webfiles/img/gnu-fdl.png and /dev/null differ diff --git a/web/webfiles/img/hydra_pass.jpg b/web/webfiles/img/hydra_pass.jpg deleted file mode 100644 index 35b15b0..0000000 Binary files a/web/webfiles/img/hydra_pass.jpg and /dev/null differ diff --git a/web/webfiles/img/hydra_start.jpg b/web/webfiles/img/hydra_start.jpg deleted file mode 100644 index 841d780..0000000 Binary files a/web/webfiles/img/hydra_start.jpg and /dev/null differ diff --git a/web/webfiles/img/hydra_target.jpg b/web/webfiles/img/hydra_target.jpg deleted file mode 100644 index 9670bff..0000000 Binary files a/web/webfiles/img/hydra_target.jpg and /dev/null differ diff --git a/web/webfiles/img/xhydra.png b/web/webfiles/img/xhydra.png deleted file mode 100644 index 39f2704..0000000 Binary files a/web/webfiles/img/xhydra.png and /dev/null differ 
diff --git a/web/xhydra.png b/web/xhydra.png
deleted file mode 100644
index 39f2704..0000000
Binary files a/web/xhydra.png and /dev/null differ
diff --git a/xhydra.jpg b/xhydra.jpg
index 008d256..b0ed22e 100644
Binary files a/xhydra.jpg and b/xhydra.jpg differ