Merge pull request #232 from Diadlo/usage_service

Usage service
van Hauser 2017-06-22 01:02:27 +02:00 committed by GitHub
commit 5bcc39c6a4

678
hydra.c

@ -15,6 +15,37 @@
#include <term.h> #include <term.h>
#endif #endif
void usage_oracle(const char* service);
void usage_oracle_listener(const char* service);
void usage_cvs(const char* service);
void usage_xmpp(const char* service);
void usage_pop3(const char* service);
void usage_rdp(const char* service);
void usage_s7_300(const char* service);
void usage_nntp(const char* service);
void usage_imap(const char* service);
void usage_smtp_enum(const char* service);
void usage_smtp(const char* service);
void usage_svn(const char* service);
void usage_ncp(const char* service);
void usage_firebird(const char* service);
void usage_mysql(const char* service);
void usage_irc(const char* service);
void usage_postgres(const char* service);
void usage_telnet(const char* service);
void usage_sapr3(const char* service);
void usage_sshkey(const char* service);
void usage_cisco_enable(const char* service);
void usage_cisco(const char* service);
void usage_ldap(const char* service);
void usage_smb(const char* service);
void usage_http_form(const char* service);
void usage_http_proxy(const char* service);
void usage_http_proxy_urlenum(const char* service);
void usage_snmp(const char* service);
void usage_http(const char* service);
extern void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern void service_telnet(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern void service_telnet(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
extern void service_ftp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname); extern void service_ftp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
@ -347,6 +378,106 @@ int snpdone, snp_is_redo, snpbuflen, snpi, snpj, snpdont;
#include "performance.h" #include "performance.h"
typedef void (*service_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
typedef int (*service_init_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
typedef void (*service_usage_t)(const char* service);
#define SERVICE2(name, func) { name, service_##func##_init, service_##func, NULL }
#define SERVICE(name) { #name, service_##name##_init, service_##name, NULL }
#define SERVICE3(name, func) { name, service_##func##_init, service_##func, usage_##func }
static const struct {
const char* name;
service_init_t init;
service_t exec;
service_usage_t usage;
} services[] = {
SERVICE(adam6500),
#ifdef LIBAFP
SERVICE(afp),
#endif
SERVICE(asterisk),
SERVICE3("cisco", cisco),
SERVICE3("cisco-enable", cisco_enable),
SERVICE3("cvs", cvs),
#ifdef LIBFIREBIRD
SERVICE3("firebird", firebird),
#endif
SERVICE(ftp),
{ "ftps", service_ftp_init, service_ftps },
{ "http-get", service_http_init, service_http_get, usage_http },
{ "http-get-form", service_http_form_init, service_http_get_form, usage_http_form },
{ "http-head", service_http_init, service_http_head, NULL },
{ "http-form", service_http_form_init, NULL, usage_http_form },
{ "http-post", NULL, service_http_post, usage_http },
{ "http-post-form", service_http_form_init, service_http_post_form, usage_http_form },
SERVICE3("http-proxy", http_proxy),
SERVICE3("http-proxy-urlenum", http_proxy_urlenum),
SERVICE(icq),
SERVICE3("imap", imap),
SERVICE3("irc", irc),
{ "ldap2", service_ldap_init, service_ldap2, usage_ldap },
{ "ldap3", service_ldap_init, service_ldap3, usage_ldap },
{ "ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5, usage_ldap },
{ "ldap3-digestmd5", service_ldap_init, service_ldap3_digest_md5, usage_ldap },
SERVICE(mssql),
#ifdef HAVE_MATH_H
SERVICE3("mysql", mysql),
#endif
#ifdef LIBNCP
SERVICE3("ncp", ncp),
#endif
SERVICE3("nntp", nntp),
#ifdef LIBORACLE
SERVICE3("oracle", oracle),
#endif
#ifdef LIBOPENSSL
SERVICE3("oracle-listener", oracle_listener),
SERVICE2("oracle-sid", oracle_sid),
#endif
SERVICE(pcanywhere),
SERVICE(pcnfs),
SERVICE3("pop3", pop3),
#ifdef LIBPOSTGRES
SERVICE3("postgres", postgres),
#endif
SERVICE(redis),
SERVICE(rexec),
#ifdef LIBOPENSSL
SERVICE3("rdp", rdp),
#endif
SERVICE(rlogin),
SERVICE(rsh),
SERVICE(rtsp),
SERVICE(rpcap),
SERVICE3("s7-300", s7_300),
#ifdef LIBSAPR3
SERVICE3("sarp3", sapr3),
#endif
#ifdef LIBOPENSSL
SERVICE(sip),
SERVICE3("smbnt", smb),
SERVICE3("smb", smb),
#endif
SERVICE3("smtp", smtp),
SERVICE3("smtp-enum", smtp_enum),
SERVICE3("snmp", snmp),
SERVICE(socks5),
#ifdef LIBSSH
{ "ssh", NULL, service_ssh },
SERVICE3("sshkey", sshkey),
#endif
#ifdef LIBSVN
SERVICE3("svn", svn),
#endif
SERVICE(teamspeak),
SERVICE3("telnet", telnet),
SERVICE(vmauthd),
SERVICE(vnc),
{ "xmpp", service_xmpp_init, NULL, usage_xmpp }
};
#define PRINT_NORMAL(ext, text, ...) printf(text, ##__VA_ARGS__) #define PRINT_NORMAL(ext, text, ...) printf(text, ##__VA_ARGS__)
#define PRINT_EXTEND(ext, text, ...) do { \ #define PRINT_EXTEND(ext, text, ...) do { \
if (ext) \ if (ext) \
@ -447,236 +578,231 @@ void help_bfg() {
exit(-1); exit(-1);
} }
void module_usage() { void usage_oracle(const char* service) {
int find = 0; printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n");
}
if (hydra_options.service) { void usage_oracle_listener(const char* service) {
printf("\nHelp for module %s:\n============================================================================\n", hydra_options.service); printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n");
if ((strcmp(hydra_options.service, "oracle") == 0) || (strcmp(hydra_options.service, "ora") == 0)) { }
printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n");
find = 1; void usage_cvs(const char* service) {
} printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n");
if ((strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "tns") == 0)) { }
printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n");
find = 1; void usage_xmpp(const char* service) {
} printf("Module xmpp is optionally taking one authentication type of:\n"
if (strcmp(hydra_options.service, "cvs") == 0) { " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n"
printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n"); "Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n");
find = 1; }
}
if (strcmp(hydra_options.service, "xmpp") == 0) { void usage_pop3(const char* service) {
printf("Module xmpp is optionally taking one authentication type of:\n" printf("Module pop3 is optionally taking one authentication type of:\n"
" LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n" " CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n"
"Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n"); " CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n");
find = 1; }
}
if (!find && (strcmp(hydra_options.service, "pop3") == 0)) { void usage_rdp(const char* service) {
printf("Module pop3 is optionally taking one authentication type of:\n" printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n");
" CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" }
" CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n");
find = 1; void usage_s7_300(const char* service) {
} printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n");
if (!find && (strcmp(hydra_options.service, "rdp") == 0)) { }
printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n");
find = 1; void usage_nntp(const char* service) {
} printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n");
if (!find && (strcmp(hydra_options.service, "s7-300") == 0)) { }
printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n");
find = 1; void usage_imap(const char* service) {
} printf("Module imap is optionally taking one authentication type of:\n"
if (!find && (strcmp(hydra_options.service, "nntp") == 0)) { " CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n"
printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"); " CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n");
find = 1; }
}
if (!find && (strcmp(hydra_options.service, "imap") == 0)) { void usage_smtp_enum(const char* service) {
printf("Module imap is optionally taking one authentication type of:\n" printf("Module smtp-enum is optionally taking one SMTP command of:\n\n"
" CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" "VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n"
" CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n"); "login parameter is used as username and password parameter as the domain name\n"
find = 1; "For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n");
} }
if (!find && (strcmp(hydra_options.service, "smtp-enum")) == 0) {
printf("Module smtp-enum is optionally taking one SMTP command of:\n\n" void usage_smtp(const char* service) {
"VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n" printf("Module smtp is optionally taking one authentication type of:\n"
"login parameter is used as username and password parameter as the domain name\n" " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"
"For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n"); "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n");
find = 1; }
}
if (!find && (strcmp(hydra_options.service, "smtp")) == 0) { void usage_svn(const char* service) {
printf("Module smtp is optionally taking one authentication type of:\n" printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n");
" LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n" }
"Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n");
find = 1; void usage_ncp(const char* service) {
} printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n");
if (!find && (strcmp(hydra_options.service, "svn") == 0)) { }
printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n");
find = 1; void usage_firebird(const char* service) {
} printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n");
if (!find && (strcmp(hydra_options.service, "ncp") == 0)) { }
printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n");
find = 1; void usage_mysql(const char* service) {
} printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n");
if (!find && (strcmp(hydra_options.service, "firebird") == 0)) { }
printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n");
find = 1; void usage_irc(const char* service) {
} printf("Module irc is optionally taking the general server password, if the server is requiring one\n" "and none is passed the password from -p/-P will be used\n\n");
if (!find && (strcmp(hydra_options.service, "mysql") == 0)) { }
printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n");
find = 1; void usage_postgres(const char* service) {
} printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n");
if (!find && (strcmp(hydra_options.service, "irc") == 0)) { }
printf("Module irc is optionally taking the general server password, if the server is requiring one\n" "and none is passed the password from -p/-P will be used\n\n");
find = 1; void usage_telnet(const char* service) {
} printf("Module telnet is optionally taking the string which is displayed after\n"
if (!find && (strcmp(hydra_options.service, "postgres") == 0)) { "a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n");
printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n"); }
find = 1;
} void usage_sapr3(const char* service) {
if (!find && (strcmp(hydra_options.service, "telnet") == 0)) { printf("Module sapr3 requires the client id, a number between 0 and 99\n\n");
printf("Module telnet is optionally taking the string which is displayed after\n" }
"a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n");
find = 1; void usage_sshkey(const char* service) {
} printf("Module sshkey does not provide additional options, although the semantic for\n"
if (!find && (strcmp(hydra_options.service, "sapr3") == 0)) { "options -p and -P is changed:\n"
printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); " -p expects a path to an unencrypted private key in PEM format.\n"
find = 1; " -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n");
} }
if (!find && (strcmp(hydra_options.service, "sshkey") == 0)) {
printf("Module sshkey does not provide additional options, although the semantic for\n" void usage_cisco_enable(const char* service) {
"options -p and -P is changed:\n" printf("Module cisco-enable is optionally taking the logon password for the cisco device\n"
" -p expects a path to an unencrypted private key in PEM format.\n" "Note: if AAA authentication is used, use the -l option for the username\n"
" -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n"); "and the optional parameter for the password of the user.\n"
find = 1; "Examples:\n"
} " hydra -P pass.txt target cisco-enable (direct console access)\n"
if (!find && (strcmp(hydra_options.service, "cisco-enable") == 0)) { " hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n"
printf("Module cisco-enable is optionally taking the logon password for the cisco device\n" " hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n");
"Note: if AAA authentication is used, use the -l option for the username\n" }
"and the optional parameter for the password of the user.\n"
"Examples:\n" void usage_cisco(const char* service) {
" hydra -P pass.txt target cisco-enable (direct console access)\n" printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n");
" hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n" }
" hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n");
find = 1; void usage_ldap(const char* service) {
} printf("Module %s is optionally taking the DN (depending of the auth method choosed\n"
if (!find && (strcmp(hydra_options.service, "cisco") == 0)) { "Note: you can also specify the DN as login when Simple auth method is used).\n"
printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n"); "The keyword \"^USER^\" is replaced with the login.\n"
find = 1; "Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n"
} "unauthenticated (user but no pass), user/pass authenticated (user and pass).\n"
if (!find && ((strcmp(hydra_options.service, "ldap2") == 0) "So don't forget to set empty string as user/pass to test all modes.\n"
|| (strcmp(hydra_options.service, "ldap3") == 0) "Hint: to authenticate to a windows active directy ldap, this is usually\n"
|| (strcmp(hydra_options.service, "ldap3-crammd5") == 0) " cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", service);
|| (strcmp(hydra_options.service, "ldap3-digestmd5") == 0)) }
) {
printf("Module %s is optionally taking the DN (depending of the auth method choosed\n" void usage_smb(const char* service) {
"Note: you can also specify the DN as login when Simple auth method is used).\n" printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n"
"The keyword \"^USER^\" is replaced with the login.\n" "Note: you can set the group type using LOCAL or DOMAIN keyword\n"
"Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n" " or other_domain:{value} to specify a trusted domain.\n"
"unauthenticated (user but no pass), user/pass authenticated (user and pass).\n" " you can set the password type using HASH or MACHINE keyword\n"
"So don't forget to set empty string as user/pass to test all modes.\n" " (to use the Machine's NetBIOS name as the password).\n"
"Hint: to authenticate to a windows active directy ldap, this is usually\n" " you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n"
" cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", hydra_options.service); "Example: \n"
find = 1; " hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n"
} " hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n"
if (!find && ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0))) { " hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n");
printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n" }
"Note: you can set the group type using LOCAL or DOMAIN keyword\n"
" or other_domain:{value} to specify a trusted domain.\n" void usage_http_form(const char* service) {
" you can set the password type using HASH or MACHINE keyword\n" printf("Module %s requires the page and the parameters for the web form.\n\n"
" (to use the Machine's NetBIOS name as the password).\n" "By default this module is configured to follow a maximum of 5 redirections in\n"
" you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n" "a row. It always gathers a new cookie from the same URL without variables\n"
"Example: \n" "The parameters take three \":\" separated values, plus optional values.\n"
" hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n" "(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
" hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n" "\nSyntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]\n"
" hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n"); "First is the page on the server to GET or POST to (URL).\n"
find = 1; "Second is the POST/GET variables (taken from either the browser, proxy, etc.\n"
} " with usernames and passwords being replaced in the \"^USER^\" and \"^PASS^\"\n"
if (!find && ((strcmp(hydra_options.service, "http-get-form") == 0) " placeholders (FORM PARAMETERS)\n"
|| (strcmp(hydra_options.service, "https-get-form") == 0) "Third is the string that it checks for an *invalid* login (by default)\n"
|| (strcmp(hydra_options.service, "http-post-form") == 0) " Invalid condition login check can be preceded by \"F=\", successful condition\n"
|| (strcmp(hydra_options.service, "https-post-form") == 0) " login check must be preceded by \"S=\".\n"
|| (strncmp(hydra_options.service, "http-form", 9) == 0) " This is where most people get it wrong. You have to check the webapp what a\n"
|| (strncmp(hydra_options.service, "https-form", 10) == 0) " failed string looks like and put it in this parameter!\n"
) "The following parameters are optional:\n"
) { " C=/page/uri to define a different page to gather initial cookies from\n"
printf("Module %s requires the page and the parameters for the web form.\n\n" " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n"
"By default this module is configured to follow a maximum of 5 redirections in\n" " ^USER^ and ^PASS^ can also be put into these headers!\n"
"a row. It always gathers a new cookie from the same URL without variables\n" " Note: 'h' will add the user-defined header at the end\n"
"The parameters take three \":\" separated values, plus optional values.\n" " regardless it's already being sent by Hydra or not.\n"
"(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" " 'H' will replace the value of that header if it exists, by the\n"
"\nSyntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]\n" " one supplied by the user, or add the header at the end\n"
"First is the page on the server to GET or POST to (URL).\n" "Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n"
"Second is the POST/GET variables (taken from either the browser, proxy, etc.\n" " All colons that are not option separators should be escaped (see the examples above and below).\n"
" with usernames and passwords being replaced in the \"^USER^\" and \"^PASS^\"\n" " You can specify a header without escaping the colons, but that way you will not be able to put colons\n"
" placeholders (FORM PARAMETERS)\n" " in the header value itself, as they will be interpreted by hydra as option separators.\n"
"Third is the string that it checks for an *invalid* login (by default)\n" "\nExamples:\n"
" Invalid condition login check can be preceded by \"F=\", successful condition\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
" login check must be preceded by \"S=\".\n" " \"/login.php:user=^USER^&pass=^PASS^&colon=colon\\:escape:S=authlog=.*success\"\n"
" This is where most people get it wrong. You have to check the webapp what a\n" " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
" failed string looks like and put it in this parameter!\n" " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n"
"The following parameters are optional:\n" " \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n",
" C=/page/uri to define a different page to gather initial cookies from\n" service);
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" }
" ^USER^ and ^PASS^ can also be put into these headers!\n"
" Note: 'h' will add the user-defined header at the end\n" void usage_http_proxy(const char* service) {
" regardless it's already being sent by Hydra or not.\n" printf("Module http-proxy is optionally taking the page to authenticate at.\n"
" 'H' will replace the value of that header if it exists, by the\n" "Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n");
" one supplied by the user, or add the header at the end\n" }
"Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n"
" All colons that are not option separators should be escaped (see the examples above and below).\n" void usage_http_proxy_urlenum(const char* service) {
" You can specify a header without escaping the colons, but that way you will not be able to put colons\n" printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n"
" in the header value itself, as they will be interpreted by hydra as option separators.\n" "The -L loginfile must contain the URL list to try through the proxy.\n"
"\nExamples:\n" "The proxy credentials cann be put as the optional parameter, e.g.\n"
" \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" " hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n");
" \"/login.php:user=^USER^&pass=^PASS^&colon=colon\\:escape:S=authlog=.*success\"\n" }
" \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n" void usage_snmp(const char* service) {
" \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n", printf("Module snmp is optionally taking the following parameters:\n"
hydra_options.service); " READ perform read requests (default)\n"
find = 1; " WRITE perform write requests\n"
} " 1 use SNMP version 1 (default)\n"
if (!find && (strcmp(hydra_options.service, "http-proxy") == 0)) { " 2 use SNMP version 2\n"
printf("Module http-proxy is optionally taking the page to authenticate at.\n" " 3 use SNMP version 3\n"
"Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n"); " Note that SNMP version 3 usually uses both login and passwords!\n"
find = 1; " SNMP version 3 has the following optional sub parameters:\n"
} " MD5 use MD5 authentication (default)\n"
if (!find && (strcmp(hydra_options.service, "http-proxy-urlenum") == 0)) { " SHA use SHA authentication\n"
printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n" " DES use DES encryption\n"
"The -L loginfile must contain the URL list to try through the proxy.\n" " AES use AES encryption\n"
"The proxy credentials cann be put as the optional parameter, e.g.\n" " if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n"
" hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n"); " only requires a password (or username) not both.\n"
find = 1; "To combine the options, use colons (\":\"), e.g.:\n"
} " hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n"
if (!find && (strncmp(hydra_options.service, "snmp", 4) == 0)) { " hydra -P pass.txt -m 2 target.com snmp\n");
printf("Module snmp is optionally taking the following parameters:\n"); }
printf(" READ perform read requests (default)\n");
printf(" WRITE perform write requests\n"); void usage_http(const char* service) {
printf(" 1 use SNMP version 1 (default)\n"); printf("Module %s requires the page to authenticate.\n"
printf(" 2 use SNMP version 2\n"); "For example: \"/secret\" or \"http://bla.com/foo/bar\" or \"https://test.com:8080/members\"\n\n", service);
printf(" 3 use SNMP version 3\n"); }
printf(" Note that SNMP version 3 usually uses both login and passwords!\n");
printf(" SNMP version 3 has the following optional sub parameters:\n"); void module_usage() {
printf(" MD5 use MD5 authentication (default)\n"); int i;
printf(" SHA use SHA authentication\n"); if (!hydra_options.service) {
printf(" DES use DES encryption\n");
printf(" AES use AES encryption\n");
printf(" if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n");
printf(" only requires a password (or username) not both.\n");
printf("To combine the options, use colons (\":\"), e.g.:\n");
printf(" hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n");
printf(" hydra -P pass.txt -m 2 target.com snmp\n");
find = 1;
}
if (!find && ((strcmp(hydra_options.service, "http-get") == 0)
|| (strcmp(hydra_options.service, "https-get") == 0)
|| (strcmp(hydra_options.service, "http-post") == 0)
|| (strcmp(hydra_options.service, "https-post") == 0))
) {
printf("Module %s requires the page to authenticate.\n"
"For example: \"/secret\" or \"http://bla.com/foo/bar\" or \"https://test.com:8080/members\"\n\n", hydra_options.service);
find = 1;
}
}
if (!find) // this is also printed if the module does not exist at all
printf("The Module %s does not need or support optional parameters\n", hydra_options.service); printf("The Module %s does not need or support optional parameters\n", hydra_options.service);
exit(0);
}
printf("\nHelp for module %s:\n============================================================================\n", hydra_options.service);
for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) {
if (strcmp(hydra_options.service, services[i].name) == 0) {
if (services[i].usage) {
services[i].usage(hydra_options.service);
exit(0);
}
}
}
printf("The Module %s does not need or support optional parameters\n", hydra_options.service);
exit(0); exit(0);
} }
@ -1204,102 +1330,6 @@ char *hydra_build_time() {
return (char *) &datetime; return (char *) &datetime;
} }
typedef void (*service_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
typedef int (*service_init_t)(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port, char *hostname);
#define SERVICE2(name, func) { name, service_##func##_init, service_##func }
#define SERVICE(name) { #name, service_##name##_init, service_##name }
static const struct {
const char* name;
service_init_t init;
service_t exec;
} services[] = {
SERVICE(adam6500),
#ifdef LIBAFP
SERVICE(afp),
#endif
SERVICE(asterisk),
SERVICE(cisco),
SERVICE2("cisco-enable", cisco_enable),
SERVICE(cvs),
#ifdef LIBFIREBIRD
SERVICE(firebird),
#endif
SERVICE(ftp),
{ "ftps", service_ftp_init, service_ftps },
{ "http-get", service_http_init, service_http_get },
{ "http-get-form", service_http_form_init, service_http_get_form },
{ "http-head", service_http_init, service_http_head },
{ "http-form", service_http_form_init, NULL },
{ "http-post", NULL, service_http_post },
{ "http-post-form", service_http_form_init, service_http_post_form },
SERVICE2("http-proxy", http_proxy),
SERVICE2("http-proxy-urlenum", http_proxy_urlenum),
SERVICE(icq),
SERVICE(imap),
SERVICE(irc),
{ "ldap2", service_ldap_init, service_ldap2 },
{ "ldap3", service_ldap_init, service_ldap3 },
{ "ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5 },
{ "ldap3-digestmd5", service_ldap_init, service_ldap3_digest_md5 },
SERVICE(mssql),
#ifdef HAVE_MATH_H
SERVICE(mysql),
#endif
#ifdef LIBNCP
SERVICE(ncp),
#endif
SERVICE(nntp),
#ifdef LIBORACLE
SERVICE(oracle),
#endif
#ifdef LIBOPENSSL
SERVICE2("oracle-listener", oracle_listener),
SERVICE2("oracle-sid", oracle_sid),
#endif
SERVICE(pcanywhere),
SERVICE(pcnfs),
SERVICE(pop3),
#ifdef LIBPOSTGRES
SERVICE(postgres),
#endif
SERVICE(redis),
SERVICE(rexec),
#ifdef LIBOPENSSL
SERVICE(rdp),
#endif
SERVICE(rlogin),
SERVICE(rsh),
SERVICE(rtsp),
SERVICE(rpcap),
SERVICE2("s7-300", s7_300),
#ifdef LIBSAPR3
SERVICE(sapr3),
#endif
#ifdef LIBOPENSSL
SERVICE(sip),
SERVICE2("smbnt", smb),
SERVICE(smb),
#endif
SERVICE(smtp),
SERVICE2("smtp-enum", smtp_enum),
SERVICE(snmp),
SERVICE(socks5),
#ifdef LIBSSH
{ "ssh", NULL, service_ssh },
SERVICE(sshkey),
#endif
#ifdef LIBSVN
SERVICE(svn),
#endif
SERVICE(teamspeak),
SERVICE(telnet),
SERVICE(vmauthd),
SERVICE(vnc),
{ "xmpp", service_xmpp_init, NULL }
};
void hydra_service_init(int target_no) { void hydra_service_init(int target_no) {
int x = 99; int x = 99;
int i; int i;
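Review bot: The new table entry `SERVICE3("sarp3", sapr3),` misspells the service name. The table this commit removes registered it through `SERVICE(sapr3)`, i.e. as "sapr3", so under LIBSAPR3 anything that looks the module up by name in `services[]` no longer matches; the entry should read `SERVICE3("sapr3", sapr3),`. The rewritten `module_usage()` also matches only by exact `strcmp` against `services[i].name`, so names the old chain accepted ("ora", "tns", the `https-*` get/post and form variants, and the `strncmp` prefixes for snmp and http-form) now fall through to the "does not need or support optional parameters" message, unless they are normalised before this call, which the page does not show. In the same function the `!hydra_options.service` branch passes a NULL pointer to `%s`, which is undefined behaviour; a fixed message with no argument avoids it. The loop also compares `int i` with a `sizeof` expression, so `size_t i` would remove the signed/unsigned comparison.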