github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-07-05 20:41:39 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

code indent

Browse source
This commit is contained in:
van Hauser 2020-02-01 11:47:13 +01:00
parent 531ee7734b
commit 720bdb3f96
83 changed files with 6377 additions and 6240 deletions
Download patch file Download diff file Expand all files Collapse all files

59
hydra-s7-300.c
View file

@ -1,4 +1,5 @@
// submitted by Alexander Timorin <ATimorin@ptsecurity.com> and Sergey Gordeychik
// submitted by Alexander Timorin <ATimorin@ptsecurity.com> and Sergey
// Gordeychik
#include "hydra-mod.h"
@ -6,16 +7,24 @@
extern char *HYDRA_EXIT;
unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17" "\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0" "\x01\x0a";
unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17"
"\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0"
"\x01\x0a";
unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00" "\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00" "\x01\x00\x01\x01\xe0";
unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00"
"\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00"
"\x01\x00\x01\x01\xe0";
unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00" "\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12" "\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01" "\x32\x00\x04";
unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00"
"\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12"
"\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01"
"\x32\x00\x04";
unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00" "\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12" "\x04\x11\x45\x01\x00\xff\x09\x00\x08";
unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00"
"\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12"
"\x04\x11\x45\x01\x00\xff\x09\x00\x08";
int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *pass, buffer[1024];
char context[S7PASSLEN + 1];
@ -45,7 +54,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c
}
// send p_cotp and check first 2 bytes of answer
if (hydra_send(s, (char *) p_cotp, 22, 0) < 0)
if (hydra_send(s, (char *)p_cotp, 22, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv_nb(s, buffer, sizeof(buffer));
@ -57,7 +66,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c
return 3;
// send p_s7_negotiate_pdu and check first 2 bytes of answer
if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0)
if (hydra_send(s, (char *)p_s7_negotiate_pdu, 25, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv_nb(s, buffer, sizeof(buffer));
@ -69,7 +78,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c
return 3;
// send p_s7_read_szl and check first 2 bytes of answer
if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0)
if (hydra_send(s, (char *)p_s7_read_szl, 33, 0) < 0)
return 1;
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv_nb(s, buffer, sizeof(buffer));
@ -108,7 +117,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c
}
if (buffer[27] == '\xd6' && buffer[28] == '\x05') {
//hydra_report_found_host(port, ip, "s7-300", fp);
// hydra_report_found_host(port, ip, "s7-300", fp);
hydra_completed_pair_found();
hydra_report(stderr, "[INFO] No password protection enabled\n");
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
@ -124,7 +133,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c
return 1;
}
void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t s7port = PORT_S7_300;
@ -136,21 +145,21 @@ void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr,
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
case 1: /* connect and service init function */
sock = hydra_connect_tcp(ip, s7port);
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = start_s7_300(sock, ip, s7port, options, miscptr, fp);
sock = hydra_disconnect(sock);
break;
case 2: /* clean exit */
case 2: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 3: /* clean exit */
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
@ -163,13 +172,13 @@ void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr,
}
}
int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
//
// return codes:
// 0 all OK
// 1 skip target without generating an error
@ -211,7 +220,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
}
// send p_cotp and check first 2 bytes of answer
if (hydra_send(sock, (char *) p_cotp, 22, 0) < 0) {
if (hydra_send(sock, (char *)p_cotp, 22, 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service\n");
return 3;
}
@ -226,7 +235,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
return 3;
}
// send p_s7_negotiate_pdu and check first 2 bytes of answer
if (hydra_send(sock, (char *) p_s7_negotiate_pdu, 25, 0) < 0) {
if (hydra_send(sock, (char *)p_s7_negotiate_pdu, 25, 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service (2)\n");
return 3;
}
@ -241,7 +250,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
return 3;
}
// send p_s7_read_szl and check first 2 bytes of answer
if (hydra_send(sock, (char *) p_s7_read_szl, 33, 0) < 0) {
if (hydra_send(sock, (char *)p_s7_read_szl, 33, 0) < 0) {
fprintf(stderr, "[ERROR] can not send data to service (3)\n");
return 3;
}
@ -276,7 +285,8 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
// 0xd602 - wrong password
if (ret > 30) {
if ((buffer[27] == '\x00' && buffer[28] == '\x00') || (buffer[27] == '\xd6' && buffer[28] == '\x05')) {
hydra_report(stderr, "[INFO] No password protection enabled, no password tests are necessary!\n");
hydra_report(stderr, "[INFO] No password protection enabled, no password "
"tests are necessary!\n");
return 1;
}
}
@ -286,6 +296,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
return 0;
}
void usage_s7_300(const char* service) {
printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n");
void usage_s7_300(const char *service) {
printf("Module S7-300 is for a special Siemens PLC. It either requires only a "
"password or no authentication, so just use the -p or -P option.\n\n");
}