This commit is contained in:
vanhauser-thc 2014-04-27 13:49:33 +02:00
parent 6a94f708e8
commit 9f75ddad8b
32 changed files with 208 additions and 129 deletions


@ -67,7 +67,7 @@ static int server_subconnect(struct afp_url url) {
//fprintf(stderr, "Initiating connection attempt.\n");
if ((server = afp_server_full_connect(NULL, conn_req)) == NULL) {
FREE(conn_req);
FREE(server);
// FREE(server);
return -1;
}
//fprintf(stderr, "Connected to server: %s via UAM: %s\n", server->server_name_printable, uam_bitmap_to_string(server->using_uam));
@ -80,7 +80,7 @@ static int server_subconnect(struct afp_url url) {
int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass;
char *login, *pass, mlogin[AFP_MAX_USERNAME_LEN], mpass[AFP_MAX_PASSWORD_LEN];
struct afp_url tmpurl;
/* Build AFP authentication request */
@ -97,8 +97,12 @@ int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, F
strncpy(tmpurl.servername, hydra_address2string(ip), AFP_SERVER_NAME_LEN - 1);
tmpurl.servername[AFP_SERVER_NAME_LEN] = 0;
memcpy(&tmpurl.username, login, AFP_MAX_USERNAME_LEN);
memcpy(&tmpurl.password, pass, AFP_MAX_PASSWORD_LEN);
strncpy(mlogin, login, AFP_MAX_USERNAME_LEN);
mlogin[AFP_MAX_USERNAME_LEN] = 0;
strncpy(mpass, pass, AFP_MAX_PASSWORD_LEN);
mpass[AFP_MAX_PASSWORD_LEN] = 0;
memcpy(&tmpurl.username, mlogin, AFP_MAX_USERNAME_LEN);
memcpy(&tmpurl.password, mpass, AFP_MAX_PASSWORD_LEN);
if (server_subconnect(tmpurl) == 0) {
hydra_report_found_host(port, ip, "afp", fp);
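Review bot: The new terminators `mlogin[AFP_MAX_USERNAME_LEN] = 0;` and `mpass[AFP_MAX_PASSWORD_LEN] = 0;` write one element past the arrays declared as `mlogin[AFP_MAX_USERNAME_LEN]` and `mpass[AFP_MAX_PASSWORD_LEN]` on the declaration line above, so the copies added to avoid over-reading login and pass overflow the stack buffers they introduce. Copy one byte less and terminate at the last valid index: `strncpy(mlogin, login, sizeof(mlogin) - 1); mlogin[sizeof(mlogin) - 1] = 0;` and the same for mpass; the following memcpy of AFP_MAX_USERNAME_LEN bytes then still reads only within mlogin. The unchanged `tmpurl.servername[AFP_SERVER_NAME_LEN] = 0;` two lines earlier has the same shape and is likewise one past the end if servername has AFP_SERVER_NAME_LEN elements — confirm against the struct in the AFP header. start_afp continues outside the hunk.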


@ -84,7 +84,7 @@ void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FI
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
port = mysslport;
}
if (sock < 0) {


@ -74,11 +74,13 @@ int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr,
}
do {
buf = hydra_receive_line(s);
if (buf != NULL) {
if (buf[strlen(buf) - 1] == '\n')
buf[strlen(buf) - 1] = 0;
if (buf[strlen(buf) - 1] == '\r')
buf[strlen(buf) - 1] = 0;
} while (strlen(buf) <= 1);
}
} while (buf != NULL && strlen(buf) <= 1);
}
}
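Review bot: The rewritten loop still indexes `buf[strlen(buf) - 1]` without checking the length, so an empty line from hydra_receive_line, or a line consisting only of "\n" (which the first strip turns into "" before the second strip runs), reads buf[-1]; with a size_t subtraction that is a wrap to a huge index, not a negative one. The loop also reassigns buf on every iteration without releasing the previous short line, and the other modules in this commit free() what hydra_receive_line returns, so each discarded line is leaked. The version below checks the length before indexing and frees a short line before reading the next, while leaving buf NULL on a failed read as before. start_cisco continues outside the hunk.
```c
do {
    buf = hydra_receive_line(s);
    if (buf == NULL)
        break;                     /* read failed: leave buf NULL as before */
    size_t len = strlen(buf);
    /* strip CR/LF; test the length first so an empty line never indexes buf[-1] */
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = 0;
    if (len > 0 && buf[len - 1] == '\r')
        buf[--len] = 0;
    if (len > 1)
        break;                     /* got a usable line */
    free(buf);                     /* short line: release it before reading the next */
} while (1);
```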


@ -43,6 +43,7 @@ int start_firebird(int s, char *ip, int port, unsigned char options, char *miscp
strncpy(database, miscptr, sizeof(database));
else
strncpy(database, DEFAULT_DB, sizeof(database));
database[sizeof(database) - 1] = 0;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;


@ -382,7 +382,8 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc
if ((endloc = strchr(startloc, '\n')) != NULL) {
startloc[endloc - startloc] = 0;
}
strcpy(str, startloc);
strncpy(str, startloc, sizeof(str));
str[sizeof(str) - 1] = 0;
endloc = strchr(str, '/');
if (endloc != NULL) {
@ -399,6 +400,7 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc
}
} else {
strncpy(str2, webtarget, sizeof(str2));
str2[sizeof(str2)] = 0;
if (redirected_url_buff[0] != '/') {
//it's a relative path, so we have to concatenate it
//with the path from the first url given
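Review bot: The added `str2[sizeof(str2)] = 0;` writes one byte past the end of str2 (valid indices stop at sizeof(str2) - 1), unlike the first hunk's `str[sizeof(str) - 1] = 0;`, which is correct; it should read `str2[sizeof(str2) - 1] = 0;`. The same one-past-the-end terminator is added in start_mysql (`database[sizeof(database)] = 0;`), pca_encrypt (`passwd[sizeof(passwd)] = 0;`) and start_postgres (`database[sizeof(database)] = 0;`) and needs the same `- 1` in each. This presumes str2 and the other targets are local arrays rather than pointers, which using sizeof() as the bound already assumes. start_http_form continues outside both hunks.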


@ -134,6 +134,7 @@ int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, c
}
//recover challenge
if (buf != NULL) {
if (strlen(buf) >= 4)
from64tobits((char *) buf1, pos);
free(buf);
}
@ -165,8 +166,9 @@ int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, c
strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (buffer2 == NULL)
pbuffer = buffer2;
sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (pbuffer == NULL)
return 3;
if (debug)
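Review bot: The new `if (pbuffer == NULL) return 3;` can never be taken: pbuffer was just assigned the address of the local array buffer2, and sasl_digest_md5 receives that pointer by value, so the error path stays as dead as the old `if (buffer2 == NULL)` was — the rewrite silences the always-false warning without adding a check. If sasl_digest_md5 reports failure through its return value (NULL on failure, which its declaration in sasl.h should confirm), test that instead: `if (sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header) == NULL) return 3;` and drop the pbuffer indirection. The same pattern is introduced via fooptr in start_http_proxy, start_http, start_imap, start_nntp, start_pop3, start_smtp and start_xmpp for sasl_digest_md5, in start_imap and start_xmpp for sasl_scram_sha1, and in start_ldap for sasl_cram_md5 and sasl_digest_md5. start_http_proxy_urlenum continues outside the hunks.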


@ -10,7 +10,7 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis
char *login, *pass, buffer[500], buffer2[500];
char url[210], host[30];
char *header = ""; /* XXX TODO */
char *ptr;
char *ptr, *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -118,7 +118,7 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis
}
}
//recover challenge
if (buf != NULL) {
if (buf != NULL && strlen(buf) >= 4) {
from64tobits((char *) buf1, pos);
free(buf);
}
@ -149,9 +149,11 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis
pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest ");
strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
pbuffer = NULL;
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (buffer2 == NULL)
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header);
if (fooptr == NULL)
return 3;
if (debug)
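Review bot: Folding the length test into the outer condition, `if (buf != NULL && strlen(buf) >= 4) { ... free(buf); }`, leaks buf whenever the received line is shorter than four bytes, because the free() now sits inside the guarded block; the urlenum variant of this hunk keeps the free outside the length check and is the shape to follow. Restore the nesting: `if (buf != NULL) { if (strlen(buf) >= 4) from64tobits((char *) buf1, pos); free(buf); }`. As far as the last hunk shows, the added `pbuffer = NULL;` is never read again before `fooptr = buffer2;`, so it looks like a leftover of an earlier attempt at the fooptr change. start_http_proxy continues outside the hunks.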


@ -2,7 +2,6 @@
#include "sasl.h"
extern char *HYDRA_EXIT;
char *buf = NULL;
char *webtarget = NULL;
char *slash = "/";
int webport, freemischttp = 0;
@ -13,7 +12,7 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr,
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char *header = ""; /* XXX TODO */
char *ptr;
char *ptr, *fooptr, *buf;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -52,8 +51,9 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr,
strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header);
if (buffer2 == NULL) {
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header);
if (fooptr == NULL) {
return 3;
}


@ -41,7 +41,7 @@ char *imap_read_server_capacity(int sock) {
int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char *login, *pass, buffer[500], buffer2[500], *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -201,8 +201,9 @@ int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr,
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
if (buffer2 == NULL)
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
@ -261,8 +262,9 @@ int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr,
serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';
memset(buffer2, 0, sizeof(buffer2));
sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
if (buffer2 == NULL) {
fooptr = buffer2;
sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (fooptr == NULL) {
hydra_report(stderr, "[ERROR] Can't compute client response\n");
return 1;
}
@ -299,7 +301,11 @@ int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr,
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
if ((buf = hydra_receive_line(s)) == NULL)
return (1);
return 1;
if (strlen(buf) < 6) {
free(buf);
return 1;
}
//recover challenge
from64tobits((char *) buf1, buf + 2);


@ -25,7 +25,9 @@ int start_oper_irc(int s, char *ip, int port, unsigned char options, char *miscp
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 3;
}
ret = hydra_recv(s, buffer, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer) - 1);
if (ret >= 0)
buffer[ret] = 0;
/* :irc.debian.org 381 koma :You are now an IRC Operator */
/* :irc.debian.org 464 koma :Invalid password */
if ((ret > 0) && (strstr(buffer, " 381 ") != NULL)) {
@ -94,7 +96,9 @@ int start_pass_irc(int s, char *ip, int port, unsigned char options, char *miscp
return 3;
}
ret = hydra_recv(s, buffer, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer) - 1);
if (ret >= 0)
buffer[ret] = 0;
#ifdef HAVE_PCRE
if ((ret > 0) && (!hydra_string_match(buffer, "ERROR\\s.*password"))) {
#else


@ -9,7 +9,7 @@ int tls_required = 0;
int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char version, int auth_method) {
char *empty = "";
char *login = "", *pass;
char *login = "", *pass, *fooptr = "";
unsigned char buffer[512];
int length = 0;
int ldap_auth_mechanism = auth_method;
@ -27,6 +27,8 @@ int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr,
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
}
if (miscptr == NULL)
miscptr = fooptr;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
@ -120,8 +122,9 @@ int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr,
char buf2[32];
ptr = strstr((char *) buf, "<");
sasl_cram_md5(buf2, pass, ptr);
if (buf2 == NULL)
fooptr = buf2;
sasl_cram_md5(fooptr, pass, ptr);
if (fooptr == NULL)
return 1;
counter++;
if (strstr(miscptr, "^USER^") != NULL) {
@ -176,8 +179,9 @@ int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr,
miscptr = hydra_strrep(miscptr, "^USER^", login);
}
sasl_digest_md5(buffer2, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
if (buffer2 == NULL) {
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
if (fooptr == NULL) {
free(buf);
return 3;
}
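Review bot: fooptr serves two unrelated purposes in start_ldap — first as the `""` default substituted for a NULL miscptr, later as the alias for buf2 and buffer2 passed to the SASL helpers — so what the variable means depends on where in the function it is read. The function already declares `char *empty = "";` for exactly the first purpose; `if (miscptr == NULL) miscptr = empty;` covers the default and fooptr then needs no initializer. The `if (fooptr == NULL)` tests after sasl_cram_md5 and sasl_digest_md5 are always false because fooptr holds the address of a local array; only the callee's return value can signal failure here. start_ldap continues outside the hunks.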


@ -144,6 +144,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
} else {
if (errno == EACCES && (getuid() > 0)) {
fprintf(stderr, "[ERROR] You need to be root to test this service\n");
close(s);
return -1;
}
}
@ -218,6 +219,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
* hydra_child_exit(1);
*/
extern_socket = -1;
close(s);
ret = -1;
return ret;
}
@ -230,6 +232,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
if (use_proxy == 2) {
if ((buf = malloc(4096)) == NULL) {
fprintf(stderr, "[ERROR] could not malloc()\n");
close(s);
return -1;
}
memset(&target, 0, sizeof(target));
@ -270,10 +273,10 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2));
err = 1;
}
free(buf);
// free(buf);
} else {
if (hydra_strcasestr(proxy_string_type, "socks5")) {
char buf[1024];
// char buf[1024];
size_t cnt, wlen;
/* socks v5 support */
@ -376,7 +379,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n");
err = 1;
} else {
char buf[1024];
// char buf[1024];
size_t cnt, wlen;
/* socks v4 support */
@ -412,12 +415,13 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) {
}
}
}
free(buf);
}
if (err) {
close(s);
extern_socket = -1;
ret = -1;
free(buf);
close(s);
return ret;
}
fail = 0;
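Review bot: After this change the only free(buf) left in the section is the one inside `if (err)`: the `free(buf);` after the CONNECT handling is commented out and the one after the SOCKS block is deleted, so the successful proxy path no longer releases the 4096-byte buffer allocated under `use_proxy == 2` unless a free exists further down past `fail = 0;` — if none does, every proxied connection leaks it. The commented-out `char buf[1024];` declarations in the socks5 and socks4 branches make those branches use the function-scope buf, yet the only allocation of it visible here is inside the `use_proxy == 2` block; confirm buf is allocated before the socks branches run, otherwise they write through an unallocated pointer and the error-block `free(buf)` then frees it. Deleting the commented-out lines (`// free(buf);`, `// char buf[1024];`) instead of keeping them would make the new ownership of buf readable. internal__hydra_connect continues outside these hunks.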


@ -63,7 +63,7 @@ char *hydra_mysql_receive_line(int socket) {
j = 1;
while (hydra_data_ready(socket) > 0 && j > 0) {
j = internal__hydra_recv(socket, buf, sizeof(buf));
if ((buff2 = realloc(buff, i + j)) == NULL) {
if (j > 65535 || i + j > 65535 || (buff2 = realloc(buff, i + j)) == NULL) {
free(buff);
return NULL;
} else
@ -183,6 +183,7 @@ int start_mysql(int sock, char *ip, int port, unsigned char options, char *miscp
if (verbose)
hydra_report(stderr, "[VERBOSE] using default db 'mysql'\n");
}
database[sizeof(database)] = 0;
/* read server greeting */
res = hydra_mysql_init(sock);
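Review bot: The new guard `if (j > 65535 || i + j > 65535 || (buff2 = realloc(buff, i + j)) == NULL)` bounds an oversized read but not a failed one: if internal__hydra_recv can return a negative value on error, as hydra_recv evidently can elsewhere in this commit (the other modules test `ret >= 0` after it), a negative j reaches `realloc(buff, i + j)` with a shrunken or, for i == 0, wrapped size before the `j > 0` loop condition is re-checked. Reject it up front: `if (j < 0 || j > 65535 || i + j > 65535 || (buff2 = realloc(buff, i + j)) == NULL) {`. The second hunk's `database[sizeof(database)] = 0;` writes one past the end of database and needs `sizeof(database) - 1`. hydra_mysql_receive_line and start_mysql continue outside the hunks.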


@ -49,7 +49,7 @@ char *nntp_read_server_capacity(int sock) {
int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[300], buffer2[500];
char *login, *pass, buffer[500], buffer2[500], *fooptr;
int i = 1;
if (strlen(login = hydra_get_next_login()) == 0)
@ -60,6 +60,10 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr,
while (i > 0 && hydra_data_ready(s) > 0)
i = hydra_recv(s, buffer, 300);
if (i < 0)
i = 0;
buffer[i] = 0;
switch (nntp_auth_mechanism) {
case AUTH_LOGIN:
sprintf(buffer, "AUTHINFO SASL LOGIN\r\n");
@ -156,7 +160,7 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr,
//receive
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) {
hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
@ -167,8 +171,9 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr,
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
if (buffer2 == NULL)
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (verbose)
@ -193,7 +198,7 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr,
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (buf == NULL || strstr(buf, "383") == NULL) {
if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) {
hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf);
free(buf);
return 3;
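Review bot: `i = hydra_recv(s, buffer, 300);` keeps the old hard-coded size even though this commit grows buffer to 500, so the receive and the terminator `buffer[i] = 0;` are tied to a number that no longer matches the declaration; `i = hydra_recv(s, buffer, sizeof(buffer) - 1);` lets the bound follow the array. The `buf == NULL ||` in both `strstr(buf, "383")` conditions is dead, since the line above each already returns on NULL, and could go when the `strlen(buf) < 8` test is added. start_nntp continues outside these hunks.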


@ -38,12 +38,12 @@ int initial_permutation(unsigned char **result, char *p_str, int *sz) {
}
*sz = 2 * i;
if ((buff = malloc(i)) == NULL) {
if ((buff = malloc(i + 4)) == NULL) {
hydra_report(stderr, "[ERROR] Can't allocate memory\n");
return 1;
}
memset(buff, 0, i);
strncpy(buff, p_str, strlen(p_str));
memset(buff, 0, i + 4);
strcpy(buff, p_str);
//swap the order of every byte pair
for (k = 0; k < i; k += 2) {
@ -158,15 +158,18 @@ int ora_hash_password(char *pass) {
if (convert_byteorder(&result, siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in convert_byteorder\n");
free(result);
return 1;
}
if (ora_descrypt(&desresult, result, siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in DES crypt\n");
free(result);
return 1;
}
free(result);
if (ora_hash(&result, desresult, siz)) {
hydra_report(stderr, "[ERROR] ora_hash_password: in extracting Oracle hash\n");
free(desresult);
return 1;
}
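Review bot: `strcpy(buff, p_str);` into a block of `i + 4` bytes is only safe if `i + 4 > strlen(p_str)`, and i is computed above the hunk, so the bound cannot be confirmed from here; if i is not guaranteed to be at least strlen(p_str) - 3, bound the copy with `snprintf(buff, i + 4, "%s", p_str);`. In ora_hash_password, `free(result);` immediately before `ora_hash(&result, desresult, siz)` is correct only if ora_hash assigns *result before reading it; that contract lives outside the hunk and is worth a one-line comment on the call. initial_permutation and ora_hash_password both continue outside these hunks.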


@ -62,7 +62,8 @@ void pca_encrypt(char *cleartxt) {
char passwd[128];
int i;
strcpy(passwd, cleartxt);
strncpy(passwd, cleartxt, sizeof(passwd));
passwd[sizeof(passwd)] = 0;
if (strlen(cleartxt) > 0) {
passwd[0] = (passwd[0] ^ 0xab);
for (i = 1; i < strlen(passwd); i++)


@ -119,7 +119,7 @@ STLS
int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"";
char *login, *pass, buffer[500], buffer2[500];
char *login, *pass, buffer[500], buffer2[500], *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -304,8 +304,9 @@ int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr,
if (verbose)
hydra_report(stderr, "[VERBOSE] S: %s\n", buffer);
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
if (buffer2 == NULL)
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (verbose)
@ -342,7 +343,7 @@ int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr,
sprintf(buffer, "%s\r\n", buf1);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0)
return 1;
if ((buf = hydra_receive_line(s)) == NULL)
if ((buf = hydra_receive_line(s)) == NULL || strlen(buf) < 6)
return 4;
//recover challenge
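Review bot: `if ((buf = hydra_receive_line(s)) == NULL || strlen(buf) < 6) return 4;` leaks buf on the short-line branch, since the return happens with the freshly received buffer still allocated; the equivalent check this commit adds to start_imap frees it first. Split the two cases: `if ((buf = hydra_receive_line(s)) == NULL) return 4; if (strlen(buf) < 6) { free(buf); return 4; }`. start_pop3 continues outside the hunk.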


@ -32,6 +32,7 @@ int start_postgres(int s, char *ip, int port, unsigned char options, char *miscp
strncpy(database, miscptr, sizeof(database));
else
strncpy(database, DEFAULT_DB, sizeof(database));
database[sizeof(database)] = 0;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;


@ -2424,7 +2424,8 @@ int start_rdp(int s, char *ip, int port, unsigned char options, char *miscptr, F
strcpy(server, hydra_address2string(ip));
if ((miscptr != NULL) && (strlen(miscptr) > 0)) {
strncpy(domain, miscptr, sizeof(domain));
strncpy(domain, miscptr, sizeof(domain) - 1);
domain[sizeof(domain) - 1] = 0;
}
if (!rdp_connect(server, flags, domain, login, pass, shell, directory, g_redirect))


@ -47,7 +47,7 @@ int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr
return 1;
if (ret > 0 && (strstr(buffer, "ssword") != NULL)) {
if (strlen(pass = hydra_get_next_password()) == 0)
if (strlen((pass = hydra_get_next_password())) == 0)
pass = empty;
sprintf(buffer2, "%s\r", pass);
if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) {
@ -56,7 +56,9 @@ int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr
memset(buffer, 0, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer));
if (strcmp(buffer, "\r\n"))
ret = hydra_recv(s, buffer, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer) - 1);
if (ret >= 0)
buffer[ret] = 0;
}
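Review bot: Only the second receive in start_rlogin was bounded: `ret = hydra_recv(s, buffer, sizeof(buffer));` three lines earlier still fills the whole array, and a reply of exactly sizeof(buffer) bytes overwrites the zero the memset left as terminator, so the following `strcmp(buffer, "\r\n")` reads past the buffer. Give the first call the same shape: `ret = hydra_recv(s, buffer, sizeof(buffer) - 1); if (ret >= 0) buffer[ret] = 0;`. The first `hydra_recv(s, buffer, sizeof(buffer))` in start_rsh, followed by `strlen(buffer)`, has the same gap and needs the same fix. Both functions continue outside these hunks.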
/* Authentication failure */


@ -39,7 +39,9 @@ int start_rsh(int s, char *ip, int port, unsigned char options, char *miscptr, F
ret = hydra_recv(s, buffer, sizeof(buffer));
/* 0x00 is sent but hydra_recv transformed it */
if (strlen(buffer) == 0)
ret = hydra_recv(s, buffer, sizeof(buffer));
ret = hydra_recv(s, buffer, sizeof(buffer) - 1);
if (ret >= 0)
buffer[ret] = 0;
#ifdef HAVE_PCRE
if (ret > 0 && (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)"))) {
#else


@ -245,7 +245,6 @@ void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE *
}
char *get_iface_ip(unsigned long int ip) {
int sfd;
sfd = socket(AF_INET, SOCK_DGRAM, 0);


@ -9,6 +9,9 @@ void dummy_smb() {
#include "hmacmd5.h"
#include "sasl.h"
// FIXME XXX BUG: several malloc()s without return code checking
/*
http://technet.microsoft.com/en-us/library/cc960646.aspx
@ -453,7 +456,8 @@ int HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char *sz
hmac_md5_final(lmv2_response, &ctx);
/* --- 24-byte LMv2 Response Complete --- */
*LMv2hash = malloc(24);
if ((*LMv2hash = malloc(24)) == NULL)
return -1;
memset(*LMv2hash, 0, 24);
memcpy(*LMv2hash, lmv2_response, 16);
memcpy(*LMv2hash + 16, client_challenge, 8);
@ -630,7 +634,8 @@ int HashNTLMv2(unsigned char **NTLMv2hash, int *iByteCount, unsigned char *szLog
hmac_md5_final(ntlmv2_response, &ctx);
*iByteCount = 48 + iTargetLen + 4;
*NTLMv2hash = malloc(*iByteCount);
if ((*NTLMv2hash = malloc(*iByteCount)) == NULL)
return -1;
memset(*NTLMv2hash, 0, *iByteCount);
memcpy(*NTLMv2hash, ntlmv2_response, *iByteCount);
@ -678,6 +683,7 @@ int NBSSessionRequest(int s) {
unsigned char rqbuf[7] = { 0x81, 0x00, 0x00, 0x44, 0x20, 0x00, 0x20 };
char *buf;
unsigned char rbuf[400];
int k;
/* if we are running in native mode (aka port 445) don't do netbios */
if (protoFlag == WIN2000_NATIVEMODE)
@ -689,7 +695,8 @@ int NBSSessionRequest(int s) {
memcpy(nb_name, "CKFDENECFDEFFCFGEFFCCACACACACACA", 32); /* *SMBSERVER */
memcpy(nb_local, "EIFJEEFCEBCACACACACACACACACACACA", 32); /* HYDRA */
buf = (char *) malloc(100);
if ((buf = (char *) malloc(100)) == NULL)
return -1;
memset(buf, 0, 100);
memcpy(buf, (char *) rqbuf, 5);
memcpy(buf + 5, nb_name, 32);
@ -701,10 +708,9 @@ int NBSSessionRequest(int s) {
free(buf);
memset(rbuf, 0, 400);
hydra_recv(s, (char *) rbuf, sizeof(rbuf));
k = hydra_recv(s, (char *) rbuf, sizeof(rbuf));
if ((rbuf != NULL) && (rbuf[0] == 0x82))
if (k > 0 && (rbuf[0] == 0x82))
return 0; /* success */
else
return -1; /* failed */
@ -772,7 +778,7 @@ int SMBNegProt(int s) {
unsigned char rbuf[400];
unsigned char sess_key[2];
unsigned char userid[2] = { 0xCD, 0xEF };
int i = 0, j = 0;
int i = 0, j = 0, k;
int iLength = 194;
int iResponseOffset = 73;
@ -784,8 +790,6 @@ int SMBNegProt(int s) {
memcpy(buf + 30, sess_key, 2);
memcpy(buf + 32, userid, 2);
if (smb_auth_mechanism == AUTH_LM) {
if (verbose)
hydra_report(stderr, "[VERBOSE] Setting Negotiate Protocol Response for LM.\n");
@ -797,8 +801,8 @@ int SMBNegProt(int s) {
hydra_send(s, (char *) buf, iLength, 0);
hydra_recv(s, (char *) rbuf, sizeof(rbuf));
if (rbuf == NULL)
k = hydra_recv(s, (char *) rbuf, sizeof(rbuf));
if (k == 0)
return 3;
/* retrieve the security mode */
@ -968,7 +972,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc
memcpy(buf + 36, szSessionRequest, 23);
/* Calculate and set LAN Manager password hash */
LMhash = (unsigned char *) malloc(24);
if ((LMhash = (unsigned char *) malloc(24)) == NULL)
return -1;
memset(LMhash, 0, 24);
ret = HashLM(&LMhash, (unsigned char *) szPassword, (unsigned char *) challenge);
@ -1005,7 +1010,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc
memcpy(buf + 36, szSessionRequest, 29);
/* Calculate and set NTLM password hash */
NTLMhash = (unsigned char *) malloc(24);
if ((NTLMhash = (unsigned char *) malloc(24)) == NULL)
return -1;
memset(NTLMhash, 0, 24);
/* We don't need to actually calculated a LM hash for this mode, only NTLM */
@ -1042,7 +1048,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc
memcpy(buf + 36, szSessionRequest, 29);
/* Calculate and set LMv2 response hash */
LMv2hash = (unsigned char *) malloc(24);
if ((LMv2hash = (unsigned char *) malloc(24)) == NULL)
return -1;
memset(LMv2hash, 0, 24);
ret = HashLMv2(&LMv2hash, (unsigned char *) szLogin, (unsigned char *) szPassword);
@ -1177,9 +1184,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc
hydra_send(s, (char *) buf, iOffset + iByteCount, 0);
nReceiveBufferSize = 0;
nReceiveBufferSize = hydra_recv(s, bufReceive, sizeof(bufReceive));
if ((bufReceive == NULL) || (nReceiveBufferSize == 0))
if (/*(bufReceive == NULL) ||*/ (nReceiveBufferSize == 0))
return -1;
/* 41 - Action (Guest/Non-Guest Account) */
@ -1316,7 +1322,8 @@ void service_smb(char *ip, int sp, unsigned char options, char *miscptr, FILE *
//split the string after the domain if there are other values
strtok(tmpdom, " ");
if (tmpdom) {
strncpy((char *) domain, (char *) tmpdom, 16);
strncpy((char *) domain, (char *) tmpdom, sizeof(domain) - 1);
domain[sizeof(domain) - 1] = 0;
} else {
err = 1;
}
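Review bot: `k = hydra_recv(s, (char *) rbuf, sizeof(rbuf)); if (k == 0) return 3;` in SMBNegProt treats only an empty reply as failure; a negative return (the error case the other modules in this commit test with `ret >= 0`) falls through into the security-mode parsing of an unfilled rbuf. Use `if (k <= 0) return 3;`, and likewise `if (nReceiveBufferSize <= 0) return -1;` in SMBSessionSetup, where the commented-out `/*(bufReceive == NULL) ||*/` should be deleted rather than kept (an array is never NULL, which is why that test was dead). The new `return -1;` after the malloc checks in SMBSessionSetup, whose return type is unsigned long, yields ULONG_MAX; that matches the function's existing `return -1` but callers must compare against that value rather than test for a negative result. Both functions continue outside the hunks.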


@ -172,7 +172,7 @@ void service_smtp_enum(char *ip, int sp, unsigned char options, char *miscptr, F
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
port = mysslport;
}
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid());


@ -2,8 +2,6 @@
#include "sasl.h"
extern char *HYDRA_EXIT;
char *buf;
int smtp_auth_mechanism = AUTH_LOGIN;
char *smtp_read_server_capacity(int sock) {
@ -40,7 +38,7 @@ char *smtp_read_server_capacity(int sock) {
int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "";
char *login, *pass, buffer[500], buffer2[500];
char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -91,7 +89,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr,
//get the one-time BASE64 encoded challenge
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, "334") == NULL) {
if (strstr(buf, "334") == NULL || strlen(buf) < 8) {
hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf);
free(buf);
return 3;
@ -130,8 +128,9 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr,
if (verbose)
hydra_report(stderr, "DEBUG S: %s\n", buffer);
sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
if (buffer2 == NULL)
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (verbose)
@ -155,7 +154,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr,
}
if ((buf = hydra_receive_line(s)) == NULL)
return 1;
if (strstr(buf, "334") == NULL) {
if (strstr(buf, "334") == NULL || strlen(buf) < 8) {
hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf);
free(buf);
return 3;
@ -215,7 +214,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr,
#ifdef LIBOPENSSL
if (smtp_auth_mechanism == AUTH_DIGESTMD5) {
if (strstr(buf, "334") != NULL) {
if (strstr(buf, "334") != NULL && strlen(buf) >= 8) {
memset(buffer2, 0, sizeof(buffer2));
from64tobits((char *) buffer2, buf + 4);
if (strstr(buffer2, "rspauth=") != NULL) {
@ -250,7 +249,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr,
void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) {
int run = 1, next_run = 1, sock = -1, i = 0;
int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL, disable_tls = 1;
char *buf;
char *buffer1 = "EHLO hydra\r\n";
char *buffer2 = "HELO hydra\r\n";
@ -271,7 +270,7 @@ void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE *
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
port = mysslport;
}
if (sock < 0) {
if (verbose || debug)


@ -101,7 +101,13 @@ void password_to_key_md5(u_char * password, /* IN */
u_char * key) { /* OUT - pointer to caller 16-octet buffer */
MD5_CTX MD;
u_char *cp, password_buf[80], *mypass = password, bpass[17];
u_long password_index = 0, count = 0, i, mylen = passwordlen, myelen = engineLength;
u_long password_index = 0, count = 0, i, mylen, myelen = engineLength;
if (strlen(password) > passwordlen)
passwordlen = strlen(password);
if (passwordlen > sizeof(bpass) - 1)
passwordlen = sizeof(bpass) - 1;
mylen = passwordlen;
if (mylen < 8) {
memset(bpass, 0, sizeof(bpass));
@ -191,7 +197,7 @@ void password_to_key_sha(u_char * password, /* IN */
#endif
int start_snmp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) {
char *empty = "\"\"", *ptr, *login, *pass, buffer[1024], buf[1024], hash[64], key[256], salt[8];
char *empty = "\"\"", *ptr, *login, *pass, buffer[1024], buf[1024], hash[64], key[256] = "", salt[8] = "";
int i, j, k, size, off = 0, off2 = 0, done = 0;
unsigned char initVect[8], privacy_params[8];
int engine_boots = 0;
@ -523,10 +529,11 @@ void service_snmp(char *ip, int sp, unsigned char options, char *miscptr, FILE *
hydra_send(sock, snmpv3_init, sizeof(snmpv3_init), 0);
if (hydra_data_ready_timed(sock, 5, 0) > 0) {
if ((i = hydra_recv(sock, (char *) snmpv3buf, sizeof(snmpv3buf))) > 30) {
if (snmpv3buf[4] == 3 && snmpv3buf[5] == 0x30); {
if (snmpv3buf[4] == 3 && snmpv3buf[5] == 0x30) {
snmpv3info = snmpv3buf + 7 + snmpv3buf[6];
snmpv3infolen = snmpv3info[3] + 4;
while (snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0)
if (snmpv3info + snmpv3infolen <= snmpv3buf + sizeof(snmpv3buf)) {
while (snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0 && snmpv3infolen > 1)
snmpv3infolen -= 2;
if (debug)
hydra_dump_asciihex(snmpv3info, snmpv3infolen);
@ -536,6 +543,7 @@ void service_snmp(char *ip, int sp, unsigned char options, char *miscptr, FILE *
}
}
}
}
next_run++;
}
if (snmpv3info == NULL || i < snmpv3info + snmpv3infolen - snmpv3buf) {
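Review bot: In the new `while (snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0 && snmpv3infolen > 1)` the `snmpv3infolen > 1` guard is evaluated last, after the two indexed reads it is meant to protect, so the underrun still happens before the loop stops; put it first: `while (snmpv3infolen > 1 && snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0)`. The added bounds check compares against `snmpv3buf + sizeof(snmpv3buf)`, but only i bytes were received, so stale bytes beyond i pass it; `snmpv3buf + i` is the bound the later `i < snmpv3info + snmpv3infolen - snmpv3buf` test already uses, and `snmpv3info[3]` is read on the line before the check runs. In password_to_key_md5, capping passwordlen at sizeof(bpass) - 1 also changes the key derived for passwords longer than 16 characters; if this is the RFC 3414 password-to-key routine, the clamp presumably belongs only to the short-password padding into bpass (`mylen < 8`), not to the length used for the main digest — confirm against the rest of the function. service_snmp and password_to_key_md5 continue outside the hunks.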


@ -87,7 +87,7 @@ void service_vmauthd(char *ip, int sp, unsigned char options, char *miscptr, FIL
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport);
port = myport;
port = mysslport;
}
if (sock < 0) {


@ -58,7 +58,7 @@ int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, F
int i;
//fprintf(stderr,"number of security types supported: %d\n", buf2[0]);
if (buf2[0] == 0) {
if (buf2[0] == 0 || buf2[0] > CHALLENGESIZE + 4) {
hydra_report(stderr, "[ERROR] VNC server connection failed\n");
hydra_child_exit(0);
}
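Review bot: `buf2[0] > CHALLENGESIZE + 4` only rejects large counts if buf2 holds unsigned values; if buf2 is a plain char array (its declaration is not in the hunk), bytes 0x80 and above are negative on most targets, pass the test, and the code that follows still trusts a count the server chose. Compare through unsigned char: `if (buf2[0] == 0 || (unsigned char) buf2[0] > CHALLENGESIZE + 4) {`. Why the number of security types is bounded by CHALLENGESIZE + 4 is not evident from the code and deserves a comment on that line. start_vnc continues outside the hunk.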


@ -22,6 +22,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
char *CHALLENGE_END_STR = "</challenge>";
char *RESPONSE_STR = "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>";
char *RESPONSE_END_STR = "</response>";
char *fooptr;
if (strlen(login = hydra_get_next_login()) == 0)
login = empty;
@ -95,7 +96,6 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
/* server now would ask for the password */
if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) {
char *ptr = strstr(buf, CHALLENGE_STR);
if (!ptr)
ptr = strstr(buf, CHALLENGE_STR2);
char *ptr_end = strstr(ptr, CHALLENGE_END_STR);
@ -117,7 +117,6 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
free(buf);
return 1;
}
free(buf);
}
}
}
@ -156,8 +155,9 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
break;
case AUTH_DIGESTMD5:{
memset(buffer2, 0, sizeof(buffer2));
sasl_digest_md5(buffer2, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
if (buffer2 == NULL)
fooptr = buffer2;
sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL);
if (fooptr == NULL)
return 3;
if (verbose)
hydra_report(stderr, "DEBUG C: %s\n", buffer2);
@ -213,8 +213,9 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0';
memset(buffer2, 0, sizeof(buffer2));
sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage);
if (buffer2 == NULL) {
fooptr = buffer2;
sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage);
if (fooptr == NULL) {
hydra_report(stderr, "[ERROR] Can't compute client response\n");
free(buf);
return 1;
@ -227,12 +228,13 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
free(buf);
return 1;
}
free(buf);
}
break;
#endif
ptr = 0;
}
free(buf);
if (hydra_send(s, buffer, strlen(buffer), 0) < 0) {
return 1;
}
@ -266,6 +268,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr,
if (strstr(buf, "<failure")) {
hydra_report(stderr, "[ERROR] Protocol failure, try using another auth method. %s\n", strstr(buf, "<failure"));
}
free(buf);
return 3;
}
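Review bot: Moving the `free(buf);` out of the DIGEST-MD5 and SCRAM-SHA1 cases to the single `free(buf);` after the switch makes it run for every case, including those compiled out under the `#ifdef` and the cases not shown in the hunks; unless each of those paths assigns buf from hydra_receive_line before reaching it, this frees a stale or uninitialized pointer. Initializing buf to NULL at its declaration and writing `buf = NULL;` after each free makes the unconditional free safe whichever path is taken, since free(NULL) is a no-op. start_xmpp continues outside these hunks.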

30
hydra.c

@ -155,7 +155,7 @@ char *SERVICES = "asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-
#define RESTOREFILE "./hydra.restore"
#define PROGRAM "Hydra"
#define VERSION "v7.7"
#define VERSION "v8.0"
#define AUTHOR "van Hauser/THC"
#define EMAIL "<vh@thc.org>"
#define AUTHOR2 "David Maciejak"
@ -867,6 +867,8 @@ void hydra_restore_read() {
hydra_targets[j]->redo_pass[i] = malloc(strlen(out) + 1);
strcpy(hydra_targets[j]->redo_pass[i], out);
}
if (hydra_targets[j]->skipcnt >= hydra_brains.countlogin)
hydra_targets[j]->skipcnt = 0;
if (hydra_targets[j]->skipcnt > 0)
for (i = 0; i < hydra_targets[j]->skipcnt; i++) {
sck = fgets(out, sizeof(out), f);
@ -879,7 +881,7 @@ void hydra_restore_read() {
hydra_targets[j]->use_count = 0;
hydra_targets[j]->failed = 0;
}
hydra_heads = malloc(hydra_options.max_use * sizeof(hydra_heads));
hydra_heads = malloc((hydra_options.max_use + 2 ) * sizeof(int) + 8);
for (j = 0; j < hydra_options.max_use; j++) {
hydra_heads[j] = malloc(sizeof(hydra_head));
fck = (int) fread(hydra_heads[j], sizeof(hydra_head), 1, f);
@ -982,7 +984,7 @@ unsigned long int countlines(FILE * fp, int colonmode) {
}
rewind(fp);
free(buf);
fstat(fileno(fp), &st);
(void)fstat(fileno(fp), &st);
size_of_data = st.st_size + 1;
return lines;
}
@ -1356,7 +1358,7 @@ int hydra_spawn_head(int head_no, int target_no) {
child_head_no = -1;
if (hydra_heads[head_no]->pid > 0) {
fck = write(hydra_heads[head_no]->sp[1], "n", 1); // yes, a small "n" - this way we can distinguish later if the client successfully tested a pair and is requesting a new one or the mother did that
fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK);
(void)fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK);
if (hydra_heads[head_no]->redo != 1)
hydra_heads[head_no]->target_no = target_no;
hydra_heads[head_no]->active = 1;
@ -1597,6 +1599,11 @@ int hydra_send_next_pair(int target_no, int head_no) {
snp_is_redo = 0;
snpdont = 0;
loop_cnt++;
if (hydra_heads[head_no]->redo && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) {
hydra_heads[head_no]->redo = 0;
snp_is_redo = 1;
snpdone = 1;
} else {
if (hydra_targets[target_no]->sent >= hydra_brains.todo + hydra_targets[target_no]->redo) {
if (hydra_targets[target_no]->done == 0) {
hydra_targets[target_no]->done = 1;
@ -1606,6 +1613,7 @@ int hydra_send_next_pair(int target_no, int head_no) {
}
return -1;
}
}
if (loop_cnt > (hydra_brains.countlogin * 2) + 1 && loop_cnt > (hydra_brains.countpass * 2) + 1) {
if (debug)
printf("[DEBUG] too many loops in send_next_pair, returning -1 (loop_cnt %d, sent %ld, todo %ld)\n", loop_cnt, hydra_targets[target_no]->sent, hydra_brains.todo);
@ -2605,7 +2613,7 @@ int main(int argc, char *argv[]) {
}
if (strcmp(hydra_options.service, "ssh") == 0 || strcmp(hydra_options.service, "sshkey") == 0) {
if (hydra_options.tasks > 8)
fprintf(stderr, "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 or -t 8\n");
fprintf(stderr, "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n");
#ifdef LIBSSH
i = 1;
#else
@ -2945,6 +2953,9 @@ int main(int argc, char *argv[]) {
exit(-1);
}
if (hydra_options.ssl == 1 && strncmp(hydra_options.service, "http-", 5 == 0) && hydra_options.port == 443)
fprintf(stderr, "[WARNING] you specified port 443 for attacking a http service, however did not specify the -S ssl switch nor used https-..., therefore using plain HTTP\n");
if (hydra_options.loop_mode && hydra_options.colonfile != NULL)
bail("The loop mode option (-u) works with all modes - except colon files (-C)\n");
if (strncmp(hydra_options.service, "http-", strlen("http-")) != 0 && strcmp(hydra_options.service, "http-head") != 0 && getenv("HYDRA_PROXY_HTTP") != NULL)
@ -3118,7 +3129,7 @@ int main(int argc, char *argv[]) {
hydra_brains.targets = countservers = countinfile = countlines(ifp, 0);
if (countinfile == 0)
bail("File for IP addresses is empty!");
hydra_targets = malloc(sizeof(hydra_targets) * (countservers + 1) + 8);
hydra_targets = malloc(sizeof(hydra_targets) * (countservers + 2) + 8);
if (hydra_targets == NULL)
bail("Could not allocate enough memory for target data");
sizeinfile = size_of_data;
@ -3146,7 +3157,7 @@ int main(int argc, char *argv[]) {
}
} else {
countservers = hydra_brains.targets = 1;
hydra_targets = malloc(sizeof(hydra_targets));
hydra_targets = malloc(sizeof(int) * 4);
hydra_targets[0] = malloc(sizeof(hydra_target));
memset(hydra_targets[0], 0, sizeof(hydra_target));
hydra_targets[0]->target = servers_ptr = hydra_options.server;
@ -3183,7 +3194,8 @@ int main(int argc, char *argv[]) {
if (dslash) {
proxy_string[dslash - proxy_string] = 0;
strncpy(proxy_string_type, proxy_string, sizeof(proxy_string_type));
strncpy(proxy_string_type, proxy_string, sizeof(proxy_string_type) - 1);
proxy_string_type[sizeof(proxy_string_type) - 1] = 0;
}
proxy_string = dslash;
@ -3622,7 +3634,7 @@ int main(int argc, char *argv[]) {
hydra_brains.sent, // tries
(long unsigned int) ((elapsed_status - starttime) / 3600), // hours
(long unsigned int) (((elapsed_status - starttime) % 3600) / 60), // minutes
hydra_brains.todo_all - hydra_brains.sent < 0 ? 1 : hydra_brains.todo_all - hydra_brains.sent, // left todo
hydra_brains.todo_all - hydra_brains.sent <= 0 ? 1 : hydra_brains.todo_all - hydra_brains.sent, // left todo
(long unsigned int) (((double) hydra_brains.todo_all - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime))
) / 3600, // hours
(((long unsigned int) (((double) hydra_brains.todo_all - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime))
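Review bot: The rewritten allocation in hydra_restore_read, `hydra_heads = malloc((hydra_options.max_use + 2 ) * sizeof(int) + 8);` (the second of the two printed variants, presumably the new side), sizes the array by `sizeof(int)` although the very next line stores a pointer in each slot (`hydra_heads[j] = malloc(sizeof(hydra_head))`), so on LP64 targets each element needs 8 bytes and the buffer is too small once max_use exceeds 4, turning that loop into a heap write past the allocation. Size it by the element it holds, `hydra_heads = malloc((hydra_options.max_use + 2) * sizeof(*hydra_heads) + 8);`, and apply the same to the single-target branch in main, where `hydra_targets = malloc(sizeof(int) * 4);` only works because a single pointer happens to fit in 16 bytes (`sizeof(*hydra_targets) * 2` says what is meant). Separately, the new port-443 warning has a misplaced parenthesis: in `strncmp(hydra_options.service, "http-", 5 == 0)` the length argument is the expression `5 == 0`, i.e. 0, so strncmp compares zero bytes and always returns 0 and the service check is a no-op; it should read `strncmp(hydra_options.service, "http-", 5) == 0`, and since the message says -S was not given while the condition tests `hydra_options.ssl == 1`, one of the two looks inverted and is worth confirming. Both hydra_restore_read and main begin and end outside these hunks.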

3
ntlm.c

@ -1,4 +1,3 @@
/* $Id$
Single file NTLM system to create and parse authentication messages.
@ -1288,6 +1287,8 @@ void buildAuthResponse(tSmbNtlmAuthChallenge * challenge, tSmbNtlmAuthResponse *
challenge->flags = flags; /* Overide flags! */
response->flags = challenge->flags;
if (w)
free(w);
if (d)
free(d);
if (u)

6
sasl.c

@ -363,10 +363,12 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
} while ((pbuffer[0] != '\0') && (pbuffer[0] > 31) && (ind < array_size));
//save the latest one
if (ind < array_size) {
array[ind] = malloc(currentpos + 1);
strncpy(array[ind], buffer + lastpos, currentpos);
array[ind][currentpos] = '\0';
ind++;
}
for (i = 0; i < ind; i++) {
//removing space chars between comma separated value if any
@ -498,7 +500,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *
//for MD5-sess
if (strstr(algo, "5-sess") != NULL) {
memset(buffer, 0, sizeof(buffer));
buffer[0] = 0; //memset(buffer, 0, sizeof(buffer)); => buffer is char*!
/* per RFC 2617 Errata ID 1649 */
if ((strstr(type, "proxy") != NULL) || (strstr(type, "GET") != NULL) || (strstr(type, "HEAD") != NULL)) {
@ -673,7 +675,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha
return;
}
if ((salt != NULL) && (strlen(salt) > 2))
if ((salt != NULL) && (strlen(salt) > 2) && (strlen(salt) <= sizeof(buffer)))
//s=ghgIAfLl1+yUy/Xl1WD5Tw== remove the header s=
strcpy(buffer, salt + 2);
else {