diff --git a/hydra.c b/hydra.c
index 00a32aa..56ded02 100644
--- a/hydra.c
+++ b/hydra.c
@@ -15,6 +15,37 @@
 #include
 #endif
+void usage_oracle(const char* service);
+void usage_oracle_listener(const char* service);
+void usage_cvs(const char* service);
+void usage_xmpp(const char* service);
+void usage_pop3(const char* service);
+void usage_rdp(const char* service);
+void usage_s7_300(const char* service);
+void usage_nntp(const char* service);
+void usage_imap(const char* service);
+void usage_smtp_enum(const char* service);
+void usage_smtp(const char* service);
+void usage_svn(const char* service);
+void usage_ncp(const char* service);
+void usage_firebird(const char* service);
+void usage_mysql(const char* service);
+void usage_irc(const char* service);
+void usage_postgres(const char* service);
+void usage_telnet(const char* service);
+void usage_sapr3(const char* service);
+void usage_sshkey(const char* service);
+void usage_cisco_enable(const char* service);
+void usage_cisco(const char* service);
+void usage_ldap(const char* service);
+void usage_smb(const char* service);
+void usage_http_form(const char* service);
+void usage_http_proxy(const char* service);
+void usage_http_proxy_urlenum(const char* service);
+void usage_snmp(const char* service);
+void usage_http(const char* service);
+
+
 extern void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_telnet(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
 extern void service_ftp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
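Review bot: The 29 `usage_*` prototypes added here have external linkage, although their definitions are added to hydra.c in the third hunk and the only visible references are the `services[]` initialisers in the same file. Unless another translation unit calls them, declare and define them `static`, e.g. `static void usage_oracle(const char* service);`, so they stay out of the global namespace next to the `service_*` externs. A one-line comment above the block such as `/* per-module help printers, referenced from services[] */` would also tell the reader why they are forward-declared.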
@@ -347,6 +378,106 @@ int snpdone, snp_is_redo, snpbuflen, snpi, snpj, snpdont;
 #include "performance.h"
+typedef void (*service_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
+typedef int (*service_init_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
+typedef void (*service_usage_t)(const char* service);
+
+#define SERVICE2(name, func) { name, service_##func##_init, service_##func, NULL }
+#define SERVICE(name) { #name, service_##name##_init, service_##name, NULL }
+#define SERVICE3(name, func) { name, service_##func##_init, service_##func, usage_##func }
+
+static const struct {
+ const char* name;
+ service_init_t init;
+ service_t exec;
+ service_usage_t usage;
+} services[] = {
+ SERVICE(adam6500),
+#ifdef LIBAFP
+ SERVICE(afp),
+#endif
+ SERVICE(asterisk),
+ SERVICE3("cisco", cisco),
+ SERVICE3("cisco-enable", cisco_enable),
+ SERVICE3("cvs", cvs),
+#ifdef LIBFIREBIRD
+ SERVICE3("firebird", firebird),
+#endif
+ SERVICE(ftp),
+ { "ftps", service_ftp_init, service_ftps },
+ { "http-get", service_http_init, service_http_get, usage_http },
+ { "http-get-form", service_http_form_init, service_http_get_form, usage_http_form },
+ { "http-head", service_http_init, service_http_head, NULL },
+ { "http-form", service_http_form_init, NULL, usage_http_form },
+ { "http-post", NULL, service_http_post, usage_http },
+ { "http-post-form", service_http_form_init, service_http_post_form, usage_http_form },
+ SERVICE3("http-proxy", http_proxy),
+ SERVICE3("http-proxy-urlenum", http_proxy_urlenum),
+ SERVICE(icq),
+ SERVICE3("imap", imap),
+ SERVICE3("irc", irc),
+ { "ldap2", service_ldap_init, service_ldap2, usage_ldap },
+ { "ldap3", service_ldap_init, service_ldap3, usage_ldap },
+ { "ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5, usage_ldap },
+ { "ldap3-digestmd5", service_ldap_init, service_ldap3_digest_md5, usage_ldap },
+ SERVICE(mssql),
+#ifdef HAVE_MATH_H
+ SERVICE3("mysql", mysql),
+#endif
+#ifdef LIBNCP
+ SERVICE3("ncp", ncp),
+#endif
+ SERVICE3("nntp", nntp),
+#ifdef LIBORACLE
+ SERVICE3("oracle", oracle),
+#endif
+#ifdef LIBOPENSSL
+ SERVICE3("oracle-listener", oracle_listener),
+ SERVICE2("oracle-sid", oracle_sid),
+#endif
+ SERVICE(pcanywhere),
+ SERVICE(pcnfs),
+ SERVICE3("pop3", pop3),
+#ifdef LIBPOSTGRES
+ SERVICE3("postgres", postgres),
+#endif
+ SERVICE(redis),
+ SERVICE(rexec),
+#ifdef LIBOPENSSL
+ SERVICE3("rdp", rdp),
+#endif
+ SERVICE(rlogin),
+ SERVICE(rsh),
+ SERVICE(rtsp),
+ SERVICE(rpcap),
+ SERVICE3("s7-300", s7_300),
+#ifdef LIBSAPR3
+ SERVICE3("sarp3", sapr3),
+#endif
+#ifdef LIBOPENSSL
+ SERVICE(sip),
+ SERVICE3("smbnt", smb),
+ SERVICE3("smb", smb),
+#endif
+ SERVICE3("smtp", smtp),
+ SERVICE3("smtp-enum", smtp_enum),
+ SERVICE3("snmp", snmp),
+ SERVICE(socks5),
+#ifdef LIBSSH
+ { "ssh", NULL, service_ssh },
+ SERVICE3("sshkey", sshkey),
+#endif
+#ifdef LIBSVN
+ SERVICE3("svn", svn),
+#endif
+ SERVICE(teamspeak),
+ SERVICE3("telnet", telnet),
+ SERVICE(vmauthd),
+ SERVICE(vnc),
+ { "xmpp", service_xmpp_init, NULL, usage_xmpp }
+};
+
+
 #define PRINT_NORMAL(ext, text, ...) printf(text, ##__VA_ARGS__)
 #define PRINT_EXTEND(ext, text, ...) do { \
 if (ext) \
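Review bot: The LIBSAPR3 entry is registered under the misspelt name `"sarp3"`, where the table removed in the last hunk used `SERVICE(sapr3)`, i.e. `"sapr3"`. Every lookup that compares against `services[].name`, including the new `module_usage()` loop, will therefore stop matching `sapr3`; the line should read `SERVICE3("sapr3", sapr3),`. The `ftps` and `ssh` rows keep three initialisers and rely on the implicit zero for `usage`; writing the trailing `NULL` as the `http-head` row does would keep the table uniform.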
@@ -447,236 +578,231 @@ void help_bfg() { exit(-1); } -void module_usage() { - int find = 0; +void usage_oracle(const char* service) { + printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n"); +} - if (hydra_options.service) { - printf("\nHelp for module %s:\n============================================================================\n", hydra_options.service); - if ((strcmp(hydra_options.service, "oracle") == 0) || (strcmp(hydra_options.service, "ora") == 0)) { - printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n"); - find = 1; - } - if ((strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "tns") == 0)) { - printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n"); - find = 1; - } - if (strcmp(hydra_options.service, "cvs") == 0) { - printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n"); - find = 1; - } - if (strcmp(hydra_options.service, "xmpp") == 0) { - printf("Module xmpp is optionally taking one authentication type of:\n" - " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n" - "Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "pop3") == 0)) { - printf("Module pop3 is optionally taking one authentication type of:\n" - " CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" - " CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "rdp") == 0)) { - printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n"); - find = 1; - } - if (!find && 
(strcmp(hydra_options.service, "s7-300") == 0)) { - printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "nntp") == 0)) { - printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "imap") == 0)) { - printf("Module imap is optionally taking one authentication type of:\n" - " CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" - " CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "smtp-enum")) == 0) { - printf("Module smtp-enum is optionally taking one SMTP command of:\n\n" - "VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n" - "login parameter is used as username and password parameter as the domain name\n" - "For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "smtp")) == 0) { - printf("Module smtp is optionally taking one authentication type of:\n" - " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n" - "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "svn") == 0)) { - printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "ncp") == 0)) { - printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, 
"firebird") == 0)) { - printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "mysql") == 0)) { - printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "irc") == 0)) { - printf("Module irc is optionally taking the general server password, if the server is requiring one\n" "and none is passed the password from -p/-P will be used\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "postgres") == 0)) { - printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "telnet") == 0)) { - printf("Module telnet is optionally taking the string which is displayed after\n" - "a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "sapr3") == 0)) { - printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "sshkey") == 0)) { - printf("Module sshkey does not provide additional options, although the semantic for\n" - "options -p and -P is changed:\n" - " -p expects a path to an unencrypted private key in PEM format.\n" - " -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "cisco-enable") == 0)) { - printf("Module cisco-enable is optionally taking the logon password for the cisco device\n" - "Note: if AAA authentication is used, use the -l option for the username\n" - "and the optional parameter for the password of the user.\n" - "Examples:\n" - " hydra -P pass.txt target 
cisco-enable (direct console access)\n" - " hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n" - " hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "cisco") == 0)) { - printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n"); - find = 1; - } - if (!find && ((strcmp(hydra_options.service, "ldap2") == 0) - || (strcmp(hydra_options.service, "ldap3") == 0) - || (strcmp(hydra_options.service, "ldap3-crammd5") == 0) - || (strcmp(hydra_options.service, "ldap3-digestmd5") == 0)) - ) { - printf("Module %s is optionally taking the DN (depending of the auth method choosed\n" - "Note: you can also specify the DN as login when Simple auth method is used).\n" - "The keyword \"^USER^\" is replaced with the login.\n" - "Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n" - "unauthenticated (user but no pass), user/pass authenticated (user and pass).\n" - "So don't forget to set empty string as user/pass to test all modes.\n" - "Hint: to authenticate to a windows active directy ldap, this is usually\n" - " cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", hydra_options.service); - find = 1; - } - if (!find && ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0))) { - printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n" - "Note: you can set the group type using LOCAL or DOMAIN keyword\n" - " or other_domain:{value} to specify a trusted domain.\n" - " you can set the password type using HASH or MACHINE keyword\n" - " (to use the Machine's NetBIOS name as the password).\n" - " you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n" - "Example: \n" - " hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n" 
- " hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n" - " hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n"); - find = 1; - } - if (!find && ((strcmp(hydra_options.service, "http-get-form") == 0) - || (strcmp(hydra_options.service, "https-get-form") == 0) - || (strcmp(hydra_options.service, "http-post-form") == 0) - || (strcmp(hydra_options.service, "https-post-form") == 0) - || (strncmp(hydra_options.service, "http-form", 9) == 0) - || (strncmp(hydra_options.service, "https-form", 10) == 0) - ) - ) { - printf("Module %s requires the page and the parameters for the web form.\n\n" - "By default this module is configured to follow a maximum of 5 redirections in\n" - "a row. It always gathers a new cookie from the same URL without variables\n" - "The parameters take three \":\" separated values, plus optional values.\n" - "(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" - "\nSyntax: :
:[:[:]\n" - "First is the page on the server to GET or POST to (URL).\n" - "Second is the POST/GET variables (taken from either the browser, proxy, etc.\n" - " with usernames and passwords being replaced in the \"^USER^\" and \"^PASS^\"\n" - " placeholders (FORM PARAMETERS)\n" - "Third is the string that it checks for an *invalid* login (by default)\n" - " Invalid condition login check can be preceded by \"F=\", successful condition\n" - " login check must be preceded by \"S=\".\n" - " This is where most people get it wrong. You have to check the webapp what a\n" - " failed string looks like and put it in this parameter!\n" - "The following parameters are optional:\n" - " C=/page/uri to define a different page to gather initial cookies from\n" - " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" - " ^USER^ and ^PASS^ can also be put into these headers!\n" - " Note: 'h' will add the user-defined header at the end\n" - " regardless it's already being sent by Hydra or not.\n" - " 'H' will replace the value of that header if it exists, by the\n" - " one supplied by the user, or add the header at the end\n" - "Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n" - " All colons that are not option separators should be escaped (see the examples above and below).\n" - " You can specify a header without escaping the colons, but that way you will not be able to put colons\n" - " in the header value itself, as they will be interpreted by hydra as option separators.\n" - "\nExamples:\n" - " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" - " \"/login.php:user=^USER^&pass=^PASS^&colon=colon\\:escape:S=authlog=.*success\"\n" - " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" - " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n" - " 
\"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n", - hydra_options.service); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "http-proxy") == 0)) { - printf("Module http-proxy is optionally taking the page to authenticate at.\n" - "Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n"); - find = 1; - } - if (!find && (strcmp(hydra_options.service, "http-proxy-urlenum") == 0)) { - printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n" - "The -L loginfile must contain the URL list to try through the proxy.\n" - "The proxy credentials cann be put as the optional parameter, e.g.\n" - " hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n"); - find = 1; - } - if (!find && (strncmp(hydra_options.service, "snmp", 4) == 0)) { - printf("Module snmp is optionally taking the following parameters:\n"); - printf(" READ perform read requests (default)\n"); - printf(" WRITE perform write requests\n"); - printf(" 1 use SNMP version 1 (default)\n"); - printf(" 2 use SNMP version 2\n"); - printf(" 3 use SNMP version 3\n"); - printf(" Note that SNMP version 3 usually uses both login and passwords!\n"); - printf(" SNMP version 3 has the following optional sub parameters:\n"); - printf(" MD5 use MD5 authentication (default)\n"); - printf(" SHA use SHA authentication\n"); - printf(" DES use DES encryption\n"); - printf(" AES use AES encryption\n"); - printf(" if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n"); - printf(" only requires a password (or username) not both.\n"); - printf("To combine the options, use colons (\":\"), e.g.:\n"); - printf(" hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n"); - printf(" hydra -P pass.txt -m 2 
target.com snmp\n"); - find = 1; - } - if (!find && ((strcmp(hydra_options.service, "http-get") == 0) - || (strcmp(hydra_options.service, "https-get") == 0) - || (strcmp(hydra_options.service, "http-post") == 0) - || (strcmp(hydra_options.service, "https-post") == 0)) - ) { - printf("Module %s requires the page to authenticate.\n" - "For example: \"/secret\" or \"http://bla.com/foo/bar\" or \"https://test.com:8080/members\"\n\n", hydra_options.service); - find = 1; - } - } - if (!find) // this is also printed if the module does not exist at all +void usage_oracle_listener(const char* service) { + printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n"); +} + +void usage_cvs(const char* service) { + printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n"); +} + +void usage_xmpp(const char* service) { + printf("Module xmpp is optionally taking one authentication type of:\n" + " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n" + "Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n"); +} + +void usage_pop3(const char* service) { + printf("Module pop3 is optionally taking one authentication type of:\n" + " CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" + " CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n"); +} + +void usage_rdp(const char* service) { + printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n"); +} + +void usage_s7_300(const char* service) { + printf("Module S7-300 is for a special Siemens PLC. 
It either requires only a password or no authentication, so just use the -p or -P option.\n\n"); +} + +void usage_nntp(const char* service) { + printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"); +} + +void usage_imap(const char* service) { + printf("Module imap is optionally taking one authentication type of:\n" + " CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" + " CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n"); +} + +void usage_smtp_enum(const char* service) { + printf("Module smtp-enum is optionally taking one SMTP command of:\n\n" + "VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n" + "login parameter is used as username and password parameter as the domain name\n" + "For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n"); +} + +void usage_smtp(const char* service) { + printf("Module smtp is optionally taking one authentication type of:\n" + " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n" + "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n"); +} + +void usage_svn(const char* service) { + printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n"); +} + +void usage_ncp(const char* service) { + printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n"); +} + +void usage_firebird(const char* service) { + printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n"); +} + +void usage_mysql(const char* service) { + printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n"); +} + +void 
usage_irc(const char* service) { + printf("Module irc is optionally taking the general server password, if the server is requiring one\n" "and none is passed the password from -p/-P will be used\n\n"); +} + +void usage_postgres(const char* service) { + printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n"); +} + +void usage_telnet(const char* service) { + printf("Module telnet is optionally taking the string which is displayed after\n" + "a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n"); +} + +void usage_sapr3(const char* service) { + printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); +} + +void usage_sshkey(const char* service) { + printf("Module sshkey does not provide additional options, although the semantic for\n" + "options -p and -P is changed:\n" + " -p expects a path to an unencrypted private key in PEM format.\n" + " -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n"); +} + +void usage_cisco_enable(const char* service) { + printf("Module cisco-enable is optionally taking the logon password for the cisco device\n" + "Note: if AAA authentication is used, use the -l option for the username\n" + "and the optional parameter for the password of the user.\n" + "Examples:\n" + " hydra -P pass.txt target cisco-enable (direct console access)\n" + " hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n" + " hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n"); +} + +void usage_cisco(const char* service) { + printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n"); +} + +void usage_ldap(const char* service) { + printf("Module %s is optionally taking the DN (depending of the auth method choosed\n" + "Note: you can also specify the DN as login when 
Simple auth method is used).\n" + "The keyword \"^USER^\" is replaced with the login.\n" + "Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n" + "unauthenticated (user but no pass), user/pass authenticated (user and pass).\n" + "So don't forget to set empty string as user/pass to test all modes.\n" + "Hint: to authenticate to a windows active directy ldap, this is usually\n" + " cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", service); +} + +void usage_smb(const char* service) { + printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n" + "Note: you can set the group type using LOCAL or DOMAIN keyword\n" + " or other_domain:{value} to specify a trusted domain.\n" + " you can set the password type using HASH or MACHINE keyword\n" + " (to use the Machine's NetBIOS name as the password).\n" + " you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n" + "Example: \n" + " hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n" + " hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n" + " hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n"); +} + +void usage_http_form(const char* service) { + printf("Module %s requires the page and the parameters for the web form.\n\n" + "By default this module is configured to follow a maximum of 5 redirections in\n" + "a row. 
It always gathers a new cookie from the same URL without variables\n" + "The parameters take three \":\" separated values, plus optional values.\n" + "(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" + "\nSyntax: ::[:[:]\n" + "First is the page on the server to GET or POST to (URL).\n" + "Second is the POST/GET variables (taken from either the browser, proxy, etc.\n" + " with usernames and passwords being replaced in the \"^USER^\" and \"^PASS^\"\n" + " placeholders (FORM PARAMETERS)\n" + "Third is the string that it checks for an *invalid* login (by default)\n" + " Invalid condition login check can be preceded by \"F=\", successful condition\n" + " login check must be preceded by \"S=\".\n" + " This is where most people get it wrong. You have to check the webapp what a\n" + " failed string looks like and put it in this parameter!\n" + "The following parameters are optional:\n" + " C=/page/uri to define a different page to gather initial cookies from\n" + " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" + " ^USER^ and ^PASS^ can also be put into these headers!\n" + " Note: 'h' will add the user-defined header at the end\n" + " regardless it's already being sent by Hydra or not.\n" + " 'H' will replace the value of that header if it exists, by the\n" + " one supplied by the user, or add the header at the end\n" + "Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n" + " All colons that are not option separators should be escaped (see the examples above and below).\n" + " You can specify a header without escaping the colons, but that way you will not be able to put colons\n" + " in the header value itself, as they will be interpreted by hydra as option separators.\n" + "\nExamples:\n" + " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" + " 
\"/login.php:user=^USER^&pass=^PASS^&colon=colon\\:escape:S=authlog=.*success\"\n" + " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" + " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n" + " \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n", + service); +} + +void usage_http_proxy(const char* service) { + printf("Module http-proxy is optionally taking the page to authenticate at.\n" + "Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n"); +} + +void usage_http_proxy_urlenum(const char* service) { + printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n" + "The -L loginfile must contain the URL list to try through the proxy.\n" + "The proxy credentials cann be put as the optional parameter, e.g.\n" + " hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n"); +} + +void usage_snmp(const char* service) { + printf("Module snmp is optionally taking the following parameters:\n" + " READ perform read requests (default)\n" + " WRITE perform write requests\n" + " 1 use SNMP version 1 (default)\n" + " 2 use SNMP version 2\n" + " 3 use SNMP version 3\n" + " Note that SNMP version 3 usually uses both login and passwords!\n" + " SNMP version 3 has the following optional sub parameters:\n" + " MD5 use MD5 authentication (default)\n" + " SHA use SHA authentication\n" + " DES use DES encryption\n" + " AES use AES encryption\n" + " if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n" + " only requires a password (or username) not both.\n" + "To combine the options, use colons (\":\"), e.g.:\n" + " hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n" + " 
hydra -P pass.txt -m 2 target.com snmp\n"); +} + +void usage_http(const char* service) { + printf("Module %s requires the page to authenticate.\n" + "For example: \"/secret\" or \"http://bla.com/foo/bar\" or \"https://test.com:8080/members\"\n\n", service); +} + +void module_usage() { + int i; + if (!hydra_options.service) { printf("The Module %s does not need or support optional parameters\n", hydra_options.service); + exit(0); + } + + printf("\nHelp for module %s:\n============================================================================\n", hydra_options.service); + for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) { + if (strcmp(hydra_options.service, services[i].name) == 0) { + if (services[i].usage) { + services[i].usage(hydra_options.service); + exit(0); + } + } + } + + printf("The Module %s does not need or support optional parameters\n", hydra_options.service); exit(0); } 
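Review bot: The new early-exit branch at the top of `module_usage()` passes `hydra_options.service` to a `%s` conversion exactly when that pointer is NULL, which is undefined behaviour for printf. That branch should print a fixed message instead, e.g. `printf("No module specified\n");`. The lookup loop also matches only with a full `strcmp` against `services[].name`, so names the removed if-chain accepted (`ora`, `tns`, the `https-*` variants, and the prefix matches on `snmp` and `http-form`) now fall through to the "does not need or support optional parameters" line unless the name is normalised before this call, which the hunk does not show. Most `usage_*` bodies never read `service`, so a `(void) service;` in those would keep `-Wunused-parameter` builds quiet, and `i` should be `size_t` to match the `sizeof` bound.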
@@ -1204,102 +1330,6 @@ char *hydra_build_time() {
 return (char *) &datetime;
 }
-typedef void (*service_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
-typedef int (*service_init_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
-
-#define SERVICE2(name, func) { name, service_##func##_init, service_##func }
-#define SERVICE(name) { #name, service_##name##_init, service_##name }
-
-static const struct {
- const char* name;
- service_init_t init;
- service_t exec;
-} services[] = {
- SERVICE(adam6500),
-#ifdef LIBAFP
- SERVICE(afp),
-#endif
- SERVICE(asterisk),
- SERVICE(cisco),
- SERVICE2("cisco-enable", cisco_enable),
- SERVICE(cvs),
-#ifdef LIBFIREBIRD
- SERVICE(firebird),
-#endif
- SERVICE(ftp),
- { "ftps", service_ftp_init, service_ftps },
- { "http-get", service_http_init, service_http_get },
- { "http-get-form", service_http_form_init, service_http_get_form },
- { "http-head", service_http_init, service_http_head },
- { "http-form", service_http_form_init, NULL },
- { "http-post", NULL, service_http_post },
- { "http-post-form", service_http_form_init, service_http_post_form },
- SERVICE2("http-proxy", http_proxy),
- SERVICE2("http-proxy-urlenum", http_proxy_urlenum),
- SERVICE(icq),
- SERVICE(imap),
- SERVICE(irc),
- { "ldap2", service_ldap_init, service_ldap2 },
- { "ldap3", service_ldap_init, service_ldap3 },
- { "ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5 },
- { "ldap3-digestmd5", service_ldap_init, service_ldap3_digest_md5 },
- SERVICE(mssql),
-#ifdef HAVE_MATH_H
- SERVICE(mysql),
-#endif
-#ifdef LIBNCP
- SERVICE(ncp),
-#endif
- SERVICE(nntp),
-#ifdef LIBORACLE
- SERVICE(oracle),
-#endif
-#ifdef LIBOPENSSL
- SERVICE2("oracle-listener", oracle_listener),
- SERVICE2("oracle-sid", oracle_sid),
-#endif
- SERVICE(pcanywhere),
- SERVICE(pcnfs),
- SERVICE(pop3),
-#ifdef LIBPOSTGRES
- SERVICE(postgres),
-#endif
- SERVICE(redis),
- SERVICE(rexec),
-#ifdef LIBOPENSSL
- SERVICE(rdp),
-#endif
- SERVICE(rlogin),
- SERVICE(rsh),
- SERVICE(rtsp),
- SERVICE(rpcap),
- SERVICE2("s7-300", s7_300),
-#ifdef LIBSAPR3
- SERVICE(sapr3),
-#endif
-#ifdef LIBOPENSSL
- SERVICE(sip),
- SERVICE2("smbnt", smb),
- SERVICE(smb),
-#endif
- SERVICE(smtp),
- SERVICE2("smtp-enum", smtp_enum),
- SERVICE(snmp),
- SERVICE(socks5),
-#ifdef LIBSSH
- { "ssh", NULL, service_ssh },
- SERVICE(sshkey),
-#endif
-#ifdef LIBSVN
- SERVICE(svn),
-#endif
- SERVICE(teamspeak),
- SERVICE(telnet),
- SERVICE(vmauthd),
- SERVICE(vnc),
- { "xmpp", service_xmpp_init, NULL }
-};
-
 void hydra_service_init(int target_no) {
 int x = 99;
 int i;