github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-08-19 21:03:52 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into master

Browse source
This commit is contained in:
e2002e 2020-09-10 12:52:26 +02:00 committed by GitHub
commit 60a9924547
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
92 changed files with 7264 additions and 6402 deletions
Download patch file Download diff file Expand all files Collapse all files

117
.clang-format Normal file
View file

@ -0,0 +1,117 @@
---
Language: Cpp
AccessModifierOffset: -2
AlignAfterOpenBracket: Align
AlignConsecutiveAssignments: false
AlignConsecutiveDeclarations: false
AlignEscapedNewlines: Right
AlignOperands: true
AlignTrailingComments: true
AllowAllParametersOfDeclarationOnNextLine: true
AllowShortBlocksOnASingleLine: false
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: All
AllowShortIfStatementsOnASingleLine: false
AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterDefinitionReturnType: None
AlwaysBreakAfterReturnType: None
AlwaysBreakBeforeMultilineStrings: false
AlwaysBreakTemplateDeclarations: false
BinPackArguments: true
BinPackParameters: true
BraceWrapping:
AfterClass: false
AfterControlStatement: false
AfterEnum: false
AfterFunction: false
AfterNamespace: false
AfterObjCDeclaration: false
AfterStruct: false
AfterUnion: false
AfterExternBlock: false
BeforeCatch: false
BeforeElse: false
IndentBraces: false
SplitEmptyFunction: true
SplitEmptyRecord: true
SplitEmptyNamespace: true
BreakBeforeBinaryOperators: None
BreakBeforeBraces: Attach
BreakBeforeInheritanceComma: false
BreakInheritanceList: BeforeColon
BreakBeforeTernaryOperators: true
BreakConstructorInitializersBeforeComma: false
BreakConstructorInitializers: BeforeColon
BreakAfterJavaFieldAnnotations: false
BreakStringLiterals: true
ColumnLimit: 512
CommentPragmas: '^ IWYU pragma:'
CompactNamespaces: true
ConstructorInitializerAllOnOneLineOrOnePerLine: false
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: false
DisableFormat: false
ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true
ForEachMacros:
- foreach
- Q_FOREACH
- BOOST_FOREACH
IncludeBlocks: Preserve
IncludeCategories:
- Regex: '^"(llvm|llvm-c|clang|clang-c)/'
Priority: 2
- Regex: '^(<|"(gtest|gmock|isl|json)/)'
Priority: 3
- Regex: '.*'
Priority: 1
IncludeIsMainRegex: '(Test)?$'
IndentCaseLabels: false
IndentPPDirectives: None
IndentWidth: 2
IndentWrappedFunctionNames: false
JavaScriptQuotes: Leave
JavaScriptWrapImports: true
KeepEmptyLinesAtTheStartOfBlocks: false
MacroBlockBegin: ''
MacroBlockEnd: ''
MaxEmptyLinesToKeep: 1
NamespaceIndentation: None
ObjCBinPackProtocolList: Auto
ObjCBlockIndentWidth: 2
ObjCSpaceAfterProperty: false
ObjCSpaceBeforeProtocolList: true
PenaltyBreakAssignment: 2
PenaltyBreakBeforeFirstCallParameter: 19
PenaltyBreakComment: 300
PenaltyBreakFirstLessLess: 120
PenaltyBreakString: 1000
PenaltyBreakTemplateDeclaration: 10
PenaltyExcessCharacter: 1000000
PenaltyReturnTypeOnItsOwnLine: 60
PointerAlignment: Right
ReflowComments: true
SortIncludes: true
SortUsingDeclarations: true
SpaceAfterCStyleCast: false
SpaceAfterTemplateKeyword: true
SpaceBeforeAssignmentOperators: true
SpaceBeforeCpp11BracedList: false
SpaceBeforeCtorInitializerColon: true
SpaceBeforeInheritanceColon: true
SpaceBeforeParens: ControlStatements
SpaceBeforeRangeBasedForLoopColon: true
SpaceInEmptyParentheses: false
SpacesBeforeTrailingComments: 1
SpacesInAngles: false
SpacesInContainerLiterals: true
SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Cpp11
TabWidth: 2
UseTab: Never
...

1
.gitignore vendored
View file

@ -13,3 +13,4 @@ hydra-gtk/stamp-h
pw-inspector
pw-inspector.exe
hydra.restore
*~

14
CHANGES
View file

@ -2,11 +2,21 @@ Changelog for hydra
-------------------
Release 9.1-dev
* enable gcc 10 support for xhydra too :)
* rdb: support for libfreerdp3 (thanks to animetauren)
* new module: smb2 which also supports smb3 (uses libsmbclient-dev) (thanks to Karim Kanso for the module!)
* oracle: added success condition (thanks to kazkansouh), compile on Cygwin (thanks to maaaaz)
* rtsp: fixed crash in MD5 auth
* svn: updated to support past and new API
* http module now supports F=/S= string matching conditions (thanks to poucz@github)
* changed mysql module not to use mysql db as a default. if the user has not access to this db auth fails ...
* http: now supports F=/S= string matching conditions (thanks to poucz@github)
* http-proxy: buffer fix, 404 success condition (thanks to kazkansouh)
* mysql: changed not to use mysql db as a default. if the user has not access to this db auth fails ...
* sasl: buffer fix (thanks to TenGbps)
* fixed help for https modules (thanks to Jab2870)
* added -K command line switch to disable redo attempts (good for mass scanning)
* forgot to have the -m option in the hydra help output
* gcc-10 support and various cleanups by Jeroen Roovers, thanks!
* added .clang-format and formatted all code
Release 9.0

19
Makefile.am
View file

@ -1,13 +1,16 @@
#
# Makefile for Hydra - (c) 2001-2019 by van Hauser / THC <vh@thc.org>
# Makefile for Hydra - (c) 2001-2020 by van Hauser / THC <vh@thc.org>
#
OPTS=-I. -O3 -march=native -flto
WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations
WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align
CFLAGS ?= -g
OPTS=-I. -O3 $(CFLAGS) -fcommon -Wl,--allow-multiple-definition
# -Wall -g -pedantic
LIBS=-lm
BINDIR = /bin
MANDIR ?= /man/man1/
DATADIR ?= /etc
DESTDIR ?=
BINDIR = /bin
MANDIR = /man/man1/
DATADIR = /etc
SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \
@ -21,7 +24,8 @@ SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \
hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \
hydra-rpcap.c hydra-radmin2.c \
hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c
hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c \
hydra-smb2.c
OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \
hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \
@ -34,7 +38,8 @@ OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
hydra-ncp.o hydra-http-proxy.o hydra-http-form.o hydra-irc.o \
hydra-redis.o hydra-rdp.o hydra-s7-300.c hydra-adam6500.o hydra-rtsp.o \
hydra-rpcap.o hydra-radmin2.o \
crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o
crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o \
hydra-smb2.o
BINS = hydra pw-inspector
EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \

7
README.md
View file

@ -1,7 +1,7 @@
H Y D R A
(c) 2001-2019 by van Hauser / THC
(c) 2001-2020 by van Hauser / THC
<vh@thc.org> https://github.com/vanhauser-thc/thc-hydra
many modules were written by David (dot) Maciejak @ gmail (dot) com
BFG code by Jan Dlabal <dlabaljan@gmail.com>
@ -10,6 +10,9 @@
Please do not use in military or secret service organizations,
or for illegal purposes.
(This is the wish of the author and non-binding. Many people working
in these organizations do not care for laws and ethics anyways.
You are not one of the "good" ones if you ignore this.)
@ -379,7 +382,7 @@ Version 1.00 example:
"These are very free form"
],
"generator": {
"built": "2019-03-01 14:44:22",
"built": "2020-03-01 14:44:22",
"commandline": "hydra -b jsonv1 -o results.json ... ...",
"jsonoutputversion": "1.00",
"server": "127.0.0.1",

5
TODO
View file

@ -1,4 +1,9 @@
./configure:
- add test for -march=native
--- this is old ---
Prio 1:
* add cookie support to hydra-http.c
* hydra-smb more than 1 connection?

40
bfg.c
View file

@ -1,12 +1,12 @@
/* code original by Jan Dlabal <dlabaljan@gmail.com>, partially rewritten by vh,
rainy tweaks by yvain douard*/
rainy tweaks by owein <yvain29@gmail.com>*/
#include <ctype.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>
#include <ctype.h>
#ifdef __sun
#include <sys/int_types.h>
#elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX)
@ -25,17 +25,23 @@ extern int32_t debug;
static int32_t add_single_char(char ch, char flags, int32_t *crs_len) {
if ((ch >= '2' && ch <= '9') || ch == '0') {
if ((flags & BF_NUMS) > 0) {
printf("[ERROR] character %c defined in -x although the whole number range was already defined by '1', ignored\n", ch);
printf("[ERROR] character %c defined in -x although the whole number "
"range was already defined by '1', ignored\n",
ch);
return 0;
}
//printf("[WARNING] adding character %c for -x, note that '1' will add all numbers from 0-9\n", ch);
// printf("[WARNING] adding character %c for -x, note that '1' will add all
// numbers from 0-9\n", ch);
}
if (tolower((int32_t)ch) >= 'b' && tolower((int32_t)ch) <= 'z') {
if ((ch <= 'Z' && (flags & BF_UPPER) > 0) || (ch > 'Z' && (flags & BF_UPPER) > 0)) {
printf("[ERROR] character %c defined in -x although the whole letter range was already defined by '%c', ignored\n", ch, ch <= 'Z' ? 'A' : 'a');
printf("[ERROR] character %c defined in -x although the whole letter "
"range was already defined by '%c', ignored\n",
ch, ch <= 'Z' ? 'A' : 'a');
return 0;
}
//printf("[WARNING] adding character %c for -x, note that '%c' will add all %scase letters\n", ch, ch <= 'Z' ? 'A' : 'a', ch <= 'Z' ? "up" : "low");
// printf("[WARNING] adding character %c for -x, note that '%c' will add all
// %scase letters\n", ch, ch <= 'Z' ? 'A' : 'a', ch <= 'Z' ? "up" : "low");
}
(*crs_len)++;
if (BF_CHARSMAX - *crs_len < 1) {
@ -55,6 +61,7 @@ static int32_t add_single_char(char ch, char flags, int32_t* crs_len) {
int32_t bf_init(char *arg) {
bf_options.rotate = 0;
bf_options.strafe = 0;
int32_t i = 0;
int32_t crs_len = 0;
char flags = 0;
@ -68,7 +75,8 @@ int32_t bf_init(char *arg) {
}
bf_options.from = atoi(arg);
if (bf_options.from < 1 || bf_options.from > 127) {
fprintf(stderr, "Error: minimum length must be between 1 and 127, format: -x min:max:types\n");
fprintf(stderr, "Error: minimum length must be between 1 and 127, format: "
"-x min:max:types\n");
return 1;
}
arg = tmp + 1;
@ -88,7 +96,8 @@ int32_t bf_init(char *arg) {
tmp++;
if (bf_options.from > bf_options.to) {
fprintf(stderr, "Error: you specified a minimum length higher than the maximum length!\n");
fprintf(stderr, "Error: you specified a minimum length higher than the "
"maximum length!\n");
return 1;
}
@ -168,6 +177,7 @@ int32_t bf_init(char *arg) {
bf_options.crs_len = crs_len;
bf_options.current = bf_options.from;
memset((char *) bf_options.state, 0, sizeof(bf_options.state));
if (debug)
@ -176,7 +186,6 @@ int32_t bf_init(char *arg) {
return 0;
}
uint64_t bf_get_pcount() {
int32_t i;
double count = 0;
@ -185,7 +194,8 @@ uint64_t bf_get_pcount() {
for (i = bf_options.from; i <= bf_options.to; i++)
count += (pow((double)bf_options.crs_len, (double)i));
if (count >= 0xffffffff) {
fprintf(stderr, "\n[ERROR] definition for password bruteforce (-x) generates more than 4 billion passwords\n");
fprintf(stderr, "\n[ERROR] definition for password bruteforce (-x) "
"generates more than 4 billion passwords - this is not a bug in the program, it is just not feasible to try so many attempts. Try a calculator how long that would take. duh.\n");
exit(-1);
}
@ -193,6 +203,13 @@ uint64_t bf_get_pcount() {
return foo;
}
int accu(int value) {
int i = 0, a;
for (a = 1; a <= value; ++a) {
i += a;
}
return i;
}
char *bf_next(_Bool rainy) {
int32_t i, pos = bf_options.current - 1;
@ -231,6 +248,7 @@ char *bf_next(_Bool rainy) {
else
for (i = 0; i < bf_options.current; i++)
bf_options.ptr[i] = bf_options.crs[bf_options.state[i]];
bf_options.ptr[bf_options.current] = 0;
if (debug) {

7
bfg.h
View file

@ -24,7 +24,9 @@
#define BF_WEBSITE "http://houbysoft.com/bfg/"
#define BF_BUFLEN 1024
#define BF_CHARSMAX 256 /* how many max possibilities there are for characters, normally it's 2^8 = 256 */
#define BF_CHARSMAX \
256 /* how many max possibilities there are for characters, normally it's \
2^8 = 256 */
#define BF_LOWER 1
#define BF_UPPER 2
@ -41,9 +43,10 @@ typedef struct {
char *crs; /* internal representation of charset */
char *ptr; /* ptr to the last generated password */
uint32_t disable_symbols;
uint64_t rotate;
uint64_t strafe;
/* accumulator for the rain */
} bf_option;
extern bf_option bf_options;

285
configure vendored
View file

@ -72,6 +72,10 @@ MANDIR=""
XHYDRA_SUPPORT=""
FREERDP2_PATH=""
WINPR2_PATH=""
FREERDP3_PATH=""
WINPR3_PATH=""
SMBC_PATH=""
SMBC_IPATH=""
if [ '!' "X" = "X$*" ]; then
while [ $# -gt 0 ] ; do
@ -143,7 +147,7 @@ fi
# On macOS /usr/include only exists if one has installed the Command Line Tools package.
# If this is an Xcode-only system we need to look inside the SDK for headers.
SDK_PATH=""
if [ "$SYSS" = "Darwin" ] && [ ! -d "/usr/include" ]; then
if [ "$SYSS" = "Darwin" -a ! -d "/usr/include" ]; then
SDK_PATH=`xcrun --show-sdk-path`
fi
LIBDIRS=`cat /etc/ld.so.conf /etc/ld.so.conf.d/* 2> /dev/null | grep -v '^#' | sort | uniq`
@ -153,8 +157,8 @@ fi
if [ -d "/Library/Developer/CommandLineTools/usr/lib" ]; then
LIBDIRS="$LIBDIRS /Library/Developer/CommandLineTools/usr/lib /Library/Developer/CommandLineTools/lib"
fi
LIBDIRS="$LIBDIRS /lib /usr/lib /usr/local/lib /opt/local/lib"
INCDIRS="$SDK_PATH/usr/include /usr/local/include /opt/include /opt/local/include"
LIBDIRS="$LIBDIRS /lib /usr/lib /usr/local/lib /opt/local/lib /mingw64/lib /mingw64/bin"
INCDIRS="$SDK_PATH/usr/include /usr/local/include /opt/include /opt/local/include /mingw64/include"
if [ -n "$PREFIX" ]; then
if [ -d "$PREFIX/lib" ]; then
LIBDIRS="$LIBDIRS $PREFIX/lib"
@ -166,7 +170,7 @@ fi
STRIP="strip"
echo
echo "Checking for zlib (libz.so, zlib.h) ..."
echo "Checking for zlib (libz/zlib.h) ..."
for i in $INCDIRS; do
if [ -f "$i/zlib.h" ]; then
HAVE_ZLIB="y"
@ -179,7 +183,7 @@ else
echo " ... zlib not found, gzip support disabled"
fi
echo "Checking for openssl (libssl, libcrypto, ssl.h, sha.h) ..."
echo "Checking for openssl (libssl/libcrypto/ssl.h/sha.h) ..."
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: SSL_LIB=$LIBDIRS `ls -d /*ssl /usr/*ssl /opt/*ssl /usr/local/*ssl /opt/local/*ssl /*ssl/lib /usr/*ssl/lib /opt/*ssl/lib /usr/local/*ssl/lib /opt/local/*ssl/lib 2> /dev/null`
echo DEBUG: SSL_INC=$INCDIRS `ls -d /*ssl/include /opt/*ssl/include /usr/*ssl/include /usr/local/*ssl/include 2> /dev/null`
@ -262,7 +266,7 @@ if [ "$SSL_IPATH" = "/usr/include" ]; then
SSL_IPATH=""
fi
echo "Checking for gcrypt (libgcrypt.so, gpg-error.h) ..."
echo "Checking for gcrypt (libgcrypt/gpg-error.h) ..."
for i in $LIBDIRS ; do
if [ -f "$i/libgcrypt.so" -o -f "$i/libgcrypt.dylib" -o -f "$i/libgcrypt.a" -o -f "$i/libgcrypt.dll.a" -o -f "$i/libgcrypt.la" ]; then
HAVE_GCRYPT="y"
@ -289,7 +293,7 @@ else
HAVE_GCRYPT=""
fi
echo "Checking for idn (libidn.so) ..."
echo "Checking for idn (libidn) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$IDN_PATH" ]; then
if [ -f "$i/libidn.so" -o -f "$i/libidn.dylib" -o -f "$i/libidn.a" -o -f "$i/libidn.dll.a" -o -f "$i/libidn.la" ]; then
@ -331,7 +335,7 @@ if [ "X" = "X$IDN_PATH" -o "X" = "X$IDN_IPATH" ]; then
PR29_IPATH=""
fi
echo "Checking for curses (libcurses.so / term.h) ..."
echo "Checking for curses (libcurses/term.h) ..."
for i in $LIBDIRS; do
if [ "X" = "X$CURSES_PATH" ]; then
if [ -f "$i/libcurses.so" -o -f "$i/libcurses.dylib" -o -f "$i/libcurses.a" ]; then
@ -374,7 +378,7 @@ if [ "X" = "X$CURSES_PATH" -o "X" = "X$CURSES_IPATH" ]; then
CURSES_IPATH=""
fi
echo "Checking for pcre (libpcre.so, pcre.h) ..."
echo "Checking for pcre (libpcre/pcre.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$PCRE_PATH" ]; then
if [ -f "$i/libpcre.so" -o -f "$i/libpcre.dylib" -o -f "$i/libpcre.a" ]; then
@ -414,7 +418,7 @@ if [ "X" = "X$PCRE_PATH" -o "X" = "X$PCRE_IPATH" ]; then
PCRE_IPATH=""
fi
echo "Checking for Postgres (libpq.so, libpq-fe.h) ..."
echo "Checking for Postgres (libpq/libpq-fe.h) ..."
#if [ "$SYSO" = "Cygwin" ]; then
# echo " ... DISABLED - postgres is buggy in Cygwin at the moment"
# POSTGRES_PATH=""
@ -441,7 +445,7 @@ echo "Checking for Postgres (libpq.so, libpq-fe.h) ..."
done
POSTGRES_IPATH=
for i in $INCDIRS \
/opt/p*sql*/include /usr/*p*sql*/include /usr/local/*psql*/include
/opt/p*sql*/include /usr/*p*sql*/include /usr/local/*psql*/include /mingw64/include
do
if [ "X" = "X$POSTGRES_IPATH" ]; then
if [ -f "$i/libpq-fe.h" ]; then
@ -470,7 +474,7 @@ fi
fi
#fi
echo "Checking for SVN (libsvn_client-1 libapr-1.so libaprutil-1.so) ..."
echo "Checking for SVN (libsvn_client-1/libapr-1/libaprutil-1) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$SVN_PATH" ]; then
if [ -f "$i/libsvn_client-1.so" ]; then
@ -600,7 +604,7 @@ if [ "X" = "X$SVN_PATH" -o "X" = "X$APR_PATH" ]; then
echo " ... NOT found, module svn disabled"
fi
echo "Checking for firebird (libfbclient.so) ..."
echo "Checking for firebird (libfbclient) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$FIREBIRD_PATH" ]; then
if [ -f "$i/libfbclient.so" -o -f "$i/libfbclient.dylib" -o -f "$i/libfbclient.a" ]; then
@ -625,6 +629,9 @@ for i in $INCDIRS ; do
if [ -f "$i/ibase.h" ]; then
FIREBIRD_IPATH="$i"
fi
if [ -f "$i/firebird/ibase.h" ]; then
FIREBIRD_IPATH="$i/firebird"
fi
fi
done
if [ "X" != "X$DEBUG" ]; then
@ -640,7 +647,7 @@ if [ "X" = "X$FIREBIRD_PATH" -o "X" = "X$FIREBIRD_IPATH" ]; then
FIREBIRD_IPATH=""
fi
echo "Checking for MYSQL client (libmysqlclient.so, math.h) ..."
echo "Checking for MYSQL client (libmysqlclient/math.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$MYSQL_PATH" ]; then
if [ -f "$i/libmysqlclient.so" -o -f "$i/libmysqlclient.dylib" -o -f "$i/libmysqlclient.a" ]; then
@ -689,7 +696,7 @@ if [ -f "$SDK_PATH/usr/include/math.h" ]; then
else
echo " ... math.h not found, module Mysql disabled"
fi
echo "Checking for AFP (libafpclient.so) ..."
echo "Checking for AFP (libafpclient) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$AFP_PATH" ]; then
if [ -f "$i/libafpclient.so" -o -f "$i/libafpclient.so" -o -f "$i/libafpclient.a" ]; then
@ -729,7 +736,7 @@ if [ "X" = "X$AFP_PATH" -o "X" = "X$AFP_IPATH" ]; then
AFP_IPATH=""
fi
echo "Checking for NCP (libncp.so / nwcalls.h) ..."
echo "Checking for NCP (libncp/nwcalls.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$NCP_PATH" ]; then
if [ -f "$i/libncp.so" -o -f "$i/libncp.dylib" -o -f "$i/libncp.a" ]; then
@ -859,7 +866,7 @@ if [ "$SSH_IPATH" = "/usr/include" ]; then
SSH_IPATH=""
fi
echo "Checking for Oracle (libocci.so libclntsh.so / oci.h and libaio.so) ..."
echo "Checking for Oracle (libocci/libclntsh/oci.h/libaio/liboci) ..."
#assume if we find oci.h other headers should also be in that dir
#for libs we will test the 2
if [ "X" != "X$WORACLE_PATH" ]; then
@ -889,6 +896,11 @@ for i in $LIBDIRS ; do
ORACLE_PATH="$i"
fi
fi
if [ "X" = "X$ORACLE_PATH" ]; then
if [ -f "$i/liboci.a" -a -f "$i/oci.dll" ]; then
ORACLE_PATH="$i"
fi
fi
if [ "X" = "X$ORACLE_PATH" ]; then
TMP_LIB=`/bin/ls $i/libocci.so.* 2> /dev/null | grep occi.`
if [ -n "$TMP_LIB" ]; then
@ -902,23 +914,17 @@ for i in $LIBDIRS ; do
fi
fi
if [ "X" = "X$ORACLE_PATH" ]; then
TMP_LIB=`/bin/ls $i/libocci.dll* 2> /dev/null | grep occi.`
TMP_LIB=`/bin/ls $i/oci.dll* 2> /dev/null | grep occi.`
if [ -n "$TMP_LIB" ]; then
ORACLE_PATH="$i"
fi
if [ "X" != "X$ORACLE_PATH" ]; then
TMP_LIB=`/bin/ls $i/libclntsh.dll* 2> /dev/null | grep clntsh.`
if [ -z "$TMP_LIB" ]; then
ORACLE_PATH=""
fi
fi
fi
done
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: ORACLE_PATH=$ORACLE_PATH/libocci
fi
#check for Kernel Asynchronous I/O (AIO) lib support
if [ "X" != "X$ORACLE_PATH" ]; then
#check for Kernel Asynchronous I/O (AIO) lib support, no need on Cygwin
if [ "X" != "X$ORACLE_PATH" -a "$SYSO" != "Cygwin" ]; then
LIBAIO=""
for i in $LIBDIRS ; do
if [ "X" = "X$LIBAIO" ]; then
@ -946,11 +952,9 @@ if [ "X" != "X$DEBUG" ]; then
fi
for i in $INCDIRS ; do
if [ "X" != "X$ORACLE_PATH" ]; then
if [ -f "$i/oci.h" ]; then
ORACLE_IPATH="$i"
fi
fi
done
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: ORACLE_IPATH=$ORACLE_IPATH/oci.h
@ -965,7 +969,7 @@ if [ "X" = "X$ORACLE_PATH" -o "X" = "X$ORACLE_IPATH" ]; then
ORACLE_IPATH=""
fi
echo "Checking for Memcached (libmemcached.so, memcached.h) ..."
echo "Checking for Memcached (libmemcached/memcached.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$MCACHED_PATH" ]; then
@ -1015,12 +1019,84 @@ fi
MCACHED_IPATH=""
fi
echo "Checking for Freerdp3 (libfreerdp3/freerdp.h/libwinpr3/winpr.h) ..."
echo "Checking for Freerdp2 (libfreerdp2.so, freerdp/*.h, libwinpr2.so, winpr/*.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$FREERDP3_PATH" ]; then
if [ -f "$i/libfreerdp3.so" -o -f "$i/libfreerdp3.dylib" -o -f "$i/libfreerdp3.a" -o -f "$i/libfreerdp3.dll.a" ]; then
FREERDP3_PATH="$i"
fi
fi
if [ "X" = "X$FREERDP3_PATH" ]; then
TMP_LIB=`/bin/ls $i/libfreerdp3*.so* 2> /dev/null | grep libfreerdp3`
if [ -n "$TMP_LIB" ]; then
FREERDP3_PATH="$i"
fi
fi
done
FREERDP3_IPATH=
for i in $INCDIRS ; do
if [ "X" = "X$FREERDP3_IPATH" ]; then
if [ -f "$i/freerdp/freerdp.h" ]; then
FREERDP3_IPATH="$i/freerdp3"
fi
if [ -f "$i/freerdp3/freerdp/freerdp.h" ]; then
FREERDP3_IPATH="$i/freerdp3"
fi
fi
done
for i in $LIBDIRS ; do
if [ "X" = "X$WINPR3_PATH" ]; then
if [ -f "$i/libwinpr3.so" -o -f "$i/libwinpr3.dylib" -o -f "$i/libwinpr3.a" ]; then
WINPR3_PATH="$i"
fi
fi
if [ "X" = "X$WINPR3_PATH" ]; then
TMP_LIB=`/bin/ls $i/libwinpr3.dll.a 2> /dev/null | grep winpr`
if [ -n "$TMP_LIB" ]; then
WINPR3_PATH="$i"
fi
fi
done
WINPR3_IPATH=
for i in $INCDIRS ; do
if [ "X" = "X$WINPR3_IPATH" ]; then
if [ -f "$i/winpr.h" ]; then
WINPR3_IPATH="$i"
fi
if [ -f "$i/winpr3/winpr/winpr.h" ]; then
WINPR3_IPATH="$i/winpr3"
fi
fi
done
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: FREERDP3_PATH=$FREERDP3_PATH/
echo DEBUG: FREERDP3_IPATH=$FREERDP3_IPATH/
echo DEBUG: WINPR3_PATH=$WINPR3_PATH/
echo DEBUG: WINPR3_IPATH=$WINPR3_IPATH/
fi
if [ -n "$FREERDP3_PATH" -a -n "$FREERDP3_IPATH" -a -n "$WINPR3_PATH" -a -n "$WINPR3_IPATH" ]; then
echo " ... found"
fi
if [ "X" = "X$FREERDP3_PATH" -o "X" = "X$FREERDP3_IPATH" -o "X" = "X$WINPR3_PATH" -o "X" = "X$WINPR3_IPATH" ]; then
echo " ... NOT found, checking for freerdp2 module next..."
FREERDP3_PATH=""
FREERDP3_IPATH=""
WINPR3_PATH=""
WINPR3_IPATH=""
fi
if [ "X" = "X$FREERDP3_PATH" -o "X" = "X$FREERDP3_IPATH" -o "X" = "X$WINPR3_PATH" -o "X" = "X$WINPR3_IPATH" ]; then
echo "Checking for Freerdp2 (libfreerdp2/freerdp.h/libwinpr2/winpr.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$FREERDP2_PATH" ]; then
if [ -f "$i/libfreerdp2.so" -o -f "$i/libfreerdp2.dylib" -o -f "$i/libfreerdp2.a" ]; then
if [ -f "$i/libfreerdp2.so" -o -f "$i/libfreerdp2.dylib" -o -f "$i/libfreerdp2.a" -o -f "$i/libfreerdp2.dll.a" ]; then
FREERDP2_PATH="$i"
fi
fi
@ -1051,7 +1127,7 @@ echo "Checking for Freerdp2 (libfreerdp2.so, freerdp/*.h, libwinpr2.so, winpr/*.
fi
fi
if [ "X" = "X$WINPR2_PATH" ]; then
TMP_LIB=`/bin/ls $i/winpr.dll* 2> /dev/null | grep winpr`
TMP_LIB=`/bin/ls $i/libwinpr2.dll.a 2> /dev/null | grep winpr`
if [ -n "$TMP_LIB" ]; then
WINPR2_PATH="$i"
fi
@ -1087,8 +1163,9 @@ fi
WINPR2_PATH=""
WINPR2_IPATH=""
fi
fi
echo "Checking for Mongodb (libmongoc-1.0.so, mongoc.h, libbson-1.0.so, bson.h) ..."
echo "Checking for Mongodb (libmongoc-1.0/mongoc.h/libbson-1.0/bson.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$MONGODB_PATH" ]; then
@ -1178,8 +1255,56 @@ fi
BSON_IPATH=""
fi
echo "Checking for smbclient (libsmbclient/libsmbclient.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$SMBC_PATH" ]; then
if [ -f "$i/libsmbclient.so" -o -f "$i/libsmbclient.dylib" -o -f "$i/libsmbclient.a" ]; then
SMBC_PATH="$i"
fi
fi
if [ "X" = "X$SMBC_PATH" ]; then
TMP_LIB=`/bin/ls $i/libsmbclient.so* 2> /dev/null | grep smbclient`
if [ -n "$TMP_LIB" ]; then
SMBC_PATH="$i"
fi
fi
if [ "X" = "X$SMBC_PATH" ]; then
TMP_LIB=`/bin/ls $i/libsmbclient.dll* 2> /dev/null | grep smbclient`
if [ -n "$TMP_LIB" ]; then
SMBC_PATH="$i"
fi
fi
done
SMBC_IPATH=
for i in $INCDIRS ; do
if [ "X" = "X$SMBC_IPATH" ]; then
if [ -f "$i/libsmbclient.h" ]; then
SMBC_IPATH="$i"
fi
if [ -f "$i/samba-4.0/libsmbclient.h" ]; then
SMBC_IPATH="$i/samba-4.0"
fi
fi
done
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: SMBC_PATH=$SMBC_PATH/libsmbclient
echo DEBUG: SMBC_IPATH=$SMBC_IPATH/libsmbclient.h
fi
if [ -n "$SMBC_PATH" -a -n "$SMBC_IPATH" ]; then
echo " ... found"
fi
if [ "X" = "X$SMBC_PATH" -o "X" = "X$SMBC_IPATH" ]; then
echo " ... NOT found, module smb2 disabled"
SMBC_PATH=""
SMBC_IPATH=""
fi
if [ "X" = "X$XHYDRA_SUPPORT" ]; then
echo "Checking for GUI req's (pkg-config, gtk+-2.0) ..."
echo "Checking for GUI req's (pkg-config/gtk+-2.0) ..."
XHYDRA_SUPPORT=`pkg-config --help > /dev/null 2>&1 || echo disabled`
if [ "X" = "X$XHYDRA_SUPPORT" ]; then
XHYDRA_SUPPORT=`pkg-config --modversion gtk+-2.0 2> /dev/null`
@ -1271,8 +1396,32 @@ XLIBS=""
XLIBPATHS=""
XIPATHS=""
if [ -n "$FIREBIRD_PATH" -o -n "$PCRE_PATH" -o -n "$IDN_PATH" -o -n "$SSL_PATH" -o -n "$CRYPTO_PATH" -o -n "$NSL_PATH" -o -n "$SOCKET_PATH" -o -n "$RESOLV_PATH" -o -n "$SAPR3_PATH" -o -n "$SSH_PATH" -o -n "$POSTGRES_PATH" -o -n "$SVN_PATH" -o -n "$NCP_PATH" -o -n "$CURSES_PATH" -o -n "$ORACLE_PATH" -o -n "$AFP_PATH" -o -n "$MYSQL_PATH" -o -n "$MCACHED_PATH" -o -n "$MONGOD_PATH" -o -n "$FREERDP2_PATH" -o -n "$WINPR2_PATH" ]; then
if [ "$SYSS" = "Darwin" ] && [ ! -d "/lib" ]; then
if [ -n "$FIREBIRD_PATH" -o \
-n "$PCRE_PATH" -o \
-n "$IDN_PATH" -o \
-n "$SSL_PATH" -o \
-n "$CRYPTO_PATH" -o \
-n "$NSL_PATH" -o \
-n "$SOCKET_PATH" -o \
-n "$RESOLV_PATH" -o \
-n "$SAPR3_PATH" -o \
-n "$SSH_PATH" -o \
-n "$POSTGRES_PATH" -o \
-n "$SVN_PATH" -o \
-n "$NCP_PATH" -o \
-n "$CURSES_PATH" -o \
-n "$ORACLE_PATH" -o \
-n "$AFP_PATH" -o \
-n "$MYSQL_PATH" -o \
-n "$MCACHED_PATH" -o \
-n "$MONGOD_PATH" -o \
-n "$FREERDP2_PATH" -o \
-n "$WINPR2_PATH" -o \
-n "$FREERDP3_PATH" -o \
-n "$WINPR3_PATH" -o \
-n "$SMBC_PATH" \
]; then
if [ "$SYSS" = "Darwin" -a ! -d "/lib" ]; then
#for libraries installed with MacPorts
if [ -d "/opt/local/lib" ]; then
XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/opt/local/lib"
@ -1354,14 +1503,48 @@ if [ -n "$BSON_PATH" ]; then
XDEFINES="$XDEFINES -DLIBBSON"
fi
if [ -n "$FREERDP2_PATH" ]; then
XDEFINES="$XDEFINES -DLIBFREERDP2"
XDEFINES="$XDEFINES -DLIBFREERDP"
fi
if [ -n "$WINPR2_PATH" ]; then
XDEFINES="$XDEFINES -DLIBWINPR2"
fi
if [ -n "$FREERDP3_PATH" ]; then
XDEFINES="$XDEFINES -DLIBFREERDP"
fi
if [ -n "$WINPR3_PATH" ]; then
XDEFINES="$XDEFINES -DLIBWINPR3"
fi
if [ -n "$SMBC_PATH" ]; then
XDEFINES="$XDEFINES -DLIBSMBCLIENT"
fi
OLDPATH=""
for i in $SSL_PATH $FIREBIRD_PATH $WORACLE_LIB_PATH $PCRE_PATH $IDN_PATH $CRYPTO_PATH $SSH_PATH $NSL_PATH $SOCKET_PATH $RESOLV_PATH $SAPR3_PATH $POSTGRES_PATH $SVN_PATH $NCP_PATH $CURSES_PATH $ORACLE_PATH $AFP_PATH $MYSQL_PATH $MCACHED_PATH $MONGODB_PATH $BSON_PATH $FREERDP2_PATH $WINPR2_PATH; do
for i in $SSL_PATH \
$FIREBIRD_PATH \
$WORACLE_LIB_PATH \
$PCRE_PATH \
$IDN_PATH \
$CRYPTO_PATH \
$SSH_PATH \
$NSL_PATH \
$SOCKET_PATH \
$RESOLV_PATH \
$SAPR3_PATH \
$POSTGRES_PATH \
$SVN_PATH \
$NCP_PATH \
$CURSES_PATH \
$ORACLE_PATH \
$AFP_PATH \
$MYSQL_PATH \
$MCACHED_PATH \
$MONGODB_PATH \
$BSON_PATH \
$FREERDP2_PATH \
$WINPR2_PATH \
$FREERDP3_PATH \
$WINPR3_PATH \
$SMBC_PATH; do
if [ "$OLDPATH" = "$i" ]; then
OLDPATH="$i"
else
@ -1423,6 +1606,12 @@ fi
if [ -n "$FREERDP2_IPATH" ]; then
XIPATHS="$XIPATHS -I$FREERDP2_IPATH -I$WINPR2_IPATH"
fi
if [ -n "$FREERDP3_IPATH" ]; then
XIPATHS="$XIPATHS -I$FREERDP3_IPATH -I$WINPR3_IPATH"
fi
if [ -n "$SMBC_IPATH" ]; then
XIPATHS="$XIPATHS -I$SMBC_IPATH"
fi
if [ -n "$HAVE_GCRYPT" ]; then
XLIBS="$XLIBS -lgcrypt"
fi
@ -1438,9 +1627,12 @@ fi
if [ -n "$NCP_PATH" ]; then
XLIBS="$XLIBS -lncp"
fi
if [ -n "$ORACLE_PATH" ]; then
if [ -n "$ORACLE_PATH" -a "$SYSO" != "Cygwin" ]; then
XLIBS="$XLIBS -locci -lclntsh"
fi
if [ -n "$ORACLE_PATH" -a "$SYSO" = "Cygwin" ]; then
XLIBS="$XLIBS -loci"
fi
if [ -n "$FIREBIRD_PATH" ]; then
XLIBS="$XLIBS -lfbclient"
fi
@ -1501,6 +1693,15 @@ fi
if [ -n "$WINPR2_PATH" ]; then
XLIBS="$XLIBS -lwinpr2"
fi
if [ -n "$FREERDP3_PATH" ]; then
XLIBS="$XLIBS -lfreerdp3"
fi
if [ -n "$WINPR3_PATH" ]; then
XLIBS="$XLIBS -lwinpr3"
fi
if [ -n "$SMBC_PATH" ]; then
XLIBS="$XLIBS -lsmbclient"
fi
if [ -d /usr/kerberos/include ]; then
XIPATHS="$XIPATHS -I/usr/kerberos/include"
fi
@ -1560,9 +1761,9 @@ cat Makefile.in >> Makefile
# ignore errors if this uname call fails
### Current Cygwin is up to speed :-)
WINDRES=""
if [ "$SYSO" = "Cygwin" ]; then
if [ "$SYSO" = "Cygwin" -o "$SYSO" = "Msys" ]; then
echo
echo "Cygwin detected, if compilation fails just update your installation."
echo "Cygwin/MSYS2 detected, if compilation fails just update your installation."
echo
WINDRES=`which windres`
test -x "$WINDRES" && {
@ -1583,7 +1784,7 @@ if [ "x$WINDRES" = "x" ]; then
echo HYDRA_LOGO= >> Makefile
echo PWI_LOGO= >> Makefile
fi
if [ "$GCCSEC" = "yes" ] && [ "$SYSS" != "SunOS" ] && [ "$SYSS" != "Darwin" ]; then
if [ "$GCCSEC" = "yes" -a "$SYSS" != "SunOS" -a "$SYSS" != "Darwin" ]; then
echo "SEC=$GCCSECOPT" >> Makefile
else
echo "SEC=" >> Makefile

52
crc32.c
View file

@ -49,51 +49,13 @@
#include <stdint.h>
#endif
uint32_t crc32_tab[] = {
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c,
0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423,
0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106,
0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d,
0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7,
0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa,
0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81,
0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84,
0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e,
0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55,
0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28,
0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f,
0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc,
0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
};
uint32_t crc32_tab[] = {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1,
0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934,
0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f,
0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe,
0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d};
#ifndef HAVE_ZLIB

209
d3des.c
View file

@ -48,38 +48,17 @@ static unsigned long KnL[32] = { 0L };
0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 };
*/
static unsigned short bytebit[8] = {
01, 02, 04, 010, 020, 040, 0100, 0200
};
static unsigned short bytebit[8] = {01, 02, 04, 010, 020, 040, 0100, 0200};
static unsigned long bigbyte[24] = {
0x800000L, 0x400000L, 0x200000L, 0x100000L,
0x80000L, 0x40000L, 0x20000L, 0x10000L,
0x8000L, 0x4000L, 0x2000L, 0x1000L,
0x800L, 0x400L, 0x200L, 0x100L,
0x80L, 0x40L, 0x20L, 0x10L,
0x8L, 0x4L, 0x2L, 0x1L
};
static unsigned long bigbyte[24] = {0x800000L, 0x400000L, 0x200000L, 0x100000L, 0x80000L, 0x40000L, 0x20000L, 0x10000L, 0x8000L, 0x4000L, 0x2000L, 0x1000L, 0x800L, 0x400L, 0x200L, 0x100L, 0x80L, 0x40L, 0x20L, 0x10L, 0x8L, 0x4L, 0x2L, 0x1L};
/* Use the key schedule specified in the Standard (ANSI X3.92-1981). */
static unsigned char pc1[56] = {
56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17,
9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35,
62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21,
13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3
};
static unsigned char pc1[56] = {56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3};
static unsigned char totrot[16] = {
1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28
};
static unsigned char totrot[16] = {1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28};
static unsigned char pc2[48] = {
13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9,
22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1,
40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47,
43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31
};
static unsigned char pc2[48] = {13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31};
void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */
unsigned char *key;
@ -126,8 +105,7 @@ void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */
return;
}
static void cookey(raw1)
register unsigned long *raw1;
static void cookey(raw1) register unsigned long *raw1;
{
register unsigned long *cook, *raw0;
unsigned long dough[32];
@ -149,8 +127,7 @@ static void cookey(raw1)
return;
}
void cpkey(into)
register unsigned long *into;
void cpkey(into) register unsigned long *into;
{
register unsigned long *from, *endp;
@ -160,8 +137,7 @@ void cpkey(into)
return;
}
void usekey(from)
register unsigned long *from;
void usekey(from) register unsigned long *from;
{
register unsigned long *to, *endp;
@ -180,8 +156,7 @@ void des(unsigned char *inblock, unsigned char *outblock) {
return;
}
static void scrunch(outof, into)
register unsigned char *outof;
static void scrunch(outof, into) register unsigned char *outof;
register unsigned long *into;
{
*into = (*outof++ & 0xffL) << 24;
@ -195,8 +170,7 @@ static void scrunch(outof, into)
return;
}
static void unscrun(outof, into)
register unsigned long *outof;
static void unscrun(outof, into) register unsigned long *outof;
register unsigned char *into;
{
*into++ = (*outof >> 24) & 0xffL;
@ -210,160 +184,31 @@ static void unscrun(outof, into)
return;
}
static unsigned long SP1[64] = {
0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L,
0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L,
0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L,
0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L,
0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L,
0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L,
0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L,
0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L,
0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L,
0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L,
0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L,
0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L,
0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L,
0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L,
0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L
};
static unsigned long SP1[64] = {0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L, 0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L, 0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L, 0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L, 0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L, 0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L, 0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L, 0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L, 0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L, 0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L, 0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L, 0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L, 0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L, 0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L, 0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L};
static unsigned long SP2[64] = {
0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L,
0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L,
0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L,
0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L,
0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L,
0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L,
0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L,
0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L,
0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L,
0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L,
0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L,
0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L,
0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L,
0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L,
0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L
};
static unsigned long SP2[64] = {0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L, 0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L, 0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L, 0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L, 0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L, 0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L, 0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L, 0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L, 0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L, 0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L, 0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L, 0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L, 0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L, 0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L, 0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L};
static unsigned long SP3[64] = {
0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L,
0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L,
0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L,
0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L,
0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L,
0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L,
0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L,
0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L,
0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L,
0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L,
0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L,
0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L,
0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L,
0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L,
0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L
};
static unsigned long SP3[64] = {0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L, 0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L, 0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L, 0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L, 0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L, 0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L, 0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L, 0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L, 0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L, 0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L, 0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L, 0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L, 0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L, 0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L, 0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L};
static unsigned long SP4[64] = {
0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L,
0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L,
0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L,
0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L,
0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L,
0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L,
0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L,
0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L,
0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L,
0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L,
0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L,
0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L,
0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L
};
static unsigned long SP4[64] = {0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, 0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L, 0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L, 0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L, 0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L, 0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L, 0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L, 0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L, 0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L, 0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L, 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, 0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L, 0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L, 0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L, 0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L};
static unsigned long SP5[64] = {
0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L,
0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L,
0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L,
0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L,
0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L,
0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L,
0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L,
0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L,
0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L,
0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L,
0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L,
0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L,
0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L,
0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L,
0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L
};
static unsigned long SP5[64] = {0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L, 0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L, 0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L, 0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L, 0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L, 0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L, 0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L, 0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L, 0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L, 0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L, 0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L, 0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L, 0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L, 0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L, 0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L};
static unsigned long SP6[64] = {
0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L,
0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L,
0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L,
0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L,
0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L,
0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L,
0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L,
0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L,
0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L,
0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L,
0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L,
0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L,
0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L,
0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L,
0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L
};
static unsigned long SP6[64] = {0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L, 0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L, 0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L, 0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L, 0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L, 0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L, 0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L, 0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L, 0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L, 0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L, 0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L, 0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L, 0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L, 0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L, 0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L};
static unsigned long SP7[64] = {
0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L,
0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L,
0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L,
0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L,
0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L,
0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L,
0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L,
0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L,
0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L,
0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L,
0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L,
0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L,
0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L,
0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L,
0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L
};
static unsigned long SP7[64] = {0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L, 0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L, 0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L, 0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L, 0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L, 0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L, 0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L, 0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L, 0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L, 0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L, 0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L, 0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L, 0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L, 0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L, 0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L};
static unsigned long SP8[64] = {
0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L,
0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L,
0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L,
0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L,
0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L,
0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L,
0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L,
0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L,
0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L,
0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L,
0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L,
0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L,
0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L,
0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L,
0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L
};
static unsigned long SP8[64] = {0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L, 0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L, 0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L, 0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L, 0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L, 0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L, 0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L, 0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L, 0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L, 0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L, 0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L, 0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L, 0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L, 0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L, 0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L};
static void desfunc(block, keys)
register unsigned long *block, *keys;
static void desfunc(block, keys) register unsigned long *block, *keys;
{
register unsigned long fval, work, right, leftt;
register int32_t round;

9
hmacmd5.c
View file

@ -34,8 +34,8 @@
*/
#ifdef LIBOPENSSL
#include <string.h>
#include "hmacmd5.h"
#include <string.h>
#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
@ -107,15 +107,12 @@ void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5
update hmac_md5 "inner" buffer
***********************************************************************/
void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context * ctx) {
MD5_Update(&ctx->ctx, (void *) text, text_len); /* then text of datagram */
}
void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context *ctx) { MD5_Update(&ctx->ctx, (void *)text, text_len); /* then text of datagram */ }
/***********************************************************************
finish off hmac_md5 "inner" buffer and generate outer one.
***********************************************************************/
void hmac_md5_final(unsigned char *digest, HMACMD5Context * ctx)
{
void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx) {
MD5_CTX ctx_o;
MD5_Final(digest, &ctx->ctx);

3
hmacmd5.h
View file

@ -47,11 +47,8 @@ typedef struct {
#endif /* _HMAC_MD5_H */
void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx);
void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx);
void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context *ctx);
void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx);
void hmac_md5(unsigned char key[16], unsigned char *data, int32_t data_len, unsigned char *digest);

56
hydra-adam6500.c
View file

@ -6,55 +6,13 @@
extern char *HYDRA_EXIT;
unsigned char adam6500_req1[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10,
0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31,
0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f,
0x1f, 0x1f, 0x1f, 0x0d, 0x00
};
unsigned char adam6500_resp1[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10,
0x27, 0x0f, 0x00, 0x08
};
unsigned char adam6500_req2[] = {
0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03,
0x27, 0x0f, 0x00, 0x7d
};
unsigned char adam6500_resp2[] = {
0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03,
0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00
};
unsigned char adam6500_req1[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10, 0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31, 0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x0d, 0x00};
unsigned char adam6500_resp1[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10, 0x27, 0x0f, 0x00, 0x08};
unsigned char adam6500_req2[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x27, 0x0f, 0x00, 0x7d};
unsigned char adam6500_resp2[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03, 0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
int32_t start_adam6500(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";

18
hydra-afp.c
View file

@ -9,9 +9,7 @@
#include "hydra-mod.h"
#ifndef LIBAFP
void dummy_afp() {
printf("\n");
}
void dummy_afp() { printf("\n"); }
#else
#define FREE(x) \
@ -20,9 +18,9 @@ void dummy_afp() {
x = NULL; \
}
#include <stdio.h>
#include <afpfs-ng/afp.h>
#include <afpfs-ng/libafpclient.h>
#include <stdio.h>
extern char *HYDRA_EXIT;
@ -50,7 +48,8 @@ static int32_t server_subconnect(struct afp_url url) {
conn_req->url = url;
conn_req->url.requested_version = 31;
//fprintf(stderr, "AFP connection - username: %s password: %s server: %s\n", url.username, url.password, url.servername);
// fprintf(stderr, "AFP connection - username: %s password: %s server: %s\n",
// url.username, url.password, url.servername);
if (strlen(url.uamname) > 0) {
if ((conn_req->uam_mask = find_uam_by_name(url.uamname)) == 0) {
@ -69,7 +68,8 @@ static int32_t server_subconnect(struct afp_url url) {
// FREE(server);
return -1;
}
//fprintf(stderr, "Connected to server: %s via UAM: %s\n", server->server_name_printable, uam_bitmap_to_string(server->using_uam));
// fprintf(stderr, "Connected to server: %s via UAM: %s\n",
// server->server_name_printable, uam_bitmap_to_string(server->using_uam));
FREE(conn_req);
FREE(server);
@ -88,7 +88,6 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char
init_uams();
afp_default_url(&tmpurl);
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
@ -110,7 +109,6 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char
return 3;
return 2;
} else {
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
@ -127,7 +125,6 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -139,7 +136,8 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
port = myport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}

11
hydra-asterisk.c
View file

@ -6,7 +6,6 @@
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
char *buf;
@ -41,7 +40,10 @@ int32_t start_asterisk(int32_t s, char *ip, int32_t port, unsigned char options,
hydra_report(stderr, "[DEBUG] S: %s\n", buf);
if (buf == NULL || (strstr(buf, "Response: ") == NULL)) {
hydra_report(stderr, "[ERROR] Asterisk Call Manager protocol error or service shutdown: %s\n", buf);
hydra_report(stderr,
"[ERROR] Asterisk Call Manager protocol error or service "
"shutdown: %s\n",
buf);
free(buf);
return 4;
}
@ -100,7 +102,10 @@ void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr
if (buf == NULL || strstr(buf, "Asterisk Call Manager/") == NULL) {
/* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an Asterisk Call Manager protocol or service shutdown: %s\n", buf);
hydra_report(stderr,
"[ERROR] Not an Asterisk Call Manager protocol or "
"service shutdown: %s\n",
buf);
hydra_child_exit(2);
}
free(buf);

42
hydra-cisco-enable.c
View file

@ -42,8 +42,7 @@ int32_t start_cisco_enable(int32_t s, char *ip, int32_t port, unsigned char opti
}
}
if (buf != NULL
&& (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "fail") != NULL || strstr(buf, "denied") != NULL)) {
if (buf != NULL && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "fail") != NULL || strstr(buf, "denied") != NULL)) {
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
@ -87,7 +86,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
@ -101,7 +101,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
sprintf(buffer, "%.250s\r\n", login);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t)getpid());
hydra_child_exit(2);
}
}
@ -117,7 +118,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
sprintf(buffer, "%.250s\r\n", miscptr);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t)getpid());
hydra_child_exit(2);
}
}
@ -132,7 +134,11 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
}
if (strstr(buf, "assw") != NULL) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating - can not login, can not login\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr,
"[ERROR] Child with pid %d terminating - can not login, can "
"not login\n",
(int32_t)getpid());
hydra_child_exit(2);
}
free(buf);
@ -147,7 +153,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
sprintf(buffer, "%.250s\r\n", "ena");
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'ena'\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'ena'\n", (int32_t)getpid());
hydra_child_exit(2);
}
@ -160,7 +167,11 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
if (failc < retry) {
next_run = 1;
failc++;
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int32_t) getpid(), failc, retry);
if (quiet != 1)
fprintf(stderr,
"[ERROR] Child with pid %d was disconnected - retrying "
"(%d of %d retries)\n",
(int32_t)getpid(), failc, retry);
sleep(3);
break;
} else {
@ -180,7 +191,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
case 3: /* clean exit */
sprintf(buffer, "%.250s\r\n", "exit");
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'exit'\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'exit'\n", (int32_t)getpid());
hydra_child_exit(0);
}
if (sock >= 0)
@ -211,11 +223,15 @@ int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, c
}
void usage_cisco_enable(const char *service) {
printf("Module cisco-enable is optionally taking the logon password for the cisco device\n"
"Note: if AAA authentication is used, use the -l option for the username\n"
printf("Module cisco-enable is optionally taking the logon password for the "
"cisco device\n"
"Note: if AAA authentication is used, use the -l option for the "
"username\n"
"and the optional parameter for the password of the user.\n"
"Examples:\n"
" hydra -P pass.txt target cisco-enable (direct console access)\n"
" hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n"
" hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n");
" hydra -P pass.txt -m cisco target cisco-enable (Logon password "
"cisco)\n"
" hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login "
"foo, password bar)\n");
}

14
hydra-cisco.c
View file

@ -95,7 +95,6 @@ int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, ch
}
} while (buf != NULL && strlen(buf) <= 1);
}
}
if (buf != NULL && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "ailur") != NULL)) {
@ -160,11 +159,16 @@ void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, F
if (failc < retry) {
next_run = 1;
failc++;
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int32_t) getpid(), failc, retry);
if (quiet != 1)
hydra_report(stderr,
"[ERROR] Child with pid %d was disconnected - "
"retrying (%d of %d retries)\n",
(int32_t)getpid(), failc, retry);
sleep(3);
break;
} else {
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t) getpid());
if (quiet != 1)
hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t)getpid());
hydra_child_exit(0);
}
}
@ -214,5 +218,7 @@ int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *mi
}
void usage_cisco(const char *service) {
printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n");
printf("Module cisco is optionally taking the keyword ENTER, it then sends "
"an initial\n"
"ENTER when connecting to the service.\n");
}

11
hydra-cvs.c
View file

@ -30,13 +30,7 @@ int32_t start_cvs(int32_t s, char *ip, int32_t port, unsigned char options, char
/ 87 ? 105 O 35 _ 56 o 48
*/
char key[] = { 0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87,
111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105,
0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35,
125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56,
0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62
};
char key[] = {0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87, 111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105, 0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35, 125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56, 0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48, 58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62};
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -151,5 +145,6 @@ int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_cvs(const char *service) {
printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n");
printf("Module cvs is optionally taking the repository name to attack, "
"default is \"/root\"\n\n");
}

14
hydra-firebird.c
View file

@ -14,13 +14,11 @@ the msg: "no permission for direct access to security database"
#include "hydra-mod.h"
#ifndef LIBFIREBIRD
void dummy_firebird() {
printf("\n");
}
void dummy_firebird() { printf("\n"); }
#else
#include <stdio.h>
#include <ibase.h>
#include <stdio.h>
#define DEFAULT_DB "C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb"
@ -95,7 +93,6 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -112,7 +109,8 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
@ -160,5 +158,7 @@ int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char
}
void usage_firebird(const char *service) {
printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n");
printf("Module firebird is optionally taking the database path to attack,\n"
"default is \"C:\\Program "
"Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n");
}

11
hydra-ftp.c
View file

@ -20,7 +20,8 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
/* special hack to identify 530 user unknown msg. suggested by Jean-Baptiste.BEAUFRETON@turbomeca.fr */
/* special hack to identify 530 user unknown msg. suggested by
* Jean-Baptiste.BEAUFRETON@turbomeca.fr */
if (buf[0] == '5' && buf[1] == '3' && buf[2] == '0') {
if (verbose)
printf("[INFO] user %s does not exist, skipping\n", login);
@ -169,13 +170,9 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr
}
}
void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 0);
}
void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 0); }
void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 1);
}
void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 1); }
int32_t service_ftp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function

5
hydra-gtk/Makefile.in
View file

@ -61,8 +61,9 @@ CC = @CC@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
PACKAGE = @PACKAGE@
PACKAGE_CFLAGS = @PACKAGE_CFLAGS@
PACKAGE_LIBS = @PACKAGE_LIBS@
PACKAGE_CFLAGS = @PACKAGE_CFLAGS@ -fcommon -Wl,--allow-multiple-definition
PACKAGE_LDFLAGS = -fcommon -Wl,--allow-multiple-definition
PACKAGE_LIBS = -fcommon -Wl,--allow-multiple-definition @PACKAGE_LIBS@
PKG_CONFIG = @PKG_CONFIG@
VERSION = @VERSION@

8
hydra-gtk/configure vendored
View file

@ -2233,15 +2233,15 @@ if test "$ac_test_CFLAGS" = set; then
CFLAGS=$ac_save_CFLAGS
elif test $ac_cv_prog_cc_g = yes; then
if test "$GCC" = yes; then
CFLAGS="-g -O2"
CFLAGS="-g -O2 -fcommon -Wl,--allow-multiple-definition"
else
CFLAGS="-g"
CFLAGS="-g -fcommon -Wl,--allow-multiple-definition"
fi
else
if test "$GCC" = yes; then
CFLAGS="-O2"
CFLAGS="-O2 -fcommon -Wl,--allow-multiple-definition"
else
CFLAGS=
CFLAGS="-fcommon -Wl,--allow-multiple-definition"
fi
fi
echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5

4
hydra-gtk/src/Makefile.in
View file

@ -61,8 +61,8 @@ CC = @CC@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
PACKAGE = @PACKAGE@
PACKAGE_CFLAGS = @PACKAGE_CFLAGS@
PACKAGE_LIBS = @PACKAGE_LIBS@
PACKAGE_CFLAGS = @PACKAGE_CFLAGS@ -fcommon -Wl,--allow-multiple-definition
PACKAGE_LIBS = -fcommon -Wl,--allow-multiple-definition @PACKAGE_LIBS@
PKG_CONFIG = @PKG_CONFIG@
VERSION = @VERSION@

61
hydra-gtk/src/callbacks.c
View file

@ -15,29 +15,27 @@
#include "interface.h"
#include "support.h"
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
int hydra_pid = 0;
char port[10];
char tasks[10];
char timeout[10];
char smbparm[12];
char smbparm[128];
char sapr3id[4];
char passLoginNull[4];
#define BUF_S 1024
void hydra_select_file(GtkEntry *widget, char *text) {
@ -45,8 +43,7 @@ void hydra_select_file(GtkEntry * widget, char *text) {
GtkWidget *dialog;
char *filename;
dialog = gtk_file_chooser_dialog_new(text, (GtkWindow *) wndMain, GTK_FILE_CHOOSER_ACTION_OPEN,
GTK_STOCK_OPEN, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
dialog = gtk_file_chooser_dialog_new(text, (GtkWindow *)wndMain, GTK_FILE_CHOOSER_ACTION_OPEN, GTK_STOCK_OPEN, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
if (gtk_dialog_run(GTK_DIALOG(dialog)) == GTK_RESPONSE_ACCEPT) {
filename = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(dialog));
@ -274,7 +271,7 @@ int hydra_get_options(char *options[]) {
options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget);
} else if (!strcmp(tmp, "smb")) {
memset(smbparm, 0, 12);
memset(smbparm, 0, sizeof(smbparm));
widget = lookup_widget(GTK_WIDGET(wndMain), "chkDomain");
widget2 = lookup_widget(GTK_WIDGET(wndMain), "chkLocal");
@ -300,7 +297,18 @@ int hydra_get_options(char *options[]) {
strcat(smbparm, "Hash");
}
options[i++] = smbparm;
} else if (!strcmp(tmp, "smb2")) {
memset(smbparm, 0, sizeof(smbparm));
options[i++] = "-m";
options[i++] = smbparm;
widget = lookup_widget(GTK_WIDGET(wndMain), "chkNTLM");
int pth = gtk_toggle_button_get_active((GtkToggleButton *)widget);
widget = lookup_widget(GTK_WIDGET(wndMain), "entSMB2Workgroup");
snprintf(smbparm, sizeof(smbparm) - 1, "nthash:%s workgroup:{%s}", pth ? "true" : "false", (char *)gtk_entry_get_text((GtkEntry *)widget));
} else if (!strcmp(tmp, "sapr3")) {
widget = lookup_widget(GTK_WIDGET(wndMain), "spnSAPR3");
j = gtk_spin_button_get_value_as_int((GtkSpinButton *)widget);
@ -335,7 +343,6 @@ int hydra_get_options(char *options[]) {
widget = lookup_widget(GTK_WIDGET(wndMain), "radioProxy");
if (!gtk_toggle_button_get_active((GtkToggleButton *)widget)) {
widget2 = lookup_widget(GTK_WIDGET(wndMain), "entHTTPProxy");
widget = lookup_widget(GTK_WIDGET(wndMain), "radioProxy2");
@ -389,7 +396,6 @@ int update_statusbar() {
i = hydra_get_options(options);
for (j = 1; j < i; j++) {
statustext = g_string_append(statustext, options[j]);
statustext = g_string_append_c(statustext, ' ');
}
@ -432,7 +438,6 @@ int read_into(int fd) {
gtk_text_buffer_get_iter_at_offset(outputbuf, &outputiter, -1);
if ((passline = strstr(in_buf, "password: ")) == NULL) {
gtk_text_buffer_insert(outputbuf, &outputiter, in_buf, result);
} else {
@ -450,10 +455,8 @@ int read_into(int fd) {
if (end - in_buf - result > 0) {
gtk_text_buffer_insert(outputbuf, &outputiter, end + 1, -1);
}
}
if (strstr(in_buf, " finished at ") != NULL) {
gtk_text_buffer_insert_with_tags_by_name(outputbuf, &outputiter, "<finished>\n\n", -1, "bold", NULL);
}
@ -515,7 +518,6 @@ static int wait_hydra_output(gpointer data) {
return TRUE;
}
/* assumes a successfull pipe() won't set the fd's to -1 */
static void close_pipe(int *pipe) {
if (-1 != pipe[0]) {
@ -535,8 +537,7 @@ static void close_pipe(int *pipe) {
*/
int *popen_re_unbuffered(char *command) {
static int p_r[2] = { -1, -1 }, p_e[2] = {
-1, -1};
static int p_r[2] = {-1, -1}, p_e[2] = {-1, -1};
static int *pfd = NULL;
char *options[128];
@ -605,21 +606,15 @@ int *popen_re_unbuffered(char *command) {
return pfd;
}
void on_quit1_activate(GtkMenuItem * menuitem, gpointer user_data) {
gtk_main_quit();
}
void on_quit1_activate(GtkMenuItem *menuitem, gpointer user_data) { gtk_main_quit(); }
void on_about1_activate(GtkMenuItem * menuitem, gpointer user_data) {
}
void on_about1_activate(GtkMenuItem *menuitem, gpointer user_data) {}
void on_btnStart_clicked(GtkButton *button, gpointer user_data) {
int *fd = NULL;
fd = popen_re_unbuffered(NULL);
g_timeout_add(200, wait_hydra_output, fd);
}
void on_btnStop_clicked(GtkButton *button, gpointer user_data) {
@ -629,7 +624,6 @@ void on_btnStop_clicked(GtkButton * button, gpointer user_data) {
}
}
void on_wndMain_destroy(GtkObject *object, gpointer user_data) {
if (hydra_pid != 0) {
kill(hydra_pid, SIGTERM);
@ -638,22 +632,18 @@ void on_wndMain_destroy(GtkObject * object, gpointer user_data) {
gtk_main_quit();
}
gboolean on_entTargetFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) {
hydra_select_file((GtkEntry *)widget, "Select target list");
gtk_widget_grab_focus(widget);
return TRUE;
}
gboolean on_entUsernameFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) {
hydra_select_file((GtkEntry *)widget, "Select username list");
gtk_widget_grab_focus(widget);
return TRUE;
}
gboolean on_entPassFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) {
hydra_select_file((GtkEntry *)widget, "Select password list");
gtk_widget_grab_focus(widget);
@ -677,8 +667,7 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) {
GtkTextIter start;
GtkTextIter end;
dialog = gtk_file_chooser_dialog_new("Save output", (GtkWindow *) wndMain, GTK_FILE_CHOOSER_ACTION_SAVE,
GTK_STOCK_SAVE, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
dialog = gtk_file_chooser_dialog_new("Save output", (GtkWindow *)wndMain, GTK_FILE_CHOOSER_ACTION_SAVE, GTK_STOCK_SAVE, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
if (gtk_dialog_run(GTK_DIALOG(dialog)) == GTK_RESPONSE_ACCEPT) {
filename = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(dialog));
@ -704,7 +693,8 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) {
void on_chkColon_toggled(GtkToggleButton *togglebutton, gpointer user_data) {
GtkWidget *user, *pass;
user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername");;
user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername");
;
pass = lookup_widget(GTK_WIDGET(wndMain), "frmPass");
if (gtk_toggle_button_get_active(togglebutton)) {
@ -719,7 +709,8 @@ void on_chkColon_toggled(GtkToggleButton * togglebutton, gpointer user_data) {
void on_chkDisUser_toggled(GtkToggleButton *togglebutton, gpointer user_data) {
GtkWidget *radioUsername1, *radioUsername2, *entUsername, *entUsernameFile;
radioUsername1 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1");;
radioUsername1 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1");
;
radioUsername2 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername2");
entUsername = lookup_widget(GTK_WIDGET(wndMain), "entUsername");
entUsernameFile = lookup_widget(GTK_WIDGET(wndMain), "entUsernameFile");

68
hydra-gtk/src/interface.c
View file

@ -7,13 +7,13 @@
#include <config.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <string.h>
#include <stdio.h>
#include <string.h>
#include <gdk/gdkkeysyms.h>
#include <gtk/gtk.h>
@ -22,12 +22,9 @@
#include "interface.h"
#include "support.h"
#define GLADE_HOOKUP_OBJECT(component,widget,name) \
g_object_set_data_full (G_OBJECT (component), name, \
gtk_widget_ref (widget), (GDestroyNotify) gtk_widget_unref)
#define GLADE_HOOKUP_OBJECT(component, widget, name) g_object_set_data_full(G_OBJECT(component), name, gtk_widget_ref(widget), (GDestroyNotify)gtk_widget_unref)
#define GLADE_HOOKUP_OBJECT_NO_REF(component,widget,name) \
g_object_set_data (G_OBJECT (component), name, widget)
#define GLADE_HOOKUP_OBJECT_NO_REF(component, widget, name) g_object_set_data(G_OBJECT(component), name, widget)
GtkWidget *create_wndMain(void) {
GtkWidget *wndMain;
@ -171,6 +168,9 @@ GtkWidget *create_wndMain(void) {
GtkWidget *btnClear;
GtkWidget *label4;
GtkWidget *statusbar;
GtkWidget *lblSMB2;
GtkWidget *entSMB2Workgroup;
GtkWidget *fraSMB2;
GtkAccelGroup *accel_group;
GtkTooltips *tooltips;
@ -273,6 +273,7 @@ GtkWidget *create_wndMain(void) {
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "sapr3");
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "sip");
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "smb");
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "smb2");
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "smtp");
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "snmp");
cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "socks5");
@ -311,7 +312,6 @@ GtkWidget *create_wndMain(void) {
gtk_table_attach(GTK_TABLE(table8), label6, 0, 1, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_misc_set_alignment(GTK_MISC(label6), 0, 0.5);
chkIPV6 = gtk_check_button_new_with_mnemonic("Prefer IPV6");
gtk_widget_set_name(chkIPV6, "chkIPV6");
gtk_widget_show(chkIPV6);
@ -388,25 +388,19 @@ GtkWidget *create_wndMain(void) {
chkServiceDetails = gtk_check_button_new_with_mnemonic("Service Module Usage Details");
gtk_widget_set_name(chkServiceDetails, "chkServiceDetails");
gtk_widget_show(chkServiceDetails);
gtk_table_attach (GTK_TABLE (table9), chkServiceDetails, 2, 3, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table9), chkServiceDetails, 2, 3, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkServiceDetails, "Service Module Usage Details", NULL);
chkCompleteHelp = gtk_check_button_new_with_mnemonic("COMPLETE HELP");
gtk_widget_set_name(chkCompleteHelp, "chkCompleteHelp");
gtk_widget_show(chkCompleteHelp);
gtk_table_attach (GTK_TABLE (table9), chkCompleteHelp, 0, 2, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table9), chkCompleteHelp, 0, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkCompleteHelp, "Complete Help", NULL);
chkOldSSL = gtk_check_button_new_with_mnemonic("Use old SSL");
gtk_widget_set_name(chkOldSSL, "chkOldSSL");
gtk_widget_show(chkOldSSL);
gtk_table_attach (GTK_TABLE (table9), chkOldSSL, 1, 2, 0, 1,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table9), chkOldSSL, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkOldSSL, "Enable to use old SSL (the target must have SSL enabled!)", NULL);
label29 = gtk_label_new("Output Options");
@ -519,18 +513,14 @@ GtkWidget *create_wndMain(void) {
radioGenerate = gtk_radio_button_new_with_mnemonic(NULL, "Generate");
gtk_widget_set_name(radioGenerate, "radioGenerate");
gtk_widget_show(radioGenerate);
gtk_table_attach (GTK_TABLE (table3), radioGenerate, 0, 1, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_table_attach(GTK_TABLE(table3), radioGenerate, 0, 1, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioGenerate), radioPass1_group);
radioPass1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioGenerate));
entGeneration = gtk_entry_new();
gtk_widget_set_name(entGeneration, "entGeneration");
gtk_widget_show(entGeneration);
gtk_table_attach (GTK_TABLE (table3), entGeneration, 1, 2, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_table_attach(GTK_TABLE(table3), entGeneration, 1, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_tooltips_set_tip(tooltips, entGeneration, "Generate passwords", NULL);
gtk_entry_set_text(GTK_ENTRY(entGeneration), "1:1:a");
@ -739,17 +729,13 @@ GtkWidget *create_wndMain(void) {
chkExitF = gtk_check_button_new_with_mnemonic("Exit after first found pair (global)");
gtk_widget_set_name(chkExitF, "chkExitF");
gtk_widget_show(chkExitF);
gtk_table_attach (GTK_TABLE (table10), chkExitF, 0, 2, 3, 4,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table10), chkExitF, 0, 2, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkExitF, "Enable this to stop all attacking processes once a valid login/password pair is found (global)", NULL);
chkNoErr = gtk_check_button_new_with_mnemonic("Do not print messages about connection errors");
gtk_widget_set_name(chkNoErr, "chkNoErr");
gtk_widget_show(chkNoErr);
gtk_table_attach (GTK_TABLE (table10), chkNoErr, 0, 2, 4, 5,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table10), chkNoErr, 0, 2, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkNoErr, "Do not print messages about connection errors", NULL);
label30 = gtk_label_new("Performance Options");
@ -849,25 +835,42 @@ GtkWidget *create_wndMain(void) {
gtk_widget_set_name(chkLocal, "chkLocal");
gtk_widget_show(chkLocal);
gtk_box_pack_start(GTK_BOX(hbox2), chkLocal, TRUE, TRUE, 0);
gtk_tooltips_set_tip(tooltips, chkLocal, "Just attack local accounts", NULL);
gtk_tooltips_set_tip(tooltips, chkLocal, "Just attack local accounts (only valid for smb module)", NULL);
chkDomain = gtk_check_button_new_with_mnemonic("domain accounts");
gtk_widget_set_name(chkDomain, "chkDomain");
gtk_widget_show(chkDomain);
gtk_box_pack_start(GTK_BOX(hbox2), chkDomain, TRUE, TRUE, 0);
gtk_tooltips_set_tip(tooltips, chkDomain, "Attack domain and local accounts", NULL);
gtk_tooltips_set_tip(tooltips, chkDomain, "Attack domain and local accounts (only valid for smb module)", NULL);
chkNTLM = gtk_check_button_new_with_mnemonic("Interpret passes as NTLM hashes");
gtk_widget_set_name(chkNTLM, "chkNTLM");
gtk_widget_show(chkNTLM);
gtk_box_pack_start(GTK_BOX(hbox2), chkNTLM, FALSE, FALSE, 0);
gtk_tooltips_set_tip(tooltips, chkNTLM, "Interpret passes as NTML hashes", NULL);
gtk_tooltips_set_tip(tooltips, chkNTLM, "Interpret passes as NTML hashes (valid for both smb and smb2 modules)", NULL);
label18 = gtk_label_new("SMB");
gtk_widget_set_name(label18, "label18");
gtk_widget_show(label18);
gtk_frame_set_label_widget(GTK_FRAME(frame6), label18);
fraSMB2 = gtk_frame_new(NULL);
gtk_widget_set_name(fraSMB2, "fraSMB2");
gtk_widget_show(fraSMB2);
gtk_box_pack_start(GTK_BOX(vbox4), fraSMB2, TRUE, TRUE, 0);
entSMB2Workgroup = gtk_entry_new();
gtk_widget_set_name(entSMB2Workgroup, "entSMB2Workgroup");
gtk_widget_show(entSMB2Workgroup);
gtk_container_add(GTK_CONTAINER(fraSMB2), entSMB2Workgroup);
gtk_tooltips_set_tip(tooltips, entSMB2Workgroup, "Workgroup to use for SMB authentication (only valid for smb2 module)", NULL);
gtk_entry_set_text(GTK_ENTRY(entSMB2Workgroup), "WORKGROUP");
lblSMB2 = gtk_label_new("SMB2 Workgroup");
gtk_widget_set_name(lblSMB2, "lblSMB2");
gtk_widget_show(lblSMB2);
gtk_frame_set_label_widget(GTK_FRAME(fraSMB2), lblSMB2);
frame7 = gtk_frame_new(NULL);
gtk_widget_set_name(frame7, "frame7");
gtk_widget_show(frame7);
@ -1164,6 +1167,7 @@ GtkWidget *create_wndMain(void) {
GLADE_HOOKUP_OBJECT(wndMain, label4, "label4");
GLADE_HOOKUP_OBJECT(wndMain, statusbar, "statusbar");
GLADE_HOOKUP_OBJECT_NO_REF(wndMain, tooltips, "tooltips");
GLADE_HOOKUP_OBJECT(wndMain, entSMB2Workgroup, "entSMB2Workgroup");
gtk_window_add_accel_group(GTK_WINDOW(wndMain), accel_group);

12
hydra-gtk/src/main.c
View file

@ -8,19 +8,21 @@
#include <config.h>
#endif
#include <gtk/gtk.h>
#include <string.h>
#include "callbacks.h"
#include "interface.h"
#include "support.h"
#include "callbacks.h"
#include <gtk/gtk.h>
#include <string.h>
char *hydra_path1 = "./hydra";
char *hydra_path2 = "/usr/local/bin/hydra";
char *hydra_path3 = "/usr/bin/hydra";
GtkWidget *wndMain;
char *HYDRA_BIN;
guint message_id;
int main(int argc, char *argv[]) {
extern GtkWidget *wndMain;
int i;
extern guint message_id;
GtkWidget *output;
@ -60,7 +62,6 @@ int main(int argc, char *argv[]) {
wndMain = create_wndMain();
gtk_widget_show(wndMain);
/* if we can't use the new cool file chooser, the save button gets disabled */
#ifndef GTK_TYPE_FILE_CHOOSER
GtkWidget *btnSave;
@ -69,7 +70,6 @@ int main(int argc, char *argv[]) {
gtk_widget_set_sensitive(btnSave, FALSE);
#endif
/* update the statusbar every now and then */
g_timeout_add(600, update_statusbar, NULL);

15
hydra-gtk/src/support.c
View file

@ -7,11 +7,11 @@
#include <config.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <gtk/gtk.h>
@ -41,9 +41,7 @@ GtkWidget *lookup_widget(GtkWidget * widget, const gchar * widget_name) {
static GList *pixmaps_directories = NULL;
/* Use this function to set the directory containing installed pixmaps. */
void add_pixmap_directory(const gchar * directory) {
pixmaps_directories = g_list_prepend(pixmaps_directories, g_strdup(directory));
}
void add_pixmap_directory(const gchar *directory) { pixmaps_directories = g_list_prepend(pixmaps_directories, g_strdup(directory)); }
/* This is an internally used function to find pixmap files. */
static gchar *find_pixmap_file(const gchar *filename) {
@ -52,8 +50,7 @@ static gchar *find_pixmap_file(const gchar * filename) {
/* We step through each of the pixmaps directory to find it. */
elem = pixmaps_directories;
while (elem) {
gchar *pathname = g_strdup_printf("%s%s%s", (gchar *) elem->data,
G_DIR_SEPARATOR_S, filename);
gchar *pathname = g_strdup_printf("%s%s%s", (gchar *)elem->data, G_DIR_SEPARATOR_S, filename);
if (g_file_test(pathname, G_FILE_TEST_EXISTS))
return pathname;

9
hydra-gtk/src/support.h
View file

@ -21,11 +21,9 @@
*/
GtkWidget *lookup_widget(GtkWidget *widget, const gchar *widget_name);
/* Use this function to set the directory containing installed pixmaps. */
void add_pixmap_directory(const gchar *directory);
/*
* Private Functions.
*/
@ -39,7 +37,6 @@ GdkPixbuf *create_pixbuf(const gchar * filename);
/* This is used to set ATK action descriptions. */
void glade_set_atk_action_description(AtkAction *action, const gchar *action_name, const gchar *description);
GtkWidget *wndMain;
char *HYDRA_BIN;
guint message_id;
extern GtkWidget *wndMain;
extern char *HYDRA_BIN;
extern guint message_id;

154
hydra-http-form.c
View file

@ -45,7 +45,8 @@ rewritten by David Maciejak
Fix and issue with strtok use and implement 1 step location follow if HTTP
3xx code is returned (david dot maciejak at gmail dot com)
Added fail or success condition, getting cookies, and allow 5 redirections by david
Added fail or success condition, getting cookies, and allow 5 redirections by
david
*/
@ -195,7 +196,8 @@ int32_t add_or_update_cookie(ptr_cookie_node * ptr_cookie, char *cookie_expr) {
cookie_name = strndup(cookie_expr, cookie_value - cookie_expr);
cookie_value = strdup(cookie_value + 1);
// we've got the cookie's name and value, now it's time to insert or update the list
// we've got the cookie's name and value, now it's time to insert or update
// the list
if (*ptr_cookie == NULL) {
// no cookies
append_cookie(cookie_name, cookie_value, ptr_cookie);
@ -257,23 +259,20 @@ int32_t add_header(ptr_header_node * ptr_head, char *header, char *value, char t
ptr_header_node existing_hdr, new_ptr;
// get to the last header
for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next);
for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next)
;
char *new_header = strdup(header);
char *new_value = strdup(value);
if (new_header && new_value) {
if ((type == HEADER_TYPE_USERHEADER) ||
(type == HEADER_TYPE_DEFAULT && !header_exists(ptr_head, new_header, HEADER_TYPE_USERHEADER_REPL)) ||
(type == HEADER_TYPE_USERHEADER_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) ||
(type == HEADER_TYPE_DEFAULT_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT))
) {
if ((type == HEADER_TYPE_USERHEADER) || (type == HEADER_TYPE_DEFAULT && !header_exists(ptr_head, new_header, HEADER_TYPE_USERHEADER_REPL)) || (type == HEADER_TYPE_USERHEADER_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) || (type == HEADER_TYPE_DEFAULT_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT))) {
/*
* We are in one of the following scenarios:
* 1. A default header with no user-supplied headers that replace it.
* 2. A user-supplied header that must be appended (option 'h').
* 3. A user-supplied header that must replace a default header (option 'h'),
* but no default headers exist with that name.
* 3. A user-supplied header that must replace a default header
* (option 'h'), but no default headers exist with that name.
*
* In either case we just add the header to the list.
*/
@ -393,6 +392,9 @@ char *stringify_headers(ptr_header_node *ptr_head) {
int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
char *ptr, *ptr2;
if (miscptr == NULL)
return 1;
/*
* Parse the user-supplied options.
* Beware of the backslashes (\)!
@ -432,6 +434,16 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
sprintf(cookieurl, "%.1000s", hydra_strrep(miscptr + 2, "\\:", ":"));
miscptr = ptr;
break;
case 'g': // fall through
case 'G':
ptr = miscptr + 2;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
getcookie = 0;
miscptr = ptr;
break;
case 'h':
// add a new header at the end
ptr = miscptr + 2;
@ -568,7 +580,6 @@ char *html_encode(char *string) {
return ret;
}
/*
int32_t analyze_server_response(int32_t socket)
return 0 or 1 when the cond regex is matched
@ -632,27 +643,33 @@ int32_t analyze_server_response(int32_t s) {
tmpname[sizeof(tmpname) - 2] = 0;
ptr = index(tmpname, '=');
*(++ptr) = 0;
// is the cookie already in the cookiejar? (so, does it have to be replaced?)
// is the cookie already in the cookiejar? (so, does it have to be
// replaced?)
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the ones before
// if the cookie is not in the beginning of the cookiejar, copy the
// ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
}
ptr += strlen(tmpname);
// if there are any cookies after this one in the cookiejar, copy them over
// if there are any cookies after this one in the cookiejar, copy
// them over
if ((ptr2 = strstr(ptr, "; ")) != NULL) {
ptr2 += 2;
strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1);
}
if (debug)
printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie);
printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: "
"%s\n",
tmpname, cookie, tmpcookie);
strcpy(cookie, tmpcookie);
}
}
ptr = index(str, '=');
// only copy the cookie if it has a value (otherwise the server wants to delete the cookie)
// only copy the cookie if it has a value (otherwise the server wants to
// delete the cookie)
if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') {
if (strlen(cookie) > 0)
strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1);
@ -691,8 +708,7 @@ void hydra_reconnect(int32_t s, char *ip, int32_t port, unsigned char options, c
}
}
int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname, char *type, ptr_header_node ptr_head,
ptr_cookie_node ptr_cookie) {
int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char *type, ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) {
char *empty = "";
char *login, *pass, clogin[256], cpass[256], b64login[345], b64pass[345];
char header[8096], *upd3variables;
@ -925,7 +941,9 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
found = analyze_server_response(s);
if (auth_flag) { // we received a 401 error - user is using wrong module
hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n",
hydra_report(stderr,
"[ERROR] the target is using HTTP auth, not a web form, received HTTP "
"error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
@ -1089,8 +1107,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
return 1;
}
void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char *type, ptr_header_node * ptr_head,
ptr_cookie_node * ptr_cookie) {
void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char *type, ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
@ -1238,6 +1255,7 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
} else
webtarget = NULL;
}
if (cmdlinetarget != NULL && webtarget == NULL)
webtarget = cmdlinetarget;
else if (webtarget == NULL && cmdlinetarget == NULL)
@ -1252,20 +1270,32 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
sprintf(bufferurl, "%.6096s", miscptr);
url = bufferurl;
ptr = url;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
variables = ptr;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
if ((ptr2 = rindex(ptr, ':')) != NULL) {
cond = ptr2 + 1;
*ptr2 = 0;
} else
cond = ptr;
/*
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
if (*ptr != 0)
*ptr++ = 0;
*/
if (ptr == cond)
optional1 = NULL;
else
optional1 = ptr;
if (strstr(url, "\\:") != NULL) {
@ -1286,6 +1316,11 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
cond = ptr;
}
}
// printf("ptr: %s ptr2: %s cond: %s url: %s variables: %s optional1:
// %s\n", ptr, ptr2, cond, url, variables, optional1 == NULL ? "null" :
// optional1);
if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */)
hydra_child_exit(2);
@ -1308,7 +1343,8 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
success_cond = 0;
}
//fprintf(stderr, "miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond);
// printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s
// (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond);
/*
* Parse the user-supplied options.
@ -1322,10 +1358,10 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
// proxy with authentication
add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "User-Agent", "Mozilla 5.0 (Hydra Proxy Auth)", HEADER_TYPE_DEFAULT);
proxy_string = (char *) malloc(strlen(proxy_authentication[selected_proxy]) + 6);
proxy_string = (char *)malloc(strlen(proxy_authentication[selected_proxy]) + 10);
if (proxy_string) {
strcpy(proxy_string, "Basic ");
strncat(proxy_string, proxy_authentication[selected_proxy], strlen(proxy_authentication[selected_proxy]) - 6);
strcat(proxy_string, proxy_authentication[selected_proxy]);
add_header(&ptr_head, "Proxy-Authorization", proxy_string, HEADER_TYPE_DEFAULT);
} else {
hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header.\n");
@ -1376,37 +1412,63 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
void usage_http_form(const char *service) {
printf("Module %s requires the page and the parameters for the web form.\n\n"
"By default this module is configured to follow a maximum of 5 redirections in\n"
"a row. It always gathers a new cookie from the same URL without variables\n"
"The parameters take three \":\" separated values, plus optional values.\n"
"(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
"\nSyntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]\n"
"By default this module is configured to follow a maximum of 5 "
"redirections in\n"
"a row. It always gathers a new cookie from the same URL without "
"variables\n"
"The parameters take three \":\" separated values, plus optional "
"values.\n"
"(Note: if you need a colon in the option string as value, escape it "
"with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
"\nSyntax: <url>:<form parameters>:<condition "
"string>[:<optional>[:<optional>]\n"
"First is the page on the server to GET or POST to (URL).\n"
"Second is the POST/GET variables (taken from either the browser, proxy, etc.\n"
" with url-encoded (resp. base64-encoded) usernames and passwords being replaced in the\n"
" \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") placeholders (FORM PARAMETERS)\n"
"Second is the POST/GET variables (taken from either the browser, proxy, "
"etc.\n"
" with url-encoded (resp. base64-encoded) usernames and passwords being "
"replaced in the\n"
" \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") "
"placeholders (FORM PARAMETERS)\n"
"Third is the string that it checks for an *invalid* login (by default)\n"
" Invalid condition login check can be preceded by \"F=\", successful condition\n"
" Invalid condition login check can be preceded by \"F=\", successful "
"condition\n"
" login check must be preceded by \"S=\".\n"
" This is where most people get it wrong. You have to check the webapp what a\n"
" This is where most people get it wrong. You have to check the webapp "
"what a\n"
" failed string looks like and put it in this parameter!\n"
"The following parameters are optional:\n"
" (c|C)=/page/uri to define a different page to gather initial cookies from\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n"
" ^USER[64]^ and ^PASS[64]^ can also be put into these headers!\n"
" (c|C)=/page/uri to define a different page to gather initial "
"cookies from\n"
" (g|G)= skip pre-requests - only use this when no pre-cookies are required\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each "
"request\n"
" ^USER[64]^ and ^PASS[64]^ can also be put into these "
"headers!\n"
" Note: 'h' will add the user-defined header at the end\n"
" regardless it's already being sent by Hydra or not.\n"
" 'H' will replace the value of that header if it exists, by the\n"
" one supplied by the user, or add the header at the end\n"
"Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n"
" All colons that are not option separators should be escaped (see the examples above and below).\n"
" You can specify a header without escaping the colons, but that way you will not be able to put colons\n"
" in the header value itself, as they will be interpreted by hydra as option separators.\n"
" 'H' will replace the value of that header if it "
"exists, by the\n"
" one supplied by the user, or add the header at the "
"end\n"
"Note that if you are going to put colons (:) in your headers you should "
"escape them with a backslash (\\).\n"
" All colons that are not option separators should be escaped (see the "
"examples above and below).\n"
" You can specify a header without escaping the colons, but that way you "
"will not be able to put colons\n"
" in the header value itself, as they will be interpreted by hydra as "
"option separators.\n"
"\nExamples:\n"
" \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
" \"/login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*success\"\n"
" \"/"
"login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*"
"success\"\n"
" \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n"
" \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n",
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic "
"dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n"
" \"/exchweb/bin/auth/"
"owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&"
"username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:"
"reason=:C=/exchweb\"\n",
service);
}

40
hydra-http-proxy-urlenum.c
View file

@ -75,7 +75,10 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
http_proxy_auth_mechanism = AUTH_BASIC;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -105,14 +108,18 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
http_proxy_auth_mechanism = AUTH_NTLM;
// send auth and receive challenge
//send auth request: let the server send it's own hostname and domainname
// send auth request: let the server send it's own hostname and
// domainname
buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2));
/* to be portable, no snprintf, buffer is big enough so it can't overflow */
/* to be portable, no snprintf, buffer is big enough so it can't
* overflow */
// send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
@ -143,8 +150,10 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
// Send response
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -161,7 +170,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
} else {
#ifdef LIBOPENSSL
if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer;
char *pbuffer, *result;
http_proxy_auth_mechanism = AUTH_DIGESTMD5;
pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
@ -169,8 +178,8 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
buffer[sizeof(buffer) - 1] = '\0';
pbuffer = buffer2;
sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (pbuffer == NULL)
result = sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (result == NULL)
return 3;
if (debug)
@ -256,7 +265,8 @@ void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, cha
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -293,8 +303,12 @@ int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char opti
}
void usage_http_proxy_urlenum(const char *service) {
printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n"
printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P "
"option.\n"
"The -L loginfile must contain the URL list to try through the proxy.\n"
"The proxy credentials cann be put as the optional parameter, e.g.\n"
" hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n");
" hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum "
"user:pass\n"
" hydra -L urllist.txt "
"http-proxy-urlenum://target.com:3128/user:pass\n\n");
}

104
hydra-http-proxy.c
View file

@ -7,10 +7,10 @@ char *http_proxy_buf = NULL;
int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char url[210], host[60];
char *login, *pass, buffer[5000], buffer2[4500];
char url[510], host[60];
char *header = ""; /* XXX TODO */
char *ptr, *fooptr;
char *ptr, *fooptr, *auth_hdr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -21,7 +21,7 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
strcpy(url, "http://www.microsoft.com/");
strcpy(host, "Host: www.microsoft.com\r\n");
} else {
sprintf(url, "%.200s", miscptr);
sprintf(url, "%.500s", miscptr);
ptr = strstr(miscptr, "://"); // :// check is in hydra.c
sprintf(host, "Host: %.50s", ptr + 3);
if ((ptr = index(host, '/')) != NULL)
@ -50,24 +50,32 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
if (debug) {
hydra_report(stderr,
"S:%-.*s\n",
(int)(strchr(http_proxy_buf, '\r') - http_proxy_buf),
http_proxy_buf);
}
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) {
while (http_proxy_buf != NULL &&
(auth_hdr = hydra_strcasestr(http_proxy_buf,
"Proxy-Authenticate:")) == NULL) {
free(http_proxy_buf);
http_proxy_buf = hydra_receive_line(s);
}
if (http_proxy_buf == NULL) {
if (auth_hdr == NULL) {
if (verbose)
hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n");
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
if (debug) {
hydra_report(stderr,
"S:%-.*s\n",
(int)(strchr(auth_hdr, '\r') - auth_hdr),
auth_hdr);
}
// after the first query we should have been disconnected from web server
s = hydra_disconnect(s);
@ -78,11 +86,15 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
}
}
if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) {
if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(auth_hdr, "Proxy-Authenticate: Basic") != NULL) {
http_proxy_auth_mechanism = AUTH_BASIC;
auth_hdr = NULL;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\n%s\r\n",
url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -102,24 +114,32 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
return 3;
}
if (debug)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
if (debug) {
hydra_report(stderr,
"S:%-.*s\n",
(int)(strchr(http_proxy_buf, '\r') - http_proxy_buf),
http_proxy_buf);
}
} else {
if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) {
if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(auth_hdr, "Proxy-Authenticate: NTLM") != NULL) {
unsigned char buf1[4096];
unsigned char buf2[4096];
char *pos = NULL;
http_proxy_auth_mechanism = AUTH_NTLM;
auth_hdr = NULL;
// send auth and receive challenge
// send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2));
/* to be portable, no snprintf, buffer is big enough so it can't overflow */
/* to be portable, no snprintf, buffer is big enough so it can't overflow
*/
// send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 3;
@ -151,7 +171,10 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
// Send response
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -169,19 +192,19 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
return 3;
} else {
#ifdef LIBOPENSSL
if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer;
if (hydra_strcasestr(auth_hdr, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer, *result;
http_proxy_auth_mechanism = AUTH_DIGESTMD5;
auth_hdr == NULL;
pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
pbuffer = NULL;
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (fooptr == NULL)
result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (result == NULL)
return 3;
if (debug)
@ -196,8 +219,12 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
http_proxy_buf = hydra_receive_line(s);
}
if (debug && http_proxy_buf != NULL)
hydra_report(stderr, "S:%s\n", http_proxy_buf);
if (debug && http_proxy_buf != NULL) {
hydra_report(stderr,
"S:%-.*s\n",
(int)(strchr(http_proxy_buf, '\r') - http_proxy_buf),
http_proxy_buf);
}
if (http_proxy_buf == NULL)
return 3;
@ -205,9 +232,13 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
} else
#endif
{
if (http_proxy_buf != NULL) {
if (auth_hdr != NULL) {
// buf[strlen(http_proxy_buf) - 1] = '\0';
hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf);
hydra_report(stderr,
"Unsupported Auth type:\n%-.*s\n",
(int)(strchr(http_proxy_buf, '\r') - auth_hdr),
auth_hdr);
auth_hdr = NULL;
free(http_proxy_buf);
http_proxy_buf = NULL;
} else {
@ -219,7 +250,11 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
}
ptr = ((char *)index(http_proxy_buf, ' ')) + 1;
if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) {
if (*ptr == '2' ||
(*ptr == '3' && *(ptr + 2) == '1') ||
(*ptr == '3' && *(ptr + 2) == '2') ||
(*ptr == '4' && *(ptr + 2) == '4')
) {
hydra_report_found_host(port, ip, "http-proxy", fp);
hydra_completed_pair_found();
free(http_proxy_buf);
@ -277,7 +312,8 @@ void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscp
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -315,5 +351,7 @@ int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, cha
void usage_http_proxy(const char *service) {
printf("Module http-proxy is optionally taking the page to authenticate at.\n"
"Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n");
"Default is http://www.microsoft.com/)\n"
"Basic, DIGEST-MD5 and NTLM are supported and negotiated "
"automatically.\n\n");
}

115
hydra-http.c
View file

@ -1,8 +1,6 @@
#include "hydra-http.h"
#include "sasl.h"
extern char *HYDRA_EXIT;
char *webtarget = NULL;
char *slash = "/";
@ -53,14 +51,24 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
/* again: no snprintf to be portable. don't worry, buffer can't overflow */
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: "
"close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: "
"close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buffer2, header);
else
sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
sprintf(buffer,
"%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: "
"close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, miscptr, webtarget, buffer2, header);
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
@ -68,15 +76,15 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
#ifdef LIBOPENSSL
case AUTH_DIGESTMD5: {
char *pbuffer;
char *pbuffer, *result;
pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1);
buffer[buffer_size - 1] = '\0';
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
if (fooptr == NULL) {
result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
if (result == NULL) {
free(buffer);
free(header);
return 3;
@ -85,8 +93,7 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (debug)
hydra_report(stderr, "C:%s\n", buffer2);
strcpy(buffer, buffer2);
}
break;
} break;
#endif
case AUTH_NTLM: {
@ -103,15 +110,21 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
// send the first..
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, header);
else
sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
buf1, header);
sprintf(buffer,
"%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, miscptr, webtarget, buf1, header);
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -161,21 +174,26 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
// create the auth response
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, header);
else
sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
buf1, header);
sprintf(buffer,
"%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, miscptr, webtarget, buf1, header);
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
}
break;
} break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -191,7 +209,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
tmpreplybuf[0] = 0;
while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) {
if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
if (debug)
printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) {
strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1);
tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0;
@ -204,7 +223,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcat(tmpreplybufptr, http_buf);
free(http_buf);
http_buf = tmpreplybufptr;
if (debug) printf("http_buf now: %s\n", http_buf);
if (debug)
printf("http_buf now: %s\n", http_buf);
}
} else {
free(http_buf);
@ -234,10 +254,12 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
#else
if (end_condition_type >= 0 && (strstr(http_buf, end_condition) == NULL ? 0 : 1) != end_condition_type) {
#endif
if (debug) hydra_report(stderr, "End condition not match continue.\n");
if (debug)
hydra_report(stderr, "End condition not match continue.\n");
hydra_completed_pair();
} else {
if (debug) hydra_report(stderr, "END condition %s match.\n",end_condition);
if (debug)
hydra_report(stderr, "END condition %s match.\n", end_condition);
hydra_report_found_host(port, ip, "www", fp);
hydra_completed_pair_found();
}
@ -313,8 +335,7 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
*ptr2 = 0;
} else
webtarget = hostname;
} else
if (strlen(miscptr) == 0)
} else if (strlen(miscptr) == 0)
miscptr = strdup("/");
if (webtarget == NULL)
webtarget = hostname;
@ -333,7 +354,8 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
*ptr++ = 0;
optional1 = ptr;
if (!parse_options(optional1, &ptr_head)) // this function is in hydra-http-form.c !!
if (!parse_options(optional1,
&ptr_head)) // this function is in hydra-http-form.c !!
run = 4;
if (http_auth_mechanism == AUTH_UNASSIGNED)
@ -360,7 +382,8 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (sock < 0) {
if (freemischttp)
free(miscptr);
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -386,17 +409,11 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
}
void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_http(ip, sp, options, miscptr, fp, port, hostname, "GET");
}
void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "GET"); }
void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_http(ip, sp, options, miscptr, fp, port, hostname, "POST");
}
void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "POST"); }
void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_http(ip, sp, options, miscptr, fp, port, hostname, "HEAD");
}
void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "HEAD"); }
int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -409,8 +426,6 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
/*POU CODE */
char *start = strstr(miscptr, "F=");
if (start == NULL)
@ -443,19 +458,23 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis
hydra_report(stderr, "Condition not found\n");
}
return 0;
}
void usage_http(const char *service) {
printf("Module %s requires the page to authenticate.\n"
"The following parameters are optional:\n"
" (a|A)=auth-type specify authentication mechanism to use: BASIC, NTLM or MD5\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n"
" (F|S)=check for text in the HTTP reply. S= means if this text is found, a\n"
" valid account has been found, F= means if this string is present the\n"
" combination is invalid. Note: this must be the last option supplied.\n"
"For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n", service);
" (a|A)=auth-type specify authentication mechanism to use: BASIC, "
"NTLM or MD5\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each "
"request\n"
" (F|S)=check for text in the HTTP reply. S= means if this text is "
"found, a\n"
" valid account has been found, F= means if this string is "
"present the\n"
" combination is invalid. Note: this must be the last option "
"supplied.\n"
"For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: "
"sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n",
service);
}

36
hydra-icq.c
View file

@ -4,32 +4,10 @@ extern char *HYDRA_EXIT;
extern int32_t child_head_no;
int32_t seq = 1;
const unsigned char icq5_table[] = {
0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C,
0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F,
0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50,
0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64,
0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C,
0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48, 0x33, 0x31,
0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48,
0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A,
0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F,
0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64,
0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50,
0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35, 0x5A, 0x4A, 0x62, 0x66,
0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58,
0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C,
0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44,
0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C,
0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59,
0x60, 0x57, 0x5B, 0x3D, 0x3E, 0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A,
0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B,
0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67,
0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D,
0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43,
0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35,
0x5A, 0x00, 0x00
};
const unsigned char icq5_table[] = {0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F, 0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64, 0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48,
0x33, 0x31, 0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A, 0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35,
0x5A, 0x4A, 0x62, 0x66, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44, 0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x3E,
0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67, 0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D, 0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35, 0x5A, 0x00, 0x00};
void fix_packet(char *buf, int32_t len) {
unsigned long c1, c2;
@ -188,7 +166,8 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis
break;
}
/* if((buf[2] != 10 || buf[3] != 0) && (buf[2] != 250 || buf[3] != 0)) */
/* if((buf[2] != 10 || buf[3] != 0) && (buf[2] != 250 || buf[3] != 0))
*/
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
@ -221,7 +200,8 @@ void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
sock = hydra_disconnect(sock);
sock = hydra_connect_udp(ip, myport);
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;

66
hydra-imap.c
View file

@ -20,7 +20,8 @@ char *imap_read_server_capacity(int32_t sock) {
if (strstr(buf, "CAPABILITY") != NULL && buf[0] == '*') {
resp = 1;
usleepn(300);
/* we got the capability info then get the completed warning info from server */
/* we got the capability info then get the completed warning info from
* server */
while (hydra_data_ready(sock)) {
free(buf);
buf = hydra_receive_line(sock);
@ -40,7 +41,7 @@ char *imap_read_server_capacity(int32_t sock) {
}
int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *empty = "", *result = NULL;
char *login, *pass, buffer[500], buffer2[500], *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
@ -103,7 +104,9 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
memset(buffer2, 0, sizeof(buffer2));
sasl_plain(buffer2, login, pass);
result = sasl_plain(buffer2, login, pass);
if (result == NULL)
return 3;
sprintf(buffer, "%.250s\r\n", buffer2);
break;
@ -120,7 +123,6 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
switch (imap_auth_mechanism) {
case AUTH_CRAMMD5:
sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter);
break;
@ -161,20 +163,23 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
switch (imap_auth_mechanism) {
case AUTH_CRAMMD5: {
sasl_cram_md5(buffer2, pass, buffer);
result = sasl_cram_md5(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA1: {
sasl_cram_sha1(buffer2, pass, buffer);
result = sasl_cram_sha1(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA256: {
sasl_cram_sha256(buffer2, pass, buffer);
result = sasl_cram_sha256(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
}
hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@ -183,8 +188,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter);
@ -206,16 +210,15 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "DEBUG S: %s\n", buffer);
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
if (fooptr == NULL)
result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
if (result == NULL)
return 3;
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
case AUTH_SCRAMSHA1: {
char clientfirstmessagebare[200];
char serverfirstmessage[200];
@ -267,16 +270,15 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
memset(buffer2, 0, sizeof(buffer2));
fooptr = buffer2;
sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (fooptr == NULL) {
result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (result == NULL) {
hydra_report(stderr, "[ERROR] Can't compute client response\n");
return 1;
}
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
}
break;
} break;
#endif
case AUTH_NTLM: {
unsigned char buf1[4096];
@ -320,8 +322,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
} break;
default:
// clear authentication
sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass);
@ -415,14 +416,16 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
#ifdef LIBOPENSSL
if (!disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
/* check for STARTTLS, if available we may have access to more basic
* auth methods */
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "2 STARTTLS\r\n", strlen("2 STARTTLS\r\n"), 0);
counter++;
free(buf);
buf = hydra_receive_line(sock);
if (buf == NULL || (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL)) {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -444,7 +447,8 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
hydra_child_exit(2);
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is "
"not supported by the server\n");
}
#endif
@ -487,7 +491,6 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "CLEAR"))
imap_auth_mechanism = AUTH_CLEAR;
@ -588,5 +591,8 @@ int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_imap(const char *service) {
printf("Module imap is optionally taking one authentication type of:\n"
" CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n"
" CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n");
" CRAM-SHA256, DIGEST-MD5, NTLM\n"
"Additionally TLS encryption via STARTTLS can be enforced with the "
"TLS option.\n\n"
"Example: imap://target/TLS:PLAIN\n");
}

23
hydra-irc.c
View file

@ -7,7 +7,6 @@ RFC 1459: Internet Relay Chat Protocol
*/
extern char *HYDRA_EXIT;
char *buf;
char buffer[300] = "";
int32_t myport = PORT_IRC, mysslport = PORT_IRC_SSL;
@ -106,10 +105,16 @@ int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options,
#endif
hydra_report_pass_found(port, ip, "irc", fp);
hydra_completed_pair_found();
hydra_report(stderr, "[INFO] Server password '%s' is working, you can pass it as argument\nto irc module to then try login/password oper mode\n", pass);
hydra_report(stderr,
"[INFO] Server password '%s' is working, you can pass it as "
"argument\nto irc module to then try login/password oper mode\n",
pass);
} else {
if (verbose && (miscptr != NULL))
hydra_report(stderr, "[VERBOSE] Server is requesting a general password, '%s' you entered is not working\n", miscptr);
hydra_report(stderr,
"[VERBOSE] Server is requesting a general password, '%s' "
"you entered is not working\n",
miscptr);
hydra_completed_pair();
}
@ -181,10 +186,14 @@ void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
hydra_child_exit(0);
}
/* ERROR :Bad password is returned from ngircd when it s waiting for a server password */
/* ERROR :Bad password is returned from ngircd when it s waiting for a
* server password */
if ((ret > 0) && (strstr(buffer, " 001 ") == NULL)) {
/* seems we not successfully connected */
hydra_report(stderr, "[ERROR] should not be able to identify server msg, please report it\n%s\n", buffer);
hydra_report(stderr,
"[ERROR] should not be able to identify server msg, "
"please report it\n%s\n",
buffer);
hydra_child_exit(0);
}
@ -224,5 +233,7 @@ int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_irc(const char *service) {
printf("Module irc is optionally taking the general server password, if the server is requiring one, and if none is passed the password from -p/-P will be used\n\n");
printf("Module irc is optionally taking the general server password, if the "
"server is requiring one, and if none is passed the password from "
"-p/-P will be used\n\n");
}

64
hydra-ldap.c
View file

@ -8,7 +8,7 @@ int32_t counter;
int32_t tls_required = 0;
int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char version, int32_t auth_method) {
char *empty = "";
char *empty = "", *result = NULL;
char *login = "", *pass, *fooptr = "";
unsigned char buffer[512];
int32_t length = 0;
@ -123,8 +123,8 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
ptr = strstr((char *)buf, "<");
fooptr = buf2;
sasl_cram_md5(fooptr, pass, ptr);
if (fooptr == NULL)
result = sasl_cram_md5(fooptr, pass, ptr);
if (result == NULL)
return 1;
counter++;
if (strstr(miscptr, "^USER^") != NULL) {
@ -180,8 +180,8 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
if (fooptr == NULL) {
result = sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
if (result == NULL) {
free(buf);
return 3;
}
@ -306,13 +306,19 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 53) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Server unwilling to perform action, maybe deny by server config or too busy when tried login: %s password: %s\n", login, pass);
hydra_report(stderr,
"[VERBOSE] Server unwilling to perform action, maybe deny by server "
"config or too busy when tried login: %s password: %s\n",
login, pass);
free(buf);
return 1;
}
if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) {
hydra_report(stderr, "[ERROR] Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2');
hydra_report(stderr,
"[ERROR] Invalid protocol version, you tried ldap%c, better "
"try ldap%c\n",
version + '0', version == 2 ? '3' : '2');
free(buf);
hydra_child_exit(2);
sleep(1);
@ -335,7 +341,6 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
}
} else {
if (buf[9] != 49 && buf[9] != 2 && buf[9] != 53) {
hydra_report(stderr, "[ERROR] Uh, unknown LDAP response! Please report this: \n");
print_hex((unsigned char *)buf, 24);
@ -382,8 +387,10 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
counter = 1;
if (tls_required) {
/* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC 2830 */
char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";
/* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC
* 2830 */
char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31"
"\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";
if (hydra_send(sock, confidentiality_required, strlen(confidentiality_required), 0) < 0)
hydra_child_exit(1);
@ -427,21 +434,13 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
}
void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR);
}
void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR); }
void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR);
}
void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR); }
void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5);
}
void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5); }
void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5);
}
void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5); }
int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -454,7 +453,8 @@ int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *mis
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
if (miscptr != NULL && strlen(miscptr) > 220) {
fprintf(stderr, "[ERROR] the option string to this module may not be larger than 220 bytes\n");
fprintf(stderr, "[ERROR] the option string to this module may not be "
"larger than 220 bytes\n");
return -1;
}
@ -462,12 +462,18 @@ int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *mis
}
void usage_ldap(const char *service) {
printf("Module %s is optionally taking the DN (depending of the auth method choosed\n"
"Note: you can also specify the DN as login when Simple auth method is used).\n"
printf("Module %s is optionally taking the DN (depending of the auth method "
"choosed\n"
"Note: you can also specify the DN as login when Simple auth method "
"is used).\n"
"The keyword \"^USER^\" is replaced with the login.\n"
"Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n"
"unauthenticated (user but no pass), user/pass authenticated (user and pass).\n"
"Special notes for Simple method has 3 operation modes: anonymous, "
"(no user no pass),\n"
"unauthenticated (user but no pass), user/pass authenticated (user "
"and pass).\n"
"So don't forget to set empty string as user/pass to test all modes.\n"
"Hint: to authenticate to a windows active directory ldap, this is usually\n"
" cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", service);
"Hint: to authenticate to a windows active directory ldap, this is "
"usually\n"
" cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n",
service);
}

9
hydra-memcached.c
View file

@ -8,9 +8,7 @@
#include "hydra-mod.h"
#ifndef LIBMCACHED
void dummy_mcached() {
printf("\n");
}
void dummy_mcached() { printf("\n"); }
#else
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -33,8 +31,6 @@ int mcached_send_com_version(int32_t sock) {
return 0;
}
int32_t start_mcached(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *login, *pass;
@ -127,7 +123,8 @@ void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr,
return;
default:
if (!verbose)
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose "
"option for more details\n");
hydra_child_exit(2);
}
run = next_run;

203
hydra-mod.c
View file

@ -1,10 +1,10 @@
#include "hydra-mod.h"
#include <arpa/inet.h>
#ifdef LIBOPENSSL
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#endif
#ifdef HAVE_PCRE
#include <pcre.h>
@ -63,17 +63,20 @@ void alarming() {
fail++;
alarm_went_off++;
/* uh, I think it's not good for performance if we try to reconnect to a timeout system!
* if (fail > MAX_CONNECT_RETRY) {
/* uh, I think it's not good for performance if we try to reconnect to a
* timeout system! if (fail > MAX_CONNECT_RETRY) {
*/
//fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n", (int32_t) getpid());
// fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n",
// (int32_t) getpid());
if (debug)
printf("DEBUG_CONNECT_TIMEOUT\n");
hydra_child_exit(1);
/*
* } else {
* if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout], retrying (%d of %d retries)\n", (int32_t)getpid(), fail, MAX_CONNECT_RETRY);
* if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout],
* retrying (%d of %d retries)\n", (int32_t)getpid(), fail,
* MAX_CONNECT_RETRY);
* }
*/
}
@ -167,7 +170,6 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
}
}
if (use_proxy > 0 && proxy_count > 0) {
if (proxy_string_ip[selected_proxy][0] == 4) {
memcpy(&target.sin_addr.s_addr, &proxy_string_ip[selected_proxy][1], 4);
target.sin_family = AF_INET;
@ -223,7 +225,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
fail++;
if (verbose) {
if (do_retry && fail <= MAX_CONNECT_RETRY)
fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int32_t) getpid(), fail, MAX_CONNECT_RETRY);
fprintf(stderr,
"Process %d: Can not connect [unreachable], retrying (%d "
"of %d retries)\n",
(int32_t)getpid(), fail, MAX_CONNECT_RETRY);
else
fprintf(stderr, "Process %d: Can not connect [unreachable]\n", (int32_t)getpid());
}
@ -234,7 +239,8 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
printf("DEBUG_CONNECT_UNREACHABLE\n");
/* we wont quit here, thats up to the module to decide what to do
* fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int32_t)getpid());
* fprintf(stderr, "Process %d: Can not connect
* [unreachable], process exiting\n", (int32_t)getpid());
* hydra_child_exit(1);
*/
extern_socket = -1;
@ -280,7 +286,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
else
snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port);
else if (host[0] == 16)
snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication[selected_proxy]);
snprintf(buf, 4096,
"CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic "
"%s\r\n\r\n",
hydra_address2string(host), port, proxy_authentication[selected_proxy]);
else
snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication[selected_proxy]);
@ -326,7 +335,8 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
err = 1;
}
if ((unsigned char)buf[1] == SOCKS_NOMETHOD) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n");
hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method "
"negotiation failed\n");
err = 1;
}
/* SOCKS_DOMAIN not supported here, do we need it ? */
@ -439,7 +449,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
}
}
} else {
hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type[selected_proxy]);
hydra_report(stderr,
"[ERROR] Unknown proxy type: %s, valid type are "
"\"connect\", \"socks4\" or \"socks5\"\n",
proxy_string_type[selected_proxy]);
err = 1;
}
}
@ -466,24 +479,25 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
#if defined(LIBOPENSSL) && !defined(LIBRESSL_VERSION_NUMBER)
RSA *ssl_temp_rsa_cb(SSL *ssl, int32_t export, int32_t keylength) {
int32_t ok = 0;
int32_t nok = 0;
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
BIGNUM *n;
n = BN_new();
if ((n = BN_new()) == NULL)
nok = 1;
RSA_get0_key(rsa, (const struct bignum_st **)&n, NULL, NULL);
ok = BN_zero(n);
BN_zero(n);
#else
if (rsa->n == 0)
ok = 1;
nok = 1;
#endif
if(ok == 0 && RSA_size(rsa)!=(keylength/8)){ // n is not zero
if (nok == 0 && RSA_size(rsa) != (keylength / 8)) { // n is not zero
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
BN_free(n);
#endif
RSA_free(rsa);
rsa = NULL;
}
if (ok != 0) { // n is zero
if (nok != 0) { // n is zero
#if defined(NO_RSA_LEGACY) || OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA *rsa = RSA_new();
BIGNUM *f4 = BN_new();
@ -623,9 +637,11 @@ void hydra_child_exit(int32_t code) {
__fck = write(intern_socket, "C", 1);
else if (code == 2) /* application protocol error or service shutdown */
__fck = write(intern_socket, "E", 1);
// code 3 means exit without telling mommy about it - a bad idea. mommy should know
// code 3 means exit without telling mommy about it - a bad idea. mommy should
// know
else if (code == -1 || code > 3) {
fprintf(stderr, "[TOTAL FUCKUP] a module should not use hydra_child_exit(-1) ! Fix it in the source please ...\n");
fprintf(stderr, "[TOTAL FUCKUP] a module should not use "
"hydra_child_exit(-1) ! Fix it in the source please ...\n");
__fck = write(intern_socket, "E", 1);
}
do {
@ -636,9 +652,7 @@ void hydra_child_exit(int32_t code) {
exit(0); // might be killed before reaching this
}
void hydra_register_socket(int32_t s) {
intern_socket = s;
}
void hydra_register_socket(int32_t s) { intern_socket = s; }
char *hydra_get_next_pair() {
if (pair[0] == 0) {
@ -736,19 +750,20 @@ void hydra_report_found(int32_t port, char *svc, FILE * fp) {
/*
if (!strcmp(svc, "rsh"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m\n", port, svc, hydra_get_next_login());
else
fprintf(fp, "[%d][%s] login: %s\n", port, svc, hydra_get_next_login());
else if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
else
fprintf(fp, "[%d][%s] login: %s password: %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m\n",
port, svc, hydra_get_next_login()); else fprintf(fp, "[%d][%s] login: %s\n",
port, svc, hydra_get_next_login()); else if (colored_output) fprintf(fp,
"[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m password:
\e[32m%s\e[0m\n", port, svc, hydra_get_next_login(),
hydra_get_next_password()); else fprintf(fp, "[%d][%s] login: %s password:
%s\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
if (stdout != fp) {
if (!strcmp(svc, "rsh"))
printf("[%d][%s] login: %s\n", port, svc, hydra_get_next_login());
else
printf("[%d][%s] login: %s password: %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
printf("[%d][%s] login: %s password: %s\n", port, svc,
hydra_get_next_login(), hydra_get_next_password());
}
fflush(fp);
@ -760,11 +775,11 @@ void hydra_report_pass_found(int32_t port, char *ip, char *svc, FILE * fp) {
/*
strcpy(ipaddr_str, hydra_address2string(ip));
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
if (stdout != fp)
printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); if (stdout != fp) printf("[%d][%s] host: %s
password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
fflush(fp);
*/
}
@ -777,33 +792,34 @@ void hydra_report_found_host(int32_t port, char *ip, char *svc, FILE * fp) {
keyw = "domain";
if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login());
else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_login());
else if (!strcmp(svc, "snmp3"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m %s: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw,
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login()); else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str,
hydra_get_next_login()); else if (!strcmp(svc, "snmp3")) if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); else if (!strcmp(svc, "cisco-enable") ||
!strcmp(svc, "cisco")) if (colored_output) fprintf(fp,
"[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); else if (colored_output) fprintf(fp,
"[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m
%s: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw,
hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s login: %s %s: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password());
if (stdout != fp) {
if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid"))
printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_login());
else if (!strcmp(svc, "snmp3"))
printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
fprintf(fp, "[%d][%s] host: %s login: %s %s: %s\n", port, svc,
ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password()); if
(stdout != fp) { if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid"))
printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str,
hydra_get_next_login()); else if (!strcmp(svc, "snmp3")) printf("[%d][%s]
host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco"))
printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else
printf("[%d][%s] host: %s login: %s %s: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password());
printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); else printf("[%d][%s] host: %s login: %s %s:
%s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw,
hydra_get_next_password());
}
fflush(fp);
fflush(stdout);
@ -814,12 +830,13 @@ void hydra_report_found_host_msg(int32_t port, char *ip, char *svc, FILE * fp, c
/*
strcpy(ipaddr_str, hydra_address2string(ip));
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m password: \e[32m%s\e[0m [%s]\n", port, svc, ipaddr_str, hydra_get_next_login(),
hydra_get_next_password(), msg);
else
fprintf(fp, "[%d][%s] host: %s login: %s password: %s [%s]\n", port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password(), msg);
if (stdout != fp)
printf("[%d][%s] host: %s login: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password());
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login:
\e[32m%s\e[0m password: \e[32m%s\e[0m [%s]\n", port, svc, ipaddr_str,
hydra_get_next_login(), hydra_get_next_password(), msg); else fprintf(fp,
"[%d][%s] host: %s login: %s password: %s [%s]\n", port, svc,
ipaddr_str, hydra_get_next_login(), hydra_get_next_password(), msg); if
(stdout != fp) printf("[%d][%s] host: %s login: %s password: %s\n",
port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password());
fflush(fp);
*/
}
@ -885,9 +902,7 @@ int32_t hydra_data_ready_writing_timed(int32_t socket, long sec, long usec) {
return (my_select(socket + 1, &fds, NULL, NULL, sec, usec));
}
int32_t hydra_data_ready_writing(int32_t socket) {
return (hydra_data_ready_writing_timed(socket, 30, 0));
}
int32_t hydra_data_ready_writing(int32_t socket) { return (hydra_data_ready_writing_timed(socket, 30, 0)); }
int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec) {
fd_set fds;
@ -897,9 +912,7 @@ int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec) {
return (my_select(socket + 1, &fds, NULL, NULL, sec, usec));
}
int32_t hydra_data_ready(int32_t socket) {
return (hydra_data_ready_timed(socket, 0, 100));
}
int32_t hydra_data_ready(int32_t socket) { return (hydra_data_ready_timed(socket, 0, 100)); }
int32_t hydra_recv(int32_t socket, char *buf, uint32_t length) {
int32_t ret;
@ -909,7 +922,8 @@ int32_t hydra_recv(int32_t socket, char *buf, uint32_t length) {
if (debug) {
sprintf(text, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data(buf, ret, text);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", buf, getpid(), ret);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]",
// buf, getpid(), ret);
}
return ret;
}
@ -930,7 +944,8 @@ int32_t hydra_recv_nb(int32_t socket, char *buf, uint32_t length) {
if (debug) {
sprintf(text, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data(buf, ret, text);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", buf, getpid(), ret);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]",
// buf, getpid(), ret);
}
}
return ret;
@ -948,7 +963,9 @@ char *hydra_receive_line(int32_t socket) {
memset(buff, 0, sizeof(buf));
if (debug)
printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, pid: %d\n", waittime, conwait, socket, getpid());
printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, "
"pid: %d\n",
waittime, conwait, socket, getpid());
if ((i = hydra_data_ready_timed(socket, (long)waittime, 0)) > 0) {
do {
@ -983,14 +1000,16 @@ char *hydra_receive_line(int32_t socket) {
if (debug) {
sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data(buff, got, pid);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END", getpid(), got, buff);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END",
// getpid(), got, buff);
}
} else {
if (got < 0) {
if (debug) {
sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data((unsigned char *)"", -1, pid);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]", getpid(), i);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]",
// getpid(), i);
perror("recv");
}
}
@ -1001,7 +1020,9 @@ char *hydra_receive_line(int32_t socket) {
usleepn(100);
} else {
if (debug)
printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, socket: %d\n", i, waittime, conwait, socket);
printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, "
"socket: %d\n",
i, waittime, conwait, socket);
}
return buff;
@ -1024,12 +1045,13 @@ int32_t hydra_send(int32_t socket, char *buf, uint32_t size, int32_t options) {
else
debugbuf[k] = buf[k];
debugbuf[size] = 0;
hydra_report_debug(stderr, "DEBUG_SEND_BEGIN|%s|END [pid:%d]", debugbuf, getpid());
free(debugbuf);
hydra_report_debug(stderr, "DEBUG_SEND_BEGIN|%s|END [pid:%d]",
debugbuf, getpid()); free(debugbuf);
}*/
}
/* if (hydra_data_ready_writing(socket)) < 1) return -1; XXX maybe needed in the future */
/* if (hydra_data_ready_writing(socket)) < 1) return -1; XXX maybe needed
* in the future */
return (internal__hydra_send(socket, buf, size, options));
}
@ -1045,15 +1067,16 @@ int32_t make_to_lower(char *buf) {
char *hydra_strrep(char *string, char *oldpiece, char *newpiece) {
int32_t str_index, newstr_index, oldpiece_index, end, new_len, old_len, cpy_len;
char *c, oldstring[6096], newstring[6096]; //updated due to issue 192 on github.
char *c, oldstring[6096],
newstring[6096]; // updated due to issue 192 on github.
static char finalstring[6096];
if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1
|| (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece)))
if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1 || (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece)))
return NULL;
if (strlen(string) > 6000) {
hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max limit is 6000 characters.\n");
hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max "
"limit is 6000 characters.\n");
exit(-1);
}
@ -1262,9 +1285,7 @@ char *hydra_address2string_beautiful(char *address) {
return NULL; // not reached
}
void hydra_set_srcport(int32_t port) {
src_port = port;
}
void hydra_set_srcport(int32_t port) { src_port = port; }
#ifdef HAVE_PCRE
int32_t hydra_string_match(char *str, const char *regex) {
@ -1291,9 +1312,9 @@ int32_t hydra_string_match(char *str, const char *regex) {
* str_replace.c implements a str_replace PHP like function
* Copyright (C) 2009 chantra <chantra__A__debuntu__D__org>
*
* Create a new string with [substr] being replaced ONCE by [replacement] in [string]
* Returns the new string, or NULL if out of memory.
* The caller is responsible for freeing this new string.
* Create a new string with [substr] being replaced ONCE by [replacement] in
* [string] Returns the new string, or NULL if out of memory. The caller is
* responsible for freeing this new string.
*
*/
char *hydra_string_replace(const char *string, const char *substr, const char *replacement) {

19
hydra-mongodb.c
View file

@ -9,9 +9,7 @@
#include "hydra-mod.h"
#ifndef LIBMONGODB
void dummy_mongodb() {
printf("\n");
}
void dummy_mongodb() { printf("\n"); }
#else
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -31,16 +29,17 @@ int is_error_msg(char *msg) {
}
int require_auth(int32_t sock) {
unsigned char m_hdr[] =
"\x3f\x00\x00\x00" //messageLength (63)
unsigned char m_hdr[] = "\x3f\x00\x00\x00" // messageLength (63)
"\x00\x00\x00\x41" // requestID
"\xff\xff\xff\xff" // responseTo
"\xd4\x07\x00\x00" // opCode (2004 OP_QUERY)
"\x00\x00\x00\x00" // flags
"\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" //fullCollectionName (admin.$cmd)
"\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" // fullCollectionName
// (admin.$cmd)
"\x00\x00\x00\x00" // numberToSkip (0)
"\x01\x00\x00\x00" // numberToReturn (1)
"\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73\x00\x01\x00\x00\x00\x00"; //query ({"listDatabases"=>1})
"\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73"
"\x00\x01\x00\x00\x00\x00"; // query ({"listDatabases"=>1})
if (hydra_send(sock, m_hdr, sizeof(m_hdr), 0) > 0) {
if (hydra_data_ready_timed(sock, 0, 1000) > 0) {
@ -136,7 +135,8 @@ void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr,
return;
default:
if (!verbose)
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose "
"option for more details\n");
hydra_child_exit(2);
}
run = next_run;
@ -180,5 +180,6 @@ int32_t service_mongodb_init(char *ip, int32_t sp, unsigned char options, char *
#endif
void usage_mongodb(const char *service) {
printf("Module mongodb is optionally taking a database name to attack, default is \"admin\"\n\n");
printf("Module mongodb is optionally taking a database name to attack, "
"default is \"admin\"\n\n");
}

28
hydra-mssql.c
View file

@ -5,19 +5,22 @@
extern char *HYDRA_EXIT;
char *buf;
unsigned char p_hdr[] =
"\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char p_pk2[] =
"\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00"
unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char p_pk2[] = "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03"
"\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61"
"\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00";
unsigned char p_pk3[] =
"\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00";
unsigned char p_pk3[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
@ -38,12 +41,17 @@ unsigned char p_pk3[] =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44"
"\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00" "\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00";
unsigned char p_lng[] =
"\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"
"\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00"
"\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00" "\x00\x03\x00\x00\x00";
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00"
"\x00\x03\x00\x00\x00";
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";

41
hydra-mysql.c
View file

@ -1,19 +1,16 @@
/* mysql 3.2x.x to 4.x support - by mcbethh (at) u-n-f (dot) com */
/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev, adding support for mysql version 5.x */
/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev,
* adding support for mysql version 5.x */
#include "hydra-mod.h"
#ifndef HAVE_MATH_H
#include <stdio.h>
void dummy_mysql() {
printf("\n");
}
void dummy_mysql() { printf("\n"); }
void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
printf("\n");
}
void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { printf("\n"); }
#else
#include <math.h>
@ -41,7 +38,8 @@ extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern char *HYDRA_EXIT;
char mysqlsalt[9];
/* modified hydra_receive_line, I've striped code which changed every 0x00 to 0x20 */
/* modified hydra_receive_line, I've striped code which changed every 0x00 to
* 0x20 */
char *hydra_mysql_receive_line(int32_t socket) {
char buf[300], *buff, *buff2;
int32_t i = 0, j = 0, buff_size = 300;
@ -108,7 +106,10 @@ char hydra_mysql_init(int32_t sock) {
return 2;
}
if (protocol > 10) {
fprintf(stderr, "[INFO] This is protocol version %d, only v10 is supported, not sure if it will work\n", protocol);
fprintf(stderr,
"[INFO] This is protocol version %d, only v10 is supported, not "
"sure if it will work\n",
protocol);
}
server_version = &buf[5];
pos = buf + strlen(server_version) + 10;
@ -116,7 +117,8 @@ char hydra_mysql_init(int32_t sock) {
if (!strstr(server_version, "3.") && !strstr(server_version, "4.") && strstr(server_version, "5.")) {
#ifndef LIBMYSQLCLIENT
hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck configure to see if libmysql is found\n");
hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck "
"configure to see if libmysql is found\n");
#endif
free(buf);
return 2;
@ -130,10 +132,7 @@ char hydra_mysql_init(int32_t sock) {
char *hydra_mysql_prepare_auth(char *login, char *pass) {
unsigned char *response;
unsigned long login_len = strlen(login) > 32 ? 32 : strlen(login);
unsigned long response_len = 4 /* header */ +
2 /* client flags */ +
3 /* max packet len */ +
login_len + 1 + 8 /* scrambled password len */ ;
unsigned long response_len = 4 /* header */ + 2 /* client flags */ + 3 /* max packet len */ + login_len + 1 + 8 /* scrambled password len */;
response = (unsigned char *)malloc(response_len + 4);
if (response == NULL) {
@ -221,7 +220,8 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options,
}
if (my_errno == 1251) {
hydra_report(stderr, "[ERROR] Client does not support authentication protocol requested by server\n");
hydra_report(stderr, "[ERROR] Client does not support authentication "
"protocol requested by server\n");
}
/*
@ -324,7 +324,8 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F
port = myport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -349,8 +350,6 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F
#ifndef LIBMYSQLCLIENT
#endif
/************************************************************************/
@ -391,7 +390,8 @@ void hydra_hash_password(unsigned long *result, const char *password) {
nr2 += (nr2 << 8) ^ nr;
add += tmp;
}
result[0] = nr & (((unsigned long) 1L << 31) - 1L); /* Don't use sign bit (str2int) */ ;
result[0] = nr & (((unsigned long)1L << 31) - 1L); /* Don't use sign bit (str2int) */
;
result[1] = nr2 & (((unsigned long)1L << 31) - 1L);
return;
}
@ -433,5 +433,6 @@ int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *mi
}
void usage_mysql(const char *service) {
printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n");
printf("Module mysql is optionally taking the database to attack, default is "
"\"mysql\"\n\n");
}

20
hydra-ncp.c
View file

@ -10,19 +10,16 @@
*
*/
#include "hydra-mod.h"
#ifndef LIBNCP
void dummy_ncp() {
printf("\n");
}
void dummy_ncp() { printf("\n"); }
#else
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ncp/nwcalls.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char *HYDRA_EXIT;
extern int32_t child_head_no;
@ -37,7 +34,6 @@ typedef struct __NCP_DATA {
//#define NCP_DEBUG
int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *login;
char *pass;
char context[256];
@ -47,13 +43,11 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char
_NCP_DATA *session;
session = malloc(sizeof(_NCP_DATA));
memset(session, 0, sizeof(_NCP_DATA));
login = empty;
pass = empty;
if (strlen(login = hydra_get_next_login()) == 0) {
login = empty;
} else {
@ -152,7 +146,8 @@ void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
sock = hydra_connect_tcp(ip, myport);
port = myport;
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -198,5 +193,6 @@ int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_ncp(const char *service) {
printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n");
printf("Module ncp is optionally taking the full context, for example "
"\".O=cx\"\n\n");
}

31
hydra-nntp.c
View file

@ -48,7 +48,7 @@ char *nntp_read_server_capacity(int32_t sock) {
}
int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "\"\"";
char *empty = "\"\"", *result = NULL;
char *login, *pass, buffer[500], buffer2[500], *fooptr;
int32_t i = 1;
@ -112,7 +112,9 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
memset(buffer, 0, sizeof(buffer));
sasl_plain(buffer, login, pass);
result = sasl_plain(buffer, login, pass);
if (result == NULL)
return 3;
char tmp_buffer[sizeof(buffer)];
sprintf(tmp_buffer, "%.250s\r\n", buffer);
@ -147,7 +149,9 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
memset(buffer2, 0, sizeof(buffer2));
sasl_cram_md5(buffer2, pass, buffer);
result = sasl_cram_md5(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@ -156,8 +160,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");
@ -179,16 +182,15 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (debug)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
if (fooptr == NULL)
result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
if (result == NULL)
return 3;
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
#endif
@ -217,8 +219,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", (char *)buf1);
}
break;
} break;
default: {
sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);
@ -237,10 +238,8 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
free(buf);
sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
} break;
}
break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
@ -426,7 +425,6 @@ SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
if (strncmp(miscptr, "NTLM", 4) == 0)
nntp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (nntp_auth_mechanism) {
@ -487,5 +485,6 @@ int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *mis
}
void usage_nntp(const char *service) {
printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n");
printf("Module nntp is optionally taking one authentication type of:\n"
" USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n");
}

22
hydra-oracle-listener.c
View file

@ -13,9 +13,7 @@ at http://marcellmajor.com/frame_listenerhash.html
#include "hydra-mod.h"
#ifndef LIBOPENSSL
#include <stdio.h>
void dummy_oracle_listener() {
printf("\n");
}
void dummy_oracle_listener() { printf("\n"); }
#else
#include "sasl.h"
#include <openssl/des.h>
@ -180,12 +178,10 @@ int32_t ora_hash_password(char *pass) {
}
int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
unsigned char tns_packet_begin[22] = {"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e"
"\x00\x00\x01\x00"};
unsigned char tns_packet_end[32] = {"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"};
char *empty = "";
char *pass;
@ -212,7 +208,10 @@ int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char o
}
pass = (char *)hash;
}
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass);
snprintf(connect_string, sizeof(connect_string),
"(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)("
"PASSWORD=%s)(SERVICE=)(VERSION=169869568)))",
pass);
if (hash != NULL)
free(hash);
@ -339,7 +338,8 @@ int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options
}
void usage_oracle_listener(const char *service) {
printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n");
printf("Module oracle-listener / tns is optionally taking the mode the "
"password is stored as, could be PLAIN (default) or CLEAR\n\n");
}
#endif

24
hydra-oracle-sid.c
View file

@ -11,9 +11,7 @@ find a big list on the Internet
#include "hydra-mod.h"
#ifndef LIBOPENSSL
#include <stdio.h>
void dummy_oracle_sid() {
printf("\n");
}
void dummy_oracle_sid() { printf("\n"); }
#else
#include <openssl/des.h>
#define HASHSIZE 16
@ -22,19 +20,16 @@ extern char *HYDRA_EXIT;
char *buf;
unsigned char *hash;
int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
/*
PP is the packet length
XX is the length of connect data
PP + tns_packet_begin + XX + tns_packet_end
*/
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
unsigned char tns_packet_begin[22] = {"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e"
"\x00\x00\x01\x00"};
unsigned char tns_packet_end[32] = {"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"};
char *empty = "";
char *login;
char connect_string[200];
@ -47,8 +42,10 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login,
hydra_address2string(ip), port);
snprintf(connect_string, sizeof(connect_string),
"(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)("
"USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))",
login, hydra_address2string(ip), port);
siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
if (siz > 255) {
buffer2[0] = 1;
@ -72,7 +69,8 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
//if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse
// if no error reported. it should be a resend packet type 00 08 00 00 0b 00
// 00 00, 4 is refuse
if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) {
hydra_report_found_host(port, ip, "oracle-sid", fp);
hydra_completed_pair_found();

79
hydra-oracle.c
View file

@ -4,8 +4,8 @@ david: code is based on SNORT spo_database.c
tested with :
-instantclient_10_2 on Oracle 10.2.0
-instantclient-basic-linux.*-11.2.0.3.0.zip + instantclient-sdk-linux.*-11.2.0.3.0.zip
on Oracle 9i and on Oracle 11g
-instantclient-basic-linux.*-11.2.0.3.0.zip +
instantclient-sdk-linux.*-11.2.0.3.0.zip on Oracle 9i and on Oracle 11g
*/
@ -13,14 +13,13 @@ on Oracle 9i and on Oracle 11g
#ifndef LIBORACLE
void dummy_oracle() {
printf("\n");
}
void dummy_oracle() { printf("\n"); }
#else
#include <oci.h>
#include <sys/types.h>
#include <stdbool.h>
extern char *HYDRA_EXIT;
@ -55,14 +54,17 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c
/*
To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries.
The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name].
With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name].
Service names can be found by running the Oracle utility lsnrctl status on the database server machine.
To use the Easy Connect naming method, PHP must be linked with Oracle 10g
or greater Client libraries. The Easy Connect string for Oracle 10g is of
the form: [//]host_name[:port][/service_name]. With Oracle 11g, the syntax
is: [//]host_name[:port][/service_name][:server_type][/instance_name].
Service names can be found by running the Oracle utility lsnrctl status on
the database server machine.
The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin
and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web
daemon has read access to the file.
The tnsnames.ora file can be in the Oracle Net search path, which includes
$ORACLE_HOME/network/admin and /etc. Alternatively set TNS_ADMIN so that
$TNS_ADMIN/tnsnames.ora is read. Make sure the web daemon has read access
to the file.
*/
@ -83,17 +85,21 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c
return 4;
}
bool success = true;
if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *)login, strlen(login), (const OraText *)pass, strlen(pass), (const OraText *)buffer, strlen(buffer))) {
success = false;
OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR);
//database: oracle_error: ORA-01017: invalid username/password; logon denied
//database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
//database: oracle_error: ORA-28000: the account is locked
//Failed login attempts is set to 10 by default
// database: oracle_error: ORA-01017: invalid username/password; logon
// denied database: oracle_error: ORA-12514: TNS:listener does not currently
// know of service requested in connect descriptor database: oracle_error:
// ORA-28000: the account is locked Failed login attempts is set to 10 by
// default
if (verbose) {
hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg);
}
if (strstr((const char *)o_errormsg, "ORA-12514") != NULL) {
hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n");
hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to "
"enumerate them.\n");
hydra_completed_pair();
return 3;
}
@ -104,32 +110,26 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c
return 3;
return 2;
}
if (o_error) {
OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR);
// ORA-28002: the password will expire within 7 days
if (strstr((const char *)o_errormsg, "ORA-28002") != NULL) {
hydra_report(stderr, "[INFO] ORACLE account %s password will expire soon.\n", login);
success = true;
}
}
hydra_completed_pair();
//by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening,
//as we don't care, we are deleting the file
//set these parameters to not generate the file
//LOG_DIRECTORY_CLIENT = /dev/null
//LOG_FILE_CLIENT = /dev/null
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 2;
} else {
if (success) {
OCILogoff(o_servicecontext, o_error);
if (o_error) {
OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR);
}
hydra_report_found_host(port, ip, "oracle", fp);
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
if (o_error) {
OCIHandleFree((dvoid *)o_error, OCI_HTYPE_ERROR);
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
return success ? 1 : 2;
}
void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
@ -165,11 +165,15 @@ void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr,
break;
case 2:
next_run = start_oracle(sock, ip, port, options, miscptr, fp);
hydra_child_exit(0);
break;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
// by default, set in sqlnet.ora, the trace file is generated in pwd to log
// any errors happening, as we don't care, we are deleting the file set
// these parameters to not generate the file LOG_DIRECTORY_CLIENT =
// /dev/null LOG_FILE_CLIENT = /dev/null
unlink("sqlnet.log");
hydra_child_exit(0);
return;
@ -198,5 +202,6 @@ int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *m
}
void usage_oracle(const char *service) {
printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n");
printf("Module oracle / ora is optionally taking the ORACLE SID, default is "
"\"ORCL\"\n\n");
}

12
hydra-pcanywhere.c
View file

@ -71,7 +71,6 @@ void pca_encrypt(char *cleartxt) {
passwd[strlen(passwd)] = '\0';
strcpy(cleartxt, passwd);
}
}
void pca_decrypt(char *password) {
@ -119,7 +118,6 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option
server[3] = "Enter login name";
server[4] = "denying connection";
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
@ -158,13 +156,15 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option
if (i == 0 || i == 3)
clean_buffer(buffer, ret);
if (debug) show_buffer(buffer, ret);
if (debug)
show_buffer(buffer, ret);
if (i == 2) {
clean_buffer(buffer, ret);
buffer[sizeof(buffer) - 1] = 0;
if (strstr(buffer, server[i + 2]) != NULL) {
fprintf(stderr, "[ERROR] PC Anywhere host denying connection because you have requested a lower encrypt level\n");
fprintf(stderr, "[ERROR] PC Anywhere host denying connection because "
"you have requested a lower encrypt level\n");
return 3;
}
}
@ -233,7 +233,6 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -251,7 +250,8 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}

7
hydra-pcnfs.c
View file

@ -66,7 +66,9 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch
prh->len_passwd = htonl(63);
prh->len_comments = htonl(254);
strcpy(prh->comments, " Hydra - THC password cracker - visit https://github.com/vanhauser-thc/thc-hydra - use only allowed for legal purposes ");
strcpy(prh->comments, " Hydra - THC password cracker - visit "
"https://github.com/vanhauser-thc/thc-hydra - use only "
"allowed for legal purposes ");
strcpy(prh->name, "localhost");
ptr = prh->id;
@ -161,7 +163,8 @@ void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, F
sock = hydra_disconnect(sock);
// usleepn(275);
if ((sock = hydra_connect_udp(ip, port)) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;

83
hydra-pop3.c
View file

@ -88,7 +88,6 @@ char *pop3_read_server_capacity(int32_t sock) {
free(buf);
ptr = buf = hydra_receive_line(sock);
if (buf != NULL) {
/*
exchange capa:
@ -99,7 +98,8 @@ STLS
*/
if (strstr(buf, "\r\n.\r\n") != NULL && buf[0] == '+') {
resp = 1;
/* we got the capability info then get the completed warning info from server */
/* we got the capability info then get the completed warning info from
* server */
while (hydra_data_ready(sock)) {
free(buf);
buf = hydra_receive_line(sock);
@ -118,7 +118,7 @@ STLS
}
int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "\"\"";
char *empty = "\"\"", *result = NULL;
char *login, *pass, buffer[500], buffer2[500], *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
@ -150,8 +150,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
pbuffer += 2;
}
sprintf(buffer, "APOP %s %s\r\n", login, buffer2);
}
break;
} break;
#endif
case AUTH_LOGIN: {
@ -186,8 +185,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcpy(buffer2, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
}
break;
} break;
case AUTH_PLAIN: {
sprintf(buffer, "AUTH PLAIN\r\n");
@ -204,13 +202,14 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
memset(buffer, 0, sizeof(buffer));
sasl_plain(buffer, login, pass);
result = sasl_plain(buffer, login, pass);
if (result == NULL)
return 3;
char tmp_buffer[sizeof(buffer)];
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
}
break;
} break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
@ -266,20 +265,23 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
switch (p->pop3_auth_mechanism) {
case AUTH_CRAMMD5: {
sasl_cram_md5(buffer2, pass, buffer);
result = sasl_cram_md5(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA1: {
sasl_cram_sha1(buffer2, pass, buffer);
result = sasl_cram_sha1(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA256: {
sasl_cram_sha256(buffer2, pass, buffer);
result = sasl_cram_sha256(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
}
hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@ -287,8 +289,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "AUTH DIGEST-MD5\r\n");
@ -311,16 +312,15 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "[DEBUG] S: %s\n", buffer);
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
if (fooptr == NULL)
result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
if (result == NULL)
return 3;
if (debug)
hydra_report(stderr, "[DEBUG] C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
#endif
case AUTH_NTLM: {
@ -361,8 +361,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
} break;
default:
sprintf(buffer, "USER %.250s\r\n", login);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -433,7 +432,6 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
@ -470,11 +468,13 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
#ifdef LIBOPENSSL
if (!p->disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
/* check for STARTTLS, if available we may have access to more basic
* auth methods */
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -512,7 +512,6 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
}
int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
int32_t myport = PORT_POP3, mysslport = PORT_POP3_SSL;
char *ptr = NULL;
@ -584,13 +583,15 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
#ifdef LIBOPENSSL
if (!p.disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
/* check for STARTTLS, if available we may have access to more basic auth
* methods */
if (strstr(buf, "STLS") != NULL) {
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -616,7 +617,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
}
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not "
"supported by the server\n");
}
#endif
@ -625,7 +627,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
}
hydra_disconnect(sock);
if (verbose)
hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf);
@ -648,7 +649,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
which are supported.
*/
/* which mean threre will *always* have a space before the LOGIN auth keyword */
/* which mean threre will *always* have a space before the LOGIN auth keyword
*/
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) {
p.pop3_auth_mechanism = AUTH_NTLM;
}
@ -688,12 +690,10 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
#else
p.pop3_auth_mechanism = AUTH_CLEAR;
#endif
}
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "CLEAR"))
p.pop3_auth_mechanism = AUTH_CLEAR;
@ -722,7 +722,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
if (strstr(miscptr, "NTLM"))
p.pop3_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
@ -765,7 +764,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using POP3 NTLM AUTH mechanism\n");
break;
}
}
@ -780,5 +778,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_pop3(const char *service) {
printf("Module pop3 is optionally taking one authentication type of:\n"
" CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n"
" CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n");
" CRAM-SHA256, DIGEST-MD5, NTLM.\n"
"Additionally TLS encryption via STLS can be enforced with the TLS "
"option.\n\n"
"Example: pop3://target/TLS:PLAIN\n");
}

12
hydra-postgres.c
View file

@ -8,9 +8,7 @@
#include "hydra-mod.h"
#ifndef LIBPOSTGRES
void dummy_postgres() {
printf("\n");
}
void dummy_postgres() { printf("\n"); }
#else
#include "libpq-fe.h" // Postgres connection functions
@ -42,7 +40,6 @@ int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options,
* Building the connection string
*/
snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), database, login, pass);
if (verbose)
@ -74,7 +71,6 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -92,7 +88,8 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -133,5 +130,6 @@ int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char
}
void usage_postgres(const char *service) {
printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n");
printf("Module postgres is optionally taking the database to attack, default "
"is \"template1\"\n\n");
}

69
hydra-radmin2.c
View file

@ -19,10 +19,10 @@ struct rmessage {
/*
* Usage: sum = checksum(message);
* Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment.
* Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)])
* Sum: is 0f43d461 (big endian)
* Function: Returns a 4 byte little endian sum of the messages typecode+data.
* This data is zero padded for alignment. Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9
* 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) Sum: is 0f43d461 (big endian)
*/
uint32_t checksum(struct rmessage *msg) {
int32_t blen;
@ -50,7 +50,8 @@ uint32_t checksum(struct rmessage *msg) {
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate.
* Function: Modifies message to reflect a request for a challenge. Updates the
* checksum as appropriate.
*/
void challenge_request(struct rmessage *msg) {
msg->magic = 0x01;
@ -61,7 +62,8 @@ void challenge_request(struct rmessage *msg) {
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate.
* Function: Modifies message to reflect a response to a challenge. Updates the
* checksum as appropriate.
*/
void challenge_response(struct rmessage *msg, unsigned char *solution) {
msg->magic = 0x01;
@ -72,8 +74,9 @@ void challenge_response(struct rmessage *msg, unsigned char *solution) {
}
/*
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer)
* Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit.
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10);
* free(buffer) Function: Allocates a buffer for transmission and fills the
* buffer with message data such that it is ready to transmit.
*/
// TODO: conver to a sendMessage() function?
char *message2buffer(struct rmessage *msg) {
@ -163,10 +166,7 @@ struct rmessage *buffer2message(char *buffer) {
return msg;
}
int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
return 0;
}
int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { return 0; }
void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
#ifdef HAVE_GCRYPT
@ -200,7 +200,6 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
}
while (1) {
/* Typical conversation goes as follows...
0) connect to server
1) request challenge
@ -225,7 +224,8 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
// 2) receive response (working)
index = 0;
while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request.
while (index < 42) { // We're always expecting back a 42 byte buffer from a
// challenge request.
switch (hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
@ -237,7 +237,10 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
default:
bytecount = hydra_recv(sock, buffer + index, 42 - index);
if (bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_report(stderr,
"Error: Child with pid %d terminating, receive "
"error\nerror:\t%s\n",
(int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
@ -252,10 +255,14 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
hydra_get_next_pair();
strncpy(password, hydra_get_next_password(), sizeof(password) - 1);
//MD5 the password to generate the password key, this is used with twofish below.
// MD5 the password to generate the password key, this is used with twofish
// below.
err = gcry_md_open(&md, GCRY_MD_MD5, 0);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_md_open error "
"(%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
gcry_md_reset(md);
@ -273,25 +280,37 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
// 3.b) encrypt data received using pkey & known IV
err = gcry_cipher_open(&cipher, GCRY_CIPHER_TWOFISH128, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_open "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setiv(cipher, IV, 16);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setiv error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_setiv "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setkey(cipher, rawkey, 16);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setkey error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_setkey "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_encrypt(cipher, encrypted, 32, msg->data, 32);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_encrypt error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_encrypt "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
@ -312,7 +331,8 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
// 4) receive auth success/failure
index = 0;
while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request.
while (index < 10) { // We're always expecting back a 42 byte buffer from a
// challenge request.
switch (hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
@ -324,7 +344,10 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
default:
bytecount = hydra_recv(sock, buffer + index, 10 - index);
if (bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_report(stderr,
"Error: Child with pid %d terminating, receive "
"error\nerror:\t%s\n",
(int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;

24
hydra-rdp.c
View file

@ -1,5 +1,5 @@
/*
This module is using freerdp2 lib
This module is using freerdp3 lib
Tested on:
- Windows 7 pro SP1
@ -10,10 +10,8 @@
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
#ifndef LIBFREERDP2
void dummy_rdp() {
printf("\n");
}
#ifndef LIBFREERDP
void dummy_rdp() { printf("\n"); }
#else
#include <freerdp/freerdp.h>
@ -68,11 +66,19 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr,
// login failure
hydra_completed_pair();
break;
case 0x0002000d:
hydra_report(stderr,
"[%d][rdp] account on %s might be valid but account not "
"active for remote desktop: login: %s password: %s, "
"continuing attacking the account.\n",
port, hydra_address2string_beautiful(ip), login, pass);
hydra_completed_pair();
break;
case 0x00020006:
case 0x00020008:
case 0x0002000c:
case 0x0002000d:
// cannot establish rdp connection, either the port is not opened or it's not rdp
// cannot establish rdp connection, either the port is not opened or it's
// not rdp
return 3;
default:
if (verbose) {
@ -143,6 +149,8 @@ int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_rdp(const char *service) {
printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n");
printf("Module rdp is optionally taking the windows domain name.\n"
"For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p "
"doe\n\n");
}
#endif

19
hydra-redis.c
View file

@ -104,16 +104,14 @@ void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscp
}
}
void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_redis_core(ip, sp, options, miscptr, fp, port, hostname, 0);
}
void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_redis_core(ip, sp, options, miscptr, fp, port, hostname, 0); }
/*
* Initial password authentication test and response test for the redis server,
* added by Petar Kaleychev <petar.kaleychev@gmail.com>
* The service_redis_init function is generating ping request as redis-cli (command line interface).
* You can use redis-cli to connect with Redis. After start of the redis-server in another terminal the following:
* % ./redis-cli
* The service_redis_init function is generating ping request as redis-cli
* (command line interface). You can use redis-cli to connect with Redis. After
* start of the redis-server in another terminal the following: % ./redis-cli
* redis> ping
* when the server does not require password, leads to:
* PONG
@ -121,7 +119,8 @@ void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, F
* (error) NOAUTH Authentication required.
* or
* (error) ERR operation not permitted (for older redis versions)
* That is used for initial password authentication and redis server response tests in service_redis_init
* That is used for initial password authentication and redis server response
* tests in service_redis_init
*/
int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -129,7 +128,8 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi
// performed once only.
// return codes:
// 0 - when the server is redis and it requires password
// n - when the server is not redis or when the server does not require password
// n - when the server is not redis or when the server does not require
// password
int32_t sock = -1;
int32_t myport = PORT_REDIS, mysslport = PORT_REDIS_SSL;
@ -148,7 +148,8 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi
port = mysslport;
}
if (verbose)
printf("[VERBOSE] Initial redis password authentication test and response test ...\n");
printf("[VERBOSE] Initial redis password authentication test and response "
"test ...\n");
if (sock < 0) {
hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", myport);
return 3;

2
hydra-rexec.c
View file

@ -5,7 +5,6 @@
#define COMMAND "/bin/ls /"
extern char *HYDRA_EXIT;
char *buf;
int32_t start_rexec(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
@ -89,7 +88,6 @@ void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, F
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}

5
hydra-rlogin.c
View file

@ -8,11 +8,9 @@ client have to use port from 512 -> 1023 or server is denying the connection
no memleaks found on 110425
*/
#define TERM "vt100/9600"
extern char *HYDRA_EXIT;
char *buf;
int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
@ -79,7 +77,8 @@ int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, c
hydra_completed_pair();
}
} else {
/* if password is asked a second time, it means the pass we provided is wrong */
/* if password is asked a second time, it means the pass we provided is
* wrong */
hydra_completed_pair();
}

8
hydra-rpcap.c
View file

@ -21,7 +21,8 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch
char bfr4[] = " ";
bfr4[0] = strlen(login) + strlen(pass) + 8;
char bfr5[] = "\x00";
char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need of password
char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need
// of password
char bfr7[] = "\x00\x00\x00";
char bfr8[] = " ";
bfr8[0] = strlen(login);
@ -59,9 +60,8 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch
}
/*
if (strstr(buf, "Logon failure") == NULL) {
hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n", buf);
free(buf);
return 4;
hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n",
buf); free(buf); return 4;
}
*/
free(buf);

1
hydra-rsh.c
View file

@ -11,7 +11,6 @@ no memleaks found on 110425
*/
extern char *HYDRA_EXIT;
char *buf;
int32_t start_rsh(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";

29
hydra-rtsp.c
View file

@ -6,18 +6,16 @@
//
//
#include <stdio.h>
#include "hydra-mod.h"
#include <string.h>
#include "sasl.h"
#include <stdio.h>
#include <string.h>
extern char *HYDRA_EXIT;
char *buf;
char packet[500];
char packet2[500];
int32_t is_Unauthorized(char *s) {
if (strstr(s, "401 Unauthorized") != NULL) {
return 1;
} else {
@ -26,7 +24,6 @@ int32_t is_Unauthorized(char *s) {
}
int32_t is_NotFound(char *s) {
if (strstr(s, "404 Stream Not Found") != NULL) {
return 1;
} else {
@ -35,7 +32,6 @@ int32_t is_NotFound(char *s) {
}
int32_t is_Authorized(char *s) {
if (strstr(s, "200 OK") != NULL) {
return 1;
} else {
@ -44,7 +40,6 @@ int32_t is_Authorized(char *s) {
}
int32_t use_Basic_Auth(char *s) {
if (strstr(s, "WWW-Authenticate: Basic") != NULL) {
return 1;
} else {
@ -53,7 +48,6 @@ int32_t use_Basic_Auth(char *s) {
}
int32_t use_Digest_Auth(char *s) {
if (strstr(s, "WWW-Authenticate: Digest") != NULL) {
return 1;
} else {
@ -61,8 +55,6 @@ int32_t use_Digest_Auth(char *s) {
}
}
void create_core_packet(int32_t control, char *ip, int32_t port) {
char *target = hydra_address2string(ip);
@ -110,11 +102,9 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
return 1;
} else {
create_core_packet(1, ip, port);
if (use_Basic_Auth(lresp) == 1) {
free(lresp);
sprintf(buffer2, "%.249s:%.249s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
@ -124,24 +114,23 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (debug) {
hydra_report(stderr, "C:%s\n", buffer);
}
}
else {
} else {
if (use_Digest_Auth(lresp) == 1) {
char *dbuf = NULL;
char aux[500] = "";
char aux[500] = "", dbuf[500] = "", *result = NULL;
char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest ");
strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux));
aux[sizeof(aux) - 1] = '\0';
free(lresp);
#ifdef LIBOPENSSL
sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
result = sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
#else
hydra_report(stderr, "[ERROR] Digest auth required but compiled without OpenSSL/MD5 support\n");
hydra_report(stderr, "[ERROR] Digest auth required but compiled "
"without OpenSSL/MD5 support\n");
return 3;
#endif
if (dbuf == NULL) {
if (result == NULL) {
hydra_report(stderr, "[ERROR] digest generation failed\n");
return 3;
}
@ -178,7 +167,6 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
return 3;
}
return 1;
}
free(lresp);
hydra_completed_pair();
@ -201,7 +189,6 @@ void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0) {

27
hydra-s7-300.c
View file

@ -1,4 +1,5 @@
// submitted by Alexander Timorin <ATimorin@ptsecurity.com> and Sergey Gordeychik
// submitted by Alexander Timorin <ATimorin@ptsecurity.com> and Sergey
// Gordeychik
#include "hydra-mod.h"
@ -6,14 +7,22 @@
extern char *HYDRA_EXIT;
unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17" "\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0" "\x01\x0a";
unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17"
"\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0"
"\x01\x0a";
unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00" "\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00" "\x01\x00\x01\x01\xe0";
unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00"
"\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00"
"\x01\x00\x01\x01\xe0";
unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00" "\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12" "\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01" "\x32\x00\x04";
unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00" "\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12" "\x04\x11\x45\x01\x00\xff\x09\x00\x08";
unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00"
"\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12"
"\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01"
"\x32\x00\x04";
unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00"
"\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12"
"\x04\x11\x45\x01\x00\xff\x09\x00\x08";
int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
@ -276,7 +285,8 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
// 0xd602 - wrong password
if (ret > 30) {
if ((buffer[27] == '\x00' && buffer[28] == '\x00') || (buffer[27] == '\xd6' && buffer[28] == '\x05')) {
hydra_report(stderr, "[INFO] No password protection enabled, no password tests are necessary!\n");
hydra_report(stderr, "[INFO] No password protection enabled, no password "
"tests are necessary!\n");
return 1;
}
}
@ -287,5 +297,6 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
}
void usage_s7_300(const char *service) {
printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n");
printf("Module S7-300 is for a special Siemens PLC. It either requires only a "
"password or no authentication, so just use the -p or -P option.\n\n");
}

16
hydra-sapr3.c
View file

@ -1,13 +1,11 @@
#include "hydra-mod.h"
// checked for memleaks on 110425, none found
#ifndef LIBSAPR3
void dummy_sapr3() {
printf("\n");
}
void dummy_sapr3() { printf("\n"); }
#else
#include <saprfc.h>
#include <ctype.h>
#include <saprfc.h>
/* temporary workaround fix */
const int32_t *__ctype_tolower;
@ -28,7 +26,8 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch
int32_t sysnr = port % 100;
char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0";
// char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y";
// char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y
// ABAP_DEBUG=Y";
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -66,7 +65,8 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch
// printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer);
handle = RfcOpenEx(buffer, &error_info);
//printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message);
// printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key,
// error_info.message);
if (handle <= RFC_HANDLE_NULL)
return 3;
@ -131,6 +131,4 @@ int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *mi
return 0;
}
void usage_sapr3(const char* service) {
printf("Module sapr3 requires the client id, a number between 0 and 99\n\n");
}
void usage_sapr3(const char *service) { printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); }

44
hydra-sip.c
View file

@ -10,13 +10,11 @@
#ifndef LIBOPENSSL
#include <stdio.h>
void dummy_sip() {
printf("\n");
}
void dummy_sip() { printf("\n"); }
#else
#include <stdint.h>
#include "sasl.h"
#include <stdint.h>
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -25,7 +23,6 @@ char *get_iface_ip(uint64_t ip);
int32_t cseq;
extern char *HYDRA_EXIT;
#define SIP_MAX_BUF 1024
void empty_register(char *buf, char *host, char *lhost, int32_t port, int32_t lport, char *user) {
@ -51,7 +48,7 @@ int32_t get_sip_code(char *buf) {
}
int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, unsigned char options, char *miscptr, FILE *fp) {
char *login, *pass, *host, buffer[SIP_MAX_BUF];
char *login, *pass, *host, buffer[SIP_MAX_BUF], *result = NULL;
int32_t i;
char buf[SIP_MAX_BUF];
@ -74,12 +71,14 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
}
int32_t has_sip_cred = 0;
int32_t try = 0;
int32_t try
= 0;
/* We have to check many times because server may begin to send "100 Trying"
* before "401 Unauthorized" */
while (try < 2 && !has_sip_cred) {
try++;
try
++;
if (hydra_data_ready_timed(s, 3, 0) > 0) {
i = hydra_recv(s, (char *)buf, sizeof(buf) - 1);
if (i > 0)
@ -94,13 +93,17 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
// if we already tried to connect, exit
if (external_ip_addr[0]) {
hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n");
hydra_report(stdout, "[ERROR] Get error code 606 : session is not "
"acceptable by the server\n");
return 2;
}
if (verbose)
hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n"
"maybe it's an addressing issue as you are using NAT, trying to reconnect\n" "using addr from the server reply\n");
hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not "
"acceptable by the server,\n"
"maybe it's an addressing issue as you are "
"using NAT, trying to reconnect\n"
"using addr from the server reply\n");
/*
SIP/2.0 606 Not Acceptable
Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137
@ -135,7 +138,9 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
hydra_report(stderr, "[INFO] S: %s\n", buf);
char buffer2[512];
sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);
result = sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);
if (result == NULL)
return 3;
memset(buffer, 0, SIP_MAX_BUF);
snprintf(buffer, SIP_MAX_BUF,
@ -143,7 +148,11 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
"Via: SIP/2.0/UDP %s:%i\n"
"From: <sip:%s@%s>\n"
"To: <sip:%s@%s>\n"
"Call-ID: 1337@%s\n" "CSeq: %i REGISTER\n" "Authorization: Digest %s\n" "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2);
"Call-ID: 1337@%s\n"
"CSeq: %i REGISTER\n"
"Authorization: Digest %s\n"
"Content-Length: 0\n\n",
host, lip, lport, login, host, login, host, host, cseq, buffer2);
cseq++;
if (debug)
@ -151,12 +160,14 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
try = 0;
try
= 0;
int32_t has_resp = 0;
int32_t sip_code = 0;
while (try < 2 && !has_resp) {
try++;
try
++;
if (hydra_data_ready_timed(s, 5, 0) > 0) {
memset(buf, 0, sizeof(buf));
if ((i = hydra_recv(s, (char *)buf, sizeof(buf) - 1)) >= 0)
@ -192,7 +203,8 @@ void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
// FIXME IPV6
if (ip[0] != 4) {
fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n");
fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are "
"appreciated.\n");
hydra_child_exit(2);
}

369
hydra-smb.c
View file

@ -1,17 +1,14 @@
#include "hydra-mod.h"
#ifndef LIBOPENSSL
void dummy_smb() {
printf("\n");
}
void dummy_smb() { printf("\n"); }
#else
#include <openssl/md4.h>
#include <openssl/des.h>
#include "hmacmd5.h"
#include "sasl.h"
#include <openssl/des.h>
#include <openssl/md4.h>
// FIXME XXX BUG: several malloc()s without return code checking
/*
http://technet.microsoft.com/en-us/library/cc960646.aspx
@ -80,18 +77,15 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx
#define WIN2000_NATIVEMODE 1
#define WIN_NETBIOSMODE 2
#define PLAINTEXT 10
#define ENCRYPTED 11
#ifndef CHAR_BIT
#define CHAR_BIT 8
#endif
#ifndef TIME_T_MIN
#define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
: ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
#define TIME_T_MIN ((time_t)0 < (time_t)-1 ? (time_t)0 : ~(time_t)0 << (sizeof(time_t) * CHAR_BIT - 1))
#endif
#ifndef TIME_T_MAX
#define TIME_T_MAX (~(time_t)0 - TIME_T_MIN)
@ -102,7 +96,6 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx
#define TIME_FIXUP_CONSTANT_INT 11644473600LL
extern char *HYDRA_EXIT;
static unsigned char challenge[8];
static unsigned char workgroup[16];
@ -113,8 +106,7 @@ int32_t hashFlag, accntFlag, protoFlag;
int32_t smb_auth_mechanism = AUTH_NTLM;
int32_t security_mode = ENCRYPTED;
static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out, int32_t outsize)
{
static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out, int32_t outsize) {
int32_t i = 0, j = 0;
uint64_t ch;
if (debug) {
@ -145,7 +137,8 @@ static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out
j = j + 4;
i = i + 3;
}
if ( j-2 > outsize) break;
if (j - 2 > outsize)
break;
}
if (debug) {
hydra_report(stderr, "[DEBUG] UTF8_UTF16LE out:\n");
@ -295,7 +288,6 @@ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *chall
return 0;
}
/*
MakeNTLM
Function: Create a NTLM hash from the password
@ -312,7 +304,8 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) {
/* Use NTLM Hash instead of password */
if (hashFlag == 1) {
/* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: */
/* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2:::
*/
p = pass;
while ((*p != '\0') && (i < 1)) {
if (*p == ':')
@ -379,9 +372,9 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) {
/*
HashLMv2
This function implements the LMv2 response algorithm. The LMv2 response is used to
provide pass-through authentication compatibility with older servers. The response
is based on the NTLM password hash and is exactly 24 bytes.
This function implements the LMv2 response algorithm. The LMv2 response is
used to provide pass-through authentication compatibility with older servers.
The response is based on the NTLM password hash and is exactly 24 bytes.
The below code is based heavily on the following resources:
@ -411,16 +404,17 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char
return -1;
/*
The Unicode uppercase username is concatenated with the Unicode authentication target
(the domain or server name specified in the Target Name field of the Type 3 message).
Note that this calculation always uses the Unicode representation, even if OEM encoding
has been negotiated; also note that the username is converted to uppercase, while the
authentication target is case-sensitive and must match the case presented in the Target
The Unicode uppercase username is concatenated with the Unicode
authentication target (the domain or server name specified in the Target
Name field of the Type 3 message). Note that this calculation always uses
the Unicode representation, even if OEM encoding has been negotiated; also
note that the username is converted to uppercase, while the authentication
target is case-sensitive and must match the case presented in the Target
Name field.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104) is applied to
this value using the 16-byte NTLM hash as the key. This results in a 16-byte value - the
NTLMv2 hash.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104)
is applied to this value using the 16-byte NTLM hash as the key. This
results in a 16-byte value - the NTLMv2 hash.
*/
/* Initialize the Unicode version of the username and target. */
@ -445,9 +439,10 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char
/* --- HMAC #2 Calculations --- */
/*
The challenge from the Type 2 message is concatenated with our fixed client nonce. The HMAC-MD5
message authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash
(calculated above) as the key. This results in a 16-byte output value.
The challenge from the Type 2 message is concatenated with our fixed client
nonce. The HMAC-MD5 message authentication code algorithm is applied to
this value using the 16-byte NTLMv2 hash (calculated above) as the key.
This results in a 16-byte output value.
*/
hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
@ -468,12 +463,13 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char
/*
HashNTLMv2
This function implements the NTLMv2 response algorithm. Support for this algorithm
was added with Microsoft Windows with NT 4.0 SP4. It should be noted that code doesn't
currently work with Microsoft Vista. While NTLMv2 authentication with Samba and Windows
2003 functions as expected, Vista systems respond with the oh-so-helpful
"INVALID_PARAMETER" error code. LMv2-only authentication appears to work against Vista
in cases where LM and NTLM are refused.
This function implements the NTLMv2 response algorithm. Support for this
algorithm was added with Microsoft Windows with NT 4.0 SP4. It should be noted
that code doesn't currently work with Microsoft Vista. While NTLMv2
authentication with Samba and Windows 2003 functions as expected, Vista
systems respond with the oh-so-helpful "INVALID_PARAMETER" error code.
LMv2-only authentication appears to work against Vista in cases where LM and
NTLM are refused.
The below code is based heavily on the following two resources:
@ -503,20 +499,15 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
[16] Header: Blob Signature [01 01 00 00] (4 bytes)
[20] Reserved: [00 00 00 00] (4 bytes)
[24] Time: Little-endian, 64-bit signed value representing the number of
tenths of a microsecond since January 1, 1601. (8 bytes)
[32] Client Nonce: (8 bytes)
[40] Unknown: 00 00 00 00 (4 bytes)
[44] Target Information (from the Type 2 message)
NetBIOS domain/workgroup:
Type: domain 02 00 (2 bytes)
Length: 12 00 (2 bytes)
Name: WORKGROUP [NULL spacing -> 57 00 4f 00 ...] (18 bytes)
End-of-list: 00 00 00 00 (4 bytes)
[24] Time: Little-endian, 64-bit signed value representing the number
of tenths of a microsecond since January 1, 1601. (8 bytes) [32] Client
Nonce: (8 bytes) [40] Unknown: 00 00 00 00 (4 bytes) [44] Target
Information (from the Type 2 message) NetBIOS domain/workgroup: Type:
domain 02 00 (2 bytes) Length: 12 00 (2 bytes) Name: WORKGROUP [NULL
spacing -> 57 00 4f 00 ...] (18 bytes) End-of-list: 00 00 00 00 (4 bytes)
Termination: 00 00 00 00 (4 bytes)
*/
iTargetLen = 2 * strlen((char *)workgroup);
memset(ntlm_hash, 0, 16);
@ -531,16 +522,17 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
return -1;
/*
The Unicode uppercase username is concatenated with the Unicode authentication target
(the domain or server name specified in the Target Name field of the Type 3 message).
Note that this calculation always uses the Unicode representation, even if OEM encoding
has been negotiated; also note that the username is converted to uppercase, while the
authentication target is case-sensitive and must match the case presented in the Target
The Unicode uppercase username is concatenated with the Unicode
authentication target (the domain or server name specified in the Target
Name field of the Type 3 message). Note that this calculation always uses
the Unicode representation, even if OEM encoding has been negotiated; also
note that the username is converted to uppercase, while the authentication
target is case-sensitive and must match the case presented in the Target
Name field.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104) is applied to
this value using the 16-byte NTLM hash as the key. This results in a 16-byte value - the
NTLMv2 hash.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104)
is applied to this value using the 16-byte NTLM hash as the key. This
results in a 16-byte value - the NTLMv2 hash.
*/
/* Initialize the Unicode version of the username and target. */
@ -606,7 +598,8 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
0x0300 Fully-qualified DNS host name
0x0400 DNS domain name
TODO: Need to rework negotiation code to correctly extract target information
TODO: Need to rework negotiation code to correctly extract target
information
*/
memset(ntlmv2_response + 44, 0x02, 1); /* Type: Domain */
@ -623,9 +616,10 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
/* --- HMAC #2 Caculations --- */
/*
The challenge from the Type 2 message is concatenated with the blob. The HMAC-MD5 message
authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash
(calculated above) as the key. This results in a 16-byte output value.
The challenge from the Type 2 message is concatenated with the blob. The
HMAC-MD5 message authentication code algorithm is applied to this value
using the 16-byte NTLMv2 hash (calculated above) as the key. This results
in a 16-byte output value.
*/
hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
@ -716,7 +710,6 @@ int32_t NBSSessionRequest(int32_t s) {
return -1; /* failed */
}
/*
SMBNegProt
Function: Negotiate protocol with server ...
@ -728,31 +721,9 @@ int32_t NBSSessionRequest(int32_t s) {
*/
int32_t SMBNegProt(int32_t s) {
unsigned char buf[] = {
0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42,
0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d,
0x00, 0x00, 0x01, 0x00, 0x00, 0x9b, 0x00, 0x02,
0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46,
0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52,
0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00,
0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f,
0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00,
0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31,
0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e,
0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44,
0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41,
0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00,
0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02,
0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e,
0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31,
0x32, 0x00
0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x9b, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d,
0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58,
0x30, 0x30, 0x32, 0x00, 0x02, 0x44, 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00
/*
0x02,
@ -799,7 +770,6 @@ int32_t SMBNegProt(int32_t s) {
iResponseOffset = 65;
}
hydra_send(s, (char *)buf, iLength, 0);
k = hydra_recv(s, (char *)rbuf, sizeof(rbuf));
if (k == 0)
@ -807,10 +777,11 @@ int32_t SMBNegProt(int32_t s) {
/* retrieve the security mode */
/*
[0] Mode: (0) ? (1) USER security mode
[1] Password: (0) PLAINTEXT password (1) ENCRYPTED password. Use challenge/response
[2] Signatures: (0) Security signatures NOT enabled (1) ENABLED
[3] Sig Req: (0) Security signatures NOT required (1) REQUIRED
[0] Mode: (0) ? (1) USER security
mode [1] Password: (0) PLAINTEXT password (1) ENCRYPTED
password. Use challenge/response [2] Signatures: (0) Security signatures
NOT enabled (1) ENABLED [3] Sig Req: (0) Security signatures NOT
required (1) REQUIRED
SAMBA: 0x01 (default)
WinXP: 0x0F (default)
@ -825,18 +796,21 @@ int32_t SMBNegProt(int32_t s) {
if (hashFlag == 1) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. HASH password mode not supported for this configuration.\n");
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. HASH "
"password mode not supported for this configuration.\n");
return 3;
}
if (hashFlag == 2) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. MACHINE password mode not supported for this configuration.\n");
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. MACHINE "
"password mode not supported for this configuration.\n");
return 3;
}
break;
case 0x03:
if (verbose)
hydra_report(stderr, "[VERBOSE] Server requested ENCRYPTED password without security signatures.\n");
hydra_report(stderr, "[VERBOSE] Server requested ENCRYPTED password "
"without security signatures.\n");
security_mode = ENCRYPTED;
break;
case 0x07:
@ -847,7 +821,10 @@ int32_t SMBNegProt(int32_t s) {
break;
default:
if (verbose)
hydra_report(stderr, "[VERBOSE] Unknown security mode request: %2.2X. Proceeding using ENCRYPTED password mode.\n", rbuf[39]);
hydra_report(stderr,
"[VERBOSE] Unknown security mode request: %2.2X. Proceeding "
"using ENCRYPTED password mode.\n",
rbuf[39]);
security_mode = ENCRYPTED;
break;
}
@ -886,8 +863,6 @@ int32_t SMBNegProt(int32_t s) {
return 2;
}
/*
SMBSessionSetup
Function: Send username + response to the challenge from
@ -927,18 +902,39 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
/* SMB Header */
unsigned char szSMB[32] = {
0xff, 0x53, 0x4d, 0x42, /* Server Component */
0xff,
0x53,
0x4d,
0x42, /* Server Component */
0x73, /* SMB Command: Session Setup AndX */
0x00, 0x00, 0x00, 0x00, /* NT Status: STATUS_SUCCESS */
0x00,
0x00,
0x00,
0x00, /* NT Status: STATUS_SUCCESS */
0x08, /* Flags */
0x01, 0xc0, /* Flags2 */ /* add Unicode */
0x00, 0x00, /* Process ID High */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Signature */
0x00, 0x00, /* Reserved */
0x00, 0x00, /* Tree ID */
0x13, 0x37, /* Process ID */
0x00, 0x00, /* User ID */
0x01, 0x00 /* Multiplx ID */
0x01,
0xc0,
/* Flags2 */ /* add Unicode */
0x00,
0x00, /* Process ID High */
0x00,
0x00,
0x00,
0x00,
0x00,
0x00,
0x00,
0x00, /* Signature */
0x00,
0x00, /* Reserved */
0x00,
0x00, /* Tree ID */
0x13,
0x37, /* Process ID */
0x00,
0x00, /* User ID */
0x01,
0x00 /* Multiplx ID */
};
memset(buf, 0, 512);
@ -993,16 +989,33 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
0x0d, /* Word Count */
0xff, /* AndXCommand: No further commands */
0x00, /* Reserved */
0x00, 0x00, /* AndXOffset */
0xff, 0xff, /* Max Buffer */
0x02, 0x00, /* Max Mpx Count */
0x3c, 0x7d, /* VC Number */
0x00, 0x00, 0x00, 0x00, /* Session Key */
0x18, 0x00, /* LAN Manager Password Hash Length */
0x18, 0x00, /* NT LAN Manager Password Hash Length */
0x00, 0x00, 0x00, 0x00, /* Reserved */
0x5c, 0x00, 0x00, 0x00, /* Capabilities */ /* Add Unicode */
0x49, 0x00 /* Byte Count -- MUST SET */
0x00,
0x00, /* AndXOffset */
0xff,
0xff, /* Max Buffer */
0x02,
0x00, /* Max Mpx Count */
0x3c,
0x7d, /* VC Number */
0x00,
0x00,
0x00,
0x00, /* Session Key */
0x18,
0x00, /* LAN Manager Password Hash Length */
0x18,
0x00, /* NT LAN Manager Password Hash Length */
0x00,
0x00,
0x00,
0x00, /* Reserved */
0x5c,
0x00,
0x00,
0x00,
/* Capabilities */ /* Add Unicode */
0x49,
0x00 /* Byte Count -- MUST SET */
};
iOffset = 65; /* szNBSS + szSMB + szSessionRequest */
@ -1016,7 +1029,8 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
return -1;
memset(NTLMhash, 0, 24);
/* We don't need to actually calculated a LM hash for this mode, only NTLM */
/* We don't need to actually calculated a LM hash for this mode, only NTLM
*/
ret = HashNTLM(&NTLMhash, (unsigned char *)szPassword, (unsigned char *)challenge, miscptr);
if (ret == -1)
return -1;
@ -1134,7 +1148,8 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
memcpy(buf + 36, szSessionRequest, 23);
/* Calculate and set password length */
/* Samba appears to append NULL characters equal to the password length plus 2 */
/* Samba appears to append NULL characters equal to the password length plus
* 2 */
// iByteCount = 2 * strlen(szPassword) + 2;
iByteCount = strlen(szPassword) + 1;
buf[iOffset - 8] = (iByteCount) % 256;
@ -1142,19 +1157,22 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
/* set ANSI password */
/*
Depending on the SAMBA server configuration, multiple passwords may be successful
when dealing with mixed-case values. The SAMBA parameter "password level" appears
to determine how many characters within a password are tested by the server both
upper and lower case. For example, assume a SAMBA account has a password of "Fred"
and the server is configured with "password level = 2". Medusa sends the password
"FRED". The SAMBA server will brute-force test this value for us with values
like: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ... The default setting
is "password level = 0". This results in only two attempts to being made by the
remote server; the password as is and the password in all-lower case.
Depending on the SAMBA server configuration, multiple passwords may be
successful when dealing with mixed-case values. The SAMBA parameter
"password level" appears to determine how many characters within a
password are tested by the server both upper and lower case. For example,
assume a SAMBA account has a password of "Fred" and the server is
configured with "password level = 2". Medusa sends the password "FRED".
The SAMBA server will brute-force test this value for us with values
like: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ... The default
setting is "password level = 0". This results in only two attempts to
being made by the remote server; the password as is and the password in
all-lower case.
*/
strncpy((char *)(buf + iOffset), szPassword, 256);
} else {
hydra_report(stderr, "[ERROR] Security_mode was not properly set. This should not happen.\n");
hydra_report(stderr, "[ERROR] Security_mode was not properly set. This "
"should not happen.\n");
return -1;
}
@ -1230,21 +1248,33 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
if (SMBerr == 0x000000) { /* success */
if (SMBaction == 0x01) { /* invalid account - anonymous connection */
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: Invalid account (Anonymous success)\n", port, ipaddr_str, login);
fprintf(stderr,
"[%d][smb] Host: %s Account: %s Error: Invalid account "
"(Anonymous success)\n",
port, ipaddr_str, login);
hydra_completed_pair_skip();
} else { /* valid account */
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
}
} else if ((SMBerr == 0x00000D) && (SMBaction == 0x00)) {
hydra_report(stderr, "[ERROR] Invalid parameter status received, either the account or the method used are not valid\n");
hydra_report(stderr, "[ERROR] Invalid parameter status received, either "
"the account or the method used are not valid\n");
hydra_completed_pair_skip();
} else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote Connections Using NULL Passwords */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, GPO Disabling Remote Connections Using NULL Passwords\n", port, ipaddr_str, login);
} else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote
Connections Using NULL Passwords */
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, GPO Disabling "
"Remote Connections Using NULL Passwords\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this computer from the network" */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, GPO Deny access to this computer from the network\n", port, ipaddr_str, login);
} else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this
computer from the network" */
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, GPO Deny "
"access to this computer from the network\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if (SMBerr == 0x000193) { /* Valid password, account expired */
@ -1252,15 +1282,24 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, account expired */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, password expired and must be changed on next logon\n", port, ipaddr_str, login);
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, password "
"expired and must be changed on next logon\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if ((SMBerr == 0x00006F) || (SMBerr == 0xC10002)) { /* Invalid logon hours */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, but logon hours invalid\n", port, ipaddr_str, login);
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, but logon "
"hours invalid\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if (SMBerr == 0x050001) { /* AS/400 -- Incorrect password */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Error: Incorrect password or account disabled\n", port, ipaddr_str, login);
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Error: Incorrect password or "
"account disabled\n",
port, ipaddr_str, login);
if ((miscptr) && (strstr(miscptr, "LM")))
hydra_report(stderr, "[INFO] LM dialect may be disabled, try LMV2 instead\n");
hydra_completed_pair_skip();
@ -1283,7 +1322,10 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
hydra_completed_pair_skip();
} else if (SMBerr == 0x00008D) { /* ummm... broken client-domain membership */
if (verbose)
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE\n", port, ipaddr_str, login);
fprintf(stderr,
"[%d][smb] Host: %s Account: %s Error: "
"NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE\n",
port, ipaddr_str, login);
hydra_completed_pair();
} else { /* failed */
if (verbose)
@ -1388,14 +1430,16 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
port = PORT_SMBNT;
protoFlag = WIN2000_NATIVEMODE;
} else {
hydra_report(stderr, "Failed to establish WIN2000_NATIVE mode. Attempting WIN_NETBIOS mode.\n");
hydra_report(stderr, "Failed to establish WIN2000_NATIVE mode. "
"Attempting WIN_NETBIOS mode.\n");
port = PORT_SMB;
protoFlag = WIN_NETBIOSMODE;
sock = hydra_connect_tcp(ip, PORT_SMB);
}
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
if (NBSSessionRequest(sock) < 0) {
@ -1433,33 +1477,9 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
// -1 error, hydra will exit, so print a good error message here
time_t ctime;
int ready = 0, sock = hydra_connect_tcp(ip, port);
unsigned char buf[] = {
0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42,
0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff,
0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02,
0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46,
0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52,
0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00,
0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f,
0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00,
0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31,
0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e,
0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44,
0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41,
0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00,
0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02,
0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e,
0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31,
0x32, 0x00 };
unsigned char buf[] = {0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d,
0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58,
0x30, 0x30, 0x32, 0x00, 0x02, 0x44, 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00};
if (sock < 0) {
fprintf(stderr, "[ERROR] could not connect to target smb://%s:%d/\n", hostname, port);
@ -1494,7 +1514,10 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
}
if ((buf[15] & 16) == 16) {
fprintf(stderr, "[ERROR] target smb://%s:%d/ requires signing which we do not support\n", hostname, port);
fprintf(stderr,
"[ERROR] target smb://%s:%d/ requires signing which we do not "
"support\n",
hostname, port);
return -1;
}
@ -1502,7 +1525,8 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_smb(const char *service) {
printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n"
printf("Module smb default value is set to test both local and domain account, "
"using a simple password with NTLM dialect.\n"
"Note: you can set the group type using LOCAL or DOMAIN keyword\n"
" or other_domain:{value} to specify a trusted domain.\n"
" you can set the password type using HASH or MACHINE keyword\n"
@ -1510,6 +1534,9 @@ void usage_smb(const char* service) {
" you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n"
"Example: \n"
" hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n"
" hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n"
" hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n");
" hydra smb://microsoft.com -l admin -p "
"D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m "
"\"local hash\"\n"
" hydra smb://microsoft.com -l admin -p tooeasy -m "
"\"other_domain:SECONDDOMAIN\"\n\n");
}

292
hydra-smb2.c Normal file
View file

@ -0,0 +1,292 @@
/**
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*
* Copyright (C) 2020 Karim Kanso, all rights reserved.
* kaz 'dot' kanso 'at' g mail 'dot' com
*/
#if defined(LIBSMBCLIENT)
#include "hydra-mod.h"
#include <errno.h>
#include <libsmbclient.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
extern char *HYDRA_EXIT;
typedef struct creds {
const char *workgroup;
const char *user;
const char *pass;
} creds_t;
const char default_workgroup[] = "WORKGROUP";
bool use_nt_hash = false;
const char *workgroup = default_workgroup;
const char *netbios_name = NULL;
#define EXIT_PROTOCOL_ERROR hydra_child_exit(2)
#define EXIT_CONNECTION_ERROR hydra_child_exit(1)
#define EXIT_NORMAL hydra_child_exit(0)
void smb2_auth_provider(SMBCCTX *c, const char *srv, const char *shr, char *wg, int wglen, char *un, int unlen, char *pw, int pwlen) {
creds_t *cr = (creds_t *)smbc_getOptionUserData(c);
strncpy(wg, cr->workgroup, wglen);
strncpy(un, cr->user, unlen);
strncpy(pw, cr->pass, pwlen);
wg[wglen - 1] = 0;
un[unlen - 1] = 0;
pw[pwlen - 1] = 0;
}
bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) {
SMBCCTX *ctx = smbc_new_context();
if (ctx == NULL) {
hydra_report(stderr, "[ERROR] failed to create context\n");
EXIT_PROTOCOL_ERROR;
}
// samba internal debugging will be dumped to stderr
smbc_setDebug(ctx, debug ? 7 : 0);
smbc_setOptionDebugToStderr(ctx, true);
smbc_setFunctionAuthDataWithContext(ctx, smb2_auth_provider);
smbc_setOptionUserData(ctx, cr);
// 0 will use default port
smbc_setPort(ctx, port);
smbc_setOptionNoAutoAnonymousLogin(ctx, false);
smbc_setOptionUseNTHash(ctx, use_nt_hash);
if (netbios_name) {
smbc_setNetbiosName(ctx, (char *)netbios_name);
}
ctx = smbc_init_context(ctx);
if (!ctx) {
hydra_report(stderr, "[ERROR] smbc_init_context fail\n");
smbc_free_context(ctx, 1);
EXIT_PROTOCOL_ERROR;
}
char uri[2048];
snprintf(uri, sizeof(uri) - 1, "smb://%s/IPC$", server);
uri[sizeof(uri) - 1] = 0;
if (verbose) {
printf("[INFO] Connecting to: %s with %s\\%s%%%s\n", uri, cr->workgroup, cr->user, cr->pass);
}
SMBCFILE *fd = smbc_getFunctionOpendir(ctx)(ctx, uri);
if (fd) {
hydra_report(stderr, "[WARNING] Unexpected open on IPC$\n");
smbc_getFunctionClosedir(ctx)(ctx, fd);
smbc_free_context(ctx, 1);
fd = NULL;
return true;
}
/*
errno is set to 22 (EINVAL) when IPC$ as been opened but can not
be opened like a normal share. This corresponds to samba error
NT_STATUS_INVALID_INFO_CLASS, however this precise error code is
not available outside of the library. Thus, instead the library
sets a generic error (EINVAL) which can also correspond to other
cases (see below test).
This is not ideal, but appears to be the best that the
libsmbclient library offers as detailed state information is
internalised and not available. Further, it is also not possible
from the api to separate the connection, authentication and
authorisation.
The following text is taken from the libsmbclient header file for
the return value of the smbc_getFunctionOpendir function:
Valid directory handle. < 0 on error with errno set:
- EACCES Permission denied.
- EINVAL A NULL file/URL was passed, or the URL would
not parse, or was of incorrect form or smbc_init not
called.
- ENOENT durl does not exist, or name is an
- ENOMEM Insufficient memory to complete the
operation.
- ENOTDIR name is not a directory.
- EPERM the workgroup could not be found.
- ENODEV the workgroup or server could not be found.
*/
switch (errno) {
case EINVAL: // 22
// probably password ok
smbc_free_context(ctx, 1);
return true;
break;
case EPERM:
// Probably this means access denied inspite of mention above
// about being related to wrong workgroup. I have observed
// libsmbclient emitting this when connecting to a vanilla install
// of Windows 2019 server (non-domain) with wrong credentials. It
// appears related to a fallback null session being rejected after
// the library tries with provided credentials. If the null
// session is accepted, EACCES is returned.
case EACCES:
// 100% access denied
break;
case EHOSTUNREACH:
case ETIMEDOUT:
case ECONNREFUSED:
// there are probably more codes that could be added here to
// indicate connection errors.
smbc_free_context(ctx, 1);
EXIT_CONNECTION_ERROR;
break;
default:
// unexpected error
hydra_report(stderr, "[ERROR] %s (%d)\n", strerror(errno), errno);
smbc_free_context(ctx, 1);
EXIT_PROTOCOL_ERROR;
}
smbc_free_context(ctx, 1);
return false;
}
void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
hydra_register_socket(sp);
while (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))) {
char *login, *pass;
login = hydra_get_next_login();
pass = hydra_get_next_password();
creds_t cr = {
.user = login,
.pass = pass,
.workgroup = workgroup,
};
if (smb2_run_test(&cr, hydra_address2string(ip), port & 0xffff)) {
hydra_completed_pair_found();
} else {
hydra_completed_pair();
}
}
EXIT_NORMAL;
}
// constants used by option parser
const char tkn_workgroup[] = "workgroup:{";
const char tkn_nthash_true[] = "nthash:true";
const char tkn_nthash_false[] = "nthash:false";
const char tkn_netbios[] = "netbios:{";
#define CMP(s1, s2) (strncmp(s1, s2, sizeof(s1) - 1) == 0)
int32_t service_smb2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
if (!miscptr)
return 0;
while (*miscptr) {
if (isspace(*miscptr)) {
miscptr++;
continue;
}
if (CMP(tkn_workgroup, miscptr)) {
miscptr += sizeof(tkn_workgroup) - 1;
char *p = strchr(miscptr, '}');
if (p == NULL) {
hydra_report(stderr, "[ERROR] missing closing brace in workgroup\n");
return -1;
}
*p = '\0';
workgroup = miscptr;
miscptr = p + 1;
if (verbose || debug) {
printf("[VERBOSE] Set workgroup to: %s\n", workgroup);
}
continue;
}
if (CMP(tkn_netbios, miscptr)) {
miscptr += sizeof(tkn_netbios) - 1;
char *p = strchr(miscptr, '}');
if (p == NULL) {
hydra_report(stderr, "[ERROR] missing closing brace in netbios name\n");
return -1;
}
*p = '\0';
netbios_name = miscptr;
miscptr = p + 1;
if (verbose || debug) {
printf("[VERBOSE] Set netbios name to: %s\n", netbios_name);
}
continue;
}
if (CMP(tkn_nthash_true, miscptr)) {
miscptr += sizeof(tkn_nthash_true) - 1;
use_nt_hash = true;
if (verbose || debug) {
printf("[VERBOSE] Enabled nthash.\n");
}
continue;
}
if (CMP(tkn_nthash_false, miscptr)) {
miscptr += sizeof(tkn_nthash_false) - 1;
use_nt_hash = false;
if (verbose || debug) {
printf("[VERBOSE] Disabled nthash.\n");
}
continue;
}
hydra_report(stderr, "[ERROR] unable to parse: %s\n", miscptr);
return -1;
}
return 0;
}
void usage_smb2(const char *service) {
puts("Module is a thin wrapper over the Samba client library (libsmbclient).\n"
"Thus, is capable of negotiating v1, v2 and v3 of the protocol.\n"
"\n"
"As this relies on Samba libraries, the system smb.conf will be parsed\n"
"when library starts up. It is possible to add configuration options\n"
"into that file that affect this module (such as min/max supported\n"
"protocol version).\n"
"\n"
"Caution: due to the high-level libsmbclient api (compared the smb\n"
"Hydra module), the accuracy is reduced. That is, this module works by\n"
"attempting to open the IPC$ share, which is reported as an error,\n"
"e.g. try this with the smbclient tool and it will raise the\n"
"NT_STATUS_INVALID_INFO_CLASS error). Sadly, the level of feedback\n"
"from the api does not distinguish this error from general/unknown\n"
"errors, so it might be possible to have false positives due to this\n"
"fact. One example of this is when the library can not parse the uri\n"
"correctly. On the other hand, false negatives could occur when a\n"
"valid credential is unable to open the share due to access control,\n"
"e.g. a locked/suspended account.\n"
"\n"
"There are three module options available:\n"
" workgroup:{XXX} - set the users workgroup\n"
" netbios:{XXX} - set the recipients netbios name\n"
" nthash:true or nthash:false - threat password as an nthash\n"
"\n"
"Examples: \n"
" hydra smb2://abc.com -l admin -p xxx -m workgroup:{OFFICE}\n"
" hydra smb2://1.2.3.4 -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 -m "
"'workgroup:{OFFICE} nthash:true'\n"
" hydra -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 "
"'smb2://1.2.3.4/workgroup:{OFFICE} nthash:true'\n");
}
#endif // LIBSMBCLIENT

14
hydra-smtp-enum.c
View file

@ -121,14 +121,18 @@ int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options
// we should report command not identified by the server
// 502 5.5.2 Error: command not recognized
//#ifdef HAVE_PCRE
// if ((debug || hydra_string_match(buf, "\\scommand\\snot\\srecognized")) && err) {
// if ((debug || hydra_string_match(buf,
// "\\scommand\\snot\\srecognized")) && err) {
//#else
// if ((debug || strstr(buf, "command") != NULL) && err) {
//#endif
// hydra_report(stderr, "Server %s", err);
// }
if (strncmp(buf, "500 ", 4) == 0) {
hydra_report(stderr, "[ERROR] command is disabled on the server (choose different method): %s", buf);
hydra_report(stderr,
"[ERROR] command is disabled on the server (choose "
"different method): %s",
buf);
free(buf);
return 3;
}
@ -266,6 +270,8 @@ int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char
void usage_smtp_enum(const char *service) {
printf("Module smtp-enum is optionally taking one SMTP command of:\n\n"
"VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n"
"login parameter is used as username and password parameter as the domain name\n"
"For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n");
"login parameter is used as username and password parameter as the "
"domain name\n"
"For example to test if john@localhost exists on 192.168.0.1:\n"
"hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n");
}

45
hydra-smtp.c
View file

@ -37,7 +37,7 @@ char *smtp_read_server_capacity(int32_t sock) {
}
int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *empty = "", *result = NULL;
char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf;
if (strlen(login = hydra_get_next_login()) == 0)
@ -52,7 +52,6 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
switch (smtp_auth_mechanism) {
case AUTH_PLAIN:
sprintf(buffer, "AUTH PLAIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -68,7 +67,9 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
memset(buffer, 0, sizeof(buffer));
sasl_plain(buffer, login, pass);
result = sasl_plain(buffer, login, pass);
if (result == NULL)
return 3;
char tmp_buffer[sizeof(buffer)];
sprintf(tmp_buffer, "%.250s\r\n", buffer);
@ -103,7 +104,9 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
memset(buffer2, 0, sizeof(buffer2));
sasl_cram_md5(buffer2, pass, buffer);
result = sasl_cram_md5(buffer2, pass, buffer);
if (result == NULL)
return 3;
sprintf(buffer, "%s %.250s", preplogin, buffer2);
hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@ -113,8 +116,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "AUTH DIGEST-MD5\r\n");
@ -137,16 +139,15 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "DEBUG S: %s\n", buffer);
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
if (fooptr == NULL)
result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
if (result == NULL)
return 3;
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
#endif
case AUTH_NTLM: {
@ -174,8 +175,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
} break;
default:
/* by default trying AUTH LOGIN */
@ -188,7 +188,10 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
/* 504 5.7.4 Unrecognized authentication type */
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: %s\n", buf);
hydra_report(stderr,
"[ERROR] SMTP LOGIN AUTH, either this auth is disabled or "
"server is not using auth: %s\n",
buf);
free(buf);
return 3;
}
@ -325,7 +328,8 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '2') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -346,9 +350,11 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
hydra_child_exit(2);
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it "
"is not supported by the server\n");
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is "
"not supported by the server\n");
}
#endif
@ -380,9 +386,7 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
smtp_auth_mechanism = AUTH_PLAIN;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "LOGIN"))
smtp_auth_mechanism = AUTH_LOGIN;
@ -399,7 +403,6 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (strstr(miscptr, "NTLM"))
smtp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
@ -460,5 +463,7 @@ int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_smtp(const char *service) {
printf("Module smtp is optionally taking one authentication type of:\n"
" LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"
"Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n");
"Additionally TLS encryption via STARTTLS can be enforced with the "
"TLS option.\n\n"
"Example: smtp://target/TLS:PLAIN\n");
}

73
hydra-snmp.c
View file

@ -1,10 +1,10 @@
#include "hydra-mod.h"
#ifdef LIBOPENSSL
#include <openssl/aes.h>
#include <openssl/des.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/des.h>
#include <openssl/aes.h>
#endif
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -15,29 +15,11 @@ extern int32_t child_head_no;
char snmpv3buf[1024], *snmpv3info = NULL;
int32_t snmpv3infolen = 0, snmpversion = 1, snmpread = 1, hashtype = 1, enctype = 0;
unsigned char snmpv3_init[] = { 0x30, 0x3e, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02,
0x04, 0x08, 0x86, 0xdd, 0xf0, 0x02, 0x03, 0x00,
0xff, 0xe3, 0x04, 0x01, 0x04, 0x02, 0x01, 0x03,
0x04, 0x10, 0x30, 0x0e, 0x04, 0x00, 0x02, 0x01,
0x00, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00,
0x04, 0x00, 0x30, 0x14, 0x04, 0x00, 0x04, 0x00,
0xa0, 0x0e, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbc,
0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00
};
unsigned char snmpv3_init[] = {0x30, 0x3e, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, 0x04, 0x08, 0x86, 0xdd, 0xf0, 0x02, 0x03, 0x00, 0xff, 0xe3, 0x04, 0x01, 0x04, 0x02, 0x01, 0x03, 0x04, 0x10, 0x30, 0x0e, 0x04, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x30, 0x14, 0x04, 0x00, 0x04, 0x00, 0xa0, 0x0e, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbc, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00};
unsigned char snmpv3_get1[] = { 0x30, 0x77, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02,
0x04, 0x08, 0x86, 0xdd, 0xef, 0x02, 0x03, 0x00,
0xff, 0xe3, 0x04, 0x01, 0x05, 0x02, 0x01, 0x03
};
unsigned char snmpv3_get1[] = {0x30, 0x77, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, 0x04, 0x08, 0x86, 0xdd, 0xef, 0x02, 0x03, 0x00, 0xff, 0xe3, 0x04, 0x01, 0x05, 0x02, 0x01, 0x03};
unsigned char snmpv3_get2[] = { 0x30, 0x2e, 0x04, 0x0c, 0x80, 0x00, 0x00,
0x09, 0x03, 0x00, 0x00, 0x1f, 0xca, 0x8d, 0x82,
0x1b, 0x04, 0x00, 0xa0, 0x1c, 0x02, 0x04, 0x3f,
0x44, 0x5c, 0xbb, 0x02, 0x01, 0x00, 0x02, 0x01,
0x00, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b,
0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05,
0x00
};
unsigned char snmpv3_get2[] = {0x30, 0x2e, 0x04, 0x0c, 0x80, 0x00, 0x00, 0x09, 0x03, 0x00, 0x00, 0x1f, 0xca, 0x8d, 0x82, 0x1b, 0x04, 0x00, 0xa0, 0x1c, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbb, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00};
unsigned char snmpv3_nouser[] = {0x04, 0x00, 0x04, 0x00, 0x04, 0x00};
@ -49,13 +31,11 @@ struct SNMPV1_A {
char comlen;
};
struct SNMPV1_A snmpv1_a = {
.ID = '\x30',
struct SNMPV1_A snmpv1_a = {.ID = '\x30',
.len = '\x00',
.ver = "\x02\x01\x00", /* \x02\x01\x01 for snmpv2c, \x02\x01\x03 for snmpv3 */
.comid = '\x04',
.comlen = '\x00'
};
.comlen = '\x00'};
struct SNMPV1_R {
unsigned char type[2];
@ -68,10 +48,12 @@ struct SNMPV1_R {
unsigned char value[3];
} snmpv1_r = {
.type = "\xa0\x1b", /* GET */
.identid = "\x02\x04",.ident = "\x1a\x5e\x97\x00", /* random crap :) */
.identid = "\x02\x04",
.ident = "\x1a\x5e\x97\x00", /* random crap :) */
.errstat = "\x02\x01\x00", /* no error */
.errind = "\x02\x01\x00", /* error index 0 */
.objectid = "\x30\x0d",.object = "\x30\x0b\x06\x07\x2b\x06\x01\x02\x01\x01\x01", /* sysDescr */
.objectid = "\x30\x0d",
.object = "\x30\x0b\x06\x07\x2b\x06\x01\x02\x01\x01\x01", /* sysDescr */
.value = "\x05\x00" /* we just read, so value = 0 */
};
@ -86,11 +68,13 @@ struct SNMPV1_W {
unsigned char value[8];
} snmpv1_w = {
.type = "\xa3\x21", /* SET */
.identid = "\x02\x04",.ident = "\x1a\x5e\x97\x22", /* random crap :) */
.identid = "\x02\x04",
.ident = "\x1a\x5e\x97\x22", /* random crap :) */
.errstat = "\x02\x01\x00", /* no error */
.errind = "\x02\x01\x00", /* error index 0 */
.objectid = "\x30\x13", /* string */
.object = "\x30\x11\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00",.value = "\x04\x05Hydra" /* writing hydra :-) */
.object = "\x30\x11\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00",
.value = "\x04\x05Hydra" /* writing hydra :-) */
};
#ifdef LIBOPENSSL
@ -277,7 +261,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (enctype == 0)
buffer[1] = 48 + sizeof(snmpv3_get1) + buffer[i + 1];
i += snmpv3infolen;
//printf("2 + %d + %d + %d = 0x%02x\n", off, snmpv3infolen, strlen(login), buffer[1]);
// printf("2 + %d + %d + %d = 0x%02x\n", off, snmpv3infolen, strlen(login),
// buffer[1]);
buffer[i] = 0x04;
buffer[i + 1] = strlen(login);
@ -341,7 +326,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
#endif
/* for (i = 0; i <= sizeof(snmpv3_get2) - 8; i += 8) {
DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8, (const_DES_cblock*)(initVect), DES_ENCRYPT);
DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8,
(const_DES_cblock*)(initVect), DES_ENCRYPT);
}
// last part of buffer
if (buffer_len % 8) {
@ -351,10 +337,9 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
memset(tmp_buf, 0, 8);
for (uint32_t l = start; l < buffer_len; l++)
*tmp_buf_ptr++ = buffer[l];
DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc, (const_DES_cblock*)(initVect), DES_ENCRYPT);
*out_buffer_len = buffer_len + 8 - (buffer_len % 8);
} else
*out_buffer_len = buffer_len;
DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc,
(const_DES_cblock*)(initVect), DES_ENCRYPT); *out_buffer_len =
buffer_len + 8 - (buffer_len % 8); } else *out_buffer_len = buffer_len;
*/
// dummy
k = ((sizeof(snmpv3_get2) - 2) / 8);
@ -453,7 +438,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
} else if ((buf[off + 15] & 5) == 4 && hydra_memsearch(buf, i, snmpv3_nouser, sizeof(snmpv3_nouser)) >= 0) { // user does not exist
} else if ((buf[off + 15] & 5) == 4 && hydra_memsearch(buf, i, snmpv3_nouser,
sizeof(snmpv3_nouser)) >= 0) { // user does not exist
if (verbose)
printf("[INFO] user %s does not exist, skipping\n", login);
hydra_completed_pair_skip();
@ -538,8 +524,9 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (debug)
hydra_dump_asciihex(snmpv3info, snmpv3infolen);
if (snmpv3info[10] == 3 && child_head_no == 0)
printf("[INFO] Remote device MAC address is %02x:%02x:%02x:%02x:%02x:%02x\n", (unsigned char) snmpv3info[12], (unsigned char) snmpv3info[13],
(unsigned char) snmpv3info[14], (unsigned char) snmpv3info[15], (unsigned char) snmpv3info[16], (unsigned char) snmpv3info[12]);
printf("[INFO] Remote device MAC address is "
"%02x:%02x:%02x:%02x:%02x:%02x\n",
(unsigned char)snmpv3info[12], (unsigned char)snmpv3info[13], (unsigned char)snmpv3info[14], (unsigned char)snmpv3info[15], (unsigned char)snmpv3info[16], (unsigned char)snmpv3info[12]);
}
}
}
@ -594,13 +581,15 @@ void usage_snmp(const char* service) {
" 1 use SNMP version 1 (default)\n"
" 2 use SNMP version 2\n"
" 3 use SNMP version 3\n"
" Note that SNMP version 3 usually uses both login and passwords!\n"
" Note that SNMP version 3 usually uses both login and "
"passwords!\n"
" SNMP version 3 has the following optional sub parameters:\n"
" MD5 use MD5 authentication (default)\n"
" SHA use SHA authentication\n"
" DES use DES encryption\n"
" AES use AES encryption\n"
" if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n"
" if no -p/-P parameter is given, SNMPv3 noauth is performed, "
"which\n"
" only requires a password (or username) not both.\n"
"To combine the options, use colons (\":\"), e.g.:\n"
" hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n"

29
hydra-ssh.c
View file

@ -8,9 +8,7 @@ have to add option -DWITH_SSH1=On in the cmake
#include "hydra-mod.h"
#ifndef LIBSSH
void dummy_ssh() {
printf("\n");
}
void dummy_ssh() { printf("\n"); }
#else
#include <libssh/libssh.h>
@ -158,8 +156,8 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
#endif
//
// dirty workaround here: miscptr is the ptr to the logins, and the first one is used
// to test if password authentication is enabled!!
// dirty workaround here: miscptr is the ptr to the logins, and the first one is
// used to test if password authentication is enabled!!
//
int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -178,7 +176,9 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc
ssh_session session = ssh_new();
if (verbose || debug)
printf("[INFO] Testing if password authentication is supported by ssh://%s@%s:%d\n", miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port);
printf("[INFO] Testing if password authentication is supported by "
"ssh://%s@%s:%d\n",
miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port);
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
if (miscptr == NULL)
@ -198,19 +198,28 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc
ssh_finalize();
ssh_free(session);
if (debug) printf("[DEBUG] SSH method check: %08x\n", method);
if (debug)
printf("[DEBUG] SSH method check: %08x\n", method);
if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) {
if (verbose || debug)
printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string_beautiful(ip), port);
printf("[INFO] Successful, password authentication is supported by "
"ssh://%s:%d\n",
hydra_address2string_beautiful(ip), port);
return 0;
} else if (method == 0) {
if (verbose || debug)
fprintf(stderr, "[WARNING] invalid SSH method reply from ssh://%s:%d, continuing anyway ... (check for empty password!)\n", hydra_address2string_beautiful(ip), port);
fprintf(stderr,
"[WARNING] invalid SSH method reply from ssh://%s:%d, continuing "
"anyway ... (check for empty password!)\n",
hydra_address2string_beautiful(ip), port);
return 0;
}
fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication (method reply %d).\n", hydra_address2string_beautiful(ip), port, method);
fprintf(stderr,
"[ERROR] target ssh://%s:%d/ does not support password "
"authentication (method reply %d).\n",
hydra_address2string_beautiful(ip), port, method);
return 1;
#else
return 0;

10
hydra-sshkey.c
View file

@ -8,9 +8,7 @@
#include "hydra-mod.h"
#ifndef LIBSSH
void dummy_sshkey() {
printf("\n");
}
void dummy_sshkey() { printf("\n"); }
#else
#include <libssh/libssh.h>
@ -169,8 +167,10 @@ int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *m
}
void usage_sshkey(const char *service) {
printf("Module sshkey does not provide additional options, although the semantic for\n"
printf("Module sshkey does not provide additional options, although the "
"semantic for\n"
"options -p and -P is changed:\n"
" -p expects a path to an unencrypted private key in PEM format.\n"
" -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n");
" -P expects a filename containing a list of path to some unencrypted\n"
" private keys in PEM format.\n\n");
}

18
hydra-svn.c
View file

@ -10,12 +10,12 @@
#include <sys/param.h>
#endif
#include <svn_version.h>
#include <svn_client.h>
#include <svn_cmdline.h>
#include <svn_pools.h>
#include <svn_config.h>
#include <svn_fs.h>
#include <svn_pools.h>
#include <svn_version.h>
#if SVN_VER_MINOR > 7
#include <svn_path.h>
#endif
@ -25,9 +25,7 @@
#include "hydra-mod.h"
#ifndef LIBSVN
void dummy_svn() {
printf("\n");
}
void dummy_svn() { printf("\n"); }
#else
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -36,9 +34,7 @@ extern char *HYDRA_EXIT;
#define DEFAULT_BRANCH "trunk"
static svn_error_t *print_dirdummy(void *baton, const char *path, const svn_dirent_t * dirent, const svn_lock_t * lock, const char *abs_path, apr_pool_t * pool) {
return SVN_NO_ERROR;
}
static svn_error_t *print_dirdummy(void *baton, const char *path, const svn_dirent_t *dirent, const svn_lock_t *lock, const char *abs_path, apr_pool_t *pool) { return SVN_NO_ERROR; }
static svn_error_t *my_simple_prompt_callback(svn_auth_cred_simple_t **cred, void *baton, const char *realm, const char *username, svn_boolean_t may_save, apr_pool_t *pool) {
char *empty = "";
@ -207,7 +203,8 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
return;
default:
if (!verbose)
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose "
"option for more details\n");
hydra_child_exit(0);
}
run = next_run;
@ -239,5 +236,6 @@ int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_svn(const char *service) {
printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n");
printf("Module svn is optionally taking the repository name to attack, "
"default is \"trunk\"\n\n");
}

1
hydra-teamspeak.c
View file

@ -36,7 +36,6 @@ struct team_speak {
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern char *HYDRA_EXIT;
char *buf;
int32_t start_teamspeak(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";

9
hydra-telnet.c
View file

@ -76,10 +76,7 @@ int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, c
/*win7 answering with do terminal type = 0xfd 0x18 */
while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:") == NULL || strstr(buf, "last login:") != NULL) && strstr(buf, "sername:") == NULL) {
if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL &&
strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL &&
(index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL ||
index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) {
if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL && (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) {
hydra_report_found_host(port, ip, "telnet", fp);
hydra_completed_pair_found();
free(buf);
@ -220,5 +217,7 @@ int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *m
void usage_telnet(const char *service) {
printf("Module telnet is optionally taking the string which is displayed after\n"
"a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n");
"a successful login (case insensitive), use if the default in the "
"telnet\n"
"module produces too many false positives\n\n");
}

13
hydra-time.c
View file

@ -2,8 +2,7 @@
#ifndef _WIN32
#include <time.h>
int32_t sleepn(time_t seconds)
{
int32_t sleepn(time_t seconds) {
struct timespec ts;
ts.tv_sec = seconds;
ts.tv_nsec = 0;
@ -19,13 +18,7 @@ int32_t usleepn(uint64_t milisec) {
#else
#include <windows.h>
int32_t sleepn(uint32_t seconds)
{
return SleepEx(milisec*1000,TRUE);
}
int32_t sleepn(uint32_t seconds) { return SleepEx(milisec * 1000, TRUE); }
int32_t usleepn(uint32_t milisec)
{
return SleepEx(milisec,TRUE);
}
int32_t usleepn(uint32_t milisec) { return SleepEx(milisec, TRUE); }
#endif

9
hydra-vmauthd.c
View file

@ -5,7 +5,6 @@
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
char *buf;
@ -99,7 +98,8 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr,
// fprintf(stderr, "%s\n",buf);
// 220 VMware Authentication Daemon Version 1.00
// 220 VMware Authentication Daemon Version 1.10: SSL Required
//220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
// 220 VMware Authentication Daemon Version 1.10: SSL Required,
// ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
if (buf == NULL || strstr(buf, "220 VMware Authentication Daemon Version ") == NULL) {
/* check the first line */
@ -108,7 +108,10 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr,
hydra_child_exit(2);
}
if ((strstr(buf, "Version 1.00") == NULL) && (strstr(buf, "Version 1.10") == NULL)) {
hydra_report(stderr, "[ERROR] this vmware authd protocol is not supported, please report: %s\n", buf);
hydra_report(stderr,
"[ERROR] this vmware authd protocol is not supported, "
"please report: %s\n",
buf);
free(buf);
hydra_child_exit(2);
}

21
hydra-vnc.c
View file

@ -5,8 +5,8 @@
*
*/
#include "hydra-mod.h"
#include "d3des.h"
#include "hydra-mod.h"
#define CHALLENGESIZE 16
@ -75,7 +75,7 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char
// supported security type
switch (buf2[3]) {
case 0x0:
hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]);
hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf2[3]);
hydra_child_exit(0);
break;
case 0x1:
@ -181,14 +181,16 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
}
if (strstr(buf, " security failures") != NULL) { /* check the first line */
/*
VNC has a 'blacklisting' scheme that blocks an IP address after five unsuccessful connection attempts.
The IP address is initially blocked for ten seconds,
but this doubles for each unsuccessful attempt thereafter.
A successful connection from an IP address resets the blacklist timeout.
This is built in to VNC Server and does not rely on operating system support.
VNC has a 'blacklisting' scheme that blocks an IP address after five
unsuccessful connection attempts. The IP address is initially blocked
for ten seconds, but this doubles for each unsuccessful attempt
thereafter. A successful connection from an IP address resets the
blacklist timeout. This is built in to VNC Server and does not rely
on operating system support.
*/
failed_auth++;
hydra_report(stderr, "VNC server reported too many authentication failures, have to wait some seconds ...\n");
hydra_report(stderr, "VNC server reported too many authentication "
"failures, have to wait some seconds ...\n");
sleep(12 * failed_auth);
free(buf);
next_run = 1;
@ -197,7 +199,8 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
if (verbose)
hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf);
if (((strstr(buf, "RFB 005.000") != NULL) || (strstr(buf, "RFB 004") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) {
//using proto version 003.007 to talk to server 005.xxx and 004.xxx same for 3.7 and 3.8
// using proto version 003.007 to talk to server 005.xxx and 004.xxx
// same for 3.7 and 3.8
vnc_client_version = RFB37;
free(buf);
buf = strdup("RFB 003.007\n");

62
hydra-xmpp.c
View file

@ -9,10 +9,11 @@ static char *domain = NULL;
int32_t xmpp_auth_mechanism = AUTH_ERROR;
char *JABBER_CLIENT_INIT_STR = "<?xml version='1.0' ?><stream:stream to='";
char *JABBER_CLIENT_INIT_END_STR = "' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>";
char *JABBER_CLIENT_INIT_END_STR = "' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
"version='1.0'>";
int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "\"\"";
char *empty = "\"\"", *result = NULL;
char *login, *pass, buffer[500], buffer2[500];
char *AUTH_STR = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='";
char *AUTH_STR_END = "'/>";
@ -120,24 +121,26 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
}
}
}
break;
} break;
#ifdef LIBOPENSSL
case AUTH_PLAIN: {
memset(buffer2, 0, sizeof(buffer));
sasl_plain(buffer2, login, pass);
result = sasl_plain(buffer2, login, pass);
if (result == NULL)
return 3;
sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", buffer);
}
break;
} break;
case AUTH_CRAMMD5: {
int32_t rc = 0;
char *preplogin;
memset(buffer2, 0, sizeof(buffer2));
sasl_cram_md5(buffer2, pass, buffer);
result = sasl_cram_md5(buffer2, pass, buffer);
if (result == NULL)
return 3;
rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
@ -153,13 +156,12 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
strncpy(buffer, buffer2, sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
memset(buffer2, 0, sizeof(buffer2));
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
if (fooptr == NULL) {
result = sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
if (result == NULL) {
free(buf);
return 3;
}
@ -167,8 +169,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
}
break;
} break;
case AUTH_SCRAMSHA1: {
/*client-first-message */
char clientfirstmessagebare[200];
@ -220,8 +221,8 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
memset(buffer2, 0, sizeof(buffer2));
fooptr = buffer2;
sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (fooptr == NULL) {
result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (result == NULL) {
hydra_report(stderr, "[ERROR] Can't compute client response\n");
free(buf);
return 1;
@ -234,8 +235,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
return 1;
}
}
break;
} break;
#endif
ptr = 0;
}
@ -249,8 +249,9 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (buf == NULL)
return 1;
//we test the challenge tag as digest-md5 when connected is sending "rspauth" value
//so if we are receiving a second challenge we assume the auth is good
// we test the challenge tag as digest-md5 when connected is sending
// "rspauth" value so if we are receiving a second challenge we assume the
// auth is good
if ((strstr(buf, "<success") != NULL) || (strstr(buf, "<challenge ") != NULL)) {
hydra_report_found_host(port, ip, "xmpp", fp);
@ -284,14 +285,16 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha
int32_t myport = PORT_XMPP, mysslport = PORT_XMPP_SSL, disable_tls = 0;
char *enddomain = NULL;
//we have to pass the target here as the reverse dns resolution is not working for some servers
//try to extract only the domain name from the target
//so for o.nimbuzz.com will get nimbuzz.com
//and hermes.jabber.org will get jabber.org
// we have to pass the target here as the reverse dns resolution is not
// working for some servers try to extract only the domain name from the
// target so for o.nimbuzz.com will get nimbuzz.com and hermes.jabber.org will
// get jabber.org
domain = strchr(target, '.');
if (!domain) {
hydra_report(stderr, "[ERROR] can't extract the domain name, you have to specify a fqdn xmpp server, the domain name will be used in the jabber init request\n");
hydra_report(stderr, "[ERROR] can't extract the domain name, you have to "
"specify a fqdn xmpp server, the domain name will be "
"used in the jabber init request\n");
hydra_child_exit(1);
}
@ -351,7 +354,11 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha
if (strstr(buf, "<stream:error")) {
if (strstr(buf, "<host-unknown"))
hydra_report(stderr, "[ERROR] %s host unknown, you have to specify a fqdn xmpp server, the domain name will be used in the jabber init request : %s\n", domain, buf);
hydra_report(stderr,
"[ERROR] %s host unknown, you have to specify a fqdn "
"xmpp server, the domain name will be used in the "
"jabber init request : %s\n",
domain, buf);
else
hydra_report(stderr, "[ERROR] xmpp protocol : %s\n", buf);
free(buf);
@ -502,5 +509,6 @@ int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_xmpp(const char *service) {
printf("Module xmpp is optionally taking one authentication type of:\n"
" LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n"
"Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n");
"Note, the target passed should be a fdqn as the value is used in the "
"Jabber init request, example: hermes.jabber.org\n\n");
}

2
hydra.1
View file

@ -1,4 +1,4 @@
.TH "HYDRA" "1" "01/01/2019"
.TH "HYDRA" "1" "01/01/2020"
.SH NAME
hydra \- a very fast network logon cracker which supports many different services
.SH SYNOPSIS

1067
hydra.c
View file

File diff suppressed because it is too large Load diff

49
hydra.h
View file

@ -15,26 +15,25 @@
#define hPRIu64 "lu"
#endif
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <ctype.h>
#include <signal.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <time.h>
#include <unistd.h>
#ifdef HAVE_OPENSSL
#define HYDRA_SSL
@ -172,22 +171,9 @@
int32_t usleepn(uint32_t useconds);
#endif
typedef enum {
MODE_PASSWORD_LIST = 1,
MODE_LOGIN_LIST = 2,
MODE_PASSWORD_BRUTE = 4,
MODE_PASSWORD_REVERSE = 8,
MODE_PASSWORD_NULL = 16,
MODE_PASSWORD_SAME = 32,
MODE_COLON_FILE = 64
} hydra_mode_t;
typedef enum { MODE_PASSWORD_LIST = 1, MODE_LOGIN_LIST = 2, MODE_PASSWORD_BRUTE = 4, MODE_PASSWORD_REVERSE = 8, MODE_PASSWORD_NULL = 16, MODE_PASSWORD_SAME = 32, MODE_COLON_FILE = 64 } hydra_mode_t;
typedef enum {
FORMAT_PLAIN_TEXT,
FORMAT_JSONV1,
FORMAT_JSONV2,
FORMAT_XMLV1
} output_format_t;
typedef enum { FORMAT_PLAIN_TEXT, FORMAT_JSONV1, FORMAT_JSONV2, FORMAT_XMLV1 } output_format_t;
typedef struct {
hydra_mode_t mode;
@ -220,6 +206,7 @@ typedef struct {
char *server;
char *service;
char bfg;
_Bool rainy;
int32_t skip_redo;
_Bool rainy;
} hydra_option;

30
libpq-fe.h
View file

@ -197,8 +197,7 @@ extern "C" {
extern PGconn *PQconnectdb(const char *conninfo);
extern PGconn *PQsetdbLogin(const char *pghost, const char *pgport, const char *pgoptions, const char *pgtty, const char *dbName, const char *login, const char *pwd);
#define PQsetdb(M_PGHOST,M_PGPORT,M_PGOPT,M_PGTTY,M_DBNAME) \
PQsetdbLogin(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME, NULL, NULL)
#define PQsetdb(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME) PQsetdbLogin(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME, NULL, NULL)
/* close the current connection and free the PGconn data structure */
extern void PQfinish(PGconn *conn);
@ -263,19 +262,13 @@ extern "C" {
/* Simple synchronous query */
extern PGresult *PQexec(PGconn *conn, const char *query);
extern PGresult *PQexecParams(PGconn * conn,
const char *command,
int32_t nParams, const Oid * paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQexecPrepared(PGconn * conn,
const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQexecParams(PGconn *conn, const char *command, int32_t nParams, const Oid *paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQexecPrepared(PGconn *conn, const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
/* Interface for multiple-result or asynchronous queries */
extern int32_t PQsendQuery(PGconn *conn, const char *query);
extern int32_t PQsendQueryParams(PGconn * conn,
const char *command,
int32_t nParams, const Oid * paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern int32_t PQsendQueryPrepared(PGconn * conn,
const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern int32_t PQsendQueryParams(PGconn *conn, const char *command, int32_t nParams, const Oid *paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern int32_t PQsendQueryPrepared(PGconn *conn, const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQgetResult(PGconn *conn);
/* Routines for managing an asynchronous query */
@ -350,38 +343,31 @@ extern "C" {
*/
extern PGresult *PQmakeEmptyPGresult(PGconn *conn, ExecStatusType status);
/* Quoting strings before inclusion in queries. */
extern size_t PQescapeString(char *to, const char *from, size_t length);
extern unsigned char *PQescapeBytea(const unsigned char *bintext, size_t binlen, size_t *bytealen);
extern unsigned char *PQunescapeBytea(const unsigned char *strtext, size_t *retbuflen);
/* === in fe-print.c === */
extern void
PQprint(FILE * fout, /* output stream */
extern void PQprint(FILE *fout, /* output stream */
const PGresult *res, const PQprintOpt *ps); /* option structure */
/*
* really old printing routines
*/
extern void
PQdisplayTuples(const PGresult * res, FILE * fp, /* where to send the output */
extern void PQdisplayTuples(const PGresult *res, FILE *fp, /* where to send the output */
int32_t fillAlign, /* pad the fields with spaces */
const char *fieldSep, /* field separator */
int32_t printHeader, /* display headers? */
int32_t quiet);
extern void
PQprintTuples(const PGresult * res, FILE * fout, /* output stream */
extern void PQprintTuples(const PGresult *res, FILE *fout, /* output stream */
int32_t printAttName, /* print attribute names */
int32_t terseOutput, /* delimiter bars */
int32_t width); /* width of column, if 0, use variable
* width */
/* === in fe-lobj.c === */
/* Large-object access routines */

367
ntlm.c
View file

@ -36,17 +36,16 @@
*/
#include <stdio.h>
#ifdef WIN32
#else
#include <unistd.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
#include <string.h>
#include "ntlm.h"
#include <assert.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Byte order macros */
#ifndef _BYTEORDER_H
@ -127,28 +126,82 @@ it also defines lots of intermediate macros, just ignore those :-)
/* some switch macros that do both store and read to and from SMB buffers */
#define RW_PCVAL(read, inbuf, outbuf, len) \
{ if (read) { PCVAL (inbuf,0,outbuf,len); } \
else { PSCVAL(inbuf,0,outbuf,len); } }
{ \
if (read) { \
PCVAL(inbuf, 0, outbuf, len); \
} else { \
PSCVAL(inbuf, 0, outbuf, len); \
} \
}
#define RW_PIVAL(read, big_endian, inbuf, outbuf, len) \
{ if (read) { if (big_endian) { RPIVAL(inbuf,0,outbuf,len); } else { PIVAL(inbuf,0,outbuf,len); } } \
else { if (big_endian) { RPSIVAL(inbuf,0,outbuf,len); } else { PSIVAL(inbuf,0,outbuf,len); } } }
{ \
if (read) { \
if (big_endian) { \
RPIVAL(inbuf, 0, outbuf, len); \
} else { \
PIVAL(inbuf, 0, outbuf, len); \
} \
} else { \
if (big_endian) { \
RPSIVAL(inbuf, 0, outbuf, len); \
} else { \
PSIVAL(inbuf, 0, outbuf, len); \
} \
} \
}
#define RW_PSVAL(read, big_endian, inbuf, outbuf, len) \
{ if (read) { if (big_endian) { RPSVAL(inbuf,0,outbuf,len); } else { PSVAL(inbuf,0,outbuf,len); } } \
else { if (big_endian) { RPSSVAL(inbuf,0,outbuf,len); } else { PSSVAL(inbuf,0,outbuf,len); } } }
{ \
if (read) { \
if (big_endian) { \
RPSVAL(inbuf, 0, outbuf, len); \
} else { \
PSVAL(inbuf, 0, outbuf, len); \
} \
} else { \
if (big_endian) { \
RPSSVAL(inbuf, 0, outbuf, len); \
} else { \
PSSVAL(inbuf, 0, outbuf, len); \
} \
} \
}
#define RW_CVAL(read, inbuf, outbuf, offset) \
{ if (read) { (outbuf) = CVAL (inbuf,offset); } \
else { SCVAL(inbuf,offset,outbuf); } }
{ \
if (read) { \
(outbuf) = CVAL(inbuf, offset); \
} else { \
SCVAL(inbuf, offset, outbuf); \
} \
}
#define RW_IVAL(read, big_endian, inbuf, outbuf, offset) \
{ if (read) { (outbuf) = ((big_endian) ? RIVAL(inbuf,offset) : IVAL (inbuf,offset)); } \
else { if (big_endian) { RSIVAL(inbuf,offset,outbuf); } else { SIVAL(inbuf,offset,outbuf); } } }
{ \
if (read) { \
(outbuf) = ((big_endian) ? RIVAL(inbuf, offset) : IVAL(inbuf, offset)); \
} else { \
if (big_endian) { \
RSIVAL(inbuf, offset, outbuf); \
} else { \
SIVAL(inbuf, offset, outbuf); \
} \
} \
}
#define RW_SVAL(read, big_endian, inbuf, outbuf, offset) \
{ if (read) { (outbuf) = ((big_endian) ? RSVAL(inbuf,offset) : SVAL (inbuf,offset)); } \
else { if (big_endian) { RSSVAL(inbuf,offset,outbuf); } else { SSVAL(inbuf,offset,outbuf); } } }
{ \
if (read) { \
(outbuf) = ((big_endian) ? RSVAL(inbuf, offset) : SVAL(inbuf, offset)); \
} else { \
if (big_endian) { \
RSSVAL(inbuf, offset, outbuf); \
} else { \
SSVAL(inbuf, offset, outbuf); \
} \
} \
}
#undef CAREFUL_ALIGNMENT
@ -166,7 +219,6 @@ it also defines lots of intermediate macros, just ignore those :-)
#define PVAL(buf, pos) ((unsigned)CVAL(buf, pos))
#define SCVAL(buf, pos, val) (CVAL(buf, pos) = (val))
#if CAREFUL_ALIGNMENT
#define SVAL(buf, pos) (PVAL(buf, pos) | PVAL(buf, (pos) + 1) << 8)
@ -207,10 +259,18 @@ it also defines lots of intermediate macros, just ignore those :-)
/* macros for reading / writing arrays */
#define SMBMACRO(macro, buf, pos, val, len, size) \
{ int32_t l; for (l = 0; l < (len); l++) (val)[l] = macro((buf), (pos) + (size)*l); }
{ \
int32_t l; \
for (l = 0; l < (len); l++) \
(val)[l] = macro((buf), (pos) + (size)*l); \
}
#define SSMBMACRO(macro, buf, pos, val, len, size) \
{ int32_t l; for (l = 0; l < (len); l++) macro((buf), (pos) + (size)*l, (val)[l]); }
{ \
int32_t l; \
for (l = 0; l < (len); l++) \
macro((buf), (pos) + (size)*l, (val)[l]); \
}
/* reads multiple data from an SMB buffer */
#define PCVAL(buf, pos, val, len) SMBMACRO(CVAL, buf, pos, val, len, 1)
@ -228,7 +288,6 @@ it also defines lots of intermediate macros, just ignore those :-)
#define PSSVALS(buf, pos, val, len) SSMBMACRO(SSVALS, buf, pos, val, len, 2)
#define PSIVALS(buf, pos, val, len) SSMBMACRO(SIVALS, buf, pos, val, len, 4)
/* now the reverse routines - these are used in nmb packets (mostly) */
#define SREV(x) ((((x)&0xFF) << 8) | (((x) >> 8) & 0xFF))
#define IREV(x) ((SREV(x) << 16) | (SREV((x) >> 16)))
@ -255,47 +314,70 @@ it also defines lots of intermediate macros, just ignore those :-)
#define RPSIVALS(buf, pos, val, len) SSMBMACRO(RSIVALS, buf, pos, val, len, 4)
#define DBG_RW_PCVAL(charmode, string, depth, base, read, inbuf, outbuf, len) \
{ RW_PCVAL(read,inbuf,outbuf,len) \
DEBUG(5,("%s%04x %s: ", \
tab_depth(depth), base,string)); \
if (charmode) print_asc(5, (unsigned char*)(outbuf), (len)); else \
{ int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%02x ", (outbuf)[idx])); } } \
DEBUG(5,("\n")); }
{ \
RW_PCVAL(read, inbuf, outbuf, len) \
DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \
if (charmode) \
print_asc(5, (unsigned char *)(outbuf), (len)); \
else { \
int32_t idx; \
for (idx = 0; idx < len; idx++) { \
DEBUG(5, ("%02x ", (outbuf)[idx])); \
} \
} \
DEBUG(5, ("\n")); \
}
#define DBG_RW_PSVAL(charmode, string, depth, base, read, big_endian, inbuf, outbuf, len) \
{ RW_PSVAL(read,big_endian,inbuf,outbuf,len) \
DEBUG(5,("%s%04x %s: ", \
tab_depth(depth), base,string)); \
if (charmode) print_asc(5, (unsigned char*)(outbuf), 2*(len)); else \
{ int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%04x ", (outbuf)[idx])); } } \
DEBUG(5,("\n")); }
{ \
RW_PSVAL(read, big_endian, inbuf, outbuf, len) \
DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \
if (charmode) \
print_asc(5, (unsigned char *)(outbuf), 2 * (len)); \
else { \
int32_t idx; \
for (idx = 0; idx < len; idx++) { \
DEBUG(5, ("%04x ", (outbuf)[idx])); \
} \
} \
DEBUG(5, ("\n")); \
}
#define DBG_RW_PIVAL(charmode, string, depth, base, read, big_endian, inbuf, outbuf, len) \
{ RW_PIVAL(read,big_endian,inbuf,outbuf,len) \
DEBUG(5,("%s%04x %s: ", \
tab_depth(depth), base,string)); \
if (charmode) print_asc(5, (unsigned char*)(outbuf), 4*(len)); else \
{ int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%08x ", (outbuf)[idx])); } } \
DEBUG(5,("\n")); }
{ \
RW_PIVAL(read, big_endian, inbuf, outbuf, len) \
DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \
if (charmode) \
print_asc(5, (unsigned char *)(outbuf), 4 * (len)); \
else { \
int32_t idx; \
for (idx = 0; idx < len; idx++) { \
DEBUG(5, ("%08x ", (outbuf)[idx])); \
} \
} \
DEBUG(5, ("\n")); \
}
#define DBG_RW_CVAL(string, depth, base, read, inbuf, outbuf) \
{ RW_CVAL(read,inbuf,outbuf,0) \
DEBUG(5,("%s%04x %s: %02x\n", \
tab_depth(depth), base, string, outbuf)); }
{ \
RW_CVAL(read, inbuf, outbuf, 0) \
DEBUG(5, ("%s%04x %s: %02x\n", tab_depth(depth), base, string, outbuf)); \
}
#define DBG_RW_SVAL(string, depth, base, read, big_endian, inbuf, outbuf) \
{ RW_SVAL(read,big_endian,inbuf,outbuf,0) \
DEBUG(5,("%s%04x %s: %04x\n", \
tab_depth(depth), base, string, outbuf)); }
{ \
RW_SVAL(read, big_endian, inbuf, outbuf, 0) \
DEBUG(5, ("%s%04x %s: %04x\n", tab_depth(depth), base, string, outbuf)); \
}
#define DBG_RW_IVAL(string, depth, base, read, big_endian, inbuf, outbuf) \
{ RW_IVAL(read,big_endian,inbuf,outbuf,0) \
DEBUG(5,("%s%04x %s: %08x\n", \
tab_depth(depth), base, string, outbuf)); }
{ \
RW_IVAL(read, big_endian, inbuf, outbuf, 0) \
DEBUG(5, ("%s%04x %s: %08x\n", tab_depth(depth), base, string, outbuf)); \
}
#endif /* _BYTEORDER_H */
/* Samba MD4 implementation */
/* NOTE: This code makes no attempt to be fast!
@ -305,17 +387,11 @@ it also defines lots of intermediate macros, just ignore those :-)
static uint32 A, B, C, D;
static uint32 F(uint32 X, uint32 Y, uint32 Z) {
return (X & Y) | ((~X) & Z);
}
static uint32 F(uint32 X, uint32 Y, uint32 Z) { return (X & Y) | ((~X) & Z); }
static uint32 G(uint32 X, uint32 Y, uint32 Z) {
return (X & Y) | (X & Z) | (Y & Z);
}
static uint32 G(uint32 X, uint32 Y, uint32 Z) { return (X & Y) | (X & Z) | (Y & Z); }
static uint32 H(uint32 X, uint32 Y, uint32 Z) {
return X ^ Y ^ Z;
}
static uint32 H(uint32 X, uint32 Y, uint32 Z) { return X ^ Y ^ Z; }
static uint32 lshift(uint32 x, int32_t s) {
x &= 0xFFFFFFFF;
@ -471,111 +547,35 @@ void mdfour(unsigned char *out, unsigned char *in, int32_t n) {
#define uchar unsigned char
#define int16 signed short
static uchar perm1[56] = { 57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4
};
static uchar perm1[56] = {57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4};
static uchar perm2[48] = { 14, 17, 11, 24, 1, 5,
3, 28, 15, 6, 21, 10,
23, 19, 12, 4, 26, 8,
16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55,
30, 40, 51, 45, 33, 48,
44, 49, 39, 56, 34, 53,
46, 42, 50, 36, 29, 32
};
static uchar perm2[48] = {14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32};
static uchar perm3[64] = { 58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7
};
static uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7};
static uchar perm4[48] = { 32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1
};
static uchar perm4[48] = {32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1};
static uchar perm5[32] = { 16, 7, 20, 21,
29, 12, 28, 17,
1, 15, 23, 26,
5, 18, 31, 10,
2, 8, 24, 14,
32, 27, 3, 9,
19, 13, 30, 6,
22, 11, 4, 25
};
static uchar perm6[64] = { 40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25
};
static uchar perm5[32] = {16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25};
static uchar perm6[64] = {40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25};
static uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
static uchar sbox[8][4][16] = {
{{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
{0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
{4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
{15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
static uchar sbox[8][4][16] = {{{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
{{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
{3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
{0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
{13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
{{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
{{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
{13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
{13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
{1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
{{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
{{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
{13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
{10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
{3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
{{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
{{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
{14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
{4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
{11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
{{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
{{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
{10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
{9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
{4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
{{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
{{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
{13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
{1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
{6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
{{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
{{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
{1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
{7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
{2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}
};
{{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
static void permute(char *out, char *in, uchar *p, int32_t n) {
int32_t i;
@ -601,7 +601,8 @@ static void concat(char *out, char *in1, char *in2, int32_t l1, int32_t l2) {
*out++ = *in2++;
}
void xor(char *out, char *in1, char *in2, int32_t n) {
void xor
(char *out, char *in1, char *in2, int32_t n) {
int32_t i;
for (i = 0; i < n; i++)
@ -703,7 +704,6 @@ static void str_to_key(unsigned char *str, unsigned char *key) {
}
}
static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key, int32_t forw) {
int32_t i;
char outb[64];
@ -815,7 +815,6 @@ void SamOEMhash(unsigned char *data, unsigned char *key, int32_t val) {
/* Samba encryption implementation*/
/****************************************************************************
Like strncpy but always null terminates. Make sure there is room!
The variable n should always be one less than the available size.
@ -830,15 +829,13 @@ char *StrnCpy(char *dest, const char *src, size_t n) {
*dest = 0;
return (dest);
}
while (n-- && (*d++ = *src++));
while (n-- && (*d++ = *src++))
;
*d = 0;
return (dest);
}
size_t skip_multibyte_char(char c) {
return 0;
}
size_t skip_multibyte_char(char c) { return 0; }
/*******************************************************************
safe string copy into a known length string. maxlength does not
@ -870,7 +867,6 @@ char *safe_strcpy(char *dest, const char *src, size_t maxlength) {
return dest;
}
void strupper(char *s) {
while (*s) {
{
@ -1029,7 +1025,6 @@ void NTLMSSPOWFencrypt(uchar passwd[8], uchar * ntlmchalresp, uchar p24[24]) {
#endif
}
/* Does the NT MD4 hash then des encryption. */
void SMBNTencrypt(uchar *passwd, uchar *c8, uchar *p24) {
@ -1083,7 +1078,8 @@ BOOL make_oem_passwd_hash(char data[516], const char *passwd, uchar old_pw_hash[
#endif
/* libtnlm copyrigth was left here, anyway the interface was slightly modified */
/* libtnlm copyrigth was left here, anyway the interface was slightly modified
*/
/* included libntlm-3.2.9 (c) even if this code is based in 2.1 version*/
@ -1115,18 +1111,14 @@ Contributed LGPL versions of some of the GPL'd Samba files.
#define AddBytes(ptr, header, buf, count) \
{ \
if (buf != NULL && count != 0) \
{ \
if (buf != NULL && count != 0) { \
SSVAL(&ptr->header.len, 0, count); \
SSVAL(&ptr->header.maxlen, 0, count); \
SIVAL(&ptr->header.offset, 0, ((ptr->buffer - ((uint8 *)ptr)) + ptr->bufIndex)); \
memcpy(ptr->buffer + ptr->bufIndex, buf, count); \
ptr->bufIndex += count; \
} \
else \
{ \
ptr->header.len = \
ptr->header.maxlen = 0; \
} else { \
ptr->header.len = ptr->header.maxlen = 0; \
SIVAL(&ptr->header.offset, 0, ptr->bufIndex); \
} \
}
@ -1135,7 +1127,8 @@ else \
{ \
char *p = string; \
int32_t len = 0; \
if (p) len = strlen(p); \
if (p) \
len = strlen(p); \
AddBytes(ptr, header, ((unsigned char *)p), len); \
}
@ -1144,22 +1137,16 @@ AddBytes(ptr, header, ((unsigned char*)p), len); \
char *p = string; \
unsigned char *b = NULL; \
int32_t len = 0; \
if (p) \
{ \
if (p) { \
len = strlen(p); \
b = strToUnicode(p); \
} \
AddBytes(ptr, header, b, len * 2); \
}
#define GetUnicodeString(structPtr, header) \
unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
#define GetString(structPtr, header) \
toString((((char *)structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
#define DumpBuffer(fp, structPtr, header) \
dumpRaw(fp,((unsigned char*)structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
#define GetUnicodeString(structPtr, header) unicodeToString(((char *)structPtr) + IVAL(&structPtr->header.offset, 0), SVAL(&structPtr->header.len, 0) / 2)
#define GetString(structPtr, header) toString((((char *)structPtr) + IVAL(&structPtr->header.offset, 0)), SVAL(&structPtr->header.len, 0))
#define DumpBuffer(fp, structPtr, header) dumpRaw(fp, ((unsigned char *)structPtr) + IVAL(&structPtr->header.offset, 0), SVAL(&structPtr->header.len, 0))
static void dumpRaw(FILE *fp, unsigned char *buf, size_t len) {
int32_t i;
@ -1210,7 +1197,6 @@ static unsigned char *toString(char *p, size_t len) {
return buf;
}
void buildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain) {
char *h = NULL; // strdup(host);
char *p = NULL; // strchr(h,'@');
@ -1295,10 +1281,6 @@ void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *
free(u);
}
// info functions
void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request);
void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge);
@ -1340,12 +1322,6 @@ void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) {
fprintf(fp, " Flags = %08x\n", IVAL(&response->flags, 0));
}
/*
* base64.c -- base-64 conversion routines.
*
@ -1360,20 +1336,11 @@ void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) {
* This code borrowed from fetchmail sources
*/
static const char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
#define BAD -1
static const char base64val[] = {
BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD,
BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD
};
static const char base64val[] = {BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD, BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD};
#define DECODE64(c) (isascii(c) ? base64val[c] : BAD)

33
ntlm.h
View file

@ -14,26 +14,29 @@
NTLM Interface, just two functions:
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
if flags is 0 minimun security level is selected, otherwise new value superseeds.
host and domain are optional, they may be NULLed.
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host,
char *domain); if flags is 0 minimun security level is selected, otherwise
new value superseeds. host and domain are optional, they may be NULLed.
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host);
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse
*response, long flags, char *user, char *password, char *domain, char *host);
Given a challenge, generates a response for that user/passwd/host/domain.
flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication
flags, host, and domain superseeds given by server. Leave 0 and NULL for
server authentication
This is an usage sample:
...
//beware of fixed sized buffer, asserts may fail, don't use long strings :)
//beware of fixed sized buffer, asserts may fail, don't use long
strings :)
//Yes, I Know, year 2k6 and still with this shit..
unsigned char buf[4096];
unsigned char buf2[4096];
//send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
//send auth request: let the server send it's own hostname and
domainname buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2));
send_to_server(buf);
@ -52,7 +55,8 @@
included bonus!!:
Base64 code
int32_t from64tobits(char *out, const char *in);
void to64frombits(unsigned char *out, const unsigned char *in, int32_t inlen);
void to64frombits(unsigned char *out, const unsigned char *in, int32_t
inlen);
@ -60,7 +64,6 @@
You don't need to read the rest of the file.
*/
/*
* These structures are byte-order dependant, and should not
* be manipulated except by the use of the routines provided
@ -105,7 +108,6 @@ typedef struct {
uint32 bufIndex;
} tSmbNtlmAuthChallenge;
typedef struct {
char ident[8];
uint32 msgType;
@ -120,7 +122,6 @@ typedef struct {
uint32 bufIndex;
} tSmbNtlmAuthResponse;
extern void buildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
/* reversing interface */
@ -128,14 +129,14 @@ extern void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *ho
/* ntlm functions */
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
// if flags is 0 minimun security level is selected, otherwise new value superseeds.
// host and domain are optional, they may be NULLed.
// if flags is 0 minimun security level is selected, otherwise new value
// superseeds. host and domain are optional, they may be NULLed.
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host);
// Given a challenge, generates a response for that user/passwd/host/domain.
//flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication
// flags, host, and domain superseeds given by server. Leave 0 and NULL for
// server authentication
/* Base64 code*/
int32_t from64tobits(char *out, const char *in);

12
performance.h
View file

@ -1,10 +1,10 @@
#include <unistd.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
/* handles select errors */
int32_t my_select(int32_t fd, fd_set *fdread, fd_set *fdwrite, fd_set *fdex, long sec, long usec) {
@ -18,9 +18,11 @@ int32_t my_select(int32_t fd, fd_set * fdread, fd_set * fdwrite, fd_set * fdex,
fde2 = fdex;
stv.tv_sec = sec;
stv.tv_usec = usec;
if (debug > 1) printf("before select\n");
if (debug > 1)
printf("before select\n");
ret_val = select(fd, fdr2, fdw2, fde2, &stv);
if (debug > 1) printf("after select\n");
if (debug > 1)
printf("after select\n");
/* XXX select() sometimes returns errno=EINTR (signal found) */
} while (ret_val == -1 && errno == EINTR);

7
postgres_ext.h
View file

@ -4,8 +4,9 @@
* postgres_ext.h
*
* This file contains declarations of things that are visible everywhere
* in PostgreSQL *and* are visible to clients of frontend interface libraries.
* For example, the Oid type is part of the API of libpq and other libraries.
* in PostgreSQL *and* are visible to clients of frontend interface
*libraries. For example, the Oid type is part of the API of libpq and other
*libraries.
*
* Declarations which are specific to a particular interface should
* go in the header file for that interface (such as libpq-fe.h). This
@ -39,7 +40,6 @@ typedef uint32_t Oid;
/* you will need to include <limits.h> to use the above #define */
/*
* NAMEDATALEN is the max length for system identifiers (e.g. table names,
* attribute names, function names, etc). It must be a multiple of
@ -49,7 +49,6 @@ typedef uint32_t Oid;
*/
#define NAMEDATALEN 64
/*
* Identifiers of error message fields. Kept here to keep common
* between frontend and backend, and also to export them to libpq

35
pw-inspector.c
View file

@ -1,9 +1,9 @@
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PROGRAM "PW-Inspector"
#define VERSION "v0.2"
@ -16,23 +16,31 @@ char *prg;
void help() {
printf("%s %s (c) 2005 by van Hauser / THC %s [%s]\n\n", PROGRAM, VERSION, EMAIL, WEB);
printf("Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s\n\n", prg);
printf("Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] "
"-l -u -n -p -s\n\n",
prg);
printf("Options:\n");
printf(" -i FILE file to read passwords from (default: stdin)\n");
printf(" -o FILE file to write valid passwords to (default: stdout)\n");
printf(" -m MINLEN minimum length of a valid password\n");
printf(" -M MAXLEN maximum length of a valid password\n");
printf(" -c MINSETS the minimum number of sets required (default: all given)\n");
printf(" -c MINSETS the minimum number of sets required (default: all "
"given)\n");
printf("Sets:\n");
printf(" -l lowcase characters (a,b,c,d, etc.)\n");
printf(" -u upcase characters (A,B,C,D, etc.)\n");
printf(" -n numbers (1,2,3,4, etc.)\n");
printf(" -p printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)\n");
printf(" -s special characters - all others not within the sets above\n");
printf(" -p printable characters (which are not -l/-n/-p, e.g. "
"$,!,/,(,*, etc.)\n");
printf(" -s special characters - all others not within the sets "
"above\n");
printf("\n%s reads passwords in and prints those which meet the requirements.\n", PROGRAM);
printf("The return code is the number of valid passwords found, 0 if none was found.\n");
printf("Use for security: check passwords, if 0 is returned, reject password choice.\n");
printf("Use for hacking: trim your dictionary file to the pw requirements of the target.\n");
printf("The return code is the number of valid passwords found, 0 if none "
"was found.\n");
printf("Use for security: check passwords, if 0 is returned, reject password "
"choice.\n");
printf("Use for hacking: trim your dictionary file to the pw requirements of "
"the target.\n");
printf("Usage only allowed for legal purposes.\n");
exit(-1);
}
@ -122,6 +130,8 @@ int main(int argc, char *argv[]) {
continue;
if (buf[strlen(buf) - 1] == '\n')
buf[strlen(buf) - 1] = 0;
if (buf[strlen(buf) - 1] == '\r')
buf[strlen(buf) - 1] = 0;
if (strlen(buf) >= minlen && strlen(buf) <= maxlen) {
i = 0;
if (countsets > 0) {
@ -156,7 +166,8 @@ int main(int argc, char *argv[]) {
count++;
}
}
/* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i, minlen, maxlen, strlen(buf)); */
/* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i,
* minlen, maxlen, strlen(buf)); */
}
fclose(in);
fclose(out);

139
sasl.c
View file

@ -68,20 +68,20 @@ sasl_plain computes the plain authentication from strings login and password
and stored the value in variable result
the first parameter result must be able to hold at least 255 bytes!
*/
void sasl_plain(char *result, char *login, char *pass) {
char *sasl_plain(char *result, char *login, char *pass) {
char *preplogin;
char *preppasswd;
int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin);
if (rc) {
result = NULL;
return;
return result;
}
rc = sasl_saslprep(pass, 0, &preppasswd);
if (rc) {
free(preplogin);
result = NULL;
return;
return result;
}
if (2 * strlen(preplogin) + 3 + strlen(preppasswd) < 180) {
strcpy(result, preplogin);
@ -91,6 +91,7 @@ void sasl_plain(char *result, char *login, char *pass) {
}
free(preplogin);
free(preppasswd);
return result;
}
#ifdef LIBOPENSSL
@ -102,7 +103,7 @@ and the challenge sent by the server, and stored the value in variable
result
the parameter result must be able to hold at least 100 bytes!
*/
void sasl_cram_md5(char *result, char *pass, char *challenge) {
char *sasl_cram_md5(char *result, char *pass, char *challenge) {
char ipad[64];
char opad[64];
unsigned char md5_raw[MD5_DIGEST_LENGTH];
@ -112,12 +113,12 @@ void sasl_cram_md5(char *result, char *pass, char *challenge) {
if (challenge == NULL) {
result = NULL;
return;
return result;
}
rc = sasl_saslprep(pass, 0, &preppasswd);
if (rc) {
result = NULL;
return;
return result;
}
memset(ipad, 0, sizeof(ipad));
memset(opad, 0, sizeof(opad));
@ -148,6 +149,7 @@ void sasl_cram_md5(char *result, char *pass, char *challenge) {
result += 2;
}
free(preppasswd);
return result;
}
/*
@ -156,7 +158,7 @@ and the challenge sent by the server, and stored the value in variable
result
the parameter result must be able to hold at least 100 bytes!
*/
void sasl_cram_sha1(char *result, char *pass, char *challenge) {
char *sasl_cram_sha1(char *result, char *pass, char *challenge) {
char ipad[64];
char opad[64];
unsigned char sha1_raw[SHA_DIGEST_LENGTH];
@ -166,12 +168,12 @@ void sasl_cram_sha1(char *result, char *pass, char *challenge) {
if (challenge == NULL) {
result = NULL;
return;
return result;
}
rc = sasl_saslprep(pass, 0, &preppasswd);
if (rc) {
result = NULL;
return;
return result;
}
memset(ipad, 0, sizeof(ipad));
memset(opad, 0, sizeof(opad));
@ -202,6 +204,7 @@ void sasl_cram_sha1(char *result, char *pass, char *challenge) {
result += 2;
}
free(preppasswd);
return result;
}
/*
@ -210,7 +213,7 @@ and the challenge sent by the server, and stored the value in variable
result
the parameter result must be able to hold at least 100 bytes!
*/
void sasl_cram_sha256(char *result, char *pass, char *challenge) {
char *sasl_cram_sha256(char *result, char *pass, char *challenge) {
char ipad[64];
char opad[64];
unsigned char sha256_raw[SHA256_DIGEST_LENGTH];
@ -220,14 +223,14 @@ void sasl_cram_sha256(char *result, char *pass, char *challenge) {
if (challenge == NULL) {
result = NULL;
return;
return result;
}
memset(ipad, 0, sizeof(ipad));
memset(opad, 0, sizeof(opad));
rc = sasl_saslprep(pass, 0, &preppasswd);
if (rc) {
result = NULL;
return;
return result;
}
if (strlen(preppasswd) >= 64) {
SHA256_Init(&sha256c);
@ -256,18 +259,19 @@ void sasl_cram_sha256(char *result, char *pass, char *challenge) {
result += 2;
}
free(preppasswd);
return result;
}
/*
RFC 2831: Using Digest Authentication as a SASL Mechanism
the parameter result must be able to hold at least 500 bytes!!
*/
void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header) {
char *sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header) {
char *pbuffer = NULL;
int32_t array_size = 10;
unsigned char response[MD5_DIGEST_LENGTH];
char *array[array_size];
char buffer2[500], buffer3[500], nonce[200], realm[50], algo[20];
char buffer2[500], buffer3[500], nonce[200], realm[200], algo[20];
int32_t i = 0, ind = 0, lastpos = 0, currentpos = 0, intq = 0, auth_find = 0;
MD5_CTX md5c;
char *preplogin;
@ -277,16 +281,18 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
memset(realm, 0, sizeof(realm));
if (rc) {
result = NULL;
return;
return result;
}
rc = sasl_saslprep(pass, 0, &preppasswd);
if (rc) {
free(preplogin);
result = NULL;
return;
return result;
}
//DEBUG S: nonce="HB3HGAk+hxKpijy/ichq7Wob3Zo17LPM9rr4kMX7xRM=",realm="tida",qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess
//DEBUG S: nonce="1Mr6c8WjOd/x5r8GUnGeQIRNUtOVtItu3kQOGAmsZfM=",realm="test.com",qop="auth,auth-int32_t,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=4096,charset=utf-8,algorithm=md5-sess
// DEBUG S:
// nonce="HB3HGAk+hxKpijy/ichq7Wob3Zo17LPM9rr4kMX7xRM=",realm="tida",qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess
// DEBUG S:
// nonce="1Mr6c8WjOd/x5r8GUnGeQIRNUtOVtItu3kQOGAmsZfM=",realm="test.com",qop="auth,auth-int32_t,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=4096,charset=utf-8,algorithm=md5-sess
// warning some not well configured xmpp server is sending no realm
// DEBUG S: nonce="3448160828",qop="auth",charset=utf-8,algorithm=md5-sess
pbuffer = buffer;
@ -342,7 +348,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
free(array[j]);
hydra_report(stderr, "Error: DIGEST-MD5 nonce from server could not be extracted\n");
result = NULL;
return;
return result;
}
} else {
strncpy(nonce, strstr(array[i], "nonce=") + strlen("nonce="), sizeof(nonce) - 1);
@ -365,7 +371,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
free(array[i]);
hydra_report(stderr, "Error: DIGEST-MD5 realm from server could not be extracted\n");
result = NULL;
return;
return result;
}
} else {
strncpy(realm, strstr(array[i], "realm=") + strlen("realm="), sizeof(realm) - 1);
@ -373,10 +379,9 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
}
}
if (strstr(array[i], "qop=") != NULL) {
/*
The value "auth" indicates authentication; the value "auth-int32_t" indicates
authentication with integrity protection; the value "auth-conf"
The value "auth" indicates authentication; the value "auth-int32_t"
indicates authentication with integrity protection; the value "auth-conf"
indicates authentication with integrity protection and encryption.
*/
auth_find = 1;
@ -386,9 +391,10 @@ indicates authentication with integrity protection and encryption.
for (j = 0; j < ind; j++)
if (array[j] != NULL)
free(array[j]);
hydra_report(stderr, "Error: DIGEST-MD5 quality of protection only authentication is not supported by server\n");
hydra_report(stderr, "Error: DIGEST-MD5 quality of protection only "
"authentication is not supported by server\n");
result = NULL;
return;
return result;
}
}
if (strstr(array[i], "algorithm=") != NULL) {
@ -405,9 +411,10 @@ indicates authentication with integrity protection and encryption.
for (j = 0; j < ind; j++)
if (array[j] != NULL)
free(array[j]);
hydra_report(stderr, "Error: DIGEST-MD5 algorithm from server could not be extracted\n");
hydra_report(stderr, "Error: DIGEST-MD5 algorithm from server could "
"not be extracted\n");
result = NULL;
return;
return result;
}
} else {
strncpy(algo, strstr(array[i], "algorithm=") + strlen("algorithm="), sizeof(algo) - 1);
@ -421,7 +428,7 @@ indicates authentication with integrity protection and encryption.
free(array[j]);
hydra_report(stderr, "Error: DIGEST-MD5 algorithm not based on md5, based on %s\n", algo);
result = NULL;
return;
return result;
}
}
free(array[i]);
@ -432,7 +439,8 @@ indicates authentication with integrity protection and encryption.
memset(algo, 0, sizeof(algo));
strcpy(algo, "MD5");
}
//xmpp case, some xmpp server is not sending the realm so we have to set it up
// xmpp case, some xmpp server is not sending the realm so we have to set it
// up
if ((strlen(realm) == 0) && (strstr(type, "xmpp") != NULL))
snprintf(realm, sizeof(realm), "%s", miscptr);
// compute ha1
@ -453,10 +461,10 @@ indicates authentication with integrity protection and encryption.
sprintf(pbuffer, "%02x", response[i]);
pbuffer += 2;
}
sprintf(buffer, "%s:%s:%s", buffer3, nonce, "hydra");
snprintf(buffer, 500, "%s:%s:%s", buffer3, nonce, "hydra");
} else {
memcpy(buffer, response, sizeof(response));
sprintf(buffer + sizeof(response), ":%s:%s", nonce, "hydra");
snprintf(buffer + sizeof(response), 50 - sizeof(response), ":%s:%s", nonce, "hydra");
}
MD5_Init(&md5c);
MD5_Update(&md5c, buffer, strlen(buffer));
@ -471,22 +479,22 @@ indicates authentication with integrity protection and encryption.
// compute ha2
// proxy case
if (strstr(type, "proxy") != NULL)
sprintf(buffer, "%s:%s", "HEAD", miscptr);
snprintf(buffer, 500, "%s:%s", "HEAD", miscptr);
else
// http case
if ((strstr(type, "GET") != NULL) || (strstr(type, "HEAD") != NULL))
sprintf(buffer, "%s:%s", type, miscptr);
snprintf(buffer, 500, "%s:%s", type, miscptr);
else
// sip case
if (strstr(type, "sip") != NULL)
sprintf(buffer, "REGISTER:%s:%s", type, miscptr);
snprintf(buffer, 500, "REGISTER:%s:%s", type, miscptr);
else
// others
if (strstr(type, "rtsp") != NULL)
sprintf(buffer, "DESCRIBE:%s://%s:%i", type, webtarget, port);
snprintf(buffer, 500, "DESCRIBE:%s://%s:%i", type, webtarget, port);
else
// others
sprintf(buffer, "AUTHENTICATE:%s/%s", type, realm);
snprintf(buffer, 500, "AUTHENTICATE:%s/%s", type, realm);
MD5_Init(&md5c);
MD5_Update(&md5c, buffer, strlen(buffer));
@ -514,32 +522,55 @@ indicates authentication with integrity protection and encryption.
// create the auth response
if (strstr(type, "proxy") != NULL) {
snprintf(result, 500,
"HEAD %s HTTP/1.0\r\n%sProxy-Authorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"HEAD %s HTTP/1.0\r\n%sProxy-Authorization: Digest username=\"%s\", "
"realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", "
"nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header);
} else {
if ((strstr(type, "imap") != NULL) || (strstr(type, "pop") != NULL) || (strstr(type, "smtp") != NULL) ||
(strstr(type, "ldap") != NULL) || (strstr(type, "xmpp") != NULL) || (strstr(type, "nntp") != NULL)) {
snprintf(result, 500, "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"hydra\",nc=00000001,algorithm=%s,qop=\"auth\",digest-uri=\"%s/%s\",response=%s", preplogin, realm,
nonce, algo, type, realm, buffer);
if ((strstr(type, "imap") != NULL) || (strstr(type, "pop") != NULL) || (strstr(type, "smtp") != NULL) || (strstr(type, "ldap") != NULL) || (strstr(type, "xmpp") != NULL) || (strstr(type, "nntp") != NULL)) {
snprintf(result, 500,
"username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"hydra\",nc="
"00000001,algorithm=%s,qop=\"auth\",digest-uri=\"%s/%s\",response=%s",
preplogin, realm, nonce, algo, type, realm, buffer);
} else {
if (strstr(type, "sip") != NULL) {
snprintf(result, 500, "username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s:%s\",response=%s", preplogin, realm, nonce, type, realm, buffer);
snprintf(result, 500,
"username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s:%s\","
"response=%s",
preplogin, realm, nonce, type, realm, buffer);
} else {
if (strstr(type, "rtsp") != NULL) {
snprintf(result, 500, "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s://%s:%i\", response=\"%s\"\r\n", preplogin, realm, nonce, type, webtarget, port, buffer);
snprintf(result, 500,
"username=\"%s\", realm=\"%s\", nonce=\"%s\", "
"uri=\"%s://%s:%i\", response=\"%s\"\r\n",
preplogin, realm, nonce, type, webtarget, port, buffer);
} else {
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
snprintf(result, 500,
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: "
"Digest username=\"%s\", realm=\"%s\", response=\"%s\", "
"nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, "
"qop=auth, uri=\"%s\"\r\nProxy-Authorization: Basic "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: "
"keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
snprintf(result, 500,
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: "
"Digest username=\"%s\", realm=\"%s\", response=\"%s\", "
"nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, "
"qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header);
else
snprintf(result, 500,
"%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest "
"username=\"%s\", realm=\"%s\", response=\"%s\", "
"nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, "
"qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header);
}
}
@ -548,6 +579,7 @@ indicates authentication with integrity protection and encryption.
}
free(preplogin);
free(preppasswd);
return result;
}
/*
@ -557,7 +589,7 @@ I want to thx Simon Josefsson for his public server test,
and my girlfriend that let me work on that 2 whole nights ;)
clientfirstmessagebare must be at least 500 bytes in size!
*/
void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage) {
char *sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage) {
int32_t saltlen = 0;
int32_t iter = 4096;
char *salt, *nonce, *ic;
@ -576,7 +608,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
if (rc) {
result = NULL;
return;
return result;
}
/*client-final-message */
@ -587,7 +619,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
hydra_report(stderr, "Error: Can't understand server message\n");
free(preppasswd);
result = NULL;
return;
return result;
}
strncpy(buffer, serverfirstmessage, sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
@ -600,7 +632,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
hydra_report(stderr, "Error: Can't understand server response\n");
free(preppasswd);
result = NULL;
return;
return result;
}
if ((nonce != NULL) && (strlen(nonce) > 2))
snprintf(clientfinalmessagewithoutproof, sizeof(clientfinalmessagewithoutproof), "c=biws,%s", nonce);
@ -608,7 +640,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
hydra_report(stderr, "Error: Could not identify server nonce value\n");
free(preppasswd);
result = NULL;
return;
return result;
}
if ((salt != NULL) && (strlen(salt) > 2) && (strlen(salt) <= sizeof(buffer)))
// s=ghgIAfLl1+yUy/Xl1WD5Tw== remove the header s=
@ -617,7 +649,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
hydra_report(stderr, "Error: Could not identify server salt value\n");
free(preppasswd);
result = NULL;
return;
return result;
}
/* SaltedPassword := Hi(Normalize(password), salt, i) */
@ -626,7 +658,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
hydra_report(stderr, "Error: Failed to generate PBKDF2\n");
free(preppasswd);
result = NULL;
return;
return result;
}
/* ClientKey := HMAC(SaltedPassword, "Client Key") */
@ -647,5 +679,6 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", result);
free(preppasswd);
return result;
}
#endif

23
sasl.h
View file

@ -1,8 +1,8 @@
#include "hydra-mod.h"
#include "ntlm.h"
#include <stdio.h>
#include <string.h>
#include "ntlm.h"
#include "hydra-mod.h"
#define AUTH_ERROR -1
#define AUTH_CLEAR 0
@ -28,24 +28,21 @@
#endif
#endif
typedef enum {
SASL_ALLOW_UNASSIGNED = 1
} sasl_saslprep_flags;
typedef enum { SASL_ALLOW_UNASSIGNED = 1 } sasl_saslprep_flags;
int32_t print_hex(unsigned char *buf, int32_t len);
void sasl_plain(char *result, char *login, char *pass);
char *sasl_plain(char *result, char *login, char *pass);
int32_t sasl_saslprep(const char *in, sasl_saslprep_flags flags, char **out);
#ifdef LIBOPENSSL
#include <openssl/hmac.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/hmac.h>
void sasl_cram_md5(char *result, char *pass, char *challenge);
void sasl_cram_sha1(char *result, char *pass, char *challenge);
void sasl_cram_sha256(char *result, char *pass, char *challenge);
void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header);
void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage);
char *sasl_cram_md5(char *result, char *pass, char *challenge);
char *sasl_cram_sha1(char *result, char *pass, char *challenge);
char *sasl_cram_sha256(char *result, char *pass, char *challenge);
char *sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header);
char *sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage);
#endif