github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-07-06 04:51:40 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

openssl v1.1 interface changes - this is beta!

Browse source
This commit is contained in:
van Hauser 2016-06-17 22:13:34 +02:00
parent f50e14a904
commit 8671dbd31a
9 changed files with 123 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hydra-http.c
View file

@ -246,8 +246,6 @@ void service_http(char *ip, int sp, unsigned char options, char *miscptr, FILE *
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return; return;
printf("DEBUG0: %s\n", miscptr);
if ((webtarget = strstr(miscptr, "://")) != NULL) { if ((webtarget = strstr(miscptr, "://")) != NULL) {
webtarget += strlen("://"); webtarget += strlen("://");
if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */

31
hydra-mod.c
View file

@ -440,11 +440,25 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
#ifdef LIBOPENSSL #ifdef LIBOPENSSL
RSA *ssl_temp_rsa_cb(SSL * ssl, int export, int keylength) { RSA *ssl_temp_rsa_cb(SSL * ssl, int export, int keylength) {
if(rsa->n && RSA_size(rsa)!=(keylength/8)){ int ok = 0;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
BIGNUM *n;
n = BN_new();
RSA_get0_key(rsa, &n, NULL, NULL);
ok = BN_zero(n);
#else
if (rsa->n == 0)
ok = 1;
#endif
if(ok == 0 && RSA_size(rsa)!=(keylength/8)){ // n is not zero
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
BN_free(n);
#endif
RSA_free(rsa); RSA_free(rsa);
rsa = NULL;
} }
if (rsa->n == 0) { if (ok != 0) { // n is zero
#ifdef NO_RSA_LEGACY #if defined(NO_RSA_LEGACY) || OPENSSL_VERSION_NUMBER >= 0x10100000L
RSA *rsa = RSA_new(); RSA *rsa = RSA_new();
BIGNUM *f4 = BN_new(); BIGNUM *f4 = BN_new();
BN_set_word(f4, RSA_F4); BN_set_word(f4, RSA_F4);
@ -453,6 +467,9 @@ RSA *ssl_temp_rsa_cb(SSL * ssl, int export, int keylength) {
rsa = RSA_generate_key(keylength, RSA_F4, NULL, NULL); rsa = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
#endif #endif
} }
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
BN_free(n);
#endif
return rsa; return rsa;
} }
@ -480,7 +497,11 @@ int internal__hydra_connect_to_ssl(int socket, char *hostname) {
} else { } else {
// if ((sslContext = SSL_CTX_new(SSLv23_client_method())) == NULL) { // if ((sslContext = SSL_CTX_new(SSLv23_client_method())) == NULL) {
#ifndef TLSv1_2_client_method #ifndef TLSv1_2_client_method
#define TLSv1_2_client_method TLSv1_client_method #if OPENSSL_VERSION_NUMBER < 0x10100000L
#define TLSv1_2_client_method TLSv1_client_method
#else
#define TLSv1_2_client_method TLS_client_method
#endif
#endif #endif
if ((sslContext = SSL_CTX_new(TLSv1_2_client_method())) == NULL) { if ((sslContext = SSL_CTX_new(TLSv1_2_client_method())) == NULL) {
if (verbose) { if (verbose) {
@ -497,7 +518,9 @@ int internal__hydra_connect_to_ssl(int socket, char *hostname) {
/* we set the default verifiers and dont care for the results */ /* we set the default verifiers and dont care for the results */
(void) SSL_CTX_set_default_verify_paths(sslContext); (void) SSL_CTX_set_default_verify_paths(sslContext);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
#endif
SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
} }

10
hydra-oracle-listener.c
View file

@ -106,7 +106,7 @@ int convert_byteorder(unsigned char **result, int size) {
int ora_descrypt(unsigned char **rs, unsigned char *result, int siz) { int ora_descrypt(unsigned char **rs, unsigned char *result, int siz) {
int i = 0; int i = 0;
char lastkey[8]; char lastkey[8];
des_key_schedule ks1; DES_key_schedule ks1;
unsigned char key1[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF }; unsigned char key1[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
unsigned char ivec1[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; unsigned char ivec1[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
unsigned char *desresult; unsigned char *desresult;
@ -116,17 +116,17 @@ int ora_descrypt(unsigned char **rs, unsigned char *result, int siz) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n"); hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1; return 1;
} }
des_key_sched((C_Block *) key1, ks1); DES_key_sched((const_DES_cblock *) key1, &ks1);
des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT); DES_ncbc_encrypt(result, desresult, siz, &ks1, &ivec1, DES_ENCRYPT);
for (i = 0; i < 8; i++) { for (i = 0; i < 8; i++) {
lastkey[i] = desresult[siz - 8 + i]; lastkey[i] = desresult[siz - 8 + i];
} }
des_key_sched((C_Block *) lastkey, ks1); DES_key_sched((const_DES_cblock *) lastkey, &ks1);
memset(desresult, 0, siz); memset(desresult, 0, siz);
memset(ivec1, 0, sizeof(ivec1)); memset(ivec1, 0, sizeof(ivec1));
des_ncbc_encrypt(result, desresult, siz, ks1, &ivec1, DES_ENCRYPT); DES_ncbc_encrypt(result, desresult, siz, &ks1, &ivec1, DES_ENCRYPT);
if ((*rs = malloc(siz)) == NULL) { if ((*rs = malloc(siz)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n"); hydra_report(stderr, "[ERROR] Can't allocate memory\n");

79
hydra-rdp.c
View file

@ -1,4 +1,3 @@
/* /*
david: this module is heavily based on rdesktop v 1.7.0 david: this module is heavily based on rdesktop v 1.7.0
@ -859,7 +858,7 @@ static void reverse(uint8 * p, int len) {
void ssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus, uint8 * exponent) { void ssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 * modulus, uint8 * exponent) {
BN_CTX *ctx; BN_CTX *ctx;
BIGNUM mod, exp, x, y; BIGNUM *mod, *exp, *x, *y;
uint8 inr[SEC_MAX_MODULUS_SIZE]; uint8 inr[SEC_MAX_MODULUS_SIZE];
int outlen; int outlen;
@ -869,39 +868,39 @@ void ssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint
reverse(inr, len); reverse(inr, len);
ctx = BN_CTX_new(); ctx = BN_CTX_new();
BN_init(&mod); mod = BN_new();
BN_init(&exp); exp = BN_new();
BN_init(&x); x = BN_new();
BN_init(&y); y = BN_new();
BN_bin2bn(modulus, modulus_size, &mod); BN_bin2bn(modulus, modulus_size, mod);
BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp); BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp);
BN_bin2bn(inr, len, &x); BN_bin2bn(inr, len, x);
BN_mod_exp(&y, &x, &exp, &mod, ctx); BN_mod_exp(y, x, exp, mod, ctx);
outlen = BN_bn2bin(&y, out); outlen = BN_bn2bin(y, out);
reverse(out, outlen); reverse(out, outlen);
if (outlen < (int) modulus_size) if (outlen < (int) modulus_size)
memset(out + outlen, 0, modulus_size - outlen); memset(out + outlen, 0, modulus_size - outlen);
BN_free(&y); BN_free(y);
BN_clear_free(&x); BN_free(x);
BN_free(&exp); BN_free(exp);
BN_free(&mod); BN_free(mod);
BN_CTX_free(ctx); BN_CTX_free(ctx);
} }
/* returns newly allocated SSL_CERT or NULL */ /* returns newly allocated X509 or NULL */
SSL_CERT *ssl_cert_read(uint8 * data, uint32 len) { X509 *ssl_cert_read(uint8 * data, uint32 len) {
/* this will move the data pointer but we don't care, we don't use it again */ /* this will move the data pointer but we don't care, we don't use it again */
return d2i_X509(NULL, (D2I_X509_CONST unsigned char **) &data, len); return d2i_X509(NULL, (D2I_X509_CONST unsigned char **) &data, len);
} }
static void ssl_cert_free(SSL_CERT * cert) { static void ssl_cert_free(X509 * cert) {
X509_free(cert); X509_free(cert);
} }
/* returns newly allocated SSL_RKEY or NULL */ /* returns newly allocated SSL_RKEY or NULL */
SSL_RKEY *ssl_cert_to_rkey(SSL_CERT * cert, uint32 * key_len) { SSL_RKEY *ssl_cert_to_rkey(X509 * cert, uint32 * key_len) {
EVP_PKEY *epk = NULL; EVP_PKEY *epk = NULL;
SSL_RKEY *lkey; SSL_RKEY *lkey;
int nid; int nid;
@ -909,13 +908,19 @@ SSL_RKEY *ssl_cert_to_rkey(SSL_CERT * cert, uint32 * key_len) {
/* By some reason, Microsoft sets the OID of the Public RSA key to /* By some reason, Microsoft sets the OID of the Public RSA key to
the oid for "MD5 with RSA Encryption" instead of "RSA Encryption" the oid for "MD5 with RSA Encryption" instead of "RSA Encryption"
Kudos to Richard Levitte for the following (. intiutive .) Kudos to Richard Levitte for the following (. intuitive .)
lines of code that resets the OID and let's us extract the key. */ lines of code that resets the OID and let's us extract the key. */
nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm); //nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
nid = X509_get_signature_nid(cert);
if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption)) { if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption)) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
fprintf(stderr, "[ERROR] the current experimental openssl-1.1 support in hydra does not support RDP :( \n");
hydra_child_exit(2);
#else
DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm); ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
#endif
} }
epk = X509_get_pubkey(cert); epk = X509_get_pubkey(cert);
if (NULL == epk) { if (NULL == epk) {
@ -929,7 +934,7 @@ SSL_RKEY *ssl_cert_to_rkey(SSL_CERT * cert, uint32 * key_len) {
return lkey; return lkey;
} }
int ssl_cert_print_fp(FILE * fp, SSL_CERT * cert) { int ssl_cert_print_fp(FILE * fp, X509 * cert) {
return X509_print_fp(fp, cert); return X509_print_fp(fp, cert);
} }
@ -941,13 +946,29 @@ void ssl_rkey_free(SSL_RKEY * rkey) {
int ssl_rkey_get_exp_mod(SSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len, uint8 * modulus, uint32 max_mod_len) { int ssl_rkey_get_exp_mod(SSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len, uint8 * modulus, uint32 max_mod_len) {
int len; int len;
if ((BN_num_bytes(rkey->e) > (int) max_exp_len) || (BN_num_bytes(rkey->n) > (int) max_mod_len)) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L
BIGNUM *n, *e, *d;
n = BN_new();
e = BN_new();
RSA_get0_key(rkey, &n, &e, NULL);
if ((BN_num_bytes(e) > (int) max_exp_len) || (BN_num_bytes(n) > (int) max_mod_len)) {
return 1; return 1;
} }
len = BN_bn2bin(e, exponent);
reverse(exponent, len);
len = BN_bn2bin(n, modulus);
reverse(modulus, len);
BN_free(n);
BN_free(e);
#else
if ((BN_num_bytes(rkey->e) > (int) max_exp_len) || (BN_num_bytes(rkey->n) > (int) max_mod_len))
return 1;
len = BN_bn2bin(rkey->e, exponent); len = BN_bn2bin(rkey->e, exponent);
reverse(exponent, len); reverse(exponent, len);
len = BN_bn2bin(rkey->n, modulus); len = BN_bn2bin(rkey->n, modulus);
reverse(modulus, len); reverse(modulus, len);
#endif
return 0; return 0;
} }
@ -958,11 +979,17 @@ BOOL ssl_sig_ok(uint8 * exponent, uint32 exp_len, uint8 * modulus, uint32 mod_le
void ssl_hmac_md5(const void *key, int key_len, const unsigned char *msg, int msg_len, unsigned char *md) { void ssl_hmac_md5(const void *key, int key_len, const unsigned char *msg, int msg_len, unsigned char *md) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
HMAC_CTX *ctx;
ctx = HMAC_CTX_new();
HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL);
HMAC_CTX_free(ctx);
#else
HMAC_CTX ctx; HMAC_CTX ctx;
HMAC_CTX_init(&ctx); HMAC_CTX_init(&ctx);
HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL); HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL);
HMAC_CTX_cleanup(&ctx); HMAC_CTX_cleanup(&ctx);
#endif
} }
@ -1373,7 +1400,7 @@ static BOOL sec_parse_public_sig(STREAM s, uint32 len, uint8 * modulus, uint8 *
static BOOL sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, uint8 ** server_random, uint8 * modulus, uint8 * exponent) { static BOOL sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, uint8 ** server_random, uint8 * modulus, uint8 * exponent) {
uint32 crypt_level, random_len, rsa_info_len; uint32 crypt_level, random_len, rsa_info_len;
uint32 cacert_len, cert_len, flags; uint32 cacert_len, cert_len, flags;
SSL_CERT *cacert, *server_cert; X509 *cacert, *server_cert;
SSL_RKEY *server_public_key; SSL_RKEY *server_public_key;
uint16 tag, length; uint16 tag, length;
uint8 *next_tag, *end; uint8 *next_tag, *end;
@ -1438,7 +1465,7 @@ static BOOL sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, uint8 ** serve
} }
for (; certcount > 2; certcount--) { /* ignore all the certificates between the root and the signing CA */ for (; certcount > 2; certcount--) { /* ignore all the certificates between the root and the signing CA */
uint32 ignorelen; uint32 ignorelen;
SSL_CERT *ignorecert; X509 *ignorecert;
DEBUG_RDP5(("Ignored certs left: %d\n", certcount)); DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
in_uint32_le(s, ignorelen); in_uint32_le(s, ignorelen);

30
hydra-smb.c
View file

@ -166,27 +166,27 @@ static unsigned char Get7Bits(unsigned char *input, int startBit) {
} }
/* Make the key */ /* Make the key */
static void MakeKey(unsigned char *key, unsigned char *des_key) { static void MakeKey(unsigned char *key, unsigned char *DES_key) {
des_key[0] = Get7Bits(key, 0); DES_key[0] = Get7Bits(key, 0);
des_key[1] = Get7Bits(key, 7); DES_key[1] = Get7Bits(key, 7);
des_key[2] = Get7Bits(key, 14); DES_key[2] = Get7Bits(key, 14);
des_key[3] = Get7Bits(key, 21); DES_key[3] = Get7Bits(key, 21);
des_key[4] = Get7Bits(key, 28); DES_key[4] = Get7Bits(key, 28);
des_key[5] = Get7Bits(key, 35); DES_key[5] = Get7Bits(key, 35);
des_key[6] = Get7Bits(key, 42); DES_key[6] = Get7Bits(key, 42);
des_key[7] = Get7Bits(key, 49); DES_key[7] = Get7Bits(key, 49);
des_set_odd_parity((DES_cblock *) des_key); DES_set_odd_parity((DES_cblock *) DES_key);
} }
/* Do the DesEncryption */ /* Do the DesEncryption */
void DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher) { void DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher) {
DES_cblock des_key; DES_cblock DES_key;
des_key_schedule key_schedule; DES_key_schedule key_schedule;
MakeKey(key, des_key); MakeKey(key, DES_key);
des_set_key(&des_key, key_schedule); DES_set_key(&DES_key, &key_schedule);
des_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cipher, key_schedule, 1); DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cipher, &key_schedule, 1);
} }
/* /*

8
hydra-snmp.c
View file

@ -335,13 +335,13 @@ int start_snmp(int s, char *ip, int port, unsigned char options, char *miscptr,
// xor initVect with salt // xor initVect with salt
for (i = 0; i < 8; i++) for (i = 0; i < 8; i++)
initVect[i] ^= privacy_params[i]; initVect[i] ^= privacy_params[i];
des_key_sched((C_Block *) key, symcbc); DES_key_sched((const_DES_cblock *) key, &symcbc);
des_ncbc_encrypt(snmpv3_get2 + 2, buf, sizeof(snmpv3_get2) - 2, symcbc, (C_Block *) (initVect), DES_ENCRYPT); DES_ncbc_encrypt(snmpv3_get2 + 2, buf, sizeof(snmpv3_get2) - 2, &symcbc, (const_DES_cblock *) (initVect), DES_ENCRYPT);
#endif #endif
/* for (i = 0; i <= sizeof(snmpv3_get2) - 8; i += 8) { /* for (i = 0; i <= sizeof(snmpv3_get2) - 8; i += 8) {
des_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8, (C_Block*)(initVect), DES_ENCRYPT); DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8, (const_DES_cblock*)(initVect), DES_ENCRYPT);
} }
// last part of buffer // last part of buffer
if (buffer_len % 8) { if (buffer_len % 8) {
@ -351,7 +351,7 @@ int start_snmp(int s, char *ip, int port, unsigned char options, char *miscptr,
memset(tmp_buf, 0, 8); memset(tmp_buf, 0, 8);
for (unsigned int l = start; l < buffer_len; l++) for (unsigned int l = start; l < buffer_len; l++)
*tmp_buf_ptr++ = buffer[l]; *tmp_buf_ptr++ = buffer[l];
des_ncbc_encrypt(tmp_buf, buf + start, 1, symcbc, (C_Block*)(initVect), DES_ENCRYPT); DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc, (const_DES_cblock*)(initVect), DES_ENCRYPT);
*out_buffer_len = buffer_len + 8 - (buffer_len % 8); *out_buffer_len = buffer_len + 8 - (buffer_len % 8);
} else } else
*out_buffer_len = buffer_len; *out_buffer_len = buffer_len;

9
hydra.c
View file

@ -3685,6 +3685,15 @@ int main(int argc, char *argv[]) {
fflush(stderr); fflush(stderr);
fflush(hydra_brains.ofp); fflush(hydra_brains.ofp);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
if (hydra_options.ssl) {
fprintf(stderr, "[WARNING] *****************************************************\n");
fprintf(stderr, "[WARNING] OPENSSL v1.1 development changes are active - modules SMB, SNMP, RDP, ORACLE LISTENER and SSL in general might not work properly! Please test and report to vh@thc.org.\n");
fprintf(stderr, "[WARNING] *****************************************************\n");
}
#endif
hydra_debug(0, "attack"); hydra_debug(0, "attack");
process_restore = 1; process_restore = 1;

8
hydra.h
View file

@ -41,6 +41,14 @@
#define OPTION_SSL 1 #define OPTION_SSL 1
#ifdef LIBOPENSSL
#ifndef NO_RSA_LEGACY
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define NO_RSA_LEGACY
#endif
#endif
#endif
#define PORT_NOPORT -1 #define PORT_NOPORT -1
#define PORT_FTP 21 #define PORT_FTP 21
#define PORT_FTP_SSL 990 #define PORT_FTP_SSL 990

2
rdp.h
View file

@ -49,6 +49,8 @@
#include <sys/stat.h> /* stat */ #include <sys/stat.h> /* stat */
#include <sys/time.h> /* gettimeofday */ #include <sys/time.h> /* gettimeofday */
#include <sys/times.h> /* times */ #include <sys/times.h> /* times */
#include <openssl/rsa.h>
#include <openssl/hmac.h>
//fixme //fixme