github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-07-05 12:36:09 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

code indent

Browse source
This commit is contained in:
van Hauser 2020-02-01 11:47:13 +01:00
parent 531ee7734b
commit 720bdb3f96
83 changed files with 6377 additions and 6240 deletions
Download patch file Download diff file Expand all files Collapse all files

117
.clang-format Normal file
View file

@ -0,0 +1,117 @@
---
Language: Cpp
AccessModifierOffset: -2
AlignAfterOpenBracket: Align
AlignConsecutiveAssignments: false
AlignConsecutiveDeclarations: false
AlignEscapedNewlines: Right
AlignOperands: true
AlignTrailingComments: true
AllowAllParametersOfDeclarationOnNextLine: true
AllowShortBlocksOnASingleLine: false
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: All
AllowShortIfStatementsOnASingleLine: false
AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterDefinitionReturnType: None
AlwaysBreakAfterReturnType: None
AlwaysBreakBeforeMultilineStrings: false
AlwaysBreakTemplateDeclarations: false
BinPackArguments: true
BinPackParameters: true
BraceWrapping:
AfterClass: false
AfterControlStatement: false
AfterEnum: false
AfterFunction: false
AfterNamespace: false
AfterObjCDeclaration: false
AfterStruct: false
AfterUnion: false
AfterExternBlock: false
BeforeCatch: false
BeforeElse: false
IndentBraces: false
SplitEmptyFunction: true
SplitEmptyRecord: true
SplitEmptyNamespace: true
BreakBeforeBinaryOperators: None
BreakBeforeBraces: Attach
BreakBeforeInheritanceComma: false
BreakInheritanceList: BeforeColon
BreakBeforeTernaryOperators: true
BreakConstructorInitializersBeforeComma: false
BreakConstructorInitializers: BeforeColon
BreakAfterJavaFieldAnnotations: false
BreakStringLiterals: true
ColumnLimit: 512
CommentPragmas: '^ IWYU pragma:'
CompactNamespaces: true
ConstructorInitializerAllOnOneLineOrOnePerLine: false
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: false
DisableFormat: false
ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true
ForEachMacros:
- foreach
- Q_FOREACH
- BOOST_FOREACH
IncludeBlocks: Preserve
IncludeCategories:
- Regex: '^"(llvm|llvm-c|clang|clang-c)/'
Priority: 2
- Regex: '^(<|"(gtest|gmock|isl|json)/)'
Priority: 3
- Regex: '.*'
Priority: 1
IncludeIsMainRegex: '(Test)?$'
IndentCaseLabels: false
IndentPPDirectives: None
IndentWidth: 2
IndentWrappedFunctionNames: false
JavaScriptQuotes: Leave
JavaScriptWrapImports: true
KeepEmptyLinesAtTheStartOfBlocks: false
MacroBlockBegin: ''
MacroBlockEnd: ''
MaxEmptyLinesToKeep: 1
NamespaceIndentation: None
ObjCBinPackProtocolList: Auto
ObjCBlockIndentWidth: 2
ObjCSpaceAfterProperty: false
ObjCSpaceBeforeProtocolList: true
PenaltyBreakAssignment: 2
PenaltyBreakBeforeFirstCallParameter: 19
PenaltyBreakComment: 300
PenaltyBreakFirstLessLess: 120
PenaltyBreakString: 1000
PenaltyBreakTemplateDeclaration: 10
PenaltyExcessCharacter: 1000000
PenaltyReturnTypeOnItsOwnLine: 60
PointerAlignment: Right
ReflowComments: true
SortIncludes: true
SortUsingDeclarations: true
SpaceAfterCStyleCast: false
SpaceAfterTemplateKeyword: true
SpaceBeforeAssignmentOperators: true
SpaceBeforeCpp11BracedList: false
SpaceBeforeCtorInitializerColon: true
SpaceBeforeInheritanceColon: true
SpaceBeforeParens: ControlStatements
SpaceBeforeRangeBasedForLoopColon: true
SpaceInEmptyParentheses: false
SpacesBeforeTrailingComments: 1
SpacesInAngles: false
SpacesInContainerLiterals: true
SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Cpp11
TabWidth: 2
UseTab: Never
...

1
CHANGES
View file

@ -9,6 +9,7 @@ Release 9.1-dev
* added -K command line switch to disable redo attempts (good for mass scanning)
* forgot to have the -m option in the hydra help output
* gcc-10 support and various cleanups by Jeroen Roovers, thanks!
* added .clang-format and formatted all code
Release 9.0

43
bfg.c
View file

@ -1,11 +1,12 @@
/* code original by Jan Dlabal <dlabaljan@gmail.com>, partially rewritten by vh */
/* code original by Jan Dlabal <dlabaljan@gmail.com>, partially rewritten by vh
*/
#include <ctype.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>
#include <ctype.h>
#ifdef __sun
#include <sys/int_types.h>
#elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX)
@ -24,17 +25,23 @@ extern int32_t debug;
static int32_t add_single_char(char ch, char flags, int32_t *crs_len) {
if ((ch >= '2' && ch <= '9') || ch == '0') {
if ((flags & BF_NUMS) > 0) {
printf("[ERROR] character %c defined in -x although the whole number range was already defined by '1', ignored\n", ch);
printf("[ERROR] character %c defined in -x although the whole number "
"range was already defined by '1', ignored\n",
ch);
return 0;
}
//printf("[WARNING] adding character %c for -x, note that '1' will add all numbers from 0-9\n", ch);
// printf("[WARNING] adding character %c for -x, note that '1' will add all
// numbers from 0-9\n", ch);
}
if (tolower((int32_t)ch) >= 'b' && tolower((int32_t)ch) <= 'z') {
if ((ch <= 'Z' && (flags & BF_UPPER) > 0) || (ch > 'Z' && (flags & BF_UPPER) > 0)) {
printf("[ERROR] character %c defined in -x although the whole letter range was already defined by '%c', ignored\n", ch, ch <= 'Z' ? 'A' : 'a');
printf("[ERROR] character %c defined in -x although the whole letter "
"range was already defined by '%c', ignored\n",
ch, ch <= 'Z' ? 'A' : 'a');
return 0;
}
//printf("[WARNING] adding character %c for -x, note that '%c' will add all %scase letters\n", ch, ch <= 'Z' ? 'A' : 'a', ch <= 'Z' ? "up" : "low");
// printf("[WARNING] adding character %c for -x, note that '%c' will add all
// %scase letters\n", ch, ch <= 'Z' ? 'A' : 'a', ch <= 'Z' ? "up" : "low");
}
(*crs_len)++;
if (BF_CHARSMAX - *crs_len < 1) {
@ -66,7 +73,8 @@ int32_t bf_init(char *arg) {
}
bf_options.from = atoi(arg);
if (bf_options.from < 1 || bf_options.from > 127) {
fprintf(stderr, "Error: minimum length must be between 1 and 127, format: -x min:max:types\n");
fprintf(stderr, "Error: minimum length must be between 1 and 127, format: "
"-x min:max:types\n");
return 1;
}
arg = tmp + 1;
@ -86,7 +94,8 @@ int32_t bf_init(char *arg) {
tmp++;
if (bf_options.from > bf_options.to) {
fprintf(stderr, "Error: you specified a minimum length higher than the maximum length!\n");
fprintf(stderr, "Error: you specified a minimum length higher than the "
"maximum length!\n");
return 1;
}
@ -173,7 +182,6 @@ int32_t bf_init(char *arg) {
return 0;
}
uint64_t bf_get_pcount() {
int32_t i;
double count = 0;
@ -182,7 +190,8 @@ uint64_t bf_get_pcount() {
for (i = bf_options.from; i <= bf_options.to; i++)
count += (pow((double)bf_options.crs_len, (double)i));
if (count >= 0xffffffff) {
fprintf(stderr, "\n[ERROR] definition for password bruteforce (-x) generates more than 4 billion passwords\n");
fprintf(stderr, "\n[ERROR] definition for password bruteforce (-x) "
"generates more than 4 billion passwords\n");
exit(-1);
}
@ -190,11 +199,9 @@ uint64_t bf_get_pcount() {
return foo;
}
int accu(int value)
{
int accu(int value) {
int i = 0, a;
for (a=1; a<=value; ++a)
{
for (a = 1; a <= value; ++a) {
i += a;
}
return i;
@ -211,8 +218,7 @@ char *bf_next(_Bool rainy) {
return NULL;
}
if(rainy)
{
if (rainy) {
for (i = 0; i < bf_options.current; i++) {
bf_options.ptr[i] = bf_options.crs[(bf_options.state[i] + bf_options.rain) % bf_options.crs_len];
bf_options.rain += i + 1;
@ -223,8 +229,7 @@ char *bf_next(_Bool rainy) {
bf_options.rain -= accu(bf_options.current) - 4;
else if (bf_options.crs_len % 2)
bf_options.rain -= accu(bf_options.current) - 1;
}
else
} else
for (i = 0; i < bf_options.current; i++)
bf_options.ptr[i] = bf_options.crs[bf_options.state[i]];
bf_options.ptr[bf_options.current] = 0;

4
bfg.h
View file

@ -24,7 +24,9 @@
#define BF_WEBSITE "http://houbysoft.com/bfg/"
#define BF_BUFLEN 1024
#define BF_CHARSMAX 256 /* how many max possibilities there are for characters, normally it's 2^8 = 256 */
#define BF_CHARSMAX \
256 /* how many max possibilities there are for characters, normally it's \
2^8 = 256 */
#define BF_LOWER 1
#define BF_UPPER 2

52
crc32.c
View file

@ -49,51 +49,13 @@
#include <stdint.h>
#endif
uint32_t crc32_tab[] = {
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c,
0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423,
0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106,
0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d,
0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7,
0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa,
0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81,
0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84,
0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e,
0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55,
0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28,
0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f,
0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc,
0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
};
uint32_t crc32_tab[] = {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1,
0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934,
0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f,
0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe,
0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d};
#ifndef HAVE_ZLIB

209
d3des.c
View file

@ -48,38 +48,17 @@ static unsigned long KnL[32] = { 0L };
0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 };
*/
static unsigned short bytebit[8] = {
01, 02, 04, 010, 020, 040, 0100, 0200
};
static unsigned short bytebit[8] = {01, 02, 04, 010, 020, 040, 0100, 0200};
static unsigned long bigbyte[24] = {
0x800000L, 0x400000L, 0x200000L, 0x100000L,
0x80000L, 0x40000L, 0x20000L, 0x10000L,
0x8000L, 0x4000L, 0x2000L, 0x1000L,
0x800L, 0x400L, 0x200L, 0x100L,
0x80L, 0x40L, 0x20L, 0x10L,
0x8L, 0x4L, 0x2L, 0x1L
};
static unsigned long bigbyte[24] = {0x800000L, 0x400000L, 0x200000L, 0x100000L, 0x80000L, 0x40000L, 0x20000L, 0x10000L, 0x8000L, 0x4000L, 0x2000L, 0x1000L, 0x800L, 0x400L, 0x200L, 0x100L, 0x80L, 0x40L, 0x20L, 0x10L, 0x8L, 0x4L, 0x2L, 0x1L};
/* Use the key schedule specified in the Standard (ANSI X3.92-1981). */
static unsigned char pc1[56] = {
56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17,
9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35,
62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21,
13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3
};
static unsigned char pc1[56] = {56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3};
static unsigned char totrot[16] = {
1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28
};
static unsigned char totrot[16] = {1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28};
static unsigned char pc2[48] = {
13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9,
22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1,
40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47,
43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31
};
static unsigned char pc2[48] = {13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31};
void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */
unsigned char *key;
@ -126,8 +105,7 @@ void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */
return;
}
static void cookey(raw1)
register unsigned long *raw1;
static void cookey(raw1) register unsigned long *raw1;
{
register unsigned long *cook, *raw0;
unsigned long dough[32];
@ -149,8 +127,7 @@ static void cookey(raw1)
return;
}
void cpkey(into)
register unsigned long *into;
void cpkey(into) register unsigned long *into;
{
register unsigned long *from, *endp;
@ -160,8 +137,7 @@ void cpkey(into)
return;
}
void usekey(from)
register unsigned long *from;
void usekey(from) register unsigned long *from;
{
register unsigned long *to, *endp;
@ -180,8 +156,7 @@ void des(unsigned char *inblock, unsigned char *outblock) {
return;
}
static void scrunch(outof, into)
register unsigned char *outof;
static void scrunch(outof, into) register unsigned char *outof;
register unsigned long *into;
{
*into = (*outof++ & 0xffL) << 24;
@ -195,8 +170,7 @@ static void scrunch(outof, into)
return;
}
static void unscrun(outof, into)
register unsigned long *outof;
static void unscrun(outof, into) register unsigned long *outof;
register unsigned char *into;
{
*into++ = (*outof >> 24) & 0xffL;
@ -210,160 +184,31 @@ static void unscrun(outof, into)
return;
}
static unsigned long SP1[64] = {
0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L,
0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L,
0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L,
0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L,
0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L,
0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L,
0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L,
0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L,
0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L,
0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L,
0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L,
0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L,
0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L,
0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L,
0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L
};
static unsigned long SP1[64] = {0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L, 0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L, 0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L, 0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L, 0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L, 0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L, 0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L, 0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L,
0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L, 0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L, 0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L, 0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L, 0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L, 0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L, 0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L, 0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L};
static unsigned long SP2[64] = {
0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L,
0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L,
0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L,
0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L,
0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L,
0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L,
0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L,
0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L,
0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L,
0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L,
0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L,
0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L,
0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L,
0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L,
0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L
};
static unsigned long SP2[64] = {0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L, 0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L, 0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L, 0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L, 0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L, 0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L, 0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L, 0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L,
0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L, 0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L, 0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L, 0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L, 0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L, 0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L, 0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L, 0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L};
static unsigned long SP3[64] = {
0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L,
0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L,
0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L,
0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L,
0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L,
0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L,
0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L,
0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L,
0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L,
0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L,
0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L,
0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L,
0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L,
0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L,
0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L
};
static unsigned long SP3[64] = {0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L, 0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L, 0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L, 0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L, 0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L, 0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L, 0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L, 0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L,
0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L, 0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L, 0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L, 0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L, 0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L, 0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L, 0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L, 0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L};
static unsigned long SP4[64] = {
0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L,
0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L,
0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L,
0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L,
0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L,
0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L,
0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L,
0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L,
0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L,
0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L,
0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L,
0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L,
0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L,
0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L
};
static unsigned long SP4[64] = {0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, 0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L, 0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L, 0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L, 0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L, 0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L, 0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L, 0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L,
0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L, 0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L, 0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L, 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, 0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L, 0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L, 0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L, 0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L};
static unsigned long SP5[64] = {
0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L,
0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L,
0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L,
0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L,
0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L,
0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L,
0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L,
0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L,
0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L,
0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L,
0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L,
0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L,
0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L,
0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L,
0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L
};
static unsigned long SP5[64] = {0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L, 0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L, 0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L, 0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L, 0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L, 0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L, 0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L, 0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L,
0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L, 0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L, 0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L, 0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L, 0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L, 0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L, 0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L, 0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L};
static unsigned long SP6[64] = {
0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L,
0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L,
0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L,
0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L,
0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L,
0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L,
0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L,
0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L,
0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L,
0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L,
0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L,
0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L,
0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L,
0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L,
0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L
};
static unsigned long SP6[64] = {0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L, 0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L, 0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L, 0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L, 0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L, 0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L, 0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L, 0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L,
0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L, 0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L, 0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L, 0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L, 0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L, 0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L, 0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L, 0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L};
static unsigned long SP7[64] = {
0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L,
0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L,
0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L,
0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L,
0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L,
0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L,
0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L,
0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L,
0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L,
0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L,
0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L,
0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L,
0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L,
0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L,
0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L
};
static unsigned long SP7[64] = {0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L, 0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L, 0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L, 0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L, 0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L, 0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L, 0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L, 0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L,
0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L, 0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L, 0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L, 0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L, 0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L, 0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L, 0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L, 0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L};
static unsigned long SP8[64] = {
0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L,
0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L,
0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L,
0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L,
0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L,
0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L,
0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L,
0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L,
0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L,
0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L,
0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L,
0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L,
0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L,
0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L,
0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L
};
static unsigned long SP8[64] = {0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L, 0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L, 0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L, 0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L, 0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L, 0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L, 0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L, 0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L,
0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L, 0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L, 0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L, 0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L, 0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L, 0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L, 0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L, 0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L};
static void desfunc(block, keys)
register unsigned long *block, *keys;
static void desfunc(block, keys) register unsigned long *block, *keys;
{
register unsigned long fval, work, right, leftt;
register int32_t round;

9
hmacmd5.c
View file

@ -34,8 +34,8 @@
*/
#ifdef LIBOPENSSL
#include <string.h>
#include "hmacmd5.h"
#include <string.h>
#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
@ -107,15 +107,12 @@ void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5
update hmac_md5 "inner" buffer
***********************************************************************/
void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context * ctx) {
MD5_Update(&ctx->ctx, (void *) text, text_len); /* then text of datagram */
}
void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context *ctx) { MD5_Update(&ctx->ctx, (void *)text, text_len); /* then text of datagram */ }
/***********************************************************************
finish off hmac_md5 "inner" buffer and generate outer one.
***********************************************************************/
void hmac_md5_final(unsigned char *digest, HMACMD5Context * ctx)
{
void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx) {
MD5_CTX ctx_o;
MD5_Final(digest, &ctx->ctx);

3
hmacmd5.h
View file

@ -47,11 +47,8 @@ typedef struct {
#endif /* _HMAC_MD5_H */
void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx);
void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx);
void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context *ctx);
void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx);
void hmac_md5(unsigned char key[16], unsigned char *data, int32_t data_len, unsigned char *digest);

56
hydra-adam6500.c
View file

@ -6,55 +6,13 @@
extern char *HYDRA_EXIT;
unsigned char adam6500_req1[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10,
0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31,
0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f,
0x1f, 0x1f, 0x1f, 0x0d, 0x00
};
unsigned char adam6500_resp1[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10,
0x27, 0x0f, 0x00, 0x08
};
unsigned char adam6500_req2[] = {
0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03,
0x27, 0x0f, 0x00, 0x7d
};
unsigned char adam6500_resp2[] = {
0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03,
0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00
};
unsigned char adam6500_req1[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10, 0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31, 0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x0d, 0x00};
unsigned char adam6500_resp1[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10, 0x27, 0x0f, 0x00, 0x08};
unsigned char adam6500_req2[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x27, 0x0f, 0x00, 0x7d};
unsigned char adam6500_resp2[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03, 0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
int32_t start_adam6500(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";

18
hydra-afp.c
View file

@ -9,9 +9,7 @@
#include "hydra-mod.h"
#ifndef LIBAFP
void dummy_afp() {
printf("\n");
}
void dummy_afp() { printf("\n"); }
#else
#define FREE(x) \
@ -20,9 +18,9 @@ void dummy_afp() {
x = NULL; \
}
#include <stdio.h>
#include <afpfs-ng/afp.h>
#include <afpfs-ng/libafpclient.h>
#include <stdio.h>
extern char *HYDRA_EXIT;
@ -50,7 +48,8 @@ static int32_t server_subconnect(struct afp_url url) {
conn_req->url = url;
conn_req->url.requested_version = 31;
//fprintf(stderr, "AFP connection - username: %s password: %s server: %s\n", url.username, url.password, url.servername);
// fprintf(stderr, "AFP connection - username: %s password: %s server: %s\n",
// url.username, url.password, url.servername);
if (strlen(url.uamname) > 0) {
if ((conn_req->uam_mask = find_uam_by_name(url.uamname)) == 0) {
@ -69,7 +68,8 @@ static int32_t server_subconnect(struct afp_url url) {
// FREE(server);
return -1;
}
//fprintf(stderr, "Connected to server: %s via UAM: %s\n", server->server_name_printable, uam_bitmap_to_string(server->using_uam));
// fprintf(stderr, "Connected to server: %s via UAM: %s\n",
// server->server_name_printable, uam_bitmap_to_string(server->using_uam));
FREE(conn_req);
FREE(server);
@ -88,7 +88,6 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char
init_uams();
afp_default_url(&tmpurl);
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
@ -110,7 +109,6 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char
return 3;
return 2;
} else {
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
@ -127,7 +125,6 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -139,7 +136,8 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
port = myport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}

11
hydra-asterisk.c
View file

@ -6,7 +6,6 @@
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
char *buf;
@ -41,7 +40,10 @@ int32_t start_asterisk(int32_t s, char *ip, int32_t port, unsigned char options,
hydra_report(stderr, "[DEBUG] S: %s\n", buf);
if (buf == NULL || (strstr(buf, "Response: ") == NULL)) {
hydra_report(stderr, "[ERROR] Asterisk Call Manager protocol error or service shutdown: %s\n", buf);
hydra_report(stderr,
"[ERROR] Asterisk Call Manager protocol error or service "
"shutdown: %s\n",
buf);
free(buf);
return 4;
}
@ -100,7 +102,10 @@ void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr
if (buf == NULL || strstr(buf, "Asterisk Call Manager/") == NULL) {
/* check the first line */
if (verbose || debug)
hydra_report(stderr, "[ERROR] Not an Asterisk Call Manager protocol or service shutdown: %s\n", buf);
hydra_report(stderr,
"[ERROR] Not an Asterisk Call Manager protocol or "
"service shutdown: %s\n",
buf);
hydra_child_exit(2);
}
free(buf);

42
hydra-cisco-enable.c
View file

@ -42,8 +42,7 @@ int32_t start_cisco_enable(int32_t s, char *ip, int32_t port, unsigned char opti
}
}
if (buf != NULL
&& (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "fail") != NULL || strstr(buf, "denied") != NULL)) {
if (buf != NULL && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "fail") != NULL || strstr(buf, "denied") != NULL)) {
free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
@ -87,7 +86,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
@ -101,7 +101,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
sprintf(buffer, "%.250s\r\n", login);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t)getpid());
hydra_child_exit(2);
}
}
@ -117,7 +118,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
sprintf(buffer, "%.250s\r\n", miscptr);
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t)getpid());
hydra_child_exit(2);
}
}
@ -132,7 +134,11 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
}
if (strstr(buf, "assw") != NULL) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating - can not login, can not login\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr,
"[ERROR] Child with pid %d terminating - can not login, can "
"not login\n",
(int32_t)getpid());
hydra_child_exit(2);
}
free(buf);
@ -147,7 +153,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
sprintf(buffer, "%.250s\r\n", "ena");
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'ena'\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'ena'\n", (int32_t)getpid());
hydra_child_exit(2);
}
@ -160,7 +167,11 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
if (failc < retry) {
next_run = 1;
failc++;
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int32_t) getpid(), failc, retry);
if (quiet != 1)
fprintf(stderr,
"[ERROR] Child with pid %d was disconnected - retrying "
"(%d of %d retries)\n",
(int32_t)getpid(), failc, retry);
sleep(3);
break;
} else {
@ -180,7 +191,8 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis
case 3: /* clean exit */
sprintf(buffer, "%.250s\r\n", "exit");
if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'exit'\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'exit'\n", (int32_t)getpid());
hydra_child_exit(0);
}
if (sock >= 0)
@ -211,11 +223,15 @@ int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, c
}
void usage_cisco_enable(const char *service) {
printf("Module cisco-enable is optionally taking the logon password for the cisco device\n"
"Note: if AAA authentication is used, use the -l option for the username\n"
printf("Module cisco-enable is optionally taking the logon password for the "
"cisco device\n"
"Note: if AAA authentication is used, use the -l option for the "
"username\n"
"and the optional parameter for the password of the user.\n"
"Examples:\n"
" hydra -P pass.txt target cisco-enable (direct console access)\n"
" hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n"
" hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n");
" hydra -P pass.txt -m cisco target cisco-enable (Logon password "
"cisco)\n"
" hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login "
"foo, password bar)\n");
}

14
hydra-cisco.c
View file

@ -95,7 +95,6 @@ int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, ch
}
} while (buf != NULL && strlen(buf) <= 1);
}
}
if (buf != NULL && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "ailur") != NULL)) {
@ -160,11 +159,16 @@ void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, F
if (failc < retry) {
next_run = 1;
failc++;
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int32_t) getpid(), failc, retry);
if (quiet != 1)
hydra_report(stderr,
"[ERROR] Child with pid %d was disconnected - "
"retrying (%d of %d retries)\n",
(int32_t)getpid(), failc, retry);
sleep(3);
break;
} else {
if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t) getpid());
if (quiet != 1)
hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t)getpid());
hydra_child_exit(0);
}
}
@ -214,5 +218,7 @@ int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *mi
}
void usage_cisco(const char *service) {
printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n");
printf("Module cisco is optionally taking the keyword ENTER, it then sends "
"an initial\n"
"ENTER when connecting to the service.\n");
}

11
hydra-cvs.c
View file

@ -30,13 +30,7 @@ int32_t start_cvs(int32_t s, char *ip, int32_t port, unsigned char options, char
/ 87 ? 105 O 35 _ 56 o 48
*/
char key[] = { 0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87,
111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105,
0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35,
125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56,
0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62
};
char key[] = {0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87, 111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105, 0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35, 125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56, 0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48, 58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62};
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -151,5 +145,6 @@ int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_cvs(const char *service) {
printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n");
printf("Module cvs is optionally taking the repository name to attack, "
"default is \"/root\"\n\n");
}

14
hydra-firebird.c
View file

@ -14,13 +14,11 @@ the msg: "no permission for direct access to security database"
#include "hydra-mod.h"
#ifndef LIBFIREBIRD
void dummy_firebird() {
printf("\n");
}
void dummy_firebird() { printf("\n"); }
#else
#include <stdio.h>
#include <ibase.h>
#include <stdio.h>
#define DEFAULT_DB "C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb"
@ -95,7 +93,6 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -112,7 +109,8 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
@ -160,5 +158,7 @@ int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char
}
void usage_firebird(const char *service) {
printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n");
printf("Module firebird is optionally taking the database path to attack,\n"
"default is \"C:\\Program "
"Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n");
}

11
hydra-ftp.c
View file

@ -20,7 +20,8 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
buf = hydra_receive_line(s);
if (buf == NULL)
return 1;
/* special hack to identify 530 user unknown msg. suggested by Jean-Baptiste.BEAUFRETON@turbomeca.fr */
/* special hack to identify 530 user unknown msg. suggested by
* Jean-Baptiste.BEAUFRETON@turbomeca.fr */
if (buf[0] == '5' && buf[1] == '3' && buf[2] == '0') {
if (verbose)
printf("[INFO] user %s does not exist, skipping\n", login);
@ -169,13 +170,9 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr
}
}
void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 0);
}
void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 0); }
void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 1);
}
void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 1); }
int32_t service_ftp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function

52
hydra-gtk/src/callbacks.c
View file

@ -15,18 +15,17 @@
#include "interface.h"
#include "support.h"
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
int hydra_pid = 0;
@ -37,7 +36,6 @@ char smbparm[128];
char sapr3id[4];
char passLoginNull[4];
#define BUF_S 1024
void hydra_select_file(GtkEntry *widget, char *text) {
@ -45,8 +43,7 @@ void hydra_select_file(GtkEntry * widget, char *text) {
GtkWidget *dialog;
char *filename;
dialog = gtk_file_chooser_dialog_new(text, (GtkWindow *) wndMain, GTK_FILE_CHOOSER_ACTION_OPEN,
GTK_STOCK_OPEN, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
dialog = gtk_file_chooser_dialog_new(text, (GtkWindow *)wndMain, GTK_FILE_CHOOSER_ACTION_OPEN, GTK_STOCK_OPEN, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
if (gtk_dialog_run(GTK_DIALOG(dialog)) == GTK_RESPONSE_ACCEPT) {
filename = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(dialog));
@ -311,11 +308,7 @@ int hydra_get_options(char *options[]) {
widget = lookup_widget(GTK_WIDGET(wndMain), "entSMB2Workgroup");
snprintf(smbparm,
sizeof(smbparm)-1,
"nthash:%s workgroup:{%s}",
pth ? "true" : "false",
(char *) gtk_entry_get_text((GtkEntry *) widget));
snprintf(smbparm, sizeof(smbparm) - 1, "nthash:%s workgroup:{%s}", pth ? "true" : "false", (char *)gtk_entry_get_text((GtkEntry *)widget));
} else if (!strcmp(tmp, "sapr3")) {
widget = lookup_widget(GTK_WIDGET(wndMain), "spnSAPR3");
j = gtk_spin_button_get_value_as_int((GtkSpinButton *)widget);
@ -350,7 +343,6 @@ int hydra_get_options(char *options[]) {
widget = lookup_widget(GTK_WIDGET(wndMain), "radioProxy");
if (!gtk_toggle_button_get_active((GtkToggleButton *)widget)) {
widget2 = lookup_widget(GTK_WIDGET(wndMain), "entHTTPProxy");
widget = lookup_widget(GTK_WIDGET(wndMain), "radioProxy2");
@ -404,7 +396,6 @@ int update_statusbar() {
i = hydra_get_options(options);
for (j = 1; j < i; j++) {
statustext = g_string_append(statustext, options[j]);
statustext = g_string_append_c(statustext, ' ');
}
@ -447,7 +438,6 @@ int read_into(int fd) {
gtk_text_buffer_get_iter_at_offset(outputbuf, &outputiter, -1);
if ((passline = strstr(in_buf, "password: ")) == NULL) {
gtk_text_buffer_insert(outputbuf, &outputiter, in_buf, result);
} else {
@ -465,10 +455,8 @@ int read_into(int fd) {
if (end - in_buf - result > 0) {
gtk_text_buffer_insert(outputbuf, &outputiter, end + 1, -1);
}
}
if (strstr(in_buf, " finished at ") != NULL) {
gtk_text_buffer_insert_with_tags_by_name(outputbuf, &outputiter, "<finished>\n\n", -1, "bold", NULL);
}
@ -530,7 +518,6 @@ static int wait_hydra_output(gpointer data) {
return TRUE;
}
/* assumes a successfull pipe() won't set the fd's to -1 */
static void close_pipe(int *pipe) {
if (-1 != pipe[0]) {
@ -550,8 +537,7 @@ static void close_pipe(int *pipe) {
*/
int *popen_re_unbuffered(char *command) {
static int p_r[2] = { -1, -1 }, p_e[2] = {
-1, -1};
static int p_r[2] = {-1, -1}, p_e[2] = {-1, -1};
static int *pfd = NULL;
char *options[128];
@ -620,21 +606,15 @@ int *popen_re_unbuffered(char *command) {
return pfd;
}
void on_quit1_activate(GtkMenuItem * menuitem, gpointer user_data) {
gtk_main_quit();
}
void on_quit1_activate(GtkMenuItem *menuitem, gpointer user_data) { gtk_main_quit(); }
void on_about1_activate(GtkMenuItem * menuitem, gpointer user_data) {
}
void on_about1_activate(GtkMenuItem *menuitem, gpointer user_data) {}
void on_btnStart_clicked(GtkButton *button, gpointer user_data) {
int *fd = NULL;
fd = popen_re_unbuffered(NULL);
g_timeout_add(200, wait_hydra_output, fd);
}
void on_btnStop_clicked(GtkButton *button, gpointer user_data) {
@ -644,7 +624,6 @@ void on_btnStop_clicked(GtkButton * button, gpointer user_data) {
}
}
void on_wndMain_destroy(GtkObject *object, gpointer user_data) {
if (hydra_pid != 0) {
kill(hydra_pid, SIGTERM);
@ -653,22 +632,18 @@ void on_wndMain_destroy(GtkObject * object, gpointer user_data) {
gtk_main_quit();
}
gboolean on_entTargetFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) {
hydra_select_file((GtkEntry *)widget, "Select target list");
gtk_widget_grab_focus(widget);
return TRUE;
}
gboolean on_entUsernameFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) {
hydra_select_file((GtkEntry *)widget, "Select username list");
gtk_widget_grab_focus(widget);
return TRUE;
}
gboolean on_entPassFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) {
hydra_select_file((GtkEntry *)widget, "Select password list");
gtk_widget_grab_focus(widget);
@ -692,8 +667,7 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) {
GtkTextIter start;
GtkTextIter end;
dialog = gtk_file_chooser_dialog_new("Save output", (GtkWindow *) wndMain, GTK_FILE_CHOOSER_ACTION_SAVE,
GTK_STOCK_SAVE, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
dialog = gtk_file_chooser_dialog_new("Save output", (GtkWindow *)wndMain, GTK_FILE_CHOOSER_ACTION_SAVE, GTK_STOCK_SAVE, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL);
if (gtk_dialog_run(GTK_DIALOG(dialog)) == GTK_RESPONSE_ACCEPT) {
filename = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(dialog));
@ -719,7 +693,8 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) {
void on_chkColon_toggled(GtkToggleButton *togglebutton, gpointer user_data) {
GtkWidget *user, *pass;
user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername");;
user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername");
;
pass = lookup_widget(GTK_WIDGET(wndMain), "frmPass");
if (gtk_toggle_button_get_active(togglebutton)) {
@ -734,7 +709,8 @@ void on_chkColon_toggled(GtkToggleButton * togglebutton, gpointer user_data) {
void on_chkDisUser_toggled(GtkToggleButton *togglebutton, gpointer user_data) {
GtkWidget *radioUsername1, *radioUsername2, *entUsername, *entUsernameFile;
radioUsername1 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1");;
radioUsername1 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1");
;
radioUsername2 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername2");
entUsername = lookup_widget(GTK_WIDGET(wndMain), "entUsername");
entUsernameFile = lookup_widget(GTK_WIDGET(wndMain), "entUsernameFile");

40
hydra-gtk/src/interface.c
View file

@ -7,13 +7,13 @@
#include <config.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <string.h>
#include <stdio.h>
#include <string.h>
#include <gdk/gdkkeysyms.h>
#include <gtk/gtk.h>
@ -22,12 +22,9 @@
#include "interface.h"
#include "support.h"
#define GLADE_HOOKUP_OBJECT(component,widget,name) \
g_object_set_data_full (G_OBJECT (component), name, \
gtk_widget_ref (widget), (GDestroyNotify) gtk_widget_unref)
#define GLADE_HOOKUP_OBJECT(component, widget, name) g_object_set_data_full(G_OBJECT(component), name, gtk_widget_ref(widget), (GDestroyNotify)gtk_widget_unref)
#define GLADE_HOOKUP_OBJECT_NO_REF(component,widget,name) \
g_object_set_data (G_OBJECT (component), name, widget)
#define GLADE_HOOKUP_OBJECT_NO_REF(component, widget, name) g_object_set_data(G_OBJECT(component), name, widget)
GtkWidget *create_wndMain(void) {
GtkWidget *wndMain;
@ -315,7 +312,6 @@ GtkWidget *create_wndMain(void) {
gtk_table_attach(GTK_TABLE(table8), label6, 0, 1, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_misc_set_alignment(GTK_MISC(label6), 0, 0.5);
chkIPV6 = gtk_check_button_new_with_mnemonic("Prefer IPV6");
gtk_widget_set_name(chkIPV6, "chkIPV6");
gtk_widget_show(chkIPV6);
@ -392,25 +388,19 @@ GtkWidget *create_wndMain(void) {
chkServiceDetails = gtk_check_button_new_with_mnemonic("Service Module Usage Details");
gtk_widget_set_name(chkServiceDetails, "chkServiceDetails");
gtk_widget_show(chkServiceDetails);
gtk_table_attach (GTK_TABLE (table9), chkServiceDetails, 2, 3, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table9), chkServiceDetails, 2, 3, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkServiceDetails, "Service Module Usage Details", NULL);
chkCompleteHelp = gtk_check_button_new_with_mnemonic("COMPLETE HELP");
gtk_widget_set_name(chkCompleteHelp, "chkCompleteHelp");
gtk_widget_show(chkCompleteHelp);
gtk_table_attach (GTK_TABLE (table9), chkCompleteHelp, 0, 2, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table9), chkCompleteHelp, 0, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkCompleteHelp, "Complete Help", NULL);
chkOldSSL = gtk_check_button_new_with_mnemonic("Use old SSL");
gtk_widget_set_name(chkOldSSL, "chkOldSSL");
gtk_widget_show(chkOldSSL);
gtk_table_attach (GTK_TABLE (table9), chkOldSSL, 1, 2, 0, 1,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table9), chkOldSSL, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkOldSSL, "Enable to use old SSL (the target must have SSL enabled!)", NULL);
label29 = gtk_label_new("Output Options");
@ -523,18 +513,14 @@ GtkWidget *create_wndMain(void) {
radioGenerate = gtk_radio_button_new_with_mnemonic(NULL, "Generate");
gtk_widget_set_name(radioGenerate, "radioGenerate");
gtk_widget_show(radioGenerate);
gtk_table_attach (GTK_TABLE (table3), radioGenerate, 0, 1, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_table_attach(GTK_TABLE(table3), radioGenerate, 0, 1, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioGenerate), radioPass1_group);
radioPass1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioGenerate));
entGeneration = gtk_entry_new();
gtk_widget_set_name(entGeneration, "entGeneration");
gtk_widget_show(entGeneration);
gtk_table_attach (GTK_TABLE (table3), entGeneration, 1, 2, 2, 3,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_table_attach(GTK_TABLE(table3), entGeneration, 1, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0);
gtk_tooltips_set_tip(tooltips, entGeneration, "Generate passwords", NULL);
gtk_entry_set_text(GTK_ENTRY(entGeneration), "1:1:a");
@ -743,17 +729,13 @@ GtkWidget *create_wndMain(void) {
chkExitF = gtk_check_button_new_with_mnemonic("Exit after first found pair (global)");
gtk_widget_set_name(chkExitF, "chkExitF");
gtk_widget_show(chkExitF);
gtk_table_attach (GTK_TABLE (table10), chkExitF, 0, 2, 3, 4,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table10), chkExitF, 0, 2, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkExitF, "Enable this to stop all attacking processes once a valid login/password pair is found (global)", NULL);
chkNoErr = gtk_check_button_new_with_mnemonic("Do not print messages about connection errors");
gtk_widget_set_name(chkNoErr, "chkNoErr");
gtk_widget_show(chkNoErr);
gtk_table_attach (GTK_TABLE (table10), chkNoErr, 0, 2, 4, 5,
(GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK),
(GtkAttachOptions) (GTK_EXPAND), 0, 0);
gtk_table_attach(GTK_TABLE(table10), chkNoErr, 0, 2, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
gtk_tooltips_set_tip(tooltips, chkNoErr, "Do not print messages about connection errors", NULL);
label30 = gtk_label_new("Performance Options");

9
hydra-gtk/src/main.c
View file

@ -8,17 +8,16 @@
#include <config.h>
#endif
#include <gtk/gtk.h>
#include <string.h>
#include "callbacks.h"
#include "interface.h"
#include "support.h"
#include "callbacks.h"
#include <gtk/gtk.h>
#include <string.h>
char *hydra_path1 = "./hydra";
char *hydra_path2 = "/usr/local/bin/hydra";
char *hydra_path3 = "/usr/bin/hydra";
int main(int argc, char *argv[]) {
extern GtkWidget *wndMain;
int i;
@ -60,7 +59,6 @@ int main(int argc, char *argv[]) {
wndMain = create_wndMain();
gtk_widget_show(wndMain);
/* if we can't use the new cool file chooser, the save button gets disabled */
#ifndef GTK_TYPE_FILE_CHOOSER
GtkWidget *btnSave;
@ -69,7 +67,6 @@ int main(int argc, char *argv[]) {
gtk_widget_set_sensitive(btnSave, FALSE);
#endif
/* update the statusbar every now and then */
g_timeout_add(600, update_statusbar, NULL);

15
hydra-gtk/src/support.c
View file

@ -7,11 +7,11 @@
#include <config.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <gtk/gtk.h>
@ -41,9 +41,7 @@ GtkWidget *lookup_widget(GtkWidget * widget, const gchar * widget_name) {
static GList *pixmaps_directories = NULL;
/* Use this function to set the directory containing installed pixmaps. */
void add_pixmap_directory(const gchar * directory) {
pixmaps_directories = g_list_prepend(pixmaps_directories, g_strdup(directory));
}
void add_pixmap_directory(const gchar *directory) { pixmaps_directories = g_list_prepend(pixmaps_directories, g_strdup(directory)); }
/* This is an internally used function to find pixmap files. */
static gchar *find_pixmap_file(const gchar *filename) {
@ -52,8 +50,7 @@ static gchar *find_pixmap_file(const gchar * filename) {
/* We step through each of the pixmaps directory to find it. */
elem = pixmaps_directories;
while (elem) {
gchar *pathname = g_strdup_printf("%s%s%s", (gchar *) elem->data,
G_DIR_SEPARATOR_S, filename);
gchar *pathname = g_strdup_printf("%s%s%s", (gchar *)elem->data, G_DIR_SEPARATOR_S, filename);
if (g_file_test(pathname, G_FILE_TEST_EXISTS))
return pathname;

3
hydra-gtk/src/support.h
View file

@ -21,11 +21,9 @@
*/
GtkWidget *lookup_widget(GtkWidget *widget, const gchar *widget_name);
/* Use this function to set the directory containing installed pixmaps. */
void add_pixmap_directory(const gchar *directory);
/*
* Private Functions.
*/
@ -39,7 +37,6 @@ GdkPixbuf *create_pixbuf(const gchar * filename);
/* This is used to set ATK action descriptions. */
void glade_set_atk_action_description(AtkAction *action, const gchar *action_name, const gchar *description);
GtkWidget *wndMain;
char *HYDRA_BIN;
guint message_id;

123
hydra-http-form.c
View file

@ -45,7 +45,8 @@ rewritten by David Maciejak
Fix and issue with strtok use and implement 1 step location follow if HTTP
3xx code is returned (david dot maciejak at gmail dot com)
Added fail or success condition, getting cookies, and allow 5 redirections by david
Added fail or success condition, getting cookies, and allow 5 redirections by
david
*/
@ -195,7 +196,8 @@ int32_t add_or_update_cookie(ptr_cookie_node * ptr_cookie, char *cookie_expr) {
cookie_name = strndup(cookie_expr, cookie_value - cookie_expr);
cookie_value = strdup(cookie_value + 1);
// we've got the cookie's name and value, now it's time to insert or update the list
// we've got the cookie's name and value, now it's time to insert or update
// the list
if (*ptr_cookie == NULL) {
// no cookies
append_cookie(cookie_name, cookie_value, ptr_cookie);
@ -257,23 +259,20 @@ int32_t add_header(ptr_header_node * ptr_head, char *header, char *value, char t
ptr_header_node existing_hdr, new_ptr;
// get to the last header
for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next);
for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next)
;
char *new_header = strdup(header);
char *new_value = strdup(value);
if (new_header && new_value) {
if ((type == HEADER_TYPE_USERHEADER) ||
(type == HEADER_TYPE_DEFAULT && !header_exists(ptr_head, new_header, HEADER_TYPE_USERHEADER_REPL)) ||
(type == HEADER_TYPE_USERHEADER_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) ||
(type == HEADER_TYPE_DEFAULT_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT))
) {
if ((type == HEADER_TYPE_USERHEADER) || (type == HEADER_TYPE_DEFAULT && !header_exists(ptr_head, new_header, HEADER_TYPE_USERHEADER_REPL)) || (type == HEADER_TYPE_USERHEADER_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) || (type == HEADER_TYPE_DEFAULT_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT))) {
/*
* We are in one of the following scenarios:
* 1. A default header with no user-supplied headers that replace it.
* 2. A user-supplied header that must be appended (option 'h').
* 3. A user-supplied header that must replace a default header (option 'h'),
* but no default headers exist with that name.
* 3. A user-supplied header that must replace a default header
* (option 'h'), but no default headers exist with that name.
*
* In either case we just add the header to the list.
*/
@ -571,7 +570,6 @@ char *html_encode(char *string) {
return ret;
}
/*
int32_t analyze_server_response(int32_t socket)
return 0 or 1 when the cond regex is matched
@ -635,27 +633,33 @@ int32_t analyze_server_response(int32_t s) {
tmpname[sizeof(tmpname) - 2] = 0;
ptr = index(tmpname, '=');
*(++ptr) = 0;
// is the cookie already in the cookiejar? (so, does it have to be replaced?)
// is the cookie already in the cookiejar? (so, does it have to be
// replaced?)
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the ones before
// if the cookie is not in the beginning of the cookiejar, copy the
// ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
}
ptr += strlen(tmpname);
// if there are any cookies after this one in the cookiejar, copy them over
// if there are any cookies after this one in the cookiejar, copy
// them over
if ((ptr2 = strstr(ptr, "; ")) != NULL) {
ptr2 += 2;
strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1);
}
if (debug)
printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie);
printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: "
"%s\n",
tmpname, cookie, tmpcookie);
strcpy(cookie, tmpcookie);
}
}
ptr = index(str, '=');
// only copy the cookie if it has a value (otherwise the server wants to delete the cookie)
// only copy the cookie if it has a value (otherwise the server wants to
// delete the cookie)
if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') {
if (strlen(cookie) > 0)
strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1);
@ -694,8 +698,7 @@ void hydra_reconnect(int32_t s, char *ip, int32_t port, unsigned char options, c
}
}
int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname, char *type, ptr_header_node ptr_head,
ptr_cookie_node ptr_cookie) {
int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char *type, ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) {
char *empty = "";
char *login, *pass, clogin[256], cpass[256], b64login[345], b64pass[345];
char header[8096], *upd3variables;
@ -928,7 +931,9 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
found = analyze_server_response(s);
if (auth_flag) { // we received a 401 error - user is using wrong module
hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n",
hydra_report(stderr,
"[ERROR] the target is using HTTP auth, not a web form, received HTTP "
"error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
@ -1092,8 +1097,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
return 1;
}
void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char *type, ptr_header_node * ptr_head,
ptr_cookie_node * ptr_cookie) {
void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char *type, ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL;
@ -1268,7 +1272,6 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
if (*ptr != 0)
*ptr++ = 0;
if ((ptr2 = rindex(ptr, ':')) != NULL) {
cond = ptr2 + 1;
*ptr2 = 0;
@ -1304,7 +1307,9 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
}
}
//printf("ptr: %s ptr2: %s cond: %s url: %s variables: %s optional1: %s\n", ptr, ptr2, cond, url, variables, optional1 == NULL ? "null" : optional1);
// printf("ptr: %s ptr2: %s cond: %s url: %s variables: %s optional1:
// %s\n", ptr, ptr2, cond, url, variables, optional1 == NULL ? "null" :
// optional1);
if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */)
hydra_child_exit(2);
@ -1328,7 +1333,8 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
success_cond = 0;
}
//printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond);
// printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s
// (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond);
/*
* Parse the user-supplied options.
@ -1396,37 +1402,62 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
void usage_http_form(const char *service) {
printf("Module %s requires the page and the parameters for the web form.\n\n"
"By default this module is configured to follow a maximum of 5 redirections in\n"
"a row. It always gathers a new cookie from the same URL without variables\n"
"The parameters take three \":\" separated values, plus optional values.\n"
"(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
"\nSyntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]\n"
"By default this module is configured to follow a maximum of 5 "
"redirections in\n"
"a row. It always gathers a new cookie from the same URL without "
"variables\n"
"The parameters take three \":\" separated values, plus optional "
"values.\n"
"(Note: if you need a colon in the option string as value, escape it "
"with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
"\nSyntax: <url>:<form parameters>:<condition "
"string>[:<optional>[:<optional>]\n"
"First is the page on the server to GET or POST to (URL).\n"
"Second is the POST/GET variables (taken from either the browser, proxy, etc.\n"
" with url-encoded (resp. base64-encoded) usernames and passwords being replaced in the\n"
" \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") placeholders (FORM PARAMETERS)\n"
"Second is the POST/GET variables (taken from either the browser, proxy, "
"etc.\n"
" with url-encoded (resp. base64-encoded) usernames and passwords being "
"replaced in the\n"
" \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") "
"placeholders (FORM PARAMETERS)\n"
"Third is the string that it checks for an *invalid* login (by default)\n"
" Invalid condition login check can be preceded by \"F=\", successful condition\n"
" Invalid condition login check can be preceded by \"F=\", successful "
"condition\n"
" login check must be preceded by \"S=\".\n"
" This is where most people get it wrong. You have to check the webapp what a\n"
" This is where most people get it wrong. You have to check the webapp "
"what a\n"
" failed string looks like and put it in this parameter!\n"
"The following parameters are optional:\n"
" (c|C)=/page/uri to define a different page to gather initial cookies from\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n"
" ^USER[64]^ and ^PASS[64]^ can also be put into these headers!\n"
" (c|C)=/page/uri to define a different page to gather initial "
"cookies from\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each "
"request\n"
" ^USER[64]^ and ^PASS[64]^ can also be put into these "
"headers!\n"
" Note: 'h' will add the user-defined header at the end\n"
" regardless it's already being sent by Hydra or not.\n"
" 'H' will replace the value of that header if it exists, by the\n"
" one supplied by the user, or add the header at the end\n"
"Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n"
" All colons that are not option separators should be escaped (see the examples above and below).\n"
" You can specify a header without escaping the colons, but that way you will not be able to put colons\n"
" in the header value itself, as they will be interpreted by hydra as option separators.\n"
" 'H' will replace the value of that header if it "
"exists, by the\n"
" one supplied by the user, or add the header at the "
"end\n"
"Note that if you are going to put colons (:) in your headers you should "
"escape them with a backslash (\\).\n"
" All colons that are not option separators should be escaped (see the "
"examples above and below).\n"
" You can specify a header without escaping the colons, but that way you "
"will not be able to put colons\n"
" in the header value itself, as they will be interpreted by hydra as "
"option separators.\n"
"\nExamples:\n"
" \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
" \"/login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*success\"\n"
" \"/"
"login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*"
"success\"\n"
" \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n"
" \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n",
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic "
"dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n"
" \"/exchweb/bin/auth/"
"owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&"
"username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:"
"reason=:C=/exchweb\"\n",
service);
}

34
hydra-http-proxy-urlenum.c
View file

@ -75,7 +75,10 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
http_proxy_auth_mechanism = AUTH_BASIC;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -105,14 +108,18 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
http_proxy_auth_mechanism = AUTH_NTLM;
// send auth and receive challenge
//send auth request: let the server send it's own hostname and domainname
// send auth request: let the server send it's own hostname and
// domainname
buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2));
/* to be portable, no snprintf, buffer is big enough so it can't overflow */
/* to be portable, no snprintf, buffer is big enough so it can't
* overflow */
// send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
@ -143,8 +150,10 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha
// Send response
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1,
header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -256,7 +265,8 @@ void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, cha
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -293,8 +303,12 @@ int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char opti
}
void usage_http_proxy_urlenum(const char *service) {
printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n"
printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P "
"option.\n"
"The -L loginfile must contain the URL list to try through the proxy.\n"
"The proxy credentials cann be put as the optional parameter, e.g.\n"
" hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n");
" hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum "
"user:pass\n"
" hydra -L urllist.txt "
"http-proxy-urlenum://target.com:3128/user:pass\n\n");
}

27
hydra-http-proxy.c
View file

@ -82,7 +82,10 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
http_proxy_auth_mechanism = AUTH_BASIC;
sprintf(buffer2, "%.50s:%.50s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\n%s\r\n",
url, host, buffer2, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -106,7 +109,6 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
hydra_report(stderr, "S:%s\n", http_proxy_buf);
} else {
if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) {
unsigned char buf1[4096];
unsigned char buf2[4096];
char *pos = NULL;
@ -117,9 +119,13 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2));
/* to be portable, no snprintf, buffer is big enough so it can't overflow */
/* to be portable, no snprintf, buffer is big enough so it can't overflow
*/
// send the first..
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 3;
@ -151,7 +157,10 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
// Send response
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header);
sprintf(buffer,
"GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n",
url, host, buf1, header);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
@ -170,7 +179,6 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option
} else {
#ifdef LIBOPENSSL
if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) {
char *pbuffer;
http_proxy_auth_mechanism = AUTH_DIGESTMD5;
@ -277,7 +285,8 @@ void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscp
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -315,5 +324,7 @@ int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, cha
void usage_http_proxy(const char *service) {
printf("Module http-proxy is optionally taking the page to authenticate at.\n"
"Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n");
"Default is http://www.microsoft.com/)\n"
"Basic, DIGEST-MD5 and NTLM are supported and negotiated "
"automatically.\n\n");
}

109
hydra-http.c
View file

@ -1,8 +1,6 @@
#include "hydra-http.h"
#include "sasl.h"
extern char *HYDRA_EXIT;
char *webtarget = NULL;
char *slash = "/";
@ -53,14 +51,24 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
/* again: no snprintf to be portable. don't worry, buffer can't overflow */
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: "
"close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: "
"close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buffer2, header);
else
sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header);
sprintf(buffer,
"%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: "
"close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, miscptr, webtarget, buffer2, header);
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
@ -85,8 +93,7 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (debug)
hydra_report(stderr, "C:%s\n", buffer2);
strcpy(buffer, buffer2);
}
break;
} break;
#endif
case AUTH_NTLM: {
@ -103,15 +110,21 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
// send the first..
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, header);
else
sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
buf1, header);
sprintf(buffer,
"%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, miscptr, webtarget, buf1, header);
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -161,21 +174,26 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
// create the auth response
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
sprintf(buffer,
"%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, buf1, header);
else
sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget,
buf1, header);
sprintf(buffer,
"%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n",
type, miscptr, webtarget, buf1, header);
}
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
}
break;
} break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -191,7 +209,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
tmpreplybuf[0] = 0;
while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) {
if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
if (debug)
printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf);
if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) {
strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1);
tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0;
@ -204,7 +223,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcat(tmpreplybufptr, http_buf);
free(http_buf);
http_buf = tmpreplybufptr;
if (debug) printf("http_buf now: %s\n", http_buf);
if (debug)
printf("http_buf now: %s\n", http_buf);
}
} else {
free(http_buf);
@ -234,10 +254,12 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha
#else
if (end_condition_type >= 0 && (strstr(http_buf, end_condition) == NULL ? 0 : 1) != end_condition_type) {
#endif
if (debug) hydra_report(stderr, "End condition not match continue.\n");
if (debug)
hydra_report(stderr, "End condition not match continue.\n");
hydra_completed_pair();
} else {
if (debug) hydra_report(stderr, "END condition %s match.\n",end_condition);
if (debug)
hydra_report(stderr, "END condition %s match.\n", end_condition);
hydra_report_found_host(port, ip, "www", fp);
hydra_completed_pair_found();
}
@ -313,8 +335,7 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
*ptr2 = 0;
} else
webtarget = hostname;
} else
if (strlen(miscptr) == 0)
} else if (strlen(miscptr) == 0)
miscptr = strdup("/");
if (webtarget == NULL)
webtarget = hostname;
@ -333,7 +354,8 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
*ptr++ = 0;
optional1 = ptr;
if (!parse_options(optional1, &ptr_head)) // this function is in hydra-http-form.c !!
if (!parse_options(optional1,
&ptr_head)) // this function is in hydra-http-form.c !!
run = 4;
if (http_auth_mechanism == AUTH_UNASSIGNED)
@ -360,7 +382,8 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (sock < 0) {
if (freemischttp)
free(miscptr);
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -386,17 +409,11 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
}
void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_http(ip, sp, options, miscptr, fp, port, hostname, "GET");
}
void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "GET"); }
void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_http(ip, sp, options, miscptr, fp, port, hostname, "POST");
}
void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "POST"); }
void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_http(ip, sp, options, miscptr, fp, port, hostname, "HEAD");
}
void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "HEAD"); }
int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -409,8 +426,6 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
/*POU CODE */
char *start = strstr(miscptr, "F=");
if (start == NULL)
@ -443,19 +458,23 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis
hydra_report(stderr, "Condition not found\n");
}
return 0;
}
void usage_http(const char *service) {
printf("Module %s requires the page to authenticate.\n"
"The following parameters are optional:\n"
" (a|A)=auth-type specify authentication mechanism to use: BASIC, NTLM or MD5\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n"
" (F|S)=check for text in the HTTP reply. S= means if this text is found, a\n"
" valid account has been found, F= means if this string is present the\n"
" combination is invalid. Note: this must be the last option supplied.\n"
"For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n", service);
" (a|A)=auth-type specify authentication mechanism to use: BASIC, "
"NTLM or MD5\n"
" (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each "
"request\n"
" (F|S)=check for text in the HTTP reply. S= means if this text is "
"found, a\n"
" valid account has been found, F= means if this string is "
"present the\n"
" combination is invalid. Note: this must be the last option "
"supplied.\n"
"For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: "
"sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n",
service);
}

36
hydra-icq.c
View file

@ -4,32 +4,10 @@ extern char *HYDRA_EXIT;
extern int32_t child_head_no;
int32_t seq = 1;
const unsigned char icq5_table[] = {
0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C,
0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F,
0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50,
0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64,
0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C,
0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48, 0x33, 0x31,
0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48,
0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A,
0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F,
0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64,
0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50,
0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35, 0x5A, 0x4A, 0x62, 0x66,
0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58,
0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C,
0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44,
0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C,
0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59,
0x60, 0x57, 0x5B, 0x3D, 0x3E, 0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A,
0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B,
0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67,
0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D,
0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43,
0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35,
0x5A, 0x00, 0x00
};
const unsigned char icq5_table[] = {0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F, 0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64, 0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48,
0x33, 0x31, 0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A, 0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35,
0x5A, 0x4A, 0x62, 0x66, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44, 0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x3E,
0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67, 0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D, 0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35, 0x5A, 0x00, 0x00};
void fix_packet(char *buf, int32_t len) {
unsigned long c1, c2;
@ -188,7 +166,8 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis
break;
}
/* if((buf[2] != 10 || buf[3] != 0) && (buf[2] != 250 || buf[3] != 0)) */
/* if((buf[2] != 10 || buf[3] != 0) && (buf[2] != 250 || buf[3] != 0))
*/
}
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
@ -221,7 +200,8 @@ void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
sock = hydra_disconnect(sock);
sock = hydra_connect_udp(ip, myport);
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;

40
hydra-imap.c
View file

@ -20,7 +20,8 @@ char *imap_read_server_capacity(int32_t sock) {
if (strstr(buf, "CAPABILITY") != NULL && buf[0] == '*') {
resp = 1;
usleepn(300);
/* we got the capability info then get the completed warning info from server */
/* we got the capability info then get the completed warning info from
* server */
while (hydra_data_ready(sock)) {
free(buf);
buf = hydra_receive_line(sock);
@ -120,7 +121,6 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
switch (imap_auth_mechanism) {
case AUTH_CRAMMD5:
sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter);
break;
@ -163,18 +163,15 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
case AUTH_CRAMMD5: {
sasl_cram_md5(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA1: {
sasl_cram_sha1(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA256: {
sasl_cram_sha256(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
}
hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@ -183,8 +180,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter);
@ -214,8 +210,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
case AUTH_SCRAMSHA1: {
char clientfirstmessagebare[200];
char serverfirstmessage[200];
@ -275,8 +270,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
}
break;
} break;
#endif
case AUTH_NTLM: {
unsigned char buf1[4096];
@ -320,8 +314,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
} break;
default:
// clear authentication
sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass);
@ -415,14 +408,16 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
#ifdef LIBOPENSSL
if (!disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
/* check for STARTTLS, if available we may have access to more basic
* auth methods */
if (strstr(buf, "STARTTLS") != NULL) {
hydra_send(sock, "2 STARTTLS\r\n", strlen("2 STARTTLS\r\n"), 0);
counter++;
free(buf);
buf = hydra_receive_line(sock);
if (buf == NULL || (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL)) {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -444,7 +439,8 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
hydra_child_exit(2);
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is "
"not supported by the server\n");
}
#endif
@ -487,7 +483,6 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "CLEAR"))
imap_auth_mechanism = AUTH_CLEAR;
@ -588,5 +583,8 @@ int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_imap(const char *service) {
printf("Module imap is optionally taking one authentication type of:\n"
" CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n"
" CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n");
" CRAM-SHA256, DIGEST-MD5, NTLM\n"
"Additionally TLS encryption via STARTTLS can be enforced with the "
"TLS option.\n\n"
"Example: imap://target/TLS:PLAIN\n");
}

22
hydra-irc.c
View file

@ -105,10 +105,16 @@ int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options,
#endif
hydra_report_pass_found(port, ip, "irc", fp);
hydra_completed_pair_found();
hydra_report(stderr, "[INFO] Server password '%s' is working, you can pass it as argument\nto irc module to then try login/password oper mode\n", pass);
hydra_report(stderr,
"[INFO] Server password '%s' is working, you can pass it as "
"argument\nto irc module to then try login/password oper mode\n",
pass);
} else {
if (verbose && (miscptr != NULL))
hydra_report(stderr, "[VERBOSE] Server is requesting a general password, '%s' you entered is not working\n", miscptr);
hydra_report(stderr,
"[VERBOSE] Server is requesting a general password, '%s' "
"you entered is not working\n",
miscptr);
hydra_completed_pair();
}
@ -180,10 +186,14 @@ void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
hydra_child_exit(0);
}
/* ERROR :Bad password is returned from ngircd when it s waiting for a server password */
/* ERROR :Bad password is returned from ngircd when it s waiting for a
* server password */
if ((ret > 0) && (strstr(buffer, " 001 ") == NULL)) {
/* seems we not successfully connected */
hydra_report(stderr, "[ERROR] should not be able to identify server msg, please report it\n%s\n", buffer);
hydra_report(stderr,
"[ERROR] should not be able to identify server msg, "
"please report it\n%s\n",
buffer);
hydra_child_exit(0);
}
@ -223,5 +233,7 @@ int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_irc(const char *service) {
printf("Module irc is optionally taking the general server password, if the server is requiring one, and if none is passed the password from -p/-P will be used\n\n");
printf("Module irc is optionally taking the general server password, if the "
"server is requiring one, and if none is passed the password from "
"-p/-P will be used\n\n");
}

54
hydra-ldap.c
View file

@ -306,13 +306,19 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 53) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Server unwilling to perform action, maybe deny by server config or too busy when tried login: %s password: %s\n", login, pass);
hydra_report(stderr,
"[VERBOSE] Server unwilling to perform action, maybe deny by server "
"config or too busy when tried login: %s password: %s\n",
login, pass);
free(buf);
return 1;
}
if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) {
hydra_report(stderr, "[ERROR] Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2');
hydra_report(stderr,
"[ERROR] Invalid protocol version, you tried ldap%c, better "
"try ldap%c\n",
version + '0', version == 2 ? '3' : '2');
free(buf);
hydra_child_exit(2);
sleep(1);
@ -335,7 +341,6 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
}
} else {
if (buf[9] != 49 && buf[9] != 2 && buf[9] != 53) {
hydra_report(stderr, "[ERROR] Uh, unknown LDAP response! Please report this: \n");
print_hex((unsigned char *)buf, 24);
@ -382,8 +387,10 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
counter = 1;
if (tls_required) {
/* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC 2830 */
char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";
/* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC
* 2830 */
char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31"
"\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";
if (hydra_send(sock, confidentiality_required, strlen(confidentiality_required), 0) < 0)
hydra_child_exit(1);
@ -427,21 +434,13 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
}
void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR);
}
void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR); }
void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR);
}
void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR); }
void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5);
}
void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5); }
void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5);
}
void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5); }
int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -454,7 +453,8 @@ int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *mis
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
if (miscptr != NULL && strlen(miscptr) > 220) {
fprintf(stderr, "[ERROR] the option string to this module may not be larger than 220 bytes\n");
fprintf(stderr, "[ERROR] the option string to this module may not be "
"larger than 220 bytes\n");
return -1;
}
@ -462,12 +462,18 @@ int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *mis
}
void usage_ldap(const char *service) {
printf("Module %s is optionally taking the DN (depending of the auth method choosed\n"
"Note: you can also specify the DN as login when Simple auth method is used).\n"
printf("Module %s is optionally taking the DN (depending of the auth method "
"choosed\n"
"Note: you can also specify the DN as login when Simple auth method "
"is used).\n"
"The keyword \"^USER^\" is replaced with the login.\n"
"Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n"
"unauthenticated (user but no pass), user/pass authenticated (user and pass).\n"
"Special notes for Simple method has 3 operation modes: anonymous, "
"(no user no pass),\n"
"unauthenticated (user but no pass), user/pass authenticated (user "
"and pass).\n"
"So don't forget to set empty string as user/pass to test all modes.\n"
"Hint: to authenticate to a windows active directory ldap, this is usually\n"
" cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", service);
"Hint: to authenticate to a windows active directory ldap, this is "
"usually\n"
" cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n",
service);
}

9
hydra-memcached.c
View file

@ -8,9 +8,7 @@
#include "hydra-mod.h"
#ifndef LIBMCACHED
void dummy_mcached() {
printf("\n");
}
void dummy_mcached() { printf("\n"); }
#else
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -33,8 +31,6 @@ int mcached_send_com_version(int32_t sock) {
return 0;
}
int32_t start_mcached(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *login, *pass;
@ -127,7 +123,8 @@ void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr,
return;
default:
if (!verbose)
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose "
"option for more details\n");
hydra_child_exit(2);
}
run = next_run;

190
hydra-mod.c
View file

@ -1,10 +1,10 @@
#include "hydra-mod.h"
#include <arpa/inet.h>
#ifdef LIBOPENSSL
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#endif
#ifdef HAVE_PCRE
#include <pcre.h>
@ -63,17 +63,20 @@ void alarming() {
fail++;
alarm_went_off++;
/* uh, I think it's not good for performance if we try to reconnect to a timeout system!
* if (fail > MAX_CONNECT_RETRY) {
/* uh, I think it's not good for performance if we try to reconnect to a
* timeout system! if (fail > MAX_CONNECT_RETRY) {
*/
//fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n", (int32_t) getpid());
// fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n",
// (int32_t) getpid());
if (debug)
printf("DEBUG_CONNECT_TIMEOUT\n");
hydra_child_exit(1);
/*
* } else {
* if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout], retrying (%d of %d retries)\n", (int32_t)getpid(), fail, MAX_CONNECT_RETRY);
* if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout],
* retrying (%d of %d retries)\n", (int32_t)getpid(), fail,
* MAX_CONNECT_RETRY);
* }
*/
}
@ -167,7 +170,6 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
}
}
if (use_proxy > 0 && proxy_count > 0) {
if (proxy_string_ip[selected_proxy][0] == 4) {
memcpy(&target.sin_addr.s_addr, &proxy_string_ip[selected_proxy][1], 4);
target.sin_family = AF_INET;
@ -223,7 +225,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
fail++;
if (verbose) {
if (do_retry && fail <= MAX_CONNECT_RETRY)
fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int32_t) getpid(), fail, MAX_CONNECT_RETRY);
fprintf(stderr,
"Process %d: Can not connect [unreachable], retrying (%d "
"of %d retries)\n",
(int32_t)getpid(), fail, MAX_CONNECT_RETRY);
else
fprintf(stderr, "Process %d: Can not connect [unreachable]\n", (int32_t)getpid());
}
@ -234,7 +239,8 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
printf("DEBUG_CONNECT_UNREACHABLE\n");
/* we wont quit here, thats up to the module to decide what to do
* fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int32_t)getpid());
* fprintf(stderr, "Process %d: Can not connect
* [unreachable], process exiting\n", (int32_t)getpid());
* hydra_child_exit(1);
*/
extern_socket = -1;
@ -280,7 +286,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
else
snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port);
else if (host[0] == 16)
snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication[selected_proxy]);
snprintf(buf, 4096,
"CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic "
"%s\r\n\r\n",
hydra_address2string(host), port, proxy_authentication[selected_proxy]);
else
snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication[selected_proxy]);
@ -326,7 +335,8 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
err = 1;
}
if ((unsigned char)buf[1] == SOCKS_NOMETHOD) {
hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n");
hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method "
"negotiation failed\n");
err = 1;
}
/* SOCKS_DOMAIN not supported here, do we need it ? */
@ -439,7 +449,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t
}
}
} else {
hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type[selected_proxy]);
hydra_report(stderr,
"[ERROR] Unknown proxy type: %s, valid type are "
"\"connect\", \"socks4\" or \"socks5\"\n",
proxy_string_type[selected_proxy]);
err = 1;
}
}
@ -624,9 +637,11 @@ void hydra_child_exit(int32_t code) {
__fck = write(intern_socket, "C", 1);
else if (code == 2) /* application protocol error or service shutdown */
__fck = write(intern_socket, "E", 1);
// code 3 means exit without telling mommy about it - a bad idea. mommy should know
// code 3 means exit without telling mommy about it - a bad idea. mommy should
// know
else if (code == -1 || code > 3) {
fprintf(stderr, "[TOTAL FUCKUP] a module should not use hydra_child_exit(-1) ! Fix it in the source please ...\n");
fprintf(stderr, "[TOTAL FUCKUP] a module should not use "
"hydra_child_exit(-1) ! Fix it in the source please ...\n");
__fck = write(intern_socket, "E", 1);
}
do {
@ -637,9 +652,7 @@ void hydra_child_exit(int32_t code) {
exit(0); // might be killed before reaching this
}
void hydra_register_socket(int32_t s) {
intern_socket = s;
}
void hydra_register_socket(int32_t s) { intern_socket = s; }
char *hydra_get_next_pair() {
if (pair[0] == 0) {
@ -737,19 +750,20 @@ void hydra_report_found(int32_t port, char *svc, FILE * fp) {
/*
if (!strcmp(svc, "rsh"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m\n", port, svc, hydra_get_next_login());
else
fprintf(fp, "[%d][%s] login: %s\n", port, svc, hydra_get_next_login());
else if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
else
fprintf(fp, "[%d][%s] login: %s password: %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m\n",
port, svc, hydra_get_next_login()); else fprintf(fp, "[%d][%s] login: %s\n",
port, svc, hydra_get_next_login()); else if (colored_output) fprintf(fp,
"[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m password:
\e[32m%s\e[0m\n", port, svc, hydra_get_next_login(),
hydra_get_next_password()); else fprintf(fp, "[%d][%s] login: %s password:
%s\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
if (stdout != fp) {
if (!strcmp(svc, "rsh"))
printf("[%d][%s] login: %s\n", port, svc, hydra_get_next_login());
else
printf("[%d][%s] login: %s password: %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password());
printf("[%d][%s] login: %s password: %s\n", port, svc,
hydra_get_next_login(), hydra_get_next_password());
}
fflush(fp);
@ -761,11 +775,11 @@ void hydra_report_pass_found(int32_t port, char *ip, char *svc, FILE * fp) {
/*
strcpy(ipaddr_str, hydra_address2string(ip));
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
if (stdout != fp)
printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); if (stdout != fp) printf("[%d][%s] host: %s
password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
fflush(fp);
*/
}
@ -778,33 +792,34 @@ void hydra_report_found_host(int32_t port, char *ip, char *svc, FILE * fp) {
keyw = "domain";
if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login());
else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_login());
else if (!strcmp(svc, "snmp3"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco"))
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m %s: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw,
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login()); else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str,
hydra_get_next_login()); else if (!strcmp(svc, "snmp3")) if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else
fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); else if (!strcmp(svc, "cisco-enable") ||
!strcmp(svc, "cisco")) if (colored_output) fprintf(fp,
"[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password:
\e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else
fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); else if (colored_output) fprintf(fp,
"[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m
%s: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw,
hydra_get_next_password());
else
fprintf(fp, "[%d][%s] host: %s login: %s %s: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password());
if (stdout != fp) {
if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid"))
printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_login());
else if (!strcmp(svc, "snmp3"))
printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
fprintf(fp, "[%d][%s] host: %s login: %s %s: %s\n", port, svc,
ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password()); if
(stdout != fp) { if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid"))
printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str,
hydra_get_next_login()); else if (!strcmp(svc, "snmp3")) printf("[%d][%s]
host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco"))
printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password());
else
printf("[%d][%s] host: %s login: %s %s: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password());
printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str,
hydra_get_next_password()); else printf("[%d][%s] host: %s login: %s %s:
%s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw,
hydra_get_next_password());
}
fflush(fp);
fflush(stdout);
@ -815,12 +830,13 @@ void hydra_report_found_host_msg(int32_t port, char *ip, char *svc, FILE * fp, c
/*
strcpy(ipaddr_str, hydra_address2string(ip));
if (colored_output)
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m password: \e[32m%s\e[0m [%s]\n", port, svc, ipaddr_str, hydra_get_next_login(),
hydra_get_next_password(), msg);
else
fprintf(fp, "[%d][%s] host: %s login: %s password: %s [%s]\n", port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password(), msg);
if (stdout != fp)
printf("[%d][%s] host: %s login: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password());
fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login:
\e[32m%s\e[0m password: \e[32m%s\e[0m [%s]\n", port, svc, ipaddr_str,
hydra_get_next_login(), hydra_get_next_password(), msg); else fprintf(fp,
"[%d][%s] host: %s login: %s password: %s [%s]\n", port, svc,
ipaddr_str, hydra_get_next_login(), hydra_get_next_password(), msg); if
(stdout != fp) printf("[%d][%s] host: %s login: %s password: %s\n",
port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password());
fflush(fp);
*/
}
@ -886,9 +902,7 @@ int32_t hydra_data_ready_writing_timed(int32_t socket, long sec, long usec) {
return (my_select(socket + 1, &fds, NULL, NULL, sec, usec));
}
int32_t hydra_data_ready_writing(int32_t socket) {
return (hydra_data_ready_writing_timed(socket, 30, 0));
}
int32_t hydra_data_ready_writing(int32_t socket) { return (hydra_data_ready_writing_timed(socket, 30, 0)); }
int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec) {
fd_set fds;
@ -898,9 +912,7 @@ int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec) {
return (my_select(socket + 1, &fds, NULL, NULL, sec, usec));
}
int32_t hydra_data_ready(int32_t socket) {
return (hydra_data_ready_timed(socket, 0, 100));
}
int32_t hydra_data_ready(int32_t socket) { return (hydra_data_ready_timed(socket, 0, 100)); }
int32_t hydra_recv(int32_t socket, char *buf, uint32_t length) {
int32_t ret;
@ -910,7 +922,8 @@ int32_t hydra_recv(int32_t socket, char *buf, uint32_t length) {
if (debug) {
sprintf(text, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data(buf, ret, text);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", buf, getpid(), ret);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]",
// buf, getpid(), ret);
}
return ret;
}
@ -931,7 +944,8 @@ int32_t hydra_recv_nb(int32_t socket, char *buf, uint32_t length) {
if (debug) {
sprintf(text, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data(buf, ret, text);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", buf, getpid(), ret);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]",
// buf, getpid(), ret);
}
}
return ret;
@ -949,7 +963,9 @@ char *hydra_receive_line(int32_t socket) {
memset(buff, 0, sizeof(buf));
if (debug)
printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, pid: %d\n", waittime, conwait, socket, getpid());
printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, "
"pid: %d\n",
waittime, conwait, socket, getpid());
if ((i = hydra_data_ready_timed(socket, (long)waittime, 0)) > 0) {
do {
@ -984,14 +1000,16 @@ char *hydra_receive_line(int32_t socket) {
if (debug) {
sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data(buff, got, pid);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END", getpid(), got, buff);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END",
// getpid(), got, buff);
}
} else {
if (got < 0) {
if (debug) {
sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid());
hydra_dump_data((unsigned char *)"", -1, pid);
//hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]", getpid(), i);
// hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]",
// getpid(), i);
perror("recv");
}
}
@ -1002,7 +1020,9 @@ char *hydra_receive_line(int32_t socket) {
usleepn(100);
} else {
if (debug)
printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, socket: %d\n", i, waittime, conwait, socket);
printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, "
"socket: %d\n",
i, waittime, conwait, socket);
}
return buff;
@ -1025,12 +1045,13 @@ int32_t hydra_send(int32_t socket, char *buf, uint32_t size, int32_t options) {
else
debugbuf[k] = buf[k];
debugbuf[size] = 0;
hydra_report_debug(stderr, "DEBUG_SEND_BEGIN|%s|END [pid:%d]", debugbuf, getpid());
free(debugbuf);
hydra_report_debug(stderr, "DEBUG_SEND_BEGIN|%s|END [pid:%d]",
debugbuf, getpid()); free(debugbuf);
}*/
}
/* if (hydra_data_ready_writing(socket)) < 1) return -1; XXX maybe needed in the future */
/* if (hydra_data_ready_writing(socket)) < 1) return -1; XXX maybe needed
* in the future */
return (internal__hydra_send(socket, buf, size, options));
}
@ -1046,15 +1067,16 @@ int32_t make_to_lower(char *buf) {
char *hydra_strrep(char *string, char *oldpiece, char *newpiece) {
int32_t str_index, newstr_index, oldpiece_index, end, new_len, old_len, cpy_len;
char *c, oldstring[6096], newstring[6096]; //updated due to issue 192 on github.
char *c, oldstring[6096],
newstring[6096]; // updated due to issue 192 on github.
static char finalstring[6096];
if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1
|| (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece)))
if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1 || (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece)))
return NULL;
if (strlen(string) > 6000) {
hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max limit is 6000 characters.\n");
hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max "
"limit is 6000 characters.\n");
exit(-1);
}
@ -1263,9 +1285,7 @@ char *hydra_address2string_beautiful(char *address) {
return NULL; // not reached
}
void hydra_set_srcport(int32_t port) {
src_port = port;
}
void hydra_set_srcport(int32_t port) { src_port = port; }
#ifdef HAVE_PCRE
int32_t hydra_string_match(char *str, const char *regex) {
@ -1292,9 +1312,9 @@ int32_t hydra_string_match(char *str, const char *regex) {
* str_replace.c implements a str_replace PHP like function
* Copyright (C) 2009 chantra <chantra__A__debuntu__D__org>
*
* Create a new string with [substr] being replaced ONCE by [replacement] in [string]
* Returns the new string, or NULL if out of memory.
* The caller is responsible for freeing this new string.
* Create a new string with [substr] being replaced ONCE by [replacement] in
* [string] Returns the new string, or NULL if out of memory. The caller is
* responsible for freeing this new string.
*
*/
char *hydra_string_replace(const char *string, const char *substr, const char *replacement) {

19
hydra-mongodb.c
View file

@ -9,9 +9,7 @@
#include "hydra-mod.h"
#ifndef LIBMONGODB
void dummy_mongodb() {
printf("\n");
}
void dummy_mongodb() { printf("\n"); }
#else
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -31,16 +29,17 @@ int is_error_msg(char *msg) {
}
int require_auth(int32_t sock) {
unsigned char m_hdr[] =
"\x3f\x00\x00\x00" //messageLength (63)
unsigned char m_hdr[] = "\x3f\x00\x00\x00" // messageLength (63)
"\x00\x00\x00\x41" // requestID
"\xff\xff\xff\xff" // responseTo
"\xd4\x07\x00\x00" // opCode (2004 OP_QUERY)
"\x00\x00\x00\x00" // flags
"\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" //fullCollectionName (admin.$cmd)
"\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" // fullCollectionName
// (admin.$cmd)
"\x00\x00\x00\x00" // numberToSkip (0)
"\x01\x00\x00\x00" // numberToReturn (1)
"\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73\x00\x01\x00\x00\x00\x00"; //query ({"listDatabases"=>1})
"\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73"
"\x00\x01\x00\x00\x00\x00"; // query ({"listDatabases"=>1})
if (hydra_send(sock, m_hdr, sizeof(m_hdr), 0) > 0) {
if (hydra_data_ready_timed(sock, 0, 1000) > 0) {
@ -136,7 +135,8 @@ void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr,
return;
default:
if (!verbose)
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose "
"option for more details\n");
hydra_child_exit(2);
}
run = next_run;
@ -180,5 +180,6 @@ int32_t service_mongodb_init(char *ip, int32_t sp, unsigned char options, char *
#endif
void usage_mongodb(const char *service) {
printf("Module mongodb is optionally taking a database name to attack, default is \"admin\"\n\n");
printf("Module mongodb is optionally taking a database name to attack, "
"default is \"admin\"\n\n");
}

28
hydra-mssql.c
View file

@ -5,19 +5,22 @@
extern char *HYDRA_EXIT;
char *buf;
unsigned char p_hdr[] =
"\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char p_pk2[] =
"\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00"
unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00";
unsigned char p_pk2[] = "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03"
"\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61"
"\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00";
unsigned char p_pk3[] =
"\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00";
unsigned char p_pk3[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
@ -38,12 +41,17 @@ unsigned char p_pk3[] =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44"
"\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00" "\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00";
unsigned char p_lng[] =
"\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"
"\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00"
"\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00" "\x00\x03\x00\x00\x00";
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00"
"\x00\x03\x00\x00\x00";
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";

41
hydra-mysql.c
View file

@ -1,19 +1,16 @@
/* mysql 3.2x.x to 4.x support - by mcbethh (at) u-n-f (dot) com */
/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev, adding support for mysql version 5.x */
/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev,
* adding support for mysql version 5.x */
#include "hydra-mod.h"
#ifndef HAVE_MATH_H
#include <stdio.h>
void dummy_mysql() {
printf("\n");
}
void dummy_mysql() { printf("\n"); }
void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
printf("\n");
}
void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { printf("\n"); }
#else
#include <math.h>
@ -41,7 +38,8 @@ extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern char *HYDRA_EXIT;
char mysqlsalt[9];
/* modified hydra_receive_line, I've striped code which changed every 0x00 to 0x20 */
/* modified hydra_receive_line, I've striped code which changed every 0x00 to
* 0x20 */
char *hydra_mysql_receive_line(int32_t socket) {
char buf[300], *buff, *buff2;
int32_t i = 0, j = 0, buff_size = 300;
@ -108,7 +106,10 @@ char hydra_mysql_init(int32_t sock) {
return 2;
}
if (protocol > 10) {
fprintf(stderr, "[INFO] This is protocol version %d, only v10 is supported, not sure if it will work\n", protocol);
fprintf(stderr,
"[INFO] This is protocol version %d, only v10 is supported, not "
"sure if it will work\n",
protocol);
}
server_version = &buf[5];
pos = buf + strlen(server_version) + 10;
@ -116,7 +117,8 @@ char hydra_mysql_init(int32_t sock) {
if (!strstr(server_version, "3.") && !strstr(server_version, "4.") && strstr(server_version, "5.")) {
#ifndef LIBMYSQLCLIENT
hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck configure to see if libmysql is found\n");
hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck "
"configure to see if libmysql is found\n");
#endif
free(buf);
return 2;
@ -130,10 +132,7 @@ char hydra_mysql_init(int32_t sock) {
char *hydra_mysql_prepare_auth(char *login, char *pass) {
unsigned char *response;
unsigned long login_len = strlen(login) > 32 ? 32 : strlen(login);
unsigned long response_len = 4 /* header */ +
2 /* client flags */ +
3 /* max packet len */ +
login_len + 1 + 8 /* scrambled password len */ ;
unsigned long response_len = 4 /* header */ + 2 /* client flags */ + 3 /* max packet len */ + login_len + 1 + 8 /* scrambled password len */;
response = (unsigned char *)malloc(response_len + 4);
if (response == NULL) {
@ -221,7 +220,8 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options,
}
if (my_errno == 1251) {
hydra_report(stderr, "[ERROR] Client does not support authentication protocol requested by server\n");
hydra_report(stderr, "[ERROR] Client does not support authentication "
"protocol requested by server\n");
}
/*
@ -324,7 +324,8 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F
port = myport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -349,8 +350,6 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F
#ifndef LIBMYSQLCLIENT
#endif
/************************************************************************/
@ -391,7 +390,8 @@ void hydra_hash_password(unsigned long *result, const char *password) {
nr2 += (nr2 << 8) ^ nr;
add += tmp;
}
result[0] = nr & (((unsigned long) 1L << 31) - 1L); /* Don't use sign bit (str2int) */ ;
result[0] = nr & (((unsigned long)1L << 31) - 1L); /* Don't use sign bit (str2int) */
;
result[1] = nr2 & (((unsigned long)1L << 31) - 1L);
return;
}
@ -433,5 +433,6 @@ int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *mi
}
void usage_mysql(const char *service) {
printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n");
printf("Module mysql is optionally taking the database to attack, default is "
"\"mysql\"\n\n");
}

20
hydra-ncp.c
View file

@ -10,19 +10,16 @@
*
*/
#include "hydra-mod.h"
#ifndef LIBNCP
void dummy_ncp() {
printf("\n");
}
void dummy_ncp() { printf("\n"); }
#else
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ncp/nwcalls.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char *HYDRA_EXIT;
extern int32_t child_head_no;
@ -37,7 +34,6 @@ typedef struct __NCP_DATA {
//#define NCP_DEBUG
int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *login;
char *pass;
char context[256];
@ -47,13 +43,11 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char
_NCP_DATA *session;
session = malloc(sizeof(_NCP_DATA));
memset(session, 0, sizeof(_NCP_DATA));
login = empty;
pass = empty;
if (strlen(login = hydra_get_next_login()) == 0) {
login = empty;
} else {
@ -152,7 +146,8 @@ void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
sock = hydra_connect_tcp(ip, myport);
port = myport;
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -198,5 +193,6 @@ int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_ncp(const char *service) {
printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n");
printf("Module ncp is optionally taking the full context, for example "
"\".O=cx\"\n\n");
}

17
hydra-nntp.c
View file

@ -156,8 +156,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n");
@ -187,8 +186,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
#endif
@ -217,8 +215,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", (char *)buf1);
}
break;
} break;
default: {
sprintf(buffer, "AUTHINFO USER %.250s\r\n", login);
@ -237,10 +234,8 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
free(buf);
sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass);
} break;
}
break;
}
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
@ -426,7 +421,6 @@ SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5
if (strncmp(miscptr, "NTLM", 4) == 0)
nntp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
switch (nntp_auth_mechanism) {
@ -487,5 +481,6 @@ int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *mis
}
void usage_nntp(const char *service) {
printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n");
printf("Module nntp is optionally taking one authentication type of:\n"
" USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n");
}

22
hydra-oracle-listener.c
View file

@ -13,9 +13,7 @@ at http://marcellmajor.com/frame_listenerhash.html
#include "hydra-mod.h"
#ifndef LIBOPENSSL
#include <stdio.h>
void dummy_oracle_listener() {
printf("\n");
}
void dummy_oracle_listener() { printf("\n"); }
#else
#include "sasl.h"
#include <openssl/des.h>
@ -180,12 +178,10 @@ int32_t ora_hash_password(char *pass) {
}
int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
unsigned char tns_packet_begin[22] = {"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e"
"\x00\x00\x01\x00"};
unsigned char tns_packet_end[32] = {"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"};
char *empty = "";
char *pass;
@ -212,7 +208,10 @@ int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char o
}
pass = (char *)hash;
}
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass);
snprintf(connect_string, sizeof(connect_string),
"(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)("
"PASSWORD=%s)(SERVICE=)(VERSION=169869568)))",
pass);
if (hash != NULL)
free(hash);
@ -339,7 +338,8 @@ int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options
}
void usage_oracle_listener(const char *service) {
printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n");
printf("Module oracle-listener / tns is optionally taking the mode the "
"password is stored as, could be PLAIN (default) or CLEAR\n\n");
}
#endif

24
hydra-oracle-sid.c
View file

@ -11,9 +11,7 @@ find a big list on the Internet
#include "hydra-mod.h"
#ifndef LIBOPENSSL
#include <stdio.h>
void dummy_oracle_sid() {
printf("\n");
}
void dummy_oracle_sid() { printf("\n"); }
#else
#include <openssl/des.h>
#define HASHSIZE 16
@ -22,19 +20,16 @@ extern char *HYDRA_EXIT;
char *buf;
unsigned char *hash;
int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
/*
PP is the packet length
XX is the length of connect data
PP + tns_packet_begin + XX + tns_packet_end
*/
unsigned char tns_packet_begin[22] = {
"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00"
};
unsigned char tns_packet_end[32] = {
"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
};
unsigned char tns_packet_begin[22] = {"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e"
"\x00\x00\x01\x00"};
unsigned char tns_packet_end[32] = {"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"};
char *empty = "";
char *login;
char connect_string[200];
@ -47,8 +42,10 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login,
hydra_address2string(ip), port);
snprintf(connect_string, sizeof(connect_string),
"(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)("
"USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))",
login, hydra_address2string(ip), port);
siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string);
if (siz > 255) {
buffer2[0] = 1;
@ -72,7 +69,8 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
//if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse
// if no error reported. it should be a resend packet type 00 08 00 00 0b 00
// 00 00, 4 is refuse
if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) {
hydra_report_found_host(port, ip, "oracle-sid", fp);
hydra_completed_pair_found();

49
hydra-oracle.c
View file

@ -4,8 +4,8 @@ david: code is based on SNORT spo_database.c
tested with :
-instantclient_10_2 on Oracle 10.2.0
-instantclient-basic-linux.*-11.2.0.3.0.zip + instantclient-sdk-linux.*-11.2.0.3.0.zip
on Oracle 9i and on Oracle 11g
-instantclient-basic-linux.*-11.2.0.3.0.zip +
instantclient-sdk-linux.*-11.2.0.3.0.zip on Oracle 9i and on Oracle 11g
*/
@ -13,9 +13,7 @@ on Oracle 9i and on Oracle 11g
#ifndef LIBORACLE
void dummy_oracle() {
printf("\n");
}
void dummy_oracle() { printf("\n"); }
#else
@ -55,14 +53,17 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c
/*
To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries.
The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name].
With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name].
Service names can be found by running the Oracle utility lsnrctl status on the database server machine.
To use the Easy Connect naming method, PHP must be linked with Oracle 10g
or greater Client libraries. The Easy Connect string for Oracle 10g is of
the form: [//]host_name[:port][/service_name]. With Oracle 11g, the syntax
is: [//]host_name[:port][/service_name][:server_type][/instance_name].
Service names can be found by running the Oracle utility lsnrctl status on
the database server machine.
The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin
and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web
daemon has read access to the file.
The tnsnames.ora file can be in the Oracle Net search path, which includes
$ORACLE_HOME/network/admin and /etc. Alternatively set TNS_ADMIN so that
$TNS_ADMIN/tnsnames.ora is read. Make sure the web daemon has read access
to the file.
*/
@ -85,15 +86,17 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c
if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *)login, strlen(login), (const OraText *)pass, strlen(pass), (const OraText *)buffer, strlen(buffer))) {
OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR);
//database: oracle_error: ORA-01017: invalid username/password; logon denied
//database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
//database: oracle_error: ORA-28000: the account is locked
//Failed login attempts is set to 10 by default
// database: oracle_error: ORA-01017: invalid username/password; logon
// denied database: oracle_error: ORA-12514: TNS:listener does not currently
// know of service requested in connect descriptor database: oracle_error:
// ORA-28000: the account is locked Failed login attempts is set to 10 by
// default
if (verbose) {
hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg);
}
if (strstr((const char *)o_errormsg, "ORA-12514") != NULL) {
hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n");
hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to "
"enumerate them.\n");
hydra_completed_pair();
return 3;
}
@ -110,11 +113,10 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c
}
hydra_completed_pair();
//by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening,
//as we don't care, we are deleting the file
//set these parameters to not generate the file
//LOG_DIRECTORY_CLIENT = /dev/null
//LOG_FILE_CLIENT = /dev/null
// by default, set in sqlnet.ora, the trace file is generated in pwd to log
// any errors happening, as we don't care, we are deleting the file set
// these parameters to not generate the file LOG_DIRECTORY_CLIENT =
// /dev/null LOG_FILE_CLIENT = /dev/null
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
@ -198,5 +200,6 @@ int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *m
}
void usage_oracle(const char *service) {
printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n");
printf("Module oracle / ora is optionally taking the ORACLE SID, default is "
"\"ORCL\"\n\n");
}

12
hydra-pcanywhere.c
View file

@ -71,7 +71,6 @@ void pca_encrypt(char *cleartxt) {
passwd[strlen(passwd)] = '\0';
strcpy(cleartxt, passwd);
}
}
void pca_decrypt(char *password) {
@ -119,7 +118,6 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option
server[3] = "Enter login name";
server[4] = "denying connection";
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
@ -158,13 +156,15 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option
if (i == 0 || i == 3)
clean_buffer(buffer, ret);
if (debug) show_buffer(buffer, ret);
if (debug)
show_buffer(buffer, ret);
if (i == 2) {
clean_buffer(buffer, ret);
buffer[sizeof(buffer) - 1] = 0;
if (strstr(buffer, server[i + 2]) != NULL) {
fprintf(stderr, "[ERROR] PC Anywhere host denying connection because you have requested a lower encrypt level\n");
fprintf(stderr, "[ERROR] PC Anywhere host denying connection because "
"you have requested a lower encrypt level\n");
return 3;
}
}
@ -233,7 +233,6 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -251,7 +250,8 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}

7
hydra-pcnfs.c
View file

@ -66,7 +66,9 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch
prh->len_passwd = htonl(63);
prh->len_comments = htonl(254);
strcpy(prh->comments, " Hydra - THC password cracker - visit https://github.com/vanhauser-thc/thc-hydra - use only allowed for legal purposes ");
strcpy(prh->comments, " Hydra - THC password cracker - visit "
"https://github.com/vanhauser-thc/thc-hydra - use only "
"allowed for legal purposes ");
strcpy(prh->name, "localhost");
ptr = prh->id;
@ -161,7 +163,8 @@ void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, F
sock = hydra_disconnect(sock);
// usleepn(275);
if ((sock = hydra_connect_udp(ip, port)) < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;

61
hydra-pop3.c
View file

@ -88,7 +88,6 @@ char *pop3_read_server_capacity(int32_t sock) {
free(buf);
ptr = buf = hydra_receive_line(sock);
if (buf != NULL) {
/*
exchange capa:
@ -99,7 +98,8 @@ STLS
*/
if (strstr(buf, "\r\n.\r\n") != NULL && buf[0] == '+') {
resp = 1;
/* we got the capability info then get the completed warning info from server */
/* we got the capability info then get the completed warning info from
* server */
while (hydra_data_ready(sock)) {
free(buf);
buf = hydra_receive_line(sock);
@ -150,8 +150,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
pbuffer += 2;
}
sprintf(buffer, "APOP %s %s\r\n", login, buffer2);
}
break;
} break;
#endif
case AUTH_LOGIN: {
@ -186,8 +185,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcpy(buffer2, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.250s\r\n", buffer2);
}
break;
} break;
case AUTH_PLAIN: {
sprintf(buffer, "AUTH PLAIN\r\n");
@ -209,8 +207,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
char tmp_buffer[sizeof(buffer)];
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
}
break;
} break;
#ifdef LIBOPENSSL
case AUTH_CRAMMD5:
@ -268,18 +265,15 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
case AUTH_CRAMMD5: {
sasl_cram_md5(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA1: {
sasl_cram_sha1(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
case AUTH_CRAMSHA256: {
sasl_cram_sha256(buffer2, pass, buffer);
sprintf(buffer, "%s %.250s", preplogin, buffer2);
}
break;
} break;
}
hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer));
@ -287,8 +281,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
sprintf(tmp_buffer, "%.250s\r\n", buffer);
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "AUTH DIGEST-MD5\r\n");
@ -319,8 +312,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "[DEBUG] C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
#endif
case AUTH_NTLM: {
@ -361,8 +353,7 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
} break;
default:
sprintf(buffer, "USER %.250s\r\n", login);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -433,7 +424,6 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
@ -470,11 +460,13 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
#ifdef LIBOPENSSL
if (!p->disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
/* check for STARTTLS, if available we may have access to more basic
* auth methods */
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -512,7 +504,6 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
}
int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
int32_t myport = PORT_POP3, mysslport = PORT_POP3_SSL;
char *ptr = NULL;
@ -584,13 +575,15 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
#ifdef LIBOPENSSL
if (!p.disable_tls) {
/* check for STARTTLS, if available we may have access to more basic auth methods */
/* check for STARTTLS, if available we may have access to more basic auth
* methods */
if (strstr(buf, "STLS") != NULL) {
hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0);
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '+') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -616,7 +609,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
}
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not "
"supported by the server\n");
}
#endif
@ -625,7 +619,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
}
hydra_disconnect(sock);
if (verbose)
hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf);
@ -648,7 +641,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
which are supported.
*/
/* which mean threre will *always* have a space before the LOGIN auth keyword */
/* which mean threre will *always* have a space before the LOGIN auth keyword
*/
if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) {
p.pop3_auth_mechanism = AUTH_NTLM;
}
@ -688,12 +682,10 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
#else
p.pop3_auth_mechanism = AUTH_CLEAR;
#endif
}
free(buf);
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "CLEAR"))
p.pop3_auth_mechanism = AUTH_CLEAR;
@ -722,7 +714,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
if (strstr(miscptr, "NTLM"))
p.pop3_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
@ -765,7 +756,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
case AUTH_NTLM:
hydra_report(stderr, "[VERBOSE] using POP3 NTLM AUTH mechanism\n");
break;
}
}
@ -780,5 +770,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_pop3(const char *service) {
printf("Module pop3 is optionally taking one authentication type of:\n"
" CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n"
" CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n");
" CRAM-SHA256, DIGEST-MD5, NTLM.\n"
"Additionally TLS encryption via STLS can be enforced with the TLS "
"option.\n\n"
"Example: pop3://target/TLS:PLAIN\n");
}

12
hydra-postgres.c
View file

@ -8,9 +8,7 @@
#include "hydra-mod.h"
#ifndef LIBPOSTGRES
void dummy_postgres() {
printf("\n");
}
void dummy_postgres() { printf("\n"); }
#else
#include "libpq-fe.h" // Postgres connection functions
@ -42,7 +40,6 @@ int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options,
* Building the connection string
*/
snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), database, login, pass);
if (verbose)
@ -74,7 +71,6 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0)
@ -92,7 +88,8 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr
port = mysslport;
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = 2;
@ -133,5 +130,6 @@ int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char
}
void usage_postgres(const char *service) {
printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n");
printf("Module postgres is optionally taking the database to attack, default "
"is \"template1\"\n\n");
}

69
hydra-radmin2.c
View file

@ -19,10 +19,10 @@ struct rmessage {
/*
* Usage: sum = checksum(message);
* Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment.
* Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)])
* Sum: is 0f43d461 (big endian)
* Function: Returns a 4 byte little endian sum of the messages typecode+data.
* This data is zero padded for alignment. Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9
* 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) Sum: is 0f43d461 (big endian)
*/
uint32_t checksum(struct rmessage *msg) {
int32_t blen;
@ -50,7 +50,8 @@ uint32_t checksum(struct rmessage *msg) {
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate.
* Function: Modifies message to reflect a request for a challenge. Updates the
* checksum as appropriate.
*/
void challenge_request(struct rmessage *msg) {
msg->magic = 0x01;
@ -61,7 +62,8 @@ void challenge_request(struct rmessage *msg) {
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate.
* Function: Modifies message to reflect a response to a challenge. Updates the
* checksum as appropriate.
*/
void challenge_response(struct rmessage *msg, unsigned char *solution) {
msg->magic = 0x01;
@ -72,8 +74,9 @@ void challenge_response(struct rmessage *msg, unsigned char *solution) {
}
/*
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer)
* Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit.
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10);
* free(buffer) Function: Allocates a buffer for transmission and fills the
* buffer with message data such that it is ready to transmit.
*/
// TODO: conver to a sendMessage() function?
char *message2buffer(struct rmessage *msg) {
@ -163,10 +166,7 @@ struct rmessage *buffer2message(char *buffer) {
return msg;
}
int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
return 0;
}
int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { return 0; }
void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
#ifdef HAVE_GCRYPT
@ -200,7 +200,6 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
}
while (1) {
/* Typical conversation goes as follows...
0) connect to server
1) request challenge
@ -225,7 +224,8 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
// 2) receive response (working)
index = 0;
while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request.
while (index < 42) { // We're always expecting back a 42 byte buffer from a
// challenge request.
switch (hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
@ -237,7 +237,10 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
default:
bytecount = hydra_recv(sock, buffer + index, 42 - index);
if (bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_report(stderr,
"Error: Child with pid %d terminating, receive "
"error\nerror:\t%s\n",
(int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
@ -252,10 +255,14 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
hydra_get_next_pair();
strncpy(password, hydra_get_next_password(), sizeof(password) - 1);
//MD5 the password to generate the password key, this is used with twofish below.
// MD5 the password to generate the password key, this is used with twofish
// below.
err = gcry_md_open(&md, GCRY_MD_MD5, 0);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_md_open error "
"(%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
gcry_md_reset(md);
@ -273,25 +280,37 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
// 3.b) encrypt data received using pkey & known IV
err = gcry_cipher_open(&cipher, GCRY_CIPHER_TWOFISH128, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_open "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setiv(cipher, IV, 16);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setiv error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_setiv "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setkey(cipher, rawkey, 16);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setkey error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_setkey "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_encrypt(cipher, encrypted, 32, msg->data, 32);
if (err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_encrypt error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_encrypt "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
@ -312,7 +331,8 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
// 4) receive auth success/failure
index = 0;
while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request.
while (index < 10) { // We're always expecting back a 42 byte buffer from a
// challenge request.
switch (hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
@ -324,7 +344,10 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
default:
bytecount = hydra_recv(sock, buffer + index, 10 - index);
if (bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_report(stderr,
"Error: Child with pid %d terminating, receive "
"error\nerror:\t%s\n",
(int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;

17
hydra-rdp.c
View file

@ -11,9 +11,7 @@
extern char *HYDRA_EXIT;
#ifndef LIBFREERDP2
void dummy_rdp() {
printf("\n");
}
void dummy_rdp() { printf("\n"); }
#else
#include <freerdp/freerdp.h>
@ -69,13 +67,18 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr,
hydra_completed_pair();
break;
case 0x0002000d:
hydra_report(stderr, "[%d][rdp] account on %s might be valid but account not active for remote desktop: login: %s password: %s, continuing attacking the account.\n", port, hydra_address2string_beautiful(ip), login, pass);
hydra_report(stderr,
"[%d][rdp] account on %s might be valid but account not "
"active for remote desktop: login: %s password: %s, "
"continuing attacking the account.\n",
port, hydra_address2string_beautiful(ip), login, pass);
hydra_completed_pair();
break;
case 0x00020006:
case 0x00020008:
case 0x0002000c:
// cannot establish rdp connection, either the port is not opened or it's not rdp
// cannot establish rdp connection, either the port is not opened or it's
// not rdp
return 3;
default:
if (verbose) {
@ -146,6 +149,8 @@ int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_rdp(const char *service) {
printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n");
printf("Module rdp is optionally taking the windows domain name.\n"
"For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p "
"doe\n\n");
}
#endif

19
hydra-redis.c
View file

@ -104,16 +104,14 @@ void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscp
}
}
void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
service_redis_core(ip, sp, options, miscptr, fp, port, hostname, 0);
}
void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_redis_core(ip, sp, options, miscptr, fp, port, hostname, 0); }
/*
* Initial password authentication test and response test for the redis server,
* added by Petar Kaleychev <petar.kaleychev@gmail.com>
* The service_redis_init function is generating ping request as redis-cli (command line interface).
* You can use redis-cli to connect with Redis. After start of the redis-server in another terminal the following:
* % ./redis-cli
* The service_redis_init function is generating ping request as redis-cli
* (command line interface). You can use redis-cli to connect with Redis. After
* start of the redis-server in another terminal the following: % ./redis-cli
* redis> ping
* when the server does not require password, leads to:
* PONG
@ -121,7 +119,8 @@ void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, F
* (error) NOAUTH Authentication required.
* or
* (error) ERR operation not permitted (for older redis versions)
* That is used for initial password authentication and redis server response tests in service_redis_init
* That is used for initial password authentication and redis server response
* tests in service_redis_init
*/
int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -129,7 +128,8 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi
// performed once only.
// return codes:
// 0 - when the server is redis and it requires password
// n - when the server is not redis or when the server does not require password
// n - when the server is not redis or when the server does not require
// password
int32_t sock = -1;
int32_t myport = PORT_REDIS, mysslport = PORT_REDIS_SSL;
@ -148,7 +148,8 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi
port = mysslport;
}
if (verbose)
printf("[VERBOSE] Initial redis password authentication test and response test ...\n");
printf("[VERBOSE] Initial redis password authentication test and response "
"test ...\n");
if (sock < 0) {
hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", myport);
return 3;

1
hydra-rexec.c
View file

@ -88,7 +88,6 @@ void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, F
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);
}
run = next_run;
}

4
hydra-rlogin.c
View file

@ -8,7 +8,6 @@ client have to use port from 512 -> 1023 or server is denying the connection
no memleaks found on 110425
*/
#define TERM "vt100/9600"
extern char *HYDRA_EXIT;
@ -78,7 +77,8 @@ int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, c
hydra_completed_pair();
}
} else {
/* if password is asked a second time, it means the pass we provided is wrong */
/* if password is asked a second time, it means the pass we provided is
* wrong */
hydra_completed_pair();
}

8
hydra-rpcap.c
View file

@ -21,7 +21,8 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch
char bfr4[] = " ";
bfr4[0] = strlen(login) + strlen(pass) + 8;
char bfr5[] = "\x00";
char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need of password
char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need
// of password
char bfr7[] = "\x00\x00\x00";
char bfr8[] = " ";
bfr8[0] = strlen(login);
@ -59,9 +60,8 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch
}
/*
if (strstr(buf, "Logon failure") == NULL) {
hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n", buf);
free(buf);
return 4;
hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n",
buf); free(buf); return 4;
}
*/
free(buf);

21
hydra-rtsp.c
View file

@ -6,17 +6,16 @@
//
//
#include <stdio.h>
#include "hydra-mod.h"
#include <string.h>
#include "sasl.h"
#include <stdio.h>
#include <string.h>
extern char *HYDRA_EXIT;
char packet[500];
char packet2[500];
int32_t is_Unauthorized(char *s) {
if (strstr(s, "401 Unauthorized") != NULL) {
return 1;
} else {
@ -25,7 +24,6 @@ int32_t is_Unauthorized(char *s) {
}
int32_t is_NotFound(char *s) {
if (strstr(s, "404 Stream Not Found") != NULL) {
return 1;
} else {
@ -34,7 +32,6 @@ int32_t is_NotFound(char *s) {
}
int32_t is_Authorized(char *s) {
if (strstr(s, "200 OK") != NULL) {
return 1;
} else {
@ -43,7 +40,6 @@ int32_t is_Authorized(char *s) {
}
int32_t use_Basic_Auth(char *s) {
if (strstr(s, "WWW-Authenticate: Basic") != NULL) {
return 1;
} else {
@ -52,7 +48,6 @@ int32_t use_Basic_Auth(char *s) {
}
int32_t use_Digest_Auth(char *s) {
if (strstr(s, "WWW-Authenticate: Digest") != NULL) {
return 1;
} else {
@ -60,8 +55,6 @@ int32_t use_Digest_Auth(char *s) {
}
}
void create_core_packet(int32_t control, char *ip, int32_t port) {
char *target = hydra_address2string(ip);
@ -109,11 +102,9 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
return 1;
} else {
create_core_packet(1, ip, port);
if (use_Basic_Auth(lresp) == 1) {
free(lresp);
sprintf(buffer2, "%.249s:%.249s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
@ -123,8 +114,7 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (debug) {
hydra_report(stderr, "C:%s\n", buffer);
}
}
else {
} else {
if (use_Digest_Auth(lresp) == 1) {
char *dbuf = NULL;
char aux[500] = "";
@ -136,7 +126,8 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
#ifdef LIBOPENSSL
sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
#else
hydra_report(stderr, "[ERROR] Digest auth required but compiled without OpenSSL/MD5 support\n");
hydra_report(stderr, "[ERROR] Digest auth required but compiled "
"without OpenSSL/MD5 support\n");
return 3;
#endif
@ -177,7 +168,6 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
return 3;
}
return 1;
}
free(lresp);
hydra_completed_pair();
@ -200,7 +190,6 @@ void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (sock >= 0) {

27
hydra-s7-300.c
View file

@ -1,4 +1,5 @@
// submitted by Alexander Timorin <ATimorin@ptsecurity.com> and Sergey Gordeychik
// submitted by Alexander Timorin <ATimorin@ptsecurity.com> and Sergey
// Gordeychik
#include "hydra-mod.h"
@ -6,14 +7,22 @@
extern char *HYDRA_EXIT;
unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17" "\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0" "\x01\x0a";
unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17"
"\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0"
"\x01\x0a";
unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00" "\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00" "\x01\x00\x01\x01\xe0";
unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00"
"\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00"
"\x01\x00\x01\x01\xe0";
unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00" "\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12" "\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01" "\x32\x00\x04";
unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00" "\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12" "\x04\x11\x45\x01\x00\xff\x09\x00\x08";
unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00"
"\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12"
"\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01"
"\x32\x00\x04";
unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00"
"\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12"
"\x04\x11\x45\x01\x00\xff\x09\x00\x08";
int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
@ -276,7 +285,8 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
// 0xd602 - wrong password
if (ret > 30) {
if ((buffer[27] == '\x00' && buffer[28] == '\x00') || (buffer[27] == '\xd6' && buffer[28] == '\x05')) {
hydra_report(stderr, "[INFO] No password protection enabled, no password tests are necessary!\n");
hydra_report(stderr, "[INFO] No password protection enabled, no password "
"tests are necessary!\n");
return 1;
}
}
@ -287,5 +297,6 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m
}
void usage_s7_300(const char *service) {
printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n");
printf("Module S7-300 is for a special Siemens PLC. It either requires only a "
"password or no authentication, so just use the -p or -P option.\n\n");
}

16
hydra-sapr3.c
View file

@ -1,13 +1,11 @@
#include "hydra-mod.h"
// checked for memleaks on 110425, none found
#ifndef LIBSAPR3
void dummy_sapr3() {
printf("\n");
}
void dummy_sapr3() { printf("\n"); }
#else
#include <saprfc.h>
#include <ctype.h>
#include <saprfc.h>
/* temporary workaround fix */
const int32_t *__ctype_tolower;
@ -28,7 +26,8 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch
int32_t sysnr = port % 100;
char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0";
// char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y";
// char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y
// ABAP_DEBUG=Y";
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -66,7 +65,8 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch
// printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer);
handle = RfcOpenEx(buffer, &error_info);
//printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message);
// printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key,
// error_info.message);
if (handle <= RFC_HANDLE_NULL)
return 3;
@ -131,6 +131,4 @@ int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *mi
return 0;
}
void usage_sapr3(const char* service) {
printf("Module sapr3 requires the client id, a number between 0 and 99\n\n");
}
void usage_sapr3(const char *service) { printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); }

38
hydra-sip.c
View file

@ -10,13 +10,11 @@
#ifndef LIBOPENSSL
#include <stdio.h>
void dummy_sip() {
printf("\n");
}
void dummy_sip() { printf("\n"); }
#else
#include <stdint.h>
#include "sasl.h"
#include <stdint.h>
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -25,7 +23,6 @@ char *get_iface_ip(uint64_t ip);
int32_t cseq;
extern char *HYDRA_EXIT;
#define SIP_MAX_BUF 1024
void empty_register(char *buf, char *host, char *lhost, int32_t port, int32_t lport, char *user) {
@ -74,12 +71,14 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
}
int32_t has_sip_cred = 0;
int32_t try = 0;
int32_t try
= 0;
/* We have to check many times because server may begin to send "100 Trying"
* before "401 Unauthorized" */
while (try < 2 && !has_sip_cred) {
try++;
try
++;
if (hydra_data_ready_timed(s, 3, 0) > 0) {
i = hydra_recv(s, (char *)buf, sizeof(buf) - 1);
if (i > 0)
@ -94,13 +93,17 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
// if we already tried to connect, exit
if (external_ip_addr[0]) {
hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n");
hydra_report(stdout, "[ERROR] Get error code 606 : session is not "
"acceptable by the server\n");
return 2;
}
if (verbose)
hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n"
"maybe it's an addressing issue as you are using NAT, trying to reconnect\n" "using addr from the server reply\n");
hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not "
"acceptable by the server,\n"
"maybe it's an addressing issue as you are "
"using NAT, trying to reconnect\n"
"using addr from the server reply\n");
/*
SIP/2.0 606 Not Acceptable
Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137
@ -143,7 +146,11 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
"Via: SIP/2.0/UDP %s:%i\n"
"From: <sip:%s@%s>\n"
"To: <sip:%s@%s>\n"
"Call-ID: 1337@%s\n" "CSeq: %i REGISTER\n" "Authorization: Digest %s\n" "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2);
"Call-ID: 1337@%s\n"
"CSeq: %i REGISTER\n"
"Authorization: Digest %s\n"
"Content-Length: 0\n\n",
host, lip, lport, login, host, login, host, host, cseq, buffer2);
cseq++;
if (debug)
@ -151,12 +158,14 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
try = 0;
try
= 0;
int32_t has_resp = 0;
int32_t sip_code = 0;
while (try < 2 && !has_resp) {
try++;
try
++;
if (hydra_data_ready_timed(s, 5, 0) > 0) {
memset(buf, 0, sizeof(buf));
if ((i = hydra_recv(s, (char *)buf, sizeof(buf) - 1)) >= 0)
@ -192,7 +201,8 @@ void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
// FIXME IPV6
if (ip[0] != 4) {
fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n");
fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are "
"appreciated.\n");
hydra_child_exit(2);
}

369
hydra-smb.c
View file

@ -1,17 +1,14 @@
#include "hydra-mod.h"
#ifndef LIBOPENSSL
void dummy_smb() {
printf("\n");
}
void dummy_smb() { printf("\n"); }
#else
#include <openssl/md4.h>
#include <openssl/des.h>
#include "hmacmd5.h"
#include "sasl.h"
#include <openssl/des.h>
#include <openssl/md4.h>
// FIXME XXX BUG: several malloc()s without return code checking
/*
http://technet.microsoft.com/en-us/library/cc960646.aspx
@ -80,18 +77,15 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx
#define WIN2000_NATIVEMODE 1
#define WIN_NETBIOSMODE 2
#define PLAINTEXT 10
#define ENCRYPTED 11
#ifndef CHAR_BIT
#define CHAR_BIT 8
#endif
#ifndef TIME_T_MIN
#define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
: ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
#define TIME_T_MIN ((time_t)0 < (time_t)-1 ? (time_t)0 : ~(time_t)0 << (sizeof(time_t) * CHAR_BIT - 1))
#endif
#ifndef TIME_T_MAX
#define TIME_T_MAX (~(time_t)0 - TIME_T_MIN)
@ -102,7 +96,6 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx
#define TIME_FIXUP_CONSTANT_INT 11644473600LL
extern char *HYDRA_EXIT;
static unsigned char challenge[8];
static unsigned char workgroup[16];
@ -113,8 +106,7 @@ int32_t hashFlag, accntFlag, protoFlag;
int32_t smb_auth_mechanism = AUTH_NTLM;
int32_t security_mode = ENCRYPTED;
static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out, int32_t outsize)
{
static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out, int32_t outsize) {
int32_t i = 0, j = 0;
uint64_t ch;
if (debug) {
@ -145,7 +137,8 @@ static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out
j = j + 4;
i = i + 3;
}
if ( j-2 > outsize) break;
if (j - 2 > outsize)
break;
}
if (debug) {
hydra_report(stderr, "[DEBUG] UTF8_UTF16LE out:\n");
@ -295,7 +288,6 @@ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *chall
return 0;
}
/*
MakeNTLM
Function: Create a NTLM hash from the password
@ -312,7 +304,8 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) {
/* Use NTLM Hash instead of password */
if (hashFlag == 1) {
/* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: */
/* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2:::
*/
p = pass;
while ((*p != '\0') && (i < 1)) {
if (*p == ':')
@ -379,9 +372,9 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) {
/*
HashLMv2
This function implements the LMv2 response algorithm. The LMv2 response is used to
provide pass-through authentication compatibility with older servers. The response
is based on the NTLM password hash and is exactly 24 bytes.
This function implements the LMv2 response algorithm. The LMv2 response is
used to provide pass-through authentication compatibility with older servers.
The response is based on the NTLM password hash and is exactly 24 bytes.
The below code is based heavily on the following resources:
@ -411,16 +404,17 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char
return -1;
/*
The Unicode uppercase username is concatenated with the Unicode authentication target
(the domain or server name specified in the Target Name field of the Type 3 message).
Note that this calculation always uses the Unicode representation, even if OEM encoding
has been negotiated; also note that the username is converted to uppercase, while the
authentication target is case-sensitive and must match the case presented in the Target
The Unicode uppercase username is concatenated with the Unicode
authentication target (the domain or server name specified in the Target
Name field of the Type 3 message). Note that this calculation always uses
the Unicode representation, even if OEM encoding has been negotiated; also
note that the username is converted to uppercase, while the authentication
target is case-sensitive and must match the case presented in the Target
Name field.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104) is applied to
this value using the 16-byte NTLM hash as the key. This results in a 16-byte value - the
NTLMv2 hash.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104)
is applied to this value using the 16-byte NTLM hash as the key. This
results in a 16-byte value - the NTLMv2 hash.
*/
/* Initialize the Unicode version of the username and target. */
@ -445,9 +439,10 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char
/* --- HMAC #2 Calculations --- */
/*
The challenge from the Type 2 message is concatenated with our fixed client nonce. The HMAC-MD5
message authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash
(calculated above) as the key. This results in a 16-byte output value.
The challenge from the Type 2 message is concatenated with our fixed client
nonce. The HMAC-MD5 message authentication code algorithm is applied to
this value using the 16-byte NTLMv2 hash (calculated above) as the key.
This results in a 16-byte output value.
*/
hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
@ -468,12 +463,13 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char
/*
HashNTLMv2
This function implements the NTLMv2 response algorithm. Support for this algorithm
was added with Microsoft Windows with NT 4.0 SP4. It should be noted that code doesn't
currently work with Microsoft Vista. While NTLMv2 authentication with Samba and Windows
2003 functions as expected, Vista systems respond with the oh-so-helpful
"INVALID_PARAMETER" error code. LMv2-only authentication appears to work against Vista
in cases where LM and NTLM are refused.
This function implements the NTLMv2 response algorithm. Support for this
algorithm was added with Microsoft Windows with NT 4.0 SP4. It should be noted
that code doesn't currently work with Microsoft Vista. While NTLMv2
authentication with Samba and Windows 2003 functions as expected, Vista
systems respond with the oh-so-helpful "INVALID_PARAMETER" error code.
LMv2-only authentication appears to work against Vista in cases where LM and
NTLM are refused.
The below code is based heavily on the following two resources:
@ -503,20 +499,15 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
[16] Header: Blob Signature [01 01 00 00] (4 bytes)
[20] Reserved: [00 00 00 00] (4 bytes)
[24] Time: Little-endian, 64-bit signed value representing the number of
tenths of a microsecond since January 1, 1601. (8 bytes)
[32] Client Nonce: (8 bytes)
[40] Unknown: 00 00 00 00 (4 bytes)
[44] Target Information (from the Type 2 message)
NetBIOS domain/workgroup:
Type: domain 02 00 (2 bytes)
Length: 12 00 (2 bytes)
Name: WORKGROUP [NULL spacing -> 57 00 4f 00 ...] (18 bytes)
End-of-list: 00 00 00 00 (4 bytes)
[24] Time: Little-endian, 64-bit signed value representing the number
of tenths of a microsecond since January 1, 1601. (8 bytes) [32] Client
Nonce: (8 bytes) [40] Unknown: 00 00 00 00 (4 bytes) [44] Target
Information (from the Type 2 message) NetBIOS domain/workgroup: Type:
domain 02 00 (2 bytes) Length: 12 00 (2 bytes) Name: WORKGROUP [NULL
spacing -> 57 00 4f 00 ...] (18 bytes) End-of-list: 00 00 00 00 (4 bytes)
Termination: 00 00 00 00 (4 bytes)
*/
iTargetLen = 2 * strlen((char *)workgroup);
memset(ntlm_hash, 0, 16);
@ -531,16 +522,17 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
return -1;
/*
The Unicode uppercase username is concatenated with the Unicode authentication target
(the domain or server name specified in the Target Name field of the Type 3 message).
Note that this calculation always uses the Unicode representation, even if OEM encoding
has been negotiated; also note that the username is converted to uppercase, while the
authentication target is case-sensitive and must match the case presented in the Target
The Unicode uppercase username is concatenated with the Unicode
authentication target (the domain or server name specified in the Target
Name field of the Type 3 message). Note that this calculation always uses
the Unicode representation, even if OEM encoding has been negotiated; also
note that the username is converted to uppercase, while the authentication
target is case-sensitive and must match the case presented in the Target
Name field.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104) is applied to
this value using the 16-byte NTLM hash as the key. This results in a 16-byte value - the
NTLMv2 hash.
The HMAC-MD5 message authentication code algorithm (described in RFC 2104)
is applied to this value using the 16-byte NTLM hash as the key. This
results in a 16-byte value - the NTLMv2 hash.
*/
/* Initialize the Unicode version of the username and target. */
@ -606,7 +598,8 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
0x0300 Fully-qualified DNS host name
0x0400 DNS domain name
TODO: Need to rework negotiation code to correctly extract target information
TODO: Need to rework negotiation code to correctly extract target
information
*/
memset(ntlmv2_response + 44, 0x02, 1); /* Type: Domain */
@ -623,9 +616,10 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha
/* --- HMAC #2 Caculations --- */
/*
The challenge from the Type 2 message is concatenated with the blob. The HMAC-MD5 message
authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash
(calculated above) as the key. This results in a 16-byte output value.
The challenge from the Type 2 message is concatenated with the blob. The
HMAC-MD5 message authentication code algorithm is applied to this value
using the 16-byte NTLMv2 hash (calculated above) as the key. This results
in a 16-byte output value.
*/
hmac_md5_init_limK_to_64(kr_buf, 16, &ctx);
@ -716,7 +710,6 @@ int32_t NBSSessionRequest(int32_t s) {
return -1; /* failed */
}
/*
SMBNegProt
Function: Negotiate protocol with server ...
@ -728,31 +721,9 @@ int32_t NBSSessionRequest(int32_t s) {
*/
int32_t SMBNegProt(int32_t s) {
unsigned char buf[] = {
0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42,
0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d,
0x00, 0x00, 0x01, 0x00, 0x00, 0x9b, 0x00, 0x02,
0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46,
0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52,
0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00,
0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f,
0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00,
0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31,
0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e,
0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44,
0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41,
0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00,
0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02,
0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e,
0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31,
0x32, 0x00
0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x9b, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d,
0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58,
0x30, 0x30, 0x32, 0x00, 0x02, 0x44, 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00
/*
0x02,
@ -799,7 +770,6 @@ int32_t SMBNegProt(int32_t s) {
iResponseOffset = 65;
}
hydra_send(s, (char *)buf, iLength, 0);
k = hydra_recv(s, (char *)rbuf, sizeof(rbuf));
if (k == 0)
@ -807,10 +777,11 @@ int32_t SMBNegProt(int32_t s) {
/* retrieve the security mode */
/*
[0] Mode: (0) ? (1) USER security mode
[1] Password: (0) PLAINTEXT password (1) ENCRYPTED password. Use challenge/response
[2] Signatures: (0) Security signatures NOT enabled (1) ENABLED
[3] Sig Req: (0) Security signatures NOT required (1) REQUIRED
[0] Mode: (0) ? (1) USER security
mode [1] Password: (0) PLAINTEXT password (1) ENCRYPTED
password. Use challenge/response [2] Signatures: (0) Security signatures
NOT enabled (1) ENABLED [3] Sig Req: (0) Security signatures NOT
required (1) REQUIRED
SAMBA: 0x01 (default)
WinXP: 0x0F (default)
@ -825,18 +796,21 @@ int32_t SMBNegProt(int32_t s) {
if (hashFlag == 1) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. HASH password mode not supported for this configuration.\n");
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. HASH "
"password mode not supported for this configuration.\n");
return 3;
}
if (hashFlag == 2) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. MACHINE password mode not supported for this configuration.\n");
hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. MACHINE "
"password mode not supported for this configuration.\n");
return 3;
}
break;
case 0x03:
if (verbose)
hydra_report(stderr, "[VERBOSE] Server requested ENCRYPTED password without security signatures.\n");
hydra_report(stderr, "[VERBOSE] Server requested ENCRYPTED password "
"without security signatures.\n");
security_mode = ENCRYPTED;
break;
case 0x07:
@ -847,7 +821,10 @@ int32_t SMBNegProt(int32_t s) {
break;
default:
if (verbose)
hydra_report(stderr, "[VERBOSE] Unknown security mode request: %2.2X. Proceeding using ENCRYPTED password mode.\n", rbuf[39]);
hydra_report(stderr,
"[VERBOSE] Unknown security mode request: %2.2X. Proceeding "
"using ENCRYPTED password mode.\n",
rbuf[39]);
security_mode = ENCRYPTED;
break;
}
@ -886,8 +863,6 @@ int32_t SMBNegProt(int32_t s) {
return 2;
}
/*
SMBSessionSetup
Function: Send username + response to the challenge from
@ -927,18 +902,39 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
/* SMB Header */
unsigned char szSMB[32] = {
0xff, 0x53, 0x4d, 0x42, /* Server Component */
0xff,
0x53,
0x4d,
0x42, /* Server Component */
0x73, /* SMB Command: Session Setup AndX */
0x00, 0x00, 0x00, 0x00, /* NT Status: STATUS_SUCCESS */
0x00,
0x00,
0x00,
0x00, /* NT Status: STATUS_SUCCESS */
0x08, /* Flags */
0x01, 0xc0, /* Flags2 */ /* add Unicode */
0x00, 0x00, /* Process ID High */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Signature */
0x00, 0x00, /* Reserved */
0x00, 0x00, /* Tree ID */
0x13, 0x37, /* Process ID */
0x00, 0x00, /* User ID */
0x01, 0x00 /* Multiplx ID */
0x01,
0xc0,
/* Flags2 */ /* add Unicode */
0x00,
0x00, /* Process ID High */
0x00,
0x00,
0x00,
0x00,
0x00,
0x00,
0x00,
0x00, /* Signature */
0x00,
0x00, /* Reserved */
0x00,
0x00, /* Tree ID */
0x13,
0x37, /* Process ID */
0x00,
0x00, /* User ID */
0x01,
0x00 /* Multiplx ID */
};
memset(buf, 0, 512);
@ -993,16 +989,33 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
0x0d, /* Word Count */
0xff, /* AndXCommand: No further commands */
0x00, /* Reserved */
0x00, 0x00, /* AndXOffset */
0xff, 0xff, /* Max Buffer */
0x02, 0x00, /* Max Mpx Count */
0x3c, 0x7d, /* VC Number */
0x00, 0x00, 0x00, 0x00, /* Session Key */
0x18, 0x00, /* LAN Manager Password Hash Length */
0x18, 0x00, /* NT LAN Manager Password Hash Length */
0x00, 0x00, 0x00, 0x00, /* Reserved */
0x5c, 0x00, 0x00, 0x00, /* Capabilities */ /* Add Unicode */
0x49, 0x00 /* Byte Count -- MUST SET */
0x00,
0x00, /* AndXOffset */
0xff,
0xff, /* Max Buffer */
0x02,
0x00, /* Max Mpx Count */
0x3c,
0x7d, /* VC Number */
0x00,
0x00,
0x00,
0x00, /* Session Key */
0x18,
0x00, /* LAN Manager Password Hash Length */
0x18,
0x00, /* NT LAN Manager Password Hash Length */
0x00,
0x00,
0x00,
0x00, /* Reserved */
0x5c,
0x00,
0x00,
0x00,
/* Capabilities */ /* Add Unicode */
0x49,
0x00 /* Byte Count -- MUST SET */
};
iOffset = 65; /* szNBSS + szSMB + szSessionRequest */
@ -1016,7 +1029,8 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
return -1;
memset(NTLMhash, 0, 24);
/* We don't need to actually calculated a LM hash for this mode, only NTLM */
/* We don't need to actually calculated a LM hash for this mode, only NTLM
*/
ret = HashNTLM(&NTLMhash, (unsigned char *)szPassword, (unsigned char *)challenge, miscptr);
if (ret == -1)
return -1;
@ -1134,7 +1148,8 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
memcpy(buf + 36, szSessionRequest, 23);
/* Calculate and set password length */
/* Samba appears to append NULL characters equal to the password length plus 2 */
/* Samba appears to append NULL characters equal to the password length plus
* 2 */
// iByteCount = 2 * strlen(szPassword) + 2;
iByteCount = strlen(szPassword) + 1;
buf[iOffset - 8] = (iByteCount) % 256;
@ -1142,19 +1157,22 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char *
/* set ANSI password */
/*
Depending on the SAMBA server configuration, multiple passwords may be successful
when dealing with mixed-case values. The SAMBA parameter "password level" appears
to determine how many characters within a password are tested by the server both
upper and lower case. For example, assume a SAMBA account has a password of "Fred"
and the server is configured with "password level = 2". Medusa sends the password
"FRED". The SAMBA server will brute-force test this value for us with values
like: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ... The default setting
is "password level = 0". This results in only two attempts to being made by the
remote server; the password as is and the password in all-lower case.
Depending on the SAMBA server configuration, multiple passwords may be
successful when dealing with mixed-case values. The SAMBA parameter
"password level" appears to determine how many characters within a
password are tested by the server both upper and lower case. For example,
assume a SAMBA account has a password of "Fred" and the server is
configured with "password level = 2". Medusa sends the password "FRED".
The SAMBA server will brute-force test this value for us with values
like: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ... The default
setting is "password level = 0". This results in only two attempts to
being made by the remote server; the password as is and the password in
all-lower case.
*/
strncpy((char *)(buf + iOffset), szPassword, 256);
} else {
hydra_report(stderr, "[ERROR] Security_mode was not properly set. This should not happen.\n");
hydra_report(stderr, "[ERROR] Security_mode was not properly set. This "
"should not happen.\n");
return -1;
}
@ -1230,21 +1248,33 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
if (SMBerr == 0x000000) { /* success */
if (SMBaction == 0x01) { /* invalid account - anonymous connection */
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: Invalid account (Anonymous success)\n", port, ipaddr_str, login);
fprintf(stderr,
"[%d][smb] Host: %s Account: %s Error: Invalid account "
"(Anonymous success)\n",
port, ipaddr_str, login);
hydra_completed_pair_skip();
} else { /* valid account */
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
}
} else if ((SMBerr == 0x00000D) && (SMBaction == 0x00)) {
hydra_report(stderr, "[ERROR] Invalid parameter status received, either the account or the method used are not valid\n");
hydra_report(stderr, "[ERROR] Invalid parameter status received, either "
"the account or the method used are not valid\n");
hydra_completed_pair_skip();
} else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote Connections Using NULL Passwords */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, GPO Disabling Remote Connections Using NULL Passwords\n", port, ipaddr_str, login);
} else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote
Connections Using NULL Passwords */
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, GPO Disabling "
"Remote Connections Using NULL Passwords\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this computer from the network" */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, GPO Deny access to this computer from the network\n", port, ipaddr_str, login);
} else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this
computer from the network" */
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, GPO Deny "
"access to this computer from the network\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if (SMBerr == 0x000193) { /* Valid password, account expired */
@ -1252,15 +1282,24 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, account expired */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, password expired and must be changed on next logon\n", port, ipaddr_str, login);
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, password "
"expired and must be changed on next logon\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if ((SMBerr == 0x00006F) || (SMBerr == 0xC10002)) { /* Invalid logon hours */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, but logon hours invalid\n", port, ipaddr_str, login);
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, but logon "
"hours invalid\n",
port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_found();
} else if (SMBerr == 0x050001) { /* AS/400 -- Incorrect password */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Error: Incorrect password or account disabled\n", port, ipaddr_str, login);
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Error: Incorrect password or "
"account disabled\n",
port, ipaddr_str, login);
if ((miscptr) && (strstr(miscptr, "LM")))
hydra_report(stderr, "[INFO] LM dialect may be disabled, try LMV2 instead\n");
hydra_completed_pair_skip();
@ -1283,7 +1322,10 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
hydra_completed_pair_skip();
} else if (SMBerr == 0x00008D) { /* ummm... broken client-domain membership */
if (verbose)
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE\n", port, ipaddr_str, login);
fprintf(stderr,
"[%d][smb] Host: %s Account: %s Error: "
"NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE\n",
port, ipaddr_str, login);
hydra_completed_pair();
} else { /* failed */
if (verbose)
@ -1388,14 +1430,16 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
port = PORT_SMBNT;
protoFlag = WIN2000_NATIVEMODE;
} else {
hydra_report(stderr, "Failed to establish WIN2000_NATIVE mode. Attempting WIN_NETBIOS mode.\n");
hydra_report(stderr, "Failed to establish WIN2000_NATIVE mode. "
"Attempting WIN_NETBIOS mode.\n");
port = PORT_SMB;
protoFlag = WIN_NETBIOSMODE;
sock = hydra_connect_tcp(ip, PORT_SMB);
}
}
if (sock < 0) {
if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
if (quiet != 1)
fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
if (NBSSessionRequest(sock) < 0) {
@ -1433,33 +1477,9 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
// -1 error, hydra will exit, so print a good error message here
time_t ctime;
int ready = 0, sock = hydra_connect_tcp(ip, port);
unsigned char buf[] = {
0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42,
0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff,
0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02,
0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46,
0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52,
0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00,
0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f,
0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00,
0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31,
0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e,
0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44,
0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41,
0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00,
0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02,
0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e,
0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31,
0x32, 0x00 };
unsigned char buf[] = {0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d,
0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58,
0x30, 0x30, 0x32, 0x00, 0x02, 0x44, 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00};
if (sock < 0) {
fprintf(stderr, "[ERROR] could not connect to target smb://%s:%d/\n", hostname, port);
@ -1494,7 +1514,10 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
}
if ((buf[15] & 16) == 16) {
fprintf(stderr, "[ERROR] target smb://%s:%d/ requires signing which we do not support\n", hostname, port);
fprintf(stderr,
"[ERROR] target smb://%s:%d/ requires signing which we do not "
"support\n",
hostname, port);
return -1;
}
@ -1502,7 +1525,8 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_smb(const char *service) {
printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n"
printf("Module smb default value is set to test both local and domain account, "
"using a simple password with NTLM dialect.\n"
"Note: you can set the group type using LOCAL or DOMAIN keyword\n"
" or other_domain:{value} to specify a trusted domain.\n"
" you can set the password type using HASH or MACHINE keyword\n"
@ -1510,6 +1534,9 @@ void usage_smb(const char* service) {
" you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n"
"Example: \n"
" hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n"
" hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n"
" hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n");
" hydra smb://microsoft.com -l admin -p "
"D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m "
"\"local hash\"\n"
" hydra smb://microsoft.com -l admin -p tooeasy -m "
"\"other_domain:SECONDDOMAIN\"\n\n");
}

42
hydra-smb2.c
View file

@ -21,11 +21,11 @@
#include "hydra-mod.h"
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <libsmbclient.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
extern char *HYDRA_EXIT;
@ -35,7 +35,6 @@ typedef struct creds {
const char *pass;
} creds_t;
const char default_workgroup[] = "WORKGROUP";
bool use_nt_hash = false;
const char *workgroup = default_workgroup;
@ -45,12 +44,7 @@ const char* netbios_name = NULL;
#define EXIT_CONNECTION_ERROR hydra_child_exit(1)
#define EXIT_NORMAL hydra_child_exit(0)
void smb2_auth_provider(SMBCCTX *c,
const char *srv,
const char *shr,
char *wg, int wglen,
char *un, int unlen,
char *pw, int pwlen) {
void smb2_auth_provider(SMBCCTX *c, const char *srv, const char *shr, char *wg, int wglen, char *un, int unlen, char *pw, int pwlen) {
creds_t *cr = (creds_t *)smbc_getOptionUserData(c);
strncpy(wg, cr->workgroup, wglen);
strncpy(un, cr->user, unlen);
@ -90,10 +84,7 @@ bool smb2_run_test(creds_t* cr, const char* server, uint16_t port) {
snprintf(uri, sizeof(uri) - 1, "smb://%s/IPC$", server);
uri[sizeof(uri) - 1] = 0;
if (verbose) {
printf("[INFO] Connecting to: %s with %s\\%s%%%s\n",
uri, cr->workgroup,
cr->user,
cr->pass);
printf("[INFO] Connecting to: %s with %s\\%s%%%s\n", uri, cr->workgroup, cr->user, cr->pass);
}
SMBCFILE *fd = smbc_getFunctionOpendir(ctx)(ctx, uri);
if (fd) {
@ -162,13 +153,7 @@ bool smb2_run_test(creds_t* cr, const char* server, uint16_t port) {
return false;
}
void service_smb2(char *ip,
int32_t sp,
unsigned char options,
char *miscptr,
FILE * fp,
int32_t port,
char *hostname) {
void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
hydra_register_socket(sp);
while (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))) {
char *login, *pass;
@ -199,13 +184,7 @@ const char tkn_netbios[] = "netbios:{";
#define CMP(s1, s2) (strncmp(s1, s2, sizeof(s1) - 1) == 0)
int32_t service_smb2_init(char *ip,
int32_t sp,
unsigned char options,
char *miscptr,
FILE * fp,
int32_t port,
char *hostname) {
int32_t service_smb2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
if (!miscptr)
return 0;
@ -296,9 +275,10 @@ void usage_smb2(const char* service) {
"\n"
"Examples: \n"
" hydra smb2://abc.com -l admin -p xxx -m workgroup:{OFFICE}\n"
" hydra smb2://1.2.3.4 -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 -m 'workgroup:{OFFICE} nthash:true'\n"
" hydra -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 'smb2://1.2.3.4/workgroup:{OFFICE} nthash:true'\n"
);
" hydra smb2://1.2.3.4 -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 -m "
"'workgroup:{OFFICE} nthash:true'\n"
" hydra -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 "
"'smb2://1.2.3.4/workgroup:{OFFICE} nthash:true'\n");
}
#endif // LIBSMBCLIENT

14
hydra-smtp-enum.c
View file

@ -121,14 +121,18 @@ int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options
// we should report command not identified by the server
// 502 5.5.2 Error: command not recognized
//#ifdef HAVE_PCRE
// if ((debug || hydra_string_match(buf, "\\scommand\\snot\\srecognized")) && err) {
// if ((debug || hydra_string_match(buf,
// "\\scommand\\snot\\srecognized")) && err) {
//#else
// if ((debug || strstr(buf, "command") != NULL) && err) {
//#endif
// hydra_report(stderr, "Server %s", err);
// }
if (strncmp(buf, "500 ", 4) == 0) {
hydra_report(stderr, "[ERROR] command is disabled on the server (choose different method): %s", buf);
hydra_report(stderr,
"[ERROR] command is disabled on the server (choose "
"different method): %s",
buf);
free(buf);
return 3;
}
@ -266,6 +270,8 @@ int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char
void usage_smtp_enum(const char *service) {
printf("Module smtp-enum is optionally taking one SMTP command of:\n\n"
"VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n"
"login parameter is used as username and password parameter as the domain name\n"
"For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n");
"login parameter is used as username and password parameter as the "
"domain name\n"
"For example to test if john@localhost exists on 192.168.0.1:\n"
"hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n");
}

31
hydra-smtp.c
View file

@ -52,7 +52,6 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
switch (smtp_auth_mechanism) {
case AUTH_PLAIN:
sprintf(buffer, "AUTH PLAIN\r\n");
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
@ -113,8 +112,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
strcpy(buffer, tmp_buffer);
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
sprintf(buffer, "AUTH DIGEST-MD5\r\n");
@ -145,8 +143,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%s\r\n", buffer2);
}
break;
} break;
#endif
case AUTH_NTLM: {
@ -174,8 +171,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL);
to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2));
sprintf(buffer, "%s\r\n", buf1);
}
break;
} break;
default:
/* by default trying AUTH LOGIN */
@ -188,7 +184,10 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
/* 504 5.7.4 Unrecognized authentication type */
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: %s\n", buf);
hydra_report(stderr,
"[ERROR] SMTP LOGIN AUTH, either this auth is disabled or "
"server is not using auth: %s\n",
buf);
free(buf);
return 3;
}
@ -325,7 +324,8 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
free(buf);
buf = hydra_receive_line(sock);
if (buf[0] != '2') {
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n");
hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer "
"received from STARTTLS request\n");
} else {
free(buf);
if ((hydra_connect_to_ssl(sock, hostname) == -1)) {
@ -346,9 +346,11 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
hydra_child_exit(2);
}
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it "
"is not supported by the server\n");
} else
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");
hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is "
"not supported by the server\n");
}
#endif
@ -380,9 +382,7 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
smtp_auth_mechanism = AUTH_PLAIN;
}
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
if (strstr(miscptr, "LOGIN"))
smtp_auth_mechanism = AUTH_LOGIN;
@ -399,7 +399,6 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (strstr(miscptr, "NTLM"))
smtp_auth_mechanism = AUTH_NTLM;
}
if (verbose) {
@ -460,5 +459,7 @@ int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_smtp(const char *service) {
printf("Module smtp is optionally taking one authentication type of:\n"
" LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"
"Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n");
"Additionally TLS encryption via STARTTLS can be enforced with the "
"TLS option.\n\n"
"Example: smtp://target/TLS:PLAIN\n");
}

73
hydra-snmp.c
View file

@ -1,10 +1,10 @@
#include "hydra-mod.h"
#ifdef LIBOPENSSL
#include <openssl/aes.h>
#include <openssl/des.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/des.h>
#include <openssl/aes.h>
#endif
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -15,29 +15,11 @@ extern int32_t child_head_no;
char snmpv3buf[1024], *snmpv3info = NULL;
int32_t snmpv3infolen = 0, snmpversion = 1, snmpread = 1, hashtype = 1, enctype = 0;
unsigned char snmpv3_init[] = { 0x30, 0x3e, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02,
0x04, 0x08, 0x86, 0xdd, 0xf0, 0x02, 0x03, 0x00,
0xff, 0xe3, 0x04, 0x01, 0x04, 0x02, 0x01, 0x03,
0x04, 0x10, 0x30, 0x0e, 0x04, 0x00, 0x02, 0x01,
0x00, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00,
0x04, 0x00, 0x30, 0x14, 0x04, 0x00, 0x04, 0x00,
0xa0, 0x0e, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbc,
0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00
};
unsigned char snmpv3_init[] = {0x30, 0x3e, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, 0x04, 0x08, 0x86, 0xdd, 0xf0, 0x02, 0x03, 0x00, 0xff, 0xe3, 0x04, 0x01, 0x04, 0x02, 0x01, 0x03, 0x04, 0x10, 0x30, 0x0e, 0x04, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x30, 0x14, 0x04, 0x00, 0x04, 0x00, 0xa0, 0x0e, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbc, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00};
unsigned char snmpv3_get1[] = { 0x30, 0x77, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02,
0x04, 0x08, 0x86, 0xdd, 0xef, 0x02, 0x03, 0x00,
0xff, 0xe3, 0x04, 0x01, 0x05, 0x02, 0x01, 0x03
};
unsigned char snmpv3_get1[] = {0x30, 0x77, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, 0x04, 0x08, 0x86, 0xdd, 0xef, 0x02, 0x03, 0x00, 0xff, 0xe3, 0x04, 0x01, 0x05, 0x02, 0x01, 0x03};
unsigned char snmpv3_get2[] = { 0x30, 0x2e, 0x04, 0x0c, 0x80, 0x00, 0x00,
0x09, 0x03, 0x00, 0x00, 0x1f, 0xca, 0x8d, 0x82,
0x1b, 0x04, 0x00, 0xa0, 0x1c, 0x02, 0x04, 0x3f,
0x44, 0x5c, 0xbb, 0x02, 0x01, 0x00, 0x02, 0x01,
0x00, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b,
0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05,
0x00
};
unsigned char snmpv3_get2[] = {0x30, 0x2e, 0x04, 0x0c, 0x80, 0x00, 0x00, 0x09, 0x03, 0x00, 0x00, 0x1f, 0xca, 0x8d, 0x82, 0x1b, 0x04, 0x00, 0xa0, 0x1c, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbb, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00};
unsigned char snmpv3_nouser[] = {0x04, 0x00, 0x04, 0x00, 0x04, 0x00};
@ -49,13 +31,11 @@ struct SNMPV1_A {
char comlen;
};
struct SNMPV1_A snmpv1_a = {
.ID = '\x30',
struct SNMPV1_A snmpv1_a = {.ID = '\x30',
.len = '\x00',
.ver = "\x02\x01\x00", /* \x02\x01\x01 for snmpv2c, \x02\x01\x03 for snmpv3 */
.comid = '\x04',
.comlen = '\x00'
};
.comlen = '\x00'};
struct SNMPV1_R {
unsigned char type[2];
@ -68,10 +48,12 @@ struct SNMPV1_R {
unsigned char value[3];
} snmpv1_r = {
.type = "\xa0\x1b", /* GET */
.identid = "\x02\x04",.ident = "\x1a\x5e\x97\x00", /* random crap :) */
.identid = "\x02\x04",
.ident = "\x1a\x5e\x97\x00", /* random crap :) */
.errstat = "\x02\x01\x00", /* no error */
.errind = "\x02\x01\x00", /* error index 0 */
.objectid = "\x30\x0d",.object = "\x30\x0b\x06\x07\x2b\x06\x01\x02\x01\x01\x01", /* sysDescr */
.objectid = "\x30\x0d",
.object = "\x30\x0b\x06\x07\x2b\x06\x01\x02\x01\x01\x01", /* sysDescr */
.value = "\x05\x00" /* we just read, so value = 0 */
};
@ -86,11 +68,13 @@ struct SNMPV1_W {
unsigned char value[8];
} snmpv1_w = {
.type = "\xa3\x21", /* SET */
.identid = "\x02\x04",.ident = "\x1a\x5e\x97\x22", /* random crap :) */
.identid = "\x02\x04",
.ident = "\x1a\x5e\x97\x22", /* random crap :) */
.errstat = "\x02\x01\x00", /* no error */
.errind = "\x02\x01\x00", /* error index 0 */
.objectid = "\x30\x13", /* string */
.object = "\x30\x11\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00",.value = "\x04\x05Hydra" /* writing hydra :-) */
.object = "\x30\x11\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00",
.value = "\x04\x05Hydra" /* writing hydra :-) */
};
#ifdef LIBOPENSSL
@ -277,7 +261,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (enctype == 0)
buffer[1] = 48 + sizeof(snmpv3_get1) + buffer[i + 1];
i += snmpv3infolen;
//printf("2 + %d + %d + %d = 0x%02x\n", off, snmpv3infolen, strlen(login), buffer[1]);
// printf("2 + %d + %d + %d = 0x%02x\n", off, snmpv3infolen, strlen(login),
// buffer[1]);
buffer[i] = 0x04;
buffer[i + 1] = strlen(login);
@ -341,7 +326,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
#endif
/* for (i = 0; i <= sizeof(snmpv3_get2) - 8; i += 8) {
DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8, (const_DES_cblock*)(initVect), DES_ENCRYPT);
DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8,
(const_DES_cblock*)(initVect), DES_ENCRYPT);
}
// last part of buffer
if (buffer_len % 8) {
@ -351,10 +337,9 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
memset(tmp_buf, 0, 8);
for (uint32_t l = start; l < buffer_len; l++)
*tmp_buf_ptr++ = buffer[l];
DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc, (const_DES_cblock*)(initVect), DES_ENCRYPT);
*out_buffer_len = buffer_len + 8 - (buffer_len % 8);
} else
*out_buffer_len = buffer_len;
DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc,
(const_DES_cblock*)(initVect), DES_ENCRYPT); *out_buffer_len =
buffer_len + 8 - (buffer_len % 8); } else *out_buffer_len = buffer_len;
*/
// dummy
k = ((sizeof(snmpv3_get2) - 2) / 8);
@ -453,7 +438,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 3;
return 1;
} else if ((buf[off + 15] & 5) == 4 && hydra_memsearch(buf, i, snmpv3_nouser, sizeof(snmpv3_nouser)) >= 0) { // user does not exist
} else if ((buf[off + 15] & 5) == 4 && hydra_memsearch(buf, i, snmpv3_nouser,
sizeof(snmpv3_nouser)) >= 0) { // user does not exist
if (verbose)
printf("[INFO] user %s does not exist, skipping\n", login);
hydra_completed_pair_skip();
@ -538,8 +524,9 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
if (debug)
hydra_dump_asciihex(snmpv3info, snmpv3infolen);
if (snmpv3info[10] == 3 && child_head_no == 0)
printf("[INFO] Remote device MAC address is %02x:%02x:%02x:%02x:%02x:%02x\n", (unsigned char) snmpv3info[12], (unsigned char) snmpv3info[13],
(unsigned char) snmpv3info[14], (unsigned char) snmpv3info[15], (unsigned char) snmpv3info[16], (unsigned char) snmpv3info[12]);
printf("[INFO] Remote device MAC address is "
"%02x:%02x:%02x:%02x:%02x:%02x\n",
(unsigned char)snmpv3info[12], (unsigned char)snmpv3info[13], (unsigned char)snmpv3info[14], (unsigned char)snmpv3info[15], (unsigned char)snmpv3info[16], (unsigned char)snmpv3info[12]);
}
}
}
@ -594,13 +581,15 @@ void usage_snmp(const char* service) {
" 1 use SNMP version 1 (default)\n"
" 2 use SNMP version 2\n"
" 3 use SNMP version 3\n"
" Note that SNMP version 3 usually uses both login and passwords!\n"
" Note that SNMP version 3 usually uses both login and "
"passwords!\n"
" SNMP version 3 has the following optional sub parameters:\n"
" MD5 use MD5 authentication (default)\n"
" SHA use SHA authentication\n"
" DES use DES encryption\n"
" AES use AES encryption\n"
" if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n"
" if no -p/-P parameter is given, SNMPv3 noauth is performed, "
"which\n"
" only requires a password (or username) not both.\n"
"To combine the options, use colons (\":\"), e.g.:\n"
" hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n"

29
hydra-ssh.c
View file

@ -8,9 +8,7 @@ have to add option -DWITH_SSH1=On in the cmake
#include "hydra-mod.h"
#ifndef LIBSSH
void dummy_ssh() {
printf("\n");
}
void dummy_ssh() { printf("\n"); }
#else
#include <libssh/libssh.h>
@ -158,8 +156,8 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
#endif
//
// dirty workaround here: miscptr is the ptr to the logins, and the first one is used
// to test if password authentication is enabled!!
// dirty workaround here: miscptr is the ptr to the logins, and the first one is
// used to test if password authentication is enabled!!
//
int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
@ -178,7 +176,9 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc
ssh_session session = ssh_new();
if (verbose || debug)
printf("[INFO] Testing if password authentication is supported by ssh://%s@%s:%d\n", miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port);
printf("[INFO] Testing if password authentication is supported by "
"ssh://%s@%s:%d\n",
miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port);
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
if (miscptr == NULL)
@ -198,19 +198,28 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc
ssh_finalize();
ssh_free(session);
if (debug) printf("[DEBUG] SSH method check: %08x\n", method);
if (debug)
printf("[DEBUG] SSH method check: %08x\n", method);
if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) {
if (verbose || debug)
printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string_beautiful(ip), port);
printf("[INFO] Successful, password authentication is supported by "
"ssh://%s:%d\n",
hydra_address2string_beautiful(ip), port);
return 0;
} else if (method == 0) {
if (verbose || debug)
fprintf(stderr, "[WARNING] invalid SSH method reply from ssh://%s:%d, continuing anyway ... (check for empty password!)\n", hydra_address2string_beautiful(ip), port);
fprintf(stderr,
"[WARNING] invalid SSH method reply from ssh://%s:%d, continuing "
"anyway ... (check for empty password!)\n",
hydra_address2string_beautiful(ip), port);
return 0;
}
fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication (method reply %d).\n", hydra_address2string_beautiful(ip), port, method);
fprintf(stderr,
"[ERROR] target ssh://%s:%d/ does not support password "
"authentication (method reply %d).\n",
hydra_address2string_beautiful(ip), port, method);
return 1;
#else
return 0;

10
hydra-sshkey.c
View file

@ -8,9 +8,7 @@
#include "hydra-mod.h"
#ifndef LIBSSH
void dummy_sshkey() {
printf("\n");
}
void dummy_sshkey() { printf("\n"); }
#else
#include <libssh/libssh.h>
@ -169,8 +167,10 @@ int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *m
}
void usage_sshkey(const char *service) {
printf("Module sshkey does not provide additional options, although the semantic for\n"
printf("Module sshkey does not provide additional options, although the "
"semantic for\n"
"options -p and -P is changed:\n"
" -p expects a path to an unencrypted private key in PEM format.\n"
" -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n");
" -P expects a filename containing a list of path to some unencrypted\n"
" private keys in PEM format.\n\n");
}

18
hydra-svn.c
View file

@ -10,12 +10,12 @@
#include <sys/param.h>
#endif
#include <svn_version.h>
#include <svn_client.h>
#include <svn_cmdline.h>
#include <svn_pools.h>
#include <svn_config.h>
#include <svn_fs.h>
#include <svn_pools.h>
#include <svn_version.h>
#if SVN_VER_MINOR > 7
#include <svn_path.h>
#endif
@ -25,9 +25,7 @@
#include "hydra-mod.h"
#ifndef LIBSVN
void dummy_svn() {
printf("\n");
}
void dummy_svn() { printf("\n"); }
#else
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@ -36,9 +34,7 @@ extern char *HYDRA_EXIT;
#define DEFAULT_BRANCH "trunk"
static svn_error_t *print_dirdummy(void *baton, const char *path, const svn_dirent_t * dirent, const svn_lock_t * lock, const char *abs_path, apr_pool_t * pool) {
return SVN_NO_ERROR;
}
static svn_error_t *print_dirdummy(void *baton, const char *path, const svn_dirent_t *dirent, const svn_lock_t *lock, const char *abs_path, apr_pool_t *pool) { return SVN_NO_ERROR; }
static svn_error_t *my_simple_prompt_callback(svn_auth_cred_simple_t **cred, void *baton, const char *realm, const char *username, svn_boolean_t may_save, apr_pool_t *pool) {
char *empty = "";
@ -207,7 +203,8 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
return;
default:
if (!verbose)
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n");
hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose "
"option for more details\n");
hydra_child_exit(0);
}
run = next_run;
@ -239,5 +236,6 @@ int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *misc
}
void usage_svn(const char *service) {
printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n");
printf("Module svn is optionally taking the repository name to attack, "
"default is \"trunk\"\n\n");
}

9
hydra-telnet.c
View file

@ -76,10 +76,7 @@ int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, c
/*win7 answering with do terminal type = 0xfd 0x18 */
while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:") == NULL || strstr(buf, "last login:") != NULL) && strstr(buf, "sername:") == NULL) {
if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL &&
strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL &&
(index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL ||
index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) {
if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL && (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) {
hydra_report_found_host(port, ip, "telnet", fp);
hydra_completed_pair_found();
free(buf);
@ -220,5 +217,7 @@ int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *m
void usage_telnet(const char *service) {
printf("Module telnet is optionally taking the string which is displayed after\n"
"a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n");
"a successful login (case insensitive), use if the default in the "
"telnet\n"
"module produces too many false positives\n\n");
}

13
hydra-time.c
View file

@ -2,8 +2,7 @@
#ifndef _WIN32
#include <time.h>
int32_t sleepn(time_t seconds)
{
int32_t sleepn(time_t seconds) {
struct timespec ts;
ts.tv_sec = seconds;
ts.tv_nsec = 0;
@ -19,13 +18,7 @@ int32_t usleepn(uint64_t milisec) {
#else
#include <windows.h>
int32_t sleepn(uint32_t seconds)
{
return SleepEx(milisec*1000,TRUE);
}
int32_t sleepn(uint32_t seconds) { return SleepEx(milisec * 1000, TRUE); }
int32_t usleepn(uint32_t milisec)
{
return SleepEx(milisec,TRUE);
}
int32_t usleepn(uint32_t milisec) { return SleepEx(milisec, TRUE); }
#endif

9
hydra-vmauthd.c
View file

@ -5,7 +5,6 @@
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
char *buf;
@ -99,7 +98,8 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr,
// fprintf(stderr, "%s\n",buf);
// 220 VMware Authentication Daemon Version 1.00
// 220 VMware Authentication Daemon Version 1.10: SSL Required
//220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
// 220 VMware Authentication Daemon Version 1.10: SSL Required,
// ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
if (buf == NULL || strstr(buf, "220 VMware Authentication Daemon Version ") == NULL) {
/* check the first line */
@ -108,7 +108,10 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr,
hydra_child_exit(2);
}
if ((strstr(buf, "Version 1.00") == NULL) && (strstr(buf, "Version 1.10") == NULL)) {
hydra_report(stderr, "[ERROR] this vmware authd protocol is not supported, please report: %s\n", buf);
hydra_report(stderr,
"[ERROR] this vmware authd protocol is not supported, "
"please report: %s\n",
buf);
free(buf);
hydra_child_exit(2);
}

19
hydra-vnc.c
View file

@ -5,8 +5,8 @@
*
*/
#include "hydra-mod.h"
#include "d3des.h"
#include "hydra-mod.h"
#define CHALLENGESIZE 16
@ -181,14 +181,16 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
}
if (strstr(buf, " security failures") != NULL) { /* check the first line */
/*
VNC has a 'blacklisting' scheme that blocks an IP address after five unsuccessful connection attempts.
The IP address is initially blocked for ten seconds,
but this doubles for each unsuccessful attempt thereafter.
A successful connection from an IP address resets the blacklist timeout.
This is built in to VNC Server and does not rely on operating system support.
VNC has a 'blacklisting' scheme that blocks an IP address after five
unsuccessful connection attempts. The IP address is initially blocked
for ten seconds, but this doubles for each unsuccessful attempt
thereafter. A successful connection from an IP address resets the
blacklist timeout. This is built in to VNC Server and does not rely
on operating system support.
*/
failed_auth++;
hydra_report(stderr, "VNC server reported too many authentication failures, have to wait some seconds ...\n");
hydra_report(stderr, "VNC server reported too many authentication "
"failures, have to wait some seconds ...\n");
sleep(12 * failed_auth);
free(buf);
next_run = 1;
@ -197,7 +199,8 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
if (verbose)
hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf);
if (((strstr(buf, "RFB 005.000") != NULL) || (strstr(buf, "RFB 004") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) {
//using proto version 003.007 to talk to server 005.xxx and 004.xxx same for 3.7 and 3.8
// using proto version 003.007 to talk to server 005.xxx and 004.xxx
// same for 3.7 and 3.8
vnc_client_version = RFB37;
free(buf);
buf = strdup("RFB 003.007\n");

44
hydra-xmpp.c
View file

@ -9,7 +9,8 @@ static char *domain = NULL;
int32_t xmpp_auth_mechanism = AUTH_ERROR;
char *JABBER_CLIENT_INIT_STR = "<?xml version='1.0' ?><stream:stream to='";
char *JABBER_CLIENT_INIT_END_STR = "' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>";
char *JABBER_CLIENT_INIT_END_STR = "' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
"version='1.0'>";
int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "\"\"";
@ -120,8 +121,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
}
}
}
}
break;
} break;
#ifdef LIBOPENSSL
case AUTH_PLAIN: {
memset(buffer2, 0, sizeof(buffer));
@ -130,8 +130,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (debug)
hydra_report(stderr, "DEBUG C: %s\n", buffer);
}
break;
} break;
case AUTH_CRAMMD5: {
int32_t rc = 0;
char *preplogin;
@ -153,8 +152,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
strncpy(buffer, buffer2, sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
free(preplogin);
}
break;
} break;
case AUTH_DIGESTMD5: {
memset(buffer2, 0, sizeof(buffer2));
fooptr = buffer2;
@ -167,8 +165,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);
}
break;
} break;
case AUTH_SCRAMSHA1: {
/*client-first-message */
char clientfirstmessagebare[200];
@ -234,8 +231,7 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
free(buf);
return 1;
}
}
break;
} break;
#endif
ptr = 0;
}
@ -249,8 +245,9 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha
if (buf == NULL)
return 1;
//we test the challenge tag as digest-md5 when connected is sending "rspauth" value
//so if we are receiving a second challenge we assume the auth is good
// we test the challenge tag as digest-md5 when connected is sending
// "rspauth" value so if we are receiving a second challenge we assume the
// auth is good
if ((strstr(buf, "<success") != NULL) || (strstr(buf, "<challenge ") != NULL)) {
hydra_report_found_host(port, ip, "xmpp", fp);
@ -284,14 +281,16 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha
int32_t myport = PORT_XMPP, mysslport = PORT_XMPP_SSL, disable_tls = 0;
char *enddomain = NULL;
//we have to pass the target here as the reverse dns resolution is not working for some servers
//try to extract only the domain name from the target
//so for o.nimbuzz.com will get nimbuzz.com
//and hermes.jabber.org will get jabber.org
// we have to pass the target here as the reverse dns resolution is not
// working for some servers try to extract only the domain name from the
// target so for o.nimbuzz.com will get nimbuzz.com and hermes.jabber.org will
// get jabber.org
domain = strchr(target, '.');
if (!domain) {
hydra_report(stderr, "[ERROR] can't extract the domain name, you have to specify a fqdn xmpp server, the domain name will be used in the jabber init request\n");
hydra_report(stderr, "[ERROR] can't extract the domain name, you have to "
"specify a fqdn xmpp server, the domain name will be "
"used in the jabber init request\n");
hydra_child_exit(1);
}
@ -351,7 +350,11 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha
if (strstr(buf, "<stream:error")) {
if (strstr(buf, "<host-unknown"))
hydra_report(stderr, "[ERROR] %s host unknown, you have to specify a fqdn xmpp server, the domain name will be used in the jabber init request : %s\n", domain, buf);
hydra_report(stderr,
"[ERROR] %s host unknown, you have to specify a fqdn "
"xmpp server, the domain name will be used in the "
"jabber init request : %s\n",
domain, buf);
else
hydra_report(stderr, "[ERROR] xmpp protocol : %s\n", buf);
free(buf);
@ -502,5 +505,6 @@ int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *mis
void usage_xmpp(const char *service) {
printf("Module xmpp is optionally taking one authentication type of:\n"
" LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n"
"Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n");
"Note, the target passed should be a fdqn as the value is used in the "
"Jabber init request, example: hermes.jabber.org\n\n");
}

1029
hydra.c
View file

File diff suppressed because it is too large Load diff

48
hydra.h
View file

@ -15,26 +15,25 @@
#define hPRIu64 "lu"
#endif
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <ctype.h>
#include <signal.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <time.h>
#include <unistd.h>
#ifdef HAVE_OPENSSL
#define HYDRA_SSL
@ -172,22 +171,9 @@
int32_t usleepn(uint32_t useconds);
#endif
typedef enum {
MODE_PASSWORD_LIST = 1,
MODE_LOGIN_LIST = 2,
MODE_PASSWORD_BRUTE = 4,
MODE_PASSWORD_REVERSE = 8,
MODE_PASSWORD_NULL = 16,
MODE_PASSWORD_SAME = 32,
MODE_COLON_FILE = 64
} hydra_mode_t;
typedef enum { MODE_PASSWORD_LIST = 1, MODE_LOGIN_LIST = 2, MODE_PASSWORD_BRUTE = 4, MODE_PASSWORD_REVERSE = 8, MODE_PASSWORD_NULL = 16, MODE_PASSWORD_SAME = 32, MODE_COLON_FILE = 64 } hydra_mode_t;
typedef enum {
FORMAT_PLAIN_TEXT,
FORMAT_JSONV1,
FORMAT_JSONV2,
FORMAT_XMLV1
} output_format_t;
typedef enum { FORMAT_PLAIN_TEXT, FORMAT_JSONV1, FORMAT_JSONV2, FORMAT_XMLV1 } output_format_t;
typedef struct {
hydra_mode_t mode;

30
libpq-fe.h
View file

@ -197,8 +197,7 @@ extern "C" {
extern PGconn *PQconnectdb(const char *conninfo);
extern PGconn *PQsetdbLogin(const char *pghost, const char *pgport, const char *pgoptions, const char *pgtty, const char *dbName, const char *login, const char *pwd);
#define PQsetdb(M_PGHOST,M_PGPORT,M_PGOPT,M_PGTTY,M_DBNAME) \
PQsetdbLogin(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME, NULL, NULL)
#define PQsetdb(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME) PQsetdbLogin(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME, NULL, NULL)
/* close the current connection and free the PGconn data structure */
extern void PQfinish(PGconn *conn);
@ -263,19 +262,13 @@ extern "C" {
/* Simple synchronous query */
extern PGresult *PQexec(PGconn *conn, const char *query);
extern PGresult *PQexecParams(PGconn * conn,
const char *command,
int32_t nParams, const Oid * paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQexecPrepared(PGconn * conn,
const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQexecParams(PGconn *conn, const char *command, int32_t nParams, const Oid *paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQexecPrepared(PGconn *conn, const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
/* Interface for multiple-result or asynchronous queries */
extern int32_t PQsendQuery(PGconn *conn, const char *query);
extern int32_t PQsendQueryParams(PGconn * conn,
const char *command,
int32_t nParams, const Oid * paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern int32_t PQsendQueryPrepared(PGconn * conn,
const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern int32_t PQsendQueryParams(PGconn *conn, const char *command, int32_t nParams, const Oid *paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern int32_t PQsendQueryPrepared(PGconn *conn, const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat);
extern PGresult *PQgetResult(PGconn *conn);
/* Routines for managing an asynchronous query */
@ -350,38 +343,31 @@ extern "C" {
*/
extern PGresult *PQmakeEmptyPGresult(PGconn *conn, ExecStatusType status);
/* Quoting strings before inclusion in queries. */
extern size_t PQescapeString(char *to, const char *from, size_t length);
extern unsigned char *PQescapeBytea(const unsigned char *bintext, size_t binlen, size_t *bytealen);
extern unsigned char *PQunescapeBytea(const unsigned char *strtext, size_t *retbuflen);
/* === in fe-print.c === */
extern void
PQprint(FILE * fout, /* output stream */
extern void PQprint(FILE *fout, /* output stream */
const PGresult *res, const PQprintOpt *ps); /* option structure */
/*
* really old printing routines
*/
extern void
PQdisplayTuples(const PGresult * res, FILE * fp, /* where to send the output */
extern void PQdisplayTuples(const PGresult *res, FILE *fp, /* where to send the output */
int32_t fillAlign, /* pad the fields with spaces */
const char *fieldSep, /* field separator */
int32_t printHeader, /* display headers? */
int32_t quiet);
extern void
PQprintTuples(const PGresult * res, FILE * fout, /* output stream */
extern void PQprintTuples(const PGresult *res, FILE *fout, /* output stream */
int32_t printAttName, /* print attribute names */
int32_t terseOutput, /* delimiter bars */
int32_t width); /* width of column, if 0, use variable
* width */
/* === in fe-lobj.c === */
/* Large-object access routines */

367
ntlm.c
View file

@ -36,17 +36,16 @@
*/
#include <stdio.h>
#ifdef WIN32
#else
#include <unistd.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <assert.h>
#include <string.h>
#include "ntlm.h"
#include <assert.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Byte order macros */
#ifndef _BYTEORDER_H
@ -127,28 +126,82 @@ it also defines lots of intermediate macros, just ignore those :-)
/* some switch macros that do both store and read to and from SMB buffers */
#define RW_PCVAL(read, inbuf, outbuf, len) \
{ if (read) { PCVAL (inbuf,0,outbuf,len); } \
else { PSCVAL(inbuf,0,outbuf,len); } }
{ \
if (read) { \
PCVAL(inbuf, 0, outbuf, len); \
} else { \
PSCVAL(inbuf, 0, outbuf, len); \
} \
}
#define RW_PIVAL(read, big_endian, inbuf, outbuf, len) \
{ if (read) { if (big_endian) { RPIVAL(inbuf,0,outbuf,len); } else { PIVAL(inbuf,0,outbuf,len); } } \
else { if (big_endian) { RPSIVAL(inbuf,0,outbuf,len); } else { PSIVAL(inbuf,0,outbuf,len); } } }
{ \
if (read) { \
if (big_endian) { \
RPIVAL(inbuf, 0, outbuf, len); \
} else { \
PIVAL(inbuf, 0, outbuf, len); \
} \
} else { \
if (big_endian) { \
RPSIVAL(inbuf, 0, outbuf, len); \
} else { \
PSIVAL(inbuf, 0, outbuf, len); \
} \
} \
}
#define RW_PSVAL(read, big_endian, inbuf, outbuf, len) \
{ if (read) { if (big_endian) { RPSVAL(inbuf,0,outbuf,len); } else { PSVAL(inbuf,0,outbuf,len); } } \
else { if (big_endian) { RPSSVAL(inbuf,0,outbuf,len); } else { PSSVAL(inbuf,0,outbuf,len); } } }
{ \
if (read) { \
if (big_endian) { \
RPSVAL(inbuf, 0, outbuf, len); \
} else { \
PSVAL(inbuf, 0, outbuf, len); \
} \
} else { \
if (big_endian) { \
RPSSVAL(inbuf, 0, outbuf, len); \
} else { \
PSSVAL(inbuf, 0, outbuf, len); \
} \
} \
}
#define RW_CVAL(read, inbuf, outbuf, offset) \
{ if (read) { (outbuf) = CVAL (inbuf,offset); } \
else { SCVAL(inbuf,offset,outbuf); } }
{ \
if (read) { \
(outbuf) = CVAL(inbuf, offset); \
} else { \
SCVAL(inbuf, offset, outbuf); \
} \
}
#define RW_IVAL(read, big_endian, inbuf, outbuf, offset) \
{ if (read) { (outbuf) = ((big_endian) ? RIVAL(inbuf,offset) : IVAL (inbuf,offset)); } \
else { if (big_endian) { RSIVAL(inbuf,offset,outbuf); } else { SIVAL(inbuf,offset,outbuf); } } }
{ \
if (read) { \
(outbuf) = ((big_endian) ? RIVAL(inbuf, offset) : IVAL(inbuf, offset)); \
} else { \
if (big_endian) { \
RSIVAL(inbuf, offset, outbuf); \
} else { \
SIVAL(inbuf, offset, outbuf); \
} \
} \
}
#define RW_SVAL(read, big_endian, inbuf, outbuf, offset) \
{ if (read) { (outbuf) = ((big_endian) ? RSVAL(inbuf,offset) : SVAL (inbuf,offset)); } \
else { if (big_endian) { RSSVAL(inbuf,offset,outbuf); } else { SSVAL(inbuf,offset,outbuf); } } }
{ \
if (read) { \
(outbuf) = ((big_endian) ? RSVAL(inbuf, offset) : SVAL(inbuf, offset)); \
} else { \
if (big_endian) { \
RSSVAL(inbuf, offset, outbuf); \
} else { \
SSVAL(inbuf, offset, outbuf); \
} \
} \
}
#undef CAREFUL_ALIGNMENT
@ -166,7 +219,6 @@ it also defines lots of intermediate macros, just ignore those :-)
#define PVAL(buf, pos) ((unsigned)CVAL(buf, pos))
#define SCVAL(buf, pos, val) (CVAL(buf, pos) = (val))
#if CAREFUL_ALIGNMENT
#define SVAL(buf, pos) (PVAL(buf, pos) | PVAL(buf, (pos) + 1) << 8)
@ -207,10 +259,18 @@ it also defines lots of intermediate macros, just ignore those :-)
/* macros for reading / writing arrays */
#define SMBMACRO(macro, buf, pos, val, len, size) \
{ int32_t l; for (l = 0; l < (len); l++) (val)[l] = macro((buf), (pos) + (size)*l); }
{ \
int32_t l; \
for (l = 0; l < (len); l++) \
(val)[l] = macro((buf), (pos) + (size)*l); \
}
#define SSMBMACRO(macro, buf, pos, val, len, size) \
{ int32_t l; for (l = 0; l < (len); l++) macro((buf), (pos) + (size)*l, (val)[l]); }
{ \
int32_t l; \
for (l = 0; l < (len); l++) \
macro((buf), (pos) + (size)*l, (val)[l]); \
}
/* reads multiple data from an SMB buffer */
#define PCVAL(buf, pos, val, len) SMBMACRO(CVAL, buf, pos, val, len, 1)
@ -228,7 +288,6 @@ it also defines lots of intermediate macros, just ignore those :-)
#define PSSVALS(buf, pos, val, len) SSMBMACRO(SSVALS, buf, pos, val, len, 2)
#define PSIVALS(buf, pos, val, len) SSMBMACRO(SIVALS, buf, pos, val, len, 4)
/* now the reverse routines - these are used in nmb packets (mostly) */
#define SREV(x) ((((x)&0xFF) << 8) | (((x) >> 8) & 0xFF))
#define IREV(x) ((SREV(x) << 16) | (SREV((x) >> 16)))
@ -255,47 +314,70 @@ it also defines lots of intermediate macros, just ignore those :-)
#define RPSIVALS(buf, pos, val, len) SSMBMACRO(RSIVALS, buf, pos, val, len, 4)
#define DBG_RW_PCVAL(charmode, string, depth, base, read, inbuf, outbuf, len) \
{ RW_PCVAL(read,inbuf,outbuf,len) \
DEBUG(5,("%s%04x %s: ", \
tab_depth(depth), base,string)); \
if (charmode) print_asc(5, (unsigned char*)(outbuf), (len)); else \
{ int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%02x ", (outbuf)[idx])); } } \
DEBUG(5,("\n")); }
{ \
RW_PCVAL(read, inbuf, outbuf, len) \
DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \
if (charmode) \
print_asc(5, (unsigned char *)(outbuf), (len)); \
else { \
int32_t idx; \
for (idx = 0; idx < len; idx++) { \
DEBUG(5, ("%02x ", (outbuf)[idx])); \
} \
} \
DEBUG(5, ("\n")); \
}
#define DBG_RW_PSVAL(charmode, string, depth, base, read, big_endian, inbuf, outbuf, len) \
{ RW_PSVAL(read,big_endian,inbuf,outbuf,len) \
DEBUG(5,("%s%04x %s: ", \
tab_depth(depth), base,string)); \
if (charmode) print_asc(5, (unsigned char*)(outbuf), 2*(len)); else \
{ int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%04x ", (outbuf)[idx])); } } \
DEBUG(5,("\n")); }
{ \
RW_PSVAL(read, big_endian, inbuf, outbuf, len) \
DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \
if (charmode) \
print_asc(5, (unsigned char *)(outbuf), 2 * (len)); \
else { \
int32_t idx; \
for (idx = 0; idx < len; idx++) { \
DEBUG(5, ("%04x ", (outbuf)[idx])); \
} \
} \
DEBUG(5, ("\n")); \
}
#define DBG_RW_PIVAL(charmode, string, depth, base, read, big_endian, inbuf, outbuf, len) \
{ RW_PIVAL(read,big_endian,inbuf,outbuf,len) \
DEBUG(5,("%s%04x %s: ", \
tab_depth(depth), base,string)); \
if (charmode) print_asc(5, (unsigned char*)(outbuf), 4*(len)); else \
{ int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%08x ", (outbuf)[idx])); } } \
DEBUG(5,("\n")); }
{ \
RW_PIVAL(read, big_endian, inbuf, outbuf, len) \
DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \
if (charmode) \
print_asc(5, (unsigned char *)(outbuf), 4 * (len)); \
else { \
int32_t idx; \
for (idx = 0; idx < len; idx++) { \
DEBUG(5, ("%08x ", (outbuf)[idx])); \
} \
} \
DEBUG(5, ("\n")); \
}
#define DBG_RW_CVAL(string, depth, base, read, inbuf, outbuf) \
{ RW_CVAL(read,inbuf,outbuf,0) \
DEBUG(5,("%s%04x %s: %02x\n", \
tab_depth(depth), base, string, outbuf)); }
{ \
RW_CVAL(read, inbuf, outbuf, 0) \
DEBUG(5, ("%s%04x %s: %02x\n", tab_depth(depth), base, string, outbuf)); \
}
#define DBG_RW_SVAL(string, depth, base, read, big_endian, inbuf, outbuf) \
{ RW_SVAL(read,big_endian,inbuf,outbuf,0) \
DEBUG(5,("%s%04x %s: %04x\n", \
tab_depth(depth), base, string, outbuf)); }
{ \
RW_SVAL(read, big_endian, inbuf, outbuf, 0) \
DEBUG(5, ("%s%04x %s: %04x\n", tab_depth(depth), base, string, outbuf)); \
}
#define DBG_RW_IVAL(string, depth, base, read, big_endian, inbuf, outbuf) \
{ RW_IVAL(read,big_endian,inbuf,outbuf,0) \
DEBUG(5,("%s%04x %s: %08x\n", \
tab_depth(depth), base, string, outbuf)); }
{ \
RW_IVAL(read, big_endian, inbuf, outbuf, 0) \
DEBUG(5, ("%s%04x %s: %08x\n", tab_depth(depth), base, string, outbuf)); \
}
#endif /* _BYTEORDER_H */
/* Samba MD4 implementation */
/* NOTE: This code makes no attempt to be fast!
@ -305,17 +387,11 @@ it also defines lots of intermediate macros, just ignore those :-)
static uint32 A, B, C, D;
static uint32 F(uint32 X, uint32 Y, uint32 Z) {
return (X & Y) | ((~X) & Z);
}
static uint32 F(uint32 X, uint32 Y, uint32 Z) { return (X & Y) | ((~X) & Z); }
static uint32 G(uint32 X, uint32 Y, uint32 Z) {
return (X & Y) | (X & Z) | (Y & Z);
}
static uint32 G(uint32 X, uint32 Y, uint32 Z) { return (X & Y) | (X & Z) | (Y & Z); }
static uint32 H(uint32 X, uint32 Y, uint32 Z) {
return X ^ Y ^ Z;
}
static uint32 H(uint32 X, uint32 Y, uint32 Z) { return X ^ Y ^ Z; }
static uint32 lshift(uint32 x, int32_t s) {
x &= 0xFFFFFFFF;
@ -471,111 +547,35 @@ void mdfour(unsigned char *out, unsigned char *in, int32_t n) {
#define uchar unsigned char
#define int16 signed short
static uchar perm1[56] = { 57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4
};
static uchar perm1[56] = {57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4};
static uchar perm2[48] = { 14, 17, 11, 24, 1, 5,
3, 28, 15, 6, 21, 10,
23, 19, 12, 4, 26, 8,
16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55,
30, 40, 51, 45, 33, 48,
44, 49, 39, 56, 34, 53,
46, 42, 50, 36, 29, 32
};
static uchar perm2[48] = {14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32};
static uchar perm3[64] = { 58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7
};
static uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7};
static uchar perm4[48] = { 32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1
};
static uchar perm4[48] = {32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1};
static uchar perm5[32] = { 16, 7, 20, 21,
29, 12, 28, 17,
1, 15, 23, 26,
5, 18, 31, 10,
2, 8, 24, 14,
32, 27, 3, 9,
19, 13, 30, 6,
22, 11, 4, 25
};
static uchar perm6[64] = { 40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25
};
static uchar perm5[32] = {16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25};
static uchar perm6[64] = {40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25};
static uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
static uchar sbox[8][4][16] = {
{{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
{0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
{4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
{15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
static uchar sbox[8][4][16] = {{{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
{{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
{3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
{0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
{13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
{{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
{{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
{13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
{13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
{1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
{{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
{{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
{13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
{10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
{3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
{{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
{{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
{14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
{4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
{11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
{{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
{{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
{10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
{9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
{4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
{{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
{{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
{13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
{1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
{6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
{{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
{{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
{1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
{7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
{2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}
};
{{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
static void permute(char *out, char *in, uchar *p, int32_t n) {
int32_t i;
@ -601,7 +601,8 @@ static void concat(char *out, char *in1, char *in2, int32_t l1, int32_t l2) {
*out++ = *in2++;
}
void xor(char *out, char *in1, char *in2, int32_t n) {
void xor
(char *out, char *in1, char *in2, int32_t n) {
int32_t i;
for (i = 0; i < n; i++)
@ -703,7 +704,6 @@ static void str_to_key(unsigned char *str, unsigned char *key) {
}
}
static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key, int32_t forw) {
int32_t i;
char outb[64];
@ -815,7 +815,6 @@ void SamOEMhash(unsigned char *data, unsigned char *key, int32_t val) {
/* Samba encryption implementation*/
/****************************************************************************
Like strncpy but always null terminates. Make sure there is room!
The variable n should always be one less than the available size.
@ -830,15 +829,13 @@ char *StrnCpy(char *dest, const char *src, size_t n) {
*dest = 0;
return (dest);
}
while (n-- && (*d++ = *src++));
while (n-- && (*d++ = *src++))
;
*d = 0;
return (dest);
}
size_t skip_multibyte_char(char c) {
return 0;
}
size_t skip_multibyte_char(char c) { return 0; }
/*******************************************************************
safe string copy into a known length string. maxlength does not
@ -870,7 +867,6 @@ char *safe_strcpy(char *dest, const char *src, size_t maxlength) {
return dest;
}
void strupper(char *s) {
while (*s) {
{
@ -1029,7 +1025,6 @@ void NTLMSSPOWFencrypt(uchar passwd[8], uchar * ntlmchalresp, uchar p24[24]) {
#endif
}
/* Does the NT MD4 hash then des encryption. */
void SMBNTencrypt(uchar *passwd, uchar *c8, uchar *p24) {
@ -1083,7 +1078,8 @@ BOOL make_oem_passwd_hash(char data[516], const char *passwd, uchar old_pw_hash[
#endif
/* libtnlm copyrigth was left here, anyway the interface was slightly modified */
/* libtnlm copyrigth was left here, anyway the interface was slightly modified
*/
/* included libntlm-3.2.9 (c) even if this code is based in 2.1 version*/
@ -1115,18 +1111,14 @@ Contributed LGPL versions of some of the GPL'd Samba files.
#define AddBytes(ptr, header, buf, count) \
{ \
if (buf != NULL && count != 0) \
{ \
if (buf != NULL && count != 0) { \
SSVAL(&ptr->header.len, 0, count); \
SSVAL(&ptr->header.maxlen, 0, count); \
SIVAL(&ptr->header.offset, 0, ((ptr->buffer - ((uint8 *)ptr)) + ptr->bufIndex)); \
memcpy(ptr->buffer + ptr->bufIndex, buf, count); \
ptr->bufIndex += count; \
} \
else \
{ \
ptr->header.len = \
ptr->header.maxlen = 0; \
} else { \
ptr->header.len = ptr->header.maxlen = 0; \
SIVAL(&ptr->header.offset, 0, ptr->bufIndex); \
} \
}
@ -1135,7 +1127,8 @@ else \
{ \
char *p = string; \
int32_t len = 0; \
if (p) len = strlen(p); \
if (p) \
len = strlen(p); \
AddBytes(ptr, header, ((unsigned char *)p), len); \
}
@ -1144,22 +1137,16 @@ AddBytes(ptr, header, ((unsigned char*)p), len); \
char *p = string; \
unsigned char *b = NULL; \
int32_t len = 0; \
if (p) \
{ \
if (p) { \
len = strlen(p); \
b = strToUnicode(p); \
} \
AddBytes(ptr, header, b, len * 2); \
}
#define GetUnicodeString(structPtr, header) \
unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
#define GetString(structPtr, header) \
toString((((char *)structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
#define DumpBuffer(fp, structPtr, header) \
dumpRaw(fp,((unsigned char*)structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
#define GetUnicodeString(structPtr, header) unicodeToString(((char *)structPtr) + IVAL(&structPtr->header.offset, 0), SVAL(&structPtr->header.len, 0) / 2)
#define GetString(structPtr, header) toString((((char *)structPtr) + IVAL(&structPtr->header.offset, 0)), SVAL(&structPtr->header.len, 0))
#define DumpBuffer(fp, structPtr, header) dumpRaw(fp, ((unsigned char *)structPtr) + IVAL(&structPtr->header.offset, 0), SVAL(&structPtr->header.len, 0))
static void dumpRaw(FILE *fp, unsigned char *buf, size_t len) {
int32_t i;
@ -1210,7 +1197,6 @@ static unsigned char *toString(char *p, size_t len) {
return buf;
}
void buildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain) {
char *h = NULL; // strdup(host);
char *p = NULL; // strchr(h,'@');
@ -1295,10 +1281,6 @@ void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *
free(u);
}
// info functions
void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request);
void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge);
@ -1340,12 +1322,6 @@ void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) {
fprintf(fp, " Flags = %08x\n", IVAL(&response->flags, 0));
}
/*
* base64.c -- base-64 conversion routines.
*
@ -1360,20 +1336,11 @@ void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) {
* This code borrowed from fetchmail sources
*/
static const char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
#define BAD -1
static const char base64val[] = {
BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD,
BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD
};
static const char base64val[] = {BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD,
BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD, BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD};
#define DECODE64(c) (isascii(c) ? base64val[c] : BAD)

33
ntlm.h
View file

@ -14,26 +14,29 @@
NTLM Interface, just two functions:
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
if flags is 0 minimun security level is selected, otherwise new value superseeds.
host and domain are optional, they may be NULLed.
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host,
char *domain); if flags is 0 minimun security level is selected, otherwise
new value superseeds. host and domain are optional, they may be NULLed.
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host);
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse
*response, long flags, char *user, char *password, char *domain, char *host);
Given a challenge, generates a response for that user/passwd/host/domain.
flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication
flags, host, and domain superseeds given by server. Leave 0 and NULL for
server authentication
This is an usage sample:
...
//beware of fixed sized buffer, asserts may fail, don't use long strings :)
//beware of fixed sized buffer, asserts may fail, don't use long
strings :)
//Yes, I Know, year 2k6 and still with this shit..
unsigned char buf[4096];
unsigned char buf2[4096];
//send auth request: let the server send it's own hostname and domainname
buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
//send auth request: let the server send it's own hostname and
domainname buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);
to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2));
send_to_server(buf);
@ -52,7 +55,8 @@
included bonus!!:
Base64 code
int32_t from64tobits(char *out, const char *in);
void to64frombits(unsigned char *out, const unsigned char *in, int32_t inlen);
void to64frombits(unsigned char *out, const unsigned char *in, int32_t
inlen);
@ -60,7 +64,6 @@
You don't need to read the rest of the file.
*/
/*
* These structures are byte-order dependant, and should not
* be manipulated except by the use of the routines provided
@ -105,7 +108,6 @@ typedef struct {
uint32 bufIndex;
} tSmbNtlmAuthChallenge;
typedef struct {
char ident[8];
uint32 msgType;
@ -120,7 +122,6 @@ typedef struct {
uint32 bufIndex;
} tSmbNtlmAuthResponse;
extern void buildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
/* reversing interface */
@ -128,14 +129,14 @@ extern void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *ho
/* ntlm functions */
void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain);
// if flags is 0 minimun security level is selected, otherwise new value superseeds.
// host and domain are optional, they may be NULLed.
// if flags is 0 minimun security level is selected, otherwise new value
// superseeds. host and domain are optional, they may be NULLed.
void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host);
// Given a challenge, generates a response for that user/passwd/host/domain.
//flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication
// flags, host, and domain superseeds given by server. Leave 0 and NULL for
// server authentication
/* Base64 code*/
int32_t from64tobits(char *out, const char *in);

12
performance.h
View file

@ -1,10 +1,10 @@
#include <unistd.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
/* handles select errors */
int32_t my_select(int32_t fd, fd_set *fdread, fd_set *fdwrite, fd_set *fdex, long sec, long usec) {
@ -18,9 +18,11 @@ int32_t my_select(int32_t fd, fd_set * fdread, fd_set * fdwrite, fd_set * fdex,
fde2 = fdex;
stv.tv_sec = sec;
stv.tv_usec = usec;
if (debug > 1) printf("before select\n");
if (debug > 1)
printf("before select\n");
ret_val = select(fd, fdr2, fdw2, fde2, &stv);
if (debug > 1) printf("after select\n");
if (debug > 1)
printf("after select\n");
/* XXX select() sometimes returns errno=EINTR (signal found) */
} while (ret_val == -1 && errno == EINTR);

7
postgres_ext.h
View file

@ -4,8 +4,9 @@
* postgres_ext.h
*
* This file contains declarations of things that are visible everywhere
* in PostgreSQL *and* are visible to clients of frontend interface libraries.
* For example, the Oid type is part of the API of libpq and other libraries.
* in PostgreSQL *and* are visible to clients of frontend interface
*libraries. For example, the Oid type is part of the API of libpq and other
*libraries.
*
* Declarations which are specific to a particular interface should
* go in the header file for that interface (such as libpq-fe.h). This
@ -39,7 +40,6 @@ typedef uint32_t Oid;
/* you will need to include <limits.h> to use the above #define */
/*
* NAMEDATALEN is the max length for system identifiers (e.g. table names,
* attribute names, function names, etc). It must be a multiple of
@ -49,7 +49,6 @@ typedef uint32_t Oid;
*/
#define NAMEDATALEN 64
/*
* Identifiers of error message fields. Kept here to keep common
* between frontend and backend, and also to export them to libpq

33
pw-inspector.c
View file

@ -1,9 +1,9 @@
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PROGRAM "PW-Inspector"
#define VERSION "v0.2"
@ -16,23 +16,31 @@ char *prg;
void help() {
printf("%s %s (c) 2005 by van Hauser / THC %s [%s]\n\n", PROGRAM, VERSION, EMAIL, WEB);
printf("Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s\n\n", prg);
printf("Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] "
"-l -u -n -p -s\n\n",
prg);
printf("Options:\n");
printf(" -i FILE file to read passwords from (default: stdin)\n");
printf(" -o FILE file to write valid passwords to (default: stdout)\n");
printf(" -m MINLEN minimum length of a valid password\n");
printf(" -M MAXLEN maximum length of a valid password\n");
printf(" -c MINSETS the minimum number of sets required (default: all given)\n");
printf(" -c MINSETS the minimum number of sets required (default: all "
"given)\n");
printf("Sets:\n");
printf(" -l lowcase characters (a,b,c,d, etc.)\n");
printf(" -u upcase characters (A,B,C,D, etc.)\n");
printf(" -n numbers (1,2,3,4, etc.)\n");
printf(" -p printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)\n");
printf(" -s special characters - all others not within the sets above\n");
printf(" -p printable characters (which are not -l/-n/-p, e.g. "
"$,!,/,(,*, etc.)\n");
printf(" -s special characters - all others not within the sets "
"above\n");
printf("\n%s reads passwords in and prints those which meet the requirements.\n", PROGRAM);
printf("The return code is the number of valid passwords found, 0 if none was found.\n");
printf("Use for security: check passwords, if 0 is returned, reject password choice.\n");
printf("Use for hacking: trim your dictionary file to the pw requirements of the target.\n");
printf("The return code is the number of valid passwords found, 0 if none "
"was found.\n");
printf("Use for security: check passwords, if 0 is returned, reject password "
"choice.\n");
printf("Use for hacking: trim your dictionary file to the pw requirements of "
"the target.\n");
printf("Usage only allowed for legal purposes.\n");
exit(-1);
}
@ -156,7 +164,8 @@ int main(int argc, char *argv[]) {
count++;
}
}
/* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i, minlen, maxlen, strlen(buf)); */
/* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i,
* minlen, maxlen, strlen(buf)); */
}
fclose(in);
fclose(out);

63
sasl.c
View file

@ -285,8 +285,10 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
result = NULL;
return;
}
//DEBUG S: nonce="HB3HGAk+hxKpijy/ichq7Wob3Zo17LPM9rr4kMX7xRM=",realm="tida",qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess
//DEBUG S: nonce="1Mr6c8WjOd/x5r8GUnGeQIRNUtOVtItu3kQOGAmsZfM=",realm="test.com",qop="auth,auth-int32_t,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=4096,charset=utf-8,algorithm=md5-sess
// DEBUG S:
// nonce="HB3HGAk+hxKpijy/ichq7Wob3Zo17LPM9rr4kMX7xRM=",realm="tida",qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess
// DEBUG S:
// nonce="1Mr6c8WjOd/x5r8GUnGeQIRNUtOVtItu3kQOGAmsZfM=",realm="test.com",qop="auth,auth-int32_t,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=4096,charset=utf-8,algorithm=md5-sess
// warning some not well configured xmpp server is sending no realm
// DEBUG S: nonce="3448160828",qop="auth",charset=utf-8,algorithm=md5-sess
pbuffer = buffer;
@ -373,10 +375,9 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
}
}
if (strstr(array[i], "qop=") != NULL) {
/*
The value "auth" indicates authentication; the value "auth-int32_t" indicates
authentication with integrity protection; the value "auth-conf"
The value "auth" indicates authentication; the value "auth-int32_t"
indicates authentication with integrity protection; the value "auth-conf"
indicates authentication with integrity protection and encryption.
*/
auth_find = 1;
@ -386,7 +387,8 @@ indicates authentication with integrity protection and encryption.
for (j = 0; j < ind; j++)
if (array[j] != NULL)
free(array[j]);
hydra_report(stderr, "Error: DIGEST-MD5 quality of protection only authentication is not supported by server\n");
hydra_report(stderr, "Error: DIGEST-MD5 quality of protection only "
"authentication is not supported by server\n");
result = NULL;
return;
}
@ -405,7 +407,8 @@ indicates authentication with integrity protection and encryption.
for (j = 0; j < ind; j++)
if (array[j] != NULL)
free(array[j]);
hydra_report(stderr, "Error: DIGEST-MD5 algorithm from server could not be extracted\n");
hydra_report(stderr, "Error: DIGEST-MD5 algorithm from server could "
"not be extracted\n");
result = NULL;
return;
}
@ -432,7 +435,8 @@ indicates authentication with integrity protection and encryption.
memset(algo, 0, sizeof(algo));
strcpy(algo, "MD5");
}
//xmpp case, some xmpp server is not sending the realm so we have to set it up
// xmpp case, some xmpp server is not sending the realm so we have to set it
// up
if ((strlen(realm) == 0) && (strstr(type, "xmpp") != NULL))
snprintf(realm, sizeof(realm), "%s", miscptr);
// compute ha1
@ -514,32 +518,55 @@ indicates authentication with integrity protection and encryption.
// create the auth response
if (strstr(type, "proxy") != NULL) {
snprintf(result, 500,
"HEAD %s HTTP/1.0\r\n%sProxy-Authorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"HEAD %s HTTP/1.0\r\n%sProxy-Authorization: Digest username=\"%s\", "
"realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", "
"nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: "
"Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header);
} else {
if ((strstr(type, "imap") != NULL) || (strstr(type, "pop") != NULL) || (strstr(type, "smtp") != NULL) ||
(strstr(type, "ldap") != NULL) || (strstr(type, "xmpp") != NULL) || (strstr(type, "nntp") != NULL)) {
snprintf(result, 500, "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"hydra\",nc=00000001,algorithm=%s,qop=\"auth\",digest-uri=\"%s/%s\",response=%s", preplogin, realm,
nonce, algo, type, realm, buffer);
if ((strstr(type, "imap") != NULL) || (strstr(type, "pop") != NULL) || (strstr(type, "smtp") != NULL) || (strstr(type, "ldap") != NULL) || (strstr(type, "xmpp") != NULL) || (strstr(type, "nntp") != NULL)) {
snprintf(result, 500,
"username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"hydra\",nc="
"00000001,algorithm=%s,qop=\"auth\",digest-uri=\"%s/%s\",response=%s",
preplogin, realm, nonce, algo, type, realm, buffer);
} else {
if (strstr(type, "sip") != NULL) {
snprintf(result, 500, "username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s:%s\",response=%s", preplogin, realm, nonce, type, realm, buffer);
snprintf(result, 500,
"username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s:%s\","
"response=%s",
preplogin, realm, nonce, type, realm, buffer);
} else {
if (strstr(type, "rtsp") != NULL) {
snprintf(result, 500, "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s://%s:%i\", response=\"%s\"\r\n", preplogin, realm, nonce, type, webtarget, port, buffer);
snprintf(result, 500,
"username=\"%s\", realm=\"%s\", nonce=\"%s\", "
"uri=\"%s://%s:%i\", response=\"%s\"\r\n",
preplogin, realm, nonce, type, webtarget, port, buffer);
} else {
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL)
snprintf(result, 500,
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: "
"Digest username=\"%s\", realm=\"%s\", response=\"%s\", "
"nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, "
"qop=auth, uri=\"%s\"\r\nProxy-Authorization: Basic "
"%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: "
"keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, proxy_authentication[selected_proxy], header);
else {
if (use_proxy == 1)
snprintf(result, 500,
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: "
"Digest username=\"%s\", realm=\"%s\", response=\"%s\", "
"nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, "
"qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, webtarget, webport, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header);
else
snprintf(result, 500,
"%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
"%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest "
"username=\"%s\", realm=\"%s\", response=\"%s\", "
"nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, "
"qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 "
"(Hydra)\r\nConnection: keep-alive\r\n%s\r\n",
type, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header);
}
}

11
sasl.h
View file

@ -1,8 +1,8 @@
#include "hydra-mod.h"
#include "ntlm.h"
#include <stdio.h>
#include <string.h>
#include "ntlm.h"
#include "hydra-mod.h"
#define AUTH_ERROR -1
#define AUTH_CLEAR 0
@ -28,10 +28,7 @@
#endif
#endif
typedef enum {
SASL_ALLOW_UNASSIGNED = 1
} sasl_saslprep_flags;
typedef enum { SASL_ALLOW_UNASSIGNED = 1 } sasl_saslprep_flags;
int32_t print_hex(unsigned char *buf, int32_t len);
@ -39,9 +36,9 @@ void sasl_plain(char *result, char *login, char *pass);
int32_t sasl_saslprep(const char *in, sasl_saslprep_flags flags, char **out);
#ifdef LIBOPENSSL
#include <openssl/hmac.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/hmac.h>
void sasl_cram_md5(char *result, char *pass, char *challenge);
void sasl_cram_sha1(char *result, char *pass, char *challenge);