diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..87040ec
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,117 @@
+---
+Language: Cpp
+AccessModifierOffset: -2
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignEscapedNewlines: Right
+AlignOperands: true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: All
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: false
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+ AfterClass: false
+ AfterControlStatement: false
+ AfterEnum: false
+ AfterFunction: false
+ AfterNamespace: false
+ AfterObjCDeclaration: false
+ AfterStruct: false
+ AfterUnion: false
+ AfterExternBlock: false
+ BeforeCatch: false
+ BeforeElse: false
+ IndentBraces: false
+ SplitEmptyFunction: true
+ SplitEmptyRecord: true
+ SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit: 512
+CommentPragmas: '^ IWYU pragma:'
+CompactNamespaces: true
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat: false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+ - foreach
+ - Q_FOREACH
+ - BOOST_FOREACH
+IncludeBlocks: Preserve
+IncludeCategories:
+ - Regex: '^"(llvm|llvm-c|clang|clang-c)/'
+ Priority: 2
+ - Regex: '^(<|"(gtest|gmock|isl|json)/)'
+ Priority: 3
+ - Regex: '.*'
+ Priority: 1
+IncludeIsMainRegex: '(Test)?$'
+IndentCaseLabels: false
+IndentPPDirectives: None
+IndentWidth: 2
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: false
+MacroBlockBegin: ''
+MacroBlockEnd: ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBinPackProtocolList: Auto
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 60
+PointerAlignment: Right
+ReflowComments: true
+SortIncludes: true
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles: false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard: Cpp11
+TabWidth: 2
+UseTab: Never
+...
+
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..78bd469
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**IMPORTANT**
+This is just for reporting *BUGS* not help on how to hack, how to use hydra, command line options or how to get it compiled. Please search for help via search engines. Issues asking for this here will be closed.
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+ * Ensure that you have tested the bug to be present in the current github code. You might be using an outdated version that comes with your Linux distribution!
+ * You must provide full command line options.
+
+Steps to reproduce the behavior:
+1. ...
+2. ...
+3. ...
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+Note that all messages must be in *English*, not in Chinese, Russian, etc.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. Ubuntu 20.04]
+ - hydra version [e.g. current github state]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..d0c19f8
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**IMPORTANT**
+Please note that hydra is still maintained however not actively developed. If you would like to see specific feature here it it recommended implement it yourself and send a pull request - or look for someone to do that for you :-)
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e7e79e7
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,38 @@
+name: release
+
+on:
+ push:
+ branches: [master, main]
+ tags-ignore: ['**']
+ paths-ignore: [README, TODO, PROBLEMS]
+ pull_request:
+ paths-ignore: [README, TODO, PROBLEMS]
+
+jobs:
+ docker-image:
+ name: Build the docker image
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: docker/setup-qemu-action@v2
+
+ - uses: docker/setup-buildx-action@v2
+
+ - uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - uses: gacts/github-slug@v1 # Action page: 
+ id: slug
+
+ - uses: docker/build-push-action@v3 # Action page: 
+ with:
+ context: .
+ file: Dockerfile
+ push: true
+ platforms: linux/amd64, linux/arm64
+# ,linux/arm/v6, linux/arm/v7
+ tags: vanhauser/hydra:latest
+
diff --git a/.gitignore b/.gitignore
index 0a9a618..4cf0c32 100644
--- a/.gitignore
+++ b/.gitignore
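Review bot: The `pull_request` trigger in the new release.yml reaches the `docker/login-action` and `docker/build-push-action` steps with `push: true`, so a pull request opened from a branch of this repository (where `secrets.DOCKER_USERNAME`/`DOCKER_PASSWORD` are available) would publish `vanhauser/hydra:latest` before anyone has reviewed it, while a fork PR simply fails at the login step for lack of secrets. Gate publishing on the event instead, e.g. `if: github.event_name != 'pull_request'` on the login step and `push: ${{ github.event_name != 'pull_request' }}` on the build step, so PRs only verify that the image builds. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope; a top-level `permissions: contents: read` is all this job needs. Finally, `gacts/github-slug@v1` and the three docker actions are pinned to mutable major tags rather than commit SHAs, which is the usual hardening for a job that holds registry credentials; note too that `tags-ignore: ['**']` means release tags never produce a versioned image, only `latest` is ever pushed.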
@@ -13,3 +13,4 @@ hydra-gtk/stamp-h pw-inspector pw-inspector.exe hydra.restore +*~ diff --git a/.travis.yml b/.travis.yml index 19f1e15..ad0b541 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,6 +4,9 @@ dist: trusty os: - linux - osx +arch: + - amd64 + - ppc64le compiler: - clang - gcc diff --git a/Android.mk b/Android.mk index 2638e06..8e414d1 100644 --- a/Android.mk +++ b/Android.mk @@ -40,6 +40,8 @@ LOCAL_SRC_FILES:= \ hydra-irc.c\ hydra-ldap.c\ hydra-mod.c\ + hydra-memcached.c\ + hydra-mongodb.c\ hydra-mssql.c\ hydra-mysql.c\ hydra-ncp.c\ @@ -90,7 +92,8 @@ LOCAL_STATIC_LIBRARIES := \ libiconv\ libneon\ libssl_static\ - libcrypto_static + libcrypto_static\ + libmemcached LOCAL_SHARED_LIBRARIES := \ libsqlite\ diff --git a/CHANGES b/CHANGES index 76354e3..685f48d 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,82 @@ Changelog for hydra ------------------- +Release 9.5 +* many modules did not support -W (all those that used a library for the + connection). All (or most?) should be fixed now. +* http-form: + - The help for http-form was wrong. the condition variable must always be + the *last* parameter, not the third + - Proxy support was not working correctly +* smb2: fix for updated libsmb2 which resulted in correct guessing attempts + not being detected +* smtp: break early if the server does not allow authentication +* rdp: detect more return codes that say a user is disabled etc. + + +Release 9.4 +* Switched from pcre/pcre3 to pcre2 as pcre/pcre3 will be dropped from Debian +* Small fix for weird RTSP servers +* Added "2=" optional parameter to http-post-form module to tell hydra that + a "302" HTTP return code means success +* replaced wait3 with waitpid for better compatability + + +Release 9.3 +* support Xcode compilation +* new module: cobaltstrike by ultimaiiii, thank you! +* fix for ssh to support -M or ip/range +* fix for rdp to detect empty passwords +* fix for http-form to no send empty headers +* fix for http on non-default ports when using with a proxy +* for vnc/cisco/... protocols that only check for a password, skip host + after the password is found +* fix to support IPv6 addresses in -M +* fix to test all entries in -C files, not exiting after the first found +* make disappearing targets faster to terminate on +* added "make uninstall" + + +Release 9.2 +* fix for http-post-form optional parameters +* enable gcc 10 support for xhydra too :) +* msys support +* removed rain mode (-r) because of inefficiency +* IPv6 support for Host: header for http based modules + + +Release 9.1 +* rdb: support for libfreerdp3 (thanks to animetauren) +* new module: smb2 which also supports smb3 (uses libsmbclient-dev) (thanks to Karim Kanso for the module!) 
+* oracle: added success condition (thanks to kazkansouh), compile on Cygwin (thanks to maaaaz) +* rtsp: fixed crash in MD5 auth +* svn: updated to support past and new API +* http: now supports F=/S= string matching conditions (thanks to poucz@github) +* http-proxy: buffer fix, 404 success condition (thanks to kazkansouh) +* mysql: changed not to use mysql db as a default. if the user has not access to this db auth fails ... +* sasl: buffer fix (thanks to TenGbps) +* fixed help for https modules (thanks to Jab2870) +* added -K command line switch to disable redo attempts (good for mass scanning) +* forgot to have the -m option in the hydra help output +* gcc-10 support and various cleanups by Jeroen Roovers, thanks! +* added .clang-format and formatted all code + + +Release 9.0 +* rdp: Revamped rdp module to use FreeRDP library (thanks to loianhtuan@github for the patch!) +* Added memcached module +* Added mongodb module +* http: http module now supports a= option to select http authentication type +* JSON output does now truncate the file if exists. +* Fixed svn module memory leaks +* Fixed rtsp module potential buffer overflow +* Fixed http module DIGEST-MD5 mode + + +Release 8.9.1 +* Clarification for rdp error message +* CIDR notation (hydra -l test -p test 192.168.0.0/24 ftp) was not detected, fixed + Release 8.8 * New web page: https://github.com/vanhauser-thc/thc-hydra diff --git a/CITATION.cff b/CITATION.cff new file mode 100644 index 0000000..3b450d3 --- /dev/null +++ b/CITATION.cff @@ -0,0 +1,20 @@ +cff-version: 1.2.0 +message: "If you use this software, please cite it as below." +authors: + - given-names: Marc + family-names: Heuse + name-particle: "van Hauser" + email: vh@thc.org + affiliation: The Hacker's Choice +title: "hydra" +version: 9.2 +type: software +date-released: 2021-03-15 +url: "https://github.com/vanhauser-thc/thc-hydra" +keywords: + - scanning + - passwords + - hacking + - pentesting + - securiy +license: AGPL-3.0-or-later 
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..9f16b02
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,77 @@ +FROM debian:bookworm-slim + +ARG HYDRA_VERSION="github" + +LABEL \ + org.opencontainers.image.url="https://github.com/vanhauser-thc/thc-hydra" \ + org.opencontainers.image.source="https://github.com/vanhauser-thc/thc-hydra" \ + org.opencontainers.image.version="$HYDRA_VERSION" \ + org.opencontainers.image.vendor="vanhauser-thc" \ + org.opencontainers.image.title="hydra" \ + org.opencontainers.image.licenses="GNU AFFERO GENERAL PUBLIC LICENSE" + +COPY . /src + +RUN set -x \ + && apt-get update \ + && apt-get -y install \ + #libmysqlclient-dev \ + default-libmysqlclient-dev \ + libgpg-error-dev \ + #libmemcached-dev \ + #libgcrypt11-dev \ + libgcrypt-dev \ + #libgcrypt20-dev \ + #libgtk2.0-dev \ + libpcre3-dev \ + #firebird-dev \ + libidn11-dev \ + libssh-dev \ + #libsvn-dev \ + libssl-dev \ + #libpq-dev \ + make \ + curl \ + gcc \ + 1>/dev/null \ + # The next line fixes the curl "SSL certificate problem: unable to get local issuer certificate" for linux/arm + && c_rehash + +# Get hydra sources and compile +RUN cd /src \ + && make clean \ + && ./configure \ + && make \ + && make install + +# Make clean +RUN apt-get purge -y make gcc \ + && apt-get autoremove -y \ + && rm -rf /var/lib/apt/lists/* \ + && rm -rf /src + +# Verify hydra installation +RUN hydra -h || error_code=$? \ + && if [ ! 
"${error_code}" -eq 255 ]; then echo "Wrong exit code for 'hydra help' command"; exit 1; fi \ + # Unprivileged user creation + && echo 'hydra:x:10001:10001::/tmp:/sbin/nologin' > /etc/passwd \ + && echo 'hydra:x:10001:' > /etc/group + +ARG INCLUDE_SECLISTS="true" + +RUN set -x \ + && if [ "${INCLUDE_SECLISTS}" = "true" ]; then \ + mkdir /tmp/seclists \ + && curl -SL "https://api.github.com/repos/danielmiessler/SecLists/tarball" -o /tmp/seclists/src.tar.gz \ + && tar xzf /tmp/seclists/src.tar.gz -C /tmp/seclists \ + && mv /tmp/seclists/*SecLists*/Passwords /opt/passwords \ + && mv /tmp/seclists/*SecLists*/Usernames /opt/usernames \ + && chmod -R u+r /opt/passwords /opt/usernames \ + && rm -Rf /tmp/seclists \ + && ls -la /opt/passwords /opt/usernames \ + ;fi + +# Use an unprivileged user +USER 10001:10001 + +ENTRYPOINT ["hydra"] diff --git a/INSTALL b/INSTALL index 8e33f87..20f12fd 100644 --- a/INSTALL +++ b/INSTALL 
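Review bot: The SecLists step fetches `https://api.github.com/repos/danielmiessler/SecLists/tarball` — the default branch at whatever commit exists when the image is built — and extracts it with no checksum or signature verification, so what lands in `/opt/passwords` and `/opt/usernames` is neither reproducible nor attestable, and any change or compromise upstream flows straight into the published image. Pin the ref through a build argument and verify a recorded SHA-256 before `tar xzf`, as sketched below (both values are placeholders to fill in at release time; GitHub has regenerated archives before, so the recorded hash may need refreshing if the platform changes its compression). Separately, `RUN hydra -h || error_code=$?` leaves `error_code` unset when `hydra -h` exits 0, so `[ ! "${error_code}" -eq 255 ]` raises a shell error instead of failing and the `if` falls through with the build continuing; initialise it first, `error_code=0; hydra -h || error_code=$?`, so the exit-code check is reliable.
```dockerfile
ARG INCLUDE_SECLISTS="true"
# Pin the wordlist source; both values are placeholders to fill in at release time.
ARG SECLISTS_REF="<tag-or-commit>"
ARG SECLISTS_SHA256="<sha256-of-the-pinned-tarball>"

RUN set -x \
    && if [ "${INCLUDE_SECLISTS}" = "true" ]; then \
        mkdir /tmp/seclists \
        && curl -SL "https://api.github.com/repos/danielmiessler/SecLists/tarball/${SECLISTS_REF}" -o /tmp/seclists/src.tar.gz \
        && echo "${SECLISTS_SHA256}  /tmp/seclists/src.tar.gz" | sha256sum -c - \
        && tar xzf /tmp/seclists/src.tar.gz -C /tmp/seclists \
        # … unchanged: mv/chmod/rm/ls of /opt/passwords and /opt/usernames …
        ;fi
```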
@@ -2,10 +2,27 @@ type "./configure", then "make" and finally "sudo make install" For special modules you need to install software packages before you run "./configure": - Ubuntu/Debian: apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev + Ubuntu/Debian: apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev Redhat/Fedora: yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel OpenSuSE: zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel -For the Oracle login module, install the basic and SDK packages: - http://www.oracle.com/technetwork/database/features/instant-client/index.html + +For Termux/Android you need the following setup: + +Install the necessary dependencies + # pkg install -y x11-repo + # pkg install -y clang make openssl openssl-tool wget openssh coreutils gtk2 gtk3 +And then compiling hydra + # ./configure --prefix=$PREFIX + # make + # make install + + +To use xhydra, you will need to install a graphical output in termux, you can be guided from this article: + +https://wiki.termux.com/wiki/Graphical_Environment + + +For the Oracle login module, install the basic and SDK packages: + https://www.oracle.com/database/technologies/instant-client/downloads.html diff --git a/LICENSE b/LICENSE index 052a76b..0ad25db 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,12 +1,7 @@ -[see the end of the file for the special exception for linking with OpenSSL - - debian people need this] - - - GNU AFFERO GENERAL PUBLIC LICENSE Version 3, 19 November 2007 - Copyright (C) 2007 Free Software Foundation, Inc. + Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. @@ -638,8 +633,8 @@ the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -648,7 +643,7 @@ the "copyright" line and a pointer to where the full notice is found. GNU Affero General Public License for more details. You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . + along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. 
@@ -663,21 +658,4 @@ specific requirements. You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU AGPL, see -. - - -Special Exception - - * In addition, as a special exception, the copyright holders give - * permission to link the code of portions of this program with the - * OpenSSL library under certain conditions as described in each - * individual source file, and distribute linked combinations - * including the two. - * You must obey the GNU Affero General Public License in all respects - * for all of the code used other than OpenSSL. If you modify - * file(s) with this exception, you may extend this exception to your - * version of the file(s), but you are not obligated to do so. If you - * do not wish to do so, delete this exception statement from your - * version. If you delete this exception statement from all source - * files in the program, then also delete it here. - +. diff --git a/LICENSE.OPENSSL b/LICENSE_OPENSSL similarity index 100% rename from LICENSE.OPENSSL rename to LICENSE_OPENSSL diff --git a/Makefile b/Makefile index 372e67e..0fc0d2e 100644 --- a/Makefile +++ b/Makefile @@ -3,3 +3,6 @@ all: clean: cp -f Makefile.orig Makefile + +uninstall: + @echo Error: you must run "./configure" first diff --git a/Makefile.am b/Makefile.am index d65f7d7..f6d4bb0 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,40 +1,48 @@ # -# Makefile for Hydra - (c) 2001-2019 by van Hauser / THC +# Makefile for Hydra - (c) 2001-2023 by van Hauser / THC # -OPTS=-I. -O3 +WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations +WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align +CFLAGS ?= -g +OPTS=-I. -O3 $(CFLAGS) -fcommon -Wno-deprecated-declarations +CPPFLAGS += -D_GNU_SOURCE # -Wall -g -pedantic LIBS=-lm -BINDIR = /bin -MANDIR ?= /man/man1/ -DATADIR ?= /etc DESTDIR ?= +BINDIR = /bin +MANDIR = /man/man1/ +DATADIR = /etc +PIXDIR = /share/pixmaps +APPDIR = /share/applications SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \ hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \ hydra-pop3.c hydra-smb.c hydra-icq.c hydra-cisco-enable.c hydra-ldap.c \ - hydra-mysql.c hydra-mssql.c hydra-xmpp.c hydra-http-proxy-urlenum.c \ - hydra-snmp.c hydra-cvs.c hydra-smtp.c hydra-smtp-enum.c hydra-sapr3.c \ - hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c hydra-postgres.c \ - hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c hydra-svn.c \ - hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \ + hydra-memcached.c hydra-mongodb.c hydra-mysql.c hydra-mssql.c hydra-xmpp.c \ + hydra-http-proxy-urlenum.c hydra-snmp.c hydra-cvs.c hydra-smtp.c \ + hydra-smtp-enum.c hydra-sapr3.c hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c \ + hydra-postgres.c hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c \ + hydra-svn.c hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \ hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c hydra-rdp.c \ hydra-oracle-sid.c 
hydra-http-proxy.c hydra-http-form.c hydra-irc.c \ hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \ - hydra-rpcap.c hydra-radmin2.c \ - hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c + hydra-rpcap.c hydra-radmin2.c hydra-cobaltstrike.c \ + hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c \ + hydra-smb2.c OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \ hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \ hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \ - hydra-mysql.o hydra-mssql.o hydra-xmpp.o hydra-http-proxy-urlenum.o \ - hydra-snmp.o hydra-cvs.o hydra-smtp.o hydra-smtp-enum.o hydra-sapr3.o \ - hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o hydra-postgres.o \ - hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o hydra-svn.o \ - hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \ + hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-cobaltstrike.o hydra-xmpp.o \ + hydra-http-proxy-urlenum.o hydra-snmp.o hydra-cvs.o hydra-smtp.o \ + hydra-smtp-enum.o hydra-sapr3.o hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o \ + hydra-postgres.o hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o \ + hydra-svn.o hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \ hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o \ hydra-ncp.o hydra-http-proxy.o hydra-http-form.o hydra-irc.o \ hydra-redis.o hydra-rdp.o hydra-s7-300.c hydra-adam6500.o hydra-rtsp.o \ hydra-rpcap.o hydra-radmin2.o \ - crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o + crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o \ + hydra-smb2.o BINS = hydra pw-inspector EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \ 
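Review bot: `OPTS=-I. -O3 $(CFLAGS) -fcommon -Wno-deprecated-declarations` now folds `$(CFLAGS)` into `OPTS`, but the compile rule visible as context in the next hunk still passes `$(OPTS) $(SEC) $(CFLAGS)`, so user-supplied CFLAGS land twice on every compile line; drop `$(CFLAGS)` from one of the two places. `-fcommon` restores the pre-GCC-10 merging of tentative definitions for the whole build rather than fixing the duplicate globals it papers over, which is worth a one-line comment so the next person does not remove it blindly, e.g. `# -fcommon: keep building with GCC >= 10 until duplicate globals are cleaned up`. The new `WARN_CLANG`/`WARN_GCC` variables are defined here but referenced nowhere in this hunk; presumably configure selects one into the build, and a comment saying so would save readers the search.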
@@ -60,7 +68,7 @@ pw-inspector: pw-inspector.c $(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) -c $< $(XDEFINES) $(XIPATHS) strip: all - strip $(BINS) + -strip $(BINS) -echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null install: strip @@ -73,8 +81,18 @@ install: strip -cp -f *.csv $(DESTDIR)$(PREFIX)$(DATADIR) -mkdir -p $(DESTDIR)$(PREFIX)$(MANDIR) -cp -f hydra.1 xhydra.1 pw-inspector.1 $(DESTDIR)$(PREFIX)$(MANDIR) + -mkdir -p $(DESTDIR)$(PREFIX)$(PIXDIR) + -cp -f xhydra.png $(DESTDIR)$(PREFIX)$(PIXDIR)/ + -mkdir -p $(DESTDIR)$(PREFIX)$(APPDIR) + -desktop-file-install --dir $(DESTDIR)$(PREFIX)$(APPDIR) xhydra.desktop clean: rm -rf xhydra pw-inspector hydra *.o core *.core *.stackdump *~ Makefile.in Makefile dev_rfc hydra.restore arm/*.ipk arm/ipkg/usr/bin/* hydra-gtk/src/*.o hydra-gtk/src/xhydra hydra-gtk/stamp-h hydra-gtk/config.status hydra-gtk/errors hydra-gtk/config.log hydra-gtk/src/.deps hydra-gtk/src/Makefile hydra-gtk/Makefile cp -f Makefile.orig Makefile +uninstall: + -rm -f $(DESTDIR)$(PREFIX)$(BINDIR)/xhydra $(DESTDIR)$(PREFIX)$(BINDIR)/hydra $(DESTDIR)$(PREFIX)$(BINDIR)/pw-inspector $(DESTDIR)$(PREFIX)$(BINDIR)/hydra-wizard.sh $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh + -rm -f $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_full.csv $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_local.csv + -rm -f $(DESTDIR)$(PREFIX)$(MANDIR)/hydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/xhydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/pw-inspector.1 + -rm -f $(DESTDIR)$(PREFIX)$(PIXDIR)/xhydra.png + -rm -f $(DESTDIR)$(PREFIX)$(APPDIR)/xhydra.desktop diff --git a/Makefile.orig b/Makefile.orig index 372e67e..0fc0d2e 100644 --- a/Makefile.orig +++ b/Makefile.orig @@ -3,3 +3,6 @@ all: clean: cp -f Makefile.orig Makefile + +uninstall: + @echo Error: you must run "./configure" first diff --git a/PROBLEMS b/PROBLEMS index 74dafd2..4fcbf44 100644 --- a/PROBLEMS +++ b/PROBLEMS 
@@ -3,5 +3,3 @@ List of known issues: * Cygwin: more than 30 tasks (-t 31 or more) will lead to a stack smash * OS X: brew installed modules are not compiled correctly and will crash hydra -* RDP module: disabled as it does not support the current protocol. Help needed! - diff --git a/README b/README index 3847215..ca95b03 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ H Y D R A - (c) 2001-2019 by van Hauser / THC + (c) 2001-2023 by van Hauser / THC https://github.com/vanhauser-thc/thc-hydra many modules were written by David (dot) Maciejak @ gmail (dot) com BFG code by Jan Dlabal @@ -10,7 +10,17 @@ Please do not use in military or secret service organizations, or for illegal purposes. + (This is the wish of the author and non-binding. Many people working + in these organizations do not care for laws and ethics anyways. + You are not one of the "good" ones if you ignore this.) + NOTE: no this is not meant to be a markdown doc! old school! + + +Hydra in the most current github state can be directly downloaded via docker: +``` +docker pull vanhauser/hydra +``` INTRODUCTION @@ -24,7 +34,7 @@ access from remote to a system. THIS TOOL IS FOR LEGAL PURPOSES ONLY! There are already several login hacker tools available, however, none does -either support more than one protocol to attack or support parallized +either support more than one protocol to attack or support parallelized connects. It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, 
@@ -34,8 +44,8 @@ Currently this tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, - HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, - Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, + HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, + Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. @@ -58,6 +68,10 @@ repository is at Github: Use the development version at your own risk. It contains new features and new bugs. Things might not work! +Alternatively (and easier) to can pull it as a docker container: +``` +docker pull vanhauser/hydra +``` HOW TO COMPILE @@ -71,7 +85,7 @@ make install ``` If you want the ssh module, you have to setup libssh (not libssh2!) on your -system, get it from http://www.libssh.org, for ssh v1 support you also need +system, get it from https://www.libssh.org, for ssh v1 support you also need to add "-DWITH_SSH1=On" option in the cmake command line. IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! @@ -81,7 +95,8 @@ for a few optional modules (note that some might not be available on your distri ``` apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ - firebird-dev + firebird-dev libmemcached-dev libgpg-error-dev \ + libgcrypt11-dev libgcrypt20-dev freetds-dev ``` This enables all optional modules and features with the exception of Oracle, 
@@ -149,7 +164,7 @@ THIRD - check if the module has optional parameters e.g. hydra -U smtp FOURTH - the destination port - this is optional! if no port is supplied the default common port for the + this is optional, if no port is supplied the default common port for the PROTOCOL is used. If you specify SSL to use ("-S" option), the SSL common port is used by default. @@ -166,7 +181,7 @@ All attacks are then IPv6 only! If you want to supply your targets via a text file, you can not use the :// notation but use the old style and just supply the protocol (and module options): hydra [some command line options] -M targets.txt ftp -You can supply also the port for each target entry by adding ":" after a +You can also supply the port for each target entry by adding ":" after a target entry in the file, e.g.: ``` @@ -252,6 +267,7 @@ Examples: -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters -x 2:5:/ generate passwords from length 2 to 5 containing only slashes -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers +-x '3:3:aA1&~#\\ "\'<{([-|_^@)]=}>$%*?./§,;:!`' -v generates length 3 passwords with all 95 characters, and verbose. ``` Example: @@ -378,7 +394,7 @@ Version 1.00 example: "These are very free form" ], "generator": { - "built": "2019-03-01 14:44:22", + "built": "2021-03-01 14:44:22", "commandline": "hydra -b jsonv1 -o results.json ... ...", "jsonoutputversion": "1.00", "server": "127.0.0.1", diff --git a/README.md b/README.md deleted file mode 100644 index 3847215..0000000 --- a/README.md +++ /dev/null 
@@ -1,530 +0,0 @@ - - H Y D R A - - (c) 2001-2019 by van Hauser / THC - https://github.com/vanhauser-thc/thc-hydra - many modules were written by David (dot) Maciejak @ gmail (dot) com - BFG code by Jan Dlabal - - Licensed under AGPLv3 (see LICENSE file) - - Please do not use in military or secret service organizations, - or for illegal purposes. - - - -INTRODUCTION ------------- -Number one of the biggest security holes are passwords, as every password -security study shows. -This tool is a proof of concept code, to give researchers and security -consultants the possibility to show how easy it would be to gain unauthorized -access from remote to a system. - -THIS TOOL IS FOR LEGAL PURPOSES ONLY! - -There are already several login hacker tools available, however, none does -either support more than one protocol to attack or support parallized -connects. - -It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, -FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS. - -Currently this tool supports the following protocols: - Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, - HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, - HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, - HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, - Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, - Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, - SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, - VNC and XMPP. - -However the module engine for new services is very easy so it won't take a -long time until even more services are supported. -Your help in writing, enhancing or fixing modules is highly appreciated!! 
:-) - - - -WHERE TO GET ------------- -You can always find the newest release/production version of hydra at its -project page at https://github.com/vanhauser-thc/thc-hydra/releases -If you are interested in the current development state, the public development -repository is at Github: - svn co https://github.com/vanhauser-thc/thc-hydra - or - git clone https://github.com/vanhauser-thc/thc-hydra -Use the development version at your own risk. It contains new features and -new bugs. Things might not work! - - - -HOW TO COMPILE --------------- -To configure, compile and install hydra, just type: - -``` -./configure -make -make install -``` - -If you want the ssh module, you have to setup libssh (not libssh2!) on your -system, get it from http://www.libssh.org, for ssh v1 support you also need -to add "-DWITH_SSH1=On" option in the cmake command line. -IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! - -If you use Ubuntu/Debian, this will install supplementary libraries needed -for a few optional modules (note that some might not be available on your distribution): - -``` -apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ - libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ - firebird-dev -``` - -This enables all optional modules and features with the exception of Oracle, -SAP R/3, NCP and the apple filing protocol - which you will need to download and -install from the vendor's web sites. - -For all other Linux derivates and BSD based systems, use the system -software installer and look for similarly named libraries like in the -command above. In all other cases, you have to download all source libraries -and compile them manually. - - - -SUPPORTED PLATFORMS -------------------- -- All UNIX platforms (Linux, *BSD, Solaris, etc.) -- MacOS (basically a BSD clone) -- Windows with Cygwin (both IPv4 and IPv6) -- Mobile systems based on Linux, MacOS or QNX (e.g. 
Android, iPhone, Blackberry 10, Zaurus, iPaq) - - - -HOW TO USE ----------- -If you just enter `hydra`, you will see a short summary of the important -options available. -Type `./hydra -h` to see all available command line options. - -Note that NO login/password file is included. Generate them yourself. -A default password list is however present, use "dpl4hydra.sh" to generate -a list. - -For Linux users, a GTK GUI is available, try `./xhydra` - -For the command line usage, the syntax is as follows: - For attacking one target or a network, you can use the new "://" style: - hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS - The old mode can be used for these too, and additionally if you want to - specify your targets from a text file, you *must* use this one: - -``` -hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] -``` - -Via the command line options you specify which logins to try, which passwords, -if SSL should be used, how many parallel tasks to use for attacking, etc. - -PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, -http-get or many others are available -TARGET is the target you want to attack -MODULE-OPTIONS are optional values which are special per PROTOCOL module - -FIRST - select your target - you have three options on how to specify the target you want to attack: - 1. a single target on the command line: just put the IP or DNS address in - 2. a network range on the command line: CIDR specification like "192.168.0.0/24" - 3. a list of hosts in a text file: one line per entry (see below) - -SECOND - select your protocol - Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. - Use a port scanner to see which protocols are enabled on the target. - -THIRD - check if the module has optional parameters - hydra -U PROTOCOL - e.g. hydra -U smtp - -FOURTH - the destination port - this is optional! 
if no port is supplied the default common port for the - PROTOCOL is used. - If you specify SSL to use ("-S" option), the SSL common port is used by default. - - -If you use "://" notation, you must use "[" "]" brackets if you want to supply -IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: - hydra [some command line options] ftp://[192.168.0.0/24]/ - hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM - -Note that everything hydra does is IPv4 only! -If you want to attack IPv6 addresses, you must add the "-6" command line option. -All attacks are then IPv6 only! - -If you want to supply your targets via a text file, you can not use the :// -notation but use the old style and just supply the protocol (and module options): - hydra [some command line options] -M targets.txt ftp -You can supply also the port for each target entry by adding ":" after a -target entry in the file, e.g.: - -``` -foo.bar.com -target.com:21 -unusual.port.com:2121 -default.used.here.com -127.0.0.1 -127.0.0.1:2121 -``` - -Note that if you want to attach IPv6 targets, you must supply the -6 option -and *must* put IPv6 addresses in brackets in the file(!) like this: - -``` -foo.bar.com -target.com:21 -[fe80::1%eth0] -[2001::1] -[2002::2]:8080 -[2a01:24a:133:0:00:123:ff:1a] -``` - -LOGINS AND PASSWORDS --------------------- -You have many options on how to attack with logins and passwords -With -l for login and -p for password you tell hydra that this is the only -login and/or password to try. -With -L for logins and -P for passwords you supply text files with entries. -e.g.: - -``` -hydra -l admin -p password ftp://localhost/ -hydra -L default_logins.txt -p test ftp://localhost/ -hydra -l admin -P common_passwords.txt ftp://localhost/ -hydra -L logins.txt -P passwords.txt ftp://localhost/ -``` - -Additionally, you can try passwords based on the login via the "-e" option. 
-The "-e" option has three parameters: - -``` -s - try the login as password -n - try an empty password -r - reverse the login and try it as password -``` - -If you want to, e.g. try "try login as password and "empty password", you -specify "-e sn" on the command line. - -But there are two more modes for trying passwords than -p/-P: -You can use text file which where a login and password pair is separated by a colon, -e.g.: - -``` -admin:password -test:test -foo:bar -``` - -This is a common default account style listing, that is also generated by the -dpl4hydra.sh default account file generator supplied with hydra. -You use such a text file with the -C option - note that in this mode you -can not use -l/-L/-p/-P options (-e nsr however you can). -Example: - -``` -hydra -C default_accounts.txt ftp://localhost/ -``` - -And finally, there is a bruteforce mode with the -x option (which you can not -use with -p/-P/-C): - -``` --x minimum_length:maximum_length:charset -``` - -the charset definition is `a` for lowercase letters, `A` for uppercase letters, -`1` for numbers and for anything else you supply it is their real representation. -Examples: - -``` --x 1:3:a generate passwords from length 1 to 3 with all lowercase letters --x 2:5:/ generate passwords from length 2 to 5 containing only slashes --x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers -``` - -Example: - -``` -hydra -l ftp -x 3:3:a ftp://localhost/ -``` - -SPECIAL OPTIONS FOR MODULES ---------------------------- -Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m -command line option, you can pass one option to a module. -Many modules use this, a few require it! - -To see the special option of a module, type: - - hydra -U - -e.g. - - ./hydra -U http-post-form - -The special options can be passed via the -m parameter, as 3rd command line -option or in the service://target/option format. 
- -Examples (they are all equal): - -``` -./hydra -l test -p test -m PLAIN 127.0.0.1 imap -./hydra -l test -p test 127.0.0.1 imap PLAIN -./hydra -l test -p test imap://127.0.0.1/PLAIN -``` - -RESTORING AN ABORTED/CRASHED SESSION ------------------------------------- -When hydra is aborted with Control-C, killed or crashes, it leaves a -"hydra.restore" file behind which contains all necessary information to -restore the session. This session file is written every 5 minutes. -NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. -from little endian to big endian, or from Solaris to AIX) - -HOW TO SCAN/CRACK OVER A PROXY ------------------------------- -The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works -just for the http services!). -The following syntax is valid: - -``` -HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" -HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" -HYDRA_PROXY_HTTP="proxylist.txt" -``` - -The last example is a text file containing up to 64 proxies (in the same -format definition as the other examples). - -For all other services, use the HYDRA_PROXY variable to scan/crack. -It uses the same syntax. eg: - -``` -HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port -``` - -for example: - -``` -HYDRA_PROXY=connect://proxy.anonymizer.com:8000 -HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 -HYDRA_PROXY=socksproxylist.txt -``` - -ADDITIONAL HINTS ----------------- -* sort your password files by likelihood and use the -u option to find - passwords much faster! -* uniq your dictionary files! this can save you a lot of time :-) - cat words.txt | sort | uniq > dictionary.txt -* if you know that the target is using a password policy (allowing users - only to choose a password with a minimum length of 6, containing a least one - letter and one number, etc. 
use the tool pw-inspector which comes along - with the hydra package to reduce the password list: - cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt - - -RESULTS OUTPUT --------------- - -The results are output to stdio along with the other information. Via the -o -command line option, the results can also be written to a file. Using -b, -the format of the output can be specified. Currently, these are supported: - -* `text` - plain text format -* `jsonv1` - JSON data using version 1.x of the schema (defined below). -* `json` - JSON data using the latest version of the schema, currently there - is only version 1. - -If using JSON output, the results file may not be valid JSON if there are -serious errors in booting Hydra. - - -JSON Schema ------------ -Here is an example of the JSON output. Notes on some of the fields: - -* `errormessages` - an array of zero or more strings that are normally printed - to stderr at the end of the Hydra's run. The text is very free form. -* `success` - indication if Hydra ran correctly without error (**NOT** if - passwords were detected). This parameter is either the JSON value `true` - or `false` depending on completion. -* `quantityfound` - How many username+password combinations discovered. -* `jsonoutputversion` - Version of the schema, 1.00, 1.01, 1.11, 2.00, - 2.03, etc. Hydra will make second tuple of the version to always be two - digits to make it easier for downstream processors (as opposed to v1.1 vs - v1.10). The minor-level versions are additive, so 1.02 will contain more - fields than version 1.00 and will be backward compatible. Version 2.x will - break something from version 1.x output. - -Version 1.00 example: -``` -{ - "errormessages": [ - "[ERROR] Error Message of Something", - "[ERROR] Another Message", - "These are very free form" - ], - "generator": { - "built": "2019-03-01 14:44:22", - "commandline": "hydra -b jsonv1 -o results.json ... 
...", - "jsonoutputversion": "1.00", - "server": "127.0.0.1", - "service": "http-post-form", - "software": "Hydra", - "version": "v8.5" - }, - "quantityfound": 2, - "results": [ - { - "host": "127.0.0.1", - "login": "bill@example.com", - "password": "bill", - "port": 9999, - "service": "http-post-form" - }, - { - "host": "127.0.0.1", - "login": "joe@example.com", - "password": "joe", - "port": 9999, - "service": "http-post-form" - } - ], - "success": false -} -``` - - -SPEED ------ -through the parallelizing feature, this password cracker tool can be very -fast, however it depends on the protocol. The fastest are generally POP3 -and FTP. -Experiment with the task option (-t) to speed things up! The higher - the -faster ;-) (but too high - and it disables the service) - - - -STATISTICS ----------- -Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing -295 entries (294 tries invalid logins, 1 valid). Every test was run three -times (only for "1 task" just once), and the average noted down. - -``` - P A R A L L E L T A S K S -SERVICE 1 4 8 16 32 50 64 100 128 -------- -------------------------------------------------------------------- -telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* -ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 -pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 -imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 -``` - -(*) -Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with -128 tasks, running four times resulted in timings between 28 and 97 seconds! -The reason for this is unknown... - -guesses per task (rounded up): - - 295 74 38 19 10 6 5 3 3 - -guesses possible per connect (depends on the server software and config): - - telnet 4 - ftp 6 - pop3 1 - imap 3 - - - -BUGS & FEATURES ---------------- -Hydra: -Email me or David if you find bugs or if you have written a new module. 
-vh@thc.org (and put "antispam" in the subject line) - - -You should use PGP to encrypt emails to vh@thc.org : - -``` ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v3.3.3 (vh@thc.org) - -mQINBFIp+7QBEADQcJctjohuYjBxq7MELAlFDvXRTeIqqh8kqHPOR018xKL09pZT -KiBWFBkU48xlR3EtV5fC1yEt8gDEULe5o0qtK1aFlYBtAWkflVNjDrs+Y2BpjITQ -FnAPHw0SOOT/jfcvmhNOZMzMU8lIubAVC4cVWoSWJbLTv6e0DRIPiYgXNT5Quh6c -vqhnI1C39pEo/W/nh3hSa16oTc5dtTLbi5kEbdzml78TnT0OASmWLI+xtYKnP+5k -Xv4xrXRMVk4L1Bv9WpCY/Jb6J8K8SJYdXPtbaIi4VjgVr5gvg9QC/d/QP2etmw3p -lJ1Ldv63x6nXsxnPq6MSOOw8+QqKc1dAgIA43k6SU4wLq9TB3x0uTKnnB8pA3ACI -zPeRN9LFkr7v1KUMeKKEdu8jUut5iKUJVu63lVYxuM5ODb6Owt3+UXgsSaQLu9nI -DZqnp/M6YTCJTJ+cJANN+uQzESI4Z2m9ITg/U/cuccN/LIDg8/eDXW3VsCqJz8Bf -lBSwMItMhs/Qwzqc1QCKfY3xcNGc4aFlJz4Bq3zSdw3mUjHYJYv1UkKntCtvvTCN -DiomxyBEKB9J7KNsOLI/CSst3MQWSG794r9ZjcfA0EWZ9u6929F2pGDZ3LiS7Jx5 -n+gdBDMe0PuuonLIGXzyIuMrkfoBeW/WdnOxh+27eemcdpCb68XtQCw6UQARAQAB -tB52YW4gSGF1c2VyICgyMDEzKSA8dmhAdGhjLm9yZz6JAjkEEwECACMCGwMCHgEC -F4AFAlIp/QcGCwkIAwcCBhUKCQgLAgUWAwIBAAAKCRDI8AEqhCFiv2R9D/9qTCJJ -xCH4BUbWIUhw1zRkn9iCVSwZMmfaAhz5PdVTjeTelimMh5qwK2MNAjpR7vCCd3BH -Z2VLB2Eoz9MOgSCxcMOnCDJjtCdCOeaxiASJt8qLeRMwdMOtznM8MnKCIO8X4oo4 -qH8eNj83KgpI50ERBCj/EMsgg07vSyZ9i1UXjFofFnbHRWSW9yZO16qD4F6r4SGz -dsfXARcO3QRI5lbjdGqm+g+HOPj1EFLAOxJAQOygz7ZN5fj+vPp+G/drONxNyVKp -QFtENpvqPdU9CqYh8ssazXTWeBi/TIs0q0EXkzqo7CQjfNb6tlRsg18FxnJDK/ga -V/1umTg41bQuVP9gGmycsiNI8Atr5DWqaF+O4uDmQxcxS0kX2YXQ4CSQJFi0pml5 -slAGL8HaAUbV7UnQEqpayPyyTEx1i0wK5ZCHYjLBfJRZCbmHX7SbviSAzKdo5JIl -Atuk+atgW3vC3hDTrBu5qlsFCZvbxS21PJ+9zmK7ySjAEFH/NKFmx4B8kb7rPAOM -0qCTv0pD/e4ogJCxVrqQ2XcCSJWxJL31FNAMnBZpVzidudNURG2v61h3ckkSB/fP -JnkRy/yxYWrdFBYkURImxD8iFD1atj1n3EI5HBL7p/9mHxf1DVJWz7rYQk+3czvs -IhBz7xGBz4nhpCi87VDEYttghYlJanbiRfNh3okCOAQTAQIAIgUCUin7tAIbAwYL -CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyPABKoQhYr8OIA//cvkhoKay88yS -AjMQypach8C5CvP7eFCT11pkCt1DMAO/8Dt6Y/Ts10dPjohGdIX4PkoLTkQDwBDJ -HoLO75oqj0CYLlqDI4oHgf2uzd0Zv8f/11CQQCtut5oEK72mGNzv3GgVqg60z2KR 
-2vpxvGQmDwpDOPP620tf/LuRQgBpks7uazcbkAE2Br09YrUQSCBNHy8kirHW5m5C -nupMrcvuFx7mHKW1z3FuhM8ijG7oRmcBWfVoneQgIT3l2WBniXg1mKFhuUSV8Erc -XIcc11qsKshyqh0GWb2JfeXbAcTW8/4IwrCP+VfAyLO9F9khP6SnCmcNF9EVJyR6 -Aw+JMNRin7PgvsqbFhpkq9N+gVBAufz3DZoMTEbsMTtW4lYG6HMWhza2+8G9XyaL -ARAWhkNVsmQQ5T6qGkI19thB6E/T6ZorTxqeopNVA7VNK3RVlKpkmUu07w5bTD6V -l3Ti6XfcSQqzt6YX2/WUE8ekEG3rSesuJ5fqjuTnIIOjBxr+pPxkzdoazlu2zJ9F -n24fHvlU20TccEWXteXj9VFzV/zbPEQbEqmE16lV+bO8U7UHqCOdE83OMrbNKszl -7LSCbFhCDtflUsyClBt/OPnlLEHgEE1j9QkqdFFy90l4HqGwKvx7lUFDnuF8LYsb -/hcP4XhqjiGcjTPYBDK254iYrpOSMZSIRgQQEQIABgUCUioGfQAKCRBDlBVOdiii -tuddAJ4zMrge4qzajScIQcXYgIWMXVenCQCfYTNQPGkHVyp3dMhJ0NR21TYoYMC5 -Ag0EUin7tAEQAK5/AEIBLlA/TTgjUF3im6nu/rkWTM7/gs5H4W0a04kF4UPhaJUR -gCNlDfUnBFA0QD7Jja5LHYgLdoHXiFelPhGrbZel/Sw6sH2gkGCBtFMrVkm3u7tt -x3AZlprqqRH68Y5xTCEjGRncCAmaDgd2apgisJqXpu0dRDroFYpJFNH3vw9N2a62 -0ShNakYP4ykVG3jTDC4MSl2q3BO5dzn8GYFHU0CNz6nf3gZR+48BG+zmAT77peTS -+C4Mbd6LmMmB0cuS2kYiFRwE2B69UWguLHjpXFcu9/85JJVCl2CIab7l5hpqGmgw -G/yW8HFK04Yhew7ZJOXJfUYlv1EZzR5bOsZ8Z9inC6hvFmxuCYCFnvkiEI+pOxPA -oeNOkMaT/W4W+au0ZVt3Hx+oD0pkJb5if0jrCaoAD4gpWOte6LZA8mAbKTxkHPBr -rA9/JFis5CVNI688O6eDiJqCCJjPOQA+COJI+0V+tFa6XyHPB4LxA46RxtumUZMC -v/06sDJlXMNpZbSd5Fq95YfZd4l9Vr9VrvKXfbomn+akwUymP8RDyc6Z8BzjF4Y5 -02m6Ts0J0MnSYfEDqJPPZbMGB+GAgAqLs7FrZJQzOZTiOXOSIJsKMYsPIDWE8lXv -s77rs0rGvgvQfWzPsJlMIx6ryrMnAsfOkzM2GChGNX9+pABpgOdYII4bABEBAAGJ -Ah8EGAECAAkFAlIp+7QCGwwACgkQyPABKoQhYr+hrg/9Er0+HN78y6UWGFHu/KVK -d8M6ekaqjQndQXmzQaPQwsOHOvWdC+EtBoTdR3VIjAtX96uvzCRV3sb0XPB9S9eP -gRrO/t5+qTVTtjua1zzjZsMOr1SxhBgZ5+0U2aoY1vMhyIjUuwpKKNqj2uf+uj5Y -ZQbCNklghf7EVDHsYQ4goB9gsNT7rnmrzSc6UUuJOYI2jjtHp5BPMBHh2WtUVfYP -8JqDfQ+eJQr5NCFB24xMW8OxMJit3MGckUbcZlUa1wKiTb0b76fOjt0y/+9u1ykd -X+i27DAM6PniFG8BfqPq/E3iU20IZGYtaAFBuhhDWR3vGY4+r3OxdlFAJfBG9XDD -aEDTzv1XF+tEBo69GFaxXZGdk9//7qxcgiya4LL9Kltuvs82+ZzQhC09p8d3YSQN -cfaYObm4EwbINdKP7cr4anGFXvsLC9urhow/RNBLiMbRX/5qBzx2DayXtxEnDlSC -Mh7wCkNDYkSIZOrPVUFOCGxu7lloRgPxEetM5x608HRa3hDHoe5KvUBmmtavB/aR 
-zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni -1B/y8hBSx3SVb4sQVRe3clBkfS1/mYjlldtYjzOwcd02x599KJlcChf8HnWFB7qT -zB3yrr+vYBT0uDWmxwPjiJs= -=ytEf ------END PGP PUBLIC KEY BLOCK----- -``` diff --git a/TODO b/TODO index 8d798f6..06bf3f9 100644 --- a/TODO +++ b/TODO @@ -1,4 +1,9 @@ +./configure: + - add test for -march=native + +--- this is old --- + Prio 1: * add cookie support to hydra-http.c * hydra-smb more than 1 connection? diff --git a/_config.yml b/_config.yml new file mode 100644 index 0000000..225f091 --- /dev/null +++ b/_config.yml @@ -0,0 +1,2 @@ +title: "thc-hydra" +theme: jekyll-theme-midnight diff --git a/bfg.c b/bfg.c index a3a1dad..faad45d 100644 --- a/bfg.c +++ b/bfg.c @@ -1,17 +1,17 @@ -/* code original by Jan Dlabal , partially rewritten by vh */ +/* code original by Jan Dlabal , partially rewritten by vh. */ +#include +#include #include #include #include -#include -#include #ifdef __sun - #include +#include #elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) - #include +#include #else - #include +#include #endif #include "bfg.h" 
@@ -21,20 +21,26 @@ bf_option bf_options; extern int32_t debug; -static int32_t add_single_char(char ch, char flags, int32_t* crs_len) { +static int32_t add_single_char(char ch, char flags, int32_t *crs_len) { if ((ch >= '2' && ch <= '9') || ch == '0') { if ((flags & BF_NUMS) > 0) { - printf("[ERROR] character %c defined in -x although the whole number range was already defined by '1', ignored\n", ch); + printf("[ERROR] character %c defined in -x although the whole number " + "range was already defined by '1', ignored\n", + ch); return 0; } - //printf("[WARNING] adding character %c for -x, note that '1' will add all numbers from 0-9\n", ch); + // printf("[WARNING] adding character %c for -x, note that '1' will add all + // numbers from 0-9\n", ch); } - if (tolower((int32_t) ch) >= 'b' && tolower((int32_t) ch) <= 'z') { + if (tolower((int32_t)ch) >= 'b' && tolower((int32_t)ch) <= 'z') { if ((ch <= 'Z' && (flags & BF_UPPER) > 0) || (ch > 'Z' && (flags & BF_UPPER) > 0)) { - printf("[ERROR] character %c defined in -x although the whole letter range was already defined by '%c', ignored\n", ch, ch <= 'Z' ? 'A' : 'a'); + printf("[ERROR] character %c defined in -x although the whole letter " + "range was already defined by '%c', ignored\n", + ch, ch <= 'Z' ? 'A' : 'a'); return 0; } - //printf("[WARNING] adding character %c for -x, note that '%c' will add all %scase letters\n", ch, ch <= 'Z' ? 'A' : 'a', ch <= 'Z' ? "up" : "low"); + // printf("[WARNING] adding character %c for -x, note that '%c' will add all + // %scase letters\n", ch, ch <= 'Z' ? 'A' : 'a', ch <= 'Z' ? "up" : "low"); } (*crs_len)++; if (BF_CHARSMAX - *crs_len < 1) { 
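Review bot: The lowercase branch of the duplicate-range check in add_single_char tests the uppercase flag a second time — `(ch > 'Z' && (flags & BF_UPPER) > 0)` — while the message it prints names `'a'` as the covering range, so a lowercase letter listed after `a` is only rejected when `A` was given as well. The bfg.h hunk below defines `BF_LOWER`, which looks like the intended flag: `(ch > 'Z' && (flags & BF_LOWER) > 0)`. That line is unchanged context in this hunk, and add_single_char's body continues past it.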
@@ -65,7 +71,8 @@ int32_t bf_init(char *arg) { } bf_options.from = atoi(arg); if (bf_options.from < 1 || bf_options.from > 127) { - fprintf(stderr, "Error: minimum length must be between 1 and 127, format: -x min:max:types\n"); + fprintf(stderr, "Error: minimum length must be between 1 and 127, format: " + "-x min:max:types\n"); return 1; } arg = tmp + 1; @@ -85,7 +92,8 @@ int32_t bf_init(char *arg) { tmp++; if (bf_options.from > bf_options.to) { - fprintf(stderr, "Error: you specified a minimum length higher than the maximum length!\n"); + fprintf(stderr, "Error: you specified a minimum length higher than the " + "maximum length!\n"); return 1; } @@ -165,23 +173,25 @@ int32_t bf_init(char *arg) { bf_options.crs_len = crs_len; bf_options.current = bf_options.from; - memset((char *) bf_options.state, 0, sizeof(bf_options.state)); + + memset((char *)bf_options.state, 0, sizeof(bf_options.state)); + if (debug) printf("[DEBUG] bfg INIT: from %u, to %u, len: %u, set: %s\n", bf_options.from, bf_options.to, bf_options.crs_len, bf_options.crs); return 0; } - uint64_t bf_get_pcount() { int32_t i; double count = 0; uint64_t foo; for (i = bf_options.from; i <= bf_options.to; i++) - count += (pow((double) bf_options.crs_len, (double) i)); + count += (pow((double)bf_options.crs_len, (double)i)); if (count >= 0xffffffff) { - fprintf(stderr, "\n[ERROR] definition for password bruteforce (-x) generates more than 4 billion passwords\n"); + fprintf(stderr, "\n[ERROR] definition for password bruteforce (-x) " + "generates more than 4 billion passwords - this is not a bug in the program, it is just not feasible to try so many attempts. Try a calculator how long that would take. duh.\n"); exit(-1); } 
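Review bot: The range guard right after `bf_options.from = atoi(arg);` appears to run on an already-truncated value: if `from` is an `unsigned char` like the `to` and `current` fields shown in the bfg.h hunk, a value such as 257 is stored as 1 before `bf_options.from < 1 || bf_options.from > 127` is evaluated and passes silently. Checking the `int` result first would close that: `int32_t from = atoi(arg); if (from < 1 || from > 127) { ...existing error... } bf_options.from = from;`. The same pattern presumably applies to the `to` parse in the next hunk, which is not fully visible; bf_init begins outside this hunk.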
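Review bot: The extended diagnostic in bf_get_pcount ends with `Try a calculator how long that would take. duh.`; a user-facing error reads better neutral and shorter, e.g. `"\n[ERROR] definition for password bruteforce (-x) generates more than 4 billion passwords; trying that many attempts is not feasible, reduce the length range or the charset\n"`. The check itself (`count >= 0xffffffff`) and the `exit(-1)` are unchanged by this commit. bf_get_pcount's body continues past the hunk.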
@@ -189,20 +199,20 @@ uint64_t bf_get_pcount() { return foo; } - char *bf_next() { int32_t i, pos = bf_options.current - 1; if (bf_options.current > bf_options.to) - return NULL; // we are done + return NULL; // we are done if ((bf_options.ptr = malloc(BF_CHARSMAX)) == NULL) { fprintf(stderr, "Error: Can not allocate memory for -x data!\n"); return NULL; } - for (i = 0; i < bf_options.current; i++) + for (i = 0; i < bf_options.current; ++i) bf_options.ptr[i] = bf_options.crs[bf_options.state[i]]; + // we don't subtract the same depending on wether the length is odd or even bf_options.ptr[bf_options.current] = 0; if (debug) { @@ -212,14 +222,15 @@ char *bf_next() { printf(", x: %s\n", bf_options.ptr); } + // we revert the ordering of the bruteforce to fix the first static character while (pos >= 0 && (++bf_options.state[pos]) >= bf_options.crs_len) { bf_options.state[pos] = 0; pos--; } - if (pos < 0) { + if (pos < 0 || pos >= bf_options.current) { bf_options.current++; - memset((char *) bf_options.state, 0, sizeof(bf_options.state)); + memset((char *)bf_options.state, 0, sizeof(bf_options.state)); } return bf_options.ptr; diff --git a/bfg.h b/bfg.h index 2ac5f49..6d11aee 100644 --- a/bfg.h +++ b/bfg.h @@ -24,7 +24,9 @@ #define BF_WEBSITE "http://houbysoft.com/bfg/" #define BF_BUFLEN 1024 -#define BF_CHARSMAX 256 /* how many max possibilities there are for characters, normally it's 2^8 = 256 */ +#define BF_CHARSMAX \ + 256 /* how many max possibilities there are for characters, normally it's \ + 2^8 = 256 */ #define BF_LOWER 1 #define BF_UPPER 2 
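Review bot: The added condition in bf_next, `pos < 0 || pos >= bf_options.current`, cannot change behaviour: `pos` starts at `bf_options.current - 1` and the carry loop above only decrements it, so the second operand is never true and the length-advance logic is exactly what it was. The two new comments do not describe the lines they sit on either — nothing is subtracted at `bf_options.ptr[bf_options.current] = 0;` and the loop order is unchanged (also `wether` → `whether`); a comment that matches the code would be `// carry: advance the last position, wrapping to the next length once every position has overflowed`. Separately, each call allocates a fresh `BF_CHARSMAX` buffer into `bf_options.ptr` without releasing the previous one; whether the caller frees it is not visible here. bf_next's closing brace lies outside the hunk.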
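Review bot: The reformatted `BF_CHARSMAX` definition in bfg.h now carries a backslash line-continuation inside the trailing block comment (`256 /* how many ... \` continued by `2^8 = 256 */`). It is valid C because line splicing happens before comment removal, but it reads as if the macro body continues and is easy to break when edited. Putting the comment on its own line above the define keeps clang-format from splitting it: `/* max distinct characters in a charset, normally 2^8 = 256 */` followed by `#define BF_CHARSMAX 256`.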
@@ -35,11 +37,11 @@ typedef struct { unsigned char to; unsigned char current; unsigned char state[BF_CHARSMAX]; /* which position has which character */ - unsigned char pos; /* where in current string length is the position */ - unsigned char crs_len; /* length of selected charset */ - char *arg; /* argument received for bfg commandline option */ - char *crs; /* internal representation of charset */ - char *ptr; /* ptr to the last generated password */ + unsigned char pos; /* where in current string length is the position */ + unsigned char crs_len; /* length of selected charset */ + char *arg; /* argument received for bfg commandline option */ + char *crs; /* internal representation of charset */ + char *ptr; /* ptr to the last generated password */ uint32_t disable_symbols; } bf_option; diff --git a/configure b/configure index 88b1a05..dc86adb 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #!/bin/sh # -# uname -s = Linux | OpenBSD | FreeBSD +# uname -s = Linux | OpenBSD | FreeBSD | Darwin # uname -m = i636 or x86_64 if [ "$1" = "-h" -o "$1" = "--help" ]; then @@ -17,10 +17,12 @@ if [ "$1" = "-h" -o "$1" = "--help" ]; then echo " --help this here" echo echo If the CC environment variable is set, this is used as the compiler for the configure tests. The default is \"gcc\" otherwise. + echo You can also set PKG_CONFIG if necessary. exit 0 fi test -z "$CC" && CC=gcc +test -z "$PKG_CONFIG" && PKG_CONFIG=pkg-config FHS="" SIXFOUR="" @@ -38,6 +40,7 @@ WSSL_LIB_PATH="" CURSES_PATH="" CURSES_IPATH="" CRYPTO_PATH="" +GPGERROR_IPATH="" IDN_PATH="" IDN_IPATH="" PR29_IPATH="" @@ -48,6 +51,12 @@ FIREBIRD_PATH="" FIREBIRD_IPATH="" MYSQL_PATH="" MYSQL_IPATH="" +MCACHED_PATH="" +MCACHED_IPATH="" +MONGODB_PATH="" +MONGODB_IPATH="" +BSON_PATH="" +BSON_IPATH="" AFP_PATH="" AFP_IPATH="" NCP_PATH="" 
@@ -63,6 +72,12 @@ NSL_PATH="" SOCKET_PATH="" MANDIR="" XHYDRA_SUPPORT="" +FREERDP2_PATH="" +WINPR2_PATH="" +FREERDP3_PATH="" +WINPR3_PATH="" +SMBC_PATH="" +SMBC_IPATH="" if [ '!' "X" = "X$*" ]; then while [ $# -gt 0 ] ; do @@ -117,6 +132,7 @@ echo "Starting hydra auto configuration ..." rm -f Makefile.in SYSS=`uname -s 2> /dev/null` SYSO=`uname -o 2> /dev/null` +SYSM=`uname -m 2> /dev/null` if [ "$SYSS" = "Linux" -o "$SYSS" = "OpenBSD" -o "$SYSS" = "FreeBSD" -o "$SYSS" = "NetBSD" -o "$SYSS" = "Darwin" ]; then SF=`uname -m | grep 64` if [ `uname -m` = "s390x" ]; then @@ -133,7 +149,7 @@ fi # On macOS /usr/include only exists if one has installed the Command Line Tools package. # If this is an Xcode-only system we need to look inside the SDK for headers. SDK_PATH="" -if [ "$SYSS" = "Darwin" ] && [ ! -d "/usr/include" ]; then +if [ "$SYSS" = "Darwin" -a ! -d "/usr/include" ]; then SDK_PATH=`xcrun --show-sdk-path` fi LIBDIRS=`cat /etc/ld.so.conf /etc/ld.so.conf.d/* 2> /dev/null | grep -v '^#' | sort | uniq` @@ -143,8 +159,8 @@ fi if [ -d "/Library/Developer/CommandLineTools/usr/lib" ]; then LIBDIRS="$LIBDIRS /Library/Developer/CommandLineTools/usr/lib /Library/Developer/CommandLineTools/lib" fi -LIBDIRS="$LIBDIRS /lib /usr/lib /usr/local/lib /opt/local/lib" -INCDIRS="$SDK_PATH/usr/include /usr/local/include /opt/include /opt/local/include" +LIBDIRS="$LIBDIRS /lib /usr/lib /usr/local/lib /opt/local/lib /mingw64/lib /mingw64/bin" +INCDIRS="$SDK_PATH/usr/include /usr/local/include /opt/include /opt/local/include /mingw64/include" if [ -n "$PREFIX" ]; then if [ -d "$PREFIX/lib" ]; then LIBDIRS="$LIBDIRS $PREFIX/lib" @@ -156,7 +172,7 @@ fi STRIP="strip" echo -echo "Checking for zlib (libz.so, zlib.h) ..." +echo "Checking for zlib (libz/zlib.h) ..." for i in $INCDIRS; do if [ -f "$i/zlib.h" ]; then HAVE_ZLIB="y" 
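Review bot: `SYSM` now caches `uname -m`, yet the unchanged `if` directly below still runs `uname -m` twice more (`SF=\`uname -m | grep 64\`` and the `s390x` comparison). With the value already in a variable those can read it instead: `SF=\`echo "$SYSM" | grep 64\`` and `if [ "$SYSM" = "s390x" ]; then`. `SYSM` is consumed by the gpg-error.h glob in the gcrypt hunk further down.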
@@ -164,12 +180,38 @@ for i in $INCDIRS; do done if [ -n "$HAVE_ZLIB" ]; then - echo " ... found" + echo " ... found" else - echo " ... zlib not found, gzip support disabled" + echo " ... zlib not found, gzip support disabled" fi -echo "Checking for openssl (libssl, libcrypto, ssl.h, sha.h) ..." +echo "Checking for sybdb (sybdb.h) ..." +for i in $INCDIRS; do + if [ -f "$i/sybdb.h" ]; then + HAVE_SYBDB="y" + fi +done + +if [ -n "$HAVE_SYBDB" ]; then + echo " ... found" +else + echo " ... sybdb not found, MSSQL module will lack TDSv7 support" +fi + +echo "Checking for sybfront (sybfront.h) ..." +for i in $INCDIRS; do + if [ -f "$i/sybfront.h" ]; then + HAVE_SYBFRONT="y" + fi +done + +if [ -n "$HAVE_SYBFRONT" ]; then + echo " ... found" +else + echo " ... sybfront not found, MSSQL module will lack TDSv7 support" +fi + +echo "Checking for openssl (libssl/libcrypto/ssl.h/sha.h) ..." if [ "X" != "X$DEBUG" ]; then echo DEBUG: SSL_LIB=$LIBDIRS `ls -d /*ssl /usr/*ssl /opt/*ssl /usr/local/*ssl /opt/local/*ssl /*ssl/lib /usr/*ssl/lib /opt/*ssl/lib /usr/local/*ssl/lib /opt/local/*ssl/lib 2> /dev/null` echo DEBUG: SSL_INC=$INCDIRS `ls -d /*ssl/include /opt/*ssl/include /usr/*ssl/include /usr/local/*ssl/include 2> /dev/null` 
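Review bot: The new sybdb and sybfront probes only test for the header files in `$INCDIRS`; unlike the gcrypt and idn checks in this script they never search `$LIBDIRS` for the library itself, so a host with the FreeTDS headers but no libsybdb passes configure and presumably fails at link time. Both headers ship in the same package and both loops print the same diagnostic, so one check setting a single flag would suffice, with a `$LIBDIRS` loop in the style of the gcrypt block (`-f "$i/libsybdb.so" -o -f "$i/libsybdb.dylib" -o -f "$i/libsybdb.a"`) making the result meaningful.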
@@ -238,37 +280,48 @@ if [ "X" = "X$SSL_IPATH" ]; then CRYPTO_PATH="" fi if [ -n "$SSL_PATH" -a "X" = "X$SSLNEW" ]; then - echo " ... found but OLD" + echo " ... found but OLD" echo "NOTE: your OpenSSL package is outdated, update it!" fi if [ -n "$SSL_PATH" -a '!' "X" = "X$SSLNEW" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$SSL_PATH" ]; then - echo " ... NOT found, SSL support disabled" + echo " ... NOT found, SSL support disabled" echo "Get it from http://www.openssl.org" fi if [ "$SSL_IPATH" = "/usr/include" ]; then SSL_IPATH="" fi -echo "Checking for gcrypt (libgcrypt.so) ..." +echo "Checking for gcrypt (libgcrypt/gpg-error.h) ..." for i in $LIBDIRS ; do - if [ "X" = "X$GCRYPT_PATH" ]; then - if [ -f "$i/libgcrypt.so" -o -f "$i/libgcrypt.dylib" -o -f "$i/libgcrypt.a" -o -f "$i/libgcrypt.dll.a" -o -f "$i/libgcrypt.la" ]; then + if [ -f "$i/libgcrypt.so" -o -f "$i/libgcrypt.dylib" -o -f "$i/libgcrypt.a" -o -f "$i/libgcrypt.dll.a" -o -f "$i/libgcrypt.la" ]; then HAVE_GCRYPT="y" + fi +done + +for i in $INCDIRS ; do + if [ "X" = "X$GPGERROR_IPATH" ]; then + TMP_PATH=`/bin/ls $i/$SYSM*/gpg-error.h 2> /dev/null` + if [ -n "$TMP_PATH" ]; then + GPGERROR_IPATH="$i" + else + if [ -f "$i/gpg-error.h" ]; then + GPGERROR_IPATH="$i" + fi fi fi done -if [ -n "$HAVE_GCRYPT" ]; then - echo " ... found" + +if [ -n "$HAVE_GCRYPT" -a "X" != "X$GPGERROR_IPATH" ]; then + echo " ... found" else - echo " ... gcrypt not found, radmin2 module disabled" + echo " ... gcrypt not found, radmin2 module disabled" + HAVE_GCRYPT="" fi - - -echo "Checking for idn (libidn.so) ..." +echo "Checking for idn (libidn) ..." for i in $LIBDIRS ; do if [ "X" = "X$IDN_PATH" ]; then if [ -f "$i/libidn.so" -o -f "$i/libidn.dylib" -o -f "$i/libidn.a" -o -f "$i/libidn.dll.a" -o -f "$i/libidn.la" ]; then 
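Review bot: The else branch of the new combined test still prints `gcrypt not found, radmin2 module disabled`, but it is now also reached when libgcrypt was found and only gpg-error.h is missing, which points the user at the wrong package; `echo " ... gcrypt or gpg-error.h not found, radmin2 module disabled"` says what was actually checked. Also, when the header is located through the `$i/$SYSM*/gpg-error.h` glob, `GPGERROR_IPATH` is set to `$i` rather than to the subdirectory that holds the header, so the recorded include path only works where the compiler already searches that subdirectory on its own; recording the directory of the first match (`dirname` of the first line of `$TMP_PATH`) would capture the real location.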
@@ -300,17 +353,17 @@ if [ "X" != "X$DEBUG" ]; then echo DEBUG: PR29_IPATH=$PR29_IPATH/pr29.h fi if [ -n "$IDN_PATH" -a -n "$IDN_IPATH" ]; then - echo " ... found" + echo " ... found" fi #pr29 is optional if [ "X" = "X$IDN_PATH" -o "X" = "X$IDN_IPATH" ]; then - echo " ... NOT found, unicode logins and passwords will not be supported" + echo " ... NOT found, unicode logins and passwords will not be supported" IDN_PATH="" IDN_IPATH="" PR29_IPATH="" fi -echo "Checking for curses (libcurses.so / term.h) ..." +echo "Checking for curses (libcurses/term.h) ..." for i in $LIBDIRS; do if [ "X" = "X$CURSES_PATH" ]; then if [ -f "$i/libcurses.so" -o -f "$i/libcurses.dylib" -o -f "$i/libcurses.a" ]; then @@ -345,29 +398,29 @@ if [ "X" != "X$DEBUG" ]; then echo DEBUG: CURSES_IPATH=$CURSES_IPATH/term.h fi if [ -n "$CURSES_PATH" -a -n "$CURSES_IPATH" ]; then - echo " ... found, color output enabled" + echo " ... found, color output enabled" fi if [ "X" = "X$CURSES_PATH" -o "X" = "X$CURSES_IPATH" ]; then - echo " ... NOT found, color output disabled" + echo " ... NOT found, color output disabled" CURSES_PATH="" CURSES_IPATH="" fi -echo "Checking for pcre (libpcre.so, pcre.h) ..." +echo "Checking for pcre2 (libpcre/pcre.h) ..." for i in $LIBDIRS ; do if [ "X" = "X$PCRE_PATH" ]; then - if [ -f "$i/libpcre.so" -o -f "$i/libpcre.dylib" -o -f "$i/libpcre.a" ]; then + if [ -f "$i/libpcre2-8.so" -o -f "$i/libpcre2-8.dylib" -o -f "$i/libpcre2-8.a" ]; then PCRE_PATH="$i" fi fi if [ "X" = "X$PCRE_PATH" ]; then - TMP_LIB=`/bin/ls $i/libpcre.so* 2> /dev/null | grep libpcre.` + TMP_LIB=`/bin/ls $i/libpcre2*.so* 2> /dev/null | grep libpcre.` if [ -n "$TMP_LIB" ]; then PCRE_PATH="$i" fi fi if [ "X" = "X$PCRE_PATH" ]; then - TMP_LIB=`/bin/ls $i/libpcre.dll* 2> /dev/null | grep libpcre.` + TMP_LIB=`/bin/ls $i/libpcre2*.dll* 2> /dev/null | grep libpcre.` if [ -n "$TMP_LIB" ]; then PCRE_PATH="$i" fi 
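Review bot: The progress line now reads `Checking for pcre2 (libpcre/pcre.h) ...` while the loop below looks for `libpcre2-8` and the next hunk for `pcre2.h`, and the DEBUG echo in that next hunk still prints `$PCRE_PATH/libpcre`; both should name what is actually probed: `echo "Checking for pcre2 (libpcre2-8/pcre2.h) ..."` and `echo DEBUG: PCRE_PATH=$PCRE_PATH/libpcre2-8`. The `grep libpcre.` filter still matches the new file names only because `.` is a regex wildcard; `grep libpcre2` would state the intent.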
@@ -375,25 +428,25 @@ for i in $LIBDIRS ; do done for i in $INCDIRS ; do if [ "X" != "X$PCRE_PATH" ]; then - if [ -f "$i/pcre.h" ]; then + if [ -f "$i/pcre2.h" ]; then PCRE_IPATH="$i" fi fi done if [ "X" != "X$DEBUG" ]; then echo DEBUG: PCRE_PATH=$PCRE_PATH/libpcre - echo DEBUG: PCRE_IPATH=$PCRE_IPATH/pcre.h + echo DEBUG: PCRE_IPATH=$PCRE_IPATH/pcre2.h fi if [ -n "$PCRE_PATH" -a -n "$PCRE_IPATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$PCRE_PATH" -o "X" = "X$PCRE_IPATH" ]; then - echo " ... NOT found, server response checks will be less reliable" + echo " ... NOT found, server response checks will be less reliable" PCRE_PATH="" PCRE_IPATH="" fi -echo "Checking for Postgres (libpq.so, libpq-fe.h) ..." +echo "Checking for Postgres (libpq/libpq-fe.h) ..." #if [ "$SYSO" = "Cygwin" ]; then # echo " ... DISABLED - postgres is buggy in Cygwin at the moment" # POSTGRES_PATH="" @@ -420,7 +473,7 @@ echo "Checking for Postgres (libpq.so, libpq-fe.h) ..." done POSTGRES_IPATH= for i in $INCDIRS \ - /opt/p*sql*/include /usr/*p*sql*/include /usr/local/*psql*/include + /opt/p*sql*/include /usr/*p*sql*/include /usr/local/*psql*/include /mingw64/include do if [ "X" = "X$POSTGRES_IPATH" ]; then if [ -f "$i/libpq-fe.h" ]; then @@ -440,16 +493,16 @@ if [ "X" != "X$DEBUG" ]; then echo DEBUG: POSTGRES_IPATH=$POSTGRES_IPATH/libpq-fe.h fi if [ -n "$POSTGRES_PATH" -a -n "$POSTGRES_IPATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$POSTGRES_PATH" -o "X" = "X$POSTGRES_IPATH" ]; then - echo " ... NOT found, module postgres disabled" + echo " ... NOT found, module postgres disabled" POSTGRES_PATH="" POSTGRES_IPATH="" fi #fi -echo "Checking for SVN (libsvn_client-1 libapr-1.so libaprutil-1.so) ..." +echo "Checking for SVN (libsvn_client-1/libapr-1/libaprutil-1) ..." for i in $LIBDIRS ; do if [ "X" = "X$SVN_PATH" ]; then if [ -f "$i/libsvn_client-1.so" ]; then 
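Review bot: The debug line `echo DEBUG: PCRE_PATH=$PCRE_PATH/libpcre` still reports the PCRE1 library name while the header line directly below it was updated to pcre2.h and the library probe now looks for libpcre2-8. Change it to `echo DEBUG: PCRE_PATH=$PCRE_PATH/libpcre2-8` so DEBUG output describes the file that was actually found.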
@@ -549,6 +602,10 @@ for i in $INCDIRS ; do fi fi done +SYS_PARAM="" +if [ -f "$SDK_PATH/usr/include/sys/param.h" ]; then + SYS_PARAM=-DHAVE_SYS_PARAM_H +fi if [ "X" != "X$DEBUG" ]; then echo DEBUG: SVN_PATH=$SVN_PATH/libsvn_client-1 echo DEBUG: APR_PATH=$APR_PATH/libapr @@ -569,13 +626,13 @@ if [ "$APR_IPATH" = "/usr/include" ]; then fi if [ -n "$SVN_PATH" -a -n "$APR_PATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$SVN_PATH" -o "X" = "X$APR_PATH" ]; then - echo " ... NOT found, module svn disabled" + echo " ... NOT found, module svn disabled" fi -echo "Checking for firebird (libfbclient.so) ..." +echo "Checking for firebird (libfbclient) ..." for i in $LIBDIRS ; do if [ "X" = "X$FIREBIRD_PATH" ]; then if [ -f "$i/libfbclient.so" -o -f "$i/libfbclient.dylib" -o -f "$i/libfbclient.a" ]; then @@ -600,6 +657,9 @@ for i in $INCDIRS ; do if [ -f "$i/ibase.h" ]; then FIREBIRD_IPATH="$i" fi + if [ -f "$i/firebird/ibase.h" ]; then + FIREBIRD_IPATH="$i/firebird" + fi fi done if [ "X" != "X$DEBUG" ]; then @@ -607,15 +667,15 @@ if [ "X" != "X$DEBUG" ]; then echo DEBUG: FIREBIRD_IPATH=$FIREBIRD_IPATH/ibase.h fi if [ -n "$FIREBIRD_PATH" -a -n "$FIREBIRD_IPATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$FIREBIRD_PATH" -o "X" = "X$FIREBIRD_IPATH" ]; then - echo " ... NOT found, module firebird disabled" + echo " ... NOT found, module firebird disabled" FIREBIRD_PATH="" FIREBIRD_IPATH="" fi -echo "Checking for MYSQL client (libmysqlclient.so, math.h) ..." +echo "Checking for MYSQL client (libmysqlclient/math.h) ..." for i in $LIBDIRS ; do if [ "X" = "X$MYSQL_PATH" ]; then if [ -f "$i/libmysqlclient.so" -o -f "$i/libmysqlclient.dylib" -o -f "$i/libmysqlclient.a" ]; then 
@@ -655,16 +715,16 @@ MATH="" if [ -f "$SDK_PATH/usr/include/math.h" ]; then MATH="-DHAVE_MATH_H" if [ -n "$MYSQL_PATH" -a -n "$MYSQL_IPATH" -a -n "$MATH" ]; then - echo " ... found" + echo " ... found" else - echo " ... NOT found, module Mysql will not support version > 4.x" + echo " ... NOT found, module Mysql will not support version > 4.x" MYSQL_PATH="" MYSQL_IPATH="" fi else echo " ... math.h not found, module Mysql disabled" fi -echo "Checking for AFP (libafpclient.so) ..." +echo "Checking for AFP (libafpclient) ..." for i in $LIBDIRS ; do if [ "X" = "X$AFP_PATH" ]; then if [ -f "$i/libafpclient.so" -o -f "$i/libafpclient.so" -o -f "$i/libafpclient.a" ]; then @@ -696,15 +756,15 @@ if [ "X" != "X$DEBUG" ]; then echo DEBUG: AFP_IPATH=$AFP_IPATH/afp.h fi if [ -n "$AFP_PATH" -a -n "$AFP_IPATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$AFP_PATH" -o "X" = "X$AFP_IPATH" ]; then - echo " ... NOT found, module Apple Filing Protocol disabled - Apple sucks anyway" + echo " ... NOT found, module Apple Filing Protocol disabled - Apple sucks anyway" AFP_PATH="" AFP_IPATH="" fi -echo "Checking for NCP (libncp.so / nwcalls.h) ..." +echo "Checking for NCP (libncp/nwcalls.h) ..." for i in $LIBDIRS ; do if [ "X" = "X$NCP_PATH" ]; then if [ -f "$i/libncp.so" -o -f "$i/libncp.dylib" -o -f "$i/libncp.a" ]; then @@ -736,10 +796,10 @@ if [ "X" != "X$DEBUG" ]; then echo DEBUG: NCP_IPATH=$NCP_IPATH/ncp/nwcalls.h fi if [ -n "$NCP_PATH" -a -n "$NCP_IPATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$NCP_PATH" -o "X" = "X$NCP_IPATH" ]; then - echo " ... NOT found, module NCP disabled" + echo " ... NOT found, module NCP disabled" NCP_PATH="" NCP_IPATH="" fi 
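Review bot: The AFP probe on the context line `if [ -f "$i/libafpclient.so" -o -f "$i/libafpclient.so" -o -f "$i/libafpclient.a" ]` tests the `.so` twice and never the `.dylib`, unlike every other library probe in this file; this is pre-existing, but since the commit rewrites the banner line directly above it, the second test should become `-f "$i/libafpclient.dylib"`. Separately, the `else echo " ... math.h not found, module Mysql disabled"` branch does not clear MYSQL_PATH/MYSQL_IPATH, and the XLIBS block later in this patch still appends `-lmysqlclient` whenever MYSQL_PATH is non-empty, so a "disabled" module may still be linked; confirm against the later XDEFINES handling, which is outside this hunk, and clear both variables in that branch if the disable is meant to be complete.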
@@ -834,7 +894,7 @@ if [ "$SSH_IPATH" = "/usr/include" ]; then SSH_IPATH="" fi -echo "Checking for Oracle (libocci.so libclntsh.so / oci.h and libaio.so) ..." +echo "Checking for Oracle (libocci/libclntsh/oci.h/libaio/liboci) ..." #assume if we find oci.h other headers should also be in that dir #for libs we will test the 2 if [ "X" != "X$WORACLE_PATH" ]; then @@ -864,6 +924,11 @@ for i in $LIBDIRS ; do ORACLE_PATH="$i" fi fi + if [ "X" = "X$ORACLE_PATH" ]; then + if [ -f "$i/liboci.a" -a -f "$i/oci.dll" ]; then + ORACLE_PATH="$i" + fi + fi if [ "X" = "X$ORACLE_PATH" ]; then TMP_LIB=`/bin/ls $i/libocci.so.* 2> /dev/null | grep occi.` if [ -n "$TMP_LIB" ]; then @@ -877,23 +942,17 @@ for i in $LIBDIRS ; do fi fi if [ "X" = "X$ORACLE_PATH" ]; then - TMP_LIB=`/bin/ls $i/libocci.dll* 2> /dev/null | grep occi.` + TMP_LIB=`/bin/ls $i/oci.dll* 2> /dev/null | grep occi.` if [ -n "$TMP_LIB" ]; then ORACLE_PATH="$i" fi - if [ "X" != "X$ORACLE_PATH" ]; then - TMP_LIB=`/bin/ls $i/libclntsh.dll* 2> /dev/null | grep clntsh.` - if [ -z "$TMP_LIB" ]; then - ORACLE_PATH="" - fi - fi fi done if [ "X" != "X$DEBUG" ]; then echo DEBUG: ORACLE_PATH=$ORACLE_PATH/libocci fi -#check for Kernel Asynchronous I/O (AIO) lib support -if [ "X" != "X$ORACLE_PATH" ]; then +#check for Kernel Asynchronous I/O (AIO) lib support, no need on Cygwin +if [ "X" != "X$ORACLE_PATH" -a "$SYSO" != "Cygwin" ]; then LIBAIO="" for i in $LIBDIRS ; do if [ "X" = "X$LIBAIO" ]; then 
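Review bot: The rewritten fallback `TMP_LIB=\`/bin/ls $i/oci.dll* 2> /dev/null | grep occi.\`` can never match, because the file names it lists (`oci.dll`, `oci.dll.a`, …) do not contain "occi"; the block is dead, and the Windows case is detected only by the new `liboci.a -a oci.dll` test added a few lines earlier. Either delete the dead block or fix the filter to `grep 'oci\.'`. Dropping the libclntsh.dll cross-check also means a directory holding oci.dll alone now qualifies; if that is the intended Instant Client layout on Cygwin/MSYS2, a one-line comment saying so would stop the next reader from restoring the check.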
@@ -921,38 +980,367 @@ if [ "X" != "X$DEBUG" ]; then fi for i in $INCDIRS ; do - if [ "X" != "X$ORACLE_PATH" ]; then - if [ -f "$i/oci.h" ]; then - ORACLE_IPATH="$i" - fi + if [ -f "$i/oci.h" ]; then + ORACLE_IPATH="$i" fi done if [ "X" != "X$DEBUG" ]; then echo DEBUG: ORACLE_IPATH=$ORACLE_IPATH/oci.h fi if [ -n "$ORACLE_PATH" -a -n "$ORACLE_IPATH" ]; then - echo " ... found" + echo " ... found" fi if [ "X" = "X$ORACLE_PATH" -o "X" = "X$ORACLE_IPATH" ]; then - echo " ... NOT found, module Oracle disabled" - echo "Get basic and sdk package from http://www.oracle.com/technetwork/database/features/instant-client/index.html" + echo " ... NOT found, module Oracle disabled" + echo "Get basic and sdk package from https://www.oracle.com/database/technologies/instant-client/downloads.html" ORACLE_PATH="" ORACLE_IPATH="" fi +echo "Checking for Memcached (libmemcached/memcached.h) ..." + + for i in $LIBDIRS ; do + if [ "X" = "X$MCACHED_PATH" ]; then + if [ -f "$i/libmemcached.so" -o -f "$i/libmemcached.dylib" -o -f "$i/libmemcached.a" ]; then + MCACHED_PATH="$i" + fi + fi + if [ "X" = "X$MCACHED_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmemcached.so* 2> /dev/null | grep memcached` + if [ -n "$TMP_LIB" ]; then + MCACHED_PATH="$i" + fi + fi + if [ "X" = "X$MCACHED_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmemcached.dll* 2> /dev/null | grep memcached` + if [ -n "$TMP_LIB" ]; then + MCACHED_PATH="$i" + fi + fi + done + + MCACHED_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$MCACHED_IPATH" ]; then + if [ -f "$i/memcached.h" ]; then + MCACHED_IPATH="$i" + elif [ -f "$i/libmemcached/memcached.h" ]; then + MCACHED_IPATH="$i/libmemcached" + elif [ -f "$i/libmemcached-1.0/memcached.h" ]; then + MCACHED_IPATH="$i/libmemcached-1.0" + fi + fi + done + +if [ "X" != "X$DEBUG" ]; then + echo DEBUG: MCACHED_PATH=$MCACHED_PATH/libmemcached + echo DEBUG: MCACHED_IPATH=$MCACHED_IPATH/memcached.h +fi + if [ -n "$MCACHED_PATH" -a -n "$MCACHED_IPATH" ]; then + echo " ... 
found" + fi + if [ "X" = "X$MCACHED_PATH" -o "X" = "X$MCACHED_IPATH" ]; then + echo " ... NOT found, module memcached disabled" + MCACHED_PATH="" + MCACHED_IPATH="" + fi + +echo "Checking for Freerdp3 (libfreerdp3/freerdp.h/libwinpr3/winpr.h) ..." + + for i in $LIBDIRS ; do + if [ "X" = "X$FREERDP3_PATH" ]; then + if [ -f "$i/libfreerdp3.so" -o -f "$i/libfreerdp3.dylib" -o -f "$i/libfreerdp3.a" -o -f "$i/libfreerdp3.dll.a" ]; then + FREERDP3_PATH="$i" + fi + fi + if [ "X" = "X$FREERDP3_PATH" ]; then + TMP_LIB=`/bin/ls $i/libfreerdp3*.so* 2> /dev/null | grep libfreerdp3` + if [ -n "$TMP_LIB" ]; then + FREERDP3_PATH="$i" + fi + fi + done + + FREERDP3_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$FREERDP3_IPATH" ]; then + if [ -f "$i/freerdp/freerdp.h" ]; then + FREERDP3_IPATH="$i/freerdp3" + fi + if [ -f "$i/freerdp3/freerdp/freerdp.h" ]; then + FREERDP3_IPATH="$i/freerdp3" + fi + fi + done + + for i in $LIBDIRS ; do + if [ "X" = "X$WINPR3_PATH" ]; then + if [ -f "$i/libwinpr3.so" -o -f "$i/libwinpr3.dylib" -o -f "$i/libwinpr3.a" ]; then + WINPR3_PATH="$i" + fi + fi + if [ "X" = "X$WINPR3_PATH" ]; then + TMP_LIB=`/bin/ls $i/libwinpr3.dll.a 2> /dev/null | grep winpr` + if [ -n "$TMP_LIB" ]; then + WINPR3_PATH="$i" + fi + fi + done + + WINPR3_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$WINPR3_IPATH" ]; then + if [ -f "$i/winpr.h" ]; then + WINPR3_IPATH="$i" + fi + if [ -f "$i/winpr3/winpr/winpr.h" ]; then + WINPR3_IPATH="$i/winpr3" + fi + fi + done + + if [ "X" != "X$DEBUG" ]; then + echo DEBUG: FREERDP3_PATH=$FREERDP3_PATH/ + echo DEBUG: FREERDP3_IPATH=$FREERDP3_IPATH/ + echo DEBUG: WINPR3_PATH=$WINPR3_PATH/ + echo DEBUG: WINPR3_IPATH=$WINPR3_IPATH/ + fi + + if [ -n "$FREERDP3_PATH" -a -n "$FREERDP3_IPATH" -a -n "$WINPR3_PATH" -a -n "$WINPR3_IPATH" ]; then + echo " ... found" + fi + if [ "X" = "X$FREERDP3_PATH" -o "X" = "X$FREERDP3_IPATH" -o "X" = "X$WINPR3_PATH" -o "X" = "X$WINPR3_IPATH" ]; then + echo " ... NOT found, checking for freerdp2 module next..." 
+ FREERDP3_PATH="" + FREERDP3_IPATH="" + WINPR3_PATH="" + WINPR3_IPATH="" + fi + + if [ "X" = "X$FREERDP3_PATH" -o "X" = "X$FREERDP3_IPATH" -o "X" = "X$WINPR3_PATH" -o "X" = "X$WINPR3_IPATH" ]; then + echo "Checking for Freerdp2 (libfreerdp2/freerdp.h/libwinpr2/winpr.h) ..." + + for i in $LIBDIRS ; do + if [ "X" = "X$FREERDP2_PATH" ]; then + if [ -f "$i/libfreerdp2.so" -o -f "$i/libfreerdp2.dylib" -o -f "$i/libfreerdp2.a" -o -f "$i/libfreerdp2.dll.a" ]; then + FREERDP2_PATH="$i" + fi + fi + if [ "X" = "X$FREERDP2_PATH" ]; then + TMP_LIB=`/bin/ls $i/libfreerdp2*.so* 2> /dev/null | grep libfreerdp2` + if [ -n "$TMP_LIB" ]; then + FREERDP2_PATH="$i" + fi + fi + done + + FREERDP2_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$FREERDP2_IPATH" ]; then + if [ -f "$i/freerdp/freerdp.h" ]; then + FREERDP2_IPATH="$i/freerdp2" + fi + if [ -f "$i/freerdp2/freerdp/freerdp.h" ]; then + FREERDP2_IPATH="$i/freerdp2" + fi + fi + done + + for i in $LIBDIRS ; do + if [ "X" = "X$WINPR2_PATH" ]; then + if [ -f "$i/libwinpr2.so" -o -f "$i/libwinpr2.dylib" -o -f "$i/libwinpr2.a" ]; then + WINPR2_PATH="$i" + fi + fi + if [ "X" = "X$WINPR2_PATH" ]; then + TMP_LIB=`/bin/ls $i/libwinpr2.dll.a 2> /dev/null | grep winpr` + if [ -n "$TMP_LIB" ]; then + WINPR2_PATH="$i" + fi + fi + done + + WINPR2_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$WINPR2_IPATH" ]; then + if [ -f "$i/winpr.h" ]; then + WINPR2_IPATH="$i" + fi + if [ -f "$i/winpr2/winpr/winpr.h" ]; then + WINPR2_IPATH="$i/winpr2" + fi + fi + done + + if [ "X" != "X$DEBUG" ]; then + echo DEBUG: FREERDP2_PATH=$FREERDP2_PATH/ + echo DEBUG: FREERDP2_IPATH=$FREERDP2_IPATH/ + echo DEBUG: WINPR2_PATH=$WINPR2_PATH/ + echo DEBUG: WINPR2_IPATH=$WINPR2_IPATH/ + fi + + if [ -n "$FREERDP2_PATH" -a -n "$FREERDP2_IPATH" -a -n "$WINPR2_PATH" -a -n "$WINPR2_IPATH" ]; then + echo " ... found" + fi + if [ "X" = "X$FREERDP2_PATH" -o "X" = "X$FREERDP2_IPATH" -o "X" = "X$WINPR2_PATH" -o "X" = "X$WINPR2_IPATH" ]; then + echo " ... 
NOT found, module rdp disabled" + FREERDP2_PATH="" + FREERDP2_IPATH="" + WINPR2_PATH="" + WINPR2_IPATH="" + fi +fi + +echo "Checking for Mongodb (libmongoc-1.0/mongoc.h/libbson-1.0/bson.h) ..." + + for i in $LIBDIRS ; do + if [ "X" = "X$MONGODB_PATH" ]; then + if [ -f "$i/libmongoc-1.0.so" -o -f "$i/libmongoc-1.0.dylib" -o -f "$i/libmongoc-1.0.a" ]; then + MONGODB_PATH="$i" + fi + fi + if [ "X" = "X$MONGODB_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmongoc-*.so* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + MONGODB_PATH="$i" + fi + fi + if [ "X" = "X$MONGODB_PATH" ]; then + TMP_LIB=`/bin/ls $i/libmongoc.dll* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + MONGODB_PATH="$i" + fi + fi + done + + MONGODB_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$MONGODB_IPATH" ]; then + if [ -f "$i/mongoc.h" ]; then + MONGODB_IPATH="$i" + fi + if [ -f "$i/libmongoc/mongoc.h" ]; then + MONGODB_IPATH="$i/libmongoc" + fi + if [ -f "$i/libmongoc-1.0/mongoc.h" ]; then + MONGODB_IPATH="$i/libmongoc-1.0" + fi + fi + done + + for i in $LIBDIRS ; do + if [ "X" = "X$BSON_PATH" ]; then + if [ -f "$i/libbson-1.0.so" -o -f "$i/libbson-1.0.dylib" -o -f "$i/libbson-1.0.a" ]; then + BSON_PATH="$i" + fi + fi + if [ "X" = "X$BSON_PATH" ]; then + TMP_LIB=`/bin/ls $i/libbson-*.so* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + BSON_PATH="$i" + fi + fi + if [ "X" = "X$BSON_PATH" ]; then + TMP_LIB=`/bin/ls $i/libbson.dll* 2> /dev/null | grep mongoc` + if [ -n "$TMP_LIB" ]; then + BSON_PATH="$i" + fi + fi + done + + BSON_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$BSON_IPATH" ]; then + if [ -f "$i/bson.h" ]; then + BSON_IPATH="$i" + fi + if [ -f "$i/libbson/bson.h" ]; then + BSON_IPATH="$i/libbson" + fi + if [ -f "$i/libbson-1.0/bson.h" ]; then + BSON_IPATH="$i/libbson-1.0" + fi + fi + done + +if [ "X" != "X$DEBUG" ]; then + echo DEBUG: MONGODB_PATH=$MONGODB_PATH/libmongoc + echo DEBUG: MONGODB_IPATH=$MONGODB_IPATH/libmongoc.h + echo DEBUG: 
BSON_PATH=$BSON_PATH/libbson + echo DEBUG: BSON_IPATH=$BSON_IPATH/libbson.h +fi + + if [ -n "$MONGODB_PATH" -a -n "$MONGODB_IPATH" -a -n "$BSON_PATH" -a -n "$BSON_IPATH" ]; then + echo " ... found" + fi + if [ "X" = "X$MONGODB_PATH" -o "X" = "X$MONGODB_IPATH" -o "X" = "X$BSON_PATH" -o "X" = "X$BSON_IPATH" ]; then + echo " ... NOT found, module mongodb disabled" + MONGODB_PATH="" + MONGODB_IPATH="" + BSON_PATH="" + BSON_IPATH="" + fi + +echo "Checking for smbclient (libsmbclient/libsmbclient.h) ..." + + for i in $LIBDIRS ; do + if [ "X" = "X$SMBC_PATH" ]; then + if [ -f "$i/libsmbclient.so" -o -f "$i/libsmbclient.dylib" -o -f "$i/libsmbclient.a" ]; then + SMBC_PATH="$i" + fi + fi + if [ "X" = "X$SMBC_PATH" ]; then + TMP_LIB=`/bin/ls $i/libsmbclient.so* 2> /dev/null | grep smbclient` + if [ -n "$TMP_LIB" ]; then + SMBC_PATH="$i" + fi + fi + if [ "X" = "X$SMBC_PATH" ]; then + TMP_LIB=`/bin/ls $i/libsmbclient.dll* 2> /dev/null | grep smbclient` + if [ -n "$TMP_LIB" ]; then + SMBC_PATH="$i" + fi + fi + done + + SMBC_IPATH= + for i in $INCDIRS ; do + if [ "X" = "X$SMBC_IPATH" ]; then + if [ -f "$i/libsmbclient.h" ]; then + SMBC_IPATH="$i" + fi + if [ -f "$i/samba-4.0/libsmbclient.h" ]; then + SMBC_IPATH="$i/samba-4.0" + fi + fi + done + + if [ "X" != "X$DEBUG" ]; then + echo DEBUG: SMBC_PATH=$SMBC_PATH/libsmbclient + echo DEBUG: SMBC_IPATH=$SMBC_IPATH/libsmbclient.h + fi + if [ -n "$SMBC_PATH" -a -n "$SMBC_IPATH" ]; then + echo " ... found" + fi + if [ "X" = "X$SMBC_PATH" -o "X" = "X$SMBC_IPATH" ]; then + echo " ... NOT found, module smb2 disabled" + SMBC_PATH="" + SMBC_IPATH="" + fi + if [ "X" = "X$XHYDRA_SUPPORT" ]; then - echo "Checking for GUI req's (pkg-config, gtk+-2.0) ..." - XHYDRA_SUPPORT=`pkg-config --help > /dev/null 2>&1 || echo disabled` + echo "Checking for GUI req's (pkg-config/gtk+-2.0) ..." 
+ XHYDRA_SUPPORT=`$PKG_CONFIG --help > /dev/null 2>&1 || echo disabled` if [ "X" = "X$XHYDRA_SUPPORT" ]; then - XHYDRA_SUPPORT=`pkg-config --modversion gtk+-2.0 2> /dev/null` + XHYDRA_SUPPORT=`$PKG_CONFIG --modversion gtk+-2.0 2> /dev/null` else XHYDRA_SUPPORT="" fi if [ "X" = "X$XHYDRA_SUPPORT" ]; then - echo " ... NOT found, optional anyway" + echo " ... NOT found, optional anyway" else - echo " ... found" + echo " ... found" fi fi @@ -994,10 +1382,14 @@ echo "Checking for Android specialities ..." TMPC=comptest$$ STRRCHR=" not" echo '#include ' > $TMPC.c -echo '#include ' >> $TMPC.c +echo '#include ' >> $TMPC.c echo "int main() { char *x = strrchr(\"test\", 'e'); if (x == NULL) return 0; else return 1; }" >> $TMPC.c $CC -o $TMPC $TMPC.c > /dev/null 2>&1 test -x $TMPC && STRRCHR="" +rm -f $TMPC +$CC -o $TMPC -Wl,--allow-multiple-definition $TMPC.c > /dev/null 2>&1 +WALLOW="no" +test -x $TMPC && WALLOW="yes" rm -f $TMPC $TMPC.c echo " ... strrchr()$STRRCHR found" if [ -n "$CRYPTO_PATH" ]; then 
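Review bot: `FREERDP3_IPATH="$i/freerdp3"` is assigned when the header was found at `$i/freerdp/freerdp.h`, i.e. directly under `$i`, so the resulting `-I` points at a directory that does not exist on such a host; that branch should set `FREERDP3_IPATH="$i"`, and the FreeRDP2 block repeats the same slip with `FREERDP2_IPATH="$i/freerdp2"` for a hit at `$i/freerdp/freerdp.h`. In the MongoDB section the two libbson fallbacks pipe `ls $i/libbson-*.so*` and `ls $i/libbson.dll*` through `grep mongoc`, which never matches a libbson file name, so versioned-only and DLL installs of libbson are never detected; use `grep bson` there. The hunk is otherwise a long run of copy-adapted probes, and these are exactly the places where the copy was not adapted.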
@@ -1028,14 +1420,52 @@ rm -f $TMPC $TMPC.c $TMPC.c.err echo " Compiling... $GCCSEC" echo " Linking... $LDSEC" +echo "Checking for --allow-multiple-definition linker option ... $WALLOW" +if [ "$WALLOW" = "yes" ]; then + GCCSECOPT="$GCCSECOPT -Wl,--allow-multiple-definition" +fi + echo XDEFINES="" XLIBS="" XLIBPATHS="" XIPATHS="" -if [ -n "$FIREBIRD_PATH" -o -n "$PCRE_PATH" -o -n "$IDN_PATH" -o -n "$SSL_PATH" -o -n "$CRYPTO_PATH" -o -n "$NSL_PATH" -o -n "$SOCKET_PATH" -o -n "$RESOLV_PATH" -o -n "$SAPR3_PATH" -o -n "$SSH_PATH" -o -n "$POSTGRES_PATH" -o -n "$SVN_PATH" -o -n "$NCP_PATH" -o -n "$CURSES_PATH" -o -n "$ORACLE_PATH" -o -n "$AFP_PATH" -o -n "$MYSQL_PATH" ]; then - XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/lib" +if [ -n "$FIREBIRD_PATH" -o \ + -n "$PCRE_PATH" -o \ + -n "$IDN_PATH" -o \ + -n "$SSL_PATH" -o \ + -n "$CRYPTO_PATH" -o \ + -n "$NSL_PATH" -o \ + -n "$SOCKET_PATH" -o \ + -n "$RESOLV_PATH" -o \ + -n "$SAPR3_PATH" -o \ + -n "$SSH_PATH" -o \ + -n "$POSTGRES_PATH" -o \ + -n "$SVN_PATH" -o \ + -n "$NCP_PATH" -o \ + -n "$CURSES_PATH" -o \ + -n "$ORACLE_PATH" -o \ + -n "$AFP_PATH" -o \ + -n "$MYSQL_PATH" -o \ + -n "$MCACHED_PATH" -o \ + -n "$MONGOD_PATH" -o \ + -n "$FREERDP2_PATH" -o \ + -n "$WINPR2_PATH" -o \ + -n "$FREERDP3_PATH" -o \ + -n "$WINPR3_PATH" -o \ + -n "$SMBC_PATH" \ + ]; then + if [ "$SYSS" = "Darwin" -a ! -d "/lib" ]; then + #for libraries installed with MacPorts + if [ -d "/opt/local/lib" ]; then + XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/opt/local/lib" + else + XLIBPATHS="-L/usr/lib -L/usr/local/lib" + fi + else + XLIBPATHS="-L/usr/lib -L/usr/local/lib -L/lib" + fi fi if [ -n "$MYSQL_IPATH" ]; then XIPATHS="$XIPATHS -I$MYSQL_IPATH" 
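Review bot: `GCCSECOPT="$GCCSECOPT -Wl,--allow-multiple-definition"` is appended whenever the linker accepts the option, which is every GNU ld/lld host, yet the option exists to suppress duplicate-symbol errors: with it the linker silently keeps the first definition it meets, so a name clash between two of the many protocol and crypto libraries linked here turns from a diagnosed link failure into a wrong-function bind at runtime. Putting that into the hardening-options variable is the opposite of hardening; the hunk does not say which platform needs it, so restrict it to that platform and document the reason, e.g. `# Cygwin/MSYS2 only: duplicate symbols between system libs — confirm still needed`. The XLIBPATHS condition also tests `-n "$MONGOD_PATH"`, a variable nothing assigns; the one set by the probes is MONGODB_PATH, so the line should read `-n "$MONGODB_PATH" -o \`.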
@@ -1092,16 +1522,70 @@ fi if [ -n "$RSA" ]; then XDEFINES="$XDEFINES -DNO_RSA_LEGACY" fi +if [ -n "$HAVE_SYBDB" ]; then + XDEFINES="$XDEFINES -DHAVE_SYBDB" +fi +if [ -n "$HAVE_SYBFRONT" ]; then + XDEFINES="$XDEFINES -DHAVE_SYBFRONT" +fi if [ -n "$HAVE_ZLIB" ]; then XDEFINES="$XDEFINES -DHAVE_ZLIB" fi if [ -n "$HAVE_GCRYPT" ]; then XDEFINES="$XDEFINES -DHAVE_GCRYPT" fi - +if [ -n "$MCACHED_PATH" ]; then + XDEFINES="$XDEFINES -DLIBMCACHED" +fi +if [ -n "$MONGODB_PATH" ]; then + XDEFINES="$XDEFINES -DLIBMONGODB" +fi +if [ -n "$BSON_PATH" ]; then + XDEFINES="$XDEFINES -DLIBBSON" +fi +if [ -n "$FREERDP2_PATH" ]; then + XDEFINES="$XDEFINES -DLIBFREERDP" +fi +if [ -n "$WINPR2_PATH" ]; then + XDEFINES="$XDEFINES -DLIBWINPR2" +fi +if [ -n "$FREERDP3_PATH" ]; then + XDEFINES="$XDEFINES -DLIBFREERDP" +fi +if [ -n "$WINPR3_PATH" ]; then + XDEFINES="$XDEFINES -DLIBWINPR3" +fi +if [ -n "$SMBC_PATH" ]; then + XDEFINES="$XDEFINES -DLIBSMBCLIENT" +fi OLDPATH="" -for i in $SSL_PATH $FIREBIRD_PATH $WORACLE_LIB_PATH $PCRE_PATH $IDN_PATH $CRYPTO_PATH $SSH_PATH $NSL_PATH $SOCKET_PATH $RESOLV_PATH $SAPR3_PATH $POSTGRES_PATH $SVN_PATH $NCP_PATH $CURSES_PATH $ORACLE_PATH $AFP_PATH $MYSQL_PATH; do +for i in $SSL_PATH \ + $FIREBIRD_PATH \ + $WORACLE_LIB_PATH \ + $PCRE_PATH \ + $IDN_PATH \ + $CRYPTO_PATH \ + $SSH_PATH \ + $NSL_PATH \ + $SOCKET_PATH \ + $RESOLV_PATH \ + $SAPR3_PATH \ + $POSTGRES_PATH \ + $SVN_PATH \ + $NCP_PATH \ + $CURSES_PATH \ + $ORACLE_PATH \ + $AFP_PATH \ + $MYSQL_PATH \ + $MCACHED_PATH \ + $MONGODB_PATH \ + $BSON_PATH \ + $FREERDP2_PATH \ + $WINPR2_PATH \ + $FREERDP3_PATH \ + $WINPR3_PATH \ + $SMBC_PATH; do if [ "$OLDPATH" = "$i" ]; then OLDPATH="$i" else 
@@ -1154,12 +1638,30 @@ fi if [ -n "$ORACLE_IPATH" ]; then XIPATHS="$XIPATHS -I$ORACLE_IPATH" fi +if [ -n "$MCACHED_IPATH" ]; then + XIPATHS="$XIPATHS -I$MCACHED_IPATH" +fi +if [ -n "$MONGODB_IPATH" ]; then + XIPATHS="$XIPATHS -I$MONGODB_IPATH -I$BSON_IPATH" +fi +if [ -n "$FREERDP2_IPATH" ]; then + XIPATHS="$XIPATHS -I$FREERDP2_IPATH -I$WINPR2_IPATH" +fi +if [ -n "$FREERDP3_IPATH" ]; then + XIPATHS="$XIPATHS -I$FREERDP3_IPATH -I$WINPR3_IPATH" +fi +if [ -n "$SMBC_IPATH" ]; then + XIPATHS="$XIPATHS -I$SMBC_IPATH" +fi if [ -n "$HAVE_GCRYPT" ]; then XLIBS="$XLIBS -lgcrypt" fi if [ -n "$HAVE_ZLIB" ]; then XLIBS="$XLIBS -lz" fi +if [ -n "$HAVE_SYBDB" ]; then + XLIBS="$XLIBS -lsybdb" +fi if [ -n "$CURSES_PATH" ]; then XLIBS="$XLIBS -lcurses" fi @@ -1169,9 +1671,12 @@ fi if [ -n "$NCP_PATH" ]; then XLIBS="$XLIBS -lncp" fi -if [ -n "$ORACLE_PATH" ]; then +if [ -n "$ORACLE_PATH" -a "$SYSO" != "Cygwin" ]; then XLIBS="$XLIBS -locci -lclntsh" fi +if [ -n "$ORACLE_PATH" -a "$SYSO" = "Cygwin" ]; then + XLIBS="$XLIBS -loci" +fi if [ -n "$FIREBIRD_PATH" ]; then XLIBS="$XLIBS -lfbclient" fi @@ -1179,7 +1684,7 @@ if [ -n "$IDN_PATH" ]; then XLIBS="$XLIBS -lidn" fi if [ -n "$PCRE_PATH" ]; then - XLIBS="$XLIBS -lpcre" + XLIBS="$XLIBS -lpcre2-8" fi if [ -n "$MYSQL_PATH" ]; then XLIBS="$XLIBS -lmysqlclient" @@ -1217,7 +1722,30 @@ fi if [ -n "$RESOLV_PATH" ]; then XLIBS="$XLIBS -lresolv" fi - +if [ -n "$MCACHED_PATH" ]; then + XLIBS="$XLIBS -lmemcached" +fi +if [ -n "$MONGODB_PATH" ]; then + XLIBS="$XLIBS -lmongoc-1.0" +fi +if [ -n "$BSON_PATH" ]; then + XLIBS="$XLIBS -lbson-1.0" +fi +if [ -n "$FREERDP2_PATH" ]; then + XLIBS="$XLIBS -lfreerdp2" +fi +if [ -n "$WINPR2_PATH" ]; then + XLIBS="$XLIBS -lwinpr2" +fi +if [ -n "$FREERDP3_PATH" ]; then + XLIBS="$XLIBS -lfreerdp3" +fi +if [ -n "$WINPR3_PATH" ]; then + XLIBS="$XLIBS -lwinpr3" +fi +if [ -n "$SMBC_PATH" ]; then + XLIBS="$XLIBS -lsmbclient" +fi if [ -d /usr/kerberos/include ]; then XIPATHS="$XIPATHS -I/usr/kerberos/include" fi 
@@ -1244,7 +1772,7 @@ else fi if [ "X" != "X$DEBUG" ]; then - echo DEBUG: XDEFINES=$XDEFINES $MATH + echo DEBUG: XDEFINES=$XDEFINES $MATH $SYS_PARAM echo DEBUG: XLIBS=$XLIBS echo DEBUG: XLIBPATHS=$XLIBPATHS echo DEBUG: XIPATHS=$XIPATHS @@ -1262,7 +1790,7 @@ if [ "X" != "X$FHS" ]; then echo "MANDIR = /share/man/man1" >> Makefile.in echo "DATADIR = /share/hydra" >> Makefile.in fi -echo "XDEFINES=$XDEFINES $MATH" >> Makefile.in +echo "XDEFINES=$XDEFINES $MATH $SYS_PARAM" >> Makefile.in echo "XLIBS=$XLIBS" >> Makefile.in echo "XLIBPATHS=$XLIBPATHS" >> Makefile.in echo "XIPATHS=$XIPATHS" >> Makefile.in @@ -1277,9 +1805,9 @@ cat Makefile.in >> Makefile # ignore errors if this uname call fails ### Current Cygwin is up to speed :-) WINDRES="" -if [ "$SYSO" = "Cygwin" ]; then +if [ "$SYSO" = "Cygwin" -o "$SYSO" = "Msys" ]; then echo - echo "Cygwin detected, if compilation fails just update your installation." + echo "Cygwin/MSYS2 detected, if compilation fails just update your installation." echo WINDRES=`which windres` test -x "$WINDRES" && { @@ -1300,7 +1828,7 @@ if [ "x$WINDRES" = "x" ]; then echo HYDRA_LOGO= >> Makefile echo PWI_LOGO= >> Makefile fi -if [ "$GCCSEC" = "yes" ] && [ "$SYSS" != "SunOS" ]; then +if [ "$GCCSEC" = "yes" -a "$SYSS" != "SunOS" -a "$SYSS" != "Darwin" ]; then echo "SEC=$GCCSECOPT" >> Makefile else echo "SEC=" >> Makefile @@ -1311,4 +1839,4 @@ if [ "x$NOSTRIP" = "x" ]; then else cat Makefile.am | sed 's/^install:.*/install: all/' >> Makefile fi -echo "now type \"make\"" +echo "now type \"make\"" \ No newline at end of file diff --git a/crc32.c b/crc32.c index 364cfa4..ee9839b 100644 --- a/crc32.c +++ b/crc32.c 
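Review bot: `if [ "$GCCSEC" = "yes" -a "$SYSS" != "SunOS" -a "$SYSS" != "Darwin" ]` drops every option in GCCSECOPT on macOS by writing `SEC=`, which removes whatever compile- and link-time hardening that variable carries (it is built outside this hunk, so I cannot see its contents) rather than only the flag ld64 rejects. A per-flag probe, like the compile test that already writes `$TMPC.c.err` earlier in this script, would let Darwin keep the options clang supports; at minimum add a comment naming the option that breaks so the exclusion can be narrowed later. Replacing `[ a ] && [ b ]` with a single `-a` chain is also a step backwards for portability: POSIX leaves `test` with more than four arguments unspecified, and the original two-test form was the portable one.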
@@ -1,99 +1,61 @@ /*- -* COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or -* code or tables extracted from it, as desired without restriction. -* -* First, the polynomial itself and its table of feedback terms. The -* polynomial is -* X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 -* -* Note that we take it "backwards" and put the highest-order term in -* the lowest-order bit. The X^32 term is "implied"; the LSB is the -* X^31 term, etc. The X^0 term (usually shown as "+1") results in -* the MSB being 1 -* -* Note that the usual hardware shift register implementation, which -* is what we're using (we're merely optimizing it by doing eight-bit -* chunks at a time) shifts bits into the lowest-order term. In our -* implementation, that means shifting towards the right. Why do we -* do it this way? Because the calculated CRC must be transmitted in -* order from highest-order term to lowest-order term. UARTs transmit -* characters in order from LSB to MSB. By storing the CRC this way -* we hand it to the UART in the order low-byte to high-byte; the UART -* sends each low-bit to hight-bit; and the result is transmission bit -* by bit from highest- to lowest-order term without requiring any bit -* shuffling on our part. Reception works similarly -* -* The feedback terms table consists of 256, 32-bit entries. Notes -* -* The table can be generated at runtime if desired; code to do so -* is shown later. It might not be obvious, but the feedback -* terms simply represent the results of eight shift/xor opera -* tions for all combinations of data and CRC register values -* -* The values must be right-shifted by eight bits by the "updcrc -* logic; the shift must be unsigned (bring in zeroes). On some -* hardware you could probably optimize the shift in assembler by -* using byte-swap instructions -* polynomial $edb88320 -* -* -* CRC32 code derived from work by Gary S. Brown. -*/ + * COPYRIGHT (C) 1986 Gary S. Brown. 
You may use this program, or + * code or tables extracted from it, as desired without restriction. + * + * First, the polynomial itself and its table of feedback terms. The + * polynomial is + * X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 + * + * Note that we take it "backwards" and put the highest-order term in + * the lowest-order bit. The X^32 term is "implied"; the LSB is the + * X^31 term, etc. The X^0 term (usually shown as "+1") results in + * the MSB being 1 + * + * Note that the usual hardware shift register implementation, which + * is what we're using (we're merely optimizing it by doing eight-bit + * chunks at a time) shifts bits into the lowest-order term. In our + * implementation, that means shifting towards the right. Why do we + * do it this way? Because the calculated CRC must be transmitted in + * order from highest-order term to lowest-order term. UARTs transmit + * characters in order from LSB to MSB. By storing the CRC this way + * we hand it to the UART in the order low-byte to high-byte; the UART + * sends each low-bit to hight-bit; and the result is transmission bit + * by bit from highest- to lowest-order term without requiring any bit + * shuffling on our part. Reception works similarly + * + * The feedback terms table consists of 256, 32-bit entries. Notes + * + * The table can be generated at runtime if desired; code to do so + * is shown later. It might not be obvious, but the feedback + * terms simply represent the results of eight shift/xor opera + * tions for all combinations of data and CRC register values + * + * The values must be right-shifted by eight bits by the "updcrc + * logic; the shift must be unsigned (bring in zeroes). On some + * hardware you could probably optimize the shift in assembler by + * using byte-swap instructions + * polynomial $edb88320 + * + * + * CRC32 code derived from work by Gary S. Brown. 
+ */ #include #ifdef __sun - #include +#include #elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) - #include +#include #else - #include +#include #endif -uint32_t crc32_tab[] = { - 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, - 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, - 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, - 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, - 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, - 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, - 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, - 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, - 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, - 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, - 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, - 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, - 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, - 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, - 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, - 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, - 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, - 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, - 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, - 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, - 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, - 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, - 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, - 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, - 0xf00f9344, 0x8708a3d2, 
0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, - 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, - 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, - 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, - 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, - 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, - 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, - 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, - 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, - 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, - 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, - 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, - 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, - 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, - 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, - 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, - 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, - 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, - 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d -}; +uint32_t crc32_tab[] = {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, + 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 
0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, + 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, + 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, + 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, + 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 
0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, + 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}; #ifndef HAVE_ZLIB diff --git a/d3des.c b/d3des.c index 7f964ea..c6cc054 100644 --- a/d3des.c +++ b/d3des.c 
@@ -37,53 +37,32 @@ static void unscrun(unsigned long *, unsigned char *); static void desfunc(unsigned long *, unsigned long *); static void cookey(unsigned long *); -static unsigned long KnL[32] = { 0L }; +static unsigned long KnL[32] = {0L}; /* not needed ... static unsigned long KnR[32] = { 0L }; static unsigned long Kn3[32] = { 0L }; static unsigned char Df_Key[24] = { - 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef, - 0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10, - 0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 }; + 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef, + 0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10, + 0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 }; */ -static unsigned short bytebit[8] = { - 01, 02, 04, 010, 020, 040, 0100, 0200 -}; +static unsigned short bytebit[8] = {01, 02, 04, 010, 020, 040, 0100, 0200}; -static unsigned long bigbyte[24] = { - 0x800000L, 0x400000L, 0x200000L, 0x100000L, - 0x80000L, 0x40000L, 0x20000L, 0x10000L, - 0x8000L, 0x4000L, 0x2000L, 0x1000L, - 0x800L, 0x400L, 0x200L, 0x100L, - 0x80L, 0x40L, 0x20L, 0x10L, - 0x8L, 0x4L, 0x2L, 0x1L -}; +static unsigned long bigbyte[24] = {0x800000L, 0x400000L, 0x200000L, 0x100000L, 0x80000L, 0x40000L, 0x20000L, 0x10000L, 0x8000L, 0x4000L, 0x2000L, 0x1000L, 0x800L, 0x400L, 0x200L, 0x100L, 0x80L, 0x40L, 0x20L, 0x10L, 0x8L, 0x4L, 0x2L, 0x1L}; /* Use the key schedule specified in the Standard (ANSI X3.92-1981). 
*/ -static unsigned char pc1[56] = { - 56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, - 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, - 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, - 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 -}; +static unsigned char pc1[56] = {56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3}; -static unsigned char totrot[16] = { - 1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28 -}; +static unsigned char totrot[16] = {1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28}; -static unsigned char pc2[48] = { - 13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, - 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, - 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, - 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 -}; +static unsigned char pc2[48] = {13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31}; -void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */ - unsigned char *key; - int32_t edf; +void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */ + unsigned char *key; +int32_t edf; { register int32_t i, j, l, m, n; unsigned char pc1m[56], pcr[56]; @@ -126,8 +105,7 @@ void deskey(key, edf) /* Thanks to James Gillogly & Phil Karn! */ return; } -static void cookey(raw1) - register unsigned long *raw1; +static void cookey(raw1) register unsigned long *raw1; { register unsigned long *cook, *raw0; unsigned long dough[32]; @@ -149,8 +127,7 @@ static void cookey(raw1) return; } -void cpkey(into) - register unsigned long *into; +void cpkey(into) register unsigned long *into; { register unsigned long *from, *endp; 
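Review bot: The reformatted `deskey` definition now has its parameter declaration `int32_t edf;` flushed to column 0 while `unsigned char *key;` keeps an indent, so the second parameter reads like a file-scope declaration rather than part of the K&R identifier-list definition; the formatter (presumably clang-format, given the rest of the commit) does not recognise this pre-ANSI form. The same mangling appears in the `cookey`, `cpkey`, `usekey`, `scrunch`, `unscrun` and `desfunc` hunks, where the parameter declarations are pulled onto the signature line or left at column 0. Rather than hand-tuning the output, convert the definitions to prototype form, which the formatter handles and which matches the header's existing `extern void deskey(unsigned char *, int32_t);`, e.g. `void deskey(unsigned char *key, int32_t edf) /* Thanks to James Gillogly & Phil Karn! */`. This is a layout-only change with no effect on the key schedule, and the body of `deskey` continues past the end of this hunk.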
@@ -160,8 +137,7 @@ void cpkey(into) return; } -void usekey(from) - register unsigned long *from; +void usekey(from) register unsigned long *from; { register unsigned long *to, *endp; @@ -180,9 +156,8 @@ void des(unsigned char *inblock, unsigned char *outblock) { return; } -static void scrunch(outof, into) - register unsigned char *outof; - register unsigned long *into; +static void scrunch(outof, into) register unsigned char *outof; +register unsigned long *into; { *into = (*outof++ & 0xffL) << 24; *into |= (*outof++ & 0xffL) << 16; @@ -195,9 +170,8 @@ static void scrunch(outof, into) return; } -static void unscrun(outof, into) - register unsigned long *outof; - register unsigned char *into; +static void unscrun(outof, into) register unsigned long *outof; +register unsigned char *into; { *into++ = (*outof >> 24) & 0xffL; *into++ = (*outof >> 16) & 0xffL; 
@@ -210,160 +184,31 @@ static void unscrun(outof, into) return; } -static unsigned long SP1[64] = { - 0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L, - 0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L, - 0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L, - 0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L, - 0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L, - 0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L, - 0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L, - 0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L, - 0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L, - 0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L, - 0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L, - 0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L, - 0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L, - 0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L, - 0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L, - 0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L -}; +static unsigned long SP1[64] = {0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L, 0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L, 0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L, 0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L, 0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L, 0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L, 0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L, 0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L, + 0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L, 0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L, 0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L, 0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L, 0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L, 0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L, 0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L, 0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L}; -static unsigned long SP2[64] = { - 0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L, - 0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L, - 0x80000020L, 
0x80108020L, 0x80108000L, 0x80000000L, - 0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L, - 0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L, - 0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L, - 0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L, - 0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L, - 0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L, - 0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L, - 0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L, - 0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L, - 0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L, - 0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L, - 0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L, - 0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L -}; +static unsigned long SP2[64] = {0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L, 0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L, 0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L, 0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L, 0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L, 0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L, 0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L, 0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L, + 0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L, 0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L, 0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L, 0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L, 0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L, 0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L, 0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L, 0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L}; -static unsigned long SP3[64] = { - 0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L, - 0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L, - 0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L, - 0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L, - 0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L, - 0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L, - 0x08000208L, 0x00020200L, 
0x00020000L, 0x08000208L, - 0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L, - 0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L, - 0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L, - 0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L, - 0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L, - 0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L, - 0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L, - 0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L, - 0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L -}; +static unsigned long SP3[64] = {0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L, 0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L, 0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L, 0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L, 0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L, 0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L, 0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L, 0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L, + 0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L, 0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L, 0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L, 0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L, 0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L, 0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L, 0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L, 0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L}; -static unsigned long SP4[64] = { - 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, - 0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L, - 0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L, - 0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L, - 0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L, - 0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L, - 0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L, - 0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L, - 0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L, - 0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L, - 0x00002080L, 0x00800080L, 0x00800081L, 
0x00000001L, - 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, - 0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L, - 0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L, - 0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L, - 0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L -}; +static unsigned long SP4[64] = {0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, 0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L, 0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L, 0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L, 0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L, 0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L, 0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L, 0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L, + 0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L, 0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L, 0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L, 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, 0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L, 0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L, 0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L, 0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L}; -static unsigned long SP5[64] = { - 0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L, - 0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L, - 0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L, - 0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L, - 0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L, - 0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L, - 0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L, - 0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L, - 0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L, - 0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L, - 0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L, - 0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L, - 0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L, - 0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L, - 0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L, - 
0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L -}; +static unsigned long SP5[64] = {0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L, 0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L, 0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L, 0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L, 0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L, 0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L, 0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L, 0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L, + 0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L, 0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L, 0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L, 0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L, 0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L, 0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L, 0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L, 0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L}; -static unsigned long SP6[64] = { - 0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L, - 0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L, - 0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L, - 0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L, - 0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L, - 0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L, - 0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L, - 0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L, - 0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L, - 0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L, - 0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L, - 0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L, - 0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L, - 0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L, - 0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L, - 0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L -}; +static unsigned long SP6[64] = {0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L, 0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L, 0x20004000L, 0x00404010L, 0x00400000L, 
0x20000010L, 0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L, 0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L, 0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L, 0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L, 0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L, + 0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L, 0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L, 0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L, 0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L, 0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L, 0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L, 0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L, 0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L}; -static unsigned long SP7[64] = { - 0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L, - 0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L, - 0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L, - 0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L, - 0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L, - 0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L, - 0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L, - 0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L, - 0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L, - 0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L, - 0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L, - 0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L, - 0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L, - 0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L, - 0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L, - 0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L -}; +static unsigned long SP7[64] = {0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L, 0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L, 0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L, 0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L, 0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L, 0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L, 0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L, 
0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L, + 0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L, 0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L, 0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L, 0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L, 0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L, 0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L, 0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L, 0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L}; -static unsigned long SP8[64] = { - 0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L, - 0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L, - 0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L, - 0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L, - 0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L, - 0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L, - 0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L, - 0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L, - 0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L, - 0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L, - 0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L, - 0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L, - 0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L, - 0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L, - 0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L, - 0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L -}; +static unsigned long SP8[64] = {0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L, 0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L, 0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L, 0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L, 0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L, 0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L, 0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L, 0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L, + 0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L, 0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L, 0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L, 0x10040040L, 
0x10000000L, 0x00040000L, 0x10001040L, 0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L, 0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L, 0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L, 0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L}; -static void desfunc(block, keys) - register unsigned long *block, *keys; +static void desfunc(block, keys) register unsigned long *block, *keys; { register unsigned long fval, work, right, leftt; register int32_t round; diff --git a/d3des.h b/d3des.h index 18be88b..3b03d8a 100644 --- a/d3des.h +++ b/d3des.h @@ -1,9 +1,9 @@ #ifdef __sun - #include +#include #elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) - #include +#include #else - #include +#include #endif /* @@ -27,8 +27,8 @@ * (GEnie : OUTER; CIS : [71755,204]) */ -#define EN0 0 /* MODE == encrypt */ -#define DE1 1 /* MODE == decrypt */ +#define EN0 0 /* MODE == encrypt */ +#define DE1 1 /* MODE == decrypt */ extern void deskey(unsigned char *, int32_t); diff --git a/dpl4hydra_full.csv b/dpl4hydra_full.csv index 032c4c6..2f3df58 100644 --- a/dpl4hydra_full.csv +++ b/dpl4hydra_full.csv @@ -2417,8 +2417,6 @@ draytek,Vigor,all,HTTP,admin,admin,Admin,, dreambox,All models,all versions,http, telnet,root,dreambox,, dreambox,All models,all versions,http,telnet,root,dreambox,gives access to a busybox allowing to control the box using basic unix commands embedded into busybox, drupal.org,Drupal,,administrator,admin,admin,,, -ducati,Diavel motorcycles,,console,,last 4 digits of the motorcycle's VIN,Start and drive the motorcycle without a key,This is the ignition password - if you have one of these bikes change the password ASAP as you may be liable for any accident damage caused by the thief!, -ducati,Diavel,,,,Last 4 digits of VIN,,, dupont,Digital Water Proofer,,,root,par0t,,, dynalink,RTA020,,,admin,private,,, dynalink,RTA020,,Admin,admin,private,,, 
@@ -3061,7 +3059,6 @@ hewlettpackard,Motive Chorus,,HTTP (port 5060),admin,isee,,, hewlettpackard,Officejet,all versions,http,admin,,admin,http interface, hewlettpackard,Power Manager,3,HTTP,admin,admin,Admin,, hewlettpackard,ProcCurve MSC-5100,,,admin,admin,,, -hewlettpackard,Remote Insight Board,,,Administrator,The last eight digits of the serial number,,, hewlettpackard,StoreOnce,,,HPSupport,badg3r5,,, hewlettpackard,Vectra,,Console,,hewlpack,Admin,, hewlettpackard,iLo,,http,Admin,Admin,Admin,, @@ -3611,7 +3608,6 @@ iso sistemi,winwork,,Admin,,,,, iwill,PC BIOS,,,,iwill,,, iwill,PC BIOS,,Admin,,iwill,,, iwill,PC BIOS,,Console,,iwill,Admin,, -jacksoncommunitycollege,My Network Services,,web,(first 7 letters of student's last name + first seven letters of first name + middle initial -- no spaces or punctuation),(First letter of first name Capitalized + First letter of last name in lowercase + day of birth {01-31} + birth year {2 digits} + last 4 digits of student ID),My Network Services access,, jaht,adsl router,AR41/2A,HTTP,admin,epicrouter,Admin,, jamfsoftware,Casper Suite,,,jamfsoftware,jamfsw03,,, janitza,UMG 508,,,Homepage Password,0th,,, @@ -3786,7 +3782,6 @@ kyocera,FS3140MFP,,Web Interface,,admin00,Administrator,, kyocera,FS6025MFP,,system menus,Admin,Admin,Admin,, kyocera,Intermate LAN FS Pro 10/100,K82_0371,HTTP,admin,admin,Admin,, kyocera,KM-4850W,,,admin,,,, -kyocera,KR2,,http,,read notes,,it is the last 6 characters of the mac address, kyocera,TASKalfa 250 Ci,,,Admin,admin00,,if enable local authentification, kyocera,TASKalfa 250ci,,IP,,admin00,,, kyocera,TASKalfa 266ci,,Console Panel,Admin,Admin,Admin,, 
@@ -5188,82 +5183,42 @@ oce,tcs500, Windows XP, all models,12.3.0(1668),console, http://192.168.0.81,, oce,tcs500,Windows XP,all models,12.3.0(1668),console,http://192.168.0.81,, ods,1094 IS Chassis,,,ods,ods,,4.x, ods,1094,,,ods,ods,,, -oki,9600,,,admin,last six characters of the MAC address (letters uppercase).,,, -oki,B410,,http (dhcp),admin,last six charachter of mac address (upper case),,, -oki,B410dn,,http://169.254.39.211/,admin,Last 6 characters (chars uppercased) from MAC Address,admin,, oki,B411,all ver,Http or AdminManager,root,aaaaaa,Administrator,, -oki,B420,,http (dhcp),admin,last six charachter of mac address (upper case),,, -oki,B430,,http (dhcp),admin,last six charachter of mac address (upper case),,, oki,B431,all ver,Http or AdminManager,root,aaaaaa,Administrator,, oki,B431dn,,http://192.168.1.xxx,root,123456,Admin,, -oki,B43xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), oki,B6100n,,,admin,OkiLAN,admin,with 61e(NIC), oki,B6200n,,,admin,OkiLAN,admin,with 62e(NIC), -oki,B6300,,,root,last six charachter of mac address,root,, oki,B6300n,,,admin,OkiLAN,admin,with 62e(NIC), -oki,B6500,,,root,(last 6 digits of MAC address),root,, oki,B710,all,http://192.168.1.33,root,aaaaaa,Administrator,, oki,B720,all,http://192.168.1.33,root,aaaaaa,Administrator,, oki,B720N,All versions,Web interface,root,aaaaaa,Root access,, oki,B730,all,http://192.168.1.33,root,aaaaaa,Administrator,, oki,B8300n,,,admin,OkiLAN,admin,with 83e(NIC), -oki,B930n,,,root,(last 4 digits of MAC address),root,, -oki,C3200n,,Web Interface - Device IP,root,last 6 of MAC Address - case sensitive,,, oki,C330,all versions etc.,http://192.168.0.1,root,aaaaaa,Admin,Administrator, oki,C3450,,http://192.168.1.50,admin,heslo,admin,, -oki,C3450,,web,admin,last 6 digits of MAC code, Use uppercase letters,, -oki,C3450,,web,admin,last 6 digits of MAC code,Use uppercase letters,Administrator, -oki,C3530,,console,admin,last 6 digits of MAC address,Admin,, -oki,C380,,,admin,last 6 characters 
of the MAC ADRESS,,, -oki,C51xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), oki,C530dn,A1.02,http://192.168.1.51,root,aaaaaa,Admin,, -oki,C53xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), -oki,C54xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), oki,C5550 MFP,,http,,*blank*,Admin,, -oki,C5650,,Multi,root,Last 6 characters of MAC address (uppercase),Admin,Last 6 digits are also at the end of the default printer name, oki,C5650dn,,,,000000,menu,, oki,C5650n,,,,000000,menu,, -oki,C5700,,HTTP,root,the 6 last digit of the MAC adress,Admin,running with other models, -oki,C5850,,http,admin,last 6 characters of the MAC ADRESS,,, -oki,C5900,,HTTP,root,Last 6 characters (chars uppercased) from MAC Address,admin,, oki,C6050dn,,,,000000,menu,, oki,C6050n,,,,000000,menu,, oki,C610,,,admin,aaaaaa,admin,, -oki,C6100,,HTTP,root,Last 6 characters of MAC address (uppercase),Administrative,seems to work with a variety of oki printers., -oki,C6150,N1.01 Network Firmware 08.51,ZeroConFig Bonjour,root,last six characters of MAC address,Basic Setup,Printer ID,Protocol oki,C6150dn,,,,000000,menu,, oki,C6150dtn,,,,000000,menu,, oki,C6150hdn,,,,000000,menu,, oki,C6150n,,,,000000,menu,, oki,C7000,,,admin,OkiLAN,admin,with 6200e(NIC), -oki,C7000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), -oki,C710,All versions,http,root,Last 6 characters (chars uppercased) from MAC Address,Full acces to printer configuration,, oki,C711,,Web,admin,aaaaaa,Admin access,, -oki,C7300,A3.14, may apply to other versions,Multi,root,Last six digits of default device name,, -oki,C7300,A3.14,may apply to other versions,Multi,root,Last six digits of default device name,Give this a try if the last six digits of the MAC don't work. 
I believe alpha characters would be uppercased if there were any present., -oki,C7350,,Administrator,root,Last 6 characters (chars uppercased) from MAC Address,,, -oki,C7350,,Multi,root,Last 6 characters (chars uppercased) from MAC Address,Administrator,, -oki,C810,,http://192.168.0.1,root,Last 6 characters (chars uppercased) from MAC Address,,, -oki,C821,all version?,HTTP,root,last six charachter of mac address,Admin,, -oki,C830,all,web,root,last 6 digits of the MAC address,,, -oki,C8800,,Web or Console,root,Last six characters of MAC address,,, oki,C9000,,,admin,OkiLAN,admin,with 6200e(NIC), -oki,C9000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), -oki,C9500,,HTTP / telnet,root,Last 6 characters (chars uppercased) from MAC Address,Administration,, oki,C9650,,,,0000,Print statistics,, oki,C9650,,,,aaaaaa,Administration,, -oki,C9655,,HTTP,root,last 6 digits of MAC address,Administrator,, oki,C9655,,printer menu,,aaaaaa,printer menubutton,, -oki,C9800,,,root,(last 6 digits of MAC address),,, -oki,C9850,,,root,(last 6 digits of MAC address),,, oki,CX1145,,,,123456,,, oki,CX2032 MFP,,http,,*blank*,Admin,, oki,CX2033,,Printer Menu,,,,When asked for password just press OK, oki,CX2633,,Web interface,admin,aaaaaa,admin,, oki,CX2731,,Web interface,admin,aaaaaa,admin,, -oki,CX3641,,,root,(last 6 digits of MAC address),,, oki,Color 8 +14ex,,,admin,OkiLAN,admin,with 6100e(NIC), -oki,ES3640,,,root,(last 6 digits of MAC address),,, oki,ES5460 MFP,,Local configuration menu,,aaaaaa,Admin/Root i guess,, oki,ES7120,,Web,root,aaaaaa,Admin,, oki,ES7411,,web HTTP,admin,aaaaaa,Administrator,, 
@@ -5275,7 +5230,6 @@ oki,MC160,,Op Panel,,000000,Admin,, oki,MC160,,Web,,sysAdmin,Admin,, oki,MC342w,,,admin,aaaaaa,admin,, oki,MC360,,Console,admin,aaaaaa,Full acces to printer configuration,, -oki,MC360,,HTTP,admin,Last 6 characters (chars uppercased) from MAC Address,Administration,, oki,MC361,,Web interface,admin,aaaaaa,admin,, oki,MC560,,Printer Menu,,,,When asked for password just press OK, oki,MC560,,Printer Menu,,,,When asked for password, 
@@ -5285,19 +5239,10 @@ oki,MC860,,Web interface,admin,aaaaaa,admin,, oki,ML3xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) oki,ML491n,,http://,Admin,OkiLAN,Admin,, oki,ML4xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) -oki,ML8810,,,root,(last 6 digits of MAC address),,, oki,N22113B,A2.00,http://192.168.1.9,,noe,Admin,, oki,WebTools,,,Administrator,,,, oki,b710,all,http://192.168.1.33,root,aaaaaa,Administrator,, -oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,, -oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,no, oki,c511dn,B7.00,,admin,aaaaaa,Full administrator Access,the machine picks up dhcp address,manually configure static on machine directly if required or print a config page to get the dhcp address that was assigned. -oki,c5300,,,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, -oki,c5300,,Console,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",, -oki,c5300,,Console,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, -oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",admin, -oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, -oki,c5300,,admin,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, oki,c5750,n1.02,http://192.168.0.200,,,,, oki,c810,1.0,192.100.185.78,admin,admin,admin,, olegkhabarov,Comfy CMS,,,username,password,,, 
@@ -10100,7 +10045,6 @@ telus,Telephony and internet services,,,(username),telus12,User,Initial password telus,Telephony and internet services,,,(username),telus13,User,Initial password if issued in 2013, telus,Telephony and internet services,,,(username),telus99,User,Initial password if issued in 1999, tenda,W150M,,192.168.1.1,admin,admin,Admin,, -teradyne,4TEL,VRS400,DTMF,(last 5 digits of lineman's SSN),(same as user ID),,, terayon,,,,admin,nms,,6.29, terayon,,Comcast-supplied,HTTP,,,diagnostics page,192.168.100.1/diagnostics_page.html, terayon,TeraLink 1000 Controller,,,admin,password,,, @@ -10403,8 +10347,6 @@ unisys,ClearPath MCP,,Multi,ADMINISTRATOR,ADMINISTRATOR,Admin,, unisys,ClearPath MCP,,Multi,HTTP,HTTP,Web Server Administration,, unisys,ClearPath MCP,,Multi,NAU,NAU,Privileged,Network Administration Utility, unitedtechnologiescorporation,Interlogix truVision IP Camera,,,admin,1234,,, -universityoftennessee,All Employee and Student Services,,, - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, -universityoftennessee,All Employee and Student Services,,,lt;NetIDgt; - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, unix,Generic,,,adm,,,, unix,Generic,,,adm,adm,,, unix,Generic,,,admin,admin,,, diff --git a/dpl4hydra_local.csv b/dpl4hydra_local.csv index 032c4c6..2f3df58 100644 --- a/dpl4hydra_local.csv +++ b/dpl4hydra_local.csv 
@@ -2417,8 +2417,6 @@ draytek,Vigor,all,HTTP,admin,admin,Admin,, dreambox,All models,all versions,http, telnet,root,dreambox,, dreambox,All models,all versions,http,telnet,root,dreambox,gives access to a busybox allowing to control the box using basic unix commands embedded into busybox, drupal.org,Drupal,,administrator,admin,admin,,, -ducati,Diavel motorcycles,,console,,last 4 digits of the motorcycle's VIN,Start and drive the motorcycle without a key,This is the ignition password - if you have one of these bikes change the password ASAP as you may be liable for any accident damage caused by the thief!, -ducati,Diavel,,,,Last 4 digits of VIN,,, dupont,Digital Water Proofer,,,root,par0t,,, dynalink,RTA020,,,admin,private,,, dynalink,RTA020,,Admin,admin,private,,, @@ -3061,7 +3059,6 @@ hewlettpackard,Motive Chorus,,HTTP (port 5060),admin,isee,,, hewlettpackard,Officejet,all versions,http,admin,,admin,http interface, hewlettpackard,Power Manager,3,HTTP,admin,admin,Admin,, hewlettpackard,ProcCurve MSC-5100,,,admin,admin,,, -hewlettpackard,Remote Insight Board,,,Administrator,The last eight digits of the serial number,,, hewlettpackard,StoreOnce,,,HPSupport,badg3r5,,, hewlettpackard,Vectra,,Console,,hewlpack,Admin,, hewlettpackard,iLo,,http,Admin,Admin,Admin,, @@ -3611,7 +3608,6 @@ iso sistemi,winwork,,Admin,,,,, iwill,PC BIOS,,,,iwill,,, iwill,PC BIOS,,Admin,,iwill,,, iwill,PC BIOS,,Console,,iwill,Admin,, -jacksoncommunitycollege,My Network Services,,web,(first 7 letters of student's last name + first seven letters of first name + middle initial -- no spaces or punctuation),(First letter of first name Capitalized + First letter of last name in lowercase + day of birth {01-31} + birth year {2 digits} + last 4 digits of student ID),My Network Services access,, jaht,adsl router,AR41/2A,HTTP,admin,epicrouter,Admin,, jamfsoftware,Casper Suite,,,jamfsoftware,jamfsw03,,, janitza,UMG 508,,,Homepage Password,0th,,, 
@@ -3786,7 +3782,6 @@ kyocera,FS3140MFP,,Web Interface,,admin00,Administrator,, kyocera,FS6025MFP,,system menus,Admin,Admin,Admin,, kyocera,Intermate LAN FS Pro 10/100,K82_0371,HTTP,admin,admin,Admin,, kyocera,KM-4850W,,,admin,,,, -kyocera,KR2,,http,,read notes,,it is the last 6 characters of the mac address, kyocera,TASKalfa 250 Ci,,,Admin,admin00,,if enable local authentification, kyocera,TASKalfa 250ci,,IP,,admin00,,, kyocera,TASKalfa 266ci,,Console Panel,Admin,Admin,Admin,, 
@@ -5188,82 +5183,42 @@ oce,tcs500, Windows XP, all models,12.3.0(1668),console, http://192.168.0.81,, oce,tcs500,Windows XP,all models,12.3.0(1668),console,http://192.168.0.81,, ods,1094 IS Chassis,,,ods,ods,,4.x, ods,1094,,,ods,ods,,, -oki,9600,,,admin,last six characters of the MAC address (letters uppercase).,,, -oki,B410,,http (dhcp),admin,last six charachter of mac address (upper case),,, -oki,B410dn,,http://169.254.39.211/,admin,Last 6 characters (chars uppercased) from MAC Address,admin,, oki,B411,all ver,Http or AdminManager,root,aaaaaa,Administrator,, -oki,B420,,http (dhcp),admin,last six charachter of mac address (upper case),,, -oki,B430,,http (dhcp),admin,last six charachter of mac address (upper case),,, oki,B431,all ver,Http or AdminManager,root,aaaaaa,Administrator,, oki,B431dn,,http://192.168.1.xxx,root,123456,Admin,, -oki,B43xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), oki,B6100n,,,admin,OkiLAN,admin,with 61e(NIC), oki,B6200n,,,admin,OkiLAN,admin,with 62e(NIC), -oki,B6300,,,root,last six charachter of mac address,root,, oki,B6300n,,,admin,OkiLAN,admin,with 62e(NIC), -oki,B6500,,,root,(last 6 digits of MAC address),root,, oki,B710,all,http://192.168.1.33,root,aaaaaa,Administrator,, oki,B720,all,http://192.168.1.33,root,aaaaaa,Administrator,, oki,B720N,All versions,Web interface,root,aaaaaa,Root access,, oki,B730,all,http://192.168.1.33,root,aaaaaa,Administrator,, oki,B8300n,,,admin,OkiLAN,admin,with 83e(NIC), -oki,B930n,,,root,(last 4 digits of MAC address),root,, -oki,C3200n,,Web Interface - Device IP,root,last 6 of MAC Address - case sensitive,,, oki,C330,all versions etc.,http://192.168.0.1,root,aaaaaa,Admin,Administrator, oki,C3450,,http://192.168.1.50,admin,heslo,admin,, -oki,C3450,,web,admin,last 6 digits of MAC code, Use uppercase letters,, -oki,C3450,,web,admin,last 6 digits of MAC code,Use uppercase letters,Administrator, -oki,C3530,,console,admin,last 6 digits of MAC address,Admin,, -oki,C380,,,admin,last 6 characters 
of the MAC ADRESS,,, -oki,C51xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), oki,C530dn,A1.02,http://192.168.1.51,root,aaaaaa,Admin,, -oki,C53xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), -oki,C54xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), oki,C5550 MFP,,http,,*blank*,Admin,, -oki,C5650,,Multi,root,Last 6 characters of MAC address (uppercase),Admin,Last 6 digits are also at the end of the default printer name, oki,C5650dn,,,,000000,menu,, oki,C5650n,,,,000000,menu,, -oki,C5700,,HTTP,root,the 6 last digit of the MAC adress,Admin,running with other models, -oki,C5850,,http,admin,last 6 characters of the MAC ADRESS,,, -oki,C5900,,HTTP,root,Last 6 characters (chars uppercased) from MAC Address,admin,, oki,C6050dn,,,,000000,menu,, oki,C6050n,,,,000000,menu,, oki,C610,,,admin,aaaaaa,admin,, -oki,C6100,,HTTP,root,Last 6 characters of MAC address (uppercase),Administrative,seems to work with a variety of oki printers., -oki,C6150,N1.01 Network Firmware 08.51,ZeroConFig Bonjour,root,last six characters of MAC address,Basic Setup,Printer ID,Protocol oki,C6150dn,,,,000000,menu,, oki,C6150dtn,,,,000000,menu,, oki,C6150hdn,,,,000000,menu,, oki,C6150n,,,,000000,menu,, oki,C7000,,,admin,OkiLAN,admin,with 6200e(NIC), -oki,C7000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), -oki,C710,All versions,http,root,Last 6 characters (chars uppercased) from MAC Address,Full acces to printer configuration,, oki,C711,,Web,admin,aaaaaa,Admin access,, -oki,C7300,A3.14, may apply to other versions,Multi,root,Last six digits of default device name,, -oki,C7300,A3.14,may apply to other versions,Multi,root,Last six digits of default device name,Give this a try if the last six digits of the MAC don't work. 
I believe alpha characters would be uppercased if there were any present., -oki,C7350,,Administrator,root,Last 6 characters (chars uppercased) from MAC Address,,, -oki,C7350,,Multi,root,Last 6 characters (chars uppercased) from MAC Address,Administrator,, -oki,C810,,http://192.168.0.1,root,Last 6 characters (chars uppercased) from MAC Address,,, -oki,C821,all version?,HTTP,root,last six charachter of mac address,Admin,, -oki,C830,all,web,root,last 6 digits of the MAC address,,, -oki,C8800,,Web or Console,root,Last six characters of MAC address,,, oki,C9000,,,admin,OkiLAN,admin,with 6200e(NIC), -oki,C9000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), -oki,C9500,,HTTP / telnet,root,Last 6 characters (chars uppercased) from MAC Address,Administration,, oki,C9650,,,,0000,Print statistics,, oki,C9650,,,,aaaaaa,Administration,, -oki,C9655,,HTTP,root,last 6 digits of MAC address,Administrator,, oki,C9655,,printer menu,,aaaaaa,printer menubutton,, -oki,C9800,,,root,(last 6 digits of MAC address),,, -oki,C9850,,,root,(last 6 digits of MAC address),,, oki,CX1145,,,,123456,,, oki,CX2032 MFP,,http,,*blank*,Admin,, oki,CX2033,,Printer Menu,,,,When asked for password just press OK, oki,CX2633,,Web interface,admin,aaaaaa,admin,, oki,CX2731,,Web interface,admin,aaaaaa,admin,, -oki,CX3641,,,root,(last 6 digits of MAC address),,, oki,Color 8 +14ex,,,admin,OkiLAN,admin,with 6100e(NIC), -oki,ES3640,,,root,(last 6 digits of MAC address),,, oki,ES5460 MFP,,Local configuration menu,,aaaaaa,Admin/Root i guess,, oki,ES7120,,Web,root,aaaaaa,Admin,, oki,ES7411,,web HTTP,admin,aaaaaa,Administrator,, 
@@ -5275,7 +5230,6 @@ oki,MC160,,Op Panel,,000000,Admin,, oki,MC160,,Web,,sysAdmin,Admin,, oki,MC342w,,,admin,aaaaaa,admin,, oki,MC360,,Console,admin,aaaaaa,Full acces to printer configuration,, -oki,MC360,,HTTP,admin,Last 6 characters (chars uppercased) from MAC Address,Administration,, oki,MC361,,Web interface,admin,aaaaaa,admin,, oki,MC560,,Printer Menu,,,,When asked for password just press OK, oki,MC560,,Printer Menu,,,,When asked for password, 
@@ -5285,19 +5239,10 @@ oki,MC860,,Web interface,admin,aaaaaa,admin,, oki,ML3xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) oki,ML491n,,http://,Admin,OkiLAN,Admin,, oki,ML4xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) -oki,ML8810,,,root,(last 6 digits of MAC address),,, oki,N22113B,A2.00,http://192.168.1.9,,noe,Admin,, oki,WebTools,,,Administrator,,,, oki,b710,all,http://192.168.1.33,root,aaaaaa,Administrator,, -oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,, -oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,no, oki,c511dn,B7.00,,admin,aaaaaa,Full administrator Access,the machine picks up dhcp address,manually configure static on machine directly if required or print a config page to get the dhcp address that was assigned. -oki,c5300,,,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, -oki,c5300,,Console,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",, -oki,c5300,,Console,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, -oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",admin, -oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, -oki,c5300,,admin,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, oki,c5750,n1.02,http://192.168.0.200,,,,, oki,c810,1.0,192.100.185.78,admin,admin,admin,, olegkhabarov,Comfy CMS,,,username,password,,, 
@@ -10100,7 +10045,6 @@ telus,Telephony and internet services,,,(username),telus12,User,Initial password telus,Telephony and internet services,,,(username),telus13,User,Initial password if issued in 2013, telus,Telephony and internet services,,,(username),telus99,User,Initial password if issued in 1999, tenda,W150M,,192.168.1.1,admin,admin,Admin,, -teradyne,4TEL,VRS400,DTMF,(last 5 digits of lineman's SSN),(same as user ID),,, terayon,,,,admin,nms,,6.29, terayon,,Comcast-supplied,HTTP,,,diagnostics page,192.168.100.1/diagnostics_page.html, terayon,TeraLink 1000 Controller,,,admin,password,,, @@ -10403,8 +10347,6 @@ unisys,ClearPath MCP,,Multi,ADMINISTRATOR,ADMINISTRATOR,Admin,, unisys,ClearPath MCP,,Multi,HTTP,HTTP,Web Server Administration,, unisys,ClearPath MCP,,Multi,NAU,NAU,Privileged,Network Administration Utility, unitedtechnologiescorporation,Interlogix truVision IP Camera,,,admin,1234,,, -universityoftennessee,All Employee and Student Services,,, - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, -universityoftennessee,All Employee and Student Services,,,lt;NetIDgt; - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, unix,Generic,,,adm,,,, unix,Generic,,,adm,adm,,, unix,Generic,,,admin,admin,,, diff --git a/hmacmd5.c b/hmacmd5.c index 9400aba..d7b7691 100644 --- a/hmacmd5.c +++ b/hmacmd5.c 
@@ -1,24 +1,24 @@ -/* +/* Unix SMB/CIFS implementation. HMAC MD5 code for use in NTLMv2 Copyright (C) Luke Kenneth Casson Leighton 1996-2000 Copyright (C) Andrew Tridgell 1992-2000 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc. - + Free Software Foundation 51 Franklin Street, Fifth Floor Boston, MA 02110-1335 @@ -34,8 +34,8 @@ */ #ifdef LIBOPENSSL -#include #include "hmacmd5.h" +#include #define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x)) @@ -43,7 +43,7 @@ the rfc 2104 version of hmac_md5 initialisation. ***********************************************************************/ -void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Context * ctx) { +void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx) { int32_t i; unsigned char tk[16]; @@ -52,7 +52,7 @@ void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Con MD5_CTX tctx; MD5_Init(&tctx); - MD5_Update(&tctx, (void *) key, key_len); + MD5_Update(&tctx, (void *)key, key_len); MD5_Final(tk, &tctx); key = tk; 
@@ -79,7 +79,7 @@ void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Con the microsoft version of hmac_md5 initialisation. ***********************************************************************/ -void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5Context * ctx) { +void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx) { int32_t i; /* if key is longer than 64 bytes truncate it */ @@ -107,15 +107,12 @@ void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5 update hmac_md5 "inner" buffer ***********************************************************************/ -void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context * ctx) { - MD5_Update(&ctx->ctx, (void *) text, text_len); /* then text of datagram */ -} +void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context *ctx) { MD5_Update(&ctx->ctx, (void *)text, text_len); /* then text of datagram */ } /*********************************************************************** finish off hmac_md5 "inner" buffer and generate outer one. ***********************************************************************/ -void hmac_md5_final(unsigned char *digest, HMACMD5Context * ctx) -{ +void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx) { MD5_CTX ctx_o; MD5_Final(digest, &ctx->ctx); diff --git a/hmacmd5.h b/hmacmd5.h index 54e1393..7677bc6 100644 --- a/hmacmd5.h +++ b/hmacmd5.h 
@@ -1,19 +1,19 @@ -/* +/* Unix SMB/CIFS implementation. Interface header: Scheduler service Copyright (C) Luke Kenneth Casson Leighton 1996-1999 Copyright (C) Andrew Tridgell 1992-1999 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc. @@ -30,28 +30,25 @@ */ #ifdef __sun - #include +#include #elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) - #include +#include #else - #include +#include #endif #include #ifndef _HMAC_MD5_H typedef struct { - MD5_CTX ctx; - unsigned char k_ipad[65]; - unsigned char k_opad[65]; + MD5_CTX ctx; + unsigned char k_ipad[65]; + unsigned char k_opad[65]; } HMACMD5Context; #endif /* _HMAC_MD5_H */ - void hmac_md5_init_rfc2104(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx); -void hmac_md5_init_limK_to_64(const unsigned char* key, int32_t key_len,HMACMD5Context *ctx); +void hmac_md5_init_limK_to_64(const unsigned char *key, int32_t key_len, HMACMD5Context *ctx); void hmac_md5_update(const unsigned char *text, int32_t text_len, HMACMD5Context *ctx); void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx); -void hmac_md5( unsigned char key[16], unsigned char *data, int32_t data_len, unsigned char *digest); - - +void hmac_md5(unsigned char key[16], unsigned char *data, int32_t data_len, unsigned char *digest); diff --git a/hydra-adam6500.c b/hydra-adam6500.c index 9382fd1..ae664d4 100644 --- a/hydra-adam6500.c +++ b/hydra-adam6500.c 
@@ -6,57 +6,15 @@ extern char *HYDRA_EXIT; -unsigned char adam6500_req1[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10, - 0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31, - 0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, - 0x1f, 0x1f, 0x1f, 0x0d, 0x00 -}; -unsigned char adam6500_resp1[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10, - 0x27, 0x0f, 0x00, 0x08 -}; -unsigned char adam6500_req2[] = { - 0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, - 0x27, 0x0f, 0x00, 0x7d -}; -unsigned char adam6500_resp2[] = { - 0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03, - 0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00 -}; +unsigned char adam6500_req1[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x01, 0x10, 0x27, 0x0f, 0x00, 0x08, 0x10, 0x24, 0x30, 0x31, 0x50, 0x57, 0x30, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x1f, 0x0d, 0x00}; +unsigned char adam6500_resp1[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x10, 0x27, 0x0f, 0x00, 0x08}; +unsigned char adam6500_req2[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x27, 0x0f, 0x00, 0x7d}; +unsigned char adam6500_resp2[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x01, 0x03, 0xfa, 0x3f, 0x30, 0x31, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; -int32_t start_adam6500(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_adam6500(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *pass; unsigned char buffer[300]; @@ -66,13 +24,13 @@ int32_t start_adam6500(int32_t s, char *ip, int32_t port, unsigned char options, pass = empty; memcpy(buffer, adam6500_req1, sizeof(adam6500_req1)); - - for (i = 0; i < 8 && i < strlen(pass); i++) + + for (i = 0; i < 8 && i < strlen(pass); i++) buffer[19 + i] = pass[i] ^ 0x3f; if (hydra_send(s, buffer, sizeof(adam6500_req1), 0) < 0) return 1; - + if (recv(s, buffer, sizeof(buffer), 0) == 12 && memcmp(buffer, adam6500_resp1, sizeof(adam6500_resp1)) == 0) { if (hydra_send(s, adam6500_req2, sizeof(adam6500_req2), 0) < 0) return 1; @@ -90,7 +48,7 @@ int32_t start_adam6500(int32_t s, char *ip, int32_t port, unsigned char options, return 1; } -void service_adam6500(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_adam6500(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_ADAM6500, mysslport = PORT_ADAM6500_SSL; 
@@ -100,34 +58,34 @@ void service_adam6500(char *ip, int32_t sp, unsigned char options, char *miscptr while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - - next_run = 2; - break; + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_adam6500(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -145,13 +103,13 @@ void service_adam6500(char *ip, int32_t sp, unsigned char options, char *miscptr } } -int32_t service_adam6500_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_adam6500_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-afp.c b/hydra-afp.c index c940ce1..1d2801d 100644 --- a/hydra-afp.c +++ b/hydra-afp.c @@ -1,6 +1,6 @@ /* * Apple Filing Protocol Support - by David Maciejak @ GMAIL dot com - * + * * tested with afpfs-ng 0.8.1 * AFPFS-NG: http://alexthepuffin.googlepages.com/home * @@ -9,33 +9,31 @@ #include "hydra-mod.h" #ifndef LIBAFP -void dummy_afp() { - printf("\n"); -} +void dummy_afp() { printf("\n"); } #else -#define FREE(x) \ - if (x != NULL) { \ - free(x); \ - x = NULL; \ - } +#define FREE(x) \ + if (x != NULL) { \ + free(x); \ + x = NULL; \ + } -#include #include #include +#include extern char *HYDRA_EXIT; void stdout_fct(void *priv, enum loglevels loglevel, int32_t logtype, const char *message) { - //fprintf(stderr, "[ERROR] Caught unknown error %s\n", message); + // fprintf(stderr, "[ERROR] Caught unknown error %s\n", message); } static struct libafpclient afpclient = { - .unmount_volume = NULL, - .log_for_client = stdout_fct, - .forced_ending_hook = NULL, - .scan_extra_fds = NULL, - .loop_started = NULL, + .unmount_volume = NULL, + .log_for_client = stdout_fct, + .forced_ending_hook = NULL, + .scan_extra_fds = NULL, + .loop_started = NULL, }; static int32_t server_subconnect(struct afp_url url) { 
@@ -43,18 +41,19 @@ static int32_t server_subconnect(struct afp_url url) { struct afp_server *server = NULL; conn_req = malloc(sizeof(struct afp_connection_request)); -// server = malloc(sizeof(struct afp_server)); + // server = malloc(sizeof(struct afp_server)); memset(conn_req, 0, sizeof(struct afp_connection_request)); conn_req->url = url; conn_req->url.requested_version = 31; - //fprintf(stderr, "AFP connection - username: %s password: %s server: %s\n", url.username, url.password, url.servername); + // fprintf(stderr, "AFP connection - username: %s password: %s server: %s\n", + // url.username, url.password, url.servername); if (strlen(url.uamname) > 0) { if ((conn_req->uam_mask = find_uam_by_name(url.uamname)) == 0) { - fprintf(stderr, "[ERROR] Unknown UAM: %s", url.uamname); + fprintf(stderr, "[ERROR] Unknown UAM: %s\n", url.uamname); FREE(conn_req); FREE(server); return -1; @@ -63,13 +62,14 @@ static int32_t server_subconnect(struct afp_url url) { conn_req->uam_mask = default_uams_mask(); } - //fprintf(stderr, "Initiating connection attempt.\n"); + // fprintf(stderr, "Initiating connection attempt.\n"); if ((server = afp_server_full_connect(NULL, conn_req)) == NULL) { FREE(conn_req); -// FREE(server); + // FREE(server); return -1; } - //fprintf(stderr, "Connected to server: %s via UAM: %s\n", server->server_name_printable, uam_bitmap_to_string(server->using_uam)); + // fprintf(stderr, "Connected to server: %s via UAM: %s\n", + // server->server_name_printable, uam_bitmap_to_string(server->using_uam)); FREE(conn_req); FREE(server); @@ -77,7 +77,7 @@ static int32_t server_subconnect(struct afp_url url) { return 0; } -int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, mlogin[AFP_MAX_USERNAME_LEN], mpass[AFP_MAX_PASSWORD_LEN]; struct afp_url tmpurl; 
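Review bot: `conn_req = malloc(sizeof(struct afp_connection_request))` is still dereferenced by the `memset` on the next line without a NULL check, so an allocation failure crashes the child rather than returning the -1 the rest of this function uses for errors; insert `if (conn_req == NULL) return -1;` between the two. The only functional change in the hunk is the added `\n` on the "Unknown UAM" message, which matches the other `[ERROR]` messages in this file that already end with a newline. server_subconnect begins above the hunk.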
@@ -88,7 +88,6 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char init_uams(); afp_default_url(&tmpurl); - if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) @@ -110,7 +109,6 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char return 3; return 2; } else { - hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; @@ -118,7 +116,7 @@ int32_t start_afp(int32_t s, char *ip, int32_t port, unsigned char options, char return 1; } -void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_AFP; @@ -127,9 +125,8 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; while (1) { - switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { @@ -139,7 +136,8 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL port = myport; } if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -149,7 +147,7 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL case 2: /* - * Here we start the password cracking process + * Here we start the password cracking process */ next_run = start_afp(sock, ip, port, options, miscptr, fp); 
@@ -172,13 +170,13 @@ void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL #endif -int32_t service_afp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_afp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-asterisk.c b/hydra-asterisk.c index 5be7896..bbcfce7 100644 --- a/hydra-asterisk.c +++ b/hydra-asterisk.c @@ -1,17 +1,16 @@ -//This plugin was written by david@ +// This plugin was written by david@ // -//This plugin is written for Asterisk Call Manager -//which is running by default on TCP/5038 +// This plugin is written for Asterisk Call Manager +// which is running by default on TCP/5038 // #include "hydra-mod.h" - extern char *HYDRA_EXIT; char *buf; -int32_t start_asterisk(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_asterisk(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = "\"\""; char *login, *pass, buffer[1024]; @@ -41,7 +40,10 @@ int32_t start_asterisk(int32_t s, char *ip, int32_t port, unsigned char options, hydra_report(stderr, "[DEBUG] S: %s\n", buf); if (buf == NULL || (strstr(buf, "Response: ") == NULL)) { - hydra_report(stderr, "[ERROR] Asterisk Call Manager protocol error or service shutdown: %s\n", buf); + hydra_report(stderr, + "[ERROR] Asterisk Call Manager protocol error or service " + "shutdown: %s\n", + buf); free(buf); return 4; } 
@@ -62,7 +64,7 @@ int32_t start_asterisk(int32_t s, char *ip, int32_t port, unsigned char options, return 2; } -void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_ASTERISK, mysslport = PORT_ASTERISK_SSL; @@ -71,10 +73,10 @@ void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -89,31 +91,35 @@ void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); - //fprintf(stderr, "%s\n",buf); - //banner should look like: - //Asterisk Call Manager/1.1 + // fprintf(stderr, "%s\n",buf); + // banner should look like: + // Asterisk Call Manager/1.1 if (buf == NULL || strstr(buf, "Asterisk Call Manager/") == NULL) { /* check the first line */ if (verbose || debug) - hydra_report(stderr, "[ERROR] Not an Asterisk Call Manager protocol or service shutdown: %s\n", buf); + hydra_report(stderr, + "[ERROR] Not an Asterisk Call Manager protocol or " + "service shutdown: %s\n", + buf); hydra_child_exit(2); } free(buf); next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_asterisk(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); 
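Review bot: The banner check passes `buf` for `%s` on the branch that is entered when `buf == NULL`, which is undefined behaviour for a printf-style formatter even though glibc happens to print "(null)"; pass `buf ? buf : "(null)"`, or report the NULL case without the argument. The same pattern is in the `@@ -41,7 +40,10 @@` hunk of this file, where the "Response:" check reports `buf` after testing it for NULL. The `buf` written here is the file-scope `char *buf;` tentative definition that hydra-cisco-enable.c also declares (visible in its `@@ -3,7 +3,7 @@` hunk); under `-fno-common`, the GCC 10 default, those two definitions collide at link time, so `static char *buf;` in each module is the safer form. The added `break;` after `hydra_child_exit(0)` is fine as written. service_asterisk begins above the hunk and continues past it.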
@@ -122,13 +128,13 @@ void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr } } -int32_t service_asterisk_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_asterisk_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-cisco-enable.c b/hydra-cisco-enable.c index 4cc9bdf..5a835e1 100644 --- a/hydra-cisco-enable.c +++ b/hydra-cisco-enable.c @@ -3,7 +3,7 @@ extern char *HYDRA_EXIT; char *buf; -int32_t start_cisco_enable(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_cisco_enable(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *pass, buffer[300]; @@ -42,8 +42,7 @@ int32_t start_cisco_enable(int32_t s, char *ip, int32_t port, unsigned char opti } } - if (buf != NULL - && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "fail") != NULL || strstr(buf, "denied") != NULL)) { + if (buf != NULL && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "fail") != NULL || strstr(buf, "denied") != NULL)) { free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) 
@@ -58,7 +57,7 @@ int32_t start_cisco_enable(int32_t s, char *ip, int32_t port, unsigned char opti return 3; } -void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, failc = 0, retry = 1, next_run = 1, sock = -1; int32_t myport = PORT_TELNET, mysslport = PORT_TELNET_SSL; char buffer[300]; 
@@ -70,117 +69,130 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; + } + if (sock < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + + /* Cisco AAA Support */ + if (strlen(login = hydra_get_next_login()) != 0) { + while ((buf = hydra_receive_line(sock)) != NULL && strstr(buf, "name:") == NULL && strstr(buf, "ogin:") == NULL) { + if (hydra_strcasestr(buf, "ress ENTER") != NULL) + hydra_send(sock, "\r\n", 2, 0); + free(buf); } - /* Cisco AAA Support */ - if (strlen(login = hydra_get_next_login()) != 0) { - while ((buf = hydra_receive_line(sock)) != NULL && strstr(buf, "name:") == NULL && strstr(buf, "ogin:") == NULL) { - if (hydra_strcasestr(buf, "ress ENTER") != NULL) - hydra_send(sock, "\r\n", 2, 0); - free(buf); - } - - sprintf(buffer, "%.250s\r\n", login); - if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 
login\n", (int32_t) getpid()); - hydra_child_exit(2); - } - } - - if (miscptr != NULL) { - if (buf != NULL) - free(buf); - while ((buf = hydra_receive_line(sock)) != NULL && strstr(buf, "assw") == NULL) { - if (hydra_strcasestr(buf, "ress ENTER") != NULL) - hydra_send(sock, "\r\n", 2, 0); - free(buf); - } - - sprintf(buffer, "%.250s\r\n", miscptr); - if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t) getpid()); - hydra_child_exit(2); - } + sprintf(buffer, "%.250s\r\n", login); + if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t)getpid()); + hydra_child_exit(2); } + } + if (miscptr != NULL) { if (buf != NULL) free(buf); - buf = hydra_receive_line(sock); - if (hydra_strcasestr(buf, "ress ENTER") != NULL) { - hydra_send(sock, "\r\n", 2, 0); + while ((buf = hydra_receive_line(sock)) != NULL && strstr(buf, "assw") == NULL) { + if (hydra_strcasestr(buf, "ress ENTER") != NULL) + hydra_send(sock, "\r\n", 2, 0); free(buf); - buf = hydra_receive_line(sock); } - if (strstr(buf, "assw") != NULL) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating - can not login, can not login\n", (int32_t) getpid()); - hydra_child_exit(2); - } - free(buf); - - next_run = 2; - break; - } - case 2: /* run the cracking function */ - { - unsigned char *buf2; - int32_t f = 0; - - sprintf(buffer, "%.250s\r\n", "ena"); + sprintf(buffer, "%.250s\r\n", miscptr); if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'ena'\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send login\n", (int32_t)getpid()); hydra_child_exit(2); } - - do { - if (f != 0) - free(buf2); - else - f = 1; - if ((buf2 = (unsigned char *) 
hydra_receive_line(sock)) == NULL) { - if (failc < retry) { - next_run = 1; - failc++; - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int32_t) getpid(), failc, retry); - sleep(3); - break; - } else { - fprintf(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t) getpid()); - hydra_child_exit(0); - } - } - } while (strstr((char *) buf2, "assw") == NULL); - free(buf2); - if (next_run != 0) - break; - failc = 0; - - next_run = start_cisco_enable(sock, ip, port, options, miscptr, fp); - break; } - case 3: /* clean exit */ + + if (buf != NULL) + free(buf); + buf = hydra_receive_line(sock); + if (hydra_strcasestr(buf, "ress ENTER") != NULL) { + hydra_send(sock, "\r\n", 2, 0); + free(buf); + buf = hydra_receive_line(sock); + } + + if (strstr(buf, "assw") != NULL) { + if (quiet != 1) + fprintf(stderr, + "[ERROR] Child with pid %d terminating - can not login, can " + "not login\n", + (int32_t)getpid()); + hydra_child_exit(2); + } + free(buf); + + next_run = 2; + break; + } + case 2: /* run the cracking function */ + { + unsigned char *buf2; + int32_t f = 0; + + sprintf(buffer, "%.250s\r\n", "ena"); + if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'ena'\n", (int32_t)getpid()); + hydra_child_exit(2); + } + + do { + if (f != 0) + free(buf2); + else + f = 1; + if ((buf2 = (unsigned char *)hydra_receive_line(sock)) == NULL) { + if (failc < retry) { + next_run = 1; + failc++; + if (quiet != 1) + fprintf(stderr, + "[ERROR] Child with pid %d was disconnected - retrying " + "(%d of %d retries)\n", + (int32_t)getpid(), failc, retry); + sleep(3); + break; + } else { + fprintf(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t)getpid()); + hydra_child_exit(0); + } + } + } while (strstr((char *)buf2, "assw") == NULL); + free(buf2); + if (next_run != 0) + break; + failc = 0; + + 
next_run = start_cisco_enable(sock, ip, port, options, miscptr, fp); + break; + } + case 3: /* clean exit */ sprintf(buffer, "%.250s\r\n", "exit"); if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'exit'\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not send 'exit'\n", (int32_t)getpid()); hydra_child_exit(0); } if (sock >= 0) @@ -196,13 +208,13 @@ void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *mis } } -int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
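Review bot: `buf` is left dangling after the `free(buf);` that ends case 1 and after the frees inside start_cisco_enable, and the retry path in case 2 (`next_run = 1` after a disconnect) re-enters case 1 where, when no login was given, `if (buf != NULL) free(buf);` runs on that stale pointer — a double free. Add `buf = NULL;` after each of those frees, as this same commit does for hydra-cisco.c. Separately, the two `hydra_receive_line` results read after the `if (miscptr != NULL)` block are fed straight to `hydra_strcasestr(buf, "ress ENTER")` and `strstr(buf, "assw")` with no NULL check, unlike the loops above them; guard with `if (buf == NULL) hydra_child_exit(2);` before the first of them. service_cisco_enable continues outside the hunk.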
@@ -210,12 +222,16 @@ int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, c return 0; } -void usage_cisco_enable(const char* service) { - printf("Module cisco-enable is optionally taking the logon password for the cisco device\n" - "Note: if AAA authentication is used, use the -l option for the username\n" +void usage_cisco_enable(const char *service) { + printf("Module cisco-enable is optionally taking the logon password for the " + "cisco device\n" + "Note: if AAA authentication is used, use the -l option for the " + "username\n" "and the optional parameter for the password of the user.\n" "Examples:\n" " hydra -P pass.txt target cisco-enable (direct console access)\n" - " hydra -P pass.txt -m cisco target cisco-enable (Logon password cisco)\n" - " hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login foo, password bar)\n"); + " hydra -P pass.txt -m cisco target cisco-enable (Logon password " + "cisco)\n" + " hydra -l foo -m bar -P pass.txt target cisco-enable (AAA Login " + "foo, password bar)\n"); } diff --git a/hydra-cisco.c b/hydra-cisco.c index 32d0e20..e31c749 100644 --- a/hydra-cisco.c +++ b/hydra-cisco.c @@ -5,9 +5,9 @@ #endif extern char *HYDRA_EXIT; -char *buf = NULL; +static char *buf = NULL; -int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *pass, buffer[300]; @@ -52,7 +52,7 @@ int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, ch if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } - + buf = NULL; do { if (buf != NULL) 
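Review bot: Making `buf` `static` here is the right fix for the duplicate `char *buf` definitions across modules, but in this same commit the variable stays a non-static global in hydra-cisco-enable.c, hydra-cvs.c, hydra-ftp.c and the new hydra-cobaltstrike.c, so the link still leans on the `-fcommon`/`--allow-multiple-definition` flags added to the GTK build. Apply `static char *buf = NULL;` in the other modules too so those flags can be dropped.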
@@ -95,7 +95,6 @@ int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, ch } } while (buf != NULL && strlen(buf) <= 1); } - } if (buf != NULL && (strstr(buf, "assw") != NULL || strstr(buf, "ad ") != NULL || strstr(buf, "attempt") != NULL || strstr(buf, "ailur") != NULL)) { @@ -115,7 +114,7 @@ int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, ch return 1; } -void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, failc = 0, retry = 1, next_run = 1, sock = -1; int32_t myport = PORT_TELNET, mysslport = PORT_TELNET_SSL; 
@@ -125,63 +124,68 @@ void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, F while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - unsigned char *buf2 = NULL; - int32_t f = 0; + case 1: /* connect and service init function */ + { + unsigned char *buf2 = NULL; + int32_t f = 0; - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - if (miscptr != NULL && hydra_strcasestr(miscptr, "enter") != NULL) - hydra_send(sock, "\r\n", 2, 0); - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - do { - if (f != 0) { - free(buf2); - buf2 = NULL; - } else - f = 1; - if ((buf2 = (unsigned char *) hydra_receive_line(sock)) == NULL) { - if (failc < retry) { - next_run = 1; - failc++; - if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - retrying (%d of %d retries)\n", (int32_t) getpid(), failc, retry); - sleep(3); - break; - } else { - if (quiet != 1) hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t) getpid()); - hydra_child_exit(0); - } - } - if (buf2 != NULL && hydra_strcasestr((char*)buf2, "ress ENTER") != NULL) - hydra_send(sock, "\r\n", 2, 0); - } while (buf2 != NULL && strstr((char *) buf2, "assw") == NULL); - free(buf2); - if (next_run != 0) - break; - failc = 0; - next_run = 2; - break; + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + if (miscptr != NULL && hydra_strcasestr(miscptr, "enter") != NULL) + hydra_send(sock, "\r\n", 2, 0); 
+ } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + do { + if (f != 0) { + free(buf2); + buf2 = NULL; + } else + f = 1; + if ((buf2 = (unsigned char *)hydra_receive_line(sock)) == NULL) { + if (failc < retry) { + next_run = 1; + failc++; + if (quiet != 1) + hydra_report(stderr, + "[ERROR] Child with pid %d was disconnected - " + "retrying (%d of %d retries)\n", + (int32_t)getpid(), failc, retry); + sleep(3); + break; + } else { + if (quiet != 1) + hydra_report(stderr, "[ERROR] Child with pid %d was disconnected - exiting\n", (int32_t)getpid()); + hydra_child_exit(0); + } + } + if (buf2 != NULL && hydra_strcasestr((char *)buf2, "ress ENTER") != NULL) + hydra_send(sock, "\r\n", 2, 0); + } while (buf2 != NULL && strstr((char *)buf2, "assw") == NULL); + free(buf2); + if (next_run != 0) + break; + failc = 0; + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_cisco(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
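Review bot: In case 1 the initial ENTER (`if (miscptr != NULL && hydra_strcasestr(miscptr, "enter") != NULL) hydra_send(sock, "\r\n", 2, 0);`) is sent before the `sock < 0` check and only inside the plain-TCP branch, so a failed connect performs a send on a negative descriptor and the OPTION_SSL branch never sends it, although the usage text updated in this commit promises the ENTER unconditionally. Move those two lines to just after the `if (sock < 0) { ... hydra_child_exit(1); }` block so both branches share them. service_cisco continues outside the hunk.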
@@ -199,13 +203,13 @@ void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, F } } -int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -213,6 +217,8 @@ int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *mi return 0; } -void usage_cisco(const char* service) { - printf("Module cisco is optionally taking the keyword ENTER, it then sends an initial\n" "ENTER when connecting to the service.\n"); +void usage_cisco(const char *service) { + printf("Module cisco is optionally taking the keyword ENTER, it then sends " + "an initial\n" + "ENTER when connecting to the service.\n"); } diff --git a/hydra-cobaltstrike.c b/hydra-cobaltstrike.c new file mode 100644 index 0000000..6c40e64 --- /dev/null +++ b/hydra-cobaltstrike.c 
@@ -0,0 +1,126 @@ +#include "hydra-mod.h" + +#define CSLEN 256 + +extern char *HYDRA_EXIT; +char *buf; + +int32_t start_cobaltstrike(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = ""; + char *pass, buffer[4 + 1 + 256]; + char cs_pass[CSLEN + 1]; + unsigned char len_pass; + unsigned char reply_byte_0; + unsigned char reply_byte_1; + unsigned char reply_byte_2; + unsigned char reply_byte_3; + int32_t ret = -1; + + if (strlen(pass = hydra_get_next_password()) == 0) + pass = empty; + if (strlen(pass) > CSLEN) + pass[CSLEN - 1] = 0; + len_pass = strlen(pass); + memset(cs_pass, 0, CSLEN + 1); + strcpy(cs_pass, pass); + + memset(buffer, 0x41, sizeof(buffer)); + buffer[0] = 0x00; + buffer[1] = 0x00; + buffer[2] = 0xBE; + buffer[3] = 0xEF; + memcpy(buffer + 4, &len_pass, 1); + memcpy(buffer + 5, cs_pass, len_pass); + + if (hydra_send(s, buffer, sizeof(buffer), 0) < 0) + return 1; + + reply_byte_0 = 0x00; + ret = hydra_recv_nb(s, &reply_byte_0, 1); + if (ret <= 0) + return 3; + + reply_byte_1 = 0x00; + ret = hydra_recv_nb(s, &reply_byte_1, 1); + if (ret <= 0) + return 3; + + reply_byte_2 = 0x00; + ret = hydra_recv_nb(s, &reply_byte_2, 1); + if (ret <= 0) + return 3; + + reply_byte_3 = 0x00; + ret = hydra_recv_nb(s, &reply_byte_3, 1); + if (ret <= 0) + return 3; + + if (reply_byte_0 == 0x00 && reply_byte_1 == 0x00 && reply_byte_2 == 0xCA && reply_byte_3 == 0xFE) { + hydra_report_found_host(port, ip, "cobaltstrike", fp); + hydra_completed_pair_found(); + free(buf); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return 2; + return 1; + } + + free(buf); + hydra_completed_pair(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return 2; + + return 1; +} + +void service_cobaltstrike(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + int32_t run = 1, next_run = 1, sock = -1; + int32_t mysslport = PORT_COBALTSTRIKE_SSL; 
+ + hydra_register_socket(sp); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return; + while (1) { + switch (run) { + case 1: /* connect and service init function */ + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = start_cobaltstrike(sock, ip, port, options, miscptr, fp); + hydra_disconnect(sock); + break; + case 2: /* clean exit */ + if (sock >= 0) + sock = hydra_disconnect(sock); + hydra_child_exit(0); + return; + case 3: /* clean exit */ + if (sock >= 0) + sock = hydra_disconnect(sock); + hydra_child_exit(2); + return; + default: + hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); + hydra_child_exit(2); + } + run = next_run; + } +} + +int32_t service_cobaltstrike_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + // called before the childrens are forked off, so this is the function + // which should be filled if initial connections and service setup has to be + // performed once only. + // + // fill if needed. + // + // return codes: + // 0 all OK + // -1 error, hydra will exit, so print a good error message here + + return 0; +} diff --git a/hydra-cvs.c b/hydra-cvs.c index b745504..5dfb40b 100644 --- a/hydra-cvs.c +++ b/hydra-cvs.c 
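Review bot: `len_pass` is an `unsigned char`, but the guard `if (strlen(pass) > CSLEN) pass[CSLEN - 1] = 0;` lets a 256-character password through, so `len_pass = strlen(pass)` wraps to 0 and the packet is sent with an empty password; the guard should read `if (strlen(pass) >= CSLEN)`, and it should truncate a local copy rather than writing into the string returned by hydra_get_next_password (the other modules truncate with `%.250s` instead). In service_cobaltstrike, case 1 calls `hydra_disconnect(sock);` without storing the result, so `sock` keeps the closed descriptor and cases 2 and 3 then close it a second time; use `sock = hydra_disconnect(sock);` as the other modules do. The file-level `char *buf;` is never assigned anywhere in this file, so the two `free(buf)` calls in start_cobaltstrike are at best no-ops and, if the build merges this non-static `buf` with the other modules' copies via `-fcommon`, free memory owned by someone else — drop them, or make the variable `static` as hydra-cisco.c now does.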
@@ -5,38 +5,32 @@ extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); extern char *HYDRA_EXIT; char *buf; -int32_t start_cvs(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_cvs(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[1024], pass2[513]; int32_t i; char *directory = miscptr; -/* evil cvs encryption sheme... - 0 111 P 125 p 58 -! 120 1 52 A 57 Q 55 a 121 q 113 -" 53 2 75 B 83 R 54 b 117 r 32 - 3 119 C 43 S 66 c 104 s 90 - 4 49 D 46 T 124 d 101 t 44 -% 109 5 34 E 102 U 126 e 100 u 98 -& 72 6 82 F 40 V 59 f 69 v 60 -' 108 7 81 G 89 W 47 g 73 w 51 -( 70 8 95 H 38 X 92 h 99 x 33 -) 64 9 65 I 103 Y 71 i 63 y 97 -* 76 : 112 J 45 Z 115 j 94 z 62 -+ 67 ; 86 K 50 k 93 -, 116 < 118 L 42 l 39 -- 74 = 110 M 123 m 37 -. 68 > 122 N 91 n 61 -/ 87 ? 105 O 35 _ 56 o 48 -*/ + /* evil cvs encryption sheme... + 0 111 P 125 p 58 + ! 120 1 52 A 57 Q 55 a 121 q 113 + " 53 2 75 B 83 R 54 b 117 r 32 + 3 119 C 43 S 66 c 104 s 90 + 4 49 D 46 T 124 d 101 t 44 + % 109 5 34 E 102 U 126 e 100 u 98 + & 72 6 82 F 40 V 59 f 69 v 60 + ' 108 7 81 G 89 W 47 g 73 w 51 + ( 70 8 95 H 38 X 92 h 99 x 33 + ) 64 9 65 I 103 Y 71 i 63 y 97 + * 76 : 112 J 45 Z 115 j 94 z 62 + + 67 ; 86 K 50 k 93 + , 116 < 118 L 42 l 39 + - 74 = 110 M 123 m 37 + . 68 > 122 N 91 n 61 + / 87 ? 
105 O 35 _ 56 o 48 + */ - char key[] = { 0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87, - 111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105, - 0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35, - 125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56, - 0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48, - 58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62 - }; + char key[] = {0, 120, 53, 0, 0, 109, 72, 108, 70, 64, 76, 67, 116, 74, 68, 87, 111, 52, 75, 119, 49, 34, 82, 81, 95, 65, 112, 86, 118, 110, 122, 105, 0, 57, 83, 43, 46, 102, 40, 89, 38, 103, 45, 50, 42, 123, 91, 35, 125, 55, 54, 66, 124, 126, 59, 47, 92, 71, 115, 0, 0, 0, 0, 56, 0, 121, 117, 104, 101, 100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48, 58, 113, 32, 90, 44, 98, 60, 51, 33, 97, 62}; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -85,7 +79,7 @@ int32_t start_cvs(int32_t s, char *ip, int32_t port, unsigned char options, char return 3; } -void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_CVS, mysslport = PORT_CVS_SSL; @@ -100,11 +94,11 @@ void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
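Review bot: The comment above `key[]` still calls the table an "encryption sheme"; what it lists, and what the array encodes indexed from `' '` (`key[0]` is space → 0, `key['!' - ' ']` → 120, `key['0' - ' ']` → 111), is a fixed one-byte substitution applied to each password character, i.e. reversible obfuscation. A header such as `/* CVS password scrambling: fixed per-character substitution, index is (c - ' '); obfuscation, not encryption */` would describe the table accurately and fix the typo. start_cvs continues outside the hunk.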
@@ -118,12 +112,12 @@ void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = start_cvs(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); @@ -136,13 +130,13 @@ void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } } -int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -150,6 +144,7 @@ int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *misc return 0; } -void usage_cvs(const char* service) { - printf("Module cvs is optionally taking the repository name to attack, default is \"/root\"\n\n"); +void usage_cvs(const char *service) { + printf("Module cvs is optionally taking the repository name to attack, " + "default is \"/root\"\n\n"); } diff --git a/hydra-firebird.c b/hydra-firebird.c index 1b5228b..dea104f 100644 --- a/hydra-firebird.c +++ b/hydra-firebird.c @@ -1,7 +1,7 @@ /* Firebird Support - by David Maciejak @ GMAIL dot com - + you need to pass full path to the fdb file as argument default account is SYSDBA/masterkey 
@@ -14,28 +14,27 @@ the msg: "no permission for direct access to security database" #include "hydra-mod.h" #ifndef LIBFIREBIRD -void dummy_firebird() { - printf("\n"); -} +void dummy_firebird() { printf("\n"); } #else -#include #include +#include #define DEFAULT_DB "C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb" +extern hydra_option hydra_options; extern char *HYDRA_EXIT; -int32_t start_firebird(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_firebird(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; char database[256]; char connection_string[1024]; - isc_db_handle db; /* database handle */ - ISC_STATUS_ARRAY status; /* status vector */ + isc_db_handle db; /* database handle */ + ISC_STATUS_ARRAY status; /* status vector */ - char *dpb = NULL; /* DB parameter buffer */ + char *dpb = NULL; /* DB parameter buffer */ short dpb_length = 0; if (miscptr) @@ -49,8 +48,8 @@ int32_t start_firebird(int32_t s, char *ip, int32_t port, unsigned char options, if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; - dpb_length = (short) (1 + strlen(login) + 2 + strlen(pass) + 2); - if ((dpb = (char *) malloc(dpb_length)) == NULL) { + dpb_length = (short)(1 + strlen(login) + 2 + strlen(pass) + 2); + if ((dpb = (char *)malloc(dpb_length)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } @@ -86,7 +85,7 @@ int32_t start_firebird(int32_t s, char *ip, int32_t port, unsigned char options, return 1; } -void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_FIREBIRD, mysslport = PORT_FIREBIRD_SSL; 
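Review bot: `dpb_length = (short)(1 + strlen(login) + 2 + strlen(pass) + 2);` narrows a size_t to `short`, so a login/password pair whose combined length reaches about 32K wraps to a negative value (the following `malloc(dpb_length)` then fails and is reported) and past 64K to a small positive one, leaving the DPB buffer smaller than the fill that presumably follows. If the `short` is required by the Firebird API, reject oversize input before the cast, e.g. `if (1 + strlen(login) + 2 + strlen(pass) + 2 > SHRT_MAX) return 1;`. start_firebird continues outside the hunk.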
@@ -95,9 +94,8 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr return; while (1) { - switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { @@ -112,7 +110,8 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr port = mysslport; } if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -122,10 +121,12 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr case 2: /* - * Here we start the password cracking process + * Here we start the password cracking process */ next_run = start_firebird(sock, ip, port, options, miscptr, fp); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: @@ -145,13 +146,13 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr #endif -int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
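Review bot: The new `if ((next_run == 1 || next_run == 2) && hydra_options.conwait) sleep(hydra_options.conwait);` in case 2 is the only place in this commit where a module sleeps on `conwait` itself, and nothing explains why this module needs it while the others leave it to the core. Add a one-line reason above it, e.g. `// honour -c here: each attempt attaches through the Firebird client library, so the core's per-connect wait never applies` (adjust if the reason differs), and confirm that `conwait` cannot be negative, since `sleep()` takes an unsigned int. service_firebird continues outside the hunk.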
@@ -159,6 +160,8 @@ int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char return 0; } -void usage_firebird(const char* service) { - printf("Module firebird is optionally taking the database path to attack,\n" "default is \"C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n"); +void usage_firebird(const char *service) { + printf("Module firebird is optionally taking the database path to attack,\n" + "default is \"C:\\Program " + "Files\\Firebird\\Firebird_1_5\\security.fdb\"\n\n"); } diff --git a/hydra-ftp.c b/hydra-ftp.c index 6b853eb..c6e256c 100644 --- a/hydra-ftp.c +++ b/hydra-ftp.c @@ -3,7 +3,7 @@ extern char *HYDRA_EXIT; char *buf; -int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = "\"\""; char *login, *pass, buffer[510]; @@ -20,13 +20,16 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char buf = hydra_receive_line(s); if (buf == NULL) return 1; - /* special hack to identify 530 user unknown msg. suggested by Jean-Baptiste.BEAUFRETON@turbomeca.fr */ + /* special hack to identify 530 user unknown msg. suggested by + * Jean-Baptiste.BEAUFRETON@turbomeca.fr */ if (buf[0] == '5' && buf[1] == '3' && buf[2] == '0') { if (verbose) printf("[INFO] user %s does not exist, skipping\n", login); hydra_completed_pair_skip(); - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + free(buf); return 4; + } free(buf); return 1; } 
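Review bot: The `free(buf);` added in the `530` branch now appears in both arms of the HYDRA_EXIT test, and the same shape is repeated for the two `buf[0] == '2'` branches later in the file; nothing in this hunk reads `buf` after the `530` check, so hoisting the free above the test — `free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 4; return 1;` — keeps the leak fix in one place. While here, `buf[0] == '5' && buf[1] == '3' && buf[2] == '0'` reads more clearly as `strncmp(buf, "530", 3) == 0`. start_ftp continues outside the hunk.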
@@ -34,8 +37,10 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char if (buf[0] == '2') { hydra_report_found_host(port, ip, "ftp", fp); hydra_completed_pair_found(); - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + free(buf); return 4; + } free(buf); return 1; } @@ -60,8 +65,10 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char if (buf[0] == '2') { hydra_report_found_host(port, ip, "ftp", fp); hydra_completed_pair_found(); - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + free(buf); return 4; + } free(buf); return 1; } @@ -74,7 +81,7 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char return 2; } -void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, int32_t tls) { +void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, int32_t tls) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_FTP, mysslport = PORT_FTP_SSL; @@ -83,10 +90,10 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr hydra_child_exit(0); while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -100,12 +107,12 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } usleepn(250); buf = hydra_receive_line(sock); - if (buf == NULL || buf[0] != '2') { /* check the first line */ + if (buf == NULL || buf[0] != '2') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an FTP protocol or service shutdown: %s\n", buf); hydra_child_exit(2); @@ -120,7 +127,7 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr } free(buf); - //this mode is manually chosen, so if it fails we giving up + // this mode is manually chosen, so if it fails we giving up if (tls) { if (hydra_send(sock, "AUTH TLS\r\n", strlen("AUTH TLS\r\n"), 0) < 0) { hydra_child_exit(2); @@ -148,17 +155,19 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_ftp(sock, ip, port, options, miscptr, fp); break; - case 3: /* error exit */ + case 3: /* error exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); - case 4: /* clean exit */ + break; + case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); 
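Review bot: `hydra_report(stderr, "[ERROR] Not an FTP protocol or service shutdown: %s\n", buf);` is reached through `buf == NULL || buf[0] != '2'`, so on the NULL path it passes a null pointer to `%s` — undefined behaviour that glibc masks as "(null)" but other libcs may not. Use `buf ? buf : "(no banner)"` in the call. The added `break;` after `hydra_child_exit(2)` in case 3 correctly stops the fall-through into case 4; service_ftp_core continues outside the hunk.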
@@ -167,21 +176,17 @@ void service_ftp_core(char *ip, int32_t sp, unsigned char options, char *miscptr } } -void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 0); -} +void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 0); } -void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 1); -} +void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ftp_core(ip, sp, options, miscptr, fp, port, hostname, 1); } -int32_t service_ftp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_ftp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-gtk/Makefile.in b/hydra-gtk/Makefile.in index bf5322e..c29f5fa 100644 --- a/hydra-gtk/Makefile.in +++ b/hydra-gtk/Makefile.in @@ -61,8 +61,9 @@ CC = @CC@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ PACKAGE = @PACKAGE@ -PACKAGE_CFLAGS = @PACKAGE_CFLAGS@ -PACKAGE_LIBS = @PACKAGE_LIBS@ +PACKAGE_CFLAGS = @PACKAGE_CFLAGS@ -fcommon -Wl,--allow-multiple-definition +PACKAGE_LDFLAGS = -fcommon -Wl,--allow-multiple-definition +PACKAGE_LIBS = -fcommon -Wl,--allow-multiple-definition @PACKAGE_LIBS@ PKG_CONFIG = @PKG_CONFIG@ VERSION = @VERSION@ 
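Review bot: `-fcommon -Wl,--allow-multiple-definition` in PACKAGE_CFLAGS and PACKAGE_LIBS hides the duplicate-symbol errors that newer GCC's `-fno-common` default surfaces instead of fixing them: the linker silently keeps the first definition, so two objects that define the same global with different types or sizes end up aliasing one another, which is undefined behaviour rather than a diagnosable build failure. The durable fix is to declare shared globals `extern` in the header and define each one in exactly one .c file, after which both flags can be removed. The new PACKAGE_LDFLAGS variable is not referenced anywhere visible, and `-Wl,` options placed in CFLAGS are only forwarded at link time, so they duplicate the copy already in PACKAGE_LIBS. The same flags are hard-coded into hydra-gtk/configure and hydra-gtk/src/Makefile.in in the following hunks and the same remark applies there.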
diff --git a/hydra-gtk/configure b/hydra-gtk/configure index 287741e..6cd3de7 100755 --- a/hydra-gtk/configure +++ b/hydra-gtk/configure @@ -2233,15 +2233,15 @@ if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then - CFLAGS="-g -O2" + CFLAGS="-g -O2 -fcommon -Wl,--allow-multiple-definition" else - CFLAGS="-g" + CFLAGS="-g -fcommon -Wl,--allow-multiple-definition" fi else if test "$GCC" = yes; then - CFLAGS="-O2" + CFLAGS="-O2 -fcommon -Wl,--allow-multiple-definition" else - CFLAGS= + CFLAGS="-fcommon -Wl,--allow-multiple-definition" fi fi echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5 @@ -2391,7 +2391,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then for ac_declaration in \ - '' \ + '#include ' \ 'extern "C" void std::exit (int) throw (); using std::exit;' \ 'extern "C" void std::exit (int); using std::exit;' \ 'extern "C" void exit (int) throw ();' \ @@ -3192,7 +3192,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then for ac_declaration in \ - '' \ + '#include ' \ 'extern "C" void std::exit (int) throw (); using std::exit;' \ 'extern "C" void std::exit (int); using std::exit;' \ 'extern "C" void exit (int) throw ();' \ @@ -3797,8 +3797,8 @@ main () for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) - exit(2); - exit (0); + return 2; + return 0; } _ACEOF rm -f conftest$ac_exeext diff --git a/hydra-gtk/configure.in b/hydra-gtk/configure.in index e4fb923..5bf4e78 100755 --- a/hydra-gtk/configure.in +++ b/hydra-gtk/configure.in @@ -10,7 +10,7 @@ AC_PROG_CC AM_PROG_CC_STDC AC_HEADER_STDC -pkg_modules="gtk+-2.0 >= 2.0.0" +pkg_modules="gtk+-3.0 >= 3.24.24" PKG_CHECK_MODULES(PACKAGE, [$pkg_modules]) AC_SUBST(PACKAGE_CFLAGS) AC_SUBST(PACKAGE_LIBS) 
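Review bot: The pkg-config requirement moves from `gtk+-2.0` to `gtk+-3.0 >= 3.24.24`, but the GTK sources in this commit still use GTK 2 API: `GtkObject` in callbacks.h and `GtkTooltips` and `GTK_COMBO` in interface.c no longer exist in GTK 3, while `gtk_table_attach`, `gtk_widget_ref` and the `GTK_STOCK_*` items used in callbacks.c are deprecated or removed there. Unless the widgets are ported elsewhere in this commit, the build will fail against GTK 3 regardless of the CFLAGS changes in configure. Either keep the GTK 2 requirement until the port lands or port the widget code in the same change, and record the target series next to the variable, e.g. `# sources still use GTK 2 API (GtkObject, GtkTooltips); bump only after porting`.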
diff --git a/hydra-gtk/src/Makefile.in b/hydra-gtk/src/Makefile.in index a37ab9e..1ed2b96 100644 --- a/hydra-gtk/src/Makefile.in +++ b/hydra-gtk/src/Makefile.in @@ -61,8 +61,8 @@ CC = @CC@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ PACKAGE = @PACKAGE@ -PACKAGE_CFLAGS = @PACKAGE_CFLAGS@ -PACKAGE_LIBS = @PACKAGE_LIBS@ +PACKAGE_CFLAGS = @PACKAGE_CFLAGS@ -fcommon -Wl,--allow-multiple-definition +PACKAGE_LIBS = -fcommon -Wl,--allow-multiple-definition @PACKAGE_LIBS@ PKG_CONFIG = @PKG_CONFIG@ VERSION = @VERSION@ diff --git a/hydra-gtk/src/callbacks.c b/hydra-gtk/src/callbacks.c index 62c441c..74c3d5e 100644 --- a/hydra-gtk/src/callbacks.c +++ b/hydra-gtk/src/callbacks.c @@ -1,7 +1,7 @@ /* * This file handles all that needs to be done... - * Some stuff is stolen from gcombust since I never used pipes... ok, i + * Some stuff is stolen from gcombust since I never used pipes... ok, i * only used them in reallife :) */ @@ -15,38 +15,35 @@ #include "interface.h" #include "support.h" -#include -#include +#include #include #include -#include +#include +#include #include #include #include -#include -#include #include +#include int hydra_pid = 0; char port[10]; char tasks[10]; char timeout[10]; -char smbparm[12]; +char smbparm[128]; char sapr3id[4]; char passLoginNull[4]; - #define BUF_S 1024 -void hydra_select_file(GtkEntry * widget, char *text) { +void hydra_select_file(GtkEntry *widget, char *text) { #ifdef GTK_TYPE_FILE_CHOOSER GtkWidget *dialog; char *filename; - dialog = gtk_file_chooser_dialog_new(text, (GtkWindow *) wndMain, GTK_FILE_CHOOSER_ACTION_OPEN, - GTK_STOCK_OPEN, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL); + dialog = gtk_file_chooser_dialog_new(text, (GtkWindow *)wndMain, GTK_FILE_CHOOSER_ACTION_OPEN, GTK_STOCK_OPEN, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL); if (gtk_dialog_run(GTK_DIALOG(dialog)) == GTK_RESPONSE_ACCEPT) { filename = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(dialog)); 
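Review bot: The widening of `smbparm` from 12 to 128 bytes carries no explanation, and nothing near the declaration says why the size matters; the smb2 branch added later in this file formats `nthash:<bool> workgroup:{<entry text>}` into it, and the smb branch's `strcat(smbparm, "Hash")` also relies on spare room. Suggest `char smbparm[128]; /* -m option string for smb/smb2; must hold "nthash:... workgroup:{...}" plus the user-entered workgroup */` so the next person does not shrink it again. hydra_select_file continues past the end of this hunk.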
@@ -70,7 +67,7 @@ int hydra_get_options(char *options[]) { /* get the port */ widget = lookup_widget(GTK_WIDGET(wndMain), "spnPort"); - j = gtk_spin_button_get_value_as_int((GtkSpinButton *) widget); + j = gtk_spin_button_get_value_as_int((GtkSpinButton *)widget); if (j != 0) { snprintf(port, 10, "%d", j); options[i++] = "-s"; 
@@ -79,107 +76,107 @@ int hydra_get_options(char *options[]) { /* prefer ipv6 */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkIPV6"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-6"; } /* use SSL? */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkSSL"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-S"; } /* use old SSL? */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkOldSSL"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-O"; } /* be verbose? */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkVerbose"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-v"; } /* show attempts */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkAttempts"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-V"; } /* debug mode? */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkDebug"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-d"; } /* COMPLETE HELP */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkCompleteHelp"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-h"; } /* Service Module Usage Details */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkServiceDetails"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-U"; } /* use colon separated list? 
*/ widget = lookup_widget(GTK_WIDGET(wndMain), "chkColon"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-C"; widget = lookup_widget(GTK_WIDGET(wndMain), "entColonFile"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else { /* disable usernames */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkDisUser"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { } else { /* get the username, or username list */ widget = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-l"; widget = lookup_widget(GTK_WIDGET(wndMain), "entUsername"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else { options[i++] = "-L"; widget = lookup_widget(GTK_WIDGET(wndMain), "entUsernameFile"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } } /* get the pass, pass list, or generate */ /* The "generate" button was implemented by Petar Kaleychev */ widget = lookup_widget(GTK_WIDGET(wndMain), "radioPass1"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-p"; widget = lookup_widget(GTK_WIDGET(wndMain), "entPass"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } widget = lookup_widget(GTK_WIDGET(wndMain), "radioPass2"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton 
*)widget)) { options[i++] = "-P"; widget = lookup_widget(GTK_WIDGET(wndMain), "entPassFile"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } widget = lookup_widget(GTK_WIDGET(wndMain), "radioGenerate"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-x"; widget = lookup_widget(GTK_WIDGET(wndMain), "entGeneration"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } } /* empty passes / login as pass / reversed login? */ memset(passLoginNull, 0, 4); widget = lookup_widget(GTK_WIDGET(wndMain), "chkPassNull"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { passLoginNull[0] = 'n'; } widget = lookup_widget(GTK_WIDGET(wndMain), "chkPassLogin"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { if (passLoginNull[0] == 0) { passLoginNull[0] = 's'; } else { @@ -188,7 +185,7 @@ int hydra_get_options(char *options[]) { } /* The "Try reversed login" button was implemented by Petar Kaleychev */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkPassReverse"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { if (passLoginNull[0] == 0) { passLoginNull[0] = 'r'; } else if (passLoginNull[1] == 0) { @@ -204,7 +201,7 @@ int hydra_get_options(char *options[]) { /* #of tasks */ widget = lookup_widget(GTK_WIDGET(wndMain), "spnTasks"); - j = gtk_spin_button_get_value_as_int((GtkSpinButton *) widget); + j = gtk_spin_button_get_value_as_int((GtkSpinButton *)widget); if (j != 40) { snprintf(tasks, 10, "%d", j); options[i++] = "-t"; 
@@ -213,7 +210,7 @@ int hydra_get_options(char *options[]) { /* timeout */ widget = lookup_widget(GTK_WIDGET(wndMain), "spnTimeout"); - j = gtk_spin_button_get_value_as_int((GtkSpinButton *) widget); + j = gtk_spin_button_get_value_as_int((GtkSpinButton *)widget); if (j != 30) { snprintf(timeout, 10, "%d", j); options[i++] = "-w"; 
@@ -222,59 +219,59 @@ int hydra_get_options(char *options[]) { /* loop around users? */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkUsernameLoop"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-u"; } /* exit after first found pair? */ /* per host */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkExitf"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-f"; } /* global */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkExitF"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-F"; } /* Do not print messages about connection errors */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkNoErr"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { options[i++] = "-q"; } /* get additional parameters */ widget = lookup_widget(GTK_WIDGET(wndMain), "entProtocol"); - tmp = (char *) gtk_entry_get_text((GtkEntry *) widget); + tmp = (char *)gtk_entry_get_text((GtkEntry *)widget); if (!strncmp(tmp, "http-proxy", 10)) { widget = lookup_widget(GTK_WIDGET(wndMain), "entHTTPProxyURL"); options[i++] = "-m"; - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strncmp(tmp, "http-", 5) || !strncmp(tmp, "https-", 6)) { options[i++] = "-m"; widget = lookup_widget(GTK_WIDGET(wndMain), "entHTTPURL"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strcmp(tmp, "cisco-enable")) { options[i++] = "-m"; widget = lookup_widget(GTK_WIDGET(wndMain), "entCiscoPass"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + 
options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strcmp(tmp, "ldap3-crammd5")) { options[i++] = "-m"; widget = lookup_widget(GTK_WIDGET(wndMain), "entLDAPDN"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strcmp(tmp, "ldap3-digestmd5")) { options[i++] = "-m"; widget = lookup_widget(GTK_WIDGET(wndMain), "entLDAPDN"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strcmp(tmp, "smb")) { - memset(smbparm, 0, 12); + memset(smbparm, 0, sizeof(smbparm)); widget = lookup_widget(GTK_WIDGET(wndMain), "chkDomain"); widget2 = lookup_widget(GTK_WIDGET(wndMain), "chkLocal"); @@ -282,12 +279,12 @@ int hydra_get_options(char *options[]) { strncpy(smbparm, "Both", sizeof(smbparm)); smbparm[strlen("Both")] = '\0'; - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { strncpy(smbparm, "Domain", sizeof(smbparm)); smbparm[strlen("Domain")] = '\0'; } - if (gtk_toggle_button_get_active((GtkToggleButton *) widget2)) { - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget2)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { strncpy(smbparm, "Both", sizeof(smbparm)); smbparm[strlen("Both")] = '\0'; } else { 
@@ -296,14 +293,25 @@ int hydra_get_options(char *options[]) { } } widget = lookup_widget(GTK_WIDGET(wndMain), "chkNTLM"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { strcat(smbparm, "Hash"); } options[i++] = smbparm; + } else if (!strcmp(tmp, "smb2")) { + memset(smbparm, 0, sizeof(smbparm)); + options[i++] = "-m"; + options[i++] = smbparm; + + widget = lookup_widget(GTK_WIDGET(wndMain), "chkNTLM"); + int pth = gtk_toggle_button_get_active((GtkToggleButton *)widget); + + widget = lookup_widget(GTK_WIDGET(wndMain), "entSMB2Workgroup"); + + snprintf(smbparm, sizeof(smbparm) - 1, "nthash:%s workgroup:{%s}", pth ? "true" : "false", (char *)gtk_entry_get_text((GtkEntry *)widget)); } else if (!strcmp(tmp, "sapr3")) { widget = lookup_widget(GTK_WIDGET(wndMain), "spnSAPR3"); - j = gtk_spin_button_get_value_as_int((GtkSpinButton *) widget); + j = gtk_spin_button_get_value_as_int((GtkSpinButton *)widget); snprintf(sapr3id, sizeof(sapr3id), "%d", j); options[i++] = "-m"; options[i++] = sapr3id; 
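Review bot: The new smb2 branch formats the user-entered workgroup into `smbparm` with `snprintf(smbparm, sizeof(smbparm) - 1, ...)` and never checks the return value, so a workgroup longer than the remaining space is silently cut off, the closing `}` of `workgroup:{...}` is lost, and the module receives a malformed option string. snprintf already NUL-terminates within the size it is given, so the `- 1` buys nothing; pass the full size and detect truncation: `if (snprintf(smbparm, sizeof(smbparm), "nthash:%s workgroup:{%s}", pth ? "true" : "false", gtk_entry_get_text((GtkEntry *)widget)) >= (int)sizeof(smbparm)) g_warning("smb2 workgroup too long, option truncated");`. The preceding `memset` becomes redundant once snprintf fills the buffer. hydra_get_options starts and ends outside this hunk.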
@@ -311,18 +319,18 @@ int hydra_get_options(char *options[]) { } else if (!strcmp(tmp, "cvs") || !strcmp(tmp, "svn")) { widget = lookup_widget(GTK_WIDGET(wndMain), "entCVS"); options[i++] = "-m"; - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strcmp(tmp, "snmp")) { widget = lookup_widget(GTK_WIDGET(wndMain), "entSNMP"); options[i++] = "-m"; - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else if (!strcmp(tmp, "telnet")) { widget = lookup_widget(GTK_WIDGET(wndMain), "entTelnet"); - if ((char *) gtk_entry_get_text((GtkEntry *) widget) != NULL) { + if ((char *)gtk_entry_get_text((GtkEntry *)widget) != NULL) { options[i++] = "-m"; - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } } 
@@ -334,45 +342,44 @@ int hydra_get_options(char *options[]) { /* proxy support */ widget = lookup_widget(GTK_WIDGET(wndMain), "radioProxy"); - if (!gtk_toggle_button_get_active((GtkToggleButton *) widget)) { - + if (!gtk_toggle_button_get_active((GtkToggleButton *)widget)) { widget2 = lookup_widget(GTK_WIDGET(wndMain), "entHTTPProxy"); widget = lookup_widget(GTK_WIDGET(wndMain), "radioProxy2"); /* which variable do we set? */ - if ((!strncmp(tmp, "http-", 5)) && (gtk_toggle_button_get_active((GtkToggleButton *) widget))) { - setenv("HYDRA_PROXY_HTTP", gtk_entry_get_text((GtkEntry *) widget2), 1); + if ((!strncmp(tmp, "http-", 5)) && (gtk_toggle_button_get_active((GtkToggleButton *)widget))) { + setenv("HYDRA_PROXY_HTTP", gtk_entry_get_text((GtkEntry *)widget2), 1); } else { - setenv("HYDRA_PROXY_CONNECT", (char *) gtk_entry_get_text((GtkEntry *) widget2), 1); + setenv("HYDRA_PROXY_CONNECT", (char *)gtk_entry_get_text((GtkEntry *)widget2), 1); } /* do we need to provide user and pass? */ widget = lookup_widget(GTK_WIDGET(wndMain), "chkProxyAuth"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { widget = lookup_widget(GTK_WIDGET(wndMain), "entProxyUser"); widget2 = lookup_widget(GTK_WIDGET(wndMain), "entProxyPass"); - a = g_string_new((gchar *) gtk_entry_get_text((GtkEntry *) widget)); + a = g_string_new((gchar *)gtk_entry_get_text((GtkEntry *)widget)); a = g_string_append_c(a, ':'); - a = g_string_append(a, gtk_entry_get_text((GtkEntry *) widget2)); + a = g_string_append(a, gtk_entry_get_text((GtkEntry *)widget2)); setenv("HYDRA_PROXY_AUTH", a->str, 1); - (void) g_string_free(a, TRUE); + (void)g_string_free(a, TRUE); } } /* get the target, or target list */ widget = lookup_widget(GTK_WIDGET(wndMain), "radioTarget1"); - if (gtk_toggle_button_get_active((GtkToggleButton *) widget)) { + if (gtk_toggle_button_get_active((GtkToggleButton *)widget)) { widget = 
lookup_widget(GTK_WIDGET(wndMain), "entTarget"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } else { options[i++] = "-M"; widget = lookup_widget(GTK_WIDGET(wndMain), "entTargetFile"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); } /* get the service */ widget = lookup_widget(GTK_WIDGET(wndMain), "entProtocol"); - options[i++] = (char *) gtk_entry_get_text((GtkEntry *) widget); + options[i++] = (char *)gtk_entry_get_text((GtkEntry *)widget); options[i] = NULL; return i; @@ -389,12 +396,11 @@ int update_statusbar() { i = hydra_get_options(options); for (j = 1; j < i; j++) { - statustext = g_string_append(statustext, options[j]); statustext = g_string_append_c(statustext, ' '); } - statusbar = (GtkStatusbar *) lookup_widget(GTK_WIDGET(wndMain), "statusbar"); + statusbar = (GtkStatusbar *)lookup_widget(GTK_WIDGET(wndMain), "statusbar"); context_id = gtk_statusbar_get_context_id(statusbar, "status"); /* an old message in stack? */ @@ -402,9 +408,9 @@ int update_statusbar() { gtk_statusbar_remove(statusbar, context_id, message_id); } - message_id = gtk_statusbar_push(statusbar, context_id, (gchar *) statustext->str); + message_id = gtk_statusbar_push(statusbar, context_id, (gchar *)statustext->str); - (void) g_string_free(statustext, TRUE); + (void)g_string_free(statustext, TRUE); return TRUE; } @@ -428,11 +434,10 @@ int read_into(int fd) { } output = lookup_widget(GTK_WIDGET(wndMain), "txtOutput"); - outputbuf = gtk_text_view_get_buffer((GtkTextView *) output); + outputbuf = gtk_text_view_get_buffer((GtkTextView *)output); gtk_text_buffer_get_iter_at_offset(outputbuf, &outputiter, -1); - if ((passline = strstr(in_buf, "password: ")) == NULL) { gtk_text_buffer_insert(outputbuf, &outputiter, in_buf, result); } else { 
@@ -450,15 +455,13 @@ int read_into(int fd) { if (end - in_buf - result > 0) { gtk_text_buffer_insert(outputbuf, &outputiter, end + 1, -1); } - } - if (strstr(in_buf, " finished at ") != NULL) { gtk_text_buffer_insert_with_tags_by_name(outputbuf, &outputiter, "\n\n", -1, "bold", NULL); } - if (result == BUF_S - 1) /* there might be more available, recurse baby! */ + if (result == BUF_S - 1) /* there might be more available, recurse baby! */ return read_into(fd); else return TRUE; @@ -515,7 +518,6 @@ static int wait_hydra_output(gpointer data) { return TRUE; } - /* assumes a successfull pipe() won't set the fd's to -1 */ static void close_pipe(int *pipe) { if (-1 != pipe[0]) { @@ -535,8 +537,7 @@ static void close_pipe(int *pipe) { */ int *popen_re_unbuffered(char *command) { - static int p_r[2] = { -1, -1 }, p_e[2] = { - -1, -1}; + static int p_r[2] = {-1, -1}, p_e[2] = {-1, -1}; static int *pfd = NULL; char *options[128]; @@ -561,7 +562,7 @@ int *popen_re_unbuffered(char *command) { if ((hydra_pid = fork()) < 0) { g_warning("popen_rw_unbuffered: Error forking!"); return NULL; - } else if (hydra_pid == 0) { /* child */ + } else if (hydra_pid == 0) { /* child */ int k; if (setpgid(getpid(), getpid()) < 0) @@ -582,7 +583,7 @@ int *popen_re_unbuffered(char *command) { if (close(p_e[1]) < 0) g_warning("popen_rw_unbuffered: close(p_e[1]) failed"); - (void) hydra_get_options(options); + (void)hydra_get_options(options); execv(HYDRA_BIN, options); @@ -592,7 +593,7 @@ int *popen_re_unbuffered(char *command) { g_warning("%s", options[k]); } gtk_main_quit(); - } else { /* parent */ + } else { /* parent */ if (close(p_r[1]) < 0) g_warning("popen_rw_unbuffered: close(p_r[1]) (parent) failed"); if (close(p_e[1]) < 0) 
@@ -605,32 +606,25 @@ int *popen_re_unbuffered(char *command) { return pfd; } -void on_quit1_activate(GtkMenuItem * menuitem, gpointer user_data) { - gtk_main_quit(); -} +void on_quit1_activate(GtkMenuItem *menuitem, gpointer user_data) { gtk_main_quit(); } +void on_about1_activate(GtkMenuItem *menuitem, gpointer user_data) {} -void on_about1_activate(GtkMenuItem * menuitem, gpointer user_data) { - -} - -void on_btnStart_clicked(GtkButton * button, gpointer user_data) { +void on_btnStart_clicked(GtkButton *button, gpointer user_data) { int *fd = NULL; fd = popen_re_unbuffered(NULL); g_timeout_add(200, wait_hydra_output, fd); - } -void on_btnStop_clicked(GtkButton * button, gpointer user_data) { +void on_btnStop_clicked(GtkButton *button, gpointer user_data) { if (hydra_pid != 0) { kill(hydra_pid, SIGTERM); hydra_pid = 0; } } - -void on_wndMain_destroy(GtkObject * object, gpointer user_data) { +void on_wndMain_destroy(GtkObject *object, gpointer user_data) { if (hydra_pid != 0) { kill(hydra_pid, SIGTERM); hydra_pid = 0; 
@@ -638,35 +632,31 @@ void on_wndMain_destroy(GtkObject * object, gpointer user_data) { gtk_main_quit(); } - - -gboolean on_entTargetFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data) { - hydra_select_file((GtkEntry *) widget, "Select target list"); +gboolean on_entTargetFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) { + hydra_select_file((GtkEntry *)widget, "Select target list"); gtk_widget_grab_focus(widget); return TRUE; } - -gboolean on_entUsernameFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data) { - hydra_select_file((GtkEntry *) widget, "Select username list"); +gboolean on_entUsernameFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) { + hydra_select_file((GtkEntry *)widget, "Select username list"); gtk_widget_grab_focus(widget); return TRUE; } - -gboolean on_entPassFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data) { - hydra_select_file((GtkEntry *) widget, "Select password list"); +gboolean on_entPassFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) { + hydra_select_file((GtkEntry *)widget, "Select password list"); gtk_widget_grab_focus(widget); return TRUE; } -gboolean on_entColonFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data) { - hydra_select_file((GtkEntry *) widget, "Select colon separated user,password list"); +gboolean on_entColonFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data) { + hydra_select_file((GtkEntry *)widget, "Select colon separated user,password list"); gtk_widget_grab_focus(widget); return TRUE; } -void on_btnSave_clicked(GtkButton * button, gpointer user_data) { +void on_btnSave_clicked(GtkButton *button, gpointer user_data) { #ifdef GTK_TYPE_FILE_CHOOSER GtkWidget *dialog; char *filename; 
@@ -677,20 +667,19 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) { GtkTextIter start; GtkTextIter end; - dialog = gtk_file_chooser_dialog_new("Save output", (GtkWindow *) wndMain, GTK_FILE_CHOOSER_ACTION_SAVE, - GTK_STOCK_SAVE, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL); + dialog = gtk_file_chooser_dialog_new("Save output", (GtkWindow *)wndMain, GTK_FILE_CHOOSER_ACTION_SAVE, GTK_STOCK_SAVE, GTK_RESPONSE_ACCEPT, GTK_STOCK_CANCEL, GTK_RESPONSE_CANCEL, NULL); if (gtk_dialog_run(GTK_DIALOG(dialog)) == GTK_RESPONSE_ACCEPT) { filename = gtk_file_chooser_get_filename(GTK_FILE_CHOOSER(dialog)); output = lookup_widget(GTK_WIDGET(wndMain), "txtOutput"); - outputbuf = gtk_text_view_get_buffer((GtkTextView *) output); + outputbuf = gtk_text_view_get_buffer((GtkTextView *)output); gtk_text_buffer_get_start_iter(outputbuf, &start); gtk_text_buffer_get_end_iter(outputbuf, &end); text = gtk_text_buffer_get_text(outputbuf, &start, &end, TRUE); fd = open(filename, O_CREAT | O_TRUNC | O_WRONLY, 0644); - if (fd > 0) { + if (fd >= 0) { write(fd, text, strlen(text)); close(fd); } @@ -701,10 +690,11 @@ void on_btnSave_clicked(GtkButton * button, gpointer user_data) { #endif } -void on_chkColon_toggled(GtkToggleButton * togglebutton, gpointer user_data) { +void on_chkColon_toggled(GtkToggleButton *togglebutton, gpointer user_data) { GtkWidget *user, *pass; - user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername");; + user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername"); + ; pass = lookup_widget(GTK_WIDGET(wndMain), "frmPass"); if (gtk_toggle_button_get_active(togglebutton)) { 
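Review bot: The corrected `fd >= 0` check is right, but the file is still created with mode 0644 while its contents are the text buffer that read_into fills from hydra's stdout, including the `password:` lines, so saved results are world-readable by default; 0600 is the appropriate mode for a file holding recovered credentials. The `write()` return value is also ignored, so a short write or a full disk silently produces a truncated file, and `text` (from gtk_text_buffer_get_text) and `filename` (from gtk_file_chooser_get_filename) are not released anywhere visible in the hunk — if they are not freed in the lines between this hunk and the next, both leak on every save. on_btnSave_clicked starts and ends outside the hunk.
```c
    fd = open(filename, O_CREAT | O_TRUNC | O_WRONLY, 0600); /* saved output contains recovered credentials */
    if (fd >= 0) {
      size_t len = strlen(text);
      if (write(fd, text, len) != (ssize_t)len)
        g_warning("on_btnSave_clicked: short write to %s", filename);
      close(fd);
    }
```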
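Review bot: The formatter turned the double semicolon after the `frmUsername` lookup into a stand-alone `;` line, which is now an empty statement that reads like an unfinished edit; the intended change is to delete it so the statement is just `user = lookup_widget(GTK_WIDGET(wndMain), "frmUsername");`. on_chkDisUser_toggled in the next hunk has the identical stray `;` after its `radioUsername1` lookup and should get the same cleanup. on_chkColon_toggled's body continues past the end of the hunk.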
@@ -716,10 +706,11 @@ void on_chkColon_toggled(GtkToggleButton * togglebutton, gpointer user_data) { } } -void on_chkDisUser_toggled(GtkToggleButton * togglebutton, gpointer user_data) { +void on_chkDisUser_toggled(GtkToggleButton *togglebutton, gpointer user_data) { GtkWidget *radioUsername1, *radioUsername2, *entUsername, *entUsernameFile; - radioUsername1 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1");; + radioUsername1 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername1"); + ; radioUsername2 = lookup_widget(GTK_WIDGET(wndMain), "radioUsername2"); entUsername = lookup_widget(GTK_WIDGET(wndMain), "entUsername"); entUsernameFile = lookup_widget(GTK_WIDGET(wndMain), "entUsernameFile"); @@ -737,11 +728,11 @@ void on_chkDisUser_toggled(GtkToggleButton * togglebutton, gpointer user_data) { } } -void on_btnClear_clicked(GtkButton * button, gpointer user_data) { +void on_btnClear_clicked(GtkButton *button, gpointer user_data) { GtkWidget *output; GtkTextBuffer *outputbuf; output = lookup_widget(GTK_WIDGET(wndMain), "txtOutput"); - outputbuf = gtk_text_view_get_buffer((GtkTextView *) output); + outputbuf = gtk_text_view_get_buffer((GtkTextView *)output); gtk_text_buffer_set_text(outputbuf, "", -1); } diff --git a/hydra-gtk/src/callbacks.h b/hydra-gtk/src/callbacks.h index dd213fa..3b92c42 100644 --- a/hydra-gtk/src/callbacks.h +++ b/hydra-gtk/src/callbacks.h 
@@ -2,28 +2,28 @@ int update_statusbar(); -void on_quit1_activate(GtkMenuItem * menuitem, gpointer user_data); +void on_quit1_activate(GtkMenuItem *menuitem, gpointer user_data); -void on_about1_activate(GtkMenuItem * menuitem, gpointer user_data); +void on_about1_activate(GtkMenuItem *menuitem, gpointer user_data); -void on_btnStart_clicked(GtkButton * button, gpointer user_data); +void on_btnStart_clicked(GtkButton *button, gpointer user_data); -void on_wndMain_destroy(GtkObject * object, gpointer user_data); +void on_wndMain_destroy(GtkObject *object, gpointer user_data); -void on_btnStop_clicked(GtkButton * button, gpointer user_data); +void on_btnStop_clicked(GtkButton *button, gpointer user_data); -gboolean on_entTargetFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data); +gboolean on_entTargetFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data); -gboolean on_entUsernameFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data); +gboolean on_entUsernameFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data); -gboolean on_entPassFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data); +gboolean on_entPassFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data); -void on_btnSave_clicked(GtkButton * button, gpointer user_data); +void on_btnSave_clicked(GtkButton *button, gpointer user_data); -gboolean on_entColonFile_button_press_event(GtkWidget * widget, GdkEventButton * event, gpointer user_data); +gboolean on_entColonFile_button_press_event(GtkWidget *widget, GdkEventButton *event, gpointer user_data); -void on_chkColon_toggled(GtkToggleButton * togglebutton, gpointer user_data); +void on_chkColon_toggled(GtkToggleButton *togglebutton, gpointer user_data); -void on_btnClear_clicked(GtkButton * button, gpointer user_data); +void on_btnClear_clicked(GtkButton *button, gpointer 
user_data); -void on_chkDisUser_toggled(GtkToggleButton * togglebutton, gpointer user_data); +void on_chkDisUser_toggled(GtkToggleButton *togglebutton, gpointer user_data); diff --git a/hydra-gtk/src/interface.c b/hydra-gtk/src/interface.c index f501d0b..e6262e1 100644 --- a/hydra-gtk/src/interface.c +++ b/hydra-gtk/src/interface.c @@ -7,13 +7,13 @@ #include #endif -#include #include +#include #ifdef HAVE_UNISTD_H #include #endif -#include #include +#include #include #include @@ -22,12 +22,9 @@ #include "interface.h" #include "support.h" -#define GLADE_HOOKUP_OBJECT(component,widget,name) \ - g_object_set_data_full (G_OBJECT (component), name, \ - gtk_widget_ref (widget), (GDestroyNotify) gtk_widget_unref) +#define GLADE_HOOKUP_OBJECT(component, widget, name) g_object_set_data_full(G_OBJECT(component), name, gtk_widget_ref(widget), (GDestroyNotify)gtk_widget_unref) -#define GLADE_HOOKUP_OBJECT_NO_REF(component,widget,name) \ - g_object_set_data (G_OBJECT (component), name, widget) +#define GLADE_HOOKUP_OBJECT_NO_REF(component, widget, name) g_object_set_data(G_OBJECT(component), name, widget) GtkWidget *create_wndMain(void) { GtkWidget *wndMain; @@ -171,6 +168,9 @@ GtkWidget *create_wndMain(void) { GtkWidget *btnClear; GtkWidget *label4; GtkWidget *statusbar; + GtkWidget *lblSMB2; + GtkWidget *entSMB2Workgroup; + GtkWidget *fraSMB2; GtkAccelGroup *accel_group; GtkTooltips *tooltips; 
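Review bot: The three new widget variables `lblSMB2`, `entSMB2Workgroup` and `fraSMB2` are declared here, but no hunk in this commit shows them being created or registered with GLADE_HOOKUP_OBJECT; hydra_get_options in callbacks.c calls `lookup_widget(GTK_WIDGET(wndMain), "entSMB2Workgroup")`, so if the registration under exactly that name is missing the smb2 branch most likely dereferences a NULL widget. If the construction lands further down in create_wndMain, a one-line comment at the declaration, `/* smb2 options frame; entSMB2Workgroup is looked up by name from callbacks.c */`, would tie the two files together. create_wndMain extends well beyond this hunk.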
@@ -221,7 +221,7 @@ GtkWidget *create_wndMain(void) {
 g_object_set_data(G_OBJECT(GTK_COMBO(cmbProtocol)->popwin), "GladeParentKey", cmbProtocol);
 gtk_widget_set_name(cmbProtocol, "cmbProtocol");
 gtk_widget_show(cmbProtocol);
- gtk_table_attach(GTK_TABLE(table8), cmbProtocol, 1, 2, 4, 5, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0);
+ gtk_table_attach(GTK_TABLE(table8), cmbProtocol, 1, 2, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0);
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "adam6500");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "afp");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "asterisk");
@@ -248,6 +248,8 @@ GtkWidget *create_wndMain(void) {
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ldap3");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ldap3-crammd5");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ldap3-digestmd5");
+ cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "memcached");
+ cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "mongodb");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "mssql");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "mysql");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "ncp");
@@ -271,6 +273,7 @@ GtkWidget *create_wndMain(void) {
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "sapr3");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "sip");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "smb");
+ cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "smb2");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "smtp");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "snmp");
 cmbProtocol_items = g_list_append(cmbProtocol_items, (gpointer) "socks5");
@@ -293,53 +296,52 @@ GtkWidget *create_wndMain(void) { label7 = gtk_label_new("Protocol"); gtk_widget_set_name(label7, "label7"); gtk_widget_show(label7); - gtk_table_attach(GTK_TABLE(table8), label7, 0, 1, 4, 5, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), label7, 0, 1, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label7), 0, 0.5); spnPort_adj = gtk_adjustment_new(0, 0, 65535, 1, 10, 0); spnPort = gtk_spin_button_new(GTK_ADJUSTMENT(spnPort_adj), 1, 0); gtk_widget_set_name(spnPort, "spnPort"); gtk_widget_show(spnPort); - gtk_table_attach(GTK_TABLE(table8), spnPort, 1, 2, 3, 4, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), spnPort, 1, 2, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, spnPort, "select the port on which the daemon you want to brute force runs, 0 means default", NULL); label6 = gtk_label_new("Port"); gtk_widget_set_name(label6, "label6"); gtk_widget_show(label6); - gtk_table_attach(GTK_TABLE(table8), label6, 0, 1, 3, 4, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), label6, 0, 1, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label6), 0, 0.5); - chkIPV6 = gtk_check_button_new_with_mnemonic("Prefer IPV6"); gtk_widget_set_name(chkIPV6, "chkIPV6"); gtk_widget_show(chkIPV6); - gtk_table_attach(GTK_TABLE(table8), chkIPV6, 0, 2, 2, 3, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), chkIPV6, 0, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkIPV6, "Enable 
to use IPV6", NULL); radioTarget2 = gtk_radio_button_new_with_mnemonic(NULL, "Target List"); gtk_widget_set_name(radioTarget2, "radioTarget2"); gtk_widget_show(radioTarget2); - gtk_table_attach(GTK_TABLE(table8), radioTarget2, 0, 1, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), radioTarget2, 0, 1, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioTarget2), radioTarget2_group); radioTarget2_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioTarget2)); entTargetFile = gtk_entry_new(); gtk_widget_set_name(entTargetFile, "entTargetFile"); gtk_widget_show(entTargetFile); - gtk_table_attach(GTK_TABLE(table8), entTargetFile, 1, 2, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), entTargetFile, 1, 2, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, entTargetFile, "A file which contains the targets to attack. One entry per line. 
IP\naddresses and/or DNS names.", NULL); entTarget = gtk_entry_new(); gtk_widget_set_name(entTarget, "entTarget"); gtk_widget_show(entTarget); - gtk_table_attach(GTK_TABLE(table8), entTarget, 1, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), entTarget, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, entTarget, "The target to attack - DNS name or IP address", NULL); gtk_entry_set_text(GTK_ENTRY(entTarget), "127.0.0.1"); radioTarget1 = gtk_radio_button_new_with_mnemonic(NULL, "Single Target"); gtk_widget_set_name(radioTarget1, "radioTarget1"); gtk_widget_show(radioTarget1); - gtk_table_attach(GTK_TABLE(table8), radioTarget1, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table8), radioTarget1, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioTarget1), radioTarget2_group); radioTarget2_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioTarget1)); gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(radioTarget1), TRUE); 
@@ -362,50 +364,44 @@ GtkWidget *create_wndMain(void) { chkVerbose = gtk_check_button_new_with_mnemonic("Be Verbose"); gtk_widget_set_name(chkVerbose, "chkVerbose"); gtk_widget_show(chkVerbose); - gtk_table_attach(GTK_TABLE(table9), chkVerbose, 2, 3, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table9), chkVerbose, 2, 3, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkVerbose, "be verbose", NULL); chkDebug = gtk_check_button_new_with_mnemonic("Debug"); gtk_widget_set_name(chkDebug, "chkDebug"); gtk_widget_show(chkDebug); - gtk_table_attach(GTK_TABLE(table9), chkDebug, 2, 3, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table9), chkDebug, 2, 3, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkDebug, "Enable debug mode", NULL); chkAttempts = gtk_check_button_new_with_mnemonic("Show Attempts"); gtk_widget_set_name(chkAttempts, "chkAttempts"); gtk_widget_show(chkAttempts); - gtk_table_attach(GTK_TABLE(table9), chkAttempts, 0, 2, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table9), chkAttempts, 0, 2, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkAttempts, "Show attempts", NULL); chkSSL = gtk_check_button_new_with_mnemonic("Use SSL"); gtk_widget_set_name(chkSSL, "chkSSL"); gtk_widget_show(chkSSL); - gtk_table_attach(GTK_TABLE(table9), chkSSL, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table9), chkSSL, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkSSL, 
"Enable to use SSL (the target must have SSL enabled!)", NULL); - chkServiceDetails = gtk_check_button_new_with_mnemonic ("Service Module Usage Details"); - gtk_widget_set_name (chkServiceDetails, "chkServiceDetails"); - gtk_widget_show (chkServiceDetails); - gtk_table_attach (GTK_TABLE (table9), chkServiceDetails, 2, 3, 2, 3, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), - (GtkAttachOptions) (GTK_EXPAND), 0, 0); - gtk_tooltips_set_tip (tooltips, chkServiceDetails, "Service Module Usage Details", NULL); + chkServiceDetails = gtk_check_button_new_with_mnemonic("Service Module Usage Details"); + gtk_widget_set_name(chkServiceDetails, "chkServiceDetails"); + gtk_widget_show(chkServiceDetails); + gtk_table_attach(GTK_TABLE(table9), chkServiceDetails, 2, 3, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); + gtk_tooltips_set_tip(tooltips, chkServiceDetails, "Service Module Usage Details", NULL); - chkCompleteHelp = gtk_check_button_new_with_mnemonic ("COMPLETE HELP"); - gtk_widget_set_name (chkCompleteHelp, "chkCompleteHelp"); - gtk_widget_show (chkCompleteHelp); - gtk_table_attach (GTK_TABLE (table9), chkCompleteHelp, 0, 2, 2, 3, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), - (GtkAttachOptions) (GTK_EXPAND), 0, 0); - gtk_tooltips_set_tip (tooltips, chkCompleteHelp, "Complete Help", NULL); + chkCompleteHelp = gtk_check_button_new_with_mnemonic("COMPLETE HELP"); + gtk_widget_set_name(chkCompleteHelp, "chkCompleteHelp"); + gtk_widget_show(chkCompleteHelp); + gtk_table_attach(GTK_TABLE(table9), chkCompleteHelp, 0, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); + gtk_tooltips_set_tip(tooltips, chkCompleteHelp, "Complete Help", NULL); - chkOldSSL = gtk_check_button_new_with_mnemonic ("Use old SSL"); - gtk_widget_set_name (chkOldSSL, "chkOldSSL"); - gtk_widget_show (chkOldSSL); - gtk_table_attach (GTK_TABLE (table9), chkOldSSL, 1, 2, 0, 1, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 
- (GtkAttachOptions) (GTK_EXPAND), 0, 0); - gtk_tooltips_set_tip (tooltips, chkOldSSL, "Enable to use old SSL (the target must have SSL enabled!)", NULL); + chkOldSSL = gtk_check_button_new_with_mnemonic("Use old SSL"); + gtk_widget_set_name(chkOldSSL, "chkOldSSL"); + gtk_widget_show(chkOldSSL); + gtk_table_attach(GTK_TABLE(table9), chkOldSSL, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); + gtk_tooltips_set_tip(tooltips, chkOldSSL, "Enable to use old SSL (the target must have SSL enabled!)", NULL); label29 = gtk_label_new("Output Options"); gtk_widget_set_name(label29, "label29"); 
@@ -435,20 +431,20 @@ GtkWidget *create_wndMain(void) { entUsernameFile = gtk_entry_new(); gtk_widget_set_name(entUsernameFile, "entUsernameFile"); gtk_widget_show(entUsernameFile); - gtk_table_attach(GTK_TABLE(table2), entUsernameFile, 1, 2, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table2), entUsernameFile, 1, 2, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_tooltips_set_tip(tooltips, entUsernameFile, "File with user logins, one entry per line", NULL); entUsername = gtk_entry_new(); gtk_widget_set_name(entUsername, "entUsername"); gtk_widget_show(entUsername); - gtk_table_attach(GTK_TABLE(table2), entUsername, 1, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table2), entUsername, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_tooltips_set_tip(tooltips, entUsername, "The login to use", NULL); gtk_entry_set_text(GTK_ENTRY(entUsername), "yourname"); radioUsername1 = gtk_radio_button_new_with_mnemonic(NULL, "Username"); gtk_widget_set_name(radioUsername1, "radioUsername1"); gtk_widget_show(radioUsername1); - gtk_table_attach(GTK_TABLE(table2), radioUsername1, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table2), radioUsername1, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioUsername1), radioUsername1_group); radioUsername1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioUsername1)); gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(radioUsername1), TRUE); 
@@ -456,20 +452,20 @@ GtkWidget *create_wndMain(void) { radioUsername2 = gtk_radio_button_new_with_mnemonic(NULL, "Username List"); gtk_widget_set_name(radioUsername2, "radioUsername2"); gtk_widget_show(radioUsername2); - gtk_table_attach(GTK_TABLE(table2), radioUsername2, 0, 1, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table2), radioUsername2, 0, 1, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioUsername2), radioUsername1_group); radioUsername1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioUsername2)); chkUsernameLoop = gtk_check_button_new_with_mnemonic("Loop around users"); gtk_widget_set_name(chkUsernameLoop, "chkUsernameLoop"); gtk_widget_show(chkUsernameLoop); - gtk_table_attach(GTK_TABLE(table2), chkUsernameLoop, 0, 1, 2, 3, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table2), chkUsernameLoop, 0, 1, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkUsernameLoop, "Enable this option to loop around users not passwords", NULL); chkDisUser = gtk_check_button_new_with_mnemonic("Protocol does not require usernames"); gtk_widget_set_name(chkDisUser, "chkDisUser"); gtk_widget_show(chkDisUser); - gtk_table_attach(GTK_TABLE (table2), chkDisUser, 1, 2, 2, 3, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table2), chkDisUser, 1, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkDisUser, "Protocols like Cisco, Cisco enable, redis, Oracle listener, SNMP, S7-300, VNC etc. are not using usernames", NULL); label8 = gtk_label_new("Username"); 
@@ -482,7 +478,7 @@ GtkWidget *create_wndMain(void) { gtk_widget_show(frmPass); gtk_box_pack_start(GTK_BOX(vbox2), frmPass, TRUE, TRUE, 0); - table3 = gtk_table_new (3, 2, FALSE); + table3 = gtk_table_new(3, 2, FALSE); gtk_widget_set_name(table3, "table3"); gtk_widget_show(table3); gtk_container_add(GTK_CONTAINER(frmPass), table3); 
@@ -490,20 +486,20 @@ GtkWidget *create_wndMain(void) { entPassFile = gtk_entry_new(); gtk_widget_set_name(entPassFile, "entPassFile"); gtk_widget_show(entPassFile); - gtk_table_attach(GTK_TABLE(table3), entPassFile, 1, 2, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table3), entPassFile, 1, 2, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_tooltips_set_tip(tooltips, entPassFile, "File with passwords to try, one entry per line", NULL); entPass = gtk_entry_new(); gtk_widget_set_name(entPass, "entPass"); gtk_widget_show(entPass); - gtk_table_attach(GTK_TABLE(table3), entPass, 1, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table3), entPass, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_tooltips_set_tip(tooltips, entPass, "The password to try", NULL); gtk_entry_set_text(GTK_ENTRY(entPass), "yourpass"); radioPass1 = gtk_radio_button_new_with_mnemonic(NULL, "Password"); gtk_widget_set_name(radioPass1, "radioPass1"); gtk_widget_show(radioPass1); - gtk_table_attach(GTK_TABLE(table3), radioPass1, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table3), radioPass1, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioPass1), radioPass1_group); radioPass1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioPass1)); gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(radioPass1), TRUE); 
@@ -511,26 +507,22 @@ GtkWidget *create_wndMain(void) { radioPass2 = gtk_radio_button_new_with_mnemonic(NULL, "Password List"); gtk_widget_set_name(radioPass2, "radioPass2"); gtk_widget_show(radioPass2); - gtk_table_attach(GTK_TABLE(table3), radioPass2, 0, 1, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_table_attach(GTK_TABLE(table3), radioPass2, 0, 1, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioPass2), radioPass1_group); radioPass1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioPass2)); - radioGenerate = gtk_radio_button_new_with_mnemonic (NULL, "Generate"); - gtk_widget_set_name (radioGenerate, "radioGenerate"); - gtk_widget_show (radioGenerate); - gtk_table_attach (GTK_TABLE (table3), radioGenerate, 0, 1, 2, 3, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); - gtk_radio_button_set_group (GTK_RADIO_BUTTON (radioGenerate), radioPass1_group); - radioPass1_group = gtk_radio_button_get_group (GTK_RADIO_BUTTON (radioGenerate)); + radioGenerate = gtk_radio_button_new_with_mnemonic(NULL, "Generate"); + gtk_widget_set_name(radioGenerate, "radioGenerate"); + gtk_widget_show(radioGenerate); + gtk_table_attach(GTK_TABLE(table3), radioGenerate, 0, 1, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_radio_button_set_group(GTK_RADIO_BUTTON(radioGenerate), radioPass1_group); + radioPass1_group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(radioGenerate)); - entGeneration = gtk_entry_new (); - gtk_widget_set_name (entGeneration, "entGeneration"); - gtk_widget_show (entGeneration); - gtk_table_attach (GTK_TABLE (table3), entGeneration, 1, 2, 2, 3, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), 0, 0); - gtk_tooltips_set_tip (tooltips, 
entGeneration, "Generate passwords", NULL); - gtk_entry_set_text (GTK_ENTRY (entGeneration), "1:1:a"); + entGeneration = gtk_entry_new(); + gtk_widget_set_name(entGeneration, "entGeneration"); + gtk_widget_show(entGeneration); + gtk_table_attach(GTK_TABLE(table3), entGeneration, 1, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 0, 0); + gtk_tooltips_set_tip(tooltips, entGeneration, "Generate passwords", NULL); + gtk_entry_set_text(GTK_ENTRY(entGeneration), "1:1:a"); labelpass = gtk_label_new("Password"); gtk_widget_set_name(labelpass, "labelpass"); @@ -550,13 +542,13 @@ GtkWidget *create_wndMain(void) { chkColon = gtk_check_button_new_with_mnemonic("Use Colon separated file"); gtk_widget_set_name(chkColon, "chkColon"); gtk_widget_show(chkColon); - gtk_table_attach(GTK_TABLE(table5), chkColon, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table5), chkColon, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkColon, "Enable this option to use a colon file for login/password attempts", NULL); entColonFile = gtk_entry_new(); gtk_widget_set_name(entColonFile, "entColonFile"); gtk_widget_show(entColonFile); - gtk_table_attach(GTK_TABLE(table5), entColonFile, 1, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table5), entColonFile, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, entColonFile, "The colon file to use, each line has to be structured like \"mylogin:mypass\"", NULL); label20 = gtk_label_new("Colon separated file"); 
@@ -572,21 +564,21 @@ GtkWidget *create_wndMain(void) { chkPassLogin = gtk_check_button_new_with_mnemonic("Try login as password"); gtk_widget_set_name(chkPassLogin, "chkPassLogin"); gtk_widget_show(chkPassLogin); - gtk_table_attach(GTK_TABLE(table6), chkPassLogin, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table6), chkPassLogin, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkPassLogin, "Enable this option to try the login as password, in addition to the password/file", NULL); chkPassNull = gtk_check_button_new_with_mnemonic("Try empty password"); gtk_widget_set_name(chkPassNull, "chkPassNull"); gtk_widget_show(chkPassNull); - gtk_table_attach(GTK_TABLE(table6), chkPassNull, 1, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table6), chkPassNull, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkPassNull, "Enable this option to try an empty password, in addition to the password/file", NULL); - chkPassReverse = gtk_check_button_new_with_mnemonic ("Try reversed login"); - gtk_widget_set_name (chkPassReverse, "chkPassReverse"); - gtk_widget_show (chkPassReverse); - gtk_table_attach (GTK_TABLE (table6), chkPassReverse, 2, 3, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); - gtk_tooltips_set_tip (tooltips, chkPassReverse, "Enable this option to try an reverse password, in addition to the password/file", NULL); - + chkPassReverse = gtk_check_button_new_with_mnemonic("Try reversed login"); + gtk_widget_set_name(chkPassReverse, "chkPassReverse"); + gtk_widget_show(chkPassReverse); + gtk_table_attach(GTK_TABLE(table6), chkPassReverse, 2, 3, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), 
(GtkAttachOptions)(GTK_EXPAND), 0, 0); + gtk_tooltips_set_tip(tooltips, chkPassReverse, "Enable this option to try an reverse password, in addition to the password/file", NULL); + label2 = gtk_label_new("Passwords"); gtk_widget_set_name(label2, "label2"); gtk_widget_show(label2); @@ -600,7 +592,7 @@ GtkWidget *create_wndMain(void) { frame9 = gtk_frame_new(NULL); gtk_widget_set_name(frame9, "frame9"); gtk_widget_show(frame9); - gtk_table_attach(GTK_TABLE(table4), frame9, 0, 1, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK | GTK_FILL), (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK | GTK_FILL), 0, 0); + gtk_table_attach(GTK_TABLE(table4), frame9, 0, 1, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK | GTK_FILL), (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK | GTK_FILL), 0, 0); table7 = gtk_table_new(5, 2, FALSE); gtk_widget_set_name(table7, "table7"); 
@@ -610,58 +602,58 @@ GtkWidget *create_wndMain(void) { label22 = gtk_label_new("Proxy "); gtk_widget_set_name(label22, "label22"); gtk_widget_show(label22); - gtk_table_attach(GTK_TABLE(table7), label22, 0, 1, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), label22, 0, 1, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label22), 0, 0.5); entHTTPProxy = gtk_entry_new(); gtk_widget_set_name(entHTTPProxy, "entHTTPProxy"); gtk_widget_show(entHTTPProxy); - gtk_table_attach(GTK_TABLE(table7), entHTTPProxy, 1, 2, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), entHTTPProxy, 1, 2, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, entHTTPProxy, "The address of the proxy. Syntax: \"http://123.45.67.89:8080\"", NULL); gtk_entry_set_text(GTK_ENTRY(entHTTPProxy), "http://127.0.0.1:8080"); chkProxyAuth = gtk_check_button_new_with_mnemonic("Proxy needs authentication"); gtk_widget_set_name(chkProxyAuth, "chkProxyAuth"); gtk_widget_show(chkProxyAuth); - gtk_table_attach(GTK_TABLE(table7), chkProxyAuth, 0, 1, 2, 3, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), chkProxyAuth, 0, 1, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkProxyAuth, "Enable this if the proxy requires authenticatio", NULL); label23 = gtk_label_new("Username"); gtk_widget_set_name(label23, "label23"); gtk_widget_show(label23); - gtk_table_attach(GTK_TABLE(table7), label23, 0, 1, 3, 4, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), label23, 0, 1, 3, 4, (GtkAttachOptions)(GTK_EXPAND 
| GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label23), 0, 0.5); entProxyUser = gtk_entry_new(); gtk_widget_set_name(entProxyUser, "entProxyUser"); gtk_widget_show(entProxyUser); - gtk_table_attach(GTK_TABLE(table7), entProxyUser, 1, 2, 3, 4, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), entProxyUser, 1, 2, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, entProxyUser, "The user name for proxy authentication", NULL); gtk_entry_set_text(GTK_ENTRY(entProxyUser), "yourname"); label24 = gtk_label_new("Password"); gtk_widget_set_name(label24, "label24"); gtk_widget_show(label24); - gtk_table_attach(GTK_TABLE(table7), label24, 0, 1, 4, 5, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), label24, 0, 1, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label24), 0, 0.5); entProxyPass = gtk_entry_new(); gtk_widget_set_name(entProxyPass, "entProxyPass"); gtk_widget_show(entProxyPass); - gtk_table_attach(GTK_TABLE(table7), entProxyPass, 1, 2, 4, 5, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table7), entProxyPass, 1, 2, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, entProxyPass, "The password for proxy authentication", NULL); gtk_entry_set_text(GTK_ENTRY(entProxyPass), "yourpass"); label26 = gtk_label_new(""); gtk_widget_set_name(label26, "label26"); gtk_widget_show(label26); - gtk_table_attach(GTK_TABLE(table7), label26, 1, 2, 2, 3, (GtkAttachOptions) (GTK_FILL), (GtkAttachOptions) (0), 0, 0); + gtk_table_attach(GTK_TABLE(table7), label26, 1, 2, 2, 3, (GtkAttachOptions)(GTK_FILL), 
(GtkAttachOptions)(0), 0, 0); gtk_misc_set_alignment(GTK_MISC(label26), 0, 0.5); hbox3 = gtk_hbox_new(FALSE, 0); gtk_widget_set_name(hbox3, "hbox3"); gtk_widget_show(hbox3); - gtk_table_attach(GTK_TABLE(table7), hbox3, 0, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK | GTK_FILL), (GtkAttachOptions) (GTK_EXPAND | GTK_FILL), 0, 0); + gtk_table_attach(GTK_TABLE(table7), hbox3, 0, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK | GTK_FILL), (GtkAttachOptions)(GTK_EXPAND | GTK_FILL), 0, 0); radioProxy = gtk_radio_button_new_with_mnemonic(NULL, "No Proxy"); gtk_widget_set_name(radioProxy, "radioProxy"); @@ -695,7 +687,7 @@ GtkWidget *create_wndMain(void) { frame13 = gtk_frame_new(NULL); gtk_widget_set_name(frame13, "frame13"); gtk_widget_show(frame13); - gtk_table_attach(GTK_TABLE(table4), frame13, 0, 1, 0, 1, (GtkAttachOptions) (GTK_FILL), (GtkAttachOptions) (GTK_EXPAND | GTK_FILL), 0, 0); + gtk_table_attach(GTK_TABLE(table4), frame13, 0, 1, 0, 1, (GtkAttachOptions)(GTK_FILL), (GtkAttachOptions)(GTK_EXPAND | GTK_FILL), 0, 0); table10 = gtk_table_new(5, 2, FALSE); gtk_widget_set_name(table10, "table10"); 
@@ -705,50 +697,46 @@ GtkWidget *create_wndMain(void) { chkExitf = gtk_check_button_new_with_mnemonic("Exit after first found pair (per host)"); gtk_widget_set_name(chkExitf, "chkExitf"); gtk_widget_show(chkExitf); - gtk_table_attach(GTK_TABLE(table10), chkExitf, 0, 2, 2, 3, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table10), chkExitf, 0, 2, 2, 3, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, chkExitf, "Enable this to stop all attacking processes once a valid login/password pair is found (per host)", NULL); spnTimeout_adj = gtk_adjustment_new(30, 0, 295, 1, 10, 0); spnTimeout = gtk_spin_button_new(GTK_ADJUSTMENT(spnTimeout_adj), 1, 0); gtk_widget_set_name(spnTimeout, "spnTimeout"); gtk_widget_show(spnTimeout); - gtk_table_attach(GTK_TABLE(table10), spnTimeout, 1, 2, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table10), spnTimeout, 1, 2, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, spnTimeout, "The maximum timeout an attack process is waiting for a response from the target", NULL); spnTasks_adj = gtk_adjustment_new(16, 0, 128, 1, 10, 0); spnTasks = gtk_spin_button_new(GTK_ADJUSTMENT(spnTasks_adj), 1, 0); gtk_widget_set_name(spnTasks, "spnTasks"); gtk_widget_show(spnTasks); - gtk_table_attach(GTK_TABLE(table10), spnTasks, 1, 2, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table10), spnTasks, 1, 2, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_tooltips_set_tip(tooltips, spnTasks, "The number of attack tasks to run in parallel. 
The more the faster, the most: computer lockup :-) 16-64 is a good choice", NULL); label32 = gtk_label_new("Timeout"); gtk_widget_set_name(label32, "label32"); gtk_widget_show(label32); - gtk_table_attach(GTK_TABLE(table10), label32, 0, 1, 1, 2, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table10), label32, 0, 1, 1, 2, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label32), 0, 0.5); label31 = gtk_label_new("Number of Tasks"); gtk_widget_set_name(label31, "label31"); gtk_widget_show(label31); - gtk_table_attach(GTK_TABLE(table10), label31, 0, 1, 0, 1, (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions) (GTK_EXPAND), 0, 0); + gtk_table_attach(GTK_TABLE(table10), label31, 0, 1, 0, 1, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); gtk_misc_set_alignment(GTK_MISC(label31), 0, 0.5); - chkExitF = gtk_check_button_new_with_mnemonic ("Exit after first found pair (global)"); - gtk_widget_set_name (chkExitF, "chkExitF"); - gtk_widget_show (chkExitF); - gtk_table_attach (GTK_TABLE (table10), chkExitF, 0, 2, 3, 4, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), - (GtkAttachOptions) (GTK_EXPAND), 0, 0); - gtk_tooltips_set_tip (tooltips, chkExitF, "Enable this to stop all attacking processes once a valid login/password pair is found (global)", NULL); + chkExitF = gtk_check_button_new_with_mnemonic("Exit after first found pair (global)"); + gtk_widget_set_name(chkExitF, "chkExitF"); + gtk_widget_show(chkExitF); + gtk_table_attach(GTK_TABLE(table10), chkExitF, 0, 2, 3, 4, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); + gtk_tooltips_set_tip(tooltips, chkExitF, "Enable this to stop all attacking processes once a valid login/password pair is found (global)", NULL); - chkNoErr = gtk_check_button_new_with_mnemonic ("Do not print messages about connection 
errors"); - gtk_widget_set_name (chkNoErr, "chkNoErr"); - gtk_widget_show (chkNoErr); - gtk_table_attach (GTK_TABLE (table10), chkNoErr, 0, 2, 4, 5, - (GtkAttachOptions) (GTK_EXPAND | GTK_SHRINK), - (GtkAttachOptions) (GTK_EXPAND), 0, 0); - gtk_tooltips_set_tip (tooltips, chkNoErr, "Do not print messages about connection errors", NULL); + chkNoErr = gtk_check_button_new_with_mnemonic("Do not print messages about connection errors"); + gtk_widget_set_name(chkNoErr, "chkNoErr"); + gtk_widget_show(chkNoErr); + gtk_table_attach(GTK_TABLE(table10), chkNoErr, 0, 2, 4, 5, (GtkAttachOptions)(GTK_EXPAND | GTK_SHRINK), (GtkAttachOptions)(GTK_EXPAND), 0, 0); + gtk_tooltips_set_tip(tooltips, chkNoErr, "Do not print messages about connection errors", NULL); label30 = gtk_label_new("Performance Options"); gtk_widget_set_name(label30, "label30"); 
@@ -847,25 +835,42 @@ GtkWidget *create_wndMain(void) {
 gtk_widget_set_name(chkLocal, "chkLocal");
 gtk_widget_show(chkLocal);
 gtk_box_pack_start(GTK_BOX(hbox2), chkLocal, TRUE, TRUE, 0);
- gtk_tooltips_set_tip(tooltips, chkLocal, "Just attack local accounts", NULL);
+ gtk_tooltips_set_tip(tooltips, chkLocal, "Just attack local accounts (only valid for smb module)", NULL);
 chkDomain = gtk_check_button_new_with_mnemonic("domain accounts");
 gtk_widget_set_name(chkDomain, "chkDomain");
 gtk_widget_show(chkDomain);
 gtk_box_pack_start(GTK_BOX(hbox2), chkDomain, TRUE, TRUE, 0);
- gtk_tooltips_set_tip(tooltips, chkDomain, "Attack domain and local accounts", NULL);
+ gtk_tooltips_set_tip(tooltips, chkDomain, "Attack domain and local accounts (only valid for smb module)", NULL);
 chkNTLM = gtk_check_button_new_with_mnemonic("Interpret passes as NTLM hashes");
 gtk_widget_set_name(chkNTLM, "chkNTLM");
 gtk_widget_show(chkNTLM);
 gtk_box_pack_start(GTK_BOX(hbox2), chkNTLM, FALSE, FALSE, 0);
- gtk_tooltips_set_tip(tooltips, chkNTLM, "Interpret passes as NTML hashes", NULL);
+ gtk_tooltips_set_tip(tooltips, chkNTLM, "Interpret passes as NTML hashes (valid for both smb and smb2 modules)", NULL);
 label18 = gtk_label_new("SMB");
 gtk_widget_set_name(label18, "label18");
 gtk_widget_show(label18);
 gtk_frame_set_label_widget(GTK_FRAME(frame6), label18);
+ fraSMB2 = gtk_frame_new(NULL);
+ gtk_widget_set_name(fraSMB2, "fraSMB2");
+ gtk_widget_show(fraSMB2);
+ gtk_box_pack_start(GTK_BOX(vbox4), fraSMB2, TRUE, TRUE, 0);
+
+ entSMB2Workgroup = gtk_entry_new();
+ gtk_widget_set_name(entSMB2Workgroup, "entSMB2Workgroup");
+ gtk_widget_show(entSMB2Workgroup);
+ gtk_container_add(GTK_CONTAINER(fraSMB2), entSMB2Workgroup);
+ gtk_tooltips_set_tip(tooltips, entSMB2Workgroup, "Workgroup to use for SMB authentication (only valid for smb2 module)", NULL);
+ gtk_entry_set_text(GTK_ENTRY(entSMB2Workgroup), "WORKGROUP");
+
+ lblSMB2 = gtk_label_new("SMB2 Workgroup");
+ gtk_widget_set_name(lblSMB2, "lblSMB2");
+ gtk_widget_show(lblSMB2);
+ gtk_frame_set_label_widget(GTK_FRAME(fraSMB2), lblSMB2);
+
 frame7 = gtk_frame_new(NULL);
 gtk_widget_set_name(frame7, "frame7");
 gtk_widget_show(frame7);
@@ -1015,18 +1020,18 @@ GtkWidget *create_wndMain(void) {
 gtk_widget_show(statusbar);
 gtk_box_pack_start(GTK_BOX(vbox1), statusbar, FALSE, FALSE, 0);
- g_signal_connect((gpointer) wndMain, "destroy", G_CALLBACK(on_wndMain_destroy), NULL);
- g_signal_connect((gpointer) quit1, "button-press-event", G_CALLBACK(on_quit1_activate), NULL);
- g_signal_connect((gpointer) entTargetFile, "button_press_event", G_CALLBACK(on_entTargetFile_button_press_event), NULL);
- g_signal_connect((gpointer) entUsernameFile, "button_press_event", G_CALLBACK(on_entUsernameFile_button_press_event), NULL);
- g_signal_connect((gpointer) chkDisUser, "toggled", G_CALLBACK (on_chkDisUser_toggled), NULL);
- g_signal_connect((gpointer) entPassFile, "button_press_event", G_CALLBACK(on_entPassFile_button_press_event), NULL);
- g_signal_connect((gpointer) chkColon, "toggled", G_CALLBACK(on_chkColon_toggled), NULL);
- g_signal_connect((gpointer) entColonFile, "button_press_event", G_CALLBACK(on_entColonFile_button_press_event), NULL);
- g_signal_connect((gpointer) btnStart, "clicked", G_CALLBACK(on_btnStart_clicked), NULL);
- g_signal_connect((gpointer) btnStop, "clicked", G_CALLBACK(on_btnStop_clicked), NULL);
- g_signal_connect((gpointer) btnSave, "clicked", G_CALLBACK(on_btnSave_clicked), NULL);
- g_signal_connect((gpointer) btnClear, "clicked", G_CALLBACK(on_btnClear_clicked), NULL);
+ g_signal_connect((gpointer)wndMain, "destroy", G_CALLBACK(on_wndMain_destroy), NULL);
+ g_signal_connect((gpointer)quit1, "button-press-event", G_CALLBACK(on_quit1_activate), NULL);
+ g_signal_connect((gpointer)entTargetFile, "button_press_event", G_CALLBACK(on_entTargetFile_button_press_event), NULL);
+ g_signal_connect((gpointer)entUsernameFile, "button_press_event", G_CALLBACK(on_entUsernameFile_button_press_event), NULL);
+ g_signal_connect((gpointer)chkDisUser, "toggled", G_CALLBACK(on_chkDisUser_toggled), NULL);
+ g_signal_connect((gpointer)entPassFile, "button_press_event", G_CALLBACK(on_entPassFile_button_press_event), NULL);
+ g_signal_connect((gpointer)chkColon, "toggled", G_CALLBACK(on_chkColon_toggled), NULL);
+ g_signal_connect((gpointer)entColonFile, "button_press_event", G_CALLBACK(on_entColonFile_button_press_event), NULL);
+ g_signal_connect((gpointer)btnStart, "clicked", G_CALLBACK(on_btnStart_clicked), NULL);
+ g_signal_connect((gpointer)btnStop, "clicked", G_CALLBACK(on_btnStop_clicked), NULL);
+ g_signal_connect((gpointer)btnSave, "clicked", G_CALLBACK(on_btnSave_clicked), NULL);
+ g_signal_connect((gpointer)btnClear, "clicked", G_CALLBACK(on_btnClear_clicked), NULL);
 /* Store pointers to all widgets, for use by lookup_widget(). */
 GLADE_HOOKUP_OBJECT_NO_REF(wndMain, wndMain, "wndMain");
@@ -1067,7 +1072,7 @@ GtkWidget *create_wndMain(void) {
 GLADE_HOOKUP_OBJECT(wndMain, radioUsername1, "radioUsername1");
 GLADE_HOOKUP_OBJECT(wndMain, chkUsernameLoop, "chkUsernameLoop");
 GLADE_HOOKUP_OBJECT(wndMain, radioUsername2, "radioUsername2");
- GLADE_HOOKUP_OBJECT (wndMain, chkDisUser, "chkDisUser");
+ GLADE_HOOKUP_OBJECT(wndMain, chkDisUser, "chkDisUser");
 GLADE_HOOKUP_OBJECT(wndMain, label8, "label8");
 GLADE_HOOKUP_OBJECT(wndMain, frmPass, "frmPass");
 GLADE_HOOKUP_OBJECT(wndMain, table3, "table3");
@@ -1162,6 +1167,7 @@ GtkWidget *create_wndMain(void) {
 GLADE_HOOKUP_OBJECT(wndMain, label4, "label4");
 GLADE_HOOKUP_OBJECT(wndMain, statusbar, "statusbar");
 GLADE_HOOKUP_OBJECT_NO_REF(wndMain, tooltips, "tooltips");
+ GLADE_HOOKUP_OBJECT(wndMain, entSMB2Workgroup, "entSMB2Workgroup");
 gtk_window_add_accel_group(GTK_WINDOW(wndMain), accel_group);
diff --git a/hydra-gtk/src/main.c b/hydra-gtk/src/main.c
index 931493b..b713e6f 100644
--- a/hydra-gtk/src/main.c
+++ b/hydra-gtk/src/main.c
@@ -8,19 +8,23 @@ #include #endif -#include -#include +#include "callbacks.h" #include "interface.h" #include "support.h" -#include "callbacks.h" +#include +#include char *hydra_path1 = "./hydra"; char *hydra_path2 = "/usr/local/bin/hydra"; char *hydra_path3 = "/usr/bin/hydra"; +char *hydra_path4 = "/data/data/com.termux/files/usr/bin/hydra"; +char *hydra_path5 = "/data/data/com.termux/files/usr/local/bin/hydra"; +GtkWidget *wndMain; +char *HYDRA_BIN; +guint message_id; int main(int argc, char *argv[]) { - extern GtkWidget *wndMain; int i; extern guint message_id; GtkWidget *output; @@ -51,6 +55,10 @@ int main(int argc, char *argv[]) { HYDRA_BIN = hydra_path2; } else if (g_file_test(hydra_path3, G_FILE_TEST_IS_EXECUTABLE)) { HYDRA_BIN = hydra_path3; + } else if (g_file_test(hydra_path4, G_FILE_TEST_IS_EXECUTABLE)) { + HYDRA_BIN = hydra_path4; + } else if (g_file_test(hydra_path5, G_FILE_TEST_IS_EXECUTABLE)) { + HYDRA_BIN = hydra_path5; } else { g_error("Please tell me where hydra is, use --hydra-path\n"); return -1; @@ -60,7 +68,6 @@ int main(int argc, char *argv[]) { wndMain = create_wndMain(); gtk_widget_show(wndMain); - /* if we can't use the new cool file chooser, the save button gets disabled */ #ifndef GTK_TYPE_FILE_CHOOSER GtkWidget *btnSave; @@ -69,13 +76,12 @@ int main(int argc, char *argv[]) { gtk_widget_set_sensitive(btnSave, FALSE); #endif - /* update the statusbar every now and then */ g_timeout_add(600, update_statusbar, NULL); /* we want bold text in the output window */ output = lookup_widget(GTK_WIDGET(wndMain), "txtOutput"); - outputbuf = gtk_text_view_get_buffer((GtkTextView *) output); + outputbuf = gtk_text_view_get_buffer((GtkTextView *)output); gtk_text_buffer_create_tag(outputbuf, "bold", "weight", PANGO_WEIGHT_BOLD, NULL); /* he ho, lets go! */ diff --git a/hydra-gtk/src/support.c b/hydra-gtk/src/support.c index 22a1a3a..96d5e17 100644 --- a/hydra-gtk/src/support.c +++ b/hydra-gtk/src/support.c 
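Review bot: `extern guint message_id;` inside main() is now redundant: this hunk defines `guint message_id;` at file scope a few lines above and removes the matching `extern GtkWidget *wndMain;` for exactly that reason, so the leftover declaration should go too. Separately, the new Termux paths join a lookup whose first candidate is `hydra_path1 = "./hydra"`, which means the GUI prefers a binary in whatever directory it was launched from over the installed ones; that predates this change, but a comment such as `/* NOTE: "./hydra" is tried first, so the launch directory decides which binary runs */` next to hydra_path1 would make the behaviour visible to the next reader. The rest of main() and any --hydra-path handling are outside the hunk.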
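Review bot: The binary search is now a five-branch if/else chain whose branches differ only in the path tested; an array plus a loop states the rule once and makes adding a sixth location a one-line change. The head of the chain (the hydra_path1 test and whatever --hydra-path sets up beforehand) is outside the hunk, so the sketch below keeps the existing `HYDRA_BIN` contract and the existing g_error() fallback; if an earlier --hydra-path assignment must win, guard the loop with `if (HYDRA_BIN == NULL)`. `i` is the int already declared in main().

```c
  const char *hydra_paths[] = {hydra_path1, hydra_path2, hydra_path3, hydra_path4, hydra_path5};
  /* … unchanged: anything before the path search (e.g. --hydra-path) … */
  for (i = 0; i < (int)(sizeof(hydra_paths) / sizeof(hydra_paths[0])); i++) {
    if (g_file_test(hydra_paths[i], G_FILE_TEST_IS_EXECUTABLE)) {
      HYDRA_BIN = (char *)hydra_paths[i];
      break;
    }
  }
  if (HYDRA_BIN == NULL) {
    g_error("Please tell me where hydra is, use --hydra-path\n");
    return -1;
  }
```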
@@ -7,17 +7,17 @@ #include #endif -#include -#include -#include -#include #include +#include +#include +#include +#include #include #include "support.h" -GtkWidget *lookup_widget(GtkWidget * widget, const gchar * widget_name) { +GtkWidget *lookup_widget(GtkWidget *widget, const gchar *widget_name) { GtkWidget *parent, *found_widget; for (;;) { @@ -26,13 +26,13 @@ GtkWidget *lookup_widget(GtkWidget * widget, const gchar * widget_name) { else parent = widget->parent; if (!parent) - parent = (GtkWidget *) g_object_get_data(G_OBJECT(widget), "GladeParentKey"); + parent = (GtkWidget *)g_object_get_data(G_OBJECT(widget), "GladeParentKey"); if (parent == NULL) break; widget = parent; } - found_widget = (GtkWidget *) g_object_get_data(G_OBJECT(widget), widget_name); + found_widget = (GtkWidget *)g_object_get_data(G_OBJECT(widget), widget_name); if (!found_widget) g_warning("Widget not found: %s", widget_name); return found_widget; @@ -41,19 +41,16 @@ GtkWidget *lookup_widget(GtkWidget * widget, const gchar * widget_name) { static GList *pixmaps_directories = NULL; /* Use this function to set the directory containing installed pixmaps. */ -void add_pixmap_directory(const gchar * directory) { - pixmaps_directories = g_list_prepend(pixmaps_directories, g_strdup(directory)); -} +void add_pixmap_directory(const gchar *directory) { pixmaps_directories = g_list_prepend(pixmaps_directories, g_strdup(directory)); } /* This is an internally used function to find pixmap files. */ -static gchar *find_pixmap_file(const gchar * filename) { +static gchar *find_pixmap_file(const gchar *filename) { GList *elem; /* We step through each of the pixmaps directory to find it. */ elem = pixmaps_directories; while (elem) { - gchar *pathname = g_strdup_printf("%s%s%s", (gchar *) elem->data, - G_DIR_SEPARATOR_S, filename); + gchar *pathname = g_strdup_printf("%s%s%s", (gchar *)elem->data, G_DIR_SEPARATOR_S, filename); if (g_file_test(pathname, G_FILE_TEST_EXISTS)) return pathname; 
@@ -64,7 +61,7 @@ static gchar *find_pixmap_file(const gchar * filename) { } /* This is an internally used function to create pixmaps. */ -GtkWidget *create_pixmap(GtkWidget * widget, const gchar * filename) { +GtkWidget *create_pixmap(GtkWidget *widget, const gchar *filename) { gchar *pathname = NULL; GtkWidget *pixmap; @@ -84,7 +81,7 @@ GtkWidget *create_pixmap(GtkWidget * widget, const gchar * filename) { } /* This is an internally used function to create pixmaps. */ -GdkPixbuf *create_pixbuf(const gchar * filename) { +GdkPixbuf *create_pixbuf(const gchar *filename) { gchar *pathname = NULL; GdkPixbuf *pixbuf; GError *error = NULL; @@ -109,7 +106,7 @@ GdkPixbuf *create_pixbuf(const gchar * filename) { } /* This is used to set ATK action descriptions. */ -void glade_set_atk_action_description(AtkAction * action, const gchar * action_name, const gchar * description) { +void glade_set_atk_action_description(AtkAction *action, const gchar *action_name, const gchar *description) { gint n_actions, i; n_actions = atk_action_get_n_actions(action); diff --git a/hydra-gtk/src/support.h b/hydra-gtk/src/support.h index 4fc185d..f1f7bbb 100644 --- a/hydra-gtk/src/support.h +++ b/hydra-gtk/src/support.h 
@@ -19,27 +19,24 @@
 * or alternatively any widget in the component, and the name of the widget
 * you want returned.
 */
-GtkWidget *lookup_widget(GtkWidget * widget, const gchar * widget_name);
-
+GtkWidget *lookup_widget(GtkWidget *widget, const gchar *widget_name);
 /* Use this function to set the directory containing installed pixmaps. */
-void add_pixmap_directory(const gchar * directory);
-
+void add_pixmap_directory(const gchar *directory);
 /*
 * Private Functions.
 */
 /* This is used to create the pixmaps used in the interface. */
-GtkWidget *create_pixmap(GtkWidget * widget, const gchar * filename);
+GtkWidget *create_pixmap(GtkWidget *widget, const gchar *filename);
 /* This is used to create the pixbufs used in the interface. */
-GdkPixbuf *create_pixbuf(const gchar * filename);
+GdkPixbuf *create_pixbuf(const gchar *filename);
 /* This is used to set ATK action descriptions. */
-void glade_set_atk_action_description(AtkAction * action, const gchar * action_name, const gchar * description);
+void glade_set_atk_action_description(AtkAction *action, const gchar *action_name, const gchar *description);
-
-GtkWidget *wndMain;
-char *HYDRA_BIN;
-guint message_id;
+extern GtkWidget *wndMain;
+extern char *HYDRA_BIN;
+extern guint message_id;
diff --git a/hydra-http-form.c b/hydra-http-form.c
old mode 100644
new mode 100755
index 875222f..af2f457
--- a/hydra-http-form.c
+++ b/hydra-http-form.c
@@ -20,40 +20,33 @@ Here's a couple of examples: - ./hydra -S -s 443 -l "" -P pass.txt 10.221.64.2 https-get-form "/irmlab1/vulnapp.php:username=^USER^&pass=^PASS^:incorrect" -The option field (following the service field) takes three ":" separated -values and an optional fourth value, the first is the page on the server -to GET or POST to, the second is the POST/GET variables (taken from either -the browser, or a proxy such as PAROS) with the varying usernames and passwords -in the "^USER^" and "^PASS^" placeholders, the third is the string that it -checks for an *invalid* or *valid* login - any exception to this is counted -as a success. +The option field (following the service field) takes ":" separated values: +The first is the page on the server to GET or POST to. +The second is the POST/GET variables (taken from either the browser, or a proxy +such as ZAP) with the varying usernames and passwords in the "^USER^" and +"^PASS^" placeholders. +The third + are optional parameters like C=, H= etc. (see below) +The final(!) parameter is the string that it checks for an *invalid* or *valid* +login So please: * invalid condition login should be preceded by "F=" * valid condition login should be preceded by "S=". -By default, if no header is found the condition is assume to be a fail, -so checking for *invalid* login. -The fourth optional value, can be a 'C' to define a different page to GET -initial cookies from. +By default, if no header is found the condition is assume to be a fail (F=), +so checking for an *invalid* login string. -If you specify the verbose flag (-v) it will show you the response from the +If you specify the debug flag (-d) it will show you the response from the HTTP server which is useful for checking the result of a failed login to -find something to pattern match against. 
- -Module initially written by Phil Robinson, IRM Plc (releases@irmplc.com), -rewritten by David Maciejak - -Fix and issue with strtok use and implement 1 step location follow if HTTP -3xx code is returned (david dot maciejak at gmail dot com) - -Added fail or success condition, getting cookies, and allow 5 redirections by david +find something to pattern match against. This should be done together with -t 1. */ #include "hydra-http.h" +#include "sasl.h" extern char *HYDRA_EXIT; char *buf; char *cond; +extern int32_t http_auth_mechanism; struct header_node { char *header; @@ -72,21 +65,24 @@ typedef struct cookie_node { int32_t success_cond = 0; int32_t getcookie = 1; int32_t auth_flag = 0; +int32_t code_302_is_success = 0; +int32_t code_401_is_failure = 0; +int32_t multipart_mode = 0; char cookie[4096] = "", cmiscptr[1024]; -int32_t webport, freemischttpform = 0; +int32_t webport; char bufferurl[6096 + 24], cookieurl[6096 + 24] = "", userheader[6096 + 24] = "", *url, *variables, *optional1; -#define MAX_REDIRECT 8 -#define MAX_CONTENT_LENGTH 20 -#define MAX_PROXY_LENGTH 2048 // sizeof(cookieurl) * 2 +#define MAX_REDIRECT 8 +#define MAX_CONTENT_LENGTH 20 +#define MAX_PROXY_LENGTH 2048 // sizeof(cookieurl) * 2 char redirected_url_buff[2048] = ""; int32_t redirected_flag = 0; int32_t redirected_cpt = MAX_REDIRECT; -char *cookie_request = NULL, *normal_request = NULL; // Buffers for HTTP headers +char *cookie_request = NULL, *normal_request = NULL; // Buffers for HTTP headers /* * Function to perform some initial setup. 
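Review bot: The file header right before this hunk shows `old mode 100644` / `new mode 100755`, i.e. hydra-http-form.c becomes executable; nothing in the diff needs a C source file to be executable, so this looks like an accidental chmod that should be reverted before merge. In the rewritten usage comment, "the condition is assume to be a fail (F=)" should read "the condition is assumed to be a failure (F=)", and "The third +" is clearer as "The third and following are optional parameters". The `extern int32_t http_auth_mechanism;` added here is set by the new `A=` option in parse_options further down; a one-line comment, `/* set by the A= optional parameter, see parse_options() */`, would tie the two together.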
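Review bot: The three new module flags `code_302_is_success`, `code_401_is_failure` and `multipart_mode` are declared without saying what turns them on; they are set from the `2=`, `1=` and `M=` optional parameters in parse_options later in this diff, and a comment on each declaration, e.g. `int32_t code_302_is_success = 0; // set by the 2= optional parameter (see parse_options)`, would save the reader a search. As non-static globals they are also visible to every other module linked into hydra; if nothing outside this file reads them, `static` would make that explicit.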
@@ -96,7 +92,7 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr); /* * Returns 1 if specified header exists, or 0 otherwise. */ -ptr_header_node header_exists(ptr_header_node * ptr_head, char *header_name, char type) { +ptr_header_node header_exists(ptr_header_node *ptr_head, char *header_name, char type) { ptr_header_node cur_ptr = *ptr_head, found_header = NULL; for (cur_ptr = *ptr_head; cur_ptr && !found_header; cur_ptr = cur_ptr->next) @@ -116,7 +112,7 @@ char *strndup(const char *s, size_t n) { if (n < len) len = n; - result = (char *) malloc(len + 1); + result = (char *)malloc(len + 1); if (!result) return 0; @@ -126,8 +122,8 @@ char *strndup(const char *s, size_t n) { } #endif -int32_t append_cookie(char *name, char *value, ptr_cookie_node * last_cookie) { - ptr_cookie_node new_ptr = (ptr_cookie_node) malloc(sizeof(t_cookie_node)); +int32_t append_cookie(char *name, char *value, ptr_cookie_node *last_cookie) { + ptr_cookie_node new_ptr = (ptr_cookie_node)malloc(sizeof(t_cookie_node)); if (!new_ptr) return 0; @@ -147,13 +143,13 @@ int32_t append_cookie(char *name, char *value, ptr_cookie_node * last_cookie) { char *stringify_cookies(ptr_cookie_node ptr_cookie) { ptr_cookie_node cur_ptr = NULL; uint32_t length = 1; - char *cookie_hdr = (char *) malloc(length); + char *cookie_hdr = (char *)malloc(length); if (cookie_hdr) { memset(cookie_hdr, 0, length); for (cur_ptr = ptr_cookie; cur_ptr; cur_ptr = cur_ptr->next) { length += 2 + strlen(cur_ptr->name) + strlen(cur_ptr->value); - cookie_hdr = (char *) realloc(cookie_hdr, length); + cookie_hdr = (char *)realloc(cookie_hdr, length); if (cookie_hdr) { strcat(cookie_hdr, cur_ptr->name); strcat(cookie_hdr, "="); 
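Review bot: In stringify_cookies the reformatted `cookie_hdr = (char *)realloc(cookie_hdr, length);` still assigns the result straight back, so when realloc fails the previous buffer leaks, the loop carries on, and the next iteration's `realloc(NULL, length)` hands back uninitialized memory that `strcat` then appends to. Use a temporary and stop on failure: `char *grown = (char *)realloc(cookie_hdr, length); if (!grown) { free(cookie_hdr); return NULL; } cookie_hdr = grown;`. The `length += 2 + …` arithmetic presumes exactly two separator bytes per cookie; the strcat calls after `"="` are outside the hunk, so the count is worth confirming against them. The tail of stringify_cookies is outside this hunk.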
@@ -185,7 +181,7 @@ success: * +--------+ * Returns 1 if success, or 0 otherwise. */ -int32_t add_or_update_cookie(ptr_cookie_node * ptr_cookie, char *cookie_expr) { +int32_t add_or_update_cookie(ptr_cookie_node *ptr_cookie, char *cookie_expr) { ptr_cookie_node cur_ptr = NULL; char *cookie_name = NULL, *cookie_value = strstr(cookie_expr, "="); @@ -193,7 +189,8 @@ int32_t add_or_update_cookie(ptr_cookie_node * ptr_cookie, char *cookie_expr) { cookie_name = strndup(cookie_expr, cookie_value - cookie_expr); cookie_value = strdup(cookie_value + 1); - // we've got the cookie's name and value, now it's time to insert or update the list + // we've got the cookie's name and value, now it's time to insert or update + // the list if (*ptr_cookie == NULL) { // no cookies append_cookie(cookie_name, cookie_value, ptr_cookie); @@ -201,7 +198,7 @@ int32_t add_or_update_cookie(ptr_cookie_node * ptr_cookie, char *cookie_expr) { for (cur_ptr = *ptr_cookie; cur_ptr; cur_ptr = cur_ptr->next) { if (strcmp(cur_ptr->name, cookie_name) == 0) { free(cur_ptr->value); // free old value - free(cookie_name); // we already have it + free(cookie_name); // we already have it cur_ptr->value = cookie_value; break; } @@ -216,7 +213,7 @@ int32_t add_or_update_cookie(ptr_cookie_node * ptr_cookie, char *cookie_expr) { return 1; } -int32_t process_cookies(ptr_cookie_node * ptr_cookie, char *cookie_expr) { +int32_t process_cookies(ptr_cookie_node *ptr_cookie, char *cookie_expr) { char *tok = NULL; char *expr = strdup(cookie_expr); int32_t res = 0; 
@@ -250,32 +247,32 @@ int32_t process_cookies(ptr_cookie_node * ptr_cookie, char *cookie_expr) { * * Returns 1 if success, or 0 otherwise (out of memory). */ -int32_t add_header(ptr_header_node * ptr_head, char *header, char *value, char type) { +int32_t add_header(ptr_header_node *ptr_head, char *header, char *value, char type) { ptr_header_node cur_ptr = NULL; ptr_header_node existing_hdr, new_ptr; + if (!header || !value || !strlen(header) || !strlen(value)) + return 0; + // get to the last header - for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next); + for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next) + ; char *new_header = strdup(header); char *new_value = strdup(value); if (new_header && new_value) { - if ((type == HEADER_TYPE_USERHEADER) || - (type == HEADER_TYPE_DEFAULT && !header_exists(ptr_head, new_header, HEADER_TYPE_USERHEADER_REPL)) || - (type == HEADER_TYPE_USERHEADER_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) || - (type == HEADER_TYPE_DEFAULT_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) - ) { + if ((type == HEADER_TYPE_USERHEADER) || (type == HEADER_TYPE_DEFAULT && !header_exists(ptr_head, new_header, HEADER_TYPE_USERHEADER_REPL)) || (type == HEADER_TYPE_USERHEADER_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT)) || (type == HEADER_TYPE_DEFAULT_REPL && !header_exists(ptr_head, new_header, HEADER_TYPE_DEFAULT))) { /* * We are in one of the following scenarios: * 1. A default header with no user-supplied headers that replace it. * 2. A user-supplied header that must be appended (option 'h'). - * 3. A user-supplied header that must replace a default header (option 'h'), - * but no default headers exist with that name. + * 3. A user-supplied header that must replace a default header + * (option 'h'), but no default headers exist with that name. * * In either case we just add the header to the list. 
*/ - new_ptr = (ptr_header_node) malloc(sizeof(t_header_node)); + new_ptr = (ptr_header_node)malloc(sizeof(t_header_node)); if (!new_ptr) { free(new_header); free(new_value); @@ -319,11 +316,16 @@ void hdrrep(ptr_header_node *ptr_head, char *oldvalue, char *newvalue) { for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) { if ((cur_ptr->type == HEADER_TYPE_USERHEADER || cur_ptr->type == HEADER_TYPE_USERHEADER_REPL) && strstr(cur_ptr->value, oldvalue)) { - cur_ptr->value = (char *) realloc(cur_ptr->value, strlen(newvalue) + 1); - if (cur_ptr->value) - strcpy(cur_ptr->value, newvalue); - else { - hydra_report(stderr, "[ERROR] Out of memory (hddrep)."); + size_t oldlen = strlen(oldvalue); + size_t newlen = strlen(newvalue); + if (oldlen != newlen) + cur_ptr->value = (char *)realloc(cur_ptr->value, strlen(cur_ptr->value) - oldlen + newlen + 1); + if (cur_ptr->value) { + char *p = strstr(cur_ptr->value, oldvalue); + memmove(p + newlen, p + oldlen, strlen(p + oldlen) + 1); + memcpy(p, newvalue, newlen); + } else { + hydra_report(stderr, "[ERROR] Out of memory (hddrep).\n"); hydra_child_exit(0); } } @@ -338,18 +340,18 @@ void hdrrepv(ptr_header_node *ptr_head, char *hdrname, char *new_value) { for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) { if ((cur_ptr->type == HEADER_TYPE_DEFAULT) && strcmp(cur_ptr->header, hdrname) == 0) { - cur_ptr->value = (char *) realloc(cur_ptr->value, strlen(new_value) + 1); + cur_ptr->value = (char *)realloc(cur_ptr->value, strlen(new_value) + 1); if (cur_ptr->value) strcpy(cur_ptr->value, new_value); else { - hydra_report(stderr, "[ERROR] Out of memory (hdrrepv %lu)", strlen(new_value) + 1); + hydra_report(stderr, "[ERROR] Out of memory (hdrrepv %lu)\n", strlen(new_value) + 1); hydra_child_exit(0); } } } } -void cleanup(ptr_header_node * ptr_head) { +void cleanup(ptr_header_node *ptr_head) { ptr_header_node cur_ptr = *ptr_head, next_ptr = cur_ptr; while (next_ptr != NULL) { 
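Review bot: The new guard at the top of add_header returns 0 for a NULL or empty header name or value, but the callers in parse_options (the `h` and `H` cases later in this diff) report every 0 as `[ERROR] Out of memory for HTTP headers`, so a user who types an empty header now gets a misleading out-of-memory message. Either report at the guard, `hydra_report(stderr, "[ERROR] empty header name or value\n");` before the `return 0;`, or return a distinct code the callers can tell apart. `!*header` reads more naturally than `!strlen(header)` for the emptiness test. add_header continues past the end of this hunk.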
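Review bot: The rewritten hdrrep shrinks the buffer before moving the tail: when `newlen < oldlen` the realloc on the new side cuts `oldlen - newlen` bytes, terminator included, off the end of `cur_ptr->value`, and the `strstr`/`memmove` that follow then read past the allocation. Grow only when the replacement is longer and do the in-place move otherwise; a slightly oversized buffer in the shrink case is harmless. Assigning realloc's result straight to `cur_ptr->value` also loses the old pointer on failure, and the error text still says "hddrep". hdrrep's loop header is outside the hunk.

```c
      size_t oldlen = strlen(oldvalue);
      size_t newlen = strlen(newvalue);
      if (newlen > oldlen) {
        // grow first; shrinking here would cut the tail off before it is moved
        char *grown = (char *)realloc(cur_ptr->value, strlen(cur_ptr->value) - oldlen + newlen + 1);
        if (!grown) {
          hydra_report(stderr, "[ERROR] Out of memory (hdrrep).\n");
          hydra_child_exit(0);
        }
        cur_ptr->value = grown;
      }
      char *p = strstr(cur_ptr->value, oldvalue);
      memmove(p + newlen, p + oldlen, strlen(p + oldlen) + 1);
      memcpy(p, newvalue, newlen);
```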
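Review bot: In hdrrepv's out-of-memory message `%lu` is paired with `strlen(new_value) + 1`, a `size_t`; `%zu` is the matching conversion and avoids a warning where `size_t` is not `unsigned long`: `hydra_report(stderr, "[ERROR] Out of memory (hdrrepv %zu)\n", strlen(new_value) + 1);`. The same direct `cur_ptr->value = (char *)realloc(...)` pattern as in hdrrep drops the old buffer on failure, though the child exits right after so it only matters for cleanliness.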
@@ -373,7 +375,7 @@ char *stringify_headers(ptr_header_node *ptr_head) { for (; cur_ptr; cur_ptr = cur_ptr->next) ttl_size += strlen(cur_ptr->header) + strlen(cur_ptr->value) + 4; - headers_str = (char *) malloc(ttl_size + 1); + headers_str = (char *)malloc(ttl_size + 1); if (headers_str) { memset(headers_str, 0, ttl_size + 1); @@ -389,15 +391,45 @@ char *stringify_headers(ptr_header_node *ptr_head) { } int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { - char *ptr, *ptr2; + char *ptr, *ptr2, *tmp; + + if (miscptr == NULL) + return 1; /* * Parse the user-supplied options. * Beware of the backslashes (\)! */ while (*miscptr != 0) { + if (strlen(miscptr) < 2 || miscptr[1] != '=') { + hydra_report(stderr, "[ERROR] optional parameters must have the format X=value: %s\n", miscptr); + return 0; + } switch (miscptr[0]) { - case 'c': // fall through + case 'a': // fall through + case 'A': // only for http, not http-form! + ptr = miscptr + 2; + + if (strncasecmp(ptr, "NTLM", 4) == 0) + http_auth_mechanism = AUTH_NTLM; + else if (strncasecmp(ptr, "MD5", 3) == 0 || strncasecmp(ptr, "DIGEST", 6) == 0) + http_auth_mechanism = AUTH_DIGESTMD5; + else if (strncasecmp(ptr, "BASIC", 4) == 0) + http_auth_mechanism = AUTH_BASIC; + else + fprintf(stderr, "[WARNING] unknown http auth type: %s\n", ptr); + + while (*ptr != 0 && *ptr != ':') + ptr++; + + if (*ptr != 0) { + *ptr = 0; + ptr += 1; + } + + miscptr = ptr; + break; + case 'c': // fall through case 'C': ptr = miscptr + 2; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) 
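Review bot: In the new `A=` case, `strncasecmp(ptr, "BASIC", 4)` compares only four characters, so any value starting with "basi" selects AUTH_BASIC; the other branches compare the full keyword and this one should too: `else if (strncasecmp(ptr, "BASIC", 5) == 0)`. The unknown-type branch uses `fprintf(stderr, ...)` where every other message in parse_options goes through `hydra_report`, and unlike the other parse errors it carries on instead of returning 0, which may be intended for a warning but deserves a comment. The new `X=value` check before the switch also applies to the `1`, `2` and `M` options added in the next hunk; if those are meant to be bare flags, this check rejects them, so confirm against the intended syntax. parse_options continues beyond this hunk.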
@@ -407,6 +439,41 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { sprintf(cookieurl, "%.1000s", hydra_strrep(miscptr + 2, "\\:", ":")); miscptr = ptr; break; + case '1': + code_401_is_failure = 1; + tmp = strchr(miscptr, ':'); + if (tmp) + miscptr = tmp + 1; + else + miscptr += strlen(miscptr); + break; + case '2': + code_302_is_success = 1; + tmp = strchr(miscptr, ':'); + if (tmp) + miscptr = tmp + 1; + else + miscptr += strlen(miscptr); + break; + case 'm': // fall through + case 'M': + multipart_mode = 1; + tmp = strchr(miscptr, ':'); + if (tmp) + miscptr = tmp + 1; + else + miscptr += strlen(miscptr); + break; + case 'g': // fall through + case 'G': + ptr = miscptr + 2; + while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) + ptr++; + if (*ptr != 0) + *ptr++ = 0; + getcookie = 0; + miscptr = ptr; + break; case 'h': // add a new header at the end ptr = miscptr + 2; @@ -416,7 +483,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { *(ptr - 1) = 0; if (*ptr != 0) { *ptr = 0; - ptr += 2; + ptr += 1; } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) @@ -434,7 +501,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { break; } // Error: abort execution - hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (h)."); + hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (h).\n"); return 0; case 'H': // add a new header, or replace an existing one's value @@ -447,7 +514,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { if (*ptr != 0) { *ptr = 0; - ptr += 2; + ptr += 1; } ptr2 = ptr; while (*ptr2 != 0 && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) 
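Review bot: The `1`, `2` and `M` cases each repeat the same five lines to step to the next option (`tmp = strchr(miscptr, ':'); if (tmp) miscptr = tmp + 1; else miscptr += strlen(miscptr);`), and `G` re-implements the escaped-colon scan from the `C` case only to discard the value; a small static helper removes the triplication and gives the "where does the next option start" rule one home. Note that the `1`/`2`/`M` skip does not honour a backslash-escaped `:` the way the `C`, `G`, `h` and `H` cases do; if that is deliberate, the helper's comment is the place to say so. The sketch keeps the current behaviour.

```c
/* Advance past the current "X=value" option to the start of the next one
 * (an unescaped ':' separates options; the last option ends at the NUL). */
static char *skip_option(char *opt) {
  char *sep = strchr(opt, ':');
  return sep ? sep + 1 : opt + strlen(opt);
}
/* … unchanged: parse_options up to the switch … */
    case '1':
      code_401_is_failure = 1;
      miscptr = skip_option(miscptr);
      break;
    case '2':
      code_302_is_success = 1;
      miscptr = skip_option(miscptr);
      break;
    case 'm': // fall through
    case 'M':
      multipart_mode = 1;
      miscptr = skip_option(miscptr);
      break;
```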
@@ -465,14 +532,107 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { break; } // Error: abort execution - hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (H)."); + hydra_report(stderr, "[ERROR] Out of memory for HTTP headers (H).\n"); + return 0; + default: + hydra_report(stderr, "[ERROR] no valid optional parameter type given: %c\n", miscptr[0]); return 0; - // no default } } return 1; } +char *build_multipart_body(char *multipart_boundary) { + if (!variables) + return NULL; + + char *body = NULL; + size_t body_size = 0; + + // Duplicate "variables" for tokenizing + char *vars_dup = strdup(variables); + if (!vars_dup) + return NULL; + + // Tokenize the string using '&' as a delimiter + char *pair = strtok(vars_dup, "&"); + while (pair != NULL) { + // Find the '=' separator in each pair + char *equal_sign = strchr(pair, '='); + if (!equal_sign) { + pair = strtok(NULL, "&"); + continue; + } + *equal_sign = '\0'; + char *key = pair; + char *value = equal_sign + 1; + + // Build the multipart section for the field + int section_len = snprintf(NULL, 0, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + char *section = malloc(section_len + 1); + if (!section) { + free(body); + free(vars_dup); + return NULL; + } + snprintf(section, section_len + 1, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + // Reallocate the body buffer to add this section + size_t new_body_size = body_size + section_len; + char *new_body = realloc(body, new_body_size + 1); // +1 for null terminator + if (!new_body) { + free(section); + free(body); + free(vars_dup); + return NULL; + } + body = new_body; + if (body_size == 0) + strcpy(body, section); + else + strcat(body, section); + body_size = new_body_size; + free(section); + + pair = strtok(NULL, "&"); + } + free(vars_dup); + + // Append the closing boundary: 
----\r\n + int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); + char *closing = malloc(closing_len + 1); + if (!closing) { + free(body); + return NULL; + } + snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary); + + size_t final_size = body_size + closing_len; + char *final_body = realloc(body, final_size + 1); + if (!final_body) { + free(closing); + free(body); + return NULL; + } + body = final_body; + strcat(body, closing); + free(closing); + + return body; +} + + char *prepare_http_request(char *type, char *path, char *params, char *headers) { uint32_t reqlen = 0; char *http_request = NULL; @@ -482,7 +642,7 @@ char *prepare_http_request(char *type, char *path, char *params, char *headers) if (params) reqlen += strlen(params); - http_request = (char *) malloc(reqlen); + http_request = (char *)malloc(reqlen); if (http_request) { memset(http_request, 0, reqlen); @@ -529,21 +689,22 @@ char *html_encode(char *string) { if (ret == NULL) return NULL; - if (index(ret, '%') != NULL) + if (strchr(ret, '%') != NULL) ret = hydra_strrep(ret, "%", "%25"); - if (index(ret, ' ') != NULL) + if (strchr(ret, ' ') != NULL) ret = hydra_strrep(ret, " ", "%20"); - if (index(ret, '&') != NULL) + if (strchr(ret, '&') != NULL) ret = hydra_strrep(ret, "&", "%26"); - if (index(ret, '#') != NULL) + if (strchr(ret, '#') != NULL) ret = hydra_strrep(ret, "#", "%23"); - if (index(ret, '=') != NULL) + if (strchr(ret, '=') != NULL) ret = hydra_strrep(ret, "=", "%3D"); + if (strchr(ret, '+') != NULL) + ret = hydra_strrep(ret, "+", "%2B"); return ret; } - /* int32_t analyze_server_response(int32_t socket) return 0 or 1 when the cond regex is matched 
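Review bot: In build_multipart_body the closing-boundary step calls `strcat(body, closing)` after `realloc(body, ...)`, but when `variables` yields no `key=value` pair `body` is still NULL there, so realloc returns uninitialized memory and strcat scans it for a terminator. Writing at the known offset fixes that and also stops re-scanning the growing buffer on every section: `memcpy(body + body_size, closing, closing_len + 1);` for the closing boundary and `memcpy(body + body_size, section, section_len + 1);` in place of the strcpy/strcat pair. `multipart_boundary` is handed to `%s` without a NULL check; `if (!variables || !multipart_boundary) return NULL;` covers it. strtok is not reentrant, which is presumably fine because each hydra task runs in its own child, but that assumption belongs in a comment.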
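Review bot: html_encode is now six identical `if (strchr(ret, c) != NULL) ret = hydra_strrep(ret, from, to);` steps; a table plus a loop states the list once and makes the ordering rule explicit (`%` must be encoded before any replacement introduces one, which the current order already respects). If hydra_strrep returns a freshly allocated string, each reassignment of `ret` drops the previous buffer; that predates this hunk and the function's contract is not visible here, so it is worth checking. The start of html_encode is outside the hunk.

```c
  // '%' must come first: later replacements introduce '%' that must not be re-encoded
  static char *const enc[][2] = {{"%", "%25"}, {" ", "%20"}, {"&", "%26"}, {"#", "%23"}, {"=", "%3D"}, {"+", "%2B"}};
  for (size_t i = 0; i < sizeof(enc) / sizeof(enc[0]); i++)
    if (strchr(ret, enc[i][0][0]) != NULL)
      ret = hydra_strrep(ret, enc[i][0], enc[i][1]);
  return ret;
```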
@@ -556,7 +717,7 @@ int32_t analyze_server_response(int32_t s) { auth_flag = 0; while ((buf = hydra_receive_line(s)) != NULL) { runs++; - //check for http redirection + // check for http redirection if (strstr(buf, "HTTP/1.1 3") != NULL || strstr(buf, "HTTP/1.0 3") != NULL || strstr(buf, "Status: 3") != NULL) { redirected_flag = 1; } else if (strstr(buf, "HTTP/1.1 401") != NULL || strstr(buf, "HTTP/1.0 401") != NULL) { @@ -580,7 +741,7 @@ int32_t analyze_server_response(int32_t s) { *endloc = 0; strcpy(redirected_url_buff, str); } - //there can be multiple cookies + // there can be multiple cookies if (hydra_strcasestr(buf, "Set-Cookie: ") != NULL) { char *cookiebuf = buf; @@ -594,7 +755,7 @@ int32_t analyze_server_response(int32_t s) { str[sizeof(str) - 1] = 0; endcookie1 = strchr(str, '\n'); endcookie2 = strchr(str, ';'); - //terminate string after cookie data + // terminate string after cookie data if (endcookie1 != NULL && ((endcookie1 < endcookie2) || (endcookie2 == NULL))) { if (*(endcookie1 - 1) == '\r') endcookie1--; 
@@ -602,32 +763,38 @@ int32_t analyze_server_response(int32_t s) { } else if (endcookie2 != NULL) *endcookie2 = 0; // is the cookie already there? if yes, remove it! - if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) { + if (strchr(startcookie, '=') != NULL && (ptr = strchr(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) { strncpy(tmpname, startcookie, sizeof(tmpname) - 2); tmpname[sizeof(tmpname) - 2] = 0; - ptr = index(tmpname, '='); + ptr = strchr(tmpname, '='); *(++ptr) = 0; - // is the cookie already in the cookiejar? (so, does it have to be replaced?) + // is the cookie already in the cookiejar? (so, does it have to be + // replaced?) if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) { // yes it is. - // if the cookie is not in the beginning of the cookiejar, copy the ones before + // if the cookie is not in the beginning of the cookiejar, copy the + // ones before if (ptr != cookie && *(ptr - 1) == ' ') { strncpy(tmpcookie, cookie, ptr - cookie - 2); tmpcookie[ptr - cookie - 2] = 0; } ptr += strlen(tmpname); - // if there are any cookies after this one in the cookiejar, copy them over + // if there are any cookies after this one in the cookiejar, copy + // them over if ((ptr2 = strstr(ptr, "; ")) != NULL) { ptr2 += 2; strncat(tmpcookie, ptr2, sizeof(tmpcookie) - strlen(tmpcookie) - 1); } if (debug) - printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: %s\n", tmpname, cookie, tmpcookie); + printf("[DEBUG] removing cookie %s in jar\n before: %s\n after: " + "%s\n", + tmpname, cookie, tmpcookie); strcpy(cookie, tmpcookie); } } - ptr = index(str, '='); - // only copy the cookie if it has a value (otherwise the server wants to delete the cookie) + ptr = strchr(str, '='); + // only copy the cookie if it has a value (otherwise the server wants to + // delete the cookie) if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') { if 
(strlen(cookie) > 0) strncat(cookie, "; ", sizeof(cookie) - strlen(cookie) - 1); @@ -642,10 +809,10 @@ int32_t analyze_server_response(int32_t s) { if (strstr(buf, cond) != NULL) { #endif free(buf); -// printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf); + // printf("DEBUG: STRING %s FOUND!!:\n%s\n", cond, buf); return 1; } -// else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf); + // else printf("DEBUG: STRING %s NOT FOUND:\n%s\n", cond, buf); free(buf); } if (runs == 0) { @@ -666,8 +833,7 @@ void hydra_reconnect(int32_t s, char *ip, int32_t port, unsigned char options, c } } -int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname, char *type, ptr_header_node ptr_head, - ptr_cookie_node ptr_cookie) { +int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char *type, ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) { char *empty = ""; char *login, *pass, clogin[256], cpass[256], b64login[345], b64pass[345]; char header[8096], *upd3variables; @@ -675,9 +841,9 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options char *http_request = NULL; int32_t found = !success_cond, i, j; char content_length[MAX_CONTENT_LENGTH], proxy_string[MAX_PROXY_LENGTH]; - + char content_type[256]; memset(header, 0, sizeof(header)); - cookie[0] = 0; // reset cookies from potential previous attempt + cookie[0] = 0; // reset cookies from potential previous attempt if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; 
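Review bot: The bound check on the new `if (strchr(startcookie, '=') != NULL && (ptr = strchr(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname))` line is off by two: it admits an `=` at offset sizeof(tmpname)-2 or sizeof(tmpname)-1, but the following `strncpy(tmpname, startcookie, sizeof(tmpname) - 2)` copies only sizeof(tmpname)-2 bytes, so `ptr = strchr(tmpname, '=')` then yields NULL and `*(++ptr) = 0` writes through it. Because the cookie name comes from the server's Set-Cookie header, an over-long name crashes the client. Tighten the guard to `(ptr = strchr(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname) - 2`, or test the result of `strchr(tmpname, '=')` before dereferencing. The enclosing function analyze_server_response starts and ends outside the hunk.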
@@ -688,17 +854,30 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; strcpy(b64login, login); - hydra_tobase64((unsigned char *) b64login, strlen(b64login), sizeof(b64login)); + hydra_tobase64((unsigned char *)b64login, strlen(b64login), sizeof(b64login)); strcpy(b64pass, pass); - hydra_tobase64((unsigned char *) b64pass, strlen(b64pass), sizeof(b64pass)); + hydra_tobase64((unsigned char *)b64pass, strlen(b64pass), sizeof(b64pass)); strncpy(clogin, html_encode(login), sizeof(clogin) - 1); clogin[sizeof(clogin) - 1] = 0; strncpy(cpass, html_encode(pass), sizeof(cpass) - 1); cpass[sizeof(cpass) - 1] = 0; - upd3variables = hydra_strrep(variables, "^USER^", clogin); - upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); - upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); - upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); + + if (multipart_mode) { + snprintf(content_type, sizeof(content_type), "multipart/form-data; boundary=----THC-HydraBoundaryz2Z2z"); + char *multipart_body = build_multipart_body("----THC-HydraBoundaryz2Z2z"); + upd3variables = multipart_body; + +}else{ + snprintf(content_type, sizeof(content_type), "application/x-www-form-urlencoded"); + upd3variables = variables; +} + + upd3variables = hydra_strrep(upd3variables, "^USER^", clogin); + upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); + upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); + upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); + + // Replace the user/pass placeholders in the user-supplied headers hdrrep(&ptr_head, "^USER^", clogin); 
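Review bot: `build_multipart_body()` can return NULL (its allocation-failure paths in the earlier hunk do), and the new multipart branch hands that result straight to `hydra_strrep(upd3variables, "^USER^", clogin)` without a check; add `if (multipart_body == NULL) return 1;` (or whatever the file uses for a retry) before the substitution. The substituted `clogin`/`cpass` are the html_encode()d, percent-encoded forms, which suit `application/x-www-form-urlencoded` but not a multipart/form-data part, where a credential containing `&`, `=` or `+` is now sent literally as `%26`, `%3D`, `%2B`; in multipart mode substitute the raw `login`/`pass` instead. The boundary literal `----THC-HydraBoundaryz2Z2z` is spelled twice three lines apart, so a single `#define` would keep them from drifting, and the `}else{` line does not follow the .clang-format this commit introduces. The enclosing function start_http_form starts and ends outside the hunk.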
@@ -710,13 +889,13 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { if (getcookie) { memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); if (hydra_send(s, http_request, strlen(http_request), 0) < 0) return 1; - i = analyze_server_response(s); // ignore result + i = analyze_server_response(s); // ignore result if (strlen(cookie) > 0) process_cookies(&ptr_cookie, cookie); hydra_reconnect(s, ip, port, options, hostname); @@ -724,14 +903,14 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options // now prepare for the "real" request if (strcmp(type, "POST") == 0) { memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url); - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t) strlen(upd3variables)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", content_length); else add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); if (cookie_header != NULL) free(cookie_header); cookie_header = stringify_cookies(ptr_cookie); 
@@ -745,8 +924,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } else { if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); @@ -763,16 +944,18 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } } else { if (use_proxy == 1) { // proxy without authentication if (getcookie) { - //doing a GET to get cookies + // doing a GET to get cookies memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); 
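Review bot: The new `free(cookie_header); return 1;` paths leave `cookie_header` dangling: its declaration is not in the hunk, but it is guarded with `if (cookie_header != NULL) free(cookie_header);` before every reassignment, which suggests it outlives this call (file scope). Returning 1 makes service_http_form reconnect and enter start_http_form again, where that guard frees the same pointer a second time. Null it on each such path, `free(cookie_header); cookie_header = NULL; return 1;`, and note that the local `http_request` is still leaked on the same paths. The same pattern appears in the hunks at -763, -801, -819, -870, -888 and -1044.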
@@ -786,14 +969,14 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options // now prepare for the "real" request if (strcmp(type, "POST") == 0) { memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url); - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t) strlen(upd3variables)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", content_length); else add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); if (cookie_header != NULL) free(cookie_header); cookie_header = stringify_cookies(ptr_cookie); @@ -801,14 +984,16 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); else hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); + if (normal_request != NULL) + free(normal_request); normal_request = stringify_headers(&ptr_head); if (http_request != NULL) free(http_request); http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } else { if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); 
@@ -819,20 +1004,22 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); else hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); + if (normal_request != NULL) + free(normal_request); normal_request = stringify_headers(&ptr_head); if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } } else { // direct web server, no proxy normal_request = NULL; if (getcookie) { - //doing a GET to save cookies + // doing a GET to save cookies if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", cookieurl, NULL, cookie_request); @@ -840,7 +1027,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options return 1; i = analyze_server_response(s); // ignore result if (strlen(cookie) > 0) { - //printf("[DEBUG] Got cookie: %s\n", cookie); + // printf("[DEBUG] Got cookie: %s\n", cookie); process_cookies(&ptr_cookie, cookie); if (normal_request != NULL) free(normal_request); 
@@ -850,13 +1037,13 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options } // now prepare for the "real" request if (strcmp(type, "POST") == 0) { - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t) strlen(upd3variables)); + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", content_length); else add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); if (cookie_header != NULL) free(cookie_header); cookie_header = stringify_cookies(ptr_cookie); @@ -870,8 +1057,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("POST", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } else { if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); @@ -888,8 +1077,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } } } 
@@ -899,30 +1090,39 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options found = analyze_server_response(s); - if (auth_flag) { // we received a 401 error - user is using wrong module - hydra_report(stderr, "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module \"http%s-get\" instead.\n", - (options & OPTION_SSL) > 0 ? "s" : ""); - return 4; + if (redirected_flag && code_302_is_success) { + found = success_cond; + } + + if (auth_flag) { // we received a 401 error - user may be using wrong module + if (code_401_is_failure) { // apparently they don't think so -- treat 401 as failure + hydra_completed_pair(); + return 1; + } else { + hydra_report(stderr, + "[ERROR] received HTTP error code 401. The target may be using HTTP auth, " + "not a web form. Use module \"http%s-get\" instead, or set \"1=\".\n", + (options & OPTION_SSL) > 0 ? "s" : ""); + return 2; + } } if (strlen(cookie) > 0) process_cookies(&ptr_cookie, cookie); - //if page was redirected, follow the location header + // if page was redirected, follow the location header redirected_cpt = MAX_REDIRECT; if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff); - while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { - //we have to split the location + while (found == 0 && redirected_flag && !code_302_is_success && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { + // we have to split the location char *startloc, *endloc; - char str[2048]; - char str2[2048]; - char str3[2048]; + char str[2048], str2[2048], str3[2048], str4[2048]; redirected_cpt--; redirected_flag = 0; - //check if the redirect page contains the fail/success condition + // check if the redirect page contains the fail/success condition #ifdef HAVE_PCRE if (hydra_string_match(redirected_url_buff, cond) == 1) { #else 
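Review bot: The 401 branch now does `return 2;` after reporting the "use module http-get instead" error, where the removed code returned 4; by the run-code comment in service_http_form (4 is "disconnect and end with error", case 2 re-runs start_http_form) the error is now printed and cracking simply continues with the next pair, which contradicts the message. If aborting is still intended, keep `return 4;` here; if continuing is intended, say so in the message and call `hydra_completed_pair()` as the `code_401_is_failure` branch does, so the pair bookkeeping stays in step. The enclosing function starts and ends outside the hunk.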
@@ -930,26 +1130,28 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options #endif found = success_cond; } else { - //location could be either absolute http(s):// or / something - //or relative + // location could be either absolute http(s):// or / something + // or relative startloc = strstr(redirected_url_buff, "://"); if (startloc != NULL) { startloc += strlen("://"); if ((endloc = strchr(startloc, '\r')) != NULL) { - startloc[endloc - startloc] = 0; + *endloc = 0; } if ((endloc = strchr(startloc, '\n')) != NULL) { - startloc[endloc - startloc] = 0; + *endloc = 0; } - strcpy(str, startloc); + strncpy(str, startloc, sizeof(str) - 1); + str[sizeof(str) - 1] = 0; endloc = strchr(str, '/'); if (endloc != NULL) { strncpy(str2, str, endloc - str); str2[endloc - str] = 0; - } else - strncpy(str2, str, sizeof(str)); + } else { + strcpy(str2, str); + } if (strlen(str) - strlen(str2) == 0) { strcpy(str3, "/"); @@ -958,10 +1160,11 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options str3[strlen(str) - strlen(str2)] = 0; } } else { - strncpy(str2, webtarget, sizeof(str2)); + strncpy(str2, webtarget, sizeof(str2) - 1); + str2[sizeof(str2) - 1] = 0; if (redirected_url_buff[0] != '/') { - //it's a relative path, so we have to concatenate it - //with the path from the first url given + // it's a relative path, so we have to concatenate it + // with the path from the first url given char *urlpath; char urlpath_extracted[2048]; @@ -974,8 +1177,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options } else { sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff); } - } else - strncpy(str3, redirected_url_buff, sizeof(str3)); + } else { + strncpy(str3, redirected_url_buff, sizeof(str3) - 1); + str3[sizeof(str3) - 1] = 0; + } if (debug) hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3, url); } 
@@ -987,12 +1192,13 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options str3[0] = '/'; } - if (strrchr(url, ':') == NULL && port != 80) { - sprintf(str2, "%s:%d", str2, port); + if (strrchr(str2, ':') == NULL && (port != 80 || port != 443)) { + sprintf(str4, "%.2000s:%d", str2, port); + strcpy(str2, str4); } if (verbose) - hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3); + hydra_report(stderr, "[VERBOSE] Page redirected to http[s]://%s%s\n", str2, str3); if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); @@ -1002,16 +1208,16 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options free(cookie_header); cookie_header = stringify_cookies(ptr_cookie); if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); else - hdrrepv(&ptr_head, "Cookie", cookie_header); + hdrrepv(&ptr_head, "Cookie", cookie_header); - //re-use the code above to check for proxy use + // re-use the code above to check for proxy use if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { // proxy with authentication hdrrepv(&ptr_head, "Host", str2); memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3); if (normal_request != NULL) free(normal_request); normal_request = stringify_headers(&ptr_head); 
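Review bot: `(port != 80 || port != 443)` on the new `if (strrchr(str2, ':') == NULL && ...)` line is always true, so the `:port` suffix is appended to every colon-free redirect host, including ports 80 and 443, which defeats the change. Tie the default port to the scheme the way initialize() does: `if (strrchr(str2, ':') == NULL && ((options & OPTION_SSL) ? port != PORT_HTTP_SSL : port != PORT_HTTP)) {`. A redirect host given as a bracketed IPv6 literal also contains colons and would never get a port here; that case is presumably rare but worth a comment. The enclosing function starts and ends outside the hunk.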
@@ -1023,15 +1229,15 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options // proxy without authentication hdrrepv(&ptr_head, "Host", str2); memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3); - if (normal_request != NULL) - free(normal_request); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3); + if (normal_request != NULL) + free(normal_request); normal_request = stringify_headers(&ptr_head); if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", proxy_string, NULL, normal_request); } else { - //direct web server, no proxy + // direct web server, no proxy hdrrepv(&ptr_head, "Host", str2); if (normal_request != NULL) free(normal_request); @@ -1044,8 +1250,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options hydra_reconnect(s, ip, port, options, hostname); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } found = analyze_server_response(s); if (strlen(cookie) > 0) @@ -1053,8 +1261,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options } } - //if the last status is still 3xx, set it as a false - if (found != -1 && found == success_cond && (redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) { + // if the last status is still 3xx, set it as a false + if (found != -1 && found == success_cond && ((redirected_flag && code_302_is_success) || redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) { hydra_report_found_host(port, ip, "www-form", fp); hydra_completed_pair_found(); } else { 
@@ -1064,8 +1272,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options return 1; } -void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char *type, ptr_header_node * ptr_head, - ptr_cookie_node * ptr_cookie) { +void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char *type, ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; 
@@ -1079,74 +1286,58 @@ void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscpt * - 3 -> Disconnect and end with success. * - 4 -> Disconnect and end with error. */ + while (1) { if (run == 2) { if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { - if (freemischttpform) - free(miscptr); - freemischttpform = 0; hydra_child_exit(1); } } switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, cannot connect\n", (int32_t) getpid()); - if (freemischttpform) - free(miscptr); - freemischttpform = 0; - hydra_child_exit(1); - } - next_run = 2; - break; + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, cannot connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_http_form(sock, ip, port, options, miscptr, fp, hostname, type, *ptr_head, *ptr_cookie); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); - if (freemischttpform) - free(miscptr); - freemischttpform = 0; hydra_child_exit(0); break; - case 4: /* silent error exit */ + case 4: /* silent error exit */ if (sock >= 0) 
sock = hydra_disconnect(sock); - if (freemischttpform) - free(miscptr); - freemischttpform = 0; hydra_child_exit(1); break; default: - if (freemischttpform) - free(miscptr); - freemischttpform = 0; hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } run = next_run; } - if (freemischttpform) - free(miscptr); } -void service_http_get_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_http_get_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { ptr_cookie_node ptr_cookie = NULL; ptr_header_node ptr_head = initialize(ip, options, miscptr); @@ -1154,11 +1345,11 @@ void service_http_get_form(char *ip, int32_t sp, unsigned char options, char *mi service_http_form(ip, sp, options, miscptr, fp, port, hostname, "GET", &ptr_head, &ptr_cookie); else { hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); - hydra_child_exit(1); + hydra_child_exit(2); } } -void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { ptr_cookie_node ptr_cookie = NULL; ptr_header_node ptr_head = initialize(ip, options, miscptr); 
@@ -1166,11 +1357,11 @@ void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *m service_http_form(ip, sp, options, miscptr, fp, port, hostname, "POST", &ptr_head, &ptr_cookie); else { hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); - hydra_child_exit(1); + hydra_child_exit(2); } } -int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. 
@@ -1181,40 +1372,30 @@ int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char // 0 all OK // -1 error, hydra will exit, so print a good error message here + if (initialize(ip, options, miscptr) == NULL) + return 1; + return 0; } ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { ptr_header_node ptr_head = NULL; char *ptr, *ptr2, *proxy_string; +#ifdef AF_INET6 + unsigned char addr6[sizeof(struct in6_addr)]; +#endif if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; - if (webtarget != NULL && (webtarget = strstr(miscptr, "://")) != NULL) { - webtarget += strlen("://"); - if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ - *ptr2 = 0; - ptr2++; - ptr = ptr2; - if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL) - miscptr = ptr; - else - miscptr = slash; /* to make things easier to user */ - } else if ((ptr2 = index(webtarget, '/')) != NULL) { - if (freemischttpform == 0) { - if ((miscptr = malloc(strlen(ptr2) + 1)) != NULL) { - freemischttpform = 1; - strcpy(miscptr, ptr2); - *ptr2 = 0; - } - } - } else - webtarget = NULL; + if (webtarget) { + free(webtarget); + webtarget = NULL; } - if (cmdlinetarget != NULL && webtarget == NULL) + + if (cmdlinetarget != NULL) webtarget = cmdlinetarget; - else if (webtarget == NULL && cmdlinetarget == NULL) + else webtarget = hydra_address2string(ip); if (port != 0) webport = port; 
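Review bot: service_http_form_init now does `return 1;` when initialize() fails, but the comment directly above it in the hunk context documents `-1 error, hydra will exit`; either `return -1;` or update the comment so callers are not reading a stale contract. The header list returned by a successful initialize() is discarded in this pre-fork probe, so it leaks once per run unless initialize retains it elsewhere (not visible here), and the same parsing is repeated later in service_http_get_form/service_http_post_form. The function starts outside the hunk.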
@@ -1223,43 +1404,79 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { else webport = PORT_HTTP_SSL; + /* normalise the webtarget for ipv6/port number */ + ptr = malloc(strlen(webtarget) + 1 /* null */ + 6 /* :65535 */ +#ifdef AF_INET6 + + 2 /* [] */ +#endif + ); +#ifdef AF_INET6 + /* let libc decide if target is an ipv6 address */ + if (inet_pton(AF_INET6, webtarget, addr6)) { + ptr2 = ptr + sprintf(ptr, "[%s]", webtarget); + } else { +#endif + ptr2 = ptr + sprintf(ptr, "%s", webtarget); +#ifdef AF_INET6 + } +#endif + if (options & OPTION_SSL && webport != PORT_HTTP_SSL || !(options & OPTION_SSL) && webport != PORT_HTTP) { + sprintf(ptr2, ":%d", webport); + } + webtarget = ptr; + ptr = ptr2 = NULL; + sprintf(bufferurl, "%.6096s", miscptr); - url = bufferurl; - ptr = url; + ptr = url = bufferurl; + while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; variables = ptr; + while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) ptr++; if (*ptr != 0) *ptr++ = 0; - cond = ptr; - while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) - ptr++; - if (*ptr != 0) - *ptr++ = 0; - optional1 = ptr; + + optional1 = cond = ptr; + + ptr2 = ptr + strlen(ptr); + + while (ptr2 > ptr && (*ptr2 != ':' || *(ptr2 - 1) == '\\')) + ptr2--; + + if (*ptr2 == ':') { + *ptr2++ = 0; + cond = ptr2; + } + + if (optional1 == cond) + optional1 = NULL; + if (strstr(url, "\\:") != NULL) { - if ((ptr = malloc(strlen(url))) != NULL) { + if ((ptr = malloc(strlen(url) + 1)) != NULL) { strcpy(ptr, hydra_strrep(url, "\\:", ":")); url = ptr; } } if (strstr(variables, "\\:") != NULL) { - if ((ptr = malloc(strlen(variables))) != NULL) { + if ((ptr = malloc(strlen(variables) + 1)) != NULL) { strcpy(ptr, hydra_strrep(variables, "\\:", ":")); variables = ptr; } } if (strstr(cond, "\\:") != NULL) { - if ((ptr = malloc(strlen(cond))) != NULL) { + if ((ptr = malloc(strlen(cond) + 1)) != NULL) { strcpy(ptr, hydra_strrep(cond, "\\:", ":")); cond = 
ptr; } } - if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */ ) + + // printf("ptr: %s ptr2: %s cond: %s url: %s variables: %s optional1: %s\n", ptr, ptr2, cond, url, variables, optional1 == NULL ? "null" : optional1); + + if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */) hydra_child_exit(2); if (*cond == 0) { @@ -1269,18 +1486,20 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { sprintf(cookieurl, "%.1000s", url); - //conditions now have to contain F or S to set the fail or success condition - if (*cond != 0 && (strpos(cond, "F=") == 0)) { + // conditions now have to contain F or S to set the fail or success condition + if (strpos(cond, "F=") == 0) { success_cond = 0; cond += 2; } else if (*cond != 0 && (strpos(cond, "S=") == 0)) { success_cond = 1; cond += 2; } else { - //by default condition is a fail + // by default condition is a fail success_cond = 0; } + // printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond); + /* * Parse the user-supplied options. * Beware of the backslashes (\)! 
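Review bot: The normalised-target buffer `ptr = malloc(strlen(webtarget) + 1 + 6 ...)` is written by `sprintf` without a NULL check, so an allocation failure dereferences NULL, while the same function already handles the Proxy-Authorization allocation by returning NULL; add `if (ptr == NULL) { hydra_report(stderr, "Out of memory for target name.\n"); return NULL; }` before the inet_pton test. The condition `options & OPTION_SSL && webport != PORT_HTTP_SSL || !(options & OPTION_SSL) && webport != PORT_HTTP` evaluates as intended under C precedence but draws -Wparentheses; parenthesise both `&&` terms. The forward colon scans `*(ptr - 1) == '\\'` still read one byte before `bufferurl` when the option string starts with `:` (pre-existing, but the hunk rewrites those lines). initialize() starts outside the hunk.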
@@ -1293,23 +1512,23 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { // proxy with authentication add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT); add_header(&ptr_head, "User-Agent", "Mozilla 5.0 (Hydra Proxy Auth)", HEADER_TYPE_DEFAULT); - proxy_string = (char *) malloc(strlen(proxy_authentication[selected_proxy]) + 6); + proxy_string = (char *)malloc(strlen(proxy_authentication[selected_proxy]) + 10); if (proxy_string) { strcpy(proxy_string, "Basic "); - strncat(proxy_string, proxy_authentication[selected_proxy], strlen(proxy_authentication[selected_proxy]) - 6); + strcat(proxy_string, proxy_authentication[selected_proxy]); add_header(&ptr_head, "Proxy-Authorization", proxy_string, HEADER_TYPE_DEFAULT); } else { - hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header."); + hydra_report(stderr, "Out of memory for \"Proxy-Authorization\" header.\n"); return NULL; } if (getcookie) { - //doing a GET to save cookies + // doing a GET to save cookies if (cookie_request != NULL) free(cookie_request); cookie_request = stringify_headers(&ptr_head); } if (normal_request != NULL) - free(normal_request); + free(normal_request); normal_request = stringify_headers(&ptr_head); } else { if (use_proxy == 1) { @@ -1317,7 +1536,7 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { add_header(&ptr_head, "Host", webtarget, HEADER_TYPE_DEFAULT); add_header(&ptr_head, "User-Agent", "Mozilla/5.0 (Hydra Proxy)", HEADER_TYPE_DEFAULT); if (getcookie) { - //doing a GET to get cookies + // doing a GET to get cookies if (cookie_request != NULL) free(cookie_request); cookie_request = stringify_headers(&ptr_head); 
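Review bot: `malloc(strlen(proxy_authentication[selected_proxy]) + 10)` replaces one magic number with another; `strlen("Basic ") + strlen(proxy_authentication[selected_proxy]) + 1` states why the size is sufficient for the `strcpy`/`strcat` pair below it. `proxy_string` is never freed after `add_header(...)` in this hunk; if add_header copies the value (its implementation is not visible), this leaks once per initialize() call. The enclosing function starts and ends outside the hunk.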
@@ -1331,7 +1550,7 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { add_header(&ptr_head, "User-Agent", "Mozilla/5.0 (Hydra)", HEADER_TYPE_DEFAULT); if (getcookie) { - //doing a GET to save cookies + // doing a GET to save cookies if (cookie_request != NULL) free(cookie_request); cookie_request = stringify_headers(&ptr_head); @@ -1342,42 +1561,75 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) { normal_request = stringify_headers(&ptr_head); } } + return ptr_head; } void usage_http_form(const char *service) { printf("Module %s requires the page and the parameters for the web form.\n\n" - "By default this module is configured to follow a maximum of 5 redirections in\n" - "a row. It always gathers a new cookie from the same URL without variables\n" - "The parameters take three \":\" separated values, plus optional values.\n" - "(Note: if you need a colon in the option string as value, escape it with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" - "\nSyntax: :
:[:[:]\n" - "First is the page on the server to GET or POST to (URL).\n" - "Second is the POST/GET variables (taken from either the browser, proxy, etc.\n" - " with url-encoded (resp. base64-encoded) usernames and passwords being replaced in the\n" - " \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") placeholders (FORM PARAMETERS)\n" - "Third is the string that it checks for an *invalid* login (by default)\n" + "By default this module is configured to follow a maximum of 5 " + "redirections in\n" + "a row. It always gathers a new cookie from the same URL without " + "variables\n" + "The parameters requires at a minimum three \":\" separated values,\n" + "plus optional values.\n" + "(Note: if you need a colon in the option string as value, escape it " + "with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" + "\nSyntax: :[:[:]:\n" + "\nFirst is the page on the server to GET or POST to (URL), e.g. \"/login\".\n" + "Second is the POST/GET variables (taken from either the browser, proxy, etc.)\n" + " without the initial '?' character and the usernames and passwords being\n" + " replaced with \"^USER^\" (\"^USER64^\" for base64 encodings) and \"^PASS^\"\n" + " (\"^PASS64^\" for base64 encodings).\n" + "Third are optional parameters (see below)\n" + "Last is the string that it checks for an *invalid* login (by default).\n" " Invalid condition login check can be preceded by \"F=\", successful condition\n" " login check must be preceded by \"S=\".\n" - " This is where most people get it wrong. You have to check the webapp what a\n" - " failed string looks like and put it in this parameter!\n" - "The following parameters are optional:\n" - " C=/page/uri to define a different page to gather initial cookies from\n" - " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" - " ^USER[64]^ and ^PASS[64]^ can also be put into these headers!\n" + " This is where most people get it wrong! 
You have to check the webapp what a\n" + " failed string looks like and put it in this parameter! Add the -d switch to see\n" + " the sent/received data!\n" + " Note that using invalid login condition checks can result in false positives!\n" + "\nThe following parameters are optional and are put between the form parameters\n" + "and the condition string; seperate them too with colons:\n" + " 1= 401 error response is interpreted as user/pass wrong\n" + " 2= 302 page forward return codes identify a successful attempt\n" + " M= attack forms that use multipart format\n" + " (c|C)=/page/uri to define a different page to gather initial " + "cookies from\n" + " (g|G)= skip pre-requests - only use this when no pre-cookies are required\n" + " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each " + "request\n" + " ^USER[64]^ and ^PASS[64]^ can also be put into these " + "headers!\n" " Note: 'h' will add the user-defined header at the end\n" " regardless it's already being sent by Hydra or not.\n" - " 'H' will replace the value of that header if it exists, by the\n" - " one supplied by the user, or add the header at the end\n" - "Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n" - " All colons that are not option separators should be escaped (see the examples above and below).\n" - " You can specify a header without escaping the colons, but that way you will not be able to put colons\n" - " in the header value itself, as they will be interpreted by hydra as option separators.\n" + " 'H' will replace the value of that header if it " + "exists, by the\n" + " one supplied by the user, or add the header at the " + "end\n" + "\nNote that if you are going to put colons (:) in your headers you should escape\n" + "them with a backslash (\\). 
All colons that are not option separators should be\n" + "escaped (see the examples above and below).\n" + "You can specify a header without escaping the colons, but that way you will not\n" + "be able to put colons in the header value itself, as they will be interpreted by\n" + "hydra as option separators.\n" "\nExamples:\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" - " \"/login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*success\"\n" + " \"/" + "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result=" + "success\"\n" " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" - " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n" - " \"/exchweb/bin/auth/owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb\"\n", + " \"/:user=^USER&pass=^PASS^:H=Authorization\\: Basic " + "dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n" + " \"/exchweb/bin/auth/:F=failed" + "owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&" + "username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:" + "C=/exchweb\":reason=\n" + "To attack multiple targets, you can use the -M option with a file " + "containing the targets and their parameters.\n" + "Example file content:\n" + " localhost:8443/login:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=401\n" + " localhost:9443/login2:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=302\n" + " ...\n\n", service); } diff --git a/hydra-http-proxy-urlenum.c b/hydra-http-proxy-urlenum.c index 0ca7b47..306d755 100644 --- a/hydra-http-proxy-urlenum.c +++ b/hydra-http-proxy-urlenum.c 
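Review bot: The rewritten Exchange example in usage_http_form looks mangled: `:F=failed` is spliced between `/exchweb/bin/auth/` and `owaauth.dll`, and `:reason=` follows the closing quote, so the printed line is not a valid option string for the syntax the text above describes (optional parameters between the form variables and the condition, condition last). It should read as one path followed by the variables, then `:C=/exchweb:F=reason=` or similar, inside the quotes. Also `seperate` should be `separate` and `The parameters requires` should be `The parameters require`. The `Syntax:` line prints `:[:[:]:` with no placeholder names, which may be an artifact of how this page was rendered; worth checking against the actual source.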
@@ -5,11 +5,11 @@ extern char *HYDRA_EXIT; char *buf; static int32_t http_proxy_auth_mechanism = AUTH_ERROR; -int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { +int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname) { char *empty = ""; char *login, *pass, buffer[500], buffer2[500], mlogin[260], mpass[260], mhost[260]; char url[260], host[30]; - char *header = ""; /* XXX TODO */ + char *header = ""; /* XXX TODO */ char *ptr; int32_t auth = 0; @@ -19,7 +19,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha return 1; } pass = hydra_get_next_password(); - pass = empty; // ignored + pass = empty; // ignored strncpy(url, login, sizeof(url) - 1); url[sizeof(url) - 1] = 0; @@ -28,17 +28,17 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha ptr++; strncpy(mhost, ptr, sizeof(mhost) - 1); mhost[sizeof(mhost) - 1] = 0; - if ((ptr = index(mhost, '/')) != NULL) + if ((ptr = strchr(mhost, '/')) != NULL) *ptr = 0; - if ((ptr = index(mhost, ']')) != NULL) + if ((ptr = strchr(mhost, ']')) != NULL) *ptr = 0; - else if ((ptr = index(mhost, ':')) != NULL) + else if ((ptr = strchr(mhost, ':')) != NULL) *ptr = 0; - if (miscptr != NULL && index(miscptr, ':') != NULL) { + if (miscptr != NULL && strchr(miscptr, ':') != NULL) { strncpy(mlogin, miscptr, sizeof(mlogin) - 1); mlogin[sizeof(mlogin) - 1] = 0; - ptr = index(mlogin, ':'); + ptr = strchr(mlogin, ':'); *ptr++ = 0; strncpy(mpass, ptr, sizeof(mpass) - 1); mpass[sizeof(mpass) - 1] = 0; 
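Review bot: `ptr = strchr(mlogin, ':'); *ptr++ = 0;` can dereference NULL: the colon was located in `miscptr`, but `mlogin` is a copy truncated to `sizeof(mlogin) - 1` bytes, so a colon past that limit is not present in the copy. Guard the result before writing through it, e.g. `if ((ptr = strchr(mlogin, ':')) == NULL) return 3;` (or report and fall back to no credentials, whichever fits the module's return codes). The `index()` to `strchr()` replacement itself is fine. start_http_proxy_urlenum continues outside this hunk.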
@@ -46,12 +46,12 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha } if (http_proxy_auth_mechanism == AUTH_ERROR) { - //send dummy request + // send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, mhost, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; - //receive first 40x + // receive first 40x buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/") == NULL) { free(buf); @@ -61,7 +61,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha if (debug) hydra_report(stderr, "S:%s\n", buf); - //after the first query we should have been disconnected from web server + // after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); @@ -74,8 +74,11 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, + "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", + url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) 
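Review bot: `sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: ...", url, mhost, header)` writes into `buffer[500]` while `url` and `mhost` are each up to 259 bytes, so one long entry in the URL list overflows the stack buffer in sprintf itself; the same bound problem affects the Basic request at `@@ -74` and the two NTLM requests at `@@ -104` and `@@ -134`, where the base64 blob in `buf1` is added on top and the retained comment `buffer is big enough so it can't overflow` no longer holds. This commit enlarges the corresponding buffers in hydra-http-proxy.c to 5000 bytes but leaves these at 500; either apply the same sizes here or switch to `snprintf(buffer, sizeof(buffer), ...)` and treat a return value `>= sizeof(buffer)` as an error. Clamping on `strlen(buffer)` in `hydra_send` does not help, because the write has already happened.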
@@ -87,8 +90,8 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha buf = hydra_receive_line(s); } - //if server cut the connection, just exit cleanly or - //this will be an infinite loop + // if server cut the connection, just exit cleanly or + // this will be an infinite loop if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); @@ -104,19 +107,23 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; - //send auth and receive challenge - //send auth request: let the server send it's own hostname and domainname - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); + // send auth and receive challenge + // send auth request: let the server send it's own hostname and + // domainname + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); - /* to be portable, no snprintf, buffer is big enough so it can't overflow */ - //send the first.. - sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, - header); + /* to be portable, no snprintf, buffer is big enough so it can't + * overflow */ + // send the first.. + sprintf(buffer, + "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: " + "Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", + url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; - //receive challenge + // receive challenge free(buf); buf = hydra_receive_line(s); while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) { 
@@ -134,17 +141,19 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha pos[str - pos] = 0; } } - //recover challenge + // recover challenge if (buf != NULL) { if (strlen(buf) >= 4) - from64tobits((char *) buf1, pos); + from64tobits((char *)buf1, pos); free(buf); } - //Send response - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, - header); + // Send response + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + sprintf(buffer, + "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: " + "Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", + url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) @@ -161,7 +170,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha } else { #ifdef LIBOPENSSL if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) { - char *pbuffer; + char *pbuffer, *result; http_proxy_auth_mechanism = AUTH_DIGESTMD5; pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest "); @@ -169,8 +178,8 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha buffer[sizeof(buffer) - 1] = '\0'; pbuffer = buffer2; - sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header); - if (pbuffer == NULL) + result = sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header); + if (result == NULL) return 3; if (debug) 
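Review bot: If the challenge loop above exits with `buf == NULL` (no `Proxy-Authenticate: NTLM` header seen), control falls through `if (buf != NULL) { ... }` to `buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, ...)` with `buf1` never filled by `from64tobits`, so an uninitialized stack buffer is parsed as the challenge; the same happens when the line is shorter than 4 bytes. The Basic path handles the missing-reply case with a report and `return 3`; the same guard belongs here, e.g. `if (buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; }`. `from64tobits` into `buf1[4096]` takes no length from the caller, so whether an oversized challenge is bounded depends on that helper, which is not visible here.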
@@ -206,7 +215,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha } } // result analysis - ptr = ((char *) index(buf, ' ')) + 1; + ptr = ((char *)strchr(buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) { hydra_report_found_host(port, ip, "http-proxy", fp); if (fp != stdout) @@ -214,7 +223,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha printf("[%d][http-proxy-urlenum] host: %s url: %s\n", port, hydra_address2string_beautiful(ip), url); hydra_completed_pair_found(); } else { - if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */ ) { + if (strncmp(ptr, "407", 3) == 0 /*|| strncmp(ptr, "401", 3) == 0 */) { hydra_report(stderr, "[ERROR] Proxy reports bad credentials!\n"); return 3; } @@ -228,7 +237,7 @@ int32_t start_http_proxy_urlenum(int32_t s, char *ip, int32_t port, unsigned cha return 1; } -void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_HTTP_PROXY, mysslport = PORT_HTTP_PROXY_SSL; 
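Review bot: `ptr = ((char *)strchr(buf, ' ')) + 1;` turns a status line without a space into `(char *)1`, and the next line dereferences it, so a proxy that returns a malformed first line crashes the child. Check before using it: `ptr = strchr(buf, ' '); if (ptr == NULL) return 1; ptr++;` (or whatever retry code fits here); the same pattern appears in hydra-http-proxy.c at `@@ -218`. Also `strncmp(ptr, "404", 4)` and `strncmp(ptr, "403", 4)` compare the terminating NUL as well, so they only match when the line ends right after the code and would not match `404 Not Found`; if that strictness is intended, a comment would help, otherwise the length should be 3.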
@@ -239,33 +248,34 @@ void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, cha while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + if (sock < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_http_proxy_urlenum(sock, ip, port, options, miscptr, fp, hostname); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -278,13 +288,13 @@ void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, cha } } -int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -292,9 +302,13 @@ int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char opti return 0; } -void usage_http_proxy_urlenum(const char* service) { - printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option.\n" +void usage_http_proxy_urlenum(const char *service) { + printf("Module http-proxy-urlenum only uses the -L option, not -x or -p/-P " + "option.\n" "The -L loginfile must contain the URL list to try through the proxy.\n" "The proxy credentials cann be put as the optional parameter, e.g.\n" - " hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum user:pass\n" " hydra -L urllist.txt http-proxy-urlenum://target.com:3128/user:pass\n\n"); + " hydra -L urllist.txt -s 3128 target.com http-proxy-urlenum " + "user:pass\n" + " hydra -L urllist.txt " + "http-proxy-urlenum://target.com:3128/user:pass\n\n"); } diff --git a/hydra-http-proxy.c b/hydra-http-proxy.c index cc9ad6b..3aeeb41 100644 --- a/hydra-http-proxy.c +++ b/hydra-http-proxy.c 
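Review bot: The user-facing text in usage_http_proxy_urlenum still says `The proxy credentials cann be put as the optional parameter`; since this printf is being rewritten anyway, fix the typo to `can` in the same change. The rest of the string split is purely cosmetic.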
@@ -5,12 +5,12 @@ extern char *HYDRA_EXIT; static int32_t http_proxy_auth_mechanism = AUTH_ERROR; char *http_proxy_buf = NULL; -int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { +int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname) { char *empty = ""; - char *login, *pass, buffer[500], buffer2[500]; - char url[210], host[30]; - char *header = ""; /* XXX TODO */ - char *ptr, *fooptr; + char *login, *pass, buffer[5000], buffer2[4500]; + char url[510], host[60]; + char *header = ""; /* XXX TODO */ + char *ptr, *fooptr, *auth_hdr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -21,23 +21,23 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option strcpy(url, "http://www.microsoft.com/"); strcpy(host, "Host: www.microsoft.com\r\n"); } else { - sprintf(url, "%.200s", miscptr); - ptr = strstr(miscptr, "://"); // :// check is in hydra.c - sprintf(host, "Host: %.200s", ptr + 3); - if ((ptr = index(host, '/')) != NULL) + sprintf(url, "%.500s", miscptr); + ptr = strstr(miscptr, "://"); // :// check is in hydra.c + sprintf(host, "Host: %.50s", ptr + 3); + if ((ptr = strchr(host, '/')) != NULL) *ptr = 0; - if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[') + if ((ptr = strchr(host + 6, ':')) != NULL && host[0] != '[') *ptr = 0; strcat(host, "\r\n"); } if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) { - //send dummy request + // send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; - //receive first 40x + // receive first 40x http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) { free(http_proxy_buf); 
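Review bot: `auth_hdr` is declared uninitialized in `char *ptr, *fooptr, *auth_hdr;` but is only assigned inside the `if (http_proxy_auth_mechanism != AUTH_BASIC && (... == AUTH_ERROR || http_proxy_buf == NULL))` block; on a later call where that block is skipped (for example once the mechanism is AUTH_DIGESTMD5 and `http_proxy_buf` is still set, if that state occurs), the later `hydra_strcasestr(auth_hdr, ...)` calls and the `if (auth_hdr != NULL)` fallback read an indeterminate pointer. Initialize it at the declaration, `char *ptr, *fooptr, *auth_hdr = NULL;`, and either make sure `hydra_strcasestr` tolerates a NULL haystack (not visible here) or guard those calls with `auth_hdr != NULL &&`. The enlarged `buffer[5000]`, `buffer2[4500]` and `url[510]` match the `%.500s` and `%.50s` limits used in the hunk below.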
@@ -50,26 +50,26 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option return 3; } - if (debug) - hydra_report(stderr, "S:%s\n", http_proxy_buf); + if (debug) { + hydra_report(stderr, "S:%-.*s\n", (int)(strchr(http_proxy_buf, '\r') - http_proxy_buf), http_proxy_buf); + } - free(http_proxy_buf); - http_proxy_buf = hydra_receive_line(s); - while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { + while (http_proxy_buf != NULL && (auth_hdr = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:")) == NULL) { free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); } - if (http_proxy_buf == NULL) { + if (auth_hdr == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n"); return 3; } - if (debug) - hydra_report(stderr, "S:%s\n", http_proxy_buf); + if (debug) { + hydra_report(stderr, "S:%-.*s\n", (int)(strchr(auth_hdr, '\r') - auth_hdr), auth_hdr); + } - //after the first query we should have been disconnected from web server + // after the first query we should have been disconnected from web server s = hydra_disconnect(s); if ((options & OPTION_SSL) == 0) { s = hydra_connect_tcp(ip, port); 
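Review bot: The new debug line `hydra_report(stderr, "S:%-.*s\n", (int)(strchr(http_proxy_buf, '\r') - http_proxy_buf), http_proxy_buf);` subtracts a pointer from NULL when the line carries no `\r` (a proxy using bare `\n` line endings), which is undefined behaviour before the resulting precision even reaches printf. Compute the length once with a fallback, e.g. `char *cr = strchr(http_proxy_buf, '\r'); int len = cr ? (int)(cr - http_proxy_buf) : (int)strlen(http_proxy_buf);`, ideally in a small static helper, because the same expression is repeated later in this hunk on `auth_hdr` and again at `@@ -94`, `@@ -196` and `@@ -205`. One consequence of switching the post-loop check to `if (auth_hdr == NULL)` is that the `[ERROR] Proxy seems not to require authentication` message is now also printed when the connection dropped before any header arrived; a separate message for `http_proxy_buf == NULL` would keep the two cases distinguishable.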
@@ -78,11 +78,15 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option } } - if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) { + if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(auth_hdr, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; + auth_hdr = NULL; sprintf(buffer2, "%.50s:%.50s", login, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, buffer2, header); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, + "GET %s HTTP/1.0\r\n%sProxy-Authorization: Basic %s\r\nUser-Agent: " + "Mozilla/4.0 (Hydra)\r\n%s\r\n", + url, host, buffer2, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) 
@@ -94,36 +98,41 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option http_proxy_buf = hydra_receive_line(s); } - //if server cut the connection, just exit cleanly or - //this will be an infinite loop + // if server cut the connection, just exit cleanly or + // this will be an infinite loop if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } - if (debug) - hydra_report(stderr, "S:%s\n", http_proxy_buf); + if (debug) { + hydra_report(stderr, "S:%-.*s\n", (int)(strchr(http_proxy_buf, '\r') - http_proxy_buf), http_proxy_buf); + } } else { - if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) { - + if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(auth_hdr, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; char *pos = NULL; http_proxy_auth_mechanism = AUTH_NTLM; - //send auth and receive challenge - //send auth request: let the server send it's own hostname and domainname - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); + auth_hdr = NULL; + // send auth and receive challenge + // send auth request: let the server send it's own hostname and domainname + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); - /* to be portable, no snprintf, buffer is big enough so it can't overflow */ - //send the first.. - sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); + /* to be portable, no snprintf, buffer is big enough so it can't overflow + */ + // send the first.. 
+ sprintf(buffer, + "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: " + "Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", + url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; - //receive challenge + // receive challenge free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) { @@ -141,24 +150,27 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option pos[str - pos] = 0; } } - //recover challenge + // recover challenge if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) { - from64tobits((char *) buf1, pos); + from64tobits((char *)buf1, pos); free(http_proxy_buf); http_proxy_buf = NULL; return 3; } - //Send response - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); + // Send response + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + sprintf(buffer, + "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: " + "Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", + url, host, buf1, header); if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 3; if (http_proxy_buf != NULL) - free(http_proxy_buf); + free(http_proxy_buf); http_proxy_buf = hydra_receive_line(s); while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { free(http_proxy_buf); 
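Review bot: The `return 3` inside `if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) { from64tobits(...); free(...); http_proxy_buf = NULL; return 3; }` exits right after the challenge has been decoded, so `buildAuthResponse` and the second NTLM request below are only reached when no challenge was received, and then `buf1` holds no decoded challenge and `pos` may be NULL. Compared with hydra-http-proxy-urlenum.c, which decodes and continues and only bails out on a missing reply, this reads like an inverted condition; if NTLM is meant to work here the decode branch should fall through and the `return 3` belongs in an `else`. These are context lines the commit only re-indents, so a follow-up is fine, but a comment on the intended flow would help either way.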
@@ -169,19 +181,19 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option return 3; } else { #ifdef LIBOPENSSL - if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) { - - char *pbuffer; + if (hydra_strcasestr(auth_hdr, "Proxy-Authenticate: Digest") != NULL) { + char *pbuffer, *result; http_proxy_auth_mechanism = AUTH_DIGESTMD5; + auth_hdr = NULL; pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = NULL; fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header); - if (fooptr == NULL) + result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header); + if (result == NULL) return 3; if (debug) @@ -196,8 +208,9 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option http_proxy_buf = hydra_receive_line(s); } - if (debug && http_proxy_buf != NULL) - hydra_report(stderr, "S:%s\n", http_proxy_buf); + if (debug && http_proxy_buf != NULL) { + hydra_report(stderr, "S:%-.*s\n", (int)(strchr(http_proxy_buf, '\r') - http_proxy_buf), http_proxy_buf); + } if (http_proxy_buf == NULL) return 3; @@ -205,9 +218,10 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option } else #endif { - if (http_proxy_buf != NULL) { -// buf[strlen(http_proxy_buf) - 1] = '\0'; - hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf); + if (auth_hdr != NULL) { + // buf[strlen(http_proxy_buf) - 1] = '\0'; + hydra_report(stderr, "Unsupported Auth type:\n%-.*s\n", (int)(strchr(http_proxy_buf, '\r') - auth_hdr), auth_hdr); + auth_hdr = NULL; free(http_proxy_buf); http_proxy_buf = NULL; } else { 
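Review bot: `pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest ");` searches with a trailing space although the branch was entered on a match of `"Proxy-Authenticate: Digest"` without it; a header written as `Proxy-Authenticate: Digest\r\n` or with a tab after `Digest` leaves `pbuffer` NULL and the following `strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer))` reads from a NULL-based pointer. Either search for the same token in both places or add `if (pbuffer == NULL) return 3;` before the strncpy. start_http_proxy continues outside this hunk.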
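Review bot: The length passed for the `Unsupported Auth type` report, `(int)(strchr(http_proxy_buf, '\r') - auth_hdr)`, mixes bases: the `\r` is searched from the start of `http_proxy_buf` but the difference is taken from `auth_hdr`, which points somewhere inside it, so a `\r` before the header gives a negative precision and no `\r` at all gives a difference computed from NULL. The other debug lines in this file use `strchr(auth_hdr, '\r') - auth_hdr`; use the same base here, `(int)(strchr(auth_hdr, '\r') - auth_hdr)`, together with a `strlen` fallback when strchr returns NULL. Setting `auth_hdr = NULL` before `free(http_proxy_buf)` is the right order since `auth_hdr` aliases into that buffer.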
@@ -218,15 +232,15 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option } } - ptr = ((char *) index(http_proxy_buf, ' ')) + 1; - if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) { + ptr = ((char *)strchr(http_proxy_buf, ' ')) + 1; + if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2') || (*ptr == '4' && *(ptr + 2) == '4')) { hydra_report_found_host(port, ip, "http-proxy", fp); hydra_completed_pair_found(); free(http_proxy_buf); http_proxy_buf = NULL; } else { if (*ptr != '4') - hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass); + hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char)*(strchr(http_proxy_buf, ' ') + 1), login, pass); else if (verbose && *(ptr + 2) == '3') hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass); hydra_completed_pair(); @@ -246,7 +260,7 @@ int32_t start_http_proxy(int32_t s, char *ip, int32_t port, unsigned char option return 1; } -void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_HTTP_PROXY, mysslport = PORT_HTTP_PROXY_SSL; 
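Review bot: The added `|| (*ptr == '4' && *(ptr + 2) == '4')` accepts every status whose first and third digits are 4 (404, 414, 424, 444) as a successful proxy login, not only 404; if the intent is "the proxy forwarded the request and the origin answered 404", compare all three digits, `strncmp(ptr, "404", 3) == 0`, and record the reasoning in a comment, since the `[INFO] Potential success, could be false positive` line a few lines down shows this classification is already fuzzy. `ptr = ((char *)strchr(http_proxy_buf, ' ')) + 1;` becomes `(char *)1` when the status line has no space, so `strchr` should be checked for NULL before `*ptr` is read. start_http_proxy continues outside this hunk.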
@@ -257,36 +271,37 @@ void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscp while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - if (http_proxy_buf != NULL) - free(http_proxy_buf); - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - - if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; + case 1: /* connect and service init function */ + { + if (http_proxy_buf != NULL) + free(http_proxy_buf); + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + + if (sock < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_http_proxy(sock, ip, port, options, miscptr, fp, hostname); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -299,13 +314,13 @@ void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscp } } -int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -313,7 +328,9 @@ int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, cha return 0; } -void usage_http_proxy(const char* service) { +void usage_http_proxy(const char *service) { printf("Module http-proxy is optionally taking the page to authenticate at.\n" - "Default is http://www.microsoft.com/)\n" "Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.\n\n"); + "Default is http://www.microsoft.com/)\n" + "Basic, DIGEST-MD5 and NTLM are supported and negotiated " + "automatically.\n\n"); } diff --git a/hydra-http.c b/hydra-http.c old mode 100644 new mode 100755 index db9b500..e78f865 --- a/hydra-http.c +++ b/hydra-http.c 
@@ -5,15 +5,20 @@ extern char *HYDRA_EXIT; char *webtarget = NULL; char *slash = "/"; char *http_buf = NULL; -int32_t webport, freemischttp = 0; -int32_t http_auth_mechanism = AUTH_BASIC; -int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *type, ptr_header_node ptr_head) { +#define END_CONDITION_MAX_LEN 100 +static char end_condition[END_CONDITION_MAX_LEN]; +int end_condition_type = -1; + +int32_t webport; +int32_t http_auth_mechanism = AUTH_UNASSIGNED; + +int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *type, ptr_header_node ptr_head) { char *empty = ""; char *login, *pass, *buffer, buffer2[500]; char *header; char *ptr, *fooptr; - int32_t complete_line = 0; + int32_t complete_line = 0, buffer_size; char tmpreplybuf[1024] = "", *tmpreplybufptr; if (strlen(login = hydra_get_next_login()) == 0) @@ -26,7 +31,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha header = stringify_headers(&ptr_head); - if(!(buffer = malloc(strlen(header) + 500))) { + buffer_size = strlen(header) + 500; + if (!(buffer = malloc(buffer_size))) { free(header); return 3; } 
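Review bot: `end_condition_type` is added with external linkage (`int end_condition_type = -1;`) while its companion buffer `end_condition` is `static`; hydra links every module into one binary, so a same-named global in another module would clash at link time or silently share state. As far as this diff shows nothing outside hydra-http.c reads it, so `static int32_t end_condition_type = -1;` is enough and also matches the `int32_t` convention of the surrounding declarations. These declarations are at file scope, not inside a function.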
@@ -41,130 +47,153 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha switch (http_auth_mechanism) { case AUTH_BASIC: sprintf(buffer2, "%.50s:%.50s", login, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); /* again: no snprintf to be portable. don't worry, buffer can't overflow */ if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) - sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", - type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header); + sprintf(buffer, + "%s http://%s%.250s HTTP/1.1\r\nHost: %s\r\nConnection: " + "close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", + type, webtarget, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) - sprintf(buffer, "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", - type, webtarget, webport, miscptr, webtarget, buffer2, header); + sprintf(buffer, + "%s http://%s%.250s HTTP/1.1\r\nHost: %s\r\nConnection: " + "close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " + "(Hydra)\r\n%s\r\n", + type, webtarget, miscptr, webtarget, buffer2, header); else - sprintf(buffer, "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", type, miscptr, webtarget, buffer2, header); + sprintf(buffer, + "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: " + "close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " + "(Hydra)\r\n%s\r\n", + type, miscptr, webtarget, buffer2, header); } if (debug) hydra_report(stderr, "C:%s\n", 
buffer); break; #ifdef LIBOPENSSL - case AUTH_DIGESTMD5:{ - char *pbuffer; + case AUTH_DIGESTMD5: { + char *pbuffer, *result; - pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest "); - strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); - buffer[sizeof(buffer) - 1] = '\0'; + pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest "); + strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), buffer_size - 1); + buffer[buffer_size - 1] = '\0'; - fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header); - if (fooptr == NULL) { - free(buffer); - free(header); - return 3; - } - - if (debug) - hydra_report(stderr, "C:%s\n", buffer2); - strcpy(buffer, buffer2); + fooptr = buffer2; + result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header); + if (result == NULL) { + free(buffer); + free(header); + return 3; } - break; + + if (debug) + hydra_report(stderr, "C:%s\n", buffer2); + strcpy(buffer, buffer2); + } break; #endif - case AUTH_NTLM:{ - unsigned char buf1[4096]; - unsigned char buf2[4096]; - char *pos = NULL; + case AUTH_NTLM: { + unsigned char buf1[4096]; + unsigned char buf2[4096]; + char *pos = NULL; - //send auth and receive challenge - //send auth request: let the server send it's own hostname and domainname - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); + // send auth and receive challenge + // send auth request: let the server send it's own hostname and domainname + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); - /* to be portable, no snprintf, buffer is big enough so it can't overflow */ - //send the first.. 
- if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) + /* to be portable, no snprintf, buffer is big enough so it can't overflow */ + // send the first.. + if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) + sprintf(buffer, + "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " + "%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " + "(Hydra)\r\n%s\r\n", + type, webtarget, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); + else { + if (use_proxy == 1) sprintf(buffer, - "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", - type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); - else { - if (use_proxy == 1) - sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", - type, webtarget, webport, miscptr, webtarget, buf1, header); - else - sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, - buf1, header); - } - - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - free(buffer); - free(header); - return 1; - } - - //receive challenge - if (http_buf != NULL) - free(http_buf); - http_buf = hydra_receive_line(s); - while (http_buf != NULL && (pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ")) == NULL) { - free(http_buf); - http_buf = hydra_receive_line(s); - } - - if (http_buf == NULL) { - free(buffer); - free(header); - return 1; - } - - if (pos != NULL) { - char *str; - - pos += 23; - if ((str = strchr(pos, '\r')) != NULL) { - pos[str - pos] = 0; - } - if ((str = strchr(pos, '\n')) != NULL) { - pos[str - pos] = 0; - } - } - //recover challenge - 
from64tobits((char *) buf1, pos); - free(http_buf); - http_buf = NULL; - - //Send response - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - - //create the auth response - if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) + "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", + type, webtarget, miscptr, webtarget, buf1, header); + else sprintf(buffer, - "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", - type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); - else { - if (use_proxy == 1) - sprintf(buffer, "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", - type, webtarget, webport, miscptr, webtarget, buf1, header); - else - sprintf(buffer, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nAuthorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, - buf1, header); - } - - if (debug) - hydra_report(stderr, "C:%s\n", buffer); + "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", + type, miscptr, webtarget, buf1, header); } - break; + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + free(buffer); + free(header); + return 1; + } + + // receive challenge + if (http_buf != NULL) + free(http_buf); + + http_buf = hydra_receive_line(s); + if (http_buf == NULL) { + if (verbose) + hydra_report(stderr, "[ERROR] Server did not answer\n"); + free(buffer); + free(header); + return 3; + } + + pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM "); + 
if (pos != NULL) { + char *str; + + pos += 23; + if ((str = strchr(pos, '\r')) != NULL) { + pos[str - pos] = 0; + } + if ((str = strchr(pos, '\n')) != NULL) { + pos[str - pos] = 0; + } + } else { + hydra_report(stderr, "[ERROR] It is not NTLM authentication type\n"); + return 3; + } + + // recover challenge + from64tobits((char *)buf1, pos); + free(http_buf); + http_buf = NULL; + + // Send response + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + + // create the auth response + if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) + sprintf(buffer, + "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " + "%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " + "(Hydra)\r\n%s\r\n", + type, webtarget, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); + else { + if (use_proxy == 1) + sprintf(buffer, + "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", + type, webtarget, miscptr, webtarget, buf1, header); + else + sprintf(buffer, + "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", + type, miscptr, webtarget, buf1, header); + } + + if (debug) + hydra_report(stderr, "C:%s\n", buffer); + } break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { 
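Review bot: In the `AUTH_DIGESTMD5` branch `pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ")` is still used without a NULL check, and this commit makes that reachable before any reply exists: `http_auth_mechanism` now starts as `AUTH_UNASSIGNED`, and if the new `A=MD5` option lets `parse_options()` select Digest up front, the first `start_http()` call enters this branch with `http_buf` still NULL, so the `strncpy` from `pbuffer + 25` works from an invalid pointer. A guard shaped like the NTLM branch, `if (http_buf == NULL || (pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ")) == NULL) { free(buffer); free(header); return 3; }`, prevents that. The NTLM `else` arm that reports "It is not NTLM authentication type" returns 3 without `free(buffer); free(header);`, unlike the other early returns visible in this hunk. Now that `buffer_size` exists, the `sprintf(buffer, ...)` calls should become `snprintf(buffer, buffer_size, ...)`: the NTLM requests format `webtarget`, `miscptr` and the base64 `buf1` with unbounded `%s` into `strlen(header) + 500` bytes, so a long path or hostname overruns the heap allocation, and the "no snprintf to be portable" comment no longer holds for C99 targets. `start_http()` begins and ends outside this hunk.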
@@ -179,8 +208,9 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha complete_line = 0; tmpreplybuf[0] = 0; - while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) { - if (debug) printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf); + while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (strchr(http_buf, '\n') == NULL && complete_line == 0))) { + if (debug) + printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf); if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) { strncpy(tmpreplybuf, http_buf, sizeof(tmpreplybuf) - 1); tmpreplybuf[sizeof(tmpreplybuf) - 1] = 0; @@ -193,7 +223,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha strcat(tmpreplybufptr, http_buf); free(http_buf); http_buf = tmpreplybufptr; - if (debug) printf("http_buf now: %s\n", http_buf); + if (debug) + printf("http_buf now: %s\n", http_buf); } } else { free(http_buf); @@ -201,8 +232,8 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha } } - //if server cut the connection, just exit cleanly or - //this will be an infinite loop + // if server cut the connection, just exit cleanly or + // this will be an infinite loop if (http_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); 
@@ -214,23 +245,35 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha if (debug) hydra_report(stderr, "S:%s\n", http_buf); - ptr = ((char *) index(http_buf, ' ')); + ptr = ((char *)strchr(http_buf, ' ')); if (ptr != NULL) ptr++; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { - hydra_report_found_host(port, ip, "www", fp); - hydra_completed_pair_found(); +#ifdef HAVE_PCRE + if (end_condition_type >= 0 && hydra_string_match(http_buf, end_condition) != end_condition_type) { +#else + if (end_condition_type >= 0 && (strstr(http_buf, end_condition) == NULL ? 0 : 1) != end_condition_type) { +#endif + if (debug) + hydra_report(stderr, "End condition not match continue.\n"); + hydra_completed_pair(); + } else { + if (debug) + hydra_report(stderr, "END condition %s match.\n", end_condition); + hydra_report_found_host(port, ip, "www", fp); + hydra_completed_pair_found(); + } if (http_buf != NULL) { free(http_buf); http_buf = NULL; } } else { if (ptr != NULL && *ptr != '4') - fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *) ptr, login, pass); + fprintf(stderr, "[WARNING] Unusual return code: %.3s for %s:%s\n", (char *)ptr, login, pass); - //the first authentication type failed, check the type from server header + // the first authentication type failed, check the type from server header if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { - //seems the auth supported is not Basic shceme so testing further + // seems the auth supported is not Basic scheme so testing further int32_t find_auth = 0; if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) { 
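Review bot: The F=/S= test runs against `http_buf`, but the read loop above only waits for a complete `HTTP/1.` status line, so if `hydra_receive_line()` can return before the body has arrived an `S=` string that lives in the body is judged on a partial reply and the verdict becomes timing-dependent. Either drain the rest of the response before the test (e.g. keep appending `hydra_receive_line()` output while `hydra_data_ready(s)`), or state in `usage_http()` that F=/S= are only reliable for the status line and headers. On the non-PCRE path an empty condition (`S=` with nothing after it) makes `strstr()` succeed on every reply, so `service_http_init()` should reject a zero-length condition. The debug string `"End condition not match continue.\n"` reads better as `"End condition did not match, continuing.\n"`; the function continues outside this hunk.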
@@ -245,56 +288,41 @@ int32_t start_http(int32_t s, char *ip, int32_t port, unsigned char options, cha #endif if (find_auth) { -// free(http_buf); -// http_buf = NULL; - free(buffer); - free(header); + // free(http_buf); + // http_buf = NULL; + free(buffer); + free(header); return 1; } } hydra_completed_pair(); } -// free(http_buf); -// http_buf = NULL; + // free(http_buf); + // http_buf = NULL; + free(buffer); free(header); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; + return 1; } -void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char *type) { +void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char *type) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; char *ptr, *ptr2; ptr_header_node ptr_head = NULL; +#ifdef AF_INET6 + unsigned char addr6[sizeof(struct in6_addr)]; +#endif hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; - if ((webtarget = strstr(miscptr, "://")) != NULL) { - webtarget += strlen("://"); - if ((ptr2 = index(webtarget, ':')) != NULL) { /* step over port if present */ - *ptr2 = 0; - ptr2++; - ptr = ptr2; - if (*ptr == '/' || (ptr = index(ptr2, '/')) != NULL) - miscptr = ptr; - else - miscptr = slash; /* to make things easier to user */ - } else if ((ptr2 = index(webtarget, '/')) != NULL) { - miscptr = malloc(strlen(ptr2) + 1); - freemischttp = 1; - strcpy(miscptr, ptr2); - *ptr2 = 0; - } else - webtarget = hostname; - } else - if (strlen(miscptr) == 0) - miscptr = strdup("/"); - if (webtarget == NULL) - webtarget = hostname; + if (strlen(miscptr) == 0) + miscptr = strdup("/"); if (port != 0) webport = port; else if ((options & OPTION_SSL) == 0) 
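Review bot: The code that parsed a full `scheme://host[:port]/path` out of `miscptr` is removed here, yet the usage text this same commit adds still shows `"http://bla.com/foo/bar:H=..."` and `"https://test.com:8080/members:A=NTLM"`; unless that parsing moved into the core target parser (not in this diff), such a value is now sent verbatim as the request target with `Host:` taken from `hostname`, and the `:` after the scheme is also where the option scanner below splits. Either keep a minimal `://` strip here or drop the URL examples from `usage_http()`. Separately, `miscptr = strdup("/")` is neither checked nor freed; `miscptr = slash;` using the file-level `char *slash = "/"` avoids both. `service_http()` continues past this hunk.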
@@ -302,6 +330,27 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI else webport = mysslport; + /* normalise the webtarget for ipv6/port number */ + webtarget = malloc(strlen(hostname) + 1 /* null */ + 6 /* :65535 */ +#ifdef AF_INET6 + + 2 /* [] */ +#endif + ); +#ifdef AF_INET6 + /* let libc decide if target is an ipv6 address */ + if (inet_pton(AF_INET6, hostname, addr6)) { + ptr = webtarget + sprintf(webtarget, "[%s]", hostname); + } else { +#endif + ptr = webtarget + sprintf(webtarget, "%s", hostname); +#ifdef AF_INET6 + } +#endif + if (options & OPTION_SSL && webport != PORT_HTTP_SSL || !(options & OPTION_SSL) && webport != PORT_HTTP) { + sprintf(ptr, ":%d", webport); + } + ptr = NULL; + /* Advance to options string */ ptr = miscptr; while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\')) 
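Review bot: The `malloc()` for `webtarget` is unchecked and the 6 spare bytes assume `webport` prints as at most `:65535`; `webport` is an `int32_t` copied from `port`, so unless the caller already rejects values outside 1–65535 the `sprintf(ptr, ":%d", webport)` can run past the allocation, and a NULL `webtarget` crashes on the first `sprintf`. Insert before the `inet_pton` branch: `if (webtarget == NULL || webport < 1 || webport > 65535) { fprintf(stderr, "[ERROR] invalid port %d or out of memory\n", webport); hydra_child_exit(1); }`. The condition `options & OPTION_SSL && webport != PORT_HTTP_SSL || !(options & OPTION_SSL) && webport != PORT_HTTP` relies on `&&` binding tighter than `||` and trips `-Wparentheses`; parenthesise each half. `ptr = NULL;` immediately before `ptr = miscptr;` is dead.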
@@ -310,49 +359,48 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI *ptr++ = 0; optional1 = ptr; - if (!parse_options(optional1, &ptr_head)) + if (!parse_options(optional1, + &ptr_head)) // this function is in hydra-http-form.c !! run = 4; + if (http_auth_mechanism == AUTH_UNASSIGNED) + http_auth_mechanism = AUTH_BASIC; + while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - if (freemischttp) - free(miscptr); - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; - } - case 2: /* run the cracking function */ - next_run = start_http(sock, ip, port, options, miscptr, fp, type, ptr_head); - break; - case 3: /* clean exit */ + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; + } + if (sock < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ + next_run = start_http(sock, ip, port, options, miscptr, fp, type, ptr_head); + break; + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); - if (freemischttp) - free(miscptr); hydra_child_exit(0); return; default: - if (freemischttp) - 
free(miscptr); fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); } 
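Review bot: A rejected option string (`parse_options()` returning 0 sets `run = 4`) lands in the `default:` arm on the first iteration, which prints "Caught unknown return code, exiting!" and calls `hydra_child_exit(0)` — the user gets a generic message and a success exit for a malformed `-m` string, unless `parse_options()` (in hydra-http-form.c, outside this diff) already reports the problem itself. A dedicated `case 4:` naming the bad option and exiting with `hydra_child_exit(1)` would make the failure visible, and the `default:` arm should likewise not exit 0 for an internal error. `service_http()` starts before and ends after this hunk.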
@@ -360,35 +408,78 @@ void service_http(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } -void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_http(ip, sp, options, miscptr, fp, port, hostname, "GET"); -} +void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "GET"); } -void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_http(ip, sp, options, miscptr, fp, port, hostname, "POST"); -} +void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "POST"); } -void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_http(ip, sp, options, miscptr, fp, port, hostname, "HEAD"); -} +void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_http(ip, sp, options, miscptr, fp, port, hostname, "HEAD"); } -int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. 
- // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here + /*POU CODE */ + char *start = strstr(miscptr, "F="); + if (start == NULL) + start = strstr(miscptr, "S="); + + if (start != NULL) { + if (start[0] == 'F') + end_condition_type = 0; + else + end_condition_type = 1; + + int condition_len = strlen(start); + memset(end_condition, 0, END_CONDITION_MAX_LEN); + if (condition_len >= END_CONDITION_MAX_LEN) { + hydra_report(stderr, "Condition string cannot be bigger than %u.", END_CONDITION_MAX_LEN); + return -1; + } + // copy condition witout starting string (F= or S= 2char) + strncpy(end_condition, start + 2, condition_len - 2); + if (debug) + hydra_report(stderr, "End condition is %s, mod is %d\n", end_condition, end_condition_type); + + if (*(start - 1) == ' ') + start--; + memset(start, '\0', condition_len); + if (debug) + hydra_report(stderr, "Modified options:%s\n", miscptr); + } else { + if (debug) + hydra_report(stderr, "Condition not found\n"); + } + return 0; } -void usage_http(const char* service) { +void usage_http(const char *service) { printf("Module %s requires the page to authenticate.\n" "The following parameters are optional:\n" - " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each request\n" - "For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: sessid=aaaa\" or \"https://test.com:8080/members\"\n\n", service); + " (a|A)=auth-type specify authentication mechanism to use: BASIC, " + "NTLM or MD5\n" + " (h|H)=My-Hdr\\: foo to send a user defined HTTP header with each " + "request\n" + " (F|S)=check for text in the HTTP reply. S= means if this text is " + "found, a\n" + " valid account has been found, F= means if this string is " + "present the\n" + " combination is invalid. 
Note: this must be the last option " + "supplied.\n" + "For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: " + "sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n" + "To attack multiple targets, you can use the -M option with a file " + "containing the targets and their parameters.\n" + "Example file content:\n" + " localhost:5000/protected:A=BASIC\n" + " localhost:5002/protected_path:A=NTLM\n" + " ...\n\n", + service); } diff --git a/hydra-http.h b/hydra-http.h index b6b4c2b..18a12f0 100644 --- a/hydra-http.h +++ b/hydra-http.h @@ -4,10 +4,10 @@ #include "hydra-mod.h" /* HTTP Header Types */ -#define HEADER_TYPE_USERHEADER 'h' -#define HEADER_TYPE_USERHEADER_REPL 'H' -#define HEADER_TYPE_DEFAULT 'D' -#define HEADER_TYPE_DEFAULT_REPL 'd' +#define HEADER_TYPE_USERHEADER 'h' +#define HEADER_TYPE_USERHEADER_REPL 'H' +#define HEADER_TYPE_DEFAULT 'D' +#define HEADER_TYPE_DEFAULT_REPL 'd' typedef struct header_node t_header_node, *ptr_header_node; @@ -15,7 +15,7 @@ extern char *webtarget; extern char *slash; extern char *optional1; -extern int32_t parse_options(char *miscptr, ptr_header_node * ptr_head); -extern int32_t add_header(ptr_header_node * ptr_head, char *header, char *value, char type); +extern int32_t parse_options(char *miscptr, ptr_header_node *ptr_head); +extern int32_t add_header(ptr_header_node *ptr_head, char *header, char *value, char type); extern char *stringify_headers(ptr_header_node *ptr_head); #endif diff --git a/hydra-icq.c b/hydra-icq.c index 68fd667..c59e38a 100644 --- a/hydra-icq.c +++ b/hydra-icq.c 
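Review bot: In `service_http_init()` the `strstr(miscptr, "F=")` / `strstr(miscptr, "S=")` lookups match anywhere in the option string, so a header value such as `H=Cookie\: PHPSESSID=abc` (which contains `S=`) or a path containing `F=` is silently truncated by `memset(start, '\0', condition_len)` and its tail becomes the success/failure condition. Anchor the search on the option separator, `start = strstr(miscptr, ":F="); if (start == NULL) start = strstr(miscptr, ":S=");`, read the type from `start[1]`, copy from `start + 3`, and let the `memset` begin at the `:` so the separator is removed too. `*(start - 1)` is read without checking `start > miscptr`, an out-of-bounds read when `miscptr` begins with `F=`; the anchored search also removes that case. The message `"Condition string cannot be bigger than %u."` has no trailing newline and prints an `int` constant with `%u`; `"... than %d.\n"` fixes both.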
@@ -4,32 +4,10 @@ extern char *HYDRA_EXIT; extern int32_t child_head_no; int32_t seq = 1; -const unsigned char icq5_table[] = { - 0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C, - 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F, - 0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50, - 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64, - 0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C, - 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48, 0x33, 0x31, - 0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48, - 0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A, - 0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, - 0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, - 0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50, - 0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35, 0x5A, 0x4A, 0x62, 0x66, - 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58, - 0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C, - 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44, - 0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C, - 0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59, - 0x60, 0x57, 0x5B, 0x3D, 0x3E, 0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A, - 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B, - 0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67, - 0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D, - 0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, - 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35, - 0x5A, 0x00, 0x00 -}; +const unsigned char icq5_table[] = {0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F, 0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 
0x33, 0x31, 0x64, 0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48, + 0x33, 0x31, 0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A, 0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35, + 0x5A, 0x4A, 0x62, 0x66, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44, 0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x3E, + 0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A, 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67, 0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D, 0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35, 0x5A, 0x00, 0x00}; void fix_packet(char *buf, int32_t len) { unsigned long c1, c2; @@ -141,7 +119,7 @@ int32_t icq_ack(int32_t s, char *login) { return (hydra_send(s, buf, 10, 0)); } -int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *miscptr, FILE * fp) { +int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE *output, char *miscptr, FILE *fp) { unsigned char buf[1024]; char *login, *pass; char *empty = ""; 
@@ -153,7 +131,7 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis pass = empty; for (i = 0; login[i]; i++) - if (!isdigit((int32_t) login[i])) { + if (!isdigit((int32_t)login[i])) { fprintf(stderr, "[ERROR] Invalid UIN %s\n, ignoring.", login); hydra_completed_pair(); return 2; @@ -162,13 +140,13 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis icq_login(sock, login, pass); while (1) { - if ((r = hydra_recv(sock, (char *) buf, sizeof(buf))) == 0) { + if ((r = hydra_recv(sock, (char *)buf, sizeof(buf))) == 0) { return 1; } if (r < 0) { if (verbose) - fprintf(stderr, "[ERROR] Process %d: Can not connect [unreachable]\n", (int32_t) getpid()); + fprintf(stderr, "[ERROR] Process %d: Can not connect [unreachable]\n", (int32_t)getpid()); return 3; } @@ -177,9 +155,9 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis hydra_completed_pair_found(); icq_ack(sock, login); icq_login_1(sock, login); - hydra_recv(sock, (char *) buf, sizeof(buf)); + hydra_recv(sock, (char *)buf, sizeof(buf)); icq_ack(sock, login); - hydra_recv(sock, (char *) buf, sizeof(buf)); + hydra_recv(sock, (char *)buf, sizeof(buf)); icq_ack(sock, login); icq_disconnect(sock, login); break; @@ -188,7 +166,8 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis break; } -/* if((buf[2] != 10 || buf[3] != 0) && (buf[2] != 250 || buf[3] != 0)) */ + /* if((buf[2] != 10 || buf[3] != 0) && (buf[2] != 250 || buf[3] != 0)) + */ } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) 
@@ -196,7 +175,7 @@ int32_t start_icq(int32_t sock, char *ip, int32_t port, FILE * output, char *mis return 1; } -void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_ICQ; @@ -221,7 +200,8 @@ void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL sock = hydra_disconnect(sock); sock = hydra_connect_udp(ip, myport); if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; @@ -233,21 +213,23 @@ void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); + break; default: fprintf(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); + break; } run = next_run; } } -int32_t service_icq_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_icq_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-imap.c b/hydra-imap.c index f9a3822..f84e9fb 100644 --- a/hydra-imap.c +++ b/hydra-imap.c 
@@ -20,7 +20,8 @@ char *imap_read_server_capacity(int32_t sock) { if (strstr(buf, "CAPABILITY") != NULL && buf[0] == '*') { resp = 1; usleepn(300); - /* we got the capability info then get the completed warning info from server */ + /* we got the capability info then get the completed warning info from + * server */ while (hydra_data_ready(sock)) { free(buf); buf = hydra_receive_line(sock); @@ -30,7 +31,7 @@ char *imap_read_server_capacity(int32_t sock) { buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; - if (isdigit((int32_t) *ptr) && *(ptr + 1) == ' ') { + if (isdigit((int32_t)*ptr) && *(ptr + 1) == ' ') { resp = 1; } } @@ -39,8 +40,8 @@ char *imap_read_server_capacity(int32_t sock) { return buf; } -int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - char *empty = ""; +int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = "", *result = NULL; char *login, *pass, buffer[500], buffer2[500], *fooptr; if (strlen(login = hydra_get_next_login()) == 0) @@ -69,7 +70,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha } free(buf); strcpy(buffer2, login); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { @@ -84,7 +85,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha } free(buf); strcpy(buffer2, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; 
@@ -103,227 +104,227 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha free(buf); memset(buffer2, 0, sizeof(buffer2)); - sasl_plain(buffer2, login, pass); + result = sasl_plain(buffer2, login, pass); + if (result == NULL) + return 3; sprintf(buffer, "%.250s\r\n", buffer2); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: case AUTH_CRAMSHA1: - case AUTH_CRAMSHA256:{ - int32_t rc = 0; - char *preplogin; + case AUTH_CRAMSHA256: { + int32_t rc = 0; + char *preplogin; - rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - if (rc) { - return 3; - } + rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + if (rc) { + return 3; + } + switch (imap_auth_mechanism) { + case AUTH_CRAMMD5: + sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter); + break; + case AUTH_CRAMSHA1: + sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter); + break; + case AUTH_CRAMSHA256: + sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter); + break; + } + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + // get the one-time BASE64 encoded challenge + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { switch (imap_auth_mechanism) { - case AUTH_CRAMMD5: - sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter); + hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: - sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter); + hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: - sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter); + hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf); break; } - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - //get the one-time BASE64 encoded challenge - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, " 
NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { - switch (imap_auth_mechanism) { - case AUTH_CRAMMD5: - hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf); - break; - case AUTH_CRAMSHA1: - hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf); - break; - case AUTH_CRAMSHA256: - hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf); - break; - } - free(buf); - return 3; - } - - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf + 2); free(buf); + return 3; + } + + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf + 2); + free(buf); + + memset(buffer2, 0, sizeof(buffer2)); + + switch (imap_auth_mechanism) { + case AUTH_CRAMMD5: { + result = sasl_cram_md5(buffer2, pass, buffer); + if (result == NULL) + return 3; + sprintf(buffer, "%s %.250s", preplogin, buffer2); + } break; + case AUTH_CRAMSHA1: { + result = sasl_cram_sha1(buffer2, pass, buffer); + if (result == NULL) + return 3; + sprintf(buffer, "%s %.250s", preplogin, buffer2); + } break; + case AUTH_CRAMSHA256: { + result = sasl_cram_sha256(buffer2, pass, buffer); + if (result == NULL) + return 3; + sprintf(buffer, "%s %.250s", preplogin, buffer2); + } break; + } + hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer)); + + char tmp_buffer[sizeof(buffer)]; + sprintf(tmp_buffer, "%.250s\r\n", buffer); + strcpy(buffer, tmp_buffer); + + free(preplogin); + } break; + case AUTH_DIGESTMD5: { + sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter); + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + // receive + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { + hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf); + free(buf); + return 3; + } + memset(buffer, 0, sizeof(buffer)); + from64tobits((char 
*)buffer, buf); + free(buf); + + if (debug) + hydra_report(stderr, "DEBUG S: %s\n", buffer); + + fooptr = buffer2; + result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); + if (result == NULL) + return 3; + if (debug) + hydra_report(stderr, "DEBUG C: %s\n", buffer2); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%s\r\n", buffer2); + + } break; + case AUTH_SCRAMSHA1: { + char clientfirstmessagebare[200]; + char serverfirstmessage[200]; + char *preplogin; + int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + + if (rc) { + return 3; + } + sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { + hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf); + free(buf); + return 3; + } + free(buf); + + snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); + free(preplogin); + memset(buffer2, 0, sizeof(buffer2)); + sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2); + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + buf = hydra_receive_line(s); + if (buf == NULL) + return 1; + if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); + free(buf); + return 1; + } else { + /* recover server challenge */ + memset(buffer, 0, sizeof(buffer)); + //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2 + from64tobits((char *)buffer, buf + 2); 
+ free(buf); + strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); + serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); - - switch (imap_auth_mechanism) { - case AUTH_CRAMMD5:{ - sasl_cram_md5(buffer2, pass, buffer); - sprintf(buffer, "%s %.250s", preplogin, buffer2); - } - break; - case AUTH_CRAMSHA1:{ - sasl_cram_sha1(buffer2, pass, buffer); - sprintf(buffer, "%s %.250s", preplogin, buffer2); - } - break; - case AUTH_CRAMSHA256:{ - sasl_cram_sha256(buffer2, pass, buffer); - sprintf(buffer, "%s %.250s", preplogin, buffer2); - } - break; - } - hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); - - char tmp_buffer[sizeof(buffer)]; - sprintf(tmp_buffer, "%.250s\r\n", buffer); - strcpy(buffer, tmp_buffer); - - free(preplogin); - } - break; - case AUTH_DIGESTMD5:{ - sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter); - - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - //receive - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { - hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf); - free(buf); - return 3; - } - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf); - free(buf); - - if (debug) - hydra_report(stderr, "DEBUG S: %s\n", buffer); - fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); - if (fooptr == NULL) - return 3; - if (debug) - hydra_report(stderr, "DEBUG C: %s\n", buffer2); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); + if (result == NULL) { + hydra_report(stderr, "[ERROR] Can't compute client response\n"); + return 1; + } + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, 
"%s\r\n", buffer2); - } - break; - case AUTH_SCRAMSHA1:{ - char clientfirstmessagebare[200]; - char serverfirstmessage[200]; - char *preplogin; - int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - - if (rc) { - return 3; - } - sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { - hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf); - free(buf); - return 3; - } - free(buf); - - snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); - free(preplogin); - memset(buffer2, 0, sizeof(buffer2)); - sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2); - - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - buf = hydra_receive_line(s); - if (buf == NULL) - return 1; - if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { - if (verbose || debug) - hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); - free(buf); - return 1; - } else { - /* recover server challenge */ - memset(buffer, 0, sizeof(buffer)); - //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2 - from64tobits((char *) buffer, buf + 2); - free(buf); - strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); - serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; - - memset(buffer2, 0, sizeof(buffer2)); - fooptr = buffer2; - sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); - if (fooptr == NULL) { - hydra_report(stderr, "[ERROR] Can't compute client response\n"); - return 1; - } - 
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%s\r\n", buffer2); - } - } - break; + } break; #endif - case AUTH_NTLM:{ - unsigned char buf1[4096]; - unsigned char buf2[4096]; + case AUTH_NTLM: { + unsigned char buf1[4096]; + unsigned char buf2[4096]; - //Send auth request - sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter); + // Send auth request + sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - //receive - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { - hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf); - free(buf); - return 3; - } + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + // receive + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { + hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf); free(buf); - //send auth and receive challenge - //send auth request: lst the server send it's own hostname and domainname - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); - - sprintf(buffer, "%s\r\n", buf1); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strlen(buf) < 6) { - free(buf); - return 1; - } - - //recover challenge - from64tobits((char *) buf1, buf + 2); - free(buf); - - //Send response - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - - sprintf(buffer, "%s\r\n", buf1); + return 3; } - break; + free(buf); + // send auth and receive challenge 
+ // send auth request: lst the server send it's own hostname and domainname + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); + + sprintf(buffer, "%s\r\n", buf1); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strlen(buf) < 6) { + free(buf); + return 1; + } + + // recover challenge + from64tobits((char *)buf1, buf + 2); + free(buf); + + // Send response + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + + sprintf(buffer, "%s\r\n", buf1); + } break; default: - //clear authentication + // clear authentication sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass); } @@ -353,7 +354,7 @@ int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, cha return 1; } -void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_IMAP, mysslport = PORT_IMAP_SSL, disable_tls = 1; char *buffer1 = "1 CAPABILITY\r\n"; @@ -363,10 +364,10 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(275); + // usleepn(275); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
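Review bot: The new `if (result == NULL) return 3;` after each `sasl_cram_md5`/`sasl_cram_sha1`/`sasl_cram_sha256` call leaves the CRAM-* block without releasing `preplogin`, which `sasl_saslprep` allocated at the top of the block and which is only freed at its end; the pre-existing `return 1`/`return 3` exits between the `hydra_send` and the challenge check leak it the same way, and the SCRAM-SHA-1 case has the same gap on its exits before `free(preplogin)`. Each early exit in those blocks should be `free(preplogin); return 3;` (or `return 1;`). Separately, the CRAM and SCRAM paths hand `buf + 2` to `from64tobits` without the `strlen(buf) < 6` guard the NTLM case applies, so a reply shorter than two bytes is indexed past its terminator; a `if (strlen(buf) < 3) { free(buf); return 1; }` before the decode would match the NTLM check. The decode itself writes server-controlled data into a fixed 500-byte `buffer` with no output bound, unless `from64tobits` limits it internally. start_imap begins before and ends after this hunk.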
@@ -380,12 +381,12 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); - if ((buf == NULL) || (strstr(buf, "OK") == NULL && buf[0] != '*')) { /* check the first line */ + if ((buf == NULL) || (strstr(buf, "OK") == NULL && buf[0] != '*')) { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an IMAP protocol or service shutdown:\n"); if (buf != NULL) @@ -407,7 +408,7 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI int32_t i; for (i = 0; i < strlen(miscptr); i++) - miscptr[i] = (char) toupper((int32_t) miscptr[i]); + miscptr[i] = (char)toupper((int32_t)miscptr[i]); if (strstr(miscptr, "TLS") || strstr(miscptr, "SSL") || strstr(miscptr, "STARTTLS")) { disable_tls = 0; @@ -415,14 +416,16 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } #ifdef LIBOPENSSL if (!disable_tls) { - /* check for STARTTLS, if available we may have access to more basic auth methods */ + /* check for STARTTLS, if available we may have access to more basic + * auth methods */ if (strstr(buf, "STARTTLS") != NULL) { hydra_send(sock, "2 STARTTLS\r\n", strlen("2 STARTTLS\r\n"), 0); counter++; free(buf); buf = hydra_receive_line(sock); if (buf == NULL || (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL)) { - hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n"); + hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer " + "received from STARTTLS request\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1)) { 
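Review bot: In the STARTTLS failure branch of the `@@ -415,14 +416,16 @@` hunk, `buf` can be NULL (the condition tests `buf == NULL` explicitly) yet only an error is reported and the function carries on; the `hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf)` and `strstr(buf, "=LOGIN")` in the next hunk then dereference it. When `buf` is non-NULL it now holds the rejected-STARTTLS reply rather than the capability list, so the AUTH= detection runs on the wrong line, and that `buf` is never freed. Since the user explicitly asked for TLS, the branch should be terminal: `if (buf != NULL) free(buf); hydra_child_exit(2);` after the report. The return value of `hydra_send(sock, "2 STARTTLS\r\n", ...)` is also ignored, unlike every other send in the module. service_imap begins before and ends after this hunk.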
@@ -444,15 +447,16 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI hydra_child_exit(2); } } else - hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n"); + hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is " + "not supported by the server\n"); } #endif if (verbose) hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf); - //authentication should be listed AUTH= like in the extract below - //STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 + // authentication should be listed AUTH= like in the extract below + // STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=NTLM") != NULL)) { imap_auth_mechanism = AUTH_NTLM; } @@ -487,7 +491,6 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI free(buf); if ((miscptr != NULL) && (strlen(miscptr) > 0)) { - if (strstr(miscptr, "CLEAR")) imap_auth_mechanism = AUTH_CLEAR; @@ -554,11 +557,11 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_imap(sock, ip, port, options, miscptr, fp); counter++; break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
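Review bot: When the server does not advertise STARTTLS, the `else hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n");` only logs, and the function continues to the AUTH= detection and then to login attempts on the plaintext socket, so credentials the user asked to protect with the TLS option are sent in the clear; the usage text in this same commit describes the option as one that is "enforced". Either exit here with `hydra_child_exit(2);` after the report, matching the `hydra_child_exit(2)` used for the other failure cases in this block, or document the plaintext fallback in usage_imap so the behaviour is at least explicit. service_imap begins before and ends after this hunk.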
@@ -571,13 +574,13 @@ void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } -int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -585,8 +588,11 @@ int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *mis return 0; } -void usage_imap(const char* service) { +void usage_imap(const char *service) { printf("Module imap is optionally taking one authentication type of:\n" " CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" - " CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n"); + " CRAM-SHA256, DIGEST-MD5, NTLM\n" + "Additionally TLS encryption via STARTTLS can be enforced with the " + "TLS option.\n\n" + "Example: imap://target/TLS:PLAIN\n"); } diff --git a/hydra-irc.c b/hydra-irc.c index f41f655..d56eec4 100644 --- a/hydra-irc.c +++ b/hydra-irc.c @@ -7,11 +7,10 @@ RFC 1459: Internet Relay Chat Protocol */ extern char *HYDRA_EXIT; -char *buf; char buffer[300] = ""; int32_t myport = PORT_IRC, mysslport = PORT_IRC_SSL; -int32_t start_oper_irc(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_oper_irc(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; int32_t ret; 
@@ -53,7 +52,7 @@ int32_t send_nick(int32_t s, char *ip, char *pass) { if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return -1; } - sprintf(buffer, "NICK hydra%d\r\nUSER hydra%d hydra %s :hydra\r\n", (int32_t) getpid(), (int32_t) getpid(), hydra_address2string(ip)); + sprintf(buffer, "NICK hydra%d\r\nUSER hydra%d hydra %s :hydra\r\n", (int32_t)getpid(), (int32_t)getpid(), hydra_address2string(ip)); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return -1; } @@ -63,7 +62,7 @@ int32_t send_nick(int32_t s, char *ip, char *pass) { int32_t irc_server_connect(char *ip, int32_t sock, int32_t port, unsigned char options, char *hostname) { if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(275); + // usleepn(275); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; @@ -78,7 +77,7 @@ int32_t irc_server_connect(char *ip, int32_t sock, int32_t port, unsigned char o return sock; } -int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname) { +int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname) { char *empty = ""; char *pass; int32_t ret; @@ -88,7 +87,7 @@ int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options, s = irc_server_connect(ip, s, port, options, hostname); if (s < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); return 3; } 
@@ -106,10 +105,16 @@ int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options, #endif hydra_report_pass_found(port, ip, "irc", fp); hydra_completed_pair_found(); - hydra_report(stderr, "[INFO] Server password '%s' is working, you can pass it as argument\nto irc module to then try login/password oper mode\n", pass); + hydra_report(stderr, + "[INFO] Server password '%s' is working, you can pass it as " + "argument\nto irc module to then try login/password oper mode\n", + pass); } else { if (verbose && (miscptr != NULL)) - hydra_report(stderr, "[VERBOSE] Server is requesting a general password, '%s' you entered is not working\n", miscptr); + hydra_report(stderr, + "[VERBOSE] Server is requesting a general password, '%s' " + "you entered is not working\n", + miscptr); hydra_completed_pair(); } @@ -118,7 +123,7 @@ int32_t start_pass_irc(int32_t s, char *ip, int32_t port, unsigned char options, return 4; } -void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1, ret; char *buf; @@ -129,11 +134,11 @@ void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ sock = irc_server_connect(ip, sock, port, options, hostname); if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } 
@@ -148,7 +153,7 @@ void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL if ((ret = hydra_recv(sock, buffer, sizeof(buffer) - 1)) >= 0) buffer[ret] = 0; - /* ERROR :Bad password */ + /* ERROR :Bad password */ #ifdef HAVE_PCRE if ((ret > 0) && (hydra_string_match(buffer, "ERROR\\s.*password"))) { #else @@ -181,19 +186,23 @@ void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL hydra_child_exit(0); } - /* ERROR :Bad password is returned from ngircd when it s waiting for a server password */ + /* ERROR :Bad password is returned from ngircd when it s waiting for a + * server password */ if ((ret > 0) && (strstr(buffer, " 001 ") == NULL)) { /* seems we not successfully connected */ - hydra_report(stderr, "[ERROR] should not be able to identify server msg, please report it\n%s\n", buffer); + hydra_report(stderr, + "[ERROR] should not be able to identify server msg, " + "please report it\n%s\n", + buffer); hydra_child_exit(0); } next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_oper_irc(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); @@ -209,13 +218,13 @@ void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } } -int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
@@ -223,6 +232,8 @@ int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *misc return 0; } -void usage_irc(const char* service) { - printf("Module irc is optionally taking the general server password, if the server is requiring one, and if none is passed the password from -p/-P will be used\n\n"); +void usage_irc(const char *service) { + printf("Module irc is optionally taking the general server password, if the " + "server is requiring one, and if none is passed the password from " + "-p/-P will be used\n\n"); } diff --git a/hydra-ldap.c b/hydra-ldap.c index e00265e..9e6f9cd 100644 --- a/hydra-ldap.c +++ b/hydra-ldap.c @@ -7,8 +7,8 @@ unsigned char *buf; int32_t counter; int32_t tls_required = 0; -int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp, char *hostname, char version, int32_t auth_method) { - char *empty = ""; +int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char version, int32_t auth_method) { + char *empty = "", *result = NULL; char *login = "", *pass, *fooptr = ""; unsigned char buffer[512]; int32_t length = 0; @@ -18,7 +18,7 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha The LDAP "simple" method has three modes of operation: * anonymous= no user no pass * unauthenticated= user but no pass - * user/password authenticated= user and pass + * user/password authenticated= user and pass */ if ((miscptr != NULL) && (ldap_auth_mechanism == AUTH_CLEAR)) { 
@@ -65,9 +65,9 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha if (ldap_auth_mechanism == AUTH_CLEAR) { buffer[11] = strlen(login); /* DN */ memcpy(&buffer[12], login, strlen(login)); - buffer[12 + strlen(login)] = (unsigned char) 128; + buffer[12 + strlen(login)] = (unsigned char)128; buffer[13 + strlen(login)] = strlen(pass); - memcpy(&buffer[14 + strlen(login)], pass, strlen(pass)); /* PASS */ + memcpy(&buffer[14 + strlen(login)], pass, strlen(pass)); /* PASS */ } else { char *authm = "DIGEST-MD5"; @@ -79,7 +79,7 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha miscptr[sizeof(buffer) - 16 - strlen(authm)] = '\0'; } - buffer[11] = strlen(miscptr); /* DN */ + buffer[11] = strlen(miscptr); /* DN */ memcpy(&buffer[12], miscptr, strlen(miscptr)); buffer[12 + strlen(miscptr)] = 163; buffer[13 + strlen(miscptr)] = 2 + strlen(authm); @@ -87,9 +87,9 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha buffer[15 + strlen(miscptr)] = strlen(authm); memcpy(&buffer[16 + strlen(miscptr)], authm, strlen(authm)); } - if (hydra_send(s, (char *) buffer, length, 0) < 0) + if (hydra_send(s, (char *)buffer, length, 0) < 0) return 1; - if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) + if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL) return 1; if (buf[0] != 0 && buf[0] != 32 && buf[9] == 2) { 
@@ -115,16 +115,16 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha } #ifdef LIBOPENSSL -/* one more step auth for CRAM and DIGEST */ + /* one more step auth for CRAM and DIGEST */ if (ldap_auth_mechanism == AUTH_CRAMMD5) { /* get the challenge, need to extract it */ char *ptr; char buf2[32]; - ptr = strstr((char *) buf, "<"); + ptr = strstr((char *)buf, "<"); fooptr = buf2; - sasl_cram_md5(fooptr, pass, ptr); - if (fooptr == NULL) + result = sasl_cram_md5(fooptr, pass, ptr); + if (result == NULL) return 1; counter++; if (strstr(miscptr, "^USER^") != NULL) { @@ -148,7 +148,7 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha buffer[9] = version; buffer[10] = 4; - buffer[11] = strlen(miscptr); /* DN */ + buffer[11] = strlen(miscptr); /* DN */ memcpy(&buffer[12], miscptr, strlen(miscptr)); buffer[12 + strlen(miscptr)] = 163; buffer[13 + strlen(miscptr)] = 2 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2); @@ -161,10 +161,10 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login)] = ' '; memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login) + 1], buf2, strlen(buf2)); - if (hydra_send(s, (char *) buffer, length, 0) < 0) + if (hydra_send(s, (char *)buffer, length, 0) < 0) return 1; free(buf); - if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) + if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL) return 1; } else { if (ldap_auth_mechanism == AUTH_DIGESTMD5) { @@ -172,7 +172,7 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha char buffer2[500]; int32_t ind = 0; - ptr = strstr((char *) buf, "realm="); + ptr = strstr((char *)buf, "realm="); counter++; if (strstr(miscptr, "^USER^") != NULL) { 
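Review bot: `buf2` is 32 bytes but the code later treats it as a NUL-terminated string (`strlen(buf2)` in the `@@ -148,7 +148,7 @@` hunk below); a hex-encoded HMAC-MD5 is exactly 32 characters, so if `sasl_cram_md5` writes the usual 32-hex-digit string plus terminator it writes one byte past the array — `char buf2[33];` (or the 500-byte scratch buffer the IMAP module uses) removes the doubt. The new `result == NULL` check is welcome, but `ptr = strstr((char *)buf, "<")` just above it can be NULL on an unexpected reply and is passed straight to `sasl_cram_md5`; unless that helper tolerates a NULL challenge, add `if (ptr == NULL) { free(buf); return 1; }` first. `buf` is also leaked on the `return 1` that follows the new check, while the send paths further down do free it. start_ldap begins before and ends after this hunk.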
@@ -180,8 +180,8 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha } fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL); - if (fooptr == NULL) { + result = sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL); + if (result == NULL) { free(buf); return 3; } @@ -213,7 +213,7 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha ind++; buffer[ind] = counter % 256; ind++; - buffer[ind] = 96; /*0x60 */ + buffer[ind] = 96; /*0x60 */ ind++; buffer[ind] = 130; ind++; @@ -240,9 +240,9 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha buffer[ind] = strlen(miscptr); ind++; memcpy(&buffer[ind], miscptr, strlen(miscptr)); - /*DN*/ buffer[ind + strlen(miscptr)] = 163; //0xa3 + /*DN*/ buffer[ind + strlen(miscptr)] = 163; // 0xa3 ind++; - buffer[ind + strlen(miscptr)] = 130; //0x82 + buffer[ind + strlen(miscptr)] = 130; // 0x82 ind++; if (strlen(buffer2) + 6 + strlen("DIGEST-MD5") > 255) { @@ -279,10 +279,10 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha memcpy(&buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")], buffer2, strlen(buffer2)); ind++; - if (hydra_send(s, (char *) buffer, length, 0) < 0) + if (hydra_send(s, (char *)buffer, length, 0) < 0) return 1; free(buf); - if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) + if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL) return 1; } } 
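Review bot: `ptr` here comes from `strstr((char *)buf, "realm=")` in the previous hunk and is handed to `sasl_digest_md5` with no NULL check, so a bind response without a realm= directive reaches the SASL helper as a NULL challenge; the new `result == NULL` test only helps if the helper itself guards against that. A `if (ptr == NULL) { free(buf); return 3; }` before the call makes the failure explicit and keeps the `free(buf)` that the `result == NULL` path already performs. start_ldap begins before and ends after this hunk.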
@@ -306,21 +306,27 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 53) { if (verbose) - hydra_report(stderr, "[VERBOSE] Server unwilling to perform action, maybe deny by server config or too busy when tried login: %s password: %s\n", login, pass); + hydra_report(stderr, + "[VERBOSE] Server unwilling to perform action, maybe deny by server " + "config or too busy when tried login: %s password: %s\n", + login, pass); free(buf); return 1; } if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) { - hydra_report(stderr, "[ERROR] Invalid protocol version, you tried ldap%c, better try ldap%c\n", version + '0', version == 2 ? '3' : '2'); + hydra_report(stderr, + "[ERROR] Invalid protocol version, you tried ldap%c, better " + "try ldap%c\n", + version + '0', version == 2 ? '3' : '2'); free(buf); hydra_child_exit(2); sleep(1); hydra_child_exit(2); } -//0 0x30, 0x84, 0x20, 0x20, 0x20, 0x10, 0x02, 0x01, -//8 0x01, 0x61, 0x84, 0x20, 0x20, 0x20, 0x07, 0x0a, -//16 0x01, 0x20, 0x04, 0x20, 0x04, 0x20, 0x00, 0x00, + // 0 0x30, 0x84, 0x20, 0x20, 0x20, 0x10, 0x02, 0x01, + // 8 0x01, 0x61, 0x84, 0x20, 0x20, 0x20, 0x07, 0x0a, + // 16 0x01, 0x20, 0x04, 0x20, 0x04, 0x20, 0x00, 0x00, // this is for w2k8 active directory ldap auth if (buf[0] == 48 && buf[1] == 132) { @@ -335,10 +341,9 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha } } } else { - if (buf[9] != 49 && buf[9] != 2 && buf[9] != 53) { hydra_report(stderr, "[ERROR] Uh, unknown LDAP response! Please report this: \n"); - print_hex((unsigned char *) buf, 24); + print_hex((unsigned char *)buf, 24); free(buf); return 3; } 
@@ -351,7 +356,7 @@ int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, cha return 2; } -void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, char version, int32_t auth_method) { +void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char version, int32_t auth_method) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_LDAP, mysslport = PORT_LDAP_SSL; @@ -360,10 +365,10 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(275); + // usleepn(275); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -377,22 +382,25 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } counter = 1; if (tls_required) { - /* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC 2830 */ - char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37"; + /* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC + * 2830 */ + char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31" + "\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37"; if (hydra_send(sock, confidentiality_required, strlen(confidentiality_required), 0) < 0) hydra_child_exit(1); - if ((buf = (unsigned char *) hydra_receive_line(sock)) == NULL) + if ((buf = (unsigned char *)hydra_receive_line(sock)) == NULL) hydra_child_exit(1); if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) { /* TLS option negociation goes well, now trying to connect */ + free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1) && verbose) { hydra_report(stderr, "[ERROR] Can't use TLS\n"); hydra_child_exit(1); @@ -403,16 +411,17 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } else { hydra_report(stderr, "[ERROR] Can't use TLS %s\n", buf); + free(buf); hydra_child_exit(1); } } next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_ldap(sock, ip, port, options, miscptr, fp, hostname, version, auth_method); counter++; break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -425,47 +434,46 @@ void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } -void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR); -} +void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR); } -void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR); -} +void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR); } -void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5); -} +void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5); } -void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5); -} +void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5); } -int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, 
int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here if (miscptr != NULL && strlen(miscptr) > 220) { - fprintf(stderr, "[ERROR] the option string to this module may not be larger than 220 bytes\n"); + fprintf(stderr, "[ERROR] the option string to this module may not be " + "larger than 220 bytes\n"); return -1; } return 0; } -void usage_ldap(const char* service) { - printf("Module %s is optionally taking the DN (depending of the auth method choosed\n" - "Note: you can also specify the DN as login when Simple auth method is used).\n" +void usage_ldap(const char *service) { + printf("Module %s is optionally taking the DN (depending of the auth method " + "choosed\n" + "Note: you can also specify the DN as login when Simple auth method " + "is used).\n" "The keyword \"^USER^\" is replaced with the login.\n" - "Special notes for Simple method has 3 operation modes: anonymous, (no user no pass),\n" - "unauthenticated (user but no pass), user/pass authenticated (user and pass).\n" + "Special notes for Simple method has 3 operation modes: anonymous, " + "(no user no pass),\n" + "unauthenticated (user but no pass), user/pass authenticated (user " + "and pass).\n" "So don't forget to set empty string as user/pass to test all modes.\n" - "Hint: to authenticate to a windows active directory ldap, this is usually\n" - " cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", service); + "Hint: to authenticate to a windows active directory ldap, this is " + "usually\n" + " cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n", + service); } diff --git a/hydra-memcached.c b/hydra-memcached.c new file mode 100644 index 0000000..5a7c112 --- /dev/null +++ b/hydra-memcached.c 
@@ -0,0 +1,179 @@ +// This plugin was written by +// Tested on memcached 1.5.6-0ubuntu1 + +#ifdef LIBMCACHED +#include +#endif + +#include "hydra-mod.h" + +#ifndef LIBMCACHED +void dummy_mcached() { printf("\n"); } +#else + +extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); + +extern hydra_option hydra_options; +extern char *HYDRA_EXIT; + +int mcached_send_com_quit(int32_t sock) { + char *com_quit = "quit\r\n"; + + if (hydra_send(sock, com_quit, strlen(com_quit), 0) < 0) + return 1; + return 0; +} + +int mcached_send_com_version(int32_t sock) { + char *com_version = "version\r\n"; + + if (hydra_send(sock, com_version, strlen(com_version), 0) < 0) + return 1; + return 0; +} + +int32_t start_mcached(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = ""; + char *login, *pass; + + memcached_server_st *servers = NULL; + memcached_return_t rc; + memcached_st *cache; + + if (strlen(login = hydra_get_next_login()) == 0) + login = empty; + if (strlen(pass = hydra_get_next_password()) == 0) + pass = empty; + + cache = memcached_create(NULL); + + rc = memcached_set_sasl_auth_data(cache, login, pass); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't setup SASL auth: %s\n", memcached_strerror(cache, rc)); + memcached_free(cache); + return 3; + } + + rc = memcached_behavior_set(cache, MEMCACHED_BEHAVIOR_BINARY_PROTOCOL, 1); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't use the binary protocol: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + return 3; + } + rc = memcached_behavior_set(cache, MEMCACHED_BEHAVIOR_CONNECT_TIMEOUT, 10000); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't set the connect timeout: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + return 3; 
+ } + + servers = memcached_server_list_append(servers, hydra_address2string(ip), port, &rc); + rc = memcached_server_push(cache, servers); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't add server: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + return 3; + } + + rc = memcached_stat_execute(cache, "", NULL, NULL); + if (rc != MEMCACHED_SUCCESS) { + if (verbose) + hydra_report(stderr, "[ERROR] Couldn't get server stats: %s\n", memcached_strerror(cache, rc)); + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + hydra_completed_pair_skip(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + return 3; + } + return 2; + } + + memcached_destroy_sasl_auth_data(cache); + memcached_free(cache); + + hydra_report_found_host(port, ip, "memcached", fp); + hydra_completed_pair_found(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return 3; + + return 2; +} + +void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + int32_t run = 1, next_run = 1, sock = -1; + + hydra_register_socket(sp); + + while (1) { + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return; + + switch (run) { + case 1: + next_run = start_mcached(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); + break; + case 2: + hydra_child_exit(0); + return; + default: + if (!verbose) + hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose " + "option for more details\n"); + hydra_child_exit(2); + } + run = next_run; + } +} + +int32_t service_mcached_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + // called before the childrens are forked off, so this is the function + // which should be filled if initial 
connections and service setup has to be + // performed once only. + + int32_t sock = -1; + int32_t myport = PORT_MCACHED; + char *buf; + + if (port != 0) + myport = port; + + sock = hydra_connect_tcp(ip, myport); + if (sock < 0) { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Can not connect\n"); + return -1; + } + + if (mcached_send_com_version(sock)) { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Can not send request\n"); + return -1; + } + + if (hydra_data_ready_timed(sock, 0, 1000) > 0) { + buf = hydra_receive_line(sock); + if (strstr(buf, "VERSION ")) { + hydra_report_found_host(port, ip, "memcached", fp); + mcached_send_com_quit(sock); + if (sock >= 0) + sock = hydra_disconnect(sock); + hydra_report(stderr, "[ERROR] Memcached server does not require any authentication\n"); + } + free(buf); + return -1; + } + if (sock >= 0) + sock = hydra_disconnect(sock); + return 0; +} + +#endif diff --git a/hydra-mod.c b/hydra-mod.c index 251ef27..c988c1d 100644 --- a/hydra-mod.c +++ b/hydra-mod.c @@ -1,13 +1,14 @@ #include "hydra-mod.h" #include #ifdef LIBOPENSSL -#include -#include #include +#include #include +#include #endif #ifdef HAVE_PCRE -#include +#define PCRE2_CODE_UNIT_WIDTH 8 +#include #endif #define MAX_CONNECT_RETRY 1 @@ -15,17 +16,17 @@ #define HYDRA_DUMP_ROWS 16 /* rfc 1928 SOCKS proxy */ -#define SOCKS_V5 5 -#define SOCKS_V4 4 -#define SOCKS_NOAUTH 0 +#define SOCKS_V5 5 +#define SOCKS_V4 4 +#define SOCKS_NOAUTH 0 /* http://tools.ietf.org/html/rfc1929 */ -#define SOCKS_PASSAUTH 2 -#define SOCKS_NOMETHOD 0xff -#define SOCKS_CONNECT 1 -#define SOCKS_IPV4 1 -#define SOCKS_DOMAIN 3 -#define SOCKS_IPV6 4 +#define SOCKS_PASSAUTH 2 +#define SOCKS_NOMETHOD 0xff +#define SOCKS_CONNECT 1 +#define SOCKS_IPV4 1 +#define SOCKS_DOMAIN 3 +#define SOCKS_IPV6 4 extern int32_t conwait; char quiet; 
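Review bot: start_mcached returns 2 on both the rejected-credential path and the success path, and service_mcached maps case 2 to hydra_child_exit(0), so the child exits after its very first pair instead of looping over candidates; the 3 returned on HYDRA_EXIT falls into the default branch and is reported as an unknown return code. The list built by memcached_server_list_append is never released and the rc it reports is not checked; `memcached_server_list_free(servers);` belongs beside each `memcached_free(cache);` after memcached_server_push. Any non-success from memcached_stat_execute — a connect timeout or dropped connection as much as a rejected credential — is counted as a failed pair and reported through hydra_completed_pair_skip, which silently loses candidates; presumably only MEMCACHED_AUTH_FAILURE should be treated as a rejection (via hydra_completed_pair) and other codes should return 1 so the pair is retried — confirm against the parent's handling of the skip code. With HYDRA_EXIT declared `extern char *`, `&HYDRA_EXIT` is the address of the pointer variable and sizeof(HYDRA_EXIT) is the pointer size, so the three memcmp exit checks here compare the pair against pointer bytes rather than the five marker bytes; the same applies to the hydra-mod.c hunks that change the declaration and to hydra_get_next_pair. In service_mcached_init, hydra_receive_line can return NULL (the ldap module checks for it) and the result goes straight into strstr; `if (buf != NULL && strstr(buf, "VERSION ")) {` guards it, and the socket is not closed when the line is read but does not match.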
@@ -33,7 +34,7 @@ int32_t do_retry = 1; int32_t module_auth_type = -1; int32_t intern_socket, extern_socket; char pair[260]; -char HYDRA_EXIT[5] = "\x00\xff\x00\xff\x00"; +char *HYDRA_EXIT = "\x00\xff\x00\xff\x00"; char *HYDRA_EMPTY = "\x00\x00\x00\x00"; char *fe80 = "\xfe\x80\x00"; int32_t fail = 0; @@ -56,26 +57,29 @@ RSA *rsa = NULL; #endif /* prototype */ -int32_t my_select(int32_t fd, fd_set * fdread, fd_set * fdwrite, fd_set * fdex, long sec, long usec); +int32_t my_select(int32_t fd, fd_set *fdread, fd_set *fdwrite, fd_set *fdex, long sec, long usec); /* ----------------- alarming functions ---------------- */ void alarming() { fail++; alarm_went_off++; -/* uh, I think it's not good for performance if we try to reconnect to a timeout system! - * if (fail > MAX_CONNECT_RETRY) { - */ - //fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n", (int32_t) getpid()); + /* uh, I think it's not good for performance if we try to reconnect to a + * timeout system! if (fail > MAX_CONNECT_RETRY) { + */ + // fprintf(stderr, "Process %d: Can not connect [timeout], process exiting\n", + // (int32_t) getpid()); if (debug) printf("DEBUG_CONNECT_TIMEOUT\n"); hydra_child_exit(1); -/* - * } else { - * if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout], retrying (%d of %d retries)\n", (int32_t)getpid(), fail, MAX_CONNECT_RETRY); - * } - */ + /* + * } else { + * if (verbose) fprintf(stderr, "Process %d: Can not connect [timeout], + * retrying (%d of %d retries)\n", (int32_t)getpid(), fail, + * MAX_CONNECT_RETRY); + * } + */ } void interrupt() { @@ -85,7 +89,7 @@ void interrupt() { /* ----------------- internal functions ----------------- */ -int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int32_t type) { +int32_t internal__hydra_connect(char *host, int32_t port, int32_t type, int32_t protocol) { int32_t s, ret = -1, ipv6 = 0, reset_selected = 0; #ifdef AF_INET6 
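Review bot: Swapping the type and protocol parameters of internal__hydra_connect is invisible to callers that pass plain int32_t values, so any call site not updated in this commit now passes its socket type as the protocol and vice versa; only internal__hydra_connect_ssl is adjusted in this diff, and the public wrappers such as hydra_connect_tcp are not visible here. A comment on the prototype would make the convention explicit and prevent a repeat, e.g. `/* type = SOCK_STREAM/SOCK_DGRAM, protocol = IPPROTO_*, same order as socket(2) */`. The body of internal__hydra_connect continues past the end of this hunk.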
@@ -96,12 +100,14 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 struct sockaddr_in sin; char *buf, *tmpptr = NULL; int32_t err = 0; - + if (proxy_count > 0 && use_proxy > 0 && selected_proxy == -1) { reset_selected = 1; selected_proxy = random() % proxy_count; - } + } + memset(&target, 0, sizeof(target)); + memset(&sin, 0, sizeof(sin)); #ifdef AF_INET6 memset(&target6, 0, sizeof(target6)); memset(&sin6, 0, sizeof(sin6)); @@ -111,10 +117,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 #ifdef AF_INET6 if (ipv6) - s = socket(AF_INET6, protocol, type); + s = socket(AF_INET6, type, protocol); else #endif - s = socket(PF_INET, protocol, type); + s = socket(PF_INET, type, protocol); if (s >= 0) { if (src_port != 0) { int32_t bind_ok = 0; @@ -131,14 +137,14 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 sin.sin_addr.s_addr = INADDR_ANY; } - //we will try to find a free port down to 512 + // we will try to find a free port down to 512 while (!bind_ok && src_port >= 512) { #ifdef AF_INET6 if (ipv6) - ret = bind(s, (struct sockaddr *) &sin6, sizeof(sin6)); + ret = bind(s, (struct sockaddr *)&sin6, sizeof(sin6)); else #endif - ret = bind(s, (struct sockaddr *) &sin, sizeof(sin)); + ret = bind(s, (struct sockaddr *)&sin, sizeof(sin)); if (ret == -1) { if (verbose) @@ -165,7 +171,6 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 } } if (use_proxy > 0 && proxy_count > 0) { - if (proxy_string_ip[selected_proxy][0] == 4) { memcpy(&target.sin_addr.s_addr, &proxy_string_ip[selected_proxy][1], 4); target.sin_family = AF_INET; 
@@ -212,18 +217,21 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 #endif if (ipv6) - ret = connect(s, (struct sockaddr *) &target6, sizeof(target6)); + ret = connect(s, (struct sockaddr *)&target6, sizeof(target6)); else #endif - ret = connect(s, (struct sockaddr *) &target, sizeof(target)); + ret = connect(s, (struct sockaddr *)&target, sizeof(target)); alarm(0); if (ret < 0 && alarm_went_off == 0) { fail++; - if (verbose ) { + if (verbose) { if (do_retry && fail <= MAX_CONNECT_RETRY) - fprintf(stderr, "Process %d: Can not connect [unreachable], retrying (%d of %d retries)\n", (int32_t) getpid(), fail, MAX_CONNECT_RETRY); + fprintf(stderr, + "Process %d: Can not connect [unreachable], retrying (%d " + "of %d retries)\n", + (int32_t)getpid(), fail, MAX_CONNECT_RETRY); else - fprintf(stderr, "Process %d: Can not connect [unreachable]\n", (int32_t) getpid()); + fprintf(stderr, "Process %d: Can not connect [unreachable]\n", (int32_t)getpid()); } } } while (ret < 0 && fail <= MAX_CONNECT_RETRY && do_retry); @@ -231,10 +239,11 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 if (debug) printf("DEBUG_CONNECT_UNREACHABLE\n"); -/* we wont quit here, thats up to the module to decide what to do - * fprintf(stderr, "Process %d: Can not connect [unreachable], process exiting\n", (int32_t)getpid()); - * hydra_child_exit(1); - */ + /* we wont quit here, thats up to the module to decide what to do + * fprintf(stderr, "Process %d: Can not connect + * [unreachable], process exiting\n", (int32_t)getpid()); + * hydra_child_exit(1); + */ extern_socket = -1; close(s); ret = -1; 
@@ -278,19 +287,22 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 else snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\n\r\n", hydra_address2string(host), port); else if (host[0] == 16) - snprintf(buf, 4096, "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication[selected_proxy]); + snprintf(buf, 4096, + "CONNECT [%s]:%d HTTP/1.0\r\nProxy-Authorization: Basic " + "%s\r\n\r\n", + hydra_address2string(host), port, proxy_authentication[selected_proxy]); else snprintf(buf, 4096, "CONNECT %s:%d HTTP/1.0\r\nProxy-Authorization: Basic %s\r\n\r\n", hydra_address2string(host), port, proxy_authentication[selected_proxy]); send(s, buf, strlen(buf), 0); if (debug) { - char *ptr = index(buf, '\r'); + char *ptr = strchr(buf, '\r'); if (ptr != NULL) *ptr = 0; printf("DEBUG_CONNECT_PROXY_SENT: %s\n", buf); } recv(s, buf, 4096, 0); - if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2') { + if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = strchr(buf, ' ')) != NULL && *++tmpptr == '2') { if (debug) printf("DEBUG_CONNECT_PROXY_OK\n"); } else { @@ -300,10 +312,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2)); err = 1; } -// free(buf); + // free(buf); } else { if (hydra_strcasestr(proxy_string_type[selected_proxy], "socks5")) { -// char buf[1024]; + // char buf[1024]; size_t cnt, wlen; /* socks v5 support */ 
@@ -323,19 +335,20 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 hydra_report(stderr, "[ERROR] SOCKS5 proxy read failed (%zu/2)\n", cnt); err = 1; } - if ((unsigned char) buf[1] == SOCKS_NOMETHOD) { - hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method negotiation failed\n"); + if ((unsigned char)buf[1] == SOCKS_NOMETHOD) { + hydra_report(stderr, "[ERROR] SOCKS5 proxy authentication method " + "negotiation failed\n"); err = 1; } /* SOCKS_DOMAIN not supported here, do we need it ? */ if (err != 1) { /* send user/pass */ if (proxy_authentication[selected_proxy] != NULL) { - //format was checked previously + // format was checked previously char *login = strtok(proxy_authentication[selected_proxy], ":"); char *pass = strtok(NULL, ":"); - snprintf(buf, 4096, "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass); + snprintf(buf, 4096, "\x01%c%s%c%s", (char)strlen(login), login, (char)strlen(pass), pass); cnt = hydra_send(s, buf, strlen(buf), 0); if (cnt != strlen(buf)) { @@ -406,15 +419,15 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n"); err = 1; } else { -// char buf[1024]; + // char buf[1024]; size_t cnt, wlen; /* socks v4 support */ buf[0] = SOCKS_V4; - buf[1] = SOCKS_CONNECT; /* connect */ + buf[1] = SOCKS_CONNECT; /* connect */ memcpy(buf + 2, &target.sin_port, sizeof target.sin_port); memcpy(buf + 4, &target.sin_addr, sizeof target.sin_addr); - buf[8] = 0; /* empty username */ + buf[8] = 0; /* empty username */ wlen = 9; cnt = hydra_send(s, buf, wlen, 0); if (cnt != wlen) { 
@@ -437,7 +450,10 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 } } } else { - hydra_report(stderr, "[ERROR] Unknown proxy type: %s, valid type are \"connect\", \"socks4\" or \"socks5\"\n", proxy_string_type[selected_proxy]); + hydra_report(stderr, + "[ERROR] Unknown proxy type: %s, valid type are " + "\"connect\", \"socks4\" or \"socks5\"\n", + proxy_string_type[selected_proxy]); err = 1; } } @@ -463,25 +479,26 @@ int32_t internal__hydra_connect(char *host, int32_t port, int32_t protocol, int3 } #if defined(LIBOPENSSL) && !defined(LIBRESSL_VERSION_NUMBER) -RSA *ssl_temp_rsa_cb(SSL * ssl, int32_t export, int32_t keylength) { - int32_t ok = 0; +RSA *ssl_temp_rsa_cb(SSL *ssl, int32_t export, int32_t keylength) { + int32_t nok = 0; #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L BIGNUM *n; - n = BN_new(); - RSA_get0_key(rsa, &n, NULL, NULL); - ok = BN_zero(n); + if ((n = BN_new()) == NULL) + nok = 1; + RSA_get0_key(rsa, (const struct bignum_st **)&n, NULL, NULL); + BN_zero(n); #else if (rsa->n == 0) - ok = 1; + nok = 1; #endif - if(ok == 0 && RSA_size(rsa)!=(keylength/8)){ // n is not zero -#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L - BN_free(n); + if (nok == 0 && RSA_size(rsa) != (keylength / 8)) { // n is not zero +#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_free(n); #endif - RSA_free(rsa); - rsa = NULL; + RSA_free(rsa); + rsa = NULL; } - if (ok != 0) { // n is zero + if (nok != 0) { // n is zero #if defined(NO_RSA_LEGACY) || OPENSSL_VERSION_NUMBER >= 0x10100000L RSA *rsa = RSA_new(); BIGNUM *f4 = BN_new(); @@ -504,8 +521,8 @@ int32_t internal__hydra_connect_to_ssl(int32_t socket, char *hostname) { if (ssl_first) { SSL_load_error_strings(); -// SSL_add_ssl_algoritms(); - SSL_library_init(); // ? + // SSL_add_ssl_algoritms(); + SSL_library_init(); // ? ssl_first = 0; } 
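Review bot: The NULL check added for BN_new() in ssl_temp_rsa_cb only records nok and then falls through to RSA_get0_key and BN_zero(n) on the same path, so a failed allocation is still dereferenced; the call should return early or skip those two lines when n is NULL. RSA_get0_key also overwrites n with the key's own modulus pointer, so the BIGNUM just allocated leaks and the later BN_free(n) releases memory owned by rsa immediately before RSA_free(rsa); these lines predate the commit, but the rewrite keeps them. This branch is compiled only for OpenSSL >= 1.1.0, while the callback is registered under `#if OPENSSL_VERSION_NUMBER < 0x10100000L` in internal__hydra_connect_to_ssl, so the >= 1.1.0 code here looks unreachable in practice and deserves a comment saying so. ssl_temp_rsa_cb continues past the end of the hunk.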
@@ -521,11 +538,11 @@ int32_t internal__hydra_connect_to_ssl(int32_t socket, char *hostname) { } } else { #ifndef TLSv1_2_client_method - #if OPENSSL_VERSION_NUMBER < 0x10100000L - #define TLSv1_2_client_method TLSv1_2_client_method - #else - #define TLSv1_2_client_method TLS_client_method - #endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define TLSv1_2_client_method TLSv1_2_client_method +#else +#define TLSv1_2_client_method TLS_client_method +#endif #endif if ((sslContext = SSL_CTX_new(TLSv1_2_client_method())) == NULL) { if (verbose) { @@ -537,11 +554,11 @@ int32_t internal__hydra_connect_to_ssl(int32_t socket, char *hostname) { } /* set the compatbility mode */ SSL_CTX_set_options(sslContext, SSL_OP_ALL); -// SSL_CTX_set_options(sslContext, SSL_OP_NO_SSLv2); -// SSL_CTX_set_options(sslContext, SSL_OP_NO_TLSv1); + // SSL_CTX_set_options(sslContext, SSL_OP_NO_SSLv2); + // SSL_CTX_set_options(sslContext, SSL_OP_NO_TLSv1); /* we set the default verifiers and don't care for the results */ - (void) SSL_CTX_set_default_verify_paths(sslContext); + (void)SSL_CTX_set_default_verify_paths(sslContext); #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); #endif @@ -564,7 +581,7 @@ int32_t internal__hydra_connect_to_ssl(int32_t socket, char *hostname) { SSL_set_fd(ssl, socket); if (SSL_connect(ssl) <= 0) { -// fprintf(stderr, "[ERROR] SSL Connect %d\n", SSL_connect(ssl)); + // fprintf(stderr, "[ERROR] SSL Connect %d\n", SSL_connect(ssl)); if (verbose) { err = ERR_get_error(); fprintf(stderr, "[VERBOSE] Could not create an SSL session: %s\n", ERR_error_string(err, NULL)); 
@@ -580,10 +597,10 @@ int32_t internal__hydra_connect_to_ssl(int32_t socket, char *hostname) { return socket; } -int32_t internal__hydra_connect_ssl(char *host, int32_t port, int32_t protocol, int32_t type, char *hostname) { +int32_t internal__hydra_connect_ssl(char *host, int32_t port, int32_t type, int32_t protocol, char *hostname) { int32_t socket; - if ((socket = internal__hydra_connect(host, port, protocol, type)) < 0) + if ((socket = internal__hydra_connect(host, port, type, protocol)) < 0) return -1; return internal__hydra_connect_to_ssl(socket, hostname); 
@@ -615,38 +632,40 @@ void hydra_child_exit(int32_t code) { if (debug) printf("[DEBUG] pid %d called child_exit with code %d\n", getpid(), code); - if (code == 0) /* normal quitting */ + if (code == 0) /* normal quitting */ __fck = write(intern_socket, "Q", 1); - else if (code == 1) /* no connect possible */ + else if (code == 1) /* no connect possible */ __fck = write(intern_socket, "C", 1); - else if (code == 2) /* application protocol error or service shutdown */ + else if (code == 2) /* application protocol error or service shutdown */ __fck = write(intern_socket, "E", 1); - // code 3 means exit without telling mommy about it - a bad idea. mommy should know - else if (code == -1 || code > 3) { - fprintf(stderr, "[TOTAL FUCKUP] a module should not use hydra_child_exit(-1) ! Fix it in the source please ...\n"); + else if (code == 3) /* application protocol error or service shutdown */ + __fck = write(intern_socket, "D", 1); + // code 4 means exit without telling mommy about it - a bad idea. mommy should + // know + else if (code == -1 || code > 4) { + fprintf(stderr, "[TOTAL FUCKUP] a module should not use " + "hydra_child_exit(-1) ! 
Fix it in the source please ...\n"); __fck = write(intern_socket, "E", 1); } do { usleepn(10); } while (read(intern_socket, buf, 1) <= 0); close(intern_socket); -// sleep(2); // be sure that mommy receives our message - exit(0); // might be killed before reaching this + // sleep(2); // be sure that mommy receives our message + exit(0); // might be killed before reaching this } -void hydra_register_socket(int32_t s) { - intern_socket = s; -} +void hydra_register_socket(int32_t s) { intern_socket = s; } char *hydra_get_next_pair() { if (pair[0] == 0) { pair[sizeof(pair) - 1] = 0; __fck = read(intern_socket, pair, sizeof(pair) - 1); - //if (debug) hydra_dump_data(pair, __fck, "CHILD READ PAIR"); - if (memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0) - return HYDRA_EXIT; - if (pair[0] == 0) + // if (debug) hydra_dump_data(pair, __fck, "CHILD READ PAIR"); + if (pair[0] == 0 || __fck <= 0) return HYDRA_EMPTY; + if (__fck >= sizeof(HYDRA_EXIT) && memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0) + return HYDRA_EXIT; } return pair; } @@ -694,7 +713,7 @@ void hydra_completed_pair_skip() { /* based on writeError from Medusa project */ -void hydra_report_debug(FILE * st, char *format, ...) { +void hydra_report_debug(FILE *st, char *format, ...) { va_list ap; char buf[8200]; char bufOut[33000]; @@ -713,7 +732,7 @@ void hydra_report_debug(FILE * st, char *format, ...) { // Convert any chars less than 32d or greater than 126d to hex for (i = 0; i < len; i++) { memset(temp, 0, 6); - cTemp = (unsigned char) buf[i]; + cTemp = (unsigned char)buf[i]; if (cTemp < 32 || cTemp > 126) { sprintf(temp, "[%02X]", cTemp); } else 
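Review bot: The reordered checks in hydra_get_next_pair make the exit marker unreachable: HYDRA_EXIT is "\x00\xff\x00\xff\x00", so a read that delivers it leaves pair[0] == 0 and the new first test returns HYDRA_EMPTY before the memcmp is ever evaluated. The length guard is the right idea, but the marker comparison has to come first, e.g. `if (__fck >= 5 && memcmp(HYDRA_EXIT, pair, 5) == 0) return HYDRA_EXIT;` followed by `if (pair[0] == 0 || __fck <= 0) return HYDRA_EMPTY;`. With HYDRA_EXIT now a `char *` (see the earlier hydra-mod.c hunk), `&HYDRA_EXIT` and sizeof(HYDRA_EXIT) refer to the pointer variable rather than the five marker bytes, which is why the suggested comparison uses the pointer value and an explicit length. In hydra_child_exit the comment on the new `code == 3` branch is a copy of the one for code 2; it should state what "D" signals to the parent, which this diff does not show, and hydra_child_exit begins before the hunk.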
@@ -730,96 +749,99 @@ void hydra_report_debug(FILE * st, char *format, ...) { return; } -void hydra_report_found(int32_t port, char *svc, FILE * fp) { -/* - if (!strcmp(svc, "rsh")) - if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m\n", port, svc, hydra_get_next_login()); - else - fprintf(fp, "[%d][%s] login: %s\n", port, svc, hydra_get_next_login()); - else if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, hydra_get_next_login(), hydra_get_next_password()); - else - fprintf(fp, "[%d][%s] login: %s password: %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password()); - - if (stdout != fp) { +void hydra_report_found(int32_t port, char *svc, FILE *fp) { + /* if (!strcmp(svc, "rsh")) - printf("[%d][%s] login: %s\n", port, svc, hydra_get_next_login()); - else - printf("[%d][%s] login: %s password: %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password()); - } + if (colored_output) + fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m\n", + port, svc, hydra_get_next_login()); else fprintf(fp, "[%d][%s] login: %s\n", + port, svc, hydra_get_next_login()); else if (colored_output) fprintf(fp, + "[\e[31m%d\e[0m][\e[31m%s\e[0m] login: \e[32m%s\e[0m password: + \e[32m%s\e[0m\n", port, svc, hydra_get_next_login(), + hydra_get_next_password()); else fprintf(fp, "[%d][%s] login: %s password: + %s\n", port, svc, hydra_get_next_login(), hydra_get_next_password()); - fflush(fp); -*/ + if (stdout != fp) { + if (!strcmp(svc, "rsh")) + printf("[%d][%s] login: %s\n", port, svc, hydra_get_next_login()); + else + printf("[%d][%s] login: %s password: %s\n", port, svc, + hydra_get_next_login(), hydra_get_next_password()); + } + + fflush(fp); + */ } /* needed for irc module to display the general server password */ -void hydra_report_pass_found(int32_t port, char *ip, char *svc, FILE * fp) { -/* - strcpy(ipaddr_str, hydra_address2string(ip)); - 
if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); - else - fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); - if (stdout != fp) - printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); - fflush(fp); -*/ +void hydra_report_pass_found(int32_t port, char *ip, char *svc, FILE *fp) { + /* + strcpy(ipaddr_str, hydra_address2string(ip)); + if (colored_output) + fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: + \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else + fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, + hydra_get_next_password()); if (stdout != fp) printf("[%d][%s] host: %s + password: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); + fflush(fp); + */ } -void hydra_report_found_host(int32_t port, char *ip, char *svc, FILE * fp) { -/* char *keyw = "password"; +void hydra_report_found_host(int32_t port, char *ip, char *svc, FILE *fp) { + /* char *keyw = "password"; - strcpy(ipaddr_str, hydra_address2string(ip)); - if (!strcmp(svc, "smtp-enum")) - keyw = "domain"; - if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid")) - if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login()); - else - fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_login()); - else if (!strcmp(svc, "snmp3")) - if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); - else - fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); - else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco")) - if (colored_output) - fprintf(fp, 
"[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); - else - fprintf(fp, "[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); - else if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m %s: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, - hydra_get_next_password()); - else - fprintf(fp, "[%d][%s] host: %s login: %s %s: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password()); - if (stdout != fp) { + strcpy(ipaddr_str, hydra_address2string(ip)); + if (!strcmp(svc, "smtp-enum")) + keyw = "domain"; if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid")) - printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_login()); - else if (!strcmp(svc, "snmp3")) - printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); - else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco")) - printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); + if (colored_output) + fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: + \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login()); else + fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, + hydra_get_next_login()); else if (!strcmp(svc, "snmp3")) if (colored_output) + fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: + \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else + fprintf(fp, "[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, + hydra_get_next_password()); else if (!strcmp(svc, "cisco-enable") || + !strcmp(svc, "cisco")) if (colored_output) fprintf(fp, + "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m password: + \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_password()); else + fprintf(fp, "[%d][%s] host: %s 
password: %s\n", port, svc, ipaddr_str, + hydra_get_next_password()); else if (colored_output) fprintf(fp, + "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m + %s: \e[32m%s\e[0m\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, + hydra_get_next_password()); else - printf("[%d][%s] host: %s login: %s %s: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password()); - } - fflush(fp); - fflush(stdout); -*/ + fprintf(fp, "[%d][%s] host: %s login: %s %s: %s\n", port, svc, + ipaddr_str, hydra_get_next_login(), keyw, hydra_get_next_password()); if + (stdout != fp) { if (!strcmp(svc, "rsh") || !strcmp(svc, "oracle-sid")) + printf("[%d][%s] host: %s login: %s\n", port, svc, ipaddr_str, + hydra_get_next_login()); else if (!strcmp(svc, "snmp3")) printf("[%d][%s] + host: %s login: %s\n", port, svc, ipaddr_str, hydra_get_next_password()); + else if (!strcmp(svc, "cisco-enable") || !strcmp(svc, "cisco")) + printf("[%d][%s] host: %s password: %s\n", port, svc, ipaddr_str, + hydra_get_next_password()); else printf("[%d][%s] host: %s login: %s %s: + %s\n", port, svc, ipaddr_str, hydra_get_next_login(), keyw, + hydra_get_next_password()); + } + fflush(fp); + fflush(stdout); + */ } -void hydra_report_found_host_msg(int32_t port, char *ip, char *svc, FILE * fp, char *msg) { -/* - strcpy(ipaddr_str, hydra_address2string(ip)); - if (colored_output) - fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: \e[32m%s\e[0m password: \e[32m%s\e[0m [%s]\n", port, svc, ipaddr_str, hydra_get_next_login(), - hydra_get_next_password(), msg); - else - fprintf(fp, "[%d][%s] host: %s login: %s password: %s [%s]\n", port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password(), msg); - if (stdout != fp) - printf("[%d][%s] host: %s login: %s password: %s\n", port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password()); - fflush(fp); -*/ +void hydra_report_found_host_msg(int32_t port, char *ip, char *svc, 
FILE *fp, char *msg) { + /* + strcpy(ipaddr_str, hydra_address2string(ip)); + if (colored_output) + fprintf(fp, "[\e[31m%d\e[0m][\e[31m%s\e[0m] host: \e[32m%s\e[0m login: + \e[32m%s\e[0m password: \e[32m%s\e[0m [%s]\n", port, svc, ipaddr_str, + hydra_get_next_login(), hydra_get_next_password(), msg); else fprintf(fp, + "[%d][%s] host: %s login: %s password: %s [%s]\n", port, svc, + ipaddr_str, hydra_get_next_login(), hydra_get_next_password(), msg); if + (stdout != fp) printf("[%d][%s] host: %s login: %s password: %s\n", + port, svc, ipaddr_str, hydra_get_next_login(), hydra_get_next_password()); + fflush(fp); + */ } int32_t hydra_connect_to_ssl(int32_t socket, char *hostname) { @@ -883,9 +905,7 @@ int32_t hydra_data_ready_writing_timed(int32_t socket, long sec, long usec) { return (my_select(socket + 1, &fds, NULL, NULL, sec, usec)); } -int32_t hydra_data_ready_writing(int32_t socket) { - return (hydra_data_ready_writing_timed(socket, 30, 0)); -} +int32_t hydra_data_ready_writing(int32_t socket) { return (hydra_data_ready_writing_timed(socket, 30, 0)); } int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec) { fd_set fds; @@ -895,9 +915,7 @@ int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec) { return (my_select(socket + 1, &fds, NULL, NULL, sec, usec)); } -int32_t hydra_data_ready(int32_t socket) { - return (hydra_data_ready_timed(socket, 0, 100)); -} +int32_t hydra_data_ready(int32_t socket) { return (hydra_data_ready_timed(socket, 0, 100)); } int32_t hydra_recv(int32_t socket, char *buf, uint32_t length) { int32_t ret; @@ -907,7 +925,8 @@ int32_t hydra_recv(int32_t socket, char *buf, uint32_t length) { if (debug) { sprintf(text, "[DEBUG] RECV [pid:%d]", getpid()); hydra_dump_data(buf, ret, text); - //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", buf, getpid(), ret); + // hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", + // buf, getpid(), ret); } return ret; } 
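Review bot: The four `hydra_report_*` functions keep their signatures but every body is commented out, and the reformat has reflowed the dead code inside the block comments so that branches and format strings now run into each other (`... hydra_get_next_login()); else if (colored_output) fprintf(fp,`), which makes the retained code useless as a reference. Either drop the dead bodies or fence them with `// clang-format off` / `#if 0` so the formatter leaves them alone, and give each stub a comment explaining why it is empty, e.g. `/* intentionally a no-op: result reporting happens elsewhere (confirm where); kept so modules keep linking */` — the actual reporting path is not visible in this diff. These stubs are still called by modules, including the new hydra-mongodb.c, so a reader of that module will otherwise assume output is lost.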
@@ -916,7 +935,7 @@ int32_t hydra_recv_nb(int32_t socket, char *buf, uint32_t length) { int32_t ret = -1; char text[64]; - if (hydra_data_ready_timed(socket, (long) waittime, 0) > 0) { + if (hydra_data_ready_timed(socket, (long)waittime, 0) > 0) { if ((ret = internal__hydra_recv(socket, buf, length)) <= 0) { buf[0] = 0; if (debug) { 
@@ -928,81 +947,87 @@ int32_t hydra_recv_nb(int32_t socket, char *buf, uint32_t length) { if (debug) { sprintf(text, "[DEBUG] RECV [pid:%d]", getpid()); hydra_dump_data(buf, ret, text); - //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", buf, getpid(), ret); + // hydra_report_debug(stderr, "DEBUG_RECV_BEGIN|%s|END [pid:%d ret:%d]", + // buf, getpid(), ret); } } return ret; } char *hydra_receive_line(int32_t socket) { - char buf[1024], *buff, *buff2, text[64]; - int32_t i, j = 1, k, got = 0; + char buf[1024], *buff, *buff2, pid[64]; + int32_t i, j, k, got = 0; if ((buff = malloc(sizeof(buf))) == NULL) { fprintf(stderr, "[ERROR] could not malloc\n"); return NULL; } - memset(buff, 0, sizeof(buf)); - if (debug) - printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, pid: %d\n", waittime, conwait, socket, getpid()); - if ((i = hydra_data_ready_timed(socket, (long) waittime, 0)) > 0) { - if ((got = internal__hydra_recv(socket, buff, sizeof(buf) - 1)) < 0) { + memset(buff, 0, sizeof(buf)); + + if (debug) + printf("[DEBUG] hydra_receive_line: waittime: %d, conwait: %d, socket: %d, " + "pid: %d\n", + waittime, conwait, socket, getpid()); + + if ((i = hydra_data_ready_timed(socket, (long)waittime, 0)) > 0) { + do { + j = internal__hydra_recv(socket, buf, sizeof(buf) - 1); + if (j > 0) { + for (k = 0; k < j; k++) + if (buf[k] == 0) + buf[k] = 32; + + buf[j] = 0; + + if ((buff2 = realloc(buff, got + j + 1)) == NULL) { + free(buff); + return NULL; + } + + buff = buff2; + memcpy(buff + got, &buf, j + 1); + got += j; + buff[got] = 0; + } else if (j < 0) { + // some error occured + got = -1; + } + } while (hydra_data_ready(socket) > 0 && j > 0 +#ifdef LIBOPENSSL + || use_ssl && SSL_pending(ssl) +#endif + ); + + if (got > 0) { + if (debug) { + sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid()); + hydra_dump_data(buff, got, pid); + // hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END", + // getpid(), got, buff); + } + } else 
{ + if (got < 0) { + if (debug) { + sprintf(pid, "[DEBUG] RECV [pid:%d]", getpid()); + hydra_dump_data((unsigned char *)"", -1, pid); + // hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]", + // getpid(), i); + perror("recv"); + } + } free(buff); return NULL; } + + usleepn(100); } else { if (debug) - printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, socket: %d\n", i, waittime, conwait, socket); + printf("[DEBUG] hydra_data_ready_timed: %d, waittime: %d, conwait: %d, " + "socket: %d\n", + i, waittime, conwait, socket); } - if (got < 0) { - if (debug) { - sprintf(text, "[DEBUG] RECV [pid:%d]", getpid()); - hydra_dump_data((unsigned char*)"", -1, text); - //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN||END [pid:%d %d]", getpid(), i); - perror("recv"); - } - free(buff); - return NULL; - } else { - if (got > 0) { - for (k = 0; k < got; k++) - if (buff[k] == 0) - buff[k] = 32; - buff[got] = 0; - usleepn(100); - } - } - - while (hydra_data_ready(socket) > 0 && j > 0) { - j = internal__hydra_recv(socket, buf, sizeof(buf) - 1); - if (j > 0) { - for (k = 0; k < j; k++) - if (buf[k] == 0) - buf[k] = 32; - buf[j] = 0; - if ((buff2 = realloc(buff, got + j + 1)) == NULL) { - free(buff); - return NULL; - } else - buff = buff2; - memcpy(buff + got, &buf, j + 1); - got += j; - buff[got] = 0; - } - usleepn(100); - } - - if (debug) { - sprintf(text, "[DEBUG] RECV [pid:%d]", getpid()); - hydra_dump_data(buff, got, text); - //hydra_report_debug(stderr, "DEBUG_RECV_BEGIN [pid:%d len:%d]|%s|END", getpid(), got, buff); - } - if (got == 0) { - free(buff); - return NULL; - } return buff; } 
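Review bot: The loop condition `while (hydra_data_ready(socket) > 0 && j > 0 || use_ssl && SSL_pending(ssl))` parses as `(ready && j > 0) || (use_ssl && SSL_pending(ssl))`, so on the SSL path a failed or zero-length `internal__hydra_recv` (`j <= 0`) does not end the loop while `SSL_pending` is non-zero; once the `j < 0` branch has set `got = -1`, a subsequent successful read does `realloc(buff, got + j + 1)` (size `j`) and `memcpy(buff + got, ...)`, i.e. starts writing one byte before the allocation. Making every non-positive read terminal fixes both cases: `} while (j > 0 && (hydra_data_ready(socket) > 0 || (use_ssl && SSL_pending(ssl))));`, keeping the `#ifdef LIBOPENSSL` guard around the SSL term. Note also that `got = -1` discards data already appended when a later read fails, whereas the removed loop returned the partial buffer; whether any caller depends on the partial line cannot be told from here, so the change should at least be mentioned in a comment above the loop.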
@@ -1013,22 +1038,23 @@ int32_t hydra_send(int32_t socket, char *buf, uint32_t size, int32_t options) { sprintf(text, "[DEBUG] SEND [pid:%d]", getpid()); hydra_dump_data(buf, size, text); -/* int32_t k; - char *debugbuf = malloc(size + 1); + /* int32_t k; + char *debugbuf = malloc(size + 1); - if (debugbuf != NULL) { - for (k = 0; k < size; k++) - if (buf[k] == 0) - debugbuf[k] = 32; - else - debugbuf[k] = buf[k]; - debugbuf[size] = 0; - hydra_report_debug(stderr, "DEBUG_SEND_BEGIN|%s|END [pid:%d]", debugbuf, getpid()); - free(debugbuf); - }*/ + if (debugbuf != NULL) { + for (k = 0; k < size; k++) + if (buf[k] == 0) + debugbuf[k] = 32; + else + debugbuf[k] = buf[k]; + debugbuf[size] = 0; + hydra_report_debug(stderr, "DEBUG_SEND_BEGIN|%s|END [pid:%d]", + debugbuf, getpid()); free(debugbuf); + }*/ } -/* if (hydra_data_ready_writing(socket)) < 1) return -1; XXX maybe needed in the future */ + /* if (hydra_data_ready_writing(socket)) < 1) return -1; XXX maybe needed + * in the future */ return (internal__hydra_send(socket, buf, size, options)); } @@ -1036,7 +1062,7 @@ int32_t make_to_lower(char *buf) { if (buf == NULL) return 1; while (buf[0] != 0) { - buf[0] = tolower((int32_t) buf[0]); + buf[0] = tolower((int32_t)buf[0]); buf++; } return 1; 
@@ -1044,15 +1070,16 @@ int32_t make_to_lower(char *buf) { char *hydra_strrep(char *string, char *oldpiece, char *newpiece) { int32_t str_index, newstr_index, oldpiece_index, end, new_len, old_len, cpy_len; - char *c, oldstring[6096], newstring[6096]; //updated due to issue 192 on github. + char *c, oldstring[6096], + newstring[6096]; // updated due to issue 192 on github. static char finalstring[6096]; - if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1 - || (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece))) + if (string == NULL || oldpiece == NULL || newpiece == NULL || strlen(string) >= sizeof(oldstring) - 1 || (strlen(string) + strlen(newpiece) - strlen(oldpiece) >= sizeof(newstring) - 1 && strlen(string) > strlen(oldpiece))) return NULL; if (strlen(string) > 6000) { - hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max limit is 6000 characters.\n"); + hydra_report(stderr, "[ERROR] Supplied URL or POST data too large. Max " + "limit is 6000 characters.\n"); exit(-1); } @@ -1060,7 +1087,7 @@ char *hydra_strrep(char *string, char *oldpiece, char *newpiece) { strcpy(oldstring, string); // while ((c = (char *) strstr(oldstring, oldpiece)) != NULL) { - c = (char *) strstr(oldstring, oldpiece); + c = (char *)strstr(oldstring, oldpiece); new_len = strlen(newpiece); old_len = strlen(oldpiece); end = strlen(oldstring) - old_len; 
@@ -1079,13 +1106,13 @@ char *hydra_strrep(char *string, char *oldpiece, char *newpiece) { newstr_index += new_len; str_index += old_len; /* Check for another pattern match */ - if ((c = (char *) strstr(oldstring + str_index, oldpiece)) != NULL) + if ((c = (char *)strstr(oldstring + str_index, oldpiece)) != NULL) oldpiece_index = c - oldstring; } /* Copy remaining characters from the right of last matched pattern */ strcpy(newstring + newstr_index, oldstring + str_index); strcpy(oldstring, newstring); -// } + // } strcpy(finalstring, newstring); return finalstring; } @@ -1108,14 +1135,14 @@ unsigned char hydra_conv64(unsigned char in) { } void hydra_tobase64(unsigned char *buf, uint32_t buflen, uint32_t bufsize) { - unsigned char small[3] = { 0, 0, 0 }; + unsigned char small[3] = {0, 0, 0}; unsigned char big[5]; unsigned char *ptr = buf; uint32_t i = bufsize; uint32_t len = 0; unsigned char bof[i]; - if (buf == NULL || strlen((char *) buf) == 0 || buflen == 0) + if (buf == NULL || strlen((char *)buf) == 0 || buflen == 0) return; bof[0] = 0; memset(big, 0, sizeof(big)); @@ -1127,12 +1154,12 @@ void hydra_tobase64(unsigned char *buf, uint32_t buflen, uint32_t bufsize) { big[1] = hydra_conv64(((*ptr & 3) << 4) + (*(ptr + 1) >> 4)); big[2] = hydra_conv64(((*(ptr + 1) & 15) << 2) + (*(ptr + 2) >> 6)); big[3] = hydra_conv64(*(ptr + 2) & 63); - len += strlen((char *) big); + len += strlen((char *)big); if (len > bufsize) { buf[0] = 0; return; } - strcat((char *) bof, (char *) big); + strcat((char *)bof, (char *)big); ptr += 3; } 
@@ -1150,14 +1177,14 @@ void hydra_tobase64(unsigned char *buf, uint32_t buflen, uint32_t bufsize) { if (small[1] == 0) big[2] = '='; big[3] = '='; - strcat((char *) bof, (char *) big); + strcat((char *)bof, (char *)big); } - strcpy((char *) buf, (char *) bof); /* can not overflow */ + strcpy((char *)buf, (char *)bof); /* can not overflow */ } void hydra_dump_asciihex(unsigned char *string, int32_t length) { - unsigned char *p = (unsigned char *) string; + unsigned char *p = (unsigned char *)string; unsigned char lastrow_data[16]; int32_t rows = length / HYDRA_DUMP_ROWS; int32_t lastrow = length % HYDRA_DUMP_ROWS; @@ -1215,10 +1242,10 @@ char *hydra_address2string(char *address) { if (address[0] == 4) { memcpy(&target.sin_addr.s_addr, &address[1], 4); - return inet_ntoa((struct in_addr) target.sin_addr); + return inet_ntoa((struct in_addr)target.sin_addr); } else #ifdef AF_INET6 - if (address[0] == 16) { + if (address[0] == 16) { memcpy(&target6.sin6_addr, &address[1], 16); inet_ntop(AF_INET6, &target6.sin6_addr, ipstring, sizeof(ipstring)); return ipstring; @@ -1229,7 +1256,7 @@ char *hydra_address2string(char *address) { fprintf(stderr, "[ERROR] unknown address string size!\n"); return NULL; } - return NULL; // not reached + return NULL; // not reached } char *hydra_address2string_beautiful(char *address) { @@ -1238,10 +1265,10 @@ char *hydra_address2string_beautiful(char *address) { if (address[0] == 4) { memcpy(&target.sin_addr.s_addr, &address[1], 4); - return inet_ntoa((struct in_addr) target.sin_addr); + return inet_ntoa((struct in_addr)target.sin_addr); } else #ifdef AF_INET6 - if (address[0] == 16) { + if (address[0] == 16) { memcpy(&target6.sin6_addr, &address[1], 16); ipstring[0] = '['; inet_ntop(AF_INET6, &target6.sin6_addr, ipstring + 1, sizeof(ipstring) - 1); 
@@ -1258,28 +1285,30 @@ char *hydra_address2string_beautiful(char *address) { fprintf(stderr, "[ERROR] unknown address string size!\n"); return NULL; } - return NULL; // not reached + return NULL; // not reached } -void hydra_set_srcport(int32_t port) { - src_port = port; -} +void hydra_set_srcport(int32_t port) { src_port = port; } #ifdef HAVE_PCRE int32_t hydra_string_match(char *str, const char *regex) { - pcre *re = NULL; - int32_t offset_error = 0; - const char *error = NULL; + pcre2_code *re = NULL; + int32_t error_code = 0; + PCRE2_SIZE error_offset; int32_t rc = 0; - re = pcre_compile(regex, PCRE_CASELESS | PCRE_DOTALL, &error, &offset_error, NULL); + re = pcre2_compile(regex, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS | PCRE2_DOTALL, &error_code, &error_offset, NULL); if (re == NULL) { - fprintf(stderr, "[ERROR] PCRE compilation failed at offset %d: %s\n", offset_error, error); + fprintf(stderr, "[ERROR] PCRE compilation failed at offset %d: %d\n", error_offset, error_code); return 0; } - rc = pcre_exec(re, NULL, str, strlen(str), 0, 0, NULL, 0); - if (rc >= 0) { + pcre2_match_data *match_data = pcre2_match_data_create_from_pattern(re, NULL); + rc = pcre2_match(re, str, PCRE2_ZERO_TERMINATED, 0, 0, match_data, NULL); + pcre2_match_data_free(match_data); + pcre2_code_free(re); + + if (rc >= 1) { return 1; } return 0; 
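Review bot: `fprintf(stderr, "[ERROR] PCRE compilation failed at offset %d: %d\n", error_offset, error_code)` passes `error_offset`, a `PCRE2_SIZE` (size_t), to `%d`, which is undefined and prints garbage on 64-bit targets, and the message now shows a bare numeric code where the old code printed pcre's text. Use `%zu` with `pcre2_get_error_message()` so the diagnostic stays readable. `pcre2_match_data_create_from_pattern` can return NULL on allocation failure and is handed to `pcre2_match` unchecked; the `char *` arguments also need `PCRE2_SPTR` casts to compile without warnings. hydra_string_match's closing brace lies outside the hunk.

```c
  re = pcre2_compile((PCRE2_SPTR)regex, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS | PCRE2_DOTALL, &error_code, &error_offset, NULL);
  if (re == NULL) {
    PCRE2_UCHAR errmsg[256];
    pcre2_get_error_message(error_code, errmsg, sizeof(errmsg));
    fprintf(stderr, "[ERROR] PCRE compilation failed at offset %zu: %s\n", (size_t)error_offset, errmsg);
    return 0;
  }
  pcre2_match_data *match_data = pcre2_match_data_create_from_pattern(re, NULL);
  if (match_data == NULL) {
    pcre2_code_free(re);
    return 0;
  }
  rc = pcre2_match(re, (PCRE2_SPTR)str, PCRE2_ZERO_TERMINATED, 0, 0, match_data, NULL);
  // … unchanged: free match_data and re, return rc >= 1 …
```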
@@ -1290,9 +1319,9 @@ int32_t hydra_string_match(char *str, const char *regex) { * str_replace.c implements a str_replace PHP like function * Copyright (C) 2009 chantra * - * Create a new string with [substr] being replaced ONCE by [replacement] in [string] - * Returns the new string, or NULL if out of memory. - * The caller is responsible for freeing this new string. + * Create a new string with [substr] being replaced ONCE by [replacement] in + * [string] Returns the new string, or NULL if out of memory. The caller is + * responsible for freeing this new string. * */ char *hydra_string_replace(const char *string, const char *substr, const char *replacement) { @@ -1321,16 +1350,16 @@ char *hydra_strcasestr(const char *haystack, const char *needle) { return NULL; for (; *haystack; ++haystack) { - if (toupper((int32_t) *haystack) == toupper((int32_t) *needle)) { + if (toupper((int32_t)*haystack) == toupper((int32_t)*needle)) { const char *h, *n; for (h = haystack, n = needle; *h && *n; ++h, ++n) { - if (toupper((int32_t) *h) != toupper((int32_t) *n)) { + if (toupper((int32_t)*h) != toupper((int32_t)*n)) { break; } } - if (!*n) { /* matched all of 'needle' to null termination */ - return (char *) haystack; /* return the start of the match */ + if (!*n) { /* matched all of 'needle' to null termination */ + return (char *)haystack; /* return the start of the match */ } } } @@ -1338,7 +1367,7 @@ char *hydra_strcasestr(const char *haystack, const char *needle) { } void hydra_dump_data(unsigned char *buf, int32_t len, char *text) { - unsigned char *p = (unsigned char *) buf; + unsigned char *p = (unsigned char *)buf; unsigned char lastrow_data[16]; int32_t rows = len / 16; int32_t lastrow = len % 16; diff --git a/hydra-mod.h b/hydra-mod.h index 5d613f7..f0c22c4 100644 --- a/hydra-mod.h +++ b/hydra-mod.h 
@@ -4,11 +4,11 @@ #include "hydra.h" #ifdef __sun - #include +#include #elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) - #include +#include #else - #include +#include #endif extern char quiet; @@ -21,10 +21,10 @@ extern char *hydra_get_next_password(); extern void hydra_completed_pair(); extern void hydra_completed_pair_found(); extern void hydra_completed_pair_skip(); -extern void hydra_report_found(int32_t port, char *svc, FILE * fp); -extern void hydra_report_pass_found(int32_t port, char *ip, char *svc, FILE * fp); -extern void hydra_report_found_host(int32_t port, char *ip, char *svc, FILE * fp); -extern void hydra_report_found_host_msg(int32_t port, char *ip, char *svc, FILE * fp, char *msg); +extern void hydra_report_found(int32_t port, char *svc, FILE *fp); +extern void hydra_report_pass_found(int32_t port, char *ip, char *svc, FILE *fp); +extern void hydra_report_found_host(int32_t port, char *ip, char *svc, FILE *fp); +extern void hydra_report_found_host_msg(int32_t port, char *ip, char *svc, FILE *fp, char *msg); extern void hydra_report_debug(FILE *st, char *format, ...); extern int32_t hydra_connect_to_ssl(int32_t socket, char *hostname); extern int32_t hydra_connect_ssl(char *host, int32_t port, char *hostname); @@ -67,7 +67,16 @@ char proxy_string_type[MAX_PROXY_COUNT][10]; char *proxy_authentication[MAX_PROXY_COUNT]; char *cmdlinetarget; +#ifndef __APPLE__ typedef int32_t BOOL; +#else /* __APPLE__ */ +/* ensure compatibility with objc libraries */ +#if (TARGET_OS_IPHONE && __LP64__) || TARGET_OS_WATCH +typedef bool BOOL; +#else +typedef signed char BOOL; +#endif +#endif /* __APPLE__ */ #define hydra_report fprintf diff --git a/hydra-mongodb.c b/hydra-mongodb.c new file mode 100644 index 0000000..66269be --- /dev/null +++ b/hydra-mongodb.c 
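Review bot: The new `__APPLE__` branch tests `TARGET_OS_IPHONE` / `TARGET_OS_WATCH` and uses `bool`, but the hunk adds neither `#include <TargetConditionals.h>` nor `#include <stdbool.h>`; an undefined macro evaluates to 0 inside `#if`, so unless hydra.h already provides them every Apple build silently gets `typedef signed char BOOL`, and `bool` is not a type before C23 without stdbool.h. The include lines in this diff have their header names stripped by extraction, so I cannot confirm what hydra.h pulls in; adding the two includes directly under `#else /* __APPLE__ */` removes the dependency on that. A one-line comment such as `/* must match the BOOL typedef in objc/objc.h so translation units that see both agree */` would also say what "compatibility with objc libraries" actually requires.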
@@ -0,0 +1,195 @@ +// This plugin was written by +// Tested on mongodb-server 1:3.6.3-0ubuntu1 +// MONGODB-CR is been deprecated + +#ifdef LIBMONGODB +#include +#endif + +#include "hydra-mod.h" + +#ifndef LIBMONGODB +void dummy_mongodb() { printf("\n"); } +#else + +extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); + +extern hydra_option hydra_options; +extern char *HYDRA_EXIT; +char *buf; + +#define DEFAULT_DB "admin" + +int is_error_msg(char *msg) { + if (strstr(msg, "errmsg ")) { + if (debug) + hydra_report(stderr, "[ERROR] %s\n", msg); + return 1; + } + return 0; +} + +int require_auth(int32_t sock) { + unsigned char m_hdr[] = "\x3f\x00\x00\x00" // messageLength (63) + "\x00\x00\x00\x41" // requestID + "\xff\xff\xff\xff" // responseTo + "\xd4\x07\x00\x00" // opCode (2004 OP_QUERY) + "\x00\x00\x00\x00" // flags + "\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" // fullCollectionName + // (admin.$cmd) + "\x00\x00\x00\x00" // numberToSkip (0) + "\x01\x00\x00\x00" // numberToReturn (1) + "\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73" + "\x00\x01\x00\x00\x00\x00"; // query ({"listDatabases"=>1}) + + if (hydra_send(sock, m_hdr, sizeof(m_hdr), 0) > 0) { + if (hydra_data_ready_timed(sock, 0, 1000) > 0) { + buf = hydra_receive_line(sock); + return is_error_msg(buf); + } + } + return 2; +} + +int32_t start_mongodb(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = ""; + char *login, *pass; + char uri[256]; + mongoc_client_t *client; + mongoc_database_t *database; + mongoc_collection_t *collection; + mongoc_cursor_t *cursor; + bson_t q; + const bson_t *doc; + bson_error_t error; + bool r; + + if (strlen(login = hydra_get_next_login()) == 0) + login = empty; + if (strlen(pass = hydra_get_next_password()) == 0) + pass = empty; + + mongoc_init(); + mongoc_log_set_handler(NULL, NULL); + bson_init(&q); + + if (login[0] == '\0' && pass[0] == '\0') { + snprintf(uri, sizeof(uri), 
"mongodb://%s:%d/?authSource=%s", hydra_address2string(ip), port, miscptr); + } else { + snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s:%d/?authSource=%s", login, pass, hydra_address2string(ip), port, miscptr); + } + + client = mongoc_client_new(uri); + if (!client) { + hydra_completed_pair_skip(); + return 3; + } + + mongoc_client_set_appname(client, "hydra"); + collection = mongoc_client_get_collection(client, miscptr, "test"); + cursor = mongoc_collection_find_with_opts(collection, &q, NULL, NULL); + r = mongoc_cursor_next(cursor, &doc); + if (!r) { + r = mongoc_cursor_error(cursor, &error); + if (r) { + if (verbose) + hydra_report(stderr, "[ERROR] Can not read document: %s\n", error.message); + mongoc_cursor_destroy(cursor); + mongoc_collection_destroy(collection); + mongoc_client_destroy(client); + mongoc_cleanup(); + hydra_completed_pair(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + return 3; + } + return 1; + } + } + + mongoc_cursor_destroy(cursor); + mongoc_collection_destroy(collection); + mongoc_client_destroy(client); + mongoc_cleanup(); + + hydra_report_found_host(port, ip, "mongodb", fp); + hydra_completed_pair_found(); + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return 3; + + return 2; +} + +void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + int32_t run = 1, next_run = 1, sock = -1; + + if (!miscptr) { + if (verbose) + hydra_report(stderr, "[INFO] Using default database \"admin\"\n"); + miscptr = DEFAULT_DB; + } + + hydra_register_socket(sp); + + while (1) { + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) + return; + + switch (run) { + case 1: + next_run = start_mongodb(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); + break; + case 2: + hydra_child_exit(0); + return; + default: + if (!verbose) + hydra_report(stderr, 
"[ERROR] Caught unknown return code, try verbose " + "option for more details\n"); + hydra_child_exit(2); + } + run = next_run; + } +} + +int32_t service_mongodb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + // called before the childrens are forked off, so this is the function + // which should be filled if initial connections and service setup has to be + // performed once only. + + int32_t myport = PORT_MONGODB; + int32_t sock = -1; + + if (port != 0) + myport = port; + + if ((options & OPTION_SSL) == 0) + sock = hydra_connect_tcp(ip, myport); + else + sock = hydra_connect_ssl(ip, myport, hostname); + + if (sock < 0) { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Can not connect\n"); + return -1; + } + + if (!require_auth(sock)) { + hydra_report_found_host(port, ip, "mongodb", fp); + hydra_report(stderr, "[ERROR] Mongodb server does not require any authentication\n"); + if (sock >= 0) + sock = hydra_disconnect(sock); + return -1; + } + if (sock >= 0) + sock = hydra_disconnect(sock); + return 0; +} + +#endif + +void usage_mongodb(const char *service) { + printf("Module mongodb is optionally taking a database name to attack, " + "default is \"admin\"\n\n"); +} diff --git a/hydra-mssql.c b/hydra-mssql.c index 2f9608b..1133641 100644 --- a/hydra-mssql.c +++ b/hydra-mssql.c 
@@ -1,53 +1,66 @@ #include "hydra-mod.h" - -#define MSLEN 30 - extern char *HYDRA_EXIT; char *buf; -unsigned char p_hdr[] = - "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00"; -unsigned char p_pk2[] = - "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03" - "\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61" - "\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00"; -unsigned char p_pk3[] = - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44" - "\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00" "\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00"; -unsigned char p_lng[] = - "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00" - "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00" "\x00\x03\x00\x00\x00"; +#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB) +#include +#include +#endif -int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +#define MSLEN 30 + +unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00"; +unsigned char p_pk2[] = "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03" + "\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61" + "\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00"; +unsigned char p_pk3[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44" + "\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00" + "\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00"; +unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00" + "\x00\x03\x00\x00\x00"; + +int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[1024]; + char *ipaddr_str = hydra_address2string(ip); char ms_login[MSLEN + 1]; char ms_pass[MSLEN + 1]; unsigned char len_login, len_pass; 
@@ -57,6 +70,42 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 login = empty;
 if (strlen(pass = hydra_get_next_password()) == 0)
 pass = empty;
+#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
+ if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)){
+
+ DBPROCESS *dbproc;
+ LOGINREC *attempt;
+
+ attempt = dblogin();
+
+ DBSETLUSER(attempt, login);
+ DBSETLPWD(attempt, pass);
+
+ // Connect without specifying a database
+ dbproc = dbopen(attempt, ipaddr_str);
+
+ if (dbproc != NULL) {
+ dbclose(dbproc);
+ dbexit();
+ hydra_report_found_host(port, ip, "mssql", fp);
+ hydra_completed_pair_found();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 2;
+ return 1;
+ }
+
+ hydra_completed_pair();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 2;
+
+ return 1;
+
+ }
+#else
+ if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)){
+ fprintf(stderr,"[WARNING] To crack credentials longer than 30 characters, install freetds and recompile\n");
+ }
+#endif
 if (strlen(login) > MSLEN)
 login[MSLEN - 1] = 0;
 if (strlen(pass) > MSLEN)
@@ -81,7 +130,7 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0)
 return 1;
- if (hydra_send(s, (char *) p_lng, 71, 0) < 0)
+ if (hydra_send(s, (char *)p_lng, 71, 0) < 0)
 return 1;
 memset(buffer, 0, sizeof(buffer));
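Review bot: In the new FreeTDS branch `dbopen(attempt, ipaddr_str)` is handed only the address, so the `port` argument (and therefore `-s`) is ignored and the attempt goes to whatever FreeTDS resolves for that host; `dblogin()` is also used without a NULL check, and the `LOGINREC` is never released with `dbloginfree()`, so every long-credential attempt leaks one. The success path additionally calls `dbexit()` while `dbinit()` runs only once per child (in `service_mssql`, outside this hunk), so a later attempt in the same child would presumably run against a torn-down library — worth confirming against the FreeTDS documentation. FreeTDS accepts a `host:port` server name, which is the least invasive way to honour the port; on the `#else` side the `[WARNING]` is printed for every oversized pair and should probably be emitted once. start_mssql's body continues outside the hunk.

```c
#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
  if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)) {
    DBPROCESS *dbproc;
    LOGINREC *attempt;
    char server[256];

    /* dbopen() takes no port; FreeTDS parses "host:port", so -s is honoured */
    snprintf(server, sizeof(server), "%s:%d", ipaddr_str, port);

    attempt = dblogin();
    if (attempt == NULL) {
      hydra_report(stderr, "[ERROR] dblogin() failed\n");
      return 3;
    }
    DBSETLUSER(attempt, login);
    DBSETLPWD(attempt, pass);

    // Connect without specifying a database
    dbproc = dbopen(attempt, server);
    dbloginfree(attempt); /* not owned by dbproc; release it on every attempt */

    if (dbproc != NULL) {
      dbclose(dbproc); /* leave the library initialised; dbexit() belongs in service_mssql's exit paths */
      // … unchanged: hydra_report_found_host / hydra_completed_pair_found / HYDRA_EXIT check …
    }
    // … unchanged: hydra_completed_pair / HYDRA_EXIT check …
  }
#else
```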
@@ -107,16 +156,20 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch return 1; } -void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_MSSQL, mysslport = PORT_MSSQL_SSL; + #if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB) + dbinit(); + #endif + hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; @@ -129,18 +182,18 @@ void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, F port = mysslport; } if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = start_mssql(sock, ip, port, options, miscptr, fp); hydra_disconnect(sock); break; - case 2: /* clean exit */ + case 2: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); 
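Review bot: `dbinit()` at the top of `service_mssql` has its return value ignored; dblib returns `FAIL` when the library cannot initialise, after which every `dbopen()` in the long-credential path fails and is silently counted as a wrong password. Suggest `if (dbinit() == FAIL) { hydra_report(stderr, "[ERROR] dbinit() failed\n"); hydra_child_exit(2); }`. The matching `dbexit()` is also absent from the `case 2` and `case 3` exit paths, so the library is only torn down from inside `start_mssql` on a found pair. The indented `#if`/`#endif` block here also differs from the column-0 preprocessor style used in the `start_mssql` hunk.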
@@ -153,13 +206,13 @@ void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, F } } -int32_t service_mssql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_mssql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-mysql.c b/hydra-mysql.c index 0fda989..01a258e 100644 --- a/hydra-mysql.c +++ b/hydra-mysql.c @@ -1,19 +1,16 @@ /* mysql 3.2x.x to 4.x support - by mcbethh (at) u-n-f (dot) com */ -/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev, adding support for mysql version 5.x */ +/* david (dot) maciejak (at) gmail (dot) com for using libmysqlclient-dev, + * adding support for mysql version 5.x */ #include "hydra-mod.h" #ifndef HAVE_MATH_H #include -void dummy_mysql() { - printf("\n"); -} +void dummy_mysql() { printf("\n"); } -void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { - printf("\n"); -} +void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { printf("\n"); } #else #include 
@@ -38,10 +35,12 @@ char *hydra_scramble(char *to, const char *message, const char *password); extern int32_t internal__hydra_recv(int32_t socket, char *buf, int32_t length); extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char mysqlsalt[9]; -/* modified hydra_receive_line, I've striped code which changed every 0x00 to 0x20 */ +/* modified hydra_receive_line, I've striped code which changed every 0x00 to + * 0x20 */ char *hydra_mysql_receive_line(int32_t socket) { char buf[300], *buff, *buff2; int32_t i = 0, j = 0, buff_size = 300; @@ -51,7 +50,7 @@ char *hydra_mysql_receive_line(int32_t socket) { return NULL; memset(buff, 0, sizeof(buf)); - i = hydra_data_ready_timed(socket, (long) waittime, 0); + i = hydra_data_ready_timed(socket, (long)waittime, 0); if (i > 0) { if ((i = internal__hydra_recv(socket, buff, sizeof(buf))) < 0) { free(buff); @@ -98,7 +97,7 @@ char hydra_mysql_init(int32_t sock) { protocol = buf[4]; if (protocol == 0xff) { pos = &buf[6]; -// *(strchr(pos, '.')) = '\0'; + // *(strchr(pos, '.')) = '\0'; hydra_report(stderr, "[ERROR] %s\n", pos); free(buf); return 2; @@ -108,7 +107,10 @@ char hydra_mysql_init(int32_t sock) { return 2; } if (protocol > 10) { - fprintf(stderr, "[INFO] This is protocol version %d, only v10 is supported, not sure if it will work\n", protocol); + fprintf(stderr, + "[INFO] This is protocol version %d, only v10 is supported, not " + "sure if it will work\n", + protocol); } server_version = &buf[5]; pos = buf + strlen(server_version) + 10; 
@@ -116,7 +118,8 @@ char hydra_mysql_init(int32_t sock) { if (!strstr(server_version, "3.") && !strstr(server_version, "4.") && strstr(server_version, "5.")) { #ifndef LIBMYSQLCLIENT - hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck configure to see if libmysql is found\n"); + hydra_report(stderr, "[ERROR] Not an MySQL protocol or unsupported version,\ncheck " + "configure to see if libmysql is found\n"); #endif free(buf); return 2; 
@@ -130,35 +133,32 @@ char hydra_mysql_init(int32_t sock) { char *hydra_mysql_prepare_auth(char *login, char *pass) { unsigned char *response; unsigned long login_len = strlen(login) > 32 ? 32 : strlen(login); - unsigned long response_len = 4 /* header */ + - 2 /* client flags */ + - 3 /* max packet len */ + - login_len + 1 + 8 /* scrambled password len */ ; + unsigned long response_len = 4 /* header */ + 2 /* client flags */ + 3 /* max packet len */ + login_len + 1 + 8 /* scrambled password len */; - response = (unsigned char *) malloc(response_len + 4); + response = (unsigned char *)malloc(response_len + 4); if (response == NULL) { fprintf(stderr, "[ERROR] could not allocate memory\n"); return NULL; } memset(response, 0, response_len + 4); - *((unsigned long *) response) = response_len - 4; - response[3] = 0x01; /* packet number */ + *((unsigned long *)response) = response_len - 4; + response[3] = 0x01; /* packet number */ response[4] = 0x85; - response[5] = 0x24; /* client flags */ - response[6] = response[7] = response[8] = 0x00; /* max packet */ - memcpy(&response[9], login, login_len); /* login */ - response[9 + login_len] = '\0'; /* null terminate login */ - hydra_scramble((char *) &response[9 + login_len + 1], mysqlsalt, pass); + response[5] = 0x24; /* client flags */ + response[6] = response[7] = response[8] = 0x00; /* max packet */ + memcpy(&response[9], login, login_len); /* login */ + response[9 + login_len] = '\0'; /* null terminate login */ + hydra_scramble((char *)&response[9 + login_len + 1], mysqlsalt, pass); - return (char *) response; + return (char *)response; } /* returns 0 if authentication succeed */ /* and 1 if failed */ char hydra_mysql_parse_response(unsigned char *response) { - unsigned long response_len = *((unsigned long *) response) & 0xffffff; + unsigned long response_len = *((unsigned long *)response) & 0xffffff; if (response_len < 4) return 0; 
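Review bot: `*((unsigned long *)response) = response_len - 4;` in `hydra_mysql_prepare_auth` stores a native-endian `unsigned long` (8 bytes on LP64) over the 3-byte little-endian packet length; it only produces a valid header because bytes 3–8 are overwritten afterwards and the host is little-endian, and `hydra_mysql_parse_response` reads the length back the same way. Writing the length byte-wise is portable and no longer: `response[0] = (response_len - 4) & 0xff; response[1] = ((response_len - 4) >> 8) & 0xff; response[2] = ((response_len - 4) >> 16) & 0xff;`, with the mirror `response[0] | (response[1] << 8) | (response[2] << 16)` in the parser. The `malloc(response_len + 4)` slack presumably exists only to absorb this over-wide store and could go with it.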
@@ -170,29 +170,23 @@ char hydra_mysql_parse_response(unsigned char *response) { } char hydra_mysql_send_com_quit(int32_t sock) { - char com_quit_packet[5] = { 0x01, 0x00, 0x00, 0x00, 0x01 }; + char com_quit_packet[5] = {0x01, 0x00, 0x00, 0x00, 0x01}; hydra_send(sock, com_quit_packet, 5, 0); return 0; } -int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *response = NULL, *login = NULL, *pass = NULL; unsigned long response_len; char res = 0; - char database[256]; + char *database = NULL; login = hydra_get_next_login(); pass = hydra_get_next_password(); if (miscptr) - strncpy(database, miscptr, sizeof(database) - 1); - else { - strncpy(database, DEFAULT_DB, sizeof(database) - 1); - if (verbose) - hydra_report(stderr, "[VERBOSE] using default db 'mysql'\n"); - } - database[sizeof(database) - 1] = 0; + database = miscptr; /* read server greeting */ res = hydra_mysql_init(sock); @@ -227,7 +221,8 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, } if (my_errno == 1251) { - hydra_report(stderr, "[ERROR] Client does not support authentication protocol requested by server\n"); + hydra_report(stderr, "[ERROR] Client does not support authentication " + "protocol requested by server\n"); } /* @@ -241,8 +236,8 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, */ - //if the error is more critical, we just try to reconnect - //to the db later with the mysql_init + // if the error is more critical, we just try to reconnect + // to the db later with the mysql_init if ((my_errno != 1044) && (my_errno != 1045)) { mysql_close(mysql); mysql = NULL; 
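Review bot: `database = miscptr;` drops the previous fallback to `DEFAULT_DB` when no module option is given, so `database` stays NULL from its initialiser and the `[VERBOSE] using default db 'mysql'` message is gone, while `usage_mysql` (later in this diff) still advertises `default is "mysql"`. Either keep the fallback, `database = miscptr ? miscptr : DEFAULT_DB;`, or update the usage text; whether a NULL database is acceptable to the code that consumes it cannot be seen here, as start_mysql's body continues outside the hunk. Replacing the 256-byte copy with a pointer appears fine since the option string is only forwarded.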
@@ -270,7 +265,7 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, response = hydra_mysql_prepare_auth(login, pass); if (response == NULL) return 3; - response_len = *((unsigned long *) response) & 0xffffff; + response_len = *((unsigned long *)response) & 0xffffff; /* send client auth packet */ /* dunny why, mysql IO code had problem reading my response. */ @@ -286,7 +281,7 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, /* read authentication response */ if ((response = hydra_mysql_receive_line(sock)) == NULL) return 1; - res = hydra_mysql_parse_response((unsigned char *) response); + res = hydra_mysql_parse_response((unsigned char *)response); if (!res) { hydra_mysql_send_com_quit(sock); @@ -308,7 +303,7 @@ int32_t start_mysql(int32_t sock, char *ip, int32_t port, unsigned char options, return 1; } -void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_MYSQL; @@ -317,12 +312,12 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) { hydra_mysql_send_com_quit(sock); sock = hydra_disconnect(sock); } -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -330,15 +325,18 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F port = myport; } if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_mysql(sock, ip, port, options, miscptr, fp); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) { hydra_mysql_send_com_quit(sock); sock = hydra_disconnect(sock); @@ -355,8 +353,6 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F #ifndef LIBMYSQLCLIENT - - #endif /************************************************************************/ @@ -373,9 +369,9 @@ struct hydra_rand_struct { double max_value_dbl; }; -void hydra_randominit(struct hydra_rand_struct *rand_st, unsigned long seed1, unsigned long seed2) { /* For mysql 3.21.# */ +void hydra_randominit(struct hydra_rand_struct *rand_st, unsigned long seed1, unsigned long seed2) { /* For mysql 3.21.# */ rand_st->max_value = 0x3FFFFFFFL; - rand_st->max_value_dbl = (double) rand_st->max_value; + rand_st->max_value_dbl = (double)rand_st->max_value; rand_st->seed1 = seed1 % rand_st->max_value; rand_st->seed2 = seed2 % rand_st->max_value; } 
@@ -383,7 +379,7 @@ void hydra_randominit(struct hydra_rand_struct *rand_st, unsigned long seed1, un double hydra_rnd(struct hydra_rand_struct *rand_st) { rand_st->seed1 = (rand_st->seed1 * 3 + rand_st->seed2) % rand_st->max_value; rand_st->seed2 = (rand_st->seed1 + rand_st->seed2 + 33) % rand_st->max_value; - return (((double) rand_st->seed1) / rand_st->max_value_dbl); + return (((double)rand_st->seed1) / rand_st->max_value_dbl); } void hydra_hash_password(unsigned long *result, const char *password) { register unsigned long nr = 1345345333L, add = 7, nr2 = 0x12345671L; @@ -391,14 +387,15 @@ void hydra_hash_password(unsigned long *result, const char *password) { for (; *password; password++) { if (*password == ' ' || *password == '\t') - continue; /* skipp space in password */ - tmp = (unsigned long) (unsigned char) *password; + continue; /* skipp space in password */ + tmp = (unsigned long)(unsigned char)*password; nr ^= (((nr & 63) + add) * tmp) + (nr << 8); nr2 += (nr2 << 8) ^ nr; add += tmp; } - result[0] = nr & (((unsigned long) 1L << 31) - 1L); /* Don't use sign bit (str2int) */ ; - result[1] = nr2 & (((unsigned long) 1L << 31) - 1L); + result[0] = nr & (((unsigned long)1L << 31) - 1L); /* Don't use sign bit (str2int) */ + ; + result[1] = nr2 & (((unsigned long)1L << 31) - 1L); return; } @@ -414,8 +411,8 @@ char *hydra_scramble(char *to, const char *message, const char *password) { hydra_hash_password(hash_message, message); hydra_randominit(&rand_st, hash_pass[0] ^ hash_message[0], hash_pass[1] ^ hash_message[1]); while (*message++) - *to++ = (char) (floor(hydra_rnd(&rand_st) * 31) + 64); - extra = (char) (floor(hydra_rnd(&rand_st) * 31)); + *to++ = (char)(floor(hydra_rnd(&rand_st) * 31) + 64); + extra = (char)(floor(hydra_rnd(&rand_st) * 31)); while (to_start != to) *(to_start++) ^= extra; } 
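Review bot: clang-format has exposed a stray empty statement in `hydra_hash_password`: the lone `;` now sits on its own line after `result[0] = nr & (((unsigned long)1L << 31) - 1L); /* Don't use sign bit (str2int) */`. It is harmless but reads as a leftover; drop it so the two `result[]` assignments sit together. The `register` storage class on `nr`, `add` and `nr2` is likewise a no-op for current compilers and could go in the same pass.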
@@ -424,13 +421,13 @@ char *hydra_scramble(char *to, const char *message, const char *password) { } #endif -int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -438,6 +435,7 @@ int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *mi return 0; } -void usage_mysql(const char* service) { - printf("Module mysql is optionally taking the database to attack, default is \"mysql\"\n\n"); +void usage_mysql(const char *service) { + printf("Module mysql is optionally taking the database to attack, default is " + "\"mysql\"\n\n"); } diff --git a/hydra-ncp.c b/hydra-ncp.c index 5c68d13..edbdfaa 100644 --- a/hydra-ncp.c +++ b/hydra-ncp.c @@ -1,28 +1,25 @@ /* * Novell Network Core Protocol Support - by David Maciejak @ GMAIL dot com * Tested on Netware 6.5 - * + * * you need to install libncp and libncp-dev (tested with version 2.2.6-3) - * + * * you can passed full context as OPT * * example: ./hydra -L login -P passw 172.16.246.129 ncp .O=cx * */ - #include "hydra-mod.h" #ifndef LIBNCP -void dummy_ncp() { - printf("\n"); -} +void dummy_ncp() { printf("\n"); } #else -#include -#include -#include #include +#include +#include +#include extern char *HYDRA_EXIT; extern int32_t child_head_no; 
@@ -33,11 +30,10 @@ typedef struct __NCP_DATA { char *context; } _NCP_DATA; -//uncomment line below to see more trace stack +// uncomment line below to see more trace stack //#define NCP_DEBUG -int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - +int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *login; char *pass; char context[256]; @@ -47,13 +43,11 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char _NCP_DATA *session; - session = malloc(sizeof(_NCP_DATA)); memset(session, 0, sizeof(_NCP_DATA)); login = empty; pass = empty; - if (strlen(login = hydra_get_next_login()) == 0) { login = empty; } else { @@ -71,8 +65,8 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char } } - //login and password are case insensitive - //str_upper(login); + // login and password are case insensitive + // str_upper(login); if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; 
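Review bot: `session = malloc(sizeof(_NCP_DATA));` in `start_ncp` is still followed directly by `memset(session, 0, sizeof(_NCP_DATA));` with no NULL check, so an allocation failure dereferences NULL; the hunk only removes the blank line around it. A guard such as `if (session == NULL) return 3;` would do, 3 being the code the found-pair path comments as `exit`. The function body continues outside the hunk.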
@@ -91,27 +85,27 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char memset(session->spec.password, 0, sizeof(session->spec.password)); memcpy(session->spec.password, pass, strlen(pass) + 1); - //str_upper(session->spec.password); + // str_upper(session->spec.password); ncp_lib_error_code = ncp_login_conn(session->conn, session->spec.user, object_type, session->spec.password); switch (ncp_lib_error_code & 0x0000FFFF) { - case 0x0000: /* Success */ + case 0x0000: /* Success */ #ifdef NCP_DEBUG printf("Connection success (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code); #endif ncp_close(session->conn); - hydra_report_found_host(port, ip, "ncp", fp); //ok + hydra_report_found_host(port, ip, "ncp", fp); // ok hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) - return 3; //exit + return 3; // exit free(session); - return 2; //next + return 2; // next break; - case 0x89DE: /* PASSWORD INVALID */ - case 0x89F0: /* BIND WILDCARD INVALID */ - case 0x89FF: /* NO OBJ OR BAD PASSWORD */ - case 0xFD63: /* FAILED_AUTHENTICATION */ - case 0xFDA7: /* NO_SUCH_ENTRY */ + case 0x89DE: /* PASSWORD INVALID */ + case 0x89F0: /* BIND WILDCARD INVALID */ + case 0x89FF: /* NO OBJ OR BAD PASSWORD */ + case 0xFD63: /* FAILED_AUTHENTICATION */ + case 0xFDA7: /* NO_SUCH_ENTRY */ #ifdef NCP_DEBUG printf("Incorrect password (%s / %s). Error code: %X\n", login, pass, ncp_lib_error_code); #endif @@ -119,7 +113,7 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { free(session); - return 2; //next + return 2; // next } break; default: 
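Review bot: `memcpy(session->spec.password, pass, strlen(pass) + 1);` copies the candidate password into the fixed-size `spec.password` array (the size the preceding `memset` uses) without a length check, so a wordlist entry longer than that array overruns the session struct. Bound it after the memset, e.g. `size_t n = strlen(pass); if (n >= sizeof(session->spec.password)) n = sizeof(session->spec.password) - 1; memcpy(session->spec.password, pass, n);` — the zero-fill keeps it terminated. Separately, on the found-pair path `return 3; // exit` is taken before `free(session)`, unlike the wrong-password branch which frees first; harmless at exit but inconsistent. start_ncp's body starts outside the hunk.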
@@ -131,10 +125,10 @@ int32_t start_ncp(int32_t s, char *ip, int32_t port, unsigned char options, char break; } free(session); - return 1; //reconnect + return 1; // reconnect } -void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_NCP; @@ -144,7 +138,7 @@ void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if (port != 0) @@ -152,14 +146,15 @@ void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL sock = hydra_connect_tcp(ip, myport); port = myport; if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; case 2: /* - * Here we start the password cracking process + * Here we start the password cracking process */ next_run = start_ncp(sock, ip, port, options, miscptr, fp); break; 
@@ -183,13 +178,13 @@ void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL #endif -int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -197,6 +192,7 @@ int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *misc return 0; } -void usage_ncp(const char* service) { - printf("Module ncp is optionally taking the full context, for example \".O=cx\"\n\n"); +void usage_ncp(const char *service) { + printf("Module ncp is optionally taking the full context, for example " + "\".O=cx\"\n\n"); } diff --git a/hydra-nntp.c b/hydra-nntp.c index f6b7f35..8531356 100644 --- a/hydra-nntp.c +++ b/hydra-nntp.c @@ -25,7 +25,7 @@ char *nntp_read_server_capacity(int32_t sock) { free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { - if (isdigit((int32_t) buf[0]) && buf[3] == ' ') + if (isdigit((int32_t)buf[0]) && buf[3] == ' ') resp = 1; else { if (buf[strlen(buf) - 1] == '\n') @@ -38,7 +38,7 @@ char *nntp_read_server_capacity(int32_t sock) { if ((ptr = strrchr(buf, '\n')) != NULL) { #endif ptr++; - if (isdigit((int32_t) *ptr) && *(ptr + 3) == ' ') + if (isdigit((int32_t)*ptr) && *(ptr + 3) == ' ') resp = 1; } } 
@@ -47,8 +47,8 @@ char *nntp_read_server_capacity(int32_t sock) { return buf; } -int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - char *empty = "\"\""; +int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = "\"\"", *result = NULL; char *login, *pass, buffer[500], buffer2[500], *fooptr; int32_t i = 1; @@ -79,7 +79,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha } free(buf); strcpy(buffer2, login); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { @@ -94,7 +94,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha } free(buf); strcpy(buffer2, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: @@ -112,7 +112,9 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha free(buf); memset(buffer, 0, sizeof(buffer)); - sasl_plain(buffer, login, pass); + result = sasl_plain(buffer, login, pass); + if (result == NULL) + return 3; char tmp_buffer[sizeof(buffer)]; sprintf(tmp_buffer, "%.250s\r\n", buffer); 
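Review bot: `strcpy(buffer2, login);` followed by `hydra_tobase64(...)` copies the login into `buffer2[500]` unbounded, and the same `strcpy(buffer2, pass);` pattern appears in the next hunk; hydra may cap credential length elsewhere, but nothing in this file does, so `snprintf(buffer2, sizeof(buffer2), "%s", login);` would be the safe form. `hydra_tobase64` is given `sizeof(buffer2)`, so the encoding step itself is bounded. start_nntp's body continues outside the hunk.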
@@ -120,128 +122,125 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha break; #ifdef LIBOPENSSL - case AUTH_CRAMMD5:{ - int32_t rc = 0; - char *preplogin; + case AUTH_CRAMMD5: { + int32_t rc = 0; + char *preplogin; - rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - if (rc) { - return 3; - } - - sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n"); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - //get the one-time BASE64 encoded challenge - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (buf == NULL || strstr(buf, "383") == NULL) { - hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf); - free(buf); - return 3; - } - - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf + 4); - free(buf); - - memset(buffer2, 0, sizeof(buffer2)); - sasl_cram_md5(buffer2, pass, buffer); - - sprintf(buffer, "%s %.250s", preplogin, buffer2); - hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); - - char tmp_buffer[sizeof(buffer)]; - sprintf(tmp_buffer, "%.250s\r\n", buffer); - strcpy(buffer, tmp_buffer); - free(preplogin); + rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + if (rc) { + return 3; } - break; - case AUTH_DIGESTMD5:{ - sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n"); - - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - //receive - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) { - hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf); - free(buf); - return 3; - } - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf + 4); - free(buf); - - if (debug) - hydra_report(stderr, "DEBUG S: %s\n", buffer); - fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); - if (fooptr == NULL) - return 3; - - if (debug) - hydra_report(stderr, "DEBUG C: %s\n", buffer2); - 
hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%s\r\n", buffer2); + sprintf(buffer, "AUTHINFO SASL CRAM-MD5\r\n"); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; } - break; + // get the one-time BASE64 encoded challenge + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (buf == NULL || strstr(buf, "383") == NULL) { + hydra_report(stderr, "[ERROR] NNTP CRAM-MD5 AUTH : %s\n", buf); + free(buf); + return 3; + } + + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf + 4); + free(buf); + + memset(buffer2, 0, sizeof(buffer2)); + result = sasl_cram_md5(buffer2, pass, buffer); + if (result == NULL) + return 3; + + sprintf(buffer, "%s %.250s", preplogin, buffer2); + hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer)); + + char tmp_buffer[sizeof(buffer)]; + sprintf(tmp_buffer, "%.250s\r\n", buffer); + strcpy(buffer, tmp_buffer); + free(preplogin); + } break; + + case AUTH_DIGESTMD5: { + sprintf(buffer, "AUTHINFO SASL DIGEST-MD5\r\n"); + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + // receive + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) { + hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf); + free(buf); + return 3; + } + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf + 4); + free(buf); + + if (debug) + hydra_report(stderr, "DEBUG S: %s\n", buffer); + fooptr = buffer2; + result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); + if (result == NULL) + return 3; + + if (debug) + hydra_report(stderr, "DEBUG C: %s\n", buffer2); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%s\r\n", buffer2); + } break; #endif - case AUTH_NTLM:{ - unsigned char buf1[4096]; - unsigned char buf2[4096]; + case AUTH_NTLM: { + unsigned char buf1[4096]; + unsigned char 
buf2[4096]; - //send auth and receive challenge - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); - sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char *) buf1); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) { - hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf); - free(buf); - return 3; - } - //recover challenge - from64tobits((char *) buf1, buf + 4); - free(buf); - - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - sprintf(buffer, "%s\r\n", (char *) buf1); + // send auth and receive challenge + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); + sprintf(buffer, "AUTHINFO SASL NTLM %s\r\n", (char *)buf1); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; } - break; - - default:{ - sprintf(buffer, "AUTHINFO USER %.250s\r\n", login); - - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - buf = hydra_receive_line(s); - if (buf == NULL) - return 1; - if (buf[0] != '3') { - if (verbose || debug) - hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); - free(buf); - return (3); - } + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) { + hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf); free(buf); - sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass); + return 3; } - break; + // recover challenge + from64tobits((char *)buf1, buf + 4); + free(buf); + + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, 
buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + sprintf(buffer, "%s\r\n", (char *)buf1); + } break; + + default: { + sprintf(buffer, "AUTHINFO USER %.250s\r\n", login); + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + buf = hydra_receive_line(s); + if (buf == NULL) + return 1; + if (buf[0] != '3') { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); + free(buf); + return (3); + } + free(buf); + sprintf(buffer, "AUTHINFO PASS %.250s\r\n", pass); + } break; } - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } @@ -266,7 +265,7 @@ int32_t start_nntp(int32_t s, char *ip, int32_t port, unsigned char options, cha return 2; } -void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t i = 0, run = 1, next_run = 1, sock = -1; int32_t myport = PORT_NNTP, mysslport = PORT_NNTP_SSL, disable_tls = 0; char *buffer1 = "CAPABILITIES\r\n"; @@ -276,10 +275,10 @@ void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
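Review bot: The new `if (result == NULL) return 3;` after `sasl_cram_md5()` in the AUTH_CRAMMD5 case returns while `preplogin`, allocated by `sasl_saslprep()` a few lines earlier and freed only at the end of the case, is still live, so every failed CRAM-MD5 attempt leaks it; the older send-failure and `strstr(buf, "383")` returns in the same case have the same gap. Free it on the new path, `if (result == NULL) { free(preplogin); return 3; }`, and on the other two. The DIGEST-MD5 change is a real fix: the old `if (fooptr == NULL)` tested a pointer that had just been assigned `buffer2` and could never be NULL, whereas `result` now reflects the helper's outcome. `start_nntp()` begins in an earlier hunk and its tail continues after this one.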
@@ -293,12 +292,12 @@ void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } -// usleepn(300); + // usleepn(300); buf = hydra_receive_line(sock); - if (buf == NULL || buf[0] != '2') { /* check the first line */ + if (buf == NULL || buf[0] != '2') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an NNTP protocol or service shutdown: %s\n", buf); hydra_child_exit(2); @@ -352,10 +351,10 @@ void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } #endif -/* -AUTHINFO USER SASL -SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 -*/ + /* + AUTHINFO USER SASL + SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 + */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "SASL\\s.*NTLM")) { @@ -405,7 +404,7 @@ SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 if ((miscptr != NULL) && (strlen(miscptr) > 0)) { for (i = 0; i < strlen(miscptr); i++) - miscptr[i] = (char) toupper((int32_t) miscptr[i]); + miscptr[i] = (char)toupper((int32_t)miscptr[i]); if (strncmp(miscptr, "USER", 4) == 0) nntp_auth_mechanism = AUTH_CLEAR; @@ -426,7 +425,6 @@ SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 if (strncmp(miscptr, "NTLM", 4) == 0) nntp_auth_mechanism = AUTH_NTLM; - } if (verbose) { switch (nntp_auth_mechanism) { @@ -456,10 +454,10 @@ SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 free(buf); next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_nntp(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -472,13 +470,13 @@ SASL PLAIN DIGEST-MD5 LOGIN NTLM CRAM-MD5 } } -int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -486,6 +484,7 @@ int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *mis return 0; } -void usage_nntp(const char* service) { - printf("Module nntp is optionally taking one authentication type of:\n" " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"); +void usage_nntp(const char *service) { + printf("Module nntp is optionally taking one authentication type of:\n" + " USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n"); } diff --git a/hydra-oracle-listener.c b/hydra-oracle-listener.c index 4f32997..563670b 100644 --- a/hydra-oracle-listener.c +++ b/hydra-oracle-listener.c @@ -13,14 +13,13 @@ at http://marcellmajor.com/frame_listenerhash.html #include "hydra-mod.h" #ifndef LIBOPENSSL #include -void dummy_oracle_listener() { - printf("\n"); -} +void dummy_oracle_listener() { printf("\n"); } #else #include "sasl.h" #include #define HASHSIZE 17 +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char *buf; unsigned char *hash; @@ -31,7 +30,7 @@ int32_t initial_permutation(unsigned char **result, char *p_str, int32_t *sz) { int32_t i = strlen(p_str); char *buff; - //expand the string with zero so that length is a multiple of 4 + // expand the string with zero so that length is a multiple of 4 while ((i % 4) != 0) { i = i + 1; } 
@@ -44,14 +43,14 @@ int32_t initial_permutation(unsigned char **result, char *p_str, int32_t *sz) { memset(buff, 0, i + 4); strcpy(buff, p_str); - //swap the order of every byte pair + // swap the order of every byte pair for (k = 0; k < i; k += 2) { char bck = buff[k + 1]; buff[k + 1] = buff[k]; buff[k] = bck; } - //convert to unicode + // convert to unicode if ((*result = malloc(2 * i)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); free(buff); @@ -75,7 +74,7 @@ int32_t ora_hash(unsigned char **orahash, unsigned char *buf, int32_t len) { } for (i = 0; i < 8; i++) { - sprintf(((char *) *orahash) + i * 2, "%02X", buf[len - 8 + i]); + sprintf(((char *)*orahash) + i * 2, "%02X", buf[len - 8 + i]); } return 0; } @@ -106,8 +105,8 @@ int32_t ora_descrypt(unsigned char **rs, unsigned char *result, int32_t siz) { int32_t i = 0; char lastkey[8]; DES_key_schedule ks1; - unsigned char key1[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF }; - unsigned char ivec1[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; + unsigned char key1[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}; + unsigned char ivec1[] = {0, 0, 0, 0, 0, 0, 0, 0}; unsigned char *desresult; memset(ivec1, 0, sizeof(ivec1)); @@ -115,14 +114,14 @@ int32_t ora_descrypt(unsigned char **rs, unsigned char *result, int32_t siz) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } - DES_key_sched((const_DES_cblock *) key1, &ks1); + DES_key_sched((const_DES_cblock *)key1, &ks1); DES_ncbc_encrypt(result, desresult, siz, &ks1, &ivec1, DES_ENCRYPT); for (i = 0; i < 8; i++) { lastkey[i] = desresult[siz - 8 + i]; } - DES_key_sched((const_DES_cblock *) lastkey, &ks1); + DES_key_sched((const_DES_cblock *)lastkey, &ks1); memset(desresult, 0, siz); memset(ivec1, 0, sizeof(ivec1)); DES_ncbc_encrypt(result, desresult, siz, &ks1, &ivec1, DES_ENCRYPT); 
@@ -146,7 +145,7 @@ int32_t ora_hash_password(char *pass) { memset(buff, 0, sizeof(buff)); - //concatenate Arb string and convert the resulting string to uppercase + // concatenate Arb string and convert the resulting string to uppercase snprintf(buff, sizeof(buff), "Arb%s", pass); strupper(buff); @@ -179,13 +178,11 @@ int32_t ora_hash_password(char *pass) { return 0; } -int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - unsigned char tns_packet_begin[22] = { - "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" - }; - unsigned char tns_packet_end[32] = { - "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" - }; +int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + unsigned char tns_packet_begin[22] = {"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e" + "\x00\x00\x01\x00"}; + unsigned char tns_packet_end[32] = {"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"}; char *empty = ""; char *pass; @@ -210,9 +207,12 @@ int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char o free(hash); return 1; } - pass = (char *) hash; + pass = (char *)hash; } - snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", pass); + snprintf(connect_string, sizeof(connect_string), + "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(" + "PASSWORD=%s)(SERVICE=)(VERSION=169869568)))", + pass); if (hash != NULL) free(hash); 
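Review bot: The reflowed `snprintf(connect_string, ...)` still ignores its return value, so a `pass` value longer than the buffer is silently truncated and the attempt goes out with a connect string that does not match the candidate; `connect_string` is declared outside this hunk, so the available margin cannot be checked here. Guard it with `if (snprintf(...) >= (int)sizeof(connect_string))` and handle that as a failed pair instead of sending the truncated string. The `SID=%s` call in hydra-oracle-sid.c (hunk at old line 47) has the same gap, and `start_oracle_listener()` continues past this hunk.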
@@ -226,7 +226,7 @@ int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char o } else { buffer2[1] = siz; } - memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); + memcpy(buffer2 + 2, (char *)tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; @@ -234,7 +234,7 @@ int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char o } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } - memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); + memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *)tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; @@ -257,7 +257,7 @@ int32_t start_oracle_listener(int32_t s, char *ip, int32_t port, unsigned char o return 1; } -void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL; @@ -283,10 +283,10 @@ void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char * while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -300,13 +300,15 @@ void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char * } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } /* run the cracking function */ next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); @@ -324,13 +326,13 @@ void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char * } } -int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -338,8 +340,9 @@ int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options return 0; } -void usage_oracle_listener(const char* service) { - printf("Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR\n\n"); +void usage_oracle_listener(const char *service) { + printf("Module oracle-listener / tns is optionally taking the mode the " + "password is stored as, could be PLAIN (default) or CLEAR\n\n"); } #endif diff --git a/hydra-oracle-sid.c b/hydra-oracle-sid.c index 7570379..32ac557 100644 --- a/hydra-oracle-sid.c 
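Review bot: The added `sleep(hydra_options.conwait)` needs `<unistd.h>`, and this commit's header hunk for this file adds only the `extern hydra_option hydra_options;` declaration, while the matching change in hydra-oracle.c does add an include (its name is lost in this rendering); unless hydra-mod.h already provides the prototype, add the include here and in hydra-oracle-sid.c, which gains the identical two lines. The delay is applied only when `start_oracle_listener()` returns 1, and since the cracking function is invoked from `case 1` without any `next_run = 2`, that appears to be the normal per-attempt path, which is worth stating in a comment such as `// honour the connect-wait option: pause before reconnecting for the next attempt`. The surrounding `while (1)`/`switch (run)` loop starts before this hunk.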
+++ b/hydra-oracle-sid.c @@ -11,30 +11,26 @@ find a big list on the Internet #include "hydra-mod.h" #ifndef LIBOPENSSL #include -void dummy_oracle_sid() { - printf("\n"); -} +void dummy_oracle_sid() { printf("\n"); } #else #include #define HASHSIZE 16 +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char *buf; unsigned char *hash; - -int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { /* PP is the packet length XX is the length of connect data PP + tns_packet_begin + XX + tns_packet_end */ - unsigned char tns_packet_begin[22] = { - "\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e\x00\x00\x01\x00" - }; - unsigned char tns_packet_end[32] = { - "\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" - }; + unsigned char tns_packet_begin[22] = {"\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x86\x0e" + "\x00\x00\x01\x00"}; + unsigned char tns_packet_end[32] = {"\x00\x3a\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x09\x94\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"}; char *empty = ""; char *login; char connect_string[200]; 
@@ -47,8 +43,10 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option if (strlen(login = hydra_get_next_login()) == 0) login = empty; - snprintf(connect_string, sizeof(connect_string), "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", login, - hydra_address2string(ip), port); + snprintf(connect_string, sizeof(connect_string), + "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(" + "USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", + login, hydra_address2string(ip), port); siz = 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string); if (siz > 255) { buffer2[0] = 1; @@ -56,7 +54,7 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option } else { buffer2[1] = siz; } - memcpy(buffer2 + 2, (char *) tns_packet_begin, sizeof(tns_packet_begin)); + memcpy(buffer2 + 2, (char *)tns_packet_begin, sizeof(tns_packet_begin)); siz = strlen(connect_string); if (siz > 255) { buffer2[2 + sizeof(tns_packet_begin)] = 1; @@ -64,7 +62,7 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option } else { buffer2[1 + 2 + sizeof(tns_packet_begin)] = siz; } - memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *) tns_packet_end, sizeof(tns_packet_end)); + memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2, (char *)tns_packet_end, sizeof(tns_packet_end)); memcpy(buffer2 + 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end), connect_string, strlen(connect_string)); if (hydra_send(s, buffer2, 2 + sizeof(tns_packet_begin) + 2 + sizeof(tns_packet_end) + strlen(connect_string), 0) < 0) { return 1; 
@@ -72,7 +70,8 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option if ((buf = hydra_receive_line(s)) == NULL) return 1; - //if no error reported. it should be a resend packet type 00 08 00 00 0b 00 00 00, 4 is refuse + // if no error reported. it should be a resend packet type 00 08 00 00 0b 00 + // 00 00, 4 is refuse if ((strstr(buf, "ERR=") == NULL) && (buf[4] != 4)) { hydra_report_found_host(port, ip, "oracle-sid", fp); hydra_completed_pair_found(); @@ -85,7 +84,7 @@ int32_t start_oracle_sid(int32_t s, char *ip, int32_t port, unsigned char option return 1; } -void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_ORACLE, mysslport = PORT_ORACLE_SSL; @@ -94,10 +93,10 @@ void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscp return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -110,13 +109,15 @@ void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscp port = mysslport; } if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } /* run the cracking function */ next_run = start_oracle_sid(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); @@ -134,13 +135,13 @@ void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscp } } -int32_t service_oracle_sid_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_oracle_sid_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-oracle.c b/hydra-oracle.c index e598401..2ae18de 100644 --- a/hydra-oracle.c +++ b/hydra-oracle.c @@ -4,8 +4,8 @@ david: code is based on SNORT spo_database.c tested with : -instantclient_10_2 on Oracle 10.2.0 --instantclient-basic-linux.*-11.2.0.3.0.zip + instantclient-sdk-linux.*-11.2.0.3.0.zip -on Oracle 9i and on Oracle 11g +-instantclient-basic-linux.*-11.2.0.3.0.zip + +instantclient-sdk-linux.*-11.2.0.3.0.zip on Oracle 9i and on Oracle 11g */ 
@@ -13,15 +13,15 @@ on Oracle 9i and on Oracle 11g #ifndef LIBORACLE -void dummy_oracle() { - printf("\n"); -} +void dummy_oracle() { printf("\n"); } #else #include +#include #include +extern hydra_option hydra_options; extern char *HYDRA_EXIT; OCIEnv *o_environment; @@ -40,7 +40,7 @@ void print_oracle_error(char *err) { } } -int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[200], sid[100]; 
@@ -55,14 +55,17 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c /* - To use the Easy Connect naming method, PHP must be linked with Oracle 10g or greater Client libraries. - The Easy Connect string for Oracle 10g is of the form: [//]host_name[:port][/service_name]. - With Oracle 11g, the syntax is: [//]host_name[:port][/service_name][:server_type][/instance_name]. - Service names can be found by running the Oracle utility lsnrctl status on the database server machine. + To use the Easy Connect naming method, PHP must be linked with Oracle 10g + or greater Client libraries. The Easy Connect string for Oracle 10g is of + the form: [//]host_name[:port][/service_name]. With Oracle 11g, the syntax + is: [//]host_name[:port][/service_name][:server_type][/instance_name]. + Service names can be found by running the Oracle utility lsnrctl status on + the database server machine. - The tnsnames.ora file can be in the Oracle Net search path, which includes $ORACLE_HOME/network/admin - and /etc. Alternatively set TNS_ADMIN so that $TNS_ADMIN/tnsnames.ora is read. Make sure the web - daemon has read access to the file. + The tnsnames.ora file can be in the Oracle Net search path, which includes + $ORACLE_HOME/network/admin and /etc. Alternatively set TNS_ADMIN so that + $TNS_ADMIN/tnsnames.ora is read. Make sure the web daemon has read access + to the file. */ 
@@ -78,61 +81,59 @@ int32_t start_oracle(int32_t s, char *ip, int32_t port, unsigned char options, c print_oracle_error("OCIEnvInit 2"); return 4; } - if (OCIHandleAlloc(o_environment, (dvoid **) & o_error, OCI_HTYPE_ERROR, (size_t) 0, NULL)) { + if (OCIHandleAlloc(o_environment, (dvoid **)&o_error, OCI_HTYPE_ERROR, (size_t)0, NULL)) { print_oracle_error("OCIHandleAlloc"); return 4; } - if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *) login, strlen(login), (const OraText *) pass, strlen(pass), (const OraText *) buffer, strlen(buffer))) { + bool success = true; + if (OCILogon(o_environment, o_error, &o_servicecontext, (const OraText *)login, strlen(login), (const OraText *)pass, strlen(pass), (const OraText *)buffer, strlen(buffer))) { + success = false; OCIErrorGet(o_error, 1, NULL, &o_errorcode, o_errormsg, sizeof(o_errormsg), OCI_HTYPE_ERROR); - //database: oracle_error: ORA-01017: invalid username/password; logon denied - //database: oracle_error: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor - //database: oracle_error: ORA-28000: the account is locked - //Failed login attempts is set to 10 by default + // database: oracle_error: ORA-01017: invalid username/password; logon + // denied database: oracle_error: ORA-12514: TNS:listener does not currently + // know of service requested in connect descriptor database: oracle_error: + // ORA-28000: the account is locked Failed login attempts is set to 10 by + // default if (verbose) { hydra_report(stderr, "[VERBOSE] database: oracle_error: %s\n", o_errormsg); } - if (strstr((const char *) o_errormsg, "ORA-12514") != NULL) { - hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to enumerate them.\n"); + if (strstr((const char *)o_errormsg, "ORA-12514") != NULL) { + hydra_report(stderr, "[ERROR] ORACLE SID is not valid, you should try to " + "enumerate them.\n"); hydra_completed_pair(); return 3; } - if (strstr((const char *) 
o_errormsg, "ORA-28000") != NULL) { + if (strstr((const char *)o_errormsg, "ORA-28000") != NULL) { hydra_report(stderr, "[INFO] ORACLE account %s is locked.\n", login); hydra_completed_pair_skip(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 2; } - - if (o_error) { - OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR); + // ORA-28002: the password will expire within 7 days + if (strstr((const char *)o_errormsg, "ORA-28002") != NULL) { + hydra_report(stderr, "[INFO] ORACLE account %s password will expire soon.\n", login); + success = true; } + } - hydra_completed_pair(); - //by default, set in sqlnet.ora, the trace file is generated in pwd to log any errors happening, - //as we don't care, we are deleting the file - //set these parameters to not generate the file - //LOG_DIRECTORY_CLIENT = /dev/null - //LOG_FILE_CLIENT = /dev/null - - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) - return 3; - return 2; - } else { + if (success) { OCILogoff(o_servicecontext, o_error); - if (o_error) { - OCIHandleFree((dvoid *) o_error, OCI_HTYPE_ERROR); - } hydra_report_found_host(port, ip, "oracle", fp); hydra_completed_pair_found(); + } else { + hydra_completed_pair(); + } + if (o_error) { + OCIHandleFree((dvoid *)o_error, OCI_HTYPE_ERROR); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; - return 1; + return success ? 1 : 2; } -void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_ORACLE; 
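Review bot: The restructure moves `OCIHandleFree((dvoid *)o_error, OCI_HTYPE_ERROR)` to a single place at the bottom, but the ORA-12514 `return 3` and the ORA-28000 `return 3`/`return 2` paths above it still return with the error handle allocated, so those branches leak one handle per attempt; either free before each return or record the result code and let them fall through to the shared cleanup. Treating ORA-28002 as a successful logon looks right (OCI reports it as a warning while the session is established, which is why `OCILogoff()` is still valid there), but that is inferred from the message text; testing the `OCILogon()` status for OCI_SUCCESS_WITH_INFO would be more robust than substring-matching `o_errormsg`. `bool success = true;` needs `<stdbool.h>`, and the include this commit adds at the top of the file has its header name lost in this rendering, so confirm that is what it brings in. A short comment above the flag, `// stays true on warning-class results such as ORA-28002 (password expiring)`, would document the intent.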
@@ -141,14 +142,14 @@ void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, return; if ((miscptr == NULL) || (strlen(miscptr) == 0)) { - //SID is required as miscptr + // SID is required as miscptr hydra_report(stderr, "[ERROR] Oracle SID is required, using ORCL as default\n"); miscptr = "ORCL"; } while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if (port != 0) @@ -158,18 +159,24 @@ void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; case 2: next_run = start_oracle(sock, ip, port, options, miscptr, fp); - hydra_child_exit(0); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); + + // by default, set in sqlnet.ora, the trace file is generated in pwd to log + // any errors happening, as we don't care, we are deleting the file set + // these parameters to not generate the file LOG_DIRECTORY_CLIENT = + // /dev/null LOG_FILE_CLIENT = /dev/null unlink("sqlnet.log"); hydra_child_exit(0); return; 
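Review bot: With `hydra_child_exit(0)` dropped from `case 2`, the child now loops back through `case 1`/`case 2` and calls `start_oracle()` repeatedly; the top of the previous hunk shows that function initializing an OCI environment (`OCIEnvInit`) on each call, and no release of that environment handle is visible, so confirm it is reused or freed per iteration, otherwise a long-running child accumulates handles. The relocated comment in `case 3` was reflowed into one run-on paragraph, which loses the meaning of its last lines; keep the two settings on their own lines, e.g. `// set these in sqlnet.ora to not generate the file:` / `//   LOG_DIRECTORY_CLIENT = /dev/null` / `//   LOG_FILE_CLIENT = /dev/null`. The enclosing `while (1)`/`switch (run)` loop begins before and runs past this hunk.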
@@ -183,13 +190,13 @@ void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, #endif -int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -197,6 +204,7 @@ int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *m return 0; } -void usage_oracle(const char* service) { - printf("Module oracle / ora is optionally taking the ORACLE SID, default is \"ORCL\"\n\n"); +void usage_oracle(const char *service) { + printf("Module oracle / ora is optionally taking the ORACLE SID, default is " + "\"ORCL\"\n\n"); } diff --git a/hydra-pcanywhere.c b/hydra-pcanywhere.c index 483e6fd..ea450e1 100644 --- a/hydra-pcanywhere.c +++ b/hydra-pcanywhere.c @@ -1,6 +1,6 @@ -//This plugin was written by +// This plugin was written by // -//PC-Anywhere authentication protocol test on Symantec PC-Anywhere 10.5 +// PC-Anywhere authentication protocol test on Symantec PC-Anywhere 10.5 // // no memleaks found on 110425 @@ -71,7 +71,6 @@ void pca_encrypt(char *cleartxt) { passwd[strlen(passwd)] = '\0'; strcpy(cleartxt, passwd); } - } void pca_decrypt(char *password) { @@ -92,7 +91,7 @@ void debugprintf(char *msg) { printf("debug: %s\n", msg); } -int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; char buffer[2048] = ""; 
@@ -119,7 +118,6 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option server[3] = "Enter login name"; server[4] = "denying connection"; - if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) @@ -158,13 +156,15 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option if (i == 0 || i == 3) clean_buffer(buffer, ret); - if (debug) show_buffer(buffer, ret); + if (debug) + show_buffer(buffer, ret); if (i == 2) { clean_buffer(buffer, ret); buffer[sizeof(buffer) - 1] = 0; if (strstr(buffer, server[i + 2]) != NULL) { - fprintf(stderr, "[ERROR] PC Anywhere host denying connection because you have requested a lower encrypt level\n"); + fprintf(stderr, "[ERROR] PC Anywhere host denying connection because " + "you have requested a lower encrypt level\n"); return 3; } } @@ -224,7 +224,7 @@ int32_t start_pcanywhere(int32_t s, char *ip, int32_t port, unsigned char option return 1; } -void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_PCANYWHERE, mysslport = PORT_PCANYWHERE_SSL; @@ -233,9 +233,8 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp return; while (1) { - switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); usleepn(275); 
@@ -251,7 +250,8 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp port = mysslport; } if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -278,13 +278,13 @@ void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscp } } -int32_t service_pcanywhere_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_pcanywhere_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-pcnfs.c b/hydra-pcnfs.c index dc9e41a..3f9a963 100644 --- a/hydra-pcnfs.c +++ b/hydra-pcnfs.c @@ -5,11 +5,11 @@ extern char *HYDRA_EXIT; char *buf; -#define LEN_HDR_RPC 24 -#define LEN_AUTH_UNIX 72+12 +#define LEN_HDR_RPC 24 +#define LEN_AUTH_UNIX 72 + 12 /* RPC common hdr */ -struct rpc_hdr { /* 24 */ +struct rpc_hdr { /* 24 */ unsigned long xid; unsigned long type_msg; unsigned long version_rpc; 
@@ -29,11 +29,11 @@ struct pr_auth_args { char comments[255]; }; -#define LEN_HDR_PCN_AUTH sizeof(struct pr_auth_args) +#define LEN_HDR_PCN_AUTH sizeof(struct pr_auth_args) /* Lets start ... */ -int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[LEN_HDR_RPC + LEN_AUTH_UNIX + LEN_HDR_PCN_AUTH]; char *ptr, *pkt = buffer; @@ -51,22 +51,24 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch memset(pkt, 0, sizeof(buffer)); - rpch = (struct rpc_hdr *) (pkt); - authp = (unsigned long *) (pkt + LEN_HDR_RPC); - prh = (struct pr_auth_args *) (pkt + LEN_HDR_RPC + LEN_AUTH_UNIX); + rpch = (struct rpc_hdr *)(pkt); + authp = (unsigned long *)(pkt + LEN_HDR_RPC); + prh = (struct pr_auth_args *)(pkt + LEN_HDR_RPC + LEN_AUTH_UNIX); rpch->xid = htonl(0x32544843); rpch->type_msg = htonl(0); rpch->version_rpc = htonl(2); rpch->prog_id = htonl(150001); rpch->prog_ver = htonl(2); - rpch->prog_proc = htonl(13); /* PCNFSD_PROC_PRAUTH */ + rpch->prog_proc = htonl(13); /* PCNFSD_PROC_PRAUTH */ prh->len_clnt = htonl(63); prh->len_id = htonl(31); prh->len_passwd = htonl(63); prh->len_comments = htonl(254); - strcpy(prh->comments, " Hydra - THC password cracker - visit https://github.com/vanhauser-thc/thc-hydra - use only allowed for legal purposes "); + strcpy(prh->comments, " Hydra - THC password cracker - visit " + "https://github.com/vanhauser-thc/thc-hydra - use only " + "allowed for legal purposes "); strcpy(prh->name, "localhost"); ptr = prh->id; 
@@ -82,16 +84,16 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch } *ptr = 0; - gettimeofday(&tv, (struct timezone *) NULL); - *(authp) = htonl(1); /* auth unix */ - *(++authp) = htonl(LEN_AUTH_UNIX - 16); /* length auth */ - *(++authp) = htonl(tv.tv_sec); /* local time */ - *(++authp) = htonl(9); /* length host */ - strcpy((char *) ++authp, "localhost"); /* hostname */ - authp += (3); /* len(host)%4 */ - *(authp) = htonl(0); /* uid root */ - *(++authp) = htonl(0); /* gid root */ - *(++authp) = htonl(9); /* 9 gid grps */ + gettimeofday(&tv, (struct timezone *)NULL); + *(authp) = htonl(1); /* auth unix */ + *(++authp) = htonl(LEN_AUTH_UNIX - 16); /* length auth */ + *(++authp) = htonl(tv.tv_sec); /* local time */ + *(++authp) = htonl(9); /* length host */ + strcpy((char *)++authp, "localhost"); /* hostname */ + authp += (3); /* len(host)%4 */ + *(authp) = htonl(0); /* uid root */ + *(++authp) = htonl(0); /* gid root */ + *(++authp) = htonl(9); /* 9 gid grps */ /* group root, bin, daemon, sys, adm, disk, wheel, floppy, "user gid" */ *(++authp) = htonl(0); *(++authp) = htonl(1); @@ -113,7 +115,7 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch return 1; } -/* analyze the output */ + /* analyze the output */ if (buf[2] != 'g' || buf[5] != 32) { fprintf(stderr, "[ERROR] RPC answer status : bad proc/version/auth\n"); free(buf); @@ -136,7 +138,7 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch return 1; } -void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; hydra_register_socket(sp); 
@@ -155,22 +157,23 @@ void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, F while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((sock = hydra_connect_udp(ip, port)) < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((sock = hydra_connect_udp(ip, port)) < 0) { + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); } - case 2: /* run the cracking function */ + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_pcnfs(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); @@ -183,13 +186,13 @@ void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, F } } -int32_t service_pcnfs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_pcnfs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-pop3.c b/hydra-pop3.c index fe07eed..3671a95 100644 --- a/hydra-pop3.c +++ b/hydra-pop3.c 
@@ -1,12 +1,12 @@ #include "hydra-mod.h" #include "sasl.h" -//openssl s_client -starttls pop3 -crlf -connect 192.168.0.10:110 +// openssl s_client -starttls pop3 -crlf -connect 192.168.0.10:110 typedef struct pool_str { char ip[36]; - /* int32_t port;*/// not needed + /* int32_t port;*/ // not needed int32_t pop3_auth_mechanism; int32_t disable_tls; struct pool_str *next; @@ -18,7 +18,7 @@ char apop_challenge[300] = ""; pool *plist = NULL, *p = NULL; /* functions */ -int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); pool *list_create(pool data) { pool *p; @@ -27,7 +27,7 @@ pool *list_create(pool data) { return NULL; memcpy(p->ip, data.ip, 36); - //p->port = data.port; + // p->port = data.port; p->pop3_auth_mechanism = data.pop3_auth_mechanism; p->disable_tls = data.disable_tls; p->next = NULL; @@ -40,7 +40,7 @@ pool *list_insert(pool data) { newnode = list_create(data); newnode->next = plist; - plist = newnode->next; // to be sure! + plist = newnode->next; // to be sure! return newnode; } @@ -59,7 +59,7 @@ pool *list_find(char *ip) { /* how to know when to release the mem ? -> well, after _start has determined which pool number it is */ -int32_t list_remove(pool * node) { +int32_t list_remove(pool *node) { pool *save, *list = plist; int32_t ok = -1; 
@@ -88,18 +88,18 @@ char *pop3_read_server_capacity(int32_t sock) { free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { + /* + exchange capa: -/* -exchange capa: + +OK + UIDL + STLS -+OK -UIDL -STLS - -*/ + */ if (strstr(buf, "\r\n.\r\n") != NULL && buf[0] == '+') { resp = 1; - /* we got the capability info then get the completed warning info from server */ + /* we got the capability info then get the completed warning info from + * server */ while (hydra_data_ready(sock)) { free(buf); buf = hydra_receive_line(sock); @@ -109,7 +109,7 @@ STLS buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; - if (*(ptr) == '.' || *(ptr) == '-') + if (buf[strlen(buf) - 1] == '.' || *(ptr) == '.' || *(ptr) == '-') resp = 1; } } @@ -117,8 +117,8 @@ STLS return buf; } -int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - char *empty = "\"\""; +int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = "\"\"", *result = NULL; char *login, *pass, buffer[500], buffer2[500], *fooptr; if (strlen(login = hydra_get_next_login()) == 0) 
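Review bot: The added `buf[strlen(buf) - 1] == '.'` test in pop3_read_server_capacity indexes before the buffer whenever the two strips just above it have reduced buf to an empty string (a bare `"\n"` line does that), the same out-of-bounds read the existing `'\r'` check already has; guard it with `strlen(buf) > 0 &&`, unless the hidden lines between the two hunks already check the length. The other two operands compare `*(ptr)`, but ptr was pointed at the first response before the loop while the loop frees and reassigns `buf` on every iteration, so unless those hidden lines re-point ptr this dereferences freed memory — if the intent is the current line, `buf[0]` is the value to test. The `hydra_receive_line` result inside the loop also does not appear to be NULL-checked before the strips, though that code is outside the visible hunk. pop3_read_server_capacity starts before this hunk and returns after it.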
@@ -134,235 +134,234 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha switch (p->pop3_auth_mechanism) { #ifdef LIBOPENSSL - case AUTH_APOP:{ - MD5_CTX c; - unsigned char md5_raw[MD5_DIGEST_LENGTH]; - int32_t i; - char *pbuffer = buffer2; + case AUTH_APOP: { + MD5_CTX c; + unsigned char md5_raw[MD5_DIGEST_LENGTH]; + int32_t i; + char *pbuffer = buffer2; - MD5_Init(&c); - MD5_Update(&c, apop_challenge, strlen(apop_challenge)); - MD5_Update(&c, pass, strlen(pass)); - MD5_Final(md5_raw, &c); + MD5_Init(&c); + MD5_Update(&c, apop_challenge, strlen(apop_challenge)); + MD5_Update(&c, pass, strlen(pass)); + MD5_Final(md5_raw, &c); - for (i = 0; i < MD5_DIGEST_LENGTH; i++) { - sprintf(pbuffer, "%02x", md5_raw[i]); - pbuffer += 2; - } - sprintf(buffer, "APOP %s %s\r\n", login, buffer2); + for (i = 0; i < MD5_DIGEST_LENGTH; i++) { + sprintf(pbuffer, "%02x", md5_raw[i]); + pbuffer += 2; } - break; + sprintf(buffer, "APOP %s %s\r\n", login, buffer2); + } break; #endif - case AUTH_LOGIN:{ - sprintf(buffer, "AUTH LOGIN\r\n"); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - if ((buf = hydra_receive_line(s)) == NULL) - return 4; - if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); - free(buf); - return 3; - } - free(buf); - strcpy(buffer2, login); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - - sprintf(buffer, "%.250s\r\n", buffer2); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - if ((buf = hydra_receive_line(s)) == NULL) - return 4; - - if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); - free(buf); - return 3; - } - free(buf); - strcpy(buffer2, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%.250s\r\n", buffer2); + case AUTH_LOGIN: { + sprintf(buffer, "AUTH LOGIN\r\n"); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; } - 
break; - - case AUTH_PLAIN:{ - sprintf(buffer, "AUTH PLAIN\r\n"); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - if ((buf = hydra_receive_line(s)) == NULL) - return 4; - if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf); - free(buf); - return 3; - } + if ((buf = hydra_receive_line(s)) == NULL) + return 4; + if (buf[0] != '+') { + hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); free(buf); - - memset(buffer, 0, sizeof(buffer)); - sasl_plain(buffer, login, pass); - - char tmp_buffer[sizeof(buffer)]; - sprintf(tmp_buffer, "%.250s\r\n", buffer); - strcpy(buffer, tmp_buffer); + return 3; } - break; + free(buf); + strcpy(buffer2, login); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + + sprintf(buffer, "%.250s\r\n", buffer2); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + if ((buf = hydra_receive_line(s)) == NULL) + return 4; + + if (buf[0] != '+') { + hydra_report(stderr, "[ERROR] POP3 LOGIN AUTH : %s\n", buf); + free(buf); + return 3; + } + free(buf); + strcpy(buffer2, pass); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%.250s\r\n", buffer2); + } break; + + case AUTH_PLAIN: { + sprintf(buffer, "AUTH PLAIN\r\n"); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + if ((buf = hydra_receive_line(s)) == NULL) + return 4; + if (buf[0] != '+') { + hydra_report(stderr, "[ERROR] POP3 PLAIN AUTH : %s\n", buf); + free(buf); + return 3; + } + free(buf); + + memset(buffer, 0, sizeof(buffer)); + result = sasl_plain(buffer, login, pass); + if (result == NULL) + return 3; + + char tmp_buffer[sizeof(buffer)]; + sprintf(tmp_buffer, "%.250s\r\n", buffer); + strcpy(buffer, tmp_buffer); + } break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: case AUTH_CRAMSHA1: - case AUTH_CRAMSHA256:{ - int32_t rc = 0; - char *preplogin; + case AUTH_CRAMSHA256: { + int32_t rc = 0; + char *preplogin; - rc = 
sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - if (rc) { - return 3; - } + rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + if (rc) { + return 3; + } + switch (p->pop3_auth_mechanism) { + case AUTH_CRAMMD5: + sprintf(buffer, "AUTH CRAM-MD5\r\n"); + break; + case AUTH_CRAMSHA1: + sprintf(buffer, "AUTH CRAM-SHA1\r\n"); + break; + case AUTH_CRAMSHA256: + sprintf(buffer, "AUTH CRAM-SHA256\r\n"); + break; + } + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + // get the one-time BASE64 encoded challenge + + if ((buf = hydra_receive_line(s)) == NULL) + return 4; + if (buf[0] != '+') { switch (p->pop3_auth_mechanism) { case AUTH_CRAMMD5: - sprintf(buffer, "AUTH CRAM-MD5\r\n"); + hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: - sprintf(buffer, "AUTH CRAM-SHA1\r\n"); + hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: - sprintf(buffer, "AUTH CRAM-SHA256\r\n"); + hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf); break; } - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - //get the one-time BASE64 encoded challenge - - if ((buf = hydra_receive_line(s)) == NULL) - return 4; - if (buf[0] != '+') { - switch (p->pop3_auth_mechanism) { - case AUTH_CRAMMD5: - hydra_report(stderr, "[ERROR] POP3 CRAM-MD5 AUTH : %s\n", buf); - break; - case AUTH_CRAMSHA1: - hydra_report(stderr, "[ERROR] POP3 CRAM-SHA1 AUTH : %s\n", buf); - break; - case AUTH_CRAMSHA256: - hydra_report(stderr, "[ERROR] POP3 CRAM-SHA256 AUTH : %s\n", buf); - break; - } - free(buf); - return 3; - } - - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf + 2); free(buf); - - memset(buffer2, 0, sizeof(buffer2)); - - switch (p->pop3_auth_mechanism) { - case AUTH_CRAMMD5:{ - sasl_cram_md5(buffer2, pass, buffer); - sprintf(buffer, "%s %.250s", preplogin, buffer2); - } - break; - case AUTH_CRAMSHA1:{ - sasl_cram_sha1(buffer2, pass, 
buffer); - sprintf(buffer, "%s %.250s", preplogin, buffer2); - } - break; - case AUTH_CRAMSHA256:{ - sasl_cram_sha256(buffer2, pass, buffer); - sprintf(buffer, "%s %.250s", preplogin, buffer2); - } - break; - } - hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); - - char tmp_buffer[sizeof(buffer)]; - sprintf(tmp_buffer, "%.250s\r\n", buffer); - strcpy(buffer, tmp_buffer); - free(preplogin); + return 3; } - break; - case AUTH_DIGESTMD5:{ - sprintf(buffer, "AUTH DIGEST-MD5\r\n"); + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf + 2); + free(buf); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - //receive - if ((buf = hydra_receive_line(s)) == NULL) - return 4; - if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] POP3 DIGEST-MD5 AUTH : %s\n", buf); - free(buf); + memset(buffer2, 0, sizeof(buffer2)); + + switch (p->pop3_auth_mechanism) { + case AUTH_CRAMMD5: { + result = sasl_cram_md5(buffer2, pass, buffer); + if (result == NULL) return 3; - } - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf); + sprintf(buffer, "%s %.250s", preplogin, buffer2); + } break; + case AUTH_CRAMSHA1: { + result = sasl_cram_sha1(buffer2, pass, buffer); + if (result == NULL) + return 3; + sprintf(buffer, "%s %.250s", preplogin, buffer2); + } break; + case AUTH_CRAMSHA256: { + result = sasl_cram_sha256(buffer2, pass, buffer); + if (result == NULL) + return 3; + sprintf(buffer, "%s %.250s", preplogin, buffer2); + } break; + } + hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer)); + + char tmp_buffer[sizeof(buffer)]; + sprintf(tmp_buffer, "%.250s\r\n", buffer); + strcpy(buffer, tmp_buffer); + free(preplogin); + } break; + + case AUTH_DIGESTMD5: { + sprintf(buffer, "AUTH DIGEST-MD5\r\n"); + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + // receive + if ((buf = hydra_receive_line(s)) == NULL) + return 4; + if (buf[0] != '+') { + hydra_report(stderr, "[ERROR] POP3 
DIGEST-MD5 AUTH : %s\n", buf); free(buf); - - if (debug) - hydra_report(stderr, "[DEBUG] S: %s\n", buffer); - - fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL); - if (fooptr == NULL) - return 3; - - if (debug) - hydra_report(stderr, "[DEBUG] C: %s\n", buffer2); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%s\r\n", buffer2); + return 3; } - break; + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf); + free(buf); + + if (debug) + hydra_report(stderr, "[DEBUG] S: %s\n", buffer); + + fooptr = buffer2; + result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL); + if (result == NULL) + return 3; + + if (debug) + hydra_report(stderr, "[DEBUG] C: %s\n", buffer2); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%s\r\n", buffer2); + } break; #endif - case AUTH_NTLM:{ - unsigned char buf1[4096]; - unsigned char buf2[4096]; + case AUTH_NTLM: { + unsigned char buf1[4096]; + unsigned char buf2[4096]; - //Send auth request - sprintf(buffer, "AUTH NTLM\r\n"); + // Send auth request + sprintf(buffer, "AUTH NTLM\r\n"); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - //receive - if ((buf = hydra_receive_line(s)) == NULL) - return 4; - if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf); - free(buf); - return 3; - } + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + // receive + if ((buf = hydra_receive_line(s)) == NULL) + return 4; + if (buf[0] != '+') { + hydra_report(stderr, "[ERROR] POP3 NTLM AUTH : %s\n", buf); free(buf); - //send auth and receive challenge - //send auth request: lst the server send it's own hostname and domainname - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); - - sprintf(buffer, "%s\r\n", buf1); - if (hydra_send(s, 
buffer, strlen(buffer), 0) < 0) - return 1; - if ((buf = hydra_receive_line(s)) == NULL || strlen(buf) < 6) - return 4; - - //recover challenge - from64tobits((char *) buf1, buf + 2); - free(buf); - - //Send response - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - - sprintf(buffer, "%s\r\n", buf1); + return 3; } - break; + free(buf); + // send auth and receive challenge + // send auth request: lst the server send it's own hostname and domainname + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); + + sprintf(buffer, "%s\r\n", buf1); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + if ((buf = hydra_receive_line(s)) == NULL || strlen(buf) < 6) + return 4; + + // recover challenge + from64tobits((char *)buf1, buf + 2); + free(buf); + + // Send response + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + + sprintf(buffer, "%s\r\n", buf1); + } break; default: sprintf(buffer, "USER %.250s\r\n", login); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { @@ -413,11 +412,11 @@ int32_t start_pop3(int32_t s, char *ip, int32_t port, unsigned char options, cha return 2; } -void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; char *ptr = NULL; - //extract data from the pool, ip is the key + // extract data from the pool, ip is the key if (plist == NULL) if (service_pop3_init(ip, sp, options, miscptr, fp, port, hostname) != 0) hydra_child_exit(2); 
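Review bot: The three new `if (result == NULL) return 3;` exits inside the CRAM inner switch return after `sasl_saslprep` has allocated `preplogin`, and only the success path reaches `free(preplogin)`, so every failed challenge response now leaks it; make each of them `if (result == NULL) { free(preplogin); return 3; }`. The pre-existing `return 1`, `return 4` and `return 3` exits between the saslprep call and the inner switch have the same leak, so a single cleanup path for this case (set a return code and break) would fix all of them at once. Checking `result` instead of the always-non-NULL `fooptr` in the DIGEST-MD5 branch is the right fix for the dead check there. start_pop3 begins before this hunk and its default/USER path continues after it.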
@@ -433,10 +432,9 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; - while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); @@ -448,11 +446,11 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); - if (buf == NULL || buf[0] != '+') { /* check the first line */ + if (buf == NULL || buf[0] != '+') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf); hydra_child_exit(2); @@ -470,11 +468,13 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI #ifdef LIBOPENSSL if (!p->disable_tls) { - /* check for STARTTLS, if available we may have access to more basic auth methods */ + /* check for STARTTLS, if available we may have access to more basic + * auth methods */ hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0); buf = hydra_receive_line(sock); if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n"); + hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer " + "received from STARTTLS request\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1)) { 
@@ -491,15 +491,15 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_pop3(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; - case 4: /* clean exit */ + case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); @@ -512,8 +512,7 @@ void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } - -int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t myport = PORT_POP3, mysslport = PORT_POP3_SSL; char *ptr = NULL; int32_t sock = -1; @@ -523,6 +522,7 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis p.pop3_auth_mechanism = AUTH_CLEAR; p.disable_tls = 1; + p.next = NULL; memcpy(p.ip, ip, 36); if ((options & OPTION_SSL) == 0) { @@ -536,11 +536,11 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] pid %d terminating, can not connect\n", (int32_t)getpid()); return -1; } buf = hydra_receive_line(sock); - if (buf == NULL || buf[0] != '+') { /* check the first line */ + if (buf == NULL || buf[0] != '+') { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an POP3 protocol or service shutdown: %s\n", buf); return -1; 
@@ -574,7 +574,7 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis int32_t i; for (i = 0; i < strlen(miscptr); i++) - miscptr[i] = (char) toupper((int32_t) miscptr[i]); + miscptr[i] = (char)toupper((int32_t)miscptr[i]); if (strstr(miscptr, "TLS") || strstr(miscptr, "SSL") || strstr(miscptr, "STARTTLS")) { p.disable_tls = 0; @@ -583,13 +583,15 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis #ifdef LIBOPENSSL if (!p.disable_tls) { - /* check for STARTTLS, if available we may have access to more basic auth methods */ + /* check for STARTTLS, if available we may have access to more basic auth + * methods */ if (strstr(buf, "STLS") != NULL) { hydra_send(sock, "STLS\r\n", strlen("STLS\r\n"), 0); free(buf); buf = hydra_receive_line(sock); if (buf[0] != '+') { - hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n"); + hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer " + "received from STARTTLS request\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1)) { @@ -615,16 +617,16 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis } } } else - hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n"); + hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not " + "supported by the server\n"); } #endif if (hydra_send(sock, quit_str, strlen(quit_str), 0) < 0) { - //we don't care if the server is not receiving the quit msg + // we don't care if the server is not receiving the quit msg } hydra_disconnect(sock); - if (verbose) hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf); 
@@ -647,7 +649,8 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis which are supported. */ - /* which mean threre will *always* have a space before the LOGIN auth keyword */ + /* which mean threre will *always* have a space before the LOGIN auth keyword + */ if ((strstr(buf, " LOGIN") == NULL) && (strstr(buf, "NTLM") != NULL)) { p.pop3_auth_mechanism = AUTH_NTLM; } @@ -687,12 +690,10 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis #else p.pop3_auth_mechanism = AUTH_CLEAR; #endif - } free(buf); if ((miscptr != NULL) && (strlen(miscptr) > 0)) { - if (strstr(miscptr, "CLEAR")) p.pop3_auth_mechanism = AUTH_CLEAR; @@ -721,7 +722,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis if (strstr(miscptr, "NTLM")) p.pop3_auth_mechanism = AUTH_NTLM; - } if (verbose) { @@ -764,7 +764,6 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis case AUTH_NTLM: hydra_report(stderr, "[VERBOSE] using POP3 NTLM AUTH mechanism\n"); break; - } } @@ -776,8 +775,11 @@ int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *mis return 0; } -void usage_pop3(const char* service) { +void usage_pop3(const char *service) { printf("Module pop3 is optionally taking one authentication type of:\n" " CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" - " CRAM-SHA256, DIGEST-MD5, NTLM.\n" "Additionally TLS encryption via STLS can be enforced with the TLS option.\n\n" "Example: pop3://target/TLS:PLAIN\n"); + " CRAM-SHA256, DIGEST-MD5, NTLM.\n" + "Additionally TLS encryption via STLS can be enforced with the TLS " + "option.\n\n" + "Example: pop3://target/TLS:PLAIN\n"); } diff --git a/hydra-postgres.c b/hydra-postgres.c index 0be1363..3b2cac9 100644 --- a/hydra-postgres.c +++ b/hydra-postgres.c 
@@ -1,26 +1,25 @@ /* - * PostgresSQL Support - by Diaul (at) devilopers.org + * PostgresSQL Support - by Diaul (at) devilopers.org + * * - * * 110425 no obvious memleaks found */ #include "hydra-mod.h" #ifndef LIBPOSTGRES -void dummy_postgres() { - printf("\n"); -} +void dummy_postgres() { printf("\n"); } #else -#include "libpq-fe.h" // Postgres connection functions +#include "libpq-fe.h" // Postgres connection functions #include #define DEFAULT_DB "template1" +extern hydra_option hydra_options; extern char *HYDRA_EXIT; -int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; char database[256]; @@ -42,8 +41,7 @@ int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, * Building the connection string */ - - snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), database, login, pass); + snprintf(connection_string, sizeof(connection_string), "host = '%s' port = '%d' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), port, database, login, pass); if (verbose) hydra_report(stderr, "connection string: %s\n", connection_string); @@ -65,7 +63,7 @@ int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, return 1; } -void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_POSTGRES, mysslport = PORT_POSTGRES_SSL; 
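Review bot: In the -42 hunk the new connection string still splices `database`, `login` and `pass` into single-quoted conninfo values with no escaping, so a candidate password (or database name) containing `'` or `\` is misparsed by libpq instead of being tested. libpq's `PQconnectdbParams()` takes parallel keyword/value arrays and needs no quoting at all; the PQconnectdb call itself is outside this hunk, so I can only suggest the switch rather than quote it. The context line that follows, `hydra_report(stderr, "connection string: %s\n", connection_string);`, writes the password to stderr in verbose mode — logging the string without the `password = '%s'` part would avoid leaving credentials in captured output. start_postgres begins before this hunk and continues past it.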
@@ -74,12 +72,11 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr return; while (1) { - switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(275); + // usleepn(275); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; @@ -92,16 +89,19 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr port = mysslport; } if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; case 2: /* - * Here we start the password cracking process + * Here we start the password cracking process */ next_run = start_postgres(sock, ip, port, options, miscptr, fp); + if ((next_run == 2 || next_run == 1) && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: if (sock >= 0) @@ -118,13 +118,13 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr #endif -int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
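Review bot: In the -92 hunk the added `sleep(hydra_options.conwait)` fires for both return values of start_postgres, yet the switch gives them different meanings — 1 re-enters `case 1` and reconnects, 2 appears to re-run `case 2` on the same socket — and nothing at the call site says the delay is meant for both; a comment such as `// conwait throttles both reconnects (1) and retries on the same socket (2)` would stop a later reader from "fixing" it. `sleep()` takes an unsigned int in whole seconds, and the type of `hydra_options.conwait` is not visible here, so if it is signed a negative value turns into a very long sleep — a `> 0` test instead of the truthiness check is cheap if the option is not validated where it is parsed. service_postgres begins before this hunk and ends after it.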
@@ -132,6 +132,7 @@ int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char return 0; } -void usage_postgres(const char* service) { - printf("Module postgres is optionally taking the database to attack, default is \"template1\"\n\n"); +void usage_postgres(const char *service) { + printf("Module postgres is optionally taking the database to attack, default " + "is \"template1\"\n\n"); } diff --git a/hydra-radmin2.c b/hydra-radmin2.c index e72c838..bc6b461 100644 --- a/hydra-radmin2.c +++ b/hydra-radmin2.c 
@@ -7,42 +7,42 @@ extern char *HYDRA_EXIT; -//RAdmin 2.x +// RAdmin 2.x struct rmessage { - uint8_t magic; //Indicates version, probably? - uint32_t length; //Total message size of data. - uint32_t checksum; //Checksum from type to end of data. - uint8_t type; //Command type, table below. - unsigned char data[32]; //data to be sent. + uint8_t magic; // Indicates version, probably? + uint32_t length; // Total message size of data. + uint32_t checksum; // Checksum from type to end of data. + uint8_t type; // Command type, table below. + unsigned char data[32]; // data to be sent. }; /* * Usage: sum = checksum(message); - * Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment. - * Example message (big endian): - * [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) - * Sum: is 0f43d461 (big endian) + * Function: Returns a 4 byte little endian sum of the messages typecode+data. + * This data is zero padded for alignment. Example message (big endian): + * [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 + * 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) Sum: is 0f43d461 (big endian) */ uint32_t checksum(struct rmessage *msg) { int32_t blen; uint8_t *stream; uint32_t sum; - blen = msg->length; //Get the real length. + blen = msg->length; // Get the real length. blen += (4 - (blen % 4)); - //Allocate a worksapce. + // Allocate a worksapce. stream = calloc(blen, sizeof(uint8_t)); memcpy(stream, &msg->type, sizeof(uint8_t)); - memcpy(stream+1, msg->data, blen-1); + memcpy(stream + 1, msg->data, blen - 1); sum = 0; - for(blen -= sizeof(uint32_t); blen > 0; blen -= sizeof(uint32_t)) { + for (blen -= sizeof(uint32_t); blen > 0; blen -= sizeof(uint32_t)) { sum += *(uint32_t *)(stream + blen); } sum += *(uint32_t *)stream; - //Free the workspace. + // Free the workspace. free(stream); return sum; 
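Review bot: `memcpy(stream + 1, msg->data, blen - 1);` copies `blen - 1` bytes out of the 32-byte `data` array after `blen` has already been rounded up from `msg->length`: for the 0x21 length that buffer2message accepts, `blen` is 36 and 35 bytes are read from a 32-byte field, three past the end of the struct. The copy should be bounded by the message rather than the padded workspace, e.g. `memcpy(stream + 1, msg->data, msg->length - 1);` with `msg->length` checked to lie between 1 and `sizeof(msg->data) + 1` before the allocation. `blen += (4 - (blen % 4));` also adds a full four bytes when the length is already a multiple of four, and the `calloc` result is never checked before it is written. The sum is accumulated through host-order `uint32_t` loads, so the header comment's "little endian" claim only holds on little-endian hosts; worth a hedge in that comment.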
@@ -50,7 +50,8 @@ uint32_t checksum(struct rmessage *msg) { /* * Usage: challenge_request(message); - * Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate. + * Function: Modifies message to reflect a request for a challenge. Updates the + * checksum as appropriate. */ void challenge_request(struct rmessage *msg) { msg->magic = 0x01; @@ -61,7 +62,8 @@ void challenge_request(struct rmessage *msg) { /* * Usage: challenge_request(message); - * Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate. + * Function: Modifies message to reflect a response to a challenge. Updates the + * checksum as appropriate. */ void challenge_response(struct rmessage *msg, unsigned char *solution) { msg->magic = 0x01; 
@@ -72,46 +74,47 @@ void challenge_response(struct rmessage *msg, unsigned char *solution) { } /* - * Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer) - * Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit. + * Usage: buffer = message2buffer(message); send(buffer, message->length + 10); + * free(buffer) Function: Allocates a buffer for transmission and fills the + * buffer with message data such that it is ready to transmit. */ -//TODO: conver to a sendMessage() function? +// TODO: conver to a sendMessage() function? char *message2buffer(struct rmessage *msg) { char *data; - if(msg == NULL) { + if (msg == NULL) { hydra_report(stderr, "rmessage is null\n"); hydra_child_exit(0); return NULL; } - switch(msg->type) { - case 0x1b: //Challenge request - data = (char *)calloc (10, sizeof(char)); - if(data == NULL) { - hydra_report(stderr, "calloc failure\n"); - hydra_child_exit(0); - } - memcpy(data, &msg->magic, sizeof(char)); - *((int32_t *)(data+1)) = htonl(msg->length); - *((int32_t *)(data+5)) = htonl(msg->checksum); - memcpy((data+9), &msg->type, sizeof(char)); - break; - case 0x09: - data = (char *)calloc (42, sizeof(char)); - if(data == NULL) { - hydra_report(stderr, "calloc failure\n"); - hydra_child_exit(0); - } - memcpy(data, &msg->magic, sizeof(char)); - *((int32_t *)(data+1)) = htonl(msg->length); - *((int32_t *)(data+5)) = htonl(msg->checksum); - memcpy((data+9), &msg->type, sizeof(char)); - memcpy((data+10), msg->data, sizeof(char) * 32); - break; - default: - hydra_report(stderr, "unknown rmessage type\n"); + switch (msg->type) { + case 0x1b: // Challenge request + data = (char *)calloc(10, sizeof(char)); + if (data == NULL) { + hydra_report(stderr, "calloc failure\n"); hydra_child_exit(0); - return NULL; + } + memcpy(data, &msg->magic, sizeof(char)); + *((int32_t *)(data + 1)) = htonl(msg->length); + *((int32_t *)(data + 5)) = htonl(msg->checksum); 
+ memcpy((data + 9), &msg->type, sizeof(char)); + break; + case 0x09: + data = (char *)calloc(42, sizeof(char)); + if (data == NULL) { + hydra_report(stderr, "calloc failure\n"); + hydra_child_exit(0); + } + memcpy(data, &msg->magic, sizeof(char)); + *((int32_t *)(data + 1)) = htonl(msg->length); + *((int32_t *)(data + 5)) = htonl(msg->checksum); + memcpy((data + 9), &msg->type, sizeof(char)); + memcpy((data + 10), msg->data, sizeof(char) * 32); + break; + default: + hydra_report(stderr, "unknown rmessage type\n"); + hydra_child_exit(0); + return NULL; } return data; } @@ -119,12 +122,12 @@ char *message2buffer(struct rmessage *msg) { struct rmessage *buffer2message(char *buffer) { struct rmessage *msg; msg = calloc(1, sizeof(struct rmessage)); - if(msg == NULL) { + if (msg == NULL) { hydra_report(stderr, "calloc failure\n"); hydra_child_exit(0); } - //Start parsing... + // Start parsing... msg->magic = buffer[0]; buffer += sizeof(char); msg->length = ntohl(*((uint32_t *)(buffer))); 
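Review bot: In both `case` arms the `if (data == NULL)` branch calls `hydra_child_exit(0)` and then falls straight into `memcpy(data, ...)`, whereas the `msg == NULL` and `default` branches of the same function put `return NULL;` after the exit call. I cannot see hydra_child_exit's definition from here; if it can ever return, the calloc-failure paths dereference NULL, and adding `return NULL;` after each `hydra_child_exit(0);` makes the three error paths consistent either way. The `*((int32_t *)(data + 1)) = htonl(...)` stores write a 32-bit value at odd offsets into a `char` buffer; that is the existing wire layout, but a `memcpy` of the converted value avoids the unaligned store on strict targets. message2buffer begins before this hunk's last line only as far as the hunk shows; its signature is at the hunk start.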
@@ -134,41 +137,38 @@ struct rmessage *buffer2message(char *buffer) { msg->type = buffer[0]; buffer += sizeof(char); - //Verify known fields... - if(msg->magic != 0x01) { + // Verify known fields... + if (msg->magic != 0x01) { hydra_report(stderr, "Bad magic\n"); hydra_child_exit(0); return NULL; } - switch(msg->type) { - case 0x1b: - if(msg->length != 0x21) { - hydra_report(stderr, "Bad length...%08x\n", msg->length); - hydra_child_exit(0); - return NULL; - } - memcpy(msg->data, buffer, 32); - break; - case 0x0a: - //Win! - case 0x0b: - //Lose! - break; - default: - hydra_report(stderr, "unknown rmessage type"); + switch (msg->type) { + case 0x1b: + if (msg->length != 0x21) { + hydra_report(stderr, "Bad length...%08x\n", msg->length); hydra_child_exit(0); return NULL; + } + memcpy(msg->data, buffer, 32); + break; + case 0x0a: + // Win! + case 0x0b: + // Lose! + break; + default: + hydra_report(stderr, "unknown rmessage type"); + hydra_child_exit(0); + return NULL; } return msg; } +int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { return 0; } -int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - return 0; -} - -void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { #ifdef HAVE_GCRYPT int32_t sock = -1; int32_t index; @@ -185,7 +185,7 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, gcry_cipher_hd_t cipher; gcry_md_hd_t md; - if(port != 0) { + if (port != 0) { myport = port; } 
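Review bot: The `default:` arm reports `"unknown rmessage type"` without a trailing newline, while every other hydra_report message in this function (and the same arm in message2buffer) ends in `\n`, so the next line written to stderr is glued onto it; `hydra_report(stderr, "unknown rmessage type\n");`. The early `return NULL;` paths after `hydra_child_exit(0)` also leave the freshly calloc'd `msg` unreleased, which only matters if that call can return, but a `free(msg);` before each of them makes the cleanup explicit. buffer2message's first lines are in the previous hunk.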
@@ -193,14 +193,13 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, memset(buffer, 0x00, sizeof(buffer)); - //Phone the mother ship + // Phone the mother ship hydra_register_socket(sp); - if( memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { return; } - while(1) { - + while (1) { /* Typical conversation goes as follows... 0) connect to server 1) request challenge @@ -210,7 +209,7 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, */ // 0) Connect to the server sock = hydra_connect_tcp(ip, myport); - if(sock < 0) { + if (sock < 0) { hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } 
@@ -220,140 +219,165 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, challenge_request(msg); request = message2buffer(msg); hydra_send(sock, request, 10, 0); - free(msg); + free(msg); free(request); - //2) receive response (working) + // 2) receive response (working) index = 0; - while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request. - switch(hydra_data_ready(sock)) { - case -1: - hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno)); + while (index < 42) { // We're always expecting back a 42 byte buffer from a + // challenge request. + switch (hydra_data_ready(sock)) { + case -1: + hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno)); + hydra_child_exit(1); + break; + case 0: + // keep waiting... + break; + default: + bytecount = hydra_recv(sock, buffer + index, 42 - index); + if (bytecount < 0) { + hydra_report(stderr, + "Error: Child with pid %d terminating, receive " + "error\nerror:\t%s\n", + (int32_t)getpid(), strerror(errno)); hydra_child_exit(1); - break; - case 0: - //keep waiting... - break; - default: - bytecount = hydra_recv(sock, buffer+index, 42 - index); - if(bytecount < 0) { - hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno)); - hydra_child_exit(1); - } - index += bytecount; + } + index += bytecount; } } - //3) Send challenge solution. + // 3) Send challenge solution. - // Get a password to work with. - memset(password, 0x00, sizeof(password)); - memset(encrypted, 0x00, sizeof(encrypted)); + // Get a password to work with. 
+ memset(password, 0x00, sizeof(password)); + memset(encrypted, 0x00, sizeof(encrypted)); hydra_get_next_pair(); - strncpy(password, hydra_get_next_password(), sizeof(password)-1); + strncpy(password, hydra_get_next_password(), sizeof(password) - 1); - //MD5 the password to generate the password key, this is used with twofish below. + // MD5 the password to generate the password key, this is used with twofish + // below. err = gcry_md_open(&md, GCRY_MD_MD5, 0); - if(err) { - hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); + if (err) { + hydra_report(stderr, + "Error: Child with pid %d terminating, gcry_md_open error " + "(%08x)\n%s/%s", + (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); hydra_child_exit(1); } gcry_md_reset(md); gcry_md_write(md, password, 100); - if(gcry_md_read(md, 0) == NULL) { + if (gcry_md_read(md, 0) == NULL) { hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_read error (%08x)\n", (int32_t)getpid(), index); hydra_child_exit(1); } memcpy(rawkey, gcry_md_read(md, 0), 16); gcry_md_close(md); - //3.a) generate a new message from the buffer + // 3.a) generate a new message from the buffer msg = buffer2message(buffer); - //3.b) encrypt data received using pkey & known IV - err= gcry_cipher_open(&cipher, GCRY_CIPHER_TWOFISH128, GCRY_CIPHER_MODE_CBC, 0); - if(err) { - hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); + // 3.b) encrypt data received using pkey & known IV + err = gcry_cipher_open(&cipher, GCRY_CIPHER_TWOFISH128, GCRY_CIPHER_MODE_CBC, 0); + if (err) { + hydra_report(stderr, + "Error: Child with pid %d terminating, gcry_cipher_open " + "error (%08x)\n%s/%s", + (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); hydra_child_exit(1); } err = 
gcry_cipher_setiv(cipher, IV, 16); - if(err) { - hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setiv error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); + if (err) { + hydra_report(stderr, + "Error: Child with pid %d terminating, gcry_cipher_setiv " + "error (%08x)\n%s/%s", + (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); hydra_child_exit(1); } err = gcry_cipher_setkey(cipher, rawkey, 16); - if(err) { - hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setkey error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); + if (err) { + hydra_report(stderr, + "Error: Child with pid %d terminating, gcry_cipher_setkey " + "error (%08x)\n%s/%s", + (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); hydra_child_exit(1); } err = gcry_cipher_encrypt(cipher, encrypted, 32, msg->data, 32); - if(err) { - hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_encrypt error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); + if (err) { + hydra_report(stderr, + "Error: Child with pid %d terminating, gcry_cipher_encrypt " + "error (%08x)\n%s/%s", + (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err)); hydra_child_exit(1); } gcry_cipher_close(cipher); - //3.c) half sum - this is the solution to the challenge. - for(index=0; index < 16; index++) { - *(encrypted+index) += *(encrypted+index+16); + // 3.c) half sum - this is the solution to the challenge. 
+ for (index = 0; index < 16; index++) { + *(encrypted + index) += *(encrypted + index + 16); } - memset((encrypted+16), 0x00, 16); + memset((encrypted + 16), 0x00, 16); - //3.d) send half sum + // 3.d) send half sum challenge_response(msg, encrypted); request = message2buffer(msg); hydra_send(sock, request, 42, 0); free(msg); free(request); - //4) receive auth success/failure + // 4) receive auth success/failure index = 0; - while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request. - switch(hydra_data_ready(sock)) { - case -1: - hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno)); + while (index < 10) { // We're always expecting back a 42 byte buffer from a + // challenge request. + switch (hydra_data_ready(sock)) { + case -1: + hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno)); + hydra_child_exit(1); + break; + case 0: + // keep waiting... + break; + default: + bytecount = hydra_recv(sock, buffer + index, 10 - index); + if (bytecount < 0) { + hydra_report(stderr, + "Error: Child with pid %d terminating, receive " + "error\nerror:\t%s\n", + (int32_t)getpid(), strerror(errno)); hydra_child_exit(1); - break; - case 0: - //keep waiting... 
- break; - default: - bytecount = hydra_recv(sock, buffer+index, 10 - index); - if(bytecount < 0) { - hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno)); - hydra_child_exit(1); - } - index += bytecount; + } + index += bytecount; } } msg = buffer2message(buffer); - switch(msg->type) { - case 0x0a: - hydra_completed_pair_found(); - break; - case 0x0b: - hydra_completed_pair(); - hydra_disconnect(sock); - break; - default: - hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int32_t)getpid()); - hydra_child_exit(2); + switch (msg->type) { + case 0x0a: + hydra_completed_pair_found(); + break; + case 0x0b: + hydra_completed_pair(); + hydra_disconnect(sock); + break; + default: + hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int32_t)getpid()); + hydra_child_exit(2); } + free(msg); } #endif } -int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-rdp.c b/hydra-rdp.c index 8b9394c..0b3c690 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c 
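Review bot: Both receive loops handle `bytecount < 0` but not `bytecount == 0`: if the server closes the connection, hydra_data_ready presumably keeps reporting the socket readable while hydra_recv returns 0, so `index` never advances and the child spins on the socket forever; `if (bytecount <= 0)` with the existing report and `hydra_child_exit(1)` covers the close case in both loops. On the `case 0x0a` path the socket is never disconnected before the loop returns to `hydra_connect_tcp`, unlike `case 0x0b`, so every found pair leaks a descriptor; `hydra_disconnect(sock);` belongs there too, next to the newly added `free(msg);`. The rewrapped comment on the second loop still says `42 byte buffer from a challenge request` although that loop reads 10 bytes — `// the auth result is always a 10 byte message`. `gcry_md_write(md, password, 100)` hashes a fixed 100 bytes of `password` regardless of its length, and the array's size is declared outside this hunk, so it should be confirmed to be at least 100. service_radmin2 begins before this hunk; service_radmin2_init starts inside it and is cut off at the hunk's end.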
@@ -1,2456 +1,58 @@ /* - david: this module is heavily based on rdesktop v 1.7.0 - - rdesktop: A Remote Desktop Protocol client. - Protocol services - RDP layer - Copyright (C) Matthew Chapman 1999-2008 - Copyright 2003-2011 Peter Astrand for Cendio AB - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -note: - -this module was tested on w2k, xp, w2k3, w2k8 - -in terminal services configuration, in rdp-tcp properties -in Logon Settings tab, if 'Always prompt for password' is checked, -the password can't be passed interactively so there is no way -to test the credential (unless manually). - -it's advised to lower the number of parallel tasks as RDP server -can't handle multiple connections at the same time. 
-It's particularly true on windows XP + This module is using freerdp3 lib + Tested on: + - Windows 7 pro SP1 + - Windows 10 pro build 1809 + - Windows Server 2016 build 1607 */ #include "hydra-mod.h" -#ifndef LIBOPENSSL -#include -void dummy_rdp() { - printf("\n"); -} -#else - -#include "rdp.h" +extern hydra_option hydra_options; extern char *HYDRA_EXIT; - -BOOL g_encryption = True; -BOOL g_use_rdp5 = True; -BOOL g_console_session = False; -BOOL g_bitmap_cache = True; -BOOL g_bitmap_cache_persist_enable = False; -BOOL g_bitmap_compression = True; -BOOL g_desktop_save = True; -int32_t g_server_depth = -1; -int32_t os_version = 0; //2000 - -uint32 g_rdp5_performanceflags = RDP5_NO_WALLPAPER | RDP5_NO_FULLWINDOWDRAG | RDP5_NO_MENUANIMATIONS; - -/* Session Directory redirection */ -BOOL g_redirect = False; -uint32 g_redirect_flags = 0; - -uint32 g_reconnect_logonid = 0; -char g_reconnect_random[16]; -BOOL g_has_reconnect_random = False; -uint8 g_client_random[SEC_RANDOM_SIZE]; - -/* - 0 unknown - 1 success - 2 failed -*/ -#define LOGIN_UNKN 0 -#define LOGIN_SUCC 1 -#define LOGIN_FAIL 2 -int32_t login_result = LOGIN_UNKN; - -uint8 *g_next_packet; -uint32 g_rdp_shareid; - -/* Called during redirection to reset the state to support redirection */ -void rdp_reset_state(void) { - g_next_packet = NULL; /* reset the packet information */ - g_rdp_shareid = 0; - sec_reset_state(); -} - -static void rdesktop_reset_state(void) { - rdp_reset_state(); -} - -static RDP_ORDER_STATE g_order_state; - -#define TCP_STRERROR strerror(errno) -#define TCP_BLOCKS (errno == EWOULDBLOCK) - - -#ifndef INADDR_NONE -#define INADDR_NONE ((unsigned long) -1) -#endif - -#define STREAM_COUNT 1 - - -int32_t g_sock; -static struct stream g_in; -static struct stream g_out[STREAM_COUNT]; - -/* wait till socket is ready to write or timeout */ -static BOOL tcp_can_send(int32_t sck, int32_t millis) { - fd_set wfds; - struct timeval time; - int32_t sel_count; - - time.tv_sec = millis / 1000; - time.tv_usec = 
(millis * 1000) % 1000000; - FD_ZERO(&wfds); - FD_SET(sck, &wfds); - sel_count = select(sck + 1, 0, &wfds, 0, &time); - if (sel_count > 0) { - return True; - } - return False; -} - -/* Initialise TCP transport data packet */ -STREAM tcp_init(uint32 maxlen) { - static int32_t cur_stream_id = 0; - STREAM result = NULL; - - result = &g_out[cur_stream_id]; - cur_stream_id = (cur_stream_id + 1) % STREAM_COUNT; - - - if (maxlen > result->size) { - result->data = (uint8 *) xrealloc(result->data, maxlen); - result->size = maxlen; - } - - result->p = result->data; - result->end = result->data; // + result->size; - return result; -} - -/* Send TCP transport data packet */ -void tcp_send(STREAM s) { - int32_t length = s->end - s->data; - int32_t sent, total = 0; - - - while (total < length) { - sent = hydra_send(g_sock, (char *) (s->data + total), length - total, 0); - if (sent <= 0) { - if (sent == -1 && TCP_BLOCKS) { - tcp_can_send(g_sock, 100); - sent = 0; - } else { - if (g_sock && !login_result) - error("send: %s\n", TCP_STRERROR); - return; - } - } - total += sent; - } -} - -/* Receive a message on the TCP layer */ -STREAM tcp_recv(STREAM s, uint32 length) { - uint32 new_length, end_offset, p_offset; - int32_t rcvd = 0; - - if (s == NULL) { - /* read into "new" stream */ - g_in.data = (uint8 *) xmalloc(length); - g_in.size = length; - g_in.end = g_in.p = g_in.data; - s = &g_in; - } else { - /* append to existing stream */ - new_length = (s->end - s->data) + length; - if (new_length > s->size) { - p_offset = s->p - s->data; - end_offset = s->end - s->data; -//printf("length: %d, %p s->data, %p +%d s->p, %p +%d s->end, end-data %d, size %d\n", length, s->data, s->p, s->p - s->data, s->end, s->end - s->p, s->end - s->data, s->size); - s->data = (uint8 *) xrealloc(s->data, new_length); - s->size = new_length; - s->p = s->data + p_offset; - s->end = s->data + end_offset; - } - } - - - while (length > 0) { - rcvd = hydra_recv(g_sock, (char *) s->end, length); - if (rcvd < 0) 
{ - if (rcvd == -1 && TCP_BLOCKS) { - rcvd = 0; - } else { - //error("recv: %s\n", TCP_STRERROR); - return NULL; - } - } else if (rcvd == 0) { - error("Connection closed\n"); - return NULL; - } - s->end += rcvd; - length -= rcvd; - } - - - return s; -} - -char *tcp_get_address() { - static char ipaddr[32]; - struct sockaddr_in sockaddr; - socklen_t len = sizeof(sockaddr); - - if (getsockname(g_sock, (struct sockaddr *) &sockaddr, &len) == 0) { - uint8 *ip = (uint8 *) & sockaddr.sin_addr; - - sprintf(ipaddr, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); - } else - strcpy(ipaddr, "127.0.0.1"); - return ipaddr; -} - -/* reset the state of the tcp layer */ -void tcp_reset_state(void) { - int32_t i; - - g_sock = -1; /* reset socket */ - - /* Clear the incoming stream */ - if (g_in.data != NULL) - free(g_in.data); - g_in.p = NULL; - g_in.end = NULL; - g_in.data = NULL; - g_in.size = 0; - g_in.iso_hdr = NULL; - g_in.mcs_hdr = NULL; - g_in.sec_hdr = NULL; - g_in.rdp_hdr = NULL; - g_in.channel_hdr = NULL; - - /* Clear the outgoing stream(s) */ - for (i = 0; i < STREAM_COUNT; i++) { - if (g_out[i].data != NULL) - free(g_out[i].data); - g_out[i].p = NULL; - g_out[i].end = NULL; - g_out[i].data = NULL; - g_out[i].size = 0; - g_out[i].iso_hdr = NULL; - g_out[i].mcs_hdr = NULL; - g_out[i].sec_hdr = NULL; - g_out[i].rdp_hdr = NULL; - g_out[i].channel_hdr = NULL; - } -} - -uint16 g_mcs_userid; - -/* Parse an ASN.1 BER header */ -static BOOL ber_parse_header(STREAM s, int32_t tagval, int32_t *length) { - int32_t tag, len; - - - if (tagval > 0xff) { - in_uint16_be(s, tag); - } else { - in_uint8(s, tag); - } - - if (tag != tagval) { - error("expected tag %d, got %d\n", tagval, tag); - return False; - } - - in_uint8(s, len); - - if (len & 0x80) { - len &= ~0x80; - *length = 0; - while (len--) - next_be(s, *length); - } else - *length = len; - - return s_check(s); -} - -/* Output an ASN.1 BER header */ -static void ber_out_header(STREAM s, int32_t tagval, int32_t length) { - - - if 
(tagval > 0xff) { - out_uint16_be(s, tagval); - } else { - out_uint8(s, tagval); - } - - if (length >= 0x80) { - out_uint8(s, 0x82); - out_uint16_be(s, length); - } else - out_uint8(s, length); -} - -/* Output an ASN.1 BER integer */ -static void ber_out_integer(STREAM s, int32_t value) { - ber_out_header(s, BER_TAG_INTEGER, 2); - out_uint16_be(s, value); -} - -/* Output a DOMAIN_PARAMS structure (ASN.1 BER) */ -static void mcs_out_domain_params(STREAM s, int32_t max_channels, int32_t max_users, int32_t max_tokens, int32_t max_pdusize) { - ber_out_header(s, MCS_TAG_DOMAIN_PARAMS, 32); - ber_out_integer(s, max_channels); - ber_out_integer(s, max_users); - ber_out_integer(s, max_tokens); - ber_out_integer(s, 1); /* num_priorities */ - ber_out_integer(s, 0); /* min_throughput */ - ber_out_integer(s, 1); /* max_height */ - ber_out_integer(s, max_pdusize); - ber_out_integer(s, 2); /* ver_protocol */ -} - -/* Parse a DOMAIN_PARAMS structure (ASN.1 BER) */ -static BOOL mcs_parse_domain_params(STREAM s) { - int32_t length = 0; - - ber_parse_header(s, MCS_TAG_DOMAIN_PARAMS, &length); - in_uint8s(s, length); - - return s_check(s); -} - -/* Send an MCS_CONNECT_INITIAL message (ASN.1 BER) */ -static void mcs_send_connect_initial(STREAM mcs_data) { - int32_t datalen = mcs_data->end - mcs_data->data; - int32_t length = 9 + 3 * 34 + 4 + datalen; - STREAM s; - - s = iso_init(length + 5); - - ber_out_header(s, MCS_CONNECT_INITIAL, length); - ber_out_header(s, BER_TAG_OCTET_STRING, 1); /* calling domain */ - out_uint8(s, 1); - ber_out_header(s, BER_TAG_OCTET_STRING, 1); /* called domain */ - out_uint8(s, 1); - - ber_out_header(s, BER_TAG_BOOLEAN, 1); - out_uint8(s, 0xff); /* upward flag */ - - mcs_out_domain_params(s, 34, 2, 0, 0xffff); /* target params */ - mcs_out_domain_params(s, 1, 1, 1, 0x420); /* min params */ - mcs_out_domain_params(s, 0xffff, 0xfc17, 0xffff, 0xffff); /* max params */ - - ber_out_header(s, BER_TAG_OCTET_STRING, datalen); - out_uint8p(s, mcs_data->data, 
datalen); - - s_mark_end(s); - iso_send(s); -} - -/* Expect a MCS_CONNECT_RESPONSE message (ASN.1 BER) */ -static BOOL mcs_recv_connect_response(STREAM mcs_data) { - uint8 result; - int32_t length = 0; - STREAM s; - - s = iso_recv(NULL); - if (s == NULL) - return False; - - ber_parse_header(s, MCS_CONNECT_RESPONSE, &length); - - ber_parse_header(s, BER_TAG_RESULT, &length); - in_uint8(s, result); - if (result != 0) { - error("MCS connect: %d\n", result); - return False; - } - - ber_parse_header(s, BER_TAG_INTEGER, &length); - in_uint8s(s, length); /* connect id */ - mcs_parse_domain_params(s); - - ber_parse_header(s, BER_TAG_OCTET_STRING, &length); - - sec_process_mcs_data(s); - /* - if (length > mcs_data->size) - { - error("MCS data length %d, expected %d\n", length, - mcs_data->size); - length = mcs_data->size; - } - - in_uint8a(s, mcs_data->data, length); - mcs_data->p = mcs_data->data; - mcs_data->end = mcs_data->data + length; - */ - return s_check_end(s); -} - -/* Send an EDrq message (ASN.1 PER) */ -static void mcs_send_edrq(void) { - STREAM s; - - s = iso_init(5); - - out_uint8(s, (MCS_EDRQ << 2)); - out_uint16_be(s, 1); /* height */ - out_uint16_be(s, 1); /* interval */ - - s_mark_end(s); - iso_send(s); -} - -/* Send an AUrq message (ASN.1 PER) */ -static void mcs_send_aurq(void) { - STREAM s; - - s = iso_init(1); - - out_uint8(s, (MCS_AURQ << 2)); - - s_mark_end(s); - iso_send(s); -} - -/* Expect a AUcf message (ASN.1 PER) */ -static BOOL mcs_recv_aucf(uint16 * mcs_userid) { - uint8 opcode, result; - STREAM s; - - s = iso_recv(NULL); - if (s == NULL) - return False; - - in_uint8(s, opcode); - if ((opcode >> 2) != MCS_AUCF) { - error("expected AUcf, got %d\n", opcode); - return False; - } - - in_uint8(s, result); - if (result != 0) { - error("AUrq: %d\n", result); - return False; - } - - if (opcode & 2) - in_uint16_be(s, *mcs_userid); - - return s_check_end(s); -} - -/* Send a CJrq message (ASN.1 PER) */ -static void mcs_send_cjrq(uint16 chanid) { - STREAM 
s;
-
- DEBUG_RDP5(("Sending CJRQ for channel #%d\n", chanid));
-
- s = iso_init(5);
-
- out_uint8(s, (MCS_CJRQ << 2));
- out_uint16_be(s, g_mcs_userid);
- out_uint16_be(s, chanid);
-
- s_mark_end(s);
- iso_send(s);
-}
-
-/* Expect a CJcf message (ASN.1 PER) */
-static BOOL mcs_recv_cjcf(void) {
- uint8 opcode, result;
- STREAM s;
-
- s = iso_recv(NULL);
- if (s == NULL)
- return False;
-
- in_uint8(s, opcode);
- if ((opcode >> 2) != MCS_CJCF) {
- error("expected CJcf, got %d\n", opcode);
- return False;
- }
-
- in_uint8(s, result);
- if (result != 0) {
- error("CJrq: %d\n", result);
- return False;
- }
-
- in_uint8s(s, 4); /* mcs_userid, req_chanid */
- if (opcode & 2)
- in_uint8s(s, 2); /* join_chanid */
-
- return s_check_end(s);
-}
-
-/* Initialise an MCS transport data packet */
-STREAM mcs_init(int32_t length) {
- STREAM s;
-
- s = iso_init(length + 8);
- s_push_layer(s, mcs_hdr, 8);
-
- return s;
-}
-
-/* Send an MCS transport data packet to a specific channel */
-void mcs_send_to_channel(STREAM s, uint16 channel) {
- uint16 length;
-
- s_pop_layer(s, mcs_hdr);
- length = s->end - s->p - 8;
- length |= 0x8000;
-
- out_uint8(s, (MCS_SDRQ << 2));
- out_uint16_be(s, g_mcs_userid);
- out_uint16_be(s, channel);
- out_uint8(s, 0x70); /* flags */
- out_uint16_be(s, length);
-
- iso_send(s);
-}
-
-/* Send an MCS transport data packet to the global channel */
-void mcs_send(STREAM s) {
- mcs_send_to_channel(s, MCS_GLOBAL_CHANNEL);
-}
-
-/* Receive an MCS transport data packet */
-STREAM mcs_recv(uint16 * channel, uint8 * rdpver) {
- uint8 opcode, appid, length;
- STREAM s;
-
- s = iso_recv(rdpver);
- if (s == NULL)
- return NULL;
- if (rdpver != NULL)
- if (*rdpver != 3)
- return s;
- in_uint8(s, opcode);
- appid = opcode >> 2;
- if (appid != MCS_SDIN) {
- if (appid != MCS_DPUM) {
- error("expected data, got %d\n", opcode);
- }
- return NULL;
- }
- in_uint8s(s, 2); /* userid */
- in_uint16_be(s, *channel);
- in_uint8s(s, 1); /* flags */
- in_uint8(s, length);
- if 
(length & 0x80)
- in_uint8s(s, 1); /* second byte of length */
- return s;
-}
-
-BOOL mcs_connect(char *server, STREAM mcs_data, char *username, BOOL reconnect) {
- if (!iso_connect(server, username, reconnect))
- return False;
- mcs_send_connect_initial(mcs_data);
- if (!mcs_recv_connect_response(mcs_data))
- goto error;
- mcs_send_edrq();
- mcs_send_aurq();
- if (!mcs_recv_aucf(&g_mcs_userid))
- goto error;
- mcs_send_cjrq(g_mcs_userid + MCS_USERCHANNEL_BASE);
- if (!mcs_recv_cjcf())
- goto error;
- mcs_send_cjrq(MCS_GLOBAL_CHANNEL);
- if (!mcs_recv_cjcf())
- goto error;
- return True;
-error:
- iso_disconnect();
- return False;
-}
-
-/* Disconnect from the MCS layer */
-void mcs_disconnect(void) {
- iso_disconnect();
-}
-
-/* reset the state of the mcs layer */
-void mcs_reset_state(void) {
- g_mcs_userid = 0;
- iso_reset_state();
-}
-
-/* Send a self-contained ISO PDU */
-static void iso_send_msg(uint8 code) {
- STREAM s;
-
- s = tcp_init(11);
-
- out_uint8(s, 3); /* version */
- out_uint8(s, 0); /* reserved */
- out_uint16_be(s, 11); /* length */
-
- out_uint8(s, 6); /* hdrlen */
- out_uint8(s, code);
- out_uint16(s, 0); /* dst_ref */
- out_uint16(s, 0); /* src_ref */
- out_uint8(s, 0); /* class */
-
- s_mark_end(s);
- tcp_send(s);
-}
-
-static void iso_send_connection_request(char *username) {
- STREAM s;
- int32_t length = 30 + strlen(username);
-
- s = tcp_init(length);
-
- out_uint8(s, 3); /* version */
- out_uint8(s, 0); /* reserved */
- out_uint16_be(s, length); /* length */
-
- out_uint8(s, length - 5); /* hdrlen */
- out_uint8(s, ISO_PDU_CR);
- out_uint16(s, 0); /* dst_ref */
- out_uint16(s, 0); /* src_ref */
- out_uint8(s, 0); /* class */
-
- out_uint8p(s, "Cookie: mstshash=", strlen("Cookie: mstshash="));
- out_uint8p(s, username, strlen(username));
-
- out_uint8(s, 0x0d); /* Unknown */
- out_uint8(s, 0x0a); /* Unknown */
-
- s_mark_end(s);
- tcp_send(s);
-}
-
-/* Send a single input event fast JL, this is required for win8 */
-void 
rdp_send_fast_input_kbd(uint32 time, uint16 flags, uint16 param1) {
- STREAM s;
- uint8 fast_flags = 0;
- uint8 len = 4;
-
- fast_flags |= (flags & RDP_KEYRELEASE) ? FASTPATH_INPUT_KBDFLAGS_RELEASE : 0;
- s = tcp_init(len);
- out_uint8(s, (1 << 2)); //one event
- out_uint8(s, len);
- out_uint8(s, fast_flags | (FASTPATH_INPUT_EVENT_SCANCODE << 5));
- out_uint8(s, param1);
- s_mark_end(s);
- tcp_send(s);
-}
-
-/* Send a single input event fast JL, this is required for win8 */
-void rdp_send_fast_input_mouse(uint32 time, uint16 flags, uint16 param1, uint16 param2) {
- STREAM s;
- uint8 len = 9;
-
- s = tcp_init(len);
- out_uint8(s, (1 << 2)); //one event
- out_uint8(s, len);
- out_uint8(s, (FASTPATH_INPUT_EVENT_MOUSE << 5));
- out_uint16(s, flags);
- out_uint16(s, param1);
- out_uint16(s, param2);
- s_mark_end(s);
- tcp_send(s);
-}
-
-
-/* Receive a message on the ISO layer, return code */
-static STREAM iso_recv_msg(uint8 * code, uint8 * rdpver) {
- STREAM s;
- uint16 length;
- uint8 version;
-
- s = tcp_recv(NULL, 4);
- if (s == NULL)
- return NULL;
- in_uint8(s, version);
- if (rdpver != NULL)
- *rdpver = version;
- if (version == 3) {
- in_uint8s(s, 1); /* pad */
- in_uint16_be(s, length);
- } else {
- in_uint8(s, length);
- if (length & 0x80) {
- length &= ~0x80;
- next_be(s, length);
- }
- }
- if (length < 5) {
- error("Bad packet header\n");
- return NULL;
- }
- s = tcp_recv(s, length - 4);
- if (s == NULL)
- return NULL;
- if (version != 3)
- return s;
- in_uint8s(s, 1); /* hdrlen */
- in_uint8(s, *code);
- if (*code == ISO_PDU_DT) {
- in_uint8s(s, 1); /* eot */
- return s;
- }
- in_uint8s(s, 5); /* dst_ref, src_ref, class */
- return s;
-}
-
-/* Initialise ISO transport data packet */
-STREAM iso_init(int32_t length) {
- STREAM s;
-
- s = tcp_init(length + 7);
- s_push_layer(s, iso_hdr, 7);
-
- return s;
-}
-
-/* Send an ISO data PDU */
-void iso_send(STREAM s) {
- uint16 length;
-
- s_pop_layer(s, iso_hdr);
- length = s->end - s->p;
-
- out_uint8(s, 3); /* 
version */ - out_uint8(s, 0); /* reserved */ - out_uint16_be(s, length); - - out_uint8(s, 2); /* hdrlen */ - out_uint8(s, ISO_PDU_DT); /* code */ - out_uint8(s, 0x80); /* eot */ - - tcp_send(s); -} - -/* Receive ISO transport data packet */ -STREAM iso_recv(uint8 * rdpver) { - STREAM s; - uint8 code = 0; - - s = iso_recv_msg(&code, rdpver); - if (s == NULL) - return NULL; - if (rdpver != NULL) - if (*rdpver != 3) - return s; - if (code != ISO_PDU_DT) { - error("expected DT, got 0x%x\n", code); - return NULL; - } - return s; -} - -/* Establish a connection up to the ISO layer */ -BOOL iso_connect(char *server, char *username, BOOL reconnect) { - uint8 code = 0; - - if (reconnect) { - iso_send_msg(ISO_PDU_CR); - } else { - iso_send_connection_request(username); - } - if (iso_recv_msg(&code, NULL) == NULL) { - return False; - } - if (code != ISO_PDU_CC) { - error("expected CC, got 0x%x\n", code); - hydra_disconnect(g_sock); - return False; - } - - return True; -} - -/* Disconnect from the ISO layer */ -void iso_disconnect(void) { - iso_send_msg(ISO_PDU_DR); - g_sock = hydra_disconnect(g_sock); -} - -/* reset the state to support reconnecting */ -void iso_reset_state(void) { - tcp_reset_state(); -} - -static int32_t g_rc4_key_len; -static SSL_RC4 g_rc4_decrypt_key; -static SSL_RC4 g_rc4_encrypt_key; -static uint32 g_server_public_key_len; - -static uint8 g_sec_sign_key[16]; -static uint8 g_sec_decrypt_key[16]; -static uint8 g_sec_encrypt_key[16]; -static uint8 g_sec_decrypt_update_key[16]; -static uint8 g_sec_encrypt_update_key[16]; -static uint8 g_sec_crypted_random[SEC_MAX_MODULUS_SIZE]; - -uint16 g_server_rdp_version = 0; - -/* These values must be available to reset state - Session Directory */ -static int32_t g_sec_encrypt_use_count = 0; -static int32_t g_sec_decrypt_use_count = 0; - - -void ssl_sha1_init(SSL_SHA1 * sha1) { - SHA1_Init(sha1); -} - -void ssl_sha1_update(SSL_SHA1 * sha1, uint8 * data, uint32 len) { - SHA1_Update(sha1, data, len); -} - -void 
ssl_sha1_final(SSL_SHA1 * sha1, uint8 * out_data) {
- SHA1_Final(out_data, sha1);
-}
-
-void ssl_md5_init(SSL_MD5 * md5) {
- MD5_Init(md5);
-}
-
-void ssl_md5_update(SSL_MD5 * md5, uint8 * data, uint32 len) {
- MD5_Update(md5, data, len);
-}
-
-void ssl_md5_final(SSL_MD5 * md5, uint8 * out_data) {
- MD5_Final(out_data, md5);
-}
-
-void ssl_rc4_set_key(SSL_RC4 * rc4, uint8 * key, uint32 len) {
- RC4_set_key(rc4, len, key);
-}
-
-void ssl_rc4_crypt(SSL_RC4 * rc4, uint8 * in_data, uint8 * out_data, uint32 len) {
- RC4(rc4, len, in_data, out_data);
-}
-
-static void reverse(uint8 * p, int32_t len) {
- int32_t i, j;
- uint8 temp;
-
- for (i = 0, j = len - 1; i < j; i++, j--) {
- temp = p[i];
- p[i] = p[j];
- p[j] = temp;
- }
-}
-
-void ssl_rsa_encrypt(uint8 * out, uint8 * in, int32_t len, uint32 modulus_size, uint8 * modulus, uint8 * exponent) {
- BN_CTX *ctx;
- BIGNUM *mod, *exp, *x, *y;
- uint8 inr[SEC_MAX_MODULUS_SIZE];
- int32_t outlen;
-
- reverse(modulus, modulus_size);
- reverse(exponent, SEC_EXPONENT_SIZE);
- memcpy(inr, in, len);
- reverse(inr, len);
-
- ctx = BN_CTX_new();
- mod = BN_new();
- exp = BN_new();
- x = BN_new();
- y = BN_new();
-
- BN_bin2bn(modulus, modulus_size, mod);
- BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp);
- BN_bin2bn(inr, len, x);
- BN_mod_exp(y, x, exp, mod, ctx);
- outlen = BN_bn2bin(y, out);
- reverse(out, outlen);
- if (outlen < (int32_t) modulus_size)
- memset(out + outlen, 0, modulus_size - outlen);
-
- BN_free(y);
- BN_free(x);
- BN_free(exp);
- BN_free(mod);
- BN_CTX_free(ctx);
-}
-
-/* returns newly allocated X509 or NULL */
-X509 *ssl_cert_read(uint8 * data, uint32 len) {
- /* this will move the data pointer but we don't care, we don't use it again */
- return d2i_X509(NULL, (D2I_X509_CONST unsigned char **) &data, len);
-}
-
-static void ssl_cert_free(X509 * cert) {
- X509_free(cert);
-}
-
-/* returns newly allocated SSL_RKEY or NULL */
-SSL_RKEY *ssl_cert_to_rkey(X509 * cert, uint32 * key_len) {
- EVP_PKEY *epk = NULL;
- 
SSL_RKEY *lkey; - int32_t nid; - - /* By some reason, Microsoft sets the OID of the Public RSA key to - the oid for "MD5 with RSA Encryption" instead of "RSA Encryption" - - Kudos to Richard Levitte for the following (. intuitive .) - lines of code that resets the OID and let's us extract the key. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - nid = X509_get_signature_nid(cert); +#ifndef LIBFREERDP +void dummy_rdp() { printf("\n"); } #else - nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm); + +#include +#include +freerdp *instance = 0; +BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) { + int32_t err = 0; + + rdpSettings* settings = instance->context->settings; + + settings->Username = login; + settings->Password = password; + settings->IgnoreCertificate = TRUE; + if (password[0] == 0) + settings->AuthenticationOnly = FALSE; + else + settings->AuthenticationOnly = TRUE; + settings->ServerHostname = server; + settings->ServerPort = port; + settings->Domain = domain; + +#if FREERDP_VERSION_MAJOR == 2 + settings->MaxTimeInCheckLoop = 100; #endif - if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption)) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -// fprintf(stderr, "[ERROR] the current experimental openssl-1.1 support in hydra does not support RDP :( \n"); -// hydra_child_exit(2); - X509_ALGOR *algor = X509_get0_tbs_sigalg(cert); - DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); - ASN1_OBJECT_free(algor->algorithm); - algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); - //X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_SEQUENCE, NULL /*pbe_str*/); -#else - DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n")); - ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm); - cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); -#endif - } - epk = 
X509_get_pubkey(cert);
- if (NULL == epk) {
- error("Failed to extract public key from certificate\n");
- return NULL;
- }
-
- lkey = RSAPublicKey_dup(EVP_PKEY_get1_RSA(epk));
- EVP_PKEY_free(epk);
- *key_len = RSA_size(lkey);
- return lkey;
+ // freerdp timeout format is microseconds -> default:15000
+ settings->TcpConnectTimeout = hydra_options.waittime * 1000;
+ settings->TlsSecLevel = 0;
+ freerdp_connect(instance);
+ err = freerdp_get_last_error(instance->context);
+ return err;
 }
-int32_t ssl_cert_print_fp(FILE * fp, X509 * cert) {
- return X509_print_fp(fp, cert);
-}
-
-void ssl_rkey_free(SSL_RKEY * rkey) {
- RSA_free(rkey);
-}
-
-/* returns error */
-int32_t ssl_rkey_get_exp_mod(SSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len, uint8 * modulus, uint32 max_mod_len) {
- int32_t len;
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- BIGNUM *n, *e, *d;
-
- n = BN_new();
- e = BN_new();
- RSA_get0_key(rkey, &n, &e, NULL);
- if ((BN_num_bytes(e) > (int32_t) max_exp_len) || (BN_num_bytes(n) > (int32_t) max_mod_len)) {
- return 1;
- }
- len = BN_bn2bin(e, exponent);
- reverse(exponent, len);
- len = BN_bn2bin(n, modulus);
- reverse(modulus, len);
- BN_free(n);
- BN_free(e);
-#else
- if ((BN_num_bytes(rkey->e) > (int32_t) max_exp_len) || (BN_num_bytes(rkey->n) > (int32_t) max_mod_len))
- return 1;
- len = BN_bn2bin(rkey->e, exponent);
- reverse(exponent, len);
- len = BN_bn2bin(rkey->n, modulus);
- reverse(modulus, len);
-#endif
- return 0;
-}
-
-/* returns boolean */
-BOOL ssl_sig_ok(uint8 * exponent, uint32 exp_len, uint8 * modulus, uint32 mod_len, uint8 * signature, uint32 sig_len) {
- return True;
-}
-
-
-void ssl_hmac_md5(const void *key, int32_t key_len, const unsigned char *msg, int32_t msg_len, unsigned char *md) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- HMAC_CTX *ctx;
- ctx = HMAC_CTX_new();
- HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL);
- HMAC_CTX_free(ctx);
-#else
- 
HMAC_CTX ctx; - HMAC_CTX_init(&ctx); - HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL); - HMAC_CTX_cleanup(&ctx); -#endif -} - - -/* - * I believe this is based on SSLv3 with the following differences: - * MAC algorithm (5.2.3.1) uses only 32-bit length in place of seq_num/type/length fields - * MAC algorithm uses SHA1 and MD5 for the two hash functions instead of one or other - * key_block algorithm (6.2.2) uses 'X', 'YY', 'ZZZ' instead of 'A', 'BB', 'CCC' - * key_block partitioning is different (16 bytes each: MAC secret, decrypt key, encrypt key) - * encryption/decryption keys updated every 4096 packets - * See http://wp.netscape.com/eng/ssl3/draft302.txt - */ - -/* - * 48-byte transformation used to generate master secret (6.1) and key material (6.2.2). - * Both SHA1 and MD5 algorithms are used. - */ -void sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt) { - uint8 shasig[20]; - uint8 pad[4]; - SSL_SHA1 sha1; - SSL_MD5 md5; - int32_t i; - - for (i = 0; i < 3; i++) { - memset(pad, salt + i, i + 1); - - ssl_sha1_init(&sha1); - ssl_sha1_update(&sha1, pad, i + 1); - ssl_sha1_update(&sha1, in, 48); - ssl_sha1_update(&sha1, salt1, 32); - ssl_sha1_update(&sha1, salt2, 32); - ssl_sha1_final(&sha1, shasig); - - ssl_md5_init(&md5); - ssl_md5_update(&md5, in, 48); - ssl_md5_update(&md5, shasig, 20); - ssl_md5_final(&md5, &out[i * 16]); - } -} - -/* - * 16-byte transformation used to generate export keys (6.2.2). 
- */
-void sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2) {
- SSL_MD5 md5;
-
- ssl_md5_init(&md5);
- ssl_md5_update(&md5, in, 16);
- ssl_md5_update(&md5, salt1, 32);
- ssl_md5_update(&md5, salt2, 32);
- ssl_md5_final(&md5, out);
-}
-
-/* Reduce key entropy from 64 to 40 bits */
-static void sec_make_40bit(uint8 * key) {
- key[0] = 0xd1;
- key[1] = 0x26;
- key[2] = 0x9e;
-}
-
-/* Generate encryption keys given client and server randoms */
-static void sec_generate_keys(uint8 * client_random, uint8 * server_random, int32_t rc4_key_size) {
- uint8 pre_master_secret[48];
- uint8 master_secret[48];
- uint8 key_block[48];
-
- /* Construct pre-master secret */
- memcpy(pre_master_secret, client_random, 24);
- memcpy(pre_master_secret + 24, server_random, 24);
-
- /* Generate master secret and then key material */
- sec_hash_48(master_secret, pre_master_secret, client_random, server_random, 'A');
- sec_hash_48(key_block, master_secret, client_random, server_random, 'X');
-
- /* First 16 bytes of key material is MAC secret */
- memcpy(g_sec_sign_key, key_block, 16);
-
- /* Generate export keys from next two blocks of 16 bytes */
- sec_hash_16(g_sec_decrypt_key, &key_block[16], client_random, server_random);
- sec_hash_16(g_sec_encrypt_key, &key_block[32], client_random, server_random);
-
- if (rc4_key_size == 1) {
- DEBUG(("40-bit encryption enabled\n"));
- sec_make_40bit(g_sec_sign_key);
- sec_make_40bit(g_sec_decrypt_key);
- sec_make_40bit(g_sec_encrypt_key);
- g_rc4_key_len = 8;
- } else {
- DEBUG(("rc_4_key_size == %d, 128-bit encryption enabled\n", rc4_key_size));
- g_rc4_key_len = 16;
- }
-
- /* Save initial RC4 keys as update keys */
- memcpy(g_sec_decrypt_update_key, g_sec_decrypt_key, 16);
- memcpy(g_sec_encrypt_update_key, g_sec_encrypt_key, 16);
-
- /* Initialise RC4 state arrays */
- ssl_rc4_set_key(&g_rc4_decrypt_key, g_sec_decrypt_key, g_rc4_key_len);
- ssl_rc4_set_key(&g_rc4_encrypt_key, g_sec_encrypt_key, g_rc4_key_len);
-}
-
-static 
uint8 pad_54[40] = { - 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, - 54, 54, 54, - 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, 54, - 54, 54, 54 -}; - -static uint8 pad_92[48] = { - 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, - 92, 92, 92, 92, 92, 92, 92 -}; - -/* Output a uint32 into a buffer (little-endian) */ -void buf_out_uint32(uint8 * buffer, uint32 value) { - buffer[0] = (value) & 0xff; - buffer[1] = (value >> 8) & 0xff; - buffer[2] = (value >> 16) & 0xff; - buffer[3] = (value >> 24) & 0xff; -} - -/* Generate a MAC hash (5.2.3.1), using a combination of SHA1 and MD5 */ -void sec_sign(uint8 * signature, int32_t siglen, uint8 * session_key, int32_t keylen, uint8 * data, int32_t datalen) { - uint8 shasig[20]; - uint8 md5sig[16]; - uint8 lenhdr[4]; - SSL_SHA1 sha1; - SSL_MD5 md5; - - buf_out_uint32(lenhdr, datalen); - - ssl_sha1_init(&sha1); - ssl_sha1_update(&sha1, session_key, keylen); - ssl_sha1_update(&sha1, pad_54, 40); - ssl_sha1_update(&sha1, lenhdr, 4); - ssl_sha1_update(&sha1, data, datalen); - ssl_sha1_final(&sha1, shasig); - - ssl_md5_init(&md5); - ssl_md5_update(&md5, session_key, keylen); - ssl_md5_update(&md5, pad_92, 48); - ssl_md5_update(&md5, shasig, 20); - ssl_md5_final(&md5, md5sig); - - memcpy(signature, md5sig, siglen); -} - -/* Update an encryption key */ -static void sec_update(uint8 * key, uint8 * update_key) { - uint8 shasig[20]; - SSL_SHA1 sha1; - SSL_MD5 md5; - SSL_RC4 update; - - ssl_sha1_init(&sha1); - ssl_sha1_update(&sha1, update_key, g_rc4_key_len); - ssl_sha1_update(&sha1, pad_54, 40); - ssl_sha1_update(&sha1, key, g_rc4_key_len); - ssl_sha1_final(&sha1, shasig); - - ssl_md5_init(&md5); - ssl_md5_update(&md5, update_key, g_rc4_key_len); - ssl_md5_update(&md5, pad_92, 48); - ssl_md5_update(&md5, shasig, 20); - ssl_md5_final(&md5, key); - - ssl_rc4_set_key(&update, 
key, g_rc4_key_len); - ssl_rc4_crypt(&update, key, key, g_rc4_key_len); - - if (g_rc4_key_len == 8) - sec_make_40bit(key); -} - -/* Encrypt data using RC4 */ -static void sec_encrypt(uint8 * data, int32_t length) { - if (g_sec_encrypt_use_count == 4096) { - sec_update(g_sec_encrypt_key, g_sec_encrypt_update_key); - ssl_rc4_set_key(&g_rc4_encrypt_key, g_sec_encrypt_key, g_rc4_key_len); - g_sec_encrypt_use_count = 0; - } - - ssl_rc4_crypt(&g_rc4_encrypt_key, data, data, length); - g_sec_encrypt_use_count++; -} - -/* Decrypt data using RC4 */ -void sec_decrypt(uint8 * data, int32_t length) { - if (g_sec_decrypt_use_count == 4096) { - sec_update(g_sec_decrypt_key, g_sec_decrypt_update_key); - ssl_rc4_set_key(&g_rc4_decrypt_key, g_sec_decrypt_key, g_rc4_key_len); - g_sec_decrypt_use_count = 0; - } - - ssl_rc4_crypt(&g_rc4_decrypt_key, data, data, length); - g_sec_decrypt_use_count++; -} - -/* Perform an RSA public key encryption operation */ -static void sec_rsa_encrypt(uint8 * out, uint8 * in, int32_t len, uint32 modulus_size, uint8 * modulus, uint8 * exponent) { - ssl_rsa_encrypt(out, in, len, modulus_size, modulus, exponent); -} - -/* Initialise secure transport packet */ -STREAM sec_init(uint32 flags, int32_t maxlen) { - int32_t hdrlen; - STREAM s; - -// if (!g_licence_issued) - hdrlen = (flags & SEC_ENCRYPT) ? 12 : 4; -// else - -// hdrlen = (flags & SEC_ENCRYPT) ? 
12 : 0; - s = mcs_init(maxlen + hdrlen); - s_push_layer(s, sec_hdr, hdrlen); - - return s; -} - -/* Transmit secure transport packet over specified channel */ -void sec_send_to_channel(STREAM s, uint32 flags, uint16 channel) { - int32_t datalen; - - s_pop_layer(s, sec_hdr); - out_uint32_le(s, flags); - - if (flags & SEC_ENCRYPT) { - flags &= ~SEC_ENCRYPT; - datalen = s->end - s->p - 8; - - sec_sign(s->p, 8, g_sec_sign_key, g_rc4_key_len, s->p + 8, datalen); - sec_encrypt(s->p + 8, datalen); - } - - mcs_send_to_channel(s, channel); -} - -/* Transmit secure transport packet */ - -void sec_send(STREAM s, uint32 flags) { - sec_send_to_channel(s, flags, MCS_GLOBAL_CHANNEL); -} - - -/* Transfer the client random to the server */ -static void sec_establish_key(void) { - uint32 length = g_server_public_key_len + SEC_PADDING_SIZE; - uint32 flags = SEC_CLIENT_RANDOM; - STREAM s; - - s = sec_init(flags, length + 4); - - out_uint32_le(s, length); - out_uint8p(s, g_sec_crypted_random, g_server_public_key_len); - out_uint8s(s, SEC_PADDING_SIZE); - - s_mark_end(s); - sec_send(s, flags); -} - -/* Output a string in Unicode */ -void rdp_out_unistr(STREAM s, char *string, int32_t len) { - int32_t i = 0, j = 0; - - len += 2; - while (i < len) { - s->p[i++] = string[j++]; - s->p[i++] = 0; - } - s->p += len; -} - -/* Output connect initial data blob */ -static void sec_out_mcs_data(STREAM s) { - char *g_hostname = "hydra"; - int32_t hostlen = 2 * strlen(g_hostname); - int32_t length = 158 + 76 + 12 + 4; - -/* - if (g_num_channels > 0) - length += g_num_channels * 12 + 8; -*/ - if (hostlen > 30) - hostlen = 30; - - /* Generic Conference Control (T.124) ConferenceCreateRequest */ - out_uint16_be(s, 5); - out_uint16_be(s, 0x14); - out_uint8(s, 0x7c); - out_uint16_be(s, 1); - - out_uint16_be(s, (length | 0x8000)); /* remaining length */ - - out_uint16_be(s, 8); /* length? 
*/ - out_uint16_be(s, 16); - out_uint8(s, 0); - out_uint16_le(s, 0xc001); - out_uint8(s, 0); - - out_uint32_le(s, 0x61637544); /* OEM ID: "Duca", as in Ducati. */ - out_uint16_be(s, ((length - 14) | 0x8000)); /* remaining length */ - - /* Client information */ - out_uint16_le(s, SEC_TAG_CLI_INFO); - out_uint16_le(s, 212); /* length */ - out_uint16_le(s, g_use_rdp5 ? 4 : 1); /* RDP version. 1 == RDP4, 4 == RDP5. */ - out_uint16_le(s, 8); - out_uint16_le(s, 800); - out_uint16_le(s, 600); - out_uint16_le(s, 0xca01); - out_uint16_le(s, 0xaa03); - out_uint32_le(s, 0x409); - out_uint32_le(s, 2600); /* Client build. We are now 2600 compatible :-) */ - - /* Unicode name of client, padded to 32 bytes */ - rdp_out_unistr(s, g_hostname, hostlen); - out_uint8s(s, 30 - hostlen); - - /* See - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/html/cxtsksupportingremotedesktopprotocol.asp */ - out_uint32_le(s, 0x4); - out_uint32_le(s, 0x0); - out_uint32_le(s, 0xc); - out_uint8s(s, 64); /* reserved? 4 + 12 doublewords */ - out_uint16_le(s, 0xca01); /* colour depth? */ - out_uint16_le(s, 1); - - out_uint32(s, 0); - out_uint8(s, g_server_depth); - out_uint16_le(s, 0x0700); - out_uint8(s, 0); - out_uint32_le(s, 1); - out_uint8s(s, 64); /* End of client info */ - - out_uint16_le(s, SEC_TAG_CLI_4); - out_uint16_le(s, 12); - out_uint32_le(s, g_console_session ? 0xb : 9); - out_uint32(s, 0); - - /* Client encryption settings */ - out_uint16_le(s, SEC_TAG_CLI_CRYPT); - out_uint16_le(s, 12); /* length */ - out_uint32_le(s, g_encryption ? 
0x3 : 0); /* encryption supported, 128-bit supported */ - out_uint32(s, 0); /* Unknown */ - -/* - DEBUG_RDP5(("g_num_channels is %d\n", g_num_channels)); - if (g_num_channels > 0) - { - out_uint16_le(s, SEC_TAG_CLI_CHANNELS); - out_uint16_le(s, g_num_channels * 12 + 8); // length - out_uint32_le(s, g_num_channels); // number of virtual channels - for (i = 0; i < g_num_channels; i++) - { - DEBUG_RDP5(("Requesting channel %s\n", g_channels[i].name)); - out_uint8a(s, g_channels[i].name, 8); - out_uint32_be(s, g_channels[i].flags); - } - } -*/ - s_mark_end(s); -} - -/* Parse a public key structure */ -static BOOL sec_parse_public_key(STREAM s, uint8 * modulus, uint8 * exponent) { - uint32 magic, modulus_len; - - in_uint32_le(s, magic); - - if (magic != SEC_RSA_MAGIC) { - error("RSA magic 0x%x\n", magic); - return False; - } - - in_uint32_le(s, modulus_len); - modulus_len -= SEC_PADDING_SIZE; - if ((modulus_len < SEC_MODULUS_SIZE) || (modulus_len > SEC_MAX_MODULUS_SIZE)) { - error("Bad server public key size (%u bits)\n", modulus_len * 8); - return False; - } - - in_uint8s(s, 8); /* modulus_bits, unknown */ - in_uint8a(s, exponent, SEC_EXPONENT_SIZE); - in_uint8a(s, modulus, modulus_len); - in_uint8s(s, SEC_PADDING_SIZE); - g_server_public_key_len = modulus_len; - - return s_check(s); -} - -/* Parse a public signature structure */ -static BOOL sec_parse_public_sig(STREAM s, uint32 len, uint8 * modulus, uint8 * exponent) { - uint8 signature[SEC_MAX_MODULUS_SIZE]; - uint32 sig_len; - - if (len != 72) { - return True; - } - memset(signature, 0, sizeof(signature)); - sig_len = len - 8; - in_uint8a(s, signature, sig_len); - return ssl_sig_ok(exponent, SEC_EXPONENT_SIZE, modulus, g_server_public_key_len, signature, sig_len); -} - -/* Parse a crypto information structure */ -static BOOL sec_parse_crypt_info(STREAM s, uint32 * rc4_key_size, uint8 ** server_random, uint8 * modulus, uint8 * exponent) { - uint32 crypt_level, random_len, rsa_info_len; - uint32 cacert_len, cert_len, 
flags;
- X509 *cacert, *server_cert;
- SSL_RKEY *server_public_key;
- uint16 tag, length;
- uint8 *next_tag, *end;
-
- in_uint32_le(s, *rc4_key_size); /* 1 = 40-bit, 2 = 128-bit */
- in_uint32_le(s, crypt_level); /* 1 = low, 2 = medium, 3 = high */
- if (crypt_level == 0) /* no encryption */
- return False;
- in_uint32_le(s, random_len);
- in_uint32_le(s, rsa_info_len);
-
- if (random_len != SEC_RANDOM_SIZE) {
- error("random len %d, expected %d\n", random_len, SEC_RANDOM_SIZE);
- return False;
- }
-
- in_uint8p(s, *server_random, random_len);
-
- /* RSA info */
- end = s->p + rsa_info_len;
- if (end > s->end)
- return False;
-
- in_uint32_le(s, flags); /* 1 = RDP4-style, 0x80000002 = X.509 */
- if (flags & 1) {
- DEBUG_RDP5(("We're going for the RDP4-style encryption\n"));
- in_uint8s(s, 8); /* unknown */
-
- while (s->p < end) {
- in_uint16_le(s, tag);
- in_uint16_le(s, length);
-
- next_tag = s->p + length;
-
- switch (tag) {
- case SEC_TAG_PUBKEY:
- if (!sec_parse_public_key(s, modulus, exponent))
- return False;
- DEBUG_RDP5(("Got Public key, RDP4-style\n"));
-
- break;
-
- case SEC_TAG_KEYSIG:
- if (!sec_parse_public_sig(s, length, modulus, exponent))
- return False;
- break;
-
- default:
- unimpl("crypt tag 0x%x\n", tag);
- }
-
- s->p = next_tag;
- }
- } else {
- uint32 certcount;
-
- DEBUG_RDP5(("We're going for the RDP5-style encryption\n"));
- in_uint32_le(s, certcount); /* Number of certificates */
- if (certcount < 2) {
- error("Server didn't send enough X509 certificates\n");
- return False;
- }
- for (; certcount > 2; certcount--) { /* ignore all the certificates between the root and the signing CA */
- uint32 ignorelen;
- X509 *ignorecert;
-
- DEBUG_RDP5(("Ignored certs left: %d\n", certcount));
- in_uint32_le(s, ignorelen);
- DEBUG_RDP5(("Ignored Certificate length is %d\n", ignorelen));
- ignorecert = ssl_cert_read(s->p, ignorelen);
- in_uint8s(s, ignorelen);
- if (ignorecert == NULL) { /* XXX: error out? 
*/ - DEBUG_RDP5(("got a bad cert: this will probably screw up the rest of the communication\n")); - } -#ifdef WITH_DEBUG_RDP5 - DEBUG_RDP5(("cert #%d (ignored):\n", certcount)); - ssl_cert_print_fp(stdout, ignorecert); -#endif - } - /* Do da funky X.509 stuffy - - "How did I find out about this? I looked up and saw a - bright light and when I came to I had a scar on my forehead - and knew about X.500" - - Peter Gutman in a early version of - http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt - */ - in_uint32_le(s, cacert_len); - DEBUG_RDP5(("CA Certificate length is %d\n", cacert_len)); - cacert = ssl_cert_read(s->p, cacert_len); - in_uint8s(s, cacert_len); - if (NULL == cacert) { - error("Couldn't load CA Certificate from server\n"); - return False; - } - in_uint32_le(s, cert_len); - DEBUG_RDP5(("Certificate length is %d\n", cert_len)); - server_cert = ssl_cert_read(s->p, cert_len); - in_uint8s(s, cert_len); - if (NULL == server_cert) { - ssl_cert_free(cacert); - error("Couldn't load Certificate from server\n"); - return False; - } - ssl_cert_free(cacert); - in_uint8s(s, 16); /* Padding */ - server_public_key = ssl_cert_to_rkey(server_cert, &g_server_public_key_len); - if (NULL == server_public_key) { - DEBUG_RDP5(("Didn't parse X509 correctly\n")); - ssl_cert_free(server_cert); - return False; - } - ssl_cert_free(server_cert); - if ((g_server_public_key_len < SEC_MODULUS_SIZE) || (g_server_public_key_len > SEC_MAX_MODULUS_SIZE)) { - error("Bad server public key size (%u bits)\n", g_server_public_key_len * 8); - ssl_rkey_free(server_public_key); - return False; - } - if (ssl_rkey_get_exp_mod(server_public_key, exponent, SEC_EXPONENT_SIZE, modulus, SEC_MAX_MODULUS_SIZE) != 0) { - error("Problem extracting RSA exponent, modulus"); - ssl_rkey_free(server_public_key); - return False; - } - ssl_rkey_free(server_public_key); - return True; /* There's some garbage here we don't care about */ - } - return s_check_end(s); -} - -/* Process crypto information blob */ 
-static void sec_process_crypt_info(STREAM s) {
- uint8 *server_random = NULL;
- uint8 modulus[SEC_MAX_MODULUS_SIZE];
- uint8 exponent[SEC_EXPONENT_SIZE];
- uint32 rc4_key_size;
-
- memset(modulus, 0, sizeof(modulus));
- memset(exponent, 0, sizeof(exponent));
- if (!sec_parse_crypt_info(s, &rc4_key_size, &server_random, modulus, exponent)) {
- DEBUG(("Failed to parse crypt info\n"));
- return;
- }
- DEBUG(("Generating client random\n"));
- generate_random(g_client_random);
- sec_rsa_encrypt(g_sec_crypted_random, g_client_random, SEC_RANDOM_SIZE, g_server_public_key_len, modulus, exponent);
- sec_generate_keys(g_client_random, server_random, rc4_key_size);
-}
-
-
-/* Process SRV_INFO, find RDP version supported by server */
-static void sec_process_srv_info(STREAM s) {
- in_uint16_le(s, g_server_rdp_version);
- if (verbose)
- hydra_report(stderr, "[VERBOSE] Server RDP version is %d\n", g_server_rdp_version);
- if (1 == g_server_rdp_version) {
- g_use_rdp5 = 0;
- g_server_depth = 8;
- }
-}
-
-
-/* Process connect response data blob */
-void sec_process_mcs_data(STREAM s) {
- uint16 tag, length;
- uint8 *next_tag;
- uint8 len;
-
- in_uint8s(s, 21); /* header (T.124 ConferenceCreateResponse) */
- in_uint8(s, len);
- if (len & 0x80)
- in_uint8(s, len);
-
- while (s->p < s->end) {
- in_uint16_le(s, tag);
- in_uint16_le(s, length);
-
- if (length <= 4)
- return;
-
- next_tag = s->p + length - 4;
-
- switch (tag) {
- case SEC_TAG_SRV_INFO:
- sec_process_srv_info(s);
- break;
-
- case SEC_TAG_SRV_CRYPT:
- sec_process_crypt_info(s);
- break;
-
- case SEC_TAG_SRV_CHANNELS:
- break;
-
- default:
- unimpl("response tag 0x%x\n", tag);
- }
-
- s->p = next_tag;
- }
-}
-
-/* Receive secure transport packet */
-STREAM sec_recv(uint8 * rdpver) {
- uint32 sec_flags;
- uint16 channel = 0;
- STREAM s;
-
- while ((s = mcs_recv(&channel, rdpver)) != NULL) {
- if (rdpver != NULL) {
- if (*rdpver != 3) {
- if (*rdpver & 0x80) {
- in_uint8s(s, 8); /* signature */
- sec_decrypt(s->p, s->end - 
s->p); - } - return s; - } - } - //if (g_encryption || !g_licence_issued) - if (g_encryption) { - in_uint32_le(s, sec_flags); - - if (sec_flags & SEC_ENCRYPT) { - in_uint8s(s, 8); /* signature */ - sec_decrypt(s->p, s->end - s->p); - } - - if (sec_flags & SEC_LICENCE_NEG) { - //licence_process(s); - continue; - } - - if (sec_flags & 0x0400) { /* SEC_REDIRECT_ENCRYPT */ - uint8 swapbyte; - - in_uint8s(s, 8); /* signature */ - sec_decrypt(s->p, s->end - s->p); - - /* Check for a redirect packet, starts with 00 04 */ - if (s->p[0] == 0 && s->p[1] == 4) { - /* for some reason the PDU and the length seem to be swapped. - This isn't good, but we're going to do a byte for byte - swap. So the first foure value appear as: 00 04 XX YY, - where XX YY is the little endian length. We're going to - use 04 00 as the PDU type, so after our swap this will look - like: XX YY 04 00 */ - swapbyte = s->p[0]; - s->p[0] = s->p[2]; - s->p[2] = swapbyte; - - swapbyte = s->p[1]; - s->p[1] = s->p[3]; - s->p[3] = swapbyte; - - swapbyte = s->p[2]; - s->p[2] = s->p[3]; - s->p[3] = swapbyte; - } -#ifdef WITH_DEBUG - /* warning! this debug statement will show passwords in the clear! 
*/ - hexdump(s->p, s->end - s->p); -#endif - } - - } - - if (channel != MCS_GLOBAL_CHANNEL) { - if (rdpver != NULL) - *rdpver = 0xff; - return s; - } - - return s; - } - - return NULL; -} - -/* Establish a secure connection */ -BOOL sec_connect(char *server, char *username, BOOL reconnect) { - struct stream mcs_data; - - /* We exchange some RDP data during the MCS-Connect */ - mcs_data.size = 512; - mcs_data.end = mcs_data.p = mcs_data.data = (uint8 *) xmalloc(mcs_data.size); - sec_out_mcs_data(&mcs_data); - - if (!mcs_connect(server, &mcs_data, username, reconnect)) - return False; - if (g_encryption) - sec_establish_key(); - free(mcs_data.data); - mcs_data.data = NULL; - return True; -} - -/* Disconnect a connection */ -void sec_disconnect(void) { - mcs_disconnect(); -} - -/* reset the state of the sec layer */ -void sec_reset_state(void) { - g_server_rdp_version = 0; - g_sec_encrypt_use_count = 0; - g_sec_decrypt_use_count = 0; - mcs_reset_state(); -} - - - -/* Read field indicating which parameters are present */ -static void rdp_in_present(STREAM s, uint32 * present, uint8 flags, int32_t size) { - uint8 bits; - int32_t i; - - if (flags & RDP_ORDER_SMALL) { - size--; - } - - if (flags & RDP_ORDER_TINY) { - if (size < 2) - size = 0; - else - size -= 2; - } - - *present = 0; - for (i = 0; i < size; i++) { - in_uint8(s, bits); - *present |= bits << (i * 8); - } -} - -/* Read a co-ordinate (16-bit, or 8-bit delta) */ -static void rdp_in_coord(STREAM s, sint16 * coord, BOOL delta) { - sint8 change; - - if (delta) { - in_uint8(s, change); - *coord += change; - } else { - in_uint16_le(s, *coord); - } -} - -/* Read a colour entry */ -static void rdp_in_colour(STREAM s, uint32 * colour) { - uint32 i; - - in_uint8(s, i); - *colour = i; - in_uint8(s, i); - *colour |= i << 8; - in_uint8(s, i); - *colour |= i << 16; -} - -/* Parse bounds information */ -static BOOL rdp_parse_bounds(STREAM s, BOUNDS * bounds) { - uint8 present; - - in_uint8(s, present); - - if (present & 1) 
- rdp_in_coord(s, &bounds->left, False); - else if (present & 16) - rdp_in_coord(s, &bounds->left, True); - - if (present & 2) - rdp_in_coord(s, &bounds->top, False); - else if (present & 32) - rdp_in_coord(s, &bounds->top, True); - - if (present & 4) - rdp_in_coord(s, &bounds->right, False); - else if (present & 64) - rdp_in_coord(s, &bounds->right, True); - - if (present & 8) - rdp_in_coord(s, &bounds->bottom, False); - else if (present & 128) - rdp_in_coord(s, &bounds->bottom, True); - - return s_check(s); -} - -/* Process an opaque rectangle order */ -static void process_rect(STREAM s, RECT_ORDER * os, uint32 present, BOOL delta) { - uint32 i; - - if (present & 0x01) - rdp_in_coord(s, &os->x, delta); - - if (present & 0x02) - rdp_in_coord(s, &os->y, delta); - - if (present & 0x04) - rdp_in_coord(s, &os->cx, delta); - - if (present & 0x08) - rdp_in_coord(s, &os->cy, delta); - - if (present & 0x10) { - in_uint8(s, i); - os->colour = (os->colour & 0xffffff00) | i; - } - - if (present & 0x20) { - in_uint8(s, i); - os->colour = (os->colour & 0xffff00ff) | (i << 8); - } - - if (present & 0x40) { - in_uint8(s, i); - os->colour = (os->colour & 0xff00ffff) | (i << 16); - } - - DEBUG(("RECT(x=%d,y=%d,cx=%d,cy=%d,fg=0x%x)\n", os->x, os->y, os->cx, os->cy, os->colour)); -} - -/* Process a desktop save order */ -static void process_desksave(STREAM s, DESKSAVE_ORDER * os, uint32 present, BOOL delta) { - //int32_t width, height; - - if (present & 0x01) - in_uint32_le(s, os->offset); - - if (present & 0x02) - rdp_in_coord(s, &os->left, delta); - - if (present & 0x04) - rdp_in_coord(s, &os->top, delta); - - if (present & 0x08) - rdp_in_coord(s, &os->right, delta); - - if (present & 0x10) - rdp_in_coord(s, &os->bottom, delta); - - if (present & 0x20) - in_uint8(s, os->action); - - DEBUG(("DESKSAVE(l=%d,t=%d,r=%d,b=%d,off=%d,op=%d)\n", os->left, os->top, os->right, os->bottom, os->offset, os->action)); - - //width = os->right - os->left + 1; - //height = os->bottom - os->top + 1; 
-} - -/* Process a memory blt order */ -static void process_memblt(STREAM s, MEMBLT_ORDER * os, uint32 present, BOOL delta) { - //on win 7, vista, 2008, the login failed has to be catched here - if (present & 0x0001) { - in_uint8(s, os->cache_id); - in_uint8(s, os->colour_table); - } - - if (present & 0x0002) - rdp_in_coord(s, &os->x, delta); - - if (present & 0x0004) - rdp_in_coord(s, &os->y, delta); - - if (present & 0x0008) - rdp_in_coord(s, &os->cx, delta); - - if (present & 0x0010) - rdp_in_coord(s, &os->cy, delta); - - if (present & 0x0020) - in_uint8(s, os->opcode); - - if (present & 0x0040) - rdp_in_coord(s, &os->srcx, delta); - - if (present & 0x0080) - rdp_in_coord(s, &os->srcy, delta); - - if (present & 0x0100) - in_uint16_le(s, os->cache_idx); - - DEBUG(("MEMBLT(op=0x%x,x=%d,y=%d,cx=%d,cy=%d,id=%d,idx=%d)\n", os->opcode, os->x, os->y, os->cx, os->cy, os->cache_id, os->cache_idx)); - //MEMBLT(op=0xcc,x=640,y=128,cx=64,cy=64,id=2,idx=117) => win8 failed - - if ((os->opcode == 0xcc && os->x == 740 && os->y == 448 && os->cx == 60 && os->cy == 56 && os->cache_id == 2) || - (os->opcode == 0xcc && os->x == 640 && os->y == 128 && os->cx == 64 && os->cy == 64 && os->cache_id == 2 && os->cache_idx > 100)) { - if (debug) - hydra_report(stderr, "[DEBUG] Login failed from process_memblt\n"); - login_result = LOGIN_FAIL; - } -} - -/* Process a text order */ -static void process_text2(STREAM s, TEXT2_ORDER * os, uint32 present, BOOL delta) { - int32_t i; - - if (present & 0x000001) - in_uint8(s, os->font); - - if (present & 0x000002) - in_uint8(s, os->flags); - - if (present & 0x000004) - in_uint8(s, os->opcode); - - if (present & 0x000008) - in_uint8(s, os->mixmode); - - if (present & 0x000010) - rdp_in_colour(s, &os->fgcolour); - - if (present & 0x000020) - rdp_in_colour(s, &os->bgcolour); - - if (present & 0x000040) - in_uint16_le(s, os->clipleft); - - if (present & 0x000080) - in_uint16_le(s, os->cliptop); - - if (present & 0x000100) - in_uint16_le(s, 
os->clipright); - - if (present & 0x000200) - in_uint16_le(s, os->clipbottom); - - if (present & 0x000400) - in_uint16_le(s, os->boxleft); - - if (present & 0x000800) - in_uint16_le(s, os->boxtop); - - if (present & 0x001000) - in_uint16_le(s, os->boxright); - - if (present & 0x002000) - in_uint16_le(s, os->boxbottom); - - //rdp_parse_brush(s, &os->brush, present >> 14); - - if (present & 0x080000) - in_uint16_le(s, os->x); - - if (present & 0x100000) - in_uint16_le(s, os->y); - - if (present & 0x200000) { - in_uint8(s, os->length); - in_uint8a(s, os->text, os->length); - } - //printf("TEXT2(x=%d,y=%d,cl=%d,ct=%d,cr=%d,cb=%d,bl=%d,bt=%d,br=%d,bb=%d,bs=%d,bg=0x%x,fg=0x%x,font=%d,fl=0x%x,op=0x%x,mix=%d,n=%d)\n", os->x, os->y, os->clipleft, os->cliptop, os->clipright, os->clipbottom, os->boxleft, os->boxtop, os->boxright, os->boxbottom, , os->bgcolour, os->fgcolour, os->font, os->flags, os->opcode, os->mixmode, os->length); - - if (debug) { - printf("[DEBUG] process_text2: "); - - for (i = 0; i < os->length; i++) - printf("%02x ", os->text[i]); - printf(" *** "); - - printf("size: %d\n", os->length); - } - //there is no way to determine if the message from w2k is a success or failure at first - //so we identify it here and set the os version as win 2000 same for win2k3 - if (!memcmp(os->text, LOGON_MESSAGE_2K, 31)) { - os_version = 2000; - } - if (!memcmp(os->text, LOGON_MESSAGE_FAILED_2K3, 18)) { - os_version = 2003; - } - //on win2k, error can be fe 00 00 or fe 02 00 - if (((os->text[0] == 254) && (os->text[2] == 0)) || (!memcmp(os->text, LOGON_MESSAGE_FAILED_XP, 18))) { - if (debug) - hydra_report(stderr, "[DEBUG] login failed from process_text2\n"); - login_result = LOGIN_FAIL; - } else { - //if it's not an well known error and if it's not just traffic from win 2000 server - - if ((os_version == 2000) && (os->length > 50)) { - if (debug) - hydra_report(stderr, "[DEBUG] login success from process_text2\n"); - login_result = LOGIN_SUCC; - } - } -} - -/* Process a 
secondary order */ -static void process_secondary_order(STREAM s) { - /* The length isn't calculated correctly by the server. - * For very compact orders the length becomes negative - * so a signed integer must be used. */ - uint16 length; - //uint16 flags; - //uint8 type; - uint8 *next_order; - - in_uint16_le(s, length); - //in_uint16_le(s, flags); /* used by bmpcache2 */ - //in_uint8(s, type); - - next_order = s->p + (sint16) length + 7; - - /* - switch (type) - { - case RDP_ORDER_RAW_BMPCACHE: - break; - - case RDP_ORDER_COLCACHE: - break; - - case RDP_ORDER_BMPCACHE: - break; - - case RDP_ORDER_FONTCACHE: - process_fontcache(s); - break; - - case RDP_ORDER_RAW_BMPCACHE2: - break; - - case RDP_ORDER_BMPCACHE2: - break; - - case RDP_ORDER_BRUSHCACHE: - process_brushcache(s, flags); - break; - - default: - unimpl("secondary order %d\n", type); - } - */ - s->p = next_order; -} - -/* Process an order PDU */ -void process_orders(STREAM s, uint16 num_orders) { - RDP_ORDER_STATE *os = &g_order_state; - uint32 present; - uint8 order_flags; - int32_t size, processed = 0; - BOOL delta; - - while (processed < num_orders) { - in_uint8(s, order_flags); - - if (os_version == 2003) - os_version = 0; - - if (!(order_flags & RDP_ORDER_STANDARD)) { - //error("order parsing failed\n"); - //we detected the os is a win 2000 version and the next text msg will be either an error LOGON_MESSAGE_FAILED_2K - //or any other traffic indicating the logon was successfull, so we reset the os_version and let process_text2 handle the msg - if (os_version == 2003) - login_result = LOGIN_SUCC; - break; - } - - if (order_flags & RDP_ORDER_SECONDARY) { - process_secondary_order(s); - } else { - if (order_flags & RDP_ORDER_CHANGE) { - in_uint8(s, os->order_type); - } - - switch (os->order_type) { - case RDP_ORDER_TRIBLT: - case RDP_ORDER_TEXT2: - size = 3; - break; - - case RDP_ORDER_PATBLT: - case RDP_ORDER_MEMBLT: - case RDP_ORDER_LINE: - case RDP_ORDER_POLYGON2: - case RDP_ORDER_ELLIPSE2: - size = 
2; - break; - - default: - size = 1; - } - - rdp_in_present(s, &present, order_flags, size); - - if (order_flags & RDP_ORDER_BOUNDS) { - if (!(order_flags & RDP_ORDER_LASTBOUNDS)) - rdp_parse_bounds(s, &os->bounds); - - } - - delta = order_flags & RDP_ORDER_DELTA; - -//printf("order %d\n", os->order_type); - - if (login_result) - return; - - switch (os->order_type) { - - case RDP_ORDER_RECT: - process_rect(s, &os->rect, present, delta); - break; - - case RDP_ORDER_DESKSAVE: - process_desksave(s, &os->desksave, present, delta); - break; - - case RDP_ORDER_MEMBLT: - process_memblt(s, &os->memblt, present, delta); - break; - - case RDP_ORDER_TEXT2: - process_text2(s, &os->text2, present, delta); - break; - - default: - if (debug) - printf("[DEBUG] unknown order_type: %d\n", os->order_type); - - } - } - - processed++; - } -} - -/* Reset order state */ -void reset_order_state(void) { - memset(&g_order_state, 0, sizeof(g_order_state)); - g_order_state.order_type = RDP_ORDER_PATBLT; -} - -/* Disconnect from the RDP layer */ -void rdp_disconnect(void) { - sec_disconnect(); -} - - -void rdp5_process(STREAM s) { - uint16 length, count; - uint8 type/*, ctype*/; - uint8 *next; - - struct stream *ts; - - while (s->p < s->end) { - in_uint8(s, type); - if (type & RDP5_COMPRESSED) { - //in_uint8(s, ctype); - in_uint16_le(s, length); - type ^= RDP5_COMPRESSED; - } else { - //ctype = 0; - in_uint16_le(s, length); - } - g_next_packet = next = s->p + length; - ts = s; -//printf("type: %d\n", type); - switch (type) { - case 0: /* update orders */ - in_uint16_le(ts, count); - process_orders(ts, count); - break; - - } - - s->p = next; - } -} - - -/* Receive an RDP packet */ -static STREAM rdp_recv(uint8 * type) { - static STREAM rdp_s; - uint16 length, pdu_type; - uint8 rdpver; - - if ((rdp_s == NULL) || (g_next_packet >= rdp_s->end) || (g_next_packet == NULL)) { - rdp_s = sec_recv(&rdpver); - if (rdp_s == NULL) - return NULL; - if (rdpver == 0xff) { - g_next_packet = rdp_s->end; - *type 
= 0; - return rdp_s; - } else if (rdpver != 3) { - /* rdp5_process should move g_next_packet ok */ - rdp5_process(rdp_s); - *type = 0; - return rdp_s; - } - - g_next_packet = rdp_s->p; - } else { - rdp_s->p = g_next_packet; - } - - in_uint16_le(rdp_s, length); - /* 32k packets are really 8, keepalive fix */ - if (length == 0x8000) { - g_next_packet += 8; - *type = 0; - return rdp_s; - } - in_uint16_le(rdp_s, pdu_type); - in_uint8s(rdp_s, 2); /* userid */ - *type = pdu_type & 0xf; - - g_next_packet += length; - return rdp_s; -} - -/* used in uiports and rdp_main_loop, processes the rdp packets waiting */ -BOOL rdp_loop(BOOL * deactivated, uint32 * ext_disc_reason) { - uint8 type; - BOOL cont = True; - STREAM s; - - while (cont) { - s = rdp_recv(&type); - - if (s == NULL) - return False; - switch (type) { - case RDP_PDU_DEMAND_ACTIVE: - process_demand_active(s); - *deactivated = False; - break; - case RDP_PDU_DEACTIVATE: - DEBUG(("RDP_PDU_DEACTIVATE\n")); - *deactivated = True; - break; - case RDP_PDU_REDIRECT: - break; - case RDP_PDU_DATA: - process_data_pdu(s, ext_disc_reason); - break; - case 0: - break; - default: - unimpl("PDU %d\n", type); - } - cont = g_next_packet < s->end; - } - return True; -} - -/* Process incoming packets */ -int32_t rdp_main_loop(BOOL * deactivated, uint32 * ext_disc_reason) { - while (rdp_loop(deactivated, ext_disc_reason)) { - if (login_result != LOGIN_UNKN) { - return login_result; - } - } - return 0; -} - - - -/* Parse a logon info packet */ -static void rdp_send_logon_info(uint32 flags, char *domain, char *user, char *password, char *program, char *directory) { - char *ipaddr = tcp_get_address(); - int32_t len_domain = 2 * strlen(domain); - int32_t len_user = 2 * strlen(user); - int32_t len_password = 2 * strlen(password); - int32_t len_program = 2 * strlen(program); - int32_t len_directory = 2 * strlen(directory); - int32_t len_ip = 2 * strlen(ipaddr); - int32_t len_dll = 2 * strlen("C:\\WINNT\\System32\\mstscax.dll"); - int32_t 
packetlen = 0; - uint32 sec_flags = g_encryption ? (SEC_LOGON_INFO | SEC_ENCRYPT) : SEC_LOGON_INFO; - STREAM s = NULL; - time_t t = time(NULL); - time_t tzone; - uint8 security_verifier[16]; - - if (!g_use_rdp5 || 1 == g_server_rdp_version) { - DEBUG_RDP5(("Sending RDP4-style Logon packet\n")); - - s = sec_init(sec_flags, 18 + len_domain + len_user + len_password + len_program + len_directory + 10); - - out_uint32(s, 0); - out_uint32_le(s, flags); - out_uint16_le(s, len_domain); - out_uint16_le(s, len_user); - out_uint16_le(s, len_password); - out_uint16_le(s, len_program); - out_uint16_le(s, len_directory); - rdp_out_unistr(s, domain, len_domain); - rdp_out_unistr(s, user, len_user); - rdp_out_unistr(s, password, len_password); - rdp_out_unistr(s, program, len_program); - rdp_out_unistr(s, directory, len_directory); - } else { - - flags |= RDP_LOGON_BLOB; - DEBUG_RDP5(("Sending RDP5-style Logon packet\n")); - packetlen = 4 + /* Unknown uint32 */ - 4 + /* flags */ - 2 + /* len_domain */ - 2 + /* len_user */ - (flags & RDP_LOGON_AUTO ? 2 : 0) + /* len_password */ - (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO) ? 2 : 0) + /* Length of BLOB */ - 2 + /* len_program */ - 2 + /* len_directory */ - (0 < len_domain ? len_domain : 2) + /* domain */ - len_user + /* len user */ - (flags & RDP_LOGON_AUTO ? len_password : 0) + /* len pass */ - 0 + /* We have no 512 byte BLOB. Perhaps we must? */ - (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO) ? 2 : 0) + /* After the BLOB is a unknown int16. If there is a BLOB, that is. */ - (0 < len_program ? len_program : 2) + /* program */ - (0 < len_directory ? 
len_directory : 2) + /* dir */ - 2 + /* Unknown (2) */ - 2 + /* Client ip length */ - len_ip + /* Client ip */ - 2 + /* DLL string length */ - len_dll + /* DLL string */ - 4 + /* zone */ - strlen("GTB, normaltid") * 2 + /* zonestring */ - 1 + /* len */ - 5 * 4 + /* some int32 */ - 2 * strlen("GTB, sommartid") + /* zonestring */ - 1 + /* len */ - 5 * 4 + /* some int32 */ - 2 * 4 + /* some int32 */ - (g_has_reconnect_random ? 14 + sizeof(security_verifier) : 2) + 105 + /* ??? we need this */ - 0; // end -//printf("pl: %d - flags %d - AUTO %d - BLOB %d\n", packetlen, flags, RDP_LOGON_AUTO, RDP_LOGON_BLOB); - - s = sec_init(sec_flags, packetlen); - DEBUG_RDP5(("Called sec_init with packetlen %d\n", packetlen)); - - out_uint32(s, 0); /* Unknown */ - out_uint32_le(s, flags); - out_uint16_le(s, len_domain); - out_uint16_le(s, len_user); - if (flags & RDP_LOGON_AUTO) { - out_uint16_le(s, len_password); - } - if (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO)) { - out_uint16_le(s, 0); - } - out_uint16_le(s, len_program); - out_uint16_le(s, len_directory); - if (0 < len_domain) - rdp_out_unistr(s, domain, len_domain); - else - out_uint16_le(s, 0); - rdp_out_unistr(s, user, len_user); - if (flags & RDP_LOGON_AUTO) { - rdp_out_unistr(s, password, len_password); - } - if (flags & RDP_LOGON_BLOB && !(flags & RDP_LOGON_AUTO)) { - out_uint16_le(s, 0); - } - if (0 < len_program) { - rdp_out_unistr(s, program, len_program); - } else { - out_uint16_le(s, 0); - } - if (0 < len_directory) { - rdp_out_unistr(s, directory, len_directory); - } else { - out_uint16_le(s, 0); - } - /* TS_EXTENDED_INFO_PACKET */ - out_uint16_le(s, 2); /* clientAddressFamily = AF_INET */ - out_uint16_le(s, len_ip + 2); /* cbClientAddress, Length of client ip */ - rdp_out_unistr(s, ipaddr, len_ip); /* clientAddress */ - out_uint16_le(s, len_dll + 2); /* cbClientDir */ - rdp_out_unistr(s, "C:\\WINNT\\System32\\mstscax.dll", len_dll); /* clientDir */ - - /* TS_TIME_ZONE_INFORMATION */ - tzone = 
(mktime(gmtime(&t)) - mktime(localtime(&t))) / 60; - out_uint32_le(s, tzone); - rdp_out_unistr(s, "GTB, normaltid", 2 * strlen("GTB, normaltid")); - out_uint8s(s, 62 - 2 * strlen("GTB, normaltid")); - out_uint32_le(s, 0x0a0000); - out_uint32_le(s, 0x050000); - out_uint32_le(s, 3); - out_uint32_le(s, 0); - out_uint32_le(s, 0); - rdp_out_unistr(s, "GTB, sommartid", 2 * strlen("GTB, sommartid")); - out_uint8s(s, 62 - 2 * strlen("GTB, sommartid")); - out_uint32_le(s, 0x30000); - out_uint32_le(s, 0x050000); - out_uint32_le(s, 2); - out_uint32(s, 0); - out_uint32_le(s, 0xffffffc4); /* DaylightBias */ - - /* Rest of TS_EXTENDED_INFO_PACKET */ - out_uint32_le(s, 0xfffffffe); /* clientSessionId, consider changing to 0 */ - out_uint32_le(s, g_rdp5_performanceflags); - - /* Client Auto-Reconnect */ - if (g_has_reconnect_random) { - out_uint16_le(s, 28); /* cbAutoReconnectLen */ - /* ARC_CS_PRIVATE_PACKET */ - out_uint32_le(s, 28); /* cbLen */ - out_uint32_le(s, 1); /* Version */ - out_uint32_le(s, g_reconnect_logonid); /* LogonId */ - ssl_hmac_md5(g_reconnect_random, sizeof(g_reconnect_random), g_client_random, SEC_RANDOM_SIZE, security_verifier); - out_uint8a(s, security_verifier, sizeof(security_verifier)); - } else { - out_uint16_le(s, 0); /* cbAutoReconnectLen */ - } - - } - s_mark_end(s); - sec_send(s, sec_flags); -} - -/* Establish a connection up to the RDP layer */ -BOOL rdp_connect(char *server, uint32 flags, char *domain, char *login, char *password, char *command, char *directory, BOOL reconnect) { - - if (!sec_connect(server, login, reconnect)) - return False; - - rdp_send_logon_info(flags, domain, login, password, command, directory); - return True; -} - -int32_t start_rdp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +/* Client program */ +int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; char server[64]; char domain[256]; - char shell[256]; - 
char directory[256]; - BOOL deactivated = 0; - uint32 flags, ext_disc_reason = 0; + int32_t login_result = 0; - flags = RDP_LOGON_NORMAL; - flags |= RDP_LOGON_AUTO; - - os_version = 0; - g_redirect = False; - g_redirect_flags = 0; - login_result = LOGIN_UNKN; - - shell[0] = directory[0] = 0; memset(domain, 0, sizeof(domain)); if (strlen(login = hydra_get_next_login()) == 0) 
@@ -2458,37 +60,61 @@ int32_t start_rdp(int32_t s, char *ip, int32_t port, unsigned char options, char if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; - strcpy(server, hydra_address2string(ip)); + strncpy(server, hydra_address2string(ip), sizeof(server) - 1); if ((miscptr != NULL) && (strlen(miscptr) > 0)) { strncpy(domain, miscptr, sizeof(domain) - 1); domain[sizeof(domain) - 1] = 0; } - if (!rdp_connect(server, flags, domain, login, pass, shell, directory, g_redirect)) - return 3; - - rdp_main_loop(&deactivated, &ext_disc_reason); - - if (login_result == LOGIN_SUCC) { + login_result = rdp_connect(server, port, domain, login, pass); + if (debug) + hydra_report(stderr, "[DEBUG] rdp reported %08x\n", login_result); + switch (login_result) { + case 0: + // login success hydra_report_found_host(port, ip, "rdp", fp); hydra_completed_pair_found(); - } else { + break; + case 0x00020009: + case 0x00020014: + case 0x00020015: + // login failure hydra_completed_pair(); + break; + case 0x0002000f: + // login failure + hydra_completed_pair_skip(); + break; + case 0x0002000d: + hydra_report(stderr, + "[%d][rdp] account on %s might be valid but account not " + "active for remote desktop: login: %s password: %s, " + "continuing attacking the account.\n", + port, hydra_address2string_beautiful(ip), login, pass); + hydra_completed_pair(); + break; + case 0x00020006: + case 0x00020008: + case 0x0002000c: + // cannot establish rdp connection, either the port is not opened or it's + // not rdp + return 3; + default: + if (verbose) { + hydra_report(stderr, "[ERROR] freerdp: %s (0x%.8x)\n", freerdp_get_last_error_string(login_result), login_result); + } + return login_result; } - - rdp_disconnect(); - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 2; return 1; - } -/* Client program */ -void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_rdp(char *ip, 
int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1; int32_t myport = PORT_RDP; + int32_t __first_rdp_connect = 1; if (port != 0) myport = port; 
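Review bot: The new `strncpy(server, hydra_address2string(ip), sizeof(server) - 1);` leaves `server` (a `char server[64]` local that is never zeroed) without a NUL terminator whenever the address string is 63 bytes or longer, whereas the `domain` copy a few lines below explicitly terminates its buffer; add `server[sizeof(server) - 1] = 0;` after the copy (or `memset(server, 0, sizeof(server));` before it) so the later `rdp_connect(server, …)` call cannot read past the array. The hard-coded `0x0002xxxx` case labels in the result `switch` would read better as the named `ERRCONNECT_*` constants from FreeRDP's `freerdp/error.h`, which also lets a reader check that each branch comment ("login failure", "cannot establish rdp connection") matches the condition it claims. `int32_t __first_rdp_connect = 1;` at the end of the hunk uses a double-underscore identifier, which C reserves for the implementation; `first_rdp_connect` is the safe spelling. The `service_rdp` body that variable belongs to continues in the next hunk.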
@@ -2496,760 +122,62 @@ void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
 hydra_register_socket(sp);
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
 return;
-
 while (1) {
 next_run = 0;
 switch (run) {
- case 1: /* run the cracking function */
- rdesktop_reset_state();
- g_sock = hydra_connect_tcp(ip, myport);
- if (g_sock < 0) {
- hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
- hydra_child_exit(1);
- }
- next_run = start_rdp(g_sock, ip, port, options, miscptr, fp);
+ case 1: /* run the cracking function */
+ if (__first_rdp_connect != 0)
+ __first_rdp_connect = 0;
+ else
+ sleep(hydra_options.conwait);
+ next_run = start_rdp(ip, myport, options, miscptr, fp);
+ if (next_run == 1 && hydra_options.conwait)
+ sleep(hydra_options.conwait);
 break;
- case 2: /* clean exit */
- if (g_sock >= 0)
- rdp_disconnect();
+ case 2: /* clean exit */
+ freerdp_disconnect(instance);
+ freerdp_free(instance);
 hydra_child_exit(0);
 return;
- case 3: /* connection error case */
+ case 3: /* connection error case */
+ hydra_report(stderr, "[ERROR] freerdp: %s\n", "The connection failed to establish.");
+ freerdp_free(instance);
 hydra_child_exit(1);
 return;
 default:
- hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
 hydra_child_exit(2);
 }
 run = next_run;
 }
 }
-/* Generate a 32-byte random for the secure transport code.
*/ -void generate_random(uint8 * random) { - struct stat st; - struct tms tmsbuf; - SSL_MD5 md5; - uint32 *r; - int32_t fd, n; - - /* If we have a kernel random device, try that first */ - if (((fd = open("/dev/urandom", O_RDONLY)) != -1) - || ((fd = open("/dev/random", O_RDONLY)) != -1)) { - n = read(fd, random, 32); - close(fd); - if (n == 32) - return; - } - - r = (uint32 *) random; - r[0] = (getpid()) | (getppid() << 16); - r[1] = (getuid()) | (getgid() << 16); - r[2] = times(&tmsbuf); /* system uptime (clocks) */ - gettimeofday((struct timeval *) &r[3], NULL); /* sec and usec */ - stat("/tmp", &st); - r[5] = st.st_atime; - r[6] = st.st_mtime; - r[7] = st.st_ctime; - - /* Hash both halves with MD5 to obscure possible patterns */ - ssl_md5_init(&md5); - ssl_md5_update(&md5, random, 16); - ssl_md5_final(&md5, random); - ssl_md5_update(&md5, random + 16, 16); - ssl_md5_final(&md5, random + 16); -} - -/* malloc; exit if out of memory */ -void *xmalloc(int32_t size) { - void *mem = malloc(size); - - if (mem == NULL) { - error("xmalloc %d\n", size); - return NULL; - } - return mem; -} - -/* strdup */ -char *xstrdup(const char *s) { - char *mem = strdup(s); - - if (mem == NULL) { - perror("strdup"); - return NULL; - } - return mem; -} - -/* realloc; exit if out of memory */ -void *xrealloc(void *oldmem, size_t size) { - void *mem; - - if (size == 0) - size = 1; -//printf("---? %p %d\n", oldmem, size); - mem = realloc(oldmem, size); -//printf("---!\n"); - if (mem == NULL) { - error("xrealloc %ld\n", size); - return NULL; - } - return mem; -} - -/* report an error */ -void error(char *format, ...) { - va_list ap; - - fprintf(stderr, "[ERROR]: "); - - va_start(ap, format); - hydra_report(stderr, format, ap); - va_end(ap); -} - -/* report a warning */ -void warning(char *format, ...) 
{ - if (verbose) { - va_list ap; - - fprintf(stderr, "[VERBOSE]: "); - - va_start(ap, format); - hydra_report(stderr, format, ap); - va_end(ap); - } -} - -/* report an unimplemented protocol feature */ -void unimpl(char *format, ...) { - if (debug) { - va_list ap; - - fprintf(stderr, "[DEBUG] not implemented: "); - - va_start(ap, format); - hydra_report(stderr, format, ap); - va_end(ap); - } -} - -/* produce a hex dump */ -void hexdump(unsigned char *p, uint32_t len) { - unsigned char *line = p; - int32_t i, thisline, offset = 0; - - while (offset < len) { - printf("%04x ", offset); - thisline = len - offset; - if (thisline > 16) - thisline = 16; - - for (i = 0; i < thisline; i++) - printf("%02x ", line[i]); - - for (; i < 16; i++) - printf(" "); - - for (i = 0; i < thisline; i++) - printf("%c", (line[i] >= 0x20 && line[i] < 0x7f) ? line[i] : '.'); - - printf("\n"); - offset += thisline; - line += thisline; - } -} - -/* Initialise an RDP data packet */ -static STREAM rdp_init_data(int32_t maxlen) { - STREAM s; - - s = sec_init(g_encryption ? SEC_ENCRYPT : 0, maxlen + 18); - s_push_layer(s, rdp_hdr, 18); - - return s; -} - -/* Send an RDP data packet */ -static void rdp_send_data(STREAM s, uint8 data_pdu_type) { - uint16 length; - - s_pop_layer(s, rdp_hdr); - length = s->end - s->p; - - out_uint16_le(s, length); - out_uint16_le(s, (RDP_PDU_DATA | 0x10)); - out_uint16_le(s, (g_mcs_userid + 1001)); - - out_uint32_le(s, g_rdp_shareid); - out_uint8(s, 0); /* pad */ - out_uint8(s, 1); /* streamid */ - out_uint16_le(s, (length - 14)); - out_uint8(s, data_pdu_type); - out_uint8(s, 0); /* compress_type */ - out_uint16(s, 0); /* compress_len */ - - sec_send(s, g_encryption ? 
SEC_ENCRYPT : 0); -} - -/* Input a string in Unicode - * - * Returns str_len of string - */ -int32_t rdp_in_unistr(STREAM s, char *string, int32_t str_size, int32_t in_len) { - int32_t i = 0; - int32_t len = in_len / 2; - int32_t rem = 0; - - if (len > str_size - 1) { - warning("server sent an unexpectedly long string, truncating\n"); - len = str_size - 1; - rem = in_len - 2 * len; - } - - while (i < len) { - in_uint8a(s, &string[i++], 1); - in_uint8s(s, 1); - } - - in_uint8s(s, rem); - string[len] = 0; - return len; -} - -/* Send a control PDU */ -static void rdp_send_control(uint16 action) { - STREAM s; - - s = rdp_init_data(8); - - out_uint16_le(s, action); - out_uint16(s, 0); /* userid */ - out_uint32(s, 0); /* control id */ - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_CONTROL); -} - -/* Send a synchronisation PDU */ -static void rdp_send_synchronise(void) { - STREAM s; - - s = rdp_init_data(4); - out_uint16_le(s, 1); /* type */ - out_uint16_le(s, 1002); - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_SYNCHRONISE); -} - -/* Send a single input event */ -void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1, uint16 param2) { - STREAM s; - - switch (message_type) { - case RDP_INPUT_MOUSE: - rdp_send_fast_input_mouse(time, device_flags, param1, param2); - break; - case RDP_INPUT_SCANCODE: - rdp_send_fast_input_kbd(time, device_flags, param1); - break; - default: - s = rdp_init_data(16); - out_uint16_le(s, 1); /* number of events */ - out_uint16(s, 0); /* pad */ - out_uint32_le(s, time); - out_uint16_le(s, message_type); - out_uint16_le(s, device_flags); - out_uint16_le(s, param1); - out_uint16_le(s, param2); - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_INPUT); - } -} - -/* Send an (empty) font information PDU */ -static void rdp_send_fonts(uint16 seq) { - STREAM s; - - s = rdp_init_data(8); - - out_uint16(s, 0); /* number of fonts */ - out_uint16_le(s, 0); /* pad? 
*/ - out_uint16_le(s, seq); /* unknown */ - out_uint16_le(s, 0x32); /* entry size */ - - s_mark_end(s); - rdp_send_data(s, RDP_DATA_PDU_FONT2); -} - -/* Output general capability set */ -static void rdp_out_general_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_GENERAL); - out_uint16_le(s, RDP_CAPLEN_GENERAL); - out_uint16_le(s, 1); /* OS major type */ - out_uint16_le(s, 3); /* OS minor type */ - out_uint16_le(s, 0x200); /* Protocol version */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 0); /* Compression types */ - out_uint16_le(s, g_use_rdp5 ? 0x40d : 0); - /* Pad, according to T.128. 0x40d seems to - trigger - the server to start sending RDP5 packets. - However, the value is 0x1d04 with W2KTSK and - NT4MS. Hmm.. Anyway, thankyou, Microsoft, - for sending such information in a padding - field.. */ - out_uint16(s, 0); /* Update capability */ - out_uint16(s, 0); /* Remote unshare capability */ - out_uint16(s, 0); /* Compression level */ - out_uint16(s, 0); /* Pad */ -} - -/* Output bitmap capability set */ -static void rdp_out_bitmap_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_BITMAP); - out_uint16_le(s, RDP_CAPLEN_BITMAP); - out_uint16_le(s, g_server_depth); /* Preferred colour depth */ - out_uint16_le(s, 1); /* Receive 1 BPP */ - out_uint16_le(s, 1); /* Receive 4 BPP */ - out_uint16_le(s, 1); /* Receive 8 BPP */ - out_uint16_le(s, 800); /* Desktop width */ - out_uint16_le(s, 600); /* Desktop height */ - out_uint16(s, 0); /* Pad */ - out_uint16(s, 1); /* Allow resize */ - out_uint16_le(s, g_bitmap_compression ? 1 : 0); /* Support compression */ - out_uint16(s, 0); /* Unknown */ - out_uint16_le(s, 1); /* Unknown */ - out_uint16(s, 0); /* Pad */ -} - -/* Output order capability set */ -static void rdp_out_order_caps(STREAM s) { - uint8 order_caps[32]; - - memset(order_caps, 0, 32); - order_caps[0] = 1; /* dest blt */ - order_caps[1] = 1; /* pat blt */ - order_caps[2] = 1; /* screen blt */ - order_caps[3] = (g_bitmap_cache ? 
1 : 0); /* memblt */ - order_caps[4] = 0; /* triblt */ - order_caps[8] = 1; /* line */ - order_caps[9] = 1; /* line */ - order_caps[10] = 1; /* rect */ - order_caps[11] = (g_desktop_save ? 1 : 0); /* desksave */ - order_caps[13] = 1; /* memblt */ - order_caps[14] = 1; /* triblt */ - order_caps[20] = 1; /* polygon */ - order_caps[21] = 1; /* polygon2 */ - order_caps[22] = 1; /* polyline */ - order_caps[25] = 1; /* ellipse */ - order_caps[26] = 1; /* ellipse2 */ - order_caps[27] = 1; /* text2 */ - out_uint16_le(s, RDP_CAPSET_ORDER); - out_uint16_le(s, RDP_CAPLEN_ORDER); - - out_uint8s(s, 20); /* Terminal desc, pad */ - out_uint16_le(s, 1); /* Cache X granularity */ - out_uint16_le(s, 20); /* Cache Y granularity */ - out_uint16(s, 0); /* Pad */ - out_uint16_le(s, 1); /* Max order level */ - out_uint16_le(s, 0x147); /* Number of fonts */ - out_uint16_le(s, 0x2a); /* Capability flags */ - out_uint8p(s, order_caps, 32); /* Orders supported */ - out_uint16_le(s, 0x6a1); /* Text capability flags */ - out_uint8s(s, 6); /* Pad */ - out_uint32_le(s, g_desktop_save == False ? 0 : 0x38400); /* Desktop cache size */ - out_uint32(s, 0); /* Unknown */ - out_uint32_le(s, 0x4e4); /* Unknown */ -} - -/* Output bitmap cache capability set */ -static void rdp_out_bmpcache_caps(STREAM s) { - int32_t Bpp; - - out_uint16_le(s, RDP_CAPSET_BMPCACHE); - out_uint16_le(s, RDP_CAPLEN_BMPCACHE); - Bpp = (g_server_depth + 7) / 8; /* bytes per pixel */ - out_uint8s(s, 24); /* unused */ - out_uint16_le(s, 0x258); /* entries */ - out_uint16_le(s, 0x100 * Bpp); /* max cell size */ - out_uint16_le(s, 0x12c); /* entries */ - out_uint16_le(s, 0x400 * Bpp); /* max cell size */ - out_uint16_le(s, 0x106); /* entries */ - out_uint16_le(s, 0x1000 * Bpp); /* max cell size */ -} - -/* Output bitmap cache v2 capability set */ -static void rdp_out_bmpcache2_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_BMPCACHE2); - out_uint16_le(s, RDP_CAPLEN_BMPCACHE2); - out_uint16_le(s, g_bitmap_cache_persist_enable ? 
2 : 0); /* version */ - out_uint16_be(s, 3); /* number of caches in this set */ - - /* max cell size for cache 0 is 16x16, 1 = 32x32, 2 = 64x64, etc */ - out_uint32_le(s, BMPCACHE2_C0_CELLS); - out_uint32_le(s, BMPCACHE2_C1_CELLS); - out_uint32_le(s, BMPCACHE2_C2_CELLS); - out_uint8s(s, 20); /* other bitmap caches not used */ -} - -/* Output control capability set */ -static void rdp_out_control_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_CONTROL); - out_uint16_le(s, RDP_CAPLEN_CONTROL); - out_uint16(s, 0); /* Control capabilities */ - out_uint16(s, 0); /* Remote detach */ - out_uint16_le(s, 2); /* Control interest */ - out_uint16_le(s, 2); /* Detach interest */ -} - -/* Output activation capability set */ -static void rdp_out_activate_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_ACTIVATE); - out_uint16_le(s, RDP_CAPLEN_ACTIVATE); - out_uint16(s, 0); /* Help key */ - out_uint16(s, 0); /* Help index key */ - out_uint16(s, 0); /* Extended help key */ - out_uint16(s, 0); /* Window activate */ -} - -/* Output pointer capability set */ -static void rdp_out_pointer_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_POINTER); - out_uint16_le(s, RDP_CAPLEN_POINTER); - out_uint16(s, 0); /* Colour pointer */ - out_uint16_le(s, 20); /* Cache size */ -} - -/* Output new pointer capability set */ -static void rdp_out_newpointer_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_POINTER); - out_uint16_le(s, RDP_CAPLEN_NEWPOINTER); - out_uint16_le(s, 1); /* Colour pointer */ - out_uint16_le(s, 20); /* Cache size */ - out_uint16_le(s, 20); /* Cache size for new pointers */ -} - -/* Output share capability set */ -static void rdp_out_share_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_SHARE); - out_uint16_le(s, RDP_CAPLEN_SHARE); - out_uint16(s, 0); /* userid */ - out_uint16(s, 0); /* pad */ -} - -/* Output colour cache capability set */ -static void rdp_out_colcache_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_COLCACHE); - out_uint16_le(s, RDP_CAPLEN_COLCACHE); - out_uint16_le(s, 
6); /* cache size */ - out_uint16(s, 0); /* pad */ -} - -/* Output brush cache capability set */ -static void rdp_out_brushcache_caps(STREAM s) { - out_uint16_le(s, RDP_CAPSET_BRUSHCACHE); - out_uint16_le(s, RDP_CAPLEN_BRUSHCACHE); - out_uint32_le(s, 1); /* cache type */ -} - -static uint8 caps_0x0d[] = { - 0x01, 0x00, 0x00, 0x00, 0x09, 0x04, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; - -static uint8 caps_0x0c[] = { 0x01, 0x00, 0x00, 0x00 }; - -static uint8 caps_0x0e[] = { 0x01, 0x00, 0x00, 0x00 }; - -static uint8 caps_0x10[] = { - 0xFE, 0x00, 0x04, 0x00, 0xFE, 0x00, 0x04, 0x00, - 0xFE, 0x00, 0x08, 0x00, 0xFE, 0x00, 0x08, 0x00, - 0xFE, 0x00, 0x10, 0x00, 0xFE, 0x00, 0x20, 0x00, - 0xFE, 0x00, 0x40, 0x00, 0xFE, 0x00, 0x80, 0x00, - 0xFE, 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x08, - 0x00, 0x01, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00 -}; - -/* Output unknown capability sets */ -static void rdp_out_unknown_caps(STREAM s, uint16 id, uint16 length, uint8 * caps) { - out_uint16_le(s, id); - out_uint16_le(s, length); - out_uint8p(s, caps, length - 4); -} - -#define RDP5_FLAG 0x0030 - -/* Send a confirm active PDU */ -static void rdp_send_confirm_active(void) { - STREAM s; - uint32 sec_flags = g_encryption ? 
(RDP5_FLAG | SEC_ENCRYPT) : RDP5_FLAG; - uint16 caplen = - RDP_CAPLEN_GENERAL + RDP_CAPLEN_BITMAP + RDP_CAPLEN_ORDER + - RDP_CAPLEN_COLCACHE + RDP_CAPLEN_ACTIVATE + RDP_CAPLEN_CONTROL + RDP_CAPLEN_SHARE + RDP_CAPLEN_BRUSHCACHE + 0x58 + 0x08 + 0x08 + 0x34 /* unknown caps */ + - 4 /* w2k fix, sessionid */ ; - - if (g_use_rdp5) { - caplen += RDP_CAPLEN_BMPCACHE2; - caplen += RDP_CAPLEN_NEWPOINTER; - } else { - caplen += RDP_CAPLEN_BMPCACHE; - caplen += RDP_CAPLEN_POINTER; - } - - s = sec_init(sec_flags, 6 + 14 + caplen + sizeof(RDP_SOURCE)); - - out_uint16_le(s, 2 + 14 + caplen + sizeof(RDP_SOURCE)); - out_uint16_le(s, (RDP_PDU_CONFIRM_ACTIVE | 0x10)); /* Version 1 */ - out_uint16_le(s, (g_mcs_userid + 1001)); - - out_uint32_le(s, g_rdp_shareid); - out_uint16_le(s, 0x3ea); /* userid */ - out_uint16_le(s, sizeof(RDP_SOURCE)); - out_uint16_le(s, caplen); - - out_uint8p(s, RDP_SOURCE, sizeof(RDP_SOURCE)); - out_uint16_le(s, 0xe); /* num_caps */ - out_uint8s(s, 2); /* pad */ - - rdp_out_general_caps(s); - rdp_out_bitmap_caps(s); - rdp_out_order_caps(s); - if (g_use_rdp5) { - rdp_out_bmpcache2_caps(s); - rdp_out_newpointer_caps(s); - } else { - rdp_out_bmpcache_caps(s); - rdp_out_pointer_caps(s); - } - - rdp_out_colcache_caps(s); - rdp_out_activate_caps(s); - rdp_out_control_caps(s); - rdp_out_share_caps(s); - rdp_out_brushcache_caps(s); - - rdp_out_unknown_caps(s, 0x0d, 0x58, caps_0x0d); /* CAPSTYPE_INPUT */ - rdp_out_unknown_caps(s, 0x0c, 0x08, caps_0x0c); /* CAPSTYPE_SOUND */ - rdp_out_unknown_caps(s, 0x0e, 0x08, caps_0x0e); /* CAPSTYPE_FONT */ - rdp_out_unknown_caps(s, 0x10, 0x34, caps_0x10); /* CAPSTYPE_GLYPHCACHE */ - - s_mark_end(s); - sec_send(s, sec_flags); -} - -/* Process a general capability set */ -static void rdp_process_general_caps(STREAM s) { - uint16 pad2octetsB; /* rdp5 flags? 
*/ - - in_uint8s(s, 10); - in_uint16_le(s, pad2octetsB); - if (!pad2octetsB) - g_use_rdp5 = False; -} - -/* Process a bitmap capability set */ -static void rdp_process_bitmap_caps(STREAM s) { - uint16 width, height, depth; - - in_uint16_le(s, depth); - in_uint8s(s, 6); - in_uint16_le(s, width); - in_uint16_le(s, height); - DEBUG(("setting desktop size and depth to: %dx%dx%d\n", width, height, depth)); -} - -/* Process server capabilities */ -static void rdp_process_server_caps(STREAM s, uint16 length) { - int32_t n; - uint8 *next, *start; - uint16 ncapsets, capset_type, capset_length; - - start = s->p; - - in_uint16_le(s, ncapsets); - in_uint8s(s, 2); /* pad */ - - for (n = 0; n < ncapsets; n++) { - if (s->p > start + length) - return; - - in_uint16_le(s, capset_type); - in_uint16_le(s, capset_length); - - next = s->p + capset_length - 4; - - switch (capset_type) { - case RDP_CAPSET_GENERAL: - rdp_process_general_caps(s); - break; - - case RDP_CAPSET_BITMAP: - rdp_process_bitmap_caps(s); - break; - } - - s->p = next; - } -} - -/* Respond to a demand active PDU */ -static void process_demand_active(STREAM s) { - uint8 type; - uint16 len_src_descriptor, len_combined_caps; - - in_uint32_le(s, g_rdp_shareid); - in_uint16_le(s, len_src_descriptor); - in_uint16_le(s, len_combined_caps); - in_uint8s(s, len_src_descriptor); - - DEBUG(("DEMAND_ACTIVE(id=0x%x)\n", g_rdp_shareid)); - rdp_process_server_caps(s, len_combined_caps); - - rdp_send_confirm_active(); - rdp_send_synchronise(); - rdp_send_control(RDP_CTL_COOPERATE); - rdp_send_control(RDP_CTL_REQUEST_CONTROL); - rdp_recv(&type); /* RDP_PDU_SYNCHRONIZE */ - rdp_recv(&type); /* RDP_CTL_COOPERATE */ - rdp_recv(&type); /* RDP_CTL_GRANT_CONTROL */ - rdp_send_input(0, 0, 0, 0, 0); /* RDP_INPUT_SYNCHRONIZE */ - // here? XXX TODO BUGFIX - - if (g_use_rdp5) { - rdp_send_fonts(3); - } else { - rdp_send_fonts(1); - rdp_send_fonts(2); - } - - rdp_recv(&type); /* RDP_PDU_UNKNOWN 0x28 (Fonts?) 
*/ - reset_order_state(); -} - -/* Process an update PDU */ -static void process_update_pdu(STREAM s) { - uint16 update_type, count; - - in_uint16_le(s, update_type); - - //ui_begin_update(); - switch (update_type) { - case RDP_UPDATE_ORDERS: - in_uint8s(s, 2); /* pad */ - in_uint16_le(s, count); - in_uint8s(s, 2); /* pad */ - process_orders(s, count); - break; - - case RDP_UPDATE_BITMAP: - //process_bitmap_updates(s); - break; - - case RDP_UPDATE_PALETTE: - //process_palette(s); - break; - - case RDP_UPDATE_SYNCHRONIZE: - break; - - default: - unimpl("update %d\n", update_type); - } -} - - -/* Process a disconnect PDU */ -void process_disconnect_pdu(STREAM s, uint32 * ext_disc_reason) { - in_uint32_le(s, *ext_disc_reason); - - DEBUG(("Received disconnect PDU\n")); -} - -/* Process data PDU */ -static BOOL process_data_pdu(STREAM s, uint32 * ext_disc_reason) { - uint8 data_pdu_type; - //uint8 ctype; - uint16 clen; - //uint32 len; - - in_uint8s(s, 6); /* shareid, pad, streamid */ - //in_uint16_le(s, len); - in_uint8(s, data_pdu_type); - //in_uint8(s, ctype); - in_uint16_le(s, clen); - clen -= 18; - - switch (data_pdu_type) { - case RDP_DATA_PDU_UPDATE: - process_update_pdu(s); - break; - - case RDP_DATA_PDU_CONTROL: - DEBUG(("Received Control PDU\n")); - break; - - case RDP_DATA_PDU_SYNCHRONISE: - DEBUG(("Received Sync PDU\n")); - break; - - case RDP_DATA_PDU_POINTER: - //process_pointer_pdu(s); - break; - - case RDP_DATA_PDU_BELL: - //ui_bell(); - break; - - case RDP_DATA_PDU_LOGON: - DEBUG(("Received Logon PDU\n")); - /* User logged on */ - login_result = LOGIN_SUCC; - return 1; - break; - - case RDP_DATA_PDU_DISCONNECT: - process_disconnect_pdu(s, ext_disc_reason); - - /* We used to return true and disconnect immediately here, but - * Windows Vista sends a disconnect PDU with reason 0 when - * reconnecting to a disconnected session, and MSTSC doesn't - * drop the connection. I think we should just save the status. 
- */
- break;
- default:
- unimpl("data PDU %d\n", data_pdu_type);
- }
- return False;
-}
-#endif
-
-int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
 // called before the childrens are forked off, so this is the function
 // which should be filled if initial connections and service setup has to be
 // performed once only.
 //
 // fill if needed.
- //
+ //
 // return codes:
 // 0 all OK
 // -1 error, hydra will exit, so print a good error message here
+ // Disable freerdp output
+ wLog *root = WLog_GetRoot();
+ WLog_SetStringLogLevel(root, "OFF");
+
+ // Init freerdp instance
+ instance = freerdp_new();
+ if (instance == NULL || freerdp_context_new(instance) == FALSE) {
+ hydra_report(stderr, "[ERROR] freerdp init failed\n");
+ return -1;
+ }
 return 0;
 }
-void usage_rdp(const char* service) {
- printf("Module rdp is optionally taking the windows domain name.\n" "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p doe\n\n");
+void usage_rdp(const char *service) {
+ printf("Module rdp is optionally taking the windows domain name.\n"
+ "For example:\nhydra rdp://192.168.0.1/firstdomainname -l john -p "
+ "doe\n\n");
 }
+#endif
diff --git a/hydra-redis.c b/hydra-redis.c
index 76a6afb..5a81cec 100644
--- a/hydra-redis.c
+++ b/hydra-redis.c
@@ -3,7 +3,7 @@
 extern char *HYDRA_EXIT;
 char *buf;
-int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
+int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
 char *pass, buffer[510];
 char *empty = "";
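Review bot: In `case 1:` of service_rdp the connection wait is applied twice between consecutive attempts: every non-first entry runs `sleep(hydra_options.conwait)` in the `else` branch, and a return of 1 then sleeps for `conwait` again right after `start_rdp`, so each retry waits two times conwait; drop the trailing `if (next_run == 1 && hydra_options.conwait) sleep(hydra_options.conwait);` or the `else` branch, not both. The `default:` arm now calls `hydra_child_exit(2)` with the `[ERROR] Caught unknown return code, exiting!` report removed, so an unmapped freerdp code returned from start_rdp ends the child with no message unless `verbose` is set; keep the report there. `__first_rdp_connect` begins with a double underscore, which C reserves for the implementation; `first_rdp_connect` would do. In service_rdp_init, when `freerdp_context_new(instance)` fails the freshly created `instance` is not released; call `freerdp_free(instance)` before `return -1`.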
@@ -15,7 +15,7 @@ int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, ch
 snprintf(pass_num, 50, "%d", pass_len);
 memset(buffer, 0, sizeof(buffer));
- sprintf(buffer, "*2\r\n$4\r\nAUTH\r\n$%.250s\r\n%.250s\r\n", pass_num, pass);
+ sprintf(buffer, "*2\r\n$4\r\nAUTH\r\n$%.50s\r\n%.250s\r\n", pass_num, pass);
 if (debug)
 hydra_report(stderr, "[DEBUG] Auth:\n %s\n", buffer);
@@ -24,6 +24,11 @@ int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, ch
 return 1;
 }
 buf = hydra_receive_line(s);
+ if (buf == NULL) {
+ hydra_report(stderr, "[ERROR] Failed to receive response from Redis server.\n");
+ return 3;
+ }
+
 if (buf[0] == '+') {
 hydra_report_found_host(port, ip, "redis", fp);
 hydra_completed_pair_found();
@@ -51,7 +56,7 @@ int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, ch
 return 1;
 }
-void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname, int32_t tls) {
+void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, int32_t tls) {
 int32_t run = 1, next_run = 1, sock = -1;
 int32_t myport = PORT_REDIS, mysslport = PORT_REDIS_SSL;
@@ -61,7 +66,7 @@ void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscp
 while (1) {
 switch (run) {
- case 1: /* connect and service init function */
+ case 1: /* connect and service init function */
 if (sock >= 0)
 sock = hydra_disconnect(sock);
 if ((options & OPTION_SSL) == 0) {
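Review bot: The `sprintf` into `buffer` still relies on hand-computed precisions (`%.50s` and `%.250s`) to stay inside the 510-byte buffer declared above the hunk; `snprintf(buffer, sizeof(buffer), "*2\r\n$4\r\nAUTH\r\n$%.50s\r\n%.250s\r\n", pass_num, pass);` states the bound once and does not have to be re-derived when the format changes. start_redis begins before this hunk.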
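Review bot: The new NULL check on `buf` returns 3, which service_redis_core handles as `case 3: /* error exit */` and ends the child with `hydra_child_exit(2)`, so a single missing response (presumably a closed connection or timeout inside hydra_receive_line) terminates the whole child, whereas the `return 1;` in the branch just above (its condition is outside the hunk) reconnects through `case 1`. If the intent is to recover, `return 1;` here keeps the two failure paths consistent; if the intent really is to abort, a comment such as `// no reply at all: give up rather than retry` would spare the next reader the same question.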
@@ -77,24 +82,25 @@ void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscp
 }
 if (sock < 0) {
 if (verbose || debug)
- hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
+ hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
 hydra_child_exit(1);
 }
 usleepn(250);
 next_run = 2;
 break;
- case 2: /* run the cracking function */
+ case 2: /* run the cracking function */
 next_run = start_redis(sock, ip, port, options, miscptr, fp);
 break;
- case 3: /* error exit */
+ case 3: /* error exit */
 if (sock >= 0)
 sock = hydra_disconnect(sock);
 hydra_child_exit(2);
 break;
- case 4: /* clean exit */
+ case 4: /* clean exit */
 if (sock >= 0)
 sock = hydra_disconnect(sock);
 hydra_child_exit(0);
+ break;
 default:
 hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
 hydra_child_exit(2);
@@ -103,32 +109,32 @@ void service_redis_core(char *ip, int32_t sp, unsigned char options, char *miscp
 }
 }
-void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
- service_redis_core(ip, sp, options, miscptr, fp, port, hostname, 0);
-}
+void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_redis_core(ip, sp, options, miscptr, fp, port, hostname, 0); }
-/*
-* Initial password authentication test and response test for the redis server,
-* added by Petar Kaleychev
-* The service_redis_init function is generating ping request as redis-cli (command line interface).
-* You can use redis-cli to connect with Redis. After start of the redis-server in another terminal the following:
-* % ./redis-cli
-* redis> ping
-* when the server does not require password, leads to:
-* PONG
-* when the server requires password, leads to:
-* (error) NOAUTH Authentication required.
-* or
-* (error) ERR operation not permitted (for older redis versions)
-* That is used for initial password authentication and redis server response tests in service_redis_init
-*/
-int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+/*
+ * Initial password authentication test and response test for the redis server,
+ * added by Petar Kaleychev
+ * The service_redis_init function is generating ping request as redis-cli
+ * (command line interface). You can use redis-cli to connect with Redis. After
+ * start of the redis-server in another terminal the following: % ./redis-cli
+ * redis> ping
+ * when the server does not require password, leads to:
+ * PONG
+ * when the server requires password, leads to:
+ * (error) NOAUTH Authentication required.
+ * or
+ * (error) ERR operation not permitted (for older redis versions)
+ * That is used for initial password authentication and redis server response
+ * tests in service_redis_init
+ */
+int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
 // called before the childrens are forked off, so this is the function
 // which should be filled if initial connections and service setup has to be
 // performed once only.
 // return codes:
 // 0 - when the server is redis and it requires password
- // 1 - when the server is not redis or when the server does not require password
+ // n - when the server is not redis or when the server does not require
+ // password
 int32_t sock = -1;
 int32_t myport = PORT_REDIS, mysslport = PORT_REDIS_SSL;
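Review bot: The rewritten return-code comment `// n - when the server is not redis or when the server does not require password` is vaguer than the `1` it replaces, while the body now returns distinct values (the `return 2` / `return 3` lines are in the following hunk); spell them out as `// 2 - the server is not redis, or it does not require a password` and `// 3 - could not connect to the target` so callers of service_redis_init can tell the cases apart. service_redis_init's body continues past this hunk.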
@@ -147,35 +153,36 @@ int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *mi
 port = mysslport;
 }
 if (verbose)
- printf("[VERBOSE] Initial redis password authentication test and response test ...\n");
+ printf("[VERBOSE] Initial redis password authentication test and response "
+ "test ...\n");
 if (sock < 0) {
 hydra_report(stderr, "[ERROR] Can not connect to port %d on the target\n", myport);
- hydra_child_exit(1);
+ return 3;
 }
 // generating ping request as redis-cli
 if (debug)
 printf("[DEBUG] buffer = %s\n", buffer);
- // [debug mode]: buffer is:
- // *1
- // $4
- // ping
+ // [debug mode]: buffer is:
+ // *1
+ // $4
+ // ping
 if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) {
- return 1;
+ return 2;
 }
 buf = hydra_receive_line(sock);
 if (debug)
 printf("[DEBUG] buf = %s\n", buf);
 // authentication test
 if (strstr(buf, "+PONG") != NULL) {
 // the server does not require password
- hydra_report(stderr, "[!] The server does not require password.\n");
+ hydra_report(stderr, "[!] The server %s does not require password.\n", hostname);
 free(buf);
- return 1;
+ return 2;
 }
 // server response test
 if (strstr(buf, "-NOAUTH Authentication required") == NULL && strstr(buf, "-ERR operation not permitted") == NULL) {
 hydra_report(stderr, "[ERROR] The server is not redis, exit.\n");
 free(buf);
- return 1;
+ return 2;
 }
 if (verbose)
 printf("[VERBOSE] The redis server requires password.\n");
diff --git a/hydra-rexec.c b/hydra-rexec.c
index 5b7073a..3571527 100644
--- a/hydra-rexec.c
+++ b/hydra-rexec.c
@@ -5,9 +5,8 @@
 #define COMMAND "/bin/ls /"
 extern char *HYDRA_EXIT;
-char *buf;
-int32_t start_rexec(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
+int32_t start_rexec(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
 char *empty = "";
 char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
 int32_t ret;
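Review bot: `buf = hydra_receive_line(sock);` is still dereferenced by `strstr(buf, "+PONG")` without a NULL check, although this same commit adds exactly that check in start_redis; a server that closes the connection without replying would crash the pre-fork init instead of returning an error. Add `if (buf == NULL) { hydra_report(stderr, "[ERROR] No response from the redis server.\n"); return 2; }` right after the receive. The new early returns (`return 2` after the send failure and after each `free(buf)`) also leave `sock` open; if the rest of the function, which is outside this hunk, only disconnects on the success path, a `hydra_disconnect(sock)` before each `return 2` would avoid leaking the init socket.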
@@ -45,7 +44,7 @@ int32_t start_rexec(int32_t s, char *ip, int32_t port, unsigned char options, ch
 return 1;
 }
-void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
 int32_t run = 1, next_run = 1, sock = -1;
 int32_t myport = PORT_REXEC, mysslport = PORT_REXEC_SSL;
@@ -55,33 +54,33 @@ void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, F
 while (1) {
 next_run = 0;
 switch (run) {
- case 1: /* connect and service init function */
- {
- if (sock >= 0)
- sock = hydra_disconnect(sock);
-// usleepn(275);
- if ((options & OPTION_SSL) == 0) {
- if (port != 0)
- myport = port;
- sock = hydra_connect_tcp(ip, myport);
- port = myport;
- } else {
- if (port != 0)
- mysslport = port;
- sock = hydra_connect_ssl(ip, mysslport, hostname);
- port = mysslport;
- }
- if (sock < 0) {
- hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid());
- hydra_child_exit(1);
- }
- next_run = 2;
- break;
+ case 1: /* connect and service init function */
+ {
+ if (sock >= 0)
+ sock = hydra_disconnect(sock);
+ // usleepn(275);
+ if ((options & OPTION_SSL) == 0) {
+ if (port != 0)
+ myport = port;
+ sock = hydra_connect_tcp(ip, myport);
+ port = myport;
+ } else {
+ if (port != 0)
+ mysslport = port;
+ sock = hydra_connect_ssl(ip, mysslport, hostname);
+ port = mysslport;
 }
- case 2: /* run the cracking function */
+ if (sock < 0) {
+ hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
+ hydra_child_exit(1);
+ }
+ next_run = 2;
+ break;
+ }
+ case 2: /* run the cracking function */
 next_run = start_rexec(sock, ip, port, options, miscptr, fp);
 break;
- case 3: /* clean exit */
+ case 3: /* clean exit */
 if (sock >= 0)
 sock = hydra_disconnect(sock);
 hydra_child_exit(0);
@@ -89,19 +88,18 @@ void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, F
 default:
 hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
 hydra_child_exit(0);
-
 }
 run = next_run;
 }
 }
-int32_t service_rexec_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+int32_t service_rexec_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
 // called before the childrens are forked off, so this is the function
 // which should be filled if initial connections and service setup has to be
 // performed once only.
 //
 // fill if needed.
- //
+ //
 // return codes:
 // 0 all OK
 // -1 error, hydra will exit, so print a good error message here
diff --git a/hydra-rlogin.c b/hydra-rlogin.c
index 5819250..f9dc694 100644
--- a/hydra-rlogin.c
+++ b/hydra-rlogin.c
@@ -8,13 +8,11 @@ client have to use port from 512 -> 1023 or server is denying the connection no memleaks found on 110425 */
-
 #define TERM "vt100/9600"
 extern char *HYDRA_EXIT;
-char *buf;
-int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
+int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
 char *empty = "";
 char *login, *pass, buffer[300] = "", buffer2[100], *bptr = buffer2;
 int32_t ret;
@@ -79,7 +77,8 @@ int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, c
 hydra_completed_pair();
 }
 } else {
- /* if password is asked a second time, it means the pass we provided is wrong */
+ /* if password is asked a second time, it means the pass we provided is
+ * wrong */
 hydra_completed_pair();
 }
@@ -88,7 +87,7 @@ int32_t start_rlogin(int32_t s, char *ip, int32_t port, unsigned char options, c
   return 1;
 }
 
-void service_rlogin(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
+void service_rlogin(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
   int32_t run = 1, next_run = 1, sock = -1;
   int32_t myport = PORT_RLOGIN, mysslport = PORT_RLOGIN_SSL;
@@ -99,35 +98,35 @@ void service_rlogin(char *ip, int32_t sp, unsigned char options, char *miscptr, while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - /* 512 -> 1023 */ - hydra_set_srcport(1023); - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; + case 1: /* connect and service init function */ + { + /* 512 -> 1023 */ + hydra_set_srcport(1023); + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_rlogin(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -140,13 +139,13 @@ void service_rlogin(char *ip, int32_t sp, unsigned char options, char *miscptr, } } -int32_t service_rlogin_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_rlogin_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-rpcap.c b/hydra-rpcap.c index 2fa4956..700d0cc 100644 --- a/hydra-rpcap.c +++ b/hydra-rpcap.c @@ -6,7 +6,7 @@ extern char *HYDRA_EXIT; char *buf; -int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[1024]; @@ -21,7 +21,8 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch char bfr4[] = " "; bfr4[0] = strlen(login) + strlen(pass) + 8; char bfr5[] = "\x00"; - char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need of password + char bfr6[] = "\x01"; // x01 - when a password is required, x00 - when no need + // of password char bfr7[] = "\x00\x00\x00"; char bfr8[] = " "; bfr8[0] = strlen(login); 
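Review bot: In the rpcap `@@ -21,7` hunk, `bfr4[0] = strlen(login) + strlen(pass) + 8;` stores the rpcap length field into a single `char`, so any login/password pair longer than 247 bytes wraps silently and the header length no longer matches the payload that follows; `bfr8[0] = strlen(login)` has the same 255-byte ceiling. A guard before the assignment makes the failure explicit instead of sending a malformed frame: `if (strlen(login) + strlen(pass) + 8 > 255) { hydra_report(stderr, "[ERROR] rpcap: login/password too long\n"); return 3; }`. start_rpcap continues past this hunk, so the return code should follow whatever convention the rest of the function uses for fatal errors (the later hunk uses 3 for exit).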
@@ -57,13 +58,12 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch return 3; return 1; } -/* - if (strstr(buf, "Logon failure") == NULL) { - hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n", buf); - free(buf); - return 4; - } -*/ + /* + if (strstr(buf, "Logon failure") == NULL) { + hydra_report(stderr, "[ERROR] rpcap error or service shutdown: %s\n", + buf); free(buf); return 4; + } + */ free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) @@ -72,7 +72,7 @@ int32_t start_rpcap(int32_t s, char *ip, int32_t port, unsigned char options, ch return 2; } -void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_RPCAP, mysslport = PORT_RPCAP_SSL; @@ -81,10 +81,10 @@ void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, F return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); - //usleep(300000); + // usleep(300000); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; 
@@ -99,18 +99,19 @@ void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, F if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_rpcap(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); @@ -119,7 +120,7 @@ void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, F } } -int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, performed once only. // return codes: // 0 - rpcap with authentication @@ -153,7 +154,7 @@ int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *mi buf = hydra_receive_line(sock); - if (strstr(buf, "NULL autentication not permitted") == NULL) { + if (strstr(buf, "NULL authentication not permitted") == NULL) { hydra_report(stderr, "[!] rpcap error or no need of authentication!\n"); free(buf); return 1; diff --git a/hydra-rsh.c b/hydra-rsh.c index 67c5e5b..6bb3cac 100644 --- a/hydra-rsh.c +++ b/hydra-rsh.c 
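Review bot: In the `@@ -153,7` hunk, `buf = hydra_receive_line(sock);` is handed straight to `strstr` on the next line without a NULL check, so a target that closes the connection or never answers crashes service_rpcap_init instead of reporting an error — the rtsp module in this same commit checks `lresp == NULL` after the very same call. Add `if (buf == NULL) { hydra_report(stderr, "[ERROR] no reply from rpcap service\n"); return 1; }` before the `strstr`, using whichever return code the rest of the init routine (outside the hunk) uses for connection failures. The spelling fix `NULL authentication not permitted` only helps if rpcapd itself spells it that way; if the old string was copied verbatim from a daemon that emits `autentication`, this hunk silently breaks the detection, so verify against a live rpcapd or match a substring both spellings share, e.g. `not permitted`.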
@@ -11,9 +11,8 @@ no memleaks found on 110425 */ extern char *HYDRA_EXIT; -char *buf; -int32_t start_rsh(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_rsh(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, buffer[300] = "", buffer2[100], *bptr = buffer2; int32_t ret; @@ -40,8 +39,8 @@ int32_t start_rsh(int32_t s, char *ip, int32_t port, unsigned char options, char if ((ret = hydra_recv(s, buffer, sizeof(buffer) - 1)) > 0) buffer[ret] = 0; else /* 0x00 is sent but hydra_recv transformed it */ - if ((ret = hydra_recv(s, buffer, sizeof(buffer) - 1)) > 0) - buffer[ret] = 0; + if ((ret = hydra_recv(s, buffer, sizeof(buffer) - 1)) > 0) + buffer[ret] = 0; #ifdef HAVE_PCRE if (ret > 0 && (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)"))) { #else @@ -58,7 +57,7 @@ int32_t start_rsh(int32_t s, char *ip, int32_t port, unsigned char options, char return 1; } -void service_rsh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_rsh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_RSH, mysslport = PORT_RSH_SSL; 
@@ -69,34 +68,34 @@ void service_rsh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL while (1) { next_run = 0; switch (run) { - case 1: /* connect and service init function */ - { - hydra_set_srcport(1023); - if (sock >= 0) - sock = hydra_disconnect(sock); -// usleepn(275); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; + case 1: /* connect and service init function */ + { + hydra_set_srcport(1023); + if (sock >= 0) + sock = hydra_disconnect(sock); + // usleepn(275); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; } - case 2: /* run the cracking function */ + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ next_run = start_rsh(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -109,13 +108,13 @@ void service_rsh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } } -int32_t service_rsh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_rsh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-rtsp.c b/hydra-rtsp.c index e0eb6b5..5526f9b 100644 --- a/hydra-rtsp.c +++ b/hydra-rtsp.c @@ -6,19 +6,21 @@ // // -#include +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif + #include "hydra-mod.h" -#include #include "sasl.h" +#include +#include extern char *HYDRA_EXIT; -char *buf; char packet[500]; char packet2[500]; int32_t is_Unauthorized(char *s) { - - if (strstr(s, "401 Unauthorized") != NULL) { + if (strcasestr(s, "401 Unauthorized") != NULL) { return 1; } else { return 0; @@ -26,8 +28,7 @@ int32_t is_Unauthorized(char *s) { } int32_t is_NotFound(char *s) { - - if (strstr(s, "404 Stream Not Found") != NULL) { + if (strcasestr(s, "404 Stream") != NULL || strcasestr(s, "404 Not") != NULL) { return 1; } else { return 0; @@ -35,8 +36,7 @@ int32_t is_NotFound(char *s) { } int32_t is_Authorized(char *s) { - - if (strstr(s, "200 OK") != NULL) { + if (strcasestr(s, "200 OK") != NULL) { return 1; } else { return 0; @@ -44,8 +44,7 @@ int32_t is_Authorized(char *s) { } int32_t use_Basic_Auth(char *s) { - - if (strstr(s, "WWW-Authenticate: Basic") != NULL) { + if (strcasestr(s, "WWW-Authenticate: Basic") != NULL) { return 1; } else { return 0; 
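Review bot: In the rtsp `@@ -6,19` hunk, the switch to `strcasestr` in is_Unauthorized/is_NotFound/is_Authorized/use_Basic_Auth forces `#define _GNU_SOURCE` and a non-POSIX glibc/BSD function into a module that, a few lines further down, already uses hydra's own portable `hydra_strcasestr` for the Digest header; using `hydra_strcasestr(s, "401 Unauthorized")` here as well would drop the `_GNU_SOURCE` block and keep the module buildable on libcs without `strcasestr`. The widened `is_NotFound` test (`404 Stream` or `404 Not`) now also matches a generic `404 Not Found`, and since start_rtsp treats a 404 as "no credentials needed" / "login found", a wrong stream path on a server that checks the path before authentication will be reported as valid credentials. Confirm that the targets this was widened for really answer 404 only after successful authentication, or document that assumption above is_NotFound. The include lines in this hunk appear with their header names stripped in this rendering, so their order relative to `hydra-mod.h` should be rechecked in the actual file.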
@@ -53,16 +52,13 @@ int32_t use_Basic_Auth(char *s) { } int32_t use_Digest_Auth(char *s) { - - if (strstr(s, "WWW-Authenticate: Digest") != NULL) { + if (strcasestr(s, "WWW-Authenticate: Digest") != NULL) { return 1; } else { return 0; } } - - void create_core_packet(int32_t control, char *ip, int32_t port) { char *target = hydra_address2string(ip); @@ -76,12 +72,14 @@ void create_core_packet(int32_t control, char *ip, int32_t port) { } } } -int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; - char *login, *pass, buffer[500], buffer2[500]; - + char *login, *pass, buffer[1030], buffer2[500]; char *lresp; + memset(buffer, 0, sizeof(buffer)); + memset(buffer2, 0, sizeof(buffer2)); + if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) 
@@ -95,57 +93,57 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha lresp = hydra_receive_line(s); if (lresp == NULL) { - fprintf(stderr, "[ERROR] no server reply"); + hydra_report(stderr, "[ERROR] no server reply\n"); return 1; } if (is_NotFound(lresp)) { - printf("[INFO] Server does not need credentials\n"); + free(lresp); + hydra_report(stderr, "[INFO] Server does not need credentials\n"); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { return 3; } return 1; } else { - create_core_packet(1, ip, port); - if (use_Basic_Auth(lresp) == 1) { - - sprintf(buffer2, "%.260s:%.260s", login, pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - - sprintf(buffer, "%sAuthorization: : Basic %s\r\n\r\n", packet2, buffer2); - - if (debug) { - hydra_report(stderr, "C:%s\n", buffer); - } - } - if (use_Digest_Auth(lresp) == 1) { - char *dbuf = NULL; - char aux[500] = ""; - + char aux[500] = "", dbuf[500] = "", *result = NULL; char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest "); - strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); + strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux)); aux[sizeof(aux) - 1] = '\0'; + free(lresp); #ifdef LIBOPENSSL - sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, ""); + result = sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, ""); #else - printf("[ERROR] Digest auth required but compiled without OpenSSL/MD5 support\n"); + hydra_report(stderr, "[ERROR] Digest auth required but compiled " + "without OpenSSL/MD5 support\n"); return 3; #endif - - if (dbuf == NULL) { - fprintf(stderr, "[ERROR] digest generation failed\n"); + if (result == NULL) { + hydra_report(stderr, "[ERROR] digest generation failed\n"); return 3; } - sprintf(buffer, "%sAuthorization: Digest %s\r\n\r\n", packet2, dbuf); 
- - if (debug) { + sprintf(buffer, "%.500sAuthorization: Digest %.500s\r\n\r\n", packet2, dbuf); + if (debug) hydra_report(stderr, "C:%s\n", buffer); - } + } else if (use_Basic_Auth(lresp) == 1) { + free(lresp); + sprintf(buffer2, "%.249s:%.249s", login, pass); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%.500sAuthorization: : Basic %.500s\r\n\r\n", packet2, buffer2); + if (debug) + hydra_report(stderr, "C:%s\n", buffer); + } else { + hydra_report(stderr, "[ERROR] unknown authentication protocol\n"); + return 1; + } + + if (strlen(buffer) == 0) { + hydra_report(stderr, "[ERROR] could not identify HTTP authentication used\n"); + return 1; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { @@ -153,33 +151,36 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha } lresp = NULL; - lresp = hydra_receive_line(s); - if ((is_NotFound(lresp))) { + if (lresp == NULL) { + hydra_report(stderr, "[ERROR] no server reply\n"); + return 1; + } + if (is_NotFound(lresp) || is_Authorized(lresp)) { + free(lresp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { return 3; } return 1; - - } + free(lresp); hydra_completed_pair(); } if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; -//not rechead + // not rechead return 2; } -void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; - int32_t myport = PORT_RTSP/*, mysslport = PORT_RTSP_SSL*/; + int32_t myport = PORT_RTSP /*, mysslport = PORT_RTSP_SSL*/; hydra_register_socket(sp); 
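Review bot: The Basic branch of the `@@ -95,57` hunk still emits a malformed header, `Authorization: : Basic %.500s` — the stray `: ` makes the field value `: Basic <b64>`, which an RFC 2617-conformant server will not parse as Basic credentials, so every Basic attempt is a false negative; it should read `sprintf(buffer, "%.500sAuthorization: Basic %.500s\r\n\r\n", packet2, buffer2);`. The new `unknown authentication protocol` branch returns 1 without `free(lresp)` and without completing the pair, so if hydra re-enters start_rtsp with the same login/password (which is what the other `return 1` paths appear to rely on) a server offering an unsupported scheme is reconnected to in an endless loop; `free(lresp); return 3;`, as the no-OpenSSL branch does, ends the child cleanly. The `strlen(buffer) == 0` check after the if/else chain is unreachable because every branch either fills `buffer` or returns. Also `hydra_strcasestr(lresp, "WWW-Authenticate: Digest ")` requires a trailing space that `use_Digest_Auth` did not, so a header ending in `Digest\r\n` yields a NULL `pbuffer` and a crash in `strncpy`. start_rtsp begins in the previous hunk.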
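Review bot: In the `@@ -153,33` hunk, after the credentials are sent the only outcomes recognised are 404/200 (found) and everything else (`hydra_completed_pair()`, i.e. wrong password); `is_Unauthorized` exists in this file but is never consulted, so a 400 from a header the server rejects, a 5xx, or a rate-limit reply is silently counted as a failed guess and the whole wordlist burns without any signal. A one-line diagnostic before the existing `free(lresp); hydra_completed_pair();` keeps the control flow and makes the condition visible: `if (!is_Unauthorized(lresp) && verbose) hydra_report(stderr, "[VERBOSE] unexpected RTSP reply: %s\n", lresp);`. The comment `// not rechead` is presumably "not reached". start_rtsp's opening is outside this hunk.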
@@ -187,9 +188,8 @@ void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI return; while (1) { - switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) { sock = hydra_disconnect(sock); } @@ -202,16 +202,16 @@ void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_rtsp(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) { sock = hydra_disconnect(sock); } @@ -225,7 +225,7 @@ void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } -int32_t service_rtsp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_rtsp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. diff --git a/hydra-s7-300.c b/hydra-s7-300.c index 31b11aa..9f7f3a3 100644 --- a/hydra-s7-300.c +++ b/hydra-s7-300.c @@ -1,4 +1,5 @@ -// submitted by Alexander Timorin and Sergey Gordeychik +// submitted by Alexander Timorin and Sergey +// Gordeychik #include "hydra-mod.h" 
@@ -6,16 +7,24 @@ extern char *HYDRA_EXIT; -unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17" "\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0" "\x01\x0a"; +unsigned char p_cotp[] = "\x03\x00\x00\x16\x11\xe0\x00\x00\x00\x17" + "\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0" + "\x01\x0a"; -unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00" "\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00" "\x01\x00\x01\x01\xe0"; +unsigned char p_s7_negotiate_pdu[] = "\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00" + "\x00\x02\x00\x00\x08\x00\x00\xf0\x00\x00" + "\x01\x00\x01\x01\xe0"; -unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00" "\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12" "\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01" "\x32\x00\x04"; +unsigned char p_s7_read_szl[] = "\x03\x00\x00\x21\x02\xf0\x80\x32\x07\x00" + "\x00\x03\x00\x00\x08\x00\x08\x00\x01\x12" + "\x04\x11\x44\x01\x00\xff\x09\x00\x04\x01" + "\x32\x00\x04"; -unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00" "\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12" "\x04\x11\x45\x01\x00\xff\x09\x00\x08"; +unsigned char p_s7_password_request[] = "\x03\x00\x00\x25\x02\xf0\x80\x32\x07\x00" + "\x00\x00\x00\x00\x08\x00\x0c\x00\x01\x12" + "\x04\x11\x45\x01\x00\xff\x09\x00\x08"; - -int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *pass, buffer[1024]; char context[S7PASSLEN + 1]; @@ -45,7 +54,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c } // send p_cotp and check first 2 bytes of answer - if (hydra_send(s, (char *) p_cotp, 22, 0) < 0) + if (hydra_send(s, (char *)p_cotp, 22, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret = hydra_recv_nb(s, buffer, sizeof(buffer)); 
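Review bot: In the `@@ -45,7` hunk, `hydra_send(s, (char *)p_cotp, 22, 0)` repeats the packet length as a magic number that must be kept in sync by hand with the string literal defined in the hunk above (and again as 25 and 33 for the other two templates, with a second copy of all three in service_s7_300_init); `sizeof(p_cotp) - 1` is the same value derived from the array and cannot drift when a byte is added to the template. The `- 1` matters because the templates are initialised as string literals and so carry a trailing NUL that plain `sizeof` would include. Suggested: `if (hydra_send(s, (char *)p_cotp, sizeof(p_cotp) - 1, 0) < 0)`, and likewise for p_s7_negotiate_pdu and p_s7_read_szl. start_s7_300 begins in the previous hunk and continues past this one.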
@@ -57,7 +66,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c return 3; // send p_s7_negotiate_pdu and check first 2 bytes of answer - if (hydra_send(s, (char *) p_s7_negotiate_pdu, 25, 0) < 0) + if (hydra_send(s, (char *)p_s7_negotiate_pdu, 25, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret = hydra_recv_nb(s, buffer, sizeof(buffer)); @@ -69,7 +78,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c return 3; // send p_s7_read_szl and check first 2 bytes of answer - if (hydra_send(s, (char *) p_s7_read_szl, 33, 0) < 0) + if (hydra_send(s, (char *)p_s7_read_szl, 33, 0) < 0) return 1; memset(buffer, 0, sizeof(buffer)); ret = hydra_recv_nb(s, buffer, sizeof(buffer)); @@ -108,7 +117,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c } if (buffer[27] == '\xd6' && buffer[28] == '\x05') { - //hydra_report_found_host(port, ip, "s7-300", fp); + // hydra_report_found_host(port, ip, "s7-300", fp); hydra_completed_pair_found(); hydra_report(stderr, "[INFO] No password protection enabled\n"); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) @@ -124,7 +133,7 @@ int32_t start_s7_300(int32_t s, char *ip, int32_t port, unsigned char options, c return 1; } -void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t s7port = PORT_S7_300; 
@@ -136,21 +145,21 @@ void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ sock = hydra_connect_tcp(ip, s7port); if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = start_s7_300(sock, ip, s7port, options, miscptr, fp); sock = hydra_disconnect(sock); break; - case 2: /* clean exit */ + case 2: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); @@ -163,13 +172,13 @@ void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, } } -int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // 1 skip target without generating an error @@ -211,7 +220,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m } // send p_cotp and check first 2 bytes of answer - if (hydra_send(sock, (char *) p_cotp, 22, 0) < 0) { + if (hydra_send(sock, (char *)p_cotp, 22, 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service\n"); return 3; } 
@@ -226,7 +235,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m return 3; } // send p_s7_negotiate_pdu and check first 2 bytes of answer - if (hydra_send(sock, (char *) p_s7_negotiate_pdu, 25, 0) < 0) { + if (hydra_send(sock, (char *)p_s7_negotiate_pdu, 25, 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service (2)\n"); return 3; } @@ -241,7 +250,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m return 3; } // send p_s7_read_szl and check first 2 bytes of answer - if (hydra_send(sock, (char *) p_s7_read_szl, 33, 0) < 0) { + if (hydra_send(sock, (char *)p_s7_read_szl, 33, 0) < 0) { fprintf(stderr, "[ERROR] can not send data to service (3)\n"); return 3; } @@ -276,7 +285,8 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m // 0xd602 - wrong password if (ret > 30) { if ((buffer[27] == '\x00' && buffer[28] == '\x00') || (buffer[27] == '\xd6' && buffer[28] == '\x05')) { - hydra_report(stderr, "[INFO] No password protection enabled, no password tests are necessary!\n"); + hydra_report(stderr, "[INFO] No password protection enabled, no password " + "tests are necessary!\n"); return 1; } } @@ -286,6 +296,7 @@ int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *m return 0; } -void usage_s7_300(const char* service) { - printf("Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.\n\n"); +void usage_s7_300(const char *service) { + printf("Module S7-300 is for a special Siemens PLC. It either requires only a " + "password or no authentication, so just use the -p or -P option.\n\n"); } diff --git a/hydra-sapr3.c b/hydra-sapr3.c index c3b729d..76ce7b7 100644 --- a/hydra-sapr3.c +++ b/hydra-sapr3.c 
@@ -1,25 +1,24 @@ #include "hydra-mod.h" // checked for memleaks on 110425, none found #ifndef LIBSAPR3 -void dummy_sapr3() { - printf("\n"); -} +void dummy_sapr3() { printf("\n"); } #else -#include #include +#include /* temporary workaround fix */ const int32_t *__ctype_tolower; const int32_t *__ctype_toupper; const int32_t *__ctype_b; -extern void flood(); /* for -lm */ +extern void flood(); /* for -lm */ +extern hydra_option hydra_options; extern char *HYDRA_EXIT; RFC_ERROR_INFO_EX error_info; -int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { RFC_HANDLE handle; char *empty = ""; char *login, *pass, buffer[1024]; @@ -28,7 +27,8 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch int32_t sysnr = port % 100; char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0"; -// char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y ABAP_DEBUG=Y"; + // char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y + // ABAP_DEBUG=Y"; if (strlen(login = hydra_get_next_login()) == 0) login = empty; 
@@ -37,36 +37,37 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch if (strlen(login) > 0) for (i = 0; i < strlen(login); i++) - login[i] = (char) toupper(login[i]); + login[i] = (char)toupper(login[i]); if (strlen(pass) > 0) for (i = 0; i < strlen(pass); i++) - pass[i] = (char) toupper(pass[i]); + pass[i] = (char)toupper(pass[i]); memset(buffer, 0, sizeof(buffer)); memset(&error_info, 0, sizeof(error_info)); -//strcpy(buf, "mvse001"); + // strcpy(buf, "mvse001"); snprintf(buffer, sizeof(buffer), "ASHOST=%s SYSNR=%02d CLIENT=%03d USER=\"%s\" PASSWD=\"%s\" LANG=DE %s", hydra_address2string(ip), sysnr, atoi(miscptr), login, pass, opts); -/* - USER=SAPCPIC PASSWORD=admin - USER=SAP* PASSWORD=PASS + /* + USER=SAPCPIC PASSWORD=admin + USER=SAP* PASSWORD=PASS - ## do we need these options? - SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N + ## do we need these options? + SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N - ASHOST= // IP - SYSNR= // port - 3200, scale 2 - CLIENT= // miscptr, scale 2 - ABAP_DEBUG=0 - USER= - PASSWD= - LANG=DE -*/ -//printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer); + ASHOST= // IP + SYSNR= // port - 3200, scale 2 + CLIENT= // miscptr, scale 2 + ABAP_DEBUG=0 + USER= + PASSWD= + LANG=DE + */ + // printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer); handle = RfcOpenEx(buffer, &error_info); -//printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, error_info.message); + // printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key, + // error_info.message); if (handle <= RFC_HANDLE_NULL) return 3; 
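Review bot: `pass[i] = (char)toupper(pass[i]);` upper-cases every candidate in place before it reaches RfcOpenEx, which is only correct for SAP systems whose password hash is case-insensitive (the pre-NetWeaver 7.0 code versions); with CODVN H (NetWeaver 7.0+) passwords are case-sensitive, so a candidate such as `Secret1` is never tried as typed and the module returns false negatives against such targets. Consider making the upper-casing conditional (a module option via miscptr, or at least a note in usage_sapr3) rather than unconditional. The same block interpolates `login` and `pass` unescaped into `USER=\"%s\" PASSWD=\"%s\"`, so a candidate containing `"` or a space breaks the connect-string syntax and can inject further RFC options; either skip such candidates with a warning or escape the quote. Because the wordlist buffers are modified in place, the pair reported by hydra_completed_pair_found is presumably the upper-cased copy, which is worth stating in usage_sapr3 as well.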
@@ -89,7 +90,7 @@ int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, ch return 1; } -void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; hydra_register_socket(sp); @@ -97,12 +98,14 @@ void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, F return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ next_run = start_sapr3(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 2: hydra_child_exit(0); - case 3: /* clean exit */ + case 3: /* clean exit */ fprintf(stderr, "[ERROR] could not connect to target port %d\n", port); hydra_child_exit(1); case 4: @@ -117,13 +120,13 @@ void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, F #endif -int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
@@ -131,6 +134,4 @@ int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *mi return 0; } -void usage_sapr3(const char* service) { - printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); -} +void usage_sapr3(const char *service) { printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); } diff --git a/hydra-sip.c b/hydra-sip.c index 22de26c..c9d71d2 100644 --- a/hydra-sip.c +++ b/hydra-sip.c @@ -1,4 +1,4 @@ -/* simple sip digest auth (md5) module 2009/02/19 +/* simple sip digest auth (md5) module 2009/02/19 * written by gh0st 2005 * modified by Jean-Baptiste Aviat - should * work now, but only with -T 1 @@ -10,13 +10,11 @@ #ifndef LIBOPENSSL #include -void dummy_sip() { - printf("\n"); -} +void dummy_sip() { printf("\n"); } #else -#include #include "sasl.h" +#include extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); @@ -25,8 +23,7 @@ char *get_iface_ip(uint64_t ip); int32_t cseq; extern char *HYDRA_EXIT; - -#define SIP_MAX_BUF 1024 +#define SIP_MAX_BUF 1024 void empty_register(char *buf, char *host, char *lhost, int32_t port, int32_t lport, char *user) { memset(buf, 0, SIP_MAX_BUF); @@ -45,13 +42,13 @@ int32_t get_sip_code(char *buf) { int32_t code; char tmpbuf[SIP_MAX_BUF], word[SIP_MAX_BUF]; - if (sscanf(buf, "%s %i %s", tmpbuf, &code, word) != 3) + if (sscanf(buf, "%256s %i %256s", tmpbuf, &code, word) != 3) return -1; return code; } -int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, unsigned char options, char *miscptr, FILE * fp) { - char *login, *pass, *host, buffer[SIP_MAX_BUF]; +int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, unsigned char options, char *miscptr, FILE *fp) { + char *login, *pass, *host, buffer[SIP_MAX_BUF], *result = NULL; int32_t i; char buf[SIP_MAX_BUF]; 
@@ -81,7 +78,7 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u while (try < 2 && !has_sip_cred) { try++; if (hydra_data_ready_timed(s, 3, 0) > 0) { - i = hydra_recv(s, (char *) buf, sizeof(buf) - 1); + i = hydra_recv(s, (char *)buf, sizeof(buf) - 1); if (i > 0) buf[i] = '\0'; if (strncmp(buf, "SIP/2.0 404", 11) == 0) { @@ -94,17 +91,21 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u // if we already tried to connect, exit if (external_ip_addr[0]) { - hydra_report(stdout, "[ERROR] Get error code 606 : session is not acceptable by the server\n"); + hydra_report(stdout, "[ERROR] Get error code 606 : session is not " + "acceptable by the server\n"); return 2; } if (verbose) - hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not acceptable by the server,\n" - "maybe it's an addressing issue as you are using NAT, trying to reconnect\n" "using addr from the server reply\n"); - /* - SIP/2.0 606 Not Acceptable - Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137 - */ + hydra_report(stdout, "[VERBOSE] Get error code 606 : session is not " + "acceptable by the server,\n" + "maybe it's an addressing issue as you are " + "using NAT, trying to reconnect\n" + "using addr from the server reply\n"); + /* + SIP/2.0 606 Not Acceptable + Via: SIP/2.0/UDP 192.168.0.21:46759;received=82.227.229.137 + */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "Via: SIP.*received=")) { ptr = strstr(buf, "received="); 
@@ -135,7 +136,9 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u hydra_report(stderr, "[INFO] S: %s\n", buf); char buffer2[512]; - sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL); + result = sasl_digest_md5(buffer2, login, pass, strstr(buf, "WWW-Authenticate: Digest") + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL); + if (result == NULL) + return 3; memset(buffer, 0, SIP_MAX_BUF); snprintf(buffer, SIP_MAX_BUF, @@ -143,7 +146,11 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u "Via: SIP/2.0/UDP %s:%i\n" "From: \n" "To: \n" - "Call-ID: 1337@%s\n" "CSeq: %i REGISTER\n" "Authorization: Digest %s\n" "Content-Length: 0\n\n", host, lip, lport, login, host, login, host, host, cseq, buffer2); + "Call-ID: 1337@%s\n" + "CSeq: %i REGISTER\n" + "Authorization: Digest %s\n" + "Content-Length: 0\n\n", + host, lip, lport, login, host, login, host, host, cseq, buffer2); cseq++; if (debug) @@ -159,7 +166,7 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u try++; if (hydra_data_ready_timed(s, 5, 0) > 0) { memset(buf, 0, sizeof(buf)); - if ((i = hydra_recv(s, (char *) buf, sizeof(buf) - 1)) >= 0) + if ((i = hydra_recv(s, (char *)buf, sizeof(buf) - 1)) >= 0) buf[i] = 0; if (debug) hydra_report(stderr, "[INFO] S: %s\n", buf); 
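Review bot: The added NULL check covers the return value of sasl_digest_md5 but not its input: `strstr(buf, "WWW-Authenticate: Digest")` returns NULL when the header is absent, and the `+ strlen(...) + 1` that follows then forms an invalid pointer before the call is even made, unless a check outside the hunk already guarantees the header is present. Taking the strstr result first and guarding it keeps the new failure path consistent: `char *auth = strstr(buf, "WWW-Authenticate: Digest"); if (auth == NULL) return 3;` and then `result = sasl_digest_md5(buffer2, login, pass, auth + strlen("WWW-Authenticate: Digest") + 1, host, "sip", NULL, 0, NULL);`. The new `return 3` is also undocumented while the other exits of this function visible in the diff use 1 and 2; a one-line comment stating what the caller does with 3 would help. start_sip begins and ends outside this hunk.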
@@ -182,17 +189,18 @@ int32_t start_sip(int32_t s, char *ip, char *lip, int32_t port, int32_t lport, u return 1; } -void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_SIP, mysslport = PORT_SIP_SSL; - char *lip = get_iface_ip((int32_t) *(&ip[1])); + char *lip = get_iface_ip((int32_t) * (&ip[1])); hydra_register_socket(sp); // FIXME IPV6 if (ip[0] != 4) { - fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are appreciated.\n"); + fprintf(stderr, "[ERROR] sip module is not ipv6 enabled yet, patches are " + "appreciated.\n"); hydra_child_exit(2); } @@ -224,7 +232,7 @@ void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); free(lip); hydra_child_exit(1); } @@ -263,7 +271,7 @@ char *get_iface_ip(uint64_t ip) { tparamet.sin_port = htons(2000); tparamet.sin_addr.s_addr = ip; - if (connect(sfd, (const struct sockaddr *) &tparamet, sizeof(struct sockaddr_in))) { + if (connect(sfd, (const struct sockaddr *)&tparamet, sizeof(struct sockaddr_in))) { perror("connect"); close(sfd); return NULL; @@ -271,7 +279,7 @@ char *get_iface_ip(uint64_t ip) { struct sockaddr_in *local = malloc(sizeof(struct sockaddr_in)); int32_t size = sizeof(struct sockaddr_in); - if (getsockname(sfd, (void *) local, (socklen_t *) & size)) { + if (getsockname(sfd, (void *)local, (socklen_t *)&size)) { perror("getsockname"); close(sfd); free(local); 
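Review bot: `get_iface_ip((int32_t) * (&ip[1]))` in service_sip dereferences a single `char` and widens it, so only the byte at `ip[1]` ever reaches get_iface_ip, which assigns its argument to `sin_addr.s_addr` in the hunks further down; the formatter did not change the expression, it only made it more visible. If `ip[1..4]` hold the four address bytes, as the `ip[0] != 4` family check in the same hunk suggests, the intended read is the whole 32-bit value: `uint32_t addr; memcpy(&addr, &ip[1], sizeof(addr)); char *lip = get_iface_ip(addr);`. memcpy also avoids the unaligned access that a `*(int32_t *)&ip[1]` cast would introduce. service_sip continues past the end of this hunk.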
@@ -281,7 +289,7 @@ char *get_iface_ip(uint64_t ip) { char buff[32]; - if (!inet_ntop(AF_INET, (void *) &local->sin_addr, buff, 32)) { + if (!inet_ntop(AF_INET, (void *)&local->sin_addr, buff, 32)) { perror("inet_ntop"); free(local); return NULL; @@ -295,13 +303,13 @@ char *get_iface_ip(uint64_t ip) { #endif -int32_t service_sip_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_sip_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-smb.c b/hydra-smb.c index 0337ffd..0db54da 100644 --- a/hydra-smb.c +++ b/hydra-smb.c @@ -1,17 +1,14 @@ #include "hydra-mod.h" #ifndef LIBOPENSSL -void dummy_smb() { - printf("\n"); -} +void dummy_smb() { printf("\n"); } #else -#include -#include #include "hmacmd5.h" #include "sasl.h" +#include +#include // FIXME XXX BUG: several malloc()s without return code checking - /* http://technet.microsoft.com/en-us/library/cc960646.aspx 
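Review bot: On the inet_ntop failure path in get_iface_ip the socket is not released: the block frees `local` and returns NULL without `close(sfd)`, whereas the connect and getsockname failure paths in the two preceding hunks both close it, unless sfd is already closed between the getsockname check and this one. Adding `close(sfd);` before `free(local);` keeps the three error paths consistent and avoids leaking a descriptor in the child on every failed lookup. get_iface_ip begins before this hunk.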
@@ -41,10 +38,10 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx Based on code from: SMB Auditing Tool [Copyright (C) Patrik Karlsson 2001] This code allows Hydra to directly test NTLM hashes against - a Windows. This may be useful for an auditor who has aquired - a sam._ or pwdump file and would like to quickly determine - which are valid entries. This module can also be used to test - SMB passwords against devices that do not allow clear text + a Windows. This may be useful for an auditor who has aquired + a sam._ or pwdump file and would like to quickly determine + which are valid entries. This module can also be used to test + SMB passwords against devices that do not allow clear text LanMan passwords. The "-m 'METHOD'" option is required for this module. The 
@@ -54,23 +51,23 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx Local == Check local account. Domain == Check credentials against this hosts primary domain controller via this host. - Hash == Use a NTLM hash rather than a password. - Machine == Use the Machine's NetBIOS name as the password. + Hash == Use a NTLM hash rather than a password. + Machine == Use the Machine's NetBIOS name as the password. NTLMV2, NTLM, LMV2, LM == set the dialect Be careful of mass domain account lockout with this. For - example, assume you are checking several accounts against + example, assume you are checking several accounts against many domain workstations. If you are not using the 'L' - options and these accounts do not exist locally on the + options and these accounts do not exist locally on the workstations, each workstation will in turn check their - respective domain controller. This could cause a bunch of - lockouts. Of course, it'd look like the workstations, not + respective domain controller. This could cause a bunch of + lockouts. Of course, it'd look like the workstations, not you, were doing it. ;) **FYI, this code is unable to test accounts on default XP hosts which are not part of a domain and do not have normal file sharing enabled. Default XP does not allow shares and - returns STATUS_LOGON_FAILED for both valid and invalid + returns STATUS_LOGON_FAILED for both valid and invalid credentials. XP with simple sharing enabled returns SUCCESS for both valid and invalid credentials. If anyone knows a way to test in these configurations... 
@@ -80,29 +77,25 @@ http://technet.microsoft.com/en-us/library/cc960646.aspx #define WIN2000_NATIVEMODE 1 #define WIN_NETBIOSMODE 2 - #define PLAINTEXT 10 #define ENCRYPTED 11 - #ifndef CHAR_BIT #define CHAR_BIT 8 #endif #ifndef TIME_T_MIN -#define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \ - : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)) +#define TIME_T_MIN ((time_t)0 < (time_t)-1 ? (time_t)0 : ~(time_t)0 << (sizeof(time_t) * CHAR_BIT - 1)) #endif #ifndef TIME_T_MAX -#define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN) +#define TIME_T_MAX (~(time_t)0 - TIME_T_MIN) #endif -#define IVAL_NC(buf,pos) (*(uint32_t *)((char *)(buf) + (pos))) /* Non const version of above. */ -#define SIVAL(buf,pos,val) IVAL_NC(buf,pos)=((uint32_t)(val)) +#define IVAL_NC(buf, pos) (*(uint32_t *)((char *)(buf) + (pos))) /* Non const version of above. */ +#define SIVAL(buf, pos, val) IVAL_NC(buf, pos) = ((uint32_t)(val)) #define TIME_FIXUP_CONSTANT_INT 11644473600LL - extern char *HYDRA_EXIT; static unsigned char challenge[8]; static unsigned char workgroup[16]; 
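Review bot: The reformatted `TIME_T_MIN` fallback still left-shifts a negative operand, `~(time_t)0 << (sizeof(time_t) * CHAR_BIT - 1)`, which is undefined behaviour in C whenever `time_t` is signed — exactly the case the ternary selects. Computing the bit pattern in an unsigned type and converting, `(time_t)((uintmax_t)1 << (sizeof(time_t) * CHAR_BIT - 1))`, yields the same value on the usual two's-complement targets without shifting a signed value. The `SIVAL` macro in the same hunk expands to an unparenthesised assignment, so `SIVAL(...) + 1` or a use inside a larger expression would not parse as a reader expects; wrapping the expansion in parentheses costs nothing.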
@@ -113,43 +106,43 @@ int32_t hashFlag, accntFlag, protoFlag; int32_t smb_auth_mechanism = AUTH_NTLM; int32_t security_mode = ENCRYPTED; -static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out, int32_t outsize) -{ - int32_t i=0,j=0; +static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out, int32_t outsize) { + int32_t i = 0, j = 0; uint64_t ch; if (debug) { - hydra_report(stderr, "[DEBUG] UTF8_UTF16LE in:\n"); - hydra_dump_asciihex(in, insize); + hydra_report(stderr, "[DEBUG] UTF8_UTF16LE in:\n"); + hydra_dump_asciihex(in, insize); } - for (i = 0; i < insize; i++) { - if (in[i] < 128) { // one byte - out[j] = in[i]; - out[j+1] = 0; - j=j+2; - } else if ((in[i] >= 0xc0) && (in[i] <= 0xdf)) { // Two bytes - out[j+1] = 0x07 & (in[i] >> 2); - out[j] = (0xc0 & (in[i] << 6)) | (0x3f & in[i+1]); - j=j+2; - i=i+1; - } else if ((in[i] >= 0xe0) && (in[i] <= 0xef)) { // Three bytes - out[j] = (0xc0 & (in[i+1] << 6)) | (0x3f & in[i+2]); - out[j+1] = (0xf0 & (in[i] << 4)) | (0x0f & (in[i+1] >> 2)); - j=j+2; - i=i+2; - } else if ((in[i] >= 0xf0) && (in[i] <= 0xf7)) { // Four bytes - ch = ((in[i] & 0x07) << 18) + ((0x3f & in[i+1]) << 12) + ((0x3f & in[i+2]) << 6) + (0x3f & in[i+3])- 0x10000; - out[j] = (ch >> 10) & 0xff; - out[j+1] = 0xd8 | ((ch >> 18) & 0xff); - out[j+2] = ch & 0xff; - out[j+3] = 0xdc | ((ch >> 8) & 0x3 ); - j=j+4; - i=i+3; - } - if ( j-2 > outsize) break; + for (i = 0; i < insize; i++) { + if (in[i] < 128) { // one byte + out[j] = in[i]; + out[j + 1] = 0; + j = j + 2; + } else if ((in[i] >= 0xc0) && (in[i] <= 0xdf)) { // Two bytes + out[j + 1] = 0x07 & (in[i] >> 2); + out[j] = (0xc0 & (in[i] << 6)) | (0x3f & in[i + 1]); + j = j + 2; + i = i + 1; + } else if ((in[i] >= 0xe0) && (in[i] <= 0xef)) { // Three bytes + out[j] = (0xc0 & (in[i + 1] << 6)) | (0x3f & in[i + 2]); + out[j + 1] = (0xf0 & (in[i] << 4)) | (0x0f & (in[i + 1] >> 2)); + j = j + 2; + i = i + 2; + } else if ((in[i] >= 0xf0) && (in[i] <= 0xf7)) { // 
Four bytes + ch = ((in[i] & 0x07) << 18) + ((0x3f & in[i + 1]) << 12) + ((0x3f & in[i + 2]) << 6) + (0x3f & in[i + 3]) - 0x10000; + out[j] = (ch >> 10) & 0xff; + out[j + 1] = 0xd8 | ((ch >> 18) & 0xff); + out[j + 2] = ch & 0xff; + out[j + 3] = 0xdc | ((ch >> 8) & 0x3); + j = j + 4; + i = i + 3; + } + if (j - 2 > outsize) + break; } if (debug) { - hydra_report(stderr, "[DEBUG] UTF8_UTF16LE out:\n"); - hydra_dump_asciihex(out,j); + hydra_report(stderr, "[DEBUG] UTF8_UTF16LE out:\n"); + hydra_dump_asciihex(out, j); } return j; } @@ -157,8 +150,8 @@ static size_t UTF8_UTF16LE(unsigned char *in, int32_t insize, unsigned char *out static unsigned char Get7Bits(unsigned char *input, int32_t startBit) { register uint32_t word; - word = (unsigned) input[startBit / 8] << 8; - word |= (unsigned) input[startBit / 8 + 1]; + word = (unsigned)input[startBit / 8] << 8; + word |= (unsigned)input[startBit / 8 + 1]; word >>= 15 - (startBit % 8 + 7); @@ -176,7 +169,7 @@ static void MakeKey(unsigned char *key, unsigned char *DES_key) { DES_key[6] = Get7Bits(key, 42); DES_key[7] = Get7Bits(key, 49); - DES_set_odd_parity((DES_cblock *) DES_key); + DES_set_odd_parity((DES_cblock *)DES_key); } /* Do the DesEncryption */ @@ -186,7 +179,7 @@ void DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher) MakeKey(key, DES_key); DES_set_key(&DES_key, &key_schedule); - DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cipher, &key_schedule, 1); + DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, &key_schedule, 1); } /* 
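Review bot: UTF8_UTF16LE writes before it checks: each branch stores up to `out[j + 3]` and only afterwards tests `if (j - 2 > outsize) break;`, so with exactly `outsize` bytes of room the last iteration can still write past the end of `out`, and the two-, three- and four-byte branches read `in[i + 1]`..`in[i + 3]` without confirming those bytes lie within `insize`. Moving the space check to the top of each branch and rejecting truncated sequences closes both gaps and leaves the output unchanged for well-formed input that fits. The caller in MakeNTLM passes `strlen(pass)` and `sizeof(unicodePassword)`, so a password ending in a truncated multi-byte sequence currently reads past its terminator.
```c
  for (i = 0; i < insize; i++) {
    if (in[i] < 128) { // one byte
      if (j + 2 > outsize)
        break; /* no room for another code unit */
      // … unchanged: one-byte store …
    } else if ((in[i] >= 0xc0) && (in[i] <= 0xdf)) { // Two bytes
      if (i + 1 >= insize || j + 2 > outsize)
        break; /* truncated sequence or no room */
      // … unchanged: two-byte conversion …
    } else if ((in[i] >= 0xe0) && (in[i] <= 0xef)) { // Three bytes
      if (i + 2 >= insize || j + 2 > outsize)
        break;
      // … unchanged: three-byte conversion …
    } else if ((in[i] >= 0xf0) && (in[i] <= 0xf7)) { // Four bytes
      if (i + 3 >= insize || j + 4 > outsize)
        break; /* surrogate pair needs four output bytes */
      // … unchanged: four-byte conversion …
    }
    // the trailing `if (j - 2 > outsize) break;` is no longer needed
  }
```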
@@ -198,7 +191,7 @@ void DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher) challenge = the challenge recieved from the server */ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *challenge) { - static unsigned char magic[] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 }; + static unsigned char magic[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; unsigned char password[14 + 1]; unsigned char lm_hash[21]; unsigned char lm_response[24]; @@ -237,25 +230,25 @@ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *chall for (i = 0; i < 16; i++) { HexValue = 0x0; for (j = 0; j < 2; j++) { - HexChar = (char) p[2 * i + j]; + HexChar = (char)p[2 * i + j]; if (HexChar > 0x39) - HexChar = HexChar | 0x20; /* convert upper case to lower */ + HexChar = HexChar | 0x20; /* convert upper case to lower */ - if (!(((HexChar >= 0x30) && (HexChar <= 0x39)) || /* 0 - 9 */ - ((HexChar >= 0x61) && (HexChar <= 0x66)))) { /* a - f */ + if (!(((HexChar >= 0x30) && (HexChar <= 0x39)) || /* 0 - 9 */ + ((HexChar >= 0x61) && (HexChar <= 0x66)))) { /* a - f */ hydra_report(stderr, "[ERROR] Invalid char (%c) for hash.\n", HexChar); HexChar = 0x30; } HexChar -= 0x30; - if (HexChar > 0x09) /* HexChar is "a" - "f" */ + if (HexChar > 0x09) /* HexChar is "a" - "f" */ HexChar -= 0x27; - HexValue = (HexValue << 4) | (char) HexChar; + HexValue = (HexValue << 4) | (char)HexChar; } - lm_hash[i] = (unsigned char) HexValue; + lm_hash[i] = (unsigned char)HexValue; } } } else { 
@@ -263,15 +256,15 @@ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *chall if (hashFlag == 2) { for (i = 0; i < 16; i++) { if (machine_name[i] > 0x39) - machine_name[i] = machine_name[i] | 0x20; /* convert upper case to lower */ + machine_name[i] = machine_name[i] | 0x20; /* convert upper case to lower */ pass = machine_name; } } /* convert lower case characters to upper case */ - strncpy((char *) password, (char *) pass, 14); + strncpy((char *)password, (char *)pass, 14); for (i = 0; i < 14; i++) { - if ((password[i] >= 0x61) && (password[i] <= 0x7a)) /* a - z */ + if ((password[i] >= 0x61) && (password[i] <= 0x7a)) /* a - z */ password[i] -= 0x20; } @@ -280,7 +273,7 @@ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *chall DesEncrypt(magic, &password[7], &lm_hash[8]); } - /* + /* NULL-pad 16-byte LM hash to 21-bytes Split resultant value into three 7-byte thirds DES-encrypt challenge using each third as a key @@ -295,15 +288,14 @@ int32_t HashLM(unsigned char **lmhash, unsigned char *pass, unsigned char *chall return 0; } - /* MakeNTLM - Function: Create a NTLM hash from the password + Function: Create a NTLM hash from the password */ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) { MD4_CTX md4Context; - unsigned char hash[16]; /* MD4_SIGNATURE_SIZE = 16 */ - unsigned char unicodePassword[256 * 2]; /* MAX_NT_PASSWORD = 256 */ + unsigned char hash[16]; /* MD4_SIGNATURE_SIZE = 16 */ + unsigned char unicodePassword[256 * 2]; /* MAX_NT_PASSWORD = 256 */ int32_t i = 0, j = 0; int32_t mdlen; unsigned char *p = NULL; @@ -312,7 +304,8 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) { /* Use NTLM Hash instead of password */ if (hashFlag == 1) { - /* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: */ + /* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: + */ p = pass; while ((*p != '\0') && (i < 1)) { if (*p == ':') 
@@ -328,13 +321,13 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) { for (i = 0; i < 16; i++) { HexValue = 0x0; for (j = 0; j < 2; j++) { - HexChar = (char) p[2 * i + j]; + HexChar = (char)p[2 * i + j]; if (HexChar > 0x39) - HexChar = HexChar | 0x20; /* convert upper case to lower */ + HexChar = HexChar | 0x20; /* convert upper case to lower */ - if (!(((HexChar >= 0x30) && (HexChar <= 0x39)) || /* 0 - 9 */ - ((HexChar >= 0x61) && (HexChar <= 0x66)))) { /* a - f */ + if (!(((HexChar >= 0x30) && (HexChar <= 0x39)) || /* 0 - 9 */ + ((HexChar >= 0x61) && (HexChar <= 0x66)))) { /* a - f */ /* * fprintf(stderr, "Error invalid char (%c) for hash.\n", HexChar); * hydra_child_exit(0); @@ -343,19 +336,19 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) { } HexChar -= 0x30; - if (HexChar > 0x09) /* HexChar is "a" - "f" */ + if (HexChar > 0x09) /* HexChar is "a" - "f" */ HexChar -= 0x27; - HexValue = (HexValue << 4) | (char) HexChar; + HexValue = (HexValue << 4) | (char)HexChar; } - hash[i] = (unsigned char) HexValue; + hash[i] = (unsigned char)HexValue; } } else { /* Password == Machine Name */ if (hashFlag == 2) { for (i = 0; i < 16; i++) { if (machine_name[i] > 0x39) - machine_name[i] = machine_name[i] | 0x20; /* convert upper case to lower */ + machine_name[i] = machine_name[i] | 0x20; /* convert upper case to lower */ pass = machine_name; } } 
@@ -363,13 +356,13 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) { /* Initialize the Unicode version of the secret (== password). */ /* This implicitly supports most UTF8 characters. */ - j = UTF8_UTF16LE(pass, strlen((char *) pass), unicodePassword, sizeof(unicodePassword)); + j = UTF8_UTF16LE(pass, strlen((char *)pass), unicodePassword, sizeof(unicodePassword)); - mdlen = j; /* length in bytes */ + mdlen = j; /* length in bytes */ MD4_Init(&md4Context); MD4_Update(&md4Context, unicodePassword, mdlen); - MD4_Final(hash, &md4Context); /* Tell MD4 we're done */ + MD4_Final(hash, &md4Context); /* Tell MD4 we're done */ } memcpy(ntlmhash, hash, 16); @@ -379,9 +372,9 @@ int32_t MakeNTLM(unsigned char *ntlmhash, unsigned char *pass) { /* HashLMv2 - This function implements the LMv2 response algorithm. The LMv2 response is used to - provide pass-through authentication compatibility with older servers. The response - is based on the NTLM password hash and is exactly 24 bytes. + This function implements the LMv2 response algorithm. The LMv2 response is + used to provide pass-through authentication compatibility with older servers. + The response is based on the NTLM password hash and is exactly 24 bytes. The below code is based heavily on the following resources: @@ -397,7 +390,7 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char HMACMD5Context ctx; unsigned char kr_buf[16]; int32_t ret, i; - unsigned char client_challenge[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 }; + unsigned char client_challenge[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}; memset(ntlm_hash, 0, 16); memset(lmv2_response, 0, 24); 
@@ -406,52 +399,54 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char /* --- HMAC #1 Caculations --- */ /* Calculate and set NTLM password hash */ - ret = MakeNTLM((unsigned char *) &ntlm_hash, (unsigned char *) szPassword); + ret = MakeNTLM((unsigned char *)&ntlm_hash, (unsigned char *)szPassword); if (ret == -1) return -1; /* - The Unicode uppercase username is concatenated with the Unicode authentication target - (the domain or server name specified in the Target Name field of the Type 3 message). - Note that this calculation always uses the Unicode representation, even if OEM encoding - has been negotiated; also note that the username is converted to uppercase, while the - authentication target is case-sensitive and must match the case presented in the Target + The Unicode uppercase username is concatenated with the Unicode + authentication target (the domain or server name specified in the Target + Name field of the Type 3 message). Note that this calculation always uses + the Unicode representation, even if OEM encoding has been negotiated; also + note that the username is converted to uppercase, while the authentication + target is case-sensitive and must match the case presented in the Target Name field. - The HMAC-MD5 message authentication code algorithm (described in RFC 2104) is applied to - this value using the 16-byte NTLM hash as the key. This results in a 16-byte value - the - NTLMv2 hash. + The HMAC-MD5 message authentication code algorithm (described in RFC 2104) + is applied to this value using the 16-byte NTLM hash as the key. This + results in a 16-byte value - the NTLMv2 hash. */ /* Initialize the Unicode version of the username and target. */ /* This implicitly supports 8-bit ISO8859/1 characters. 
*/ /* convert lower case characters to upper case */ bzero(unicodeUsername, sizeof(unicodeUsername)); - for (i = 0; i < strlen((char *) szLogin); i++) { - if ((szLogin[i] >= 0x61) && (szLogin[i] <= 0x7a)) /* a - z */ - unicodeUsername[i * 2] = (unsigned char) szLogin[i] - 0x20; + for (i = 0; i < strlen((char *)szLogin); i++) { + if ((szLogin[i] >= 0x61) && (szLogin[i] <= 0x7a)) /* a - z */ + unicodeUsername[i * 2] = (unsigned char)szLogin[i] - 0x20; else - unicodeUsername[i * 2] = (unsigned char) szLogin[i]; + unicodeUsername[i * 2] = (unsigned char)szLogin[i]; } bzero(unicodeTarget, sizeof(unicodeTarget)); - for (i = 0; i < strlen((char *) workgroup); i++) - unicodeTarget[i * 2] = (unsigned char) workgroup[i]; + for (i = 0; i < strlen((char *)workgroup); i++) + unicodeTarget[i * 2] = (unsigned char)workgroup[i]; hmac_md5_init_limK_to_64(ntlm_hash, 16, &ctx); - hmac_md5_update((const unsigned char *) unicodeUsername, 2 * strlen((char *) szLogin), &ctx); - hmac_md5_update((const unsigned char *) unicodeTarget, 2 * strlen((char *) workgroup), &ctx); + hmac_md5_update((const unsigned char *)unicodeUsername, 2 * strlen((char *)szLogin), &ctx); + hmac_md5_update((const unsigned char *)unicodeTarget, 2 * strlen((char *)workgroup), &ctx); hmac_md5_final(kr_buf, &ctx); /* --- HMAC #2 Calculations --- */ /* - The challenge from the Type 2 message is concatenated with our fixed client nonce. The HMAC-MD5 - message authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash - (calculated above) as the key. This results in a 16-byte output value. + The challenge from the Type 2 message is concatenated with our fixed client + nonce. The HMAC-MD5 message authentication code algorithm is applied to + this value using the 16-byte NTLMv2 hash (calculated above) as the key. + This results in a 16-byte output value. 
*/ hmac_md5_init_limK_to_64(kr_buf, 16, &ctx); - hmac_md5_update((const unsigned char *) challenge, 8, &ctx); + hmac_md5_update((const unsigned char *)challenge, 8, &ctx); hmac_md5_update(client_challenge, 8, &ctx); hmac_md5_final(lmv2_response, &ctx); @@ -468,12 +463,13 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char /* HashNTLMv2 - This function implements the NTLMv2 response algorithm. Support for this algorithm - was added with Microsoft Windows with NT 4.0 SP4. It should be noted that code doesn't - currently work with Microsoft Vista. While NTLMv2 authentication with Samba and Windows - 2003 functions as expected, Vista systems respond with the oh-so-helpful - "INVALID_PARAMETER" error code. LMv2-only authentication appears to work against Vista - in cases where LM and NTLM are refused. + This function implements the NTLMv2 response algorithm. Support for this + algorithm was added with Microsoft Windows with NT 4.0 SP4. It should be noted + that code doesn't currently work with Microsoft Vista. While NTLMv2 + authentication with Samba and Windows 2003 functions as expected, Vista + systems respond with the oh-so-helpful "INVALID_PARAMETER" error code. + LMv2-only authentication appears to work against Vista in cases where LM and + NTLM are refused. The below code is based heavily on the following two resources: @@ -482,7 +478,7 @@ int32_t HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char NTLMv2 network authentication is required when attempting to authenticated to a system which has the following policy enforced: - + GPO: "Network Security: LAN Manager authentication level" Setting: "Send NTLMv2 response only\refuse LM & NTLM" */ 
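Review bot: The NTLMv2 key derivation in HashLMv2 — uppercase the login into `unicodeUsername`, widen `workgroup` into `unicodeTarget`, HMAC-MD5 both under the NTLM hash into `kr_buf` — is repeated verbatim in HashNTLMv2 (hunk `@@ -526,69 +517,70 @@`), so any future fix has to land twice; a `static` helper along the lines of `static void ntlmv2_key(const unsigned char *ntlm_hash, const unsigned char *szLogin, unsigned char *kr_buf)` called from both would remove the duplication. Both copies index `unicodeUsername[i * 2]` for the full `strlen(szLogin)` with no bound against the array, whose size is declared outside the hunk; a check of `strlen((char *)szLogin)` against `sizeof(unicodeUsername) / 2` before the loop is cheap insurance unless the caller already limits login length. The `bzero` calls are legacy POSIX that newer standards have dropped; `memset(unicodeUsername, 0, sizeof(unicodeUsername))` is the portable spelling. HashLMv2 begins before this hunk.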
@@ -494,30 +490,25 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha HMACMD5Context ctx; unsigned char kr_buf[16]; int32_t ret, i, iTargetLen; - unsigned char client_challenge[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 }; + unsigned char client_challenge[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}; /* -- Example NTLMv2 Response Data -- - [0] HMAC: (16 bytes) + [0] HMAC: (16 bytes) [16] Header: Blob Signature [01 01 00 00] (4 bytes) [20] Reserved: [00 00 00 00] (4 bytes) - [24] Time: Little-endian, 64-bit signed value representing the number of - tenths of a microsecond since January 1, 1601. (8 bytes) - [32] Client Nonce: (8 bytes) - [40] Unknown: 00 00 00 00 (4 bytes) - [44] Target Information (from the Type 2 message) - NetBIOS domain/workgroup: - Type: domain 02 00 (2 bytes) - Length: 12 00 (2 bytes) - Name: WORKGROUP [NULL spacing -> 57 00 4f 00 ...] (18 bytes) - End-of-list: 00 00 00 00 (4 bytes) + [24] Time: Little-endian, 64-bit signed value representing the number + of tenths of a microsecond since January 1, 1601. (8 bytes) [32] Client + Nonce: (8 bytes) [40] Unknown: 00 00 00 00 (4 bytes) [44] Target + Information (from the Type 2 message) NetBIOS domain/workgroup: Type: + domain 02 00 (2 bytes) Length: 12 00 (2 bytes) Name: WORKGROUP [NULL + spacing -> 57 00 4f 00 ...] (18 bytes) End-of-list: 00 00 00 00 (4 bytes) Termination: 00 00 00 00 (4 bytes) */ - - iTargetLen = 2 * strlen((char *) workgroup); + iTargetLen = 2 * strlen((char *)workgroup); memset(ntlm_hash, 0, 16); memset(ntlmv2_response, 0, 56 + 20 * 2 + 256 * 2); 
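Review bot: The response-layout table in the HashNTLMv2 comment was reflowed into run-on prose by the formatter — `[32] Client` and `Nonce: (8 bytes)` now sit on different lines and the nested Target Information fields are merged into one paragraph — so the one-field-per-line reference the comment used to be is gone. Wrapping the table in `// clang-format off` and `// clang-format on` and restoring the original layout keeps the formatter from touching it again while leaving the rest of the file under its control. Any other ASCII table or sample-packet comment in these modules deserves the same treatment before the formatter is run again.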
@@ -526,69 +517,70 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha /* --- HMAC #1 Caculations --- */ /* Calculate and set NTLM password hash */ - ret = MakeNTLM((unsigned char *) &ntlm_hash, (unsigned char *) szPassword); + ret = MakeNTLM((unsigned char *)&ntlm_hash, (unsigned char *)szPassword); if (ret == -1) return -1; /* - The Unicode uppercase username is concatenated with the Unicode authentication target - (the domain or server name specified in the Target Name field of the Type 3 message). - Note that this calculation always uses the Unicode representation, even if OEM encoding - has been negotiated; also note that the username is converted to uppercase, while the - authentication target is case-sensitive and must match the case presented in the Target + The Unicode uppercase username is concatenated with the Unicode + authentication target (the domain or server name specified in the Target + Name field of the Type 3 message). Note that this calculation always uses + the Unicode representation, even if OEM encoding has been negotiated; also + note that the username is converted to uppercase, while the authentication + target is case-sensitive and must match the case presented in the Target Name field. - The HMAC-MD5 message authentication code algorithm (described in RFC 2104) is applied to - this value using the 16-byte NTLM hash as the key. This results in a 16-byte value - the - NTLMv2 hash. + The HMAC-MD5 message authentication code algorithm (described in RFC 2104) + is applied to this value using the 16-byte NTLM hash as the key. This + results in a 16-byte value - the NTLMv2 hash. */ /* Initialize the Unicode version of the username and target. */ /* This implicitly supports 8-bit ISO8859/1 characters. 
*/ /* convert lower case characters to upper case */ bzero(unicodeUsername, sizeof(unicodeUsername)); - for (i = 0; i < strlen((char *) szLogin); i++) { - if ((szLogin[i] >= 0x61) && (szLogin[i] <= 0x7a)) /* a - z */ - unicodeUsername[i * 2] = (unsigned char) szLogin[i] - 0x20; + for (i = 0; i < strlen((char *)szLogin); i++) { + if ((szLogin[i] >= 0x61) && (szLogin[i] <= 0x7a)) /* a - z */ + unicodeUsername[i * 2] = (unsigned char)szLogin[i] - 0x20; else - unicodeUsername[i * 2] = (unsigned char) szLogin[i]; + unicodeUsername[i * 2] = (unsigned char)szLogin[i]; } bzero(unicodeTarget, sizeof(unicodeTarget)); - for (i = 0; i < strlen((char *) workgroup); i++) - unicodeTarget[i * 2] = (unsigned char) workgroup[i]; + for (i = 0; i < strlen((char *)workgroup); i++) + unicodeTarget[i * 2] = (unsigned char)workgroup[i]; hmac_md5_init_limK_to_64(ntlm_hash, 16, &ctx); - hmac_md5_update((const unsigned char *) unicodeUsername, 2 * strlen((char *) szLogin), &ctx); - hmac_md5_update((const unsigned char *) unicodeTarget, 2 * strlen((char *) workgroup), &ctx); + hmac_md5_update((const unsigned char *)unicodeUsername, 2 * strlen((char *)szLogin), &ctx); + hmac_md5_update((const unsigned char *)unicodeTarget, 2 * strlen((char *)workgroup), &ctx); hmac_md5_final(kr_buf, &ctx); /* --- Blob Construction --- */ - memset(ntlmv2_response + 16, 1, 2); /* Blob Signature 0x01010000 */ + memset(ntlmv2_response + 16, 1, 2); /* Blob Signature 0x01010000 */ memset(ntlmv2_response + 18, 0, 2); - memset(ntlmv2_response + 20, 0, 4); /* Reserved */ + memset(ntlmv2_response + 20, 0, 4); /* Reserved */ /* Time -- Take a Unix time and convert to an NT TIME structure: - Little-endian, 64-bit signed value representing the number of tenths of a + Little-endian, 64-bit signed value representing the number of tenths of a microsecond since January 1, 1601. 
*/ struct timespec ts; unsigned long long nt; - ts.tv_sec = (time_t) time(NULL); + ts.tv_sec = (time_t)time(NULL); ts.tv_nsec = 0; if (ts.tv_sec == 0) nt = 0; else if (ts.tv_sec == TIME_T_MAX) nt = 0x7fffffffffffffffLL; - else if (ts.tv_sec == (time_t) - 1) - nt = (unsigned long) -1; + else if (ts.tv_sec == (time_t)-1) + nt = (unsigned long)-1; else { nt = ts.tv_sec; nt += TIME_FIXUP_CONSTANT_INT; - nt *= 1000 * 1000 * 10; /* nt is now in the 100ns units */ + nt *= 1000 * 1000 * 10; /* nt is now in the 100ns units */ } SIVAL(ntlmv2_response + 24, 0, nt & 0xFFFFFFFF); @@ -596,8 +588,8 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha /* End time calculation */ /* Set client challenge - using a non-random value in this case. */ - memcpy(ntlmv2_response + 32, client_challenge, 8); /* Client Nonce */ - memset(ntlmv2_response + 40, 0, 4); /* Unknown */ + memcpy(ntlmv2_response + 32, client_challenge, 8); /* Client Nonce */ + memset(ntlmv2_response + 40, 0, 4); /* Unknown */ /* Target Information Block */ /* 
@@ -606,26 +598,28 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha 0x0300 Fully-qualified DNS host name 0x0400 DNS domain name - TODO: Need to rework negotiation code to correctly extract target information + TODO: Need to rework negotiation code to correctly extract target + information */ - memset(ntlmv2_response + 44, 0x02, 1); /* Type: Domain */ + memset(ntlmv2_response + 44, 0x02, 1); /* Type: Domain */ memset(ntlmv2_response + 45, 0x00, 1); - memset(ntlmv2_response + 46, iTargetLen, 1); /* Length */ + memset(ntlmv2_response + 46, iTargetLen, 1); /* Length */ memset(ntlmv2_response + 47, 0x00, 1); /* Name of domain or workgroup */ - for (i = 0; i < strlen((char *) workgroup); i++) - ntlmv2_response[48 + i * 2] = (unsigned char) workgroup[i]; + for (i = 0; i < strlen((char *)workgroup); i++) + ntlmv2_response[48 + i * 2] = (unsigned char)workgroup[i]; - memset(ntlmv2_response + 48 + iTargetLen, 0, 4); /* End-of-list */ + memset(ntlmv2_response + 48 + iTargetLen, 0, 4); /* End-of-list */ /* --- HMAC #2 Caculations --- */ /* - The challenge from the Type 2 message is concatenated with the blob. The HMAC-MD5 message - authentication code algorithm is applied to this value using the 16-byte NTLMv2 hash - (calculated above) as the key. This results in a 16-byte output value. + The challenge from the Type 2 message is concatenated with the blob. The + HMAC-MD5 message authentication code algorithm is applied to this value + using the 16-byte NTLMv2 hash (calculated above) as the key. This results + in a 16-byte output value. */ hmac_md5_init_limK_to_64(kr_buf, 16, &ctx); 
@@ -652,11 +646,11 @@ int32_t HashNTLMv2(unsigned char **NTLMv2hash, int32_t *iByteCount, unsigned cha */ int32_t HashNTLM(unsigned char **ntlmhash, unsigned char *pass, unsigned char *challenge, char *miscptr) { int32_t ret; - unsigned char hash[16]; /* MD4_SIGNATURE_SIZE = 16 */ + unsigned char hash[16]; /* MD4_SIGNATURE_SIZE = 16 */ unsigned char p21[21]; unsigned char ntlm_response[24]; - ret = MakeNTLM((unsigned char *) &hash, (unsigned char *) pass); + ret = MakeNTLM((unsigned char *)&hash, (unsigned char *)pass); if (ret == -1) hydra_child_exit(0); @@ -678,9 +672,9 @@ int32_t HashNTLM(unsigned char **ntlmhash, unsigned char *pass, unsigned char *c Returns: TRUE on success else FALSE. */ int32_t NBSSessionRequest(int32_t s) { - char nb_name[32]; /* netbiosname */ - char nb_local[32]; /* netbios localredirector */ - unsigned char rqbuf[7] = { 0x81, 0x00, 0x00, 0x44, 0x20, 0x00, 0x20 }; + char nb_name[32]; /* netbiosname */ + char nb_local[32]; /* netbios localredirector */ + unsigned char rqbuf[7] = {0x81, 0x00, 0x00, 0x44, 0x20, 0x00, 0x20}; char *buf; unsigned char rbuf[400]; int32_t k; 
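Review bot: In HashNTLM a failed MakeNTLM leads to `hydra_child_exit(0);`, whereas the sibling helpers HashLMv2 and HashNTLMv2 return -1 for the same failure and let the caller decide; terminating the child with status 0 is hard for the parent to tell apart from a normal completion unless hydra_child_exit treats 0 specially. Returning -1 here as well, `if (ret == -1) return -1;`, would make the three hash functions behave alike and keep the exit-code policy in the module's service function. HashNTLM's body continues outside this hunk.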
@@ -692,31 +686,30 @@ int32_t NBSSessionRequest(int32_t s) { /* convert computer name to netbios name */ memset(nb_name, 0, 32); memset(nb_local, 0, 32); - memcpy(nb_name, "CKFDENECFDEFFCFGEFFCCACACACACACA", 32); /* *SMBSERVER */ - memcpy(nb_local, "EIFJEEFCEBCACACACACACACACACACACA", 32); /* HYDRA */ + memcpy(nb_name, "CKFDENECFDEFFCFGEFFCCACACACACACA", 32); /* *SMBSERVER */ + memcpy(nb_local, "EIFJEEFCEBCACACACACACACACACACACA", 32); /* HYDRA */ - if ((buf = (char *) malloc(100)) == NULL) + if ((buf = (char *)malloc(100)) == NULL) return -1; memset(buf, 0, 100); - memcpy(buf, (char *) rqbuf, 5); + memcpy(buf, (char *)rqbuf, 5); memcpy(buf + 5, nb_name, 32); - memcpy(buf + 37, (char *) rqbuf + 5, 2); + memcpy(buf + 37, (char *)rqbuf + 5, 2); memcpy(buf + 39, nb_local, 32); - memcpy(buf + 71, (char *) rqbuf + 5, 1); + memcpy(buf + 71, (char *)rqbuf + 5, 1); hydra_send(s, buf, 72, 0); free(buf); memset(rbuf, 0, 400); - k = hydra_recv(s, (char *) rbuf, sizeof(rbuf)); + k = hydra_recv(s, (char *)rbuf, sizeof(rbuf)); if (k > 0 && (rbuf[0] == 0x82)) - return 0; /* success */ + return 0; /* success */ else - return -1; /* failed */ + return -1; /* failed */ } - /* SMBNegProt Function: Negotiate protocol with server ... 
@@ -728,61 +721,39 @@ int32_t NBSSessionRequest(int32_t s) { */ int32_t SMBNegProt(int32_t s) { unsigned char buf[] = { - 0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d, - 0x00, 0x00, 0x01, 0x00, 0x00, 0x9b, 0x00, 0x02, - 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, - 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, - 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, - 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, - 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, - 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, - 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, - 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, - 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, - 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, - 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, - 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44, - 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, - 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, - 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, - 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, - 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, - 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, - 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, - 0x32, 0x00 + 0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x7d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x9b, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d, + 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 
0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, + 0x30, 0x30, 0x32, 0x00, 0x02, 0x44, 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 -/* -0x02, - 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, - 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, - 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, - 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, - 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, - 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, - 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, - 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, - 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, - 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, - 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, - 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x53, - 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, - 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, - 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, - 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 -*/ + /* + 0x02, + 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, + 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, + 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, + 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, + 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, + 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, + 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, + 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, + 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, + 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, + 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, + 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x53, + 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, + 0x20, 0x4c, 
0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, + 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, + 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00 + */ }; unsigned char rbuf[400]; unsigned char sess_key[2]; - unsigned char userid[2] = { 0xCD, 0xEF }; + unsigned char userid[2] = {0xCD, 0xEF}; int32_t i = 0, j = 0, k; int32_t iLength = 194; int32_t iResponseOffset = 73; - memset((char *) rbuf, 0, 400); + memset((char *)rbuf, 0, 400); /* set session key */ sess_key[1] = getpid() / 100; @@ -793,24 +764,24 @@ int32_t SMBNegProt(int32_t s) { if (smb_auth_mechanism == AUTH_LM) { if (verbose) hydra_report(stderr, "[VERBOSE] Setting Negotiate Protocol Response for LM.\n"); - buf[3] = 0xA3; // Set message length - buf[37] = 0x80; // Set byte count for dialects + buf[3] = 0xA3; // Set message length + buf[37] = 0x80; // Set byte count for dialects iLength = 167; iResponseOffset = 65; } - - hydra_send(s, (char *) buf, iLength, 0); - k = hydra_recv(s, (char *) rbuf, sizeof(rbuf)); + hydra_send(s, (char *)buf, iLength, 0); + k = hydra_recv(s, (char *)rbuf, sizeof(rbuf)); if (k == 0) return 3; /* retrieve the security mode */ /* - [0] Mode: (0) ? (1) USER security mode - [1] Password: (0) PLAINTEXT password (1) ENCRYPTED password. Use challenge/response - [2] Signatures: (0) Security signatures NOT enabled (1) ENABLED - [3] Sig Req: (0) Security signatures NOT required (1) REQUIRED + [0] Mode: (0) ? (1) USER security + mode [1] Password: (0) PLAINTEXT password (1) ENCRYPTED + password. Use challenge/response [2] Signatures: (0) Security signatures + NOT enabled (1) ENABLED [3] Sig Req: (0) Security signatures NOT + required (1) REQUIRED SAMBA: 0x01 (default) WinXP: 0x0F (default) 
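Review bot: The dialect table in `buf[]` has been reflowed into a few very long lines, and the old commented-out copy of the list is still carried along (now re-indented) instead of being deleted; the same reflow turns the header byte tables in the -908 and -990 hunks into one byte per line and detaches comments such as `/* Flags2 */ /* add Unicode */` from the bytes they describe. Wrapping these protocol tables in `// clang-format off` / `// clang-format on` keeps the per-field layout, and dropping the dead commented list removes text that nothing compiles. SMBNegProt continues past the end of the hunk.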
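Review bot: `if (k == 0) return 3;` only rejects an empty reply; a short or failed receive still falls through to `switch (rbuf[39])` and to the challenge copy at `rbuf + iResponseOffset`, which then parse the zeroed buffer as if it were a real response (rbuf is memset to 0 above, so this is a misparse rather than an out-of-bounds read). Checking the received length against what is read, e.g. `if (k < iResponseOffset + 8) return 3;` (the offset the later domain read starts from), also covers a negative error return if hydra_recv can produce one. The security-mode table in the comment below lost its one-entry-per-line layout in the reflow; restoring it, or protecting it with `// clang-format off`, would keep it readable. The function continues past the end of the hunk.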
@@ -818,25 +789,28 @@ int32_t SMBNegProt(int32_t s) { */ switch (rbuf[39]) { case 0x01: - //real plaintext should be used with LM auth + // real plaintext should be used with LM auth if (verbose) hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password.\n"); security_mode = PLAINTEXT; if (hashFlag == 1) { if (verbose) - hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. HASH password mode not supported for this configuration.\n"); + hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. HASH " + "password mode not supported for this configuration.\n"); return 3; } if (hashFlag == 2) { if (verbose) - hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. MACHINE password mode not supported for this configuration.\n"); + hydra_report(stderr, "[VERBOSE] Server requested PLAINTEXT password. MACHINE " + "password mode not supported for this configuration.\n"); return 3; } break; case 0x03: if (verbose) - hydra_report(stderr, "[VERBOSE] Server requested ENCRYPTED password without security signatures.\n"); + hydra_report(stderr, "[VERBOSE] Server requested ENCRYPTED password " + "without security signatures.\n"); security_mode = ENCRYPTED; break; case 0x07: 
@@ -847,20 +821,23 @@ int32_t SMBNegProt(int32_t s) { break; default: if (verbose) - hydra_report(stderr, "[VERBOSE] Unknown security mode request: %2.2X. Proceeding using ENCRYPTED password mode.\n", rbuf[39]); + hydra_report(stderr, + "[VERBOSE] Unknown security mode request: %2.2X. Proceeding " + "using ENCRYPTED password mode.\n", + rbuf[39]); security_mode = ENCRYPTED; break; } /* Retrieve the challenge */ - memcpy(challenge, (char *) rbuf + iResponseOffset, sizeof(challenge)); + memcpy(challenge, (char *)rbuf + iResponseOffset, sizeof(challenge)); /* Find the primary domain/workgroup name */ memset(workgroup, 0, 16); memset(machine_name, 0, 16); - //seems using LM only the domain is returned not the server - //and the domain is not padded with null chars + // seems using LM only the domain is returned not the server + // and the domain is not padded with null chars if (smb_auth_mechanism == AUTH_LM) { while ((rbuf[iResponseOffset + 8 + i] != 0) && (i < 16)) { workgroup[i] = rbuf[iResponseOffset + 8 + i]; @@ -882,12 +859,10 @@ int32_t SMBNegProt(int32_t s) { hydra_report(stderr, "[VERBOSE] Server machine name: %s\n", machine_name); hydra_report(stderr, "[VERBOSE] Server primary domain: %s\n", workgroup); } - //success + // success return 2; } - - /* SMBSessionSetup Function: Send username + response to the challenge from @@ -900,7 +875,7 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * unsigned char *NTLMv2hash = NULL; unsigned char *NTLMhash = NULL; unsigned char *LMhash = NULL; -// unsigned char unicodeLogin[32 * 2]; + // unsigned char unicodeLogin[32 * 2]; int32_t j; char bufReceive[512]; int32_t nReceiveBufferSize = 0; 
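Review bot: The LM branch copies up to 16 bytes into workgroup via `while ((rbuf[iResponseOffset + 8 + i] != 0) && (i < 16))`, which leaves no NUL terminator when the server sends 16 non-zero bytes, and workgroup is later passed to strlen() in SMBSessionSetup. Bounding the loop at `i < 15` (or `sizeof(workgroup) - 1`, if workgroup is the 16-byte array that `memset(workgroup, 0, 16)` suggests) keeps the terminator. SMBNegProt's body continues outside the hunk.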
@@ -908,37 +883,58 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * int32_t iByteCount = 0, iOffset = 0; if (accntFlag == 0) { - strcpy((char *) workgroup, "localhost"); + strcpy((char *)workgroup, "localhost"); } else if (accntFlag == 2) { memset(workgroup, 0, 16); } - //domain flag is not needed here, it will be auto set, - //below it's domain specified on cmd line + // domain flag is not needed here, it will be auto set, + // below it's domain specified on cmd line else if (accntFlag == 4) { - strncpy((char *) workgroup, (char *) domain, 16); + strncpy((char *)workgroup, (char *)domain, 16); } /* NetBIOS Session Service */ unsigned char szNBSS[4] = { - 0x00, /* Message Type: Session Message */ - 0x00, 0x00, 0x85 /* Length -- MUST SET */ + 0x00, /* Message Type: Session Message */ + 0x00, 0x00, 0x85 /* Length -- MUST SET */ }; /* SMB Header */ unsigned char szSMB[32] = { - 0xff, 0x53, 0x4d, 0x42, /* Server Component */ - 0x73, /* SMB Command: Session Setup AndX */ - 0x00, 0x00, 0x00, 0x00, /* NT Status: STATUS_SUCCESS */ - 0x08, /* Flags */ - 0x01, 0xc0, /* Flags2 */ /* add Unicode */ - 0x00, 0x00, /* Process ID High */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Signature */ - 0x00, 0x00, /* Reserved */ - 0x00, 0x00, /* Tree ID */ - 0x13, 0x37, /* Process ID */ - 0x00, 0x00, /* User ID */ - 0x01, 0x00 /* Multiplx ID */ + 0xff, + 0x53, + 0x4d, + 0x42, /* Server Component */ + 0x73, /* SMB Command: Session Setup AndX */ + 0x00, + 0x00, + 0x00, + 0x00, /* NT Status: STATUS_SUCCESS */ + 0x08, /* Flags */ + 0x01, + 0xc0, + /* Flags2 */ /* add Unicode */ + 0x00, + 0x00, /* Process ID High */ + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, /* Signature */ + 0x00, + 0x00, /* Reserved */ + 0x00, + 0x00, /* Tree ID */ + 0x13, + 0x37, /* Process ID */ + 0x00, + 0x00, /* User ID */ + 0x01, + 0x00 /* Multiplx ID */ }; memset(buf, 0, 512); 
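Review bot: `strncpy((char *)workgroup, (char *)domain, 16);` does not guarantee a terminator: when domain holds 16 or more characters workgroup fills completely and the later `strlen((char *)workgroup)` in this function reads past it. Copying one byte less and terminating explicitly, as service_smb already does for domain, fixes it: `strncpy((char *)workgroup, (char *)domain, sizeof(workgroup) - 1); workgroup[sizeof(workgroup) - 1] = 0;` (assuming workgroup is the 16-byte array the surrounding memset implies; its declaration is outside the hunk). SMBSessionSetup continues past both ends of the hunk.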
@@ -952,31 +948,31 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * hydra_report(stderr, "[VERBOSE] Attempting LM password authentication.\n"); unsigned char szSessionRequest[23] = { - 0x0a, /* Word Count */ - 0xff, /* AndXCommand: No further commands */ - 0x00, /* Reserved */ - 0x00, 0x00, /* AndXOffset */ - 0xff, 0xff, /* Max Buffer */ - 0x02, 0x00, /* Max Mpx Count */ - 0x3c, 0x7d, /* VC Number */ - 0x00, 0x00, 0x00, 0x00, /* Session Key */ - 0x18, 0x00, /* LAN Manager Password Hash Length */ - 0x00, 0x00, 0x00, 0x00, /* Reserved */ - 0x49, 0x00 /* Byte Count -- MUST SET */ + 0x0a, /* Word Count */ + 0xff, /* AndXCommand: No further commands */ + 0x00, /* Reserved */ + 0x00, 0x00, /* AndXOffset */ + 0xff, 0xff, /* Max Buffer */ + 0x02, 0x00, /* Max Mpx Count */ + 0x3c, 0x7d, /* VC Number */ + 0x00, 0x00, 0x00, 0x00, /* Session Key */ + 0x18, 0x00, /* LAN Manager Password Hash Length */ + 0x00, 0x00, 0x00, 0x00, /* Reserved */ + 0x49, 0x00 /* Byte Count -- MUST SET */ }; - iOffset = 59; /* szNBSS + szSMB + szSessionRequest */ - iByteCount = 24; /* Start with length of LM hash */ + iOffset = 59; /* szNBSS + szSMB + szSessionRequest */ + iByteCount = 24; /* Start with length of LM hash */ /* Set Session Setup AndX Request header information */ memcpy(buf + 36, szSessionRequest, 23); /* Calculate and set LAN Manager password hash */ - if ((LMhash = (unsigned char *) malloc(24)) == NULL) + if ((LMhash = (unsigned char *)malloc(24)) == NULL) return -1; memset(LMhash, 0, 24); - ret = HashLM(&LMhash, (unsigned char *) szPassword, (unsigned char *) challenge); + ret = HashLM(&LMhash, (unsigned char *)szPassword, (unsigned char *)challenge); if (ret == -1) { free(LMhash); return -1; 
@@ -990,34 +986,52 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * hydra_report(stderr, "[VERBOSE] Attempting NTLM password authentication.\n"); unsigned char szSessionRequest[29] = { - 0x0d, /* Word Count */ - 0xff, /* AndXCommand: No further commands */ - 0x00, /* Reserved */ - 0x00, 0x00, /* AndXOffset */ - 0xff, 0xff, /* Max Buffer */ - 0x02, 0x00, /* Max Mpx Count */ - 0x3c, 0x7d, /* VC Number */ - 0x00, 0x00, 0x00, 0x00, /* Session Key */ - 0x18, 0x00, /* LAN Manager Password Hash Length */ - 0x18, 0x00, /* NT LAN Manager Password Hash Length */ - 0x00, 0x00, 0x00, 0x00, /* Reserved */ - 0x5c, 0x00, 0x00, 0x00, /* Capabilities */ /* Add Unicode */ - 0x49, 0x00 /* Byte Count -- MUST SET */ + 0x0d, /* Word Count */ + 0xff, /* AndXCommand: No further commands */ + 0x00, /* Reserved */ + 0x00, + 0x00, /* AndXOffset */ + 0xff, + 0xff, /* Max Buffer */ + 0x02, + 0x00, /* Max Mpx Count */ + 0x3c, + 0x7d, /* VC Number */ + 0x00, + 0x00, + 0x00, + 0x00, /* Session Key */ + 0x18, + 0x00, /* LAN Manager Password Hash Length */ + 0x18, + 0x00, /* NT LAN Manager Password Hash Length */ + 0x00, + 0x00, + 0x00, + 0x00, /* Reserved */ + 0x5c, + 0x00, + 0x00, + 0x00, + /* Capabilities */ /* Add Unicode */ + 0x49, + 0x00 /* Byte Count -- MUST SET */ }; - iOffset = 65; /* szNBSS + szSMB + szSessionRequest */ - iByteCount = 48; /* Start with length of NTLM and LM hashes */ + iOffset = 65; /* szNBSS + szSMB + szSessionRequest */ + iByteCount = 48; /* Start with length of NTLM and LM hashes */ /* Set Session Setup AndX Request header information */ memcpy(buf + 36, szSessionRequest, 29); /* Calculate and set NTLM password hash */ - if ((NTLMhash = (unsigned char *) malloc(24)) == NULL) + if ((NTLMhash = (unsigned char *)malloc(24)) == NULL) return -1; memset(NTLMhash, 0, 24); - /* We don't need to actually calculated a LM hash for this mode, only NTLM */ - ret = HashNTLM(&NTLMhash, (unsigned char *) szPassword, (unsigned char *) challenge, 
miscptr); + /* We don't need to actually calculated a LM hash for this mode, only NTLM + */ + ret = HashNTLM(&NTLMhash, (unsigned char *)szPassword, (unsigned char *)challenge, miscptr); if (ret == -1) return -1; 
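Review bot: The NTLM branch returns on `if (ret == -1) return -1;` without releasing NTLMhash, while the LM branch above frees LMhash before returning on the same condition; `if (ret == -1) { free(NTLMhash); return -1; }` would make the two branches consistent. Note that HashNTLM currently calls hydra_child_exit(0) on failure (see the -652 hunk), so this path is only reachable if that changes. The function continues outside the hunk.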
@@ -1028,33 +1042,33 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * hydra_report(stderr, "[VERBOSE] Attempting LMv2 password authentication.\n"); unsigned char szSessionRequest[29] = { - 0x0d, /* Word Count */ - 0xff, /* AndXCommand: No further commands */ - 0x00, /* Reserved */ - 0x00, 0x00, /* AndXOffset */ - 0xff, 0xff, /* Max Buffer */ - 0x02, 0x00, /* Max Mpx Count */ - 0x3c, 0x7d, /* VC Number */ - 0x00, 0x00, 0x00, 0x00, /* Session Key */ - 0x18, 0x00, /* LAN Manager Password Hash Length */ - 0x00, 0x00, /* NT LAN Manager Password Hash Length */ - 0x00, 0x00, 0x00, 0x00, /* Reserved */ - 0x50, 0x00, 0x00, 0x00, /* Capabilities */ - 0x49, 0x00 /* Byte Count -- MUST SET */ + 0x0d, /* Word Count */ + 0xff, /* AndXCommand: No further commands */ + 0x00, /* Reserved */ + 0x00, 0x00, /* AndXOffset */ + 0xff, 0xff, /* Max Buffer */ + 0x02, 0x00, /* Max Mpx Count */ + 0x3c, 0x7d, /* VC Number */ + 0x00, 0x00, 0x00, 0x00, /* Session Key */ + 0x18, 0x00, /* LAN Manager Password Hash Length */ + 0x00, 0x00, /* NT LAN Manager Password Hash Length */ + 0x00, 0x00, 0x00, 0x00, /* Reserved */ + 0x50, 0x00, 0x00, 0x00, /* Capabilities */ + 0x49, 0x00 /* Byte Count -- MUST SET */ }; - iOffset = 65; /* szNBSS + szSMB + szSessionRequest */ - iByteCount = 24; /* Start with length of LMv2 response */ + iOffset = 65; /* szNBSS + szSMB + szSessionRequest */ + iByteCount = 24; /* Start with length of LMv2 response */ /* Set Session Setup AndX Request header information */ memcpy(buf + 36, szSessionRequest, 29); /* Calculate and set LMv2 response hash */ - if ((LMv2hash = (unsigned char *) malloc(24)) == NULL) + if ((LMv2hash = (unsigned char *)malloc(24)) == NULL) return -1; memset(LMv2hash, 0, 24); - ret = HashLMv2(&LMv2hash, (unsigned char *) szLogin, (unsigned char *) szPassword); + ret = HashLMv2(&LMv2hash, (unsigned char *)szLogin, (unsigned char *)szPassword); if (ret == -1) { free(LMv2hash); return -1; 
@@ -1067,28 +1081,28 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * hydra_report(stderr, "[VERBOSE] Attempting LMv2/NTLMv2 password authentication.\n"); unsigned char szSessionRequest[29] = { - 0x0d, /* Word Count */ - 0xff, /* AndXCommand: No further commands */ - 0x00, /* Reserved */ - 0x00, 0x00, /* AndXOffset */ - 0xff, 0xff, /* Max Buffer */ - 0x02, 0x00, /* Max Mpx Count */ - 0x3c, 0x7d, /* VC Number */ - 0x00, 0x00, 0x00, 0x00, /* Session Key */ - 0x18, 0x00, /* LMv2 Response Hash Length */ - 0x4b, 0x00, /* NTLMv2 Response Hash Length -- MUST SET */ - 0x00, 0x00, 0x00, 0x00, /* Reserved */ - 0x50, 0x00, 0x00, 0x00, /* Capabilities */ - 0x49, 0x00 /* Byte Count -- MUST SET */ + 0x0d, /* Word Count */ + 0xff, /* AndXCommand: No further commands */ + 0x00, /* Reserved */ + 0x00, 0x00, /* AndXOffset */ + 0xff, 0xff, /* Max Buffer */ + 0x02, 0x00, /* Max Mpx Count */ + 0x3c, 0x7d, /* VC Number */ + 0x00, 0x00, 0x00, 0x00, /* Session Key */ + 0x18, 0x00, /* LMv2 Response Hash Length */ + 0x4b, 0x00, /* NTLMv2 Response Hash Length -- MUST SET */ + 0x00, 0x00, 0x00, 0x00, /* Reserved */ + 0x50, 0x00, 0x00, 0x00, /* Capabilities */ + 0x49, 0x00 /* Byte Count -- MUST SET */ }; - iOffset = 65; /* szNBSS + szSMB + szSessionRequest */ + iOffset = 65; /* szNBSS + szSMB + szSessionRequest */ /* Set Session Setup AndX Request header information */ memcpy(buf + 36, szSessionRequest, 29); /* Calculate and set LMv2 response hash */ - ret = HashLMv2(&LMv2hash, (unsigned char *) szLogin, (unsigned char *) szPassword); + ret = HashLMv2(&LMv2hash, (unsigned char *)szLogin, (unsigned char *)szPassword); if (ret == -1) return -1; 
@@ -1096,7 +1110,7 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * free(LMv2hash); /* Calculate and set NTLMv2 response hash */ - ret = HashNTLMv2(&NTLMv2hash, &iByteCount, (unsigned char *) szLogin, (unsigned char *) szPassword); + ret = HashNTLMv2(&NTLMv2hash, &iByteCount, (unsigned char *)szLogin, (unsigned char *)szPassword); if (ret == -1) return -1; 
@@ -1108,71 +1122,75 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * memcpy(buf + iOffset + 24, NTLMv2hash, iByteCount); free(NTLMv2hash); - iByteCount += 24; /* Reflects length of both LMv2 and NTLMv2 responses */ + iByteCount += 24; /* Reflects length of both LMv2 and NTLMv2 responses */ } } else if (security_mode == PLAINTEXT) { if (verbose) hydra_report(stderr, "[VERBOSE] Attempting PLAINTEXT password authentication.\n"); unsigned char szSessionRequest[23] = { - 0x0a, /* Word Count */ - 0xff, /* AndXCommand: No further commands */ - 0x00, /* Reserved */ - 0x00, 0x00, /* AndXOffset */ - 0xff, 0xff, /* Max Buffer */ - 0x02, 0x00, /* Max Mpx Count */ - 0x3c, 0x7d, /* VC Number */ - 0x00, 0x00, 0x00, 0x00, /* Session Key */ - 0x00, 0x00, /* Password Length -- MUST SET */ - 0x00, 0x00, 0x00, 0x00, /* Reserved */ - 0x49, 0x00 /* Byte Count -- MUST SET */ + 0x0a, /* Word Count */ + 0xff, /* AndXCommand: No further commands */ + 0x00, /* Reserved */ + 0x00, 0x00, /* AndXOffset */ + 0xff, 0xff, /* Max Buffer */ + 0x02, 0x00, /* Max Mpx Count */ + 0x3c, 0x7d, /* VC Number */ + 0x00, 0x00, 0x00, 0x00, /* Session Key */ + 0x00, 0x00, /* Password Length -- MUST SET */ + 0x00, 0x00, 0x00, 0x00, /* Reserved */ + 0x49, 0x00 /* Byte Count -- MUST SET */ }; - iOffset = 59; /* szNBSS + szSMB + szSessionRequest */ + iOffset = 59; /* szNBSS + szSMB + szSessionRequest */ /* Set Session Setup AndX Request header information */ memcpy(buf + 36, szSessionRequest, 23); /* Calculate and set password length */ - /* Samba appears to append NULL characters equal to the password length plus 2 */ - //iByteCount = 2 * strlen(szPassword) + 2; + /* Samba appears to append NULL characters equal to the password length plus + * 2 */ + // iByteCount = 2 * strlen(szPassword) + 2; iByteCount = strlen(szPassword) + 1; buf[iOffset - 8] = (iByteCount) % 256; buf[iOffset - 7] = (iByteCount) / 256; /* set ANSI password */ /* - Depending on the SAMBA server configuration, 
multiple passwords may be successful - when dealing with mixed-case values. The SAMBA parameter "password level" appears - to determine how many characters within a password are tested by the server both - upper and lower case. For example, assume a SAMBA account has a password of "Fred" - and the server is configured with "password level = 2". Medusa sends the password - "FRED". The SAMBA server will brute-force test this value for us with values - like: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ... The default setting - is "password level = 0". This results in only two attempts to being made by the - remote server; the password as is and the password in all-lower case. + Depending on the SAMBA server configuration, multiple passwords may be + successful when dealing with mixed-case values. The SAMBA parameter + "password level" appears to determine how many characters within a + password are tested by the server both upper and lower case. For example, + assume a SAMBA account has a password of "Fred" and the server is + configured with "password level = 2". Medusa sends the password "FRED". + The SAMBA server will brute-force test this value for us with values + like: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ... The default + setting is "password level = 0". This results in only two attempts to + being made by the remote server; the password as is and the password in + all-lower case. */ - strncpy((char *) (buf + iOffset), szPassword, 256); + strncpy((char *)(buf + iOffset), szPassword, 256); } else { - hydra_report(stderr, "[ERROR] Security_mode was not properly set. This should not happen.\n"); + hydra_report(stderr, "[ERROR] Security_mode was not properly set. 
This " + "should not happen.\n"); return -1; } /* Set account and workgroup values */ - j = UTF8_UTF16LE((unsigned char *) szLogin, strlen(szLogin), buf + iOffset + iByteCount+1, 2*strlen(szLogin)); - iByteCount += j +3; /* NULL pad account name */ - j = UTF8_UTF16LE(workgroup, strlen((char *) workgroup), buf+iOffset+iByteCount, 2*strlen((char *) workgroup)); - iByteCount += j+2; // NULL pad workgroup name + j = UTF8_UTF16LE((unsigned char *)szLogin, strlen(szLogin), buf + iOffset + iByteCount + 1, 2 * strlen(szLogin)); + iByteCount += j + 3; /* NULL pad account name */ + j = UTF8_UTF16LE(workgroup, strlen((char *)workgroup), buf + iOffset + iByteCount, 2 * strlen((char *)workgroup)); + iByteCount += j + 2; // NULL pad workgroup name /* Set native OS and LAN Manager values */ char *szOSName = "Unix"; - j = UTF8_UTF16LE((unsigned char *) szOSName, strlen(szOSName), buf+iOffset+iByteCount, 2*sizeof(szOSName)); - iByteCount += j+2; // NULL terminated + j = UTF8_UTF16LE((unsigned char *)szOSName, strlen(szOSName), buf + iOffset + iByteCount, 2 * sizeof(szOSName)); + iByteCount += j + 2; // NULL terminated char *szLANMANName = "Samba"; - j = UTF8_UTF16LE((unsigned char *) szLANMANName, strlen(szLANMANName), buf+iOffset+iByteCount, 2*sizeof(szLANMANName)); - iByteCount += j+2; // NULL terminated + j = UTF8_UTF16LE((unsigned char *)szLANMANName, strlen(szLANMANName), buf + iOffset + iByteCount, 2 * sizeof(szLANMANName)); + iByteCount += j + 2; // NULL terminated /* Set the header length */ buf[2] = (iOffset - 4 + iByteCount) / 256; @@ -1186,7 +1204,7 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * if (verbose) hydra_report(stderr, "[VERBOSE] Set byte count: %2.2X\n", buf[57]); - hydra_send(s, (char *) buf, iOffset + iByteCount, 0); + hydra_send(s, (char *)buf, iOffset + iByteCount, 0); nReceiveBufferSize = hydra_recv(s, bufReceive, sizeof(bufReceive)); if (/*(bufReceive == NULL) ||*/ (nReceiveBufferSize == 0)) 
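Review bot: `2 * sizeof(szOSName)` and `2 * sizeof(szLANMANName)` pass twice the size of a `char *` as the destination capacity, not twice the string length; for "Samba" (10 UTF-16 bytes) that is 8 bytes on a 32-bit build, so the LANMAN field could be truncated there while appearing to work on 64-bit, if UTF8_UTF16LE honours that limit. The two calls just above use `2 * strlen(...)`; changing these to `2 * strlen(szOSName)` and `2 * strlen(szLANMANName)` makes all four consistent. The function continues outside the hunk.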
@@ -1197,7 +1215,7 @@ unsigned long SMBSessionSetup(int32_t s, char *szLogin, char *szPassword, char * return (((bufReceive[41] & 0x01) << 24) | ((bufReceive[11] & 0xFF) << 16) | ((bufReceive[10] & 0xFF) << 8) | (bufReceive[9] & 0xFF)); } -int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; int32_t SMBerr, SMBaction; 
@@ -1212,86 +1230,103 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; - strcpy(ipaddr_str, hydra_address2string(ip)); + strncpy(ipaddr_str, hydra_address2string(ip), sizeof(ipaddr_str) - 1); SMBSessionRet = SMBSessionSetup(s, login, pass, miscptr); if (SMBSessionRet == -1) return 3; - SMBerr = (unsigned long) SMBSessionRet & 0x00FFFFFF; - SMBaction = ((unsigned long) SMBSessionRet & 0xFF000000) >> 24; + SMBerr = (unsigned long)SMBSessionRet & 0x00FFFFFF; + SMBaction = ((unsigned long)SMBSessionRet & 0xFF000000) >> 24; if (verbose) - hydra_report(stderr, "[VERBOSE] SMBSessionRet: %8.8X SMBerr: %4.4X SMBaction: %2.2X\n", (uint32_t) SMBSessionRet, SMBerr, SMBaction); + hydra_report(stderr, "[VERBOSE] SMBSessionRet: %8.8X SMBerr: %4.4X SMBaction: %2.2X\n", (uint32_t)SMBSessionRet, SMBerr, SMBaction); /* some error code are available here: http://msdn.microsoft.com/en-us/library/ee441884(v=prot.13).aspx */ - if (SMBerr == 0x000000) { /* success */ - if (SMBaction == 0x01) { /* invalid account - anonymous connection */ - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: Invalid account (Anonymous success)\n", port, ipaddr_str, login); + if (SMBerr == 0x000000) { /* success */ + if (SMBaction == 0x01) { /* invalid account - anonymous connection */ + fprintf(stderr, + "[%d][smb] Host: %s Account: %s Error: Invalid account " + "(Anonymous success)\n", + port, ipaddr_str, login); hydra_completed_pair_skip(); - } else { /* valid account */ + } else { /* valid account */ hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); } } else if ((SMBerr == 0x00000D) && (SMBaction == 0x00)) { - hydra_report(stderr, "[ERROR] Invalid parameter status received, either the account or the method used are not valid\n"); + hydra_report(stderr, "[ERROR] Invalid parameter status received, either " + "the account or the method used are not valid\n"); 
hydra_completed_pair_skip(); - } else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote Connections Using NULL Passwords */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, GPO Disabling Remote Connections Using NULL Passwords\n"); + } else if (SMBerr == 0x00006E) { /* Valid password, GPO Disabling Remote + Connections Using NULL Passwords */ + hydra_report(stdout, + "[%d][smb] Host: %s Account: %s Valid password, GPO Disabling " + "Remote Connections Using NULL Passwords\n", + port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); - } else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this computer from the network" */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, GPO Deny access to this computer from the network\n"); + } else if (SMBerr == 0x00015B) { /* Valid password, GPO "Deny access to this + computer from the network" */ + hydra_report(stdout, + "[%d][smb] Host: %s Account: %s Valid password, GPO Deny " + "access to this computer from the network\n", + port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); - } else if (SMBerr == 0x000193) { /* Valid password, account expired */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, account expired\n"); + } else if (SMBerr == 0x000193) { /* Valid password, account expired */ + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, account expired\n", port, ipaddr_str, login); + hydra_report_found_host(port, ip, "smb", fp); + hydra_completed_pair_skip(); + } else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, password expired */ + hydra_report(stdout, + "[%d][smb] Host: %s Account: %s Valid password, password " + "expired and must be changed on next logon\n", + port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); - } else if ((SMBerr == 0x000224) || 
(SMBerr == 0xC20002)) { /* Valid password, account expired */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, password expired and must be changed on next logon\n"); + } else if ((SMBerr == 0x00006F) || (SMBerr == 0xC10002)) { /* Invalid logon hours */ + hydra_report(stdout, + "[%d][smb] Host: %s Account: %s Valid password, but logon " + "hours invalid\n", + port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp); hydra_completed_pair_found(); - } else if ((SMBerr == 0x00006F) || (SMBerr == 0xC10002)) { /* Invalid logon hours */ - if (verbose) - hydra_report(stderr, "[VERBOSE] Valid password, but logon hours invalid\n"); - hydra_report_found_host(port, ip, "smb", fp); - hydra_completed_pair_found(); - } else if (SMBerr == 0x050001) { /* AS/400 -- Incorrect password */ - if (verbose) - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: Incorrect password or account disabled\n", port, ipaddr_str, login); + } else if (SMBerr == 0x050001) { /* AS/400 -- Incorrect password */ + hydra_report(stdout, + "[%d][smb] Host: %s Account: %s Error: Incorrect password or " + "account disabled\n", + port, ipaddr_str, login); if ((miscptr) && (strstr(miscptr, "LM"))) hydra_report(stderr, "[INFO] LM dialect may be disabled, try LMV2 instead\n"); hydra_completed_pair_skip(); - } else if (SMBerr == 0x000024) { /* change password on next login [success] */ - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login); + } else if (SMBerr == 0x000024) { /* change password on next login [success] */ + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Information: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login); hydra_completed_pair_found(); - } else if (SMBerr == 0x00006D) { /* STATUS_LOGON_FAILURE */ + } else if (SMBerr == 0x00006D) { /* STATUS_LOGON_FAILURE */ hydra_completed_pair(); - } else if (SMBerr == 0x000071) { /* password expired */ - if (verbose) - fprintf(stderr, "[%d][smb] Host: %s 
Account: %s Error: PASSWORD EXPIRED\n", port, ipaddr_str, login); - hydra_completed_pair_skip(); - } else if ((SMBerr == 0x000072) || (SMBerr == 0xBF0002)) { /* account disabled *//* BF0002 on w2k */ + } else if (SMBerr == 0x000071) { /* password expired */ + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Information: PASSWORD EXPIRED\n", port, ipaddr_str, login); + hydra_completed_pair_found(); + } else if ((SMBerr == 0x000072) || (SMBerr == 0xBF0002)) { /* account disabled */ /* BF0002 on w2k */ if (verbose) fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_DISABLED\n", port, ipaddr_str, login); hydra_completed_pair_skip(); - } else if (SMBerr == 0x000034 || SMBerr == 0x000234) { /* account locked out */ + } else if (SMBerr == 0x000034 || SMBerr == 0x000234) { /* account locked out */ if (verbose) fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_LOCKED\n", port, ipaddr_str, login); hydra_completed_pair_skip(); - } else if (SMBerr == 0x00008D) { /* ummm... broken client-domain membership */ + } else if (SMBerr == 0x00008D) { /* ummm... broken client-domain membership */ if (verbose) - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE\n", port, ipaddr_str, login); + fprintf(stderr, + "[%d][smb] Host: %s Account: %s Error: " + "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE\n", + port, ipaddr_str, login); hydra_completed_pair(); - } else { /* failed */ + } else { /* failed */ if (verbose) fprintf(stderr, "[%d][smb] Host: %s Account: %s Unknown Error: %6.6X\n", port, ipaddr_str, login, SMBerr); hydra_completed_pair(); 
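Review bot: `strncpy(ipaddr_str, hydra_address2string(ip), sizeof(ipaddr_str) - 1);` bounds the copy but does not guarantee a terminator; ipaddr_str's declaration is outside the hunk, so unless it is zero-initialised storage add `ipaddr_str[sizeof(ipaddr_str) - 1] = 0;` after it, as service_smb does for domain. Separately, the 0x000071 and 0x000024 branches now call hydra_completed_pair_found() without hydra_report_found_host(), while every other found branch reports the host first, and the 0x000193 branch reports the host and then calls hydra_completed_pair_skip(). If these asymmetries are intended, a one-line comment on each branch saying why would stop the next reader from "fixing" them. start_smb continues past both ends of the hunk.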
@@ -1303,30 +1338,30 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char return 1; } -void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; - //default is both (local and domain) checks and normal passwd - accntFlag = 2; //BOTH - hashFlag = 0; //PASS + // default is both (local and domain) checks and normal passwd + accntFlag = 2; // BOTH + hashFlag = 0; // PASS smb_auth_mechanism = AUTH_NTLM; if (miscptr) { - //check group + // check group strupper(miscptr); if (strstr(miscptr, "OTHER_DOMAIN:") != NULL) { char *tmpdom; int32_t err = 0; - accntFlag = 4; //OTHER DOMAIN + accntFlag = 4; // OTHER DOMAIN tmpdom = strstr(miscptr, "OTHER_DOMAIN:"); tmpdom = tmpdom + strlen("OTHER_DOMAIN:"); if (tmpdom) { - //split the string after the domain if there are other values + // split the string after the domain if there are other values strtok(tmpdom, " "); if (tmpdom) { - strncpy((char *) domain, (char *) tmpdom, sizeof(domain) - 1); + strncpy((char *)domain, (char *)tmpdom, sizeof(domain) - 1); domain[sizeof(domain) - 1] = 0; } else { err = 1; @@ -1341,17 +1376,17 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL accntFlag = 2; } } else if (strstr(miscptr, "LOCAL") != NULL) { - accntFlag = 0; //LOCAL + accntFlag = 0; // LOCAL } else if (strstr(miscptr, "DOMAIN") != NULL) { - accntFlag = 1; //DOMAIN + accntFlag = 1; // DOMAIN } - //check pass + // check pass if (strstr(miscptr, "HASH") != NULL) { hashFlag = 1; } else if (strstr(miscptr, "MACHINE") != NULL) { hashFlag = 2; } - //check auth + // check auth if (strstr(miscptr, "NTLMV2") != NULL) { smb_auth_mechanism = AUTH_NTLMv2; } else if (strstr(miscptr, "NTLM") != NULL) { 
@@ -1372,10 +1407,10 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; for (;;) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if (port != 0) { sock = hydra_connect_tcp(ip, port); @@ -1394,14 +1429,16 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL port = PORT_SMBNT; protoFlag = WIN2000_NATIVEMODE; } else { - hydra_report(stderr, "Failed to establish WIN2000_NATIVE mode. Attempting WIN_NETBIOS mode.\n"); + hydra_report(stderr, "Failed to establish WIN2000_NATIVE mode. " + "Attempting WIN_NETBIOS mode.\n"); port = PORT_SMB; protoFlag = WIN_NETBIOSMODE; sock = hydra_connect_tcp(ip, PORT_SMB); } } if (sock < 0) { - if (quiet != 1) fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + if (quiet != 1) + fprintf(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } if (NBSSessionRequest(sock) < 0) { @@ -1410,10 +1447,10 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } next_run = SMBNegProt(sock); break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_smb(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -1427,51 +1464,27 @@ void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } #endif -int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here time_t ctime; int ready = 0, sock = hydra_connect_tcp(ip, port); - unsigned char buf[] = { - 0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02, - 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, - 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, - 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, - 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, - 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, - 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, - 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, - 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, - 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, - 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, - 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, - 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x44, - 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, - 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, - 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, - 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, - 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, - 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, - 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, - 0x32, 0x00 }; + unsigned char buf[] = 
{0x00, 0x00, 0x00, 0xbe, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x43, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4d, + 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, + 0x30, 0x30, 0x32, 0x00, 0x02, 0x44, 0x4f, 0x53, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00}; - if (sock < 0) { fprintf(stderr, "[ERROR] could not connect to target smb://%s:%d/\n", hostname, port); return -1; } - + if (send(sock, buf, sizeof(buf), 0) < 0) { fprintf(stderr, "[ERROR] unable to send to target smb://%s:%d/\n", hostname, port); return -1; 
@@ -1480,35 +1493,39 @@ int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *misc ctime = time(NULL); do { usleepn(300); - } while ((ready = hydra_data_ready(sock)) <= 0 && ctime + 5 <= time(NULL)); - + } while ((ready = hydra_data_ready(sock)) <= 0 && ctime + 5 >= time(NULL)); + if (ready <= 0) { fprintf(stderr, "[ERROR] no reply from target smb://%s:%d/\n", hostname, port); return -1; } - + if ((ready = recv(sock, buf, sizeof(buf), 0)) < 40) { fprintf(stderr, "[ERROR] invalid reply from target smb://%s:%d/\n", hostname, port); return -1; } close(sock); - + if (buf[37] == buf[38] && buf[38] == 0xff) { fprintf(stderr, "[ERROR] target smb://%s:%d/ does not support SMBv1\n", hostname, port); return -1; } - + if ((buf[15] & 16) == 16) { - fprintf(stderr, "[ERROR] target smb://%s:%d/ requires signing which we do not support\n", hostname, port); + fprintf(stderr, + "[ERROR] target smb://%s:%d/ requires signing which we do not " + "support\n", + hostname, port); return -1; } - + return 0; } -void usage_smb(const char* service) { - printf("Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.\n" +void usage_smb(const char *service) { + printf("Module smb default value is set to test both local and domain account, " + "using a simple password with NTLM dialect.\n" "Note: you can set the group type using LOCAL or DOMAIN keyword\n" " or other_domain:{value} to specify a trusted domain.\n" " you can set the password type using HASH or MACHINE keyword\n" 
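Review bot: The two early returns after the corrected wait loop (the `no reply` and `invalid reply` branches) still return -1 without closing `sock`; `close(sock)` only runs on the path that reaches the SMBv1 check, so every failed init leaks a descriptor in the parent before the children are forked. Adding `close(sock);` before each of those `return -1;` lines would make them consistent with the later branches, and the `send()` failure return just above this hunk has the same gap. The local `time_t ctime` shadows the C library's `ctime()`; a name such as `start` would avoid that confusion. service_smb_init begins outside this hunk.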
@@ -1516,6 +1533,9 @@ void usage_smb(const char* service) { " you can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.\n" "Example: \n" " hydra smb://microsoft.com -l admin -p tooeasy -m \"local lmv2\"\n" - " hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m \"local hash\"\n" - " hydra smb://microsoft.com -l admin -p tooeasy -m \"other_domain:SECONDDOMAIN\"\n\n"); + " hydra smb://microsoft.com -l admin -p " + "D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m " + "\"local hash\"\n" + " hydra smb://microsoft.com -l admin -p tooeasy -m " + "\"other_domain:SECONDDOMAIN\"\n\n"); } diff --git a/hydra-smb2.c b/hydra-smb2.c new file mode 100644 index 0000000..d1d220d --- /dev/null +++ b/hydra-smb2.c 
@@ -0,0 +1,321 @@ +/** + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * + * Copyright (C) 2021 Karim Kanso, all rights reserved. + * kaz 'dot' kanso 'at' g mail 'dot' com + */ + +#if defined(LIBSMBCLIENT) + +#include "hydra-mod.h" + +#include +#include +#include +#include +#include + +extern hydra_option hydra_options; +extern char *HYDRA_EXIT; + +typedef struct creds { + const char *workgroup; + const char *user; + const char *pass; +} creds_t; + +const char default_workgroup[] = "WORKGROUP"; +bool use_nt_hash = false; +const char *workgroup = default_workgroup; +const char *netbios_name = NULL; + +#define EXIT_PROTOCOL_ERROR hydra_child_exit(2) +#define EXIT_CONNECTION_ERROR hydra_child_exit(1) +#define EXIT_NORMAL hydra_child_exit(0) + +void smb2_auth_provider(SMBCCTX *c, const char *srv, const char *shr, char *wg, int wglen, char *un, int unlen, char *pw, int pwlen) { + creds_t *cr = (creds_t *)smbc_getOptionUserData(c); + strncpy(wg, cr->workgroup, wglen); + strncpy(un, cr->user, unlen); + strncpy(pw, cr->pass, pwlen); + wg[wglen - 1] = 0; + un[unlen - 1] = 0; + pw[pwlen - 1] = 0; +} + +bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) { + SMBCCTX *ctx = smbc_new_context(); + if (ctx == NULL) { + hydra_report(stderr, "[ERROR] failed to create context\n"); + EXIT_PROTOCOL_ERROR; + } + // samba internal debugging will be dumped to stderr + smbc_setDebug(ctx, debug ? 
7 : 0); + smbc_setOptionDebugToStderr(ctx, true); + smbc_setFunctionAuthDataWithContext(ctx, smb2_auth_provider); + smbc_setOptionUserData(ctx, cr); + // 0 will use default port + smbc_setPort(ctx, port); + smbc_setOptionNoAutoAnonymousLogin(ctx, false); + smbc_setOptionUseNTHash(ctx, use_nt_hash); + if (netbios_name) { + smbc_setNetbiosName(ctx, (char *)netbios_name); + } + + ctx = smbc_init_context(ctx); + if (!ctx) { + hydra_report(stderr, "[ERROR] smbc_init_context fail\n"); + smbc_free_context(ctx, 1); + EXIT_PROTOCOL_ERROR; + } + + char uri[2048]; + snprintf(uri, sizeof(uri) - 1, "smb://%s/IPC$", server); + uri[sizeof(uri) - 1] = 0; + if (verbose) { + printf("[INFO] Connecting to: %s with %s\\%s%%%s\n", uri, cr->workgroup, cr->user, cr->pass); + } + SMBCFILE *fd = smbc_getFunctionOpendir(ctx)(ctx, uri); + if (fd) { + hydra_report(stderr, "[WARNING] Unexpected open on IPC$\n"); + smbc_getFunctionClosedir(ctx)(ctx, fd); + smbc_free_context(ctx, 1); + fd = NULL; + return true; + } + + /* + errno is set to 22 (EINVAL) when IPC$ as been opened but can not + be opened like a normal share. This corresponds to samba error + NT_STATUS_INVALID_INFO_CLASS, however this precise error code is + not available outside of the library. Thus, instead the library + sets a generic error (EINVAL) which can also correspond to other + cases (see below test). + + This is not ideal, but appears to be the best that the + libsmbclient library offers as detailed state information is + internalised and not available. Further, it is also not possible + from the api to separate the connection, authentication and + authorisation. + + The following text is taken from the libsmbclient header file for + the return value of the smbc_getFunctionOpendir function: + + Valid directory handle. < 0 on error with errno set: + - EACCES Permission denied. + - EINVAL A NULL file/URL was passed, or the URL would + not parse, or was of incorrect form or smbc_init not + called. 
+ - ENOENT durl does not exist, or name is an + - ENOMEM Insufficient memory to complete the + operation. + - ENOTDIR name is not a directory. + - EPERM the workgroup could not be found. + - ENODEV the workgroup or server could not be found. + + */ + switch (errno) { + case 0: + // maybe false positive? unclear ... :( ... needs more testing + smbc_free_context(ctx, 1); + return true; + break; + case ENOENT: + // Noticed this when connecting to older samba servers on linux + // where any credentials are accepted. + hydra_report(stderr, "[WARNING] %s might accept any credential\n", server); + case EINVAL: // 22 + // probably password ok, nominal case when connecting to a windows + // smb server with good credentials. + smbc_free_context(ctx, 1); + return true; + break; + case EPERM: + // Probably this means access denied inspite of mention above + // about being related to wrong workgroup. I have observed + // libsmbclient emitting this when connecting to a vanilla install + // of Windows 2019 server (non-domain) with wrong credentials. It + // appears related to a fallback null session being rejected after + // the library tries with provided credentials. If the null + // session is accepted, EACCES is returned. + case EACCES: + // 100% access denied + break; + case EHOSTUNREACH: + case ETIMEDOUT: + case ECONNREFUSED: + // there are probably more codes that could be added here to + // indicate connection errors. 
+ hydra_report(stderr, "[ERROR] Error %s (%d) while connecting to %s\n", strerror(errno), errno, server); + smbc_free_context(ctx, 1); + EXIT_CONNECTION_ERROR; + break; + default: + // unexpected error + hydra_report(stderr, "[ERROR] %s (%d)\n", strerror(errno), errno); + smbc_free_context(ctx, 1); + EXIT_PROTOCOL_ERROR; + } + + smbc_free_context(ctx, 1); + return false; +} + +void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + static int first_run = 0; + hydra_register_socket(sp); + + while (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))) { + char *login, *pass; + + if (first_run && hydra_options.conwait) + sleep(hydra_options.conwait); + + login = hydra_get_next_login(); + pass = hydra_get_next_password(); + + creds_t cr = { + .user = login, + .pass = pass, + .workgroup = workgroup, + }; + + if (smb2_run_test(&cr, hydra_address2string(ip), port & 0xffff)) { + hydra_completed_pair_found(); + } else { + hydra_completed_pair(); + } + + first_run = 1; + } + EXIT_NORMAL; +} + +// constants used by option parser +const char tkn_workgroup[] = "workgroup:{"; +const char tkn_nthash_true[] = "nthash:true"; +const char tkn_nthash_false[] = "nthash:false"; +const char tkn_netbios[] = "netbios:{"; + +#define CMP(s1, s2) (strncmp(s1, s2, sizeof(s1) - 1) == 0) + +int32_t service_smb2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + if (!miscptr) + return 0; + + while (*miscptr) { + if (isspace(*miscptr)) { + miscptr++; + continue; + } + if (CMP(tkn_workgroup, miscptr)) { + if (workgroup != default_workgroup) { + // miscptr has already been processed, goto end + miscptr += strlen(miscptr) + 1; + continue; + } + miscptr += sizeof(tkn_workgroup) - 1; + char *p = strchr(miscptr, '}'); + if (p == NULL) { + hydra_report(stderr, "[ERROR] missing closing brace in workgroup\n"); + return -1; + } + *p = '\0'; + workgroup = miscptr; + miscptr = 
p + 1; + if (verbose || debug) { + printf("[VERBOSE] Set workgroup to: %s\n", workgroup); + } + continue; + } + if (CMP(tkn_netbios, miscptr)) { + if (netbios_name != NULL) { + // miscptr has already been processed, goto end + miscptr += strlen(miscptr) + 1; + continue; + } + miscptr += sizeof(tkn_netbios) - 1; + char *p = strchr(miscptr, '}'); + if (p == NULL) { + hydra_report(stderr, "[ERROR] missing closing brace in netbios name\n"); + return -1; + } + *p = '\0'; + netbios_name = miscptr; + miscptr = p + 1; + if (verbose || debug) { + printf("[VERBOSE] Set netbios name to: %s\n", netbios_name); + } + continue; + } + if (CMP(tkn_nthash_true, miscptr)) { + miscptr += sizeof(tkn_nthash_true) - 1; + use_nt_hash = true; + if (verbose || debug) { + printf("[VERBOSE] Enabled nthash.\n"); + } + continue; + } + if (CMP(tkn_nthash_false, miscptr)) { + miscptr += sizeof(tkn_nthash_false) - 1; + use_nt_hash = false; + if (verbose || debug) { + printf("[VERBOSE] Disabled nthash.\n"); + } + continue; + } + + hydra_report(stderr, "[ERROR] unable to parse: %s\n", miscptr); + return -1; + } + + return 0; +} + +void usage_smb2(const char *service) { + puts("Module is a thin wrapper over the Samba client library (libsmbclient).\n" + "Thus, is capable of negotiating v1, v2 and v3 of the protocol.\n" + "\n" + "As this relies on Samba libraries, the system smb.conf will be parsed\n" + "when library starts up. It is possible to add configuration options\n" + "into that file that affect this module (such as min/max supported\n" + "protocol version).\n" + "\n" + "Caution: due to the high-level libsmbclient api (compared the smb\n" + "Hydra module), the accuracy is reduced. That is, this module works by\n" + "attempting to open the IPC$ share, which is reported as an error,\n" + "e.g. try this with the smbclient tool and it will raise the\n" + "NT_STATUS_INVALID_INFO_CLASS error). 
Sadly, the level of feedback\n" + "from the api does not distinguish this error from general/unknown\n" + "errors, so it might be possible to have false positives due to this\n" + "fact. One example of this is when the library can not parse the uri\n" + "correctly. On the other hand, false negatives could occur when a\n" + "valid credential is unable to open the share due to access control,\n" + "e.g. a locked/suspended account.\n" + "\n" + "There are three module options available:\n" + " workgroup:{XXX} - set the users workgroup\n" + " netbios:{XXX} - set the recipients netbios name\n" + " nthash:true or nthash:false - threat password as an nthash\n" + "\n" + "Examples: \n" + " hydra smb2://abc.com -l admin -p xxx -m workgroup:{OFFICE}\n" + " hydra smb2://1.2.3.4 -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 -m " + "'workgroup:{OFFICE} nthash:true'\n" + " hydra -l admin -p F54F3A1D3C38140684FF4DAD029F25B5 " + "'smb2://1.2.3.4/workgroup:{OFFICE} nthash:true'\n"); +} + +#endif // LIBSMBCLIENT diff --git a/hydra-smtp-enum.c b/hydra-smtp-enum.c index ebcd379..d887307 100644 --- a/hydra-smtp-enum.c +++ b/hydra-smtp-enum.c @@ -24,7 +24,7 @@ int32_t tosent = 0; int32_t smtp_enum_cmd = VRFY; -int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[500]; @@ -55,7 +55,7 @@ int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options return (1); if (debug) hydra_report(stderr, "DEBUG S: %s", buf); - /* good return values are something like 25x */ + /* good return values are something like 25x */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "^25\\d\\s")) { #else 
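Review bot: `smb2_run_test` dispatches on `errno` after `smbc_getFunctionOpendir(ctx)(ctx, uri)` returns NULL, but errno is never cleared before that call, so a value left over from `smbc_init_context` (which parses smb.conf) or any earlier libc call can reach the switch and be reported as `case 0` or as a credential state; set `errno = 0;` immediately before the opendir line. On the `smbc_init_context` failure path the original context pointer has already been overwritten with NULL, so `smbc_free_context(ctx, 1)` frees nothing and the context from `smbc_new_context` leaks; keep the result separately, e.g. `SMBCCTX *init = smbc_init_context(ctx); if (!init) { hydra_report(stderr, "[ERROR] smbc_init_context fail\n"); smbc_free_context(ctx, 1); EXIT_PROTOCOL_ERROR; }`. `smbc_setOptionNoAutoAnonymousLogin(ctx, false)` leaves the library's anonymous fallback enabled, which the EPERM comment itself blames for the ambiguous EPERM/EACCES results; passing `true` should make a denied result attributable to the tested credentials, which is worth confirming against the library. The `ENOENT`→`EINVAL` and `EPERM`→`EACCES` fall-throughs are intentional per the comments but deserve an explicit `/* fallthrough */` marker, and in `usage_smb2` "threat password as an nthash" should read "treat".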
@@ -103,7 +103,7 @@ int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options return (1); if (debug) hydra_report(stderr, "DEBUG S: %s", buf); - /* good return values are something like 25x */ + /* good return values are something like 25x */ #ifdef HAVE_PCRE if (hydra_string_match(buf, "^25\\d\\s")) { #else @@ -119,21 +119,25 @@ int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options err = strstr(buf, "Error"); if (err || tosent || strncmp(buf, "50", 2) == 0) { // we should report command not identified by the server - //502 5.5.2 Error: command not recognized -//#ifdef HAVE_PCRE -// if ((debug || hydra_string_match(buf, "\\scommand\\snot\\srecognized")) && err) { -//#else -// if ((debug || strstr(buf, "command") != NULL) && err) { -//#endif -// hydra_report(stderr, "Server %s", err); -// } - if (strncmp(buf, "500 ", 4) == 0) { - hydra_report(stderr, "[ERROR] command is disabled on the server (choose different method): %s", buf); + // 502 5.5.2 Error: command not recognized + //#ifdef HAVE_PCRE + // if ((debug || hydra_string_match(buf, + // "\\scommand\\snot\\srecognized")) && err) { + //#else + // if ((debug || strstr(buf, "command") != NULL) && err) { + //#endif + // hydra_report(stderr, "Server %s", err); + // } + if (strncmp(buf, "500 ", 4) == 0 || strncmp(buf, "502 ", 4) == 0) { + hydra_report(stderr, + "[ERROR] command is disabled on the server (choose " + "different method): %s", + buf); free(buf); - return 3; + return 4; } memset(buffer, 0, sizeof(buffer)); - //503 5.5.1 Error: nested MAIL command + // 503 5.5.1 Error: nested MAIL command strncpy(buffer, "RSET\r\n", sizeof(buffer)); free(buf); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) 
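Review bot: The new `return 4;` in the `500 `/`502 ` branch introduces a fourth run state whose meaning exists only because `service_smtp_enum` (hunk `@@ -232,15 +236,21 @@` in this file) adds `case 4: /* unsupported exit */` mapping it to `hydra_child_exit(3)`, and neither side documents that mapping; a comment at the return such as `/* 4: command unsupported by server, service loop exits the child with status 3 */` would tie the two together, or better a shared enum for the run states. The nine lines of commented-out code above the check were reindented rather than removed; if they are dead they should go. The enclosing function start_smtp_enum starts and ends outside this hunk.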
@@ -150,7 +154,7 @@ int32_t start_smtp_enum(int32_t s, char *ip, int32_t port, unsigned char options return 2; } -void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1, i = 0; int32_t myport = PORT_SMTP, mysslport = PORT_SMTP_SSL; char *buffer = "HELO hydra\r\n"; @@ -160,7 +164,7 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { @@ -175,7 +179,7 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt port = mysslport; } if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } /* receive initial header */ @@ -185,17 +189,17 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt hydra_report(stderr, "Warning: SMTP does not allow connecting: %s\n", buf); hydra_child_exit(2); } -// while (strstr(buf, "220 ") == NULL) { -// free(buf); -// buf = hydra_receive_line(sock); -// } + // while (strstr(buf, "220 ") == NULL) { + // free(buf); + // buf = hydra_receive_line(sock); + // } -// if (buf[0] != '2') { + // if (buf[0] != '2') { if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { free(buf); hydra_child_exit(2); } -// } + // } free(buf); if ((buf = hydra_receive_line(sock)) == NULL) 
@@ -207,7 +211,7 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt if ((miscptr != NULL) && (strlen(miscptr) > 0)) { for (i = 0; i < strlen(miscptr); i++) - miscptr[i] = (char) toupper((int32_t) miscptr[i]); + miscptr[i] = (char)toupper((int32_t)miscptr[i]); if (strncmp(miscptr, "EXPN", 4) == 0) smtp_enum_cmd = EXPN; @@ -216,8 +220,8 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt smtp_enum_cmd = RCPT; } if (debug) { + hydra_report(stdout, "[VERBOSE] "); switch (smtp_enum_cmd) { - hydra_report(stdout, "[VERBOSE] "); case VRFY: hydra_report(stdout, "using SMTP VRFY command\n"); break; @@ -232,15 +236,21 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt free(buf); next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_smtp_enum(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) { sock = hydra_disconnect(sock); } hydra_child_exit(0); return; + case 4: /* unsupported exit */ + if (sock >= 0) { + sock = hydra_disconnect(sock); + } + hydra_child_exit(3); + return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); @@ -249,13 +259,13 @@ void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscpt } } -int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
@@ -263,9 +273,11 @@ int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char return 0; } -void usage_smtp_enum(const char* service) { +void usage_smtp_enum(const char *service) { printf("Module smtp-enum is optionally taking one SMTP command of:\n\n" "VRFY (default), EXPN, RCPT (which will connect using \"root\" account)\n" - "login parameter is used as username and password parameter as the domain name\n" - "For example to test if john@localhost exists on 192.168.0.1:\n" "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n"); + "login parameter is used as username and password parameter as the " + "domain name\n" + "For example to test if john@localhost exists on 192.168.0.1:\n" + "hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost\n\n"); } diff --git a/hydra-smtp.c b/hydra-smtp.c index b27ec0f..97d5b72 100644 --- a/hydra-smtp.c +++ b/hydra-smtp.c @@ -14,7 +14,7 @@ char *smtp_read_server_capacity(int32_t sock) { free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { - if (isdigit((int32_t) buf[0]) && buf[3] == ' ') + if (isdigit((int32_t)buf[0]) && buf[3] == ' ') resp = 1; else { if (buf[strlen(buf) - 1] == '\n') @@ -27,7 +27,7 @@ char *smtp_read_server_capacity(int32_t sock) { if ((ptr = strrchr(buf, '\n')) != NULL) { #endif ptr++; - if (isdigit((int32_t) *ptr) && *(ptr + 3) == ' ') + if (isdigit((int32_t)*ptr) && *(ptr + 3) == ' ') resp = 1; } } @@ -36,8 +36,8 @@ char *smtp_read_server_capacity(int32_t sock) { return buf; } -int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - char *empty = ""; +int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = "", *result = NULL; char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf; if (strlen(login = hydra_get_next_login()) == 0) 
@@ -52,7 +52,6 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha } switch (smtp_auth_mechanism) { - case AUTH_PLAIN: sprintf(buffer, "AUTH PLAIN\r\n"); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { @@ -62,13 +61,19 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha return 1; if (strstr(buf, "334") == NULL) { hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf); + if (strstr(buf, "503") != NULL) { + free(buf); + return 4; + } free(buf); return 3; } free(buf); memset(buffer, 0, sizeof(buffer)); - sasl_plain(buffer, login, pass); + result = sasl_plain(buffer, login, pass); + if (result == NULL) + return 3; char tmp_buffer[sizeof(buffer)]; sprintf(tmp_buffer, "%.250s\r\n", buffer); 
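Review bot: `strstr(buf, "503") != NULL` matches those digits anywhere in the server line, although the reply code is fixed at the start of it; `strncmp(buf, "503", 3) == 0` tests what is intended and avoids a false match on a message body that happens to contain the number. The new `return 4;` also needs a matching state in service_smtp's run switch, which lies outside this diff view; hydra-smtp-enum.c gains a `case 4` in this same commit, so confirm hydra-smtp.c does too, otherwise the child falls into the `default` branch. start_smtp's body continues beyond the hunk.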
@@ -77,105 +82,104 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha break; #ifdef LIBOPENSSL - case AUTH_CRAMMD5:{ - int32_t rc = 0; - char *preplogin; + case AUTH_CRAMMD5: { + int32_t rc = 0; + char *preplogin; - rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - if (rc) { - return 3; - } - - sprintf(buffer, "AUTH CRAM-MD5\r\n"); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - //get the one-time BASE64 encoded challenge - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, "334") == NULL || strlen(buf) < 8) { - hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf); - free(buf); - return 3; - } - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf + 4); - free(buf); - - memset(buffer2, 0, sizeof(buffer2)); - sasl_cram_md5(buffer2, pass, buffer); - - sprintf(buffer, "%s %.250s", preplogin, buffer2); - hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); - - char tmp_buffer[sizeof(buffer)]; - sprintf(tmp_buffer, "%.250s\r\n", buffer); - strcpy(buffer, tmp_buffer); - - free(preplogin); + rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + if (rc) { + return 3; } - break; - case AUTH_DIGESTMD5:{ - sprintf(buffer, "AUTH DIGEST-MD5\r\n"); - - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - //receive - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, "334") == NULL) { - hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf); - free(buf); - return 3; - } - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buf + 4); - free(buf); - - if (debug) - hydra_report(stderr, "DEBUG S: %s\n", buffer); - - fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); - if (fooptr == NULL) - return 3; - - if (debug) - hydra_report(stderr, "DEBUG C: %s\n", buffer2); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), 
sizeof(buffer2)); - sprintf(buffer, "%s\r\n", buffer2); + sprintf(buffer, "AUTH CRAM-MD5\r\n"); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; } - break; + // get the one-time BASE64 encoded challenge + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, "334") == NULL || strlen(buf) < 8) { + hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf); + free(buf); + return 3; + } + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf + 4); + free(buf); + + memset(buffer2, 0, sizeof(buffer2)); + result = sasl_cram_md5(buffer2, pass, buffer); + if (result == NULL) + return 3; + + sprintf(buffer, "%s %.250s", preplogin, buffer2); + hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer)); + + char tmp_buffer[sizeof(buffer)]; + sprintf(tmp_buffer, "%.250s\r\n", buffer); + strcpy(buffer, tmp_buffer); + + free(preplogin); + } break; + + case AUTH_DIGESTMD5: { + sprintf(buffer, "AUTH DIGEST-MD5\r\n"); + + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) + return 1; + // receive + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, "334") == NULL) { + hydra_report(stderr, "[ERROR] SMTP DIGEST-MD5 AUTH : %s\n", buf); + free(buf); + return 3; + } + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buf + 4); + free(buf); + + if (debug) + hydra_report(stderr, "DEBUG S: %s\n", buffer); + + fooptr = buffer2; + result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); + if (result == NULL) + return 3; + + if (debug) + hydra_report(stderr, "DEBUG C: %s\n", buffer2); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%s\r\n", buffer2); + } break; #endif - case AUTH_NTLM:{ - unsigned char buf1[4096]; - unsigned char buf2[4096]; + case AUTH_NTLM: { + unsigned char buf1[4096]; + unsigned char buf2[4096]; - //send auth and receive challenge - buildAuthRequest((tSmbNtlmAuthRequest *) buf2, 0, NULL, 
NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *) buf2)); - sprintf(buffer, "AUTH NTLM %s\r\n", buf1); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - return 1; - } - if ((buf = hydra_receive_line(s)) == NULL) - return 1; - if (strstr(buf, "334") == NULL || strlen(buf) < 8) { - hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf); - free(buf); - return 3; - } - //recover challenge - from64tobits((char *) buf1, buf + 4); - free(buf); - - buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); - to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *) buf2)); - sprintf(buffer, "%s\r\n", buf1); + // send auth and receive challenge + buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); + sprintf(buffer, "AUTH NTLM %s\r\n", buf1); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; } - break; + if ((buf = hydra_receive_line(s)) == NULL) + return 1; + if (strstr(buf, "334") == NULL || strlen(buf) < 8) { + hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf); + free(buf); + return 3; + } + // recover challenge + from64tobits((char *)buf1, buf + 4); + free(buf); + + buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); + to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); + sprintf(buffer, "%s\r\n", buf1); + } break; default: /* by default trying AUTH LOGIN */ 
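Review bot: In the CRAM-MD5 case `preplogin` is allocated by `sasl_saslprep` and freed only on the success path at the end of the case; the three early exits after it (the `hydra_send` failure, the non-334 reply, and the newly added `if (result == NULL) return 3;`) all leak it, so each should `free(preplogin);` before returning. The same case builds `sprintf(buffer, "%s %.250s", preplogin, buffer2)` into the 500-byte `buffer` with an unbounded `%s` for the prepared login; unless hydra bounds login length elsewhere (not visible here), `snprintf(buffer, sizeof(buffer), "%s %.250s", preplogin, buffer2)` would be safer. The rest of the switch is a reindent plus the `result` checks, which correctly replace the old `if (fooptr == NULL)` test that could never fire.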
@@ -188,13 +192,16 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha /* 504 5.7.4 Unrecognized authentication type */ if (strstr(buf, "334") == NULL) { - hydra_report(stderr, "[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: %s\n", buf); + hydra_report(stderr, + "[ERROR] SMTP LOGIN AUTH, either this auth is disabled or " + "server is not using auth: %s\n", + buf); free(buf); return 3; } free(buf); sprintf(buffer2, "%.250s", login); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { @@ -210,7 +217,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha free(buf); sprintf(buffer2, "%.250s", pass); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); } @@ -224,7 +231,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha if (smtp_auth_mechanism == AUTH_DIGESTMD5) { if (strstr(buf, "334") != NULL && strlen(buf) >= 8) { memset(buffer2, 0, sizeof(buffer2)); - from64tobits((char *) buffer2, buf + 4); + from64tobits((char *)buffer2, buf + 4); if (strstr(buffer2, "rspauth=") != NULL) { hydra_report_found_host(port, ip, "smtp", fp); hydra_completed_pair_found(); 
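Review bot: In the DIGEST-MD5 result check, `from64tobits((char *)buffer2, buf + 4)` decodes a server-supplied line into `buffer2` with no destination bound, and the only guard is `strlen(buf) >= 8`; a hostile or broken SMTP server can therefore overrun `buffer2` (declared outside this hunk, so its size is not visible here) with a long 334 line. Gate the decode on the decoded size before the `memset`, e.g. `if (strlen(buf + 4) * 3 / 4 + 1 > sizeof(buffer2)) { free(buf); return 3; }`. The same unbounded `from64tobits` pattern appears in the CRAM-MD5, DIGEST-MD5 and NTLM branches earlier in this function, and start_smtp continues outside the hunk.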
@@ -254,7 +261,7 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha return 2; } -void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1, i = 0; int32_t myport = PORT_SMTP, mysslport = PORT_SMTP_SSL, disable_tls = 1; char *buf; @@ -266,7 +273,7 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { @@ -282,7 +289,7 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -310,7 +317,7 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI if ((miscptr != NULL) && (strlen(miscptr) > 0)) { for (i = 0; i < strlen(miscptr); i++) - miscptr[i] = (char) toupper((int32_t) miscptr[i]); + miscptr[i] = (char)toupper((int32_t)miscptr[i]); if (strstr(miscptr, "TLS") || strstr(miscptr, "SSL") || strstr(miscptr, "STARTTLS")) { disable_tls = 0; 
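Review bot: `toupper((int32_t)miscptr[i])` in the option-uppercasing loop promotes a plain `char` to `int`, which is undefined for a negative (non-ASCII) byte where `char` is signed; the cast should go through `unsigned char`: `miscptr[i] = (char)toupper((unsigned char)miscptr[i]);`. Hoisting `strlen(miscptr)` out of the loop condition would also stop recomputing it per character. The loop rewrites the caller's option string in place, which deserves a one-line comment if that is intended. service_smtp continues outside the hunk.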
@@ -325,7 +332,8 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI free(buf); buf = hydra_receive_line(sock); if (buf[0] != '2') { - hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n"); + hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer " + "received from STARTTLS request\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1)) { @@ -346,9 +354,11 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI hydra_child_exit(2); } } else - hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n"); + hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it " + "is not supported by the server\n"); } else - hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is not supported by the server\n"); + hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is " + "not supported by the server\n"); } #endif @@ -380,9 +390,7 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI smtp_auth_mechanism = AUTH_PLAIN; } - if ((miscptr != NULL) && (strlen(miscptr) > 0)) { - if (strstr(miscptr, "LOGIN")) smtp_auth_mechanism = AUTH_LOGIN; @@ -399,7 +407,6 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI if (strstr(miscptr, "NTLM")) smtp_auth_mechanism = AUTH_NTLM; - } if (verbose) { 
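Review bot: After the STARTTLS request, `buf = hydra_receive_line(sock); if (buf[0] != '2')` dereferences the result without a NULL check, although this module treats a NULL from `hydra_receive_line` as a dropped connection everywhere else (see the `== NULL` checks in start_smtp), and on the `!= '2'` path `buf` is never freed while the `else` branch frees it. Suggest `if (buf == NULL || buf[0] != '2') { hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer received from STARTTLS request\n"); free(buf); } else {` so a closed socket and a refusal are both handled and the line is released. The surrounding TLS block starts and ends outside the hunk.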
@@ -426,15 +433,21 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI free(buf); next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_smtp(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) { sock = hydra_disconnect(sock); } hydra_child_exit(0); return; + case 4: /* error exit */ + if (sock >= 0) { + sock = hydra_disconnect(sock); + } + hydra_child_exit(3); + return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(0); @@ -443,13 +456,13 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } -int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -457,8 +470,10 @@ int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *mis return 0; } -void usage_smtp(const char* service) { +void usage_smtp(const char *service) { printf("Module smtp is optionally taking one authentication type of:\n" " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM\n\n" - "Additionally TLS encryption via STARTTLS can be enforced with the TLS option.\n\n" "Example: smtp://target/TLS:PLAIN\n"); + "Additionally TLS encryption via STARTTLS can be enforced with the " + "TLS option.\n\n" + "Example: smtp://target/TLS:PLAIN\n"); } diff --git a/hydra-snmp.c b/hydra-snmp.c index 5ffc4ef..415ceb8 100644 --- a/hydra-snmp.c +++ b/hydra-snmp.c 
@@ -1,10 +1,10 @@
 #include "hydra-mod.h"
 #ifdef LIBOPENSSL
+#include
+#include
 #include
 #include
 #include
-#include
-#include
 #endif
 
 extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
@@ -15,31 +15,13 @@ extern int32_t child_head_no; char snmpv3buf[1024], *snmpv3info = NULL; int32_t snmpv3infolen = 0, snmpversion = 1, snmpread = 1, hashtype = 1, enctype = 0; -unsigned char snmpv3_init[] = { 0x30, 0x3e, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, - 0x04, 0x08, 0x86, 0xdd, 0xf0, 0x02, 0x03, 0x00, - 0xff, 0xe3, 0x04, 0x01, 0x04, 0x02, 0x01, 0x03, - 0x04, 0x10, 0x30, 0x0e, 0x04, 0x00, 0x02, 0x01, - 0x00, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00, - 0x04, 0x00, 0x30, 0x14, 0x04, 0x00, 0x04, 0x00, - 0xa0, 0x0e, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbc, - 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00 -}; +unsigned char snmpv3_init[] = {0x30, 0x3e, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, 0x04, 0x08, 0x86, 0xdd, 0xf0, 0x02, 0x03, 0x00, 0xff, 0xe3, 0x04, 0x01, 0x04, 0x02, 0x01, 0x03, 0x04, 0x10, 0x30, 0x0e, 0x04, 0x00, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x30, 0x14, 0x04, 0x00, 0x04, 0x00, 0xa0, 0x0e, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbc, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00}; -unsigned char snmpv3_get1[] = { 0x30, 0x77, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, - 0x04, 0x08, 0x86, 0xdd, 0xef, 0x02, 0x03, 0x00, - 0xff, 0xe3, 0x04, 0x01, 0x05, 0x02, 0x01, 0x03 -}; +unsigned char snmpv3_get1[] = {0x30, 0x77, 0x02, 0x01, 0x03, 0x30, 0x11, 0x02, 0x04, 0x08, 0x86, 0xdd, 0xef, 0x02, 0x03, 0x00, 0xff, 0xe3, 0x04, 0x01, 0x05, 0x02, 0x01, 0x03}; -unsigned char snmpv3_get2[] = { 0x30, 0x2e, 0x04, 0x0c, 0x80, 0x00, 0x00, - 0x09, 0x03, 0x00, 0x00, 0x1f, 0xca, 0x8d, 0x82, - 0x1b, 0x04, 0x00, 0xa0, 0x1c, 0x02, 0x04, 0x3f, - 0x44, 0x5c, 0xbb, 0x02, 0x01, 0x00, 0x02, 0x01, - 0x00, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, - 0x00 -}; +unsigned char snmpv3_get2[] = {0x30, 0x2e, 0x04, 0x0c, 0x80, 0x00, 0x00, 0x09, 0x03, 0x00, 0x00, 0x1f, 0xca, 0x8d, 0x82, 0x1b, 0x04, 0x00, 0xa0, 0x1c, 0x02, 0x04, 0x3f, 0x44, 0x5c, 0xbb, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 
0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00}; -unsigned char snmpv3_nouser[] = { 0x04, 0x00, 0x04, 0x00, 0x04, 0x00 }; +unsigned char snmpv3_nouser[] = {0x04, 0x00, 0x04, 0x00, 0x04, 0x00}; struct SNMPV1_A { char ID; @@ -49,13 +31,11 @@ struct SNMPV1_A { char comlen; }; -struct SNMPV1_A snmpv1_a = { - .ID = '\x30', - .len = '\x00', - .ver = "\x02\x01\x00", /* \x02\x01\x01 for snmpv2c, \x02\x01\x03 for snmpv3 */ - .comid = '\x04', - .comlen = '\x00' -}; +struct SNMPV1_A snmpv1_a = {.ID = '\x30', + .len = '\x00', + .ver = "\x02\x01\x00", /* \x02\x01\x01 for snmpv2c, \x02\x01\x03 for snmpv3 */ + .comid = '\x04', + .comlen = '\x00'}; struct SNMPV1_R { unsigned char type[2]; @@ -67,12 +47,14 @@ struct SNMPV1_R { unsigned char object[11]; unsigned char value[3]; } snmpv1_r = { - .type = "\xa0\x1b", /* GET */ - .identid = "\x02\x04",.ident = "\x1a\x5e\x97\x00", /* random crap :) */ - .errstat = "\x02\x01\x00", /* no error */ - .errind = "\x02\x01\x00", /* error index 0 */ - .objectid = "\x30\x0d",.object = "\x30\x0b\x06\x07\x2b\x06\x01\x02\x01\x01\x01", /* sysDescr */ - .value = "\x05\x00" /* we just read, so value = 0 */ + .type = "\xa0\x1b", /* GET */ + .identid = "\x02\x04", + .ident = "\x1a\x5e\x97\x00", /* random crap :) */ + .errstat = "\x02\x01\x00", /* no error */ + .errind = "\x02\x01\x00", /* error index 0 */ + .objectid = "\x30\x0d", + .object = "\x30\x0b\x06\x07\x2b\x06\x01\x02\x01\x01\x01", /* sysDescr */ + .value = "\x05\x00" /* we just read, so value = 0 */ }; struct SNMPV1_W { 
@@ -85,20 +67,22 @@ struct SNMPV1_W { unsigned char object[12]; unsigned char value[8]; } snmpv1_w = { - .type = "\xa3\x21", /* SET */ - .identid = "\x02\x04",.ident = "\x1a\x5e\x97\x22", /* random crap :) */ - .errstat = "\x02\x01\x00", /* no error */ - .errind = "\x02\x01\x00", /* error index 0 */ - .objectid = "\x30\x13", /* string */ - .object = "\x30\x11\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00",.value = "\x04\x05Hydra" /* writing hydra :-) */ + .type = "\xa3\x21", /* SET */ + .identid = "\x02\x04", + .ident = "\x1a\x5e\x97\x22", /* random crap :) */ + .errstat = "\x02\x01\x00", /* no error */ + .errind = "\x02\x01\x00", /* error index 0 */ + .objectid = "\x30\x13", /* string */ + .object = "\x30\x11\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00", + .value = "\x04\x05Hydra" /* writing hydra :-) */ }; #ifdef LIBOPENSSL -void password_to_key_md5(u_char * password, /* IN */ - u_int passwordlen, /* IN */ - u_char * engineID, /* IN - pointer to snmpEngineID */ - u_int engineLength, /* IN - length of snmpEngineID */ - u_char * key) { /* OUT - pointer to caller 16-octet buffer */ +void password_to_key_md5(u_char *password, /* IN */ + u_int passwordlen, /* IN */ + u_char *engineID, /* IN - pointer to snmpEngineID */ + u_int engineLength, /* IN - length of snmpEngineID */ + u_char *key) { /* OUT - pointer to caller 16-octet buffer */ MD5_CTX MD; u_char *cp, password_buf[80], *mypass = password, bpass[17]; u_long password_index = 0, count = 0, i, mylen, myelen = engineLength; @@ -111,7 +95,7 @@ void password_to_key_md5(u_char * password, /* IN */ if (mylen < 8) { memset(bpass, 0, sizeof(bpass)); - strcpy(bpass, password); + strncpy(bpass, password, sizeof(bpass) - 1); while (mylen < 8) { strcat(bpass, password); mylen += passwordlen; 
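Review bot: Switching the first copy to `strncpy(bpass, password, sizeof(bpass) - 1)` does not bound the loop right after it: `strcat(bpass, password)` is still unchecked, and it is that loop, not the initial copy, that grows the 17-byte `bpass`. With `mylen < 8` on entry the loop stays within 14 bytes when `passwordlen` matches `strlen(password)`, but if `passwordlen` is 0 (an empty password, e.g. via `-e n`, if one can reach here) `mylen += passwordlen` never advances and the loop never terminates. Suggest `strncat(bpass, password, sizeof(bpass) - 1 - strlen(bpass));` inside the loop and `while (mylen < 8 && passwordlen > 0)` as its condition, or reject a zero-length SNMPv3 password in the caller. password_to_key_md5 continues outside the hunk, and the same loop is presumably mirrored in password_to_key_sha.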
@@ -121,7 +105,7 @@ void password_to_key_md5(u_char * password, /* IN */ if (myelen > 32) myelen = 32; - MD5_Init(&MD); /* initialize MD5 */ + MD5_Init(&MD); /* initialize MD5 */ /* Use while loop until we've done 1 Megabyte */ while (count < 1048576) { cp = password_buf; @@ -133,7 +117,7 @@ void password_to_key_md5(u_char * password, /* IN */ MD5_Update(&MD, password_buf, 64); count += 64; } - MD5_Final(key, &MD); /* tell MD5 we're done */ + MD5_Final(key, &MD); /* tell MD5 we're done */ /* Now localize the key with the engineID and pass */ /* through MD5 to produce final key */ /* May want to ensure that engineLength <= 32, */ @@ -147,11 +131,11 @@ void password_to_key_md5(u_char * password, /* IN */ return; } -void password_to_key_sha(u_char * password, /* IN */ - u_int passwordlen, /* IN */ - u_char * engineID, /* IN - pointer to snmpEngineID */ - u_int engineLength, /* IN - length of snmpEngineID */ - u_char * key) { /* OUT - pointer to caller 20-octet buffer */ +void password_to_key_sha(u_char *password, /* IN */ + u_int passwordlen, /* IN */ + u_char *engineID, /* IN - pointer to snmpEngineID */ + u_int engineLength, /* IN - length of snmpEngineID */ + u_char *key) { /* OUT - pointer to caller 20-octet buffer */ SHA_CTX SH; u_char *cp, password_buf[80], *mypass = password, bpass[17]; u_long password_index = 0, count = 0, i, mylen = passwordlen, myelen = engineLength; @@ -169,7 +153,7 @@ void password_to_key_sha(u_char * password, /* IN */ if (myelen > 32) myelen = 32; - SHA1_Init(&SH); /* initialize SHA */ + SHA1_Init(&SH); /* initialize SHA */ /* Use while loop until we've done 1 Megabyte */ while (count < 1048576) { cp = password_buf; 
@@ -181,7 +165,7 @@ void password_to_key_sha(u_char * password, /* IN */ SHA1_Update(&SH, password_buf, 64); count += 64; } - SHA1_Final(key, &SH); /* tell SHA we're done */ + SHA1_Final(key, &SH); /* tell SHA we're done */ /* Now localize the key with the engineID and pass */ /* through SHA to produce final key */ /* May want to ensure that engineLength <= 32, */ @@ -196,7 +180,7 @@ void password_to_key_sha(u_char * password, /* IN */ } #endif -int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = "\"\"", *ptr, *login, *pass, buffer[1024], buf[1024], hash[64], key[256] = "", salt[8] = ""; int32_t i, j, k, size, off = 0, off2 = 0; unsigned char initVect[8], privacy_params[8]; @@ -223,7 +207,7 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha size = sizeof(snmpv1_w); } - snmpv1_a.comlen = (char) strlen(pass); + snmpv1_a.comlen = (char)strlen(pass); snmpv1_a.len = snmpv1_a.comlen + size + sizeof(snmpv1_a) - 3; i = sizeof(snmpv1_a); @@ -238,7 +222,7 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha memcpy(buffer + i, &snmpv1_w, size); i += sizeof(snmpv1_w); } - } else { // snmpv3 + } else { // snmpv3 if (enctype == 0) { memcpy(buffer, snmpv3_get1, sizeof(snmpv3_get1)); i = sizeof(snmpv3_get1); @@ -277,7 +261,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha if (enctype == 0) buffer[1] = 48 + sizeof(snmpv3_get1) + buffer[i + 1]; i += snmpv3infolen; -//printf("2 + %d + %d + %d = 0x%02x\n", off, snmpv3infolen, strlen(login), buffer[1]); + // printf("2 + %d + %d + %d = 0x%02x\n", off, snmpv3infolen, strlen(login), + // buffer[1]); buffer[i] = 0x04; buffer[i + 1] = strlen(login); 
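Review bot: `snmpv1_a.comlen = (char)strlen(pass);` stores the community length in a single BER short-form length octet, and `snmpv1_a.len` is then computed in single-byte arithmetic from it, so the total length overflows the short form as soon as `strlen(pass) + size + sizeof(snmpv1_a) - 3` exceeds 127 and the packet goes out malformed (whether the caller caps `pass` below that is decided outside this hunk). A guard before the assignment, such as `if (strlen(pass) + size + sizeof(snmpv1_a) - 3 > 127) { hydra_completed_pair_skip(); return 1; }` mirroring the skip path this module uses for an unknown SNMPv3 user, keeps the encoding honest. The same single-octet assumption applies to `buffer[i + 1] = strlen(login);` in the SNMPv3 branch later in this function. start_snmp continues outside the hunk.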
@@ -301,7 +286,7 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha
 i += 2;
 } else {
 buffer[i + 1] = 8;
- memcpy(buffer + i + 2, salt, 8); // uninitialized and we don't care
+ memcpy(buffer + i + 2, salt, 8); // uninitialized and we don't care
 i += 10;
 }
 
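Review bot: The comment on `memcpy(buffer + i + 2, salt, 8); // uninitialized and we don't care` is stale: `salt` is declared `salt[8] = ""` in start_snmp, so the eight privParameters octets sent here are all zero, not uninitialized stack bytes. Suggest `// salt is zero-filled (see its declaration); RFC 3414 8.1.1.1 wants it unique per message, which a one-shot GET probe does not need`, so the next reader neither hunts for a random source nor suspects a stack leak. start_snmp continues on both sides of the hunk.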
@@ -314,49 +299,49 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha #ifdef LIBOPENSSL -/* -//PrivDES::encrypt(const unsigned char *key, -// const uint32_t key_len, -// const unsigned char *buffer, -// const uint32_t buffer_len, -// unsigned char *out_buffer, -// uint32_t *out_buffer_len, -// unsigned char *privacy_params, -// uint32_t *privacy_params_len, -// const unsigned long engine_boots, -// const unsigned long engine_time) -// last 8 bytes of key are used as base for initialization vector */ + /* + //PrivDES::encrypt(const unsigned char *key, + // const uint32_t key_len, + // const unsigned char *buffer, + // const uint32_t buffer_len, + // unsigned char *out_buffer, + // uint32_t *out_buffer_len, + // unsigned char *privacy_params, + // uint32_t *privacy_params_len, + // const unsigned long engine_boots, + // const unsigned long engine_time) + // last 8 bytes of key are used as base for initialization vector */ k = 0; - memcpy((char *) initVect, key + 8, 8); + memcpy((char *)initVect, key + 8, 8); // put salt in privacy_params j = htonl(engine_boots); - memcpy(privacy_params, (char *) &j, 4); - memcpy(privacy_params + 4, salt, 4); // ??? correct? - // xor initVect with salt + memcpy(privacy_params, (char *)&j, 4); + memcpy(privacy_params + 4, salt, 4); // ??? correct? 
+ // xor initVect with salt for (i = 0; i < 8; i++) initVect[i] ^= privacy_params[i]; - DES_key_sched((const_DES_cblock *) key, &symcbc); - DES_ncbc_encrypt(snmpv3_get2 + 2, buf, sizeof(snmpv3_get2) - 2, &symcbc, (const_DES_cblock *) (initVect), DES_ENCRYPT); + DES_key_sched((const_DES_cblock *)key, &symcbc); + DES_ncbc_encrypt(snmpv3_get2 + 2, buf, sizeof(snmpv3_get2) - 2, &symcbc, (const_DES_cblock *)(initVect), DES_ENCRYPT); #endif -/* for (i = 0; i <= sizeof(snmpv3_get2) - 8; i += 8) { - DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8, (const_DES_cblock*)(initVect), DES_ENCRYPT); - } - // last part of buffer - if (buffer_len % 8) { - unsigned char tmp_buf[8]; - unsigned char *tmp_buf_ptr = tmp_buf; - int32_t start = buffer_len - (buffer_len % 8); - memset(tmp_buf, 0, 8); - for (uint32_t l = start; l < buffer_len; l++) - *tmp_buf_ptr++ = buffer[l]; - DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc, (const_DES_cblock*)(initVect), DES_ENCRYPT); - *out_buffer_len = buffer_len + 8 - (buffer_len % 8); - } else - *out_buffer_len = buffer_len; -*/ - //dummy + /* for (i = 0; i <= sizeof(snmpv3_get2) - 8; i += 8) { + DES_ncbc_encrypt(snmpv3_get2 + i, buf + i, 8, + (const_DES_cblock*)(initVect), DES_ENCRYPT); + } + // last part of buffer + if (buffer_len % 8) { + unsigned char tmp_buf[8]; + unsigned char *tmp_buf_ptr = tmp_buf; + int32_t start = buffer_len - (buffer_len % 8); + memset(tmp_buf, 0, 8); + for (uint32_t l = start; l < buffer_len; l++) + *tmp_buf_ptr++ = buffer[l]; + DES_ncbc_encrypt(tmp_buf, buf + start, 1, &symcbc, + (const_DES_cblock*)(initVect), DES_ENCRYPT); *out_buffer_len = + buffer_len + 8 - (buffer_len % 8); } else *out_buffer_len = buffer_len; + */ + // dummy k = ((sizeof(snmpv3_get2) - 2) / 8); if ((sizeof(snmpv3_get2) - 2) % 8 != 0) k++; 
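Review bot: The `// ??? correct?` left on `memcpy(privacy_params + 4, salt, 4);` can be answered instead of reflowed: RFC 3414 8.1.1.1 defines the 8-octet DES salt as snmpEngineBoots in network order followed by a 4-octet local integer, and the IV as the pre-IV (the last 8 of the first 16 localized-key octets, which `key + 8` supplies) XORed with that salt, so the layout here is right. What the comment should say is that the local half comes from the always-zero `salt` array, so every probe reuses one IV, acceptable for a single request but not for anything that sends more than one message under a key; suggest `// RFC 3414 8.1.1.1: salt = engineBoots || local counter (zero here, single-message use only)`. The large commented-out encrypt loop below it is dead code that clang-format will keep reshaping on every run; it is better deleted and left to git history. The enclosing function continues outside the hunk.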
@@ -364,13 +349,13 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha i += k * 8 + 2; } - i++; // just to conform with the snmpv1/2 code + i++; // just to conform with the snmpv1/2 code #ifdef LIBOPENSSL if (hashtype == 1) { - HMAC((EVP_MD *) EVP_md5(), key, 16, buffer, i - 1, hash, NULL); + HMAC((EVP_MD *)EVP_md5(), key, 16, buffer, i - 1, hash, NULL); memcpy(buffer + off, hash, 12); } else if (hashtype == 2) { - HMAC((EVP_MD *) EVP_sha1(), key, 20, buffer, i - 1, hash, NULL); + HMAC((EVP_MD *)EVP_sha1(), key, 20, buffer, i - 1, hash, NULL); memcpy(buffer + off, hash, 12); } #endif @@ -384,19 +369,19 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha } while (hydra_data_ready_timed(s, 1, 0) <= 0 && j < 3); if (hydra_data_ready_timed(s, 5, 0) > 0) { - i = hydra_recv(s, (char *) buf, sizeof(buf)); + i = hydra_recv(s, (char *)buf, sizeof(buf)); if (snmpversion < 3) { /* stolen from ADMsnmp... :P */ for (j = 0; j < i; j++) { if (buf[j] == '\x04') { /* community name */ for (j = j + buf[j + 1]; j + 2 < i; j++) { - if (buf[j] == '\xa2') { /* PDU Response */ + if (buf[j] == '\xa2') { /* PDU Response */ for (; j + 2 < i; j++) { if (buf[j] == '\x02') { /* ID */ for (j = j + (buf[j + 1]); j + 2 < i; j++) { if (buf[j] == '\x02') { - if (buf[j + 1] == '\x01') { /* good ! */ + if (buf[j + 1] == '\x01') { /* good ! */ hydra_report_found_host(port, ip, "snmp", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) @@ -411,7 +396,7 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha } } } - } else { // snmpv3 reply + } else { // snmpv3 reply off = 0; if (buf[0] == 0x30) { if (buf[4] == 0x03 && buf[5] == 0x30) 
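Review bot: In the SNMPv1/v2 reply walk, `for (j = j + buf[j + 1]; j + 2 < i; j++)` adds a BER length octet read from the signed `char buf[1024]`, so any length byte of 0x80 or above (a long-form length, or a long community string) is negative, moves `j` backwards and can step before `buf[0]`; the inner `for (j = j + (buf[j + 1]); j + 2 < i; j++)` has the same flaw. Cast the octet before using it, `for (j = j + (unsigned char)buf[j + 1]; j + 2 < i; j++)` in both loops, and require `j + 1 < i` before reading `buf[j + 1]` so the last byte of a short reply is not read past what `hydra_recv` returned. These lines are context in this hunk, so the defect is pre-existing, but the agent is a network peer and this walk is the only parser of its reply. start_snmp continues outside the hunk.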
@@ -453,7 +438,8 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; - } else if ((buf[off + 15] & 5) == 4 && hydra_memsearch(buf, i, snmpv3_nouser, sizeof(snmpv3_nouser)) >= 0) { // user does not exist + } else if ((buf[off + 15] & 5) == 4 && hydra_memsearch(buf, i, snmpv3_nouser, + sizeof(snmpv3_nouser)) >= 0) { // user does not exist if (verbose) printf("[INFO] user %s does not exist, skipping\n", login); hydra_completed_pair_skip(); @@ -470,7 +456,7 @@ int32_t start_snmp(int32_t s, char *ip, int32_t port, unsigned char options, cha return 1; } -void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1, i = 0; int32_t myport = PORT_SNMP; char *lptr; @@ -519,7 +505,7 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI hydra_register_socket(sp); if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, no socket available\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, no socket available\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -528,7 +514,7 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI while (snmpv3info == NULL && next_run < 3) { hydra_send(sock, snmpv3_init, sizeof(snmpv3_init), 0); if (hydra_data_ready_timed(sock, 5, 0) > 0) { - if ((i = hydra_recv(sock, (char *) snmpv3buf, sizeof(snmpv3buf))) > 30) { + if ((i = hydra_recv(sock, (char *)snmpv3buf, sizeof(snmpv3buf))) > 30) { if (snmpv3buf[4] == 3 && snmpv3buf[5] == 0x30) { snmpv3info = snmpv3buf + 7 + snmpv3buf[6]; snmpv3infolen = snmpv3info[3] + 4; 
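Review bot: `snmpv3info = snmpv3buf + 7 + snmpv3buf[6]; snmpv3infolen = snmpv3info[3] + 4;` takes both offsets from octets of the reply without checking them against `i`, the byte count actually received, and `snmpv3buf` is a signed `char` array, so a length octet of 0x80 or above points `snmpv3info` before the buffer; the `> 30` test only guarantees that `snmpv3buf[6]` itself is readable. `snmpv3infolen` later drives `hydra_dump_asciihex` and the copy of the engine data into the request, so a truncated or crafted reply turns into an over-read there. Read the octets as `unsigned char` and treat a reply whose offsets run past `i` as not yet answered so the probe loop keeps going. The while loop begins in this hunk but its body continues past it.
```c
      if ((i = hydra_recv(sock, (char *)snmpv3buf, sizeof(snmpv3buf))) > 30) {
        if (snmpv3buf[4] == 3 && snmpv3buf[5] == 0x30 && 7 + (unsigned char)snmpv3buf[6] + 4 <= i) {
          snmpv3info = snmpv3buf + 7 + (unsigned char)snmpv3buf[6];
          snmpv3infolen = (unsigned char)snmpv3info[3] + 4;
          if (snmpv3info + snmpv3infolen > snmpv3buf + i)
            snmpv3info = NULL; // truncated or bogus reply, retry the probe
          // … unchanged: engine-id debug output …
```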
@@ -538,8 +524,9 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI if (debug) hydra_dump_asciihex(snmpv3info, snmpv3infolen); if (snmpv3info[10] == 3 && child_head_no == 0) - printf("[INFO] Remote device MAC address is %02x:%02x:%02x:%02x:%02x:%02x\n", (unsigned char) snmpv3info[12], (unsigned char) snmpv3info[13], - (unsigned char) snmpv3info[14], (unsigned char) snmpv3info[15], (unsigned char) snmpv3info[16], (unsigned char) snmpv3info[12]); + printf("[INFO] Remote device MAC address is " + "%02x:%02x:%02x:%02x:%02x:%02x\n", + (unsigned char)snmpv3info[12], (unsigned char)snmpv3info[13], (unsigned char)snmpv3info[14], (unsigned char)snmpv3info[15], (unsigned char)snmpv3info[16], (unsigned char)snmpv3info[12]); } } } @@ -557,10 +544,10 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ next_run = start_snmp(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); @@ -573,13 +560,13 @@ void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI } } -int32_t service_snmp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_snmp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
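Review bot: The MAC address print passes `snmpv3info[12]` again as the sixth `%02x` argument, so the last octet shown is a copy of the first; this was already in the old line and the reflow keeps it. Given the engine-ID format octet is tested at `snmpv3info[10]` and RFC 3411 format 3 places the six MAC octets directly after it, the arguments are presumably meant to be `snmpv3info[11]` through `snmpv3info[16]`, i.e. the list looks shifted by one as well as duplicated; please verify against a captured reply before changing it. service_snmp continues outside the hunk.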
@@ -587,20 +574,22 @@ int32_t service_snmp_init(char *ip, int32_t sp, unsigned char options, char *mis return 0; } -void usage_snmp(const char* service) { +void usage_snmp(const char *service) { printf("Module snmp is optionally taking the following parameters:\n" " READ perform read requests (default)\n" " WRITE perform write requests\n" " 1 use SNMP version 1 (default)\n" " 2 use SNMP version 2\n" " 3 use SNMP version 3\n" - " Note that SNMP version 3 usually uses both login and passwords!\n" + " Note that SNMP version 3 usually uses both login and " + "passwords!\n" " SNMP version 3 has the following optional sub parameters:\n" " MD5 use MD5 authentication (default)\n" " SHA use SHA authentication\n" " DES use DES encryption\n" " AES use AES encryption\n" - " if no -p/-P parameter is given, SNMPv3 noauth is performed, which\n" + " if no -p/-P parameter is given, SNMPv3 noauth is performed, " + "which\n" " only requires a password (or username) not both.\n" "To combine the options, use colons (\":\"), e.g.:\n" " hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp\n" diff --git a/hydra-socks5.c b/hydra-socks5.c index 6781916..aef0a68 100644 --- a/hydra-socks5.c +++ b/hydra-socks5.c @@ -14,7 +14,7 @@ unsigned char *buf; int32_t fail_cnt; -int32_t start_socks5(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_socks5(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[300]; int32_t pport, fud = 0; @@ -28,7 +28,7 @@ int32_t start_socks5(int32_t s, char *ip, int32_t port, unsigned char options, c if (hydra_send(s, buffer, 4, 0) < 0) { return 1; } - if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) { + if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL) { fail_cnt++; if (fail_cnt >= 10) return 5; 
@@ -57,16 +57,16 @@ int32_t start_socks5(int32_t s, char *ip, int32_t port, unsigned char options, c } free(buf); -/* RFC 1929 - For username/password authentication the client's authentication request is - field 1: version number, 1 byte (must be 0x01) -*/ - snprintf(buffer, sizeof(buffer), "\x01%c%s%c%s", (char) strlen(login), login, (char) strlen(pass), pass); + /* RFC 1929 + For username/password authentication the client's authentication request is + field 1: version number, 1 byte (must be 0x01) + */ + snprintf(buffer, sizeof(buffer), "\x01%c%s%c%s", (char)strlen(login), login, (char)strlen(pass), pass); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; - if ((buf = (unsigned char *) hydra_receive_line(s)) == NULL) + if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL) return (1); if (buf[1] != 255) { @@ -84,7 +84,7 @@ int32_t start_socks5(int32_t s, char *ip, int32_t port, unsigned char options, c memcpy(buffer + 8, &pport, 2); hydra_send(s, buffer, 10, 0); } - if ((buf = (unsigned char *) hydra_receive_line(s)) != NULL) { + if ((buf = (unsigned char *)hydra_receive_line(s)) != NULL) { if (buf[1] == 0 || buf[1] == 32) { hydra_report_found_host(port, ip, "socks5", fp); hydra_completed_pair_found(); @@ -104,7 +104,7 @@ int32_t start_socks5(int32_t s, char *ip, int32_t port, unsigned char options, c return 2; } -void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_SOCKS5, mysslport = PORT_SOCKS5_SSL; 
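Review bot: The RFC 1929 request built by `snprintf(buffer, sizeof(buffer), "\x01%c%s%c%s", ...)` is sent with `hydra_send(s, buffer, strlen(buffer), 0)`, but the two length fields are raw octets, so an empty login or password (the `empty = ""` default, or `-e n`) writes a 0x00 length byte and `strlen` cuts the request off there. A login or password longer than 255 bytes cannot be expressed in one octet either, and past roughly 296 bytes `snprintf` silently truncates while the length octets still claim the full size. Compute the wire length explicitly, bound both fields, and send that count; the skip path below follows the module's own "next pair" convention, adjust if it uses a different return code. start_socks5 continues outside the hunk.
```c
  size_t ulen = strlen(login), plen = strlen(pass);
  if (ulen > 255 || plen > 255 || 3 + ulen + plen > sizeof(buffer)) {
    hydra_report(stderr, "[ERROR] socks5 login or password longer than 255 bytes, skipping\n");
    hydra_completed_pair_skip();
    return 2;
  }
  snprintf(buffer, sizeof(buffer), "\x01%c%s%c%s", (char)ulen, login, (char)plen, pass);
  if (hydra_send(s, buffer, 3 + ulen + plen, 0) < 0)
    return 1;
```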
@@ -116,10 +116,10 @@ void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; @@ -133,25 +133,25 @@ void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_socks5(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; - case 4: /* clean exit */ + case 4: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); return; - case 5: /* clean exit, server may blocking connections */ + case 5: /* clean exit, server may blocking connections */ hydra_report(stderr, "[ERROR] Server may blocking connections\n"); if (sock >= 0) sock = hydra_disconnect(sock); 
@@ -165,13 +165,13 @@ void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, } } -int32_t service_socks5_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_socks5_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-ssh.c b/hydra-ssh.c index 2f1d2d5..6ccae4e 100644 --- a/hydra-ssh.c +++ b/hydra-ssh.c @@ -8,9 +8,7 @@ have to add option -DWITH_SSH1=On in the cmake #include "hydra-mod.h" #ifndef LIBSSH -void dummy_ssh() { - printf("\n"); -} +void dummy_ssh() { printf("\n"); } #else #include @@ -23,7 +21,7 @@ extern hydra_option hydra_options; extern char *HYDRA_EXIT; int32_t new_session = 1; -int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, keep_login[300]; int32_t auth_state = 0, rc = 0, i = 0; @@ -36,11 +34,12 @@ int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char if (new_session) { if (session) { ssh_disconnect(session); - ssh_finalize(); + // ssh_finalize(); ssh_free(session); + } else { + ssh_init(); } - ssh_init(); session = ssh_new(); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); 
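Review bot: The change leaves `// ssh_finalize();` as a commented-out call beside `ssh_free(session)`, which reads as an unfinished edit rather than a decision. Since `ssh_init()` now runs only when no session exists yet, the matching `ssh_finalize()` belongs where the child exits, and service_ssh does call it there, so say that instead of keeping dead code: replace the commented line with `// no ssh_finalize() here: the library stays initialised across retries, service_ssh finalises on exit`. start_ssh continues outside the hunk.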
@@ -48,8 +47,11 @@ int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); + // might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list + ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256"); + ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256"); if (ssh_connect(session) != 0) { - //if the connection was drop, exit and let hydra main handle it + // if the connection was drop, exit and let hydra main handle it if (verbose) hydra_report(stderr, "[ERROR] could not connect to target port %d: %s\n", port, ssh_get_error(session)); return 3; @@ -110,7 +112,7 @@ int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char return 1; } -void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; hydra_register_socket(sp); 
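Review bot: The explicit algorithm lists put `diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1` and `ssh-rsa,ssh-dss` first, and the client's order is the preference the server honours (RFC 4253 7.1 selects the first client algorithm the server also supports), so this makes hydra prefer SHA-1 key exchange and DSA or RSA-SHA1 host keys against every server that still offers them, not only the legacy targets the comment is aiming at. Moving the two SHA-1 KEX names to the end of the SSH_OPTIONS_KEY_EXCHANGE string and `ssh-rsa,ssh-dss` to the end of the SSH_OPTIONS_HOSTKEYS string keeps old servers reachable while modern ones negotiate their strongest common choice. The return values of both new `ssh_options_set` calls are also dropped; a libssh built without one of these algorithms may reject or filter the list, so reporting `ssh_get_error(session)` under `verbose` when either returns `< 0` would make that visible. start_ssh continues outside the hunk.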
@@ -118,14 +120,17 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ next_run = start_ssh(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 2: ssh_disconnect(session); ssh_finalize(); ssh_free(session); hydra_child_exit(0); + break; case 3: ssh_disconnect(session); ssh_finalize(); @@ -133,12 +138,14 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL if (verbose) fprintf(stderr, "[ERROR] ssh protocol error\n"); hydra_child_exit(2); + break; case 4: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh target does not support password auth\n"); hydra_child_exit(2); + break; default: ssh_disconnect(session); ssh_finalize(); @@ -155,16 +162,16 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL #endif // -// dirty workaround here: miscptr is the ptr to the logins, and the first one is used -// to test if password authentication is enabled!! +// dirty workaround here: miscptr is the ptr to the logins, and the first one is +// used to test if password authentication is enabled!! // -int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // 1 skip target without generating an error 
@@ -172,10 +179,13 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc // 3 skip target because its unreachable #ifdef LIBSSH int32_t rc, method; + ssh_init(); ssh_session session = ssh_new(); - + if (verbose || debug) - printf("[INFO] Testing if password authentication is supported by ssh://%s@%s:%d\n", miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port); + printf("[INFO] Testing if password authentication is supported by " + "ssh://%s@%s:%d\n", + miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port); ssh_options_set(session, SSH_OPTIONS_PORT, &port); ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); if (miscptr == NULL) 
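Review bot: The added `ssh_init();` ignores its return value, and the local `ssh_session session = ssh_new();` on the next line is not tested for NULL before `ssh_options_set()` is called on it, so a libssh initialisation failure is reported later as the target being unreachable. Declare `ssh_session session = NULL;` and follow it with `if (ssh_init() < 0 || (session = ssh_new()) == NULL) { fprintf(stderr, "[ERROR] libssh initialisation failed\n"); return 2; }` so the error is attributed to the local library, not the host. Note that this local `session` shadows the file-level `ssh_session session` the child code uses (presumably defined earlier in this file, since hydra-sshkey.c declares it `extern`), which is easy to misread. service_ssh_init continues past this hunk.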
@@ -185,29 +195,41 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); + // might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list + ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256"); + ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256"); if (ssh_connect(session) != 0) { fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string_beautiful(ip), port, ssh_get_error(session)); return 2; - } + } rc = ssh_userauth_none(session, NULL); - method = ssh_userauth_list(session, NULL); + method = ssh_userauth_list(session, NULL); ssh_disconnect(session); ssh_finalize(); ssh_free(session); - if (debug) printf("[DEBUG] SSH method check: %08x\n", method); + if (debug) + printf("[DEBUG] SSH method check: %08x\n", method); if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) { if (verbose || debug) - printf("[INFO] Successful, password authentication is supported by ssh://%s:%d\n", hydra_address2string_beautiful(ip), port); + printf("[INFO] Successful, password authentication is supported by " + "ssh://%s:%d\n", + hydra_address2string_beautiful(ip), port); return 0; } else if (method == 0) { if (verbose || debug) - fprintf(stderr, "[WARNING] invalid SSH method reply from 
ssh://%s:%d, continuing anyway ... (check for empty password!)\n", hydra_address2string_beautiful(ip), port); + fprintf(stderr, + "[WARNING] invalid SSH method reply from ssh://%s:%d, continuing " + "anyway ... (check for empty password!)\n", + hydra_address2string_beautiful(ip), port); return 0; } - fprintf(stderr, "[ERROR] target ssh://%s:%d/ does not support password authentication (method reply %d).\n", hydra_address2string_beautiful(ip), port, method); + fprintf(stderr, + "[ERROR] target ssh://%s:%d/ does not support password " + "authentication (method reply %d).\n", + hydra_address2string_beautiful(ip), port, method); return 1; #else return 0; diff --git a/hydra-sshkey.c b/hydra-sshkey.c index a9b85b2..cac66e0 100644 --- a/hydra-sshkey.c +++ b/hydra-sshkey.c @@ -1,16 +1,14 @@ /* libssh is available at http://www.libssh.org - current version is 0.4.8 + current version is 0.4.8 If you want support for ssh v1 protocol, you have to add option -DWITH_SSH1=On in the cmake */ #include "hydra-mod.h" #ifndef LIBSSH -void dummy_sshkey() { - printf("\n"); -} +void dummy_sshkey() { printf("\n"); } #else #include @@ -18,10 +16,11 @@ void dummy_sshkey() { #if LIBSSH_VERSION_MAJOR >= 0 && LIBSSH_VERSION_MINOR >= 4 extern ssh_session session; +extern hydra_option hydra_options; extern char *HYDRA_EXIT; extern int32_t new_session; -int32_t start_sshkey(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_sshkey(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *key, keep_login[300]; int32_t auth_state = 0, rc = 0; @@ -35,8 +34,9 @@ int32_t start_sshkey(int32_t s, char *ip, int32_t port, unsigned char options, c if (new_session) { if (session) { ssh_disconnect(session); - ssh_finalize(); ssh_free(session); + } else { + ssh_init(); } session = ssh_new(); 
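Review bot: The two long algorithm strings passed here to SSH_OPTIONS_KEY_EXCHANGE and SSH_OPTIONS_HOSTKEYS are byte-for-byte copies of the ones added in start_ssh, so the pre-fork capability probe and the per-child sessions will negotiate differently the first time one copy is edited; hoist them into file-scope constants such as `static const char *hydra_ssh_kex = "...";` and `static const char *hydra_ssh_hostkeys = "...";` and pass those in both places. The `return 2;` on connect failure (context in this hunk, whose closing brace the commit re-indents) still leaves the session allocated with no `ssh_free(session)` and the library initialised with no `ssh_finalize()`. service_ssh_init begins before this hunk.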
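Review bot: start_sshkey receives the same ssh_init()-in-else / dropped ssh_finalize() rework as start_ssh, but not the SSH_OPTIONS_KEY_EXCHANGE and SSH_OPTIONS_HOSTKEYS lists that start_ssh now sets right after its compression options, so the sshkey module will still fail to negotiate with the legacy servers the ssh module was just taught to reach (the sshkey option block a few lines past this hunk goes straight from compression to `ssh_connect`). If the asymmetry is deliberate, record it with `// no legacy KEX/hostkey list here on purpose: see hydra-ssh.c`; otherwise set the same options. As in hydra-ssh.c, the `ssh_init()` and `ssh_new()` results go unchecked. start_sshkey begins before this hunk and continues after it.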
@@ -46,7 +46,7 @@ int32_t start_sshkey(int32_t s, char *ip, int32_t port, unsigned char options, c ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); if (ssh_connect(session) != 0) { - //if the connection was drop, exit and let hydra main handle it + // if the connection was drop, exit and let hydra main handle it if (verbose) hydra_report(stderr, "[ERROR] could not connect to target port %d\n", port); return 3; @@ -108,7 +108,7 @@ int32_t start_sshkey(int32_t s, char *ip, int32_t port, unsigned char options, c return 1; } -void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; hydra_register_socket(sp); @@ -116,26 +116,31 @@ void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ next_run = start_sshkey(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 2: ssh_disconnect(session); ssh_finalize(); ssh_free(session); hydra_child_exit(0); + break; case 3: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh protocol error\n"); hydra_child_exit(2); + break; case 4: ssh_disconnect(session); ssh_finalize(); ssh_free(session); fprintf(stderr, "[ERROR] ssh target does not support pubkey auth\n"); hydra_child_exit(2); + break; default: ssh_disconnect(session); ssh_finalize(); 
@@ -151,13 +156,13 @@ void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, #endif #endif -int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -165,9 +170,11 @@ int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *m return 0; } -void usage_sshkey(const char* service) { - printf("Module sshkey does not provide additional options, although the semantic for\n" +void usage_sshkey(const char *service) { + printf("Module sshkey does not provide additional options, although the " + "semantic for\n" "options -p and -P is changed:\n" " -p expects a path to an unencrypted private key in PEM format.\n" - " -P expects a filename containing a list of path to some unencrypted\n" " private keys in PEM format.\n\n"); + " -P expects a filename containing a list of path to some unencrypted\n" + " private keys in PEM format.\n\n"); } diff --git a/hydra-svn.c b/hydra-svn.c index 207b32f..0664924 100644 --- a/hydra-svn.c +++ b/hydra-svn.c 
@@ -1,39 +1,45 @@ -//This plugin was written by -//checked for memleaks on 110425, none found +// This plugin was written by +// checked for memleaks on 110425, none found #ifdef LIBSVN /* needed on openSUSE */ +#ifndef _GNU_SOURCE #define _GNU_SOURCE +#endif + +#if !defined PATH_MAX && defined HAVE_SYS_PARAM_H +#include +#endif #include #include -#include #include #include +#include +#include +#if SVN_VER_MINOR > 7 #include +#endif #endif #include "hydra-mod.h" #ifndef LIBSVN -void dummy_svn() { - printf("\n"); -} +void dummy_svn() { printf("\n"); } #else extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); +extern hydra_option hydra_options; extern char *HYDRA_EXIT; #define DEFAULT_BRANCH "trunk" -static svn_error_t *print_dirdummy(void *baton, const char *path, const svn_dirent_t * dirent, const svn_lock_t * lock, const char *abs_path, apr_pool_t * pool) { - return SVN_NO_ERROR; -} +static svn_error_t *print_dirdummy(void *baton, const char *path, const svn_dirent_t *dirent, const svn_lock_t *lock, const char *abs_path, apr_pool_t *pool) { return SVN_NO_ERROR; } -static svn_error_t *my_simple_prompt_callback(svn_auth_cred_simple_t ** cred, void *baton, const char *realm, const char *username, svn_boolean_t may_save, apr_pool_t * pool) { +static svn_error_t *my_simple_prompt_callback(svn_auth_cred_simple_t **cred, void *baton, const char *realm, const char *username, svn_boolean_t may_save, apr_pool_t *pool) { char *empty = ""; char *login, *pass; svn_auth_cred_simple_t *ret = apr_pcalloc(pool, sizeof(*ret)); 
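Review bot: The new `#if SVN_VER_MINOR > 7` guard around the last `#include` — and the `> 7`, `> 9` and `SVN_VER_MAJOR` tests this commit adds further down — evaluates an undefined macro as 0, so if `svn_version.h` is not pulled in by one of the preceding includes (their file names are stripped in this rendering, so I cannot confirm) the header is silently dropped and the old-API branches are selected on a modern library. Make the dependency explicit with `#include <svn_version.h>` ahead of the first `#if`, and consider `#ifndef SVN_VER_MINOR` / `#error "svn_version.h not included"` / `#endif` so the failure is loud at build time. The `#ifndef _GNU_SOURCE` wrapper and the PATH_MAX fallback are fine.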
@@ -50,11 +56,13 @@ static svn_error_t *my_simple_prompt_callback(svn_auth_cred_simple_t ** cred, vo return SVN_NO_ERROR; } -int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - //int32_t ipv6 = 0; +int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + // int32_t ipv6 = 0; char URL[1024]; char URLBRANCH[256]; +#if SVN_VER_MINOR > 7 const char *canonical; +#endif apr_pool_t *pool; svn_error_t *err; svn_opt_revision_t revision; @@ -71,31 +79,37 @@ int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char if (svn_cmdline_init("hydra", stderr) != EXIT_SUCCESS) return 4; - //if (ip[0] == 16) + // if (ip[0] == 16) // ipv6 = 1; pool = svn_pool_create(NULL); err = svn_config_ensure(NULL, pool); if (err) { + svn_pool_destroy(pool); svn_handle_error2(err, stderr, FALSE, "hydra: "); return 4; } - //if ((err = svn_client_create_context(&ctx, pool))) { +#if SVN_VER_MINOR > 7 if ((err = svn_client_create_context2(&ctx, NULL, pool))) { +#else + if ((err = svn_client_create_context(&ctx, pool))) { +#endif + svn_pool_destroy(pool); svn_handle_error2(err, stderr, FALSE, "hydra: "); return 4; } if ((err = svn_config_get_config(&(ctx->config), NULL, pool))) { + svn_pool_destroy(pool); svn_handle_error2(err, stderr, FALSE, "hydra: "); return 4; } providers = apr_array_make(pool, 1, sizeof(svn_auth_provider_object_t *)); - svn_auth_get_simple_prompt_provider(&provider, my_simple_prompt_callback, NULL, /* baton */ + svn_auth_get_simple_prompt_provider(&provider, my_simple_prompt_callback, NULL, /* baton */ 0, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; 
@@ -105,24 +119,29 @@ int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char revision.kind = svn_opt_revision_head; snprintf(URL, sizeof(URL), "svn://%s:%d/%s", hydra_address2string_beautiful(ip), port, URLBRANCH); dirents = SVN_DIRENT_KIND; +#if SVN_VER_MINOR > 9 canonical = svn_uri_canonicalize(URL, pool); - //err = svn_client_list2(canonical, &revision, &revision, svn_depth_unknown, dirents, FALSE, print_dirdummy, NULL, ctx, pool); - err = svn_client_list3(canonical, &revision, &revision, svn_depth_unknown, dirents, FALSE, FALSE, (svn_client_list_func2_t) print_dirdummy, NULL, ctx, pool); + err = svn_client_list4(canonical, &revision, &revision, NULL, svn_depth_unknown, dirents, FALSE, FALSE, (svn_client_list_func2_t)print_dirdummy, NULL, ctx, pool); +#elif SVN_VER_MINOR > 7 + canonical = svn_uri_canonicalize(URL, pool); + err = svn_client_list3(canonical, &revision, &revision, svn_depth_unknown, dirents, FALSE, FALSE, (svn_client_list_func2_t)print_dirdummy, NULL, ctx, pool); +#else +err = svn_client_list2(URL, &revision, &revision, svn_depth_unknown, dirents, FALSE, print_dirdummy, NULL, ctx, pool); +#endif - svn_pool_clear(pool); svn_pool_destroy(pool); if (err) { if (debug || (verbose && (err->apr_err != 170001 && err->apr_err != 170013))) hydra_report(stderr, "[ERROR] Access refused (error code %d) , message: %s\n", err->apr_err, err->message); - //Username not found 170001 ": Username not found" - //Password incorrect 170001 ": Password incorrect" + // Username not found 170001 ": Username not found" + // Password incorrect 170001 ": Password incorrect" if (err->apr_err != 170001 && err->apr_err != 170013) { - return 4; //error + return 4; // error } else { if (strstr(err->message, "Username not found")) { - //if (verbose) - //printf("[INFO] user %s does not exist, skipping\n", login); + // if (verbose) + // printf("[INFO] user %s does not exist, skipping\n", login); hydra_completed_pair_skip(); if (memcmp(hydra_get_next_pair(), 
&HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; @@ -142,7 +161,7 @@ int32_t start_svn(int32_t s, char *ip, int32_t port, unsigned char options, char return 3; } -void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_SVN, mysslport = PORT_SVN_SSL; @@ -153,11 +172,11 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; @@ -171,7 +190,7 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -179,6 +198,8 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL break; case 2: next_run = start_svn(sock, ip, port, options, miscptr, fp); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: if (sock >= 0) @@ -187,7 +208,8 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; default: if (!verbose) - hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose option for more details\n"); + hydra_report(stderr, "[ERROR] Caught unknown return code, try verbose " + "option for more details\n"); hydra_child_exit(0); } run = next_run; 
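Review bot: The new `#if`/`#elif`/`#else` ladder assigns `err` and then `svn_pool_destroy(pool)` runs before `err->apr_err` and `err->message` are read; as far as I recall that is safe only because an svn_error_t carries its own pool rather than living in `pool`, which is subtle enough to deserve `// err is not allocated from pool, so it survives the destroy` at the destroy line. None of the return paths in this hunk release the error with `svn_error_clear(err)`, so each failed attempt leaks it (pre-existing, but the commit is reorganising exactly these lines). The `#else` branch `err = svn_client_list2(...)` is flush at column 0 while its siblings are indented, which clang-format will not fix inside preprocessor branches. start_svn begins before this hunk and continues after it.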
@@ -196,20 +218,29 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL #endif -int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here +#ifdef LIBSVN + if (verbose) + hydra_report(stderr, "[VERBOSE] detected subversion library v%d.%d\n", SVN_VER_MAJOR, SVN_VER_MINOR); + if (SVN_VER_MAJOR != 1 && SVN_VER_MINOR >= 5) { + hydra_report(stderr, "[ERROR] unsupported subversion library v%d.%d, exiting!\n", SVN_VER_MAJOR, SVN_VER_MINOR); + return -1; + } +#endif return 0; } -void usage_svn(const char* service) { - printf("Module svn is optionally taking the repository name to attack, default is \"trunk\"\n\n"); +void usage_svn(const char *service) { + printf("Module svn is optionally taking the repository name to attack, " + "default is \"trunk\"\n\n"); } diff --git a/hydra-teamspeak.c b/hydra-teamspeak.c index 3d9df94..d0d17c2 100644 --- a/hydra-teamspeak.c +++ b/hydra-teamspeak.c @@ -36,9 +36,8 @@ struct team_speak { extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); extern char *HYDRA_EXIT; -char *buf; -int32_t start_teamspeak(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_teamspeak(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass; char buf[100]; 
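Review bot: The new version gate `if (SVN_VER_MAJOR != 1 && SVN_VER_MINOR >= 5)` only rejects a library whose major is not 1 AND whose minor is at least 5, so every 1.x library passes (including any old 1.x whose API the `#else` branches elsewhere may not match) and a hypothetical 2.0–2.4 passes as well; the only thing it can refuse is something like 2.5+. Presumably the intent was `if (SVN_VER_MAJOR != 1 || SVN_VER_MINOR < 5) {`, or simply `if (SVN_VER_MAJOR != 1) {` with the real minimum stated. Since both macros are compile-time constants, a `#if` with `#error` next to the includes would catch an unsupported library at build time instead of at run time.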
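Review bot: With the file-level `char *buf;` removed, the only `buf` left is the 100-byte stack array declared at the end of this hunk, and nothing initialises it; further down start_teamspeak (outside this hunk) calls `hydra_recv(s, (char *)buf, sizeof(buf))` without looking at the byte count and then tests `buf[0x58]` and `buf[0x4B]`, so a short or empty datagram leaves those decisions to uninitialised stack bytes and can yield a spurious "found" report. Add `memset(buf, 0, sizeof(buf));` beside the declaration and require at least 0x59 bytes before inspecting the offsets, e.g. `if (hydra_recv(s, (char *)buf, sizeof(buf)) < 0x59) return 3;` (confirm hydra_recv's return convention in hydra-mod.c first). start_teamspeak continues past this hunk.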
@@ -54,21 +53,21 @@ int32_t start_teamspeak(int32_t s, char *ip, int32_t port, unsigned char options memcpy(&teamspeak.header, "\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00", 16); teamspeak.clientlen = 9; - strcpy((char *) &teamspeak.client, "TeamSpeak"); + strcpy((char *)&teamspeak.client, "TeamSpeak"); teamspeak.oslen = 11; - strcpy((char *) &teamspeak.os, "Linux 2.6.9"); + strcpy((char *)&teamspeak.os, "Linux 2.6.9"); memcpy(&teamspeak.misc, "\x02\x00\x00\x00\x20\x00\x3c\x00\x01\x02", 10); teamspeak.userlen = strlen(login); - strncpy((char *) &teamspeak.user, login, 29); + strncpy((char *)&teamspeak.user, login, 29); teamspeak.passlen = strlen(pass); - strncpy((char *) &teamspeak.pass, pass, 29); + strncpy((char *)&teamspeak.pass, pass, 29); teamspeak.loginlen = 0; - strcpy((char *) &teamspeak.login, ""); + strcpy((char *)&teamspeak.login, ""); #ifdef HAVE_ZLIB teamspeak.crc = crc32(0L, (const Bytef *)&teamspeak, sizeof(struct team_speak)); 
@@ -76,22 +75,22 @@ int32_t start_teamspeak(int32_t s, char *ip, int32_t port, unsigned char options teamspeak.crc = crc32(&teamspeak, sizeof(struct team_speak)); #endif - if (hydra_send(s, (char *) &teamspeak, sizeof(struct team_speak), 0) < 0) { + if (hydra_send(s, (char *)&teamspeak, sizeof(struct team_speak), 0) < 0) { return 3; } if (hydra_data_ready_timed(s, 5, 0) > 0) { - hydra_recv(s, (char *) buf, sizeof(buf)); + hydra_recv(s, (char *)buf, sizeof(buf)); if (buf[0x58] == 1) { hydra_report_found_host(port, ip, "teamspeak", fp); hydra_completed_pair_found(); } if (buf[0x4B] != 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } } else { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } @@ -102,7 +101,7 @@ int32_t start_teamspeak(int32_t s, char *ip, int32_t port, unsigned char options return 1; } -void service_teamspeak(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_teamspeak(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_TEAMSPEAK; 
@@ -113,23 +112,23 @@ void service_teamspeak(char *ip, int32_t sp, unsigned char options, char *miscpt while (1) { switch (run) { - case 1: /* connect and service init function */ -// if (sock >= 0) -// sock = hydra_disconnect(sock); -// usleepn(300); + case 1: /* connect and service init function */ + // if (sock >= 0) + // sock = hydra_disconnect(sock); + // usleepn(300); if (sock < 0) { if (port != 0) myport = port; sock = hydra_connect_udp(ip, myport); port = myport; if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } } next_run = start_teamspeak(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(2); @@ -142,13 +141,13 @@ void service_teamspeak(char *ip, int32_t sp, unsigned char options, char *miscpt } } -int32_t service_teamspeak_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_teamspeak_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-telnet.c b/hydra-telnet.c index b938271..183621a 100644 --- a/hydra-telnet.c +++ b/hydra-telnet.c 
@@ -5,7 +5,7 @@ extern char *HYDRA_EXIT; char *buf; int32_t no_line_mode; -int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *login, *pass, buffer[300]; int32_t i = 0; @@ -36,7 +36,7 @@ int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, c if ((buf = hydra_receive_line(s)) == NULL) return 1; - if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL) { + if (strchr(buf, '/') != NULL || strchr(buf, '>') != NULL || strchr(buf, '%') != NULL || strchr(buf, '$') != NULL || strchr(buf, '#') != NULL) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); @@ -44,7 +44,7 @@ int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, c return 3; return 1; } - (void) make_to_lower(buf); + (void)make_to_lower(buf); if (hydra_strcasestr(buf, "asswor") != NULL || hydra_strcasestr(buf, "asscode") != NULL || hydra_strcasestr(buf, "ennwort") != NULL) i = 1; 
@@ -75,19 +75,41 @@ int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, c } /*win7 answering with do terminal type = 0xfd 0x18 */ - while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:") == NULL || strstr(buf, "last login:") != NULL) && strstr(buf, "sername:") == NULL) { - if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && - strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL && - (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || - index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) { + while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "password:") == NULL || strstr(buf, "login:") == NULL || strstr(buf, "last login:") != NULL) && strstr(buf, "sername:") == NULL) { + if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "incorrect") == NULL && strstr(buf, "bad ") == NULL && (strchr(buf, '/') != NULL || strchr(buf, '>') != NULL || strchr(buf, '$') != NULL || strchr(buf, '#') != NULL || strchr(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) { hydra_report_found_host(port, ip, "telnet", fp); hydra_completed_pair_found(); free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; - } - free(buf); + } else if (buf && strstr(buf, "assword:")) { + hydra_completed_pair(); + // printf("password prompt\n"); + free(buf); + if (strlen(pass = hydra_get_next_password()) == 0) + pass = empty; + sprintf(buffer, "%s\r", pass); + if (no_line_mode) { + for (i = 0; i < strlen(buffer); i++) { + if (strcmp(&buffer[i], "\r") == 0) { + send(s, "\r\0", 2, 0); + } else { + send(s, &buffer[i], 1, 0); + } + usleepn(20); + } + } else { + if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { + return 1; + } + } + } else 
if (buf && strstr(buf, "login:")) { + free(buf); + hydra_completed_pair(); + return 2; + } else + free(buf); } hydra_completed_pair(); @@ -96,7 +118,7 @@ int32_t start_telnet(int32_t s, char *ip, int32_t port, unsigned char options, c return 2; } -void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1, fck; int32_t myport = PORT_TELNET, mysslport = PORT_TELNET_SSL; @@ -110,10 +132,10 @@ void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, int32_t old_waittime = waittime; switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); no_line_mode = 0; first = 0; if ((options & OPTION_SSL) == 0) { @@ -128,13 +150,13 @@ void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, port = mysslport; } if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } - if ((buf = hydra_receive_line(sock)) == NULL) { /* check the first line */ + if ((buf = hydra_receive_line(sock)) == NULL) { /* check the first line */ hydra_report(stderr, "[ERROR] Not a TELNET protocol or service shutdown\n"); hydra_child_exit(2); -// hydra_child_exit(2); + // hydra_child_exit(2); } if (hydra_strcasestr(buf, "ress ENTER") != NULL) { hydra_send(sock, "\r\n", 2, 0); 
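Review bot: The new password-prompt branch builds the reply with `sprintf(buffer, "%s\r", pass);` into the 300-byte `buffer`, so a wordlist entry of 299 or more characters overflows the stack; use `snprintf(buffer, sizeof(buffer), "%s\r", pass);` — hydra may cap password length elsewhere, but this function should not depend on it. The rewritten success test also replaces `strstr(buf, "failed") == NULL` with `strstr(buf, "incorrect") == NULL` instead of adding it, so a `Login failed` line that also contains a `$`, `#` or `>` is now reported as a valid login; keep both exclusions. In the `no_line_mode` path the per-character `send()` results are ignored while the `hydra_send()` path returns on error. start_telnet begins before this hunk and continues after it.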
@@ -150,7 +172,7 @@ void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, hydra_report(stdout, "DEBUG: waittime set to %d\n", waittime); } do { - unsigned char *buf2 = (unsigned char *) buf; + unsigned char *buf2 = (unsigned char *)buf; while (*buf2 == IAC) { if (first == 0) { @@ -175,23 +197,23 @@ void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, buf2 = buf2 + 3; } - if (buf2 != (unsigned char *) buf) { + if (buf2 != (unsigned char *)buf) { free(buf); buf = hydra_receive_line(sock); } else { buf[0] = 0; } - if (buf != NULL && buf[0] != 0 && (unsigned char) buf[0] != IAC) + if (buf != NULL && buf[0] != 0 && (unsigned char)buf[0] != IAC) make_to_lower(buf); - } while (buf != NULL && (unsigned char) buf[0] == IAC && hydra_strcasestr(buf, "ogin:") == NULL && hydra_strcasestr(buf, "sername:") == NULL); + } while (buf != NULL && (unsigned char)buf[0] == IAC && hydra_strcasestr(buf, "ogin:") == NULL && hydra_strcasestr(buf, "sername:") == NULL); free(buf); waittime = old_waittime; next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_telnet(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); 
@@ -204,13 +226,13 @@ void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, } } -int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here @@ -218,7 +240,9 @@ int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *m return 0; } -void usage_telnet(const char* service) { +void usage_telnet(const char *service) { printf("Module telnet is optionally taking the string which is displayed after\n" - "a successful login (case insensitive), use if the default in the telnet\n" "module produces too many false positives\n\n"); + "a successful login (case insensitive), use if the default in the " + "telnet\n" + "module produces too many false positives\n\n"); } diff --git a/hydra-time.c b/hydra-time.c index bbd068d..393377a 100644 --- a/hydra-time.c +++ b/hydra-time.c 
@@ -2,30 +2,23 @@ #ifndef _WIN32 #include -int32_t sleepn(time_t seconds) -{ - struct timespec ts; - ts.tv_sec = seconds; - ts.tv_nsec = 0; - return nanosleep(&ts, NULL); +int32_t sleepn(time_t seconds) { + struct timespec ts; + ts.tv_sec = seconds; + ts.tv_nsec = 0; + return nanosleep(&ts, NULL); } int32_t usleepn(uint64_t milisec) { - struct timespec ts; - ts.tv_sec = milisec / 1000; - ts.tv_nsec = (milisec % 1000) * 1000000L; - return nanosleep(&ts, NULL); + struct timespec ts; + ts.tv_sec = milisec / 1000; + ts.tv_nsec = (milisec % 1000) * 1000000L; + return nanosleep(&ts, NULL); } #else #include -int32_t sleepn(uint32_t seconds) -{ - return SleepEx(milisec*1000,TRUE); -} +int32_t sleepn(uint32_t seconds) { return SleepEx(milisec * 1000, TRUE); } -int32_t usleepn(uint32_t milisec) -{ - return SleepEx(milisec,TRUE); -} +int32_t usleepn(uint32_t milisec) { return SleepEx(milisec, TRUE); } #endif diff --git a/hydra-vmauthd.c b/hydra-vmauthd.c index 95ba53f..7f66f5a 100644 --- a/hydra-vmauthd.c +++ b/hydra-vmauthd.c @@ -1,16 +1,15 @@ -//This plugin was written by david@ +// This plugin was written by david@ // -//This plugin is written for VMware Authentication Daemon +// This plugin is written for VMware Authentication Daemon // #include "hydra-mod.h" - extern char *HYDRA_EXIT; char *buf; -int32_t start_vmauthd(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_vmauthd(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = "\"\""; char *login, *pass, buffer[300]; @@ -45,9 +44,9 @@ int32_t start_vmauthd(int32_t s, char *ip, int32_t port, unsigned char options, if ((buf = hydra_receive_line(s)) == NULL) return (1); -//fprintf(stderr, "%s\n", buf); -//230 User test logged in. -//530 Login incorrect. + // fprintf(stderr, "%s\n", buf); + // 230 User test logged in. + // 530 Login incorrect. if (strncmp(buf, "230 ", 4) == 0) { hydra_report_found_host(port, ip, "vmauthd", fp); 
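Review bot: The reflowed Windows `sleepn()` still reads `return SleepEx(milisec * 1000, TRUE);` although its only parameter is `seconds`, so `milisec` is undeclared there and the `#else` branch cannot compile under _WIN32; it should be `return SleepEx(seconds * 1000, TRUE);`. Since the commit re-typed that line anyway, this is the place to fix it. The POSIX `usleepn()` takes `uint64_t` while the Windows one takes `uint32_t`, and `sleepn()` takes `time_t` versus `uint32_t`, which is worth checking against the prototypes hydra-mod.h exports (not visible here).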
@@ -65,7 +64,7 @@ int32_t start_vmauthd(int32_t s, char *ip, int32_t port, unsigned char options, return 2; } -void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_VMAUTHD, mysslport = PORT_VMAUTHD_SSL; @@ -74,10 +73,10 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); -// usleepn(300); + // usleepn(300); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; @@ -92,14 +91,15 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); -//fprintf(stderr, "%s\n",buf); -//220 VMware Authentication Daemon Version 1.00 -//220 VMware Authentication Daemon Version 1.10: SSL Required -//220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , + // fprintf(stderr, "%s\n",buf); + // 220 VMware Authentication Daemon Version 1.00 + // 220 VMware Authentication Daemon Version 1.10: SSL Required + // 220 VMware Authentication Daemon Version 1.10: SSL Required, + // ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , if (buf == NULL || strstr(buf, "220 VMware Authentication Daemon Version ") == NULL) { /* check the first line */ 
@@ -108,14 +108,17 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, hydra_child_exit(2); } if ((strstr(buf, "Version 1.00") == NULL) && (strstr(buf, "Version 1.10") == NULL)) { - hydra_report(stderr, "[ERROR] this vmware authd protocol is not supported, please report: %s\n", buf); + hydra_report(stderr, + "[ERROR] this vmware authd protocol is not supported, " + "please report: %s\n", + buf); free(buf); hydra_child_exit(2); } - //by default this service is waiting for ssl connections + // by default this service is waiting for ssl connections if (strstr(buf, "SSL Required") != NULL) { if ((options & OPTION_SSL) == 0) { - //reconnecting using SSL + // reconnecting using SSL if (hydra_connect_to_ssl(sock, hostname) == -1) { free(buf); hydra_report(stderr, "[ERROR] Can't use SSL\n"); @@ -127,13 +130,14 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_vmauthd(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); + break; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); 
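Review bot: The reflowed `"[ERROR] this vmware authd protocol is not supported, please report: %s\n"` still prints the raw server banner `buf` into the error output, so a banner carrying control or terminal escape bytes reaches the operator's terminal unfiltered; bounding it with `%.200s` and stripping non-printable bytes before reporting would be cheap here. Whether `hydra_report` already sanitizes its arguments is not visible in this diff. `service_vmauthd` continues outside the hunk.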
@@ -142,13 +146,13 @@ void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, } } -int32_t service_vmauthd_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_vmauthd_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here diff --git a/hydra-vnc.c b/hydra-vnc.c index 6dc3cdd..c836371 100644 --- a/hydra-vnc.c +++ b/hydra-vnc.c @@ -5,21 +5,21 @@ * */ -#include "hydra-mod.h" #include "d3des.h" +#include "hydra-mod.h" #define CHALLENGESIZE 16 -//for RFB 003.003 & 003.005 +// for RFB 003.003 & 003.005 #define RFB33 1 -//for RFB 3.7 and onwards +// for RFB 3.7 and onwards #define RFB37 2 int32_t vnc_client_version = RFB33; int32_t failed_auth = 0; extern char *HYDRA_EXIT; -char *buf; +static char *buf; /* * Encrypt CHALLENGESIZE bytes in memory using a password. @@ -44,7 +44,7 @@ void vncEncryptBytes(unsigned char *bytes, char *passwd) { } } -int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { +int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; char *pass; unsigned char buf2[CHALLENGESIZE + 4]; 
@@ -57,26 +57,27 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char if (vnc_client_version == RFB37) { int32_t i; - //fprintf(stderr,"number of security types supported: %d\n", buf2[0]); + // fprintf(stderr,"number of security types supported: %d\n", buf2[0]); if (buf2[0] == 0 || buf2[0] > CHALLENGESIZE + 4) { hydra_report(stderr, "[ERROR] VNC server connection failed\n"); hydra_child_exit(0); } for (i = 1; i <= buf2[0]; i++) { - //fprintf(stderr,"sec type %u\n",buf2[i]); - //check if weak security types are available + // fprintf(stderr,"sec type %u\n",buf2[i]); + // check if weak security types are available if (buf2[i] <= 0x2) { buf2[3] = buf2[i]; break; } } } - //supported security type + // supported security type switch (buf2[3]) { case 0x0: - hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf[3]); + hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf2[3]); hydra_child_exit(0); + break; case 0x1: hydra_report(fp, "VNC server does not require authentication.\n"); if (fp != stdout) 
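Review bot: In `case 0x0:` the corrected `hydra_report(stderr, "[ERROR] VNC server told us to quit %c\n", buf2[3]);` prints `buf2[3]` with `%c`, but in that branch the value is by definition 0, so the message ends in a NUL byte rather than anything readable; `0x%x`, as the `default:` branch of the same switch now uses, would be consistent. The guard above the loop, `if (buf2[0] == 0 || buf2[0] > CHALLENGESIZE + 4)`, still admits `buf2[0] == 20`, and `for (i = 1; i <= buf2[0]; i++)` then reads `buf2[20]`, one past the array declared as `unsigned char buf2[CHALLENGESIZE + 4]` with `CHALLENGESIZE` 16; `buf2[0] >= sizeof(buf2)` closes that off-by-one. `start_vnc` begins outside the hunk.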
@@ -84,35 +85,36 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char hydra_report_found_host(port, ip, "vnc", fp); hydra_completed_pair_found(); hydra_child_exit(2); + break; case 0x2: - //VNC security type supported is the only type supported for now + // VNC security type supported is the only type supported for now if (vnc_client_version == RFB37) { sprintf(buf, "%c", 0x2); if (hydra_send(s, buf, strlen(buf), 0) < 0) { return 1; } - //get authentication challenge from server + // get authentication challenge from server if (recv(s, buf2, CHALLENGESIZE, 0) == -1) return 1; - //send response + // send response vncEncryptBytes(buf2, pass); - if (hydra_send(s, (char *) buf2, CHALLENGESIZE, 0) < 0) { + if (hydra_send(s, (char *)buf2, CHALLENGESIZE, 0) < 0) { return 1; } } else { - //in old proto, challenge is following the security type - vncEncryptBytes((unsigned char *) buf2 + 4, pass); - if (hydra_send(s, (char *) buf2 + 4, CHALLENGESIZE, 0) < 0) { + // in old proto, challenge is following the security type + vncEncryptBytes((unsigned char *)buf2 + 4, pass); + if (hydra_send(s, (char *)buf2 + 4, CHALLENGESIZE, 0) < 0) { return 1; } } break; default: - hydra_report(stderr, "[ERROR] unknown VNC security type\n"); + hydra_report(stderr, "[ERROR] unknown VNC security type 0x%x\n", buf2[3]); hydra_child_exit(2); } - //check security result value + // check security result value recv(s, buf, 4, 0); if (buf == NULL) return 1; @@ -140,10 +142,10 @@ int32_t start_vnc(int32_t s, char *ip, int32_t port, unsigned char options, char return 1; } - return 1; /* never reached */ + return 1; /* never reached */ } -void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_VNC, mysslport = PORT_VNC_SSL; 
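Review bot: The `recv(s, buf, 4, 0); if (buf == NULL) return 1;` pair after the switch tests the pointer, which the call cannot change, and discards the return value, so a closed connection or short read falls through to the security-result check with stale bytes; `if (recv(s, buf, 4, 0) != 4) return 1;` is what the comment `check security result value` actually needs. The `recv(s, buf2, CHALLENGESIZE, 0) == -1` check in the RFB37 path has the same short-read gap. The added `break;` after `hydra_child_exit(2);` and the `0x%x` in the default message are improvements. `start_vnc` continues outside the hunk.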
@@ -152,7 +154,7 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL return; while (1) { switch (run) { - case 1: /* connect and service init function */ + case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { 
@@ -167,26 +169,28 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL port = mysslport; } if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } usleepn(300); buf = hydra_receive_line(sock); - if (buf == NULL || (strncmp(buf, "RFB", 3) != 0)) { /* check the first line */ + if (buf == NULL || (strncmp(buf, "RFB", 3) != 0)) { /* check the first line */ hydra_report(stderr, "[ERROR] Not a VNC protocol or service shutdown: %s\n", buf); hydra_child_exit(2); } - if (strstr(buf, " security failures") != NULL) { /* check the first line */ + if (strstr(buf, " security failures") != NULL) { /* check the first line */ /* - VNC has a 'blacklisting' scheme that blocks an IP address after five unsuccessful connection attempts. - The IP address is initially blocked for ten seconds, - but this doubles for each unsuccessful attempt thereafter. - A successful connection from an IP address resets the blacklist timeout. - This is built in to VNC Server and does not rely on operating system support. + VNC has a 'blacklisting' scheme that blocks an IP address after five + unsuccessful connection attempts. The IP address is initially blocked + for ten seconds, but this doubles for each unsuccessful attempt + thereafter. A successful connection from an IP address resets the + blacklist timeout. This is built in to VNC Server and does not rely + on operating system support. */ failed_auth++; - hydra_report(stderr, "VNC server reported too many authentication failures, have to wait some seconds ...\n"); + hydra_report(stderr, "VNC server reported too many authentication " + "failures, have to wait some seconds ...\n"); sleep(12 * failed_auth); free(buf); next_run = 1; 
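Review bot: `hydra_report(stderr, "[ERROR] Not a VNC protocol or service shutdown: %s\n", buf);` is reached when `buf == NULL` (the first half of the condition directly above it) and then hands a null pointer to `%s`, which is undefined behaviour and usually a crash instead of a diagnostic; `buf ? buf : "(no banner)"` keeps the message. The reflowed blacklisting comment and the split string literal are fine. `service_vnc` continues outside the hunk.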
@@ -194,13 +198,14 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } if (verbose) hydra_report(stderr, "[VERBOSE] Server banner is %s\n", buf); - if (((strstr(buf, "RFB 004.001") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) { - //using proto version 003.008 to talk to server 004.001 same for 3.7 and 3.8 + if (((strstr(buf, "RFB 005.000") != NULL) || (strstr(buf, "RFB 004") != NULL) || (strstr(buf, "RFB 003.007") != NULL) || (strstr(buf, "RFB 003.008") != NULL))) { + // using proto version 003.007 to talk to server 005.xxx and 004.xxx + // same for 3.7 and 3.8 vnc_client_version = RFB37; free(buf); buf = strdup("RFB 003.007\n"); } else { - //for RFB 3.3 and fake 3.5 + // for RFB 3.3 and fake 3.5 vnc_client_version = RFB33; free(buf); buf = strdup("RFB 003.003\n"); @@ -208,10 +213,10 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL hydra_send(sock, buf, strlen(buf), 0); next_run = 2; break; - case 2: /* run the cracking function */ + case 2: /* run the cracking function */ next_run = start_vnc(sock, ip, port, options, miscptr, fp); break; - case 3: /* clean exit */ + case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); @@ -229,13 +234,13 @@ void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL } } -int32_t service_vnc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_vnc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
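Review bot: The widened banner check matches any `RFB 004` server by prefix but `RFB 005` only as the exact string `"RFB 005.000"`, so a server announcing a later 5.x minor version (a constructed example, not an observed banner) would fall into the `else` branch and be spoken to as 3.3, which contradicts the new comment `using proto version 003.007 to talk to server 005.xxx and 004.xxx`. Matching `"RFB 005"` the same way as `"RFB 004"` makes the code agree with its comment. `service_vnc` continues outside the hunk.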
diff --git a/hydra-wizard.sh b/hydra-wizard.sh index 1370661..d4e3c3f 100755 --- a/hydra-wizard.sh +++ b/hydra-wizard.sh @@ -33,10 +33,10 @@ test -e "$pass" && passs="-P $pass" test -e "$pass" || passs="-p $pass" test -n "$port" && ports="-s $port" test -n "$pw" && pws="-e $pw" -test -n "$opt" && opts="-m '$opt'" +test -n "$opt" && { opts="-m $opt" ; dopts="-m '$opt'" ; } echo The following command will be executed now: -echo " hydra $users $passs -u $pws $ports $opts $targets $service" +echo " hydra $users $passs -u $pws $ports $dopts $targets $service" echo read -p "Do you want to run the command now? [Y/n] " yn test "$yn" = "n" -o "$yn" = "N" && { echo Exiting. ; exit 0 ; } diff --git a/hydra-xmpp.c b/hydra-xmpp.c index 6f6b3cb..fe0a2f0 100644 --- a/hydra-xmpp.c +++ b/hydra-xmpp.c @@ -9,10 +9,11 @@ static char *domain = NULL; int32_t xmpp_auth_mechanism = AUTH_ERROR; char *JABBER_CLIENT_INIT_STR = ""; +char *JABBER_CLIENT_INIT_END_STR = "' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' " + "version='1.0'>"; -int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) { - char *empty = "\"\""; +int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = "\"\"", *result = NULL; char *login, *pass, buffer[500], buffer2[500]; char *AUTH_STR = ""; 
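Review bot: `opts="-m $opt"` is expanded unquoted where the command is actually run (outside this hunk), so an `$opt` value containing whitespace is split into several arguments there while `dopts="-m '$opt'"` shows it as a single quoted argument; the displayed command and the executed one diverge in exactly the case the quoting was meant to cover. If the script runs under bash, an array `opts=(-m "$opt")` expanded as `"${opts[@]}"` at the call site keeps the value as one argument without putting literal quotes into it.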
@@ -71,131 +72,30 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buffer2); + from64tobits((char *)buffer, buffer2); if (debug) hydra_report(stderr, "DEBUG S: %s\n", buffer); } switch (xmpp_auth_mechanism) { - case AUTH_LOGIN:{ - if (strstr(buffer, "sername") != NULL) { - strncpy(buffer2, login, sizeof(buffer2) - 1); - buffer2[sizeof(buffer2) - 1] = '\0'; + case AUTH_LOGIN: { + if (strstr(buffer, "sername") != NULL) { + strncpy(buffer2, login, sizeof(buffer2) - 1); + buffer2[sizeof(buffer2) - 1] = '\0'; - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); - if (debug) - hydra_report(stderr, "DEBUG C: %s\n", buffer); - if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { - free(buf); - return 1; - } - buf = hydra_receive_line(s); - if (buf == NULL) - return 1; - /* server now would ask for the password */ - if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { - char *ptr = strstr(buf, CHALLENGE_STR); - - if (!ptr) - ptr = strstr(buf, CHALLENGE_STR2); - char *ptr_end = strstr(ptr, CHALLENGE_END_STR); - int32_t chglen = ptr_end - ptr - strlen(CHALLENGE_STR); - - if ((chglen > 0) && (chglen < sizeof(buffer2))) { - strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); - buffer2[chglen] = '\0'; - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buffer2); - if (strstr(buffer, "assword") != NULL) { - strncpy(buffer2, pass, sizeof(buffer2) - 1); - buffer2[sizeof(buffer2) - 1] = '\0'; - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); - } - } else { - hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); - free(buf); - 
return 1; - } - } - } - } - break; -#ifdef LIBOPENSSL - case AUTH_PLAIN:{ - memset(buffer2, 0, sizeof(buffer)); - sasl_plain(buffer2, login, pass); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer); - - } - break; - case AUTH_CRAMMD5:{ - int32_t rc = 0; - char *preplogin; - - memset(buffer2, 0, sizeof(buffer2)); - sasl_cram_md5(buffer2, pass, buffer); - - rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - if (rc) { - free(buf); - return 3; - } - - sprintf(buffer, "%.200s %.250s", preplogin, buffer2); - if (debug) - hydra_report(stderr, "DEBUG C: %s\n", buffer); - hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); - sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR); - strncpy(buffer, buffer2, sizeof(buffer) - 1); - buffer[sizeof(buffer) - 1] = '\0'; - free(preplogin); - } - break; - case AUTH_DIGESTMD5:{ - memset(buffer2, 0, sizeof(buffer2)); - fooptr = buffer2; - sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); - if (fooptr == NULL) { - free(buf); - return 3; - } - if (debug) - hydra_report(stderr, "DEBUG C: %s\n", buffer2); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); - } - break; - case AUTH_SCRAMSHA1:{ - /*client-first-message */ - char clientfirstmessagebare[200]; - char *preplogin; - int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); - - if (rc) { - free(buf); - return 3; - } - - snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); - free(preplogin); - sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, 
buffer2, RESPONSE_END_STR); - - free(buf); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + free(buf); return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; - + /* server now would ask for the password */ if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { - char serverfirstmessage[200]; char *ptr = strstr(buf, CHALLENGE_STR); if (!ptr) 
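Review bot: `sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);` in the AUTH_LOGIN branch bounds only the middle operand; whether the 500-byte `buffer` holds the result depends on the lengths of `RESPONSE_STR` and `RESPONSE_END_STR`, which are defined outside the hunk. The DIGESTMD5 branch of the same switch composes the identical message with `snprintf(buffer, sizeof(buffer), "%s%s%s", ...)`, so `snprintf(buffer, sizeof(buffer), "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR);` here keeps the two paths consistent. The rest of the hunk is re-indentation of the moved block; `start_xmpp` begins outside the hunk.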
@@ -206,36 +106,136 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha if ((chglen > 0) && (chglen < sizeof(buffer2))) { strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); buffer2[chglen] = '\0'; + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buffer2); + if (strstr(buffer, "assword") != NULL) { + strncpy(buffer2, pass, sizeof(buffer2) - 1); + buffer2[sizeof(buffer2) - 1] = '\0'; + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + } } else { hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); free(buf); return 1; } + } + } + } break; +#ifdef LIBOPENSSL + case AUTH_PLAIN: { + memset(buffer2, 0, sizeof(buffer)); + result = sasl_plain(buffer2, login, pass); + if (result == NULL) + return 3; + sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + if (debug) + hydra_report(stderr, "DEBUG C: %s\n", buffer); - /*server-first-message */ - memset(buffer, 0, sizeof(buffer)); - from64tobits((char *) buffer, buffer2); - strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); - serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; + } break; + case AUTH_CRAMMD5: { + int32_t rc = 0; + char *preplogin; - memset(buffer2, 0, sizeof(buffer2)); - fooptr = buffer2; - sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); - if (fooptr == NULL) { - hydra_report(stderr, "[ERROR] Can't compute client response\n"); - free(buf); - return 1; - } - hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); - snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + memset(buffer2, 0, sizeof(buffer2)); + result = sasl_cram_md5(buffer2, pass, buffer); + if (result == NULL) + return 3; + + rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + if (rc) { + free(buf); + return 3; + } + + 
sprintf(buffer, "%.200s %.250s", preplogin, buffer2); + if (debug) + hydra_report(stderr, "DEBUG C: %s\n", buffer); + hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer)); + sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR); + strncpy(buffer, buffer2, sizeof(buffer) - 1); + buffer[sizeof(buffer) - 1] = '\0'; + free(preplogin); + } break; + case AUTH_DIGESTMD5: { + memset(buffer2, 0, sizeof(buffer2)); + fooptr = buffer2; + result = sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); + if (result == NULL) { + free(buf); + return 3; + } + if (debug) + hydra_report(stderr, "DEBUG C: %s\n", buffer2); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + } break; + case AUTH_SCRAMSHA1: { + /*client-first-message */ + char clientfirstmessagebare[200]; + char *preplogin; + int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); + + if (rc) { + free(buf); + return 3; + } + + snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); + free(preplogin); + sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + + free(buf); + if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { + return 1; + } + buf = hydra_receive_line(s); + if (buf == NULL) + return 1; + + if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { + char serverfirstmessage[200]; + char *ptr = strstr(buf, CHALLENGE_STR); + + if (!ptr) + ptr = strstr(buf, CHALLENGE_STR2); + char *ptr_end = strstr(ptr, CHALLENGE_END_STR); + int32_t chglen = ptr_end - ptr - strlen(CHALLENGE_STR); + + if ((chglen > 0) && (chglen < sizeof(buffer2))) { + strncpy(buffer2, ptr + strlen(CHALLENGE_STR), chglen); + 
buffer2[chglen] = '\0'; } else { - if (verbose || debug) - hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); + hydra_report(stderr, "[ERROR] xmpp could not extract challenge from server\n"); free(buf); return 1; } + + /*server-first-message */ + memset(buffer, 0, sizeof(buffer)); + from64tobits((char *)buffer, buffer2); + strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); + serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; + + memset(buffer2, 0, sizeof(buffer2)); + fooptr = buffer2; + result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); + if (result == NULL) { + hydra_report(stderr, "[ERROR] Can't compute client response\n"); + free(buf); + return 1; + } + hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); + snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + } else { + if (verbose || debug) + hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); + free(buf); + return 1; } - break; + } break; #endif ptr = 0; } @@ -249,8 +249,9 @@ int32_t start_xmpp(int32_t s, char *ip, int32_t port, unsigned char options, cha if (buf == NULL) return 1; - //we test the challenge tag as digest-md5 when connected is sending "rspauth" value - //so if we are receiving a second challenge we assume the auth is good + // we test the challenge tag as digest-md5 when connected is sending + // "rspauth" value so if we are receiving a second challenge we assume the + // auth is good if ((strstr(buf, "= 0) sock = hydra_disconnect(sock); if ((options & OPTION_SSL) == 0) { 
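Review bot: The new `if (result == NULL) return 3;` in the AUTH_PLAIN branch, and the same line after `sasl_cram_md5` in AUTH_CRAMMD5, return without `free(buf)`, while the DIGESTMD5 and SCRAMSHA1 branches (and the `sasl_saslprep` failure two lines below in CRAMMD5) do `free(buf); return 3;`; the line received by `hydra_receive_line` presumably leaks on each such failure, so both should read `if (result == NULL) { free(buf); return 3; }`. In AUTH_PLAIN, `memset(buffer2, 0, sizeof(buffer))` clears `buffer2` using `buffer`'s size, which only works because both arrays are 500 bytes; `sizeof(buffer2)` says what is meant. In the SCRAMSHA1 branch `char *ptr_end = strstr(ptr, CHALLENGE_END_STR);` feeds `ptr_end - ptr - strlen(CHALLENGE_STR)` without a NULL check, and a missing end tag is only caught indirectly by `chglen > 0`; an explicit `if (!ptr_end)` guard before the arithmetic would be clearer. `start_xmpp` continues outside the hunk.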
@@ -325,7 +328,7 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha } if (sock < 0) { if (verbose || debug) - hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t) getpid()); + hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } memset(buffer, 0, sizeof(buffer)); @@ -333,7 +336,7 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha if (hydra_send(sock, buffer, strlen(buffer), 0) < 0) { hydra_child_exit(1); } - //some server is longer to answer + // some server is longer to answer usleepn(300); do { if ((buf = hydra_receive_line(sock)) == NULL) { @@ -351,7 +354,11 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha if (strstr(buf, "= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); @@ -485,13 +492,13 @@ void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, cha } } -int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) { +int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. - // + // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here 
@@ -499,8 +506,9 @@ int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *mis return 0; } -void usage_xmpp(const char* service) { +void usage_xmpp(const char *service) { printf("Module xmpp is optionally taking one authentication type of:\n" " LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1\n\n" - "Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org\n\n"); + "Note, the target passed should be a fdqn as the value is used in the " + "Jabber init request, example: hermes.jabber.org\n\n"); } diff --git a/hydra.1 b/hydra.1 index 37ddf3e..b9cb7a5 100644 --- a/hydra.1 +++ b/hydra.1 @@ -1,6 +1,6 @@ -.TH "HYDRA" "1" "01/01/2019" +.TH "HYDRA" "1" "01/01/2023" .SH NAME -hydra \- a very fast network logon cracker which support many different services +hydra \- a very fast network logon cracker which supports many different services .SH SYNOPSIS .B hydra [[[\-l LOGIN|\-L FILE] [\-p PASS|\-P FILE|\-x OPT \-y]] | [\-C FILE]] diff --git a/hydra.c b/hydra.c index 64d7da3..416cf25 100644 --- a/hydra.c +++ b/hydra.c 
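Review bot: The re-split help text keeps the typo `fdqn` in `"Note, the target passed should be a fdqn as the value is used in the "`; since this is a user-facing string, `"Note, the target passed should be a FQDN as the value is used in the "` reads correctly. No other change in this hunk is needed.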
@@ -1,220 +1,246 @@ /* - * hydra (c) 2001-2019 by van Hauser / THC + * hydra (c) 2001-2023 by van Hauser / THC * https://github.com/vanhauser-thc/thc-hydra * * Parallized network login hacker. - * Don't use in military or secret service organizations, or for illegal purposes. + * Please don't use in military or secret service organizations, or for illegal + * purposes. This is a wish and is non-binding. + * If you ignore this be sure you are not a good person though. * * License: GNU AFFERO GENERAL PUBLIC LICENSE v3.0, see LICENSE file */ #include "hydra.h" #include "bfg.h" +#include #ifdef LIBNCURSES #include #include #endif -void usage_oracle(const char* service); -void usage_oracle_listener(const char* service); -void usage_cvs(const char* service); -void usage_xmpp(const char* service); -void usage_pop3(const char* service); -void usage_rdp(const char* service); -void usage_s7_300(const char* service); -void usage_nntp(const char* service); -void usage_imap(const char* service); -void usage_smtp_enum(const char* service); -void usage_smtp(const char* service); -void usage_svn(const char* service); -void usage_ncp(const char* service); -void usage_firebird(const char* service); -void usage_mysql(const char* service); -void usage_irc(const char* service); -void usage_postgres(const char* service); -void usage_telnet(const char* service); -void usage_sapr3(const char* service); -void usage_sshkey(const char* service); -void usage_cisco_enable(const char* service); -void usage_cisco(const char* service); -void usage_ldap(const char* service); -void usage_smb(const char* service); -void usage_http_form(const char* service); -void usage_http_proxy(const char* service); -void usage_http_proxy_urlenum(const char* service); -void usage_snmp(const char* service); -void usage_http(const char* service); +void usage_oracle(const char *service); +void usage_oracle_listener(const char *service); +void usage_cvs(const char *service); +void usage_xmpp(const char *service); 
+void usage_pop3(const char *service); +void usage_rdp(const char *service); +void usage_s7_300(const char *service); +void usage_nntp(const char *service); +void usage_imap(const char *service); +void usage_smtp_enum(const char *service); +void usage_smtp(const char *service); +void usage_svn(const char *service); +void usage_ncp(const char *service); +void usage_firebird(const char *service); +void usage_mysql(const char *service); +void usage_mongodb(const char *service); +void usage_irc(const char *service); +void usage_postgres(const char *service); +void usage_telnet(const char *service); +void usage_sapr3(const char *service); +void usage_sshkey(const char *service); +void usage_cisco_enable(const char *service); +void usage_cisco(const char *service); +void usage_ldap(const char *service); +void usage_smb(const char *service); +void usage_http_form(const char *service); +void usage_http_proxy(const char *service); +void usage_http_proxy_urlenum(const char *service); +void usage_snmp(const char *service); +void usage_http(const char *service); +void usage_smb2(const char *service); - -extern void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char 
*hostname); -extern void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_adam6500(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_rlogin(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_rsh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void 
service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_http_get_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_teamspeak(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_redis(char 
*ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_asterisk(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_telnet(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_ftp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_ftps(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_pop3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_vmauthd(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, 
char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_adam6500(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_cisco(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_cisco_enable(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_vnc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_socks5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_rexec(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_rlogin(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_rsh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_nntp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_head(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_get(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_post(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_get_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char 
*hostname); +extern void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_cobaltstrike(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_smtp_enum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_teamspeak(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_pcanywhere(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_proxy(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_xmpp(char *target, char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_irc(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_redis(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_http_proxy_urlenum(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_s7_300(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void 
service_rtsp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_rpcap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); // ADD NEW SERVICES HERE +#if defined(LIBSMBCLIENT) +extern int32_t service_smb2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +#endif #ifdef HAVE_MATH_H -extern void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_mysql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBPOSTGRES -extern void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_postgres_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBOPENSSL -extern void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void 
service_oracle_listener(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_oracle_sid_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_sip_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_smb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_smb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_oracle_listener_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_oracle_sid_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_sip(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, 
char *hostname); +extern int32_t service_sip_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +#endif +#ifdef LIBFREERDP +extern void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_rdp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBSAPR3 -extern void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBFIREBIRD -extern void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_firebird_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBAFP -extern void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_afp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_afp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t 
service_afp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBNCP -extern void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_ncp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_ncp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBSSH -extern void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_sshkey_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBSVN -extern void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t 
port, char *hostname); +extern void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_svn_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef LIBORACLE -extern void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_oracle_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); #endif #ifdef HAVE_GCRYPT -extern void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +#endif +#ifdef LIBMCACHED +extern void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_mcached_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +#endif +#ifdef LIBMONGODB +extern void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_mongodb_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); 
#endif - -extern int32_t service_adam6500_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_ftp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_icq_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_mssql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_pcanywhere_init(char *ip, int32_t sp, 
unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_pcnfs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_asterisk_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_rexec_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_rlogin_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_rsh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_snmp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_socks5_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_teamspeak_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t 
port, char *hostname); -extern int32_t service_vmauthd_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_vnc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_rtsp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -extern int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); +extern int32_t service_adam6500_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_cisco_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_cisco_enable_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_cvs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_smtp_enum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_ftp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_icq_init(char *ip, int32_t sp, 
unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_mssql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_cobaltstrike_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_pcanywhere_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_pcnfs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_pop3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_http_proxy_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_asterisk_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_redis_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_rexec_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_rlogin_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); 
+extern int32_t service_rsh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_smtp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_snmp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_socks5_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_teamspeak_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_telnet_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_http_proxy_urlenum_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_vmauthd_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_vnc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_xmpp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_s7_300_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_rtsp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +extern int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); // ADD NEW SERVICES HERE -char *SERVICES = - "adam6500 asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] 
ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
+char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs firebird ftp[s] "
+ "http[s]-{head|get|post} http[s]-{get|post}-form http-proxy "
+ "http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] "
+ "memcached mongodb mssql mysql ncp nntp oracle oracle-listener oracle-sid "
+ "pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap "
+ "rsh rtsp s7-300 sapr3 sip smb smb2 smtp[s] smtp-enum snmp socks5 ssh "
+ "sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
 
-#define MAXBUF 520
-#define MAXLINESIZE ( ( MAXBUF / 2 ) - 4 )
-#define MAXTASKS 64
-#define MAXSERVERS 16
-#define MAXFAIL 3
-#define MAXENDWAIT 20
-#define WAITTIME 32
-#define TASKS 16
-#define SKIPLOGIN 256
-#define USLEEP_LOOP 10
-#define MAX_LINES 50000000 // 50 millions, do not put more than 65millions
-#define MAX_BYTES 500000000 // 500 millions, do not put more than 650millions
+#define MAXBUF 520
+#define MAXLINESIZE ((MAXBUF / 2) - 4)
+#define MAXTASKS 64
+#define MAXSERVERS 16
+#define MAXFAIL 3
+#define MAXENDWAIT 20
+#define WAITTIME 32
+#define TASKS 16
+#define SKIPLOGIN 256
+#define USLEEP_LOOP 10
+#define MAX_LINES 50000000 // 50 millions, do not put more than 65millions
+#define MAX_BYTES 500000000 // 500 millions, do not put more than 650millions
 #define RESTOREFILE "./hydra.restore"
-#define PROGRAM "Hydra"
-#define VERSION "v8.8"
-#define AUTHOR "van Hauser/THC"
-#define EMAIL ""
-#define RESOURCE "https://github.com/vanhauser-thc/thc-hydra"
+#define PROGRAM "Hydra"
+#define VERSION "v9.6dev"
+#define AUTHOR "van Hauser/THC"
+#define EMAIL ""
+#define AUTHOR2 "David Maciejak"
+#define EMAIL2 ""
+#define RESOURCE "https://github.com/vanhauser-thc/thc-hydra"
 
 extern char *hydra_strcasestr(const char *haystack, const char *needle);
 extern void hydra_tobase64(unsigned char *buf, int32_t buflen, int32_t bufsize);
 extern char *hydra_string_replace(const char *string, const char *substr, const char *replacement);
 extern char *hydra_address2string(char *address);
 extern char *hydra_address2string_beautiful(char *address);
-extern int32_t colored_output;
+extern uint32_t colored_output;
 extern char quiet;
 extern int32_t do_retry;
 extern int32_t old_ssl;
@@ -222,18 +248,9 @@ extern int32_t old_ssl;
 void hydra_kill_head(int32_t head_no, int32_t killit, int32_t fail);
 
 // some enum definitions
-typedef enum {
- HEAD_DISABLED = -1,
- HEAD_UNUSED = 0,
- HEAD_ACTIVE = 1
-} head_state_t;
+typedef enum { HEAD_DISABLED = -1, HEAD_UNUSED = 0, HEAD_ACTIVE = 1 } head_state_t;
 
-typedef enum {
- TARGET_ACTIVE = 0,
- TARGET_FINISHED = 1,
- TARGET_ERROR = 2,
- TARGET_UNRESOLVED = 3
-} target_state_t;
+typedef enum { TARGET_ACTIVE = 0, TARGET_FINISHED = 1, TARGET_ERROR = 2, TARGET_UNRESOLVED = 3 } target_state_t;
 
 // some structure definitions
 typedef struct {
@@ -250,6 +267,7 @@ typedef struct {
 
 typedef struct {
 char *target;
+ char *miscptr;
 char ip[36];
 char *login_ptr;
 char *pass_ptr;
@@ -273,7 +291,7 @@ typedef struct {
 } hydra_target;
 
 typedef struct {
- int32_t active; // active tasks of hydra_options.max_use
+ int32_t active; // active tasks of hydra_options.max_use
 int32_t targets;
 int32_t finished;
 int32_t exit;
@@ -295,7 +313,7 @@ typedef struct {
 } hydra_portlist;
 
 // external vars
-extern char HYDRA_EXIT[5];
+extern char *HYDRA_EXIT;
 #if !defined(ANDROID) && !defined(__BIONIC__)
 extern int32_t errno;
 #endif
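Review bot: The new `char *miscptr;` field added to the target struct in the `@@ -250,6 +267,7 @@` hunk carries no comment saying what it holds or who owns the memory, and the same name is already the per-call module-option parameter of every `service_*` function, so a reader cannot tell whether this is a per-target copy of that option string or just a pointer into it. The struct's remaining fields and its uses are outside this hunk, so this is inferred from the declaration alone. Suggest `char *miscptr; // per-target module options (the miscptr handed to service_*); ownership/lifetime: TODO confirm`.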
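Review bot: `extern char *HYDRA_EXIT;` in the `@@ -295,7 +313,7 @@` hunk changes the declared type from a five-byte array to a pointer, and in C an `extern char *` declaration paired with a `char HYDRA_EXIT[5]` definition in another translation unit is undefined behaviour (the "pointer" would be read out of the array's first bytes), so the defining module and every other declaration must switch to a pointer in the same change. Any `sizeof(HYDRA_EXIT)` or fixed-length `memcpy`/`memcmp` on it elsewhere also silently changes meaning with a pointer; the definition and its uses are not in this hunk, so this is inferred from the declaration alone. A one-line comment stating the new contract would help the next reader, e.g. `extern char *HYDRA_EXIT; // sentinel string shared with the service modules; defined as a pointer, not an array`.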
@@ -326,6 +344,11 @@ int32_t prefer_ipv6 = 0, conwait = 0, loop_cnt = 0, fck = 0, options = 0, killed
 int32_t child_head_no = -1, child_socket;
 int32_t total_redo_count = 0;
 
+// requred for distributed attack capability
+uint32_t num_segments = 0;
+uint32_t my_segment = 0;
+char junk_file[50];
+
 // moved for restore feature
 int32_t process_restore = 0, dont_unlink;
 char *login_ptr = NULL, *pass_ptr = "", *csv_ptr = NULL, *servers_ptr = NULL;
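Review bot: `char junk_file[50];` introduces a fixed 50-byte global path buffer with no named size constant, so whatever fills it (not in this hunk, presumably from a user-supplied or derived file name) must bound the write with `sizeof(junk_file)` via `snprintf`/`strncpy`, or a long name overflows a global that sits next to other control variables. A named constant makes that bound visible at the fill site, and the comment above the block has a typo. Suggest `// required for distributed attack capability` and `char junk_file[50]; // fixed-size scratch path: every write must be bounded by sizeof(junk_file)`.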
@@ -338,128 +361,141 @@ int32_t snpdone, snp_is_redo, snpbuflen, snpi, snpj, snpdont; #include "performance.h" -typedef void (*service_t)(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -typedef int32_t (*service_init_t)(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname); -typedef void (*service_usage_t)(const char* service); +typedef void (*service_t)(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +typedef int32_t (*service_init_t)(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); +typedef void (*service_usage_t)(const char *service); -#define SERVICE2(name, func) { name, service_##func##_init, service_##func, NULL } -#define SERVICE(name) { #name, service_##name##_init, service_##name, NULL } -#define SERVICE3(name, func) { name, service_##func##_init, service_##func, usage_##func } +#define SERVICE2(name, func) \ + { name, service_##func##_init, service_##func, NULL } +#define SERVICE(name) \ + { #name, service_##name##_init, service_##name, NULL } +#define SERVICE3(name, func) \ + { name, service_##func##_init, service_##func, usage_##func } static const struct { - const char* name; + const char *name; service_init_t init; service_t exec; service_usage_t usage; -} services[] = { - SERVICE(adam6500), +} services[] = {SERVICE(adam6500), #ifdef LIBAFP - SERVICE(afp), + SERVICE(afp), #endif - SERVICE(asterisk), - SERVICE3("cisco", cisco), - SERVICE3("cisco-enable", cisco_enable), - SERVICE3("cvs", cvs), + SERVICE(asterisk), + SERVICE3("cisco", cisco), + SERVICE3("cisco-enable", cisco_enable), + SERVICE3("cvs", cvs), #ifdef LIBFIREBIRD - SERVICE3("firebird", firebird), + SERVICE3("firebird", firebird), +#endif + SERVICE(ftp), + {"ftps", service_ftp_init, service_ftps, NULL}, + {"http-get", service_http_init, service_http_get, usage_http}, + {"http-get-form", 
service_http_form_init, service_http_get_form, usage_http_form}, + {"http-head", service_http_init, service_http_head, NULL}, + {"http-form", service_http_form_init, NULL, usage_http_form}, + {"http-post", service_http_init, service_http_post, usage_http}, + {"http-post-form", service_http_form_init, service_http_post_form, usage_http_form}, + SERVICE3("http-proxy", http_proxy), + SERVICE3("http-proxy-urlenum", http_proxy_urlenum), + SERVICE(icq), + SERVICE3("imap", imap), + SERVICE3("irc", irc), + {"ldap", service_ldap_init, service_ldap2, usage_ldap}, + {"ldap2", service_ldap_init, service_ldap2, usage_ldap}, + {"ldap3", service_ldap_init, service_ldap3, usage_ldap}, + {"ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5, usage_ldap}, + {"ldap3-digestmd5", service_ldap_init, service_ldap3_digest_md5, usage_ldap}, +#ifdef LIBMCACHED + {"memcached", service_mcached_init, service_mcached, NULL}, +#endif + SERVICE(mssql), + SERVICE(cobaltstrike), +#ifdef LIBMONGODB + SERVICE3("mongodb", mongodb), #endif - SERVICE(ftp), - { "ftps", service_ftp_init, service_ftps, NULL }, - { "http-get", service_http_init, service_http_get, usage_http }, - { "http-get-form", service_http_form_init, service_http_get_form, usage_http_form }, - { "http-head", service_http_init, service_http_head, NULL }, - { "http-form", service_http_form_init, NULL, usage_http_form }, - { "http-post", NULL, service_http_post, usage_http }, - { "http-post-form", service_http_form_init, service_http_post_form, usage_http_form }, - SERVICE3("http-proxy", http_proxy), - SERVICE3("http-proxy-urlenum", http_proxy_urlenum), - SERVICE(icq), - SERVICE3("imap", imap), - SERVICE3("irc", irc), - { "ldap", service_ldap_init, service_ldap2, usage_ldap }, - { "ldap2", service_ldap_init, service_ldap2, usage_ldap }, - { "ldap3", service_ldap_init, service_ldap3, usage_ldap }, - { "ldap3-crammd5", service_ldap_init, service_ldap3_cram_md5, usage_ldap }, - { "ldap3-digestmd5", service_ldap_init, 
service_ldap3_digest_md5, usage_ldap }, - SERVICE(mssql), #ifdef HAVE_MATH_H - SERVICE3("mysql", mysql), + SERVICE3("mysql", mysql), #endif #ifdef LIBNCP - SERVICE3("ncp", ncp), + SERVICE3("ncp", ncp), #endif - SERVICE3("nntp", nntp), + SERVICE3("nntp", nntp), #ifdef LIBORACLE - SERVICE3("oracle", oracle), + SERVICE3("oracle", oracle), #endif #ifdef LIBOPENSSL - SERVICE3("oracle-listener", oracle_listener), - SERVICE2("oracle-sid", oracle_sid), + SERVICE3("oracle-listener", oracle_listener), + SERVICE2("oracle-sid", oracle_sid), #endif - SERVICE(pcanywhere), - SERVICE(pcnfs), - SERVICE3("pop3", pop3), + SERVICE(pcanywhere), + SERVICE(pcnfs), + SERVICE3("pop3", pop3), #ifdef LIBPOSTGRES - SERVICE3("postgres", postgres), + SERVICE3("postgres", postgres), #endif - SERVICE(redis), - SERVICE(rexec), -#ifdef LIBOPENSSL - SERVICE3("rdp", rdp), + SERVICE(redis), + SERVICE(rexec), +#ifdef LIBFREERDP + SERVICE3("rdp", rdp), #endif - SERVICE(rlogin), - SERVICE(rsh), - SERVICE(rtsp), - SERVICE(rpcap), - SERVICE3("s7-300", s7_300), + SERVICE(rlogin), + SERVICE(rsh), + SERVICE(rtsp), + SERVICE(rpcap), + SERVICE3("s7-300", s7_300), #ifdef LIBSAPR3 - SERVICE3("sarp3", sapr3), + SERVICE3("sarp3", sapr3), #endif #ifdef LIBOPENSSL - SERVICE(sip), - SERVICE3("smbnt", smb), - SERVICE3("smb", smb), + SERVICE(sip), + SERVICE3("smbnt", smb), + SERVICE3("smb", smb), #endif - SERVICE3("smtp", smtp), - SERVICE3("smtp-enum", smtp_enum), - SERVICE3("snmp", snmp), - SERVICE(socks5), +#if defined(LIBSMBCLIENT) + SERVICE3("smb2", smb2), +#endif + SERVICE3("smtp", smtp), + SERVICE3("smtp-enum", smtp_enum), + SERVICE3("snmp", snmp), + SERVICE(socks5), #ifdef LIBSSH - { "ssh", NULL, service_ssh, NULL }, - SERVICE3("sshkey", sshkey), + {"ssh", NULL, service_ssh, NULL}, + SERVICE3("sshkey", sshkey), #endif #ifdef LIBSVN - SERVICE3("svn", svn), + SERVICE3("svn", svn), #endif - SERVICE(teamspeak), - SERVICE3("telnet", telnet), - SERVICE(vmauthd), - SERVICE(vnc), + SERVICE(teamspeak), + 
SERVICE3("telnet", telnet), + SERVICE(vmauthd), + SERVICE(vnc), #ifdef HAVE_GCRYPT - SERVICE(radmin2), + SERVICE(radmin2), #endif - { "xmpp", service_xmpp_init, NULL, usage_xmpp } -}; - + {"xmpp", service_xmpp_init, NULL, usage_xmpp}}; #define PRINT_NORMAL(ext, text, ...) printf(text, ##__VA_ARGS__) -#define PRINT_EXTEND(ext, text, ...) do { \ - if (ext) \ - printf(text, ##__VA_ARGS__); \ - } while(0) +#define PRINT_EXTEND(ext, text, ...) \ + do { \ + if (ext) \ + printf(text, ##__VA_ARGS__); \ + } while (0) - -int32_t /*inline*/ check_flag(int32_t value, int32_t flag) { // inline does not compile with debug +int32_t /*inline*/ +check_flag(int32_t value, int32_t flag) { // inline does not compile with debug return (value & flag) == flag; } void help(int32_t ext) { - PRINT_NORMAL(ext, "Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr]" - " [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT]" + PRINT_NORMAL(ext, "Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | " + "[-C FILE]] [-e nsr]" + " [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W " + "TIME] [-f] [-s PORT]" #ifdef HAVE_MATH_H " [-x MIN:MAX:CHARSET]" #endif - " [-c TIME] [-ISOuvVd46] " + " [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] " //"[server service [OPT]]|" "[service://server[:PORT][/OPT]]\n"); PRINT_NORMAL(ext, "\nOptions:\n"); 
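Review bot: The services table is now re-flowed by clang-format, which puts the first entry on the `} services[] = {SERVICE(adam6500),` line and the closing `}}` on the xmpp line, so every future module addition will touch neighbouring lines and bloat diffs; wrapping the initializer in `// clang-format off` / `// clang-format on` keeps one entry per line with the braces on their own lines. The new smb2 guard uses `#if defined(LIBSMBCLIENT)` while every other guard in the table is `#ifdef`; `#ifdef LIBSMBCLIENT` keeps them uniform. The three SERVICE macros now span two lines each with a continuation backslash, which is fine, but the table itself is the part that deserves the format guard.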
@@ -468,53 +504,84 @@ void help(int32_t ext) { #ifdef LIBOPENSSL " -S perform an SSL connect\n" #endif - " -s PORT if the service is on a different default port, define it here\n"); - PRINT_NORMAL(ext, " -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE\n" - " -p PASS or -P FILE try password PASS, or load several passwords from FILE\n"); + " -s PORT if the service is on a different default port, define it " + "here\n"); + PRINT_NORMAL(ext, " -l LOGIN or -L FILE login with LOGIN name, or load " + "several logins from FILE\n" + " -p PASS or -P FILE try password PASS, or load several " + "passwords from FILE\n"); PRINT_EXTEND(ext, #ifdef HAVE_MATH_H - " -x MIN:MAX:CHARSET password bruteforce generation, type \"-x -h\" to get help\n" - " -y disable use of symbols in bruteforce, see above\n" + " -x MIN:MAX:CHARSET password bruteforce generation, type " + "\"-x -h\" to get help\n" + " -y disable use of symbols in bruteforce, see above\n" + " -r use a non-random shuffling method for option -x\n" #endif - " -e nsr try \"n\" null password, \"s\" login as pass and/or \"r\" reversed login\n" - " -u loop around users, not passwords (effective! implied with -x)\n"); - PRINT_NORMAL(ext, " -C FILE colon separated \"login:pass\" format, instead of -L/-P options\n" - " -M FILE list of servers to attack, one entry per line, ':' to specify port\n"); + " -e nsr try \"n\" null password, \"s\" login as pass " + "and/or \"r\" reversed login\n" + " -u loop around users, not passwords (effective! 
" + "implied with -x)\n"); + PRINT_NORMAL(ext, " -C FILE colon separated \"login:pass\" format, " + "instead of -L/-P options\n" + " -M FILE list of servers to attack, one entry per " + "line, ':' to specify port\n"); + PRINT_NORMAL(ext, " -D XofY Divide wordlist into Y segments and use the " + "Xth segment.\n"); PRINT_EXTEND(ext, " -o FILE write found login/password pairs to FILE instead of stdout\n" - " -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1\n" - " -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)\n"); - PRINT_NORMAL(ext, " -t TASKS run TASKS number of connects in parallel per target (default: %d)\n", TASKS); - PRINT_EXTEND(ext, " -T TASKS run TASKS connects in parallel overall (for -M, default: %d)\n" - " -w / -W TIME wait time for a response (%d) / between connects per thread (%d)\n" + " -b FORMAT specify the format for the -o FILE: text(default), json, " + "jsonv1\n" + " -f / -F exit when a login/pass pair is found (-M: -f per host, -F " + "global)\n"); + PRINT_NORMAL(ext, + " -t TASKS run TASKS number of connects in parallel per " + "target (default: %d)\n", + TASKS); + PRINT_EXTEND(ext, + " -T TASKS run TASKS connects in parallel overall (for -M, default: " + "%d)\n" + " -w / -W TIME wait time for a response (%d) / between connects per " + "thread (%d)\n" #ifdef MSG_PEEK - " -c TIME wait time per login attempt over all threads (enforces -t 1)\n" + " -c TIME wait time per login attempt over all threads (enforces -t " + "1)\n" #endif - " -4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)\n" - " -v / -V / -d verbose mode / show login+pass for each attempt / debug mode \n" - " -O use old SSL v2 and v3\n" - " -q do not print messages about connection errors\n", - MAXTASKS, WAITTIME, conwait - ); + " -4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also " + "in -M)\n" + " -v / -V / -d verbose mode / show login+pass for each attempt / debug " + "mode \n" + " -O use old 
SSL v2 and v3\n" + " -K do not redo failed attempts (good for -M mass scanning)\n" + " -q do not print messages about connection errors\n", + MAXTASKS, WAITTIME, conwait); PRINT_NORMAL(ext, " -U service module usage details\n" + " -m OPT options specific for a module, see -U output for " + "information\n" " -h more command line options (COMPLETE HELP)\n" - " server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)\n" + " server the target: DNS, IP or 192.168.0.0/24 (this OR the -M " + "option)\n" " service the service to crack (see below for supported protocols)\n" - " OPT some service modules support additional input (-U for module help)\n"); - PRINT_NORMAL(ext, "\nSupported services: %s\n" - "\n%s is a tool to guess/crack valid login/password pairs. Licensed under AGPL\n" - "v3.0. The newest version is always available at %s\n" - "Don't use in military or secret service organizations, or for illegal purposes.\n", - SERVICES, PROGRAM, RESOURCE - ); + " OPT some service modules support additional input (-U for " + "module help)\n"); + PRINT_NORMAL(ext, + "\nSupported services: %s\n" + "\n%s is a tool to guess/crack valid login/password pairs.\n" + "Licensed under AGPL v3.0. The newest version is always available at;\n%s\n" + "Please don't use in military or secret service organizations, or for illegal\n" + "purposes. (This is a wish and non-binding - most such people do not care about\n" + "laws and ethics anyway - and tell themselves they are one of the good ones.)\n", + SERVICES, PROGRAM, RESOURCE); if (ext && strlen(unsupported) > 0) { if (unsupported[strlen(unsupported) - 1] == ' ') unsupported[strlen(unsupported) - 1] = 0; printf("These services were not compiled in: %s.\n", unsupported); } - PRINT_EXTEND(ext, "\nUse HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.\n" - "E.g. 
%% export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)\n" - " %% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)\n" + PRINT_EXTEND(ext, "\nUse HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy " + "setup.\n" + "E.g. %% export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// " + "connect://)\n" + " %% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 " + "entries)\n" " %% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080\n" " %% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)\n"); PRINT_NORMAL(ext, "\nExample%s:%s hydra -l user -P passlist.txt ftp://192.168.0.1\n", ext == 0 ? "" : "s", ext == 0 ? "" : "\n"); 
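Review bot: The new licence paragraph reads `"Licensed under AGPL v3.0. The newest version is always available at;\n%s\n"`; the semicolon after `at` looks like a typo for a colon, `"... is always available at:\n%s\n"`. The syntax line introduces the option as `-m MODULE_OPT` while the option list names it `-m OPT`, and the `-D XofY` entry is the only description starting with a capital letter and ending in a full stop (`Divide wordlist ... segment.`); matching the surrounding entries (`-m OPT` in both places, `divide wordlist into Y segments and use the Xth segment`) keeps the help consistent. The body of help() continues past this hunk.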
@@ -530,36 +597,45 @@ void help_bfg() { " -x MIN:MAX:CHARSET\n\n" " MIN is the minimum number of characters in the password\n" " MAX is the maximum number of characters in the password\n" - " CHARSET is a specification of the characters to use in the generation\n" + " CHARSET is a specification of the characters to use in the " + "generation\n" " valid CHARSET values are: 'a' for lowercase letters,\n" - " 'A' for uppercase letters, '1' for numbers, and for all others,\n" + " 'A' for uppercase letters, '1' for numbers, and for all " + "others,\n" " just add their real representation.\n" - " -y disable the use of the above letters as placeholders\n\n" + " -y disable the use of the above letters as placeholders\n" "Examples:\n" - " -x 3:5:a generate passwords from length 3 to 5 with all lowercase letters\n" - " -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers\n" - " -x 1:3:/ generate passwords from length 1 to 3 containing only slashes\n" - " -x 5:5:/%%,.- generate passwords with length 5 which consists only of /%%,.-\n" - " -x 3:5:aA1 -y generate passwords from length 3 to 5 with a, A and 1 only\n" - "\nThe bruteforce mode was made by Jan Dlabal, http://houbysoft.com/bfg/\n"); + " -x 3:5:a generate passwords from length 3 to 5 with all " + "lowercase letters\n" + " -x 5:8:A1 generate passwords from length 5 to 8 with uppercase " + "and numbers\n" + " -x 1:3:/ generate passwords from length 1 to 3 containing only " + "slashes\n" + " -x 5:5:/%%,.- generate passwords with length 5 which consists " + "only of /%%,.-\n" + " -x 3:5:aA1 -y generate passwords from length 3 to 5 with a, A and " + "1 only\n" + "\nThe bruteforce mode was made by Jan Dlabal, " + "http://houbysoft.com/bfg/\n"); exit(-1); } void module_usage() { int32_t i; - if (!hydra_options.service) { - printf("The Module %s does not need or support optional parameters\n", hydra_options.service); - exit(0); - } - printf("\nHelp for module 
%s:\n============================================================================\n", hydra_options.service); + printf("\nHelp for module " + "%s:\n================================================================" + "============\n", + hydra_options.service); + if (strncmp(hydra_options.service, "https-", 6) == 0) + memmove(hydra_options.service + 4, hydra_options.service + 5, strlen(hydra_options.service) - 4); for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) { - if (strcmp(hydra_options.service, services[i].name) == 0) { - if (services[i].usage) { - services[i].usage(hydra_options.service); - exit(0); - } + if (strcmp(hydra_options.service, services[i].name) == 0) { + if (services[i].usage) { + services[i].usage(hydra_options.service); + exit(0); } + } } printf("The Module %s does not need or support optional parameters\n", hydra_options.service); 
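Review bot: module_usage() now dereferences `hydra_options.service` unconditionally — in the printf, in `strncmp(hydra_options.service, "https-", 6)` and in the memmove — after this hunk removes the `if (!hydra_options.service)` guard; the removed guard was itself wrong (it printed the NULL pointer with %s), but dropping it means `-U` without a service, if the caller permits that, is a NULL dereference. A correct guard before the printf would be `if (hydra_options.service == NULL) { fprintf(stderr, "[ERROR] no service given for -U\n"); exit(-1); }`; whether the caller already guarantees a non-NULL service is not visible in this diff. The memmove also rewrites hydra_options.service in place (`https-foo` becomes `http-foo`), which is fine for the lookup here but is a side effect worth a one-line comment, e.g. `// strip the "s" so https-* modules share the http-* usage entry`.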
@@ -574,34 +650,20 @@ void hydra_debug(int32_t force, char *string) { if (!debug && !force) return; - printf("[DEBUG] Code: %s Time: %lu\n", string, (uint64_t) time(NULL)); - printf("[DEBUG] Options: mode %d ssl %d restore %d showAttempt %d tasks %d max_use %d tnp %d tpsal %d tprl %d exit_found %d miscptr %s service %s\n", - hydra_options.mode, hydra_options.ssl, hydra_options.restore, - hydra_options.showAttempt, hydra_options.tasks, hydra_options.max_use, - hydra_options.try_null_password, hydra_options.try_password_same_as_login, - hydra_options.try_password_reverse_login, hydra_options.exit_found, - STR_NULL(hydra_options.miscptr), hydra_options.service); + printf("[DEBUG] Code: %s Time: %" hPRIu64 "\n", string, (uint64_t)time(NULL)); + printf("[DEBUG] Options: mode %d ssl %d restore %d showAttempt %d tasks " + "%d max_use %d tnp %d tpsal %d tprl %d exit_found %d miscptr %s " + "service %s\n", + hydra_options.mode, hydra_options.ssl, hydra_options.restore, hydra_options.showAttempt, hydra_options.tasks, hydra_options.max_use, hydra_options.try_null_password, hydra_options.try_password_same_as_login, hydra_options.try_password_reverse_login, hydra_options.exit_found, STR_NULL(hydra_options.miscptr), hydra_options.service); - printf("[DEBUG] Brains: active %d targets %d finished %d todo_all %lu todo %lu sent %lu found %lu countlogin %lu sizelogin %lu countpass %lu sizepass %lu\n", - hydra_brains.active, hydra_brains.targets, hydra_brains.finished, - hydra_brains.todo_all + total_redo_count, hydra_brains.todo, - hydra_brains.sent, hydra_brains.found, - (uint64_t) hydra_brains.countlogin, - (uint64_t) hydra_brains.sizelogin, - (uint64_t) hydra_brains.countpass, - (uint64_t) hydra_brains.sizepass); + printf("[DEBUG] Brains: active %d targets %d finished %d todo_all %" hPRIu64 " todo %" hPRIu64 " sent %" hPRIu64 " found %" hPRIu64 " countlogin %" hPRIu64 " sizelogin %" hPRIu64 " countpass %" hPRIu64 " sizepass %" hPRIu64 "\n", hydra_brains.active, 
hydra_brains.targets, hydra_brains.finished, hydra_brains.todo_all + total_redo_count, hydra_brains.todo, hydra_brains.sent, hydra_brains.found, (uint64_t)hydra_brains.countlogin, (uint64_t)hydra_brains.sizelogin, (uint64_t)hydra_brains.countpass, + (uint64_t)hydra_brains.sizepass); for (i = 0; i < hydra_brains.targets; i++) { - hydra_target* target = hydra_targets[i]; - printf - ("[DEBUG] Target %d - target %s ip %s login_no %lu pass_no %lu sent %lu pass_state %d redo_state %d (%d redos) use_count %d failed %d done %d fail_count %d login_ptr %s pass_ptr %s\n", - i, STR_NULL(target->target), hydra_address2string_beautiful(target->ip), - target->login_no, target->pass_no, target->sent, - target->pass_state, target->redo_state, target->redo, - target->use_count, target->failed, target->done, - target->fail_count, - STR_NULL(target->login_ptr), - STR_NULL(target->pass_ptr)); + hydra_target *target = hydra_targets[i]; + printf("[DEBUG] Target %d - target %s ip %s login_no %" hPRIu64 " pass_no %" hPRIu64 " sent %" hPRIu64 " pass_state %d redo_state %d (%d redos) use_count %d failed %d " + " done %d fail_count %d login_ptr %s pass_ptr %s\n", + i, STR_NULL(target->target), hydra_address2string_beautiful(target->ip), target->login_no, target->pass_no, target->sent, target->pass_state, target->redo_state, target->redo, target->use_count, target->failed, target->done, target->fail_count, STR_NULL(target->login_ptr), STR_NULL(target->pass_ptr)); } if (hydra_heads == NULL) 
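Review bot: In the new per-target printf, `target->login_no`, `target->pass_no` and `target->sent` are passed to `%" hPRIu64 "` without the `(uint64_t)` casts that the brains printf just above applies to countlogin/sizelogin/countpass/sizepass; if those target fields are not uint64_t the format and argument types differ, and if they are, the casts above are redundant — either way the two calls should follow one convention. The same printf has a stray space, `" failed %d " " done %d"` prints two spaces between the fields. `hydra_brains.todo_all + total_redo_count` adds an int32_t (declared earlier in this diff) to what is presumably a uint64_t counter given the format; a `(uint64_t)` cast on the sum makes the intent explicit.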
@@ -609,12 +671,9 @@ void hydra_debug(int32_t force, char *string) { for (i = 0; i < hydra_options.max_use; i++) { if (hydra_heads[i]->active >= HEAD_UNUSED) { - printf("[DEBUG] Task %d - pid %d active %d redo %d current_login_ptr %s current_pass_ptr %s\n", - i, (int32_t) hydra_heads[i]->pid, - hydra_heads[i]->active, - hydra_heads[i]->redo, - STR_NULL(hydra_heads[i]->current_login_ptr), - STR_NULL(hydra_heads[i]->current_pass_ptr)); + printf("[DEBUG] Task %d - pid %d active %d redo %d current_login_ptr " + "%s current_pass_ptr %s\n", + i, (int32_t)hydra_heads[i]->pid, hydra_heads[i]->active, hydra_heads[i]->redo, STR_NULL(hydra_heads[i]->current_login_ptr), STR_NULL(hydra_heads[i]->current_pass_ptr)); if (hydra_heads[i]->active == HEAD_UNUSED) inactive++; else @@ -632,7 +691,7 @@ void bail(char *text) { void hydra_restore_write(int32_t print_msg) { FILE *f; hydra_brain brain; - char mynull[4] = { 0, 0, 0, 0 }, buf[4]; + char mynull[4] = {0, 0, 0, 0}, buf[4]; int32_t i = 0, j = 0; hydra_head hh; @@ -648,7 +707,7 @@ void hydra_restore_write(int32_t print_msg) { } if ((f = fopen(RESTOREFILE, "w")) == NULL) { - fprintf(stderr, "[ERROR] Can not create restore file (%s) - \n", RESTOREFILE); + fprintf(stderr, "[ERROR] Can not create restore file (%s) - ", RESTOREFILE); perror(""); process_restore = 0; return; @@ -659,7 +718,7 @@ void hydra_restore_write(int32_t print_msg) { buf[0] = VERSION[1]; buf[1] = VERSION[3]; buf[2] = sizeof(int32_t) % 256; - buf[3] = sizeof(hydra_target*) % 256; + buf[3] = sizeof(hydra_target *) % 256; fwrite(buf, 1, 4, f); memcpy(&brain, &hydra_brains, sizeof(hydra_brain)); brain.targets = i; 
@@ -684,8 +743,7 @@ void hydra_restore_write(int32_t print_msg) { for (j = 0; j < hydra_brains.targets; j++) if (hydra_targets[j]->done != TARGET_FINISHED) { fck = fwrite(hydra_targets[j], sizeof(hydra_target), 1, f); - fprintf(f, "%s\n%d\n%d\n", hydra_targets[j]->target == NULL ? "" : hydra_targets[j]->target, (int32_t) (hydra_targets[j]->login_ptr - login_ptr), - (int32_t) (hydra_targets[j]->pass_ptr - pass_ptr)); + fprintf(f, "%s\n%d\n%d\n", hydra_targets[j]->target == NULL ? "" : hydra_targets[j]->target, (int32_t)(hydra_targets[j]->login_ptr - login_ptr), (int32_t)(hydra_targets[j]->pass_ptr - pass_ptr)); fprintf(f, "%s\n%s\n", hydra_targets[j]->login_ptr, hydra_targets[j]->pass_ptr); if (hydra_targets[j]->redo) for (i = 0; i < hydra_targets[j]->redo; i++) 
@@ -695,21 +753,21 @@ void hydra_restore_write(int32_t print_msg) { fprintf(f, "%s\n", hydra_targets[j]->skiplogin[i]); } for (j = 0; j < hydra_options.max_use; j++) { - memcpy((char *) &hh, hydra_heads[j], sizeof(hydra_head)); + memcpy((char *)&hh, hydra_heads[j], sizeof(hydra_head)); if (j == 0 && debug) { printf("[DEBUG] sizeof hydra_head: %lu\n", sizeof(hydra_head)); printf("[DEBUG] memcmp: %d\n", memcmp(hydra_heads[j], &hh, sizeof(hydra_head))); } - hh.active = 0; // re-enable disabled heads - if ((hh.current_login_ptr != NULL && hh.current_login_ptr != empty_login) - || (hh.current_pass_ptr != NULL && hh.current_pass_ptr != empty_login)) { + hh.active = 0; // re-enable disabled heads + if ((hh.current_login_ptr != NULL && hh.current_login_ptr != empty_login) || (hh.current_pass_ptr != NULL && hh.current_pass_ptr != empty_login)) { hh.redo = 1; if (print_msg && debug) - printf("[DEBUG] we will redo the following combination: target %s child %d login \"%s\" pass \"%s\"\n", hydra_targets[hh.target_no]->target, - j, hh.current_login_ptr, hh.current_pass_ptr); + printf("[DEBUG] we will redo the following combination: target %s " + "child %d login \"%s\" pass \"%s\"\n", + hydra_targets[hh.target_no]->target, j, hh.current_login_ptr, hh.current_pass_ptr); } - fck = fwrite((char *) &hh, sizeof(hydra_head), 1, f); - if (hh.redo /* && (hydra_options.bfg == 0 || (hh.current_pass_ptr == hydra_targets[hh.target_no]->bfg_ptr[j] && isprint((char) hh.current_pass_ptr[0]))) */ ) + fck = fwrite((char *)&hh, sizeof(hydra_head), 1, f); + if (hh.redo /* && (hydra_options.bfg == 0 || (hh.current_pass_ptr == hydra_targets[hh.target_no]->bfg_ptr[j] && isprint((char) hh.current_pass_ptr[0]))) */) fprintf(f, "%s\n%s\n", hh.current_login_ptr == NULL ? "" : hh.current_login_ptr, hh.current_pass_ptr == NULL ? "" : hh.current_pass_ptr); else fprintf(f, "\n\n"); 
@@ -720,7 +778,8 @@ void hydra_restore_write(int32_t print_msg) { if (debug) printf("[DEBUG] done writing session file\n"); if (print_msg) - printf("The session file ./hydra.restore was written. Type \"hydra -R\" to resume session.\n"); + printf("The session file ./hydra.restore was written. Type \"hydra -R\" to " + "resume session.\n"); hydra_debug(0, "hydra_restore_write()"); } @@ -745,7 +804,7 @@ void hydra_restore_read() { exit(-1); } - if ((fck = (int32_t) fread(buf, 1, 4, f)) != 4) { + if ((fck = (int32_t)fread(buf, 1, 4, f)) != 4) { fprintf(stderr, "[ERROR] invalid restore file (platform)\n"); exit(-1); } @@ -754,14 +813,18 @@ void hydra_restore_read() { exit(-1); } if (buf[0] != VERSION[1] || buf[1] != VERSION[3]) - fprintf(stderr, "[WARNING] restore file was created by version %c.%c, this is version %s\n", buf[0], buf[2], VERSION); - if (buf[2] != sizeof(int32_t) % 256 || buf[3] != sizeof(hydra_head*) % 256) { - fprintf(stderr, "[ERROR] restore file was created on a different, incompatible processor platform!\n"); + fprintf(stderr, + "[WARNING] restore file was created by version %c.%c, this is " + "version %s\n", + buf[0], buf[1], VERSION); + if (buf[2] != sizeof(int32_t) % 256 || buf[3] != sizeof(hydra_head *) % 256) { + fprintf(stderr, "[ERROR] restore file was created on a different, " + "incompatible processor platform!\n"); exit(-1); } - fck = (int32_t) fread(&bf_options, sizeof(bf_options), 1, f); - fck = (int32_t) fread(mynull, sizeof(mynull), 1, f); + fck = (int32_t)fread(&bf_options, sizeof(bf_options), 1, f); + fck = (int32_t)fread(mynull, sizeof(mynull), 1, f); if (debug) printf("[DEBUG] reading restore file: Step 1 complete\n"); if (mynull[0] + mynull[1] + mynull[2] + mynull[3] == 0) { 
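Review bot: The version check still only warns (`[WARNING] restore file was created by version %c.%c ...`) and then goes on to `fread` bf_options, hydra_brains and hydra_options as raw structs; the layout check below it covers only `sizeof(int32_t)` and the pointer size, so a restore file from a release whose structs changed (this very commit adds `miscptr` to hydra_target) is parsed into the wrong offsets without any further diagnostic. Since the restore file is read from the working directory with fread into structs holding pointers and cannot be assumed intact, consider promoting the version mismatch to an error, or writing `sizeof(hydra_target)` and `sizeof(hydra_head)` into the header in hydra_restore_write and rejecting a mismatch here. The `buf[1]` fix in the warning is correct. hydra_restore_read() continues past this hunk.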
@@ -774,9 +837,9 @@ void hydra_restore_read() { if (debug) printf("[DEBUG] reading restore file: Step 2 complete\n"); - fck = (int32_t) fread(&hydra_brains, sizeof(hydra_brain), 1, f); + fck = (int32_t)fread(&hydra_brains, sizeof(hydra_brain), 1, f); hydra_brains.ofp = stdout; - fck = (int32_t) fread(&hydra_options, sizeof(hydra_option), 1, f); + fck = (int32_t)fread(&hydra_options, sizeof(hydra_option), 1, f); hydra_options.restore = 1; verbose = hydra_options.verbose; debug = hydra_options.debug; 
@@ -829,23 +892,39 @@ void hydra_restore_read() { printf("[DEBUG] reading restore file: Step 8 complete\n"); login_ptr = malloc(hydra_brains.sizelogin + hydra_brains.countlogin + 8); - fck = (int32_t) fread(login_ptr, hydra_brains.sizelogin + hydra_brains.countlogin + 8, 1, f); + if (!login_ptr) { + fprintf(stderr, "Error: malloc(%lu) failed\n", hydra_brains.sizelogin + hydra_brains.countlogin + 8); + exit(-1); + } + fck = (int32_t)fread(login_ptr, hydra_brains.sizelogin + hydra_brains.countlogin + 8, 1, f); if (debug) printf("[DEBUG] reading restore file: Step 9 complete\n"); - if (!check_flag(hydra_options.mode, MODE_COLON_FILE)) { // NOT colonfile mode + if (!check_flag(hydra_options.mode, MODE_COLON_FILE)) { // NOT colonfile mode pass_ptr = malloc(hydra_brains.sizepass + hydra_brains.countpass + 8); - fck = (int32_t) fread(pass_ptr, hydra_brains.sizepass + hydra_brains.countpass + 8, 1, f); - } else { // colonfile mode - hydra_options.colonfile = empty_login; // dummy + if (!pass_ptr) { + fprintf(stderr, "Error: malloc(%lu) failed\n", hydra_brains.sizepass + hydra_brains.countpass + 8); + exit(-1); + } + fck = (int32_t)fread(pass_ptr, hydra_brains.sizepass + hydra_brains.countpass + 8, 1, f); + } else { // colonfile mode + hydra_options.colonfile = empty_login; // dummy pass_ptr = csv_ptr = login_ptr; } if (debug) printf("[DEBUG] reading restore file: Step 10 complete\n"); - hydra_targets = (hydra_target **) malloc((hydra_brains.targets + 3) * sizeof(hydra_target*)); + hydra_targets = (hydra_target **)malloc((hydra_brains.targets + 3) * sizeof(hydra_target *)); + if (!hydra_targets) { + fprintf(stderr, "Error: malloc(%lu) failed\n", (hydra_brains.targets + 3) * sizeof(hydra_target *)); + exit(-1); + } for (j = 0; j < hydra_brains.targets; j++) { hydra_targets[j] = malloc(sizeof(hydra_target)); - fck = (int32_t) fread(hydra_targets[j], sizeof(hydra_target), 1, f); + if (!hydra_targets[j]) { + fprintf(stderr, "Error: malloc(%lu) failed\n", sizeof(hydra_target)); 
+ exit(-1); + } + fck = (int32_t)fread(hydra_targets[j], sizeof(hydra_target), 1, f); sck = fgets(out, sizeof(out), f); if (out[0] != 0 && out[strlen(out) - 1] == '\n') out[strlen(out) - 1] = 0; @@ -855,7 +934,7 @@ void hydra_restore_read() { hydra_targets[j]->login_ptr = login_ptr + atoi(out); sck = fgets(out, sizeof(out), f); hydra_targets[j]->pass_ptr = pass_ptr + atoi(out); - sck = fgets(out, sizeof(out), f); // target login_ptr, ignord + sck = fgets(out, sizeof(out), f); // target login_ptr, ignord sck = fgets(out, sizeof(out), f); if (hydra_options.bfg) { if (out[0] != 0 && out[strlen(out) - 1] == '\n') @@ -864,7 +943,8 @@ void hydra_restore_read() { strcpy(hydra_targets[j]->pass_ptr, out); } if (hydra_targets[j]->redo > 0) { - if (debug) printf("[DEBUG] target %d redo %d\n", j, hydra_targets[j]->redo); + if (debug) + printf("[DEBUG] target %d redo %d\n", j, hydra_targets[j]->redo); for (i = 0; i < hydra_targets[j]->redo; i++) { sck = fgets(out, sizeof(out), f); if (out[0] != 0 && out[strlen(out) - 1] == '\n') 
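Review bot: The new allocation-failure messages use `"Error: malloc(%lu) failed\n"` with size_t or 64-bit arguments; elsewhere this commit switches 64-bit counters to `%" hPRIu64 "` precisely because `%lu` is wrong on LLP64 and 32-bit targets, so these should be `%zu` for the `sizeof(...)` products and `%" hPRIu64 "` with a `(uint64_t)` cast for the sizelogin/sizepass sums, and the prefix should follow the file's `[ERROR] ` convention. The same applies to the two messages in the hydra_heads hunk further down. Separately, `fread(hydra_targets[j], sizeof(hydra_target), 1, f)` restores the struct raw and only login_ptr/pass_ptr are re-based afterwards; the `miscptr` member this commit adds to hydra_target will carry the writing process's pointer value, and hydra_service_init now passes `t->miscptr` to the module init — unless it is reassigned somewhere outside this diff, a resumed session hands a stale pointer to the module.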
@@ -894,15 +974,24 @@ void hydra_restore_read() { } if (debug) printf("[DEBUG] reading restore file: Step 11 complete\n"); - hydra_heads = malloc(sizeof(hydra_head*) * hydra_options.max_use); + hydra_heads = malloc(sizeof(hydra_head *) * hydra_options.max_use); + if (!hydra_heads) { + fprintf(stderr, "Error: malloc(%lu) failed\n", sizeof(hydra_head *) * hydra_options.max_use); + exit(-1); + } for (j = 0; j < hydra_options.max_use; j++) { hydra_heads[j] = malloc(sizeof(hydra_head)); - fck = (int32_t) fread(hydra_heads[j], sizeof(hydra_head), 1, f); + if (!hydra_heads[j]) { + fprintf(stderr, "Error: malloc(%lu) failed\n", sizeof(hydra_head)); + exit(-1); + } + fck = (int32_t)fread(hydra_heads[j], sizeof(hydra_head), 1, f); hydra_heads[j]->sp[0] = -1; hydra_heads[j]->sp[1] = -1; sck = fgets(out, sizeof(out), f); if (hydra_heads[j]->redo) { - if (debug) printf("[DEBUG] head %d redo\n", j); + if (debug) + printf("[DEBUG] head %d redo\n", j); if (out[0] != 0 && out[strlen(out) - 1] == '\n') out[strlen(out) - 1] = 0; hydra_heads[j]->current_login_ptr = malloc(strlen(out) + 1); @@ -945,7 +1034,7 @@ void killed_childs(int32_t signo) { int32_t pid, i; killed++; - pid = wait3(NULL, WNOHANG, NULL); + pid = waitpid(-1, NULL, WNOHANG); for (i = 0; i < hydra_options.max_use; i++) { if (pid == hydra_heads[i]->pid) { hydra_heads[i]->pid = -1; @@ -956,8 +1045,8 @@ void killed_childs(int32_t signo) { } void killed_childs_report(int32_t signo) { - //if (debug) - printf("[ERROR] children crashed! (%d)\n", child_head_no); + // if (debug) + printf("[ERROR] children crashed! (%d)\n", child_head_no); fck = write(child_socket, "E", 1); _exit(-1); } @@ -980,7 +1069,7 @@ void kill_children(int32_t signo) { exit(0); } -uint64_t countlines(FILE * fd, int32_t colonmode) { +uint64_t countlines(FILE *fd, int32_t colonmode) { size_t clines = 0; char *buf = malloc(MAXLINESIZE); int32_t only_one_empty_line = 0; 
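Review bot: `pid = waitpid(-1, NULL, WNOHANG);` in killed_childs() reaps a single child per SIGCHLD delivery, as wait3() did before; because pending SIGCHLD signals coalesce, two children exiting close together leave one zombie and one head whose pid is never reset. A `while ((pid = waitpid(-1, NULL, WNOHANG)) > 0)` loop around the head scan would drain all exited children; the remainder of the handler is outside this hunk, so the exact loop shape cannot be confirmed here. A comment on the replaced call, e.g. `// waitpid(-1, WNOHANG) is the portable equivalent of wait3(NULL, WNOHANG, NULL)`, would record why the call changed.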
@@ -1022,19 +1111,21 @@ uint64_t countlines(FILE * fd, int32_t colonmode) { return clines; } -void fill_mem(char *ptr, FILE * fd, int32_t colonmode) { +void fill_mem(char *ptr, FILE *fd, int32_t colonmode) { char tmp[MAXBUF + 4] = "", *ptr2; uint32_t len; int32_t only_one_empty_line = 0; + + int read_flag = 0; #ifdef HAVE_ZLIB gzFile fp = gzdopen(fileno(fd), "r"); - while (!gzeof(fp)) { + while (!gzeof(fp) && !read_flag) { if (gzgets(fp, tmp, MAXLINESIZE) != NULL) { #else FILE *fp = fd; - while (!feof(fp)) { + while (!feof(fp) && !read_flag) { if (fgets(tmp, MAXLINESIZE, fp) != NULL) { #endif if (tmp[0] != 0) { @@ -1049,8 +1140,11 @@ void fill_mem(char *ptr, FILE * fd, int32_t colonmode) { tmp[len] = 0; } if (colonmode) { - if ((ptr2 = index(tmp, ':')) == NULL) { - fprintf(stderr, "[ERROR] invalid line in colon file (-C), missing colon in line: %s\n", tmp); + if ((ptr2 = strchr(tmp, ':')) == NULL) { + fprintf(stderr, + "[ERROR] invalid line in colon file (-C), missing colon " + "in line: %s\n", + tmp); exit(-1); } else { *ptr2 = 0; @@ -1062,6 +1156,8 @@ void fill_mem(char *ptr, FILE * fd, int32_t colonmode) { ptr++; } } + } else { + read_flag = 1; } } #ifdef HAVE_ZLIB 
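Review bot: `int read_flag = 0;` is the only plain `int` among the file's `int32_t` locals (see `int32_t only_one_empty_line` right above it), and the name does not say what it flags: it is set in the new `else { read_flag = 1; }` branch when fgets/gzgets returns NULL, i.e. it is an end-of-input marker that stops the loop before `feof`/`gzeof` would. `int32_t eof_reached = 0;` with the comment `// set when fgets/gzgets returns NULL so the loop ends on a short read` would make the loop condition self-explanatory. The strchr change is a welcome fix, since `index()` is a legacy BSD name. fill_mem()'s body continues outside these hunks.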
@@ -1079,23 +1175,22 @@ char *hydra_build_time() { time(&epoch); the_time = localtime(&epoch); strftime(datetime, sizeof(datetime), "%Y-%m-%d %H:%M:%S", the_time); - return (char *) &datetime; + return (char *)&datetime; } void hydra_service_init(int32_t target_no) { int32_t x = 99; int32_t i; - hydra_target* t = hydra_targets[target_no]; - char* miscptr = hydra_options.miscptr; - FILE* ofp = hydra_brains.ofp; + hydra_target *t = hydra_targets[target_no]; + FILE *ofp = hydra_brains.ofp; for (i = 0; x == 99 && i < sizeof(services) / sizeof(services[0]); i++) { - if (strcmp(hydra_options.service, services[i].name) == 0) { - if (services[i].init) { - x = services[i].init(t->ip, -1, options, miscptr, ofp, t->port, t->target); - break; - } + if (strcmp(hydra_options.service, services[i].name) == 0) { + if (services[i].init) { + x = services[i].init(t->ip, -1, options, t->miscptr, ofp, t->port, t->target); + break; } + } } // dirty workaround here: @@ -1110,8 +1205,20 @@ void hydra_service_init(int32_t target_no) { else hydra_targets[target_no]->done = TARGET_ERROR; hydra_brains.finished++; - if (hydra_brains.targets == 1) + if (hydra_brains.targets == 1) { + if (hydra_brains.ofp != NULL && hydra_brains.ofp != stdout) { + if (hydra_options.outfile_format == FORMAT_JSONV1) { + char json_error[120]; + snprintf(json_error, sizeof(json_error), "[ERROR] unexpected result connecting to target %s port %d", hydra_address2string_beautiful(t->ip), t->port); + fprintf(hydra_brains.ofp, + "\n\t],\n\"success\": false,\n\"errormessages\": [ \"%s\" " + "],\n\"quantityfound\": %" hPRIu64 " }\n", + json_error, hydra_brains.found); + } + fclose(hydra_brains.ofp); + } exit(-1); + } } } 
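Review bot: The JSON-closing block added to hydra_service_init runs only when `hydra_brains.ofp` is neither NULL nor stdout, so if FORMAT_JSONV1 output can be directed to stdout the document emitted there is left without its closing `]`/`}` on this error path — either handle that case or document why it cannot occur. `json_error` is spliced into the JSON string via `%s` without escaping; that holds only while `hydra_address2string_beautiful()` yields nothing but address characters, and a comment recording the assumption, `// address text contains no characters that need JSON escaping`, would keep the next edit honest. If the same closing fragment is emitted elsewhere in hydra.c, a small helper such as `hydra_json_close(FILE *ofp, const char *errmsg)` would keep the two in sync. hydra_service_init continues outside the hunk.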
@@ -1131,7 +1238,7 @@ int32_t hydra_spawn_head(int32_t head_no, int32_t target_no) {
 
 if (socketpair(PF_UNIX, SOCK_STREAM, 0, hydra_heads[head_no]->sp) == 0) {
 child_head_no = head_no;
- if ((hydra_heads[head_no]->pid = fork()) == 0) { // THIS IS THE CHILD
+ if ((hydra_heads[head_no]->pid = fork()) == 0) { // THIS IS THE CHILD
 // set new signals for child
 process_restore = 0;
 child_socket = hydra_heads[head_no]->sp[1];
@@ -1162,24 +1269,25 @@ int32_t hydra_spawn_head(int32_t head_no, int32_t target_no) { if (debug) printf("[DEBUG] head_no %d has pid %d\n", head_no, getpid()); - hydra_target* t = hydra_targets[target_no]; + hydra_target *t = hydra_targets[target_no]; int32_t sp = hydra_heads[head_no]->sp[1]; - char* miscptr = hydra_options.miscptr; - FILE* ofp = hydra_brains.ofp; - hydra_target* head_target = hydra_targets[hydra_heads[head_no]->target_no]; + // char *miscptr = hydra_options.miscptr; + FILE *ofp = hydra_brains.ofp; + hydra_target *head_target = hydra_targets[hydra_heads[head_no]->target_no]; for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) { - if (strcmp(hydra_options.service, services[i].name) == 0) { - if (services[i].exec) { - services[i].exec(t->ip, sp, options, miscptr, ofp, t->port, head_target->target); - // just in case a module returns (which it shouldnt) we let it exit here - exit(-1); - } + if (strcmp(hydra_options.service, services[i].name) == 0) { + if (services[i].exec) { + services[i].exec(t->ip, sp, options, t->miscptr, ofp, t->port, head_target->target); + // just in case a module returns (which it shouldnt) we let it exit + // here + exit(-1); } + } } // FIXME: dirty workaround here if (strcmp(hydra_options.service, "xmpp") == 0) { - service_xmpp(hydra_targets[target_no]->target, hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target); + service_xmpp(hydra_targets[target_no]->target, hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, hydra_options.miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target); } // just in case a module returns (which it shouldnt) we let it exit here 
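Review bot: The xmpp workaround at the end of this hunk still passes `hydra_options.miscptr`, while the generic `services[i].exec(...)` call just above was switched to the per-target `t->miscptr` (as hydra_service_init was in this commit); unless xmpp is meant to ignore per-target options, the call should read `service_xmpp(hydra_targets[target_no]->target, hydra_targets[target_no]->ip, hydra_heads[head_no]->sp[1], options, t->miscptr, hydra_brains.ofp, hydra_targets[target_no]->port, hydra_targets[hydra_heads[head_no]->target_no]->target);`. The commented-out `// char *miscptr = hydra_options.miscptr;` is dead code and should be deleted rather than kept as a comment. hydra_spawn_head continues on both sides of the hunk.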
@@ -1187,8 +1295,11 @@ int32_t hydra_spawn_head(int32_t head_no, int32_t target_no) { } else { child_head_no = -1; if (hydra_heads[head_no]->pid > 0) { - fck = write(hydra_heads[head_no]->sp[1], "n", 1); // yes, a small "n" - this way we can distinguish later if the client successfully tested a pair and is requesting a new one or the mother did that - (void) fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK); + fck = write(hydra_heads[head_no]->sp[1], "n", + 1); // yes, a small "n" - this way we can distinguish later + // if the client successfully tested a pair and is + // requesting a new one or the mother did that + (void)fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK); if (hydra_heads[head_no]->redo != 1) hydra_heads[head_no]->target_no = target_no; hydra_heads[head_no]->active = HEAD_ACTIVE; 
@@ -1216,73 +1327,75 @@ int32_t hydra_spawn_head(int32_t head_no, int32_t target_no) { int32_t hydra_lookup_port(char *service) { int32_t i = 0, port = -2; - hydra_portlist hydra_portlists[] = { - {"ftp", PORT_FTP, PORT_FTP_SSL}, - {"ftps", PORT_FTP, PORT_FTP_SSL}, - {"http-head", PORT_HTTP, PORT_HTTP_SSL}, - {"http-post", PORT_HTTP, PORT_HTTP_SSL}, - {"http-get", PORT_HTTP, PORT_HTTP_SSL}, - {"http-get-form", PORT_HTTP, PORT_HTTP_SSL}, - {"http-post-form", PORT_HTTP, PORT_HTTP_SSL}, - {"https-get-form", PORT_HTTP, PORT_HTTP_SSL}, - {"https-post-form", PORT_HTTP, PORT_HTTP_SSL}, - {"https-head", PORT_HTTP, PORT_HTTP_SSL}, - {"https-get", PORT_HTTP, PORT_HTTP_SSL}, - {"http-proxy", PORT_HTTP_PROXY, PORT_HTTP_PROXY_SSL}, - {"http-proxy-urlenum", PORT_HTTP_PROXY, PORT_HTTP_PROXY_SSL}, - {"icq", PORT_ICQ, PORT_ICQ_SSL}, - {"imap", PORT_IMAP, PORT_IMAP_SSL}, - {"ldap2", PORT_LDAP, PORT_LDAP_SSL}, - {"ldap3", PORT_LDAP, PORT_LDAP_SSL}, - {"ldap3-crammd5", PORT_LDAP, PORT_LDAP_SSL}, - {"ldap3-digestmd5", PORT_LDAP, PORT_LDAP_SSL}, - {"oracle-listener", PORT_ORACLE, PORT_ORACLE_SSL}, - {"oracle-sid", PORT_ORACLE, PORT_ORACLE_SSL}, - {"oracle", PORT_ORACLE, PORT_ORACLE_SSL}, - {"mssql", PORT_MSSQL, PORT_MSSQL_SSL}, - {"mysql", PORT_MYSQL, PORT_MYSQL_SSL}, - {"postgres", PORT_POSTGRES, PORT_POSTGRES_SSL}, - {"pcanywhere", PORT_PCANYWHERE, PORT_PCANYWHERE_SSL}, - {"nntp", PORT_NNTP, PORT_NNTP_SSL}, - {"pcnfs", PORT_PCNFS, PORT_PCNFS_SSL}, - {"pop3", PORT_POP3, PORT_POP3_SSL}, - {"redis", PORT_REDIS, PORT_REDIS_SSL}, - {"rexec", PORT_REXEC, PORT_REXEC_SSL}, - {"rlogin", PORT_RLOGIN, PORT_RLOGIN_SSL}, - {"rsh", PORT_RSH, PORT_RSH_SSL}, - {"sapr3", PORT_SAPR3, PORT_SAPR3_SSL}, - {"smb", PORT_SMBNT, PORT_SMBNT_SSL}, - {"smbnt", PORT_SMBNT, PORT_SMBNT_SSL}, - {"socks5", PORT_SOCKS5, PORT_SOCKS5_SSL}, - {"ssh", PORT_SSH, PORT_SSH_SSL}, - {"sshkey", PORT_SSH, PORT_SSH_SSL}, - {"telnet", PORT_TELNET, PORT_TELNET_SSL}, - {"adam6500", PORT_ADAM6500, PORT_ADAM6500_SSL}, - {"cisco", 
PORT_TELNET, PORT_TELNET_SSL}, - {"cisco-enable", PORT_TELNET, PORT_TELNET_SSL}, - {"vnc", PORT_VNC, PORT_VNC_SSL}, - {"snmp", PORT_SNMP, PORT_SNMP_SSL}, - {"cvs", PORT_CVS, PORT_CVS_SSL}, - {"svn", PORT_SVN, PORT_SVN_SSL}, - {"firebird", PORT_FIREBIRD, PORT_FIREBIRD_SSL}, - {"afp", PORT_AFP, PORT_AFP_SSL}, - {"ncp", PORT_NCP, PORT_NCP_SSL}, - {"smtp", PORT_SMTP, PORT_SMTP_SSL}, - {"smtp-enum", PORT_SMTP, PORT_SMTP_SSL}, - {"teamspeak", PORT_TEAMSPEAK, PORT_TEAMSPEAK_SSL}, - {"sip", PORT_SIP, PORT_SIP_SSL}, - {"vmauthd", PORT_VMAUTHD, PORT_VMAUTHD_SSL}, - {"xmpp", PORT_XMPP, PORT_XMPP_SSL}, - {"irc", PORT_IRC, PORT_IRC_SSL}, - {"rdp", PORT_RDP, PORT_RDP_SSL}, - {"asterisk", PORT_ASTERISK, PORT_ASTERISK_SSL}, - {"s7-300", PORT_S7_300, PORT_S7_300_SSL}, - {"rtsp", PORT_RTSP, PORT_RTSP_SSL}, - {"rpcap", PORT_RPCAP, PORT_RPCAP_SSL}, - {"radmin2", PORT_RADMIN2, PORT_RADMIN2}, - // ADD NEW SERVICES HERE - add new port numbers to hydra.h - {"", PORT_NOPORT, PORT_NOPORT} - }; + hydra_portlist hydra_portlists[] = {{"ftp", PORT_FTP, PORT_FTP_SSL}, + {"ftps", PORT_FTP, PORT_FTP_SSL}, + {"http-head", PORT_HTTP, PORT_HTTP_SSL}, + {"http-post", PORT_HTTP, PORT_HTTP_SSL}, + {"http-get", PORT_HTTP, PORT_HTTP_SSL}, + {"http-get-form", PORT_HTTP, PORT_HTTP_SSL}, + {"http-post-form", PORT_HTTP, PORT_HTTP_SSL}, + {"https-get-form", PORT_HTTP, PORT_HTTP_SSL}, + {"https-post-form", PORT_HTTP, PORT_HTTP_SSL}, + {"https-head", PORT_HTTP, PORT_HTTP_SSL}, + {"https-get", PORT_HTTP, PORT_HTTP_SSL}, + {"http-proxy", PORT_HTTP_PROXY, PORT_HTTP_PROXY_SSL}, + {"http-proxy-urlenum", PORT_HTTP_PROXY, PORT_HTTP_PROXY_SSL}, + {"icq", PORT_ICQ, PORT_ICQ_SSL}, + {"imap", PORT_IMAP, PORT_IMAP_SSL}, + {"ldap2", PORT_LDAP, PORT_LDAP_SSL}, + {"ldap3", PORT_LDAP, PORT_LDAP_SSL}, + {"ldap3-crammd5", PORT_LDAP, PORT_LDAP_SSL}, + {"ldap3-digestmd5", PORT_LDAP, PORT_LDAP_SSL}, + {"oracle-listener", PORT_ORACLE, PORT_ORACLE_SSL}, + {"oracle-sid", PORT_ORACLE, PORT_ORACLE_SSL}, + {"oracle", PORT_ORACLE, 
PORT_ORACLE_SSL}, + {"memcached", PORT_MCACHED, PORT_MCACHED_SSL}, + {"mongodb", PORT_MONGODB, PORT_MONGODB}, + {"mssql", PORT_MSSQL, PORT_MSSQL_SSL}, + {"cobaltstrike", PORT_COBALTSTRIKE, PORT_COBALTSTRIKE_SSL}, + {"mysql", PORT_MYSQL, PORT_MYSQL_SSL}, + {"postgres", PORT_POSTGRES, PORT_POSTGRES_SSL}, + {"pcanywhere", PORT_PCANYWHERE, PORT_PCANYWHERE_SSL}, + {"nntp", PORT_NNTP, PORT_NNTP_SSL}, + {"pcnfs", PORT_PCNFS, PORT_PCNFS_SSL}, + {"pop3", PORT_POP3, PORT_POP3_SSL}, + {"redis", PORT_REDIS, PORT_REDIS_SSL}, + {"rexec", PORT_REXEC, PORT_REXEC_SSL}, + {"rlogin", PORT_RLOGIN, PORT_RLOGIN_SSL}, + {"rsh", PORT_RSH, PORT_RSH_SSL}, + {"sapr3", PORT_SAPR3, PORT_SAPR3_SSL}, + {"smb", PORT_SMBNT, PORT_SMBNT_SSL}, + {"smb2", PORT_SMBNT, PORT_SMBNT_SSL}, + {"smbnt", PORT_SMBNT, PORT_SMBNT_SSL}, + {"socks5", PORT_SOCKS5, PORT_SOCKS5_SSL}, + {"ssh", PORT_SSH, PORT_SSH_SSL}, + {"sshkey", PORT_SSH, PORT_SSH_SSL}, + {"telnet", PORT_TELNET, PORT_TELNET_SSL}, + {"adam6500", PORT_ADAM6500, PORT_ADAM6500_SSL}, + {"cisco", PORT_TELNET, PORT_TELNET_SSL}, + {"cisco-enable", PORT_TELNET, PORT_TELNET_SSL}, + {"vnc", PORT_VNC, PORT_VNC_SSL}, + {"snmp", PORT_SNMP, PORT_SNMP_SSL}, + {"cvs", PORT_CVS, PORT_CVS_SSL}, + {"svn", PORT_SVN, PORT_SVN_SSL}, + {"firebird", PORT_FIREBIRD, PORT_FIREBIRD_SSL}, + {"afp", PORT_AFP, PORT_AFP_SSL}, + {"ncp", PORT_NCP, PORT_NCP_SSL}, + {"smtp", PORT_SMTP, PORT_SMTP_SSL}, + {"smtp-enum", PORT_SMTP, PORT_SMTP_SSL}, + {"teamspeak", PORT_TEAMSPEAK, PORT_TEAMSPEAK_SSL}, + {"sip", PORT_SIP, PORT_SIP_SSL}, + {"vmauthd", PORT_VMAUTHD, PORT_VMAUTHD_SSL}, + {"xmpp", PORT_XMPP, PORT_XMPP_SSL}, + {"irc", PORT_IRC, PORT_IRC_SSL}, + {"rdp", PORT_RDP, PORT_RDP_SSL}, + {"asterisk", PORT_ASTERISK, PORT_ASTERISK_SSL}, + {"s7-300", PORT_S7_300, PORT_S7_300_SSL}, + {"rtsp", PORT_RTSP, PORT_RTSP_SSL}, + {"rpcap", PORT_RPCAP, PORT_RPCAP_SSL}, + {"radmin2", PORT_RADMIN2, PORT_RADMIN2}, + // ADD NEW SERVICES HERE - add new port numbers to hydra.h + {"", PORT_NOPORT, 
PORT_NOPORT}}; while (strlen(hydra_portlists[i].name) > 0 && port == -2) { if (strcmp(service, hydra_portlists[i].name) == 0) { 
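Review bot: `hydra_portlists[]` in hydra_lookup_port is a non-const automatic array, so all of its entries are rebuilt on the stack on every call; declaring it `static const hydra_portlist hydra_portlists[] = {...};` turns it into read-only data and removes the per-call copy (the loop only reads it, and the sentinel test can become `hydra_portlists[i].name[0] != 0`). The new `{"mongodb", PORT_MONGODB, PORT_MONGODB}` entry reuses the plain port as the SSL port, like `radmin2`; if that is deliberate, a trailing `// no separate TLS port` comment stops the next reader from treating it as a copy-paste slip. The rest of hydra_lookup_port lies outside the hunk.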
@@ -1334,28 +1447,28 @@ void hydra_kill_head(int32_t head_no, int32_t killit, int32_t fail) { if (hydra_heads[head_no]->pid > 0 && killit) kill(hydra_heads[head_no]->pid, SIGKILL); hydra_heads[head_no]->pid = -1; - if (fail < 1 && hydra_heads[head_no]->target_no >= 0 && hydra_options.bfg && hydra_targets[hydra_heads[head_no]->target_no]->pass_state == 3 - && strlen(hydra_heads[head_no]->current_pass_ptr) > 0 && hydra_heads[head_no]->current_pass_ptr != hydra_heads[head_no]->current_login_ptr) { + if (fail < 1 && hydra_heads[head_no]->target_no >= 0 && hydra_options.bfg && hydra_targets[hydra_heads[head_no]->target_no]->pass_state == 3 && strlen(hydra_heads[head_no]->current_pass_ptr) > 0 && hydra_heads[head_no]->current_pass_ptr != hydra_heads[head_no]->current_login_ptr) { free(hydra_heads[head_no]->current_pass_ptr); hydra_heads[head_no]->current_pass_ptr = empty_login; // hydra_bfg_remove(head_no); - // hydra_targets[hydra_heads[head_no]->target_no]->bfg_ptr[head_no] = NULL; + // hydra_targets[hydra_heads[head_no]->target_no]->bfg_ptr[head_no] = + // NULL; } - (void) wait3(NULL, WNOHANG, NULL); + (void)waitpid(-1, NULL, WNOHANG); } void hydra_increase_fail_count(int32_t target_no, int32_t head_no) { int32_t i, k, maxfail = 0; - if (target_no < 0) + if (target_no < 0 || hydra_options.skip_redo) return; if (hydra_targets[target_no]->ok) { - const int32_t tasks = hydra_options.tasks; - const int32_t success = tasks - hydra_targets[target_no]->failed; - const int32_t t = tasks < 5 ? 6 - tasks : 1; - const int32_t s = success < 5 ? 6 - success : 1; - maxfail = MAXFAIL + t + s + 2; + const int32_t tasks = hydra_options.tasks; + const int32_t success = tasks - hydra_targets[target_no]->failed; + const int32_t t = tasks < 5 ? 6 - tasks : 1; + const int32_t s = success < 5 ? 6 - success : 1; + maxfail = MAXFAIL + t + s + 2; } hydra_targets[target_no]->fail_count++; 
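Review bot: The new early return `if (target_no < 0 || hydra_options.skip_redo) return;` in hydra_increase_fail_count skips the whole function, not just the retry list: with `skip_redo` set, `fail_count` is never incremented, so the "Too many connect errors" disabling and the `hydra_kill_head()` calls further down never fire, and the `hydra_options.skip_redo == 0` tests this commit adds inside the redo branches of the next hunk become unreachable. If the option is only meant to suppress re-queuing of login/password pairs, keep the original guard `if (target_no < 0) return;` here and let the inner checks do the work; if it is meant to disable failure accounting as well, that deserves a comment on this line. hydra_increase_fail_count continues beyond this hunk.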
@@ -1368,58 +1481,60 @@ void hydra_increase_fail_count(int32_t target_no, int32_t head_no) { k++; if (k <= 1) { // we need to put this in a list, otherwise we fail one login+pw test - if (hydra_targets[target_no]->done == TARGET_ACTIVE - && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 - && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) - || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { + if (hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.skip_redo == 0 && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { hydra_targets[target_no]->redo_login[hydra_targets[target_no]->redo] = hydra_heads[head_no]->current_login_ptr; hydra_targets[target_no]->redo_pass[hydra_targets[target_no]->redo] = hydra_heads[head_no]->current_pass_ptr; hydra_targets[target_no]->redo++; total_redo_count++; if (debug) - printf("[DEBUG] - will be retried at the end: ip %s - login %s - pass %s - child %d\n", hydra_targets[target_no]->target, - hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no); + printf("[DEBUG] - will be retried at the end: ip %s - login %s - " + "pass %s - child %d\n", + hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no); hydra_heads[head_no]->current_login_ptr = empty_login; hydra_heads[head_no]->current_pass_ptr = empty_login; } if (hydra_targets[target_no]->fail_count >= MAXFAIL + hydra_options.tasks * hydra_targets[target_no]->ok) { - if (hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.max_use == hydra_targets[target_no]->failed) { + if 
(hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.max_use <= hydra_targets[target_no]->failed) { if (hydra_targets[target_no]->ok == 1) hydra_targets[target_no]->done = TARGET_ERROR; // mark target as done by errors else hydra_targets[target_no]->done = TARGET_UNRESOLVED; // mark target as done by unable to connect hydra_brains.finished++; - fprintf(stderr, "[ERROR] Too many connect errors to target, disabling %s://%s%s%s:%d\n", hydra_options.service, hydra_targets[target_no]->ip[0] == 16 - && index(hydra_targets[target_no]->target, ':') != NULL ? "[" : "", hydra_targets[target_no]->target, hydra_targets[target_no]->ip[0] == 16 - && index(hydra_targets[target_no]->target, ':') != NULL ? "]" : "", hydra_targets[target_no]->port); + fprintf(stderr, + "[ERROR] Too many connect errors to target, disabling " + "%s://%s%s%s:%d\n", + hydra_options.service, hydra_targets[target_no]->ip[0] == 16 && strchr(hydra_targets[target_no]->target, ':') != NULL ? "[" : "", hydra_targets[target_no]->target, hydra_targets[target_no]->ip[0] == 16 && strchr(hydra_targets[target_no]->target, ':') != NULL ? 
"]" : "", hydra_targets[target_no]->port); + } else { + hydra_targets[target_no]->failed++; } - if (hydra_brains.targets > hydra_brains.finished) + if (hydra_brains.targets <= hydra_brains.finished) hydra_kill_head(head_no, 1, 0); else hydra_kill_head(head_no, 1, 2); - } // we keep the last one alive as long as it make sense + } + // we keep the last one alive as long as it make sense } else { // we need to put this in a list, otherwise we fail one login+pw test - if (hydra_targets[target_no]->done == TARGET_ACTIVE - && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 - && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) - || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { + if (hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.skip_redo == 0 && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { hydra_targets[target_no]->redo_login[hydra_targets[target_no]->redo] = hydra_heads[head_no]->current_login_ptr; hydra_targets[target_no]->redo_pass[hydra_targets[target_no]->redo] = hydra_heads[head_no]->current_pass_ptr; hydra_targets[target_no]->redo++; total_redo_count++; if (debug) - printf("[DEBUG] - will be retried at the end: ip %s - login %s - pass %s - child %d\n", hydra_targets[target_no]->target, - hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no); + printf("[DEBUG] - will be retried at the end: ip %s - login %s - " + "pass %s - child %d\n", + hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no); hydra_heads[head_no]->current_login_ptr = empty_login; 
hydra_heads[head_no]->current_pass_ptr = empty_login; } - hydra_targets[target_no]->fail_count--; - if (k < 5 && hydra_targets[target_no]->ok) - hydra_targets[target_no]->fail_count--; - if (k == 2 && hydra_targets[target_no]->ok) - hydra_targets[target_no]->fail_count--; - if (hydra_brains.targets > hydra_brains.finished) + /* + hydra_targets[target_no]->fail_count--; + if (k < 5 && hydra_targets[target_no]->ok) + hydra_targets[target_no]->fail_count--; + if (k == 2 && hydra_targets[target_no]->ok) + hydra_targets[target_no]->fail_count--; + */ + if (hydra_brains.targets <= hydra_brains.finished) hydra_kill_head(head_no, 1, 0); else { hydra_kill_head(head_no, 1, 2); @@ -1453,28 +1568,28 @@ char *hydra_reverse_login(int32_t head_no, char *login) { start = hydra_heads[head_no]->reverse; pos = start + j; - while(start < --pos) { - switch( (*pos & 0xF0) >> 4 ) { + while (start < --pos) { + switch ((*pos & 0xF0) >> 4) { case 0xF: /* U+010000-U+10FFFF: four bytes. */ keep = *pos; - *pos = *(pos-3); - *(pos-3) = keep; - keep = *(pos-1); - *(pos-1) = *(pos-2); - *(pos-2) = keep; + *pos = *(pos - 3); + *(pos - 3) = keep; + keep = *(pos - 1); + *(pos - 1) = *(pos - 2); + *(pos - 2) = keep; pos -= 3; break; case 0xE: /* U+000800-U+00FFFF: three bytes. */ keep = *pos; - *pos = *(pos-2); - *(pos-2) = keep; + *pos = *(pos - 2); + *(pos - 2) = keep; pos -= 2; break; case 0xC: /* fall-through */ case 0xD: /* U+000080-U+0007FF: two bytes. */ keep = *pos; - *pos = *(pos-1); - *(pos-1) = keep; + *pos = *(pos - 1); + *(pos - 1) = keep; pos--; break; } 
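Review bot: The block of `fail_count--` adjustments in hydra_increase_fail_count is disabled by wrapping it in `/* ... */` rather than removed; commented-out code with no stated reason is a maintenance trap, so either delete it (history keeps it) or replace it with a one-line comment giving the reason the decrements were dropped. The reversed `if (hydra_brains.targets <= hydra_brains.finished) hydra_kill_head(head_no, 1, 0); else hydra_kill_head(head_no, 1, 2);` in both branches of this hunk flips which kill mode is used while other targets remain, with only the relocated `// we keep the last one alive as long as it make sense` nearby; a comment stating what `fail` values 0 and 2 mean to hydra_kill_head would let a reader confirm the inversion is intended. The function starts before this hunk.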
@@ -1483,13 +1598,80 @@ char *hydra_reverse_login(int32_t head_no, char *login) { return hydra_heads[head_no]->reverse; } +void delete_junk_files(){ + remove(junk_file); +} + +FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ + + if(my_segment > num_segments){ + fprintf(stderr, "[ERROR] in option -D XofY, X must not be greater than Y: %s\n", hydra_options.passfile); + return NULL; + } + + FILE *output_file; + char line[500]; + char output_file_name[50]; + + uint32_t line_number = 0; + + double total_lines = countlines(file,0); + + if(num_segments > total_lines){ + fprintf(stderr, "[ERROR] in option -D XofY, Y must not be greater than the total number of lines in the file to be divided: %s\n", hydra_options.passfile); + return NULL; + } + + double segment_size_double = total_lines / num_segments; + + // round up segment_size_float to integer + uint64_t segment_size = (uint64_t)segment_size_double; + if(segment_size < segment_size_double) + segment_size++; + + uint64_t segment_start = segment_size * (my_segment - 1) + 1; + uint64_t segment_end = segment_size * my_segment; + + + + srand(time(NULL)); + int filetag = rand(); + + sprintf(output_file_name, "segment_%d_%d.txt",filetag, my_segment); + output_file = fopen(output_file_name, "w"); + + if(!output_file){ + fprintf(stderr, "[ERROR] Segment file empty: %s\n", hydra_options.passfile); + return NULL; + } + + strcpy(junk_file, output_file_name); + + atexit(delete_junk_files); + + while(fgets(line, sizeof line, file) != NULL && line_number < segment_end){ + line_number++; + + if(line_number >= segment_start && line_number <= segment_end) + fprintf(output_file, "%s", line); + + } + + rewind(file); + fclose(output_file); + output_file = fopen(output_file_name, "r"); + + return output_file; + + } + int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { // variables moved to save stack snpdone = 0; snp_is_redo = 0; snpdont = 0; loop_cnt++; - if (hydra_heads[head_no]->redo && 
hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) { + if (hydra_heads[head_no]->redo == 1 && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) { hydra_heads[head_no]->redo = 0; snp_is_redo = 1; snpdone = 1; 
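Review bot: hydra_divide_file creates the segment file in the current directory under a name derived from `srand(time(NULL)); rand()`, opens it with `fopen(output_file_name, "w")` and later reopens it by name; that is a predictable-name temporary file that follows a pre-planted symlink and races between create and reopen, so it should be created with `mkstemp()` and read back through the same descriptor (sketch below). The range check also misses `my_segment == 0` and `num_segments == 0`: the first makes `segment_size * (my_segment - 1)` wrap on the `uint32_t` and silently yields an empty segment, the second divides by zero in `total_lines / num_segments` before the `(uint64_t)` cast. `char line[500]` splits any longer input line into several `fgets` pieces, each counted in `line_number`, while countlines() reads with a MAXLINESIZE buffer, so segment boundaries drift on long lines; size `line` with MAXLINESIZE. `strcpy(junk_file, output_file_name)` should be bounded (`snprintf(junk_file, sizeof junk_file, "%s", output_file_name)` if `junk_file` is an array), and the `"[ERROR] Segment file empty"` text on a failed fopen describes the wrong failure.
```c
  if (my_segment == 0 || num_segments == 0 || my_segment > num_segments) {
    fprintf(stderr, "[ERROR] in option -D XofY, X and Y must be at least 1 and X must not be greater than Y: %s\n", hydra_options.passfile);
    return NULL;
  }

  FILE *output_file;
  char line[MAXLINESIZE];                                  // same bound countlines() uses
  char output_file_name[] = "hydra_segment_XXXXXX";        // mkstemp() template, filled in place

  // … unchanged: line counting and segment_start/segment_end computation …

  // O_EXCL create with an unpredictable name; keep the descriptor instead of reopening by path
  int fd = mkstemp(output_file_name);
  if (fd < 0 || (output_file = fdopen(fd, "w+")) == NULL) {
    fprintf(stderr, "[ERROR] cannot create temporary segment file for option -D\n");
    return NULL;
  }

  // … unchanged: junk_file bookkeeping, atexit(), copy loop …

  rewind(file);
  rewind(output_file); // same descriptor, now positioned for reading
  return output_file;
```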
@@ -1499,35 +1681,38 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->done = TARGET_FINISHED; hydra_brains.finished++; if (verbose) - printf("[STATUS] attack finished for %s (waiting for children to complete tests)\n", hydra_targets[target_no]->target); + printf("[STATUS] attack finished for %s (waiting for children to " + "complete tests)\n", + hydra_targets[target_no]->target); } return -1; } } if (debug) - printf - ("[DEBUG] send_next_pair_init target %d, head %d, redo %d, redo_state %d, pass_state %d. loop_mode %d, curlogin %s, curpass %s, tlogin %s, tpass %s, logincnt %lu/%lu, passcnt %lu/%lu, loop_cnt %d\n", - target_no, head_no, hydra_targets[target_no]->redo, hydra_targets[target_no]->redo_state, hydra_targets[target_no]->pass_state, hydra_options.loop_mode, - hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, hydra_targets[target_no]->pass_ptr, - hydra_targets[target_no]->login_no, hydra_brains.countlogin, hydra_targets[target_no]->pass_no, hydra_brains.countpass, loop_cnt); + printf("[DEBUG] send_next_pair_init target %d, head %d, redo %d, " + "redo_state %d, pass_state %d. 
loop_mode %d, curlogin %s, curpass " + "%s, tlogin %s, tpass %s, logincnt %" hPRIu64 "/%" hPRIu64 ", passcnt %" hPRIu64 "/%" hPRIu64 ", loop_cnt %d\n", + target_no, head_no, hydra_targets[target_no]->redo, hydra_targets[target_no]->redo_state, hydra_targets[target_no]->pass_state, hydra_options.loop_mode, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, hydra_targets[target_no]->pass_ptr, hydra_targets[target_no]->login_no, hydra_brains.countlogin, hydra_targets[target_no]->pass_no, hydra_brains.countpass, loop_cnt); if (loop_cnt > (hydra_brains.countlogin * 2) + 1 && loop_cnt > (hydra_brains.countpass * 2) + 1) { if (debug) - printf("[DEBUG] too many loops in send_next_pair, returning -1 (loop_cnt %d, sent %lu, todo %lu)\n", loop_cnt, hydra_targets[target_no]->sent, hydra_brains.todo); + printf("[DEBUG] too many loops in send_next_pair, returning -1 (loop_cnt " + "%d, sent %" hPRIu64 ", todo %" hPRIu64 ")\n", + loop_cnt, hydra_targets[target_no]->sent, hydra_brains.todo); return -1; } - if (hydra_heads[head_no]->redo && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) { + if (hydra_heads[head_no]->redo == 1 && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) { hydra_heads[head_no]->redo = 0; snp_is_redo = 1; snpdone = 1; } else { if (debug && (hydra_heads[head_no]->current_login_ptr != NULL || hydra_heads[head_no]->current_pass_ptr != NULL)) - printf("[COMPLETED] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu\n", - hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, - hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo); - hydra_heads[head_no]->redo = 0; + printf("[COMPLETED] target %s - login \"%s\" - pass \"%s\" - child %d - " + "%" hPRIu64 " of %" hPRIu64 "\n", + 
hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo); + // hydra_heads[head_no]->redo = 0; if (hydra_targets[target_no]->redo_state > 0) { if (hydra_targets[target_no]->redo_state <= hydra_targets[target_no]->redo) { hydra_heads[head_no]->current_pass_ptr = hydra_targets[target_no]->redo_pass[hydra_targets[target_no]->redo_state - 1]; @@ -1540,17 +1725,19 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->done = TARGET_FINISHED; hydra_brains.finished++; if (verbose) - printf("[STATUS] attack finished for %s (waiting for children to complete tests)\n", hydra_targets[target_no]->target); + printf("[STATUS] attack finished for %s (waiting for children to " + "complete tests)\n", + hydra_targets[target_no]->target); } loop_cnt = 0; return -1; } - } else { // normale state, no redo + } else { // normale state, no redo if (hydra_targets[target_no]->done != TARGET_ACTIVE) { loop_cnt = 0; - return -1; // head will be disabled by main while() + return -1; // head will be disabled by main while() } - if (hydra_options.loop_mode == 0) { // one user after another + if (hydra_options.loop_mode == 0) { // one user after another if (hydra_targets[target_no]->login_no < hydra_brains.countlogin) { // as we loop password in mode == 0 we set the current login first hydra_heads[head_no]->current_login_ptr = hydra_targets[target_no]->login_ptr; 
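Review bot: `// hydra_heads[head_no]->redo = 0;` is left in hydra_send_next_pair as commented-out code with no explanation, and the two tests changed from `if (hydra_heads[head_no]->redo && ...)` to `redo == 1` (here and in the `+1598` hunk) imply `redo` now carries values other than 0/1 that must not be consumed as a plain retry; neither fact is recorded. Delete the dead line or replace it with a comment giving the reason the reset was dropped, and document the meaning of `redo` values other than 1 where the field is declared so both `== 1` tests read as intentional. hydra_send_next_pair continues on both sides of the hunk.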
@@ -1564,7 +1751,8 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->pass_state++; } if (hydra_targets[target_no]->pass_state == 1 && snpdone == 0) { - // small check that there is a login name (could also be emtpy) and if we already tried empty password it would be a double + // small check that there is a login name (could also be emtpy) and + // if we already tried empty password it would be a double if (hydra_options.try_null_password) { if (hydra_options.try_password_same_as_login == 0 || (hydra_targets[target_no]->login_ptr != NULL && strlen(hydra_targets[target_no]->login_ptr) > 0)) { hydra_heads[head_no]->current_pass_ptr = empty_login; @@ -1578,11 +1766,10 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->pass_state++; } if (hydra_targets[target_no]->pass_state == 2 && snpdone == 0) { - // small check that there is a login name (could also be emtpy) and if we already tried empty password it would be a double + // small check that there is a login name (could also be emtpy) and + // if we already tried empty password it would be a double if (hydra_options.try_password_reverse_login) { - if ((hydra_options.try_password_same_as_login == 0 - || strcmp(hydra_targets[target_no]->login_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) != 0) - && (hydra_options.try_null_password == 0 || (hydra_targets[target_no]->login_ptr != NULL && strlen(hydra_targets[target_no]->login_ptr) > 0))) { + if ((hydra_options.try_password_same_as_login == 0 || strcmp(hydra_targets[target_no]->login_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) != 0) && (hydra_options.try_null_password == 0 || (hydra_targets[target_no]->login_ptr != NULL && strlen(hydra_targets[target_no]->login_ptr) > 0))) { hydra_heads[head_no]->current_pass_ptr = hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr); snpdone = 1; } else { 
@@ -1595,35 +1782,31 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { } // now we handle the -C -l/-L -p/-P data if (hydra_targets[target_no]->pass_state == 3 && snpdone == 0) { - if (check_flag(hydra_options.mode, MODE_COLON_FILE)) { // colon mode + if (check_flag(hydra_options.mode, MODE_COLON_FILE)) { // colon mode hydra_heads[head_no]->current_login_ptr = hydra_targets[target_no]->login_ptr; hydra_heads[head_no]->current_pass_ptr = hydra_targets[target_no]->pass_ptr; hydra_targets[target_no]->login_no++; snpdone = 1; hydra_targets[target_no]->login_ptr = hydra_targets[target_no]->pass_ptr; - //hydra_targets[target_no]->login_ptr++; + // hydra_targets[target_no]->login_ptr++; while (*hydra_targets[target_no]->login_ptr != 0) hydra_targets[target_no]->login_ptr++; hydra_targets[target_no]->login_ptr++; hydra_targets[target_no]->pass_ptr = hydra_targets[target_no]->login_ptr; - //hydra_targets[target_no]->pass_ptr++; + // hydra_targets[target_no]->pass_ptr++; while (*hydra_targets[target_no]->pass_ptr != 0) hydra_targets[target_no]->pass_ptr++; hydra_targets[target_no]->pass_ptr++; if (strcmp(hydra_targets[target_no]->login_ptr, hydra_heads[head_no]->current_login_ptr) != 0) hydra_targets[target_no]->pass_state = 0; - if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) - || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) - || - (hydra_options.try_password_reverse_login - && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { + if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) || (hydra_options.try_password_reverse_login && 
strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { hydra_brains.sent++; hydra_targets[target_no]->sent++; if (debug) printf("[DEBUG] double detected (-C)\n"); - return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small + return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small } - } else { // standard -l -L -p -P mode + } else { // standard -l -L -p -P mode hydra_heads[head_no]->current_pass_ptr = hydra_targets[target_no]->pass_ptr; hydra_targets[target_no]->pass_no++; // double check 
@@ -1645,22 +1828,18 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->pass_ptr++; hydra_targets[target_no]->pass_ptr++; } - if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) - || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) - || - (hydra_options.try_password_reverse_login - && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { + if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) || (hydra_options.try_password_reverse_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { hydra_brains.sent++; hydra_targets[target_no]->sent++; if (debug) printf("[DEBUG] double detected (-Pp)\n"); - return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small + return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small } snpdone = 1; } } } - } else { // loop_mode == 1 + } else { // loop_mode == 1 if (hydra_targets[target_no]->pass_no < hydra_brains.countpass) { hydra_heads[head_no]->current_login_ptr = hydra_targets[target_no]->login_ptr; if (hydra_targets[target_no]->pass_state == 0) { 
@@ -1679,9 +1858,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { else hydra_heads[head_no]->current_pass_ptr = hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr); } else { - if (hydra_options.bfg && hydra_targets[target_no]->pass_state == 3 - && hydra_heads[head_no]->current_pass_ptr != NULL && - strlen(hydra_heads[head_no]->current_pass_ptr) > 0 && hydra_heads[head_no]->current_pass_ptr != hydra_heads[head_no]->current_login_ptr) + if (hydra_options.bfg && hydra_targets[target_no]->pass_state == 3 && hydra_heads[head_no]->current_pass_ptr != NULL && strlen(hydra_heads[head_no]->current_pass_ptr) > 0 && hydra_heads[head_no]->current_pass_ptr != hydra_heads[head_no]->current_login_ptr) free(hydra_heads[head_no]->current_pass_ptr); hydra_heads[head_no]->current_pass_ptr = strdup(hydra_targets[target_no]->pass_ptr); } @@ -1712,7 +1889,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { if (debug) printf("[DEBUG] bfg new password for next child: %s\n", hydra_targets[target_no]->pass_ptr); #endif - } else { // -p -P mode + } else { // -p -P mode hydra_targets[target_no]->pass_ptr++; while (*hydra_targets[target_no]->pass_ptr != 0) hydra_targets[target_no]->pass_ptr++; 
@@ -1731,14 +1908,12 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->login_ptr++; } if (hydra_targets[target_no]->pass_state == 3 && snpdont == 0) { - if ((hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) < 1) - || (hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) - || (hydra_options.try_password_reverse_login && strcmp(hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr) == 0)) { + if ((hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) < 1) || (hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) || (hydra_options.try_password_reverse_login && strcmp(hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr) == 0)) { hydra_brains.sent++; hydra_targets[target_no]->sent++; if (debug) printf("[DEBUG] double detected (1)\n"); - return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small + return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small } } } 
@@ -1746,16 +1921,16 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { } if (debug) - printf("[DEBUG] send_next_pair_mid done %d, pass_state %d, clogin %s, cpass %s, tlogin %s, tpass %s, redo %d\n", - snpdone, hydra_targets[target_no]->pass_state, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, - hydra_targets[target_no]->pass_ptr, hydra_targets[target_no]->redo); + printf("[DEBUG] send_next_pair_mid done %d, pass_state %d, clogin %s, " + "cpass %s, tlogin %s, tpass %s, redo %d\n", + snpdone, hydra_targets[target_no]->pass_state, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, hydra_targets[target_no]->pass_ptr, hydra_targets[target_no]->redo); // no pair? then we go for redo state if (!snpdone && hydra_targets[target_no]->redo_state == 0 && hydra_targets[target_no]->redo > 0) { if (debug) printf("[DEBUG] Entering redo_state\n"); hydra_targets[target_no]->redo_state++; - return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small + return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small } } @@ -1766,11 +1941,13 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->done = TARGET_FINISHED; hydra_brains.finished++; if (verbose) - printf("[STATUS] attack finished for %s (waiting for children to complete tests)\n", hydra_targets[target_no]->target); + printf("[STATUS] attack finished for %s (waiting for children to " + "complete tests)\n", + hydra_targets[target_no]->target); } } if (hydra_brains.targets > hydra_brains.finished) - hydra_kill_head(head_no, 1, 0); // otherwise done in main while loop + hydra_kill_head(head_no, 1, 0); // otherwise done in main while loop } else { if (hydra_targets[target_no]->skipcnt > 0) { snpj = 0; 
@@ -1802,7 +1979,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->pass_no = 0; hydra_targets[target_no]->pass_state = 0; } - return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small + return hydra_send_next_pair(target_no, head_no); // little trick to keep the code small } } 
@@ -1821,22 +1998,25 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_brains.sent++; hydra_targets[target_no]->sent++; } else if (debug) - printf("[DEBUG] send_next_pair_redo done %d, pass_state %d, clogin %s, cpass %s, tlogin %s, tpass %s, is_redo %d\n", - snpdone, hydra_targets[target_no]->pass_state, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, - hydra_targets[target_no]->pass_ptr, snp_is_redo); - //hydra_dump_data(snpbuf, snpbuflen, "SENT"); + printf("[DEBUG] send_next_pair_redo done %d, pass_state %d, clogin %s, " + "cpass %s, tlogin %s, tpass %s, is_redo %d\n", + snpdone, hydra_targets[target_no]->pass_state, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->login_ptr, hydra_targets[target_no]->pass_ptr, snp_is_redo); + // hydra_dump_data(snpbuf, snpbuflen, "SENT"); fck = write(hydra_heads[head_no]->sp[0], snpbuf, snpbuflen); if (fck < snpbuflen) { if (verbose) fprintf(stderr, "[ERROR] can not write to child %d, restarting it ...\n", head_no); hydra_increase_fail_count(target_no, head_no); loop_cnt = 0; - return 0; // not prevent disabling it, if its needed its already done in the above line + return 0; // not prevent disabling it, if its needed its already done in + // the above line } if (debug || hydra_options.showAttempt) { - printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %lu of %lu [child %d] (%d/%d)\n", - hydra_targets[target_no]->redo_state ? "REDO-" : snp_is_redo ? "RE-" : "", hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, - hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no, hydra_targets[target_no]->redo_state ? 
hydra_targets[target_no]->redo_state - 1 : 0, hydra_targets[target_no]->redo); + printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %" hPRIu64 " of %" hPRIu64 " [child %d] (%d/%d)\n", + hydra_targets[target_no]->redo_state ? "REDO-" + : snp_is_redo ? "RE-" + : "", + hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no, hydra_targets[target_no]->redo_state ? hydra_targets[target_no]->redo_state - 1 : 0, hydra_targets[target_no]->redo); } loop_cnt = 0; return 0; @@ -1861,7 +2041,7 @@ void hydra_skip_user(int32_t target_no, char *username) { hydra_targets[target_no]->skipcnt++; } if (hydra_options.loop_mode == 0 && !check_flag(hydra_options.mode, MODE_COLON_FILE)) { - if (memcmp(username, hydra_targets[target_no]->login_ptr, strlen(username)) == 0) { + if (strcmp(username, hydra_targets[target_no]->login_ptr) == 0) { if (debug) printf("[DEBUG] skipping username %s\n", username); // increase count @@ -1902,7 +2082,8 @@ int32_t hydra_check_for_exit_condition() { if (hydra_heads[i]->active >= HEAD_UNUSED) k = 1; if (k == 0) { - fprintf(stderr, "[ERROR] all children were disabled due too many connection errors\n"); + fprintf(stderr, "[ERROR] all children were disabled due too many " + "connection errors\n"); return -1; } } @@ -1927,7 +2108,7 @@ void process_proxy_line(int32_t type, char *string) { struct addrinfo hints, *res, *p; struct sockaddr_in6 *ipv6 = NULL; struct sockaddr_in *ipv4 = NULL; - + if (string == NULL || string[0] == 0 || string[0] == '#') return; while (*string == ' ' || *string == '\t') 
@@ -1938,7 +2119,7 @@ void process_proxy_line(int32_t type, char *string) { string[strlen(string) - 1] = 0; if (string[strlen(string) - 1] == '\r') string[strlen(string) - 1] = 0; - if (proxy_count > MAX_PROXY_COUNT) { + if (proxy_count >= MAX_PROXY_COUNT) { fprintf(stderr, "[WARNING] maximum amount of proxies loaded, ignoring this entry: %s\n", string); return; } @@ -1950,23 +2131,26 @@ void process_proxy_line(int32_t type, char *string) { } *sep = 0; target_string = sep + 3; - if ((sep = index(target_string, '@')) != NULL) { + if ((sep = strchr(target_string, '@')) != NULL) { auth_string = target_string; *sep = 0; target_string = sep + 1; - if (index(auth_string, ':') == NULL) { - fprintf(stderr, "[WARNING] %s has an invalid authentication definition %s, must be in the format login:pass, entry ignored\n", target_string, auth_string); + if (strchr(auth_string, ':') == NULL) { + fprintf(stderr, + "[WARNING] %s has an invalid authentication definition %s, must " + "be in the format login:pass, entry ignored\n", + target_string, auth_string); return; } } - if ((sep = index(target_string, ':')) != NULL) { + if ((sep = strchr(target_string, ':')) != NULL) { *sep = 0; port_string = sep + 1; - if ((sep = index(port_string, '%')) != NULL) { + if ((sep = strchr(port_string, '%')) != NULL) { *sep = 0; device_string = sep + 1; } - if ((sep = index(port_string, '/')) != NULL) + if ((sep = strchr(port_string, '/')) != NULL) *sep = 0; port = atoi(port_string); if (port < 1 || port > 65535) { 
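Review bot: The trailing-newline strip at the top of this hunk, `string[strlen(string) - 1] = 0;`, has no guard for an empty string: a line that is only whitespace (or just "\n") passes the `string[0] == 0` test that precedes the leading-space loop, and once the '\n' is removed strlen(string) is 0, so the following `if (string[strlen(string) - 1] == '\r')` indexes string[-1]. The lines between the whitespace loop and this hunk are not visible, so if one of them already returns on an empty line this is moot; otherwise add `if (*string == 0) return;` after the leading-whitespace loop and guard the '\r' strip with `strlen(string) > 0 &&`. The `>=` correction for MAX_PROXY_COUNT and the index→strchr swap look right. process_proxy_line continues outside the hunk.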
@@ -1974,19 +2158,28 @@ void process_proxy_line(int32_t type, char *string) { return; } } else { - fprintf(stderr, "[WARNING] %s has not port definition which is required, entry ignored\n", target_string); + fprintf(stderr, + "[WARNING] %s has not port definition which is required, entry " + "ignored\n", + target_string); return; } if (use_proxy == 1 && strcmp(type_string, "http") != 0) { - fprintf(stderr, "[WARNING] %s:// is an invalid type, must be http:// if you use HYDRA_PROXY_HTTP, entry ignored\n", type_string); + fprintf(stderr, + "[WARNING] %s:// is an invalid type, must be http:// if you use " + "HYDRA_PROXY_HTTP, entry ignored\n", + type_string); return; } if (use_proxy == 2 && strcmp(type_string, "connect") != 0 && strcmp(type_string, "socks4") != 0 && strcmp(type_string, "socks5") != 0) { - fprintf(stderr, "[WARNING] %s:// is an invalid type, must be connect://, socks4:// or socks5:// if you use HYDRA_PROXY, entry ignored\n", type_string); + fprintf(stderr, + "[WARNING] %s:// is an invalid type, must be connect://, socks4:// " + "or socks5:// if you use HYDRA_PROXY, entry ignored\n", + type_string); return; } - + memset(&hints, 0, sizeof hints); if (getaddrinfo(target_string, NULL, &hints, &res) != 0) { fprintf(stderr, "[ERROR] could not resolve proxy target %s, entry ignored\n", target_string); @@ -1996,13 +2189,13 @@ void process_proxy_line(int32_t type, char *string) { for (p = res; p != NULL; p = p->ai_next) { #ifdef AF_INET6 if (p->ai_family == AF_INET6) { - if (ipv6 == NULL || memcmp((char *) &ipv6->sin6_addr, fe80, 2) == 0) - ipv6 = (struct sockaddr_in6 *) p->ai_addr; + if (ipv6 == NULL || memcmp((char *)&ipv6->sin6_addr, fe80, 2) == 0) + ipv6 = (struct sockaddr_in6 *)p->ai_addr; } else #endif - if (p->ai_family == AF_INET) { + if (p->ai_family == AF_INET) { if (ipv4 == NULL) - ipv4 = (struct sockaddr_in *) p->ai_addr; + ipv4 = (struct sockaddr_in *)p->ai_addr; } } freeaddrinfo(res); 
@@ -2011,18 +2204,22 @@ void process_proxy_line(int32_t type, char *string) { #ifdef AF_INET6 if (ipv6 != NULL && (ipv4 == NULL || prefer_ipv6)) { if (memcmp(proxy_string_ip[proxy_count] + 1, fe80, 2) == 0 && device_string == NULL) { - fprintf(stderr, "[WARNING] The proxy address %s is a link local address, link local addresses require the interface being defined like this: fe80::1%%eth0, entry ignored\n", target_string); + fprintf(stderr, + "[WARNING] The proxy address %s is a link local address, link " + "local addresses require the interface being defined like this: " + "fe80::1%%eth0, entry ignored\n", + target_string); return; } proxy_string_ip[proxy_count][0] = 16; - memcpy(proxy_string_ip[proxy_count] + 1, (char *) &ipv6->sin6_addr, 16); + memcpy(proxy_string_ip[proxy_count] + 1, (char *)&ipv6->sin6_addr, 16); if (device_string != NULL && strlen(device_string) <= 16) strcpy(proxy_string_ip[proxy_count] + 17, device_string); } else #endif - if (ipv4 != NULL) { + if (ipv4 != NULL) { proxy_string_ip[proxy_count][0] = 4; - memcpy(proxy_string_ip[proxy_count] + 1, (char *) &ipv4->sin_addr, 4); + memcpy(proxy_string_ip[proxy_count] + 1, (char *)&ipv4->sin_addr, 4); } else { fprintf(stderr, "[WARNING] Could not resolve proxy address: %s, entry ignored\n", target_string); return; 
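Review bot: The link-local test `memcmp(proxy_string_ip[proxy_count] + 1, fe80, 2) == 0` at the top of the hunk inspects the output buffer before the `memcpy` a few lines later fills it with ipv6->sin6_addr, so unless proxy_string_ip was populated earlier in process_proxy_line (not visible here) it compares stale or zeroed bytes and a fe80:: proxy without an interface is never rejected. Compare the resolved address instead, mirroring the check in the resolver loop above: `if (memcmp((char *)&ipv6->sin6_addr, fe80, 2) == 0 && device_string == NULL) {`. Separately, `strlen(device_string) <= 16` silently drops a longer interface name, which again leaves a link-local address without a scope; that case should warn and return like the NULL case does. process_proxy_line continues outside this hunk.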
@@ -2034,27 +2231,27 @@ void process_proxy_line(int32_t type, char *string) { } strcpy(proxy_authentication[proxy_count], auth_string); if (strncmp(type_string, "socks", 5) != 0) // so it is web - hydra_tobase64((unsigned char *) proxy_authentication[proxy_count], strlen(proxy_authentication[proxy_count]), strlen(auth_string) * 2 + 8); + hydra_tobase64((unsigned char *)proxy_authentication[proxy_count], strlen(proxy_authentication[proxy_count]), strlen(auth_string) * 2 + 8); } else proxy_authentication[proxy_count] = NULL; strcpy(proxy_string_type[proxy_count], type_string); proxy_string_port[proxy_count] = port; - + if (debug) printf("[DEBUG] count %d type %s target %s port %d auth %s\n", proxy_count, proxy_string_type[proxy_count], target_string, proxy_string_port[proxy_count], proxy_authentication[proxy_count]); proxy_count++; } int main(int argc, char *argv[]) { - char *proxy_string = NULL, *device = NULL, *memcheck, *cmdtarget = NULL; + char *proxy_string = NULL, *device = NULL, *memcheck; char *outfile_format_tmp; - FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp; + FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp, *filecloser=NULL; size_t countinfile = 1, sizeinfile = 0; uint64_t math2; int32_t i = 0, j = 0, k, error = 0, modusage = 0, ignore_restore = 0, do_switch; int32_t head_no = 0, target_no = 0, exit_condition = 0, readres; time_t starttime, elapsed_status, elapsed_restore, status_print = 59, tmp_time; - char *tmpptr, *tmpptr2; + char *tmpptr, *tmpptr2, *tmpptr3; char rc, buf[MAXBUF]; time_t last_attempt = 0; fd_set fdreadheads; 
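Review bot: The new declaration `*filecloser=NULL;` in main() lacks the spaces around `=` that the clang-format pass in this same commit enforces everywhere else; write `*filecloser = NULL`. Neither `filecloser` nor `tmpptr3` is used within the hunk, so their purpose cannot be reviewed here — if filecloser backs the file-handle cleanup its name suggests, a short comment at the declaration would save the next reader a search. The hydra_tobase64 call encodes in place with a capacity of `strlen(auth_string) * 2 + 8`, while the allocation of proxy_authentication[proxy_count] is outside the hunk; confirm it is sized with the same expression. main() continues outside the hunk.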
@@ -2063,7 +2260,9 @@ int main(int argc, char *argv[]) { struct sockaddr_in6 *ipv6 = NULL; struct sockaddr_in *ipv4 = NULL; - printf("%s %s (c) 2019 by %s - Please do not use in military or secret service organizations, or for illegal purposes.\n\n", PROGRAM, VERSION, AUTHOR); + printf("%s %s (c) 2023 by %s & %s - Please do not use in military or secret " + "service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\n", + PROGRAM, VERSION, AUTHOR, AUTHOR2); #ifndef LIBAFP SERVICES = hydra_string_replace(SERVICES, "afp ", ""); strcat(unsupported, "afp "); @@ -2072,6 +2271,14 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "firebird ", ""); strcat(unsupported, "firebird "); #endif +#ifndef LIBMCACHED + SERVICES = hydra_string_replace(SERVICES, "memcached ", ""); + strcat(unsupported, "memcached "); +#endif +#ifndef LIBMONGODB + SERVICES = hydra_string_replace(SERVICES, "mongodb ", ""); + strcat(unsupported, "mongodb "); +#endif #ifndef LIBMYSQLCLIENT SERVICES = hydra_string_replace(SERVICES, "mysql ", "mysql(v4) "); strcat(unsupported, "mysql5 "); @@ -2092,6 +2299,10 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "radmin2 ", ""); strcat(unsupported, "radmin2 "); #endif +#ifndef LIBFREERDP + SERVICES = hydra_string_replace(SERVICES, "rdp ", ""); + strcat(unsupported, "rdp "); +#endif #ifndef LIBSAPR3 SERVICES = hydra_string_replace(SERVICES, "sapr3 ", ""); strcat(unsupported, "sapr3 "); 
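Review bot: The new LIBMCACHED and LIBMONGODB blocks append two more names to `unsupported` with unbounded `strcat`, extending a chain that already has no length check; the declaration of `unsupported` is outside this hunk, so confirm its capacity still covers every name that can be appended when all optional libraries are absent. If it is a fixed array, a bounded append such as `strncat(unsupported, "memcached ", sizeof(unsupported) - strlen(unsupported) - 1);` would make the chain safe to keep growing. main() continues outside the hunk.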
@@ -2106,9 +2317,14 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "svn ", ""); strcat(unsupported, "svn "); #endif +#if !defined(LIBSMBCLIENT) + SERVICES = hydra_string_replace(SERVICES, "smb2 ", ""); + strcat(unsupported, "smb2 "); +#endif + #ifndef LIBOPENSSL // for ftps - SERVICES = hydra_string_replace(SERVICES, " ftps", ""); + SERVICES = hydra_string_replace(SERVICES, "ftp[s]", "ftp"); // for pop3 SERVICES = hydra_string_replace(SERVICES, "pop3[s]", "pop3"); // for imap @@ -2125,8 +2341,6 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, "[-{cram|digest}md5]", ""); // for sip SERVICES = hydra_string_replace(SERVICES, " sip", ""); - // for rdp - SERVICES = hydra_string_replace(SERVICES, " rdp", ""); // for oracle-listener SERVICES = hydra_string_replace(SERVICES, " oracle-listener", ""); // general @@ -2135,6 +2349,7 @@ int main(int argc, char *argv[]) { SERVICES = hydra_string_replace(SERVICES, " oracle-sid", ""); strcat(unsupported, "SSL-services (ftps, sip, rdp, oracle-services, ...) "); #endif + #ifndef HAVE_MATH_H if (strlen(unsupported) > 0) strcat(unsupported, "and "); @@ -2146,8 +2361,8 @@ int main(int argc, char *argv[]) { strcat(unsupported, "regex support "); #endif - (void) setvbuf(stdout, NULL, _IONBF, 0); - (void) setvbuf(stderr, NULL, _IONBF, 0); + (void)setvbuf(stdout, NULL, _IONBF, 0); + (void)setvbuf(stderr, NULL, _IONBF, 0); // set defaults memset(&hydra_options, 0, sizeof(hydra_options)); memset(&hydra_brains, 0, sizeof(hydra_brains)); @@ -2166,6 +2381,7 @@ int main(int argc, char *argv[]) { hydra_options.loginfile = NULL; hydra_options.pass = NULL; hydra_options.passfile = NULL; + hydra_options.distributed = NULL; hydra_options.tasks = TASKS; hydra_options.max_use = MAXTASKS; hydra_options.outfile_format = FORMAT_PLAIN_TEXT; 
@@ -2179,14 +2395,27 @@ int main(int argc, char *argv[]) { help(1); if (argc < 2) help(0); - while ((i = getopt(argc, argv, "hIq64Rde:vVl:fFg:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:")) >= 0) { + while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:D:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:K")) >= 0) { switch (i) { + case 'D': + hydra_options.distributed = optarg; + if (sscanf(hydra_options.distributed, "%dof%d", &my_segment, &num_segments) != 2) { + fprintf(stderr, "Invalid format. Expected format -D XofY where X and Y are integers.\n"); + exit(EXIT_FAILURE); + } + else{ + fprintf(stdout, "Option \'D\': successfully set X to %d and Y to %d\n", my_segment, num_segments); + } + break; case 'h': help(1); break; case 'q': quiet = 1; break; + case 'K': + hydra_options.skip_redo = 1; + break; case 'O': old_ssl = 1; break; @@ -2203,6 +2432,9 @@ int main(int argc, char *argv[]) { hydra_options.restore = 1; hydra_restore_read(); break; + case 'r': + fprintf(stderr, "Warning: the option -r has been removed.\n"); + break; case 'I': ignore_restore = 1; // this is not to be saved in hydra_options! break; @@ -2227,7 +2459,10 @@ int main(int argc, char *argv[]) { hydra_options.mode = hydra_options.mode | MODE_PASSWORD_SAME; break; default: - fprintf(stderr, "[ERROR] unknown mode %c for option -e, only supporting \"n\", \"s\" and \"r\"\n", optarg[i]); + fprintf(stderr, + "[ERROR] unknown mode %c for option -e, only supporting " + "\"n\", \"s\" and \"r\"\n", + optarg[i]); exit(-1); } i++; 
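Review bot: The new `-D` handler accepts any two integers sscanf can parse: `0of4`, `5of2` or `-1of-1` all pass the `!= 2` test and leave my_segment/num_segments with values the segment logic (declared outside this hunk) presumably cannot handle. Add a range check right after the parse, `if (my_segment < 1 || num_segments < 1 || my_segment > num_segments) { fprintf(stderr, "[ERROR] -D expects 1 <= X <= Y\n"); exit(EXIT_FAILURE); }`, and drop the `else{` around the success message, since the error branch already exits and the brace spacing does not match the clang-format style this commit introduces. The success message is also the only option diagnostic here written to stdout without a [INFO]-style prefix; stderr with a prefix would match the surrounding cases. main() continues outside the hunk.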
@@ -2265,12 +2500,12 @@ int main(int argc, char *argv[]) { break; case 'b': outfile_format_tmp = optarg; - if (0==strcasecmp(outfile_format_tmp,"text")) - hydra_options.outfile_format = FORMAT_PLAIN_TEXT; - else if (0==strcasecmp(outfile_format_tmp,"json")) // latest json formatting. - hydra_options.outfile_format = FORMAT_JSONV1; - else if (0==strcasecmp(outfile_format_tmp,"jsonv1")) - hydra_options.outfile_format = FORMAT_JSONV1; + if (strcasecmp(outfile_format_tmp, "text") == 0) + hydra_options.outfile_format = FORMAT_PLAIN_TEXT; + else if (strcasecmp(outfile_format_tmp, "json") == 0) // latest json formatting. + hydra_options.outfile_format = FORMAT_JSONV1; + else if (strcasecmp(outfile_format_tmp, "jsonv1") == 0) + hydra_options.outfile_format = FORMAT_JSONV1; else { fprintf(stderr, "[ERROR] Output file format must be (text, json, jsonv1)\n"); exit(-1); @@ -2293,7 +2528,8 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] waittime must be larger than 0\n"); exit(-1); } else if (waittime < 5) - fprintf(stderr, "[WARNING] the waittime you set is low, this can result in errornous results\n"); + fprintf(stderr, "[WARNING] the waittime you set is low, this can " + "result in errornous results\n"); break; case 'W': hydra_options.conwait = conwait = atoi(optarg); 
@@ -2307,14 +2543,16 @@ int main(int argc, char *argv[]) { if (hydra_options.time_next_attempt < 0) { fprintf(stderr, "[ERROR] -c option value can not be negative\n"); exit(-1); - } + } #else - fprintf(stderr, "[WARNING] -c option can not be used as your operating system is missing the MSG_PEEK feature\n"); + fprintf(stderr, "[WARNING] -c option can not be used as your operating " + "system is missing the MSG_PEEK feature\n"); #endif break; case 'S': #ifndef LIBOPENSSL - fprintf(stderr, "[WARNING] hydra was compiled without SSL support. Install openssl and recompile! Option ignored...\n"); + fprintf(stderr, "[WARNING] hydra was compiled without SSL support. " + "Install openssl and recompile! Option ignored...\n"); hydra_options.ssl = 0; break; #else @@ -2332,7 +2570,8 @@ int main(int argc, char *argv[]) { break; case 'x': #ifndef HAVE_MATH_H - fprintf(stderr, "[ERROR] -x option is not available as math.h was not found at compile time\n"); + fprintf(stderr, "[ERROR] -x option is not available as math.h was not " + "found at compile time\n"); exit(-1); #else if (strcmp(optarg, "-h") == 0) @@ -2356,20 +2595,23 @@ int main(int argc, char *argv[]) { hydra_options.tasks = 1; } - //check if output is redirected from the shell or in a file + // check if output is redirected from the shell or in a file if (colored_output && !isatty(fileno(stdout))) colored_output = 0; #ifdef LIBNCURSES - //then check if the term is color enabled using ncurses lib + // then check if the term is color enabled using ncurses lib if (colored_output) { if (!setupterm(NULL, 1, NULL) && (tigetnum("colors") <= 0)) { colored_output = 0; } + if (cur_term) { + del_curterm(cur_term); + } } #else - //don't want border line effect so disabling color output - //if we are not sure about the term + // don't want border line effect so disabling color output + // if we are not sure about the term colored_output = 0; #endif 
@@ -2378,7 +2620,7 @@ int main(int argc, char *argv[]) { if (hydra_options.restore && argc > 2 + debug + verbose) fprintf(stderr, "[WARNING] options after -R are now honored (since v8.6)\n"); -// bail("no option may be supplied together with -R"); + // bail("no option may be supplied together with -R"); printf("%s (%s) starting at %s\n", PROGRAM, RESOURCE, hydra_build_time()); if (debug) { 
@@ -2388,44 +2630,52 @@ int main(int argc, char *argv[]) { printf("\n"); } if (hydra_options.tasks > 1 && hydra_options.time_next_attempt) - fprintf(stderr, "[WARNING] when using the -c option, you should also set the task per target to one (-t 1)\n"); + fprintf(stderr, "[WARNING] when using the -c option, you should also set " + "the task per target to one (-t 1)\n"); if (hydra_options.login != NULL && hydra_options.loginfile != NULL) bail("You can only use -L OR -l, not both\n"); if (hydra_options.pass != NULL && hydra_options.passfile != NULL) bail("You can only use -P OR -p, not both\n"); if (hydra_options.outfile_format != FORMAT_PLAIN_TEXT && hydra_options.outfile_ptr == NULL) - fprintf(stderr, "[WARNING] output file format specified (-b) - but no output file (-o)\n"); - + fprintf(stderr, "[WARNING] output file format specified (-b) - but no " + "output file (-o)\n"); + if (hydra_options.restore) { -// hydra_restore_read(); + // hydra_restore_read(); // stuff we have to copy from the non-restore part if (strncmp(hydra_options.service, "http-", 5) == 0) { if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY")) - bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - you can use only ONE for the service http-head/http-get/http-post!"); + bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - " + "you can use only ONE for the service " + "http-head/http-get/http-post!"); if (getenv("HYDRA_PROXY_HTTP")) { printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP")); use_proxy = 1; } } - } else { // normal mode, aka non-restore mode + } else { // normal mode, aka non-restore mode if (hydra_options.colonfile) - hydra_options.loop_mode = 0; // just to be sure + hydra_options.loop_mode = 0; // just to be sure if (hydra_options.infile_ptr != NULL) { if (optind + 2 < argc) - bail("The -M FILE option can not be used together with a host on the commandline"); + bail("The -M FILE option can not be used together with a host on the " 
+ "commandline"); if (optind + 1 > argc) bail("You need to define a service to attack"); if (optind + 2 == argc) - fprintf(stderr, "[WARNING] With the -M FILE option you can not specify a server on the commandline. Lets hope you did everything right!\n"); + fprintf(stderr, "[WARNING] With the -M FILE option you can not specify a server on " + "the commandline. Lets hope you did everything right!\n"); hydra_options.server = NULL; hydra_options.service = argv[optind]; if (optind + 2 == argc) hydra_options.miscptr = argv[optind + 1]; } else if (optind + 2 != argc && optind + 3 != argc && optind < argc) { - // check if targetdef follow syntax ://[:][/] or it's a syntax error + // check if targetdef follow syntax + // ://[:][/] or it's a + // syntax error char *targetdef = strdup(argv[optind]); char *service_pos, *target_pos, *port_pos = NULL, *param_pos = NULL; - cmdtarget = argv[optind]; + cmdlinetarget = argv[optind]; if ((targetdef != NULL) && (strstr(targetdef, "://") != NULL)) { service_pos = strstr(targetdef, "://"); 
@@ -2439,25 +2689,26 @@ int main(int argc, char *argv[]) { if (*target_pos == '[') { target_pos++; - if ((param_pos = index(target_pos, ']')) == NULL) + if ((param_pos = strchr(target_pos, ']')) == NULL) bail("no closing ']' found in target definition"); *param_pos++ = 0; if (*param_pos == ':') port_pos = ++param_pos; - if ((param_pos = index(param_pos, '/')) != NULL) + if ((param_pos = strchr(param_pos, '/')) != NULL) *param_pos++ = 0; } else { - port_pos = index(target_pos, ':'); - param_pos = index(target_pos, '/'); + port_pos = strchr(target_pos, ':'); + param_pos = strchr(target_pos, '/'); if (port_pos != NULL && param_pos != NULL && port_pos > param_pos) port_pos = NULL; if (port_pos != NULL) *port_pos++ = 0; if (param_pos != NULL) *param_pos++ = 0; - if (port_pos != NULL && index(port_pos, ':') != NULL) { + if (port_pos != NULL && strchr(port_pos, ':') != NULL) { if (prefer_ipv6) - bail("Illegal IPv6 target definition must be written within '[' ']'"); + bail("Illegal IPv6 target definition must be written within '[' " + "']'"); else bail("Illegal port definition"); } @@ -2473,11 +2724,12 @@ int main(int argc, char *argv[]) { *--param_pos = '/'; hydra_options.miscptr = strdup(param_pos); } - //printf("target: %s service: %s port: %s opt: %s\n", target_pos, hydra_options.service, port_pos, param_pos); + // printf("target: %s service: %s port: %s opt: %s\n", target_pos, + // hydra_options.service, port_pos, param_pos); if (debug) printf("[DEBUG] opt:%d argc:%d mod:%s tgt:%s port:%u misc:%s\n", optind, argc, hydra_options.service, hydra_options.server, hydra_options.port, hydra_options.miscptr); } else { - hydra_options.server = NULL; + hydra_options.server = NULL; hydra_options.service = NULL; if (modusage) { 
@@ -2487,12 +2739,16 @@ int main(int argc, char *argv[]) { } } else { if (modusage && argv[optind] == NULL) { - printf("[ERROR] you must supply a service name after the -U help switch\n"); + printf("[ERROR] you must supply a service name after the -U help " + "switch\n"); exit(-1); } if (argv[optind] == NULL || strstr(argv[optind], "://") != NULL) { printf("[ERROR] Invalid target definition!\n"); - printf("[ERROR] Either you use \"www.example.com module [optional-module-parameters]\" *or* you use the \"module://www.example.com/optional-module-parameters\" syntax!\n"); + printf("[ERROR] Either you use \"www.example.com module " + "[optional-module-parameters]\" *or* you use the " + "\"module://www.example.com/optional-module-parameters\" " + "syntax!\n"); exit(-1); } hydra_options.server = argv[optind]; 
@@ -2503,31 +2759,30 @@ int main(int argc, char *argv[]) { } if (getenv("HYDRA_PROXY_CONNECT")) - fprintf(stderr, "[WARNING] The environment variable HYDRA_PROXY_CONNECT is not used! Use HYDRA_PROXY instead!\n"); + fprintf(stderr, "[WARNING] The environment variable HYDRA_PROXY_CONNECT " + "is not used! Use HYDRA_PROXY instead!\n"); // wrong option use patch - if (hydra_options.ssl && ( ((strcmp(hydra_options.service, "smtp") == 0 || strcmp(hydra_options.service, "smtp-enum") == 0) && hydra_options.port != 465) || \ - (strcmp(hydra_options.service, "pop3") == 0 && hydra_options.port != 995) || \ - (strcmp(hydra_options.service, "imap") == 0 && hydra_options.port != 993) - )) - fprintf(stderr, "[WARNING] you want to access SMTP/POP3/IMAP with SSL. Are you sure you want to use direct SSL (-S) instead of STARTTLS (-m TLS)?\n"); + if (hydra_options.ssl && (((strcmp(hydra_options.service, "smtp") == 0 || strcmp(hydra_options.service, "smtp-enum") == 0) && hydra_options.port != 465) || (strcmp(hydra_options.service, "pop3") == 0 && hydra_options.port != 995) || (strcmp(hydra_options.service, "imap") == 0 && hydra_options.port != 993))) + fprintf(stderr, "[WARNING] you want to access SMTP/POP3/IMAP with SSL. Are you sure " + "you want to use direct SSL (-S) instead of STARTTLS (-m TLS)?\n"); if (strcmp(hydra_options.service, "http") == 0 || strcmp(hydra_options.service, "https") == 0) { - fprintf(stderr, "[ERROR] There is no service \"%s\", most likely you mean one of the many web modules, e.g. http-get or http-form-post. Read it up!\n", hydra_options.service); + fprintf(stderr, + "[ERROR] There is no service \"%s\", most likely you mean one of the " + "many web modules, e.g. http-get or http-form-post. 
Read it up!\n", + hydra_options.service); exit(-1); } - if (strcmp(hydra_options.service, "pop3s") == 0 || strcmp(hydra_options.service, "smtps") == 0 || strcmp(hydra_options.service, "imaps") == 0 - || strcmp(hydra_options.service, "telnets") == 0 || (strncmp(hydra_options.service, "ldap", 4) == 0 && hydra_options.service[strlen(hydra_options.service) - 1] == 's')) { + if (strcmp(hydra_options.service, "pop3s") == 0 || strcmp(hydra_options.service, "smtps") == 0 || strcmp(hydra_options.service, "imaps") == 0 || strcmp(hydra_options.service, "telnets") == 0 || (strncmp(hydra_options.service, "ldap", 4) == 0 && hydra_options.service[strlen(hydra_options.service) - 1] == 's')) { hydra_options.ssl = 1; hydra_options.service[strlen(hydra_options.service) - 1] = 0; } if (getenv("HYDRA_PROXY_HTTP") || getenv("HYDRA_PROXY")) { - if (strcmp(hydra_options.service, "afp") == 0 || strcmp(hydra_options.service, "firebird") == 0 || strncmp(hydra_options.service, "mysql", 5) == 0 || - strcmp(hydra_options.service, "ncp") == 0 || strcmp(hydra_options.service, "oracle") == 0 || strcmp(hydra_options.service, "postgres") == 0 || - strncmp(hydra_options.service, "ssh", 3) == 0 || strcmp(hydra_options.service, "sshkey") == 0 || strcmp(hydra_options.service, "svn") == 0 || - strcmp(hydra_options.service, "sapr3") == 0) { + if (strcmp(hydra_options.service, "afp") == 0 || strcmp(hydra_options.service, "firebird") == 0 || strncmp(hydra_options.service, "mysql", 5) == 0 || strcmp(hydra_options.service, "ncp") == 0 || strcmp(hydra_options.service, "oracle") == 0 || strcmp(hydra_options.service, "postgres") == 0 || strncmp(hydra_options.service, "ssh", 3) == 0 || strcmp(hydra_options.service, "sshkey") == 0 || strcmp(hydra_options.service, "svn") == 0 || strcmp(hydra_options.service, "sapr3") == 0 || + strcmp(hydra_options.service, "memcached") == 0 || strcmp(hydra_options.service, "mongodb") == 0) { fprintf(stderr, "[WARNING] module %s does not support HYDRA_PROXY* !\n", 
hydra_options.service); proxy_string = NULL; } @@ -2535,9 +2790,9 @@ int main(int argc, char *argv[]) { /* here start the services */ - if (strcmp(hydra_options.service, "ssl") == 0 || strcmp(hydra_options.service, "www") == 0 || strcmp(hydra_options.service, "http") == 0 - || strcmp(hydra_options.service, "https") == 0) { - fprintf(stderr, "[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.\n"); + if (strcmp(hydra_options.service, "ssl") == 0 || strcmp(hydra_options.service, "www") == 0 || strcmp(hydra_options.service, "http") == 0 || strcmp(hydra_options.service, "https") == 0) { + fprintf(stderr, "[WARNING] The service http has been replaced with http-head and " + "http-get, using by default GET method. Same for https.\n"); if (strcmp(hydra_options.service, "http") == 0) { hydra_options.service = malloc(strlen("http-get") + 1); strcpy(hydra_options.service, "http-get"); @@ -2559,7 +2814,8 @@ int main(int argc, char *argv[]) { if (modusage == 1) { if (hydra_options.service == NULL) { - printf("[ERROR] you must supply a service name after the -U help switch\n"); + printf("[ERROR] you must supply a service name after the -U help " + "switch\n"); exit(-1); } module_usage(); 
@@ -2567,21 +2823,25 @@ int main(int argc, char *argv[]) { i = 0; if (strcmp(hydra_options.service, "telnet") == 0) { - fprintf(stderr, "[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available\n"); + fprintf(stderr, "[WARNING] telnet is by its nature unreliable to analyze, if " + "possible better choose FTP, SSH, etc. if available\n"); i = 1; } if (strcmp(hydra_options.service, "ftp") == 0) i = 1; if (strcmp(hydra_options.service, "ftps") == 0) { - fprintf(stderr, "[WARNING] you enabled ftp-SSL (auth tls) mode. If you want to use direct SSL ftp, use -S and the ftp module instead.\n"); + fprintf(stderr, "[WARNING] you enabled ftp-SSL (auth tls) mode. If you want to " + "use direct SSL ftp, use -S and the ftp module instead.\n"); i = 1; } if (strcmp(hydra_options.service, "pop3") == 0) { - fprintf(stderr, "[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!\n"); + fprintf(stderr, "[INFO] several providers have implemented cracking protection, " + "check with a small wordlist first - and stay legal!\n"); i = 1; } if (strcmp(hydra_options.service, "imap") == 0) { - fprintf(stderr, "[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!\n"); + fprintf(stderr, "[INFO] several providers have implemented cracking protection, " + "check with a small wordlist first - and stay legal!\n"); i = 1; } if (strcmp(hydra_options.service, "redis") == 0) 
@@ -2601,18 +2861,41 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "socks5") == 0) i = 1; if (strcmp(hydra_options.service, "icq") == 0) { - fprintf(stderr, "[WARNING] The icq module is not working with the modern protocol version! (somebody else will need to fix this as I don't care for icq)\n"); + fprintf(stderr, "[WARNING] The icq module is not working with the modern " + "protocol version! (somebody else will need to fix this " + "as I don't care for icq)\n"); i = 1; } + if (strcmp(hydra_options.service, "memcached") == 0) +#ifdef LIBMCACHED + i = 1; +#else + bail("Compiled without LIBMCACHED support, module not available!"); +#endif + + if (strcmp(hydra_options.service, "mongodb") == 0) +#ifdef LIBMONGODB + { + i = 1; + if (hydra_options.miscptr == NULL || (strlen(hydra_options.miscptr) == 0)) + fprintf(stderr, "[INFO] The mongodb db wasn't passed so using admin by default\n"); + } +#else + bail("Compiled without LIBMONGODB support, module not available!"); +#endif + if (strcmp(hydra_options.service, "mysql") == 0) { i = 1; if (hydra_options.tasks > 4) { - fprintf(stderr, "[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)\n"); + fprintf(stderr, "[INFO] Reduced number of tasks to 4 (mysql does not " + "like many parallel connections)\n"); hydra_options.tasks = 4; } } if (strcmp(hydra_options.service, "mssql") == 0) i = 1; + if (strcmp(hydra_options.service, "cobaltstrike") == 0) + i = 2; if ((strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "tns") == 0)) { i = 2; hydra_options.service = malloc(strlen("oracle-listener") + 1); @@ -2660,6 +2943,7 @@ int main(int argc, char *argv[]) { #else bail("Compiled without LIBNCP support, module not available!"); #endif + if (strcmp(hydra_options.service, "pcanywhere") == 0) i = 1; if (strcmp(hydra_options.service, "http-proxy") == 0) { 
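Review bot: The new `if (strcmp(hydra_options.service, "cobaltstrike") == 0) i = 2;` routes cobaltstrike into the password-only mode, but the usage error raised later for `i == 2` still reads `The redis, adam6500, cisco, oracle-listener, s7-300, snmp and vnc modules are only using the -p or -P option ...`, so a user who passes `-l` with cobaltstrike is told about every module except the one they used. Add `cobaltstrike` to that bail() string, or derive the list from one place so the two stay in sync. A one-line comment on the new assignment, e.g. `// cobaltstrike takes passwords only (no login), hence i = 2`, would also explain why it differs from the neighbouring `i = 1` modules. The memcached and mongodb blocks follow the existing `#ifdef`/`bail()` shape used for ncp; the enclosing main() body starts and ends outside the hunk.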
@@ -2670,18 +2954,21 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "cvs") == 0) { i = 1; if (hydra_options.miscptr == NULL || (strlen(hydra_options.miscptr) == 0)) { - fprintf(stderr, "[INFO] The CVS repository path wasn't passed so using /root by default\n"); + fprintf(stderr, "[INFO] The CVS repository path wasn't passed so using " + "/root by default\n"); } } if (strcmp(hydra_options.service, "svn") == 0) { i = 1; if (hydra_options.miscptr == NULL || (strlen(hydra_options.miscptr) == 0)) { - fprintf(stderr, "[INFO] The SVN repository path wasn't passed so using /trunk by default\n"); + fprintf(stderr, "[INFO] The SVN repository path wasn't passed so using " + "/trunk by default\n"); } } if (strcmp(hydra_options.service, "ssh") == 0 || strcmp(hydra_options.service, "sshkey") == 0) { if (hydra_options.tasks > 8) - fprintf(stderr, "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n"); + fprintf(stderr, "[WARNING] Many SSH configurations limit the number of parallel " + "tasks, it is recommended to reduce the tasks: use -t 4\n"); #ifdef LIBSSH i = 1; #else @@ -2689,7 +2976,8 @@ int main(int argc, char *argv[]) { #endif } if (strcmp(hydra_options.service, "smtp") == 0) { - fprintf(stderr, "[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!\n"); + fprintf(stderr, "[INFO] several providers have implemented cracking protection, " + "check with a small wordlist first - and stay legal!\n"); i = 1; } if (strcmp(hydra_options.service, "smtp-enum") == 0) 
@@ -2698,43 +2986,67 @@ int main(int argc, char *argv[]) { i = 1; if ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0)) { if (hydra_options.tasks > 1) { - fprintf(stderr, "[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)\n"); + fprintf(stderr, "[INFO] Reduced number of tasks to 1 (smb does not " + "like parallel connections)\n"); hydra_options.tasks = 1; } - if (hydra_options.login != NULL && (index(hydra_options.login, '\\') != NULL || index(hydra_options.login, '/') != NULL)) - fprintf(stderr, "[WARNING] potential windows domain specification found in login. You must use the -m option to pass a domain.\n"); + if (hydra_options.login != NULL && (strchr(hydra_options.login, '\\') != NULL || strchr(hydra_options.login, '/') != NULL)) + fprintf(stderr, "[WARNING] potential windows domain specification found in " + "login. You must use the -m option to pass a domain.\n"); i = 1; } if ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0)) { #ifdef LIBOPENSSL if (hydra_options.tasks > 1) { - fprintf(stderr, "[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)\n"); + fprintf(stderr, "[INFO] Reduced number of tasks to 1 (smb does not " + "like parallel connections)\n"); hydra_options.tasks = 1; } i = 1; #endif } - if ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0) || - (strcmp(hydra_options.service, "sip") == 0) || (strcmp(hydra_options.service, "rdp") == 0) || - (strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "oracle-sid") == 0)) { + if ((strcmp(hydra_options.service, "smb") == 0) || (strcmp(hydra_options.service, "smbnt") == 0) || (strcmp(hydra_options.service, "sip") == 0) || (strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "oracle-sid") == 0)) { #ifndef LIBOPENSSL bail("Compiled without OPENSSL support, 
module not available!"); +#endif + } + if (strcmp(hydra_options.service, "smb2") == 0) { +#if !defined(LIBSMBCLIENT) + bail("Compiled without LIBSMBCLIENT support, module not available!"); +#else + if (hydra_options.login != NULL && (strchr(hydra_options.login, '\\') != NULL || strchr(hydra_options.login, '/') != NULL)) + fprintf(stderr, "[WARNING] potential windows domain specification found in " + "login. You must use the -m option to pass a domain.\n"); + if (hydra_options.miscptr == NULL || (strlen(hydra_options.miscptr) == 0)) { + fprintf(stderr, "[WARNING] Workgroup was not specified, using \"WORKGROUP\"\n"); + } + i = 1; +#endif + } + + if (strcmp(hydra_options.service, "rdp") == 0) { +#ifndef LIBFREERDP + bail("Compiled without FREERDP support, modules not available!"); #endif } if (strcmp(hydra_options.service, "pcnfs") == 0) { i = 1; if (port == 0) - bail("You must set the port for pcnfs with -s (run \"rpcinfo -p %s\" and look for the pcnfs v2 UDP port)"); + bail("You must set the port for pcnfs with -s (run \"rpcinfo -p %s\" " + "and look for the pcnfs v2 UDP port)"); } if (strcmp(hydra_options.service, "sapr3") == 0) { #ifdef LIBSAPR3 i = 1; if (port == PORT_SAPR3) - bail("You must set the port for sapr3 with -s , it should lie between 3200 and 3699."); + bail("You must set the port for sapr3 with -s , it should lie " + "between 3200 and 3699."); if (port < 3200 || port > 3699) - fprintf(stderr, "[WARNING] The port is not in the range 3200 to 3399 - please ensure it is ok!\n"); + fprintf(stderr, "[WARNING] The port is not in the range 3200 to 3399 - " + "please ensure it is ok!\n"); if (hydra_options.miscptr == NULL || atoi(hydra_options.miscptr) < 0 || atoi(hydra_options.miscptr) > 999 || !isdigit(hydra_options.miscptr[0])) - bail("You must set the client ID (0-999) as an additional option or via -m"); + bail("You must set the client ID (0-999) as an additional option or " + "via -m"); #else bail("Compiled without LIBSAPR3 support, module not 
available!"); #endif @@ -2742,13 +3054,17 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "cisco") == 0) { i = 2; if (hydra_options.tasks > 4) - fprintf(stderr, "[WARNING] you should set the number of parallel task to 4 for cisco services.\n"); + fprintf(stderr, "[WARNING] you should set the number of parallel task " + "to 4 for cisco services.\n"); } if (strcmp(hydra_options.service, "adam6500") == 0) { i = 2; - fprintf(stderr, "[WARNING] the module adam6500 is work in progress! please submit a pcap of a successful login as well as false positives to vh@thc.org\n"); + fprintf(stderr, "[WARNING] the module adam6500 is work in progress! " + "please submit a pcap of a successful login as well as " + "false positives to vh@thc.org\n"); if (hydra_options.tasks > 1) - fprintf(stderr, "[WARNING] reset the number of parallel task to 1 for adam6500 modbus authentication\n"); + fprintf(stderr, "[WARNING] reset the number of parallel task to 1 for " + "adam6500 modbus authentication\n"); hydra_options.tasks = 1; } if (strncmp(hydra_options.service, "snmpv", 5) == 0) { 
@@ -2806,30 +3122,37 @@ int main(int argc, char *argv[]) { } i = 2; if ((j & 3) < 3 && j > 2) - fprintf(stderr, "[WARNING] SNMPv1 and SNMPv2 do not support hash and encryption, ignored\n"); + fprintf(stderr, "[WARNING] SNMPv1 and SNMPv2 do not support hash and " + "encryption, ignored\n"); if ((j & 3) == 3) { - fprintf(stderr, "[WARNING] SNMPv3 is still in beta state, use at own risk and report problems\n"); + fprintf(stderr, "[WARNING] SNMPv3 is still in beta state, use at own " + "risk and report problems\n"); if (j >= 16) - bail("The SNMPv3 module so far only support authentication (md5/sha), not yet encryption\n"); - if (hydra_options.colonfile == NULL - && ((hydra_options.login == NULL && hydra_options.loginfile == NULL) || (hydra_options.pass == NULL && hydra_options.passfile == NULL && hydra_options.bfg == 0))) { + bail("The SNMPv3 module so far only support authentication " + "(md5/sha), not yet encryption\n"); + if (hydra_options.colonfile == NULL && ((hydra_options.login == NULL && hydra_options.loginfile == NULL) || (hydra_options.pass == NULL && hydra_options.passfile == NULL && hydra_options.bfg == 0))) { if (j > 3) { - fprintf(stderr, "[ERROR] you specified SNMPv3, defined hashing/encryption but only gave one of login or password list. Either supply both logins and passwords (this is what is usually used in SNMPv3), or remove the hashing/encryption option (unusual)\n"); + fprintf(stderr, "[ERROR] you specified SNMPv3, defined hashing/encryption but " + "only gave one of login or password list. Either supply both " + "logins and passwords (this is what is usually used in " + "SNMPv3), or remove the hashing/encryption option (unusual)\n"); exit(-1); } - fprintf(stderr, "[WARNING] you specified SNMPv3 but gave no logins, NoAuthNoPriv is assumed. This is an unusual case, you should know what you are doing\n"); + fprintf(stderr, "[WARNING] you specified SNMPv3 but gave no logins, " + "NoAuthNoPriv is assumed. 
This is an unusual case, " + "you should know what you are doing\n"); tmpptr = malloc(strlen(hydra_options.miscptr) + 8); strcpy(tmpptr, hydra_options.miscptr); strcat(tmpptr, ":"); strcat(tmpptr, "PLAIN"); hydra_options.miscptr = tmpptr; } else { - i = 1; // snmpv3 with login+pass mode + i = 1; // snmpv3 with login+pass mode #ifndef LIBOPENSSL - bail("hydra was not compiled with OPENSSL support, snmpv3 can only be used on NoAuthNoPriv mode (only logins, no passwords)!"); + bail("hydra was not compiled with OPENSSL support, snmpv3 can only " + "be used on NoAuthNoPriv mode (only logins, no passwords)!"); #endif - printf("[INFO] Using %s SNMPv3 with %s authentication and %s privacy\n", j > 16 ? "AuthPriv" : "AuthNoPriv", (j & 8) == 8 ? "SHA" : "MD5", - (j & 16) == 16 ? "DES" : (j > 16) ? "AES" : "no"); + printf("[INFO] Using %s SNMPv3 with %s authentication and %s privacy\n", j > 16 ? "AuthPriv" : "AuthNoPriv", (j & 8) == 8 ? "SHA" : "MD5", (j & 16) == 16 ? "DES" : (j > 16) ? "AES" : "no"); } } } 
@@ -2846,15 +3169,16 @@ int main(int argc, char *argv[]) { } } if (strcmp(hydra_options.service, "ldap") == 0) { - bail("Please select ldap2 or ldap3 for simple authentication or ldap3-crammd5 or ldap3-digestmd5\n"); + bail("Please select ldap2 or ldap3 for simple authentication or " + "ldap3-crammd5 or ldap3-digestmd5\n"); } if (strcmp(hydra_options.service, "ldap2") == 0 || strcmp(hydra_options.service, "ldap3") == 0) { i = 1; - if ((hydra_options.miscptr != NULL && hydra_options.login != NULL) - || (hydra_options.miscptr != NULL && hydra_options.loginfile != NULL) || (hydra_options.login != NULL && hydra_options.loginfile != NULL)) + if ((hydra_options.miscptr != NULL && hydra_options.login != NULL) || (hydra_options.miscptr != NULL && hydra_options.loginfile != NULL) || (hydra_options.login != NULL && hydra_options.loginfile != NULL)) bail("you may only use one of -l, -L or -m\n"); if (hydra_options.login == NULL && hydra_options.loginfile == NULL && hydra_options.miscptr == NULL) - fprintf(stderr, "[WARNING] no DN to authenticate is defined, using DN of null (use -m, -l or -L to define DNs)\n"); + fprintf(stderr, "[WARNING] no DN to authenticate is defined, using DN " + "of null (use -m, -l or -L to define DNs)\n"); if (hydra_options.login == NULL && hydra_options.loginfile == NULL) { i = 2; } 
@@ -2872,26 +3196,30 @@ int main(int argc, char *argv[]) { i = 1; if (strcmp(hydra_options.service, "s7-300") == 0) { if (hydra_options.tasks > 8) { - fprintf(stderr, "[INFO] Reduced number of tasks to 8 (the PLC does not like more connections)\n"); + fprintf(stderr, "[INFO] Reduced number of tasks to 8 (the PLC does not " + "like more connections)\n"); hydra_options.tasks = 8; } i = 2; } if (strcmp(hydra_options.service, "cisco-enable") == 0) { if (hydra_options.login != NULL || hydra_options.loginfile != NULL) - i = 1; // login will be the initial Username: login, or line Password: + i = 1; // login will be the initial Username: login, or line Password: else i = 2; if (hydra_options.miscptr == NULL) - fprintf(stderr, "[WARNING] You did not supply the initial support to the Cisco via -l, assuming direct console access\n"); + fprintf(stderr, "[WARNING] You did not supply the initial support to " + "the Cisco via -l, assuming direct console access\n"); if (hydra_options.tasks > 4) - fprintf(stderr, "[WARNING] you should set the number of parallel task to 4 for cisco enable services.\n"); + fprintf(stderr, "[WARNING] you should set the number of parallel task " + "to 4 for cisco enable services.\n"); } if (strcmp(hydra_options.service, "http-proxy-urlenum") == 0) { i = 4; hydra_options.pass = empty_login; if (hydra_options.miscptr == NULL) { - fprintf(stderr, "[WARNING] You did not supply proxy credentials via the optional parameter\n"); + fprintf(stderr, "[WARNING] You did not supply proxy credentials via " + "the optional parameter\n"); } if (hydra_options.bfg || hydra_options.passfile != NULL) bail("the http-proxy-urlenum does not need the -p/-P or -x option"); 
@@ -2899,7 +3227,8 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "vnc") == 0) { i = 2; if (hydra_options.tasks > 4) - fprintf(stderr, "[WARNING] you should set the number of parallel task to 4 for vnc services.\n"); + fprintf(stderr, "[WARNING] you should set the number of parallel task " + "to 4 for vnc services.\n"); } if (strcmp(hydra_options.service, "https-head") == 0 || strcmp(hydra_options.service, "https-get") == 0 || strcmp(hydra_options.service, "https-post") == 0) { #ifdef LIBOPENSSL @@ -2907,11 +3236,10 @@ int main(int argc, char *argv[]) { hydra_options.ssl = 1; if (strcmp(hydra_options.service, "https-head") == 0) strcpy(hydra_options.service, "http-head"); + else if (strcmp(hydra_options.service, "https-post") == 0) + strcpy(hydra_options.service, "http-post"); else - if (strcmp(hydra_options.service, "https-post") == 0) - strcpy(hydra_options.service, "http-post"); - else - strcpy(hydra_options.service, "http-get"); + strcpy(hydra_options.service, "http-get"); #else bail("Compiled without SSL support, module not available"); #endif 
@@ -2919,29 +3247,34 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "http-get") == 0 || strcmp(hydra_options.service, "http-head") == 0 || strcmp(hydra_options.service, "http-post") == 0) { i = 1; if (hydra_options.miscptr == NULL) { - fprintf(stderr, "[WARNING] You must supply the web page as an additional option or via -m, default path set to /\n"); + fprintf(stderr, "[WARNING] You must supply the web page as an " + "additional option or via -m, default path set to /\n"); hydra_options.miscptr = malloc(2); hydra_options.miscptr = "/"; } if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr, "://") == NULL) - bail("The web page you supplied must start with a \"/\", \"http://\" or \"https://\", e.g. \"/protected/login\""); + bail("The web page you supplied must start with a \"/\", \"http://\" " + "or \"https://\", e.g. \"/protected/login\""); if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY")) - bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - you can use only ONE for the service http-head/http-get!"); + bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - " + "you can use only ONE for the service http-head/http-get!"); if (getenv("HYDRA_PROXY_HTTP")) { printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP")); use_proxy = 1; } if (strcmp(hydra_options.service, "http-head") == 0) - fprintf(stderr, "[WARNING] http-head auth does not work with every server, better use http-get\n"); + fprintf(stderr, "[WARNING] http-head auth does not work with every " + "server, better use http-get\n"); } - if (strcmp(hydra_options.service, "http-get-form") == 0 || strcmp(hydra_options.service, "http-post-form") == 0 || strcmp(hydra_options.service, "https-get-form") == 0 - || strcmp(hydra_options.service, "https-post-form") == 0) { - char bufferurl[6096+24], *url, *variables, *cond, *optional1; //6096 comes from issue 192 on github. Extra 24 bytes for null padding. 
+ if (strcmp(hydra_options.service, "http-get-form") == 0 || strcmp(hydra_options.service, "http-post-form") == 0 || strcmp(hydra_options.service, "https-get-form") == 0 || strcmp(hydra_options.service, "https-post-form") == 0) { + char bufferurl[6096 + 24], *url, *variables, *cond, + *optional1; // 6096 comes from issue 192 on github. Extra 24 bytes for + // null padding. if (strncmp(hydra_options.service, "http-", 5) == 0) { i = 1; - } else { // https + } else { // https #ifdef LIBOPENSSL i = 1; hydra_options.ssl = 1; 
@@ -2953,60 +3286,79 @@ int main(int argc, char *argv[]) { bail("Compiled without SSL support, module not available"); #endif } - if (hydra_options.miscptr == NULL) { - fprintf(stderr, "[WARNING] You must supply the web page as an additional option or via -m, default path set to /\n"); - hydra_options.miscptr = malloc(2); - hydra_options.miscptr = "/"; - } - //if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr, "://") == NULL) - // bail("The web page you supplied must start with a \"/\", \"http://\" or \"https://\", e.g. \"/protected/login\""); - if (hydra_options.miscptr[0] != '/') - bail("optional parameter must start with a '/' slash!\n"); - if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY")) - bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - you can use only ONE for the service http-head/http-get!"); - if (getenv("HYDRA_PROXY_HTTP")) { - printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP")); - use_proxy = 1; - } - - if (strstr(hydra_options.miscptr, "\\:") != NULL) { - fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module option, no parameter verification is performed.\n"); - } else { - sprintf(bufferurl, "%.6000s", hydra_options.miscptr); - url = strtok(bufferurl, ":"); - variables = strtok(NULL, ":"); - cond = strtok(NULL, ":"); - optional1 = strtok(NULL, "\n"); - if ((variables == NULL) || (strstr(variables, "^USER^") == NULL && strstr(variables, "^PASS^") == NULL && strstr(variables, "^USER64^") == NULL && strstr(variables, "^PASS64^") == NULL)) { - fprintf(stderr, "[ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: %s\n", STR_NULL(variables)); - exit(-1); + if (hydra_options.infile_ptr == NULL) { + if (hydra_options.miscptr == NULL) { + fprintf(stderr, "[WARNING] You must supply the web page as an " + "additional option or via -m, default path set to /\n"); + hydra_options.miscptr = malloc(2); + hydra_options.miscptr = "/"; } - if ((url == 
NULL) || (cond == NULL)) { - fprintf(stderr, "[ERROR] Wrong syntax, requires three arguments separated by a colon which may not be null: %s\n", bufferurl); - exit(-1); + // if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr, + // "://") == NULL) + // bail("The web page you supplied must start with a \"/\", \"http://\" + // or \"https://\", e.g. \"/protected/login\""); + if (hydra_options.miscptr[0] != '/') + bail("optional parameter must start with a '/' slash!\n"); + if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY")) + bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - " + "you can use only ONE for the service http-head/http-get!"); + if (getenv("HYDRA_PROXY_HTTP")) { + printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP")); + use_proxy = 1; } - while ((optional1 = strtok(NULL, ":")) != NULL) { - if (optional1[1] != '=' && optional1[1] != ':' && optional1[1] != 0) { - fprintf(stderr, "[ERROR] Wrong syntax of optional argument: %s\n", optional1); + if (strstr(hydra_options.miscptr, "\\:") != NULL) { + fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module " + "option, no parameter verification is performed.\n"); + } else { + sprintf(bufferurl, "%.6000s", hydra_options.miscptr); + url = strtok(bufferurl, ":"); + variables = strtok(NULL, ":"); + cond = strtok(NULL, ":"); + optional1 = strtok(NULL, "\n"); + if ((variables == NULL) || (strstr(variables, "^USER^") == NULL && strstr(variables, "^PASS^") == NULL && strstr(variables, "^USER64^") == NULL && strstr(variables, "^PASS64^") == NULL)) { + fprintf(stderr, + "[ERROR] the variables argument needs at least the strings " + "^USER^, ^PASS^, ^USER64^ or ^PASS64^: %s\n", + STR_NULL(variables)); exit(-1); } - switch (optional1[0]) { - case 'C': // fall through - case 'c': - if (optional1[1] != '=' || optional1[2] != '/') { - fprintf(stderr, "[ERROR] Wrong syntax of parameter C, must look like 'C=/url/of/page', not http:// etc.: %s\n", optional1); + if 
((url == NULL) || (cond == NULL)) { + fprintf(stderr, + "[ERROR] Wrong syntax, requires three arguments separated by " + "a colon which may not be null: %s\n", + bufferurl); + exit(-1); + } + while ((optional1 = strtok(NULL, ":")) != NULL) { + if (optional1[1] != '=' && optional1[1] != ':' && optional1[1] != 0) { + fprintf(stderr, "[ERROR] Wrong syntax of optional argument: %s\n", optional1); exit(-1); } - break; - case 'H': // fall through - case 'h': - if (optional1[1] != '=' || strtok(NULL, ":") == NULL) { - fprintf(stderr, "[ERROR] Wrong syntax of parameter H, must look like 'H=X-My-Header: MyValue', no http:// : %s\n", optional1); - exit(-1); + + switch (optional1[0]) { + case 'C': // fall through + case 'c': + if (optional1[1] != '=' || optional1[2] != '/') { + fprintf(stderr, + "[ERROR] Wrong syntax of parameter C, must look like " + "'C=/url/of/page', not http:// etc.: %s\n", + optional1); + exit(-1); + } + break; + case 'H': // fall through + case 'h': + if (optional1[1] != '=' || strtok(NULL, ":") == NULL) { + fprintf(stderr, + "[ERROR] Wrong syntax of parameter H, must look like " + "'H=X-My-Header: MyValue', no http:// : %s\n", + optional1); + exit(-1); + } + break; + default: + fprintf(stderr, "[ERROR] Unknown optional argument: %s\n", optional1); } - break; - default: - fprintf(stderr, "[ERROR] Unknown optional argument: %s\n", optional1); } } } 
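Review bot: The default-path fallback that moves inside the new `if (hydra_options.infile_ptr == NULL)` guard, `hydra_options.miscptr = malloc(2); hydra_options.miscptr = "/";`, allocates two bytes and immediately overwrites the pointer with a string literal, so the malloc() is a leak and miscptr ends up pointing at read-only storage; drop the malloc() and assign the literal, or use strdup("/") if the value is later freed or written. Because the whole validation block is now skipped when infile_ptr is set, miscptr can still be NULL on that path — whether later code dereferences it is outside this hunk and should be confirmed. A short comment above the guard, such as `// module options are only validated here when they are not supplied via an input file`, would record that intent; the enclosing main() starts and ends outside the hunk.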
@@ -3017,24 +3369,27 @@ int main(int argc, char *argv[]) { if (strcmp(hydra_options.service, "irc") == 0) i = 1; if (strcmp(hydra_options.service, "rdp") == 0) { - //if (hydra_options.tasks > 4) - // fprintf(stderr, "[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover\n"); - //if (hydra_options.tasks > 4) { - // fprintf(stderr, "[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\n"); - // hydra_options.tasks = 4; - //} - //if (conwait == 0) - // hydra_options.conwait = conwait = 1; - //printf("[WARNING] the rdp module is currently reported to be unreliable, most likely against new Windows version. Please test, report - and if possible, fix.\n"); - printf("[ERROR] the rdp module does not support the current protocol, hence it is disabled. If you want to add it, please contact vh@thc.org\n"); - exit(-1); + if (hydra_options.tasks > 4) + fprintf(stderr, "[WARNING] rdp servers often don't like many connections, use -t 1 " + "or -t 4 to reduce the number of parallel connections and -W 1 or " + "-W 3 to wait between connection to allow the server to recover\n"); + if (hydra_options.tasks > 4) { + fprintf(stderr, "[INFO] Reduced number of tasks to 4 (rdp does not " + "like many parallel connections)\n"); + hydra_options.tasks = 4; + } + if (conwait == 0) + hydra_options.conwait = conwait = 1; + printf("[WARNING] the rdp module is experimental. Please test, report - " + "and if possible, fix.\n"); i = 1; } if (strcmp(hydra_options.service, "radmin2") == 0) { #ifdef HAVE_GCRYPT i = 1; #else - bail("hydra was not compiled with gcrypt support, radmin2 module not available"); + bail("hydra was not compiled with gcrypt support, radmin2 module not " + "available"); #endif } 
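Review bot: The two consecutive `if (hydra_options.tasks > 4)` branches in the re-enabled rdp block contradict each other: the first tells the user to choose `-t 1` or `-t 4`, and the second immediately forces `hydra_options.tasks = 4` anyway, so the advice can never be acted on. Merge them into one branch that prints a single message and applies the cap, e.g. `if (hydra_options.tasks > 4) { fprintf(stderr, "[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)\n"); hydra_options.tasks = 4; }`. The line `hydra_options.conwait = conwait = 1;` silently changes a user-visible wait setting and deserves a comment such as `// rdp: default to -W 1 unless a wait was given`, assuming `conwait == 0` really means "not set". main() continues outside the hunk.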
@@ -3046,24 +3401,33 @@ int main(int argc, char *argv[]) { } if (port < 1 || port > 65535) { if ((port = hydra_lookup_port(hydra_options.service)) < 1) { - fprintf(stderr, "[ERROR] No valid port set or no default port available. Use the -s Option.\n"); + fprintf(stderr, "[ERROR] No valid port set or no default port " + "available. Use the -s Option.\n"); exit(-1); } hydra_options.port = port; } + if (hydra_options.login == NULL && hydra_options.loginfile == NULL && hydra_options.colonfile == NULL) + hydra_options.exit_found = 1; + if (hydra_options.ssl == 0 && hydra_options.port == 443) - fprintf(stderr, "[WARNING] you specified port 443 for attacking a http service, however did not specify the -S ssl switch nor used https-..., therefore using plain HTTP\n"); + fprintf(stderr, "[WARNING] you specified port 443 for attacking a http " + "service, however did not specify the -S ssl switch nor " + "used https-..., therefore using plain HTTP\n"); if (hydra_options.loop_mode && hydra_options.colonfile != NULL) - bail("The loop mode option (-u) works with all modes - except colon files (-C)\n"); + bail("The loop mode option (-u) works with all modes - except colon " + "files (-C)\n"); if (strncmp(hydra_options.service, "http-", strlen("http-")) != 0 && strcmp(hydra_options.service, "http-head") != 0 && getenv("HYDRA_PROXY_HTTP") != NULL) - fprintf(stderr, "[WARNING] the HYDRA_PROXY_HTTP environment variable works only with the http-head/http-get module, ignored...\n"); + fprintf(stderr, "[WARNING] the HYDRA_PROXY_HTTP environment variable works only " + "with the http-head/http-get module, ignored...\n"); if (i == 2) { - if (hydra_options.colonfile != NULL - || ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL || hydra_options.bfg > 0))) - bail - ("The redis, adam6500, cisco, oracle-listener, s7-300, snmp and vnc modules are only using the -p or -P option, not login (-l, -L) or colon file 
(-C).\nUse the telnet module for cisco using \"Username:\" authentication.\n"); + if (hydra_options.colonfile != NULL || ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL || hydra_options.bfg > 0))) + bail("The redis, adam6500, cisco, oracle-listener, s7-300, snmp and " + "vnc modules are only using the -p or -P option, not login (-l, " + "-L) or colon file (-C).\nUse the telnet module for cisco using " + "\"Username:\" authentication.\n"); if ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass == NULL || hydra_options.passfile == NULL)) { hydra_options.pass = hydra_options.login; hydra_options.passfile = hydra_options.loginfile; @@ -3072,9 +3436,9 @@ int main(int argc, char *argv[]) { hydra_options.loginfile = NULL; } if (i == 3) { - if (hydra_options.colonfile != NULL || hydra_options.bfg > 0 - || ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL))) - bail("The rsh, oracle-sid login is neither using the -p, -P or -x options nor colon file (-C)\n"); + if (hydra_options.colonfile != NULL || hydra_options.bfg > 0 || ((hydra_options.login != NULL || hydra_options.loginfile != NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL))) + bail("The rsh, oracle-sid login is neither using the -p, -P or -x " + "options nor colon file (-C)\n"); if ((hydra_options.login == NULL || hydra_options.loginfile == NULL) && (hydra_options.pass != NULL || hydra_options.passfile != NULL)) { hydra_options.login = hydra_options.pass; hydra_options.loginfile = hydra_options.passfile; 
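Review bot: The new `if (hydra_options.login == NULL && hydra_options.loginfile == NULL && hydra_options.colonfile == NULL) hydra_options.exit_found = 1;` changes run behaviour with no explanation: it presumably makes a run without -l/-L/-C stop after the first hit, as -f does, but nothing on the line says why or whether that is intended for every password-only module. Add a comment along the lines of `// no logins supplied: there is only one secret to find per target, so stop on first hit as with -f`, and confirm the intent, since the login/password swap for `i == 2` just below runs after this flag is set. main() continues outside the hunk.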
@@ -3085,23 +3449,23 @@ int main(int argc, char *argv[]) { if (i == 3 && hydra_options.login == NULL && hydra_options.loginfile == NULL) bail("I need at least either the -l or -L option to know the login"); if (i == 2 && hydra_options.pass == NULL && hydra_options.passfile == NULL && hydra_options.bfg == 0) - bail("I need at least either the -p, -P or -x option to have a password to try"); + bail("I need at least either the -p, -P or -x option to have a password " + "to try"); if (i == 1 && hydra_options.login == NULL && hydra_options.loginfile == NULL && hydra_options.colonfile == NULL) bail("I need at least either the -l, -L or -C option to know the login"); - if (hydra_options.colonfile != NULL && ((hydra_options.bfg != 0 || hydra_options.login != NULL || hydra_options.loginfile != NULL) - || (hydra_options.pass != NULL && hydra_options.passfile != NULL))) + if (hydra_options.colonfile != NULL && ((hydra_options.bfg != 0 || hydra_options.login != NULL || hydra_options.loginfile != NULL) || (hydra_options.pass != NULL && hydra_options.passfile != NULL))) bail("The -C option is standalone, don't use it with -l/L, -p/P or -x!"); - if ((hydra_options.bfg) - && ((hydra_options.pass != NULL) || (hydra_options.passfile != NULL) - || (hydra_options.colonfile != NULL))) - bail("The -x (password bruteforce generation option) doesn't work with -p/P, -C or -e!\n"); - if (hydra_options.try_password_reverse_login == 0 && hydra_options.try_password_same_as_login == 0 && hydra_options.try_null_password == 0 - && (i != 3 && (hydra_options.pass == NULL && hydra_options.passfile == NULL && hydra_options.colonfile == NULL)) && hydra_options.bfg == 0) { - // test if the service is smtp-enum as it could be used either with a login+pass or only a login + if ((hydra_options.bfg) && ((hydra_options.pass != NULL) || (hydra_options.passfile != NULL) || (hydra_options.colonfile != NULL))) + bail("The -x (password bruteforce generation option) doesn't work with " + "-p/P, -C or -e!\n"); + 
if (hydra_options.try_password_reverse_login == 0 && hydra_options.try_password_same_as_login == 0 && hydra_options.try_null_password == 0 && (i != 3 && (hydra_options.pass == NULL && hydra_options.passfile == NULL && hydra_options.colonfile == NULL)) && hydra_options.bfg == 0) { + // test if the service is smtp-enum as it could be used either with a + // login+pass or only a login if (strstr(hydra_options.service, "smtp-enum") != NULL) hydra_options.pass = empty_login; else - bail("I need at least the -e, -p, -P or -x option to have some passwords!"); + bail("I need at least the -e, -p, -P or -x option to have some " + "passwords!"); } if (hydra_options.tasks < 1 || hydra_options.tasks > MAXTASKS) { fprintf(stderr, "[ERROR] Option -t needs to be a number between 1 and %d\n", MAXTASKS); 
@@ -3112,15 +3476,26 @@ int main(int argc, char *argv[]) { hydra_options.max_use = MAXTASKS; } // script kiddie patch - if (hydra_options.server != NULL && (hydra_strcasestr(hydra_options.server, "gmail.") != NULL || hydra_strcasestr(hydra_options.server, "googlemail.") != NULL)) - fprintf(stderr, "[WARNING] Google Mail has bruteforce detection and sends false positives. You are not doing anything illegal right?!\n"); - + if (hydra_options.server != NULL && (hydra_strcasestr(hydra_options.server, ".outlook.com") != NULL || hydra_strcasestr(hydra_options.server, ".hotmail.com") != NULL || hydra_strcasestr(hydra_options.server, ".yahoo.") != NULL || hydra_strcasestr(hydra_options.server, ".gmx.") != NULL || hydra_strcasestr(hydra_options.server, ".web.de") != NULL || hydra_strcasestr(hydra_options.server, ".gmail.") != NULL || hydra_strcasestr(hydra_options.server, "googlemail.") != NULL)) { + fprintf(stderr, "[WARNING] Google Mail and others have bruteforce and " + "hydra detection and send false positives. You are not " + "doing anything illegal right?!\n"); + fprintf(stderr, "[WARNING] !read the above!\n"); + sleep(5); + } if (hydra_options.colonfile == NULL) { if (hydra_options.loginfile != NULL) { if ((lfp = fopen(hydra_options.loginfile, "r")) == NULL) { fprintf(stderr, "[ERROR] File for logins not found: %s\n", hydra_options.loginfile); exit(-1); } + else if (hydra_options.passfile == NULL){ + if(my_segment && num_segments){ + filecloser = lfp; + lfp = hydra_divide_file(lfp, my_segment, num_segments); + fclose(filecloser); + } + } hydra_brains.countlogin = countlines(lfp, 0); hydra_brains.sizelogin = size_of_data; if (hydra_brains.countlogin == 0) { 
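Review bot: The return value of `hydra_divide_file(lfp, my_segment, num_segments)` in the new `else if (hydra_options.passfile == NULL)` branch is never checked, and the original handle has already been closed through `filecloser`, so if the helper can fail and return NULL the following `countlines(lfp, 0)` dereferences a null FILE pointer (the helper itself is outside this view, so treat that as something to confirm). A guard such as `if (lfp == NULL) bail("Could not split the login file into segments");` right after the call keeps the failure explicit; the same applies to the pfp and cfp splits in the @@ -3150 and @@ -3197 hunks. It is also worth a comment that the login file is split only when no password file is given while the password file is always split, presumably so that only one dimension of the login/password grid is divided across segments. Finally, `else if (...){` and `if(my_segment` do not follow the brace and keyword spacing the rest of this commit applies.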
@@ -3128,11 +3503,14 @@ int main(int argc, char *argv[]) { exit(-1); } if (hydra_brains.countlogin > MAX_LINES) { - fprintf(stderr, "[ERROR] Maximum number of logins is %d, this file has %lu entries.\n", MAX_LINES, hydra_brains.countlogin); + fprintf(stderr, "[ERROR] Maximum number of logins is %d, this file has %" hPRIu64 " entries.\n", MAX_LINES, hydra_brains.countlogin); exit(-1); } if (hydra_brains.sizelogin > MAX_BYTES) { - fprintf(stderr, "[ERROR] Maximum size of the login file is %d, this file has %lu bytes.\n", MAX_BYTES, (uint64_t) hydra_brains.sizelogin); + fprintf(stderr, + "[ERROR] Maximum size of the login file is %d, this file has " + "%" hPRIu64 " bytes.\n", + MAX_BYTES, (uint64_t)hydra_brains.sizelogin); exit(-1); } login_ptr = malloc(hydra_brains.sizelogin + hydra_brains.countlogin + 8); @@ -3150,6 +3528,11 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] File for passwords not found: %s\n", hydra_options.passfile); exit(-1); } + else if(my_segment && num_segments){ + filecloser = pfp; + pfp = hydra_divide_file(pfp, my_segment, num_segments); + fclose(filecloser); + } hydra_brains.countpass = countlines(pfp, 0); hydra_brains.sizepass = size_of_data; if (hydra_brains.countpass == 0) { 
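Review bot: The two new `%" hPRIu64 "` calls in this hunk treat their arguments differently: `hydra_brains.countlogin` is passed uncast while `hydra_brains.sizelogin` is cast to `(uint64_t)`. If countlogin is not declared as a 64-bit type the first call has a format/argument mismatch; if it is, the cast on the second call is redundant. Either way both should get the same treatment, e.g. `MAX_LINES, (uint64_t)hydra_brains.countlogin);`; the same asymmetry appears in the @@ -3157 and @@ -3204 hunks.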
@@ -3157,11 +3540,17 @@ int main(int argc, char *argv[]) { exit(-1); } if (hydra_brains.countpass > MAX_LINES) { - fprintf(stderr, "[ERROR] Maximum number of passwords is %d, this file has %lu entries.\n", MAX_LINES, hydra_brains.countpass); + fprintf(stderr, + "[ERROR] Maximum number of passwords is %d, this file has " + "%" hPRIu64 " entries.\n", + MAX_LINES, hydra_brains.countpass); exit(-1); } if (hydra_brains.sizepass > MAX_BYTES) { - fprintf(stderr, "[ERROR] Maximum size of the password file is %d, this file has %lu bytes.\n", MAX_BYTES, (uint64_t) hydra_brains.sizepass); + fprintf(stderr, + "[ERROR] Maximum size of the password file is %d, this file " + "has %" hPRIu64 " bytes.\n", + MAX_BYTES, (uint64_t)hydra_brains.sizepass); exit(-1); } pass_ptr = malloc(hydra_brains.sizepass + hydra_brains.countpass + 8); @@ -3178,7 +3567,8 @@ int main(int argc, char *argv[]) { if (hydra_options.bfg) { #ifdef HAVE_MATH_H if (bf_init(bf_options.arg)) - exit(-1); // error description is handled by bf_init + exit(-1); // error description is handled by bf_init + pass_ptr = bf_next(); hydra_brains.countpass += bf_get_pcount(); hydra_brains.sizepass += BF_BUFLEN; @@ -3197,6 +3587,11 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] File for colon files (login:pass) not found: %s\n", hydra_options.colonfile); exit(-1); } + else if(my_segment && num_segments){ + filecloser = cfp; + cfp = hydra_divide_file(cfp, my_segment, num_segments); + fclose(filecloser); + } hydra_brains.countlogin = countlines(cfp, 1); hydra_brains.sizelogin = size_of_data; if (hydra_brains.countlogin == 0) { 
@@ -3204,11 +3599,17 @@ int main(int argc, char *argv[]) { exit(-1); } if (hydra_brains.countlogin > MAX_LINES / 2) { - fprintf(stderr, "[ERROR] Maximum number of colon file entries is %d, this file has %lu entries.\n", MAX_LINES / 2, hydra_brains.countlogin); + fprintf(stderr, + "[ERROR] Maximum number of colon file entries is %d, this file " + "has %" hPRIu64 " entries.\n", + MAX_LINES / 2, hydra_brains.countlogin); exit(-1); } if (hydra_brains.sizelogin > MAX_BYTES / 2) { - fprintf(stderr, "[ERROR] Maximum size of the colon file is %d, this file has %lu bytes.\n", MAX_BYTES / 2, (uint64_t) hydra_brains.sizelogin); + fprintf(stderr, + "[ERROR] Maximum size of the colon file is %d, this file has " + "%" hPRIu64 " bytes.\n", + MAX_BYTES / 2, (uint64_t)hydra_brains.sizelogin); exit(-1); } csv_ptr = malloc(hydra_brains.sizelogin + 2 * hydra_brains.countlogin + 8); @@ -3216,8 +3617,10 @@ int main(int argc, char *argv[]) { bail("Could not allocate enough memory for colon file data"); memset(csv_ptr, 0, hydra_brains.sizelogin + 2 * hydra_brains.countlogin + 8); fill_mem(csv_ptr, cfp, 1); - //printf("count: %d, size: %d\n", hydra_brains.countlogin, hydra_brains.sizelogin); - //hydra_dump_data(csv_ptr, hydra_brains.sizelogin + hydra_brains.countlogin + 8, "colon data"); + // printf("count: %d, size: %d\n", hydra_brains.countlogin, + // hydra_brains.sizelogin); hydra_dump_data(csv_ptr, + // hydra_brains.sizelogin + // + hydra_brains.countlogin + 8, "colon data"); hydra_brains.countpass = 1; pass_ptr = login_ptr = csv_ptr; while (*pass_ptr != 0) 
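Review bot: The reformatted comment at the end of the second hunk on this line (@@ -3216) has merged two separate commented-out statements into one paragraph, so `hydra_dump_data(csv_ptr,` now sits on the same line as the `printf` text and neither statement can be read back. Commented-out debugging code should either be deleted or kept one statement per `//` line so the formatter leaves it alone, e.g. `// hydra_dump_data(csv_ptr, hydra_brains.sizelogin + hydra_brains.countlogin + 8, "colon data");` on its own line.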
@@ -3232,13 +3635,19 @@ int main(int argc, char *argv[]) { } free(memcheck); if ((rfp = fopen(RESTOREFILE, "r")) != NULL) { - fprintf(stderr, "[WARNING] Restorefile (%s) from a previous session found, to prevent overwriting, %s\n", ignore_restore == 1 ? "ignored ..." : "you have 10 seconds to abort... (use option -I to skip waiting)", RESTOREFILE); + fprintf(stderr, + "[WARNING] Restorefile (%s) from a previous session found, to " + "prevent overwriting, %s\n", + ignore_restore == 1 ? "ignored ..." + : "you have 10 seconds to abort... (use " + "option -I to skip waiting)", + RESTOREFILE); if (ignore_restore != 1) sleep(10); fclose(rfp); } - if (hydra_options.infile_ptr != NULL) { + if (hydra_options.infile_ptr != NULL) { if ((ifp = fopen(hydra_options.infile_ptr, "r")) == NULL) { fprintf(stderr, "[ERROR] File for targets not found: %s\n", hydra_options.infile_ptr); exit(-1); 
@@ -3248,17 +3657,24 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] File for targets is empty: %s\n", hydra_options.infile_ptr); exit(-1); } - // if (countinfile > 60) fprintf(stderr, "[WARNING] the -M option is not working correctly at the moment for target lists > 60!\n"); - hydra_targets = malloc(sizeof(hydra_target*) * (countservers + 2) + 8); + // if (countinfile > 60) fprintf(stderr, "[WARNING] the -M option is not + // working correctly at the moment for target lists > 60!\n"); + hydra_targets = malloc(sizeof(hydra_target *) * (countservers + 2) + 8); if (hydra_targets == NULL) bail("Could not allocate enough memory for target data"); sizeinfile = size_of_data; if (countinfile > MAX_LINES / 1000) { - fprintf(stderr, "[ERROR] Maximum number of target file entries is %d, this file has %d entries.\n", MAX_LINES / 1000, (int32_t) countinfile); + fprintf(stderr, + "[ERROR] Maximum number of target file entries is %d, this " + "file has %d entries.\n", + MAX_LINES / 1000, (int32_t)countinfile); exit(-1); } if (sizeinfile > MAX_BYTES / 1000) { - fprintf(stderr, "[ERROR] Maximum size of the server file is %d, this file has %d bytes.\n", MAX_BYTES / 1000, (int32_t) sizeinfile); + fprintf(stderr, + "[ERROR] Maximum size of the server file is %d, this file has " + "%d bytes.\n", + MAX_BYTES / 1000, (int32_t)sizeinfile); exit(-1); } if ((servers_ptr = malloc(sizeinfile + countservers + 8)) == NULL) @@ -3273,13 +3689,14 @@ int main(int argc, char *argv[]) { if (*tmpptr == '[') { tmpptr++; hydra_targets[i]->target = tmpptr; - if ((tmpptr2 = index(tmpptr, ']')) != NULL) { + if ((tmpptr2 = strchr(tmpptr, ']')) != NULL) { *tmpptr2++ = 0; tmpptr = tmpptr2; } } else hydra_targets[i]->target = tmpptr; - if ((tmpptr2 = index(hydra_targets[i]->target, ':')) != NULL) { + + if ((tmpptr2 = strchr(tmpptr, ':')) != NULL) { *tmpptr2++ = 0; tmpptr = tmpptr2; hydra_targets[i]->port = atoi(tmpptr2); 
@@ -3288,6 +3705,13 @@ int main(int argc, char *argv[]) {
 }
 if (hydra_targets[i]->port == 0)
 hydra_targets[i]->port = hydra_options.port;
+
+ if ((tmpptr3 = strchr(tmpptr, '/')) != NULL) {
+ hydra_targets[i]->miscptr = tmpptr3;
+ }
+ else
+ hydra_targets[i]->miscptr = "/";
+
 while (*tmpptr != 0)
 tmpptr++;
 tmpptr++;
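Review bot: The new `/` handling leaves the path inside the target string when an entry in the -M file carries a path but no port. In that case tmpptr still equals `hydra_targets[i]->target` (the `:` search in the previous hunk did not advance it), so `strchr(tmpptr, '/')` sets miscptr to the path but the host stays `host/path` and later resolution would fail; writing `*tmpptr3 = 0` is not an option because the token walk at the end of the hunk relies on the original bytes. Duplicating the host part instead keeps both intact: inside the new if-block add `if (tmpptr == hydra_targets[i]->target) hydra_targets[i]->target = strndup(tmpptr, tmpptr3 - tmpptr);`. This assumes the lines between the two hunks do not already terminate the host; the enclosing loop starts and ends outside the hunk.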
@@ -3295,77 +3719,83 @@ int main(int argc, char *argv[]) { } else if (hydra_options.server == NULL) { fprintf(stderr, "Error: no target server given, nor -M option used\n"); exit(-1); - } else if (index(hydra_options.server, '/') != NULL) { - if (cmdtarget == NULL) - bail("You seem to mix up \"service://target:port/options\" syntax with \"target service options\" syntax. Read the README on how to use hydra correctly!"); - if (strstr(cmdtarget, "://") != NULL) { - tmpptr = index(hydra_options.server, '/'); - if (tmpptr != NULL) - *tmpptr = 0; - countservers = hydra_brains.targets = 1; - hydra_targets = malloc(sizeof(hydra_target*) * 4); - hydra_targets[0] = malloc(sizeof(hydra_target)); - memset(hydra_targets[0], 0, sizeof(hydra_target)); - hydra_targets[0]->target = servers_ptr = hydra_options.server; - hydra_targets[0]->port = hydra_options.port; - sizeservers = strlen(hydra_options.server) + 1; - } else { - /* CIDR notation on command line, e.g. 192.168.0.0/24 */ - uint32_t four_from, four_to, addr_cur, addr_cur2, k, l; - in_addr_t addr4; - struct sockaddr_in target; + } else if (strchr(hydra_options.server, '/') != NULL) { + if (cmdlinetarget == NULL) + bail("You seem to mix up \"service://target:port/options\" syntax with " + "\"target service options\" syntax. Read the README on how to use " + "hydra correctly!"); + if (strstr(cmdlinetarget, "://") != NULL) { + tmpptr = strchr(hydra_options.server, '/'); + if (tmpptr != NULL) + *tmpptr = 0; + countservers = hydra_brains.targets = 1; + hydra_targets = malloc(sizeof(hydra_target *) * 4); + hydra_targets[0] = malloc(sizeof(hydra_target)); + memset(hydra_targets[0], 0, sizeof(hydra_target)); + hydra_targets[0]->target = servers_ptr = hydra_options.server; + hydra_targets[0]->port = hydra_options.port; + hydra_targets[0]->miscptr = hydra_options.miscptr; + sizeservers = strlen(hydra_options.server) + 1; + } else { + /* CIDR notation on command line, e.g. 
192.168.0.0/24 */ + uint32_t four_from, four_to, addr_cur, addr_cur2, k, l; + in_addr_t addr4; + struct sockaddr_in target; - hydra_options.cidr = 1; - do_retry = 0; - if ((tmpptr = malloc(strlen(hydra_options.server) + 1)) == NULL) { - fprintf(stderr, "Error: can not allocate memory\n"); - exit(-1); + hydra_options.cidr = 1; + do_retry = 0; + if ((tmpptr = malloc(strlen(hydra_options.server) + 1)) == NULL) { + fprintf(stderr, "Error: can not allocate memory\n"); + exit(-1); + } + strcpy(tmpptr, hydra_options.server); + tmpptr2 = strchr(tmpptr, '/'); + *tmpptr2++ = 0; + if ((k = atoi(tmpptr2)) < 16 || k > 31) { + fprintf(stderr, "Error: network size may only be between /16 and /31: %s\n", hydra_options.server); + exit(-1); + } + if ((addr4 = htonl(inet_addr(tmpptr))) == 0xffffffff) { + fprintf(stderr, "Error: option is not a valid IPv4 address: %s\n", tmpptr); + exit(-1); + } + free(tmpptr); + l = 1 << (32 - k); + l--; + four_to = (addr4 | l); + l = 0xffffffff - l; + four_from = (addr4 & l); + l = 1 << (32 - k); + hydra_brains.targets = countservers = l; + hydra_targets = (hydra_target **)malloc(sizeof(hydra_target *) * (l + 2) + 8); + if (hydra_targets == NULL) + bail("Could not allocate enough memory for target data"); + i = 0; + addr_cur = four_from; + while (addr_cur <= four_to && i < l) { + hydra_targets[i] = malloc(sizeof(hydra_target)); + memset(hydra_targets[i], 0, sizeof(hydra_target)); + addr_cur2 = htonl(addr_cur); + memcpy(&target.sin_addr.s_addr, (char *)&addr_cur2, 4); + hydra_targets[i]->target = strdup(inet_ntoa((struct in_addr)target.sin_addr)); + hydra_targets[i]->port = hydra_options.port; + hydra_targets[i]->miscptr = hydra_options.miscptr; + addr_cur++; + i++; + } + if (verbose) + printf("[VERBOSE] CIDR attack from %s to %s\n", hydra_targets[0]->target, hydra_targets[l - 1]->target); + printf("[WARNING] The CIDR attack mode is still beta. 
Please report " + "issues.\n"); } - strcpy(tmpptr, hydra_options.server); - tmpptr2 = index(tmpptr, '/'); - *tmpptr2++ = 0; - if ((k = atoi(tmpptr2)) < 16 || k > 31) { - fprintf(stderr, "Error: network size may only be between /16 and /31: %s\n", hydra_options.server); - exit(-1); - } - if ((addr4 = htonl(inet_addr(tmpptr))) == 0xffffffff) { - fprintf(stderr, "Error: option is not a valid IPv4 address: %s\n", tmpptr); - exit(-1); - } - free(tmpptr); - l = 1 << (32 - k); - l--; - four_to = (addr4 | l); - l = 0xffffffff - l; - four_from = (addr4 & l); - l = 1 << (32 - k); - hydra_brains.targets = countservers = l; - hydra_targets = (hydra_target**)malloc(sizeof(hydra_target*) * (l + 2) + 8); - if (hydra_targets == NULL) - bail("Could not allocate enough memory for target data"); - i = 0; - addr_cur = four_from; - while (addr_cur <= four_to && i < l) { - hydra_targets[i] = malloc(sizeof(hydra_target)); - memset(hydra_targets[i], 0, sizeof(hydra_target)); - addr_cur2 = htonl(addr_cur); - memcpy(&target.sin_addr.s_addr, (char *) &addr_cur2, 4); - hydra_targets[i]->target = strdup(inet_ntoa((struct in_addr) target.sin_addr)); - hydra_targets[i]->port = hydra_options.port; - addr_cur++; - i++; - } - if (verbose) - printf("[VERBOSE] CIDR attack from %s to %s\n", hydra_targets[0]->target, hydra_targets[l - 1]->target); - printf("[WARNING] The CIDR attack mode is still beta. 
Please report issues.\n"); - } - } else { // standard: single target on command line + } else { // standard: single target on command line countservers = hydra_brains.targets = 1; - hydra_targets = malloc(sizeof(hydra_target*) * 4); + hydra_targets = malloc(sizeof(hydra_target *) * 4); hydra_targets[0] = malloc(sizeof(hydra_target)); memset(hydra_targets[0], 0, sizeof(hydra_target)); hydra_targets[0]->target = servers_ptr = hydra_options.server; hydra_targets[0]->port = hydra_options.port; + hydra_targets[0]->miscptr = hydra_options.miscptr; sizeservers = strlen(hydra_options.server) + 1; } for (i = 0; i < hydra_brains.targets; i++) { @@ -3383,7 +3813,7 @@ int main(int argc, char *argv[]) { hydra_targets[i]->pass_state = 3; } } - } // END OF restore == 0 + } // END OF restore == 0 // PROXY PROCESSING if (getenv("HYDRA_PROXY") && use_proxy == 0) { @@ -3395,13 +3825,18 @@ int main(int argc, char *argv[]) { if (use_proxy == 2) proxy_string = getenv("HYDRA_PROXY"); if (use_proxy && getenv("HYDRA_PROXY_AUTH") != NULL) - fprintf(stderr, "[WARNING] environment variable HYDRA_PROXY_AUTH is deprecated, use authentication in the HYDRA_PROXY definitions, e.g. type://auth@target:port\n"); + fprintf(stderr, "[WARNING] environment variable HYDRA_PROXY_AUTH is " + "deprecated, use authentication in the HYDRA_PROXY " + "definitions, e.g. type://auth@target:port\n"); if (use_proxy && proxy_string != NULL) { if (strstr(proxy_string, "://") != NULL) { process_proxy_line(use_proxy, proxy_string); } else { if ((proxyfp = fopen(proxy_string, "r")) == NULL) { - fprintf(stderr, "[ERROR] proxy definition %s is neither of the kind type://auth@target:port nor a file containing proxy entries!\n", proxy_string); + fprintf(stderr, + "[ERROR] proxy definition %s is neither of the kind " + "type://auth@target:port nor a file containing proxy entries!\n", + proxy_string); exit(-1); } while (fgets(buf, sizeof(buf), proxyfp) != NULL) 
@@ -3431,12 +3866,14 @@ int main(int argc, char *argv[]) { bail("No login/password combination given!"); if (hydra_brains.todo < hydra_options.tasks) { if (verbose && hydra_options.tasks != TASKS) - printf("[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to %lu\n", hydra_brains.todo); + printf("[VERBOSE] More tasks defined than login/pass pairs exist. " + "Tasks reduced to %" hPRIu64 "\n", + hydra_brains.todo); hydra_options.tasks = hydra_brains.todo; } } - if (hydra_options.max_use == MAXTASKS) { // only if it was not set via -T + if (hydra_options.max_use == MAXTASKS) { // only if it was not set via -T if (hydra_options.max_use < hydra_brains.targets * hydra_options.tasks) hydra_options.max_use = hydra_brains.targets * hydra_options.tasks; if (hydra_options.max_use > MAXTASKS) @@ -3445,10 +3882,13 @@ int main(int argc, char *argv[]) { if ((hydra_options.tasks == TASKS || hydra_options.tasks <= 8) && hydra_options.max_use < hydra_brains.targets * hydra_options.tasks) { if ((hydra_options.tasks = hydra_options.max_use / hydra_brains.targets) == 0) hydra_options.tasks = 1; - //fprintf(stderr, "[WARNING] More tasks defined per server than allowed for maximal connections. Tasks per server reduced to %d.\n", hydra_options.tasks); + // fprintf(stderr, "[WARNING] More tasks defined per server than allowed for + // maximal connections. Tasks per server reduced to %d.\n", + // hydra_options.tasks); } else { if (hydra_options.tasks > MAXTASKS) { - //fprintf(stderr, "[WARNING] reducing tasks to MAXTASKS (%d)\n", MAXTASKS); + // fprintf(stderr, "[WARNING] reducing tasks to MAXTASKS (%d)\n", + // MAXTASKS); hydra_options.tasks = MAXTASKS; } } 
@@ -3466,26 +3906,20 @@ int main(int argc, char *argv[]) { if (hydra_options.ssl) options = options | OPTION_SSL; - printf("[DATA] max %d task%s per %d server%s, overall %d task%s, %lu login tr", - hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s", - hydra_brains.targets, hydra_brains.targets == 1 ? "" : "s", - hydra_options.max_use, hydra_options.max_use == 1 ? "" : "s", - hydra_brains.todo); + printf("[DATA] max %d task%s per %d server%s, overall %d task%s, %" hPRIu64 " login tr", hydra_options.tasks, hydra_options.tasks == 1 ? "" : "s", hydra_brains.targets, hydra_brains.targets == 1 ? "" : "s", hydra_options.max_use, hydra_options.max_use == 1 ? "" : "s", hydra_brains.todo); printf("%s", hydra_brains.todo == 1 ? "y" : "ies"); if (hydra_options.colonfile == NULL) { - printf(" (l:%lu/p:%lu), ~%lu tr", - (uint64_t) hydra_brains.countlogin, (uint64_t) hydra_brains.countpass, - math2); + printf(" (l:%" hPRIu64 "/p:%" hPRIu64 "), ~%" hPRIu64 " tr", (uint64_t)hydra_brains.countlogin, (uint64_t)hydra_brains.countpass, math2); } else { - printf(", ~%lu tr", math2); + printf(", ~%" hPRIu64 " tr", math2); } printf("%s", math2 == 1 ? "y" : "ies"); printf(" per task\n"); if (hydra_brains.targets == 1) { - if (index(hydra_targets[0]->target, ':') == NULL) { + if (strchr(hydra_targets[0]->target, ':') == NULL) { printf("[DATA] attacking %s%s://%s:", hydra_options.service, hydra_options.ssl == 1 ? "s" : "", hydra_targets[0]->target); - printf("%d%s%s\n", port, hydra_options.miscptr == NULL || hydra_options.miscptr[0] != '/' ? "/" : "", hydra_options.miscptr != NULL ? hydra_options.miscptr : ""); + printf("%d%s%s\n", port, hydra_options.miscptr == NULL || hydra_options.miscptr[0] != '/' ? "/" : "", hydra_options.miscptr != NULL ? hydra_options.miscptr : ""); } else { printf("[DATA] attacking %s%s://[%s]:", hydra_options.service, hydra_options.ssl == 1 ? 
"s" : "", hydra_targets[0]->target); printf("%d%s%s\n", port, hydra_options.miscptr == NULL || hydra_options.miscptr[0] != '/' ? "/" : "", hydra_options.miscptr != NULL ? hydra_options.miscptr : ""); 
@@ -3494,31 +3928,39 @@ int main(int argc, char *argv[]) { printf("[DATA] attacking %s%s://(%d targets):", hydra_options.service, hydra_options.ssl == 1 ? "s" : "", hydra_brains.targets); printf("%d%s%s\n", port, hydra_options.miscptr == NULL || hydra_options.miscptr[0] != '/' ? "/" : "", hydra_options.miscptr != NULL ? hydra_options.miscptr : ""); } - //service %s on port %d%s\n", hydra_options.service, port, hydra_options.ssl == 1 ? " with SSL" : ""); -// if (hydra_options.miscptr != NULL && hydra_options.miscptr[0] != 0) -// printf("[DATA] with additional data %s\n", hydra_options.miscptr); + // service %s on port %d%s\n", hydra_options.service, port, hydra_options.ssl + // == 1 ? " with SSL" : ""); + // if (hydra_options.miscptr != NULL && hydra_options.miscptr[0] != 0) + // printf("[DATA] with additional data %s\n", hydra_options.miscptr); if (hydra_options.outfile_ptr != NULL) { - if ((hydra_brains.ofp = fopen(hydra_options.outfile_ptr, "a+")) == NULL) { + char outfile_open_type[] = "a+"; // Default open in a+ mode + if (hydra_options.outfile_format == FORMAT_JSONV1 && hydra_options.restore != 1) { + outfile_open_type[0] = 'w'; // Creat new outfile, if using JSON output and + // not using -R. The open mode should be "w+". + } + if ((hydra_brains.ofp = fopen(hydra_options.outfile_ptr, outfile_open_type)) == NULL) { perror("[ERROR] Error creating outputfile"); exit(-1); } if (hydra_options.outfile_format == FORMAT_JSONV1) { - fprintf(hydra_brains.ofp, "{ \"generator\": {\n" - "\t\"software\": \"%s\", \"version\": \"%s\", \"built\": \"%s\",\n" - "\t\"server\": \"%s\", \"service\": \"%s\", \"jsonoutputversion\": \"1.00\",\n" - "\t\"commandline\": \"%s", - PROGRAM, VERSION, hydra_build_time(), - hydra_options.server == NULL ? 
hydra_options.infile_ptr : hydra_options.server, hydra_options.service, prg); - for (i = 1; i < argc; i++) { - char *t = hydra_string_replace(argv[i],"\"","\\\""); - fprintf(hydra_brains.ofp, " %s", t); - free(t); + if (hydra_options.restore != 1) { // No JSON head while using -R + fprintf(hydra_brains.ofp, + "{ \"generator\": {\n" + "\t\"software\": \"%s\", \"version\": \"%s\", \"built\": \"%s\",\n" + "\t\"server\": \"%s\", \"service\": \"%s\", \"jsonoutputversion\": " + "\"1.00\",\n" + "\t\"commandline\": \"%s", + PROGRAM, VERSION, hydra_build_time(), hydra_options.server == NULL ? hydra_options.infile_ptr : hydra_options.server, hydra_options.service, prg); + for (i = 1; i < argc; i++) { + char *t = hydra_string_replace(argv[i], "\"", "\\\""); + fprintf(hydra_brains.ofp, " %s", t); + free(t); + } + fprintf(hydra_brains.ofp, "\"\n\t},\n\"results\": ["); } - fprintf(hydra_brains.ofp, "\"\n\t},\n\"results\": ["); } else { // else default is plain text aka == 0 - fprintf(hydra_brains.ofp, "# %s %s run at %s on %s %s (%s", PROGRAM, VERSION, hydra_build_time(), - hydra_options.server == NULL ? hydra_options.infile_ptr : hydra_options.server, hydra_options.service, prg); + fprintf(hydra_brains.ofp, "# %s %s run at %s on %s %s (%s", PROGRAM, VERSION, hydra_build_time(), hydra_options.server == NULL ? hydra_options.infile_ptr : hydra_options.server, hydra_options.service, prg); for (i = 1; i < argc; i++) fprintf(hydra_brains.ofp, " %s", argv[i]); fprintf(hydra_brains.ofp, ")\n"); @@ -3551,7 +3993,7 @@ int main(int argc, char *argv[]) { #ifdef AF_INET6 ipv6 = NULL; #endif - if ((device = index(hydra_targets[i]->target, '%')) != NULL) + if ((device = strchr(hydra_targets[i]->target, '%')) != NULL) *device++ = 0; if (getaddrinfo(hydra_targets[i]->target, NULL, &hints, &res) != 0) { if (use_proxy == 0) { 
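Review bot: Switching the JSON outfile to `w+` (`outfile_open_type[0] = 'w'`) silently truncates an existing -o file on every run that is not a restore, whereas the plain-text path still appends, so a user who reuses an outfile across runs loses earlier findings without notice. Either keep append and handle the JSON framing, or at least report it, e.g. an fprintf of `[WARNING] overwriting existing output file %s (JSON output does not append)` before the fopen when the file already exists. The comment on that line should say why rather than restate the mode: `// JSON output must be a single document, so start a fresh file unless resuming with -R` (and "Creat" is a typo). How the `results` array is closed on exit and continued on -R is outside this hunk, so the resume case is worth checking there too.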
@@ -3567,30 +4009,36 @@ int main(int argc, char *argv[]) { #ifdef AF_INET6 if (p->ai_family == AF_INET6) { if (ipv6 == NULL) - ipv6 = (struct sockaddr_in6 *) p->ai_addr; + ipv6 = (struct sockaddr_in6 *)p->ai_addr; } else #endif - if (p->ai_family == AF_INET) { + if (p->ai_family == AF_INET) { if (ipv4 == NULL) - ipv4 = (struct sockaddr_in *) p->ai_addr; + ipv4 = (struct sockaddr_in *)p->ai_addr; } } #ifdef AF_INET6 if (ipv6 != NULL && (ipv4 == NULL || prefer_ipv6)) { // IPV6 FIXME if ((strcmp(hydra_options.service, "socks5") == 0) || (strcmp(hydra_options.service, "sip") == 0)) { - fprintf(stderr, "[ERROR] Target %s resolves to an IPv6 address, however module %s does not support this. Maybe try \"-4\" option. Sending in patches helps.\n", + fprintf(stderr, + "[ERROR] Target %s resolves to an IPv6 address, however " + "module %s does not support this. Maybe try \"-4\" option. " + "Sending in patches helps.\n", hydra_targets[i]->target, hydra_options.service); hydra_targets[i]->done = TARGET_UNRESOLVED; hydra_brains.finished++; } else { hydra_targets[i]->ip[0] = 16; - memcpy(&hydra_targets[i]->ip[1], (char *) &ipv6->sin6_addr, 16); + memcpy(&hydra_targets[i]->ip[1], (char *)&ipv6->sin6_addr, 16); if (device != NULL && strlen(device) <= 16) strcpy(&hydra_targets[i]->ip[17], device); if (memcmp(&hydra_targets[i]->ip[17], fe80, 2) == 0) { if (device == NULL) { - fprintf(stderr, "[ERROR] The target %s address is a link local address, link local addresses require the interface being defined like this: fe80::1%%eth0\n", + fprintf(stderr, + "[ERROR] The target %s address is a link local address, " + "link local addresses require the interface being " + "defined like this: fe80::1%%eth0\n", hydra_targets[i]->target); exit(-1); } 
@@ -3598,9 +4046,9 @@ int main(int argc, char *argv[]) { } } else #endif - if (ipv4 != NULL) { + if (ipv4 != NULL) { hydra_targets[i]->ip[0] = 4; - memcpy(&hydra_targets[i]->ip[1], (char *) &ipv4->sin_addr, 4); + memcpy(&hydra_targets[i]->ip[1], (char *)&ipv4->sin_addr, 4); } else { if (verbose) printf("[failed for %s] ", hydra_targets[i]->target); @@ -3611,10 +4059,12 @@ int main(int argc, char *argv[]) { } freeaddrinfo(res); } - // restore device information if present + // restore device information if present (overwrite null bytes) if (device != NULL) { - *(device - 1) = '%'; - fprintf(stderr, "[WARNING] not all modules support BINDTODEVICE for IPv6 link local addresses, e.g. SSH does not\n"); + char *tmpptr = device - 1; + *tmpptr = '%'; // you can ignore the compiler warning + fprintf(stderr, "[WARNING] not all modules support BINDTODEVICE for IPv6 " + "link local addresses, e.g. SSH does not\n"); } } if (verbose) @@ -3624,12 +4074,16 @@ int main(int argc, char *argv[]) { #ifndef SO_BINDTODEVICE if (device != NULL) { - fprintf(stderr, "[ERROR] your operating system does not support SO_BINDTODEVICE or IP_FORCE_OUT_IFP, dunno how to bind the IPv6 address to the interface %s!\n", device); + fprintf(stderr, + "[ERROR] your operating system does not support SO_BINDTODEVICE or " + "IP_FORCE_OUT_IFP, dunno how to bind the IPv6 address to the " + "interface %s!\n", + device); } #endif if (hydra_options.restore == 0) { - hydra_heads = malloc(sizeof(hydra_head*) * hydra_options.max_use); + hydra_heads = malloc(sizeof(hydra_head *) * hydra_options.max_use); target_no = 0; for (i = 0; i < hydra_options.max_use; i++) { hydra_heads[i] = malloc(sizeof(hydra_head)); 
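Review bot: In the @@ -3611 hunk the new local `char *tmpptr = device - 1;` shadows the function-wide `tmpptr` used elsewhere in main(), and the attached comment `// you can ignore the compiler warning` does not say which warning is meant or why it is safe. The old one-liner `*(device - 1) = '%';` is clearer; if a diagnostic needs silencing, name it in the comment. What the write does is also worth stating, since the matching `*device++ = 0` in the @@ -3551 hunk is far away: `// put back the '%' that was replaced by a NUL before getaddrinfo() so the target string reads as the user gave it`.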
@@ -3639,7 +4093,8 @@ int main(int argc, char *argv[]) { // here we call the init function of the relevant service module // should we do the init centrally or should each child do that? // that depends largely on the number of targets and maximum tasks - // if (hydra_brains.targets == 1 || (hydra_brains.targets < 4 && hydra_options.tasks / hydra_brains.targets > 4 && hydra_brains.todo > 15)) + // if (hydra_brains.targets == 1 || (hydra_brains.targets < 4 && + // hydra_options.tasks / hydra_brains.targets > 4 && hydra_brains.todo > 15)) for (i = 0; i < hydra_brains.targets; i++) hydra_service_init(i); @@ -3648,11 +4103,12 @@ int main(int argc, char *argv[]) { fflush(stderr); fflush(hydra_brains.ofp); - #if OPENSSL_VERSION_NUMBER >= 0x10100000L if (hydra_options.ssl) { fprintf(stderr, "[WARNING] *****************************************************\n"); - fprintf(stderr, "[WARNING] OPENSSL v1.1 development changes are active - modules SMB, SNMP, RDP, ORACLE LISTENER and SSL in general might not work properly! Please test and report to vh@thc.org.\n"); + fprintf(stderr, "[WARNING] OPENSSL v1.1 development changes are active - modules " + "SMB, SNMP, RDP, ORACLE LISTENER and SSL in general might not work " + "properly! Please test and report to vh@thc.org.\n"); fprintf(stderr, "[WARNING] *****************************************************\n"); } #endif @@ -3660,7 +4116,8 @@ int main(int argc, char *argv[]) { hydra_debug(0, "attack"); process_restore = 1; - // this is the big function which starts the attacking children, feeds login/password pairs, etc.! + // this is the big function which starts the attacking children, feeds + // login/password pairs, etc.! while (exit_condition == 0) { memset(&fdreadheads, 0, sizeof(fdreadheads)); max_fd = 0; 
@@ -3678,7 +4135,7 @@ int main(int argc, char *argv[]) { for (head_no = 0; head_no < hydra_options.max_use; head_no++) { if (debug > 1 && hydra_heads[head_no]->active != HEAD_DISABLED) printf("[DEBUG] head_no[%d] to target_no %d active %d\n", head_no, hydra_heads[head_no]->target_no, hydra_heads[head_no]->active); - + switch (hydra_heads[head_no]->active) { case HEAD_DISABLED: break; @@ -3694,10 +4151,12 @@ int main(int argc, char *argv[]) { printf("[DEBUG] child %d got target %d selected\n", head_no, hydra_heads[head_no]->target_no); if (hydra_heads[head_no]->target_no < 0) { if (debug) - printf("[DEBUG] hydra_select_target() reports no more targets left\n"); + printf("[DEBUG] hydra_select_target() reports no more targets " + "left\n"); hydra_kill_head(head_no, 0, 3); } else - hydra_spawn_head(head_no, hydra_heads[head_no]->target_no); // target_no is ignored if head->redo == 1 + hydra_spawn_head(head_no, + hydra_heads[head_no]->target_no); // target_no is ignored if head->redo == 1 } break; case HEAD_ACTIVE: @@ -3705,7 +4164,7 @@ int main(int argc, char *argv[]) { do_switch = 1; if (hydra_options.time_next_attempt > 0) { if (last_attempt + hydra_options.time_next_attempt >= time(NULL)) { - if (recv(hydra_heads[head_no]->sp[0], &rc, 1, MSG_PEEK) == 1 && (rc == 'N' || rc == 'n')) + if (recv(hydra_heads[head_no]->sp[0], &rc, 1, MSG_PEEK) == 1 && (rc == 'N' || rc == 'n')) do_switch = 0; } else last_attempt = time(NULL); 
@@ -3719,86 +4178,81 @@ int main(int argc, char *argv[]) { printf("[DEBUG] head_no[%d] read %c\n", head_no, rc); switch (rc) { // Valid Results: - // n - mother says to itself that child requests next login/password pair - // N - child requests next login/password pair - // Q - child reports that it is quitting - // C - child reports connect error (and is quitting) - // E - child reports protocol error (and is quitting) - // f - child reports that the username does not exist - // F - child reports that it found a valid login/password pair - // and requests next pair. Sends login/pw pair with next msg! - case 'N': // head wants next pair + // n - mother says to itself that child requests next + // login/password pair N - child requests next login/password + // pair Q - child reports that it is quitting C - child reports + // connect error (and is quitting) E - child reports protocol + // error (and is quitting) f - child reports that the username + // does not exist F - child reports that it found a valid + // login/password pair + // and requests next pair. Sends login/pw pair with next + // msg! 
+ case 'N': // head wants next pair hydra_targets[hydra_heads[head_no]->target_no]->ok = 1; if (hydra_targets[hydra_heads[head_no]->target_no]->fail_count > 0) hydra_targets[hydra_heads[head_no]->target_no]->fail_count--; // no break here - case 'n': // mother sends this to itself initially + case 'n': // mother sends this to itself initially loop_cnt = 0; if (hydra_send_next_pair(hydra_heads[head_no]->target_no, head_no) == -1) hydra_kill_head(head_no, 1, 0); break; - - case 'F': // valid password found + + case 'F': // valid password found hydra_brains.found++; if (colored_output) { if (hydra_heads[head_no]->current_login_ptr == NULL || strlen(hydra_heads[head_no]->current_login_ptr) == 0) { if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) - printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: \e[1;32m%s\e[0m\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target); + printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: " + "\e[1;32m%s\e[0m\n", + hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target); else - printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: \e[1;32m%s\e[0m password: \e[1;32m%s\e[0m\n", hydra_targets[hydra_heads[head_no]->target_no]->port, - hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_pass_ptr); + printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: " + "\e[1;32m%s\e[0m password: \e[1;32m%s\e[0m\n", + hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_pass_ptr); } else if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) { - printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: \e[1;32m%s\e[0m login: \e[1;32m%s\e[0m\n", 
hydra_targets[hydra_heads[head_no]->target_no]->port, - hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); + printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: " + "\e[1;32m%s\e[0m login: \e[1;32m%s\e[0m\n", + hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); } else - printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: \e[1;32m%s\e[0m login: \e[1;32m%s\e[0m password: \e[1;32m%s\e[0m\n", - hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, - hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); + printf("[\e[1;32m%d\e[0m][\e[1;32m%s\e[0m] host: " + "\e[1;32m%s\e[0m login: \e[1;32m%s\e[0m password: " + "\e[1;32m%s\e[0m\n", + hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); } else { if (hydra_heads[head_no]->current_login_ptr == NULL || strlen(hydra_heads[head_no]->current_login_ptr) == 0) { if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) - printf("[%d][%s] host: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target); + printf("[%d][%s] host: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target); else - printf("[%d][%s] host: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_pass_ptr); + printf("[%d][%s] host: %s password: %s\n", 
hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_pass_ptr); } else if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) { - printf("[%d][%s] host: %s login: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); + printf("[%d][%s] host: %s login: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); } else - printf("[%d][%s] host: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); + printf("[%d][%s] host: %s misc: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_targets[hydra_heads[head_no]->target_no]->miscptr, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); } if (hydra_options.outfile_format == FORMAT_JSONV1 && hydra_options.outfile_ptr != NULL && hydra_brains.ofp != NULL) { - fprintf(hydra_brains.ofp, "%s\n\t{\"port\": %d, \"service\": \"%s\", \"host\": \"%s\", \"login\": \"%s\", \"password\": \"%s\"}", - hydra_brains.found == 1 ? "" : ",", // prefix a comma if not first finding - hydra_targets[hydra_heads[head_no]->target_no]->port, - hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target !=NULL ? hydra_targets[hydra_heads[head_no]->target_no]->target : "", - hydra_heads[head_no]->current_login_ptr !=NULL ? 
hydra_string_replace(hydra_heads[head_no]->current_login_ptr,"\"","\\\"") : "", - hydra_heads[head_no]->current_pass_ptr != NULL ? hydra_string_replace(hydra_heads[head_no]->current_pass_ptr,"\"","\\\"") : "" - ); + fprintf(hydra_brains.ofp, + "%s\n\t{\"port\": %d, \"service\": \"%s\", \"host\": " + "\"%s\", \"login\": \"%s\", \"password\": \"%s\"}", + hydra_brains.found == 1 ? "" : ",", // prefix a comma if not first finding + hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target != NULL ? hydra_targets[hydra_heads[head_no]->target_no]->target : "", hydra_heads[head_no]->current_login_ptr != NULL ? hydra_string_replace(hydra_heads[head_no]->current_login_ptr, "\"", "\\\"") : "", hydra_heads[head_no]->current_pass_ptr != NULL ? hydra_string_replace(hydra_heads[head_no]->current_pass_ptr, "\"", "\\\"") : ""); fflush(hydra_brains.ofp); - } else if (hydra_options.outfile_ptr != NULL && hydra_brains.ofp != NULL) { // else output format == 0 aka text + } else if (hydra_options.outfile_ptr != NULL && hydra_brains.ofp != NULL) { // else output format == 0 aka text if (hydra_heads[head_no]->current_login_ptr == NULL || strlen(hydra_heads[head_no]->current_login_ptr) == 0) { if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) - fprintf(hydra_brains.ofp, "[%d][%s] host: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target); + fprintf(hydra_brains.ofp, "[%d][%s] host: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target); else - fprintf(hydra_brains.ofp, "[%d][%s] host: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_pass_ptr); + 
fprintf(hydra_brains.ofp, "[%d][%s] host: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_pass_ptr); } else if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) { - fprintf(hydra_brains.ofp, "[%d][%s] host: %s login: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); + fprintf(hydra_brains.ofp, "[%d][%s] host: %s login: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); } else - fprintf(hydra_brains.ofp, "[%d][%s] host: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); + fprintf(hydra_brains.ofp, "[%d][%s] host: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); fflush(hydra_brains.ofp); } - if (hydra_options.exit_found) { // option set says quit target after on valid login/pass pair is found + if (hydra_options.exit_found) { // option set says quit target after on + // valid login/pass pair is found if (hydra_targets[hydra_heads[head_no]->target_no]->done == TARGET_ACTIVE) { - hydra_targets[hydra_heads[head_no]->target_no]->done = TARGET_FINISHED; // mark target as done + hydra_targets[hydra_heads[head_no]->target_no]->done = TARGET_FINISHED; // mark target as done hydra_brains.finished++; printf("[STATUS] attack finished for %s (valid 
pair found)\n", hydra_targets[hydra_heads[head_no]->target_no]->target); } @@ -3807,7 +4261,7 @@ int main(int argc, char *argv[]) { if (hydra_targets[j]->done == TARGET_ACTIVE) { hydra_targets[j]->done = TARGET_FINISHED; hydra_brains.finished++; - } + } } for (j = 0; j < hydra_options.max_use; j++) if (hydra_heads[j]->active >= 0 && (hydra_heads[j]->target_no == target_no || hydra_options.exit_found == 2)) { @@ -3819,7 +4273,7 @@ int main(int argc, char *argv[]) { continue; } // fall through - case 'f': // username identified as invalid + case 'f': // username identified as invalid hydra_targets[hydra_heads[head_no]->target_no]->ok = 1; if (hydra_targets[hydra_heads[head_no]->target_no]->fail_count > 0) hydra_targets[hydra_heads[head_no]->target_no]->fail_count--; 
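Review bot: The new uncoloured stdout line in the 'F' arm passes `hydra_targets[hydra_heads[head_no]->target_no]->miscptr` to a `%s` conversion without a NULL check, while the login and password pointers in the same branch are guarded by the surrounding `if`s; printf with a NULL `%s` argument is undefined behaviour (glibc prints "(null)", other libcs crash), and miscptr is plausibly unset for modules that take no extra option. It is also the only one of the eight output branches that prints `misc:`, so the coloured stdout line and the text and JSON file records for the same finding no longer agree with it. Guard it as `hydra_targets[hydra_heads[head_no]->target_no]->miscptr != NULL ? hydra_targets[hydra_heads[head_no]->target_no]->miscptr : ""` and either add the field to the other branches or drop it here. On the JSON record, hydra_string_replace escapes only `"`, so a backslash or control character in login/password, or a `"` in target/service (not escaped at all), yields invalid JSON; that predates this commit, but the rewritten fprintf is the place to fix it. main() continues on both sides of the hunk.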
@@ -3828,34 +4282,55 @@ int main(int argc, char *argv[]) { hydra_skip_user(hydra_heads[head_no]->target_no, buf); fck = write(hydra_heads[head_no]->sp[1], "n", 1); // small hack break; - + + case 'D': // disable target, unknown protocol or feature + for (j = 0; j < hydra_brains.targets; j++) + if (hydra_targets[j]->done == TARGET_ACTIVE) { + hydra_targets[j]->done = TARGET_FINISHED; + hydra_brains.finished++; + } + for (j = 0; j < hydra_options.max_use; j++) + if (hydra_heads[j]->active >= 0 && hydra_heads[j]->target_no == target_no) { + if (hydra_brains.targets > hydra_brains.finished) + hydra_kill_head(j, 1, 0); // kill all heads working on the target + else + hydra_kill_head(j, 1, 2); // kill all heads working on the target + } + break; + // we do not make a difference between 'C' and 'E' results - yet - case 'E': // head reports protocol error - case 'C': // head reports connect error + case 'E': // head reports protocol error + case 'C': // head reports connect error fck = write(hydra_heads[head_no]->sp[0], "Q", 1); if (debug) { - printf("[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu\n", - hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, - hydra_targets[hydra_heads[head_no]->target_no]->sent, hydra_brains.todo); + printf("[ATTEMPT-ERROR] target %s - login \"%s\" - pass " + "\"%s\" - child %d - %" hPRIu64 " of %" hPRIu64 "\n", + hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, hydra_targets[hydra_heads[head_no]->target_no]->sent, hydra_brains.todo); } hydra_increase_fail_count(hydra_heads[head_no]->target_no, head_no); break; - case 'Q': // head reports its quitting + case 'Q': // head reports its quitting fck = write(hydra_heads[head_no]->sp[0], "Q", 1); if (debug) printf("[DEBUG] child %d reported it quit\n", head_no); 
hydra_kill_head(head_no, 1, 0); break; - + default: - fprintf(stderr, "[ERROR] child %d sent nonsense data, killing and restarting it!\n", head_no); + fprintf(stderr, + "[ERROR] child %d sent nonsense data, killing and " + "restarting it!\n", + head_no); hydra_increase_fail_count(hydra_heads[head_no]->target_no, head_no); } // end switch - } // readres + } // readres if (readres == -1) { if (verbose) - fprintf(stderr, "[WARNING] child %d seems to have died, restarting (this only happens if a module is bad) ... \n", head_no); + fprintf(stderr, + "[WARNING] child %d seems to have died, restarting " + "(this only happens if a module is bad) ... \n", + head_no); hydra_increase_fail_count(hydra_heads[head_no]->target_no, head_no); } } // end do_switch @@ -3865,11 +4340,15 @@ int main(int argc, char *argv[]) { if (tmp_time > waittime + hydra_heads[head_no]->last_seen) { if (kill(hydra_heads[head_no]->pid, 0) < 0) { if (verbose) - fprintf(stderr, "[WARNING] child %d seems to be dead, restarting it ...\n", head_no); + fprintf(stderr, + "[WARNING] child %d seems to be dead, restarting it " + "...\n", + head_no); hydra_increase_fail_count(hydra_heads[head_no]->target_no, head_no); } } - // if we do not get to hear anything for a longer time assume its dead + // if we do not get to hear anything for a longer time assume its + // dead if (tmp_time > waittime * 2 + hydra_heads[head_no]->last_seen) { if (verbose) fprintf(stderr, "[WARNING] timeout from child %d, restarting\n", head_no); 
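Review bot: In the new `case 'D'` the kill loop compares `hydra_heads[j]->target_no` against `target_no`, but nothing in this arm assigns it; the only visible use of that variable is the 'F' arm's loop above, so unless it is set before the switch (not visible here) the 'D' arm kills the heads of whichever target the last successful login belonged to and leaves the heads of the target that actually reported 'D' running. The first loop also marks every active target finished, not only the one the reporting head was working on, which does not match the comment "disable target" and leaves heads on other targets running against targets already counted in `hydra_brains.finished`. If a single target is intended, take it from the reporting head and use that value in both loops, as below. The `hydra_kill_head(j, 1, 0)` and `hydra_kill_head(j, 1, 2)` calls carry the same comment although the third argument differs; the comment should say what the different argument changes. main() continues on both sides of the hunk.
```c
        case 'D': // disable target, unknown protocol or feature
          target_no = hydra_heads[head_no]->target_no; // only the target this head reported on
          if (hydra_targets[target_no]->done == TARGET_ACTIVE) {
            hydra_targets[target_no]->done = TARGET_FINISHED;
            hydra_brains.finished++;
          }
          // … unchanged: loop over hydra_heads killing the heads whose target_no matches …
          break;
```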
@@ -3883,10 +4362,11 @@ int main(int argc, char *argv[]) {
 hydra_increase_fail_count(hydra_heads[head_no]->target_no, head_no);
 }
 }
- //if (debug) printf("DEBUG: bug hunt: %lu %lu\n", hydra_brains.todo_all, hydra_brains.sent);
+ // if (debug) printf("DEBUG: bug hunt: %lu %lu\n", hydra_brains.todo_all,
+ // hydra_brains.sent);
 usleepn(USLEEP_LOOP);
- (void) wait3(NULL, WNOHANG, NULL);
+ (void)waitpid(-1, NULL, WNOHANG);
 // write restore file and report status
 if (process_restore == 1 && time(NULL) - elapsed_restore > 299) {
 hydra_restore_write(0);
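Review bot: `(void)waitpid(-1, NULL, WNOHANG)` reaps at most one exited child per pass of the main loop, yet the restart paths in the hunks just above can kill several heads between two passes, so zombies accumulate until later iterations catch up; the same single call follows the final kill loop in the hunk at `@@ -3988,53 +4469,52`. Draining with `while (waitpid(-1, NULL, WNOHANG) > 0) ;` reaps everything that has exited in one pass and no longer silently discards the result. main() continues on both sides of the hunk.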
@@ -3913,15 +4393,14 @@ int main(int argc, char *argv[]) { for (j = 0; j < hydra_options.max_use; j++) if (hydra_heads[j]->active >= HEAD_UNUSED) k++; - printf("[STATUS] %.2f tries/min, %lu tries in %02lu:%02luh, %lu to do in %02lu:%02luh, %d active\n", (1.0 * hydra_brains.sent) / (((elapsed_status - starttime) * 1.0) / 60), // tries/min - hydra_brains.sent, // tries - (uint64_t) ((elapsed_status - starttime) / 3600), // hours - (uint64_t) (((elapsed_status - starttime) % 3600) / 60), // minutes - (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent != 0 ? (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent : 1, // left todo - (uint64_t) (((double) (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime)) - ) / 3600, // hours - (((uint64_t) (((double) (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime)) - ) % 3600) / 60) + 1, // min + printf("[STATUS] %.2f tries/min, %" hPRIu64 " tries in %02" hPRIu64 ":%02" hPRIu64 "h, %" hPRIu64 " to do in %02" hPRIu64 ":%02" hPRIu64 "h, %d active\n", + (1.0 * hydra_brains.sent) / (((elapsed_status - starttime) * 1.0) / 60), // tries/min + hydra_brains.sent, // tries + (uint64_t)((elapsed_status - starttime) / 3600), // hours + (uint64_t)(((elapsed_status - starttime) % 3600) / 60), // minutes + (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent != 0 ? (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent : 1, // left todo + (uint64_t)(((double)(hydra_brains.todo_all + total_redo_count) - hydra_brains.sent) / ((double)hydra_brains.sent / (elapsed_status - starttime))) / 3600, // hours + (((uint64_t)(((double)(hydra_brains.todo_all + total_redo_count) - hydra_brains.sent) / ((double)hydra_brains.sent / (elapsed_status - starttime))) % 3600) / 60) + 1, // min k); hydra_debug(0, "STATUS"); } 
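Review bot: The rewritten `[STATUS]` printf still divides by `(elapsed_status - starttime)` and by `(double)hydra_brains.sent / (elapsed_status - starttime)`, so when the status line fires within the first second, or before any attempt was sent, the rate is infinite or NaN and the `(uint64_t)` casts of the hours/minutes-to-go expressions are undefined behaviour in C (in practice garbage ETA values). The same expression is also evaluated three times on one line; computing the rate and the remaining count once, with a zero guard, keeps the format string identical and is easier to read. The suggested shape is below; it assumes `todo_all` and `total_redo_count` are unsigned integer types that fit `uint64_t`, as the `hPRIu64` conversions imply. main() continues on both sides of the hunk.
```c
          double elapsed = (double)(elapsed_status - starttime);
          double rate = elapsed > 0 ? (double)hydra_brains.sent / elapsed : 0.0; // tries per second
          uint64_t left = (hydra_brains.todo_all + total_redo_count) - hydra_brains.sent;
          uint64_t eta = rate > 0 ? (uint64_t)(left / rate) : 0; // seconds to go, 0 until a rate exists
          printf("[STATUS] %.2f tries/min, %" hPRIu64 " tries in %02" hPRIu64 ":%02" hPRIu64 "h, %" hPRIu64 " to do in %02" hPRIu64 ":%02" hPRIu64 "h, %d active\n",
                 rate * 60,                                              // tries/min
                 hydra_brains.sent,                                      // tries
                 (uint64_t)((elapsed_status - starttime) / 3600),        // hours
                 (uint64_t)(((elapsed_status - starttime) % 3600) / 60), // minutes
                 left != 0 ? left : 1,                                   // left todo
                 eta / 3600,                                             // hours
                 (eta % 3600) / 60 + 1,                                  // min
                 k);
```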
@@ -3958,16 +4437,14 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] illegal target result value (%d=>%d)\n", i, hydra_targets[i]->done); } - printf("%d of %d target%s%scompleted, %lu valid password", - hydra_brains.targets - j - k - error, hydra_brains.targets, hydra_brains.targets == 1 ? " " : "s ", - hydra_brains.found > 0 ? "successfully " : "", hydra_brains.found); - printf("%s", hydra_brains.found == 1 ? "" : "s"); + printf("%d of %d target%s%scompleted, %" hPRIu64 " valid password", hydra_brains.targets - j - k - error, hydra_brains.targets, hydra_brains.targets == 1 ? " " : "s ", hydra_brains.found > 0 ? "successfully " : "", hydra_brains.found); + printf("%s", hydra_brains.found < 2 ? "" : "s"); printf(" found\n"); error += j; k = 0; - for (j = 0; j < hydra_options.max_use; j++) - if (hydra_heads[j]->active == HEAD_ACTIVE) + for (i = 0; i < hydra_options.max_use; i++) + if (hydra_heads[i]->active == HEAD_ACTIVE) k++; if (error == 0 && k == 0) { @@ -3975,10 +4452,14 @@ int main(int argc, char *argv[]) { unlink(RESTOREFILE); } else { if (hydra_options.cidr == 0 && k == 0) { - printf("[INFO] Writing restore file because %d server scan%s could not be completed\n", j + error, j + error == 1 ? "" : "s"); + printf("[INFO] Writing restore file because %d server scan%s could not " + "be completed\n", + j + error, j + error == 1 ? "" : "s"); hydra_restore_write(1); } else if (k > 0) { - printf("[WARNING] Writing restore file because %d final worker threads did not complete until end.\n", k); + printf("[WARNING] Writing restore file because %d final worker threads " + "did not complete until end.\n", + k); hydra_restore_write(1); } } 
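Review bot: `hydra_brains.found < 2 ? "" : "s"` changes the plural rule so that zero findings now prints "0 valid password found"; the removed `== 1` test was right. The same edit in the hunk at `@@ -3988,53 +4469,52` (`j < 1 ? "" : "s"`) is worse, printing "1 targets did not complete" for a single target. Both should read `... == 1 ? "" : "s"`. main() continues on both sides of the hunk.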
@@ -3988,53 +4469,52 @@ int main(int argc, char *argv[]) { for (i = 0; i < hydra_options.max_use; i++) if (hydra_heads[i]->active == HEAD_ACTIVE && hydra_heads[i]->pid > 0) hydra_kill_head(i, 1, 3); - (void) wait3(NULL, WNOHANG, NULL); + (void)waitpid(-1, NULL, WNOHANG); -#define STRMAX (10*1024) - char json_error[STRMAX+2], tmp_str[STRMAX+2]; - memset(json_error, 0, STRMAX+2); - memset(tmp_str, 0, STRMAX+2); +#define STRMAX (10 * 1024) + char json_error[STRMAX + 2], tmp_str[STRMAX + 2]; + memset(json_error, 0, STRMAX + 2); + memset(tmp_str, 0, STRMAX + 2); if (error) { snprintf(tmp_str, STRMAX, "[ERROR] %d target%s disabled because of too many errors", error, error == 1 ? " was" : "s were"); fprintf(stderr, "%s\n", tmp_str); - strncat(json_error,"\"",STRMAX); - strncat(json_error,tmp_str,STRMAX); - strncat(json_error,"\"",STRMAX); + strncat(json_error, "\"", STRMAX); + strncat(json_error, tmp_str, STRMAX); + strncat(json_error, "\"", STRMAX); error = 1; } if (k) { snprintf(tmp_str, STRMAX, "[ERROR] %d target%s did not resolve or could not be connected", k, k == 1 ? "" : "s"); fprintf(stderr, "%s\n", tmp_str); if (*json_error) { - strncat(json_error,", ", STRMAX); - } - strncat(json_error,"\"",STRMAX); - strncat(json_error,tmp_str,STRMAX); - strncat(json_error,"\"",STRMAX); - error = 1; - if (*json_error) { - strncat(json_error,", ", STRMAX); + strncat(json_error, ", ", STRMAX); } + strncat(json_error, "\"", STRMAX); + strncat(json_error, tmp_str, STRMAX); + strncat(json_error, "\"", STRMAX); error = 1; } if (error) { - snprintf(tmp_str, STRMAX, "[ERROR] %d target%s did not complete", j, j == 1 ? "" : "s"); + snprintf(tmp_str, STRMAX, "[ERROR] %d target%s did not complete", j, j < 1 ? 
"" : "s"); fprintf(stderr, "%s\n", tmp_str); if (*json_error) { - strncat(json_error,", ", STRMAX); + strncat(json_error, ", ", STRMAX); } - strncat(json_error,"\"",STRMAX); - strncat(json_error,tmp_str,STRMAX); - strncat(json_error,"\"",STRMAX); + strncat(json_error, "\"", STRMAX); + strncat(json_error, tmp_str, STRMAX); + strncat(json_error, "\"", STRMAX); error = 1; + hydra_restore_write(1); } // yeah we did it printf("%s (%s) finished at %s\n", PROGRAM, RESOURCE, hydra_build_time()); if (hydra_brains.ofp != NULL && hydra_brains.ofp != stdout) { if (hydra_options.outfile_format == FORMAT_JSONV1) { - fprintf(hydra_brains.ofp, "\n\t],\n\"success\": %s,\n\"errormessages\": [ %s ],\n\"quantityfound\": %lu }\n", + fprintf(hydra_brains.ofp, + "\n\t],\n\"success\": %s,\n\"errormessages\": [ %s " + "],\n\"quantityfound\": %" hPRIu64 " }\n", (error ? "false" : "true"), json_error, hydra_brains.found); - } + } fclose(hydra_brains.ofp); } @@ -4043,4 +4523,4 @@ int main(int argc, char *argv[]) { return -1; else return 0; -} +} \ No newline at end of file diff --git a/hydra.h b/hydra.h index d1fcc60..24b63e8 100644 --- a/hydra.h +++ b/hydra.h 
@@ -2,190 +2,188 @@
 #include
 #ifdef __sun
- #include
-#elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX)
- #include
+#include
+#elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) || defined(__APPLE__)
+#include
 #else
- #include
+#include
 #endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
+
+#if defined(_INTTYPES_H) || defined(__CLANG_INTTYPES_H)
+#define hPRIu64 PRIu64
+#else
+#define hPRIu64 "lu"
+#endif
+
+#include
+#include
+#include
+#include
 #include
 #include
-#include
-#include
-#include
+#include
+#include
+#include
+#include
+#include
 #include
+#include
+#include
+#include
+#include
 #include
-#include
+#include
+#include
 #ifdef HAVE_OPENSSL
- #define HYDRA_SSL
+#define HYDRA_SSL
 #endif
 #ifdef HAVE_SSL
- #ifndef HYDRA_SSL
- #define HYDRA_SSL
- #endif
+#ifndef HYDRA_SSL
+#define HYDRA_SSL
+#endif
 #endif
 #ifdef LIBSSH
- #include
+#include
 #endif
 #ifdef HAVE_ZLIB
- #include
+#include
 #endif
 #define OPTION_SSL 1
 #ifdef LIBOPENSSL
- #ifndef NO_RSA_LEGACY
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- #define NO_RSA_LEGACY
- #endif
- #endif
+#ifndef NO_RSA_LEGACY
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#define NO_RSA_LEGACY
+#endif
+#endif
 #endif
-#define PORT_NOPORT -1
-#define PORT_FTP 21
-#define PORT_FTP_SSL 990
-#define PORT_TELNET 23
-#define PORT_TELNET_SSL 992
-#define PORT_HTTP 80
-#define PORT_HTTP_SSL 443
+#define PORT_NOPORT -1
+#define PORT_FTP 21
+#define PORT_FTP_SSL 990
+#define PORT_TELNET 23
+#define PORT_TELNET_SSL 992
+#define PORT_HTTP 80
+#define PORT_HTTP_SSL 443
 #define PORT_HTTP_PROXY 3128
 #define PORT_HTTP_PROXY_SSL 3128
-#define PORT_POP3 110
-#define PORT_POP3_SSL 995
-#define PORT_NNTP 119
-#define PORT_NNTP_SSL 563
-#define PORT_SMB 139
-#define PORT_SMB_SSL 139
-#define PORT_SMBNT 445
-#define PORT_SMBNT_SSL 445
-#define PORT_IMAP 143
-#define PORT_IMAP_SSL 993
-#define PORT_LDAP 389
-#define PORT_LDAP_SSL 636
-#define PORT_REXEC 512
-#define PORT_REXEC_SSL 512
-#define PORT_RLOGIN 513
-#define PORT_RLOGIN_SSL 513
-#define PORT_RSH 514
-#define PORT_RSH_SSL 514
-#define PORT_SOCKS5 1080
+#define PORT_POP3 110
+#define PORT_POP3_SSL 995
+#define PORT_NNTP 119
+#define PORT_NNTP_SSL 563
+#define PORT_SMB 139
+#define PORT_SMB_SSL 139
+#define PORT_SMBNT 445
+#define PORT_SMBNT_SSL 445
+#define PORT_IMAP 143
+#define PORT_IMAP_SSL 993
+#define PORT_LDAP 389
+#define PORT_LDAP_SSL 636
+#define PORT_REXEC 512
+#define PORT_REXEC_SSL 512
+#define PORT_RLOGIN 513
+#define PORT_RLOGIN_SSL 513
+#define PORT_RSH 514
+#define PORT_RSH_SSL 514
+#define PORT_SOCKS5 1080
 #define PORT_SOCKS5_SSL 1080
-#define PORT_ICQ 4000
-#define PORT_ICQ_SSL -1
-#define PORT_VNC 5900
-#define PORT_VNC_SSL 5901
-#define PORT_PCNFS 0
-#define PORT_PCNFS_SSL -1
-#define PORT_MYSQL 3306
-#define PORT_MYSQL_SSL 3306
-#define PORT_MSSQL 1433
-#define PORT_MSSQL_SSL 1433
-#define PORT_POSTGRES 5432
+#define PORT_ICQ 4000
+#define PORT_ICQ_SSL -1
+#define PORT_VNC 5900
+#define PORT_VNC_SSL 5901
+#define PORT_PCNFS 0
+#define PORT_PCNFS_SSL -1
+#define PORT_MYSQL 3306
+#define PORT_MYSQL_SSL 3306
+#define PORT_MSSQL 1433
+#define PORT_MSSQL_SSL 1433
+#define PORT_COBALTSTRIKE 50050
+#define PORT_COBALTSTRIKE_SSL 50050
+#define PORT_POSTGRES 5432
 #define PORT_POSTGRES_SSL 5432
-#define PORT_ORACLE 1521
+#define PORT_ORACLE 1521
 #define PORT_ORACLE_SSL 1521
 #define PORT_PCANYWHERE 5631
 #define PORT_PCANYWHERE_SSL 5631
-#define PORT_ADAM6500 502
-#define PORT_ADAM6500_SSL 502
-#define PORT_SAPR3 -1
-#define PORT_SAPR3_SSL -1
-#define PORT_SSH 22
-#define PORT_SSH_SSL 22
-#define PORT_SNMP 161
-#define PORT_SNMP_SSL 1993
-#define PORT_CVS 2401
-#define PORT_CVS_SSL 2401
-#define PORT_FIREBIRD 3050
+#define PORT_ADAM6500 502
+#define PORT_ADAM6500_SSL 502
+#define PORT_SAPR3 -1
+#define PORT_SAPR3_SSL -1
+#define PORT_SSH 22
+#define PORT_SSH_SSL 22
+#define PORT_SNMP 161
+#define PORT_SNMP_SSL 1993
+#define PORT_CVS 2401
+#define PORT_CVS_SSL 2401
+#define PORT_FIREBIRD 3050
 #define PORT_FIREBIRD_SSL 3050
-#define PORT_AFP 548
-#define PORT_AFP_SSL 548
-#define PORT_NCP 524
-#define PORT_NCP_SSL 524
-#define PORT_SVN 3690
-#define PORT_SVN_SSL 3690
-#define PORT_SMTP 25
+#define PORT_AFP 548
+#define PORT_AFP_SSL 548
+#define PORT_NCP 524
+#define PORT_NCP_SSL 524
+#define PORT_SVN 3690
+#define PORT_SVN_SSL 3690
+#define PORT_SMTP 25
 #define PORT_SMTP_SSL 465
-#define PORT_TEAMSPEAK 8767
+#define PORT_TEAMSPEAK 8767
 #define PORT_TEAMSPEAK_SSL 8767
-#define PORT_SIP 5060
-#define PORT_SIP_SSL 5061
-#define PORT_VMAUTHD 902
-#define PORT_VMAUTHD_SSL 902
-#define PORT_XMPP 5222
-#define PORT_XMPP_SSL 5223
-#define PORT_IRC 6667
-#define PORT_IRC_SSL 6697
-#define PORT_RDP 3389
-#define PORT_RDP_SSL 3389
-#define PORT_ASTERISK 5038
-#define PORT_ASTERISK_SSL 5038
-#define PORT_S7_300 102
-#define PORT_S7_300_SSL 102
-#define PORT_REDIS 6379
-#define PORT_REDIS_SSL 6379
-#define PORT_RTSP 554
-#define PORT_RTSP_SSL 554
-#define PORT_RPCAP 2002
-#define PORT_RPCAP_SSL 2002
-#define PORT_RADMIN2 4899
+#define PORT_SIP 5060
+#define PORT_SIP_SSL 5061
+#define PORT_VMAUTHD 902
+#define PORT_VMAUTHD_SSL 902
+#define PORT_XMPP 5222
+#define PORT_XMPP_SSL 5223
+#define PORT_IRC 6667
+#define PORT_IRC_SSL 6697
+#define PORT_RDP 3389
+#define PORT_RDP_SSL 3389
+#define PORT_ASTERISK 5038
+#define PORT_ASTERISK_SSL 5038
+#define PORT_S7_300 102
+#define PORT_S7_300_SSL 102
+#define PORT_REDIS 6379
+#define PORT_REDIS_SSL 6379
+#define PORT_RTSP 554
+#define PORT_RTSP_SSL 554
+#define PORT_RPCAP 2002
+#define PORT_RPCAP_SSL 2002
+#define PORT_RADMIN2 4899
+#define PORT_MCACHED 11211
+#define PORT_MCACHED_SSL 11211
+#define PORT_MONGODB 27017
 #define False 0
-#define True 1
+#define True 1
 #ifndef INET_ADDRSTRLEN
- #define INET_ADDRSTRLEN 16
+#define INET_ADDRSTRLEN 16
 #endif
 #define MAX_PROXY_COUNT 64
 #ifndef _WIN32
- int32_t sleepn(time_t seconds);
- int32_t usleepn(uint64_t useconds);
+int32_t sleepn(time_t seconds);
+int32_t usleepn(uint64_t useconds);
 #else
- int32_t sleepn(uint32_t seconds);
- int32_t usleepn(uint32_t useconds);
+int32_t sleepn(uint32_t seconds);
+int32_t usleepn(uint32_t useconds);
 #endif
-typedef enum {
- MODE_PASSWORD_LIST = 1,
- MODE_LOGIN_LIST = 2,
- MODE_PASSWORD_BRUTE = 4,
- MODE_PASSWORD_REVERSE = 8,
- MODE_PASSWORD_NULL = 16,
- MODE_PASSWORD_SAME = 32,
- MODE_COLON_FILE = 64
-} hydra_mode_t;
+typedef enum { MODE_PASSWORD_LIST = 1, MODE_LOGIN_LIST = 2, MODE_PASSWORD_BRUTE = 4, MODE_PASSWORD_REVERSE = 8, MODE_PASSWORD_NULL = 16, MODE_PASSWORD_SAME = 32, MODE_COLON_FILE = 64 } hydra_mode_t;
-typedef enum {
- FORMAT_PLAIN_TEXT,
- FORMAT_JSONV1,
- FORMAT_JSONV2,
- FORMAT_XMLV1
-} output_format_t;
+typedef enum { FORMAT_PLAIN_TEXT, FORMAT_JSONV1, FORMAT_JSONV2, FORMAT_XMLV1 } output_format_t;
 typedef struct {
 hydra_mode_t mode;
- int32_t loop_mode; // valid modes: 0 = password, 1 = user
+ int32_t loop_mode; // valid modes: 0 = password, 1 = user
 int32_t ssl;
 int32_t restore;
- int32_t debug; // is external - for restore
- int32_t verbose; // is external - for restore
+ int32_t debug; // is external - for restore
+ int32_t verbose; // is external - for restore
 int32_t showAttempt;
 int32_t tasks;
 int32_t try_null_password;
@@ -196,6 +194,7 @@ typedef struct {
 int32_t cidr;
 int32_t time_next_attempt;
 output_format_t outfile_format;
+ char *distributed; // Use distributed computing by splitting user files on the fly
 char *login;
 char *loginfile;
 char *pass;
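Review bot: The new `hPRIu64` selection keys on `_INTTYPES_H` and `__CLANG_INTTYPES_H`, which are the private include guards of glibc's and clang's `<inttypes.h>`; on musl, the BSDs and macOS (which this same hunk adds to the `__APPLE__` branch) those names are not defined, so the macro silently falls back to `"lu"`, the wrong length modifier wherever `uint64_t` is `unsigned long long` (every 32-bit target, MinGW), and the `%" hPRIu64 "` conversions introduced in hydra.c then read their `uint64_t` arguments with the wrong width. `<inttypes.h>` is C99, so `PRIu64` can be used unconditionally: include it here (the include list is not legible in this rendering, so I cannot tell whether it already is) and define `#define hPRIu64 PRIu64` without the `#if`. As written the test also depends on include order, since it only selects `PRIu64` if `<inttypes.h>` happened to be included before this point.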
@@ -203,13 +202,14 @@ typedef struct {
 char *outfile_ptr;
 char *infile_ptr;
 char *colonfile;
- int32_t waittime; // is external - for restore
- int32_t conwait; // is external - for restore
- uint32_t port; // is external - for restore
+ int32_t waittime; // is external - for restore
+ int32_t conwait; // is external - for restore
+ uint32_t port; // is external - for restore
 char *miscptr;
 char *server;
 char *service;
 char bfg;
+ int32_t skip_redo;
 } hydra_option;
 #define _HYDRA_H
diff --git a/libpq-fe.h b/libpq-fe.h
index d7cce84..28bf70d 100644
--- a/libpq-fe.h
+++ b/libpq-fe.h
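Review bot: `int32_t skip_redo;` is the only new field in `hydra_option` without a comment, while its neighbours document both their meaning and, via "is external - for restore", whether the restore file carries them; a reader of the header cannot tell what sets `skip_redo` or whether it survives a restore. Suggest a comment in the same style, e.g. `int32_t skip_redo; // <who sets it and what it suppresses>; is external - for restore?`, with the restore question resolved rather than left as a question. If `hydra_option` is written to the restore file as a raw struct (not visible here), adding fields changes the on-disk layout and older restore files would need to be rejected; either way it deserves a line in the commit message.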
@@ -35,81 +35,81 @@ extern "C" { /* Application-visible enum types */ - typedef enum { - /* - * Although it is okay to add to this list, values which become unused - * should never be removed, nor should constants be redefined - that - * would break compatibility with existing code. - */ - CONNECTION_OK, - CONNECTION_BAD, - /* Non-blocking mode only below here */ +typedef enum { + /* + * Although it is okay to add to this list, values which become unused + * should never be removed, nor should constants be redefined - that + * would break compatibility with existing code. + */ + CONNECTION_OK, + CONNECTION_BAD, + /* Non-blocking mode only below here */ - /* - * The existence of these should never be relied upon - they should - * only be used for user feedback or similar purposes. - */ - CONNECTION_STARTED, /* Waiting for connection to be made. */ - CONNECTION_MADE, /* Connection OK; waiting to send. */ - CONNECTION_AWAITING_RESPONSE, /* Waiting for a response from the - * postmaster. */ - CONNECTION_AUTH_OK, /* Received authentication; waiting for + /* + * The existence of these should never be relied upon - they should + * only be used for user feedback or similar purposes. + */ + CONNECTION_STARTED, /* Waiting for connection to be made. */ + CONNECTION_MADE, /* Connection OK; waiting to send. */ + CONNECTION_AWAITING_RESPONSE, /* Waiting for a response from the + * postmaster. */ + CONNECTION_AUTH_OK, /* Received authentication; waiting for * backend startup. */ - CONNECTION_SETENV, /* Negotiating environment. */ - CONNECTION_SSL_STARTUP, /* Negotiating SSL. */ - CONNECTION_NEEDED /* Internal state: connect() needed */ - } ConnStatusType; + CONNECTION_SETENV, /* Negotiating environment. */ + CONNECTION_SSL_STARTUP, /* Negotiating SSL. 
*/ + CONNECTION_NEEDED /* Internal state: connect() needed */ +} ConnStatusType; - typedef enum { - PGRES_POLLING_FAILED = 0, - PGRES_POLLING_READING, /* These two indicate that one may */ - PGRES_POLLING_WRITING, /* use select before polling again. */ - PGRES_POLLING_OK, - PGRES_POLLING_ACTIVE /* unused; keep for awhile for backwards - * compatibility */ - } PostgresPollingStatusType; +typedef enum { + PGRES_POLLING_FAILED = 0, + PGRES_POLLING_READING, /* These two indicate that one may */ + PGRES_POLLING_WRITING, /* use select before polling again. */ + PGRES_POLLING_OK, + PGRES_POLLING_ACTIVE /* unused; keep for awhile for backwards + * compatibility */ +} PostgresPollingStatusType; - typedef enum { - PGRES_EMPTY_QUERY = 0, /* empty query string was executed */ - PGRES_COMMAND_OK, /* a query command that doesn't return - * anything was executed properly by the - * backend */ - PGRES_TUPLES_OK, /* a query command that returns tuples was - * executed properly by the backend, - * PGresult contains the result tuples */ - PGRES_COPY_OUT, /* Copy Out data transfer in progress */ - PGRES_COPY_IN, /* Copy In data transfer in progress */ - PGRES_BAD_RESPONSE, /* an unexpected response was recv'd from - * the backend */ - PGRES_NONFATAL_ERROR, /* notice or warning message */ - PGRES_FATAL_ERROR /* query failed */ - } ExecStatusType; +typedef enum { + PGRES_EMPTY_QUERY = 0, /* empty query string was executed */ + PGRES_COMMAND_OK, /* a query command that doesn't return + * anything was executed properly by the + * backend */ + PGRES_TUPLES_OK, /* a query command that returns tuples was + * executed properly by the backend, + * PGresult contains the result tuples */ + PGRES_COPY_OUT, /* Copy Out data transfer in progress */ + PGRES_COPY_IN, /* Copy In data transfer in progress */ + PGRES_BAD_RESPONSE, /* an unexpected response was recv'd from + * the backend */ + PGRES_NONFATAL_ERROR, /* notice or warning message */ + PGRES_FATAL_ERROR /* query failed */ +} ExecStatusType; 
- typedef enum { - PQTRANS_IDLE, /* connection idle */ - PQTRANS_ACTIVE, /* command in progress */ - PQTRANS_INTRANS, /* idle, within transaction block */ - PQTRANS_INERROR, /* idle, within failed transaction */ - PQTRANS_UNKNOWN /* cannot determine status */ - } PGTransactionStatusType; +typedef enum { + PQTRANS_IDLE, /* connection idle */ + PQTRANS_ACTIVE, /* command in progress */ + PQTRANS_INTRANS, /* idle, within transaction block */ + PQTRANS_INERROR, /* idle, within failed transaction */ + PQTRANS_UNKNOWN /* cannot determine status */ +} PGTransactionStatusType; - typedef enum { - PQERRORS_TERSE, /* single-line error messages */ - PQERRORS_DEFAULT, /* recommended style */ - PQERRORS_VERBOSE /* all the facts, ma'am */ - } PGVerbosity; +typedef enum { + PQERRORS_TERSE, /* single-line error messages */ + PQERRORS_DEFAULT, /* recommended style */ + PQERRORS_VERBOSE /* all the facts, ma'am */ +} PGVerbosity; /* PGconn encapsulates a connection to the backend. * The contents of this struct are not supposed to be known to applications. */ - typedef struct pg_conn PGconn; +typedef struct pg_conn PGconn; /* PGresult encapsulates the result of a query (or more precisely, of a single * SQL command --- a query string given to PQsendQuery can contain multiple * commands and thus return multiple PGresult objects). * The contents of this struct are not supposed to be known to applications. */ - typedef struct pg_result PGresult; +typedef struct pg_result PGresult; /* PGnotify represents the occurrence of a NOTIFY message. * Ideally this would be an opaque typedef, but it's so simple that it's 
@@ -117,33 +117,33 @@ extern "C" { * NOTE: in Postgres 6.4 and later, the be_pid is the notifying backend's, * whereas in earlier versions it was always your own backend's PID. */ - typedef struct pgNotify { - char *relname; /* notification condition name */ - int32_t be_pid; /* process ID of server process */ - char *extra; /* notification parameter */ - } PGnotify; +typedef struct pgNotify { + char *relname; /* notification condition name */ + int32_t be_pid; /* process ID of server process */ + char *extra; /* notification parameter */ +} PGnotify; /* Function types for notice-handling callbacks */ - typedef void (*PQnoticeReceiver) (void *arg, const PGresult * res); - typedef void (*PQnoticeProcessor) (void *arg, const char *message); +typedef void (*PQnoticeReceiver)(void *arg, const PGresult *res); +typedef void (*PQnoticeProcessor)(void *arg, const char *message); /* Print options for PQprint() */ - typedef char pqbool; +typedef char pqbool; - typedef struct _PQprintOpt { - pqbool header; /* print output field headings and row - * count */ - pqbool align; /* fill align the fields */ - pqbool standard; /* old brain dead format */ - pqbool html3; /* output html tables */ - pqbool expanded; /* expand tables */ - pqbool pager; /* use pager for output if needed */ - char *fieldSep; /* field separator */ - char *tableOpt; /* insert to HTML */ - char *caption; /* HTML
*/ - char **fieldName; /* null terminated array of repalcement - * field names */ - } PQprintOpt; +typedef struct _PQprintOpt { + pqbool header; /* print output field headings and row + * count */ + pqbool align; /* fill align the fields */ + pqbool standard; /* old brain dead format */ + pqbool html3; /* output html tables */ + pqbool expanded; /* expand tables */ + pqbool pager; /* use pager for output if needed */ + char *fieldSep; /* field separator */ + char *tableOpt; /* insert to HTML */ + char *caption; /* HTML
*/ + char **fieldName; /* null terminated array of repalcement + * field names */ +} PQprintOpt; /* ---------------- * Structure for the conninfo parameter definitions returned by PQconndefaults @@ -153,32 +153,32 @@ extern "C" { * will release both the val strings and the PQconninfoOption array itself. * ---------------- */ - typedef struct _PQconninfoOption { - char *keyword; /* The keyword of the option */ - char *envvar; /* Fallback environment variable name */ - char *compiled; /* Fallback compiled in default value */ - char *val; /* Option's current value, or NULL */ - char *label; /* Label for field in connect dialog */ - char *dispchar; /* Character to display for this field in - * a connect dialog. Values are: "" - * Display entered value as is "*" - * Password field - hide value "D" Debug - * option - don't show by default */ - int32_t dispsize; /* Field size in characters for dialog */ - } PQconninfoOption; +typedef struct _PQconninfoOption { + char *keyword; /* The keyword of the option */ + char *envvar; /* Fallback environment variable name */ + char *compiled; /* Fallback compiled in default value */ + char *val; /* Option's current value, or NULL */ + char *label; /* Label for field in connect dialog */ + char *dispchar; /* Character to display for this field in + * a connect dialog. Values are: "" + * Display entered value as is "*" + * Password field - hide value "D" Debug + * option - don't show by default */ + int32_t dispsize; /* Field size in characters for dialog */ +} PQconninfoOption; /* ---------------- * PQArgBlock -- structure for PQfn() arguments * ---------------- */ - typedef struct { - int32_t len; - int32_t isint; - union { - int32_t *ptr; /* can't use void (dec compiler barfs) */ - int32_t integer; - } u; - } PQArgBlock; +typedef struct { + int32_t len; + int32_t isint; + union { + int32_t *ptr; /* can't use void (dec compiler barfs) */ + int32_t integer; + } u; +} PQArgBlock; /* ---------------- * Exported functions of libpq 
@@ -190,24 +190,23 @@ extern "C" { /* make a new client connection to the backend */ /* Asynchronous (non-blocking) */ - extern PGconn *PQconnectStart(const char *conninfo); - extern PostgresPollingStatusType PQconnectPoll(PGconn * conn); +extern PGconn *PQconnectStart(const char *conninfo); +extern PostgresPollingStatusType PQconnectPoll(PGconn *conn); /* Synchronous (blocking) */ - extern PGconn *PQconnectdb(const char *conninfo); - extern PGconn *PQsetdbLogin(const char *pghost, const char *pgport, const char *pgoptions, const char *pgtty, const char *dbName, const char *login, const char *pwd); +extern PGconn *PQconnectdb(const char *conninfo); +extern PGconn *PQsetdbLogin(const char *pghost, const char *pgport, const char *pgoptions, const char *pgtty, const char *dbName, const char *login, const char *pwd); -#define PQsetdb(M_PGHOST,M_PGPORT,M_PGOPT,M_PGTTY,M_DBNAME) \ - PQsetdbLogin(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME, NULL, NULL) +#define PQsetdb(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME) PQsetdbLogin(M_PGHOST, M_PGPORT, M_PGOPT, M_PGTTY, M_DBNAME, NULL, NULL) /* close the current connection and free the PGconn data structure */ - extern void PQfinish(PGconn * conn); +extern void PQfinish(PGconn *conn); /* get info about connection options known to PQconnectdb */ - extern PQconninfoOption *PQconndefaults(void); +extern PQconninfoOption *PQconndefaults(void); /* free the data structure returned by PQconndefaults() */ - extern void PQconninfoFree(PQconninfoOption * connOptions); +extern void PQconninfoFree(PQconninfoOption *connOptions); /* * close the current connection and restablish a new one with the same 
@@ -215,130 +214,124 @@ extern "C" { */ /* Asynchronous (non-blocking) */ - extern int32_t PQresetStart(PGconn * conn); - extern PostgresPollingStatusType PQresetPoll(PGconn * conn); +extern int32_t PQresetStart(PGconn *conn); +extern PostgresPollingStatusType PQresetPoll(PGconn *conn); /* Synchronous (blocking) */ - extern void PQreset(PGconn * conn); +extern void PQreset(PGconn *conn); /* issue a cancel request */ - extern int32_t PQrequestCancel(PGconn * conn); +extern int32_t PQrequestCancel(PGconn *conn); /* Accessor functions for PGconn objects */ - extern char *PQdb(const PGconn * conn); - extern char *PQuser(const PGconn * conn); - extern char *PQpass(const PGconn * conn); - extern char *PQhost(const PGconn * conn); - extern char *PQport(const PGconn * conn); - extern char *PQtty(const PGconn * conn); - extern char *PQoptions(const PGconn * conn); - extern ConnStatusType PQstatus(const PGconn * conn); - extern PGTransactionStatusType PQtransactionStatus(const PGconn * conn); - extern const char *PQparameterStatus(const PGconn * conn, const char *paramName); - extern int32_t PQprotocolVersion(const PGconn * conn); - extern char *PQerrorMessage(const PGconn * conn); - extern int32_t PQsocket(const PGconn * conn); - extern int32_t PQbackendPID(const PGconn * conn); - extern int32_t PQclientEncoding(const PGconn * conn); - extern int32_t PQsetClientEncoding(PGconn * conn, const char *encoding); +extern char *PQdb(const PGconn *conn); +extern char *PQuser(const PGconn *conn); +extern char *PQpass(const PGconn *conn); +extern char *PQhost(const PGconn *conn); +extern char *PQport(const PGconn *conn); +extern char *PQtty(const PGconn *conn); +extern char *PQoptions(const PGconn *conn); +extern ConnStatusType PQstatus(const PGconn *conn); +extern PGTransactionStatusType PQtransactionStatus(const PGconn *conn); +extern const char *PQparameterStatus(const PGconn *conn, const char *paramName); +extern int32_t PQprotocolVersion(const PGconn *conn); +extern char 
*PQerrorMessage(const PGconn *conn); +extern int32_t PQsocket(const PGconn *conn); +extern int32_t PQbackendPID(const PGconn *conn); +extern int32_t PQclientEncoding(const PGconn *conn); +extern int32_t PQsetClientEncoding(PGconn *conn, const char *encoding); #ifdef USE_SSL /* Get the SSL structure associated with a connection */ - extern SSL *PQgetssl(PGconn * conn); +extern SSL *PQgetssl(PGconn *conn); #endif /* Set verbosity for PQerrorMessage and PQresultErrorMessage */ - extern PGVerbosity PQsetErrorVerbosity(PGconn * conn, PGVerbosity verbosity); +extern PGVerbosity PQsetErrorVerbosity(PGconn *conn, PGVerbosity verbosity); /* Enable/disable tracing */ - extern void PQtrace(PGconn * conn, FILE * debug_port); - extern void PQuntrace(PGconn * conn); +extern void PQtrace(PGconn *conn, FILE *debug_port); +extern void PQuntrace(PGconn *conn); /* Override default notice handling routines */ - extern PQnoticeReceiver PQsetNoticeReceiver(PGconn * conn, PQnoticeReceiver proc, void *arg); - extern PQnoticeProcessor PQsetNoticeProcessor(PGconn * conn, PQnoticeProcessor proc, void *arg); +extern PQnoticeReceiver PQsetNoticeReceiver(PGconn *conn, PQnoticeReceiver proc, void *arg); +extern PQnoticeProcessor PQsetNoticeProcessor(PGconn *conn, PQnoticeProcessor proc, void *arg); /* === in fe-exec.c === */ /* Simple synchronous query */ - extern PGresult *PQexec(PGconn * conn, const char *query); - extern PGresult *PQexecParams(PGconn * conn, - const char *command, - int32_t nParams, const Oid * paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); - extern PGresult *PQexecPrepared(PGconn * conn, - const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); +extern PGresult *PQexec(PGconn *conn, const char *query); +extern PGresult *PQexecParams(PGconn *conn, const char *command, int32_t nParams, const Oid 
*paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); +extern PGresult *PQexecPrepared(PGconn *conn, const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); /* Interface for multiple-result or asynchronous queries */ - extern int32_t PQsendQuery(PGconn * conn, const char *query); - extern int32_t PQsendQueryParams(PGconn * conn, - const char *command, - int32_t nParams, const Oid * paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); - extern int32_t PQsendQueryPrepared(PGconn * conn, - const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); - extern PGresult *PQgetResult(PGconn * conn); +extern int32_t PQsendQuery(PGconn *conn, const char *query); +extern int32_t PQsendQueryParams(PGconn *conn, const char *command, int32_t nParams, const Oid *paramTypes, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); +extern int32_t PQsendQueryPrepared(PGconn *conn, const char *stmtName, int32_t nParams, const char *const *paramValues, const int32_t *paramLengths, const int32_t *paramFormats, int32_t resultFormat); +extern PGresult *PQgetResult(PGconn *conn); /* Routines for managing an asynchronous query */ - extern int32_t PQisBusy(PGconn * conn); - extern int32_t PQconsumeInput(PGconn * conn); +extern int32_t PQisBusy(PGconn *conn); +extern int32_t PQconsumeInput(PGconn *conn); /* LISTEN/NOTIFY support */ - extern PGnotify *PQnotifies(PGconn * conn); +extern PGnotify *PQnotifies(PGconn *conn); /* Routines for copy in/out */ - extern int32_t PQputCopyData(PGconn * conn, const char *buffer, int32_t nbytes); - extern int32_t PQputCopyEnd(PGconn * conn, const char *errormsg); - extern 
int32_t PQgetCopyData(PGconn * conn, char **buffer, int32_t async); +extern int32_t PQputCopyData(PGconn *conn, const char *buffer, int32_t nbytes); +extern int32_t PQputCopyEnd(PGconn *conn, const char *errormsg); +extern int32_t PQgetCopyData(PGconn *conn, char **buffer, int32_t async); /* Deprecated routines for copy in/out */ - extern int32_t PQgetline(PGconn * conn, char *string, int32_t length); - extern int32_t PQputline(PGconn * conn, const char *string); - extern int32_t PQgetlineAsync(PGconn * conn, char *buffer, int32_t bufsize); - extern int32_t PQputnbytes(PGconn * conn, const char *buffer, int32_t nbytes); - extern int32_t PQendcopy(PGconn * conn); +extern int32_t PQgetline(PGconn *conn, char *string, int32_t length); +extern int32_t PQputline(PGconn *conn, const char *string); +extern int32_t PQgetlineAsync(PGconn *conn, char *buffer, int32_t bufsize); +extern int32_t PQputnbytes(PGconn *conn, const char *buffer, int32_t nbytes); +extern int32_t PQendcopy(PGconn *conn); /* Set blocking/nonblocking connection to the backend */ - extern int32_t PQsetnonblocking(PGconn * conn, int32_t arg); - extern int32_t PQisnonblocking(const PGconn * conn); +extern int32_t PQsetnonblocking(PGconn *conn, int32_t arg); +extern int32_t PQisnonblocking(const PGconn *conn); /* Force the write buffer to be written (or at least try) */ - extern int32_t PQflush(PGconn * conn); +extern int32_t PQflush(PGconn *conn); /* * "Fast path" interface --- not really recommended for application * use */ - extern PGresult *PQfn(PGconn * conn, int32_t fnid, int32_t *result_buf, int32_t *result_len, int32_t result_is_int, const PQArgBlock * args, int32_t nargs); +extern PGresult *PQfn(PGconn *conn, int32_t fnid, int32_t *result_buf, int32_t *result_len, int32_t result_is_int, const PQArgBlock *args, int32_t nargs); /* Accessor functions for PGresult objects */ - extern ExecStatusType PQresultStatus(const PGresult * res); - extern char *PQresStatus(ExecStatusType status); - extern char 
*PQresultErrorMessage(const PGresult * res); - extern char *PQresultErrorField(const PGresult * res, int32_t fieldcode); - extern int32_t PQntuples(const PGresult * res); - extern int32_t PQnfields(const PGresult * res); - extern int32_t PQbinaryTuples(const PGresult * res); - extern char *PQfname(const PGresult * res, int32_t field_num); - extern int32_t PQfnumber(const PGresult * res, const char *field_name); - extern Oid PQftable(const PGresult * res, int32_t field_num); - extern int32_t PQftablecol(const PGresult * res, int32_t field_num); - extern int32_t PQfformat(const PGresult * res, int32_t field_num); - extern Oid PQftype(const PGresult * res, int32_t field_num); - extern int32_t PQfsize(const PGresult * res, int32_t field_num); - extern int32_t PQfmod(const PGresult * res, int32_t field_num); - extern char *PQcmdStatus(PGresult * res); - extern char *PQoidStatus(const PGresult * res); /* old and ugly */ - extern Oid PQoidValue(const PGresult * res); /* new and improved */ - extern char *PQcmdTuples(PGresult * res); - extern char *PQgetvalue(const PGresult * res, int32_t tup_num, int32_t field_num); - extern int32_t PQgetlength(const PGresult * res, int32_t tup_num, int32_t field_num); - extern int32_t PQgetisnull(const PGresult * res, int32_t tup_num, int32_t field_num); +extern ExecStatusType PQresultStatus(const PGresult *res); +extern char *PQresStatus(ExecStatusType status); +extern char *PQresultErrorMessage(const PGresult *res); +extern char *PQresultErrorField(const PGresult *res, int32_t fieldcode); +extern int32_t PQntuples(const PGresult *res); +extern int32_t PQnfields(const PGresult *res); +extern int32_t PQbinaryTuples(const PGresult *res); +extern char *PQfname(const PGresult *res, int32_t field_num); +extern int32_t PQfnumber(const PGresult *res, const char *field_name); +extern Oid PQftable(const PGresult *res, int32_t field_num); +extern int32_t PQftablecol(const PGresult *res, int32_t field_num); +extern int32_t PQfformat(const PGresult 
*res, int32_t field_num); +extern Oid PQftype(const PGresult *res, int32_t field_num); +extern int32_t PQfsize(const PGresult *res, int32_t field_num); +extern int32_t PQfmod(const PGresult *res, int32_t field_num); +extern char *PQcmdStatus(PGresult *res); +extern char *PQoidStatus(const PGresult *res); /* old and ugly */ +extern Oid PQoidValue(const PGresult *res); /* new and improved */ +extern char *PQcmdTuples(PGresult *res); +extern char *PQgetvalue(const PGresult *res, int32_t tup_num, int32_t field_num); +extern int32_t PQgetlength(const PGresult *res, int32_t tup_num, int32_t field_num); +extern int32_t PQgetisnull(const PGresult *res, int32_t tup_num, int32_t field_num); /* Delete a PGresult */ - extern void PQclear(PGresult * res); +extern void PQclear(PGresult *res); /* For freeing other alloc'd results, such as PGnotify structs */ - extern void PQfreemem(void *ptr); +extern void PQfreemem(void *ptr); /* Exists for backward compatibility. bjm 2003-03-24 */ #define PQfreeNotify(ptr) PQfreemem(ptr) 
@@ -348,63 +341,56 @@ extern "C" { * useful). If conn is not NULL and status indicates an error, the * conn's errorMessage is copied. */ - extern PGresult *PQmakeEmptyPGresult(PGconn * conn, ExecStatusType status); - +extern PGresult *PQmakeEmptyPGresult(PGconn *conn, ExecStatusType status); /* Quoting strings before inclusion in queries. */ - extern size_t PQescapeString(char *to, const char *from, size_t length); - extern unsigned char *PQescapeBytea(const unsigned char *bintext, size_t binlen, size_t * bytealen); - extern unsigned char *PQunescapeBytea(const unsigned char *strtext, size_t * retbuflen); - - +extern size_t PQescapeString(char *to, const char *from, size_t length); +extern unsigned char *PQescapeBytea(const unsigned char *bintext, size_t binlen, size_t *bytealen); +extern unsigned char *PQunescapeBytea(const unsigned char *strtext, size_t *retbuflen); /* === in fe-print.c === */ - extern void - PQprint(FILE * fout, /* output stream */ - const PGresult * res, const PQprintOpt * ps); /* option structure */ +extern void PQprint(FILE *fout, /* output stream */ + const PGresult *res, const PQprintOpt *ps); /* option structure */ /* * really old printing routines */ - extern void - PQdisplayTuples(const PGresult * res, FILE * fp, /* where to send the output */ - int32_t fillAlign, /* pad the fields with spaces */ - const char *fieldSep, /* field separator */ - int32_t printHeader, /* display headers? */ - int32_t quiet); - - extern void - PQprintTuples(const PGresult * res, FILE * fout, /* output stream */ - int32_t printAttName, /* print attribute names */ - int32_t terseOutput, /* delimiter bars */ - int32_t width); /* width of column, if 0, use variable - * width */ +extern void PQdisplayTuples(const PGresult *res, FILE *fp, /* where to send the output */ + int32_t fillAlign, /* pad the fields with spaces */ + const char *fieldSep, /* field separator */ + int32_t printHeader, /* display headers? 
*/ + int32_t quiet); +extern void PQprintTuples(const PGresult *res, FILE *fout, /* output stream */ + int32_t printAttName, /* print attribute names */ + int32_t terseOutput, /* delimiter bars */ + int32_t width); /* width of column, if 0, use variable + * width */ /* === in fe-lobj.c === */ /* Large-object access routines */ - extern int32_t lo_open(PGconn * conn, Oid lobjId, int32_t mode); - extern int32_t lo_close(PGconn * conn, int32_t fd); - extern int32_t lo_read(PGconn * conn, int32_t fd, char *buf, size_t len); - extern int32_t lo_write(PGconn * conn, int32_t fd, char *buf, size_t len); - extern int32_t lo_lseek(PGconn * conn, int32_t fd, int32_t offset, int32_t whence); - extern Oid lo_creat(PGconn * conn, int32_t mode); - extern int32_t lo_tell(PGconn * conn, int32_t fd); - extern int32_t lo_unlink(PGconn * conn, Oid lobjId); - extern Oid lo_import(PGconn * conn, const char *filename); - extern int32_t lo_export(PGconn * conn, Oid lobjId, const char *filename); +extern int32_t lo_open(PGconn *conn, Oid lobjId, int32_t mode); +extern int32_t lo_close(PGconn *conn, int32_t fd); +extern int32_t lo_read(PGconn *conn, int32_t fd, char *buf, size_t len); +extern int32_t lo_write(PGconn *conn, int32_t fd, char *buf, size_t len); +extern int32_t lo_lseek(PGconn *conn, int32_t fd, int32_t offset, int32_t whence); +extern Oid lo_creat(PGconn *conn, int32_t mode); +extern int32_t lo_tell(PGconn *conn, int32_t fd); +extern int32_t lo_unlink(PGconn *conn, Oid lobjId); +extern Oid lo_import(PGconn *conn, const char *filename); +extern int32_t lo_export(PGconn *conn, Oid lobjId, const char *filename); /* === in fe-misc.c === */ /* Determine length of multibyte encoded char at *s */ - extern int32_t PQmblen(const unsigned char *s, int32_t encoding); +extern int32_t PQmblen(const unsigned char *s, int32_t encoding); /* Get encoding id from environment variable PGCLIENTENCODING */ - extern int32_t PQenv2encoding(void); +extern int32_t PQenv2encoding(void); #ifdef 
__cplusplus } #endif -#endif /* LIBPQ_FE_H */ +#endif /* LIBPQ_FE_H */ diff --git a/ntlm.c b/ntlm.c index 00df4c8..c8c01ab 100644 --- a/ntlm.c +++ b/ntlm.c @@ -2,10 +2,10 @@ Single file NTLM system to create and parse authentication messages. http://www.reversing.org - ilo-- ilo@reversing.org + ilo-- ilo@reversing.org - I did copy&paste&modify several files to leave independent NTLM code - that compile in cygwin/linux environment. Most of the code was ripped + I did copy&paste&modify several files to leave independent NTLM code + that compile in cygwin/linux environment. Most of the code was ripped from Samba implementation so I left the Copying statement. Samba core code was left unmodified from 1.9 version. @@ -19,41 +19,40 @@ SMB parameters and setup Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995. - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ +#include #ifdef WIN32 #else #include #endif -#include -#include -#include -#include -#include #include "ntlm.h" - +#include +#include +#include +#include /* Byte order macros */ #ifndef _BYTEORDER_H #define _BYTEORDER_H /* - This file implements macros for machine independent short and + This file implements macros for machine independent short and int32_t manipulation Here is a description of this file that I emailed to the samba list once: 
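Review bot: The move of one `#include` above the `#ifdef WIN32` block is not something the formatter produces — clang-format only re-sorts includes within a contiguous run and does not carry a directive across a preprocessor conditional — so it is a manual change hiding inside a reformat commit and should be named in the commit message; the header's name is not legible in this rendering, so I cannot tell whether it is a move or a new include replacing a dropped one. The remaining re-sort, which now places `#include "ntlm.h"` before the system headers, is consistent with project-header-first ordering, but it makes ntlm.h the first header compiled on both branches of the `#ifdef`; confirm it is self-contained and does not rely on a system header that used to precede it.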
@@ -62,7 +61,7 @@ Here is a description of this file that I emailed to the samba list once: > looked at it, and I would have thought that you might make a distinction > between LE and BE machines, but you only seem to distinguish between 386 > and all other architectures. -> +> > Can you give me a clue? sure. 
@@ -126,33 +125,87 @@ it also defines lots of intermediate macros, just ignore those :-) /* some switch macros that do both store and read to and from SMB buffers */ -#define RW_PCVAL(read,inbuf,outbuf,len) \ - { if (read) { PCVAL (inbuf,0,outbuf,len); } \ - else { PSCVAL(inbuf,0,outbuf,len); } } +#define RW_PCVAL(read, inbuf, outbuf, len) \ + { \ + if (read) { \ + PCVAL(inbuf, 0, outbuf, len); \ + } else { \ + PSCVAL(inbuf, 0, outbuf, len); \ + } \ + } -#define RW_PIVAL(read,big_endian,inbuf,outbuf,len) \ - { if (read) { if (big_endian) { RPIVAL(inbuf,0,outbuf,len); } else { PIVAL(inbuf,0,outbuf,len); } } \ - else { if (big_endian) { RPSIVAL(inbuf,0,outbuf,len); } else { PSIVAL(inbuf,0,outbuf,len); } } } +#define RW_PIVAL(read, big_endian, inbuf, outbuf, len) \ + { \ + if (read) { \ + if (big_endian) { \ + RPIVAL(inbuf, 0, outbuf, len); \ + } else { \ + PIVAL(inbuf, 0, outbuf, len); \ + } \ + } else { \ + if (big_endian) { \ + RPSIVAL(inbuf, 0, outbuf, len); \ + } else { \ + PSIVAL(inbuf, 0, outbuf, len); \ + } \ + } \ + } -#define RW_PSVAL(read,big_endian,inbuf,outbuf,len) \ - { if (read) { if (big_endian) { RPSVAL(inbuf,0,outbuf,len); } else { PSVAL(inbuf,0,outbuf,len); } } \ - else { if (big_endian) { RPSSVAL(inbuf,0,outbuf,len); } else { PSSVAL(inbuf,0,outbuf,len); } } } +#define RW_PSVAL(read, big_endian, inbuf, outbuf, len) \ + { \ + if (read) { \ + if (big_endian) { \ + RPSVAL(inbuf, 0, outbuf, len); \ + } else { \ + PSVAL(inbuf, 0, outbuf, len); \ + } \ + } else { \ + if (big_endian) { \ + RPSSVAL(inbuf, 0, outbuf, len); \ + } else { \ + PSSVAL(inbuf, 0, outbuf, len); \ + } \ + } \ + } -#define RW_CVAL(read, inbuf, outbuf, offset) \ - { if (read) { (outbuf) = CVAL (inbuf,offset); } \ - else { SCVAL(inbuf,offset,outbuf); } } +#define RW_CVAL(read, inbuf, outbuf, offset) \ + { \ + if (read) { \ + (outbuf) = CVAL(inbuf, offset); \ + } else { \ + SCVAL(inbuf, offset, outbuf); \ + } \ + } -#define RW_IVAL(read, big_endian, inbuf, outbuf, offset) \ - { if (read) 
{ (outbuf) = ((big_endian) ? RIVAL(inbuf,offset) : IVAL (inbuf,offset)); } \ - else { if (big_endian) { RSIVAL(inbuf,offset,outbuf); } else { SIVAL(inbuf,offset,outbuf); } } } +#define RW_IVAL(read, big_endian, inbuf, outbuf, offset) \ + { \ + if (read) { \ + (outbuf) = ((big_endian) ? RIVAL(inbuf, offset) : IVAL(inbuf, offset)); \ + } else { \ + if (big_endian) { \ + RSIVAL(inbuf, offset, outbuf); \ + } else { \ + SIVAL(inbuf, offset, outbuf); \ + } \ + } \ + } -#define RW_SVAL(read, big_endian, inbuf, outbuf, offset) \ - { if (read) { (outbuf) = ((big_endian) ? RSVAL(inbuf,offset) : SVAL (inbuf,offset)); } \ - else { if (big_endian) { RSSVAL(inbuf,offset,outbuf); } else { SSVAL(inbuf,offset,outbuf); } } } +#define RW_SVAL(read, big_endian, inbuf, outbuf, offset) \ + { \ + if (read) { \ + (outbuf) = ((big_endian) ? RSVAL(inbuf, offset) : SVAL(inbuf, offset)); \ + } else { \ + if (big_endian) { \ + RSSVAL(inbuf, offset, outbuf); \ + } else { \ + SSVAL(inbuf, offset, outbuf); \ + } \ + } \ + } #undef CAREFUL_ALIGNMENT -/* we know that the 386 can handle misalignment and has the "right" +/* we know that the 386 can handle misalignment and has the "right" byteorder */ #ifdef __i386__ #define CAREFUL_ALIGNMENT 0 
@@ -162,23 +215,22 @@ it also defines lots of intermediate macros, just ignore those :-) #define CAREFUL_ALIGNMENT 1 #endif -#define CVAL(buf,pos) (((unsigned char *)(buf))[pos]) -#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos)) -#define SCVAL(buf,pos,val) (CVAL(buf,pos) = (val)) - +#define CVAL(buf, pos) (((unsigned char *)(buf))[pos]) +#define PVAL(buf, pos) ((unsigned)CVAL(buf, pos)) +#define SCVAL(buf, pos, val) (CVAL(buf, pos) = (val)) #if CAREFUL_ALIGNMENT -#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8) -#define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16) -#define SSVALX(buf,pos,val) (CVAL(buf,pos)=(val)&0xFF,CVAL(buf,pos+1)=(val)>>8) -#define SIVALX(buf,pos,val) (SSVALX(buf,pos,val&0xFFFF),SSVALX(buf,pos+2,val>>16)) -#define SVALS(buf,pos) ((int16)SVAL(buf,pos)) -#define IVALS(buf,pos) ((int32)IVAL(buf,pos)) -#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16)(val))) -#define SIVAL(buf,pos,val) SIVALX((buf),(pos),((uint32)(val))) -#define SSVALS(buf,pos,val) SSVALX((buf),(pos),((int16)(val))) -#define SIVALS(buf,pos,val) SIVALX((buf),(pos),((int32)(val))) +#define SVAL(buf, pos) (PVAL(buf, pos) | PVAL(buf, (pos) + 1) << 8) +#define IVAL(buf, pos) (SVAL(buf, pos) | SVAL(buf, (pos) + 2) << 16) +#define SSVALX(buf, pos, val) (CVAL(buf, pos) = (val)&0xFF, CVAL(buf, pos + 1) = (val) >> 8) +#define SIVALX(buf, pos, val) (SSVALX(buf, pos, val & 0xFFFF), SSVALX(buf, pos + 2, val >> 16)) +#define SVALS(buf, pos) ((int16)SVAL(buf, pos)) +#define IVALS(buf, pos) ((int32)IVAL(buf, pos)) +#define SSVAL(buf, pos, val) SSVALX((buf), (pos), ((uint16)(val))) +#define SIVAL(buf, pos, val) SIVALX((buf), (pos), ((uint32)(val))) +#define SSVALS(buf, pos, val) SSVALX((buf), (pos), ((int16)(val))) +#define SIVALS(buf, pos, val) SIVALX((buf), (pos), ((int32)(val))) #else /* CAREFUL_ALIGNMENT */ 
@@ -187,147 +239,171 @@ it also defines lots of intermediate macros, just ignore those :-) /* WARNING: This section is dependent on the length of int16 and int32 - being correct + being correct */ /* get single value from an SMB buffer */ -#define SVAL(buf,pos) (*(uint16 *)((char *)(buf) + (pos))) -#define IVAL(buf,pos) (*(uint32 *)((char *)(buf) + (pos))) -#define SVALS(buf,pos) (*(int16 *)((char *)(buf) + (pos))) -#define IVALS(buf,pos) (*(int32 *)((char *)(buf) + (pos))) +#define SVAL(buf, pos) (*(uint16 *)((char *)(buf) + (pos))) +#define IVAL(buf, pos) (*(uint32 *)((char *)(buf) + (pos))) +#define SVALS(buf, pos) (*(int16 *)((char *)(buf) + (pos))) +#define IVALS(buf, pos) (*(int32 *)((char *)(buf) + (pos))) /* store single value in an SMB buffer */ -#define SSVAL(buf,pos,val) SVAL(buf,pos)=((uint16)(val)) -#define SIVAL(buf,pos,val) IVAL(buf,pos)=((uint32)(val)) -#define SSVALS(buf,pos,val) SVALS(buf,pos)=((int16)(val)) -#define SIVALS(buf,pos,val) IVALS(buf,pos)=((int32)(val)) +#define SSVAL(buf, pos, val) SVAL(buf, pos) = ((uint16)(val)) +#define SIVAL(buf, pos, val) IVAL(buf, pos) = ((uint32)(val)) +#define SSVALS(buf, pos, val) SVALS(buf, pos) = ((int16)(val)) +#define SIVALS(buf, pos, val) IVALS(buf, pos) = ((int32)(val)) #endif /* CAREFUL_ALIGNMENT */ /* macros for reading / writing arrays */ -#define SMBMACRO(macro,buf,pos,val,len,size) \ -{ int32_t l; for (l = 0; l < (len); l++) (val)[l] = macro((buf), (pos) + (size)*l); } +#define SMBMACRO(macro, buf, pos, val, len, size) \ + { \ + int32_t l; \ + for (l = 0; l < (len); l++) \ + (val)[l] = macro((buf), (pos) + (size)*l); \ + } -#define SSMBMACRO(macro,buf,pos,val,len,size) \ -{ int32_t l; for (l = 0; l < (len); l++) macro((buf), (pos) + (size)*l, (val)[l]); } +#define SSMBMACRO(macro, buf, pos, val, len, size) \ + { \ + int32_t l; \ + for (l = 0; l < (len); l++) \ + macro((buf), (pos) + (size)*l, (val)[l]); \ + } /* reads multiple data from an SMB buffer */ -#define PCVAL(buf,pos,val,len) 
SMBMACRO(CVAL,buf,pos,val,len,1) -#define PSVAL(buf,pos,val,len) SMBMACRO(SVAL,buf,pos,val,len,2) -#define PIVAL(buf,pos,val,len) SMBMACRO(IVAL,buf,pos,val,len,4) -#define PCVALS(buf,pos,val,len) SMBMACRO(CVALS,buf,pos,val,len,1) -#define PSVALS(buf,pos,val,len) SMBMACRO(SVALS,buf,pos,val,len,2) -#define PIVALS(buf,pos,val,len) SMBMACRO(IVALS,buf,pos,val,len,4) +#define PCVAL(buf, pos, val, len) SMBMACRO(CVAL, buf, pos, val, len, 1) +#define PSVAL(buf, pos, val, len) SMBMACRO(SVAL, buf, pos, val, len, 2) +#define PIVAL(buf, pos, val, len) SMBMACRO(IVAL, buf, pos, val, len, 4) +#define PCVALS(buf, pos, val, len) SMBMACRO(CVALS, buf, pos, val, len, 1) +#define PSVALS(buf, pos, val, len) SMBMACRO(SVALS, buf, pos, val, len, 2) +#define PIVALS(buf, pos, val, len) SMBMACRO(IVALS, buf, pos, val, len, 4) /* stores multiple data in an SMB buffer */ -#define PSCVAL(buf,pos,val,len) SSMBMACRO(SCVAL,buf,pos,val,len,1) -#define PSSVAL(buf,pos,val,len) SSMBMACRO(SSVAL,buf,pos,val,len,2) -#define PSIVAL(buf,pos,val,len) SSMBMACRO(SIVAL,buf,pos,val,len,4) -#define PSCVALS(buf,pos,val,len) SSMBMACRO(SCVALS,buf,pos,val,len,1) -#define PSSVALS(buf,pos,val,len) SSMBMACRO(SSVALS,buf,pos,val,len,2) -#define PSIVALS(buf,pos,val,len) SSMBMACRO(SIVALS,buf,pos,val,len,4) - +#define PSCVAL(buf, pos, val, len) SSMBMACRO(SCVAL, buf, pos, val, len, 1) +#define PSSVAL(buf, pos, val, len) SSMBMACRO(SSVAL, buf, pos, val, len, 2) +#define PSIVAL(buf, pos, val, len) SSMBMACRO(SIVAL, buf, pos, val, len, 4) +#define PSCVALS(buf, pos, val, len) SSMBMACRO(SCVALS, buf, pos, val, len, 1) +#define PSSVALS(buf, pos, val, len) SSMBMACRO(SSVALS, buf, pos, val, len, 2) +#define PSIVALS(buf, pos, val, len) SSMBMACRO(SIVALS, buf, pos, val, len, 4) /* now the reverse routines - these are used in nmb packets (mostly) */ -#define SREV(x) ((((x)&0xFF)<<8) | (((x)>>8)&0xFF)) -#define IREV(x) ((SREV(x)<<16) | (SREV((x)>>16))) +#define SREV(x) ((((x)&0xFF) << 8) | (((x) >> 8) & 0xFF)) +#define IREV(x) ((SREV(x) << 16) 
| (SREV((x) >> 16))) -#define RSVAL(buf,pos) SREV(SVAL(buf,pos)) -#define RSVALS(buf,pos) SREV(SVALS(buf,pos)) -#define RIVAL(buf,pos) IREV(IVAL(buf,pos)) -#define RIVALS(buf,pos) IREV(IVALS(buf,pos)) -#define RSSVAL(buf,pos,val) SSVAL(buf,pos,SREV(val)) -#define RSSVALS(buf,pos,val) SSVALS(buf,pos,SREV(val)) -#define RSIVAL(buf,pos,val) SIVAL(buf,pos,IREV(val)) -#define RSIVALS(buf,pos,val) SIVALS(buf,pos,IREV(val)) +#define RSVAL(buf, pos) SREV(SVAL(buf, pos)) +#define RSVALS(buf, pos) SREV(SVALS(buf, pos)) +#define RIVAL(buf, pos) IREV(IVAL(buf, pos)) +#define RIVALS(buf, pos) IREV(IVALS(buf, pos)) +#define RSSVAL(buf, pos, val) SSVAL(buf, pos, SREV(val)) +#define RSSVALS(buf, pos, val) SSVALS(buf, pos, SREV(val)) +#define RSIVAL(buf, pos, val) SIVAL(buf, pos, IREV(val)) +#define RSIVALS(buf, pos, val) SIVALS(buf, pos, IREV(val)) /* reads multiple data from an SMB buffer (big-endian) */ -#define RPSVAL(buf,pos,val,len) SMBMACRO(RSVAL,buf,pos,val,len,2) -#define RPIVAL(buf,pos,val,len) SMBMACRO(RIVAL,buf,pos,val,len,4) -#define RPSVALS(buf,pos,val,len) SMBMACRO(RSVALS,buf,pos,val,len,2) -#define RPIVALS(buf,pos,val,len) SMBMACRO(RIVALS,buf,pos,val,len,4) +#define RPSVAL(buf, pos, val, len) SMBMACRO(RSVAL, buf, pos, val, len, 2) +#define RPIVAL(buf, pos, val, len) SMBMACRO(RIVAL, buf, pos, val, len, 4) +#define RPSVALS(buf, pos, val, len) SMBMACRO(RSVALS, buf, pos, val, len, 2) +#define RPIVALS(buf, pos, val, len) SMBMACRO(RIVALS, buf, pos, val, len, 4) /* stores multiple data in an SMB buffer (big-endian) */ -#define RPSSVAL(buf,pos,val,len) SSMBMACRO(RSSVAL,buf,pos,val,len,2) -#define RPSIVAL(buf,pos,val,len) SSMBMACRO(RSIVAL,buf,pos,val,len,4) -#define RPSSVALS(buf,pos,val,len) SSMBMACRO(RSSVALS,buf,pos,val,len,2) -#define RPSIVALS(buf,pos,val,len) SSMBMACRO(RSIVALS,buf,pos,val,len,4) +#define RPSSVAL(buf, pos, val, len) SSMBMACRO(RSSVAL, buf, pos, val, len, 2) +#define RPSIVAL(buf, pos, val, len) SSMBMACRO(RSIVAL, buf, pos, val, len, 4) +#define RPSSVALS(buf, 
pos, val, len) SSMBMACRO(RSSVALS, buf, pos, val, len, 2) +#define RPSIVALS(buf, pos, val, len) SSMBMACRO(RSIVALS, buf, pos, val, len, 4) -#define DBG_RW_PCVAL(charmode,string,depth,base,read,inbuf,outbuf,len) \ - { RW_PCVAL(read,inbuf,outbuf,len) \ - DEBUG(5,("%s%04x %s: ", \ - tab_depth(depth), base,string)); \ - if (charmode) print_asc(5, (unsigned char*)(outbuf), (len)); else \ - { int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%02x ", (outbuf)[idx])); } } \ - DEBUG(5,("\n")); } +#define DBG_RW_PCVAL(charmode, string, depth, base, read, inbuf, outbuf, len) \ + { \ + RW_PCVAL(read, inbuf, outbuf, len) \ + DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \ + if (charmode) \ + print_asc(5, (unsigned char *)(outbuf), (len)); \ + else { \ + int32_t idx; \ + for (idx = 0; idx < len; idx++) { \ + DEBUG(5, ("%02x ", (outbuf)[idx])); \ + } \ + } \ + DEBUG(5, ("\n")); \ + } -#define DBG_RW_PSVAL(charmode,string,depth,base,read,big_endian,inbuf,outbuf,len) \ - { RW_PSVAL(read,big_endian,inbuf,outbuf,len) \ - DEBUG(5,("%s%04x %s: ", \ - tab_depth(depth), base,string)); \ - if (charmode) print_asc(5, (unsigned char*)(outbuf), 2*(len)); else \ - { int32_t idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%04x ", (outbuf)[idx])); } } \ - DEBUG(5,("\n")); } +#define DBG_RW_PSVAL(charmode, string, depth, base, read, big_endian, inbuf, outbuf, len) \ + { \ + RW_PSVAL(read, big_endian, inbuf, outbuf, len) \ + DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \ + if (charmode) \ + print_asc(5, (unsigned char *)(outbuf), 2 * (len)); \ + else { \ + int32_t idx; \ + for (idx = 0; idx < len; idx++) { \ + DEBUG(5, ("%04x ", (outbuf)[idx])); \ + } \ + } \ + DEBUG(5, ("\n")); \ + } -#define DBG_RW_PIVAL(charmode,string,depth,base,read,big_endian,inbuf,outbuf,len) \ - { RW_PIVAL(read,big_endian,inbuf,outbuf,len) \ - DEBUG(5,("%s%04x %s: ", \ - tab_depth(depth), base,string)); \ - if (charmode) print_asc(5, (unsigned char*)(outbuf), 4*(len)); else \ - { int32_t 
idx; for (idx = 0; idx < len; idx++) { DEBUG(5,("%08x ", (outbuf)[idx])); } } \ - DEBUG(5,("\n")); } +#define DBG_RW_PIVAL(charmode, string, depth, base, read, big_endian, inbuf, outbuf, len) \ + { \ + RW_PIVAL(read, big_endian, inbuf, outbuf, len) \ + DEBUG(5, ("%s%04x %s: ", tab_depth(depth), base, string)); \ + if (charmode) \ + print_asc(5, (unsigned char *)(outbuf), 4 * (len)); \ + else { \ + int32_t idx; \ + for (idx = 0; idx < len; idx++) { \ + DEBUG(5, ("%08x ", (outbuf)[idx])); \ + } \ + } \ + DEBUG(5, ("\n")); \ + } -#define DBG_RW_CVAL(string,depth,base,read,inbuf,outbuf) \ - { RW_CVAL(read,inbuf,outbuf,0) \ - DEBUG(5,("%s%04x %s: %02x\n", \ - tab_depth(depth), base, string, outbuf)); } +#define DBG_RW_CVAL(string, depth, base, read, inbuf, outbuf) \ + { \ + RW_CVAL(read, inbuf, outbuf, 0) \ + DEBUG(5, ("%s%04x %s: %02x\n", tab_depth(depth), base, string, outbuf)); \ + } -#define DBG_RW_SVAL(string,depth,base,read,big_endian,inbuf,outbuf) \ - { RW_SVAL(read,big_endian,inbuf,outbuf,0) \ - DEBUG(5,("%s%04x %s: %04x\n", \ - tab_depth(depth), base, string, outbuf)); } +#define DBG_RW_SVAL(string, depth, base, read, big_endian, inbuf, outbuf) \ + { \ + RW_SVAL(read, big_endian, inbuf, outbuf, 0) \ + DEBUG(5, ("%s%04x %s: %04x\n", tab_depth(depth), base, string, outbuf)); \ + } -#define DBG_RW_IVAL(string,depth,base,read,big_endian,inbuf,outbuf) \ - { RW_IVAL(read,big_endian,inbuf,outbuf,0) \ - DEBUG(5,("%s%04x %s: %08x\n", \ - tab_depth(depth), base, string, outbuf)); } +#define DBG_RW_IVAL(string, depth, base, read, big_endian, inbuf, outbuf) \ + { \ + RW_IVAL(read, big_endian, inbuf, outbuf, 0) \ + DEBUG(5, ("%s%04x %s: %08x\n", tab_depth(depth), base, string, outbuf)); \ + } #endif /* _BYTEORDER_H */ - /* Samba MD4 implementation */ -/* NOTE: This code makes no attempt to be fast! +/* NOTE: This code makes no attempt to be fast! 
It assumes that a int32_t is at least 32 bits long */ static uint32 A, B, C, D; -static uint32 F(uint32 X, uint32 Y, uint32 Z) { - return (X & Y) | ((~X) & Z); -} +static uint32 F(uint32 X, uint32 Y, uint32 Z) { return (X & Y) | ((~X) & Z); } -static uint32 G(uint32 X, uint32 Y, uint32 Z) { - return (X & Y) | (X & Z) | (Y & Z); -} +static uint32 G(uint32 X, uint32 Y, uint32 Z) { return (X & Y) | (X & Z) | (Y & Z); } -static uint32 H(uint32 X, uint32 Y, uint32 Z) { - return X ^ Y ^ Z; -} +static uint32 H(uint32 X, uint32 Y, uint32 Z) { return X ^ Y ^ Z; } static uint32 lshift(uint32 x, int32_t s) { x &= 0xFFFFFFFF; return ((x << s) & 0xFFFFFFFF) | (x >> (32 - s)); } -#define ROUND1(a,b,c,d,k,s) a = lshift(a + F(b,c,d) + X[k], s) -#define ROUND2(a,b,c,d,k,s) a = lshift(a + G(b,c,d) + X[k] + (uint32)0x5A827999,s) -#define ROUND3(a,b,c,d,k,s) a = lshift(a + H(b,c,d) + X[k] + (uint32)0x6ED9EBA1,s) +#define ROUND1(a, b, c, d, k, s) a = lshift(a + F(b, c, d) + X[k], s) +#define ROUND2(a, b, c, d, k, s) a = lshift(a + G(b, c, d) + X[k] + (uint32)0x5A827999, s) +#define ROUND3(a, b, c, d, k, s) a = lshift(a + H(b, c, d) + X[k] + (uint32)0x6ED9EBA1, s) /* this applies md4 to 64 byte chunks */ -static void mdfour64(uint32 * M) { +static void mdfour64(uint32 *M) { int32_t j; uint32 AA, BB, CC, DD; uint32 X[16]; @@ -405,7 +481,7 @@ static void mdfour64(uint32 * M) { X[j] = 0; } -static void copy64(uint32 * M, unsigned char *in) { +static void copy64(uint32 *M, unsigned char *in) { int32_t i; for (i = 0; i < 16; i++) 
@@ -471,113 +547,37 @@ void mdfour(unsigned char *out, unsigned char *in, int32_t n) { #define uchar unsigned char #define int16 signed short -static uchar perm1[56] = { 57, 49, 41, 33, 25, 17, 9, - 1, 58, 50, 42, 34, 26, 18, - 10, 2, 59, 51, 43, 35, 27, - 19, 11, 3, 60, 52, 44, 36, - 63, 55, 47, 39, 31, 23, 15, - 7, 62, 54, 46, 38, 30, 22, - 14, 6, 61, 53, 45, 37, 29, - 21, 13, 5, 28, 20, 12, 4 -}; +static uchar perm1[56] = {57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4}; -static uchar perm2[48] = { 14, 17, 11, 24, 1, 5, - 3, 28, 15, 6, 21, 10, - 23, 19, 12, 4, 26, 8, - 16, 7, 27, 20, 13, 2, - 41, 52, 31, 37, 47, 55, - 30, 40, 51, 45, 33, 48, - 44, 49, 39, 56, 34, 53, - 46, 42, 50, 36, 29, 32 -}; +static uchar perm2[48] = {14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32}; -static uchar perm3[64] = { 58, 50, 42, 34, 26, 18, 10, 2, - 60, 52, 44, 36, 28, 20, 12, 4, - 62, 54, 46, 38, 30, 22, 14, 6, - 64, 56, 48, 40, 32, 24, 16, 8, - 57, 49, 41, 33, 25, 17, 9, 1, - 59, 51, 43, 35, 27, 19, 11, 3, - 61, 53, 45, 37, 29, 21, 13, 5, - 63, 55, 47, 39, 31, 23, 15, 7 -}; +static uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7}; -static uchar perm4[48] = { 32, 1, 2, 3, 4, 5, - 4, 5, 6, 7, 8, 9, - 8, 9, 10, 11, 12, 13, - 12, 13, 14, 15, 16, 17, - 16, 17, 18, 19, 20, 21, - 20, 21, 22, 23, 24, 25, - 24, 25, 26, 27, 28, 29, - 28, 29, 30, 31, 32, 1 -}; +static uchar perm4[48] = {32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17, 16, 17, 18, 
19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1}; -static uchar perm5[32] = { 16, 7, 20, 21, - 29, 12, 28, 17, - 1, 15, 23, 26, - 5, 18, 31, 10, - 2, 8, 24, 14, - 32, 27, 3, 9, - 19, 13, 30, 6, - 22, 11, 4, 25 -}; +static uchar perm5[32] = {16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25}; +static uchar perm6[64] = {40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25}; -static uchar perm6[64] = { 40, 8, 48, 16, 56, 24, 64, 32, - 39, 7, 47, 15, 55, 23, 63, 31, - 38, 6, 46, 14, 54, 22, 62, 30, - 37, 5, 45, 13, 53, 21, 61, 29, - 36, 4, 44, 12, 52, 20, 60, 28, - 35, 3, 43, 11, 51, 19, 59, 27, - 34, 2, 42, 10, 50, 18, 58, 26, - 33, 1, 41, 9, 49, 17, 57, 25 -}; +static uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; +static uchar sbox[8][4][16] = {{{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}}, -static uchar sc[16] = { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 }; + {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, -static uchar sbox[8][4][16] = { - {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, - {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, - {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, - {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}}, + {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, {13, 6, 4, 9, 8, 15, 
3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, - {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, - {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, - {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, - {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, + {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, - {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, - {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, - {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, - {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, + {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, - {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, - {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, - {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, - {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, + {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, - {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, - {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, - {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, - {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, + {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, - {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, 
- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, - {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, - {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, + {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; - {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, - {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, - {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, - {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, - - {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, - {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, - {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, - {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}} -}; - -static void permute(char *out, char *in, uchar * p, int32_t n) { +static void permute(char *out, char *in, uchar *p, int32_t n) { int32_t i; for (i = 0; i < n; i++) @@ -601,14 +601,15 @@ static void concat(char *out, char *in1, char *in2, int32_t l1, int32_t l2) { *out++ = *in2++; } -void xor(char *out, char *in1, char *in2, int32_t n) { - int32_t i; +void xor + (char *out, char *in1, char *in2, int32_t n) { + int32_t i; - for (i = 0; i < n; i++) - out[i] = in1[i] ^ in2[i]; -} + for (i = 0; i < n; i++) + out[i] = in1[i] ^ in2[i]; + } -static void dohash(char *out, char *in, char *key, int32_t forw) { + static void dohash(char *out, char *in, char *key, int32_t forw) { int32_t i, j, k; char pk1[56]; char c[28]; @@ -703,7 +704,6 @@ static void str_to_key(unsigned char *str, unsigned char *key) { } } - static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key, int32_t forw) { int32_t i; char outb[64]; 
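Review bot: On the new side of the `@@ -601,14 +601,15 @@` hunk the formatter has split `void xor` from its parameter list and indented the following `static void dohash(...)` one level deeper, because clang-format treats `xor` as the C++ alternative token for `^` rather than as an identifier, so it no longer recognises a function definition here. The result still compiles, but the layout is misleading and every later formatter run will reproduce it. The smallest fix is to bracket the definition with `// clang-format off` before `void xor(char *out, char *in1, char *in2, int32_t n) {` and `// clang-format on` after its closing brace, which restores the one-line signature and puts `static void dohash(char *out, char *in, char *key, int32_t forw) {` back at column 0; renaming the function (e.g. `xor_bytes`) would also avoid the problem, but its callers are not in this hunk, so that needs a wider change. The same guard would keep the DES permutation and S-box tables in the preceding `@@ -471,113 +547,37 @@` hunk in their row layout instead of one line per array. The body of `dohash` continues past the end of the hunk.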
@@ -732,7 +732,7 @@ static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key, i } void E_P16(unsigned char *p14, unsigned char *p16) { - unsigned char sp8[8] = { 0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 }; + unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; smbhash(p16, sp8, p14, 1); smbhash(p16 + 8, sp8, p14 + 7, 1); } @@ -785,7 +785,7 @@ void SamOEMhash(unsigned char *data, unsigned char *key, int32_t val) { int32_t ind; for (ind = 0; ind < 256; ind++) { - s_box[ind] = (unsigned char) ind; + s_box[ind] = (unsigned char)ind; } for (ind = 0; ind < 256; ind++) { @@ -815,7 +815,6 @@ void SamOEMhash(unsigned char *data, unsigned char *key, int32_t val) { /* Samba encryption implementation*/ - /**************************************************************************** Like strncpy but always null terminates. Make sure there is room! The variable n should always be one less than the available size. @@ -830,21 +829,19 @@ char *StrnCpy(char *dest, const char *src, size_t n) { *dest = 0; return (dest); } - while (n-- && (*d++ = *src++)); + while (n-- && (*d++ = *src++)) + ; *d = 0; return (dest); } -size_t skip_multibyte_char(char c) { - return 0; -} - +size_t skip_multibyte_char(char c) { return 0; } /******************************************************************* safe string copy into a known length string. maxlength does not include the terminating zero. ********************************************************************/ -#define DEBUG(a,b) ; +#define DEBUG(a, b) ; char *safe_strcpy(char *dest, const char *src, size_t maxlength) { size_t len; @@ -861,7 +858,7 @@ char *safe_strcpy(char *dest, const char *src, size_t maxlength) { len = strlen(src); if (len > maxlength) { - DEBUG(0, ("Error: string overflow by %d in safe_strcpy [%.50s]\n", (int32_t) (len - maxlength), src)); + DEBUG(0, ("Error: string overflow by %d in safe_strcpy [%.50s]\n", (int32_t)(len - maxlength), src)); len = maxlength; } 
@@ -870,7 +867,6 @@ char *safe_strcpy(char *dest, const char *src, size_t maxlength) { return dest; } - void strupper(char *s) { while (*s) { { @@ -879,44 +875,44 @@ void strupper(char *s) { if (skip != 0) s += skip; else { - if (islower((int32_t) *s)) - *s = toupper((int32_t) *s); + if (islower((int32_t)*s)) + *s = toupper((int32_t)*s); s++; } } } } -extern void SMBOWFencrypt(uchar passwd[16], uchar * c8, uchar p24[24]); +extern void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]); /* This implements the X/Open SMB password encryption - It takes a password, a 8 byte "crypt key" and puts 24 bytes of - encrypted password into p24 + It takes a password, a 8 byte "crypt key" and puts 24 bytes of + encrypted password into p24 */ -void SMBencrypt(uchar * passwd, uchar * c8, uchar * p24) { +void SMBencrypt(uchar *passwd, uchar *c8, uchar *p24) { uchar p14[15], p21[21]; memset(p21, '\0', 21); memset(p14, '\0', 14); - StrnCpy((char *) p14, (char *) passwd, 14); + StrnCpy((char *)p14, (char *)passwd, 14); - strupper((char *) p14); + strupper((char *)p14); E_P16(p14, p21); SMBOWFencrypt(p21, c8, p24); #ifdef DEBUG_PASSWORD DEBUG(100, ("SMBencrypt: lm#, challenge, response\n")); - dump_data(100, (char *) p21, 16); - dump_data(100, (char *) c8, 8); - dump_data(100, (char *) p24, 24); + dump_data(100, (char *)p21, 16); + dump_data(100, (char *)c8, 8); + dump_data(100, (char *)p24, 24); #endif } /* Routines for Windows NT MD4 Hash functions. */ -static int32_t _my_wcslen(int16 * str) { +static int32_t _my_wcslen(int16 *str) { int32_t len = 0; while (*str++ != 0) @@ -926,12 +922,12 @@ static int32_t _my_wcslen(int16 * str) { /* * Convert a string into an NT UNICODE string. - * Note that regardless of processor type + * Note that regardless of processor type * this must be in intel (little-endian) * format. */ -static int32_t _my_mbstowcs(int16 * dst, uchar * src, int32_t len) { +static int32_t _my_mbstowcs(int16 *dst, uchar *src, int32_t len) { int32_t i; int16 val; 
@@ -946,25 +942,25 @@ static int32_t _my_mbstowcs(int16 * dst, uchar * src, int32_t len) { return i; } -/* +/* * Creates the MD4 Hash of the users password in NT UNICODE. */ -void E_md4hash(uchar * passwd, uchar * p16) { +void E_md4hash(uchar *passwd, uchar *p16) { int32_t len; int16 wpwd[129]; /* Password cannot be longer than 128 characters */ - len = strlen((char *) passwd); + len = strlen((char *)passwd); if (len > 128) len = 128; /* Password must be converted to NT unicode */ _my_mbstowcs(wpwd, passwd, len); - wpwd[len] = 0; /* Ensure string is null terminated */ + wpwd[len] = 0; /* Ensure string is null terminated */ /* Calculate length in bytes */ len = _my_wcslen(wpwd) * sizeof(int16); - mdfour(p16, (unsigned char *) wpwd, len); + mdfour(p16, (unsigned char *)wpwd, len); } /* Does both the NT and LM owfs of a user's password */ @@ -976,12 +972,12 @@ void nt_lm_owf_gen(char *pwd, uchar nt_p16[16], uchar p16[16]) { /* Calculate the MD4 hash (NT compatible) of the password */ memset(nt_p16, '\0', 16); - E_md4hash((uchar *) passwd, nt_p16); + E_md4hash((uchar *)passwd, nt_p16); #ifdef DEBUG_PASSWORD DEBUG(100, ("nt_lm_owf_gen: pwd, nt#\n")); dump_data(120, passwd, strlen(passwd)); - dump_data(100, (char *) nt_p16, 16); + dump_data(100, (char *)nt_p16, 16); #endif /* Mangle the passwords into Lanman format */ 
@@ -991,19 +987,19 @@ void nt_lm_owf_gen(char *pwd, uchar nt_p16[16], uchar p16[16]) { /* Calculate the SMB (lanman) hash functions of the password */ memset(p16, '\0', 16); - E_P16((uchar *) passwd, (uchar *) p16); + E_P16((uchar *)passwd, (uchar *)p16); #ifdef DEBUG_PASSWORD DEBUG(100, ("nt_lm_owf_gen: pwd, lm#\n")); dump_data(120, passwd, strlen(passwd)); - dump_data(100, (char *) p16, 16); + dump_data(100, (char *)p16, 16); #endif /* clear out local copy of user's password (just being paranoid). */ memset(passwd, '\0', sizeof(passwd)); } /* Does the des encryption from the NT or LM MD4 hash. */ -void SMBOWFencrypt(uchar passwd[16], uchar * c8, uchar p24[24]) { +void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]) { uchar p21[21]; memset(p21, '\0', 21); @@ -1013,7 +1009,7 @@ void SMBOWFencrypt(uchar passwd[16], uchar * c8, uchar p24[24]) { } /* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */ -void NTLMSSPOWFencrypt(uchar passwd[8], uchar * ntlmchalresp, uchar p24[24]) { +void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]) { uchar p21[21]; memset(p21, '\0', 21); @@ -1023,16 +1019,15 @@ void NTLMSSPOWFencrypt(uchar passwd[8], uchar * ntlmchalresp, uchar p24[24]) { E_P24(p21, ntlmchalresp, p24); #ifdef DEBUG_PASSWORD DEBUG(100, ("NTLMSSPOWFencrypt: p21, c8, p24\n")); - dump_data(100, (char *) p21, 21); - dump_data(100, (char *) ntlmchalresp, 8); - dump_data(100, (char *) p24, 24); + dump_data(100, (char *)p21, 21); + dump_data(100, (char *)ntlmchalresp, 8); + dump_data(100, (char *)p24, 24); #endif } - /* Does the NT MD4 hash then des encryption. */ -void SMBNTencrypt(uchar * passwd, uchar * c8, uchar * p24) { +void SMBNTencrypt(uchar *passwd, uchar *c8, uchar *p24) { uchar p21[21]; memset(p21, '\0', 21); 
@@ -1042,9 +1037,9 @@ void SMBNTencrypt(uchar * passwd, uchar * c8, uchar * p24) { #ifdef DEBUG_PASSWORD DEBUG(100, ("SMBNTencrypt: nt#, challenge, response\n")); - dump_data(100, (char *) p21, 16); - dump_data(100, (char *) c8, 8); - dump_data(100, (char *) p24, 24); + dump_data(100, (char *)p21, 16); + dump_data(100, (char *)c8, 8); + dump_data(100, (char *)p24, 24); #endif } @@ -1083,7 +1078,8 @@ BOOL make_oem_passwd_hash(char data[516], const char *passwd, uchar old_pw_hash[ #endif -/* libtnlm copyrigth was left here, anyway the interface was slightly modified */ +/* libtnlm copyrigth was left here, anyway the interface was slightly modified + */ /* included libntlm-3.2.9 (c) even if this code is based in 2.1 version*/ 
@@ -1113,58 +1109,49 @@ Contributed LGPL versions of some of the GPL'd Samba files. * in the structures probably needs to be designed */ -#define AddBytes(ptr, header, buf, count) \ -{ \ -if (buf != NULL && count != 0) \ - { \ - SSVAL(&ptr->header.len,0,count); \ - SSVAL(&ptr->header.maxlen,0,count); \ - SIVAL(&ptr->header.offset,0,((ptr->buffer - ((uint8*)ptr)) + ptr->bufIndex)); \ - memcpy(ptr->buffer+ptr->bufIndex, buf, count); \ - ptr->bufIndex += count; \ - } \ -else \ - { \ - ptr->header.len = \ - ptr->header.maxlen = 0; \ - SIVAL(&ptr->header.offset,0,ptr->bufIndex); \ - } \ -} +#define AddBytes(ptr, header, buf, count) \ + { \ + if (buf != NULL && count != 0) { \ + SSVAL(&ptr->header.len, 0, count); \ + SSVAL(&ptr->header.maxlen, 0, count); \ + SIVAL(&ptr->header.offset, 0, ((ptr->buffer - ((uint8 *)ptr)) + ptr->bufIndex)); \ + memcpy(ptr->buffer + ptr->bufIndex, buf, count); \ + ptr->bufIndex += count; \ + } else { \ + ptr->header.len = ptr->header.maxlen = 0; \ + SIVAL(&ptr->header.offset, 0, ptr->bufIndex); \ + } \ + } -#define AddString(ptr, header, string) \ -{ \ -char *p = string; \ -int32_t len = 0; \ -if (p) len = strlen(p); \ -AddBytes(ptr, header, ((unsigned char*)p), len); \ -} +#define AddString(ptr, header, string) \ + { \ + char *p = string; \ + int32_t len = 0; \ + if (p) \ + len = strlen(p); \ + AddBytes(ptr, header, ((unsigned char *)p), len); \ + } -#define AddUnicodeString(ptr, header, string) \ -{ \ -char *p = string; \ -unsigned char *b = NULL; \ -int32_t len = 0; \ -if (p) \ - { \ - len = strlen(p); \ - b = strToUnicode(p); \ - } \ -AddBytes(ptr, header, b, len*2); \ -} +#define AddUnicodeString(ptr, header, string) \ + { \ + char *p = string; \ + unsigned char *b = NULL; \ + int32_t len = 0; \ + if (p) { \ + len = strlen(p); \ + b = strToUnicode(p); \ + } \ + AddBytes(ptr, header, b, len * 2); \ + } +#define GetUnicodeString(structPtr, header) unicodeToString(((char *)structPtr) + IVAL(&structPtr->header.offset, 0), 
SVAL(&structPtr->header.len, 0) / 2) +#define GetString(structPtr, header) toString((((char *)structPtr) + IVAL(&structPtr->header.offset, 0)), SVAL(&structPtr->header.len, 0)) +#define DumpBuffer(fp, structPtr, header) dumpRaw(fp, ((unsigned char *)structPtr) + IVAL(&structPtr->header.offset, 0), SVAL(&structPtr->header.len, 0)) -#define GetUnicodeString(structPtr, header) \ -unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2) -#define GetString(structPtr, header) \ -toString((((char *)structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0)) -#define DumpBuffer(fp, structPtr, header) \ -dumpRaw(fp,((unsigned char*)structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0)) - - -static void dumpRaw(FILE * fp, unsigned char *buf, size_t len) { +static void dumpRaw(FILE *fp, unsigned char *buf, size_t len) { int32_t i; - for (i = 0; i < (int32_t) len; ++i) + for (i = 0; i < (int32_t)len; ++i) fprintf(fp, "%02x ", buf[i]); fprintf(fp, "\n"); @@ -1176,7 +1163,7 @@ static char *unicodeToString(char *p, size_t len) { assert(len + 1 < sizeof buf); - for (i = 0; i < (int32_t) len; ++i) { + for (i = 0; i < (int32_t)len; ++i) { buf[i] = *p & 0x7f; p += 2; } @@ -1210,12 +1197,11 @@ static unsigned char *toString(char *p, size_t len) { return buf; } +void buildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain) { + char *h = NULL; // strdup(host); + char *p = NULL; // strchr(h,'@'); -void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *host, char *domain) { - char *h = NULL; //strdup(host); - char *p = NULL; //strchr(h,'@'); - -//TODO: review default flags + // TODO: review default flags if (host == NULL) host = ""; 
@@ -1230,7 +1216,7 @@ void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *host, cha *p = '\0'; } if (flags == 0) - flags = 0x0000b207; /* Lowest security options to avoid negotiation */ + flags = 0x0000b207; /* Lowest security options to avoid negotiation */ request->bufIndex = 0; memcpy(request->ident, "NTLMSSP\0\0\0", 8); SIVAL(&request->msgType, 0, 1); @@ -1243,7 +1229,7 @@ void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *host, cha free(h); } -void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse * response, long flags, char *user, char *password, char *domainname, char *host) { +void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domainname, char *host) { uint8 lmRespData[24]; uint8 ntRespData[24]; char *u = strdup(user); @@ -1264,8 +1250,8 @@ void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse * *p = '\0'; } - SMBencrypt((unsigned char *) password, challenge->challengeData, lmRespData); - SMBNTencrypt((unsigned char *) password, challenge->challengeData, ntRespData); + SMBencrypt((unsigned char *)password, challenge->challengeData, lmRespData); + SMBNTencrypt((unsigned char *)password, challenge->challengeData, ntRespData); response->bufIndex = 0; memcpy(response->ident, "NTLMSSP\0\0\0", 8); @@ -1284,7 +1270,7 @@ void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse * AddString(response, sessionKey, NULL); if (flags != 0) - challenge->flags = flags; /* Overide flags! */ + challenge->flags = flags; /* Overide flags! */ response->flags = challenge->flags; if (w) 
@@ -1295,16 +1281,12 @@ void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse * free(u); } - - - - // info functions -void dumpAuthRequest(FILE * fp, tSmbNtlmAuthRequest * request); -void dumpAuthChallenge(FILE * fp, tSmbNtlmAuthChallenge * challenge); -void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response); +void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request); +void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge); +void dumpAuthResponse(FILE *fp, tSmbNtlmAuthResponse *response); -void dumpAuthRequest(FILE * fp, tSmbNtlmAuthRequest * request) { +void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request) { fprintf(fp, "NTLM Request:\n"); fprintf(fp, " Ident = %s\n", request->ident); fprintf(fp, " mType = %u\n", IVAL(&request->msgType, 0)); @@ -1313,7 +1295,7 @@ void dumpAuthRequest(FILE * fp, tSmbNtlmAuthRequest * request) { fprintf(fp, " Domain = %s\n", GetString(request, domain)); } -void dumpAuthChallenge(FILE * fp, tSmbNtlmAuthChallenge * challenge) { +void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge) { fprintf(fp, "NTLM Challenge:\n"); fprintf(fp, " Ident = %s\n", challenge->ident); fprintf(fp, " mType = %u\n", IVAL(&challenge->msgType, 0)); @@ -1324,7 +1306,7 @@ void dumpAuthChallenge(FILE * fp, tSmbNtlmAuthChallenge * challenge) { fprintf(fp, " Incomplete!! parse optional parameters\n"); } -void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) { +void dumpAuthResponse(FILE *fp, tSmbNtlmAuthResponse *response) { fprintf(fp, "NTLM Response:\n"); fprintf(fp, " Ident = %s\n", response->ident); fprintf(fp, " mType = %u\n", IVAL(&response->msgType, 0)); @@ -1340,12 +1322,6 @@ void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) { fprintf(fp, " Flags = %08x\n", IVAL(&response->flags, 0)); } - - - - - - /* * base64.c -- base-64 conversion routines. * 
@@ -1360,22 +1336,13 @@ void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response) { * This code borrowed from fetchmail sources */ - static const char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; -#define BAD -1 -static const char base64val[] = { - BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, - BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, - BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD, 63, - 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD, - BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, - 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD, - BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, - 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD -}; +#define BAD -1 +static const char base64val[] = {BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, BAD, 62, BAD, BAD, BAD, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, BAD, BAD, BAD, BAD, BAD, BAD, + BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, BAD, BAD, BAD, BAD, BAD, BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, BAD, BAD, BAD, BAD, BAD}; -#define DECODE64(c) (isascii(c) ? base64val[c] : BAD) +#define DECODE64(c) (isascii(c) ? base64val[c] : BAD) void to64frombits(unsigned char *out, const unsigned char *in, int32_t inlen) diff --git a/ntlm.h b/ntlm.h index 85f8f7f..3150536 100644 --- a/ntlm.h +++ b/ntlm.h 
@@ -2,75 +2,78 @@ Single file NTLM system to create and parse authentication messages. http://www.reversing.org - ilo-- ilo@reversing.org + ilo-- ilo@reversing.org - I did copy&paste&modify several files to leave independent NTLM code - that compile in cygwin/linux environment. Most of the code was ripped + I did copy&paste&modify several files to leave independent NTLM code + that compile in cygwin/linux environment. Most of the code was ripped from Samba implementation so I left the Copying statement. Samba core code was left unmodified from 1.9 version. Also libntlm was ripped but rewrote, due to fixed and useless interface. Copyright and licensing information is in ntlm.c file. - NTLM Interface, just two functions: + NTLM Interface, just two functions: - void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain); - if flags is 0 minimun security level is selected, otherwise new value superseeds. - host and domain are optional, they may be NULLed. + void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, + char *domain); if flags is 0 minimun security level is selected, otherwise + new value superseeds. host and domain are optional, they may be NULLed. - void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host); + void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse + *response, long flags, char *user, char *password, char *domain, char *host); Given a challenge, generates a response for that user/passwd/host/domain. - flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication + flags, host, and domain superseeds given by server. Leave 0 and NULL for + server authentication - This is an usage sample: + This is an usage sample: - ... 
- //beware of fixed sized buffer, asserts may fail, don't use long strings :) - //Yes, I Know, year 2k6 and still with this shit.. - unsigned char buf[4096]; - unsigned char buf2[4096]; + ... + //beware of fixed sized buffer, asserts may fail, don't use long + strings :) + //Yes, I Know, year 2k6 and still with this shit.. + unsigned char buf[4096]; + unsigned char buf2[4096]; - //send auth request: let the server send it's own hostname and domainname - buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL); - to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2)); - send_to_server(buf); + //send auth request: let the server send it's own hostname and + domainname buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL); + to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthRequest*)buf2)); + send_to_server(buf); - //receive challenge - receive_from_server(buf); + //receive challenge + receive_from_server(buf); - //build response with hostname and domainname from server - buildAuthResponse((tSmbNtlmAuthChallenge*)buf,(tSmbNtlmAuthResponse*)buf2,0,"username","password",NULL,NULL); - to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2)); - send_to_server(buf); + //build response with hostname and domainname from server + buildAuthResponse((tSmbNtlmAuthChallenge*)buf,(tSmbNtlmAuthResponse*)buf2,0,"username","password",NULL,NULL); + to64frombits(buf, buf2, SmbLength((tSmbNtlmAuthResponse*)buf2)); + send_to_server(buf); - //get reply and Check if ok - ... + //get reply and Check if ok + ... included bonus!!: Base64 code int32_t from64tobits(char *out, const char *in); - void to64frombits(unsigned char *out, const unsigned char *in, int32_t inlen); + void to64frombits(unsigned char *out, const unsigned char *in, int32_t + inlen); - You don't need to read the rest of the file. + You don't need to read the rest of the file. 
*/ - -/* +/* * These structures are byte-order dependant, and should not * be manipulated except by the use of the routines provided */ #ifdef __sun - #include +#include #elif defined(__FreeBSD__) || defined(__IBMCPP__) || defined(_AIX) - #include +#include #else - #include +#include #endif typedef unsigned short uint16; @@ -105,7 +108,6 @@ typedef struct { uint32 bufIndex; } tSmbNtlmAuthChallenge; - typedef struct { char ident[8]; uint32 msgType; 
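Review bot: The reflowed usage sample in the header comment is now misleading: the call `buildAuthRequest((tSmbNtlmAuthRequest*)buf2,0,NULL,NULL);` has been pulled up onto the `//send auth request ... domainname` line so it reads as commented out, the `BuildAuthRequest`/`buildAuthResponse` prototypes now run straight into the prose that describes them, and `strings :)` sits on a line of its own. Anyone copying the sample will paste a commented-out request and a mangled response line. Suggest restoring the original line breaks and bracketing the whole header comment with `/* clang-format off */` and `/* clang-format on */` so later formatter runs do not reflow it again.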
@@ -120,34 +122,33 @@ typedef struct { uint32 bufIndex; } tSmbNtlmAuthResponse; - -extern void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *host, char *domain); +extern void buildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain); /* reversing interface */ /* ntlm functions */ -void BuildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *host, char *domain); +void BuildAuthRequest(tSmbNtlmAuthRequest *request, long flags, char *host, char *domain); -// if flags is 0 minimun security level is selected, otherwise new value superseeds. -// host and domain are optional, they may be NULLed. +// if flags is 0 minimun security level is selected, otherwise new value +// superseeds. host and domain are optional, they may be NULLed. +void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse *response, long flags, char *user, char *password, char *domain, char *host); -void buildAuthResponse(tSmbNtlmAuthChallenge * challenge, tSmbNtlmAuthResponse * response, long flags, char *user, char *password, char *domain, char *host); - -//Given a challenge, generates a response for that user/passwd/host/domain. -//flags, host, and domain superseeds given by server. Leave 0 and NULL for server authentication +// Given a challenge, generates a response for that user/passwd/host/domain. +// flags, host, and domain superseeds given by server. 
Leave 0 and NULL for +// server authentication /* Base64 code*/ int32_t from64tobits(char *out, const char *in); void to64frombits(unsigned char *out, const unsigned char *in, int32_t inlen); -void xor(char *out, char *in1, char *in2, int32_t n); +void xor (char *out, char *in1, char *in2, int32_t n); // info functions -void dumpAuthRequest(FILE * fp, tSmbNtlmAuthRequest * request); -void dumpAuthChallenge(FILE * fp, tSmbNtlmAuthChallenge * challenge); -void dumpAuthResponse(FILE * fp, tSmbNtlmAuthResponse * response); +void dumpAuthRequest(FILE *fp, tSmbNtlmAuthRequest *request); +void dumpAuthChallenge(FILE *fp, tSmbNtlmAuthChallenge *challenge); +void dumpAuthResponse(FILE *fp, tSmbNtlmAuthResponse *response); void strupper(char *s); -#define SmbLength(ptr) (((ptr)->buffer - (uint8*)(ptr)) + (ptr)->bufIndex) +#define SmbLength(ptr) (((ptr)->buffer - (uint8 *)(ptr)) + (ptr)->bufIndex) diff --git a/performance.h b/performance.h index 10759f8..8fcced9 100644 --- a/performance.h +++ b/performance.h @@ -1,13 +1,13 @@ -#include -#include #include +#include +#include #include #include #include -#include +#include /* handles select errors */ -int32_t my_select(int32_t fd, fd_set * fdread, fd_set * fdwrite, fd_set * fdex, long sec, long usec) { +int32_t my_select(int32_t fd, fd_set *fdread, fd_set *fdwrite, fd_set *fdex, long sec, long usec) { int32_t ret_val; struct timeval stv; fd_set *fdr2, *fdw2, *fde2; @@ -18,10 +18,12 @@ int32_t my_select(int32_t fd, fd_set * fdread, fd_set * fdwrite, fd_set * fdex, fde2 = fdex; stv.tv_sec = sec; stv.tv_usec = usec; - if (debug > 1) printf("before select\n"); + if (debug > 1) + printf("before select\n"); ret_val = select(fd, fdr2, fdw2, fde2, &stv); - if (debug > 1) printf("after select\n"); - /* XXX select() sometimes returns errno=EINTR (signal found) */ + if (debug > 1) + printf("after select\n"); + /* XXX select() sometimes returns errno=EINTR (signal found) */ } while (ret_val == -1 && errno == EINTR); return ret_val; 
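Review bot: `void xor (char *out, char *in1, char *in2, int32_t n);` now carries a space before the parenthesis, presumably because the new `.clang-format` declares `Language: Cpp` and `xor` is the C++ alternative token for `^`. That spacing is a symptom worth acting on: the identifier is a reserved token in C++ and becomes a macro in C once `<iso646.h>` is included, so this header cannot be consumed from either of those contexts. Consider renaming the function (e.g. `xor_bytes`) in this prototype and in its definition, which is not part of this hunk, after checking for other callers.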
@@ -43,7 +45,7 @@ ssize_t read_safe(int32_t fd, void *buffer, size_t len) { tv.tv_sec = 0; tv.tv_usec = 250000; ret = select(fd + 1, &fr, 0, 0, &tv); - /* XXX select() sometimes return errno=EINTR (signal found) */ + /* XXX select() sometimes return errno=EINTR (signal found) */ } while (ret == -1 && errno == EINTR); if (ret < 0) { @@ -55,7 +57,7 @@ ssize_t read_safe(int32_t fd, void *buffer, size_t len) { } if (ret > 0) { - while ((r = read(fd, (char*) ((char*)buffer + total), toread))) { + while ((r = read(fd, (char *)((char *)buffer + total), toread))) { if (r == -1) { if (errno == EAGAIN) break; diff --git a/postgres_ext.h b/postgres_ext.h index 16ceadd..e5791d1 100644 --- a/postgres_ext.h +++ b/postgres_ext.h @@ -4,8 +4,9 @@ * postgres_ext.h * * This file contains declarations of things that are visible everywhere - * in PostgreSQL *and* are visible to clients of frontend interface libraries. - * For example, the Oid type is part of the API of libpq and other libraries. + * in PostgreSQL *and* are visible to clients of frontend interface + *libraries. For example, the Oid type is part of the API of libpq and other + *libraries. * * Declarations which are specific to a particular interface should * go in the header file for that interface (such as libpq-fe.h). This @@ -30,16 +31,15 @@ typedef uint32_t Oid; #ifdef __cplusplus -#define InvalidOid (Oid(0)) +#define InvalidOid (Oid(0)) #else -#define InvalidOid ((Oid) 0) +#define InvalidOid ((Oid)0) #endif -#define OID_MAX UINT_MAX +#define OID_MAX UINT_MAX /* you will need to include to use the above #define */ - /* * NAMEDATALEN is the max length for system identifiers (e.g. table names, * attribute names, function names, etc). It must be a multiple of 
@@ -49,21 +49,20 @@ typedef uint32_t Oid; */ #define NAMEDATALEN 64 - /* * Identifiers of error message fields. Kept here to keep common * between frontend and backend, and also to export them to libpq * applications. */ -#define PG_DIAG_SEVERITY 'S' -#define PG_DIAG_SQLSTATE 'C' -#define PG_DIAG_MESSAGE_PRIMARY 'M' -#define PG_DIAG_MESSAGE_DETAIL 'D' -#define PG_DIAG_MESSAGE_HINT 'H' +#define PG_DIAG_SEVERITY 'S' +#define PG_DIAG_SQLSTATE 'C' +#define PG_DIAG_MESSAGE_PRIMARY 'M' +#define PG_DIAG_MESSAGE_DETAIL 'D' +#define PG_DIAG_MESSAGE_HINT 'H' #define PG_DIAG_STATEMENT_POSITION 'P' -#define PG_DIAG_CONTEXT 'W' -#define PG_DIAG_SOURCE_FILE 'F' -#define PG_DIAG_SOURCE_LINE 'L' -#define PG_DIAG_SOURCE_FUNCTION 'R' +#define PG_DIAG_CONTEXT 'W' +#define PG_DIAG_SOURCE_FILE 'F' +#define PG_DIAG_SOURCE_LINE 'L' +#define PG_DIAG_SOURCE_FUNCTION 'R' #endif diff --git a/pw-inspector.1 b/pw-inspector.1 index 90bff65..c9f228c 100644 --- a/pw-inspector.1 +++ b/pw-inspector.1 @@ -42,7 +42,7 @@ upcase characters (A,B,C,D, etc.) numbers (1,2,3,4, etc.) .TP .B \-p -printable characters (which are not \-l/\-n/\-p, e.g. $,!,/,(,*, etc.) +printable characters (which are not \-l/\-n/\-n, e.g. $,!,/,(,*, etc.) .TP .B \ -s special characters \- all others not withint the sets above diff --git a/pw-inspector.c b/pw-inspector.c index 86eb352..8b87a5a 100644 --- a/pw-inspector.c +++ b/pw-inspector.c 
@@ -1,38 +1,46 @@ -#include -#include -#include -#include #include #include +#include +#include +#include +#include -#define PROGRAM "PW-Inspector" -#define VERSION "v0.2" -#define EMAIL "vh@thc.org" -#define WEB "https://github.com/vanhauser-thc/thc-hydra" +#define PROGRAM "PW-Inspector" +#define VERSION "v0.2" +#define EMAIL "vh@thc.org" +#define WEB "https://github.com/vanhauser-thc/thc-hydra" -#define MAXLENGTH 256 +#define MAXLENGTH 256 char *prg; void help() { printf("%s %s (c) 2005 by van Hauser / THC %s [%s]\n\n", PROGRAM, VERSION, EMAIL, WEB); - printf("Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s\n\n", prg); + printf("Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] " + "-l -u -n -p -s\n\n", + prg); printf("Options:\n"); printf(" -i FILE file to read passwords from (default: stdin)\n"); printf(" -o FILE file to write valid passwords to (default: stdout)\n"); printf(" -m MINLEN minimum length of a valid password\n"); printf(" -M MAXLEN maximum length of a valid password\n"); - printf(" -c MINSETS the minimum number of sets required (default: all given)\n"); + printf(" -c MINSETS the minimum number of sets required (default: all " + "given)\n"); printf("Sets:\n"); printf(" -l lowcase characters (a,b,c,d, etc.)\n"); printf(" -u upcase characters (A,B,C,D, etc.)\n"); printf(" -n numbers (1,2,3,4, etc.)\n"); - printf(" -p printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)\n"); - printf(" -s special characters - all others not withint the sets above\n"); + printf(" -p printable characters (which are not -l/-u/-n, e.g. 
" + "$,!,/,(,*, etc.)\n"); + printf(" -s special characters - all others not within the sets " + "above\n"); printf("\n%s reads passwords in and prints those which meet the requirements.\n", PROGRAM); - printf("The return code is the number of valid passwords found, 0 if none was found.\n"); - printf("Use for security: check passwords, if 0 is returned, reject password choice.\n"); - printf("Use for hacking: trim your dictionary file to the pw requirements of the target.\n"); + printf("The return code is the number of valid passwords found, 0 if none " + "was found.\n"); + printf("Use for security: check passwords, if 0 is returned, reject password " + "choice.\n"); + printf("Use for hacking: trim your dictionary file to the pw requirements of " + "the target.\n"); printf("Usage only allowed for legal purposes.\n"); exit(-1); } @@ -42,7 +50,7 @@ int main(int argc, char *argv[]) { int32_t sets = 0, countsets = 0, minlen = 0, maxlen = MAXLENGTH, count = 0; int32_t set_low = 0, set_up = 0, set_no = 0, set_print = 0, set_other = 0; FILE *in = stdin, *out = stdout; - char buf[MAXLENGTH + 1]; + unsigned char buf[MAXLENGTH + 1]; prg = argv[0]; if (argc < 2) 
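Review bot: The help line for `-p` now reads `-l/-u/-n`, but the companion change to pw-inspector.1 in this same commit writes `\-l/\-n/\-n`, which repeats `-n` and looks like a typo for `\-l/\-u/\-n`; the two descriptions should agree. Also, the `@@ -116,47` hunk below appears to change what the set options mean (a character belonging to none of the enabled sets now disqualifies the password), and nothing in the `-c` or set descriptions here says so; if that change is intended, the help text and the man page should state it.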
@@ -116,47 +124,41 @@ int main(int argc, char *argv[]) { if (countsets == 0) countsets = sets; - while (fgets(buf, sizeof(buf), in) != NULL) { - i = -1; - if (buf[0] == 0) + while (fgets((void *)buf, sizeof(buf), in) != NULL) { + int is_low = 0, is_up = 0, is_no = 0, is_print = 0, is_other = 0; + if (!buf[0]) continue; if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; + if (buf[strlen(buf) - 1] == '\r') + buf[strlen(buf) - 1] = 0; if (strlen(buf) >= minlen && strlen(buf) <= maxlen) { i = 0; - if (countsets > 0) { - if (set_low) - if (strpbrk(buf, "abcdefghijklmnopqrstuvwxyz") != NULL) - i++; - if (set_up) - if (strpbrk(buf, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != NULL) - i++; - if (set_no) - if (strpbrk(buf, "0123456789") != NULL) - i++; - if (set_print) { - j = 0; - for (k = 0; k < strlen(buf); k++) - if (isprint((int32_t) buf[k]) != 0 && isalnum((int32_t) buf[k]) == 0) - j = 1; - if (j) - i++; - } - if (set_other) { - j = 0; - for (k = 0; k < strlen(buf); k++) - if (isprint((int32_t) buf[k]) == 0 && isalnum((int32_t) buf[k]) == 0) - j = 1; - if (j) - i++; + j = 1; + for (i = 0; i < strlen(buf) && j; i++) { + j = 0; + if (set_low && islower(buf[i])) { + j = 1; + is_low = 1; + } else if (set_up && isupper(buf[i])) { + j = 1; + is_up = 1; + } else if (set_no && isdigit(buf[i])) { + j = 1; + is_no = 1; + } else if (set_print && isprint(buf[i]) && !isalnum(buf[i])) { + j = 1; + is_print = 1; + } else if (set_other && !isprint(buf[i])) { + j = 1; + is_other = 1; } } - if (i >= countsets) { + if (j && countsets <= is_low + is_up + is_no + is_print + is_other) { fprintf(out, "%s\n", buf); count++; } } - /* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i, minlen, maxlen, strlen(buf)); */ } fclose(in); fclose(out); diff --git a/rdp.h b/rdp.h deleted file mode 100644 index 1d3c7c4..0000000 --- a/rdp.h +++ /dev/null 
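Review bot: The new `'\r'` strip reads out of bounds for an input line that is just `"\n"`: the `!buf[0]` check runs before the strip, the first strip leaves `buf` empty, and `strlen(buf) - 1` then wraps to `SIZE_MAX`, so `buf[strlen(buf) - 1]` indexes far outside the array. Replace both strips with a length-guarded loop that also handles `"\r\n"`: `size_t len = strlen((char *)buf);` / `while (len && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) buf[--len] = 0;`. Separately, the rewritten scan sets `j = 0` and stops at the first character that belongs to none of the enabled sets, so with `-l -n` a password containing `!` is now rejected where the old code accepted it once enough sets were present; if that policy change is intended it should be documented in the help text and man page. Minor: `i` is `int32_t` and is compared with `strlen()`, and `strlen(buf)` now passes an `unsigned char *` where `const char *` is expected, both of which draw compiler warnings (`-Wsign-compare`, `-Wpointer-sign`). `main()` begins outside this hunk.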
@@ -1,634 +0,0 @@ -/* - david: this file is based on header files from rdesktop project - - rdesktop: A Remote Desktop Protocol client. - Master include file - Copyright (C) Matthew Chapman 1999-2008 - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -*/ - -#include "hydra-mod.h" - -#include -#include -#include -#ifdef _WIN32 -#define WINVER 0x0400 -#include -#include -#include -#define DIR int32_t -#else -#include -#include -#ifdef HAVE_SYS_SELECT_H -#include -#else -#include -#include -#endif -#endif -#include /* PATH_MAX */ -#ifdef HAVE_SYSEXITS_H -#include -#endif - -#include /* stat */ -#include /* gettimeofday */ -#include /* times */ -#include -#include - -//fixme - -/* The system could not log you on. Make sure your User name and domain are correct [FAILED] */ -#define LOGON_MESSAGE_FAILED_XP "\x00\x00\x01\x06\x02\x06\x04\x09\x05\x05\x04\x06\x06\x05\x02\x04\x07\x06" -#define LOGON_MESSAGE_FAILED_2K3 "\x00\x00\x01\x08\x02\x07\x03\x07\x04\x07\x05\x05\x01\x05\x04\x07\x03\x05" -#define LOGON_MESSAGE_FAILED_2K8 "not needed" - -#define LOGON_MESSAGE_2K "\x00\x00\x01\x06\x02\x07\x04\x0a\x05\x08\x06\x0a\x01\x05\x07\x0a\x08\x0b\x05\x03\x09\x07\x01\x07\x0a\x07\x0b\x09\xff\x00\x1c" - -/* The local policy of this system does not permit you to logon interactively. 
[SUCCESS] */ -#define LOGON_MESSAGE_NO_INTERACTIVE_XP "\x00\x00\x01\x06\x02\x06\x04\x09\x05\x02\x06\x06\x07\x05\x04\x06\x08\x05" -#define LOGON_MESSAGE_NO_INTERACTIVE_2K3 "??" - -/* Unable to log you on because your account has been locked out [FAILED] */ -#define LOGON_MESSAGE_LOCKED_XP "\x00\x00\x01\x07\x02\x06\x03\x06\x04\x06\x05\x02\x07\x09\x08\x04\x04\x09" -#define LOGON_MESSAGE_LOCKED_2K3 "??" - -/* Your account has been disabled. Please see your system administrator. [ERROR] */ -/* Your account has expired. Please see your system administrator. [ERROR] */ -#define LOGON_MESSAGE_DISABLED_XP "\x00\x00\x01\x06\x02\x06\x03\x06\x05\x07\x06\x06\x06\x05\x01\x05\x02\x06" -#define LOGON_MESSAGE_DISABLED_2K3 "??" - -/* Your password has expired and must be changed. [SUCCESS] */ -#define LOGON_MESSAGE_EXPIRED_XP "\x00\x00\x01\x06\x02\x06\x03\x06\x05\x07\x06\x06\x07\x06\x07\x05\x08\x05" -#define LOGON_MESSAGE_EXPIRED_2K3 "??" - -/* You are required to change your password at first logon. [SUCCESS] */ -#define LOGON_MESSAGE_MUST_CHANGE_XP "\x00\x00\x01\x06\x02\x06\x04\x09\x05\x06\x06\x04\x05\x09\x06\x04\x07\x06" -#define LOGON_MESSAGE_MUST_CHANGE_2K3 "??" - -/* The terminal server has exceeded the maximum number of allowed connections. [SUCCESS] */ -#define LOGON_MESSAGE_MSTS_MAX_2K3 "\x00\x00\x01\x06\x02\x07\x01\x07\x05\x07\x24\x0a\x25\x0a\x0b\x07\x0b\x06\x26" - - -#define DEBUG(args) { if (debug) {hydra_report(stderr, "[DEBUG] "); printf args; }} -#define DEBUG_RDP5(args){ if (debug) {hydra_report(stderr, "[DEBUG] RDP5 "); printf args; }} - -#define STRNCPY(dst,src,n) { strncpy(dst,src,n-1); dst[n-1] = 0; } - -#ifndef MIN -#define MIN(x,y) (((x) < (y)) ? (x) : (y)) -#endif - -#ifndef MAX -#define MAX(x,y) (((x) > (y)) ? 
(x) : (y)) -#endif - -/* timeval macros */ -#ifndef timerisset -#define timerisset(tvp)\ - ((tvp)->tv_sec || (tvp)->tv_usec) -#endif -#ifndef timercmp -#define timercmp(tvp, uvp, cmp)\ - ((tvp)->tv_sec cmp (uvp)->tv_sec ||\ - (tvp)->tv_sec == (uvp)->tv_sec &&\ - (tvp)->tv_usec cmp (uvp)->tv_usec) -#endif -#ifndef timerclear -#define timerclear(tvp)\ - ((tvp)->tv_sec = (tvp)->tv_usec = 0) -#endif - -/* If configure does not define the endianess, try - to find it out */ -#if !defined(L_ENDIAN) && !defined(B_ENDIAN) -#if __BYTE_ORDER == __LITTLE_ENDIAN -#define L_ENDIAN -#elif __BYTE_ORDER == __BIG_ENDIAN -#define B_ENDIAN -#else -#error Unknown endianness. Edit rdp.h. -#endif -#endif /* B_ENDIAN, L_ENDIAN from configure */ - -/* No need for alignment on x86 and amd64 */ -#if !defined(NEED_ALIGN) -#if !(defined(__x86__) || defined(__x86_64__) || \ - defined(__AMD64__) || defined(_M_IX86) || \ - defined(__i386__)) -#define NEED_ALIGN -#endif -#endif - -/* Parser state */ -typedef struct stream -{ - unsigned char *p; - unsigned char *end; - unsigned char *data; - uint32_t size; - - /* Offsets of various headers */ - unsigned char *iso_hdr; - unsigned char *mcs_hdr; - unsigned char *sec_hdr; - unsigned char *rdp_hdr; - unsigned char *channel_hdr; - -} - *STREAM; - -#define s_push_layer(s,h,n) { (s)->h = (s)->p; (s)->p += n; } -#define s_pop_layer(s,h) (s)->p = (s)->h; -#define s_mark_end(s) (s)->end = (s)->p; -#define s_check(s) ((s)->p <= (s)->end) -#define s_check_rem(s,n) ((s)->p + n <= (s)->end) -#define s_check_end(s) ((s)->p == (s)->end) - -#if defined(L_ENDIAN) && !defined(NEED_ALIGN) -#define in_uint16_le(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } -#define in_uint32_le(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } -#define out_uint16_le(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } -#define out_uint32_le(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } - -#else -#define in_uint16_le(s,v) { v = *((s)->p++); v += *((s)->p++) << 8; } -#define in_uint32_le(s,v) { 
in_uint16_le(s,v) \ - v += *((s)->p++) << 16; v += *((s)->p++) << 24; } -#define out_uint16_le(s,v) { *((s)->p++) = (v) & 0xff; *((s)->p++) = ((v) >> 8) & 0xff; } -#define out_uint32_le(s,v) { out_uint16_le(s, (v) & 0xffff); out_uint16_le(s, ((v) >> 16) & 0xffff); } -#endif - -#if defined(B_ENDIAN) && !defined(NEED_ALIGN) -#define in_uint16_be(s,v) { v = *(uint16 *)((s)->p); (s)->p += 2; } -#define in_uint32_be(s,v) { v = *(uint32 *)((s)->p); (s)->p += 4; } -#define out_uint16_be(s,v) { *(uint16 *)((s)->p) = v; (s)->p += 2; } -#define out_uint32_be(s,v) { *(uint32 *)((s)->p) = v; (s)->p += 4; } - -#define B_ENDIAN_PREFERRED -#define in_uint16(s,v) in_uint16_be(s,v) -#define in_uint32(s,v) in_uint32_be(s,v) -#define out_uint16(s,v) out_uint16_be(s,v) -#define out_uint32(s,v) out_uint32_be(s,v) - -#else -#define in_uint16_be(s,v) { v = *((s)->p++); next_be(s,v); } -#define in_uint32_be(s,v) { in_uint16_be(s,v); next_be(s,v); next_be(s,v); } -#define out_uint16_be(s,v) { *((s)->p++) = ((v) >> 8) & 0xff; *((s)->p++) = (v) & 0xff; } -#define out_uint32_be(s,v) { out_uint16_be(s, ((v) >> 16) & 0xffff); out_uint16_be(s, (v) & 0xffff); } -#endif - -#ifndef B_ENDIAN_PREFERRED -#define in_uint16(s,v) in_uint16_le(s,v) -#define in_uint32(s,v) in_uint32_le(s,v) -#define out_uint16(s,v) out_uint16_le(s,v) -#define out_uint32(s,v) out_uint32_le(s,v) -#endif - -#define in_uint8(s,v) v = *((s)->p++); -#define in_uint8p(s,v,n) { v = (s)->p; (s)->p += n; } -#define in_uint8a(s,v,n) { memcpy(v,(s)->p,n); (s)->p += n; } -#define in_uint8s(s,n) (s)->p += n; -#define out_uint8(s,v) *((s)->p++) = v; -#define out_uint8p(s,v,n) { memcpy((s)->p,v,n); (s)->p += n; } -#define out_uint8a(s,v,n) out_uint8p(s,v,n); -#define out_uint8s(s,n) { memset((s)->p,0,n); (s)->p += n; } - -#define next_be(s,v) v = ((v) << 8) + *((s)->p++); - -typedef unsigned char uint8; -typedef signed char sint8; -typedef unsigned short uint16; -typedef signed short sint16; -typedef uint32_t uint32; -typedef int32_t 
sint32; - -typedef struct _BOUNDS -{ - sint16 left; - sint16 top; - sint16 right; - sint16 bottom; - -} -BOUNDS; - -/* PSTCACHE */ -typedef uint8 HASH_KEY[8]; - -#ifndef PATH_MAX -#define PATH_MAX 256 -#endif - -#define RDP_ORDER_STANDARD 0x01 -#define RDP_ORDER_SECONDARY 0x02 -#define RDP_ORDER_BOUNDS 0x04 -#define RDP_ORDER_CHANGE 0x08 -#define RDP_ORDER_DELTA 0x10 -#define RDP_ORDER_LASTBOUNDS 0x20 -#define RDP_ORDER_SMALL 0x40 -#define RDP_ORDER_TINY 0x80 - -enum RDP_ORDER_TYPE -{ - RDP_ORDER_DESTBLT = 0, - RDP_ORDER_PATBLT = 1, - RDP_ORDER_SCREENBLT = 2, - RDP_ORDER_LINE = 9, - RDP_ORDER_RECT = 10, - RDP_ORDER_DESKSAVE = 11, - RDP_ORDER_MEMBLT = 13, - RDP_ORDER_TRIBLT = 14, - RDP_ORDER_POLYGON = 20, - RDP_ORDER_POLYGON2 = 21, - RDP_ORDER_POLYLINE = 22, - RDP_ORDER_ELLIPSE = 25, - RDP_ORDER_ELLIPSE2 = 26, - RDP_ORDER_TEXT2 = 27 -}; - -enum RDP_SECONDARY_ORDER_TYPE -{ - RDP_ORDER_RAW_BMPCACHE = 0, - RDP_ORDER_COLCACHE = 1, - RDP_ORDER_BMPCACHE = 2, - RDP_ORDER_FONTCACHE = 3, - RDP_ORDER_RAW_BMPCACHE2 = 4, - RDP_ORDER_BMPCACHE2 = 5, - RDP_ORDER_BRUSHCACHE = 7 -}; - -typedef struct _RECT_ORDER -{ - sint16 x; - sint16 y; - sint16 cx; - sint16 cy; - uint32 colour; - -} -RECT_ORDER; - -typedef struct _DESKSAVE_ORDER -{ - uint32 offset; - sint16 left; - sint16 top; - sint16 right; - sint16 bottom; - uint8 action; - -} -DESKSAVE_ORDER; - -typedef struct _MEMBLT_ORDER -{ - uint8 colour_table; - uint8 cache_id; - sint16 x; - sint16 y; - sint16 cx; - sint16 cy; - uint8 opcode; - sint16 srcx; - sint16 srcy; - uint16 cache_idx; - -} -MEMBLT_ORDER; - -#define MAX_DATA 256 -#define MAX_TEXT 256 - -typedef struct _TEXT2_ORDER -{ - uint8 font; - uint8 flags; - uint8 opcode; - uint8 mixmode; - uint32 bgcolour; - uint32 fgcolour; - sint16 clipleft; - sint16 cliptop; - sint16 clipright; - sint16 clipbottom; - sint16 boxleft; - sint16 boxtop; - sint16 boxright; - sint16 boxbottom; - sint16 x; - sint16 y; - uint8 length; - uint8 text[MAX_TEXT]; - -} -TEXT2_ORDER; - -typedef struct 
_RDP_ORDER_STATE -{ - uint8 order_type; - BOUNDS bounds; - - RECT_ORDER rect; - DESKSAVE_ORDER desksave; - MEMBLT_ORDER memblt; - TEXT2_ORDER text2; -} -RDP_ORDER_STATE; - -#define WINDOWS_CODEPAGE "UTF-16LE" - -/* ISO PDU codes */ -enum ISO_PDU_CODE -{ - ISO_PDU_CR = 0xE0, /* Connection Request */ - ISO_PDU_CC = 0xD0, /* Connection Confirm */ - ISO_PDU_DR = 0x80, /* Disconnect Request */ - ISO_PDU_DT = 0xF0, /* Data */ - ISO_PDU_ER = 0x70 /* Error */ -}; - -/* MCS PDU codes */ -enum MCS_PDU_TYPE -{ - MCS_EDRQ = 1, /* Erect Domain Request */ - MCS_DPUM = 8, /* Disconnect Provider Ultimatum */ - MCS_AURQ = 10, /* Attach User Request */ - MCS_AUCF = 11, /* Attach User Confirm */ - MCS_CJRQ = 14, /* Channel Join Request */ - MCS_CJCF = 15, /* Channel Join Confirm */ - MCS_SDRQ = 25, /* Send Data Request */ - MCS_SDIN = 26 /* Send Data Indication */ -}; - -#define MCS_CONNECT_INITIAL 0x7f65 -#define MCS_CONNECT_RESPONSE 0x7f66 - -#define BER_TAG_BOOLEAN 1 -#define BER_TAG_INTEGER 2 -#define BER_TAG_OCTET_STRING 4 -#define BER_TAG_RESULT 10 -#define MCS_TAG_DOMAIN_PARAMS 0x30 - -#define MCS_GLOBAL_CHANNEL 1003 -#define MCS_USERCHANNEL_BASE 1001 - -/* RDP secure transport constants */ -#define SEC_RANDOM_SIZE 32 -#define SEC_MODULUS_SIZE 64 -#define SEC_MAX_MODULUS_SIZE 256 -#define SEC_PADDING_SIZE 8 -#define SEC_EXPONENT_SIZE 4 - -#define SEC_CLIENT_RANDOM 0x0001 -#define SEC_ENCRYPT 0x0008 -#define SEC_LOGON_INFO 0x0040 -#define SEC_LICENCE_NEG 0x0080 -#define SEC_REDIRECT_ENCRYPT 0x0C00 - -#define SEC_TAG_SRV_INFO 0x0c01 -#define SEC_TAG_SRV_CRYPT 0x0c02 -#define SEC_TAG_SRV_CHANNELS 0x0c03 - -#define SEC_TAG_CLI_INFO 0xc001 -#define SEC_TAG_CLI_CRYPT 0xc002 -#define SEC_TAG_CLI_CHANNELS 0xc003 -#define SEC_TAG_CLI_4 0xc004 - -#define SEC_TAG_PUBKEY 0x0006 -#define SEC_TAG_KEYSIG 0x0008 - -#define SEC_RSA_MAGIC 0x31415352 /* RSA1 */ - -/* RDP PDU codes */ -enum RDP_PDU_TYPE -{ - RDP_PDU_DEMAND_ACTIVE = 1, - RDP_PDU_CONFIRM_ACTIVE = 3, - RDP_PDU_REDIRECT = 4, /* MS 
Server 2003 Session Redirect */ - RDP_PDU_DEACTIVATE = 6, - RDP_PDU_DATA = 7 -}; - -enum RDP_DATA_PDU_TYPE -{ - RDP_DATA_PDU_UPDATE = 2, - RDP_DATA_PDU_CONTROL = 20, - RDP_DATA_PDU_POINTER = 27, - RDP_DATA_PDU_INPUT = 28, - RDP_DATA_PDU_SYNCHRONISE = 31, - RDP_DATA_PDU_BELL = 34, - RDP_DATA_PDU_CLIENT_WINDOW_STATUS = 35, - RDP_DATA_PDU_LOGON = 38, /* PDUTYPE2_SAVE_SESSION_INFO */ - RDP_DATA_PDU_FONT2 = 39, - RDP_DATA_PDU_KEYBOARD_INDICATORS = 41, - RDP_DATA_PDU_DISCONNECT = 47 -}; - -enum RDP_SAVE_SESSION_PDU_TYPE -{ - INFOTYPE_LOGON = 0, - INFOTYPE_LOGON_LONG = 1, - INFOTYPE_LOGON_PLAINNOTIFY = 2, - INFOTYPE_LOGON_EXTENDED_INF = 3 -}; - -enum RDP_LOGON_INFO_EXTENDED_TYPE -{ - LOGON_EX_AUTORECONNECTCOOKIE = 1, - LOGON_EX_LOGONERRORS = 2 -}; - -enum RDP_CONTROL_PDU_TYPE -{ - RDP_CTL_REQUEST_CONTROL = 1, - RDP_CTL_GRANT_CONTROL = 2, - RDP_CTL_DETACH = 3, - RDP_CTL_COOPERATE = 4 -}; - -enum RDP_UPDATE_PDU_TYPE -{ - RDP_UPDATE_ORDERS = 0, - RDP_UPDATE_BITMAP = 1, - RDP_UPDATE_PALETTE = 2, - RDP_UPDATE_SYNCHRONIZE = 3 -}; - -/* RDP bitmap cache (version 2) constants */ -#define BMPCACHE2_C0_CELLS 0x78 -#define BMPCACHE2_C1_CELLS 0x78 -#define BMPCACHE2_C2_CELLS 0x150 -#define BMPCACHE2_NUM_PSTCELLS 0x9f6 - -#define PDU_FLAG_FIRST 0x01 -#define PDU_FLAG_LAST 0x02 - -/* RDP capabilities */ -#define RDP_CAPSET_GENERAL 1 /* Maps to generalCapabilitySet in T.128 page 138 */ -#define RDP_CAPLEN_GENERAL 0x18 -#define OS_MAJOR_TYPE_UNIX 4 -#define OS_MINOR_TYPE_XSERVER 7 - -#define RDP_CAPSET_BITMAP 2 -#define RDP_CAPLEN_BITMAP 0x1C - -#define RDP_CAPSET_ORDER 3 -#define RDP_CAPLEN_ORDER 0x58 - -#define RDP_CAPSET_BMPCACHE 4 -#define RDP_CAPLEN_BMPCACHE 0x28 - -#define RDP_CAPSET_CONTROL 5 -#define RDP_CAPLEN_CONTROL 0x0C - -#define RDP_CAPSET_ACTIVATE 7 -#define RDP_CAPLEN_ACTIVATE 0x0C - -#define RDP_CAPSET_POINTER 8 -#define RDP_CAPLEN_POINTER 0x08 -#define RDP_CAPLEN_NEWPOINTER 0x0a - -#define RDP_CAPSET_SHARE 9 -#define RDP_CAPLEN_SHARE 0x08 - -#define RDP_CAPSET_COLCACHE 
10 -#define RDP_CAPLEN_COLCACHE 0x08 - -#define RDP_CAPSET_BRUSHCACHE 15 -#define RDP_CAPLEN_BRUSHCACHE 0x08 - -#define RDP_CAPSET_BMPCACHE2 19 -#define RDP_CAPLEN_BMPCACHE2 0x28 - -#define RDP_SOURCE "MSTSC" - -/* Logon flags */ -#define RDP_LOGON_AUTO 0x0008 -#define RDP_LOGON_NORMAL 0x0033 -#define RDP_LOGON_COMPRESSION 0x0080 /* mppc compression with 8kB histroy buffer */ -#define RDP_LOGON_BLOB 0x0100 -#define RDP_LOGON_COMPRESSION2 0x0200 /* rdp5 mppc compression with 64kB history buffer */ -#define RDP_LOGON_LEAVE_AUDIO 0x2000 - -#define RDP5_DISABLE_NOTHING 0x00 -#define RDP5_NO_WALLPAPER 0x01 -#define RDP5_NO_FULLWINDOWDRAG 0x02 -#define RDP5_NO_MENUANIMATIONS 0x04 -#define RDP5_NO_THEMING 0x08 -#define RDP5_NO_CURSOR_SHADOW 0x20 -#define RDP5_NO_CURSORSETTINGS 0x40 /* disables cursor blinking */ - -/* compression types */ -#define RDP_MPPC_BIG 0x01 -#define RDP_MPPC_COMPRESSED 0x20 -#define RDP_MPPC_RESET 0x40 -#define RDP_MPPC_FLUSH 0x80 -#define RDP_MPPC_DICT_SIZE 65536 - -#define RDP5_COMPRESSED 0x80 - -#ifndef _SSL_H -#define _SSL_H - -#include -#include -#include -#include -#include -#include -#include - -#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090800f) -#define D2I_X509_CONST const -#else -#define D2I_X509_CONST -#endif - -#define SSL_RC4 RC4_KEY -#define SSL_SHA1 SHA_CTX -#define SSL_MD5 MD5_CTX -#define SSL_CERT X509 -#define SSL_RKEY RSA -#endif - -/* for win8 */ -#define KBD_FLAG_DOWN 0x4000 -#define KBD_FLAG_UP 0x8000 -#define RDP_KEYRELEASE (KBD_FLAG_DOWN | KBD_FLAG_UP) -#define FASTPATH_INPUT_KBDFLAGS_RELEASE 1 -#define FASTPATH_INPUT_EVENT_SCANCODE 0 -#define FASTPATH_INPUT_EVENT_MOUSE 1 -#define RDP_INPUT_MOUSE 0x8001 -#define RDP_INPUT_SCANCODE 4 - -/* iso.c */ -STREAM iso_init(int32_t length); -void iso_send(STREAM s); -STREAM iso_recv(uint8 * rdpver); -BOOL iso_connect(char *server, char *username, BOOL reconnect); -void iso_disconnect(void); -void iso_reset_state(void); -/* mcs.c */ -STREAM mcs_init(int32_t 
length); -void mcs_send_to_channel(STREAM s, uint16 channel); -void mcs_send(STREAM s); -STREAM mcs_recv(uint16 * channel, uint8 * rdpver); -BOOL mcs_connect(char *server, STREAM mcs_data, char *username, BOOL reconnect); -void mcs_disconnect(void); -void mcs_reset_state(void); -/* orders.c */ -void process_orders(STREAM s, uint16 num_orders); -void reset_order_state(void); -/* rdesktop.c */ -void generate_random(uint8 * random); -void *xmalloc(int32_t size); -void exit_if_null(void *ptr); -char *xstrdup(const char *s); -void *xrealloc(void *oldmem, size_t size); -void error(char *format, ...); -void warning(char *format, ...); -void unimpl(char *format, ...); -void hexdump(unsigned char *p, uint32_t len); -/* rdp.c */ -static void process_demand_active(STREAM s); -static BOOL process_data_pdu(STREAM s, uint32 * ext_disc_reason); -/* secure.c */ -void sec_hash_48(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2, uint8 salt); -void sec_hash_16(uint8 * out, uint8 * in, uint8 * salt1, uint8 * salt2); -void buf_out_uint32(uint8 * buffer, uint32 value); -void sec_sign(uint8 * signature, int32_t siglen, uint8 * session_key, int32_t keylen, uint8 * data, - int32_t datalen); -void sec_decrypt(uint8 * data, int32_t length); -STREAM sec_init(uint32 flags, int32_t maxlen); -void sec_send_to_channel(STREAM s, uint32 flags, uint16 channel); -void sec_send(STREAM s, uint32 flags); -void sec_process_mcs_data(STREAM s); -STREAM sec_recv(uint8 * rdpver); -BOOL sec_connect(char *server, char *username, BOOL reconnect); -void sec_disconnect(void); -void sec_reset_state(void); -/* tcp.c */ -STREAM tcp_init(uint32 maxlen); -void tcp_send(STREAM s); -STREAM tcp_recv(STREAM s, uint32 length); -BOOL tcp_connect(char *server); -void tcp_disconnect(void); -char *tcp_get_address(void); -void tcp_reset_state(void); diff --git a/sasl.c b/sasl.c index ba08978..4fbad43 100644 --- a/sasl.c +++ b/sasl.c 
@@ -68,29 +68,30 @@ sasl_plain computes the plain authentication from strings login and password and stored the value in variable result the first parameter result must be able to hold at least 255 bytes! */ -void sasl_plain(char *result, char *login, char *pass) { +char *sasl_plain(char *result, char *login, char *pass) { char *preplogin; char *preppasswd; int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { result = NULL; - return; + return result; } rc = sasl_saslprep(pass, 0, &preppasswd); if (rc) { free(preplogin); result = NULL; - return; + return result; } if (2 * strlen(preplogin) + 3 + strlen(preppasswd) < 180) { strcpy(result, preplogin); strcpy(result + strlen(preplogin) + 1, preplogin); strcpy(result + 2 * strlen(preplogin) + 2, preppasswd); - hydra_tobase64((unsigned char *) result, strlen(preplogin) * 2 + strlen(preppasswd) + 2, 250); + hydra_tobase64((unsigned char *)result, strlen(preplogin) * 2 + strlen(preppasswd) + 2, 250); } free(preplogin); free(preppasswd); + return result; } #ifdef LIBOPENSSL @@ -102,7 +103,7 @@ and the challenge sent by the server, and stored the value in variable result the parameter result must be able to hold at least 100 bytes! */ -void sasl_cram_md5(char *result, char *pass, char *challenge) { +char *sasl_cram_md5(char *result, char *pass, char *challenge) { char ipad[64]; char opad[64]; unsigned char md5_raw[MD5_DIGEST_LENGTH]; @@ -112,12 +113,12 @@ void sasl_cram_md5(char *result, char *pass, char *challenge) { if (challenge == NULL) { result = NULL; - return; + return result; } rc = sasl_saslprep(pass, 0, &preppasswd); if (rc) { result = NULL; - return; + return result; } memset(ipad, 0, sizeof(ipad)); memset(opad, 0, sizeof(opad)); 
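Review bot: When the length check `if (2 * strlen(preplogin) + 3 + strlen(preppasswd) < 180)` fails, `sasl_plain` now falls through to `return result;` with the buffer untouched, so the caller gets a non-NULL pointer to stale buffer contents and cannot tell that from success. Every other failure path in this hunk signals failure by returning NULL; the oversized-input case should do the same, e.g. `} else { result = NULL; }` right before the two `free()` calls, after which the existing `return result;` yields NULL. Note that `result = NULL; return result;` in the saslprep-failure branches is just `return NULL;` — assigning to the parameter has no effect on the caller, so the simpler form reads more honestly. The 250-byte limit passed to `hydra_tobase64` still relies on the 255-byte buffer promised in the comment above the function, which is worth stating next to the call.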
@@ -128,8 +129,8 @@ void sasl_cram_md5(char *result, char *pass, char *challenge) { memcpy(ipad, md5_raw, MD5_DIGEST_LENGTH); memcpy(opad, md5_raw, MD5_DIGEST_LENGTH); } else { - strcpy(ipad, preppasswd); // safe - strcpy(opad, preppasswd); // safe + strcpy(ipad, preppasswd); // safe + strcpy(opad, preppasswd); // safe } for (i = 0; i < 64; i++) { ipad[i] ^= 0x36; @@ -148,6 +149,7 @@ void sasl_cram_md5(char *result, char *pass, char *challenge) { result += 2; } free(preppasswd); + return result; } /* @@ -156,7 +158,7 @@ and the challenge sent by the server, and stored the value in variable result the parameter result must be able to hold at least 100 bytes! */ -void sasl_cram_sha1(char *result, char *pass, char *challenge) { +char *sasl_cram_sha1(char *result, char *pass, char *challenge) { char ipad[64]; char opad[64]; unsigned char sha1_raw[SHA_DIGEST_LENGTH]; @@ -166,12 +168,12 @@ void sasl_cram_sha1(char *result, char *pass, char *challenge) { if (challenge == NULL) { result = NULL; - return; + return result; } rc = sasl_saslprep(pass, 0, &preppasswd); if (rc) { result = NULL; - return; + return result; } memset(ipad, 0, sizeof(ipad)); memset(opad, 0, sizeof(opad)); @@ -182,8 +184,8 @@ void sasl_cram_sha1(char *result, char *pass, char *challenge) { memcpy(ipad, sha1_raw, SHA_DIGEST_LENGTH); memcpy(opad, sha1_raw, SHA_DIGEST_LENGTH); } else { - strcpy(ipad, preppasswd); // safe - strcpy(opad, preppasswd); // safe + strcpy(ipad, preppasswd); // safe + strcpy(opad, preppasswd); // safe } for (i = 0; i < 64; i++) { ipad[i] ^= 0x36; @@ -202,6 +204,7 @@ void sasl_cram_sha1(char *result, char *pass, char *challenge) { result += 2; } free(preppasswd); + return result; } /* 
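Review bot: The `return result;` added after the hex-encoding loop in `sasl_cram_md5` (hunk `@@ -148,6 +149,7 @@`) returns the advanced pointer, because the loop does `result += 2;` for every digest byte, so the returned value points at the terminator past the encoded digest rather than at the start of the output. Any caller that uses the return value as the string, instead of only comparing it against NULL, sees an empty or stale buffer. The loop head lies outside this hunk; save the buffer start before the loop, `char *out = result;`, and finish with `return out;`. The identical pattern is added to `sasl_cram_sha1` in the `@@ -202,6 +204,7 @@` hunk on this same line and needs the same fix.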
@@ -210,7 +213,7 @@ and the challenge sent by the server, and stored the value in variable result the parameter result must be able to hold at least 100 bytes! */ -void sasl_cram_sha256(char *result, char *pass, char *challenge) { +char *sasl_cram_sha256(char *result, char *pass, char *challenge) { char ipad[64]; char opad[64]; unsigned char sha256_raw[SHA256_DIGEST_LENGTH]; @@ -220,14 +223,14 @@ void sasl_cram_sha256(char *result, char *pass, char *challenge) { if (challenge == NULL) { result = NULL; - return; + return result; } memset(ipad, 0, sizeof(ipad)); memset(opad, 0, sizeof(opad)); rc = sasl_saslprep(pass, 0, &preppasswd); if (rc) { result = NULL; - return; + return result; } if (strlen(preppasswd) >= 64) { SHA256_Init(&sha256c); @@ -236,8 +239,8 @@ void sasl_cram_sha256(char *result, char *pass, char *challenge) { memcpy(ipad, sha256_raw, SHA256_DIGEST_LENGTH); memcpy(opad, sha256_raw, SHA256_DIGEST_LENGTH); } else { - strcpy(ipad, preppasswd); // safe - strcpy(opad, preppasswd); // safe + strcpy(ipad, preppasswd); // safe + strcpy(opad, preppasswd); // safe } for (i = 0; i < 64; i++) { ipad[i] ^= 0x36; 
@@ -256,18 +259,19 @@ void sasl_cram_sha256(char *result, char *pass, char *challenge) { result += 2; } free(preppasswd); + return result; } /* RFC 2831: Using Digest Authentication as a SASL Mechanism the parameter result must be able to hold at least 500 bytes!! */ -void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header) { +char *sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header) { char *pbuffer = NULL; int32_t array_size = 10; unsigned char response[MD5_DIGEST_LENGTH]; char *array[array_size]; - char buffer2[500], buffer3[500], nonce[200], realm[50], algo[20]; + char buffer2[500], buffer3[500], nonce[200], realm[200], algo[20]; int32_t i = 0, ind = 0, lastpos = 0, currentpos = 0, intq = 0, auth_find = 0; MD5_CTX md5c; char *preplogin; 
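Review bot: The `return result;` added after the `result += 2;` loop in `sasl_cram_sha256` returns a pointer just past the end of the hex digest, not its start, so a caller that treats the return value as the encoded response gets an empty string. Record the original pointer before the loop (the loop head is outside this hunk), e.g. `char *out = result;`, and end the function with `return out;`. Enlarging `realm` from 50 to 200 bytes is consistent with the `strncpy(realm, ..., sizeof(realm) - 1)` copies later in `sasl_digest_md5`; a one-line comment such as `/* realm is server-supplied; sized to match nonce[] */` next to the declaration would record why these two buffers are the same size.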
@@ -277,18 +281,20 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * memset(realm, 0, sizeof(realm)); if (rc) { result = NULL; - return; + return result; } rc = sasl_saslprep(pass, 0, &preppasswd); if (rc) { free(preplogin); result = NULL; - return; + return result; } -//DEBUG S: nonce="HB3HGAk+hxKpijy/ichq7Wob3Zo17LPM9rr4kMX7xRM=",realm="tida",qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess -//DEBUG S: nonce="1Mr6c8WjOd/x5r8GUnGeQIRNUtOVtItu3kQOGAmsZfM=",realm="test.com",qop="auth,auth-int32_t,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=4096,charset=utf-8,algorithm=md5-sess -//warning some not well configured xmpp server is sending no realm -//DEBUG S: nonce="3448160828",qop="auth",charset=utf-8,algorithm=md5-sess + // DEBUG S: + // nonce="HB3HGAk+hxKpijy/ichq7Wob3Zo17LPM9rr4kMX7xRM=",realm="tida",qop="auth",maxbuf=4096,charset=utf-8,algorithm=md5-sess + // DEBUG S: + // nonce="1Mr6c8WjOd/x5r8GUnGeQIRNUtOVtItu3kQOGAmsZfM=",realm="test.com",qop="auth,auth-int32_t,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=4096,charset=utf-8,algorithm=md5-sess + // warning some not well configured xmpp server is sending no realm + // DEBUG S: nonce="3448160828",qop="auth",charset=utf-8,algorithm=md5-sess pbuffer = buffer; do { currentpos++; @@ -309,7 +315,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * } pbuffer++; } while ((pbuffer[0] > 31) && (ind < array_size)); -//save the latest one + // save the latest one if (ind < array_size) { array[ind] = malloc(currentpos + 1); strncpy(array[ind], buffer + lastpos, currentpos); 
@@ -317,18 +323,18 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * ind++; } for (i = 0; i < ind; i++) { -//removing space chars between comma separated value if any + // removing space chars between comma separated value if any while ((array[i] != NULL) && (array[i][0] == ' ')) { char *tmp = strdup(array[i]); - //memset(array[i], 0, sizeof(array[i])); + // memset(array[i], 0, sizeof(array[i])); strcpy(array[i], tmp + 1); free(tmp); } if (strstr(array[i], "nonce=") != NULL) { -//check if it contains double-quote + // check if it contains double-quote if (strstr(array[i], "\"") != NULL) { -//assume last char is also a double-quote + // assume last char is also a double-quote int32_t nonce_string_len = strlen(array[i]) - strlen("nonce=\"") - 1; if ((nonce_string_len > 0) && (nonce_string_len <= sizeof(nonce) - 1)) { @@ -342,7 +348,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * free(array[j]); hydra_report(stderr, "Error: DIGEST-MD5 nonce from server could not be extracted\n"); result = NULL; - return; + return result; } } else { strncpy(nonce, strstr(array[i], "nonce=") + strlen("nonce="), sizeof(nonce) - 1); @@ -351,7 +357,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * } if (strstr(array[i], "realm=") != NULL) { if (strstr(array[i], "\"") != NULL) { -//assume last char is also a double-quote + // assume last char is also a double-quote int32_t realm_string_len = strlen(array[i]) - strlen("realm=\"") - 1; if ((realm_string_len > 0) && (realm_string_len <= sizeof(realm) - 1)) { @@ -365,7 +371,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * free(array[i]); hydra_report(stderr, "Error: DIGEST-MD5 realm from server could not be extracted\n"); result = NULL; - return; + return result; } } else { strncpy(realm, strstr(array[i], "realm=") + strlen("realm="), sizeof(realm) - 1); 
@@ -373,12 +379,11 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * } } if (strstr(array[i], "qop=") != NULL) { - -/* -The value "auth" indicates authentication; the value "auth-int32_t" indicates -authentication with integrity protection; the value "auth-conf" -indicates authentication with integrity protection and encryption. -*/ + /* + The value "auth" indicates authentication; the value "auth-int32_t" + indicates authentication with integrity protection; the value "auth-conf" + indicates authentication with integrity protection and encryption. + */ auth_find = 1; if ((strstr(array[i], "\"auth\"") == NULL) && (strstr(array[i], "\"auth,") == NULL) && (strstr(array[i], ",auth\"") == NULL)) { int32_t j; @@ -386,14 +391,15 @@ indicates authentication with integrity protection and encryption. for (j = 0; j < ind; j++) if (array[j] != NULL) free(array[j]); - hydra_report(stderr, "Error: DIGEST-MD5 quality of protection only authentication is not supported by server\n"); + hydra_report(stderr, "Error: DIGEST-MD5 quality of protection only " + "authentication is not supported by server\n"); result = NULL; - return; + return result; } } if (strstr(array[i], "algorithm=") != NULL) { if (strstr(array[i], "\"") != NULL) { -//assume last char is also a double-quote + // assume last char is also a double-quote int32_t algo_string_len = strlen(array[i]) - strlen("algorithm=\"") - 1; if ((algo_string_len > 0) && (algo_string_len <= sizeof(algo) - 1)) { @@ -405,9 +411,10 @@ indicates authentication with integrity protection and encryption. for (j = 0; j < ind; j++) if (array[j] != NULL) free(array[j]); - hydra_report(stderr, "Error: DIGEST-MD5 algorithm from server could not be extracted\n"); + hydra_report(stderr, "Error: DIGEST-MD5 algorithm from server could " + "not be extracted\n"); result = NULL; - return; + return result; } } else { strncpy(algo, strstr(array[i], "algorithm=") + strlen("algorithm="), sizeof(algo) - 1); 
@@ -421,31 +428,32 @@ indicates authentication with integrity protection and encryption. free(array[j]); hydra_report(stderr, "Error: DIGEST-MD5 algorithm not based on md5, based on %s\n", algo); result = NULL; - return; + return result; } } free(array[i]); array[i] = NULL; } if (!strlen(algo)) { -//assuming by default algo is MD5 + // assuming by default algo is MD5 memset(algo, 0, sizeof(algo)); strcpy(algo, "MD5"); } -//xmpp case, some xmpp server is not sending the realm so we have to set it up + // xmpp case, some xmpp server is not sending the realm so we have to set it + // up if ((strlen(realm) == 0) && (strstr(type, "xmpp") != NULL)) snprintf(realm, sizeof(realm), "%s", miscptr); -//compute ha1 -//support for algo = MD5 + // compute ha1 + // support for algo = MD5 snprintf(buffer, 500, "%s:%s:%s", preplogin, realm, preppasswd); MD5_Init(&md5c); MD5_Update(&md5c, buffer, strlen(buffer)); MD5_Final(response, &md5c); -//for MD5-sess + // for MD5-sess if (strstr(algo, "5-sess") != NULL) { - buffer[0] = 0; //memset(buffer, 0, sizeof(buffer)); => buffer is char*! + buffer[0] = 0; // memset(buffer, 0, sizeof(buffer)); => buffer is char*! -/* per RFC 2617 Errata ID 1649 */ + /* per RFC 2617 Errata ID 1649 */ if ((strstr(type, "proxy") != NULL) || (strstr(type, "GET") != NULL) || (strstr(type, "HEAD") != NULL)) { memset(buffer3, 0, sizeof(buffer3)); pbuffer = buffer3; @@ -453,10 +461,10 @@ indicates authentication with integrity protection and encryption. sprintf(pbuffer, "%02x", response[i]); pbuffer += 2; } - sprintf(buffer, "%s:%s:%s", buffer3, nonce, "hydra"); + snprintf(buffer, 500, "%s:%s:%s", buffer3, nonce, "hydra"); } else { memcpy(buffer, response, sizeof(response)); - sprintf(buffer + sizeof(response), ":%s:%s", nonce, "hydra"); + snprintf(buffer + sizeof(response), 50 - sizeof(response), ":%s:%s", nonce, "hydra"); } MD5_Init(&md5c); MD5_Update(&md5c, buffer, strlen(buffer)); 
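Review bot: The new bound in `snprintf(buffer + sizeof(response), 50 - sizeof(response), ":%s:%s", nonce, "hydra");` (hunk `@@ -453,10 +461,10 @@`) looks like a typo for 500: every other write to `buffer` in this function uses 500, and `nonce` may hold up to 199 bytes, so the md5-sess A1 string is silently cut after 33 characters and the computed response is wrong for any nonce longer than about 26 characters, including the 44-character examples in the DEBUG comments. Change it to `snprintf(buffer + sizeof(response), 500 - sizeof(response), ":%s:%s", nonce, "hydra");`. The following `MD5_Update(&md5c, buffer, strlen(buffer));` is pre-existing but has the same flavour of problem: `buffer` starts with the raw 16-byte digest, so `strlen` stops at the first 0x00 byte and A1 is hashed over a truncated prefix whenever the digest contains a zero; hashing `sizeof(response) + strlen(buffer + sizeof(response))` bytes would match RFC 2831's A1 definition.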
@@ -468,25 +476,25 @@ indicates authentication with integrity protection and encryption. sprintf(pbuffer, "%02x", response[i]); pbuffer += 2; } -//compute ha2 -//proxy case + // compute ha2 + // proxy case if (strstr(type, "proxy") != NULL) - sprintf(buffer, "%s:%s", "HEAD", miscptr); + snprintf(buffer, 500, "%s:%s", "HEAD", miscptr); else -//http case - if ((strstr(type, "GET") != NULL) || (strstr(type, "HEAD") != NULL)) - sprintf(buffer, "%s:%s", type, miscptr); + // http case + if ((strstr(type, "GET") != NULL) || (strstr(type, "HEAD") != NULL)) + snprintf(buffer, 500, "%s:%s", type, miscptr); else -//sip case - if (strstr(type, "sip") != NULL) - sprintf(buffer, "REGISTER:%s:%s", type, miscptr); + // sip case + if (strstr(type, "sip") != NULL) + snprintf(buffer, 500, "REGISTER:%s:%s", type, miscptr); else -//others - if (strstr(type, "rtsp") != NULL) - sprintf(buffer, "DESCRIBE:%s://%s:%i", type, webtarget, port); + // others + if (strstr(type, "rtsp") != NULL) + snprintf(buffer, 500, "DESCRIBE:%s://%s:%i", type, webtarget, port); else -//others - sprintf(buffer, "AUTHENTICATE:%s/%s", type, realm); + // others + snprintf(buffer, 500, "AUTHENTICATE:%s/%s", type, realm); MD5_Init(&md5c); MD5_Update(&md5c, buffer, strlen(buffer)); @@ -496,7 +504,7 @@ indicates authentication with integrity protection and encryption. sprintf(pbuffer, "%02x", response[i]); pbuffer += 2; } -//compute response + // compute response if (!auth_find) snprintf(buffer, 500, "%s:%s", nonce, buffer2); else 
@@ -511,35 +519,58 @@ indicates authentication with integrity protection and encryption. sprintf(pbuffer, "%02x", response[i]); pbuffer += 2; } -//create the auth response + // create the auth response if (strstr(type, "proxy") != NULL) { snprintf(result, 500, - "HEAD %s HTTP/1.0\r\n%sProxy-Authorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + "HEAD %s HTTP/1.0\r\n%sProxy-Authorization: Digest username=\"%s\", " + "realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", " + "nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: " + "Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header); } else { - if ((strstr(type, "imap") != NULL) || (strstr(type, "pop") != NULL) || (strstr(type, "smtp") != NULL) || - (strstr(type, "ldap") != NULL) || (strstr(type, "xmpp") != NULL) || (strstr(type, "nntp") != NULL)) { - snprintf(result, 500, "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"hydra\",nc=00000001,algorithm=%s,qop=\"auth\",digest-uri=\"%s/%s\",response=%s", preplogin, realm, - nonce, algo, type, realm, buffer); + if ((strstr(type, "imap") != NULL) || (strstr(type, "pop") != NULL) || (strstr(type, "smtp") != NULL) || (strstr(type, "ldap") != NULL) || (strstr(type, "xmpp") != NULL) || (strstr(type, "nntp") != NULL)) { + snprintf(result, 500, + "username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"hydra\",nc=" + "00000001,algorithm=%s,qop=\"auth\",digest-uri=\"%s/%s\",response=%s", + preplogin, realm, nonce, algo, type, realm, buffer); } else { if (strstr(type, "sip") != NULL) { - snprintf(result, 500, "username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s:%s\",response=%s", preplogin, realm, nonce, type, realm, buffer); + snprintf(result, 500, + "username=\"%s\",realm=\"%s\",nonce=\"%s\",uri=\"%s:%s\"," + 
"response=%s", + preplogin, realm, nonce, type, realm, buffer); } else { if (strstr(type, "rtsp") != NULL) { - snprintf(result, 500, "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s://%s:%i\", response=\"%s\"\r\n", preplogin, realm, nonce, type, webtarget, port, buffer); + snprintf(result, 500, + "username=\"%s\", realm=\"%s\", nonce=\"%s\", " + "uri=\"%s://%s:%i\", response=\"%s\"\r\n", + preplogin, realm, nonce, type, webtarget, port, buffer); } else { if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) snprintf(result, 500, - "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: " + "Digest username=\"%s\", realm=\"%s\", response=\"%s\", " + "nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, " + "qop=auth, uri=\"%s\"\r\nProxy-Authorization: Basic " + "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: " + "keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, proxy_authentication[selected_proxy], header); else { if (use_proxy == 1) snprintf(result, 500, - "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + "%s http://%s:%d%s HTTP/1.0\r\nHost: %s\r\nAuthorization: " + "Digest username=\"%s\", realm=\"%s\", response=\"%s\", " + "nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, " + "qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 " + "(Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, webtarget, webport, miscptr, webtarget, preplogin, realm, buffer, 
nonce, algo, miscptr, header); else snprintf(result, 500, - "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest username=\"%s\", realm=\"%s\", response=\"%s\", nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nConnection: keep-alive\r\n%s\r\n", + "%s %s HTTP/1.0\r\nHost: %s\r\nAuthorization: Digest " + "username=\"%s\", realm=\"%s\", response=\"%s\", " + "nonce=\"%s\", cnonce=\"hydra\", nc=00000001, algorithm=%s, " + "qop=auth, uri=\"%s\"\r\nUser-Agent: Mozilla/4.0 " + "(Hydra)\r\nConnection: keep-alive\r\n%s\r\n", type, miscptr, webtarget, preplogin, realm, buffer, nonce, algo, miscptr, header); } } @@ -548,6 +579,7 @@ indicates authentication with integrity protection and encryption. } free(preplogin); free(preppasswd); + return result; } /* @@ -557,7 +589,7 @@ I want to thx Simon Josefsson for his public server test, and my girlfriend that let me work on that 2 whole nights ;) clientfirstmessagebare must be at least 500 bytes in size! */ -void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage) { +char *sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage) { int32_t saltlen = 0; int32_t iter = 4096; char *salt, *nonce, *ic; 
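Review bot: None of the `snprintf(result, 500, ...)` calls that assemble the HTTP/proxy requests in this hunk check the return value, so a long `miscptr`, `webtarget` or `header` (the latter presumably user-supplied via the module options — cannot confirm here) silently truncates the request, most likely dropping the trailing `\r\n%s\r\n` and sending a malformed request that the target may answer with an error indistinguishable from a failed login. Capture the result, `int n = snprintf(result, 500, ...);`, and treat `n >= 500` as a failure by reporting it and returning NULL, as the parsing errors above already do. The `port` used in the rtsp branch versus the `webport` parameter used in the http branches is also worth a comment, since it is not obvious from this function which one is meant to be authoritative.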
@@ -576,23 +608,23 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha if (rc) { result = NULL; - return; + return result; } -/*client-final-message */ + /*client-final-message */ if (debug) hydra_report(stderr, "DEBUG S: %s\n", serverfirstmessage); -//r=hydra28Bo7kduPpAZLzhRQiLxc8Y9tiwgw+yP,s=ldDgevctH+Kg7b8RnnA3qA==,i=4096 + // r=hydra28Bo7kduPpAZLzhRQiLxc8Y9tiwgw+yP,s=ldDgevctH+Kg7b8RnnA3qA==,i=4096 if (strstr(serverfirstmessage, "r=") == NULL) { hydra_report(stderr, "Error: Can't understand server message\n"); free(preppasswd); result = NULL; - return; + return result; } strncpy(buffer, serverfirstmessage, sizeof(buffer) - 1); buffer[sizeof(buffer) - 1] = '\0'; nonce = strtok(buffer, ","); -//continue to search from the previous successful call + // continue to search from the previous successful call salt = strtok(NULL, ","); ic = strtok(NULL, ","); iter = atoi(ic + 2); @@ -600,7 +632,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha hydra_report(stderr, "Error: Can't understand server response\n"); free(preppasswd); result = NULL; - return; + return result; } if ((nonce != NULL) && (strlen(nonce) > 2)) snprintf(clientfinalmessagewithoutproof, sizeof(clientfinalmessagewithoutproof), "c=biws,%s", nonce); 
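Review bot: `iter = atoi(ic + 2);` dereferences `ic` without checking that the third `strtok` call returned anything, so a server-first-message with fewer than three comma-separated fields (anything that passes the `r=` check just above) reads from NULL + 2 and crashes the client; since this code talks to arbitrary and possibly hostile servers, that is a remotely triggerable crash. Guard it before the `atoi`, `if (nonce == NULL || salt == NULL || ic == NULL || strlen(ic) < 3)`, taking the same error path as the `r=` check (report, `free(preppasswd)`, return NULL). `atoi` also accepts whatever iteration count the server chooses, including huge or negative values; clamping `iter` to a sane range before it reaches `PKCS5_PBKDF2_HMAC_SHA1` in the next hunk keeps a malicious `i=` from pinning the CPU or being passed as a negative count.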
@@ -608,44 +640,45 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha hydra_report(stderr, "Error: Could not identify server nonce value\n"); free(preppasswd); result = NULL; - return; + return result; } if ((salt != NULL) && (strlen(salt) > 2) && (strlen(salt) <= sizeof(buffer))) -//s=ghgIAfLl1+yUy/Xl1WD5Tw== remove the header s= + // s=ghgIAfLl1+yUy/Xl1WD5Tw== remove the header s= strcpy(buffer, salt + 2); else { hydra_report(stderr, "Error: Could not identify server salt value\n"); free(preppasswd); result = NULL; - return; + return result; } -/* SaltedPassword := Hi(Normalize(password), salt, i) */ - saltlen = from64tobits((char *) salt, buffer); - if (PKCS5_PBKDF2_HMAC_SHA1(preppasswd, strlen(preppasswd), (unsigned char *) salt, saltlen, iter, SHA_DIGEST_LENGTH, SaltedPassword) != 1) { + /* SaltedPassword := Hi(Normalize(password), salt, i) */ + saltlen = from64tobits((char *)salt, buffer); + if (PKCS5_PBKDF2_HMAC_SHA1(preppasswd, strlen(preppasswd), (unsigned char *)salt, saltlen, iter, SHA_DIGEST_LENGTH, SaltedPassword) != 1) { hydra_report(stderr, "Error: Failed to generate PBKDF2\n"); free(preppasswd); result = NULL; - return; + return result; } /* ClientKey := HMAC(SaltedPassword, "Client Key") */ #define CLIENT_KEY "Client Key" - HMAC(EVP_sha1(), SaltedPassword, SHA_DIGEST_LENGTH, (const unsigned char *) CLIENT_KEY, strlen(CLIENT_KEY), ClientKey, &resultlen); + HMAC(EVP_sha1(), SaltedPassword, SHA_DIGEST_LENGTH, (const unsigned char *)CLIENT_KEY, strlen(CLIENT_KEY), ClientKey, &resultlen); -/* StoredKey := H(ClientKey) */ - SHA1((const unsigned char *) ClientKey, SHA_DIGEST_LENGTH, StoredKey); + /* StoredKey := H(ClientKey) */ + SHA1((const unsigned char *)ClientKey, SHA_DIGEST_LENGTH, StoredKey); -/* ClientSignature := HMAC(StoredKey, AuthMessage) */ + /* ClientSignature := HMAC(StoredKey, AuthMessage) */ snprintf(AuthMessage, 500, "%s,%s,%s", clientfirstmessagebare, serverfirstmessage, clientfinalmessagewithoutproof); - 
HMAC(EVP_sha1(), StoredKey, SHA_DIGEST_LENGTH, (const unsigned char *) AuthMessage, strlen(AuthMessage), ClientSignature, &resultlen); + HMAC(EVP_sha1(), StoredKey, SHA_DIGEST_LENGTH, (const unsigned char *)AuthMessage, strlen(AuthMessage), ClientSignature, &resultlen); -/* ClientProof := ClientKey XOR ClientSignature */ - xor(ClientProof, (char *) ClientKey, (char *) ClientSignature, 20); - to64frombits(clientproof_b64, (const unsigned char *) ClientProof, 20); + /* ClientProof := ClientKey XOR ClientSignature */ + xor(ClientProof, (char *)ClientKey, (char *)ClientSignature, 20); + to64frombits(clientproof_b64, (const unsigned char *)ClientProof, 20); snprintf(result, 500, "%s,p=%s", clientfinalmessagewithoutproof, clientproof_b64); if (debug) hydra_report(stderr, "DEBUG C: %s\n", result); free(preppasswd); + return result; } #endif diff --git a/sasl.h b/sasl.h index 29622d7..4e12e31 100644 --- a/sasl.h +++ b/sasl.h @@ -1,8 +1,8 @@ +#include "hydra-mod.h" +#include "ntlm.h" #include #include -#include "ntlm.h" -#include "hydra-mod.h" #define AUTH_ERROR -1 #define AUTH_CLEAR 0 @@ -19,6 +19,7 @@ #define AUTH_BASIC 11 #define AUTH_LM 12 #define AUTH_LMv2 13 +#define AUTH_UNASSIGNED 14 #if LIBIDN #include 
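Review bot: `strcpy(buffer, salt + 2);` copies within one buffer: `salt` is a `strtok` result that points into `buffer` (see the previous hunk), so source and destination overlap and the call is undefined behaviour in C; for the same reason the `strlen(salt) <= sizeof(buffer)` guard is always true and bounds nothing. Replace it with `memmove(buffer, salt + 2, strlen(salt + 2) + 1);`, and note that `saltlen = from64tobits((char *)salt, buffer);` then decodes base64 from `buffer` back into `salt`, i.e. into the same region again, which only works because decoded output is shorter than its input — a dedicated `unsigned char saltbin[64]` target would make this obviously safe. `saltlen` is also passed straight to `PKCS5_PBKDF2_HMAC_SHA1` without a check; if `from64tobits` reports malformed input with a negative or zero return (its contract is not visible here), that should be rejected first. The function's locals and the rest of the body lie outside this hunk.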
@@ -27,24 +28,21 @@ #endif #endif -typedef enum { - SASL_ALLOW_UNASSIGNED = 1 -} sasl_saslprep_flags; - +typedef enum { SASL_ALLOW_UNASSIGNED = 1 } sasl_saslprep_flags; int32_t print_hex(unsigned char *buf, int32_t len); -void sasl_plain(char *result, char *login, char *pass); +char *sasl_plain(char *result, char *login, char *pass); int32_t sasl_saslprep(const char *in, sasl_saslprep_flags flags, char **out); #ifdef LIBOPENSSL +#include #include #include -#include -void sasl_cram_md5(char *result, char *pass, char *challenge); -void sasl_cram_sha1(char *result, char *pass, char *challenge); -void sasl_cram_sha256(char *result, char *pass, char *challenge); -void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header); -void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage); +char *sasl_cram_md5(char *result, char *pass, char *challenge); +char *sasl_cram_sha1(char *result, char *pass, char *challenge); +char *sasl_cram_sha256(char *result, char *pass, char *challenge); +char *sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char *miscptr, char *type, char *webtarget, int32_t webport, char *header); +char *sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, char *serverfirstmessage); #endif diff --git a/web/CHANGES b/web/CHANGES deleted file mode 100644 index 76354e3..0000000 --- a/web/CHANGES +++ /dev/null 
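Review bot: The prototypes now return `char *`, but nothing in the header says what the pointer means, and the implementations in sasl.c return `result` on success and NULL on every failure path, so callers that keep ignoring the return (as they could with the old `void` signatures) silently use an unfilled buffer. Add a comment above the group such as `/* Each function writes into the caller-provided result buffer and returns it, or NULL on failure (saslprep error, unparsable server challenge); result is never allocated here. */`. It would also help to repeat the minimum buffer sizes (255, 100, 500 bytes) that the sasl.c comments require, since the header is what callers actually read.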
@@ -1,814 +0,0 @@ -Changelog for hydra -------------------- - - -Release 8.8 -* New web page: https://github.com/vanhauser-thc/thc-hydra -* added PROBLEMS file with known issues -* rdp: disabled the module as it does not support the current protocol. If you want to add it contact me -* ldap: fixed a dumb strlen on a potential null pointer -* http-get/http-post: - - now supports H=/h= parameters same as http-form (thanks to mathewmarcus@github for the patch) - - 403/404 errors are now always registered as failed attempts -* mysql module: a non-default port was not working, fixed -* added -w timeout support to ssh module -* fixed various memory leaks in http-form module -* corrected hydra return code to be 0 on success -* added patch from debian maintainers which fixes spellings -* fixed weird crash on x64 systems -* many warning fixes by crondaemon - - -Release 8.6 -* added radmin2 module by catatonic prime - great work! -* smb module now checks if SMBv1 is supported by the server and if signing is required -* http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch) -* Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting) -* Added new command line option: - -c TIME: seconds between login attempts (over all threads, so -t 1 is recommended) -* Options put after -R (for loading a restore file) are now honored (and were disallowed before) -* merged several patches by Diadlo@github to make the code easier readable. thanks for that! -* merged a patch by Diadlo@github that moves the help output to the invididual module - - -Release 8.5 -* New command line option: - -b : format option for -o output file (json only so far, happy for patches supporting others :) ) - thanks to veggiespam for the patch -* ./configure now honors the CC enviroment variable if present -* Fix for the restore file crash on some x64 platforms (finally! thanks to lukas227!) 
-* Changed the format of the restore file to detect cross platform copies -* Fixed a bug in the NCP module -* Favor strrchr() over rindex() -* Added refactoring patch by diadlo -* Updated man page with missing command line options - - -Release 8.4 -! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix -* Proxy support re-implemented: - - HYDRA_PROXY[_HTTP] environment can be a text file with up to 64 entries - - HYDRA_PROXY_AUTH was deprecated, set login/password in HTTP_PROXY[_HTTP] -* New protocol: adam6500 - this one is work in progress, please test and report -* New protocol: rpcap - thanks to Petar Kaleychev -* New command line options: - -y : disables -x 1aA interpretation, thanks to crondaemon for the patch - -I : ignore an existing hydra.restore file (don't wait for 10 seconds) -* hydra-svn: works now with the current libsvn version -* hydra-ssh: initial check for password auth support now uses login supplied -* Fixed dpl4hydra to be able to update from the web again -* Fixed crash when -U was used without any service (thanks to thecarterb for reporting) -* Updated default password lists -* The protocols vnc, xmpp, telnet, imap, nntp and pcanywhere got accidentially long sleep commands due a patch in 8.2, fixed -* Added special error message for clueless users :) - - -Release 8.3 -* Support for upcoming OpenSSL 1.1 added. needs testing. -* Fixed hydra redo bug (issue #113) -* Updated xhydra for new hydra features and options -* Some more command line error checking -* Ensured unneeded sockets are closed - -Release 8.2 -* Added RTSP module, thanks to jjavi89 for supplying! 
-* Added patch for ssh that fixes hydra stopping to connect, thanks to ShantonRU for the patch -* Added new -O option to hydra to support SSL servers that do not suport TLS -* Added xhydra gtk patche by Petar Kaleychev to support modules that do not use usernames -* Added patch to redis for initial service checking by Petar Kaleychev - thanks a lot! -* Added support in hydra-http for http-post (content length 0) -* Fixed important bug in http-*://server/url command line processing -* Added SSL SNI support -* Fixed bug in HTTP Form redirection following - thanks for everyone who reported and especially to Hayden Young for setting up a test page for debugging -* Better library finding in ./configure for SVN + support for Darwin Homebrew (and further enhanced) -* Fixed http-form module crash that only occurs on *BSD/OSX systems. Thanks to zdk for reporting! -* Fixed for SSL connection to support TLSv1.2 etc. -* Support for different RSA keylengths, thanks to fann95 for the patch -* Fixed a bug where the cisco-enable module was not working with the password-only logon mode -* Fixed an out of memory bug in http-form -* Fixed imap PLAIN method -* Fixed -x option to bail if it would generate too many passwords (more than 4 billion) -* Added warning if HYDRA_PROXY_CONNECT environment is detected, that is an outdated setting -* Added --fhs switch to configure (for Linux distribution usage) -* ... your patch? - - -Release 8.1 -* David Maciejak, my co-maintainer moved to a different job and country and can not help with Hydra anymore - sadly! Wish you all the best! -* Added patch from Ander Juaristi which adds h/H header options for http-form-*, great work, thanks! 
-* Fixed the -M option, works now with many many targets :-) -* -M option now supports ports, add a colon in between: "host:port", or, if IPv6, "[ipv6ipaddress]:port" -* Found login:password combinations are now printed with the name specified (hostname or IP), not always IP -* Fixed for cisco-enable if an intial Login/Password is used (thanks to joswr1te for reporting) -* Added patch by tux-mind for better MySQL compilation and an Android patches and Makefile. Thanks! -* Added xhydra gtk patches by Petar Kaleychev to support -h, -U, -f, -F, -q and -e r options, thanks! -* Added patch for teamspeak to better identify server errors and auth failures (thanks to Petar Kaleychev) -* Fixed a crash in the cisco module (thanks to Anatoly Mamaev for reporting) -* Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting) -* Updated configure to detect subversion packages on current Cygwin -* Fixed RDP module to support the port option (thanks to and.enshin(at)gmail.com) - - -Release 8.0 -! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra -* Added module for redis (submitted by Alejandro Ramos, thanks!) -* Added patch which adds Unicode support for the SMB module (thanks to Max Kosmach) -* Added initial interactive password authentication test for ssh (thanks to Joshua Houghton) -* Added patch for xhydra that adds bruteforce generator to the GUI (thanks to Petar Kaleychev) -* Target on the command line can now be a CIDR definition, e.g. 
192.168.0.0/24 -* with -M , you can now specify a port for each entry (use "target:port" per line) -* Verified that hydra compiles cleanly on QNX / Blackberry 10 :-) -* Bugfixes for -x option: - - password tries were lost when connection errors happened (thanks to Vineet Kumar for reporting) - - fixed crash when used together with -e option -* Fixed a bug that hydra would not compile without libssh (introduced in v7.6) -* Various bugfixes if many targets where attacked in parallel -* Cygwin's Postgresql is working again, hence configure detection re-enabled -* Added gcc compilation security options (if detected to be supported by configure script) -* Enhancements to the secure compilation options -* Checked code with cppcheck and fixed some minor issues. -* Checked code with Coverity. Fixed a lot of small and medium issues. - - -Release 7.6 -* Added a wizard script for hydra based on a script by Shivang Desai -* Added module for Siemens S7-300 (submitted by Alexander Timorin and Sergey Gordeychik, thanks!) 
-* HTTP HEAD/GET: MD5 digest auth was not working, fixed (thanks to Paul Kenyon) -* SMTP Enum: HELO is now always sent, better 500 error detection -* hydra main: - - fixed a bug in the IPv6 address parsing when a port was supplied - - added info message for pop3, imap and smtp protocol usage -* hydra GTK: missed some services, added -* dpl4hydra.sh: - - added Siemens S7-300 common passwords to default password list - - more broad searching in the list -* Performed code indention on all C files :-) -* Makefile patch to ensure .../etc directory is there (thanks to vonnyfly) - - -Release 7.5 -* Moved the license from GPLv3 to AGPLv3 (see LICENSE file) -* Added module for Asterisk Call Manager -* Added support for Android where some functions are not available -* hydra main: - - reduced the screen output if run without -h, full screen with -h - - fix for IPv6 and port parsing with service://[ipv6address]:port/OPTIONS - - fixed -o output (thanks to www417) - - warning if HYDRA_PROXY is defined but the module does not use it - - fixed an issue with large input files and long entries -* hydra library: - - SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems - - removed support for old OPENSSL libraries -* HTTP Form module: - - login and password values are now encoded if special characters are present - - ^USER^ and ^PASS^ are now also supported in H= header values - - if you the colon as a value in your option string, you can now escape it with \: - but do not encode a \ with \\ -* Mysql module: protocol 10 is now supported -* SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be - defined as an option "TLS" if required. This increases performance. 
-* Cisco module: fixed a small bug (thanks to Vitaly McLain) -* Postgres module: libraries on Cygwin are buggy at the moment, module is therefore - disabled on Cygwin - - -Release 7.4.3 FIX RELEASES for bugs introduced in 7.4 -* Quickfix for people who do not have libssh installed (won't compile otherwise) -* Quickfix for http-get/http-head and irc module which would not run due a new feature. -* Fix for the ssh module that breaks an endless loop if a service becomes unavailable (thanks to shark0der(at)gmail(dot)com for reporting) - - -Release 7.4 -* New module: SSHKEY - for testing for ssh private keys (thanks to deadbyte(at)toucan-system(dot)com!) -* Added support for win8 and win2012 server to the RDP module -* Better target distribution if -M is used -* Added colored output (needs libcurses) -* Better library detection for current Cygwin and OS X -* Fixed the -W option -* Fixed a bug when the -e option was used without -u, -l, -L or -C, only half of the logins were tested -* Fixed HTTP Form module false positive when no answer was received from the server -* Fixed SMB module return code for invalid hours logon and LM auth disabled -* Fixed http-{get|post-form} from xhydra -* Added OS/390 mainframe 64bit support (thanks to dan(at)danny(dot)cz) -* Added limits to input files for -L, -P, -C and -M - people were using unhealthy large files! ;-) -* Added debug mode option to usage (thanks to Anold Black) - - -Release 7.3 -* Hydra main: - - Added -F switch to quit all targets if one pair was found (for -M) - - Fixed a bug where hydra would terminate after reporting a successful - login when an account would accept any password - - Fixed a bug with very large wordlists (thanks to sheepdestroyer for reporting!) - - Enhanced the module help -* configure script: - - Added fix Oracle library inclusion, thanks to Brandon Archer! 
- - Added --nostrip option to prevent binary stripping (requested by Fedora - maintainer) -* Added a Makefile patch by the Debian maintainers to support their - SecurityHardeningBuildFlags for the wheezy build as requested -* dpl4hydra: added install directory support -* All code: message cleanups -* SNMP module - - originally already supported write and v2 although this was not in the - module help output. Added :-) - - added SNMPv3 MD5/SHA1 authentication support, though beta still -* HTTP module: - - fixed HTTP NTLM auth session - - implemented errata fix for HTTP digest md5-sess algorithm - - set default path to / -* HTTP Form module: - - set default path to / - - support HTTP/1.0 redirects - - fix failed condition check when pcre is not used -* IMAP module: fixed auth detection -* POP3 module: Updated auth and capability detection -* Oracle module: fixed bad handling -* Oracle listener module: fixed hash size handling -* Telnet/Cisco/Cisco-enable modules: support "press ENTER" prompts -* FTP module: - - Fixed a bug where 530 messages were incorrectly handled - - Clarification for the usage of ftps -* Mysql module: added patch from Redhat/Fedora that fixes compile problems -* Added IDN and PCRE support for Cygwin - - -Release 7.2 -* Speed-up http modules auth mechanism detection -* Fixed -C colonfile mode when empty login/passwords were used (thanks to - will(at)configitnow(dot)com for reporting) -* The -f switch was not working for postgres, afp, socks5, firebird and ncp, - thanks to Richard Whitcroft for reporting! -* Fixed NTLM auth in http-proxy/http-proxy-url module -* Fixed URL when being redirected in http-form module, thanks to gash(at)chaostreff(dot)at -* Fix MSSQL success login condition, thanks to whistle_master(at)live(dot)com -* Fix http form module: optional headers and 3xx status redirect, thx to Gash -* Fix in configure script for --prefix option, thanks to dazzlepod -* Update of the dpl4hydra script by Roland Kessler, thanks! 
-* Small fix for hydra man page, thanks to brad(at)comstyle(dot)com - - -Release 7.1 -* Added HTTP Proxy URL enumeration module -* Added SOCKS4/SOCKS5 proxy support with authentication -* Added IPv6 support for SOCKS5 module -* Added -e r option to try the reversed login as password -* Rewrote -x functionality as the code caused too much trouble (thanks to - murder.net7(at)gmail.com for reporting one of the issues) -* Fixed a bug with multiple hosts (-M) and http modules against targets that - are virtual servers. Well spotted by Tyler Krpata! -* Fixed SVN IPv6 support and updated deprecated calls -* Fixed RDP failed child connection returned value and false positive issues - reported by Wangchaohui, thanks! -* Fixed restore file functionality, was not working together with -o option -* Fix in http-form module for bug introduced in 7.0 -* Fixed xhydra specific parameter value for http-proxy module -* minor enhancements - - -Release 7.0 -* New main engine for hydra: better performance, flexibility and stability -* New option -u - loop around users, not passwords -* Option -e now also works with -x and -C -* Added RDP module, domain can be passed as argument -* Added other_domain option to smb module to test trusted domains -* Small enhancement for http and http-proxy module for standard ignoring servers -* Lots of bugfixes, especially with many tasks, multiple targets and restore file -* Fixes for a few http-form issues -* Fix smb module NTLM hash use -* Fixed Firebird module deprecated API call -* Fixed for dpl4hydra to work on old sed implementations (OS/X ...) 
-* Fixed makefile to install dpl4hydra (thx @sitecrea) -* Fixed local buffer overflow in debug output function (required -d to be used) -* Fixed xhydra running warnings and correct quit action event - - -Release 6.5 -* Improved HTTP form module: getting cookie, fail or success condition, follow - multiple redirections, support cookie gathering URL, multiple user defined - headers -* Added interface support for IPv6, needed for connecting to link local fe80:: - addresses. Works only on Linux and OS/X. Information for Solaris and *BSD welcome -* Added -W waittime between connects option -* The -x bruteforce mode now allows for generated password amounts > 2 billion -* Fix if -L was used together with -x -* Fixes for http- modules when the http-...://target/options format was used -* Fixed a bug in the restore file write function that could lead to a crash -* Fixed XMPP module jabber init request and challenge response check, thx "F e L o R e T" -* Fix: if a proxy was used, unresolveable targets were disabled. 
now its fine -* Fix for service://host/ usage if a colon was used after the URI without a - port defined - - -Release 6.4 -* Update SIP module to extract and use external IP addr return from server error to bypass NAT -* Update SIP module to use SASL lib -* Update email modules to check clear mode when TLS mode failed -* Update Oracle Listener module to work with Oracle DB 9.2 -* Update LDAP module to support Windows 2008 active directory simple auth -* Fix to the connection adaptation engine which would loose planned attempts -* Fix make script for CentOS, reported by ya0wei -* Print error when a service limits connections and few pairs have to be tested -* Improved Mysql module to only init/close when needed -* Added patch from the FreeBSD maintainers -* Module usage help does not need a target to be specified anymore -* Configure script now honors /etc/ld.so.conf.d/ directory -* Add more SMB dialects - - -Release 6.3 -* Added patch by Petar Kaleychev which adds nice icons to cygwin hydra files -* Added patch by Gauillaume Rousse which fixes a warning display -* New Oracle module (for databases via OCI, for TNS Listener passwd, for SID enumeration) -* New SMTP user enum module (using VRFY, EXPN or RCPT command) -* Memory leak fix for -x bruteforcing option reported by Alex Lau -* Fix for svn module, for some versions it needs one more lib, thanks to the - Debian team for reporting! 
-* Fix ssh module, on connection refused a credential could be lost -* Fix http-form module, a redirect was not always followed -* QA on all modules for memory leaks -* Better gtk detection (to not even try xhydra compilation when its useless) -* First blant attempt for configuring to x64 systems (Linux and *BSD) -* Updated network password cracker comparison on the web page (for hydra and new ncrack) -* Indented all source code - - -Release 6.2 -* Added a patch by Jan Dlabal which adds password generation bruteforcing (no more password files :-) ) -* Forgot to rename ssh2 to ssh in xhydra, fixed -* Add support for CRAM-MD5 and DIGEST-MD5 auth to ldap module -* Fix SASL PLAIN auth method issue -* Add TLS negotiation support for smtp-auth, pop3, imap, ftp and ldap -* Added man pages from Debian maintainers -* Checked Teamspeak module, works on TS2 protocol -* Add support for SCRAM-SHA1 (RFC 5802), first auth cracker to support it, yeah ! -* New module: XMPP with TLS negotiation and LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1 support -* Add SCRAM-SHA1 auth to IMAP module -* Add module usage help (-U) -* Add support for RFC 4013: Internationalized Strings in SASL ("SASLPrep") -* Rename smtpauth module to smtp -* Add SASL + TLS support for NNTP -* Bugfix SASL DIGEST-MD5, response could be wrong sometime, mainly on 64bits systems -* Bugfix rlogin module, some auth failure could not be detected accurately -* Bugfix rsh module, some auth failure could not be detected accurately -* New module: IRC is not dead ! use to find general server password and /oper credential -* Add SSL support for VMware Authentication Daemon module -* Bugfix CVS module, should work now, why does nobody report this ?? 
-* Bugfix Telnet module, when line mode is not available -* Add support for new syntax ://[:][/] -* Add TLS support for SIP -* STILL OPEN: Fixed a problem in hydra where a login+pw test was lost when an arm/child was quitting - - -Release 6.1 -* More license updates for the files for the Debian guys -* Fix for the configure script to correctly detect postgresql -* Add checks for libssh v0.4 and support for ssh v1 -* Merge all latest crypto code in sasl files -* Fix SVN compilation issue on openSUSE (tested with v11.3) - - -Release 6.0 -* Added GPL exception clause to license to allow linking to OpenSSL - Debian people need this -* IPv6 support finally added. Note: sip and socks5 modules do not support IPv6 yet -* Changes to code and configure script to ensure clean compile on Solaris 11, - OSX, FreeBSD 8.1, Cygwin and Linux -* Bugfix for SIP module, thanks to yori(at)counterhackchallenges(dot)com -* Compile fixes for systems without OpenSSL or old OpenSSL installations -* Eliminated compile time warnings -* xhydra updates to support the new features (david@) -* Added CRAM-MD5, DIGEST-MD5 auth mechanism to the smtp-auth module (david@) -* Added LOGIN, PLAIN, CRAM-(MD5,SHA1,SHA256) and DIGEST-MD5 auth mechanisms to the imap and pop3 modules (david@) -* Added APOP auth to POP3 module (david@) -* Added NTLM and DIGEST-MD5 to http-auth module and DIGEST-MD5 to http-proxy module (david@) -* Fixed VNC module for None and VLC auth (david@) -* Fixes for LDAP module (david@) -* Bugfix Telnet module linemode option negotiation using win7 (david@) -* Bugfix SSH module when max auth connection is reached (david@) - - -Release 5.9 -* Update for the subversion module for newer SVN versions (thanks to David Maciejak @ GMAIL dot com) -* Another patch by David to add the PLAIN auth mechanism to the smtp-auth module -* mysql module now has two implementations and uses a library when found (again - thanks to David Maciejak @ GMAIL dot com - what would hydra be without him) -* 
camiloculpian @ gmail dot com submitted a logo for hydra - looks cool, thanks! -* better FTP 530 error code detection -* bugfix for the SVN module for non-standard ports (again david@) - - -Release 5.8 -* Added Apple Filing Protocol (thank to "never tired" David Maciejak @ GMAIL dot com) -* Fixed a big bug in the SSL option (-S) - - -Release 5.7 -* Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com) -* Added an old patch to fix a memory from SSL and speed it up too from kan(at)dcit.cz -* Removed unnecessary compiler warnings -* Enhanced the SSH2 module based on an old patch from aris(at)0xbadc0de.be -* Fixed small local defined overflow in the teamspeak module. Does it still work anyway?? - - -Release 5.6 PRIVATE VERSION -########### -* Moved to GPLv3 License (lots of people wanted that) -* Upgraded ssh2 module to libssh-0.4.x (thanks to aris (at) 0xbadc0de.be for - the 0.2 basis) -* Added firebird support (by David Maciejak @ GMAIL dot com) -* Added SIP MD5 auth patch (by Jean-Baptiste Aviat 100 -! Soon to come: v5.0 - some cool new features to arrive on your pentest - machine! - - -Release 4.6 -########### -* Snakebyte delivered a module for Teamspeak -* Snakebyte updated the rexec module for the Hydra Palm version -* Snakebyte updated xhydra to support the new Telnet success response option -* Clarified the Licence -* Updated the ldap module to support v3, note that "ldap" is now specified as - "ldap2" or "ldap3". Added wrong version detection. - - -Release 4.5 -########### -* The configure script now detects Cygwin automatically :-) -* The telnet module now handles the OPT special input. Specify the string - which is displayed after successfully a login. Use this if you have false - positives. -* Made smtp-auth module more flexible in EHLO/HELO handling -* Fixed some glitches in the SAP/R3 module (correct sysnr, better port - handling) thanks to ngregoire@exaprobe.com ! 
-* Fixed some glitches in the http/https module -* Fixed a big bug in snakebyte's snmp module -* Warning msg is now displayed if the deprecated icq module is used -* Added warning message to the ssh2 module during compilation as many people - use the newest libssh version which is broken. - - -Release 4.4 -########### -* Fixed another floating point exception *sigh* -* Fixed -C colon mode -* Added EHLO support for the smtp-auth module, required for some smtpd - - -Release 4.3 -########### -* Fixed a divide by zero bug in the status report function -* Added functionality for skipping accounts (cvs is so nice to report this) -* Snakebyte sent in a patch for cvs for skipping nonexisting accounts -* sent in a patch to fix proxy support for the HTTP module - without proxy authentication - - -Release 4.2 -########### -* Snakebyte sent in modules for SNMP and CVS - great work! -* Snakebyte also expanded the gtk gui to support the two new modules -* Justin sent in a module for smtp-auth ... thanks! -* master_up@post.cz sent in some few patches to fix small glitches -* Incorporated a check from the openbsd port - - -Release 4.1 -########### -* Snakebyte wrote a very nice GTK GUI for hydra! enjoy! -* due a bug, sometimes hydra would kill process -1 ... baaaad boy! -* found passwords are now also printed to stdout if -o option is used -* reported that hydra wouldn't complain on ssh2 option if - compiled without support, fixed -* made an official port for FreeBSD and sent me a - diff to exchange the MD4 of libdes to openssl -* noticed that hydra will crash on big wordlists as - the result of the mallocs there were not checked, fixed -* Snakebyte expanded his PalmOS Version of hydra to nntp and fixed vnc -* Increased the wait time for children from 5 to 15 seconds, as e.g. 
- snakebyte reported detection problems -* Fixed some display glitches - - -Release v4.0 -############ -# -# This is a summary of changes of the D1 to D5 beta releases and shows -# what makes v4.0 different from 3.1. -# Have fun. Lots of it. -# -# By the way: I need someone to program a nice GTK frontend for hydra, -# would YOU like to do that and receive the fame? Send an email to vh@thc.org ! -# -* For the first time there is not only a UNIX/source release but additionally: - ! Windows release (cygwin compile with dll's) - ! PalmPilot release - ! ARM processor release (for all your Zaurus, iPaq etc. running Linux) -* There are new service attack modules: - ! ms-sql - ! sap r/3 (requires a library) - ! ssh v2 (requires a library) -* Enhancements/Fixes to service attack modules: - ! vnc module didnt work correctly, fixed - ! mysql module supports newer versions now - ! http module received a minor fix and has better virtual host support now - ! http-proxy supports now an optional URL - ! socks5 checks now for false positives and daemons without authentication -* The core code (hydra.c) was rewritten from scratch - ! rewrote the internal distribution functions from scratch. code is now - safer, less error prone, easier to read. - ! multiple target support rewritten which now includes intelligent load - balancing based on success, error and load rate - ! intelligently detect maximum connect numbers for services (per server if - multiple targets are used) - ! intelligent restore file writing - ! Faster (up to 15%) - ! Full Cygwin and Cygwin IPv6 support -* added new tool: pw-inspector - it can be used to just try passwords which - matches the target's password policy -# -# This should be more than enough! :-) -# - -... the rest below is history ... 
- -########################################################################### -# -# New Hydra v4.0 code branch -# -Release D5 -* added patches by kan@dcit.cz which enhance the proxy module and provide - a small fix for the http module -* small beautifcations to make the compiler happy -! This is the final beta version before public release - - please test everything! - -Release D4 -* Tick made an update to his configure-arm -* snakebyte@gmx.de added imap, vnc and cisco module support to PalmPilot -* fixed VNC module -* enhanced mysql module to work also with 4.0.x (and all future protocol 10 - mysql protocol types) -* enhanced socks5 module to identify daemons which do not require - authentication, and false positive check (otherwise dante would report all - tries as successful) -* fixed a bug in configure for D3 which resulted in compile problems on - several platforms requiring libcrypto - -Release D3 -* added sapr3 attack module (requires libsdk.a and saprfc.h) -* added ssh2 attack module (requires libssh) -* snakebyte@gmx.de added telnet module support for PalmPilot -* fixed the mssql module, should work now -* fixed -e option bug -* fixed -C option bug (didnt work at all!!) -* fixed double detection (with -e option) plus added simple dictionary - double detection -* target port is now displayed on start - -Release D2 -* added better virtual host support to the www/http/https/ssl module - (based on a patch from alla@scanit.be) -* added ARM support (does not work for libdes yet, ssl works), done by - Tick -* added Palm support (well, in reality it is more a rewrite which can use - the hydra-modules), done by snakebyte -* added ms-sql attack module (code based on perl script form HD Moore - , thanks for contributing) - -Release D1 (3 March 2003) -* rewrote the internal distribution functions from scratch. code is now - safer, less error prone, easier to read. 
-* multiple target support rewritten which now includes intelligent load - balancing based on success, error and load rate -* intelligently detect maximum connect numbers for services (per server if - multiple targets are used) -* intelligent restore file writing -* Faster (up to 15%) -* Full Cygwin and Cygwin IPv6 support -* added new tool: pw-inspector - it can be used to just try passwords which - matches the target's password policy - -########################################################################### - -v3.0 (FEBRUARY 2004) PUBLIC RELEASE -* added a restore function to enable you to continue aborted/crashed - sessions. Just type "hydra -R" to continue a session. - NOTE: this does not work with the -M option! This feature is then disabled! -* added a module for http proxy authentication cracking ("http-proxy") :-) -* added HTTP and SSL/CONNECT proxy support. SSL/CONNECT proxy support works - for *all* TCP protocols, you just need to find a proxy which allows you to - CONNECT on port 23 ... - The environment variable HYDRA_PROXY_HTTP defines the web proxy. The - following syntax is valid: HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" - Same for HYDRA_PROXY_CONNECT. - If you require authentication for the proxy, use the HYDRA_PROXY_AUTH - environment variable: - HYDRA_PROXY_AUTH="login:password" -* fixed parallel host scanning engine (thanks to m0j0.j0j0 for reporting) -* A status, speed and time to completion report is now printed every minute. -* finally updated the README - -v2.9 (FEBRUARY 2004) PRIVATE RELEASE -... - -v2.8 (JANUARY 2004) PRIVATE RELEASE -... - -v2.7 (JANUARY 2004) PUBLIC RELEASE -* small fix for the parallel host code (thanks to m0j0@foofus.net) - -v2.6 (DECEMBER 2003) PUBLIC RELEASE -* fixed a compiling problem for picky compilers. 
- -v2.5 (NOVEMBER 2003) PUBLIC RELEASE -* added a big patch from m0j0@foofus.net which adds: - - AAA authentication to the cisco-enable module - - Running the attacks on hosts in parallel - - new smbnt module, which uses lanman hashes for authentication, needs libdes - ! great work and thanks ! -* changed code to compile easily on FreeBSD -* changed configure to compile easily on MacOS X - Panther (cool OS btw ...) - -v2.4 (AUGUST 2003) PUBLIC RELEASE -* public release -=== 2.3 stuff=== -* added mysql module (thanks to mcbethh@u-n-f.com) -* small fix in vnc (thanks to the Nessus team) -* added credits for vnc-module (FX/Phenolite) -* new ./configure script for better Solaris and *BSD support (copied from amap) -* updated to new email/www addresses => www.thc.org - -v2.2 (OCTOBER 2002) PUBLIC RELEASE -* fixed a bug in the -P passwordfile handling ... uhhh ... thanks to all - the many people who reported that bug! -* added check if a password in -P passwordfile was already done via the - -e n|s switch - -v2.1 (APRIL 2002) PUBLIC RELEASE -* added ldap cracking mode (thanks to myself, eh ;-) -* added -e option to try null passwords ("-e n") and passwords equal to the - login ("-e s"). When specifying -e, -p/-P is optional (and vice versa) -* when a login is found, hydra will now go on with the next login - -v2.0 (APRIL 2002) PRIVATE RELEASE -! with v1.1.14 of Nessus, Hydra is a Nessus plugin! -* incorporated code to make hydra a nessus plugin (thanks to deraison@cvs.nessus.org !) -* added smb/samba/CIFS cracking mode (thanks to deraison@cvs.nessus.org !) -* added cisco-enable cracking mode (thanks to J.Marx@secunet.de !) -* minor enhancements and fixes - -v1.7 (MARCH 2002) PRIVATE RELEASE -* configure change to better detect OpenSSL -* ported to Solaris - -v1.6 (FEBRUARY 2002) PUBLIC RELEASE -* added socks5 support (thanks to bigbud@weed.tc !) 
- -v1.5 (DECEMBER 2001) PRIVATE RELEASE -* added -S option for SSL support (for all TCP based protocols) -* added -f option to stop attacking once a valid login/pw has been discovered -* made modules more hydra-mod compliant -* configure stuff thrown out - was not really used and too complicated, - wrote my own, lets hope it works everywhere ;-) - -v1.4 (DECEMBER 2001) PUBLIC RELEASE -* added REXEC cracking module -* added NNTP cracking module -* added VNC cracking module (plus the 3DES library, which is needed) - some - of the code ripped from FX/Phenolite :-) thanks a lot -* added PCNFS cracking module -* added ICQ cracking module (thanks to ocsic !!) -* for the pcnfs cracking module, I had to add the hydra_connect_udp function -* added several compactibility stuff to work with all the M$ crap - -v1.3 (September 2001) PUBLIC RELEASE -* uh W2K telnetd sends null bytes in negotiation mode. workaround implemented. -* Rewrote the finish functions which would sometimes hang. Shutdowns are faster - now as well. -* Fixed the line count (it was always one to much) -* Put more information in the outpufile (-o) -* Removed some configure crap. - -v1.2 (August 2001) PRIVATE RELEASE -* Fixed a BIG bug which resulted in accounts being checked serveral times. ugh -* Fixed the bug which showed the wrong password for a telnet hack. Works for - me. please test. -* Added http basic authentication cracking. Works for me. please test. -* Fixed the ftp cracker module for occasions where a long welcome message was - displayed for ftp. -* Removed some compiler warnings. 
- -v1.1 (May 2001) PUBLIC RELEASE -* Added wait+reconnect functionality to hydra-mod -* Additional wait+reconnect for cisco module -* Added small waittimes to all attack modules to prevent too fast reconnects -* Added cisco Username/Password support to the telnet module -* Fixed a deadlock in the modules, plus an additional one in the telnet module - -v1.0 (April 2001) PUBLIC RELEASE -* Verified that all service modules really work, no fix necessary ;-) - ... so let's make it public -* Changed the LICENCE - -v0.6 (April 2001) PRIVATE RELEASE -* Added hydra-cisco.c for the cisco 3 times "Password:" type -* Added hydra-imap.c for the imap service -* Fixed a bug in hydra-mod.c: empty logins resulted in an empty - hydra_get_next_password() :-(, additionally the blocking/recv works better - now. (no, not better - perfect ;-) -* Fixed a bug in hydra-telnet.c: too many false alarms for success due some - mis-thinking on my side and I also implemented a more flexible checking -* Fixed hydra-ftp.c to allow more weird reactions -* Fixed all ;-) memory leaks - -v0.5 (December 2000) PUBLIC RELEASE -* NOTE WE HAVE GOT A NEW WWW ADDRESS -> www.thehackerschoice.com -* added telnet protocol -* exchanged snprintf with sprintf(%.250s) to let it compile on more platforms - but still have buffer overflow protection. -* fixed a bug in Makefile.in (introduced by Plasmo ,-) - -v0.4 (August 2000) PUBLIC RELEASE -* Plasmoid added a ./configure script. thanks! - -v0.3 (August 2000) -* first release diff --git a/web/README b/web/README deleted file mode 100644 index 3847215..0000000 --- a/web/README +++ /dev/null 
@@ -1,530 +0,0 @@ - - H Y D R A - - (c) 2001-2019 by van Hauser / THC - https://github.com/vanhauser-thc/thc-hydra - many modules were written by David (dot) Maciejak @ gmail (dot) com - BFG code by Jan Dlabal - - Licensed under AGPLv3 (see LICENSE file) - - Please do not use in military or secret service organizations, - or for illegal purposes. - - - -INTRODUCTION ------------- -Number one of the biggest security holes are passwords, as every password -security study shows. -This tool is a proof of concept code, to give researchers and security -consultants the possibility to show how easy it would be to gain unauthorized -access from remote to a system. - -THIS TOOL IS FOR LEGAL PURPOSES ONLY! - -There are already several login hacker tools available, however, none does -either support more than one protocol to attack or support parallized -connects. - -It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, -FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS. - -Currently this tool supports the following protocols: - Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, - HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, - HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, - HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, - Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, - Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, - SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, - VNC and XMPP. - -However the module engine for new services is very easy so it won't take a -long time until even more services are supported. -Your help in writing, enhancing or fixing modules is highly appreciated!! 
:-) - - - -WHERE TO GET ------------- -You can always find the newest release/production version of hydra at its -project page at https://github.com/vanhauser-thc/thc-hydra/releases -If you are interested in the current development state, the public development -repository is at Github: - svn co https://github.com/vanhauser-thc/thc-hydra - or - git clone https://github.com/vanhauser-thc/thc-hydra -Use the development version at your own risk. It contains new features and -new bugs. Things might not work! - - - -HOW TO COMPILE --------------- -To configure, compile and install hydra, just type: - -``` -./configure -make -make install -``` - -If you want the ssh module, you have to setup libssh (not libssh2!) on your -system, get it from http://www.libssh.org, for ssh v1 support you also need -to add "-DWITH_SSH1=On" option in the cmake command line. -IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! - -If you use Ubuntu/Debian, this will install supplementary libraries needed -for a few optional modules (note that some might not be available on your distribution): - -``` -apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ - libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ - firebird-dev -``` - -This enables all optional modules and features with the exception of Oracle, -SAP R/3, NCP and the apple filing protocol - which you will need to download and -install from the vendor's web sites. - -For all other Linux derivates and BSD based systems, use the system -software installer and look for similarly named libraries like in the -command above. In all other cases, you have to download all source libraries -and compile them manually. - - - -SUPPORTED PLATFORMS -------------------- -- All UNIX platforms (Linux, *BSD, Solaris, etc.) -- MacOS (basically a BSD clone) -- Windows with Cygwin (both IPv4 and IPv6) -- Mobile systems based on Linux, MacOS or QNX (e.g. 
Android, iPhone, Blackberry 10, Zaurus, iPaq) - - - -HOW TO USE ----------- -If you just enter `hydra`, you will see a short summary of the important -options available. -Type `./hydra -h` to see all available command line options. - -Note that NO login/password file is included. Generate them yourself. -A default password list is however present, use "dpl4hydra.sh" to generate -a list. - -For Linux users, a GTK GUI is available, try `./xhydra` - -For the command line usage, the syntax is as follows: - For attacking one target or a network, you can use the new "://" style: - hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS - The old mode can be used for these too, and additionally if you want to - specify your targets from a text file, you *must* use this one: - -``` -hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] -``` - -Via the command line options you specify which logins to try, which passwords, -if SSL should be used, how many parallel tasks to use for attacking, etc. - -PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, -http-get or many others are available -TARGET is the target you want to attack -MODULE-OPTIONS are optional values which are special per PROTOCOL module - -FIRST - select your target - you have three options on how to specify the target you want to attack: - 1. a single target on the command line: just put the IP or DNS address in - 2. a network range on the command line: CIDR specification like "192.168.0.0/24" - 3. a list of hosts in a text file: one line per entry (see below) - -SECOND - select your protocol - Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. - Use a port scanner to see which protocols are enabled on the target. - -THIRD - check if the module has optional parameters - hydra -U PROTOCOL - e.g. hydra -U smtp - -FOURTH - the destination port - this is optional! 
if no port is supplied the default common port for the - PROTOCOL is used. - If you specify SSL to use ("-S" option), the SSL common port is used by default. - - -If you use "://" notation, you must use "[" "]" brackets if you want to supply -IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: - hydra [some command line options] ftp://[192.168.0.0/24]/ - hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM - -Note that everything hydra does is IPv4 only! -If you want to attack IPv6 addresses, you must add the "-6" command line option. -All attacks are then IPv6 only! - -If you want to supply your targets via a text file, you can not use the :// -notation but use the old style and just supply the protocol (and module options): - hydra [some command line options] -M targets.txt ftp -You can supply also the port for each target entry by adding ":" after a -target entry in the file, e.g.: - -``` -foo.bar.com -target.com:21 -unusual.port.com:2121 -default.used.here.com -127.0.0.1 -127.0.0.1:2121 -``` - -Note that if you want to attach IPv6 targets, you must supply the -6 option -and *must* put IPv6 addresses in brackets in the file(!) like this: - -``` -foo.bar.com -target.com:21 -[fe80::1%eth0] -[2001::1] -[2002::2]:8080 -[2a01:24a:133:0:00:123:ff:1a] -``` - -LOGINS AND PASSWORDS --------------------- -You have many options on how to attack with logins and passwords -With -l for login and -p for password you tell hydra that this is the only -login and/or password to try. -With -L for logins and -P for passwords you supply text files with entries. -e.g.: - -``` -hydra -l admin -p password ftp://localhost/ -hydra -L default_logins.txt -p test ftp://localhost/ -hydra -l admin -P common_passwords.txt ftp://localhost/ -hydra -L logins.txt -P passwords.txt ftp://localhost/ -``` - -Additionally, you can try passwords based on the login via the "-e" option. 
-The "-e" option has three parameters: - -``` -s - try the login as password -n - try an empty password -r - reverse the login and try it as password -``` - -If you want to, e.g. try "try login as password and "empty password", you -specify "-e sn" on the command line. - -But there are two more modes for trying passwords than -p/-P: -You can use text file which where a login and password pair is separated by a colon, -e.g.: - -``` -admin:password -test:test -foo:bar -``` - -This is a common default account style listing, that is also generated by the -dpl4hydra.sh default account file generator supplied with hydra. -You use such a text file with the -C option - note that in this mode you -can not use -l/-L/-p/-P options (-e nsr however you can). -Example: - -``` -hydra -C default_accounts.txt ftp://localhost/ -``` - -And finally, there is a bruteforce mode with the -x option (which you can not -use with -p/-P/-C): - -``` --x minimum_length:maximum_length:charset -``` - -the charset definition is `a` for lowercase letters, `A` for uppercase letters, -`1` for numbers and for anything else you supply it is their real representation. -Examples: - -``` --x 1:3:a generate passwords from length 1 to 3 with all lowercase letters --x 2:5:/ generate passwords from length 2 to 5 containing only slashes --x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers -``` - -Example: - -``` -hydra -l ftp -x 3:3:a ftp://localhost/ -``` - -SPECIAL OPTIONS FOR MODULES ---------------------------- -Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m -command line option, you can pass one option to a module. -Many modules use this, a few require it! - -To see the special option of a module, type: - - hydra -U - -e.g. - - ./hydra -U http-post-form - -The special options can be passed via the -m parameter, as 3rd command line -option or in the service://target/option format. 
- -Examples (they are all equal): - -``` -./hydra -l test -p test -m PLAIN 127.0.0.1 imap -./hydra -l test -p test 127.0.0.1 imap PLAIN -./hydra -l test -p test imap://127.0.0.1/PLAIN -``` - -RESTORING AN ABORTED/CRASHED SESSION ------------------------------------- -When hydra is aborted with Control-C, killed or crashes, it leaves a -"hydra.restore" file behind which contains all necessary information to -restore the session. This session file is written every 5 minutes. -NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. -from little endian to big endian, or from Solaris to AIX) - -HOW TO SCAN/CRACK OVER A PROXY ------------------------------- -The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works -just for the http services!). -The following syntax is valid: - -``` -HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" -HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" -HYDRA_PROXY_HTTP="proxylist.txt" -``` - -The last example is a text file containing up to 64 proxies (in the same -format definition as the other examples). - -For all other services, use the HYDRA_PROXY variable to scan/crack. -It uses the same syntax. eg: - -``` -HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port -``` - -for example: - -``` -HYDRA_PROXY=connect://proxy.anonymizer.com:8000 -HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 -HYDRA_PROXY=socksproxylist.txt -``` - -ADDITIONAL HINTS ----------------- -* sort your password files by likelihood and use the -u option to find - passwords much faster! -* uniq your dictionary files! this can save you a lot of time :-) - cat words.txt | sort | uniq > dictionary.txt -* if you know that the target is using a password policy (allowing users - only to choose a password with a minimum length of 6, containing a least one - letter and one number, etc. 
use the tool pw-inspector which comes along - with the hydra package to reduce the password list: - cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt - - -RESULTS OUTPUT --------------- - -The results are output to stdio along with the other information. Via the -o -command line option, the results can also be written to a file. Using -b, -the format of the output can be specified. Currently, these are supported: - -* `text` - plain text format -* `jsonv1` - JSON data using version 1.x of the schema (defined below). -* `json` - JSON data using the latest version of the schema, currently there - is only version 1. - -If using JSON output, the results file may not be valid JSON if there are -serious errors in booting Hydra. - - -JSON Schema ------------ -Here is an example of the JSON output. Notes on some of the fields: - -* `errormessages` - an array of zero or more strings that are normally printed - to stderr at the end of the Hydra's run. The text is very free form. -* `success` - indication if Hydra ran correctly without error (**NOT** if - passwords were detected). This parameter is either the JSON value `true` - or `false` depending on completion. -* `quantityfound` - How many username+password combinations discovered. -* `jsonoutputversion` - Version of the schema, 1.00, 1.01, 1.11, 2.00, - 2.03, etc. Hydra will make second tuple of the version to always be two - digits to make it easier for downstream processors (as opposed to v1.1 vs - v1.10). The minor-level versions are additive, so 1.02 will contain more - fields than version 1.00 and will be backward compatible. Version 2.x will - break something from version 1.x output. - -Version 1.00 example: -``` -{ - "errormessages": [ - "[ERROR] Error Message of Something", - "[ERROR] Another Message", - "These are very free form" - ], - "generator": { - "built": "2019-03-01 14:44:22", - "commandline": "hydra -b jsonv1 -o results.json ... 
...", - "jsonoutputversion": "1.00", - "server": "127.0.0.1", - "service": "http-post-form", - "software": "Hydra", - "version": "v8.5" - }, - "quantityfound": 2, - "results": [ - { - "host": "127.0.0.1", - "login": "bill@example.com", - "password": "bill", - "port": 9999, - "service": "http-post-form" - }, - { - "host": "127.0.0.1", - "login": "joe@example.com", - "password": "joe", - "port": 9999, - "service": "http-post-form" - } - ], - "success": false -} -``` - - -SPEED ------ -through the parallelizing feature, this password cracker tool can be very -fast, however it depends on the protocol. The fastest are generally POP3 -and FTP. -Experiment with the task option (-t) to speed things up! The higher - the -faster ;-) (but too high - and it disables the service) - - - -STATISTICS ----------- -Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing -295 entries (294 tries invalid logins, 1 valid). Every test was run three -times (only for "1 task" just once), and the average noted down. - -``` - P A R A L L E L T A S K S -SERVICE 1 4 8 16 32 50 64 100 128 -------- -------------------------------------------------------------------- -telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* -ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 -pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 -imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 -``` - -(*) -Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with -128 tasks, running four times resulted in timings between 28 and 97 seconds! -The reason for this is unknown... - -guesses per task (rounded up): - - 295 74 38 19 10 6 5 3 3 - -guesses possible per connect (depends on the server software and config): - - telnet 4 - ftp 6 - pop3 1 - imap 3 - - - -BUGS & FEATURES ---------------- -Hydra: -Email me or David if you find bugs or if you have written a new module. 
-vh@thc.org (and put "antispam" in the subject line) - - -You should use PGP to encrypt emails to vh@thc.org : - -``` ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v3.3.3 (vh@thc.org) - -mQINBFIp+7QBEADQcJctjohuYjBxq7MELAlFDvXRTeIqqh8kqHPOR018xKL09pZT -KiBWFBkU48xlR3EtV5fC1yEt8gDEULe5o0qtK1aFlYBtAWkflVNjDrs+Y2BpjITQ -FnAPHw0SOOT/jfcvmhNOZMzMU8lIubAVC4cVWoSWJbLTv6e0DRIPiYgXNT5Quh6c -vqhnI1C39pEo/W/nh3hSa16oTc5dtTLbi5kEbdzml78TnT0OASmWLI+xtYKnP+5k -Xv4xrXRMVk4L1Bv9WpCY/Jb6J8K8SJYdXPtbaIi4VjgVr5gvg9QC/d/QP2etmw3p -lJ1Ldv63x6nXsxnPq6MSOOw8+QqKc1dAgIA43k6SU4wLq9TB3x0uTKnnB8pA3ACI -zPeRN9LFkr7v1KUMeKKEdu8jUut5iKUJVu63lVYxuM5ODb6Owt3+UXgsSaQLu9nI -DZqnp/M6YTCJTJ+cJANN+uQzESI4Z2m9ITg/U/cuccN/LIDg8/eDXW3VsCqJz8Bf -lBSwMItMhs/Qwzqc1QCKfY3xcNGc4aFlJz4Bq3zSdw3mUjHYJYv1UkKntCtvvTCN -DiomxyBEKB9J7KNsOLI/CSst3MQWSG794r9ZjcfA0EWZ9u6929F2pGDZ3LiS7Jx5 -n+gdBDMe0PuuonLIGXzyIuMrkfoBeW/WdnOxh+27eemcdpCb68XtQCw6UQARAQAB -tB52YW4gSGF1c2VyICgyMDEzKSA8dmhAdGhjLm9yZz6JAjkEEwECACMCGwMCHgEC -F4AFAlIp/QcGCwkIAwcCBhUKCQgLAgUWAwIBAAAKCRDI8AEqhCFiv2R9D/9qTCJJ -xCH4BUbWIUhw1zRkn9iCVSwZMmfaAhz5PdVTjeTelimMh5qwK2MNAjpR7vCCd3BH -Z2VLB2Eoz9MOgSCxcMOnCDJjtCdCOeaxiASJt8qLeRMwdMOtznM8MnKCIO8X4oo4 -qH8eNj83KgpI50ERBCj/EMsgg07vSyZ9i1UXjFofFnbHRWSW9yZO16qD4F6r4SGz -dsfXARcO3QRI5lbjdGqm+g+HOPj1EFLAOxJAQOygz7ZN5fj+vPp+G/drONxNyVKp -QFtENpvqPdU9CqYh8ssazXTWeBi/TIs0q0EXkzqo7CQjfNb6tlRsg18FxnJDK/ga -V/1umTg41bQuVP9gGmycsiNI8Atr5DWqaF+O4uDmQxcxS0kX2YXQ4CSQJFi0pml5 -slAGL8HaAUbV7UnQEqpayPyyTEx1i0wK5ZCHYjLBfJRZCbmHX7SbviSAzKdo5JIl -Atuk+atgW3vC3hDTrBu5qlsFCZvbxS21PJ+9zmK7ySjAEFH/NKFmx4B8kb7rPAOM -0qCTv0pD/e4ogJCxVrqQ2XcCSJWxJL31FNAMnBZpVzidudNURG2v61h3ckkSB/fP -JnkRy/yxYWrdFBYkURImxD8iFD1atj1n3EI5HBL7p/9mHxf1DVJWz7rYQk+3czvs -IhBz7xGBz4nhpCi87VDEYttghYlJanbiRfNh3okCOAQTAQIAIgUCUin7tAIbAwYL -CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyPABKoQhYr8OIA//cvkhoKay88yS -AjMQypach8C5CvP7eFCT11pkCt1DMAO/8Dt6Y/Ts10dPjohGdIX4PkoLTkQDwBDJ -HoLO75oqj0CYLlqDI4oHgf2uzd0Zv8f/11CQQCtut5oEK72mGNzv3GgVqg60z2KR 
-2vpxvGQmDwpDOPP620tf/LuRQgBpks7uazcbkAE2Br09YrUQSCBNHy8kirHW5m5C -nupMrcvuFx7mHKW1z3FuhM8ijG7oRmcBWfVoneQgIT3l2WBniXg1mKFhuUSV8Erc -XIcc11qsKshyqh0GWb2JfeXbAcTW8/4IwrCP+VfAyLO9F9khP6SnCmcNF9EVJyR6 -Aw+JMNRin7PgvsqbFhpkq9N+gVBAufz3DZoMTEbsMTtW4lYG6HMWhza2+8G9XyaL -ARAWhkNVsmQQ5T6qGkI19thB6E/T6ZorTxqeopNVA7VNK3RVlKpkmUu07w5bTD6V -l3Ti6XfcSQqzt6YX2/WUE8ekEG3rSesuJ5fqjuTnIIOjBxr+pPxkzdoazlu2zJ9F -n24fHvlU20TccEWXteXj9VFzV/zbPEQbEqmE16lV+bO8U7UHqCOdE83OMrbNKszl -7LSCbFhCDtflUsyClBt/OPnlLEHgEE1j9QkqdFFy90l4HqGwKvx7lUFDnuF8LYsb -/hcP4XhqjiGcjTPYBDK254iYrpOSMZSIRgQQEQIABgUCUioGfQAKCRBDlBVOdiii -tuddAJ4zMrge4qzajScIQcXYgIWMXVenCQCfYTNQPGkHVyp3dMhJ0NR21TYoYMC5 -Ag0EUin7tAEQAK5/AEIBLlA/TTgjUF3im6nu/rkWTM7/gs5H4W0a04kF4UPhaJUR -gCNlDfUnBFA0QD7Jja5LHYgLdoHXiFelPhGrbZel/Sw6sH2gkGCBtFMrVkm3u7tt -x3AZlprqqRH68Y5xTCEjGRncCAmaDgd2apgisJqXpu0dRDroFYpJFNH3vw9N2a62 -0ShNakYP4ykVG3jTDC4MSl2q3BO5dzn8GYFHU0CNz6nf3gZR+48BG+zmAT77peTS -+C4Mbd6LmMmB0cuS2kYiFRwE2B69UWguLHjpXFcu9/85JJVCl2CIab7l5hpqGmgw -G/yW8HFK04Yhew7ZJOXJfUYlv1EZzR5bOsZ8Z9inC6hvFmxuCYCFnvkiEI+pOxPA -oeNOkMaT/W4W+au0ZVt3Hx+oD0pkJb5if0jrCaoAD4gpWOte6LZA8mAbKTxkHPBr -rA9/JFis5CVNI688O6eDiJqCCJjPOQA+COJI+0V+tFa6XyHPB4LxA46RxtumUZMC -v/06sDJlXMNpZbSd5Fq95YfZd4l9Vr9VrvKXfbomn+akwUymP8RDyc6Z8BzjF4Y5 -02m6Ts0J0MnSYfEDqJPPZbMGB+GAgAqLs7FrZJQzOZTiOXOSIJsKMYsPIDWE8lXv -s77rs0rGvgvQfWzPsJlMIx6ryrMnAsfOkzM2GChGNX9+pABpgOdYII4bABEBAAGJ -Ah8EGAECAAkFAlIp+7QCGwwACgkQyPABKoQhYr+hrg/9Er0+HN78y6UWGFHu/KVK -d8M6ekaqjQndQXmzQaPQwsOHOvWdC+EtBoTdR3VIjAtX96uvzCRV3sb0XPB9S9eP -gRrO/t5+qTVTtjua1zzjZsMOr1SxhBgZ5+0U2aoY1vMhyIjUuwpKKNqj2uf+uj5Y -ZQbCNklghf7EVDHsYQ4goB9gsNT7rnmrzSc6UUuJOYI2jjtHp5BPMBHh2WtUVfYP -8JqDfQ+eJQr5NCFB24xMW8OxMJit3MGckUbcZlUa1wKiTb0b76fOjt0y/+9u1ykd -X+i27DAM6PniFG8BfqPq/E3iU20IZGYtaAFBuhhDWR3vGY4+r3OxdlFAJfBG9XDD -aEDTzv1XF+tEBo69GFaxXZGdk9//7qxcgiya4LL9Kltuvs82+ZzQhC09p8d3YSQN -cfaYObm4EwbINdKP7cr4anGFXvsLC9urhow/RNBLiMbRX/5qBzx2DayXtxEnDlSC -Mh7wCkNDYkSIZOrPVUFOCGxu7lloRgPxEetM5x608HRa3hDHoe5KvUBmmtavB/aR 
-zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni
-1B/y8hBSx3SVb4sQVRe3clBkfS1/mYjlldtYjzOwcd02x599KJlcChf8HnWFB7qT
-zB3yrr+vYBT0uDWmxwPjiJs=
-=ytEf
------END PGP PUBLIC KEY BLOCK-----
-```
diff --git a/web/index.html b/web/index.html
deleted file mode 100644
index 6786d7f..0000000
--- a/web/index.html
+++ /dev/null
@@ -1,206 +0,0 @@
- - -THC-HYDRA - fast and flexible network login hacker - -
-
-
-
-
-
-
-
- - -
-

THC-Hydra

-

- A very fast network logon cracker which support many different services. - See feature sets and services coverage page - incl. a speed comparison against ncrack and medusa
-

- Current Version: 8.6 - Last update 2017-07-21 -

-
-
-
-
- [0x00] News and Changelog
-
-
-        Check out the feature sets and services coverage page - including a speed comparison against ncrack and medusa (yes, we win :-) )
-        Development code is available at a public github repository: https://github.com/vanhauser-thc/thc-hydra
-        There is a new section below for online tutorials.
-        Read below for Linux compilation notes.
-        
-
-        CHANGELOG for 8.6
-        ===================
-        ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra
-        
-        ! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix
-        * added radmin2 module by catatonic prime - great work!
-        * smb module now checks if SMBv1 is supported by the server and if signing is required
-        * http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch)
-        * Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting)
-        * Added new command line option:
-          -c TIME: seconds between login attempts (over all threads, so -t 1 is recommended)
-        * Options put after -R (for loading a restore file) are now honored (and were disallowed before)
-        * merged several patches by Diadlo@github to make the code easier readable. thanks for that!
-        * merged a patch by Diadlo@github that moves the help output to the invididual module
-
-	You can also take a look at the full CHANGES file
-
-
- [0x01] Introduction
-
-	Welcome to the mini website of the THC Hydra project.
-
-	Number one of the biggest security holes are passwords, as every password security study shows.
-	Hydra is a parallized login cracker which supports numerous protocols to attack. New modules
-	are easy to add, beside that, it is flexible and very fast.
-
-        Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX,
-        QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.
-
-	Currently this tool supports:
-	  Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST,
-	  HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-POST, HTTPS-HEAD,
-	  HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle,
-	  PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, S7-300, SAP/R3, SIP, SMB, SMTP,
-	  SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
-
-        For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.
-
-	This tool is a proof of concept code, to give researchers and security consultants the 
-	possiblity to show how easy it would be to gain unauthorized access from remote to a system.
-
-        The program was written van Hauser and is additiionally supported by David Maciejak.
-
-
- [0x02] Screenshots
-
-	
-	(1) Target selection
-
-	
-	(2) Login/Password setup
-
-	
-	(3) Hydra start and output
-
-
- [0x03] Documentation 
- 
-	Hydra comes with a rather long README file that describes the
-	details about the usage and special options.
-	
-	But sometimes detailed online help can vastly improve your efficency.
-	The following links on the global internet are a recommended read.
-	
-          General usage and options: http://www.aldeid.com/wiki/Thc-hydra
-                                     http://resources.infosecinstitute.com/online-dictionary-attack-with-hydra/
-
-          HTTP basic auth: https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
-                           http://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html
-
-          HTTP form based auth: http://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
-                                http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
-                                http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
-                                https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
-
-          Multiple protocols: http://wiki.bywire.org/Hydra
-                              http://www.attackvector.org/brute-force-with-thc-hydra/
-                              http://www.madirish.net/content/hydra-brute-force-utility
-          
-          Telnet: http://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
-                  http://www.adeptus-mechanicus.com/codex/bflog/bflog.html
-	
-        For those people testing with DVWA, this is what you want:
-          hydra -l admin -p password   http-get-form "/dvwa/login.php:username=^USER^&password=^PASS^&submit=Login:Login failed"
-
-	If you find other good ones, just email them in ( vh(at)thc(dot)org ).
-
-
- [0x04] Disclaimer
-
-	1. Please do not use in military or secret service organizations or for illegal purposes.
-	2. The Affero General Public License Version 3 (AGPLv3) applies to this code.
-	3. A special license expansion for OpenSSL is included which is required for the Debian people
-
-
- [0x05] The Art of Downloading: Source and Binaries
- 
-	1. PRODUCTION/RELEASE VERSION:
-	   The source code of state-of-the-art Hydra: hydra-8.6.tar.gz
-	   (compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux, Android, iPhone, Blackberry 10, etc.)
-
-        2. DEVELOPMENT VERSION:
-           You can download and compile the current development version of hydra always in its public GITHUB repository:
-           https://github.com/vanhauser-thc/thc-hydra by either
-             svn co https://github.com/vanhauser-thc/thc-hydra
-           or
-             git clone https://github.com/vanhauser-thc/thc-hydra.git
-           Note that this is the development state! New features - and new bugs. Things might not work!
-
-	3. The source code of an old, deprecated version of Hydra ONLY in case v7.x gives you problems on unusual and old platforms:
-	   hydra-5.9.1-src.tar.gz
-
-	4. The Win32/Cywin binary release: --- not anymore ---
-	   Install cygwin from http://www.cygwin.com
-	   and compile it yourself. If you do not have cygwin installed - how
-	   do you think you will do proper securiy testing? duh ...
-
-        5. ARM and Palm binaries here are old and not longer maintained:
-	     ARM:  hydra-5.0-arm.tar.gz
-             Palm: hydra-4.6-palm.zip
-
-
- [0x06] Compilation Help
-
-        Hydra compiles fine on all platforms that have gcc - Linux, all BSD, Mac OS/X, Cygwin on Windows, Solaris, etc.
-        It should even compile on historical SunOS, Ultrix etc. platforms :-)
-        
-        There are many optional modules for network protocols like SSH, SVN etc. that require libraries.
-        If they are not found, these optional libraries will not be supported in your binary.
-        
-        If you are on Linux, the following commands install all necessary libraries:
- 
-        Ubuntu/Debian:  apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev
-        Redhat/Fedora:  yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel
-        OpenSuSE:       zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel
-        
-        This enables all optional modules and features with the exception of Oracle, SAP R/3 and the
-        Apple filing protocol - which you will need to download and install from the vendor's web sites.
-        For Oracle this is (install the basic and SDK packages): http://www.oracle.com/technetwork/database/features/instant-client/index.html
-
-        For all other Linux derivates and BSD based systems, use the system software installer and look for
-        similar named libraries like in the command above.
-        In all other cases you have to download all source libraries and compile them manually; 
-        the configure script output tells you what is missing and where to get it from.
-        
-
- [0x07] Development & Contributions
-
-	Your contributions are more than welcomed!
-	
-	If you find bugs, coded enhancements or wrote a new attack module for a service,
-	please send them to vh (at) thc (dot) org
-
-	Interesting attack modules would be:
-	OSPF, BGP, PIM, PPTP, ...
-	(or anything else you might be able to do (and is not there yet))
-	
-	Please note that you can also download and commit via github: https://github.com/vanhauser-thc/thc-hydra
-
- 
- Comments and suggestions are welcome.
-
- Yours sincerly,
-
- van Hauser
- The Hackers Choice
- http://www.thc.org/thc-hydra
-
-
-
diff --git a/web/network_password_cracker_comparison.html b/web/network_password_cracker_comparison.html
deleted file mode 100644
index ac3aa69..0000000
--- a/web/network_password_cracker_comparison.html
+++ /dev/null
@@ -1,917 +0,0 @@
- - - - - - - - - - - - State of network password cracker art - Comparison Of Features and Services - hydra - - - - - - - -
-
-
- -

Comparison of Features and Services Coverage

- - - -
-
-

Contents

- -
-

Introduction

-

Hydra is born more than 10 years ago, this page is used as a recap of the functionalities it provides, but also -the differences in feature sets, services coverage and code between the most -popular network authentication cracker tools available. Each feature is compared against -Hydra as of the current version. This table is updated as new -features are added to the project. If you find any inaccuracies - on this page please do not hesitate to contact us. -

Below, Yes means it is supported, No means it is not supported, Unknown means the support is partial -

-

- -

Code Comparison

-

This table just lists latest available versions and platforms compatibility.

- - - - - - - - - - -
Code - Hydra - Medusa - Ncrack -
Version - 8.6 - 2.2 - 0.4 alpha -
Last Update - July 2017 - November 2015 - April 2011 -
Supported Platforms - Linux, *BSD, Solaris, Mac OS X, any Unix, Windows (Cygwin) - Linux, *BSD, Solaris and Mac OS X - Linux, *BSD, Mac OS X, Windows -

- -

Features Table

-

This table lists the feature sets of each tools. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Feature - Hydra - Medusa - Ncrack -
License - AGPLv3 - GPLv2 - GPLv2 + Nmap terms -
IPv6 Support -Yes -No -Yes -
Graphic User Interface -Yes -Yes -No -
Internationalized support (RFC 4013) -Yes -No -No -
HTTP proxy support -Yes -Yes -No -
SOCKS proxy support -Yes -No -No -
# of supported protocols - 51 - 22 - 7 -

- -

Services Coverage

-

This table lists the services coverage of each tools. For each services, many authentication methods are possible. If you require other ways or find issues in Hydra, please -contact us as the service depends on RFC implementations, some adjustements may be needed. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Service - Details - Hydra - Medusa - Ncrack -
ADAM-6500 - -Yes -No -No -
AFP - -Yes -Yes -No -
Asterisk - -Yes -No -No -
Cisco Password - -Yes -No -No -
Cisco Enable - -Yes -No -No -
CVS - -Yes -Yes -No -
Firebird - -Yes -No -No -
FTP -Yes -Yes -Yes -
SSL supportAUTH TLS & FTP over SSL -AUTH TLS & FTP over SSL -No -
HTTP -Method(s)GET, HEAD, POST -GET -GET -
Basic AuthYes -Yes -Yes -
DIGEST-MD5 AuthYes -Yes -No -
NTLM AuthYes -Yes -No -
SSL supportHTTPS -HTTPS -HTTPS -
HTTP Form -Method(s)GET, POST -GET, POST -No -
SSL supportHTTPS -HTTPS -No -
HTTP Proxy -Basic AuthYes -No -No -
DIGEST-MD5 AuthYes -No -No -
NTLM AuthYes -No -No -
SSL supportHTTPS -No -No -
HTTP PROXY URL Enumeration - -Yes -No -No -
ICQ -v5 -Yes 1 -No -No -
IMAP -LOGIN supportYes -Yes -No -
AUTH LOGIN supportYes -No -No -
AUTH PLAIN supportYes -Yes -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH CRAM-SHA1 supportYes -No -No -
AUTH CRAM-SHA256 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH NTLM supportYes -Yes -No -
AUTH SCRAM-SHA1 supportYes -No -No -
SSL supportIMAPS & STARTTLS -IMAPS & STARTTLS -No -
IRC -General server password -Yes -No -No -
OPER mode password -Yes -No -No -
LDAP -v2, Simple supportYes -No -No -
v3, Simple supportYes -No -No -
v3, AUTH CRAM-MD5 supportYes -No -No -
v3, AUTH DIGEST-MD5 supportYes -No -No -
MS-SQL - -Yes -Yes -No -
MySQL -v3.x -Yes -Yes -No -
v4.x -Yes -Yes -No -
v5.x -Yes -Yes -No -
NCP - -Yes -Yes -No -
NNTP -USER support -Yes -Yes -No -
AUTH LOGIN support -Yes -No -No -
AUTH PLAIN support -Yes -No -No -
AUTH CRAM-MD5 support -Yes -No -No -
AUTH DIGEST-MD5 support -Yes -No -No -
AUTH NTLM support -Yes -No -No -
SSL support -STARTTLS & NNTP over SSL -No -No -
Oracle -DatabaseYes -Yes 2 -No -
TNS ListenerYes -No -No -
SID EnumerationYes -No -No -
PC-NFS -Yes -No -No -
pcAnywhere -Native Authentication -Yes 1 -Yes -No -
OS Based Authentication (MS) -No -Yes -No -
POP3 -USER supportYes -Yes -Yes -
APOP supportYes -No -No -
AUTH LOGIN supportYes -Yes -No -
AUTH PLAIN supportYes -Yes -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH CRAM-SHA1 supportYes -No -No -
AUTH CRAM-SHA256 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH NTLM supportYes -Yes -No -
SSL SupportPOP3S & STARTTLS -POP3S & STARTTLS -POP3S -
PostgreSQL - -Yes -Yes -No -
Asterisk - -Yes -No -No -
RDP -Windows Workstation -Yes -Yes 2 -Yes -
Windows Server -Yes -Yes 2 -Partial -
Domain Auth -Yes -Yes 2 -No -
REDIS - -Yes -No -No -
REXEC - -Yes -Yes -No -
RLOGIN - -Yes -Yes -No -
RPCAP - -Yes -No -No -
RSH - -Yes -Yes -No -
RTSP - -Yes -No -No -
SAP R/3 - -Yes 1 -No -No -
Siemens S7-300 - -Yes -No -No -
SIP -Yes 1 -No -No -
SSL supportSIP over SSL -No -No -
SMB -NetBIOS ModeYes -Yes -No -
W2K Native ModeYes -Yes -Yes -
Hash modeYes -Yes -No -
Clear Text AuthYes -Yes -No -
LMv1 AuthYes -Yes -Yes -
LMv2 AuthYes -Yes -Yes -
NTLMv1 AuthYes -Yes -Yes -
NTLMv2 AuthYes -Yes -Yes -
SMTP -AUTH LOGIN supportYes -Yes -No -
AUTH PLAIN supportYes -Yes -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH NTLM supportYes -Yes -No -
SSL supportSMTPS & STARTTLS -SMTPS & STARTTLS -No -
SMTP User Enum -VRFY cmdYes -Yes -No -
EXPN cmdYes -Yes -No -
RCPT TO cmdYes -Yes -No -
SNMP -v1 -Yes -Yes -No -
v2c -Yes -Yes -No -
v3 -Partial (MD5/SHA1 auth only)(MD5/SHA1 auth only) -No -No -
SOCKS -v5, Password Auth -Yes -No -No -
SSH -v1Yes -No -No -
v2Yes -Yes -Yes -
SSH Keys -v1, v2 -Yes -No -No -
Subversion (SVN) - -Yes -Yes -No -
TeamSpeak -TS2 -Yes 1 -No -No -
Telnet - -Yes -Yes -Yes -
XMPP -AUTH LOGIN supportYes -No -No -
AUTH PLAIN supportYes -No -No -
AUTH CRAM-MD5 supportYes -No -No -
AUTH DIGEST-MD5 supportYes -No -No -
AUTH SCRAM-SHA1 supportYes -No -No -
VMware Auth Daemon -v1.00 / v1.10 -Yes -Yes -No -
SSL support -Yes -Yes -No -
VNC -RFB 3.x password support -Yes -Yes -No -
RFB 3.x user+password support -No -Partial(UltraVNC only) -No -
RFB 4.x password support -Yes -Yes -No -
RFB 4.x user+password support -No -Partial(UltraVNC only) -No -

- -

Speed Comparison

-

This table gives some speed data (in second) for 2 popular services supported by each cracking tool (as of September 2011). The value displayed is the min value of 3 consecutive runs. -Each tool was configured to run 1, 4 and 16 task(s)/job(s) at a time. A login and password lists corresponding to 20 attempts was used. The smaller the value the better.

- - - - - - - - - - - - - - - - -
Speed (in s) - Hydra - Medusa - Ncrack -
1 Task / FTP module - 11.93 - 12.97 - 18.01 -
4 Tasks / FTP module - 4.20 - 5.24 - 9.01 -
16 Tasks / FTP module - 2.44 - 2.71 - 12.01 -
1 Task / SSH v2 module - 32.56 - 33.84 - 45.02 -
4 Tasks / SSH v2 module - 10.95 - Broken - Missed -
16 Tasks / SSH v2 module - 5.14 - Broken - Missed -

- - -

Notes

-
  1. These Hydra modules have not been checked with latest version of softwares/protocols available. -
  2. -
  3. Medusa support is relying on a script or a wrapper. -
- -
- -
-
-
-
- -
- -
- -
diff --git a/web/webfiles/css/commonPrint.css
deleted file mode 100644
index ecf146d..0000000
--- a/web/webfiles/css/commonPrint.css
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
-** MediaWiki Print style sheet for CSS2-capable browsers.
-** Copyright Gabriel Wicke, http://www.aulinx.de/
-**
-** Derived from the plone (http://plone.org/) styles
-** Copyright Alexander Limi
-*/
-
-/* Thanks to A List Apart (http://alistapart.com/) for useful extras */
-a.stub,
-a.new{ color:#ba0000; text-decoration:none; }
-
-#toc {
- /*border:1px solid #2f6fab;*/
- border:1px solid #aaaaaa;
- background-color:#f9f9f9;
- padding:5px;
-}
-.tocindent {
- margin-left: 2em;
-}
-.tocline {
- margin-bottom: 0px;
-}
-
-/* images */
-div.floatright {
- float: right;
- clear: right;
- margin: 0;
- position:relative;
- border: 0.5em solid White;
- border-width: 0.5em 0 0.8em 1.4em;
-}
-div.floatright p { font-style: italic;}
-div.floatleft {
- float: left;
- margin: 0.3em 0.5em 0.5em 0;
- position:relative;
- border: 0.5em solid White;
- border-width: 0.5em 1.4em 0.8em 0;
-}
-div.floatleft p { font-style: italic; }
-/* thumbnails */
-div.thumb {
- margin-bottom: 0.5em;
- border-style: solid; border-color: White;
- width: auto;
- overflow: hidden;
-}
-div.thumb div {
- border:1px solid #cccccc;
- padding: 3px !important;
- background-color:#f9f9f9;
- font-size: 94%;
- text-align: center;
-}
-div.thumb div a img {
- border:1px solid #cccccc;
-}
-div.thumb div div.thumbcaption {
- border: none;
- padding: 0.3em 0 0.1em 0;
-}
-div.magnify { display: none; }
-div.tright {
- float: right;
- clear: right;
- border-width: 0.5em 0 0.8em 1.4em;
-}
-div.tleft {
- float: left;
- margin-right:0.5em;
- border-width: 0.5em 1.4em 0.8em 0;
-}
-img.thumbborder {
- border: 1px solid #dddddd;
-}
-
-/* table standards */
-table.rimage {
- float:right;
- width:1pt;
- position:relative;
- margin-left:1em;
- margin-bottom:1em;
- text-align:center;
-}
-
-body {
- background: White;
- /*font-size: 11pt !important;*/
- color: Black;
- margin: 0;
- padding: 0;
-}
-
-.noprint,
-div#jump-to-nav,
-div.top,
-div#column-one,
-#colophon,
-.editsection,
-.toctoggle,
-.tochidden,
-div#f-poweredbyico,
-div#f-copyrightico,
-li#viewcount,
-li#about,
-li#disclaimer,
-li#privacy {
- /* Hides all the elements irrelevant for printing */
- display: none;
-}
-
-ul {
- list-style-type: square;
-}
-
-#content {
- background: none;
- border: none ! important;
- padding: 0 ! important;
- margin: 0 ! important;
-}
-#footer {
- background : white;
- color : black;
- border-top: 1px solid black;
-}
-
-h1, h2, h3, h4, h5, h6 {
- font-weight: bold;
-}
-
-p, .documentDescription {
- margin: 1em 0 ! important;
- line-height: 1.2em;
-}
-
-.tocindent p {
- margin: 0 0 0 0 ! important;
-}
-
-pre {
- border: 1pt dashed black;
- white-space: pre;
- font-size: 8pt;
- overflow: auto;
- padding: 1em 0;
- background : white;
- color : black;
-}
-
-table.listing,
-table.listing td {
- border: 1pt solid black;
- border-collapse: collapse;
-}
-
-a {
- color: Black !important;
- background: none !important;
- padding: 0 !important;
-}
-
-a:link, a:visited {
- color: #520;
- background: transparent;
- text-decoration: underline;
-}
-
-#content a.external.text:after, #content a.external.autonumber:after {
- /* Expand URLs for printing */
- content: " (" attr(href) ") ";
-}
-
-#globalWrapper {
- width: 100% !important;
- min-width: 0 !important;
-}
-
-#content {
- background : white;
- color : black;
-}
-
-#column-content {
- margin: 0 !important;
-}
-
-#column-content #content {
- padding: 1em;
- margin: 0 !important;
-}
-/* MSIE/Win doesn't understand 'inherit' */
-a, a.external, a.new, a.stub {
- color: black ! important;
- text-decoration: none ! important;
-}
-
-/* Continue ... */
-a, a.external, a.new, a.stub {
- color: inherit ! important;
- text-decoration: inherit ! 
important; -} - -img { border: none; } -img.tex { vertical-align: middle; } -span.texhtml { font-family: serif; } - -#siteNotice { display: none; } - -table.gallery { - border: 1px solid #cccccc; - margin: 2px; - padding: 2px; - background-color:#ffffff; -} - -table.gallery tr { - vertical-align:top; -} - -div.gallerybox { - border: 1px solid #cccccc; - margin: 2px; - background-color:#f9f9f9; - width: 150px; -} - -div.gallerybox div.thumb { - text-align: center; - border: 1px solid #cccccc; - margin: 2px; -} - -div.gallerytext { - font-size: 94%; - padding: 2px 4px; -} - -/* -** Diff rendering -*/ -table.diff { background:white; } -td.diff-otitle { background:#ffffff; } -td.diff-ntitle { background:#ffffff; } -td.diff-addedline { - background:#ccffcc; - font-size: smaller; - border: solid 2px black; -} -td.diff-deletedline { - background:#ffffaa; - font-size: smaller; - border: dotted 2px black; -} -td.diff-context { - background:#eeeeee; - font-size: smaller; -} -.diffchange { - color: silver; - font-weight: bold; - text-decoration: underline; -} diff --git a/web/webfiles/css/index.css b/web/webfiles/css/index.css deleted file mode 100644 index f010367..0000000 --- a/web/webfiles/css/index.css +++ /dev/null @@ -1,2 +0,0 @@ -/* generated user stylesheet */ -a.new, #quickbar a.new { color: #CC2200; } diff --git a/web/webfiles/css/index_002.css b/web/webfiles/css/index_002.css deleted file mode 100644 index aba5a86..0000000 --- a/web/webfiles/css/index_002.css +++ /dev/null @@ -1 +0,0 @@ -/* CSS placed here will affect the print output */ \ No newline at end of file diff --git a/web/webfiles/css/index_003.css b/web/webfiles/css/index_003.css deleted file mode 100644 index bf5c91c..0000000 --- a/web/webfiles/css/index_003.css +++ /dev/null @@ -1 +0,0 @@ -/** CSS placed here will be applied to all skins */ \ No newline at end of file diff --git a/web/webfiles/css/index_004.css b/web/webfiles/css/index_004.css deleted file mode 100644 index 3b97146..0000000 
--- a/web/webfiles/css/index_004.css
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
 */
-#footer { text-align: center; border: none; padding: 0; }
-#p-cactions li.selected { border-color: #708090; padding: 0 0 .2em 0; font-weight: bold; }
-pre
-{
-    generic-family: "Envy Code R", "Liberation Mono", Consolas, "Lucida Console", monospace;
-
-    /* border: 1px solid #dbdbdb; */
-
-    border: 1px solid #cfcfcf;
-    background-color: #fefefe;
-    line-height: 1.1em;
-    padding: 0.55em;
-/*
-    -moz-border-radius-topright: 0.5em;
-    -webkit-border-top-right-radius: 0.5em;
-    border-radius-topright: 0.5em;
-*/
-}
-/** 
*/ \ No newline at end of file diff --git a/web/webfiles/css/main.css b/web/webfiles/css/main.css deleted file mode 100644 index a864cc9..0000000 --- a/web/webfiles/css/main.css +++ /dev/null @@ -1,1461 +0,0 @@ -/* -** MediaWiki 'monobook' style sheet for CSS2-capable browsers. -** Copyright Gabriel Wicke - http://wikidev.net/ -** License: GPL (http://www.gnu.org/copyleft/gpl.html) -** -** Loosely based on http://www.positioniseverything.net/ordered-floats.html by Big John -** and the Plone 2.0 styles, see http://plone.org/ (Alexander Limi,Joe Geldart & Tom Croucher, -** Michael Zeltner and Geir Bækholt) -** All you guys rock :) -*/ - -#column-content { - width: 100%; - float: right; - margin: 0 0 .6em -12.2em; - padding: 0; -} - -#content { - margin: 2.2em 0 0 2.2em; - padding: 0 1em 1.5em 1em; - background: white; - color: black; - border: 1px solid #aaa; - border-right: none; - line-height: 1.5em; - position: relative; - z-index: 2; -} - -#column-one { - padding-top: 30px; -} - -#content { - background: white; - color: black; - border: 1px solid #aaa; - border-right: none; - line-height: 1.5em; -} - -/* Font size: -** We take advantage of keyword scaling- browsers won't go below 9px -** More at http://www.w3.org/2003/07/30-font-size -** http://style.cleverchimp.com/font_size_intervals/altintervals.html -*/ - -body { - font: x-small sans-serif; - background-color: #ffffff; - font-family: Verdana, helvetica, sans-serif; - font-size: 10px; - color: black; - margin: 0; - padding: 0; -} - -/* scale back up to a sane default */ -#globalWrapper { - font-size: 127%; - width: 100%; - margin: 0; - padding: 0; -} -.visualClear { - clear: both; -} - -/* general styles */ - -table { - font-size: 100%; - color: black; - /* we don't want the bottom borders of

s to be visible through - floated tables */ - background-color: white; -} -fieldset table { - /* but keep table layouts in forms clean... */ - background: none; -} - -a:link, a:visited, a:active { text-decoration: underline; color: #173F99 } -a:hover { color: #505050 } - -a.stub { - color: #772233; -} -a.new, #p-personal a.new { - color: #ba0000; -} -a.new:visited, #p-personal a.new:visited { - color: #a55858; -} - -img { - border: none; - vertical-align: middle; -} -p { - margin: .4em 0 .5em 0; - line-height: 1.5em; -} -p img { - margin: 0; -} - -hr { - height: 1px; - color: #aaa; - background-color: #aaa; - border: 0; - margin: .2em 0 .2em 0; -} - -h1, h2, h3, h4, h5, h6 { - color: black; - background: none; - font-weight: normal; - margin: 0; - padding-top: .5em; - padding-bottom: .17em; - border-bottom: 1px solid #aaa; -} -h1 { font-size: 188%; } -h1 .editsection { font-size: 53%; } -h2 { font-size: 150%; } -h2 .editsection { font-size: 67%; } -h3, h4, h5, h6 { - border-bottom: none; - font-weight: bold; -} -h3 { font-size: 132%; } -h3 .editsection { font-size: 76%; font-weight: normal; } -h4 { font-size: 116%; } -h4 .editsection { font-size: 86%; font-weight: normal; } -h5 { font-size: 100%; } -h5 .editsection { font-weight: normal; } -h6 { font-size: 80%; } -h6 .editsection { font-size: 125%; font-weight: normal; } - -ul { - line-height: 1.5em; - list-style-type: square; - margin: .3em 0 0 1.5em; - padding: 0; - list-style-image: url(bullet.gif); -} -ol { - line-height: 1.5em; - margin: .3em 0 0 3.2em; - padding: 0; - list-style-image: none; -} -li { - margin-bottom: .1em; -} -dt { - font-weight: bold; - margin-bottom: .1em; -} -dl { - margin-top: .2em; - margin-bottom: .5em; -} -dd { - line-height: 1.5em; - margin-left: 2em; - margin-bottom: .1em; -} - -fieldset { - border: 1px solid #2f6fab; - margin: 1em 0 1em 0; - padding: 0 1em 1em; - line-height: 1.5em; -} -fieldset.nested { - margin: 0 0 0.5em 0; - padding: 0 0.5em 0.5em; -} -legend { - padding: .5em; 
- font-size: 95%; -} -form { - border: none; - margin: 0; -} - -textarea { - width: 100%; - padding: .1em; -} - -input.historysubmit { - padding: 0 .3em .3em .3em !important; - font-size: 94%; - cursor: pointer; - height: 1.7em !important; - margin-left: 1.6em; -} -select { - vertical-align: top; -} -abbr, acronym, .explain { - border-bottom: 1px dotted black; - color: black; - background: none; - cursor: help; -} -q { - font-family: Times, "Times New Roman", serif; - font-style: italic; -} -/* disabled for now -blockquote { - font-family: Times, "Times New Roman", serif; - font-style: italic; -}*/ -code { - background-color: #f9f9f9; -} -pre { - padding: 1em; - border: 1px dashed #2f6fab; - color: black; - background-color: #f9f9f9; - line-height: 1.1em; -} - -/* -** the main content area -*/ - -#siteSub { - display: none; -} -#jump-to-nav { - display: none; -} - -#contentSub, #contentSub2 { - font-size: 84%; - line-height: 1.2em; - margin: 0 0 1.4em 1em; - color: #7d7d7d; - width: auto; -} -span.subpages { - display: block; -} - -/* Some space under the headers in the content area */ -#bodyContent h1, #bodyContent h2 { - margin-bottom: .6em; -} -#bodyContent h3, #bodyContent h4, #bodyContent h5 { - margin-bottom: .3em; -} -.firstHeading { - margin-bottom: .1em; - /* These two rules hack around bug 2013 (fix for more limited bug 11325). - When bug 2013 is fixed properly, they should be removed. 
*/ - line-height: 1.2em; - padding-bottom: 0; -} - -/* user notification thing */ -.usermessage { - background-color: #ffce7b; - border: 1px solid #ffa500; - color: black; - font-weight: bold; - margin: 2em 0 1em; - padding: .5em 1em; - vertical-align: middle; -} -#siteNotice { - text-align: center; - font-size: 95%; - padding: 0 .9em; -} -#siteNotice p { - margin: 0; - padding: 0; -} -.success { - color: green; - font-size: larger; -} -.error { - color: red; - font-size: larger; -} -.errorbox, .successbox { - font-size: larger; - border: 2px solid; - padding: .5em 1em; - float: left; - margin-bottom: 2em; - color: #000; -} -.errorbox { - border-color: red; - background-color: #fff2f2; -} -.successbox { - border-color: green; - background-color: #dfd; -} -.errorbox h2, .successbox h2 { - font-size: 1em; - font-weight: bold; - display: inline; - margin: 0 .5em 0 0; - border: none; -} - -.catlinks { - border: 1px solid #aaa; - background-color: #f9f9f9; - padding: 5px; - margin-top: 1em; - clear: both; -} -/* currently unused, intended to be used by a metadata box -in the bottom-right corner of the content area */ -.documentDescription { - /* The summary text describing the document */ - font-weight: bold; - display: block; - margin: 1em 0; - line-height: 1.5em; -} -.documentByLine { - text-align: right; - font-size: 90%; - clear: both; - font-weight: normal; - color: #76797c; -} - -/* emulate center */ -.center { - width: 100%; - text-align: center; -} -*.center * { - margin-left: auto; - margin-right: auto; -} -/* small for tables and similar */ -.small, .small * { - font-size: 94%; -} -table.small { - font-size: 100%; -} - -/* -** content styles -*/ - -#toc, -.toc, -.mw-warning { - border: 1px solid #aaa; - background-color: #f9f9f9; - padding: 5px; - font-size: 95%; -} -#toc h2, -.toc h2 { - display: inline; - border: none; - padding: 0; - font-size: 100%; - font-weight: bold; -} -#toc #toctitle, -.toc #toctitle, -#toc .toctitle, -.toc .toctitle { - text-align: 
center; -} -#toc ul, -.toc ul { - list-style-type: none; - list-style-image: none; - margin-left: 0; - padding-left: 0; - text-align: left; -} -#toc ul ul, -.toc ul ul { - margin: 0 0 0 2em; -} -#toc .toctoggle, -.toc .toctoggle { - font-size: 94%; -} - -.mw-warning { - margin-left: 50px; - margin-right: 50px; - text-align: center; -} - -/* images */ -div.floatright, table.floatright { - clear: right; - float: right; - position: relative; - margin: 0 0 .5em .5em; - border: 0; -/* - border: .5em solid white; - border-width: .5em 0 .8em 1.4em; -*/ -} -div.floatright p { font-style: italic; } -div.floatleft, table.floatleft { - float: left; - clear: left; - position: relative; - margin: 0 .5em .5em 0; - border: 0; -/* - margin: .3em .5em .5em 0; - border: .5em solid white; - border-width: .5em 1.4em .8em 0; -*/ -} -div.floatleft p { font-style: italic; } -/* thumbnails */ -div.thumb { - margin-bottom: .5em; - border-style: solid; - border-color: white; - width: auto; -} -div.thumbinner { - border: 1px solid #ccc; - padding: 3px !important; - background-color: #f9f9f9; - font-size: 94%; - text-align: center; - overflow: hidden; -} -html .thumbimage { - border: 1px solid #ccc; -} -html .thumbcaption { - border: none; - text-align: left; - line-height: 1.4em; - padding: 3px !important; - font-size: 94%; -} -div.magnify { - float: right; - border: none !important; - background: none !important; -} -div.magnify a, div.magnify img { - display: block; - border: none !important; - background: none !important; -} -div.tright { - clear: right; - float: right; - border-width: .5em 0 .8em 1.4em; -} -div.tleft { - float: left; - clear: left; - margin-right: .5em; - border-width: .5em 1.4em .8em 0; -} -img.thumbborder { - border: 1px solid #dddddd; -} -.hiddenStructure { - display: none; -} - -/* -** classes for special content elements like town boxes -** intended to be referenced directly from the wiki src -*/ - -/* -** User styles -*/ -/* table standards */ -table.rimage { - 
float: right; - position: relative; - margin-left: 1em; - margin-bottom: 1em; - text-align: center; -} -.toccolours { - border: 1px solid #aaa; - background-color: #f9f9f9; - padding: 5px; - font-size: 95%; -} - -/* -** edit views etc -*/ -.special li { - line-height: 1.4em; - margin: 0; - padding: 0; -} - -/* -** keep the whitespace in front of the ^=, hides rule from konqueror -** this is css3, the validator doesn't like it when validating as css2 -*/ -#bodyContent a.external, -#bodyContent a[href ^="gopher://"] { - background: url(external.png) center right no-repeat; - padding-right: 13px; -} -#bodyContent a[href ^="https://"], -.link-https { - background: url(lock_icon.gif) center right no-repeat; - padding-right: 16px; -} -#bodyContent a[href ^="mailto:"], -.link-mailto { - background: url(mail_icon.gif) center right no-repeat; - padding-right: 18px; -} -#bodyContent a[href ^="news://"] { - background: url(news_icon.png) center right no-repeat; - padding-right: 18px; -} -#bodyContent a[href ^="ftp://"], -.link-ftp { - background: url(file_icon.gif) center right no-repeat; - padding-right: 18px; -} -#bodyContent a[href ^="irc://"], -#bodyContent a.extiw[href ^="irc://"], -.link-irc { - background: url(discussionitem_icon.gif) center right no-repeat; - padding-right: 18px; -} -#bodyContent a.external[href $=".ogg"], #bodyContent a.external[href $=".OGG"], -#bodyContent a.external[href $=".mid"], #bodyContent a.external[href $=".MID"], -#bodyContent a.external[href $=".midi"], #bodyContent a.external[href $=".MIDI"], -#bodyContent a.external[href $=".mp3"], #bodyContent a.external[href $=".MP3"], -#bodyContent a.external[href $=".wav"], #bodyContent a.external[href $=".WAV"], -#bodyContent a.external[href $=".wma"], #bodyContent a.external[href $=".WMA"], -.link-audio { - background: url("audio.png") center right no-repeat; - padding-right: 13px; -} -#bodyContent a.external[href $=".ogm"], #bodyContent a.external[href $=".OGM"], -#bodyContent a.external[href 
$=".avi"], #bodyContent a.external[href $=".AVI"], -#bodyContent a.external[href $=".mpeg"], #bodyContent a.external[href $=".MPEG"], -#bodyContent a.external[href $=".mpg"], #bodyContent a.external[href $=".MPG"], -.link-video { - background: url("video.png") center right no-repeat; - padding-right: 13px; -} -#bodyContent a.external[href $=".pdf"], #bodyContent a.external[href $=".PDF"], -#bodyContent a.external[href *=".pdf#"], #bodyContent a.external[href *=".PDF#"], -#bodyContent a.external[href *=".pdf?"], #bodyContent a.external[href *=".PDF?"], -.link-document { - background: url("document.png") center right no-repeat; - padding-right: 12px; -} - -/* disable interwiki styling */ -#bodyContent a.extiw, -#bodyContent a.extiw:active { - color: #36b; - background: none; - padding: 0; -} -#bodyContent a.external { - color: #36b; -} -/* this can be used in the content area to switch off -special external link styling */ -#bodyContent .plainlinks a { - background: none !important; - padding: 0 !important; -} - -/* -** the personal toolbar -*/ - -#p-personal { - width: 100%; - white-space: nowrap; - padding: 0; - margin: 0; - position: absolute; - top: 9.2em; - z-index: 0; - border: none; - background: none; - overflow: visible; - line-height: 1.2em; -} - -#p-personal h5 { - display: none; -} -#p-personal .portlet, -#p-personal .pBody { - padding: 0; - margin: 0; - border: none; - z-index: 0; - overflow: visible; - background: none; -} -/* this is the ul contained in the portlet */ -#p-personal ul { - border: none; - line-height: 1.4em; - color: #2f6fab; - padding: 0 2em 0 3em; - margin: 0; - text-align: right; - text-transform: lowercase; - list-style: none; - z-index: 0; - background: none; - cursor: default; -} -#p-personal li { - z-index: 0; - border: none; - padding: 0; - display: inline; - color: #2f6fab; - margin-left: 1em; - line-height: 1.2em; - background: none; -} -#p-personal li.active { - font-weight: bold; -} -#p-personal li a { - text-decoration: 
none; - color: #005896; - padding-bottom: 0.2em; - background: none; -} -#p-personal li a:hover { - background-color: white; - padding-bottom: 0.2em; - text-decoration: none; -} - - -/* the icon in front of the user name, single quotes -in bg url to hide it from iemac */ -li#pt-userpage, -li#pt-anonuserpage, -li#pt-login { - background: url(user.gif) top left no-repeat; - padding-left: 20px; - text-transform: none; -} -#p-personal ul { - text-transform: lowercase; -} -#p-personal li.active { - font-weight: bold; -} -/* -** the page-related actions- page/talk, edit etc -*/ - -/* -** the page-related actions- page/talk, edit etc -*/ -#p-cactions { - position: absolute; - top: 10.5em; - left: 12.2em; - margin: 0; - white-space: nowrap; - width: 76%; - line-height: 1.1em; - overflow: visible; - background: none; - border-collapse: collapse; - padding-left: 1em; - list-style: none; - font-size: 95%; -} -#p-cactions .hiddenStructure { - display: none; -} -#p-cactions ul { - list-style: none; -} -#p-cactions li { - display: inline; - border: 1px solid #aaa; - border-bottom: none; - padding: 0 0 .1em 0; - margin: 0 .3em 0 0; - overflow: visible; - background: white; -} -#p-cactions li.selected { - border-color: #fabd23; - padding: 0 0 .2em 0; - font-weight: bold; -} -#p-cactions li a { - background-color: #fbfbfb; - color: #002bb8; - border: none; - padding: 0 .8em .3em; - text-decoration: none; - text-transform: lowercase; - position: relative; - z-index: 0; - margin: 0; -} -#p-cactions li.selected a { - z-index: 3; - background-color: #fff; - padding: 0 1em .2em!important; -} -#p-cactions .new a { - color: #ba0000; -} -#p-cactions li a:hover { - z-index: 3; - text-decoration: none; - background-color: #fff; -} -#p-cactions h5 { - display: none; -} -#p-cactions li.istalk { - margin-right: 0; -} -#p-cactions li.istalk a { - padding-right: .5em; -} -#p-cactions #ca-addsection a { - padding-left: .4em; - padding-right: .4em; -} -/* offsets to distinguish the tab groups */ 
-li#ca-talk { - margin-right: 1.6em; -} -li#ca-watch, li#ca-unwatch, li#ca-varlang-0, li#ca-print { - margin-left: 1.6em; -} - - -#p-cactions .pBody { - font-size: 1em; - background-color: transparent; - color: inherit; - border-collapse: inherit; - border: 0; - padding: 0; -} -#p-cactions .hiddenStructure { - display: none; -} -#p-cactions li a { - text-transform: lowercase; -} - -#p-lang { - position: relative; - z-index: 3; -} - -/* TODO: #t-iscite is only used by the Cite extension, come up with some - * system which allows extensions to add to this file on the fly - */ -#t-ispermalink, #t-iscite { - color: #999; -} -/* -** footer -*/ -#footer { - background-color: white; - border-top: 1px solid #fabd23; - border-bottom: 1px solid #fabd23; - margin: .6em 0 1em 0; - padding: .4em 0 1.2em 0; - text-align: center; - font-size: 90%; - margin-left: 20px; -} -#footer li { - display: inline; - margin: 0 1.3em; -} -#f-poweredbyico, #f-copyrightico { - margin: 0 8px; - position: relative; - top: -2px; /* Bump it up just a tad */ -} -#f-poweredbyico { - float: right; - height: 1%; -} -#f-copyrightico { - float: left; - height: 1%; -} - -/* js pref toc */ -#preftoc { - margin: 0; - padding: 0; - width: 100%; - clear: both; -} -#preftoc li { - background-color: #f0f0f0; - color: #000; -} -#preftoc li { - margin: 1px -2px 1px 2px; - float: left; - padding: 2px 0 3px 0; - border: 1px solid #fff; - border-right-color: #716f64; - border-bottom: 0; - position: relative; - white-space: nowrap; - list-style-type: none; - list-style-image: none; - z-index: 3; -} -#preftoc li.selected { - font-weight: bold; - background-color: #f9f9f9; - border: 1px solid #aaa; - border-bottom: none; - cursor: default; - top: 1px; - padding-top: 2px; - margin-right: -3px; -} -#preftoc > li.selected { - top: 2px; -} -#preftoc a, -#preftoc a:active { - display: block; - color: #000; - padding: 0 .7em; - position: relative; - text-decoration: none; -} -#preftoc li.selected a { - cursor: default; - 
text-decoration: none; -} -#prefcontrol { - padding-top: 2em; - clear: both; -} -#preferences { - margin: 0; - border: 1px solid #aaa; - clear: both; - padding: 1.5em; - background-color: #F9F9F9; -} -.prefsection { - border: none; - padding: 0; - margin: 0; -} -.prefsection fieldset { - border: 1px solid #aaa; - float: left; - margin-right: 2em; -} -.prefsection legend { - font-weight: bold; -} -.prefsection table, .prefsection legend { - background-color: #F9F9F9; -} -.mainLegend { - display: none; -} -div.prefsectiontip { - font-size: x-small; - padding: .2em 2em; - color: #666; -} -.btnSavePrefs { - font-weight: bold; - padding-left: .3em; - padding-right: .3em; -} - -.preferences-login { - clear: both; - margin-bottom: 1.5em; -} - -.prefcache { - font-size: 90%; - margin-top: 2em; -} - -div#userloginForm form, -div#userlogin form#userlogin2 { - margin: 0 3em 1em 0; - border: 1px solid #aaa; - clear: both; - padding: 1.5em 2em; - background-color: #f9f9f9; - float: left; -} -.rtl div#userloginForm form, -.rtl div#userlogin form#userlogin2 { - float: right; -} - -div#userloginForm table, -div#userlogin form#userlogin2 table { - background-color: #f9f9f9; -} - -div#userloginForm h2, -div#userlogin form#userlogin2 h2 { - padding-top: 0; -} - -div#userlogin .captcha, -div#userloginForm .captcha { - border: 1px solid #bbb; - padding: 1.5em 2em; - background-color: white; -} - -#loginend, #signupend { - clear: both; -} - -#userloginprompt, #languagelinks { - font-size: 85%; -} - -#login-sectiontip { - font-size: 85%; - line-height: 1.2; - padding-top: 2em; -} - -#userlogin .loginText, #userlogin .loginPassword { - width: 12em; -} - -#userloginlink a, #wpLoginattempt, #wpCreateaccount { - font-weight: bold; -} - -/* -** IE/Mac fixes, hope to find a validating way to move this -** to a separate stylesheet. 
This would work but doesn't validate: -** @import("IEMacFixes.css"); -*/ -/* tabs: border on the a, not the div */ -* > html #p-cactions li { border: none; } -* > html #p-cactions li a { - border: 1px solid #aaa; - border-bottom: none; -} -* > html #p-cactions li.selected a { border-color: #fabd23; } -/* footer icons need a fixed width */ -* > html #f-poweredbyico, -* > html #f-copyrightico { width: 88px; } -* > html #bodyContent, -* > html #bodyContent pre { - overflow-x: auto; - width: 100%; - padding-bottom: 25px; -} - -/* more IE fixes */ -/* float/negative margin brokenness */ -* html #footer {margin-top: 0;} -* html #column-content { - display: inline; - margin-bottom: 0; -} -* html div.editsection { font-size: smaller; } -#pagehistory li.selected { position: relative; } - -/* Mac IE 5.0 fix; floated content turns invisible */ -* > html #column-content { - float: none; -} -* > html #column-one { - position: absolute; - left: 0; - top: 0; -} -* > html #footer { - margin-left: 13.2em; -} -.redirectText { - font-size: 150%; - margin: 5px; -} - -.printfooter { - display: none; -} - -.not-patrolled { - background-color: #ffa; -} -div.patrollink { - clear: both; - font-size: 75%; - text-align: right; -} -span.newpage, span.minor, span.bot { - font-weight: bold; -} -span.unpatrolled { - font-weight: bold; - color: red; -} - -.sharedUploadNotice { - font-style: italic; -} - -span.updatedmarker { - color: black; - background-color: #0f0; -} - -table.gallery { - border: 1px solid #ccc; - margin: 2px; - padding: 2px; - background-color: white; -} - -table.gallery tr { - vertical-align: top; -} - -table.gallery td { - vertical-align: top; - background-color: #f9f9f9; - border: solid 2px white; -} -/* Keep this temporarily so that cached pages will display right */ -table.gallery td.galleryheader { - text-align: center; - font-weight: bold; -} -table.gallery caption { - font-weight: bold; -} - -div.gallerybox { - margin: 2px; -} - -div.gallerybox div.thumb { - text-align: 
center; - border: 1px solid #ccc; - margin: 2px; -} - -div.gallerytext { - overflow: hidden; - font-size: 94%; - padding: 2px 4px; -} - -span.comment { - font-style: italic; -} - -span.changedby { - font-size: 95%; -} - -.previewnote { - text-indent: 3em; - color: #c00; - border-bottom: 1px solid #aaa; - padding-bottom: 1em; - margin-bottom: 1em; -} - -.previewnote p { - margin: 0; - padding: 0; -} - -.editExternally { - border: 1px solid gray; - background-color: #ffffff; - padding: 3px; - margin-top: 0.5em; - float: left; - font-size: small; - text-align: center; -} -.editExternallyHelp { - font-style: italic; - color: gray; -} - -.toggle { - margin-left: 2em; - text-indent: -2em; -} - -/* Classes for EXIF data display */ -table.mw_metadata { - font-size: 0.8em; - margin-left: 0.5em; - margin-bottom: 0.5em; - width: 300px; -} - -table.mw_metadata caption { - font-weight: bold; -} - -table.mw_metadata th { - font-weight: normal; -} - -table.mw_metadata td { - padding: 0.1em; -} - -table.mw_metadata { - border: none; - border-collapse: collapse; -} - -table.mw_metadata td, table.mw_metadata th { - text-align: center; - border: 1px solid #aaaaaa; - padding-left: 0.1em; - padding-right: 0.1em; -} - -table.mw_metadata th { - background-color: #f9f9f9; -} - -table.mw_metadata td { - background-color: #fcfcfc; -} - -table.collapsed tr.collapsable { - display: none; -} - - -/* filetoc */ -ul#filetoc { - text-align: center; - border: 1px solid #aaaaaa; - background-color: #f9f9f9; - padding: 5px; - font-size: 95%; - margin-bottom: 0.5em; - margin-left: 0; - margin-right: 0; -} - -#filetoc li { - display: inline; - list-style-type: none; - padding-right: 2em; -} - -input#wpSummary { - width: 80%; -} - -/* @bug 1714 */ -input#wpSave, input#wpDiff { - margin-right: 0.33em; -} - -#wpSave { - font-weight: bold; -} - -/* Classes for article validation */ - -table.revisionform_default { - border: 1px solid #000000; -} - -table.revisionform_focus { - border: 1px solid #000000; - 
background-color:#00BBFF; -} - -tr.revision_tr_default { - background-color:#EEEEEE; -} - -tr.revision_tr_first { - background-color:#DDDDDD; -} - -p.revision_saved { - color: green; - font-weight:bold; -} - -#mw_trackbacks { - border: solid 1px #bbbbff; - background-color: #eeeeff; - padding: 0.2em; -} - - -/* Allmessages table */ - -#allmessagestable th { - background-color: #b2b2ff; -} - -#allmessagestable tr.orig { - background-color: #ffe2e2; -} - -#allmessagestable tr.new { - background-color: #e2ffe2; -} - -#allmessagestable tr.def { - background-color: #f0f0ff; -} - - -/* noarticletext */ -div.noarticletext { - border: 1px solid #ccc; - background: #fff; - padding: .2em 1em; - color: #000; -} - -div#searchTargetContainer { - left: 10px; - top: 10px; - width: 90%; - background: white; -} - -div#searchTarget { - padding: 3px; - margin: 5px; - background: #F0F0F0; - border: solid 1px blue; -} - -div#searchTarget ul li { - list-style: none; -} - -div#searchTarget ul li:before { - color: orange; - content: "\00BB \0020"; -} - -div#searchTargetHide { - float:right; - border:solid 1px black; - background:#DCDCDC; - padding:2px; -} - -#powersearch p { - margin-top:0px; -} - -div.multipageimagenavbox { - border: solid 1px silver; - padding: 4px; - margin: 1em; - background: #f0f0f0; -} - -div.multipageimagenavbox div.thumb { - border: none; - margin-left: 2em; - margin-right: 2em; -} - -div.multipageimagenavbox hr { - margin: 6px; -} - -table.multipageimage td { - text-align: center; -} - -/** Special:Version */ - -table#sv-ext, table#sv-hooks, table#sv-software { - margin: 1em; - padding:0em; -} - -#sv-ext td, #sv-hooks td, #sv-software td, -#sv-ext th, #sv-hooks th, #sv-software th { - border: 1px solid #A0A0A0; - padding: 0 0.15em 0 0.15em; -} -#sv-ext th, #sv-hooks th, #sv-software th { - background-color: #F0F0F0; - color: black; - padding: 0 0.15em 0 0.15em; -} -tr.sv-space{ - height: 0.8em; - border:none; -} -tr.sv-space td { display: none; } - -/* - Table 
pager (e.g. Special:Imagelist) - - remove underlines from the navigation link - - collapse borders - - set the borders to outsets (similar to Special:Allmessages) - - remove line wrapping for all td and th, set background color - - restore line wrapping for the last two table cells (description and size) -*/ -.TablePager { min-width: 80%; } -.TablePager_nav a { text-decoration: none; } -.TablePager { border-collapse: collapse; } -.TablePager, .TablePager td, .TablePager th { - border: 1px solid #aaaaaa; - padding: 0 0.15em 0 0.15em; -} -.TablePager th { background-color: #eeeeff } -.TablePager td { background-color: #ffffff } -.TablePager tr:hover td { background-color: #eeeeff } - -.imagelist td, .imagelist th { white-space: nowrap } -.imagelist .TablePager_col_links { background-color: #eeeeff } -.imagelist .TablePager_col_img_description { white-space: normal } -.imagelist th.TablePager_sort { background-color: #ccccff } - -.templatesUsed { margin-top: 1.5em; } - -.mw-summary-preview { - margin: 0.1em 0; -} - -/* Friendlier slave lag warnings */ -div.mw-lag-warn-normal, -div.mw-lag-warn-high { - padding: 3px; - text-align: center; - margin: 3px auto; -} -div.mw-lag-warn-normal { - border: 1px solid #FFCC66; - background-color: #FFFFCC; -} -div.mw-lag-warn-high { - font-weight: bold; - border: 2px solid #FF0033; - background-color: #FFCCCC; -} - -.MediaTransformError { - background-color: #ccc; - padding: 0.1em; -} -.MediaTransformError td { - text-align: center; - vertical-align: middle; - font-size: 90%; -} - -/** Special:Search stuff */ -div#mw-search-interwiki-caption { - text-align: center; - font-weight: bold; - font-size: 95%; -} - -.mw-search-interwiki-project { - font-size: 97%; - text-align: left; - padding-left: 0.2em; - padding-right: 0.15em; - padding-bottom: 0.2em; - padding-top: 0.15em; - background: #cae8ff; -} - -/* God-damned hack for the crappy layout */ -.os-suggest { - font-size: 127%; -} - - -.top { vertical-align: middle; text-align: 
center; padding: 0px; font-family: Verdana, helvitica, sans-serif; font-size: 12px; } - -.sidebar { - position: absolute; - padding-left: 3px; - top: 11.5em; -} - -.inspbox { - margin-left: 5px; - margin-top: 5px; - margin-bottom: 5px; - width: 145px; -} - -#footer { text-align: center; border: none; padding: 0; } -#p-cactions li.selected { border-color: #708090; padding: 0 0 .2em 0; font-weight: bold; } -pre -{ - generic-family: "Envy Code R", "Liberation Mono", Consolas, "Lucida Console", monospace; - - /* border: 1px solid #dbdbdb; */ - - border: 1px solid #cfcfcf; - background-color: #fefefe; - line-height: 1.1em; - padding: 0.55em; - -} diff --git a/web/webfiles/css/shared.css b/web/webfiles/css/shared.css deleted file mode 100644 index 7404a15..0000000 --- a/web/webfiles/css/shared.css +++ /dev/null @@ -1,320 +0,0 @@ -/** - * CSS in this file is used by *all* skins (that have any CSS at all). Be - * careful what you put in here, since what looks good in one skin may not in - * another, but don't ignore the poor non-Monobook users either. - */ -.mw-plusminus-null { color: #aaa; } - -.texvc { direction: ltr; unicode-bidi: embed; } -img.tex { vertical-align: middle; } -span.texhtml { font-family: serif; } - -/* add a bit of margin space between the preview and the toolbar */ -/* this replaces the ugly


we used to insert into the page source */ -#wikiPreview.ontop { margin-bottom: 1em; } - -/* Stop floats from intruding into edit area in previews */ -#toolbar, #wpTextbox1 { clear: both; } - -div#mw-js-message { - margin: 1em 5%; - padding: 0.5em 2.5%; - border: solid 1px #ddd; - background-color: #fcfcfc; -} - -/* Edit section links */ -.editsection { - float: right; - margin-left: 5px; -} - -/** - * File histories - */ -table.filehistory { - border:1px solid #ccc; - border-collapse:collapse; -} - -table.filehistory th, -table.filehistory td { - padding: 0 0.2em 0 0.2em; - vertical-align:top; - border:1px solid #ccc; -} -table.filehistory th { - text-align: left; -} -table.filehistory td.mw-imagepage-filesize, -table.filehistory th.mw-imagepage-filesize { - white-space:nowrap; -} - -table.filehistory td.filehistory-selected { - font-weight: bold; -} - -/* - * rev_deleted stuff - */ -li span.deleted, span.history-deleted { - text-decoration: line-through; - color: #888; - font-style: italic; -} - -/** - * Forms - */ -body.ltr td.mw-label { text-align: right; } -body.ltr td.mw-input { text-align: left; } -body.ltr td.mw-submit { text-align: left; } -body.rtl td.mw-label { text-align: left; } -body.rtl td.mw-input { text-align: right; } -body.rtl td.mw-submit { text-align: right; } - -td.mw-label { vertical-align: top; } -td.mw-submit { white-space: nowrap; } - -/** - * Image captions - */ -body.rtl .thumbcaption { text-align:right; } -body.rtl .magnify { float:left; } - -body.ltr .thumbcaption { text-align:left; } -body.ltr .magnify { float:right; } - -/** - * Hidden categories - */ -.mw-hidden-cats-hidden { display: none; } -.catlinks-allhidden { display: none; } - -/* Convenience links to edit block, delete and protect reasons */ -p.mw-ipb-conveniencelinks, p.mw-protect-editreasons, -p.mw-filedelete-editreasons, p.mw-delete-editreasons { - font-size: 90%; - float: right; -} - -/* Search results */ -div.searchresult { - font-size: 95%; - width:38em; -} 
-.mw-search-results li { - padding-bottom: 1em; - list-style:none; -} -.mw-search-result-data { - color: green; - font-size: 97%; -} - -td#mw-search-menu { - padding-left:6em; - font-size:85%; -} - -div#mw-search-interwiki { - float: right; - width: 18em; - border-style: solid; - border-color: #AAAAAA; - border-width: 1px; - margin-top: 2ex; -} - -div#mw-search-interwiki li { - font-size: 95%; -} - -.mw-search-interwiki-more { - float: right; - font-size: 90%; -} - -span.searchalttitle { - font-size: 95%; -} - -div.searchdidyoumean { - font-size: 127%; - margin-bottom: 1ex; - margin-top: 1ex; - /* Note that this color won't affect the link, as desired. */ - color: #c00; -} - -div.searchdidyoumean em { - font-weight: bold; -} - -.searchmatch { - font-weight: bold; -} - -div.searchresults { - border:1px solid darkblue; - padding-top: 10px; - padding-bottom: 10px; - padding-left: 20px; - padding-right: 20px; -} - -/* - * UserRights stuff - */ -.mw-userrights-disabled { - color: #888; -} - -table.mw-userrights-groups * td,table.mw-userrights-groups * th { - padding-right: 1.5em; -} - -/* - * OpenSearch ajax suggestions - */ -.os-suggest { - overflow: auto; - overflow-x: hidden; - position: absolute; - top: 0px; - left: 0px; - width: 0px; - background-color: white; - background-color: Window; - border-style: solid; - border-color: #AAAAAA; - border-width: 1px; - z-index:99; - visibility:hidden; - font-size:95%; -} - -table.os-suggest-results { - font-size: 95%; - cursor: pointer; - border: 0; - border-collapse: collapse; - width: 100%; -} - -td.os-suggest-result, td.os-suggest-result-hl { - white-space: nowrap; - background-color: white; - background-color: Window; - color: black; - color: WindowText; - padding: 2px; -} -td.os-suggest-result-hl, -td.os-suggest-result-hl-webkit { - background-color: #4C59A6; - color: white; -} -td.os-suggest-result-hl { - /* System colors are misimplemented in Safari 3.0 and earlier, - making highlighted text illegible... 
*/ - background-color: Highlight; - color: HighlightText; -} - -.os-suggest-toggle { - position: relative; - left: 1ex; - font-size: 65%; -} -.os-suggest-toggle-def { - position: absolute; - top: 0px; - left: 0px; - font-size: 65%; - visibility: hidden; -} - -/* Page history styling */ -/* the auto-generated edit comments */ -.autocomment { color: gray; } -#pagehistory .history-user { - margin-left: 0.4em; - margin-right: 0.2em; -} -#pagehistory span.minor { font-weight: bold; } -#pagehistory li { border: 1px solid white; } -#pagehistory li.selected { - background-color: #f9f9f9; - border: 1px dashed #aaa; -} - -/* - * Special:ListGroupRights styling - * Special:Statistics styling -*/ - -table.mw-listgrouprights-table, -table.mw-statistics-table { - border: 1px solid #ccc; - border-collapse: collapse; -} - -table.mw-listgrouprights-table tr { - vertical-align: top; -} - -table.mw-listgrouprights-table td, table.mw-listgrouprights-table th, -table.mw-statistics-table td, table.mw-statistics-table th { - padding: 0.5em 0.2em 0.5em 0.2em; - border: 1px solid #ccc; -} - -td.mw-statistics-numbers { - text-align: right; -} - -/* Special:SpecialPages styling */ -h4.mw-specialpagesgroup { - background-color: #dcdcdc; - padding: 2px; - margin: .3em 0em 0em 0em; -} -.mw-specialpagerestricted { - font-weight: bold; -} - -#shared-image-dup, #shared-image-conflict { - font-style: italic; -} - -/* Special:EmailUser styling */ -table.mw-emailuser-table { - width: 98%; -} -td#mw-emailuser-sender, td#mw-emailuser-recipient { - font-weight: bold; -} - -/* - * Recreating deleted page warning - * Reupload file warning - * Page protection warning - * incl. 
log entries for these warnings
- */
-div.mw-warning-with-logexcerpt {
- padding: 3px;
- margin-bottom: 3px;
- border: 2px solid #2F6FAB;
-}
-div.mw-warning-with-logexcerpt ul li {
- font-size: 90%;
-}
-
-/* (show/hide) revision deletion links */
-span.mw-revdelundel-link,
-strong.mw-revdelundel-link {
- font-family: monospace;
- font-size: smaller
-}
\ No newline at end of file
diff --git a/web/webfiles/img/Cross.png b/web/webfiles/img/Cross.png
deleted file mode 100644
index e006129..0000000
Binary files a/web/webfiles/img/Cross.png and /dev/null differ
diff --git a/web/webfiles/img/Tick.png b/web/webfiles/img/Tick.png
deleted file mode 100644
index d5f75ba..0000000
Binary files a/web/webfiles/img/Tick.png and /dev/null differ
diff --git a/web/webfiles/img/Unknown.png b/web/webfiles/img/Unknown.png
deleted file mode 100644
index c67c7a6..0000000
Binary files a/web/webfiles/img/Unknown.png and /dev/null differ
diff --git a/web/webfiles/img/gnu-fdl.png b/web/webfiles/img/gnu-fdl.png
deleted file mode 100644
index 1371aba..0000000
Binary files a/web/webfiles/img/gnu-fdl.png and /dev/null differ
diff --git a/web/webfiles/img/hydra_pass.jpg b/web/webfiles/img/hydra_pass.jpg
deleted file mode 100644
index 35b15b0..0000000
Binary files a/web/webfiles/img/hydra_pass.jpg and /dev/null differ
diff --git a/web/webfiles/img/hydra_start.jpg b/web/webfiles/img/hydra_start.jpg
deleted file mode 100644
index 841d780..0000000
Binary files a/web/webfiles/img/hydra_start.jpg and /dev/null differ
diff --git a/web/webfiles/img/hydra_target.jpg b/web/webfiles/img/hydra_target.jpg
deleted file mode 100644
index 9670bff..0000000
Binary files a/web/webfiles/img/hydra_target.jpg and /dev/null differ
diff --git a/web/xhydra.png b/web/xhydra.png
deleted file mode 100644
index 39f2704..0000000
Binary files a/web/xhydra.png and /dev/null differ
diff --git a/xhydra.desktop b/xhydra.desktop
new file mode 100644
index 0000000..69debb5
--- /dev/null
+++ b/xhydra.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=XHydra
+GenericName=Hydra very fast network log-on cracker
+Comment=GUI frontend for Hydra network log-on cracker
+Version=1.0
+Exec=xhydra
+Icon=xhydra
+Terminal=false
+Type=Application
+Categories=System;Security;GTK;
diff --git a/xhydra.jpg b/xhydra.jpg
index 008d256..b0ed22e 100644
Binary files a/xhydra.jpg and b/xhydra.jpg differ
diff --git a/web/webfiles/img/xhydra.png b/xhydra.png
similarity index 100%
rename from web/webfiles/img/xhydra.png
rename to xhydra.png
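Review bot: `Icon=xhydra` names a theme icon, so the menu entry only shows its icon if xhydra.png is installed into an icon theme directory (hicolor or similar) or the key is given as an absolute path; this commit renames web/webfiles/img/xhydra.png to xhydra.png at the repository root, but no install rule for it is visible in the diff, so that presumably has to live in the Makefile or the packaging. In the same way `Exec=xhydra` relies on the binary being on PATH once installed, which is fine for a packaged install but worth stating in the README or install target. `GenericName` is intended to be a short generic description, with the longer wording kept in `Comment`, so `GenericName=Network Login Cracker` would match the Desktop Entry convention better. `Version=1.0` here is the Desktop Entry Specification version rather than the application's release, which a comment line `# Version is the desktop-entry spec version, not the xhydra release` would keep future editors from "bumping".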