From 28aaa7bab9f25bfff9f4dfb03a02cd3fb5a526f6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 8 Sep 2022 10:33:59 +0200 Subject: [PATCH 01/79] v9.5-dev init --- CHANGES | 4 ++++ hydra.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 8fd6cf4..2111ce2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ Changelog for hydra ------------------- +Release 9.5-dev +* ... your patch? :) + + Release 9.4 * Switched from pcre/pcre3 to pcre2 as pcre/pcre3 will be dropped from Debian * Small fix for weird RTSP servers diff --git a/hydra.c b/hydra.c index 12772bb..2e4f2ab 100644 --- a/hydra.c +++ b/hydra.c @@ -228,7 +228,7 @@ char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs fire #define RESTOREFILE "./hydra.restore" #define PROGRAM "Hydra" -#define VERSION "v9.4" +#define VERSION "v9.5-dev" #define AUTHOR "van Hauser/THC" #define EMAIL "" #define AUTHOR2 "David Maciejak" From 613bd02264dcc989eeeb77b83603d4c2f48f0bbc Mon Sep 17 00:00:00 2001 From: Sam James Date: Fri, 9 Sep 2022 04:32:05 +0100 Subject: [PATCH 02/79] Makefile.am: add -D_GNU_SOURCE for strcasestr MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit strcasestr is not a standard function and per the man page, needs -D_GNU_SOURCE to be visible. Fixes a build error: ``` hydra-rtsp.c:20:7: error: implicit declaration of function ‘strcasestr’; did you mean ‘strcasecmp’? [-Werror=implicit-function-declaration] 20 | if (strcasestr(s, "401 Unauthorized") != NULL) { | ^~~~~~~~~~ | strcasecmp ``` Signed-off-by: Sam James --- Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile.am b/Makefile.am index 8cd56d1..a8da8d6 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -5,6 +5,7 @@ WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversio WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align CFLAGS ?= -g OPTS=-I. -O3 $(CFLAGS) -fcommon +CPPFLAGS += -D_GNU_SOURCE # -Wall -g -pedantic LIBS=-lm DESTDIR ?= From 882a1a3aaca6257069fa8619352cb986973ff98b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 29 Sep 2022 10:01:56 +0200 Subject: [PATCH 03/79] fix http-...-form help --- CHANGES | 3 ++- hydra-http-form.c | 48 +++++++++++++++++++++++------------------------ 2 files changed, 25 insertions(+), 26 deletions(-) diff --git a/CHANGES b/CHANGES index 2111ce2..3d61f77 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,8 @@ Changelog for hydra ------------------- Release 9.5-dev -* ... your patch? :) +* The help for http forms was wrong. the condition variable must always be + the *last* parameter, not the third Release 9.4 diff --git a/hydra-http-form.c b/hydra-http-form.c index a864088..93953dc 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -1434,27 +1434,26 @@ void usage_http_form(const char *service) { "redirections in\n" "a row. It always gathers a new cookie from the same URL without " "variables\n" - "The parameters take three \":\" separated values, plus optional " + "The parameters requires three \":\" separated values, plus optional " "values.\n" "(Note: if you need a colon in the option string as value, escape it " "with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" - "\nSyntax: :
:[:[:]\n" - "First is the page on the server to GET or POST to (URL).\n" - "Second is the POST/GET variables (taken from either the browser, proxy, " - "etc.\n" - " with url-encoded (resp. base64-encoded) usernames and passwords being " - "replaced in the\n" - " \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") " - "placeholders (FORM PARAMETERS)\n" - "Third is the string that it checks for an *invalid* login (by default)\n" - " Invalid condition login check can be preceded by \"F=\", successful " - "condition\n" + "\nSyntax: :[:[:]:\n" + "\nFirst is the page on the server to GET or POST to (URL), e.g. \"/login\".\n" + "Second is the POST/GET variables (taken from either the browser, proxy, etc.)\n" + " without the initial '?' character and the usernames and passwords being\n" + " replaced with \"^USER^\" (\"^USER64^\" for base64 encodings) and \"^PASS^\"\n" + " (\"^PASS64^\" for base64 encodings).\n" + "Third are optional parameters (see below)\n" + "Last is the string that it checks for an *invalid* login (by default).\n" + " Invalid condition login check can be preceded by \"F=\", successful condition\n" " login check must be preceded by \"S=\".\n" - " This is where most people get it wrong. You have to check the webapp " - "what a\n" - " failed string looks like and put it in this parameter! Add the -d switch to see\nthe sent/received data!\n" - "\nThe following parameters are optional:\n" + " This is where most people get it wrong! You have to check the webapp what a\n" + " failed string looks like and put it in this parameter! 
Add the -d switch to see\n" + " the sent/received data!\n" + " Note that using invalid login condition checks can result in false positives!\n" + "\nThe following parameters are optional and are put between the form parameters\n" + " and the condition string; seperate them too with colons:\n" " 2= 302 page forward return codes identify a successful attempt\n" " (c|C)=/page/uri to define a different page to gather initial " "cookies from\n" @@ -1469,17 +1468,16 @@ void usage_http_form(const char *service) { "exists, by the\n" " one supplied by the user, or add the header at the " "end\n" - "\nNote that if you are going to put colons (:) in your headers you should escape them with a backslash (\\).\n" - " All colons that are not option separators should be escaped (see the " - "examples above and below).\n" - " You can specify a header without escaping the colons, but that way you " - "will not be able to put colons\n" - " in the header value itself, as they will be interpreted by hydra as " - "option separators.\n" + "\nNote that if you are going to put colons (:) in your headers you should escape\n" + "them with a backslash (\\). All colons that are not option separators should be\n" + "escaped (see the examples above and below).\n" + "You can specify a header without escaping the colons, but that way you will not\n" + "be able to put colons in the header value itself, as they will be interpreted by\n" + "hydra as option separators.\n" "\nExamples:\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" " \"/" - "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*" + "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result=" "success\"\n" " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic " From 8ddec0107b57b356820a8f19ca50d2cb5ea687ed Mon Sep 17 00:00:00 2001 
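Review bot: The new help line `" and the condition string; seperate them too with colons:\n"` misspells "separate" in user-visible output; suggest `" and the condition string; separate them too with colons:\n"`. The rest of the hunk only reflows wording, so nothing else in the usage string needs to change. usage_http_form starts before the hunk and continues after it.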
From: vanhauser-thc Date: Thu, 13 Oct 2022 17:28:39 +0200 Subject: [PATCH 04/79] dockerfile fix --- Dockerfile | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4496f50..599e7e1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,18 +35,23 @@ RUN set -x \ gcc \ 1>/dev/null \ # The next line fixes the curl "SSL certificate problem: unable to get local issuer certificate" for linux/arm - && c_rehash \ - # Get hydra sources and compile - && cd /src \ - && ./configure 1>/dev/null \ - && make 1>/dev/null \ - && make install \ - # Make clean - && apt-get purge -y make gcc libgpg-error-dev libgcrypt-dev \ + && c_rehash + +# Get hydra sources and compile +RUN cd /src \ + && make clean \ + && ./configure \ + && make \ + && make install + +# Make clean +RUN apt-get purge -y make gcc \ && apt-get autoremove -y \ && rm -rf /var/lib/apt/lists/* \ - # Verify hydra installation - && hydra -h || error_code=$? \ + && rm -rf /src + +# Verify hydra installation +RUN hydra -h || error_code=$? \ && if [ ! "${error_code}" -eq 255 ]; then echo "Wrong exit code for 'hydra help' command"; exit 1; fi \ # Unprivileged user creation && echo 'hydra:x:10001:10001::/tmp:/sbin/nologin' > /etc/passwd \ From 5ab0b95f8f1e6b24846fb9012570c7022eaf32b3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Oct 2022 10:23:19 +0200 Subject: [PATCH 05/79] fix attempt for smb2 --- hydra-smb2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hydra-smb2.c b/hydra-smb2.c index 275bbae..c213596 100644 --- a/hydra-smb2.c +++ b/hydra-smb2.c @@ -126,6 +126,7 @@ bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) { */ switch (errno) { + case 0: break; case ENOENT: // Noticed this when connecting to older samba servers on linux // where any credentials are accepted. From 04204f7d9b9ced8f564aa18d6636779bea5c59eb Mon Sep 17 00:00:00 2001 
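Review bot: `RUN hydra -h || error_code=$? \` leaves `error_code` unset when `hydra -h` exits 0, so the following `[ ! "${error_code}" -eq 255 ]` aborts with an integer-expression error instead of printing the intended message; initialising it first, `RUN error_code=0; hydra -h || error_code=$? \`, keeps the check meaningful for both outcomes. The new `RUN apt-get purge -y make gcc \` also no longer removes `libgpg-error-dev libgcrypt-dev`, which the removed line purged, so unless they are needed at run time those dev packages now stay in the final image. The RUN instruction continues past the end of the hunk.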
From: vanhauser-thc Date: Fri, 14 Oct 2022 10:29:22 +0200 Subject: [PATCH 06/79] fix attempt for smb2 --- hydra-smb2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hydra-smb2.c b/hydra-smb2.c index c213596..5e99451 100644 --- a/hydra-smb2.c +++ b/hydra-smb2.c @@ -126,7 +126,11 @@ bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) { */ switch (errno) { - case 0: break; + case 0: + // maybe false positive? unclear ... :( ... needs more testing + smbc_free_context(ctx, 1); + return true; + break; case ENOENT: // Noticed this when connecting to older samba servers on linux // where any credentials are accepted. From 8fb5f5e2b473eb351109d11bfe13a04aa3020bc3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Oct 2022 10:31:21 +0200 Subject: [PATCH 07/79] update changelog --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index 3d61f77..55d74e9 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ Changelog for hydra ------------------- Release 9.5-dev +* smb2: fix for updated libsmb2 which resulted in correct guessing attempts + not being detected * The help for http forms was wrong. the condition variable must always be the *last* parameter, not the third From feaab90b1fe29c9f059e4b548540f00b6df79ff1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 3 Nov 2022 17:05:41 +0100 Subject: [PATCH 08/79] fix smtp --- CHANGES | 5 +++-- hydra-smtp.c | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 55d74e9..2c27d84 100644 --- a/CHANGES +++ b/CHANGES 
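Review bot: The new `case 0:` returns true, i.e. reports the credential pair as valid, whenever errno is 0 on this path, and the comment itself says the behaviour is untested; a reader needs the comment to state which libsmb2 behaviour this works around, e.g. `// updated libsmb2 reports failure but leaves errno at 0 on an accepted login; treat as success (seen with <libsmb2 version placeholder>)`. The `break;` after `return true;` is unreachable and can be dropped. smb2_run_test starts before the hunk and the code following the switch lies outside it.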
@@ -2,10 +2,11 @@ Changelog for hydra
 -------------------
 
 Release 9.5-dev
+* The help for http-form was wrong. the condition variable must always be
+ the *last* parameter, not the third
 * smb2: fix for updated libsmb2 which resulted in correct guessing attempts
 not being detected
-* The help for http forms was wrong. the condition variable must always be
- the *last* parameter, not the third
+* smtp: break early if the server does not allow authentication
 
 
 Release 9.4
diff --git a/hydra-smtp.c b/hydra-smtp.c
index dc6e54a..97d5b72 100644
--- a/hydra-smtp.c
+++ b/hydra-smtp.c
@@ -61,6 +61,10 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
 return 1;
 if (strstr(buf, "334") == NULL) {
 hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf);
+ if (strstr(buf, "503") != NULL) {
+ free(buf);
+ return 4;
+ }
 free(buf);
 return 3;
 }
@@ -438,6 +442,12 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
 }
 hydra_child_exit(0);
 return;
+ case 4: /* error exit */
+ if (sock >= 0) {
+ sock = hydra_disconnect(sock);
+ }
+ hydra_child_exit(3);
+ return;
 default:
 hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
 hydra_child_exit(0);
From 972039b3ae2122a2aa8e9322a6f1b36fd5ef3966 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 4 Nov 2022 10:56:56 +0100
Subject: [PATCH 09/79] fix help

---
 pw-inspector.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pw-inspector.c b/pw-inspector.c
index 2f53e05..cc91c02 100644
--- a/pw-inspector.c
+++ b/pw-inspector.c
@@ -30,7 +30,7 @@ void help() {
 printf(" -l lowcase characters (a,b,c,d, etc.)\n");
 printf(" -u upcase characters (A,B,C,D, etc.)\n");
 printf(" -n numbers (1,2,3,4, etc.)\n");
- printf(" -p printable characters (which are not -l/-n/-p, e.g. "
+ printf(" -p printable characters (which are not -l/-u/-n, e.g. "
 "$,!,/,(,*, etc.)\n");
 printf(" -s special characters - all others not within the sets "
 "above\n");
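Review bot: `if (strstr(buf, "503") != NULL)` matches the digits anywhere in the reply, not just the status code at the start of the line, so any non-334 reply whose text happens to contain "503" (an enhanced status code, a message body) is classified as "authentication not allowed" and the child exits; `strncmp(buf, "503", 3) == 0` is the precise test. The two `free(buf)` calls can be folded into one by computing the result first, `int rc = strncmp(buf, "503", 3) == 0 ? 4 : 3; free(buf); return rc;`. In the service_smtp hunk, `hydra_child_exit(3)` differs from the 0 used by the neighbouring cases with nothing saying what code 3 signals; a comment such as `/* 3: server refused AUTH (503), nothing more to try */` would document it. Both start_smtp and service_smtp start and end outside the hunks.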
From 4778a398d963847bf70862d687d752606847f3f2 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 9 Nov 2022 12:08:34 +0100
Subject: [PATCH 10/79] fix man page

---
 hydra-mod.c | 6 +++---
 pw-inspector.1 | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hydra-mod.c b/hydra-mod.c
index a24889b..de86f66 100644
--- a/hydra-mod.c
+++ b/hydra-mod.c
@@ -662,10 +662,10 @@ char *hydra_get_next_pair() {
 pair[sizeof(pair) - 1] = 0;
 __fck = read(intern_socket, pair, sizeof(pair) - 1);
 // if (debug) hydra_dump_data(pair, __fck, "CHILD READ PAIR");
- if (memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0)
- return HYDRA_EXIT;
- if (pair[0] == 0)
+ if (pair[0] == 0 || __fck <= 0)
 return HYDRA_EMPTY;
+ if (__fck >= sizeof(HYDRA_EXIT) && memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0)
+ return HYDRA_EXIT;
 }
 return pair;
 }
diff --git a/pw-inspector.1 b/pw-inspector.1
index 90bff65..c9f228c 100644
--- a/pw-inspector.1
+++ b/pw-inspector.1
@@ -42,7 +42,7 @@ upcase characters (A,B,C,D, etc.)
 numbers (1,2,3,4, etc.)
 .TP
 .B \-p
-printable characters (which are not \-l/\-n/\-p, e.g. $,!,/,(,*, etc.)
+printable characters (which are not \-l/\-n/\-n, e.g. $,!,/,(,*, etc.)
 .TP
 .B \ -s
 special characters \- all others not withint the sets above
From 128467103181c2982a7be6acef33759c8401726b Mon Sep 17 00:00:00 2001
From: mashaz
Date: Tue, 15 Nov 2022 15:01:58 +0800
Subject: [PATCH 11/79] fix: error when mongodb user is empty

---
 hydra-mongodb.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/hydra-mongodb.c b/hydra-mongodb.c
index 201c3ff..994f477 100644
--- a/hydra-mongodb.c
+++ b/hydra-mongodb.c
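Review bot: The reordered checks now return HYDRA_EMPTY on `pair[0] == 0` before the exit marker is ever compared, so if the marker's first byte can be 0 an exit request is silently treated as an empty pair; that depends on what the parent writes, which is outside the hunk and worth confirming. Note also that HYDRA_EXIT is declared `extern char *HYDRA_EXIT;` elsewhere in this series (hydra-rdp.c), so `memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT))` compares the pointer variable's own bytes, not the string it points to, and the new `__fck >= sizeof(HYDRA_EXIT)` threshold inherits that; both ends of the pipe must agree on this, so a comment stating the convention would save the next reader a detour. `__fck >= sizeof(HYDRA_EXIT)` is a signed/unsigned comparison that is well-defined only because of the `__fck <= 0` guard on the previous line; `// __fck > 0 here, so comparing against size_t is safe` makes the dependency explicit. The enclosing loop and the start of hydra_get_next_pair lie outside the hunk.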
@@ -72,10 +72,17 @@ int32_t start_mongodb(int32_t s, char *ip, int32_t port, unsigned char options, mongoc_log_set_handler(NULL, NULL); bson_init(&q); - snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s:%d/?authSource=%s", login, pass, hydra_address2string(ip), port, miscptr); + if (login[0] == '\0' && pass[0] == '\0') { + snprintf(uri, sizeof(uri), "mongodb://%s:%d/?authSource=%s", hydra_address2string(ip), port, miscptr); + } else { + snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s:%d/?authSource=%s", login, pass, hydra_address2string(ip), port, miscptr); + } + client = mongoc_client_new(uri); - if (!client) + if (!client) { + hydra_completed_pair_skip(); return 3; + } mongoc_client_set_appname(client, "hydra"); collection = mongoc_client_get_collection(client, miscptr, "test"); From e9698cd53053442f23effc8fee68a8d566fbc94f Mon Sep 17 00:00:00 2001 From: ringzero Date: Sun, 4 Dec 2022 16:13:47 +0800 Subject: [PATCH 12/79] freerdp tls-seclevel to 0 --- hydra-rdp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hydra-rdp.c b/hydra-rdp.c index b33c87d..a772086 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c @@ -30,6 +30,7 @@ BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *pa instance->settings->ServerPort = port; instance->settings->Domain = domain; instance->settings->MaxTimeInCheckLoop = 100; + instance->settings->TlsSecLevel = 0; freerdp_connect(instance); err = freerdp_get_last_error(instance->context); return err; From eb939baaa51c6f48c4fdfe5a993bdc7aa495ba89 Mon Sep 17 00:00:00 2001 From: ringzero Date: Mon, 5 Dec 2022 20:12:56 +0800 Subject: [PATCH 13/79] rdp: support hydra waittime --- hydra-rdp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hydra-rdp.c b/hydra-rdp.c index a772086..405ecf3 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c @@ -9,6 +9,7 @@ #include "hydra-mod.h" +extern hydra_option hydra_options; extern char *HYDRA_EXIT; #ifndef LIBFREERDP void dummy_rdp() { printf("\n"); } 
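Review bot: In the else branch `login` and `pass` are spliced into the URI verbatim, so a candidate containing `@`, `:`, `/`, `?` or `%` changes the URI structure and makes `mongoc_client_new` fail or connect with different credentials, which is then counted as a miss; building the URI with `mongoc_uri_new()` and setting the credentials through `mongoc_uri_set_username()` / `mongoc_uri_set_password()` before `mongoc_client_new_from_uri()` avoids the escaping problem. The new `hydra_completed_pair_skip()` before `return 3` on a NULL client appears to mark the pair as processed although no connection was attempted; a comment explaining why that is preferred over reporting a setup error would help. start_mongodb starts and ends outside the hunk.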
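Review bot: `instance->settings->TlsSecLevel = 0;` unconditionally lowers the TLS security level for every RDP connection, including hosts that negotiate fine at the library default, and the hunk gives no reason; a comment such as `// accept legacy TLS parameters that the default security level rejects` and, ideally, gating it on a module option would keep the default for the common case. rdp_connect starts before the hunk.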
@@ -18,6 +19,7 @@ void dummy_rdp() { printf("\n"); } freerdp *instance = 0; BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) { int32_t err = 0; + int32_t waittime = hydra_options.waittime; instance->settings->Username = login; instance->settings->Password = password; @@ -30,6 +32,11 @@ BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *pa instance->settings->ServerPort = port; instance->settings->Domain = domain; instance->settings->MaxTimeInCheckLoop = 100; + // hydra_options.waittime default value -> 32 + if (waittime != 32) { + // freerdp timeout format is microseconds -> default:15000 + instance->settings->TcpConnectTimeout = waittime * 1000; + } instance->settings->TlsSecLevel = 0; freerdp_connect(instance); err = freerdp_get_last_error(instance->context); From d830ac795e65a7b47492d50859eb36bb8d2dd116 Mon Sep 17 00:00:00 2001 From: ringzero Date: Tue, 6 Dec 2022 09:41:04 +0800 Subject: [PATCH 14/79] rdp implementing-w and -W support --- hydra-rdp.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/hydra-rdp.c b/hydra-rdp.c index 405ecf3..4036591 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c @@ -19,7 +19,6 @@ void dummy_rdp() { printf("\n"); } freerdp *instance = 0; BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) { int32_t err = 0; - int32_t waittime = hydra_options.waittime; instance->settings->Username = login; instance->settings->Password = password; 
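Review bot: The comment `// freerdp timeout format is microseconds -> default:15000` contradicts the arithmetic beside it: `waittime * 1000` turns a per-second wait into milliseconds, and a 15000 default is only plausible as 15 s in milliseconds, so the comment should read `// FreeRDP's TcpConnectTimeout is in milliseconds (default 15000); hydra waittime is seconds`. The same comment is carried over into the rdp_connect hunk of patch 14 and should be corrected there as well. The literal `32` in `if (waittime != 32)` is tied to the option default only by the comment above it; comparing against a named default would not silently break if the default changes. rdp_connect starts outside the hunk.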
@@ -32,11 +31,8 @@ BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *pa instance->settings->ServerPort = port; instance->settings->Domain = domain; instance->settings->MaxTimeInCheckLoop = 100; - // hydra_options.waittime default value -> 32 - if (waittime != 32) { - // freerdp timeout format is microseconds -> default:15000 - instance->settings->TcpConnectTimeout = waittime * 1000; - } + // freerdp timeout format is microseconds -> default:15000 + instance->settings->TcpConnectTimeout = hydra_options.waittime * 1000; instance->settings->TlsSecLevel = 0; freerdp_connect(instance); err = freerdp_get_last_error(instance->context); @@ -108,6 +104,7 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr, void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1; int32_t myport = PORT_RDP; + int32_t __first_rdp_connect = 1; if (port != 0) myport = port; @@ -119,6 +116,10 @@ void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL next_run = 0; switch (run) { case 1: /* run the cracking function */ + if (__first_rdp_connect != 0) + __first_rdp_connect = 0; + else + sleep(hydra_options.conwait); next_run = start_rdp(ip, myport, options, miscptr, fp); break; case 2: /* clean exit */ From c6a3f77476bbdf7d409a7cdf46725694fbf18f10 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 3 Jan 2023 11:47:39 +0100 Subject: [PATCH 15/79] welcome 2023 --- Makefile.am | 2 +- hydra.1 | 2 +- hydra.c | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index a8da8d6..0dd498e 100644 --- a/Makefile.am +++ b/Makefile.am 
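Review bot: `__first_rdp_connect` begins with a double underscore, an identifier form reserved for the implementation in C, and the neighbouring locals (`run`, `next_run`, `myport`) use plain snake_case; `first_rdp_connect` keeps the style and avoids the reserved name. `sleep(hydra_options.conwait)` takes an unsigned argument, so if the option parser accepts a negative conwait this becomes a very long sleep — either a guard here or a comment stating the parser already rejects it. service_rdp continues past the hunk.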
@@ -1,5 +1,5 @@ # -# Makefile for Hydra - (c) 2001-2022 by van Hauser / THC +# Makefile for Hydra - (c) 2001-2023 by van Hauser / THC # WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align diff --git a/hydra.1 b/hydra.1 index 81b2feb..b9cb7a5 100644 --- a/hydra.1 +++ b/hydra.1 @@ -1,4 +1,4 @@ -.TH "HYDRA" "1" "01/01/2022" +.TH "HYDRA" "1" "01/01/2023" .SH NAME hydra \- a very fast network logon cracker which supports many different services .SH SYNOPSIS diff --git a/hydra.c b/hydra.c index 2e4f2ab..dbea4c0 100644 --- a/hydra.c +++ b/hydra.c @@ -1,5 +1,5 @@ /* - * hydra (c) 2001-2022 by van Hauser / THC + * hydra (c) 2001-2023 by van Hauser / THC * https://github.com/vanhauser-thc/thc-hydra * * Parallized network login hacker. @@ -2186,7 +2186,7 @@ int main(int argc, char *argv[]) { struct sockaddr_in6 *ipv6 = NULL; struct sockaddr_in *ipv4 = NULL; - printf("%s %s (c) 2022 by %s & %s - Please do not use in military or secret " + printf("%s %s (c) 2023 by %s & %s - Please do not use in military or secret " "service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\n", PROGRAM, VERSION, AUTHOR, AUTHOR2); #ifndef LIBAFP From a41d10dc8ce718c9bd4397534636d6b4de1450cd Mon Sep 17 00:00:00 2001 
From: Florian Weimer Date: Wed, 18 Jan 2023 16:30:24 +0100 Subject: [PATCH 16/79] Various C99 compatibility fixes strrchr is declared in , not . _GNU_SOURCE needs to be defined before any glibc headers are included, otherwise it is not effective. Also patch some old autoconf-internal issues in the hydra-gtk configure script. --- configure | 2 +- hydra-gtk/configure | 8 ++++---- hydra-rtsp.c | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/configure b/configure index d9c8b02..425f80a 100755 --- a/configure +++ b/configure @@ -1356,7 +1356,7 @@ echo "Checking for Android specialities ..." TMPC=comptest$$ STRRCHR=" not" echo '#include ' > $TMPC.c -echo '#include ' >> $TMPC.c +echo '#include ' >> $TMPC.c echo "int main() { char *x = strrchr(\"test\", 'e'); if (x == NULL) return 0; else return 1; }" >> $TMPC.c $CC -o $TMPC $TMPC.c > /dev/null 2>&1 test -x $TMPC && STRRCHR="" diff --git a/hydra-gtk/configure b/hydra-gtk/configure index 653ba7d..6cd3de7 100755 --- a/hydra-gtk/configure +++ b/hydra-gtk/configure @@ -2391,7 +2391,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then for ac_declaration in \ - '' \ + '#include ' \ 'extern "C" void std::exit (int) throw (); using std::exit;' \ 'extern "C" void std::exit (int); using std::exit;' \ 'extern "C" void exit (int) throw ();' \ @@ -3192,7 +3192,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); }; }; then for ac_declaration in \ - '' \ + '#include ' \ 'extern "C" void std::exit (int) throw (); using std::exit;' \ 'extern "C" void std::exit (int); using std::exit;' \ 'extern "C" void exit (int) throw ();' \ @@ -3797,8 +3797,8 @@ main () for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) - exit(2); - exit (0); + return 2; + return 0; } _ACEOF rm -f conftest$ac_exeext 
diff --git a/hydra-rtsp.c b/hydra-rtsp.c index 3b6e84b..3b4bdca 100644 --- a/hydra-rtsp.c +++ b/hydra-rtsp.c @@ -6,10 +6,11 @@ // // +#define _GNU_SOURCE + #include "hydra-mod.h" #include "sasl.h" #include -#define _GNU_SOURCE #include extern char *HYDRA_EXIT; From 97cae4633c45be76d2f5df5a739a3870adbd293e Mon Sep 17 00:00:00 2001 From: xd0419 <1249457656@qq.com> Date: Wed, 1 Mar 2023 22:08:53 +0800 Subject: [PATCH 17/79] edit mongodb moudle error --- hydra-mongodb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hydra-mongodb.c b/hydra-mongodb.c index 994f477..d413192 100644 --- a/hydra-mongodb.c +++ b/hydra-mongodb.c @@ -97,11 +97,11 @@ int32_t start_mongodb(int32_t s, char *ip, int32_t port, unsigned char options, mongoc_collection_destroy(collection); mongoc_client_destroy(client); mongoc_cleanup(); - hydra_completed_pair_skip(); + hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { return 3; } - return 2; + return 1; } } From 4ae7a365e92f3b30cc3eb58aa47bf7e42f21a8ef Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 6 Mar 2023 10:35:03 +0100 Subject: [PATCH 18/79] fix http form help output --- hydra-http-form.c | 44 +++++++++++++++++--------------------------- 1 file changed, 17 insertions(+), 27 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 93953dc..53b7ce5 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
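Review bot: `#define _GNU_SOURCE` is now unconditional at the top of hydra-rtsp.c, while patch 02 in this series also passes `-D_GNU_SOURCE` through CPPFLAGS, which defines the macro as `1`; the two replacement lists differ, so a build using both warns about a macro redefinition. Guarding it, `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`, preserves the intent without the warning. The hunk sits in the include preamble, outside any function.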
@@ -20,33 +20,23 @@ Here's a couple of examples: - ./hydra -S -s 443 -l "" -P pass.txt 10.221.64.2 https-get-form "/irmlab1/vulnapp.php:username=^USER^&pass=^PASS^:incorrect" -The option field (following the service field) takes three ":" separated -values and an optional fourth value, the first is the page on the server -to GET or POST to, the second is the POST/GET variables (taken from either -the browser, or a proxy such as PAROS) with the varying usernames and passwords -in the "^USER^" and "^PASS^" placeholders, the third is the string that it -checks for an *invalid* or *valid* login - any exception to this is counted -as a success. +The option field (following the service field) takes ":" separated values: +The first is the page on the server to GET or POST to. +The second is the POST/GET variables (taken from either the browser, or a proxy +such as ZAP) with the varying usernames and passwords in the "^USER^" and +"^PASS^" placeholders. +The third + are optional parameters like C=, H= etc. (see below) +The final(!) parameter is the string that it checks for an *invalid* or *valid* +login So please: * invalid condition login should be preceded by "F=" * valid condition login should be preceded by "S=". -By default, if no header is found the condition is assume to be a fail, -so checking for *invalid* login. -The fourth optional value, can be a 'C' to define a different page to GET -initial cookies from. +By default, if no header is found the condition is assume to be a fail (F=), +so checking for an *invalid* login string. -If you specify the verbose flag (-v) it will show you the response from the +If you specify the debug flag (-d) it will show you the response from the HTTP server which is useful for checking the result of a failed login to -find something to pattern match against. 
- -Module initially written by Phil Robinson, IRM Plc (releases@irmplc.com), -rewritten by David Maciejak - -Fix and issue with strtok use and implement 1 step location follow if HTTP -3xx code is returned (david dot maciejak at gmail dot com) - -Added fail or success condition, getting cookies, and allow 5 redirections by -david +find something to pattern match against. This should be done together with -t 1. */ @@ -1434,8 +1424,8 @@ void usage_http_form(const char *service) { "redirections in\n" "a row. It always gathers a new cookie from the same URL without " "variables\n" - "The parameters requires three \":\" separated values, plus optional " - "values.\n" + "The parameters requires at a minimum three \":\" separated values,\n" + "plus optional values.\n" "(Note: if you need a colon in the option string as value, escape it " "with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n" "\nSyntax: :[:[:]:\n" @@ -1480,11 +1470,11 @@ void usage_http_form(const char *service) { "login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result=" "success\"\n" " \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n" - " \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic " + " \"/:user=^USER&pass=^PASS^:H=Authorization\\: Basic " "dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n" - " \"/exchweb/bin/auth/" + " \"/exchweb/bin/auth/:F=failed" "owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&" "username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:" - "reason=:C=/exchweb\"\n", + "C=/exchweb\":reason=\n", service); } From 75b7b52da9a2590b772ec75d4b8fb71ed2910335 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 13 Mar 2023 09:23:55 +0100 Subject: [PATCH 19/79] fix proxy support for http-form --- CHANGES | 6 ++++-- hydra-http-form.c | 12 ++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 2c27d84..9f21de3 100644 --- a/CHANGES +++ b/CHANGES 
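Review bot: The rewritten last example splits the URL path: `" \"/exchweb/bin/auth/:F=failed"` followed by `"owaauth.dll:destination=..."` produces `/exchweb/bin/auth/:F=failedowaauth.dll:...`, and the trailing `"C=/exchweb\":reason=\n"` places `:reason=` after the closing quote. Following the order the help text itself now describes (form parameters, optional `C=`, condition last), the example should start `" \"/exchweb/bin/auth/owaauth.dll:destination=..."` and end `"C=/exchweb:F=reason=\"\n"`. The `"/:user=^USER&pass=^PASS^:H=Authorization..."` example lost its `:failed` condition, so its last element is now a header rather than the condition string the syntax requires, and `^USER` is still missing its closing caret. usage_http_form starts before the hunk.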
@@ -2,8 +2,10 @@ Changelog for hydra
 -------------------
 
 Release 9.5-dev
-* The help for http-form was wrong. the condition variable must always be
- the *last* parameter, not the third
+* http-form:
+ - The help for http-form was wrong. the condition variable must always be
+ the *last* parameter, not the third
+ - Proxy support was not working correctly
 * smb2: fix for updated libsmb2 which resulted in correct guessing attempts
 not being detected
 * smtp: break early if the server does not allow authentication
diff --git a/hydra-http-form.c b/hydra-http-form.c
index 53b7ce5..d41cbd9 100644
--- a/hydra-http-form.c
+++ b/hydra-http-form.c
@@ -761,7 +761,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) {
 if (getcookie) {
 memset(proxy_string, 0, sizeof(proxy_string));
- snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl);
+ snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl);
 if (http_request != NULL)
 free(http_request);
 http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
@@ -775,7 +775,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 // now prepare for the "real" request
 if (strcmp(type, "POST") == 0) {
 memset(proxy_string, 0, sizeof(proxy_string));
- snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url);
+ snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url);
 snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables));
 if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
 hdrrepv(&ptr_head, "Content-Length", content_length);
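Review bot: Dropping `:%d`/`webport` from the proxied absolute URL `"http://%s%.600s"` is only correct if `webtarget` already carries the port whenever it is not 80; if it is the bare host, proxied requests to a non-default port now go to port 80, so this should be confirmed where webtarget is built (outside the hunk). The identical change is repeated in the hunks at -823, -837, -1072 and -1084; a small static helper that formats the proxy URL in one place would turn the next fix of this kind into a one-liner. `MAX_PROXY_LENGTH - 1` as the snprintf bound is harmless, but `sizeof(proxy_string)`, already used by the memset above, is the bound that cannot drift from the buffer. start_http_form starts and ends outside these hunks.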
@@ -823,7 +823,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 if (getcookie) {
 // doing a GET to get cookies
 memset(proxy_string, 0, sizeof(proxy_string));
- snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl);
+ snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl);
 if (http_request != NULL)
 free(http_request);
 http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
@@ -837,7 +837,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 // now prepare for the "real" request
 if (strcmp(type, "POST") == 0) {
 memset(proxy_string, 0, sizeof(proxy_string));
- snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url);
+ snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url);
 snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables));
 if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
 hdrrepv(&ptr_head, "Content-Length", content_length);
@@ -1072,7 +1072,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 // proxy with authentication
 hdrrepv(&ptr_head, "Host", str2);
 memset(proxy_string, 0, sizeof(proxy_string));
- snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3);
+ snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3);
 if (normal_request != NULL)
 free(normal_request);
 normal_request = stringify_headers(&ptr_head);
@@ -1084,7 +1084,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 // proxy without authentication
 hdrrepv(&ptr_head, "Host", str2);
 memset(proxy_string, 0, sizeof(proxy_string));
-snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3);
+snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3);
 if (normal_request != NULL)
 free(normal_request);
 normal_request = stringify_headers(&ptr_head);
From 01efa98ded7e7053dc8d7b898dee5bd2c365b671 Mon Sep 17 00:00:00 2001
From: bugith
Date: Sun, 14 May 2023 12:03:43 +0200
Subject: [PATCH 20/79] Update README -x syntax with special characters
---
 README | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README b/README
index e8c7b6a..846164a 100644
--- a/README
+++ b/README
@@ -267,6 +267,7 @@ Examples:
 -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters
 -x 2:5:/ generate passwords from length 2 to 5 containing only slashes
 -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
+-x '3:3:aA1&~#\\ "\'<{([-|_^@)]=}>$%*?./§,;:!`' -v generates lenght 3 passwords with all 95 characters, and verbose.
 ```
 Example:
From a0565e1abe731c455c688c2e82da28bbe7db4a16 Mon Sep 17 00:00:00 2001
From: leo
Date: Fri, 9 Jun 2023 20:43:21 +1200
Subject: [PATCH 21/79] fix rdp response 0002000f not recognised as a failed attempt
---
 hydra-rdp.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hydra-rdp.c b/hydra-rdp.c
index 4036591..456a1c3 100644
--- a/hydra-rdp.c
+++ b/hydra-rdp.c
@@ -76,6 +76,10 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr,
 // login failure
 hydra_completed_pair();
 break;
+case 0x0002000f:
+// login failure
+hydra_completed_pair_skip();
+break;
 case 0x0002000d:
 hydra_report(stderr,
 "[%d][rdp] account on %s might be valid but account not "
From 377ac86652f86bd3317a771a173c4235aaa2055c Mon Sep 17 00:00:00 2001
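Review bot: The new `case 0x0002000f:` copies the `// login failure` comment from the preceding case but calls `hydra_completed_pair_skip()` instead of `hydra_completed_pair()`, so the comment no longer explains why the remaining passwords for this login are abandoned. Replace it with the actual condition, e.g. `// 0x0002000f: server rejected the account in a way that makes further passwords for this user pointless, skip to the next login`, and if the FreeRDP headers in use define a named constant for this value, use it instead of the literal. The `switch` and `start_rdp` continue outside the hunk.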
From: vanhauser-thc Date: Mon, 12 Jun 2023 10:03:28 +0200 Subject: [PATCH 22/79] v9.6 release --- CHANGES | 1 + hydra.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 9f21de3..d30e1ac 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,7 @@ Release 9.5-dev * smb2: fix for updated libsmb2 which resulted in correct guessing attempts not being detected * smtp: break early if the server does not allow authentication +* rdp: detect more return codes that say a user is disabled etc. Release 9.4 diff --git a/hydra.c b/hydra.c index dbea4c0..cae3dde 100644 --- a/hydra.c +++ b/hydra.c @@ -228,7 +228,7 @@ char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs fire #define RESTOREFILE "./hydra.restore" #define PROGRAM "Hydra" -#define VERSION "v9.5-dev" +#define VERSION "v9.6" #define AUTHOR "van Hauser/THC" #define EMAIL "" #define AUTHOR2 "David Maciejak" From 714b051867365c724faf7f505c59dd0b0389ca58 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 12 Jun 2023 10:05:41 +0200 Subject: [PATCH 23/79] v9.5 release --- CHANGES | 2 +- README | 2 +- hydra.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index d30e1ac..a78dfea 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,7 @@ Changelog for hydra ------------------- -Release 9.5-dev +Release 9.5 * http-form: - The help for http-form was wrong. the condition variable must always be the *last* parameter, not the third diff --git a/README b/README index 846164a..44cb585 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ H Y D R A - (c) 2001-2022 by van Hauser / THC + (c) 2001-2023 by van Hauser / THC https://github.com/vanhauser-thc/thc-hydra many modules were written by David (dot) Maciejak @ gmail (dot) com BFG code by Jan Dlabal diff --git a/hydra.c b/hydra.c index cae3dde..c250f4c 100644 --- a/hydra.c +++ b/hydra.c 
@@ -228,7 +228,7 @@ char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs fire
 #define RESTOREFILE "./hydra.restore"
 #define PROGRAM "Hydra"
-#define VERSION "v9.6"
+#define VERSION "v9.5"
 #define AUTHOR "van Hauser/THC"
 #define EMAIL ""
 #define AUTHOR2 "David Maciejak"
From 28f073fd79d337c957fc41ada2be5ec2e8122b0e Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 24 Jun 2023 12:03:03 +0200
Subject: [PATCH 24/79] fix pw-inspector
---
 pw-inspector.c | 55 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 32 deletions(-)
diff --git a/pw-inspector.c b/pw-inspector.c
index cc91c02..8b87a5a 100644
--- a/pw-inspector.c
+++ b/pw-inspector.c
@@ -50,7 +50,7 @@ int main(int argc, char *argv[]) {
 int32_t sets = 0, countsets = 0, minlen = 0, maxlen = MAXLENGTH, count = 0;
 int32_t set_low = 0, set_up = 0, set_no = 0, set_print = 0, set_other = 0;
 FILE *in = stdin, *out = stdout;
-char buf[MAXLENGTH + 1];
+unsigned char buf[MAXLENGTH + 1];
 
 prg = argv[0];
 if (argc < 2)
@@ -124,9 +124,9 @@ int main(int argc, char *argv[]) {
 if (countsets == 0)
 countsets = sets;
 
-while (fgets(buf, sizeof(buf), in) != NULL) {
-i = -1;
-if (buf[0] == 0)
+while (fgets((void *)buf, sizeof(buf), in) != NULL) {
+int is_low = 0, is_up = 0, is_no = 0, is_print = 0, is_other = 0;
+if (!buf[0])
 continue;
 if (buf[strlen(buf) - 1] == '\n')
 buf[strlen(buf) - 1] = 0;
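Review bot: Changing `buf` to `unsigned char` makes the `<ctype.h>` calls well-defined, but only the `fgets` call received a `(void *)` cast; the `strlen(buf)` calls in this hunk and the `strlen`/`fprintf(out, "%s\n", buf)` uses in the next one still pass `unsigned char *` where `char *` is expected, which GCC reports under `-Wpointer-sign` (part of `-Wall`). The usual shape is to keep `char buf[]` and cast at the ctype call sites, `islower((unsigned char)buf[i])`, which removes the cast on `fgets` and the mismatch everywhere else at once. `main` begins and ends outside the hunk.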
@@ -134,40 +134,31 @@ int main(int argc, char *argv[]) {
 buf[strlen(buf) - 1] = 0;
 if (strlen(buf) >= minlen && strlen(buf) <= maxlen) {
 i = 0;
-if (countsets > 0) {
-if (set_low)
-if (strpbrk(buf, "abcdefghijklmnopqrstuvwxyz") != NULL)
-i++;
-if (set_up)
-if (strpbrk(buf, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != NULL)
-i++;
-if (set_no)
-if (strpbrk(buf, "0123456789") != NULL)
-i++;
-if (set_print) {
-j = 0;
-for (k = 0; k < strlen(buf); k++)
-if (isprint((int32_t)buf[k]) != 0 && isalnum((int32_t)buf[k]) == 0)
-j = 1;
-if (j)
-i++;
-}
-if (set_other) {
-j = 0;
-for (k = 0; k < strlen(buf); k++)
-if (isprint((int32_t)buf[k]) == 0 && isalnum((int32_t)buf[k]) == 0)
-j = 1;
-if (j)
-i++;
+j = 1;
+for (i = 0; i < strlen(buf) && j; i++) {
+j = 0;
+if (set_low && islower(buf[i])) {
+j = 1;
+is_low = 1;
+} else if (set_up && isupper(buf[i])) {
+j = 1;
+is_up = 1;
+} else if (set_no && isdigit(buf[i])) {
+j = 1;
+is_no = 1;
+} else if (set_print && isprint(buf[i]) && !isalnum(buf[i])) {
+j = 1;
+is_print = 1;
+} else if (set_other && !isprint(buf[i])) {
+j = 1;
+is_other = 1;
 }
 }
-if (i >= countsets) {
+if (j && countsets <= is_low + is_up + is_no + is_print + is_other) {
 fprintf(out, "%s\n", buf);
 count++;
 }
 }
-/* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i,
-* minlen, maxlen, strlen(buf)); */
 }
 fclose(in);
 fclose(out);
From 58256c8b4f1517d15ba416347451bbf1397d7bef Mon Sep 17 00:00:00 2001
From: neo-one0873 <50387785+neo-one0873@users.noreply.github.com>
Date: Tue, 27 Jun 2023 10:41:16 +0800
Subject: [PATCH 25/79] fix: array proxy_string_port may out of bound when proxy_count=64, array proxy_string_port , proxy_string_ip, etc. may out of bound.
---
 hydra.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hydra.c b/hydra.c
index c250f4c..5a21928 100644
--- a/hydra.c
+++ b/hydra.c
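Review bot: The new loop condition `i < strlen(buf) && j` recomputes the length on every iteration and compares the `int32_t` index with a `size_t`, which `-Wsign-compare`/`-Wconversion` will flag; the length is already computed three times just above, so hoist it once, `size_t len = strlen(buf);`, and loop with `for (i = 0; i < (int32_t)len && j; i++)`. The kept context line `i = 0;` directly before `j = 1;` is now dead, since the `for` initialises `i` itself. The new rule — every character must belong to an enabled set and at least `countsets` distinct sets must appear — differs from the old count-of-sets test, which is presumably the intended fix; a one-line comment stating that rule above the loop would spare the next reader from re-deriving it. `main` begins before the hunk.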
@@ -2045,7 +2045,7 @@ void process_proxy_line(int32_t type, char *string) {
 string[strlen(string) - 1] = 0;
 if (string[strlen(string) - 1] == '\r')
 string[strlen(string) - 1] = 0;
-if (proxy_count > MAX_PROXY_COUNT) {
+if (proxy_count >= MAX_PROXY_COUNT) {
 fprintf(stderr, "[WARNING] maximum amount of proxies loaded, ignoring this entry: %s\n", string);
 return;
 }
From bb0fc9353913e0f114ec8f1144417a117b951359 Mon Sep 17 00:00:00 2001
From: xiongyi
Date: Tue, 27 Jun 2023 17:45:38 +0800
Subject: [PATCH 26/79] fix memory leaks for hydra-http-form.c
Signed-off-by: xiongyi
---
 hydra-http-form.c | 28 +++++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/hydra-http-form.c b/hydra-http-form.c
index d41cbd9..3707b2f 100644
--- a/hydra-http-form.c
+++ b/hydra-http-form.c
@@ -796,8 +796,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 if (http_request != NULL)
 free(http_request);
 http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request);
-if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
+if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
+free(cookie_header);
 return 1;
+}
 } else {
 if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
 hdrrepv(&ptr_head, "Content-Length", "0");
@@ -814,8 +816,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 if (http_request != NULL)
 free(http_request);
 http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request);
-if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
+if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
+free(cookie_header);
 return 1;
+}
 }
 } else {
 if (use_proxy == 1) {
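Review bot: `>=` is the correct bound, but the reason lives only in the commit message; a one-line comment on the new condition, `// the proxy_string_* arrays hold MAX_PROXY_COUNT entries, so proxy_count must stay below that before it is used as an index`, would keep a later edit from drifting back to `>`. `process_proxy_line` continues outside the hunk.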
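Review bot: Putting `free(cookie_header);` in front of each `return 1` closes the leak at these send-failure sites, but the same two lines are now pasted at seven places in `start_http_form` (this hunk, @@ -814, and the @@ -858, @@ -876, @@ -921, @@ -939 and @@ -1105 hunks that follow), and any early return in the function that this commit does not touch keeps leaking. A single cleanup label at the end of the function — `ret = 1; goto out;` at each failure site and `out: free(cookie_header); return ret;` — gives one place to free and makes a missed path obvious. `http_request` is reallocated just before each send; the `if (http_request != NULL) free(http_request)` pattern suggests it is a file-scope pointer that survives the return, but if it is function-local it leaks on the same paths — confirm. `start_http_form` begins and ends outside the hunk.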
@@ -858,8 +862,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } else { if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); @@ -876,8 +882,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } } else { // direct web server, no proxy @@ -921,8 +929,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("POST", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } else { if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); @@ -939,8 +949,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (http_request != NULL) free(http_request); http_request = prepare_http_request("GET", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } } } } 
@@ -1105,8 +1117,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options hydra_reconnect(s, ip, port, options, hostname); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; + } found = analyze_server_response(s); if (strlen(cookie) > 0) From 8a2df9b8f28ecb8c25b532be1b1deeed2a51d598 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 30 Jun 2023 17:21:44 +0200 Subject: [PATCH 27/79] 9.6dev --- hydra.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hydra.c b/hydra.c index 5a21928..4e33711 100644 --- a/hydra.c +++ b/hydra.c @@ -228,7 +228,7 @@ char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs fire #define RESTOREFILE "./hydra.restore" #define PROGRAM "Hydra" -#define VERSION "v9.5" +#define VERSION "v9.6dev" #define AUTHOR "van Hauser/THC" #define EMAIL "" #define AUTHOR2 "David Maciejak" From 310068c9ca54b86b937dc07c59c5b7a129ed06d7 Mon Sep 17 00:00:00 2001 From: Coen Tempelaars Date: Fri, 7 Jul 2023 20:55:04 +0200 Subject: [PATCH 28/79] fix replacement of user/pass placeholders in http header --- hydra-http-form.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 3707b2f..9e3c92b 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
@@ -314,9 +314,15 @@ void hdrrep(ptr_header_node *ptr_head, char *oldvalue, char *newvalue) {
 
 for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) {
 if ((cur_ptr->type == HEADER_TYPE_USERHEADER || cur_ptr->type == HEADER_TYPE_USERHEADER_REPL) && strstr(cur_ptr->value, oldvalue)) {
-cur_ptr->value = (char *)realloc(cur_ptr->value, strlen(newvalue) + 1);
-if (cur_ptr->value)
-strcpy(cur_ptr->value, newvalue);
+size_t oldlen = strlen(oldvalue);
+size_t newlen = strlen(newvalue);
+if (oldlen != newlen)
+cur_ptr->value = (char *)realloc(cur_ptr->value, strlen(cur_ptr->value) - oldlen + newlen + 1);
+if (cur_ptr->value) {
+char *p = strstr(cur_ptr->value, oldvalue);
+memmove(p + newlen, p + oldlen, strlen(p + oldlen) + 1);
+memcpy(p, newvalue, newlen);
+}
 else {
 hydra_report(stderr, "[ERROR] Out of memory (hddrep).\n");
 hydra_child_exit(0);
From fb964fc1132d7e7ee993b5cfe1ed280978530589 Mon Sep 17 00:00:00 2001
From: Roan Rothrock
Date: Tue, 11 Jul 2023 10:15:24 -0500
Subject: [PATCH 29/79] Fixed #868 on vanhauser-thc/thc-hydra
---
 hydra-rtsp.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hydra-rtsp.c b/hydra-rtsp.c
index 3b4bdca..5526f9b 100644
--- a/hydra-rtsp.c
+++ b/hydra-rtsp.c
@@ -6,7 +6,9 @@
 //
 //
+#ifndef _GNU_SOURCE
 #define _GNU_SOURCE
+#endif
 #include "hydra-mod.h"
 #include "sasl.h"
From 568ef74e0d513c8a3a0d388acdd444f92e700cab Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 21 Jul 2023 10:44:31 +0200
Subject: [PATCH 30/79] nits
---
 Makefile.am | 2 +-
 hydra-http-form.c | 5 ++---
 hydra-mod.c | 2 +-
 hydra-smb2.c | 2 +-
 hydra-svn.c | 2 ++
 5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 0dd498e..f6d4bb0 100644
--- a/Makefile.am
+++ b/Makefile.am
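Review bot: When `newlen < oldlen` the new code shrinks the block with `realloc` first and only then runs `strstr` and `memmove` over it, so both read past the end of the memory that was just returned to the allocator (undefined behaviour; with glibc it tends to work by accident because small shrinks stay in place). The move has to happen before a shrink and after a grow, so the rewrite below orders the two cases; it also keeps the old block if the grow fails instead of overwriting `cur_ptr->value` with NULL before the error report, and avoids the `(char *)` cast on `realloc`. Only the first occurrence of `oldvalue` is replaced, as before the commit; a user header containing the placeholder twice is a separate question. The enclosing `for`/`if` and `hdrrep` itself close outside the hunk.
```c
      size_t oldlen = strlen(oldvalue);
      size_t newlen = strlen(newvalue);
      char *p = strstr(cur_ptr->value, oldvalue); /* non-NULL: checked by the enclosing if */
      size_t taillen = strlen(p + oldlen) + 1;    /* rest of the value including the NUL */
      if (newlen <= oldlen) {
        /* same size or shrinking: move in place first, then give memory back */
        memmove(p + newlen, p + oldlen, taillen);
        memcpy(p, newvalue, newlen);
        if (newlen < oldlen) {
          char *shrunk = realloc(cur_ptr->value, strlen(cur_ptr->value) + 1);
          if (shrunk) /* a failed shrink leaves the old block valid and usable */
            cur_ptr->value = shrunk;
        }
      } else {
        /* growing: enlarge first, then open a gap for the longer value */
        size_t off = (size_t)(p - cur_ptr->value);
        char *grown = realloc(cur_ptr->value, strlen(cur_ptr->value) - oldlen + newlen + 1);
        if (!grown) {
          hydra_report(stderr, "[ERROR] Out of memory (hddrep).\n");
          hydra_child_exit(0);
        }
        cur_ptr->value = grown;
        p = cur_ptr->value + off; /* realloc may have moved the block */
        memmove(p + newlen, p + oldlen, taillen);
        memcpy(p, newvalue, newlen);
      }
```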
@@ -4,7 +4,7 @@ WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align CFLAGS ?= -g -OPTS=-I. -O3 $(CFLAGS) -fcommon +OPTS=-I. -O3 $(CFLAGS) -fcommon -Wno-deprecated-declarations CPPFLAGS += -D_GNU_SOURCE # -Wall -g -pedantic LIBS=-lm diff --git a/hydra-http-form.c b/hydra-http-form.c index 9e3c92b..a8e5922 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -322,8 +322,7 @@ void hdrrep(ptr_header_node *ptr_head, char *oldvalue, char *newvalue) { char *p = strstr(cur_ptr->value, oldvalue); memmove(p + newlen, p + oldlen, strlen(p + oldlen) + 1); memcpy(p, newvalue, newlen); - } - else { + } else { hydra_report(stderr, "[ERROR] Out of memory (hddrep).\n"); hydra_child_exit(0); } @@ -805,7 +804,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { free(cookie_header); return 1; - } + } } else { if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) hdrrepv(&ptr_head, "Content-Length", "0"); diff --git a/hydra-mod.c b/hydra-mod.c index de86f66..c988c1d 100644 --- a/hydra-mod.c +++ b/hydra-mod.c @@ -664,7 +664,7 @@ char *hydra_get_next_pair() { // if (debug) hydra_dump_data(pair, __fck, "CHILD READ PAIR"); if (pair[0] == 0 || __fck <= 0) return HYDRA_EMPTY; - if (__fck >= sizeof(HYDRA_EXIT) && memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0) + if (__fck >= sizeof(HYDRA_EXIT) && memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0) return HYDRA_EXIT; } return pair; 
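Review bot: `-Wno-deprecated-declarations` is appended to `OPTS`, which applies to every translation unit and silences the compiler's only signal for which library entry points the modules still depend on (presumably ones that newer OpenSSL or libssh releases mark deprecated — the hunk does not say). A comment next to the flag naming the API family and the condition for dropping it, `# silence deprecation warnings for legacy library APIs until the modules are ported; remove once <library> calls are updated`, or scoping the flag to the affected objects, keeps the suppression from becoming permanent.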
diff --git a/hydra-smb2.c b/hydra-smb2.c index 5e99451..9f396be 100644 --- a/hydra-smb2.c +++ b/hydra-smb2.c @@ -126,7 +126,7 @@ bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) { */ switch (errno) { - case 0: + case 0: // maybe false positive? unclear ... :( ... needs more testing smbc_free_context(ctx, 1); return true; diff --git a/hydra-svn.c b/hydra-svn.c index 063f12c..0258f9a 100644 --- a/hydra-svn.c +++ b/hydra-svn.c @@ -4,7 +4,9 @@ #ifdef LIBSVN /* needed on openSUSE */ +#ifndef _GNU_SOURCE #define _GNU_SOURCE +#endif #if !defined PATH_MAX && defined HAVE_SYS_PARAM_H #include From d2363dc99eb109adb031508e3fbde6fbba5103ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20den=20Berg?= Date: Thu, 10 Aug 2023 16:25:37 +0200 Subject: [PATCH 31/79] Allow HTTP-POST with F=403 I had a site which returns 200OK, but a json containing 403. Get results in "invalid api call". Allow using F= with post. --- hydra.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hydra.c b/hydra.c index 4e33711..30a8ece 100644 --- a/hydra.c +++ b/hydra.c @@ -388,7 +388,7 @@ static const struct { {"http-get-form", service_http_form_init, service_http_get_form, usage_http_form}, {"http-head", service_http_init, service_http_head, NULL}, {"http-form", service_http_form_init, NULL, usage_http_form}, - {"http-post", NULL, service_http_post, usage_http}, + {"http-post", service_http_init, service_http_post, usage_http}, {"http-post-form", service_http_form_init, service_http_post_form, usage_http_form}, SERVICE3("http-proxy", http_proxy), SERVICE3("http-proxy-urlenum", http_proxy_urlenum), From 16b424af4db7f49d09b4a9157e805040ebff23ee Mon Sep 17 00:00:00 2001 
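Review bot: Giving `http-post` the same `service_http_init` as `http-head` enables the `F=` condition handling for that module, but nothing in the commit records it: there is no CHANGES entry, and `usage_http`, which the same table row points at, is unchanged, so a user has no way to discover that `F=` now applies to `http-post`. A CHANGES line and a sentence in the `usage_http` text would close that gap; whether `service_http_post` reads `miscptr` only after `service_http_init` has consumed the condition from it cannot be confirmed from this hunk.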
From: vanhauser-thc Date: Sun, 13 Aug 2023 13:07:10 +0200 Subject: [PATCH 32/79] support -W for modules that use libarries --- CHANGES | 2 ++ hydra-firebird.c | 3 +++ hydra-http.c | 2 +- hydra-memcached.c | 3 +++ hydra-mongodb.c | 3 +++ hydra-mysql.c | 3 +++ hydra-oracle-listener.c | 3 +++ hydra-oracle-sid.c | 3 +++ hydra-oracle.c | 3 +++ hydra-postgres.c | 3 +++ hydra-rdp.c | 2 ++ hydra-sapr3.c | 3 +++ hydra-smb2.c | 8 ++++++++ hydra-ssh.c | 2 ++ hydra-sshkey.c | 3 +++ hydra-svn.c | 3 +++ 16 files changed, 48 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a78dfea..685f48d 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ Changelog for hydra ------------------- Release 9.5 +* many modules did not support -W (all those that used a library for the + connection). All (or most?) should be fixed now. * http-form: - The help for http-form was wrong. the condition variable must always be the *last* parameter, not the third diff --git a/hydra-firebird.c b/hydra-firebird.c index 4898c46..dea104f 100644 --- a/hydra-firebird.c +++ b/hydra-firebird.c @@ -22,6 +22,7 @@ void dummy_firebird() { printf("\n"); } #define DEFAULT_DB "C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb" +extern hydra_option hydra_options; extern char *HYDRA_EXIT; int32_t start_firebird(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { @@ -124,6 +125,8 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr */ next_run = start_firebird(sock, ip, port, options, miscptr, fp); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: diff --git a/hydra-http.c b/hydra-http.c index c76b937..ba9a676 100644 --- a/hydra-http.c +++ b/hydra-http.c 
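Review bot: The sleep-after-attempt block added to `service_firebird` is repeated in thirteen modules in this commit with two different conditions: `firebird`, `mysql`, `oracle`, `postgres` and `svn` wait when `next_run` is 1 or 2, while `memcached`, `mongodb`, `oracle-listener`, `oracle-sid`, `rdp`, `sapr3`, `ssh` and `sshkey` wait only on 1. If `next_run == 2` means "reconnect" in the first group and "exit" in the second that is fine, but it is not written down anywhere; a short comment at each site, `// -W: wait between attempts (2 = reconnect, so wait there too)` or its counterpart, would stop the next module author from guessing. `hydra_options` is also declared `extern` separately in each file instead of once in a shared header; if `hydra-mod.h` is included by all of them, declaring it there would remove the duplication. The enclosing `switch` and `service_firebird` continue outside the hunk.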
@@ -451,7 +451,7 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis start--; memset(start, '\0', condition_len); if (debug) - hydra_report(stderr, "Modificated options:%s\n", miscptr); + hydra_report(stderr, "Modified options:%s\n", miscptr); } else { if (debug) hydra_report(stderr, "Condition not found\n"); diff --git a/hydra-memcached.c b/hydra-memcached.c index ca21d26..5a7c112 100644 --- a/hydra-memcached.c +++ b/hydra-memcached.c @@ -13,6 +13,7 @@ void dummy_mcached() { printf("\n"); } extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); +extern hydra_option hydra_options; extern char *HYDRA_EXIT; int mcached_send_com_quit(int32_t sock) { @@ -117,6 +118,8 @@ void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr, switch (run) { case 1: next_run = start_mcached(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 2: hydra_child_exit(0); diff --git a/hydra-mongodb.c b/hydra-mongodb.c index d413192..66269be 100644 --- a/hydra-mongodb.c +++ b/hydra-mongodb.c @@ -14,6 +14,7 @@ void dummy_mongodb() { printf("\n"); } extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char *buf; @@ -136,6 +137,8 @@ void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr, switch (run) { case 1: next_run = start_mongodb(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 2: hydra_child_exit(0); diff --git a/hydra-mysql.c b/hydra-mysql.c index eae5fd9..01a258e 100644 --- a/hydra-mysql.c +++ b/hydra-mysql.c 
@@ -35,6 +35,7 @@ char *hydra_scramble(char *to, const char *message, const char *password); extern int32_t internal__hydra_recv(int32_t socket, char *buf, int32_t length); extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char mysqlsalt[9]; @@ -332,6 +333,8 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F break; case 2: /* run the cracking function */ next_run = start_mysql(sock, ip, port, options, miscptr, fp); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: /* clean exit */ if (sock >= 0) { diff --git a/hydra-oracle-listener.c b/hydra-oracle-listener.c index e6b77ec..563670b 100644 --- a/hydra-oracle-listener.c +++ b/hydra-oracle-listener.c @@ -19,6 +19,7 @@ void dummy_oracle_listener() { printf("\n"); } #include #define HASHSIZE 17 +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char *buf; unsigned char *hash; @@ -304,6 +305,8 @@ void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char * } /* run the cracking function */ next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: /* clean exit */ if (sock >= 0) diff --git a/hydra-oracle-sid.c b/hydra-oracle-sid.c index c2db73a..32ac557 100644 --- a/hydra-oracle-sid.c +++ b/hydra-oracle-sid.c @@ -16,6 +16,7 @@ void dummy_oracle_sid() { printf("\n"); } #include #define HASHSIZE 16 +extern hydra_option hydra_options; extern char *HYDRA_EXIT; char *buf; unsigned char *hash; @@ -113,6 +114,8 @@ void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscp } /* run the cracking function */ next_run = start_oracle_sid(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: /* clean exit */ if (sock >= 0) 
diff --git a/hydra-oracle.c b/hydra-oracle.c
index 46deb44..2ae18de 100644
--- a/hydra-oracle.c
+++ b/hydra-oracle.c
@@ -21,6 +21,7 @@ void dummy_oracle() { printf("\n"); }
 #include
 #include
+extern hydra_option hydra_options;
 extern char *HYDRA_EXIT;
 OCIEnv *o_environment;
@@ -165,6 +166,8 @@ void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr,
 break;
 case 2:
 next_run = start_oracle(sock, ip, port, options, miscptr, fp);
+if ((next_run == 1 || next_run == 2) && hydra_options.conwait)
+sleep(hydra_options.conwait);
 break;
 case 3: /* clean exit */
 if (sock >= 0)
diff --git a/hydra-postgres.c b/hydra-postgres.c
index 7f958f7..6826c78 100644
--- a/hydra-postgres.c
+++ b/hydra-postgres.c
@@ -16,6 +16,7 @@ void dummy_postgres() { printf("\n"); }
 #define DEFAULT_DB "template1"
+extern hydra_option hydra_options;
 extern char *HYDRA_EXIT;
 int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
@@ -99,6 +100,8 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr
 * Here we start the password cracking process
 */
 next_run = start_postgres(sock, ip, port, options, miscptr, fp);
+if ((next_run == 2 || next_run == 1) && hydra_options.conwait)
+sleep(hydra_options.conwait);
 break;
 case 3:
 if (sock >= 0)
diff --git a/hydra-rdp.c b/hydra-rdp.c
index 456a1c3..a8a69bc 100644
--- a/hydra-rdp.c
+++ b/hydra-rdp.c
@@ -125,6 +125,8 @@ void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
 else
 sleep(hydra_options.conwait);
 next_run = start_rdp(ip, myport, options, miscptr, fp);
+if (next_run == 1 && hydra_options.conwait)
+sleep(hydra_options.conwait);
 break;
 case 2: /* clean exit */
 freerdp_disconnect(instance);
diff --git a/hydra-sapr3.c b/hydra-sapr3.c
index 26024da..76ce7b7 100644
--- a/hydra-sapr3.c
+++ b/hydra-sapr3.c
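Review bot: In the `hydra-rdp.c` hunk the context lines directly above the change already contain `else sleep(hydra_options.conwait);` before `start_rdp`, so with `-W` the RDP module now waits twice per attempt — once before and once after each try — unless the `if` branch that sits outside the hunk makes the existing sleep apply to a different path; confirm, and drop one of the two, most likely the newly added `if (next_run == 1 && hydra_options.conwait) sleep(hydra_options.conwait);`. `service_rdp` and its `switch` continue outside the hunk.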
@@ -14,6 +14,7 @@ const int32_t *__ctype_b;
 extern void flood(); /* for -lm */
+extern hydra_option hydra_options;
 extern char *HYDRA_EXIT;
 RFC_ERROR_INFO_EX error_info;
@@ -99,6 +100,8 @@ void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, F
 switch (run) {
 case 1: /* connect and service init function */
 next_run = start_sapr3(sock, ip, port, options, miscptr, fp);
+if (next_run == 1 && hydra_options.conwait)
+sleep(hydra_options.conwait);
 break;
 case 2:
 hydra_child_exit(0);
diff --git a/hydra-smb2.c b/hydra-smb2.c
index 9f396be..d1d220d 100644
--- a/hydra-smb2.c
+++ b/hydra-smb2.c
@@ -27,6 +27,7 @@
 #include
 #include
+extern hydra_option hydra_options;
 extern char *HYDRA_EXIT;
 typedef struct creds {
@@ -173,10 +174,15 @@ bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) {
 }
 void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
+static int first_run = 0;
 hydra_register_socket(sp);
+
 while (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))) {
 char *login, *pass;
+if (first_run && hydra_options.conwait)
+sleep(hydra_options.conwait);
+
 login = hydra_get_next_login();
 pass = hydra_get_next_password();
@@ -191,6 +197,8 @@ void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
 } else {
 hydra_completed_pair();
 }
+
+first_run = 1;
 }
 EXIT_NORMAL;
 }
diff --git a/hydra-ssh.c b/hydra-ssh.c
index 785ae1e..96293ab 100644
--- a/hydra-ssh.c
+++ b/hydra-ssh.c
@@ -119,6 +119,8 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
 switch (run) {
 case 1: /* connect and service init function */
 next_run = start_ssh(sock, ip, port, options, miscptr, fp);
+if (next_run == 1 && hydra_options.conwait)
+sleep(hydra_options.conwait);
 break;
 case 2:
 ssh_disconnect(session);
diff --git a/hydra-sshkey.c b/hydra-sshkey.c
index 092d655..cac66e0 100644
--- a/hydra-sshkey.c
+++ b/hydra-sshkey.c
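Review bot: `static int first_run = 0;` in `service_smb2` persists across calls, which is more than it needs — it only exists to skip the wait before the first pair of this invocation — and a `static` quietly assumes the function is never entered a second time in the same process. A plain local, `bool first_run = false;` initialised before the loop and set to `true` at the end of the body (the file already uses `bool` in `smb2_run_test`), says the same thing without that assumption. The wait is also placed before the attempt here while every other module in this commit waits after it; that is equivalent only if the loop body between the two hunks has no `continue`, which cannot be seen from here.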
@@ -16,6 +16,7 @@ void dummy_sshkey() { printf("\n"); } #if LIBSSH_VERSION_MAJOR >= 0 && LIBSSH_VERSION_MINOR >= 4 extern ssh_session session; +extern hydra_option hydra_options; extern char *HYDRA_EXIT; extern int32_t new_session; @@ -117,6 +118,8 @@ void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr, switch (run) { case 1: /* connect and service init function */ next_run = start_sshkey(sock, ip, port, options, miscptr, fp); + if (next_run == 1 && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 2: ssh_disconnect(session); diff --git a/hydra-svn.c b/hydra-svn.c index 0258f9a..0664924 100644 --- a/hydra-svn.c +++ b/hydra-svn.c @@ -32,6 +32,7 @@ void dummy_svn() { printf("\n"); } extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec); +extern hydra_option hydra_options; extern char *HYDRA_EXIT; #define DEFAULT_BRANCH "trunk" @@ -197,6 +198,8 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL break; case 2: next_run = start_svn(sock, ip, port, options, miscptr, fp); + if ((next_run == 1 || next_run == 2) && hydra_options.conwait) + sleep(hydra_options.conwait); break; case 3: if (sock >= 0) From 1dce42a0ccab0fa8946741e71be8bdf7fb16e9f4 Mon Sep 17 00:00:00 2001 From: andraxin Date: Fri, 29 Sep 2023 00:06:49 +0200 Subject: [PATCH 33/79] Update hydra-http-form.c Fix handling web forms that may return 401. --- hydra-http-form.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index a8e5922..b6f888e 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -66,6 +66,7 @@ int32_t success_cond = 0; int32_t getcookie = 1; int32_t auth_flag = 0; int32_t code_302_is_success = 0; +int32_t code_401_is_failure = 0; char cookie[4096] = "", cmiscptr[1024]; 
@@ -437,6 +438,14 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
 sprintf(cookieurl, "%.1000s", hydra_strrep(miscptr + 2, "\\:", ":"));
 miscptr = ptr;
 break;
+case '1':
+code_401_is_failure = 1;
+char *tmp = strchr(miscptr, ':');
+if (tmp)
+miscptr = tmp + 1;
+else
+miscptr += strlen(miscptr);
+break;
 case '2':
 code_302_is_success = 1;
 char *tmp = strchr(miscptr, ':');
@@ -971,12 +980,17 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 found = success_cond;
 }
 
-if (auth_flag) { // we received a 401 error - user is using wrong module
-hydra_report(stderr,
-"[ERROR] the target is using HTTP auth, not a web form, received HTTP "
-"error code 401. Use module \"http%s-get\" instead.\n",
-(options & OPTION_SSL) > 0 ? "s" : "");
-return 2;
+if (auth_flag) { // we received a 401 error - user may be using wrong module
+if (code_401_is_failure) { // apparently they don't think so -- treat 401 as failure
+hydra_completed_pair();
+return 1;
+} else {
+hydra_report(stderr,
+"[ERROR] received HTTP error code 401. The target may be using HTTP auth, "
+"not a web form. Use module \"http%s-get\" instead, or set \"1=\".\n",
+(options & OPTION_SSL) > 0 ? "s" : "");
+return 2;
+}
 }
 
 if (strlen(cookie) > 0)
From 15b1f93903e0ba1aa1733afd509183ba761e0683 Mon Sep 17 00:00:00 2001
From: Hatsumi-FR
Date: Sun, 3 Dec 2023 14:11:19 +0100
Subject: [PATCH 34/79] Fix "make" error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Variable 'tmp' was moved to a higher scope in the parse_options function of hydra-http-form.c. This change was necessary to prevent duplicate declarations in the different switch case blocks. This PR fix "make" error : error: redefinition of ‘tmp’
---
 hydra-http-form.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hydra-http-form.c b/hydra-http-form.c
index b6f888e..26c2d29 100644
--- a/hydra-http-form.c
+++ b/hydra-http-form.c
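Review bot: The new `case '1':` declares `char *tmp = strchr(miscptr, ':');` in the same `switch` block scope where the visible `case '2':` already declares `char *tmp`, so the file no longer compiles (redefinition of `tmp`). Either give each case body its own braces or hoist a single `char *tmp;` to the top of `parse_options` and write `tmp = strchr(miscptr, ':');` in both cases. The two case bodies are otherwise identical apart from the flag they set; a tiny `static char *skip_to_next_option(char *miscptr)` returning the advanced pointer would remove the duplication. `parse_options` continues outside the hunk.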
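Review bot: The new `hydra_completed_pair(); return 1;` path for `code_401_is_failure`, like the existing `return 2` next to it, leaves `start_http_form` without the `free(cookie_header)` that precedes every other `return 1` in this function, so treating 401 as a failure leaks the cookie header on every attempt — assuming `cookie_header` is the function-local those other return paths free. Add `free(cookie_header);` before both returns, or route them through the same cleanup the send-failure paths use. `start_http_form` begins and ends outside the hunk.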
@@ -390,7 +390,7 @@ char *stringify_headers(ptr_header_node *ptr_head) {
 }
 
 int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
-char *ptr, *ptr2;
+char *ptr, *ptr2, *tmp;
 
 if (miscptr == NULL)
 return 1;
@@ -440,7 +440,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
 break;
 case '1':
 code_401_is_failure = 1;
-char *tmp = strchr(miscptr, ':');
+*tmp = strchr(miscptr, ':');
 if (tmp)
 miscptr = tmp + 1;
 else
@@ -448,7 +448,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
 break;
 case '2':
 code_302_is_success = 1;
-char *tmp = strchr(miscptr, ':');
+*tmp = strchr(miscptr, ':');
 if (tmp)
 miscptr = tmp + 1;
 else
From 48c1e20985204087e9d30cf0fa97557bf281495b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?T=C3=93TH=20Istv=C3=A1n?=
Date: Tue, 5 Dec 2023 01:04:50 +0100
Subject: [PATCH 35/79] fix smb password expired vs account expired confusion
---
 hydra-smb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hydra-smb.c b/hydra-smb.c
index 6fc5bbd..6476822 100644
--- a/hydra-smb.c
+++ b/hydra-smb.c
@@ -1280,8 +1280,8 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
 } else if (SMBerr == 0x000193) { /* Valid password, account expired */
 hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, account expired\n", port, ipaddr_str, login);
 hydra_report_found_host(port, ip, "smb", fp);
-hydra_completed_pair_found();
-} else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, account expired */
+hydra_completed_pair_skip();
+} else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, password expired */
 hydra_report(stdout,
 "[%d][smb] Host: %s Account: %s Valid password, password "
 "expired and must be changed on next logon\n",
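Review bot: `*tmp = strchr(miscptr, ':');` in both the `case '1'` (@@ -440) and `case '2'` (@@ -448) hunks writes through `tmp`, which is uninitialised now that its declaration moved to the top of `parse_options`, and stores a `char *` into a `char` — undefined behaviour at runtime and a pointer-to-integer conversion diagnostic at compile time — and the `if (tmp)` that follows then tests the garbage pointer rather than the search result. The intended statement is the plain assignment `tmp = strchr(miscptr, ':');` in both cases. `parse_options` continues outside the hunks.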
@@ -1311,7 +1311,7 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char } else if (SMBerr == 0x000071) { /* password expired */ if (verbose) fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED\n", port, ipaddr_str, login); - hydra_completed_pair_skip(); + hydra_completed_pair_found(); } else if ((SMBerr == 0x000072) || (SMBerr == 0xBF0002)) { /* account disabled */ /* BF0002 on w2k */ if (verbose) fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_DISABLED\n", port, ipaddr_str, login); From 9269d54ca48717dbd66c80778dab9ea1fc15c935 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?T=C3=93TH=20Istv=C3=A1n?= Date: Tue, 5 Dec 2023 00:56:18 +0100 Subject: [PATCH 36/79] add legacy SSH ciphers support --- hydra-ssh.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hydra-ssh.c b/hydra-ssh.c index 96293ab..6ccae4e 100644 --- a/hydra-ssh.c +++ b/hydra-ssh.c 
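Review bot: The 0x000071 branch now records the pair as found via `hydra_completed_pair_found()` but still prints only under `verbose`, and to stderr, so with default options a valid credential is counted yet never shown; unlike the account-expired branch in the first hunk it also never calls `hydra_report_found_host(port, ip, "smb", fp)`, so the hit is missing from the `-o` output as far as that helper is what feeds it. Mirror the account-expired branch: `hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, password expired\n", port, ipaddr_str, login); hydra_report_found_host(port, ip, "smb", fp);` before the completed-pair call. Conversely the account-expired branch keeps `hydra_report_found_host` while switching to `hydra_completed_pair_skip()`, which is consistent only if the intent is "password correct, stop trying this user"; a short comment stating that would help. `start_smb` continues outside the hunk.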
@@ -47,6 +47,9 @@ int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char
 ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime);
 ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
 ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
+ // might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list
+ ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256");
+ ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256");
 if (ssh_connect(session) != 0) {
 // if the connection was drop, exit and let hydra main handle it
 if (verbose)
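Review bot: Neither added `ssh_options_set()` call checks its return value, so if this libssh build rejects the list (for instance one compiled without the SHA-1 key exchanges or DSA host keys) the session silently keeps libssh's default and the user gets no hint why a legacy server still fails. Check the result, e.g. `if (ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, ...) < 0 && verbose) fprintf(stderr, "[WARNING] legacy KEX list rejected: %s\n", ssh_get_error(session));`, and likewise for the host-key list. Listing `diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1` and `ssh-dss` first also makes them preferred over the modern entries when a server offers both; that is acceptable for a credential-testing client, but the comment should say it is deliberate rather than "might be better". `start_ssh` continues outside the hunk.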
@@ -192,6 +195,9 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none"); ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none"); + // might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list + ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256"); + ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256"); if (ssh_connect(session) != 0) { fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string_beautiful(ip), port, ssh_get_error(session)); return 2; From 438e4fa5370b0d81b3c577a6cf7a29d6fccec624 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 5 Dec 2023 09:36:16 +0100 Subject: [PATCH 37/79] fix --- hydra-http-form.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 26c2d29..2ff75a0 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -440,7 +440,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { break; case '1': code_401_is_failure = 1; - *tmp = strchr(miscptr, ':'); + tmp = strchr(miscptr, ':'); if (tmp) miscptr = tmp + 1; else @@ -448,7 +448,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { break; case '2': code_302_is_success = 1; - *tmp = strchr(miscptr, ':'); + tmp = strchr(miscptr, ':'); if (tmp) miscptr = tmp + 1; else 
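Review bot: The same two algorithm strings are now pasted verbatim into both `start_ssh` and `service_ssh_init`, together with the in-line comment admitting they should be derived from the default, so the next change to the legacy list has to be made twice and the two copies will drift. Hoist them into file-scope constants, `static const char *ssh_legacy_kex = "diffie-hellman-group-exchange-sha1,...";` and `static const char *ssh_legacy_hostkeys = "ssh-rsa,ssh-dss,...";`, and pass those in both places. `service_ssh_init` continues outside the hunk.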
From 8c4165a83bc3126dd727244e0b5466c1a18aa67c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 7 Dec 2023 15:54:02 +0100 Subject: [PATCH 38/79] show form 401 option --- hydra-http-form.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 2ff75a0..022cc24 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -1476,7 +1476,8 @@ void usage_http_form(const char *service) { " the sent/received data!\n" " Note that using invalid login condition checks can result in false positives!\n" "\nThe following parameters are optional and are put between the form parameters\n" - " and the condition string; seperate them too with colons:\n" + "and the condition string; seperate them too with colons:\n" + " 1= 401 error response is interpreted as user/pass wrong\n" " 2= 302 page forward return codes identify a successful attempt\n" " (c|C)=/page/uri to define a different page to gather initial " "cookies from\n" From 82fd1a3ca0120960a5f0263e6984e03ebc1a6b5f Mon Sep 17 00:00:00 2001 From: tothi Date: Thu, 29 Feb 2024 02:52:00 +0100 Subject: [PATCH 39/79] Update hydra-smb.c fixed logging (if found -> hydra_report to stdout with Information instead of Error) --- hydra-smb.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hydra-smb.c b/hydra-smb.c index 6476822..0db54da 100644 --- a/hydra-smb.c +++ b/hydra-smb.c 
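Review bot: The rewritten line still carries the misspelling `seperate`; since the line is being touched anyway it should read `"and the condition string; separate them too with colons:\n"`. The new `1=` entry could also state what happens without it, e.g. `" 1= 401 error response is interpreted as user/pass wrong (default: abort, suggesting the http-get module)\n"`, which is what the 401 path in `start_http_form` appears to do (it reports an error and returns 2). `usage_http_form` continues outside the hunk.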
@@ -1304,13 +1304,12 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char hydra_report(stderr, "[INFO] LM dialect may be disabled, try LMV2 instead\n"); hydra_completed_pair_skip(); } else if (SMBerr == 0x000024) { /* change password on next login [success] */ - hydra_report(stdout, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Information: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login); hydra_completed_pair_found(); } else if (SMBerr == 0x00006D) { /* STATUS_LOGON_FAILURE */ hydra_completed_pair(); } else if (SMBerr == 0x000071) { /* password expired */ - if (verbose) - fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED\n", port, ipaddr_str, login); + hydra_report(stdout, "[%d][smb] Host: %s Account: %s Information: PASSWORD EXPIRED\n", port, ipaddr_str, login); hydra_completed_pair_found(); } else if ((SMBerr == 0x000072) || (SMBerr == 0xBF0002)) { /* account disabled */ /* BF0002 on w2k */ if (verbose) From 03cdc31f98098cf52129d32d5cb604875538560a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 1 Apr 2024 14:18:47 +0200 Subject: [PATCH 40/79] update oracle url --- INSTALL | 2 +- configure | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/INSTALL b/INSTALL index 752aa63..20f12fd 100644 --- a/INSTALL +++ b/INSTALL @@ -24,5 +24,5 @@ https://wiki.termux.com/wiki/Graphical_Environment For the Oracle login module, install the basic and SDK packages: - http://www.oracle.com/technetwork/database/features/instant-client/index.html + https://www.oracle.com/database/technologies/instant-client/downloads.html diff --git a/configure b/configure index 425f80a..1ae09a9 100755 --- a/configure +++ b/configure 
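Review bot: Both branches now call `hydra_completed_pair_found()` and print to stdout, but neither calls `hydra_report_found_host(port, ip, "smb", fp)` the way the account-expired branch in this function does, so these valid credentials are presumably not written to the `-o` output file. Add `hydra_report_found_host(port, ip, "smb", fp);` after each `hydra_report(stdout, ...)` line. `start_smb` continues outside the hunk.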
@@ -966,7 +966,7 @@ if [ -n "$ORACLE_PATH" -a -n "$ORACLE_IPATH" ]; then fi if [ "X" = "X$ORACLE_PATH" -o "X" = "X$ORACLE_IPATH" ]; then echo " ... NOT found, module Oracle disabled" - echo "Get basic and sdk package from http://www.oracle.com/technetwork/database/features/instant-client/index.html" + echo "Get basic and sdk package from https://www.oracle.com/database/technologies/instant-client/downloads.html" ORACLE_PATH="" ORACLE_IPATH="" fi From eaf17e9d5dab49accd9663fd7847b9c821dac9f9 Mon Sep 17 00:00:00 2001 From: Umut Yilmaz Date: Tue, 7 May 2024 21:53:13 +0200 Subject: [PATCH 41/79] Bump Dockerfile Base Image * Debian Buster -> Debian Bookworm --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 599e7e1..9f16b02 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:buster-slim +FROM debian:bookworm-slim ARG HYDRA_VERSION="github" From eb7ab3907b97df475c455b0bd187b937e2cfe4aa Mon Sep 17 00:00:00 2001 From: a12092 Date: Tue, 13 Aug 2024 13:16:22 +0800 Subject: [PATCH 42/79] Adapt with freerdp changes FreeRDP/FreeRDP#7738 use fields under rdpContext instead of freerdp FreeRDP/FreeRDP@5f8100 removes reference to MaxTimeInCheckLoop since FreeRDP has dropped this field after migrating away from blocking poll loop. --- hydra-rdp.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/hydra-rdp.c b/hydra-rdp.c index a8a69bc..dc38b40 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c 
@@ -16,24 +16,34 @@ void dummy_rdp() { printf("\n"); } #else #include +#include freerdp *instance = 0; BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) { int32_t err = 0; - instance->settings->Username = login; - instance->settings->Password = password; - instance->settings->IgnoreCertificate = TRUE; +#if FREERDP_VERSION_MAJOR == 3 + rdpSettings* settings = instance->context->settings; +#else + rdpSettings* settings = instance->settings; +#endif + + settings->Username = login; + settings->Password = password; + settings->IgnoreCertificate = TRUE; if (password[0] == 0) - instance->settings->AuthenticationOnly = FALSE; + settings->AuthenticationOnly = FALSE; else - instance->settings->AuthenticationOnly = TRUE; - instance->settings->ServerHostname = server; - instance->settings->ServerPort = port; - instance->settings->Domain = domain; - instance->settings->MaxTimeInCheckLoop = 100; + settings->AuthenticationOnly = TRUE; + settings->ServerHostname = server; + settings->ServerPort = port; + settings->Domain = domain; + +#if FREERDP_VERSION_MAJOR == 2 + settings->MaxTimeInCheckLoop = 100; +#endif // freerdp timeout format is microseconds -> default:15000 - instance->settings->TcpConnectTimeout = hydra_options.waittime * 1000; - instance->settings->TlsSecLevel = 0; + settings->TcpConnectTimeout = hydra_options.waittime * 1000; + settings->TlsSecLevel = 0; freerdp_connect(instance); err = freerdp_get_last_error(instance->context); return err; From 7545077a16b7aec696bbf14c87b4f5a44f0d34fc Mon Sep 17 00:00:00 2001 From: a12092 Date: Tue, 13 Aug 2024 14:19:14 +0800 Subject: [PATCH 43/79] Unify settings access between freerdp 2 and 3 use `instance->context->settings` in both versions. --- hydra-rdp.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/hydra-rdp.c b/hydra-rdp.c index dc38b40..0b3c690 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c 
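Review bot: `#if FREERDP_VERSION_MAJOR == 3` with an `#else` that dereferences `instance->settings` means any major version other than 3 (a future FreeRDP 4, for example) silently falls back to the field FreeRDP 3 already removed; the test should be `#if FREERDP_VERSION_MAJOR >= 3`, while the `#if FREERDP_VERSION_MAJOR == 2` guard around `MaxTimeInCheckLoop` is fine because it names the only version that has the field. The `#include` added at the top lost its target in this rendering, so I cannot confirm it is `<freerdp/version.h>`, which is where `FREERDP_VERSION_MAJOR` would come from. The unchanged `IgnoreCertificate = TRUE` / `TlsSecLevel = 0` lines deserve a comment that this is intentional for a credential-testing client, since they disable server verification. `rdp_connect` continues outside the hunk.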
@@ -21,11 +21,7 @@ freerdp *instance = 0; BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) { int32_t err = 0; -#if FREERDP_VERSION_MAJOR == 3 rdpSettings* settings = instance->context->settings; -#else - rdpSettings* settings = instance->settings; -#endif settings->Username = login; settings->Password = password; From 0b7d3c4bbfe31ea459575b8e922a69254b1e7ab2 Mon Sep 17 00:00:00 2001 From: motypi Date: Wed, 5 Feb 2025 23:18:42 +0100 Subject: [PATCH 44/79] integrated multipart in start_http_form, created multipart flag --- hydra-http-form.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/hydra-http-form.c b/hydra-http-form.c index 022cc24..81528eb 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -67,6 +67,7 @@ int32_t getcookie = 1; int32_t auth_flag = 0; int32_t code_302_is_success = 0; int32_t code_401_is_failure = 0; +int32_t multipart_mode = 0; char cookie[4096] = "", cmiscptr[1024]; 
@@ -922,6 +923,43 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options hydra_reconnect(s, ip, port, options, hostname); } // now prepare for the "real" request + // first handle multipart/form-data, which is always POST + if (multipart_mode){ + char *multipart_body = NULL; + char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z"; + multipart_body = build_multipart_body(variables, multipart_boundary); + if (multipart_body == NULL) { + hydra_report(stderr, "[ERROR] FAiled to build multipart body. \n"); + return 0; + } + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + + char content_type[256]; + snprintf(content_type, sizeof(content_type) - 1, "multipart/for/data; boundary=%s", multipart_body); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Content-type", content_type); + + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + http_request = prepare_http_request("POST", url, multipart_body, normal_request); + free(multipart_body); + return 1; + } + + // for "normal" non-multipart POST forms if (strcmp(type, "POST") == 0) { snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) From 71c846d14fcf052ec4bb54c9290f8507c07f1a95 Mon Sep 17 00:00:00 2001 
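Review bot: The multipart branch never sends the request: after `prepare_http_request(...)` it does `return 1` instead of falling through to the send/response handling the POST and GET paths use, so with `multipart_mode` set no attempt reaches the target. It also frees `normal_request` and then hands that dangling pointer to `prepare_http_request` without rebuilding it via `stringify_headers(&ptr_head)`, overwrites `http_request` without freeing the previous one, builds the Content-Type as `"multipart/for/data; boundary=%s"` with `multipart_body` as the boundary (the media type is `multipart/form-data`), and replaces the header as `"Content-type"` after testing for `"Content-Type"`, which will miss if `hdrrepv` compares case-sensitively. `start_http_form` continues outside the hunk; the rewrite below assumes the common send path follows the branch, as it does for the urlencoded POST case.
```c
  if (multipart_mode) {
    // … unchanged: build multipart_body, set Content-Length …
    char content_type[256];
    snprintf(content_type, sizeof(content_type) - 1, "multipart/form-data; boundary=%s", multipart_boundary);
    if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
      add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT);
    else
      hdrrepv(&ptr_head, "Content-Type", content_type);
    // … unchanged: Cookie header …
    if (normal_request != NULL)
      free(normal_request);
    normal_request = stringify_headers(&ptr_head);
    if (http_request != NULL)
      free(http_request);
    http_request = prepare_http_request("POST", url, multipart_body, normal_request);
    free(multipart_body);
    // no early return: fall through to the common hydra_send()/analyze_server_response() path
  } else if (strcmp(type, "POST") == 0) {
```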
From: motypi Date: Thu, 6 Feb 2025 14:11:48 +0100 Subject: [PATCH 45/79] started on the build_multipart_body function --- hydra-http-form.c | 43 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 81528eb..8456dde 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -8,7 +8,7 @@ web-based login forms that require username and password variables via either a GET or POST request. The module works similarly to the HTTP basic auth module and will honour -proxy mode (with authenticaion) as well as SSL. The module can be invoked +proxy mode (with authentication) as well as SSL. The module can be invoked with the service names of "http-get-form", "http-post-form", "https-get-form" and "https-post-form". @@ -76,6 +76,7 @@ char bufferurl[6096 + 24], cookieurl[6096 + 24] = "", userheader[6096 + 24] = "" #define MAX_REDIRECT 8 #define MAX_CONTENT_LENGTH 20 +#define MAX_CONTENT_DISPOSITION 200 #define MAX_PROXY_LENGTH 2048 // sizeof(cookieurl) * 2 char redirected_url_buff[2048] = ""; 
@@ -533,6 +534,38 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { return 1; } +char *build_multipart_body(char multipart_boundary){ + char *ptr, *param1, *param2, *value1, *value2; + char *body = NULL; + char content_disposition[MAX_CONTENT_DISPOSITION]; + memcpy(ptr, variables, sizeof(variables)); + param1 = ptr; + + if (1){ + while (*ptr != 0 && (*ptr != '=')) + ptr++; + if (*ptr != 0) + *ptr++ = 0; + value1 = ptr; + + while (*ptr != 0 && (*ptr != '&')) + ptr++; + if (*ptr != 0) + *ptr++ = 0; + param2 = ptr; + + while (*ptr != 0 && (*ptr != '=')) + ptr++; + if (*ptr != 0) + *ptr++ = 0; + value2 = ptr; + + strcat(body, multipart_boundary); + snprintf(content_disposition, MAX_CONTENT_DISPOSITION - 1, "%d", (int32_t)strlen(upd3variables)); + + } +} + char *prepare_http_request(char *type, char *path, char *params, char *headers) { uint32_t reqlen = 0; char *http_request = NULL; @@ -926,10 +959,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options // first handle multipart/form-data, which is always POST if (multipart_mode){ char *multipart_body = NULL; - char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z"; - multipart_body = build_multipart_body(variables, multipart_boundary); + char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z\r\n"; + multipart_body = build_multipart_body(multipart_boundary); if (multipart_body == NULL) { - hydra_report(stderr, "[ERROR] FAiled to build multipart body. \n"); + hydra_report(stderr, "[ERROR] Failed to build multipart body. \n"); return 0; } snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); 
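Review bot: As committed, `build_multipart_body` cannot run: `ptr` is the `memcpy` destination while uninitialized, `sizeof(variables)` is the size of a pointer or array rather than the string length, `strcat(body, ...)` writes through the NULL `body`, the boundary parameter is a single `char` although the caller passes a string, and control reaches the end of a `char *` function without a `return`. The `snprintf` into `content_disposition` also formats `strlen(upd3variables)` rather than a `Content-Disposition: form-data; name="..."` line. The commit message says "started on", but a reader of the file cannot see that; if the function must land unfinished, gate it with `#if 0` plus a TODO so `multipart_mode` cannot reach it.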
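Review bot: `"----THC-HydraBoundaryz2Z2z\r\n"` now embeds a CRLF in the boundary string, and the same string is formatted into the `Content-Type: ...; boundary=%s` header in the following hunk, so the header line is split by a raw CR LF; servers will reject or misparse the request, and it is the same shape as a header-injection bug. The boundary must stay free of CR/LF, `char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z";`, and the line terminators belong in the body builder, which should emit `"--%s\r\n"` itself. A fixed boundary also means a field value containing that token corrupts the body; that is acceptable for a brute forcer but worth a one-line comment.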
@@ -939,7 +972,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); char content_type[256]; - snprintf(content_type, sizeof(content_type) - 1, "multipart/for/data; boundary=%s", multipart_body); + snprintf(content_type, sizeof(content_type) - 1, "multipart/for/data; boundary=%s", multipart_boundary); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); else From 57216f5ce656190803729fe68b59351b6c94cf66 Mon Sep 17 00:00:00 2001 From: motypi Date: Thu, 6 Feb 2025 16:26:53 +0100 Subject: [PATCH 46/79] added multipart_mode flag, build function incomplete --- hydra-http-form.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 8456dde..6d05abb 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -456,6 +456,15 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { else miscptr += strlen(miscptr); break; + case 'm': //fall through + case 'M': + multipart_mode = 1; + tmp = strchr(miscptr, ':'); + if (tmp) + miscptr = tmp + 1; + else + miscptr += strlen(miscptr); + break; case 'g': // fall through case 'G': ptr = miscptr + 2; @@ -959,7 +968,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options // first handle multipart/form-data, which is always POST if (multipart_mode){ char *multipart_body = NULL; - char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z\r\n"; + char multipart_boundary[32] = "----THC-HydraBoundaryz2Z2z\r\n"; multipart_body = build_multipart_body(multipart_boundary); if (multipart_body == NULL) { hydra_report(stderr, "[ERROR] Failed to build multipart body. \n"); From 373da88a7ed2926b8fadfab38369e2cec77072e4 Mon Sep 17 00:00:00 2001 
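Review bot: The Content-Type literal is still `"multipart/for/data; boundary=%s"`; the media type is `multipart/form-data`, so the line should be `snprintf(content_type, sizeof(content_type) - 1, "multipart/form-data; boundary=%s", multipart_boundary);`, and with the `\r\n` currently inside `multipart_boundary` this header also contains a line break. The new `m`/`M` option in `parse_options` only sets `multipart_mode` and skips to the next colon but is not described anywhere in the usage text; an entry such as `" (m|M) send the form as multipart/form-data instead of urlencoded\n"` belongs next to the `1=` and `2=` lines. `parse_options` and `start_http_form` both continue outside their hunks.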
From: Imane Khouani Date: Thu, 6 Feb 2025 17:21:47 +0100 Subject: [PATCH 47/79] build multipart function completed --- .vscode/tasks.json | 28 ++ Test | Bin 0 -> 20352 bytes Test.c | 122 +++++++ hydra-http-form.c | 663 ++++++++++++++++----------------------- peda-session-61558.txt | 3 + peda-session-61747.txt | 3 + peda-session-62215.txt | 3 + peda-session-62317.txt | 3 + peda-session-unknown.txt | 8 + 9 files changed, 445 insertions(+), 388 deletions(-) create mode 100644 .vscode/tasks.json create mode 100755 Test create mode 100644 Test.c create mode 100644 peda-session-61558.txt create mode 100644 peda-session-61747.txt create mode 100644 peda-session-62215.txt create mode 100644 peda-session-62317.txt create mode 100644 peda-session-unknown.txt diff --git a/.vscode/tasks.json b/.vscode/tasks.json new file mode 100644 index 0000000..08d9005 --- /dev/null +++ b/.vscode/tasks.json @@ -0,0 +1,28 @@ +{ + "tasks": [ + { + "type": "cppbuild", + "label": "C/C++: gcc build active file", + "command": "/usr/bin/gcc", + "args": [ + "-fdiagnostics-color=always", + "-g", + "${file}", + "-o", + "${fileDirname}/${fileBasenameNoExtension}" + ], + "options": { + "cwd": "${fileDirname}" + }, + "problemMatcher": [ + "$gcc" + ], + "group": { + "kind": "build", + "isDefault": true + }, + "detail": "Task generated by Debugger." + } + ], + "version": "2.0.0" +} \ No newline at end of file 
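Review bot: This commit adds `.vscode/tasks.json`, a compiled `Test` binary, a standalone `Test.c` and five `peda-session-*.txt` debugger files alongside the real change in `hydra-http-form.c`; editor configuration, build outputs and gdb-peda session state are local development artifacts and do not belong in the patch, and a checked-in binary cannot be reviewed at all. Drop them from the commit and add `.vscode/`, `peda-session-*.txt` and the test binary to `.gitignore` if they tend to reappear. If `Test.c` is meant to stay as a unit test for `build_multipart_body`, it should link against the real implementation instead of carrying its own copy of the function.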
diff --git a/Test b/Test new file mode 100755 index 0000000000000000000000000000000000000000..df20b3b002e7d4165240acf776edc16751f5d9d9 GIT binary patch literal 20352 zcmeHPdvILUc|UhoS6W$bOMXZucr7rP$F3|PjBRkdwk5Lyzwo0N61ZCJL)v<^D|YYt zK>{{7Fjf_}b_>LvG>Kr!;IyW3J1|jsMLc3dCuB_10BMGn(xga%rY1aUUf%w`bI!L~ zT_nG~LQeb>QGcahfk ze8AnjS=TpRKMd>qGt}u7Es1!~lJ=HF#FvOCv%7t}moD)wY4>MR{x(@L#pT68W9sS+ z+XUQ<5>Ka5xb`WU{gJFe%Sr#?z&{^+^qOz4-+uCiMW61<&3XGbXZMp%H;&tz&i>un zj*a3g&Gw#wX!G*sNVKQ<(&khKXtpPtw6ma+p?(teBF-?#ozZkAo=Sq#=5Jr@YgKxe zK@v)b`{H&qY-iJC5bBRCX>Yy_)yVNed7>C8CMpy^4@sg4r&|H($ow030240a&BXCi z^vC_nelx_EDaj_4W>BQ(EZ2fD75^CcUZ*l>s(&hdj>Bn^nMQxcG<>=qrt<$h_+A{& z(gDU)`j=0`_fNy8%X=z6w@$-<1$-|KXSooJsr*F1r#^6&o4}|O^Mp5`Bz!**89N;w z*dsE@fpk1+$Ao2N>`-`z74F+%#X|9fh^3=Z(u!mU2-v9|A{`AS5~;AX4cVe!QItJhc<&Ux&z z3AD|Bxv;vnuD9SZ+8fW<(e&2!YZ9qsbZe+55k(!n{i&p`+)}DjDx&!=jCup-5*+kL zIR7zjK<5tV@_nTt9Y2q>dHxo2H_{SfZpy`1>{>KwEJ?O{poS^9eKc1eT>A^nUGeOe? zW_{;mgm!U*mU!HrtX8u0Xdsai}zeB=?PZR`&ZmaXmIeCc4csA#oZvr z;%9TYu?TwSgn2J$<0jbV>nHp1T@Vto4R#os`+|eF9YCd1CO zMYD90eEO+$f(zufQzH8Xr14G64ugXyen7R2`PuM*GCXxc*`wZ9;Rj};2JqK|L+f#D zBi@0o!56v)PXz~`hO=)=XU{xE&ZI}#vayFy>tN?SL!I}K{SgY}&s88}2xLrTo8d^Z zeZ;2rKxF}Nm6;l}QX7X)2ZwH>`cd~bB(Za>Yw*La!RLd6FHsI;{U=qet+0nxFnkJX z!$AWvcETFR!A%ArDwNr}NQH6+p_~y}Kl!BUANWLuBEz~*;WDg00ItH?t&(&GeviO- zSY$C4w~ZCJPD1ysdI$4o%Gqg{4Rd9e6YrpTBd+v(XWUP`!Oo*_eN@!k)lPk*Q&Xy3 z98g*BmR6t1dMlI$I}Z(Y9?ECkuUwA6<%r16R*{|@`~Jt=qzBP)+JG`GGd!Yl`w{L+ z$cxJDPhkPQNx2<`yHQ7OUxXgo@H{GfUS#J(1Kv)KttGbZ^5tClTbF=^jzlttwv8yU z?4YAcTUu6X%NL%VxS-w+M1n&l3l|}FSf6Pf4UYIwwg%Vuf{z9FMAD(vsVpQI02s0( zl1xTI!N<~jZf(18LLb4w;W$M82PXY(DCEiXIo}tPgS9 zChbOQ0P)_sR5joPgr6v(%GNhNlFdciPL5p*TyoLKGm+pW4Ki-q9NP?mYL$GR<)2`1 zTr9;56f;oFKrsWw3=}g^%s?>%`3%td29<0knx-Yi6?QaZ6LG;nD3jThN=GDz2(0%D z;qxubRLxkEO4`w+?dynV22z>0jg`mc-dHN#?~8=&(3M{4sd-_hxoSq$3^I^*J|7TW zI@9S?+S`+jCnE7=ueU#&u;T+*DDw8CB76KZ#QI5$e)JYfGvE|&o8 zIGxMg1Gp9N7+}LYx!hL3PXV6;-0*%b_Y30Vpkmy*Ss1%(jd_)2o)5}y_?M_^Cw 
z6CGvpXZrJjwiAtdP7$oGU0Xf(nwpATo_%6v)3S>%JHMIOWdCIxN1<2v`#$k)9K+y` z0&=0czK)|6@m)v1i*#1k-tAgbRq7795t59B+R^h~F84BEUhaC4#Kls~KrsWw3=}g^ z%s?>%#S9cPP|QFv1OJaRz~6cCcU|;5HMsB< zoFt68dh%s{=uvbf3 zJ(YmQrSN@OSqyv?^pbMY_ZT(cUm@{Y;{hlxmH1qv4Ohc5iF=JZptD@!i;P*&xl-bb zjZ^S&mBg1CmqBNR!~@1(0}n_%XnX?wRTAH190$Hy;@gdFz&mCy#JSs`3w>?F#lZWF zGS~)XoCC&>fOkpUHm(PLO$Gf7vD;V)eErPpfbTN~VYQ)VJMcRV`axx*rv;q-#tGZV_=^nhF{M zV9o_zel6*A5cU$dJSM! z1z3isjQY0R%^%p7o+SMpMkRIsbHH8Xs!DkN5%u3ox~~zF5GfI!A3$)B=np0fN*5wc zp1*WeQ*vekcM;-}ZJPZaP|x>VRiq>NqLgm2o?)ea6|tpe=?~$x^bQrz&BT^flZ+$# zBLwgPad(lJ!ga~9Te=W}vWQVlvOgi&VX{g?L3qY-ew+jkv5}bL18Ve}Wc-o7;lB)= zit%S}Lg-!ttJDlaU55j1+Kh5b1vzma9@(pU;y)piJ<%lQ{t9xVQYM%$botwt^w+oy zzKqIdWq#&%H>Idndpoe#eIc~!D)F%joFCfjJ_o)Uv~+l{I|1WHO&;0n&Ov&8IR)-M zyl=1jNl3SA>CwIJRq$+SSI76dD?xT^>B!!u=6aZ+&_^Fs-2VjYb809qG;-dK=pJD- zYcl8#L+dLpdG-mmR-e;2|wE!^%t4;})w)B@MxZuh@Hwo1$Tz%#0ZyL$P8 zk}E5gRdm%a#RJ!6iY~30!yrmYgptD!y3ZuEvaS`vz%H9j))mSa{j9YXl!3FLdP1+f9(q?{nlZyLy6VZYVgageK^&D=$T+I# z*;`#_EUd1taL=DNzs{IhR*UC&4MKoctq#hAZn{7k%&a%u)fE-0a`IR|5eqs`HcJP# zvXQEuHJL?Cojti#s!en9Oyr81K%oTYepNPj?sP&75VIf`drF1i+-v*n!M14FIQO4~_?L{1C^lakz~6uA1^?zzjNxkBL_TD|aPM zCG~V_!pUr=(*2qAzghdFS?BIT-KKllF>}sS<|5akdUICH^t@u0XU*Ej z&GUv$GiILWYHlzqW9Hn45!rVjdYoi4cADmXII4WYG_Eyk7e8js_&4($*U|>l^R6^^ zomX#~yI@fHxM|$rnvG0aRw@>=Y;4WgXki0M#2T>E`K=@2KH4vmjP9~%J;2JyeIhuK zex@&#wtKQM+OyQfVLdwxqB!!Gdril<8wJ);k~w#|miK4n$@3 zgfiI0LZVZnXF@xps)eMFeL@!Y{p^5Wimy#r{fL6M0demMxyobZmw05C zif{r8N6B6bji=_uWj7SWB-=QUj_y=Lfr6!~FaQc2W$_(S8c{&HwrgD{0+0>Ohq+gEQfZV8CSN_+Rh1o3$&`DcR9^C3l)$E@{LU)5eTuA9hsl7Hk-Rio z`cnPTmT(ALp5oz9OGhf4?Z^6Dre#w)_4`rVyKzg4{En-|?hE_+=!-7j`nD}wx>~kk zwa*_GzpK4y$!5~DRkEcw9B#p-W-V#g8zy^`*_PJ!mUuFp$YM-LMNNEGu_tb4{u?SS zv>$S^BIP?0jrse8lmQ~$*|05#gQOzyl;UEvDF)&N^7#dKXYB5JC+F0n_fZ26h)*zg zpyHKhJmLVS(x>-T7k1j6uG5Mdcs1W!xM>Q!%QT;VF90b^7tRLu>n#c>n&P9f4TmA- z2!8*UOq{-ogX-nqADDjth#_X@_oFfYAs|!5KV7^2O8S{4jxS&j6L2a&Pe}c_!udW- z4^LV}J?522{`4v^Lp0`pS6~4>XdNk&BI>BA_%vPgN{z{@Ml88lM|k=k4ZjTPr#4Cuf_OW9GKt{cE9#Bs>lBYEXIU+ 
zs`fU3Pky`sR#ea{_3J+KK0+_UQ~6m6ejV~ttNmbhD$D9=^y$@lDnEVX2YGY$yA8fq z`z!>1IE|nC!EY{9)c6ym@4~Nsj^Ayb0e{NgS4Ot=+t8eW%sAp~J!^+>RSItXki-2F94W zS)D;G4R&l6*467au3ojy+PHS@md>r#)>W(5by{-16ySZpa?7uCPjOy~y}_TiA6QLS z^4ii@R6YKwod{|2Hs`!%J3UY^Gs-i_ly^r@Vj|C&PN*%%@Hct?u@%XrtiDh(LVJ^G zCSl{d7mKD0Q%{f79_q>dY2u-`T2B^OJ(-NISMRf?ZP}A_CZ<@_oRB?9sJ32DVp$fp zQ**!3KI%wMx@D@S;80UTB7ry|}P78BfMijE8!9FlA;6|GENMP)5in zqr}E=Nl$S*`X94sJp#9Q%r#VT{y!I9kI-VN%Q!*$ZG?WJW&7#=ZwcvA;rqCvgjfQk z(BAp~OU`FS4f*-TY?@aU+J9Zo>lhBO;xzWxJM4L0$k6*+?4yu>fHeqizgGvyaFMpB z7^yhhPm39}M#J{Jj>GVI>KqiZBb4pwrw%H+a8Q%kp4WvKzC%g{MZ3#$_5!0d7PjYg z6^8u0=lJt_+5`Q%Mr$_A=XD!~0j=kZU$ezGfl$iWp4X8Wp4N(7zq9=hYWvk%kJqIb zdUb=z9=}w5CV$@pk5o!=$imNY4SBte#m@2f7Z4QMd$k?IQ*5ZA!@YRaVSidHFl2pp z!!$$MYF1c3CLOA1II2koY{&2<1cmlI&tq6?vZaD-$J`ek_B@Yfh?&u(;>_Pqv_1E~ z@M?7pk7<$t_dnA=2SV|)J->%Ayowbybk;xaupjd(MTS4pb_|^LzY76=&Xw07>F_!) z|Gy%qKGO{8y{D$Yp5FueeB^CnyeevfX8Q^>p2n`e?d9Lk`2SBi|IZZLaXw6i|aK5fz ztLLR`zc9~H2*pZ;;UaCXxD)3U+M&}g+p*>q)7bZG!&$7#Q28v8phS2fU@P+@V9 z;<{<<>#k5%v?5nn9Hh8O+dJEN>r!R4jypy>VS9#s)7YQ5QW> +#include +#include + +// On définit ici la variable globale "variables" qui sera utilisée par build_multipart_body. +// On suppose qu'elle contient des paires clé=valeur séparées par '&'. +// Pour ce test, on utilise par exemple : +char *variables = "username=testuser&password=testpass"; + +// La fonction build_multipart_body construit le corps d'une requête multipart/form-data +// à partir de la chaîne globale "variables" et du boundary fourni. 
+char *build_multipart_body(char *multipart_boundary) { + if (!variables) + return NULL; // Pas de paramètres à traiter + + char *body = NULL; // Chaîne résultat + size_t body_size = 0; // Taille actuelle du corps + + // Dupliquer la chaîne "variables" afin de pouvoir la tokeniser (strtok modifie la chaîne) + char *vars_dup = strdup(variables); + if (!vars_dup) + return NULL; + + // Tokeniser la chaîne sur le caractère '&' + char *pair = strtok(vars_dup, "&"); + while (pair != NULL) { + // Pour chaque paire, rechercher le séparateur '=' + char *equal_sign = strchr(pair, '='); + if (!equal_sign) { + pair = strtok(NULL, "&"); + continue; + } + *equal_sign = '\0'; // Terminer la clé + char *key = pair; + char *value = equal_sign + 1; + + // Construire la section multipart pour ce champ. + // Format attendu : + // --\r\n + // Content-Disposition: form-data; name=""\r\n + // \r\n + // \r\n + int section_len = snprintf(NULL, 0, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + char *section = malloc(section_len + 1); + if (!section) { + free(body); + free(vars_dup); + return NULL; + } + snprintf(section, section_len + 1, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + // Réallouer le buffer "body" pour y ajouter cette section + size_t new_body_size = body_size + section_len; + char *new_body = realloc(body, new_body_size + 1); // +1 pour le '\0' + if (!new_body) { + free(section); + free(body); + free(vars_dup); + return NULL; + } + body = new_body; + if (body_size == 0) + strcpy(body, section); + else + strcat(body, section); + body_size = new_body_size; + free(section); + + // Passage à la paire suivante + pair = strtok(NULL, "&"); + } + free(vars_dup); + + // Ajouter la fermeture du multipart : + // ----\r\n + int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); + char *closing = malloc(closing_len + 
1); + if (!closing) { + free(body); + return NULL; + } + snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary); + + size_t final_size = body_size + closing_len; + char *final_body = realloc(body, final_size + 1); + if (!final_body) { + free(closing); + free(body); + return NULL; + } + body = final_body; + strcat(body, closing); + free(closing); + + return body; +} + +int main(void) { + // Définir un boundary pour le test + char boundary[] = "----THC-HydraBoundaryz2Z2z"; + // Appeler la fonction build_multipart_body + char *multipart_body = build_multipart_body(boundary); + if (multipart_body == NULL) { + fprintf(stderr, "Error building multipart body.\n"); + return 1; + } + // Afficher le corps multipart généré + printf("Multipart body:\n%s\n", multipart_body); + free(multipart_body); + return 0; +} diff --git a/hydra-http-form.c b/hydra-http-form.c index 6d05abb..a39330b 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
@@ -543,36 +543,102 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { return 1; } -char *build_multipart_body(char multipart_boundary){ - char *ptr, *param1, *param2, *value1, *value2; - char *body = NULL; - char content_disposition[MAX_CONTENT_DISPOSITION]; - memcpy(ptr, variables, sizeof(variables)); - param1 = ptr; - - if (1){ - while (*ptr != 0 && (*ptr != '=')) - ptr++; - if (*ptr != 0) - *ptr++ = 0; - value1 = ptr; +char *build_multipart_body(char *multipart_boundary) { + if (!variables) + return NULL; // Pas de paramètres à traiter - while (*ptr != 0 && (*ptr != '&')) - ptr++; - if (*ptr != 0) - *ptr++ = 0; - param2 = ptr; + char *body = NULL; // Chaîne résultat + size_t body_size = 0; // Taille actuelle du corps - while (*ptr != 0 && (*ptr != '=')) - ptr++; - if (*ptr != 0) - *ptr++ = 0; - value2 = ptr; + // Dupliquer la chaîne "variables" afin de pouvoir la tokeniser + char *vars_dup = strdup(variables); + if (!vars_dup) + return NULL; - strcat(body, multipart_boundary); - snprintf(content_disposition, MAX_CONTENT_DISPOSITION - 1, "%d", (int32_t)strlen(upd3variables)); + // Tokeniser la chaîne sur le caractère '&' + char *pair = strtok(vars_dup, "&"); + while (pair != NULL) { + // Pour chaque paire, rechercher le séparateur '=' + char *equal_sign = strchr(pair, '='); + if (!equal_sign) { + pair = strtok(NULL, "&"); + continue; + } + *equal_sign = '\0'; // Terminer la clé + char *key = pair; + char *value = equal_sign + 1; - } + // Construire la section multipart pour ce champ. 
+ // Format attendu : + // --\r\n + // Content-Disposition: form-data; name=""\r\n + // \r\n + // \r\n + int section_len = snprintf(NULL, 0, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + char *section = malloc(section_len + 1); + if (!section) { + free(body); + free(vars_dup); + return NULL; + } + snprintf(section, section_len + 1, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + // Réallouer le buffer "body" pour y ajouter cette section + size_t new_body_size = body_size + section_len; + char *new_body = realloc(body, new_body_size + 1); // +1 pour le '\0' + if (!new_body) { + free(section); + free(body); + free(vars_dup); + return NULL; + } + body = new_body; + if (body_size == 0) { + strcpy(body, section); + } else { + strcat(body, section); + } + body_size = new_body_size; + free(section); + + // Passage à la paire suivante + pair = strtok(NULL, "&"); + } + free(vars_dup); + + // Ajouter la fermeture du multipart : + // ----\r\n + int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); + char *closing = malloc(closing_len + 1); + if (!closing) { + free(body); + return NULL; + } + snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary); + + size_t final_size = body_size + closing_len; + char *final_body = realloc(body, final_size + 1); + if (!final_body) { + free(closing); + free(body); + return NULL; + } + body = final_body; + strcat(body, closing); + free(closing); + + return body; } char *prepare_http_request(char *type, char *path, char *params, char *headers) { 
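Review bot: `build_multipart_body` tokenises the global `variables`, which judging by `start_http_form` is the raw form template, whereas the `^USER^`/`^PASS^`/`^USER64^`/`^PASS64^` substitutions are applied to `upd3variables`; unless `variables` is rewritten elsewhere, every multipart request therefore carries the literal placeholders and never the login/password under test. Pass the substituted string in, `char *build_multipart_body(char *vars, char *multipart_boundary)` with `char *vars_dup = strdup(vars);`, and call it as `build_multipart_body(upd3variables, multipart_boundary)`. Two smaller points: `strtok` keeps static state, so `strtok_r` (or `strsep`) is the safer choice, and the field name is interpolated into `name=\"%s\"` unescaped, so a `"` or CR/LF in the template breaks the part header. The comments are in French while the rest of the file is in English; please translate them.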
@@ -775,7 +841,9 @@ void hydra_reconnect(int32_t s, char *ip, int32_t port, unsigned char options, c } } -int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char *type, ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) { +int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, + char *miscptr, FILE *fp, char *hostname, char *type, + ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) { char *empty = ""; char *login, *pass, clogin[256], cpass[256], b64login[345], b64pass[345]; char header[8096], *upd3variables; @@ -785,12 +853,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options char content_length[MAX_CONTENT_LENGTH], proxy_string[MAX_PROXY_LENGTH]; memset(header, 0, sizeof(header)); - cookie[0] = 0; // reset cookies from potential previous attempt + cookie[0] = 0; // Réinitialiser les cookies d'une tentative antérieure if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; - // Take the next login/pass pair + /* Récupération du prochain login/mot de passe */ if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) 
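Review bot: The second hunk replaces English comments (`// reset cookies from potential previous attempt`, `// Take the next login/pass pair`) with French ones and the first reflows the `start_http_form` signature across three lines; the project's comments are English and the file follows one formatter, so this churn should be reverted or at least written in English, e.g. `// reset cookies from a previous attempt` and `/* fetch the next login/password pair */`. Comment-only rewrites of untouched code also make the multipart change harder to review. `start_http_form` continues outside both hunks.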
@@ -808,14 +876,15 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); - // Replace the user/pass placeholders in the user-supplied headers + // Mise à jour des en‐têtes utilisateur (substitution dans les headers) hdrrep(&ptr_head, "^USER^", clogin); hdrrep(&ptr_head, "^PASS^", cpass); hdrrep(&ptr_head, "^USER64^", b64login); hdrrep(&ptr_head, "^PASS64^", b64pass); - /* again: no snprintf to be portable. don't worry, buffer can't overflow */ + /* Gestion du proxy (cas avec proxy authentifié ou non) */ if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { + /* --- Bloc pour proxy avec authentification --- */ if (getcookie) { memset(proxy_string, 0, sizeof(proxy_string)); snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); 
@@ -824,12 +893,75 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); if (hydra_send(s, http_request, strlen(http_request), 0) < 0) return 1; - i = analyze_server_response(s); // ignore result + i = analyze_server_response(s); + if (strlen(cookie) > 0) + process_cookies(&ptr_cookie, cookie); + hydra_reconnect(s, ip, port, options, hostname); + } + if (strcmp(type, "POST") == 0) { + memset(proxy_string, 0, sizeof(proxy_string)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } + } else { + /* Cas GET avec proxy authentifié */ + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", "0"); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = 
stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } + } + } else if (use_proxy == 1) { + /* --- Bloc pour proxy sans authentification --- */ + if (getcookie) { + memset(proxy_string, 0, sizeof(proxy_string)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + return 1; + i = analyze_server_response(s); if (strlen(cookie) > 0) process_cookies(&ptr_cookie, cookie); hydra_reconnect(s, ip, port, options, hostname); } - // now prepare for the "real" request if (strcmp(type, "POST") == 0) { memset(proxy_string, 0, sizeof(proxy_string)); snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); 
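Review bot: Each new `if (hydra_send(...) < 0) { free(cookie_header); return 1; }` in this hunk leaves `cookie_header` dangling after the return. If `cookie_header` is the file-scope pointer (its declaration is outside this hunk), the next attempt's `if (cookie_header != NULL) free(cookie_header);` frees it a second time. Add `cookie_header = NULL;` after each of these frees; the same pattern is copied into the `@@ -998` hunk further down. The Content-Length/Cookie header setup is now repeated verbatim in four places in this hunk alone, so a small static helper taking `&ptr_head` and `ptr_cookie` would keep the copies from drifting apart. start_http_form continues outside the hunk on both sides.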
@@ -879,91 +1011,34 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options } } } else { - if (use_proxy == 1) { - // proxy without authentication - if (getcookie) { - // doing a GET to get cookies - memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) - return 1; - i = analyze_server_response(s); // ignore result - if (strlen(cookie) > 0) - process_cookies(&ptr_cookie, cookie); - hydra_reconnect(s, ip, port, options, hostname); - } - // now prepare for the "real" request - if (strcmp(type, "POST") == 0) { - memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); + /* --- Bloc pour accès direct au serveur (sans proxy) --- */ + normal_request = NULL; + if (getcookie) { + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", cookieurl, NULL, cookie_request); + if (hydra_send(s, http_request, 
strlen(http_request), 0) < 0) + return 1; + i = analyze_server_response(s); + if (strlen(cookie) > 0) { + process_cookies(&ptr_cookie, cookie); if (normal_request != NULL) free(normal_request); normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } - } else { - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", "0"); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } } - } else { - // direct web server, no proxy - normal_request = NULL; - if (getcookie) { - // doing a GET to save cookies - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", cookieurl, NULL, cookie_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) - return 1; - i = analyze_server_response(s); // ignore result - if (strlen(cookie) > 0) { - // printf("[DEBUG] Got cookie: %s\n", cookie); - process_cookies(&ptr_cookie, cookie); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - } - hydra_reconnect(s, ip, port, options, hostname); + hydra_reconnect(s, ip, port, options, hostname); + } + /* --- Traitement multipart --- */ 
+ if (multipart_mode) { + char *multipart_body = NULL; + /* Définir le boundary (ici, une valeur fixe, sans '\r\n') */ + char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z"; + multipart_body = build_multipart_body(multipart_boundary); + if (multipart_body == NULL) { + hydra_report(stderr, "[ERROR] Failed to build multipart body.\n"); + return 0; } +<<<<<<< Updated upstream // now prepare for the "real" request // first handle multipart/form-data, which is always POST if (multipart_mode){ 
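Review bot: A merge-conflict marker `<<<<<<< Updated upstream` is committed as a code line at the end of this hunk, and its `=======` / `>>>>>>> Stashed changes` counterparts land in the next hunk (`@@ -998`), so the file cannot compile in this state. The marker also opens a second `if (multipart_mode){` block directly after the new `if (multipart_mode) {` one, leaving two competing copies of the multipart request path; resolve the conflict to a single copy. Separately, `return 0;` after the build_multipart_body failure hands the driver loop a run code it has no case for (the `service_http_form` switch removed further down reports unknown codes as "Caught unknown return code"), so if that loop is kept, return one of its handled codes, e.g. `return 4;` for the silent error exit. start_http_form continues outside the hunk.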
@@ -998,55 +1073,84 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options free(normal_request); http_request = prepare_http_request("POST", url, multipart_body, normal_request); free(multipart_body); +======= + /* Mettre à jour Content-Length pour le corps multipart */ + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + + /* Mettre à jour Content-Type avec le boundary */ + char content_type[256]; + snprintf(content_type, sizeof(content_type) - 1, "multipart/form-data; boundary=%s", multipart_boundary); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Content-Type", content_type); + + /* Mettre à jour l'en-tête Cookie */ + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + + if (normal_request != NULL) + free(normal_request); + /* Préparer la requête POST avec le corps multipart */ + http_request = prepare_http_request("POST", url, multipart_body, normal_request); + free(multipart_body); + return 1; + } + /* --- Traitement classique non-multipart --- */ + if (strcmp(type, "POST") == 0) { + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + if (!header_exists(&ptr_head, 
"Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("POST", url, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); +>>>>>>> Stashed changes return 1; } - - // for "normal" non-multipart POST forms - if (strcmp(type, "POST") == 0) { - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("POST", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } - } else { - if 
(header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", "0"); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } + } else { + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", "0"); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", url, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; } } } 
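Review bot: In the `Stashed changes` side of this hunk, `normal_request` is freed and then passed straight to `prepare_http_request("POST", url, multipart_body, normal_request)` without being rebuilt by `stringify_headers(&ptr_head)`, so the multipart request is assembled from a freed buffer. The block then does `return 1;` before any `hydra_send`, so the request is never sent and `http_request` is simply discarded. Once the conflict markers are resolved, the kept branch should re-stringify the headers, send the request and fall through to the response handling instead of returning. The `free(cookie_header); return 1;` paths here also leave the pointer dangling, as noted on the `@@ -824` hunk. start_http_form continues outside the hunk.
```c
      /* … unchanged: Content-Length, Content-Type and Cookie header setup … */
      if (normal_request != NULL)
        free(normal_request);
      normal_request = stringify_headers(&ptr_head);
      if (http_request != NULL)
        free(http_request);
      http_request = prepare_http_request("POST", url, multipart_body, normal_request);
      free(multipart_body);
      if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
        free(cookie_header);
        cookie_header = NULL;
        return 1;
      }
      /* fall through to analyze_server_response() instead of returning here */
```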
@@ -1056,12 +1160,11 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options found = analyze_server_response(s); - if (redirected_flag && code_302_is_success) { + if (redirected_flag && code_302_is_success) found = success_cond; - } - if (auth_flag) { // we received a 401 error - user may be using wrong module - if (code_401_is_failure) { // apparently they don't think so -- treat 401 as failure + if (auth_flag) { // 401 error + if (code_401_is_failure) { hydra_completed_pair(); return 1; } else { 
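Review bot: The braces around `found = success_cond;` are dropped and the comment explaining why a 401 is treated as failure ("user may be using wrong module") is reduced to `// 401 error`, which loses the reasoning without changing behaviour. Keep the single-statement body braced and keep the why-comment, e.g. `if (auth_flag) { // 401 received: the user is probably using the wrong module`. start_http_form continues outside the hunk.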
@@ -1076,159 +1179,20 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (strlen(cookie) > 0) process_cookies(&ptr_cookie, cookie); - // if page was redirected, follow the location header + // Gérer les redirections redirected_cpt = MAX_REDIRECT; if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff); - while (found == 0 && redirected_flag && !code_302_is_success && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { - // we have to split the location - char *startloc, *endloc; - char str[2048], str2[2048], str3[2048], str4[2048]; - - redirected_cpt--; - redirected_flag = 0; - // check if the redirect page contains the fail/success condition -#ifdef HAVE_PCRE - if (hydra_string_match(redirected_url_buff, cond) == 1) { -#else - if (strstr(redirected_url_buff, cond) != NULL) { -#endif - found = success_cond; - } else { - // location could be either absolute http(s):// or / something - // or relative - startloc = strstr(redirected_url_buff, "://"); - if (startloc != NULL) { - startloc += strlen("://"); - - if ((endloc = strchr(startloc, '\r')) != NULL) { - *endloc = 0; - } - if ((endloc = strchr(startloc, '\n')) != NULL) { - *endloc = 0; - } - strncpy(str, startloc, sizeof(str) - 1); - str[sizeof(str) - 1] = 0; - - endloc = strchr(str, '/'); - if (endloc != NULL) { - strncpy(str2, str, endloc - str); - str2[endloc - str] = 0; - } else { - strcpy(str2, str); - } - - if (strlen(str) - strlen(str2) == 0) { - strcpy(str3, "/"); - } else { - strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2)); - str3[strlen(str) - strlen(str2)] = 0; - } - } else { - strncpy(str2, webtarget, sizeof(str2) - 1); - str2[sizeof(str2) - 1] = 0; - if (redirected_url_buff[0] != '/') { - // it's a relative path, so we have to concatenate it - // with the path from the first url given - char *urlpath; - char urlpath_extracted[2048]; - - memset(urlpath_extracted, 0, 
sizeof(urlpath_extracted)); - - urlpath = strrchr(url, '/'); - if (urlpath != NULL) { - strncpy(urlpath_extracted, url, urlpath - url); - sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff); - } else { - sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff); - } - } else { - strncpy(str3, redirected_url_buff, sizeof(str3) - 1); - str3[sizeof(str3) - 1] = 0; - } - if (debug) - hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3, url); - } - if (str3[0] != '/') { - j = strlen(str3); - str3[j + 1] = 0; - for (i = j; i > 0; i--) - str3[i] = str3[i - 1]; - str3[0] = '/'; - } - - if (strrchr(str2, ':') == NULL && (port != 80 || port != 443)) { - sprintf(str4, "%.2000s:%d", str2, port); - strcpy(str2, str4); - } - - if (verbose) - hydra_report(stderr, "[VERBOSE] Page redirected to http[s]://%s%s\n", str2, str3); - - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", "0"); - - // re-use the above code to set cookies - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - - // re-use the code above to check for proxy use - if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { - // proxy with authentication - hdrrepv(&ptr_head, "Host", str2); - memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", proxy_string, NULL, normal_request); - } else { - if (use_proxy == 1) { - // proxy without authentication - hdrrepv(&ptr_head, "Host", str2); - 
memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", proxy_string, NULL, normal_request); - } else { - // direct web server, no proxy - hdrrepv(&ptr_head, "Host", str2); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", str3, NULL, normal_request); - } - } - - hydra_reconnect(s, ip, port, options, hostname); - - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } - - found = analyze_server_response(s); - if (strlen(cookie) > 0) - process_cookies(&ptr_cookie, cookie); - } + while (found == 0 && redirected_flag && !code_302_is_success && + (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { + // Traitement de la redirection (code non modifié ici) + // ... } - // if the last status is still 3xx, set it as a false - if (found != -1 && found == success_cond && ((redirected_flag && code_302_is_success) || redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) { + if (found != -1 && found == success_cond && + ((redirected_flag && code_302_is_success) || redirected_flag == 0 || success_cond == 1) && + redirected_cpt >= 0) { hydra_report_found_host(port, ip, "www-form", fp); hydra_completed_pair_found(); } else { 
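Review bot: The `while (found == 0 && redirected_flag && !code_302_is_success && (redirected_url_buff[0] != 0) && (redirected_cpt > 0))` loop now has an empty body (`// ... code non modifié ici`), but the removed body was what decremented `redirected_cpt`, cleared `redirected_flag` and followed the Location header; with a 3xx response and no condition match, nothing in the loop condition ever changes, so the worker spins forever and redirects are no longer followed at all. Either restore the removed redirect-following code or, if dropping it is intentional, remove the loop and treat a redirect as a non-match explicitly; at minimum the body needs `redirected_cpt--; redirected_flag = 0;` so that it terminates. start_http_form continues outside the hunk.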
@@ -1238,83 +1202,6 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options return 1; } -void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char *type, ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie) { - int32_t run = 1, next_run = 1, sock = -1; - int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; - - // register our socket descriptor - hydra_register_socket(sp); - - /* - * Iterate through the runs. Possible values are the following: - * - 1 -> Open connection to remote server. - * - 2 -> Run password attempts. - * - 3 -> Disconnect and end with success. - * - 4 -> Disconnect and end with error. - */ - - while (1) { - if (run == 2) { - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { - hydra_child_exit(1); - } - } - switch (run) { - case 1: /* connect and service init function */ - { - if (sock >= 0) - sock = hydra_disconnect(sock); - if ((options & OPTION_SSL) == 0) { - if (port != 0) - myport = port; - sock = hydra_connect_tcp(ip, myport); - port = myport; - } else { - if (port != 0) - mysslport = port; - sock = hydra_connect_ssl(ip, mysslport, hostname); - port = mysslport; - } - if (sock < 0) { - hydra_report(stderr, "[ERROR] Child with pid %d terminating, cannot connect\n", (int32_t)getpid()); - hydra_child_exit(1); - } - next_run = 2; - break; - } - case 2: /* run the cracking function */ - next_run = start_http_form(sock, ip, port, options, miscptr, fp, hostname, type, *ptr_head, *ptr_cookie); - break; - case 3: /* clean exit */ - if (sock >= 0) - sock = hydra_disconnect(sock); - hydra_child_exit(0); - break; - case 4: /* silent error exit */ - if (sock >= 0) - sock = hydra_disconnect(sock); - hydra_child_exit(1); - break; - default: - hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); - hydra_child_exit(0); - } - run = next_run; - } -} - -void service_http_get_form(char *ip, int32_t sp, unsigned char 
options, char *miscptr, FILE *fp, int32_t port, char *hostname) { - ptr_cookie_node ptr_cookie = NULL; - ptr_header_node ptr_head = initialize(ip, options, miscptr); - - if (ptr_head) - service_http_form(ip, sp, options, miscptr, fp, port, hostname, "GET", &ptr_head, &ptr_cookie); - else { - hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); - hydra_child_exit(2); - } -} - void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { ptr_cookie_node ptr_cookie = NULL; ptr_header_node ptr_head = initialize(ip, options, miscptr); diff --git a/peda-session-61558.txt b/peda-session-61558.txt new file mode 100644 index 0000000..e50613c --- /dev/null +++ b/peda-session-61558.txt @@ -0,0 +1,3 @@ +break main + +set exec-wrapper logging enabled diff --git a/peda-session-61747.txt b/peda-session-61747.txt new file mode 100644 index 0000000..e50613c --- /dev/null +++ b/peda-session-61747.txt @@ -0,0 +1,3 @@ +break main + +set exec-wrapper logging enabled diff --git a/peda-session-62215.txt b/peda-session-62215.txt new file mode 100644 index 0000000..e50613c --- /dev/null +++ b/peda-session-62215.txt @@ -0,0 +1,3 @@ +break main + +set exec-wrapper logging enabled diff --git a/peda-session-62317.txt b/peda-session-62317.txt new file mode 100644 index 0000000..e50613c --- /dev/null +++ b/peda-session-62317.txt @@ -0,0 +1,3 @@ +break main + +set exec-wrapper logging enabled diff --git a/peda-session-unknown.txt b/peda-session-unknown.txt new file mode 100644 index 0000000..ddb86e5 --- /dev/null +++ b/peda-session-unknown.txt @@ -0,0 +1,8 @@ + +set exec-wrapper logging enabled + +set exec-wrapper logging enabled + +set exec-wrapper logging enabled + +set exec-wrapper logging enabled From 5e01d0d4e5a998cc290dc467f176874f4622115c Mon Sep 17 00:00:00 2001 
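Review bot: This hunk deletes the definitions of `service_http_form` and `service_http_get_form` while keeping `service_http_post_form`, whose body (cut off at the hunk edge) presumably still dispatches to `service_http_form`, and `service_http_get_form` is the entry point hydra's service table calls for http-get-form (not shown in this diff), so the build should fail to link unless both are re-added elsewhere. If the intent was to move them, the move belongs in the same commit so every revision builds. The `peda-session-*.txt` files added below are GDB/PEDA debugger session state and should be dropped from the commit (and ignored) rather than tracked.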
From: Imane Khouani Date: Thu, 6 Feb 2025 17:38:59 +0100 Subject: [PATCH 48/79] build multipart function completed --- hydra-http-form.c | 58 ----------------------------------------------- 1 file changed, 58 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index a39330b..f479369 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -1038,7 +1038,6 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options hydra_report(stderr, "[ERROR] Failed to build multipart body.\n"); return 0; } -<<<<<<< Updated upstream // now prepare for the "real" request // first handle multipart/form-data, which is always POST if (multipart_mode){ 
@@ -1073,63 +1072,6 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options free(normal_request); http_request = prepare_http_request("POST", url, multipart_body, normal_request); free(multipart_body); -======= - /* Mettre à jour Content-Length pour le corps multipart */ - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - - /* Mettre à jour Content-Type avec le boundary */ - char content_type[256]; - snprintf(content_type, sizeof(content_type) - 1, "multipart/form-data; boundary=%s", multipart_boundary); - if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Content-Type", content_type); - - /* Mettre à jour l'en-tête Cookie */ - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - - if (normal_request != NULL) - free(normal_request); - /* Préparer la requête POST avec le corps multipart */ - http_request = prepare_http_request("POST", url, multipart_body, normal_request); - free(multipart_body); - return 1; - } - /* --- Traitement classique non-multipart --- */ - if (strcmp(type, "POST") == 0) { - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - if (!header_exists(&ptr_head, 
"Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("POST", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); ->>>>>>> Stashed changes return 1; } } else { From 6cca92477e76eb4ca526c06e6b27b1bdf078dcd5 Mon Sep 17 00:00:00 2001 From: Imane Khouani Date: Thu, 6 Feb 2025 17:48:39 +0100 Subject: [PATCH 49/79] no comments --- hydra-http-form.c | 152 ++++++++++++++++++++++++++-------------------- 1 file changed, 87 insertions(+), 65 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index f479369..02be7da 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -85,6 +85,11 @@ int32_t redirected_cpt = MAX_REDIRECT; char *cookie_request = NULL, *normal_request = NULL; // Buffers for HTTP headers + +void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, + FILE *fp, int32_t port, char *hostname, char *type, + ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie); + /* * Function to perform some initial setup. */ @@ -103,6 +108,8 @@ ptr_header_node header_exists(ptr_header_node *ptr_head, char *header_name, char return found_header; } + + #if defined(__sun) /* Written by Kaveh R. Ghazi */ 
@@ -545,31 +552,31 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { char *build_multipart_body(char *multipart_boundary) { if (!variables) - return NULL; // Pas de paramètres à traiter + return NULL; - char *body = NULL; // Chaîne résultat - size_t body_size = 0; // Taille actuelle du corps + char *body = NULL; + size_t body_size = 0; - // Dupliquer la chaîne "variables" afin de pouvoir la tokeniser + // Duplicate "variables" for tokenizing char *vars_dup = strdup(variables); if (!vars_dup) return NULL; - // Tokeniser la chaîne sur le caractère '&' + // Tokenize the string using '&' as a delimiter char *pair = strtok(vars_dup, "&"); while (pair != NULL) { - // Pour chaque paire, rechercher le séparateur '=' + // Find the '=' separator in each pair char *equal_sign = strchr(pair, '='); if (!equal_sign) { pair = strtok(NULL, "&"); continue; } - *equal_sign = '\0'; // Terminer la clé + *equal_sign = '\0'; char *key = pair; char *value = equal_sign + 1; - // Construire la section multipart pour ce champ. - // Format attendu : + // Build the multipart section for the field + // Expected format: // --\r\n // Content-Disposition: form-data; name=""\r\n // \r\n @@ -594,9 +601,9 @@ char *build_multipart_body(char *multipart_boundary) { "%s\r\n", multipart_boundary, key, value); - // Réallouer le buffer "body" pour y ajouter cette section + // Reallocate the body buffer to add this section size_t new_body_size = body_size + section_len; - char *new_body = realloc(body, new_body_size + 1); // +1 pour le '\0' + char *new_body = realloc(body, new_body_size + 1); // +1 for null terminator if (!new_body) { free(section); free(body); 
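Review bot: `build_multipart_body` tokenizes `strdup(variables)`, the raw option string, whereas the `^USER^`/`^PASS^`/`^USER64^`/`^PASS64^` substitution in start_http_form is applied to `upd3variables`; unless hydra_strrep rewrites `variables` in place (not visible here), a multipart request carries the literal placeholders instead of the current login/password. Pass the substituted string in explicitly, e.g. `char *build_multipart_body(char *multipart_boundary, const char *form_vars)` with `strdup(form_vars)` inside and `upd3variables` at the call site. The function's tail is in the following hunks.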
@@ -604,21 +611,18 @@ char *build_multipart_body(char *multipart_boundary) { return NULL; } body = new_body; - if (body_size == 0) { + if (body_size == 0) strcpy(body, section); - } else { + else strcat(body, section); - } body_size = new_body_size; free(section); - // Passage à la paire suivante pair = strtok(NULL, "&"); } free(vars_dup); - // Ajouter la fermeture du multipart : - // ----\r\n + // Append the closing boundary: ----\r\n int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); char *closing = malloc(closing_len + 1); if (!closing) { @@ -853,12 +857,11 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options char content_length[MAX_CONTENT_LENGTH], proxy_string[MAX_PROXY_LENGTH]; memset(header, 0, sizeof(header)); - cookie[0] = 0; // Réinitialiser les cookies d'une tentative antérieure + cookie[0] = 0; if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; - /* Récupération du prochain login/mot de passe */ if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) @@ -876,15 +879,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); - // Mise à jour des en‐têtes utilisateur (substitution dans les headers) hdrrep(&ptr_head, "^USER^", clogin); hdrrep(&ptr_head, "^PASS^", cpass); hdrrep(&ptr_head, "^USER64^", b64login); hdrrep(&ptr_head, "^PASS64^", b64pass); - /* Gestion du proxy (cas avec proxy authentifié ou non) */ if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { - /* --- Bloc pour proxy avec authentification --- */ if (getcookie) { memset(proxy_string, 0, sizeof(proxy_string)); snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); 
@@ -926,7 +926,6 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 return 1;
 }
 } else {
- /* Cas GET avec proxy authentifié */
 if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
 hdrrepv(&ptr_head, "Content-Length", "0");
 if (cookie_header != NULL)
@@ -948,7 +947,6 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 }
 }
 } else if (use_proxy == 1) {
- /* --- Bloc pour proxy sans authentification --- */
 if (getcookie) {
 memset(proxy_string, 0, sizeof(proxy_string));
 snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl);
@@ -1011,7 +1009,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 }
 }
 } else {
- /* --- Bloc pour accès direct au serveur (sans proxy) --- */
+ /* Direct access to the server (no proxy) */
 normal_request = NULL;
 if (getcookie) {
 if (http_request != NULL)
@@ -1028,50 +1026,64 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options } hydra_reconnect(s, ip, port, options, hostname); } - /* --- Traitement multipart --- */ if (multipart_mode) { char *multipart_body = NULL; - /* Définir le boundary (ici, une valeur fixe, sans '\r\n') */ char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z"; multipart_body = build_multipart_body(multipart_boundary); if (multipart_body == NULL) { hydra_report(stderr, "[ERROR] Failed to build multipart body.\n"); return 0; } - // now prepare for the "real" request - // first handle multipart/form-data, which is always POST - if (multipart_mode){ - char *multipart_body = NULL; - char multipart_boundary[32] = "----THC-HydraBoundaryz2Z2z\r\n"; - multipart_body = build_multipart_body(multipart_boundary); - if (multipart_body == NULL) { - hydra_report(stderr, "[ERROR] Failed to build multipart body. \n"); - return 0; - } - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - - char content_type[256]; - snprintf(content_type, sizeof(content_type) - 1, "multipart/for/data; boundary=%s", multipart_boundary); - if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Content-type", content_type); - - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - http_request = prepare_http_request("POST", url, multipart_body, 
normal_request); - free(multipart_body); + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + + char content_type[256]; + snprintf(content_type, sizeof(content_type) - 1, "multipart/form-data; boundary=%s", multipart_boundary); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Content-Type", content_type); + + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + + if (normal_request != NULL) + free(normal_request); + http_request = prepare_http_request("POST", url, multipart_body, normal_request); + free(multipart_body); + return 1; + } + if (strcmp(type, "POST") == 0) { + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + 
free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("POST", url, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); return 1; } } else { @@ -1105,7 +1117,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (redirected_flag && code_302_is_success) found = success_cond; - if (auth_flag) { // 401 error + if (auth_flag) { if (code_401_is_failure) { hydra_completed_pair(); return 1; @@ -1121,15 +1133,13 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (strlen(cookie) > 0) process_cookies(&ptr_cookie, cookie); - // Gérer les redirections redirected_cpt = MAX_REDIRECT; if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff); while (found == 0 && redirected_flag && !code_302_is_success && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { - // Traitement de la redirection (code non modifié ici) - // ... + // Processing redirection (code omitted) } if (found != -1 && found == success_cond && 
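Review bot: In the new multipart block of the `@@ -1028` hunk, `normal_request` is freed on the line directly before it is passed to `prepare_http_request("POST", url, multipart_body, normal_request)`, and nothing rebuilds it with stringify_headers in between, so the request is assembled from a dangling pointer. The block then `return 1`s without ever calling hydra_send, so in multipart mode no attempt reaches the server, and the previous `http_request` allocation is overwritten without being freed. The non-multipart POST path a few lines below shows the intended sequence (stringify_headers, free the old http_request, prepare, hydra_send, then fall through to analyze_server_response) and the multipart branch should follow it rather than return early. The same block is reworked by PATCH 51/79 further down this page; start_http_form begins and ends outside this hunk.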
@@ -1156,6 +1166,18 @@ void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *m } } +void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + ptr_cookie_node ptr_cookie = NULL; + ptr_header_node ptr_head = initialize(ip, options, miscptr); + + if (ptr_head) + service_http_form(ip, sp, options, miscptr, fp, port, hostname, "POST", &ptr_head, &ptr_cookie); + else { + hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); + hydra_child_exit(2); + } +} + int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be From 80a11bb1e06cba6f174b3aba691e9a46b8b1aaa3 Mon Sep 17 00:00:00 2001 From: Imane Khouani Date: Thu, 6 Feb 2025 17:54:26 +0100 Subject: [PATCH 50/79] no comments --- hydra-http-form.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 02be7da..8b105ba 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
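Review bot: The added `service_http_post_form` duplicates a function that already exists above it — the hunk's own header context names `void service_http_post_form(char *ip, int32_t sp, ...)` before line 1156 — so this hunk leaves the file with two definitions of one external symbol, which the compiler rejects. The next patch on this page (PATCH 50/79, "no comments") removes the copy again; squashing the two would keep the series building at every step.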
@@ -1166,18 +1166,6 @@ void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *m } } -void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { - ptr_cookie_node ptr_cookie = NULL; - ptr_header_node ptr_head = initialize(ip, options, miscptr); - - if (ptr_head) - service_http_form(ip, sp, options, miscptr, fp, port, hostname, "POST", &ptr_head, &ptr_cookie); - else { - hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); - hydra_child_exit(2); - } -} - int32_t service_http_form_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be From 65c897da68b0646a713a0d6c3757808c1b2c8e83 Mon Sep 17 00:00:00 2001 From: motypi Date: Fri, 7 Feb 2025 14:27:04 +0100 Subject: [PATCH 51/79] multipart feature finished --- hydra-http-form.c | 742 +++++++++++++++++++++++++++++----------------- 1 file changed, 473 insertions(+), 269 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 8b105ba..1dd9521 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -8,7 +8,7 @@ web-based login forms that require username and password variables via either a GET or POST request. The module works similarly to the HTTP basic auth module and will honour -proxy mode (with authentication) as well as SSL. The module can be invoked +proxy mode (with authenticaion) as well as SSL. The module can be invoked with the service names of "http-get-form", "http-post-form", "https-get-form" and "https-post-form". 
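Review bot: The comment edit in the `@@ -8,7 +8,7 @@` hunk of PATCH 51/79 turns a correctly spelled word into a typo; the line should stay `proxy mode (with authentication) as well as SSL. The module can be invoked`. The other hunk on this line is a pure deletion and needs no review.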
@@ -76,7 +76,6 @@ char bufferurl[6096 + 24], cookieurl[6096 + 24] = "", userheader[6096 + 24] = "" #define MAX_REDIRECT 8 #define MAX_CONTENT_LENGTH 20 -#define MAX_CONTENT_DISPOSITION 200 #define MAX_PROXY_LENGTH 2048 // sizeof(cookieurl) * 2 char redirected_url_buff[2048] = ""; @@ -85,11 +84,6 @@ int32_t redirected_cpt = MAX_REDIRECT; char *cookie_request = NULL, *normal_request = NULL; // Buffers for HTTP headers - -void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, - FILE *fp, int32_t port, char *hostname, char *type, - ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie); - /* * Function to perform some initial setup. */ @@ -108,8 +102,6 @@ ptr_header_node header_exists(ptr_header_node *ptr_head, char *header_name, char return found_header; } - - #if defined(__sun) /* Written by Kaveh R. Ghazi */ @@ -463,8 +455,8 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { else miscptr += strlen(miscptr); break; - case 'm': //fall through - case 'M': + case 'm': // fall through + case 'M': multipart_mode = 1; tmp = strchr(miscptr, ':'); if (tmp) 
@@ -551,100 +543,96 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) { } char *build_multipart_body(char *multipart_boundary) { - if (!variables) - return NULL; + if (!variables) + return NULL; - char *body = NULL; - size_t body_size = 0; + char *body = NULL; + size_t body_size = 0; - // Duplicate "variables" for tokenizing - char *vars_dup = strdup(variables); - if (!vars_dup) - return NULL; + // Duplicate "variables" for tokenizing + char *vars_dup = strdup(variables); + if (!vars_dup) + return NULL; - // Tokenize the string using '&' as a delimiter - char *pair = strtok(vars_dup, "&"); - while (pair != NULL) { - // Find the '=' separator in each pair - char *equal_sign = strchr(pair, '='); - if (!equal_sign) { - pair = strtok(NULL, "&"); - continue; - } - *equal_sign = '\0'; - char *key = pair; - char *value = equal_sign + 1; + // Tokenize the string using '&' as a delimiter + char *pair = strtok(vars_dup, "&"); + while (pair != NULL) { + // Find the '=' separator in each pair + char *equal_sign = strchr(pair, '='); + if (!equal_sign) { + pair = strtok(NULL, "&"); + continue; + } + *equal_sign = '\0'; + char *key = pair; + char *value = equal_sign + 1; - // Build the multipart section for the field - // Expected format: - // --\r\n - // Content-Disposition: form-data; name=""\r\n - // \r\n - // \r\n - int section_len = snprintf(NULL, 0, - "--%s\r\n" - "Content-Disposition: form-data; name=\"%s\"\r\n" - "\r\n" - "%s\r\n", - multipart_boundary, key, value); - - char *section = malloc(section_len + 1); - if (!section) { - free(body); - free(vars_dup); - return NULL; - } - snprintf(section, section_len + 1, - "--%s\r\n" - "Content-Disposition: form-data; name=\"%s\"\r\n" - "\r\n" - "%s\r\n", - multipart_boundary, key, value); + // Build the multipart section for the field + int section_len = snprintf(NULL, 0, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); + + char *section = 
malloc(section_len + 1); + if (!section) { + free(body); + free(vars_dup); + return NULL; + } + snprintf(section, section_len + 1, + "--%s\r\n" + "Content-Disposition: form-data; name=\"%s\"\r\n" + "\r\n" + "%s\r\n", + multipart_boundary, key, value); - // Reallocate the body buffer to add this section - size_t new_body_size = body_size + section_len; - char *new_body = realloc(body, new_body_size + 1); // +1 for null terminator - if (!new_body) { - free(section); - free(body); - free(vars_dup); - return NULL; - } - body = new_body; - if (body_size == 0) - strcpy(body, section); - else - strcat(body, section); - body_size = new_body_size; - free(section); + // Reallocate the body buffer to add this section + size_t new_body_size = body_size + section_len; + char *new_body = realloc(body, new_body_size + 1); // +1 for null terminator + if (!new_body) { + free(section); + free(body); + free(vars_dup); + return NULL; + } + body = new_body; + if (body_size == 0) + strcpy(body, section); + else + strcat(body, section); + body_size = new_body_size; + free(section); - pair = strtok(NULL, "&"); - } - free(vars_dup); + pair = strtok(NULL, "&"); + } + free(vars_dup); - // Append the closing boundary: ----\r\n - int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); - char *closing = malloc(closing_len + 1); - if (!closing) { - free(body); - return NULL; - } - snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary); - - size_t final_size = body_size + closing_len; - char *final_body = realloc(body, final_size + 1); - if (!final_body) { - free(closing); - free(body); - return NULL; - } - body = final_body; - strcat(body, closing); - free(closing); + // Append the closing boundary: ----\r\n + int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); + char *closing = malloc(closing_len + 1); + if (!closing) { + free(body); + return NULL; + } + snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary); + + size_t final_size = 
body_size + closing_len; + char *final_body = realloc(body, final_size + 1); + if (!final_body) { + free(closing); + free(body); + return NULL; + } + body = final_body; + strcat(body, closing); + free(closing); - return body; + return body; } + char *prepare_http_request(char *type, char *path, char *params, char *headers) { uint32_t reqlen = 0; char *http_request = NULL; @@ -785,7 +773,7 @@ int32_t analyze_server_response(int32_t s) { if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) { // yes it is. // if the cookie is not in the beginning of the cookiejar, copy the - // ones before + // ones before if (ptr != cookie && *(ptr - 1) == ' ') { strncpy(tmpcookie, cookie, ptr - cookie - 2); tmpcookie[ptr - cookie - 2] = 0; @@ -845,9 +833,7 @@ void hydra_reconnect(int32_t s, char *ip, int32_t port, unsigned char options, c } } -int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, - char *miscptr, FILE *fp, char *hostname, char *type, - ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) { +int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char *type, ptr_header_node ptr_head, ptr_cookie_node ptr_cookie) { char *empty = ""; char *login, *pass, clogin[256], cpass[256], b64login[345], b64pass[345]; char header[8096], *upd3variables; @@ -855,13 +841,14 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options char *http_request = NULL; int32_t found = !success_cond, i, j; char content_length[MAX_CONTENT_LENGTH], proxy_string[MAX_PROXY_LENGTH]; - + char content_type[256]; memset(header, 0, sizeof(header)); - cookie[0] = 0; + cookie[0] = 0; // reset cookies from potential previous attempt if (use_proxy > 0 && proxy_count > 0) selected_proxy = random() % proxy_count; + // Take the next login/pass pair if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) 
@@ -874,16 +861,37 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options clogin[sizeof(clogin) - 1] = 0; strncpy(cpass, html_encode(pass), sizeof(cpass) - 1); cpass[sizeof(cpass) - 1] = 0; - upd3variables = hydra_strrep(variables, "^USER^", clogin); - upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); - upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); - upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); + if (multipart_mode) { + char multipart_boundary[32] = "----THC-HydraBoundaryz2Z2z"; + + snprintf(content_type, sizeof(content_type), "multipart/form-data; boundary=%s", multipart_boundary); + char *multipart_body = build_multipart_body(multipart_boundary); + upd3variables = multipart_body; + + upd3variables = hydra_strrep(upd3variables, "^USER^", clogin); + upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); + upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); + upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); + +}else{ + snprintf(content_type, sizeof(content_type), "application/x-www-form-urlencoded"); + + upd3variables = hydra_strrep(variables, "^USER^", clogin); + upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); + upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); + upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); +} + + + + // Replace the user/pass placeholders in the user-supplied headers hdrrep(&ptr_head, "^USER^", clogin); hdrrep(&ptr_head, "^PASS^", cpass); hdrrep(&ptr_head, "^USER64^", b64login); hdrrep(&ptr_head, "^PASS64^", b64pass); + /* again: no snprintf to be portable. don't worry, buffer can't overflow */ if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { if (getcookie) { memset(proxy_string, 0, sizeof(proxy_string)); 
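Review bot: `build_multipart_body` returns NULL when `variables` is unset or an allocation fails (see the `@@ -551` hunk above), but the new multipart branch hands its result straight to `hydra_strrep` without a check; add `if (multipart_body == NULL) { hydra_report(stderr, "[ERROR] Failed to build multipart body.\n"); return 0; }` before the substitutions, as the block this replaces did. The heap string from build_multipart_body is also never freed: `upd3variables` is reassigned to each `hydra_strrep` result, and since the else branch applies `hydra_strrep` to the global `variables` afresh on every attempt it presumably returns a new buffer rather than editing in place, so `multipart_body` leaks once per login/password pair (hydra_strrep is not visible here — confirm). The restored comment `/* again: no snprintf to be portable. don't worry, buffer can't overflow */` now sits above code that formats both content_type strings with snprintf, so it describes nothing and should be dropped. The `}else{` and the three blank lines after it do not follow the file's `} else {` layout. start_http_form begins and ends outside this hunk.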
@@ -893,11 +901,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
 http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
 if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
 return 1;
- i = analyze_server_response(s);
+ i = analyze_server_response(s); // ignore result
 if (strlen(cookie) > 0)
 process_cookies(&ptr_cookie, cookie);
 hydra_reconnect(s, ip, port, options, hostname);
 }
+ // now prepare for the "real" request
 if (strcmp(type, "POST") == 0) {
 memset(proxy_string, 0, sizeof(proxy_string));
 snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url);
@@ -907,69 +916,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options else add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } - } else { - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", "0"); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; - } - } - } else if (use_proxy == 1) { - if (getcookie) { - memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); - if (http_request != NULL) - 
free(http_request); - http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) - return 1; - i = analyze_server_response(s); - if (strlen(cookie) > 0) - process_cookies(&ptr_cookie, cookie); - hydra_reconnect(s, ip, port, options, hostname); - } - if (strcmp(type, "POST") == 0) { - memset(proxy_string, 0, sizeof(proxy_string)); - snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); + if (multipart_mode) + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); + else + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); if (cookie_header != NULL) free(cookie_header); cookie_header = stringify_cookies(ptr_cookie); 
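Review bot: In the authenticated-proxy POST path the new `if (multipart_mode) add_header(...) else add_header(...)` has two identical branches — both add `content_type`, which was already chosen by `multipart_mode` earlier in the function — so the condition can collapse to a single `add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT);`, matching the other two request paths in the following hunk. Note that the header is only added when ptr_head holds no Content-Type yet, so a user-supplied Content-Type would silently be sent with a multipart body built for the `----THC-HydraBoundaryz2Z2z` boundary; in multipart mode the header should be replaced via hdrrepv instead, or the conflict reported. start_http_form begins and ends outside this hunk.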
@@ -1009,102 +959,137 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options } } } else { - /* Direct access to the server (no proxy) */ - normal_request = NULL; - if (getcookie) { - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", cookieurl, NULL, cookie_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) - return 1; - i = analyze_server_response(s); - if (strlen(cookie) > 0) { - process_cookies(&ptr_cookie, cookie); + if (use_proxy == 1) { + // proxy without authentication + if (getcookie) { + // doing a GET to get cookies + memset(proxy_string, 0, sizeof(proxy_string)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + return 1; + i = analyze_server_response(s); // ignore result + if (strlen(cookie) > 0) + process_cookies(&ptr_cookie, cookie); + hydra_reconnect(s, ip, port, options, hostname); + } + // now prepare for the "real" request + if (strcmp(type, "POST") == 0) { + memset(proxy_string, 0, sizeof(proxy_string)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url); + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", 
cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); if (normal_request != NULL) free(normal_request); normal_request = stringify_headers(&ptr_head); - } - hydra_reconnect(s, ip, port, options, hostname); - } - if (multipart_mode) { - char *multipart_body = NULL; - char multipart_boundary[64] = "----THC-HydraBoundaryz2Z2z"; - multipart_body = build_multipart_body(multipart_boundary); - if (multipart_body == NULL) { - hydra_report(stderr, "[ERROR] Failed to build multipart body.\n"); - return 0; - } - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(multipart_body)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); - - char content_type[256]; - snprintf(content_type, sizeof(content_type) - 1, "multipart/form-data; boundary=%s", multipart_boundary); - if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Content-Type", content_type); - - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - - if (normal_request != NULL) - free(normal_request); - http_request = prepare_http_request("POST", url, multipart_body, normal_request); - free(multipart_body); - return 1; - } - if (strcmp(type, "POST") == 0) { - snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", content_length); - else - add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); 
- if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT); - if (cookie_header != NULL) - free(cookie_header); - cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("POST", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } + } else { + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", "0"); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } } } else { - if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) - hdrrepv(&ptr_head, "Content-Length", "0"); - if (cookie_header != NULL) - free(cookie_header); - 
cookie_header = stringify_cookies(ptr_cookie); - if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) - add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); - else - hdrrepv(&ptr_head, "Cookie", cookie_header); - if (normal_request != NULL) - free(normal_request); - normal_request = stringify_headers(&ptr_head); - if (http_request != NULL) - free(http_request); - http_request = prepare_http_request("GET", url, upd3variables, normal_request); - if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { - free(cookie_header); - return 1; + // direct web server, no proxy + normal_request = NULL; + if (getcookie) { + // doing a GET to save cookies + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", cookieurl, NULL, cookie_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) + return 1; + i = analyze_server_response(s); // ignore result + if (strlen(cookie) > 0) { + // printf("[DEBUG] Got cookie: %s\n", cookie); + process_cookies(&ptr_cookie, cookie); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + } + hydra_reconnect(s, ip, port, options, hostname); + } + // now prepare for the "real" request + if (strcmp(type, "POST") == 0) { + snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables)); + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", content_length); + else + add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); + if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + 
hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("POST", url, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } + } else { + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", "0"); + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", url, upd3variables, normal_request); + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } } } } @@ -1114,11 +1099,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options found = analyze_server_response(s); - if (redirected_flag && code_302_is_success) + if (redirected_flag && code_302_is_success) { found = success_cond; + } - if (auth_flag) { - if (code_401_is_failure) { + if (auth_flag) { // we received a 401 error - user may be using wrong module + if (code_401_is_failure) { // apparently they don't think so -- treat 401 as failure hydra_completed_pair(); return 1; } else { 
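Review bot: Multipart mode is applied regardless of `type`: when the service is a GET form, the direct and unauthenticated-proxy GET branches here pass `upd3variables` — now a CRLF-laden multipart body — to `prepare_http_request("GET", ...)` as the parameter string while `content_type` is never sent; multipart/form-data is only meaningful for POST, so either reject the `M` option together with a GET service in parse_options or take the POST path whenever `multipart_mode` is set (the block this replaces did the latter). The direct branch also still starts with `normal_request = NULL;` on a pointer the `@@ -85` hunk shows to be file-scope, discarding whatever the previous attempt obtained from stringify_headers instead of freeing it; if stringify_headers returns heap memory, as the `free(normal_request)` calls throughout this hunk assume, `free(normal_request); normal_request = NULL;` keeps the behaviour without the leak. start_http_form begins before and ends after this hunk.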
@@ -1133,18 +1119,159 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options if (strlen(cookie) > 0) process_cookies(&ptr_cookie, cookie); + // if page was redirected, follow the location header redirected_cpt = MAX_REDIRECT; if (debug) printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff); - while (found == 0 && redirected_flag && !code_302_is_success && - (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { - // Processing redirection (code omitted) + while (found == 0 && redirected_flag && !code_302_is_success && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) { + // we have to split the location + char *startloc, *endloc; + char str[2048], str2[2048], str3[2048], str4[2048]; + + redirected_cpt--; + redirected_flag = 0; + // check if the redirect page contains the fail/success condition +#ifdef HAVE_PCRE + if (hydra_string_match(redirected_url_buff, cond) == 1) { +#else + if (strstr(redirected_url_buff, cond) != NULL) { +#endif + found = success_cond; + } else { + // location could be either absolute http(s):// or / something + // or relative + startloc = strstr(redirected_url_buff, "://"); + if (startloc != NULL) { + startloc += strlen("://"); + + if ((endloc = strchr(startloc, '\r')) != NULL) { + *endloc = 0; + } + if ((endloc = strchr(startloc, '\n')) != NULL) { + *endloc = 0; + } + strncpy(str, startloc, sizeof(str) - 1); + str[sizeof(str) - 1] = 0; + + endloc = strchr(str, '/'); + if (endloc != NULL) { + strncpy(str2, str, endloc - str); + str2[endloc - str] = 0; + } else { + strcpy(str2, str); + } + + if (strlen(str) - strlen(str2) == 0) { + strcpy(str3, "/"); + } else { + strncpy(str3, str + strlen(str2), strlen(str) - strlen(str2)); + str3[strlen(str) - strlen(str2)] = 0; + } + } else { + strncpy(str2, webtarget, sizeof(str2) - 1); + str2[sizeof(str2) - 1] = 0; + if (redirected_url_buff[0] != '/') { + // it's a relative path, so we have to concatenate 
it + // with the path from the first url given + char *urlpath; + char urlpath_extracted[2048]; + + memset(urlpath_extracted, 0, sizeof(urlpath_extracted)); + + urlpath = strrchr(url, '/'); + if (urlpath != NULL) { + strncpy(urlpath_extracted, url, urlpath - url); + sprintf(str3, "%.1000s/%.1000s", urlpath_extracted, redirected_url_buff); + } else { + sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff); + } + } else { + strncpy(str3, redirected_url_buff, sizeof(str3) - 1); + str3[sizeof(str3) - 1] = 0; + } + if (debug) + hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3, url); + } + if (str3[0] != '/') { + j = strlen(str3); + str3[j + 1] = 0; + for (i = j; i > 0; i--) + str3[i] = str3[i - 1]; + str3[0] = '/'; + } + + if (strrchr(str2, ':') == NULL && (port != 80 || port != 443)) { + sprintf(str4, "%.2000s:%d", str2, port); + strcpy(str2, str4); + } + + if (verbose) + hydra_report(stderr, "[VERBOSE] Page redirected to http[s]://%s%s\n", str2, str3); + + if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT)) + hdrrepv(&ptr_head, "Content-Length", "0"); + + // re-use the above code to set cookies + if (cookie_header != NULL) + free(cookie_header); + cookie_header = stringify_cookies(ptr_cookie); + if (!header_exists(&ptr_head, "Cookie", HEADER_TYPE_DEFAULT)) + add_header(&ptr_head, "Cookie", cookie_header, HEADER_TYPE_DEFAULT); + else + hdrrepv(&ptr_head, "Cookie", cookie_header); + + // re-use the code above to check for proxy use + if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) { + // proxy with authentication + hdrrepv(&ptr_head, "Host", str2); + memset(proxy_string, 0, sizeof(proxy_string)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", proxy_string, NULL, 
normal_request); + } else { + if (use_proxy == 1) { + // proxy without authentication + hdrrepv(&ptr_head, "Host", str2); + memset(proxy_string, 0, sizeof(proxy_string)); + snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", proxy_string, NULL, normal_request); + } else { + // direct web server, no proxy + hdrrepv(&ptr_head, "Host", str2); + if (normal_request != NULL) + free(normal_request); + normal_request = stringify_headers(&ptr_head); + if (http_request != NULL) + free(http_request); + http_request = prepare_http_request("GET", str3, NULL, normal_request); + } + } + + hydra_reconnect(s, ip, port, options, hostname); + + if (hydra_send(s, http_request, strlen(http_request), 0) < 0) { + free(cookie_header); + return 1; + } + + found = analyze_server_response(s); + if (strlen(cookie) > 0) + process_cookies(&ptr_cookie, cookie); + } } - if (found != -1 && found == success_cond && - ((redirected_flag && code_302_is_success) || redirected_flag == 0 || success_cond == 1) && - redirected_cpt >= 0) { + // if the last status is still 3xx, set it as a false + if (found != -1 && found == success_cond && ((redirected_flag && code_302_is_success) || redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) { hydra_report_found_host(port, ip, "www-form", fp); hydra_completed_pair_found(); } else { 
@@ -1154,6 +1281,83 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options return 1; } +void service_http_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char *type, ptr_header_node *ptr_head, ptr_cookie_node *ptr_cookie) { + int32_t run = 1, next_run = 1, sock = -1; + int32_t myport = PORT_HTTP, mysslport = PORT_HTTP_SSL; + + // register our socket descriptor + hydra_register_socket(sp); + + /* + * Iterate through the runs. Possible values are the following: + * - 1 -> Open connection to remote server. + * - 2 -> Run password attempts. + * - 3 -> Disconnect and end with success. + * - 4 -> Disconnect and end with error. + */ + + while (1) { + if (run == 2) { + if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) { + hydra_child_exit(1); + } + } + switch (run) { + case 1: /* connect and service init function */ + { + if (sock >= 0) + sock = hydra_disconnect(sock); + if ((options & OPTION_SSL) == 0) { + if (port != 0) + myport = port; + sock = hydra_connect_tcp(ip, myport); + port = myport; + } else { + if (port != 0) + mysslport = port; + sock = hydra_connect_ssl(ip, mysslport, hostname); + port = mysslport; + } + if (sock < 0) { + hydra_report(stderr, "[ERROR] Child with pid %d terminating, cannot connect\n", (int32_t)getpid()); + hydra_child_exit(1); + } + next_run = 2; + break; + } + case 2: /* run the cracking function */ + next_run = start_http_form(sock, ip, port, options, miscptr, fp, hostname, type, *ptr_head, *ptr_cookie); + break; + case 3: /* clean exit */ + if (sock >= 0) + sock = hydra_disconnect(sock); + hydra_child_exit(0); + break; + case 4: /* silent error exit */ + if (sock >= 0) + sock = hydra_disconnect(sock); + hydra_child_exit(1); + break; + default: + hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); + hydra_child_exit(0); + } + run = next_run; + } +} + +void service_http_get_form(char *ip, int32_t sp, unsigned char 
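Review bot: The condition `if (strrchr(str2, ':') == NULL && (port != 80 || port != 443))` in the redirect loop is always true, because no port equals both values, so `:port` is appended to the Host value even on the default ports; `(port != 80 && port != 443)` is presumably what was meant. A second issue sits in the `if (str3[0] != '/')` block: `str3` is `char str3[2048]` and is filled with at most `sizeof(str3) - 1` bytes, so when `j` is 2047 the write `str3[j + 1] = 0` lands one past the array; guarding the shift with `if (j + 1 < (int)sizeof(str3))` (or doing it with `memmove`) keeps it in bounds. The remaining copies are bounded by the earlier `strncpy`/`%.1000s` limits and look fine. start_http_form begins and ends outside this hunk.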
options, char *miscptr, FILE *fp, int32_t port, char *hostname) { + ptr_cookie_node ptr_cookie = NULL; + ptr_header_node ptr_head = initialize(ip, options, miscptr); + + if (ptr_head) + service_http_form(ip, sp, options, miscptr, fp, port, hostname, "GET", &ptr_head, &ptr_cookie); + else { + hydra_report(stderr, "[ERROR] Could not launch head. Error while initializing.\n"); + hydra_child_exit(2); + } +} + void service_http_post_form(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { ptr_cookie_node ptr_cookie = NULL; ptr_header_node ptr_head = initialize(ip, options, miscptr); From ba9a3ba8de63e5ab95e8bc57c88704ed19a5d7e2 Mon Sep 17 00:00:00 2001 From: motypi Date: Mon, 10 Feb 2025 10:37:17 +0100 Subject: [PATCH 52/79] add help for multipart mode, remove junk files --- .vscode/tasks.json | 28 --------- Test | Bin 20352 -> 0 bytes Test.c | 122 --------------------------------------- hydra-http-form.c | 1 + peda-session-61558.txt | 3 - peda-session-61747.txt | 3 - peda-session-62215.txt | 3 - peda-session-62317.txt | 3 - peda-session-unknown.txt | 8 --- 9 files changed, 1 insertion(+), 170 deletions(-) delete mode 100644 .vscode/tasks.json delete mode 100755 Test delete mode 100644 Test.c delete mode 100644 peda-session-61558.txt delete mode 100644 peda-session-61747.txt delete mode 100644 peda-session-62215.txt delete mode 100644 peda-session-62317.txt delete mode 100644 peda-session-unknown.txt diff --git a/.vscode/tasks.json b/.vscode/tasks.json deleted file mode 100644 index 08d9005..0000000 --- a/.vscode/tasks.json +++ /dev/null 
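Review bot: In the `default:` branch of `switch (run)` in service_http_form an unknown return code is reported as an error but the child leaves with `hydra_child_exit(0)`, the same status as the clean exit in case 3, while case 4 uses `hydra_child_exit(1)` for its error exit; `hydra_child_exit(1)` there keeps the error path consistent. That branch also skips the socket teardown the other exit branches do, so `if (sock >= 0) sock = hydra_disconnect(sock);` belongs before the exit call as well. The `switch` could use a short comment on why `default` is reachable at all, given that start_http_form is the only producer of `next_run`.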
@@ -1,28 +0,0 @@ -{ - "tasks": [ - { - "type": "cppbuild", - "label": "C/C++: gcc build active file", - "command": "/usr/bin/gcc", - "args": [ - "-fdiagnostics-color=always", - "-g", - "${file}", - "-o", - "${fileDirname}/${fileBasenameNoExtension}" - ], - "options": { - "cwd": "${fileDirname}" - }, - "problemMatcher": [ - "$gcc" - ], - "group": { - "kind": "build", - "isDefault": true - }, - "detail": "Task generated by Debugger." - } - ], - "version": "2.0.0" -} \ No newline at end of file 
diff --git a/Test b/Test deleted file mode 100755 index df20b3b002e7d4165240acf776edc16751f5d9d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20352 zcmeHPdvILUc|UhoS6W$bOMXZucr7rP$F3|PjBRkdwk5Lyzwo0N61ZCJL)v<^D|YYt zK>{{7Fjf_}b_>LvG>Kr!;IyW3J1|jsMLc3dCuB_10BMGn(xga%rY1aUUf%w`bI!L~ zT_nG~LQeb>QGcahfk ze8AnjS=TpRKMd>qGt}u7Es1!~lJ=HF#FvOCv%7t}moD)wY4>MR{x(@L#pT68W9sS+ z+XUQ<5>Ka5xb`WU{gJFe%Sr#?z&{^+^qOz4-+uCiMW61<&3XGbXZMp%H;&tz&i>un zj*a3g&Gw#wX!G*sNVKQ<(&khKXtpPtw6ma+p?(teBF-?#ozZkAo=Sq#=5Jr@YgKxe zK@v)b`{H&qY-iJC5bBRCX>Yy_)yVNed7>C8CMpy^4@sg4r&|H($ow030240a&BXCi z^vC_nelx_EDaj_4W>BQ(EZ2fD75^CcUZ*l>s(&hdj>Bn^nMQxcG<>=qrt<$h_+A{& z(gDU)`j=0`_fNy8%X=z6w@$-<1$-|KXSooJsr*F1r#^6&o4}|O^Mp5`Bz!**89N;w z*dsE@fpk1+$Ao2N>`-`z74F+%#X|9fh^3=Z(u!mU2-v9|A{`AS5~;AX4cVe!QItJhc<&Ux&z z3AD|Bxv;vnuD9SZ+8fW<(e&2!YZ9qsbZe+55k(!n{i&p`+)}DjDx&!=jCup-5*+kL zIR7zjK<5tV@_nTt9Y2q>dHxo2H_{SfZpy`1>{>KwEJ?O{poS^9eKc1eT>A^nUGeOe? zW_{;mgm!U*mU!HrtX8u0Xdsai}zeB=?PZR`&ZmaXmIeCc4csA#oZvr z;%9TYu?TwSgn2J$<0jbV>nHp1T@Vto4R#os`+|eF9YCd1CO zMYD90eEO+$f(zufQzH8Xr14G64ugXyen7R2`PuM*GCXxc*`wZ9;Rj};2JqK|L+f#D zBi@0o!56v)PXz~`hO=)=XU{xE&ZI}#vayFy>tN?SL!I}K{SgY}&s88}2xLrTo8d^Z zeZ;2rKxF}Nm6;l}QX7X)2ZwH>`cd~bB(Za>Yw*La!RLd6FHsI;{U=qet+0nxFnkJX z!$AWvcETFR!A%ArDwNr}NQH6+p_~y}Kl!BUANWLuBEz~*;WDg00ItH?t&(&GeviO- zSY$C4w~ZCJPD1ysdI$4o%Gqg{4Rd9e6YrpTBd+v(XWUP`!Oo*_eN@!k)lPk*Q&Xy3 z98g*BmR6t1dMlI$I}Z(Y9?ECkuUwA6<%r16R*{|@`~Jt=qzBP)+JG`GGd!Yl`w{L+ z$cxJDPhkPQNx2<`yHQ7OUxXgo@H{GfUS#J(1Kv)KttGbZ^5tClTbF=^jzlttwv8yU z?4YAcTUu6X%NL%VxS-w+M1n&l3l|}FSf6Pf4UYIwwg%Vuf{z9FMAD(vsVpQI02s0( zl1xTI!N<~jZf(18LLb4w;W$M82PXY(DCEiXIo}tPgS9 zChbOQ0P)_sR5joPgr6v(%GNhNlFdciPL5p*TyoLKGm+pW4Ki-q9NP?mYL$GR<)2`1 zTr9;56f;oFKrsWw3=}g^%s?>%`3%td29<0knx-Yi6?QaZ6LG;nD3jThN=GDz2(0%D z;qxubRLxkEO4`w+?dynV22z>0jg`mc-dHN#?~8=&(3M{4sd-_hxoSq$3^I^*J|7TW zI@9S?+S`+jCnE7=ueU#&u;T+*DDw8CB76KZ#QI5$e)JYfGvE|&o8 zIGxMg1Gp9N7+}LYx!hL3PXV6;-0*%b_Y30Vpkmy*Ss1%(jd_)2o)5}y_?M_^Cw 
z6CGvpXZrJjwiAtdP7$oGU0Xf(nwpATo_%6v)3S>%JHMIOWdCIxN1<2v`#$k)9K+y` z0&=0czK)|6@m)v1i*#1k-tAgbRq7795t59B+R^h~F84BEUhaC4#Kls~KrsWw3=}g^ z%s?>%#S9cPP|QFv1OJaRz~6cCcU|;5HMsB< zoFt68dh%s{=uvbf3 zJ(YmQrSN@OSqyv?^pbMY_ZT(cUm@{Y;{hlxmH1qv4Ohc5iF=JZptD@!i;P*&xl-bb zjZ^S&mBg1CmqBNR!~@1(0}n_%XnX?wRTAH190$Hy;@gdFz&mCy#JSs`3w>?F#lZWF zGS~)XoCC&>fOkpUHm(PLO$Gf7vD;V)eErPpfbTN~VYQ)VJMcRV`axx*rv;q-#tGZV_=^nhF{M zV9o_zel6*A5cU$dJSM! z1z3isjQY0R%^%p7o+SMpMkRIsbHH8Xs!DkN5%u3ox~~zF5GfI!A3$)B=np0fN*5wc zp1*WeQ*vekcM;-}ZJPZaP|x>VRiq>NqLgm2o?)ea6|tpe=?~$x^bQrz&BT^flZ+$# zBLwgPad(lJ!ga~9Te=W}vWQVlvOgi&VX{g?L3qY-ew+jkv5}bL18Ve}Wc-o7;lB)= zit%S}Lg-!ttJDlaU55j1+Kh5b1vzma9@(pU;y)piJ<%lQ{t9xVQYM%$botwt^w+oy zzKqIdWq#&%H>Idndpoe#eIc~!D)F%joFCfjJ_o)Uv~+l{I|1WHO&;0n&Ov&8IR)-M zyl=1jNl3SA>CwIJRq$+SSI76dD?xT^>B!!u=6aZ+&_^Fs-2VjYb809qG;-dK=pJD- zYcl8#L+dLpdG-mmR-e;2|wE!^%t4;})w)B@MxZuh@Hwo1$Tz%#0ZyL$P8 zk}E5gRdm%a#RJ!6iY~30!yrmYgptD!y3ZuEvaS`vz%H9j))mSa{j9YXl!3FLdP1+f9(q?{nlZyLy6VZYVgageK^&D=$T+I# z*;`#_EUd1taL=DNzs{IhR*UC&4MKoctq#hAZn{7k%&a%u)fE-0a`IR|5eqs`HcJP# zvXQEuHJL?Cojti#s!en9Oyr81K%oTYepNPj?sP&75VIf`drF1i+-v*n!M14FIQO4~_?L{1C^lakz~6uA1^?zzjNxkBL_TD|aPM zCG~V_!pUr=(*2qAzghdFS?BIT-KKllF>}sS<|5akdUICH^t@u0XU*Ej z&GUv$GiILWYHlzqW9Hn45!rVjdYoi4cADmXII4WYG_Eyk7e8js_&4($*U|>l^R6^^ zomX#~yI@fHxM|$rnvG0aRw@>=Y;4WgXki0M#2T>E`K=@2KH4vmjP9~%J;2JyeIhuK zex@&#wtKQM+OyQfVLdwxqB!!Gdril<8wJ);k~w#|miK4n$@3 zgfiI0LZVZnXF@xps)eMFeL@!Y{p^5Wimy#r{fL6M0demMxyobZmw05C zif{r8N6B6bji=_uWj7SWB-=QUj_y=Lfr6!~FaQc2W$_(S8c{&HwrgD{0+0>Ohq+gEQfZV8CSN_+Rh1o3$&`DcR9^C3l)$E@{LU)5eTuA9hsl7Hk-Rio z`cnPTmT(ALp5oz9OGhf4?Z^6Dre#w)_4`rVyKzg4{En-|?hE_+=!-7j`nD}wx>~kk zwa*_GzpK4y$!5~DRkEcw9B#p-W-V#g8zy^`*_PJ!mUuFp$YM-LMNNEGu_tb4{u?SS zv>$S^BIP?0jrse8lmQ~$*|05#gQOzyl;UEvDF)&N^7#dKXYB5JC+F0n_fZ26h)*zg zpyHKhJmLVS(x>-T7k1j6uG5Mdcs1W!xM>Q!%QT;VF90b^7tRLu>n#c>n&P9f4TmA- z2!8*UOq{-ogX-nqADDjth#_X@_oFfYAs|!5KV7^2O8S{4jxS&j6L2a&Pe}c_!udW- z4^LV}J?522{`4v^Lp0`pS6~4>XdNk&BI>BA_%vPgN{z{@Ml88lM|k=k4ZjTPr#4Cuf_OW9GKt{cE9#Bs>lBYEXIU+ 
zs`fU3Pky`sR#ea{_3J+KK0+_UQ~6m6ejV~ttNmbhD$D9=^y$@lDnEVX2YGY$yA8fq z`z!>1IE|nC!EY{9)c6ym@4~Nsj^Ayb0e{NgS4Ot=+t8eW%sAp~J!^+>RSItXki-2F94W zS)D;G4R&l6*467au3ojy+PHS@md>r#)>W(5by{-16ySZpa?7uCPjOy~y}_TiA6QLS z^4ii@R6YKwod{|2Hs`!%J3UY^Gs-i_ly^r@Vj|C&PN*%%@Hct?u@%XrtiDh(LVJ^G zCSl{d7mKD0Q%{f79_q>dY2u-`T2B^OJ(-NISMRf?ZP}A_CZ<@_oRB?9sJ32DVp$fp zQ**!3KI%wMx@D@S;80UTB7ry|}P78BfMijE8!9FlA;6|GENMP)5in zqr}E=Nl$S*`X94sJp#9Q%r#VT{y!I9kI-VN%Q!*$ZG?WJW&7#=ZwcvA;rqCvgjfQk z(BAp~OU`FS4f*-TY?@aU+J9Zo>lhBO;xzWxJM4L0$k6*+?4yu>fHeqizgGvyaFMpB z7^yhhPm39}M#J{Jj>GVI>KqiZBb4pwrw%H+a8Q%kp4WvKzC%g{MZ3#$_5!0d7PjYg z6^8u0=lJt_+5`Q%Mr$_A=XD!~0j=kZU$ezGfl$iWp4X8Wp4N(7zq9=hYWvk%kJqIb zdUb=z9=}w5CV$@pk5o!=$imNY4SBte#m@2f7Z4QMd$k?IQ*5ZA!@YRaVSidHFl2pp z!!$$MYF1c3CLOA1II2koY{&2<1cmlI&tq6?vZaD-$J`ek_B@Yfh?&u(;>_Pqv_1E~ z@M?7pk7<$t_dnA=2SV|)J->%Ayowbybk;xaupjd(MTS4pb_|^LzY76=&Xw07>F_!) z|Gy%qKGO{8y{D$Yp5FueeB^CnyeevfX8Q^>p2n`e?d9Lk`2SBi|IZZLaXw6i|aK5fz ztLLR`zc9~H2*pZ;;UaCXxD)3U+M&}g+p*>q)7bZG!&$7#Q28v8phS2fU@P+@V9 z;<{<<>#k5%v?5nn9Hh8O+dJEN>r!R4jypy>VS9#s)7YQ5QW> -#include -#include - -// On définit ici la variable globale "variables" qui sera utilisée par build_multipart_body. -// On suppose qu'elle contient des paires clé=valeur séparées par '&'. -// Pour ce test, on utilise par exemple : -char *variables = "username=testuser&password=testpass"; - -// La fonction build_multipart_body construit le corps d'une requête multipart/form-data -// à partir de la chaîne globale "variables" et du boundary fourni. 
-char *build_multipart_body(char *multipart_boundary) { - if (!variables) - return NULL; // Pas de paramètres à traiter - - char *body = NULL; // Chaîne résultat - size_t body_size = 0; // Taille actuelle du corps - - // Dupliquer la chaîne "variables" afin de pouvoir la tokeniser (strtok modifie la chaîne) - char *vars_dup = strdup(variables); - if (!vars_dup) - return NULL; - - // Tokeniser la chaîne sur le caractère '&' - char *pair = strtok(vars_dup, "&"); - while (pair != NULL) { - // Pour chaque paire, rechercher le séparateur '=' - char *equal_sign = strchr(pair, '='); - if (!equal_sign) { - pair = strtok(NULL, "&"); - continue; - } - *equal_sign = '\0'; // Terminer la clé - char *key = pair; - char *value = equal_sign + 1; - - // Construire la section multipart pour ce champ. - // Format attendu : - // --\r\n - // Content-Disposition: form-data; name=""\r\n - // \r\n - // \r\n - int section_len = snprintf(NULL, 0, - "--%s\r\n" - "Content-Disposition: form-data; name=\"%s\"\r\n" - "\r\n" - "%s\r\n", - multipart_boundary, key, value); - - char *section = malloc(section_len + 1); - if (!section) { - free(body); - free(vars_dup); - return NULL; - } - snprintf(section, section_len + 1, - "--%s\r\n" - "Content-Disposition: form-data; name=\"%s\"\r\n" - "\r\n" - "%s\r\n", - multipart_boundary, key, value); - - // Réallouer le buffer "body" pour y ajouter cette section - size_t new_body_size = body_size + section_len; - char *new_body = realloc(body, new_body_size + 1); // +1 pour le '\0' - if (!new_body) { - free(section); - free(body); - free(vars_dup); - return NULL; - } - body = new_body; - if (body_size == 0) - strcpy(body, section); - else - strcat(body, section); - body_size = new_body_size; - free(section); - - // Passage à la paire suivante - pair = strtok(NULL, "&"); - } - free(vars_dup); - - // Ajouter la fermeture du multipart : - // ----\r\n - int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary); - char *closing = malloc(closing_len + 
1); - if (!closing) { - free(body); - return NULL; - } - snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary); - - size_t final_size = body_size + closing_len; - char *final_body = realloc(body, final_size + 1); - if (!final_body) { - free(closing); - free(body); - return NULL; - } - body = final_body; - strcat(body, closing); - free(closing); - - return body; -} - -int main(void) { - // Définir un boundary pour le test - char boundary[] = "----THC-HydraBoundaryz2Z2z"; - // Appeler la fonction build_multipart_body - char *multipart_body = build_multipart_body(boundary); - if (multipart_body == NULL) { - fprintf(stderr, "Error building multipart body.\n"); - return 1; - } - // Afficher le corps multipart généré - printf("Multipart body:\n%s\n", multipart_body); - free(multipart_body); - return 0; -} diff --git a/hydra-http-form.c b/hydra-http-form.c index 1dd9521..0b42268 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -1602,6 +1602,7 @@ void usage_http_form(const char *service) { "and the condition string; seperate them too with colons:\n" " 1= 401 error response is interpreted as user/pass wrong\n" " 2= 302 page forward return codes identify a successful attempt\n" + " M= attack forms that use multipart format\n" " (c|C)=/page/uri to define a different page to gather initial " "cookies from\n" " (g|G)= skip pre-requests - only use this when no pre-cookies are required\n" diff --git a/peda-session-61558.txt b/peda-session-61558.txt deleted file mode 100644 index e50613c..0000000 --- a/peda-session-61558.txt +++ /dev/null @@ -1,3 +0,0 @@ -break main - -set exec-wrapper logging enabled diff --git a/peda-session-61747.txt b/peda-session-61747.txt deleted file mode 100644 index e50613c..0000000 --- a/peda-session-61747.txt +++ /dev/null @@ -1,3 +0,0 @@ -break main - -set exec-wrapper logging enabled diff --git a/peda-session-62215.txt b/peda-session-62215.txt deleted file mode 100644 index e50613c..0000000 
--- a/peda-session-62215.txt +++ /dev/null @@ -1,3 +0,0 @@ -break main - -set exec-wrapper logging enabled diff --git a/peda-session-62317.txt b/peda-session-62317.txt deleted file mode 100644 index e50613c..0000000 --- a/peda-session-62317.txt +++ /dev/null @@ -1,3 +0,0 @@ -break main - -set exec-wrapper logging enabled diff --git a/peda-session-unknown.txt b/peda-session-unknown.txt deleted file mode 100644 index ddb86e5..0000000 --- a/peda-session-unknown.txt +++ /dev/null @@ -1,8 +0,0 @@ - -set exec-wrapper logging enabled - -set exec-wrapper logging enabled - -set exec-wrapper logging enabled - -set exec-wrapper logging enabled From db099fcdacce542bca290c38a03c886a0db0ab78 Mon Sep 17 00:00:00 2001 From: motypi Date: Mon, 10 Feb 2025 14:57:07 +0100 Subject: [PATCH 53/79] cleaning code --- hydra-http-form.c | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/hydra-http-form.c b/hydra-http-form.c index 0b42268..4c6919b 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
@@ -863,26 +863,20 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options cpass[sizeof(cpass) - 1] = 0; if (multipart_mode) { - char multipart_boundary[32] = "----THC-HydraBoundaryz2Z2z"; - - snprintf(content_type, sizeof(content_type), "multipart/form-data; boundary=%s", multipart_boundary); - char *multipart_body = build_multipart_body(multipart_boundary); + snprintf(content_type, sizeof(content_type), "multipart/form-data; boundary=----THC-HydraBoundaryz2Z2z"); + char *multipart_body = build_multipart_body("----THC-HydraBoundaryz2Z2z"); upd3variables = multipart_body; +}else{ + snprintf(content_type, sizeof(content_type), "application/x-www-form-urlencoded"); + upd3variables = variables; +} + upd3variables = hydra_strrep(upd3variables, "^USER^", clogin); upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); -}else{ - snprintf(content_type, sizeof(content_type), "application/x-www-form-urlencoded"); - - upd3variables = hydra_strrep(variables, "^USER^", clogin); - upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass); - upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login); - upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass); -} - // Replace the user/pass placeholders in the user-supplied headers @@ -916,9 +910,6 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options else add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT); if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT)) - if (multipart_mode) - add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); - else add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT); if (cookie_header != NULL) free(cookie_header); From 3cc53fe778a58425593a4b3fba5dc55224497ded Mon Sep 17 00:00:00 2001 
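Review bot: In the `multipart_mode` branch `upd3variables = multipart_body` is fed straight into `hydra_strrep` without a NULL check, although `build_multipart_body` can fail (the copy removed in the previous commit's Test.c returns NULL when `variables` is NULL or an allocation fails, and the in-tree version presumably behaves the same); add `if (upd3variables == NULL) { hydra_report(stderr, "[ERROR] could not build multipart body\n"); return 4; }` before the replacement chain, 4 being the silent-error exit that service_http_form maps it to. The multipart body is heap-allocated and each `hydra_strrep` call overwrites the pointer, so the original buffer leaks on every attempt unless `hydra_strrep` frees its input, which is not visible here. The boundary string is now duplicated between the `snprintf` and the `build_multipart_body` call; a single `#define MULTIPART_BOUNDARY "----THC-HydraBoundaryz2Z2z"` keeps them from drifting apart. `}else{` also departs from the file's `} else {` spacing.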
From: motypi Date: Mon, 3 Mar 2025 13:00:37 +0100 Subject: [PATCH 54/79] created skip_password function --- hydra.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hydra.c b/hydra.c index 30a8ece..a80f84f 100644 --- a/hydra.c +++ b/hydra.c @@ -1591,6 +1591,15 @@ char *hydra_reverse_login(int32_t head_no, char *login) { return hydra_heads[head_no]->reverse; } +void skip_passwords(int skips){ + for(int i=0; ipass_no >= hydra_brains.countpass) + while(*hydra_target[target_no]->pass_ptr != 0) + hydra_target[target_no]->pass_ptr++; + hydra_target[target_no]->pass_ptr++; + } +} + int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { // variables moved to save stack snpdone = 0; @@ -1750,9 +1759,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { return hydra_send_next_pair(target_no, head_no); } else { hydra_targets[target_no]->pass_ptr++; - while (*hydra_targets[target_no]->pass_ptr != 0) - hydra_targets[target_no]->pass_ptr++; - hydra_targets[target_no]->pass_ptr++; + skip_passwords(1); } if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) || (hydra_options.try_password_reverse_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { hydra_brains.sent++; From a8f80debedf418c07efbc7b70a90ad0eb50d0252 Mon Sep 17 00:00:00 2001 From: motypi Date: Tue, 4 Mar 2025 10:34:23 +0100 Subject: [PATCH 55/79] added variables and applied skipping function --- hydra.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/hydra.c b/hydra.c index a80f84f..3d95cde 100644 --- a/hydra.c +++ b/hydra.c 
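Review bot: `skip_passwords` as added here indexes `hydra_target[target_no]` although `target_no` is not a parameter of the function and the array used in the second hunk is spelled `hydra_targets`, so it is unlikely to compile as written (the loop header is also garbled in this rendering, so its exact text is uncertain). Beyond that, the loop advances `pass_ptr` over `skips` NUL-terminated entries with no check that it stays inside the password block; the commented-out `pass_no >= hydra_brains.countpass` test hints at the missing bound, and without it a skip count larger than the remaining entries reads past the end of the list. The replacement `skip_passwords(1);` in the second hunk is behaviour-neutral only as long as that bound is never exceeded, so the bound should be part of the helper rather than left to callers.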
@@ -342,6 +342,8 @@ char *sck = NULL; int32_t prefer_ipv6 = 0, conwait = 0, loop_cnt = 0, fck = 0, options = 0, killed = 0; int32_t child_head_no = -1, child_socket; int32_t total_redo_count = 0; +int32_t total_distributed_machines = 2; +int32_t distributed_machine_rank = 2; // moved for restore feature int32_t process_restore = 0, dont_unlink; @@ -1591,12 +1593,12 @@ char *hydra_reverse_login(int32_t head_no, char *login) { return hydra_heads[head_no]->reverse; } -void skip_passwords(int skips){ +void skip_passwords(int32_t skips, int32_t target_no){ for(int i=0; ipass_no >= hydra_brains.countpass) - while(*hydra_target[target_no]->pass_ptr != 0) - hydra_target[target_no]->pass_ptr++; - hydra_target[target_no]->pass_ptr++; + //if(*hydra_targets[target_no]->pass_no >= hydra_brains.countpass) + while(*hydra_targets[target_no]->pass_ptr != 0) + hydra_targets[target_no]->pass_ptr++; + hydra_targets[target_no]->pass_ptr++; } } @@ -1752,6 +1754,9 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->login_ptr++; hydra_targets[target_no]->login_ptr++; hydra_targets[target_no]->pass_ptr = pass_ptr; + hydra_targets[target_no]->pass_ptr++; + //initialise the password to start with depending on the machine's rank if using distributed computing + skip_passwords(distributed_machine_rank-1, target_no); hydra_targets[target_no]->login_no++; hydra_targets[target_no]->pass_no = 0; hydra_targets[target_no]->pass_state = 0; 
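Review bot: `total_distributed_machines = 2` and `distributed_machine_rank = 2` are hard-coded globals, and the hunks at `@@ -1752` and `@@ -1759` call `skip_passwords(distributed_machine_rank-1, target_no)` and `skip_passwords(total_distributed_machines, target_no)` unconditionally, so every run now skips the first password of each login and every second one after that; half the wordlist is never tried unless the user really is machine 2 of 2. Until a command-line option sets them, both should default to `1` (which reproduces the previous single-skip behaviour) or the calls should be gated on the option being present. The bound check inside `skip_passwords` is still commented out, so a rank or machine count larger than the remaining entries walks `pass_ptr` past the end of the password block.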
@@ -1759,7 +1764,8 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { return hydra_send_next_pair(target_no, head_no); } else { hydra_targets[target_no]->pass_ptr++; - skip_passwords(1); + //number of passwords in the wordlist to skip depending on the number of parallel machines + skip_passwords(total_distributed_machines, target_no); } if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) || (hydra_options.try_password_reverse_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { hydra_brains.sent++; From 2c50bb8e6db34be37dfdbcc66c088c4b3fbd48fa Mon Sep 17 00:00:00 2001 From: motypi Date: Mon, 10 Mar 2025 13:58:09 +0100 Subject: [PATCH 56/79] added wordlist (password,login,colonfile) segmentation on the fly using cmd option -D --- hydra.c | 112 +++++++++++++++++++++++++++++++++++++++++++++++--------- hydra.h | 1 + 2 files changed, 96 insertions(+), 17 deletions(-) diff --git a/hydra.c b/hydra.c index 3d95cde..033ede0 100644 --- a/hydra.c +++ b/hydra.c @@ -342,8 +342,8 @@ char *sck = NULL; int32_t prefer_ipv6 = 0, conwait = 0, loop_cnt = 0, fck = 0, options = 0, killed = 0; int32_t child_head_no = -1, child_socket; int32_t total_redo_count = 0; -int32_t total_distributed_machines = 2; -int32_t distributed_machine_rank = 2; +int32_t num_segments = 0; +int32_t my_segment = 0; // moved for restore feature int32_t process_restore = 0, dont_unlink; 
@@ -1593,14 +1593,66 @@ char *hydra_reverse_login(int32_t head_no, char *login) { return hydra_heads[head_no]->reverse; } -void skip_passwords(int32_t skips, int32_t target_no){ - for(int i=0; ipass_no >= hydra_brains.countpass) - while(*hydra_targets[target_no]->pass_ptr != 0) - hydra_targets[target_no]->pass_ptr++; - hydra_targets[target_no]->pass_ptr++; + +FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ + fprintf(stdout, "Dividing file...\n"); + + if(my_segment > num_segments){ + fprintf(stderr, "[ERROR] in option -D XofY, X must not be greater than Y: %s\n", hydra_options.passfile); + return NULL; + } + + FILE *output_file; + char line[500]; + char output_file_name[20]; + + uint32_t line_number = 0; + + double total_lines; + if (total_lines = countlines(file,0)) + fprintf(stdout, "There are %f lines int the wordlist", total_lines); + else + fprintf(stderr, "Something went wrong in the counting of lines"); + + if(num_segments > total_lines){ + fprintf(stderr, "[ERROR] in option -D XofY, Y must not be greater than the total number of lines in the file to be divided: %s\n", hydra_options.passfile); + return NULL; } -} + + double segment_size_double = total_lines / num_segments; + + // round up segment_size_float to integer + uint64_t segment_size = (uint64_t)segment_size_double; + if(segment_size < segment_size_double) + segment_size++; + + uint64_t segment_start = segment_size * (my_segment - 1) + 1; + uint64_t segment_end = segment_size * my_segment; + + + sprintf(output_file_name, "segment_%d.txt", my_segment); + output_file = fopen(output_file_name, "w"); + + if(!output_file){ + fprintf(stderr, "[ERROR] Segment file empty: %s\n", hydra_options.passfile); + return NULL; + } + + while(fgets(line, sizeof line, file) != NULL && line_number < segment_end){ + line_number++; + + if(line_number >= segment_start && line_number <= segment_end) + fprintf(output_file, "%s", line); + + } + + rewind(file); + fclose(output_file); + 
output_file = fopen(output_file_name, "r"); + + return output_file; + + } int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { // variables moved to save stack @@ -1754,9 +1806,6 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { hydra_targets[target_no]->login_ptr++; hydra_targets[target_no]->login_ptr++; hydra_targets[target_no]->pass_ptr = pass_ptr; - hydra_targets[target_no]->pass_ptr++; - //initialise the password to start with depending on the machine's rank if using distributed computing - skip_passwords(distributed_machine_rank-1, target_no); hydra_targets[target_no]->login_no++; hydra_targets[target_no]->pass_no = 0; hydra_targets[target_no]->pass_state = 0; @@ -1764,8 +1813,9 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) { return hydra_send_next_pair(target_no, head_no); } else { hydra_targets[target_no]->pass_ptr++; - //number of passwords in the wordlist to skip depending on the number of parallel machines - skip_passwords(total_distributed_machines, target_no); + while (*hydra_targets[target_no]->pass_ptr != 0) + hydra_targets[target_no]->pass_ptr++; + hydra_targets[target_no]->pass_ptr++; } if ((hydra_options.try_password_same_as_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_heads[head_no]->current_login_ptr) == 0) || (hydra_options.try_null_password && strlen(hydra_heads[head_no]->current_pass_ptr) == 0) || (hydra_options.try_password_reverse_login && strcmp(hydra_heads[head_no]->current_pass_ptr, hydra_reverse_login(head_no, hydra_heads[head_no]->current_login_ptr)) == 0)) { hydra_brains.sent++; 
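Review bot: `sprintf(output_file_name, "segment_%d.txt", my_segment)` writes into `char output_file_name[20]`, which has room for at most 7 digits of the segment number before the `.txt` and terminator overflow it, and `%d` is paired with a `uint32_t`. The segment is also materialised under a predictable name in the current directory and never removed, so part of the wordlist stays on disk and a pre-existing file or link at that path is silently followed; an anonymous `tmpfile()` removes the name, the overflow, the leftover file and the close-and-reopen dance, as sketched below (the `output_file_name` declaration then goes away). Two smaller points: `line[500]` makes `fgets` split longer lines into several fragments, each of which bumps `line_number`, so segment boundaries drift from what `countlines` computed whenever a wordlist line exceeds 499 bytes; and the error messages name `hydra_options.passfile` even when the login or colon file is being divided. The NULL returns of this function are not checked by the callers added later in this commit.
```c
FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){
  // … unchanged: argument validation, line count and segment arithmetic …
  // anonymous temporary: no predictable name in the cwd, removed automatically
  // on close, and readable after rewind so no reopen is needed
  output_file = tmpfile();
  if (!output_file) {
    fprintf(stderr, "[ERROR] could not create temporary segment file\n");
    return NULL;
  }
  while (fgets(line, sizeof line, file) != NULL && line_number < segment_end) {
    line_number++;
    if (line_number >= segment_start)
      fputs(line, output_file);
  }
  rewind(file);
  rewind(output_file);
  return output_file;
}
```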
@@ -2184,7 +2234,7 @@ void process_proxy_line(int32_t type, char *string) { int main(int argc, char *argv[]) { char *proxy_string = NULL, *device = NULL, *memcheck; char *outfile_format_tmp; - FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp; + FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp, *filecloser=NULL; size_t countinfile = 1, sizeinfile = 0; uint64_t math2; int32_t i = 0, j = 0, k, error = 0, modusage = 0, ignore_restore = 0, do_switch; @@ -2320,6 +2370,7 @@ int main(int argc, char *argv[]) { hydra_options.loginfile = NULL; hydra_options.pass = NULL; hydra_options.passfile = NULL; + hydra_options.distributed = NULL; hydra_options.tasks = TASKS; hydra_options.max_use = MAXTASKS; hydra_options.outfile_format = FORMAT_PLAIN_TEXT; @@ -2333,8 +2384,18 @@ int main(int argc, char *argv[]) { help(1); if (argc < 2) help(0); - while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:K")) >= 0) { + while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:D:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:K")) >= 0) { switch (i) { + case 'D': + hydra_options.distributed = optarg; + if (sscanf(hydra_options.distributed, "%dof%d", &my_segment, &num_segments) != 2) { + fprintf(stderr, "Invalid format. Expected format -D XofY where X and Y are integers.\n"); + exit(EXIT_FAILURE); + } + else{ + fprintf(stdout, "successfully set X to %d and Y to %d\n", my_segment, num_segments); + } + break; case 'h': help(1); break; @@ -3415,6 +3476,13 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] File for logins not found: %s\n", hydra_options.loginfile); exit(-1); } + else if (hydra_options.passfile == NULL){ + if(my_segment && num_segments){ + filecloser = lfp; + lfp = hydra_divide_file(lfp, my_segment, num_segments); + fclose(filecloser); + } + } hydra_brains.countlogin = countlines(lfp, 0); hydra_brains.sizelogin = size_of_data; if (hydra_brains.countlogin == 0) { 
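Review bot: The `-D` parser accepts any two integers: `sscanf(hydra_options.distributed, "%dof%d", &my_segment, &num_segments)` stores into the `int32_t` globals, so `0of4` is silently ignored by the `my_segment && num_segments` guards at the call sites and `-1of4` turns into a huge `uint32_t` inside hydra_divide_file; validate here with `if (sscanf(...) != 2 || my_segment < 1 || num_segments < my_segment) { fprintf(stderr, "[ERROR] -D expects XofY with 1 <= X <= Y\n"); exit(EXIT_FAILURE); }`. The call sites (this hunk's `lfp = hydra_divide_file(lfp, ...)` and the `pfp`/`cfp` hunks at `@@ -3447` and `@@ -3501`) never check for the NULL that hydra_divide_file returns on error, so `countlines(lfp, 0)` then runs on a NULL stream; an `if (lfp == NULL) exit(-1);` after each call matches the neighbouring file-not-found handling. The login file is only split when `passfile == NULL`, which is a defensible choice (logins stay whole when the passwords are split) but deserves a comment saying so.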
@@ -3447,6 +3515,11 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] File for passwords not found: %s\n", hydra_options.passfile); exit(-1); } + else if(my_segment && num_segments){ + filecloser = pfp; + pfp = hydra_divide_file(pfp, my_segment, num_segments); + fclose(filecloser); + } hydra_brains.countpass = countlines(pfp, 0); hydra_brains.sizepass = size_of_data; if (hydra_brains.countpass == 0) { @@ -3501,6 +3574,11 @@ int main(int argc, char *argv[]) { fprintf(stderr, "[ERROR] File for colon files (login:pass) not found: %s\n", hydra_options.colonfile); exit(-1); } + else if(my_segment && num_segments){ + filecloser = cfp; + cfp = hydra_divide_file(cfp, my_segment, num_segments); + fclose(filecloser); + } hydra_brains.countlogin = countlines(cfp, 1); hydra_brains.sizelogin = size_of_data; if (hydra_brains.countlogin == 0) { @@ -4421,4 +4499,4 @@ int main(int argc, char *argv[]) { return -1; else return 0; -} +} \ No newline at end of file diff --git a/hydra.h b/hydra.h index 353b318..24b63e8 100644 --- a/hydra.h +++ b/hydra.h @@ -194,6 +194,7 @@ typedef struct { int32_t cidr; int32_t time_next_attempt; output_format_t outfile_format; + char *distributed; // Use distributed computing by splitting user files on the fly char *login; char *loginfile; char *pass; From f632c7231eafa000afc1b5ec1fd1e0c17cbf0036 Mon Sep 17 00:00:00 2001 From: motypi Date: Mon, 10 Mar 2025 22:41:50 +0100 Subject: [PATCH 57/79] added help for -D option --- hydra.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hydra.c b/hydra.c index 033ede0..2803fd8 100644 --- a/hydra.c +++ b/hydra.c 
@@ -521,6 +521,8 @@ void help(int32_t ext) { "instead of -L/-P options\n" " -M FILE list of servers to attack, one entry per " "line, ':' to specify port\n"); + PRINT_NORMAL(ext, " -D XofY Divide wordlist into Y segments and use the " + "Xth segment.\n"); PRINT_EXTEND(ext, " -o FILE write found login/password pairs to FILE instead of stdout\n" " -b FORMAT specify the format for the -o FILE: text(default), json, " "jsonv1\n" From 8faf1984d88016a96ac1dbe0c2591c40e21ab511 Mon Sep 17 00:00:00 2001 From: motypi Date: Mon, 10 Mar 2025 23:02:55 +0100 Subject: [PATCH 58/79] removed debug messages --- hydra.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/hydra.c b/hydra.c index 2803fd8..e5f71a8 100644 --- a/hydra.c +++ b/hydra.c @@ -1597,7 +1597,6 @@ char *hydra_reverse_login(int32_t head_no, char *login) { FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ - fprintf(stdout, "Dividing file...\n"); if(my_segment > num_segments){ fprintf(stderr, "[ERROR] in option -D XofY, X must not be greater than Y: %s\n", hydra_options.passfile); @@ -1610,11 +1609,7 @@ FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ uint32_t line_number = 0; - double total_lines; - if (total_lines = countlines(file,0)) - fprintf(stdout, "There are %f lines int the wordlist", total_lines); - else - fprintf(stderr, "Something went wrong in the counting of lines"); + double total_lines = countlines(file,0); if(num_segments > total_lines){ fprintf(stderr, "[ERROR] in option -D XofY, Y must not be greater than the total number of lines in the file to be divided: %s\n", hydra_options.passfile); @@ -2395,7 +2390,7 @@ int main(int argc, char *argv[]) { exit(EXIT_FAILURE); } else{ - fprintf(stdout, "successfully set X to %d and Y to %d\n", my_segment, num_segments); + fprintf(stdout, "-D: successfully set X to %d and Y to %d\n", my_segment, num_segments); } break; case 'h': 
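Review bot: Both error messages in the hydra_divide_file hunks print `hydra_options.passfile`, but the function is also called for the login file and the colon file (the `-L` and `-C` call sites in main), where passfile is NULL and `%s` receives a null pointer — undefined per the standard, `(null)` on glibc, and misleading in every case. Either pass the file name in as a parameter or drop the name: `fprintf(stderr, "[ERROR] in option -D XofY, Y must not be greater than the number of lines in the wordlist\n");`. `double total_lines = countlines(file,0);` stores a line count in a floating-point variable and then compares it with the unsigned `num_segments`; an integer type (`uint64_t`, or whatever countlines returns) is the honest representation and avoids the mixed comparison. The function's start and end are outside these hunks.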
From 5eea263707a82ccf071b0e11d210c86f22b74bf8 Mon Sep 17 00:00:00 2001 From: motypi Date: Tue, 11 Mar 2025 14:10:52 +0100 Subject: [PATCH 59/79] remove segment files at exit --- hydra.c | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/hydra.c b/hydra.c index e5f71a8..bb75d96 100644 --- a/hydra.c +++ b/hydra.c @@ -342,8 +342,12 @@ char *sck = NULL; int32_t prefer_ipv6 = 0, conwait = 0, loop_cnt = 0, fck = 0, options = 0, killed = 0; int32_t child_head_no = -1, child_socket; int32_t total_redo_count = 0; -int32_t num_segments = 0; -int32_t my_segment = 0; + +// requred for distributed attack capability +uint32_t num_segments = 0; +uint32_t my_segment = 0; +uint32_t junk_file_count = 0; +char junk_files[20][16]; // moved for restore feature int32_t process_restore = 0, dont_unlink; @@ -1595,8 +1599,12 @@ char *hydra_reverse_login(int32_t head_no, char *login) { return hydra_heads[head_no]->reverse; } +void delete_junk_files(){ + for(int i=0; i num_segments){ fprintf(stderr, "[ERROR] in option -D XofY, X must not be greater than Y: %s\n", hydra_options.passfile); @@ -1627,7 +1635,9 @@ FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ uint64_t segment_end = segment_size * my_segment; - sprintf(output_file_name, "segment_%d.txt", my_segment); + fprintf(stdout, "writing filename\n"); + sprintf(output_file_name, "segment_%d_%d.txt",target_no, my_segment); + fprintf(stdout, "writing successful\n"); output_file = fopen(output_file_name, "w"); if(!output_file){ @@ -1635,6 +1645,11 @@ FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ return NULL; } + if(strcpy(junk_files[junk_file_count], output_file_name)) + junk_file_count++; + + atexit(delete_junk_files); + while(fgets(line, sizeof line, file) != NULL && line_number < segment_end){ line_number++; 
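Review bot: `char junk_files[20][16];` cannot hold the names produced by `sprintf(output_file_name, "segment_%d_%d.txt", target_no, my_segment)` — `segment_` plus two numbers plus `.txt` needs 14 bytes plus the digits, so the unchecked `strcpy(junk_files[junk_file_count], output_file_name)` in the `@@ -1635` hunk overflows as soon as the two numbers have three digits between them, and `junk_file_count` is never bounded against 20 either. Use `snprintf(junk_files[junk_file_count], sizeof junk_files[0], "%s", output_file_name)` with a bound on the index (or size the array from the maximum name length), and the `sprintf` into `output_file_name` should become `snprintf(output_file_name, sizeof output_file_name, ...)` for the same reason. Since `@@ -342` turned the globals into `uint32_t`, `%d` is now the wrong specifier for them (here, and for the `sscanf`/`fprintf` in main that still use `%d`); `%u` or `PRIu32` matches. `atexit(delete_junk_files)` is registered on every call rather than once, and the `delete_junk_files` body is garbled in this rendering (`for(int i=0; i` and the rest of the loop are missing), so its bound could not be checked.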
@@ -2390,7 +2405,7 @@ int main(int argc, char *argv[]) { exit(EXIT_FAILURE); } else{ - fprintf(stdout, "-D: successfully set X to %d and Y to %d\n", my_segment, num_segments); + fprintf(stdout, "Option \'D\': successfully set X to %d and Y to %d\n", my_segment, num_segments); } break; case 'h': @@ -3476,7 +3491,7 @@ int main(int argc, char *argv[]) { else if (hydra_options.passfile == NULL){ if(my_segment && num_segments){ filecloser = lfp; - lfp = hydra_divide_file(lfp, my_segment, num_segments); + lfp = hydra_divide_file(lfp, target_no, my_segment, num_segments); fclose(filecloser); } } @@ -3514,7 +3529,7 @@ int main(int argc, char *argv[]) { } else if(my_segment && num_segments){ filecloser = pfp; - pfp = hydra_divide_file(pfp, my_segment, num_segments); + pfp = hydra_divide_file(pfp, target_no, my_segment, num_segments); fclose(filecloser); } hydra_brains.countpass = countlines(pfp, 0); @@ -3573,7 +3588,7 @@ int main(int argc, char *argv[]) { } else if(my_segment && num_segments){ filecloser = cfp; - cfp = hydra_divide_file(cfp, my_segment, num_segments); + cfp = hydra_divide_file(cfp, target_no, my_segment, num_segments); fclose(filecloser); } hydra_brains.countlogin = countlines(cfp, 1); From 4fad67d30791ddfd3f95fe5d70f67a56e53b2ca0 Mon Sep 17 00:00:00 2001 From: xh4vm Date: Tue, 11 Mar 2025 18:42:09 +0500 Subject: [PATCH 60/79] feat: added the ability to brute force a custom port --- hydra-postgres.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hydra-postgres.c b/hydra-postgres.c index 6826c78..3b2cac9 100644 --- a/hydra-postgres.c +++ b/hydra-postgres.c 
@@ -41,7 +41,7 @@ int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, * Building the connection string */ - snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), database, login, pass); + snprintf(connection_string, sizeof(connection_string), "host = '%s' port = '%d' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), port, database, login, pass); if (verbose) hydra_report(stderr, "connection string: %s\n", connection_string); From 79f7d52ba2f2beadfbf504087500ca8c64fa8def Mon Sep 17 00:00:00 2001 From: xh4vm Date: Wed, 12 Mar 2025 13:07:12 +0500 Subject: [PATCH 61/79] feat: added paths for brute force and additional settings for all targets from the file --- hydra.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/hydra.c b/hydra.c index 30a8ece..d8ede22 100644 --- a/hydra.c +++ b/hydra.c @@ -267,6 +267,7 @@ typedef struct { typedef struct { char *target; + char *miscptr; char ip[36]; char *login_ptr; char *pass_ptr; @@ -1174,13 +1175,12 @@ void hydra_service_init(int32_t target_no) { int32_t x = 99; int32_t i; hydra_target *t = hydra_targets[target_no]; - char *miscptr = hydra_options.miscptr; FILE *ofp = hydra_brains.ofp; for (i = 0; x == 99 && i < sizeof(services) / sizeof(services[0]); i++) { if (strcmp(hydra_options.service, services[i].name) == 0) { if (services[i].init) { - x = services[i].init(t->ip, -1, options, miscptr, ofp, t->port, t->target); + x = services[i].init(t->ip, -1, options, t->miscptr, ofp, t->port, t->target); break; } } 
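Review bot: The new connection string interpolates `login` and `pass` into single-quoted libpq keyword values without escaping, so any candidate containing `'` or `\` changes the conninfo syntax — libpq then fails to parse the string instead of testing that password — and a long login/password is silently truncated because the `snprintf` return value is not checked. libpq requires `'` and `\` inside quoted values to be backslash-escaped; either escape both strings before formatting, or hand the pieces to `PQconnectdbParams` as separate keyword/value arrays, which needs no quoting at all (the connection call itself is outside the hunk). The `port = '%d'` addition is fine as `port` is an `int32_t` parameter. start_postgres continues outside the hunk.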
@@ -1264,13 +1264,13 @@ int32_t hydra_spawn_head(int32_t head_no, int32_t target_no) { hydra_target *t = hydra_targets[target_no]; int32_t sp = hydra_heads[head_no]->sp[1]; - char *miscptr = hydra_options.miscptr; + // char *miscptr = hydra_options.miscptr; FILE *ofp = hydra_brains.ofp; hydra_target *head_target = hydra_targets[hydra_heads[head_no]->target_no]; for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) { if (strcmp(hydra_options.service, services[i].name) == 0) { if (services[i].exec) { - services[i].exec(t->ip, sp, options, miscptr, ofp, t->port, head_target->target); + services[i].exec(t->ip, sp, options, t->miscptr, ofp, t->port, head_target->target); // just in case a module returns (which it shouldnt) we let it exit // here exit(-1); @@ -2177,7 +2177,7 @@ int main(int argc, char *argv[]) { int32_t i = 0, j = 0, k, error = 0, modusage = 0, ignore_restore = 0, do_switch; int32_t head_no = 0, target_no = 0, exit_condition = 0, readres; time_t starttime, elapsed_status, elapsed_restore, status_print = 59, tmp_time; - char *tmpptr, *tmpptr2; + char *tmpptr, *tmpptr2, *tmpptr3; char rc, buf[MAXBUF]; time_t last_attempt = 0; fd_set fdreadheads; @@ -3543,7 +3543,7 @@ int main(int argc, char *argv[]) { fclose(rfp); } - if (hydra_options.infile_ptr != NULL) { + if (hydra_options.infile_ptr != NULL) { if ((ifp = fopen(hydra_options.infile_ptr, "r")) == NULL) { fprintf(stderr, "[ERROR] File for targets not found: %s\n", hydra_options.infile_ptr); exit(-1); @@ -3591,6 +3591,7 @@ int main(int argc, char *argv[]) { } } else hydra_targets[i]->target = tmpptr; + if ((tmpptr2 = strchr(tmpptr, ':')) != NULL) { *tmpptr2++ = 0; tmpptr = tmpptr2; @@ -3600,6 +3601,13 @@ int main(int argc, char *argv[]) { } if (hydra_targets[i]->port == 0) hydra_targets[i]->port = hydra_options.port; + + if ((tmpptr3 = strchr(tmpptr, '/')) != NULL) { + hydra_targets[i]->miscptr = tmpptr3; + } + else + hydra_targets[i]->miscptr = "/"; + while (*tmpptr != 0) tmpptr++; tmpptr++; 
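Review bot: In the `@@ -3600` hunk the per-target path is looked for only after the line has already been split at its first `:`, so a -M entry without an explicit port (`host/login:type=login&...:F=401`) keeps `/login` in the target name, treats `type=login&...` as the port text, and then searches for `/` inside the option string — leaving miscptr at the `"/"` default. The `"/"` default is itself unusable for the form modules (they require three colon-separated fields), and the other target-creation paths in this commit fall back to `hydra_options.miscptr` instead, so the two should agree. The fix below cuts the path off before the `:` search and fixes the advance to the next line, which otherwise would stop at the NUL written into the middle of the entry; `// char *miscptr = hydra_options.miscptr;` in the `@@ -1264` hunk is commented-out code and should simply be deleted. main starts and ends outside the hunk.
```c
      } else
        hydra_targets[i]->target = tmpptr;
      /* split the per-target path off first, so a ':' inside the module
         options is not mistaken for the port separator */
      tmpptr3 = strchr(tmpptr, '/');
      if (tmpptr3 != NULL) {
        hydra_targets[i]->miscptr = strdup(tmpptr3); /* keeps the leading '/' */
        *tmpptr3 = 0;                                /* target and port end here */
      } else
        hydra_targets[i]->miscptr = hydra_options.miscptr;
      if ((tmpptr2 = strchr(tmpptr, ':')) != NULL) {
        /* … unchanged: port parsing … */
      }
      if (hydra_targets[i]->port == 0)
        hydra_targets[i]->port = hydra_options.port;
      /* advance past the original end of the line, not the NUL we inserted */
      if (tmpptr3 != NULL)
        tmpptr = tmpptr3 + 1;
      while (*tmpptr != 0)
        tmpptr++;
      tmpptr++;
```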
@@ -3622,6 +3630,7 @@ int main(int argc, char *argv[]) { memset(hydra_targets[0], 0, sizeof(hydra_target)); hydra_targets[0]->target = servers_ptr = hydra_options.server; hydra_targets[0]->port = hydra_options.port; + hydra_targets[0]->miscptr = hydra_options.miscptr; sizeservers = strlen(hydra_options.server) + 1; } else { /* CIDR notation on command line, e.g. 192.168.0.0/24 */ @@ -3666,6 +3675,7 @@ int main(int argc, char *argv[]) { memcpy(&target.sin_addr.s_addr, (char *)&addr_cur2, 4); hydra_targets[i]->target = strdup(inet_ntoa((struct in_addr)target.sin_addr)); hydra_targets[i]->port = hydra_options.port; + hydra_targets[i]->miscptr = hydra_options.miscptr; addr_cur++; i++; } @@ -3681,6 +3691,7 @@ int main(int argc, char *argv[]) { memset(hydra_targets[0], 0, sizeof(hydra_target)); hydra_targets[0]->target = servers_ptr = hydra_options.server; hydra_targets[0]->port = hydra_options.port; + hydra_targets[0]->miscptr = hydra_options.miscptr; sizeservers = strlen(hydra_options.server) + 1; } for (i = 0; i < hydra_brains.targets; i++) { 
@@ -4113,7 +4124,7 @@ int main(int argc, char *argv[]) { } else if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) { printf("[%d][%s] host: %s login: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr); } else - printf("[%d][%s] host: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); + printf("[%d][%s] host: %s misc: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_targets[hydra_heads[head_no]->target_no]->miscptr, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr); } if (hydra_options.outfile_format == FORMAT_JSONV1 && hydra_options.outfile_ptr != NULL && hydra_brains.ofp != NULL) { fprintf(hydra_brains.ofp, From 74b37e24c811c46576687d5f15fae484bdf10828 Mon Sep 17 00:00:00 2001 From: motypi Date: Wed, 12 Mar 2025 10:37:01 +0100 Subject: [PATCH 62/79] unique segment filename --- hydra.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/hydra.c b/hydra.c index bb75d96..013c4d9 100644 --- a/hydra.c +++ b/hydra.c @@ -346,8 +346,7 @@ int32_t total_redo_count = 0; // requred for distributed attack capability uint32_t num_segments = 0; uint32_t my_segment = 0; -uint32_t junk_file_count = 0; -char junk_files[20][16]; +char junk_file[50]; // moved for restore feature int32_t process_restore = 0, dont_unlink; 
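Review bot: `misc: %s` in the new printf passes `hydra_targets[...]->miscptr` straight to `%s`, and nothing in the hunk guarantees it is non-NULL (the http code only defaults it when -M is not used, and other services may never set it), which is undefined behaviour for a null pointer. Guard it — `hydra_targets[hydra_heads[head_no]->target_no]->miscptr ? hydra_targets[hydra_heads[head_no]->target_no]->miscptr : ""` — or print the field only when set. The login-only branch just above and the JSON writer that follows do not appear to have been given the new field, so text and JSON output now describe a result differently. The enclosing function starts and ends outside the hunk.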
@@ -1600,11 +1599,10 @@ char *hydra_reverse_login(int32_t head_no, char *login) { } void delete_junk_files(){ - for(int i=0; i num_segments){ fprintf(stderr, "[ERROR] in option -D XofY, X must not be greater than Y: %s\n", hydra_options.passfile); @@ -1613,7 +1611,7 @@ FILE *hydra_divide_file(FILE *file, uint32_t target_no, uint32_t my_segment, uin FILE *output_file; char line[500]; - char output_file_name[20]; + char output_file_name[50]; uint32_t line_number = 0; @@ -1635,8 +1633,11 @@ FILE *hydra_divide_file(FILE *file, uint32_t target_no, uint32_t my_segment, uin uint64_t segment_end = segment_size * my_segment; - fprintf(stdout, "writing filename\n"); - sprintf(output_file_name, "segment_%d_%d.txt",target_no, my_segment); + + srand(time(NULL)); + int filetag = rand(); + + sprintf(output_file_name, "segment_%d_%d.txt",filetag, my_segment); fprintf(stdout, "writing successful\n"); output_file = fopen(output_file_name, "w"); @@ -1645,8 +1646,7 @@ FILE *hydra_divide_file(FILE *file, uint32_t target_no, uint32_t my_segment, uin return NULL; } - if(strcpy(junk_files[junk_file_count], output_file_name)) - junk_file_count++; + strcpy(junk_file, output_file_name); atexit(delete_junk_files); @@ -3491,7 +3491,7 @@ int main(int argc, char *argv[]) { else if (hydra_options.passfile == NULL){ if(my_segment && num_segments){ filecloser = lfp; - lfp = hydra_divide_file(lfp, target_no, my_segment, num_segments); + lfp = hydra_divide_file(lfp, my_segment, num_segments); fclose(filecloser); } } @@ -3529,7 +3529,7 @@ int main(int argc, char *argv[]) { } else if(my_segment && num_segments){ filecloser = pfp; - pfp = hydra_divide_file(pfp, target_no, my_segment, num_segments); + pfp = hydra_divide_file(pfp, my_segment, num_segments); fclose(filecloser); } hydra_brains.countpass = countlines(pfp, 0); 
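Review bot: `srand(time(NULL)); int filetag = rand();` does not make the segment name unique: two hydra processes started in the same second — exactly the distributed scenario -D is for — get the same seed, the same `filetag` and the same `segment_<tag>_<X>.txt`, and `fopen(..., "w")` in the current directory then truncates whatever already sits at that name, including the file a symlink points to. `mkstemp` addresses all of this (unique name, exclusive creation, mode 0600 — which also matters because the file holds a slice of the credential list), and the reseeding of the process-wide RNG, which may affect other callers of `rand()` in hydra, becomes unnecessary; `%d` for the `uint32_t my_segment` should be `%u` in any remaining format. With `junk_file[50]` replacing the array (`@@ -346` of this patch) only one name is remembered, so a second hydra_divide_file call in the same run would leave its file behind — worth a comment stating that the three call sites are mutually exclusive, if that is the intent. The function starts and ends outside these hunks.
```c
  /* unique name, created exclusively with mode 0600 */
  char output_file_name[50] = "segment_XXXXXX";
  int fd = mkstemp(output_file_name);
  if (fd < 0) {
    fprintf(stderr, "[ERROR] could not create segment file for option -D\n");
    return NULL;
  }
  output_file = fdopen(fd, "w");
  /* … unchanged: if(!output_file) check, strcpy(junk_file, output_file_name), atexit(), copy loop … */
```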
@@ -3588,7 +3588,7 @@ int main(int argc, char *argv[]) { } else if(my_segment && num_segments){ filecloser = cfp; - cfp = hydra_divide_file(cfp, target_no, my_segment, num_segments); + cfp = hydra_divide_file(cfp, my_segment, num_segments); fclose(filecloser); } hydra_brains.countlogin = countlines(cfp, 1); From b8ea180d85fc391d5f349660081c3c8540b7b495 Mon Sep 17 00:00:00 2001 From: motypi Date: Wed, 12 Mar 2025 10:38:25 +0100 Subject: [PATCH 63/79] unique segment filename --- hydra.c | 1 - 1 file changed, 1 deletion(-) diff --git a/hydra.c b/hydra.c index 013c4d9..7def50a 100644 --- a/hydra.c +++ b/hydra.c @@ -1638,7 +1638,6 @@ FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){ int filetag = rand(); sprintf(output_file_name, "segment_%d_%d.txt",filetag, my_segment); - fprintf(stdout, "writing successful\n"); output_file = fopen(output_file_name, "w"); if(!output_file){ From ad286790ca3ca7e61a3341ee784b95864d9349d7 Mon Sep 17 00:00:00 2001 From: xh4vm Date: Thu, 13 Mar 2025 12:26:57 +0500 Subject: [PATCH 64/79] feat: integration with http[s]-* --- hydra.c | 132 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 67 insertions(+), 65 deletions(-) diff --git a/hydra.c b/hydra.c index d8ede22..492089c 100644 --- a/hydra.c +++ b/hydra.c 
@@ -3201,77 +3201,79 @@ int main(int argc, char *argv[]) { bail("Compiled without SSL support, module not available"); #endif } - if (hydra_options.miscptr == NULL) { - fprintf(stderr, "[WARNING] You must supply the web page as an " - "additional option or via -m, default path set to /\n"); - hydra_options.miscptr = malloc(2); - hydra_options.miscptr = "/"; - } - // if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr, - // "://") == NULL) - // bail("The web page you supplied must start with a \"/\", \"http://\" - // or \"https://\", e.g. \"/protected/login\""); - if (hydra_options.miscptr[0] != '/') - bail("optional parameter must start with a '/' slash!\n"); - if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY")) - bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - " - "you can use only ONE for the service http-head/http-get!"); - if (getenv("HYDRA_PROXY_HTTP")) { - printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP")); - use_proxy = 1; - } - if (strstr(hydra_options.miscptr, "\\:") != NULL) { - fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module " - "option, no parameter verification is performed.\n"); - } else { - sprintf(bufferurl, "%.6000s", hydra_options.miscptr); - url = strtok(bufferurl, ":"); - variables = strtok(NULL, ":"); - cond = strtok(NULL, ":"); - optional1 = strtok(NULL, "\n"); - if ((variables == NULL) || (strstr(variables, "^USER^") == NULL && strstr(variables, "^PASS^") == NULL && strstr(variables, "^USER64^") == NULL && strstr(variables, "^PASS64^") == NULL)) { - fprintf(stderr, - "[ERROR] the variables argument needs at least the strings " - "^USER^, ^PASS^, ^USER64^ or ^PASS64^: %s\n", - STR_NULL(variables)); - exit(-1); + if (hydra_options.infile_ptr == NULL) { + if (hydra_options.miscptr == NULL) { + fprintf(stderr, "[WARNING] You must supply the web page as an " + "additional option or via -m, default path set to /\n"); + hydra_options.miscptr = malloc(2); + 
hydra_options.miscptr = "/"; } - if ((url == NULL) || (cond == NULL)) { - fprintf(stderr, - "[ERROR] Wrong syntax, requires three arguments separated by " - "a colon which may not be null: %s\n", - bufferurl); - exit(-1); + // if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr, + // "://") == NULL) + // bail("The web page you supplied must start with a \"/\", \"http://\" + // or \"https://\", e.g. \"/protected/login\""); + if (hydra_options.miscptr[0] != '/') + bail("optional parameter must start with a '/' slash!\n"); + if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY")) + bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - " + "you can use only ONE for the service http-head/http-get!"); + if (getenv("HYDRA_PROXY_HTTP")) { + printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP")); + use_proxy = 1; } - while ((optional1 = strtok(NULL, ":")) != NULL) { - if (optional1[1] != '=' && optional1[1] != ':' && optional1[1] != 0) { - fprintf(stderr, "[ERROR] Wrong syntax of optional argument: %s\n", optional1); + if (strstr(hydra_options.miscptr, "\\:") != NULL) { + fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module " + "option, no parameter verification is performed.\n"); + } else { + sprintf(bufferurl, "%.6000s", hydra_options.miscptr); + url = strtok(bufferurl, ":"); + variables = strtok(NULL, ":"); + cond = strtok(NULL, ":"); + optional1 = strtok(NULL, "\n"); + if ((variables == NULL) || (strstr(variables, "^USER^") == NULL && strstr(variables, "^PASS^") == NULL && strstr(variables, "^USER64^") == NULL && strstr(variables, "^PASS64^") == NULL)) { + fprintf(stderr, + "[ERROR] the variables argument needs at least the strings " + "^USER^, ^PASS^, ^USER64^ or ^PASS64^: %s\n", + STR_NULL(variables)); exit(-1); } + if ((url == NULL) || (cond == NULL)) { + fprintf(stderr, + "[ERROR] Wrong syntax, requires three arguments separated by " + "a colon which may not be null: %s\n", + bufferurl); + exit(-1); + } + 
while ((optional1 = strtok(NULL, ":")) != NULL) { + if (optional1[1] != '=' && optional1[1] != ':' && optional1[1] != 0) { + fprintf(stderr, "[ERROR] Wrong syntax of optional argument: %s\n", optional1); + exit(-1); + } - switch (optional1[0]) { - case 'C': // fall through - case 'c': - if (optional1[1] != '=' || optional1[2] != '/') { - fprintf(stderr, - "[ERROR] Wrong syntax of parameter C, must look like " - "'C=/url/of/page', not http:// etc.: %s\n", - optional1); - exit(-1); + switch (optional1[0]) { + case 'C': // fall through + case 'c': + if (optional1[1] != '=' || optional1[2] != '/') { + fprintf(stderr, + "[ERROR] Wrong syntax of parameter C, must look like " + "'C=/url/of/page', not http:// etc.: %s\n", + optional1); + exit(-1); + } + break; + case 'H': // fall through + case 'h': + if (optional1[1] != '=' || strtok(NULL, ":") == NULL) { + fprintf(stderr, + "[ERROR] Wrong syntax of parameter H, must look like " + "'H=X-My-Header: MyValue', no http:// : %s\n", + optional1); + exit(-1); + } + break; + default: + fprintf(stderr, "[ERROR] Unknown optional argument: %s\n", optional1); } - break; - case 'H': // fall through - case 'h': - if (optional1[1] != '=' || strtok(NULL, ":") == NULL) { - fprintf(stderr, - "[ERROR] Wrong syntax of parameter H, must look like " - "'H=X-My-Header: MyValue', no http:// : %s\n", - optional1); - exit(-1); - } - break; - default: - fprintf(stderr, "[ERROR] Unknown optional argument: %s\n", optional1); } } } From ba45db1496584f3a2cd439cb794d54c7fc82b202 Mon Sep 17 00:00:00 2001 From: xh4vm Date: Fri, 14 Mar 2025 19:28:04 +0500 Subject: [PATCH 65/79] feat: added documentation --- hydra-http-form.c | 5 +++++ hydra-http.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/hydra-http-form.c b/hydra-http-form.c index 4c6919b..7f56091 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
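Review bot: Wrapping the whole block in `if (hydra_options.infile_ptr == NULL)` removes validation for exactly the inputs the -M file now supplies: per-target miscptr values parsed from the file never pass the `^USER^`/`^PASS^` check, the leading-`/` check or the `C=`/`H=` syntax checks, so a malformed line fails later inside a child module — or not at all — instead of at startup. It also skips the `HYDRA_PROXY_HTTP` handling, which has nothing to do with miscptr, so `use_proxy` is no longer set when -M is used; the two `getenv` checks should move back outside the condition. The syntax checks could become a helper that takes the option string and is run once over `hydra_options.miscptr` and once per `hydra_targets[i]->miscptr` after the target file is parsed, since they currently read the global and `exit` directly. The pre-existing `hydra_options.miscptr = malloc(2);` immediately overwritten by `= "/"` leaks the allocation and can be dropped while the lines are being moved. main continues outside the hunk.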
@@ -1613,6 +1613,11 @@ void usage_http_form(const char *service) { "You can specify a header without escaping the colons, but that way you will not\n" "be able to put colons in the header value itself, as they will be interpreted by\n" "hydra as option separators.\n" + "Note: to attack multiple targets, you only need to pass the path to the file containing the targets with parameters,\n" + "for example, a file with targets:\n\n" + " localhost:8443/login:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=401\n" + " localhost:9443/login2:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=302\n" + " ...\n\n" "\nExamples:\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" " \"/" diff --git a/hydra-http.c b/hydra-http.c index ba9a676..c083e8c 100644 --- a/hydra-http.c +++ b/hydra-http.c @@ -473,6 +473,11 @@ void usage_http(const char *service) { "present the\n" " combination is invalid. Note: this must be the last option " "supplied.\n" + "Note: to attack multiple targets, you only need to pass the path to the file containing the targets with parameters,\n" + "for example, a file with targets:\n\n" + " localhost:5000/protected:A=BASIC\n" + " localhost:5002/protected:A=NTLM\n" + " ...\n\n" "For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: " "sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n", service); From aae8baae838ef02eb529f8e63b30747cae3ab4a4 Mon Sep 17 00:00:00 2001 From: xh4vm Date: Tue, 18 Mar 2025 17:32:56 +0500 Subject: [PATCH 66/79] fix: hydra-http documentation --- hydra-http.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) mode change 100644 => 100755 hydra-http.c diff --git a/hydra-http.c b/hydra-http.c old mode 100644 new mode 100755 index c083e8c..e78f865 --- a/hydra-http.c +++ b/hydra-http.c 
@@ -473,12 +473,13 @@ void usage_http(const char *service) { "present the\n" " combination is invalid. Note: this must be the last option " "supplied.\n" - "Note: to attack multiple targets, you only need to pass the path to the file containing the targets with parameters,\n" - "for example, a file with targets:\n\n" - " localhost:5000/protected:A=BASIC\n" - " localhost:5002/protected:A=NTLM\n" - " ...\n\n" "For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: " - "sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n", + "sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n" + "To attack multiple targets, you can use the -M option with a file " + "containing the targets and their parameters.\n" + "Example file content:\n" + " localhost:5000/protected:A=BASIC\n" + " localhost:5002/protected_path:A=NTLM\n" + " ...\n\n", service); } From b81105f6af5b7e1ba43be3863a764bbd2b11c078 Mon Sep 17 00:00:00 2001 From: xh4vm Date: Tue, 18 Mar 2025 17:35:41 +0500 Subject: [PATCH 67/79] fix: hydra-http-form documentation --- hydra-http-form.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) mode change 100644 => 100755 hydra-http-form.c diff --git a/hydra-http-form.c b/hydra-http-form.c old mode 100644 new mode 100755 index 7f56091..af2f457 --- a/hydra-http-form.c +++ b/hydra-http-form.c 
@@ -1613,11 +1613,6 @@ void usage_http_form(const char *service) { "You can specify a header without escaping the colons, but that way you will not\n" "be able to put colons in the header value itself, as they will be interpreted by\n" "hydra as option separators.\n" - "Note: to attack multiple targets, you only need to pass the path to the file containing the targets with parameters,\n" - "for example, a file with targets:\n\n" - " localhost:8443/login:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=401\n" - " localhost:9443/login2:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=302\n" - " ...\n\n" "\nExamples:\n" " \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n" " \"/" @@ -1629,6 +1624,12 @@ void usage_http_form(const char *service) { " \"/exchweb/bin/auth/:F=failed" "owaauth.dll:destination=http%%3A%%2F%%2F%%2Fexchange&flags=0&" "username=%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:" - "C=/exchweb\":reason=\n", + "C=/exchweb\":reason=\n" + "To attack multiple targets, you can use the -M option with a file " + "containing the targets and their parameters.\n" + "Example file content:\n" + " localhost:8443/login:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=401\n" + " localhost:9443/login2:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=302\n" + " ...\n\n", service); } From 3c233fdbc095842daa935753ec4dca5092c47baf Mon Sep 17 00:00:00 2001 From: motypi Date: Tue, 18 Mar 2025 16:05:08 +0100 Subject: [PATCH 68/79] Used freetds to use TDSv7. First working version. --- Makefile | 109 ++++++++++++++++++++++++++++++++++++++++++++++++-- hydra-mssql.c | 103 ++++++++--------------------------------------- 2 files changed, 122 insertions(+), 90 deletions(-) diff --git a/Makefile b/Makefile index 0fc0d2e..b228a4e 100644 --- a/Makefile +++ b/Makefile 
@@ -1,8 +1,111 @@ -all: - @echo Error: you must run "./configure" first +STRIP=strip +XDEFINES= -DLIBOPENSSL -DLIBNCURSES -DHAVE_PCRE -DHAVE_ZLIB -DHAVE_MATH_H -DHAVE_SYS_PARAM_H +XLIBS= -lz -lcurses -lssl -lpcre2-8 -lcrypto -lsybdb +XLIBPATHS=-L/usr/lib -L/usr/local/lib -L/lib -L/lib/x86_64-linux-gnu +XIPATHS= -I/usr/include -I/usr/include +PREFIX=/usr/local +XHYDRA_SUPPORT= +STRIP=strip + +HYDRA_LOGO= +PWI_LOGO= +SEC=-pie -fPIE -fstack-protector-all --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro -Wl,--allow-multiple-definition + +# +# Makefile for Hydra - (c) 2001-2023 by van Hauser / THC +# +WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations +WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align +CFLAGS ?= -g +OPTS=-I. 
-O3 $(CFLAGS) -fcommon -Wno-deprecated-declarations +CPPFLAGS += -D_GNU_SOURCE +# -Wall -g -pedantic +LIBS=-lm +DESTDIR ?= +BINDIR = /bin +MANDIR = /man/man1/ +DATADIR = /etc +PIXDIR = /share/pixmaps +APPDIR = /share/applications + +SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \ + hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \ + hydra-pop3.c hydra-smb.c hydra-icq.c hydra-cisco-enable.c hydra-ldap.c \ + hydra-memcached.c hydra-mongodb.c hydra-mysql.c hydra-mssql.c hydra-xmpp.c \ + hydra-http-proxy-urlenum.c hydra-snmp.c hydra-cvs.c hydra-smtp.c \ + hydra-smtp-enum.c hydra-sapr3.c hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c \ + hydra-postgres.c hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c \ + hydra-svn.c hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \ + hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c hydra-rdp.c \ + hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \ + hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \ + hydra-rpcap.c hydra-radmin2.c hydra-cobaltstrike.c \ + hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c \ + hydra-smb2.c +OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \ + hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \ + hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \ + hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-cobaltstrike.o hydra-xmpp.o \ + hydra-http-proxy-urlenum.o hydra-snmp.o hydra-cvs.o hydra-smtp.o \ + hydra-smtp-enum.o hydra-sapr3.o hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o \ + hydra-postgres.o hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o \ + hydra-svn.o hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \ + hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o \ + hydra-ncp.o hydra-http-proxy.o hydra-http-form.o hydra-irc.o \ + hydra-redis.o hydra-rdp.o hydra-s7-300.c 
hydra-adam6500.o hydra-rtsp.o \ + hydra-rpcap.o hydra-radmin2.o \ + crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o \ + hydra-smb2.o +BINS = hydra pw-inspector + +EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \ + hydra-mod.h hydra.h crc32.h d3des.h + +all: pw-inspector hydra $(XHYDRA_SUPPORT) + @echo + @echo Now type "make install" + +hydra: hydra.c $(OBJ) + $(CC) $(OPTS) $(SEC) $(LIBS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o hydra $(HYDRA_LOGO) hydra.c $(OBJ) $(LIBS) $(XLIBS) $(XLIBPATHS) $(XIPATHS) $(XDEFINES) + @echo + @echo If men could get pregnant, abortion would be a sacrament + @echo + +xhydra: + -cd hydra-gtk && sh ./make_xhydra.sh + +pw-inspector: pw-inspector.c + -$(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o pw-inspector $(PWI_LOGO) pw-inspector.c + +.c.o: + $(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) -c $< $(XDEFINES) $(XIPATHS) + +strip: all + -strip $(BINS) + -echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null + +install: strip + -mkdir -p $(DESTDIR)$(PREFIX)$(BINDIR) + cp -f hydra-wizard.sh $(BINS) $(DESTDIR)$(PREFIX)$(BINDIR) && cd $(DESTDIR)$(PREFIX)$(BINDIR) && chmod 755 hydra-wizard.sh $(BINS) + -echo OK > /dev/null && test -x xhydra && cp xhydra $(DESTDIR)$(PREFIX)$(BINDIR) && cd $(DESTDIR)$(PREFIX)$(BINDIR) && chmod 755 xhydra || echo OK > /dev/null + -sed -e "s|^INSTALLDIR=.*|INSTALLDIR="$(PREFIX)"|" dpl4hydra.sh | sed -e "s|^LOCATION=.*|LOCATION="$(DATADIR)"|" > $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh + -chmod 755 $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh + -mkdir -p $(DESTDIR)$(PREFIX)$(DATADIR) + -cp -f *.csv $(DESTDIR)$(PREFIX)$(DATADIR) + -mkdir -p $(DESTDIR)$(PREFIX)$(MANDIR) + -cp -f hydra.1 xhydra.1 pw-inspector.1 $(DESTDIR)$(PREFIX)$(MANDIR) + -mkdir -p $(DESTDIR)$(PREFIX)$(PIXDIR) + -cp -f xhydra.png $(DESTDIR)$(PREFIX)$(PIXDIR)/ + -mkdir -p $(DESTDIR)$(PREFIX)$(APPDIR) + -desktop-file-install --dir $(DESTDIR)$(PREFIX)$(APPDIR) xhydra.desktop clean: + 
rm -rf xhydra pw-inspector hydra *.o core *.core *.stackdump *~ Makefile.in Makefile dev_rfc hydra.restore arm/*.ipk arm/ipkg/usr/bin/* hydra-gtk/src/*.o hydra-gtk/src/xhydra hydra-gtk/stamp-h hydra-gtk/config.status hydra-gtk/errors hydra-gtk/config.log hydra-gtk/src/.deps hydra-gtk/src/Makefile hydra-gtk/Makefile cp -f Makefile.orig Makefile uninstall: - @echo Error: you must run "./configure" first + -rm -f $(DESTDIR)$(PREFIX)$(BINDIR)/xhydra $(DESTDIR)$(PREFIX)$(BINDIR)/hydra $(DESTDIR)$(PREFIX)$(BINDIR)/pw-inspector $(DESTDIR)$(PREFIX)$(BINDIR)/hydra-wizard.sh $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh + -rm -f $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_full.csv $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_local.csv + -rm -f $(DESTDIR)$(PREFIX)$(MANDIR)/hydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/xhydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/pw-inspector.1 + -rm -f $(DESTDIR)$(PREFIX)$(PIXDIR)/xhydra.png + -rm -f $(DESTDIR)$(PREFIX)$(APPDIR)/xhydra.desktop diff --git a/hydra-mssql.c b/hydra-mssql.c index ee273ca..17f5bee 100644 --- a/hydra-mssql.c +++ b/hydra-mssql.c 
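Review bot: This replaces the "run ./configure first" placeholder with a generated Makefile from one machine (`XLIBS= ... -lsybdb`, `-L/usr/lib -L/lib/x86_64-linux-gnu`, a fixed `XDEFINES` set), and the tree's own `clean` target does `cp -f Makefile.orig Makefile`, so the next configure run overwrites it and the `-lsybdb` link flag is lost. The freetds dependency belongs in the configure probe (detect the sybdb header and library, append `-lsybdb` to `XLIBS`) and in Makefile.am, not in a committed build artefact. Two smaller things in the new content: `STRIP=strip` is defined twice, and the `OBJ` list contains `hydra-s7-300.c` where every neighbour is a `.o`.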
@@ -1,113 +1,42 @@ #include "hydra-mod.h" - -#define MSLEN 30 +#include +#include extern char *HYDRA_EXIT; char *buf; -unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00"; -unsigned char p_pk2[] = "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03" - "\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61" - "\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00"; -unsigned char p_pk3[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44" - "\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00" - "\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00" - 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00"; -unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00" - "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00" - "\x00\x03\x00\x00\x00"; - int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = ""; - char *login, *pass, buffer[1024]; - char ms_login[MSLEN + 1]; - char ms_pass[MSLEN + 1]; - unsigned char len_login, len_pass; - int32_t ret = -1; + char *login, *pass; + char *ipaddr_str = hydra_address2string(ip); + + fprintf(stdout, "The target ip is: %s\n", ipaddr_str); + if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; - if (strlen(login) > MSLEN) - login[MSLEN - 1] = 0; - if (strlen(pass) > MSLEN) - pass[MSLEN - 1] = 0; - len_login = strlen(login); - len_pass = strlen(pass); - memset(ms_login, 0, MSLEN + 1); - memset(ms_pass, 0, MSLEN + 1); - strcpy(ms_login, login); - strcpy(ms_pass, pass); - memset(buffer, 0, sizeof(buffer)); - memcpy(buffer, p_hdr, 39); - memcpy(buffer + 39, ms_login, MSLEN); - memcpy(buffer + MSLEN + 39, &len_login, 1); - memcpy(buffer + MSLEN + 1 + 39, ms_pass, MSLEN); - memcpy(buffer + MSLEN + 1 + 39 + MSLEN, &len_pass, 1); - memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1, p_pk2, 110); - memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110, &len_pass, 1); - memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1, ms_pass, MSLEN); - memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN, p_pk3, 270); + DBPROCESS *dbproc; + LOGINREC *attempt; - if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0) - return 1; - if (hydra_send(s, (char *)p_lng, 71, 0) < 0) - return 1; + dbinit(); + attempt = 
dblogin();
+ DBSETLUSER(attempt, login);
+ DBSETLPWD(attempt, pass);
- memset(buffer, 0, sizeof(buffer));
- ret = hydra_recv_nb(s, buffer, sizeof(buffer));
+ // Connect without specifying a database
+ dbproc = dbopen(attempt, ipaddr_str);
- if (ret <= 0)
- return 3;
-
- if (ret > 10 && buffer[8] == '\xe3') {
+ if (dbproc != NULL) {
 hydra_report_found_host(port, ip, "mssql", fp);
 hydra_completed_pair_found();
- free(buf);
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
 return 2;
 return 1;
 }
- free(buf);
 hydra_completed_pair();
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
 return 2;
From 3635dff5ff317a375948cd2b6893a481e183ccbd Mon Sep 17 00:00:00 2001
From: motypi
Date: Wed, 19 Mar 2025 07:41:46 +0100
Subject: [PATCH 69/79] handle libraries accommodate old version of TDS
---
 configure | 37 ++++++++++++++-
 hydra-mssql.c | 123 +++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 153 insertions(+), 7 deletions(-)
diff --git a/configure b/configure
index 1ae09a9..dc86adb 100755
--- a/configure
+++ b/configure
@@ -185,6 +185,32 @@ else
 echo " ... zlib not found, gzip support disabled"
 fi
+echo "Checking for sybdb (sybdb.h) ..."
+for i in $INCDIRS; do
+ if [ -f "$i/sybdb.h" ]; then
+ HAVE_SYBDB="y"
+ fi
+done
+
+if [ -n "$HAVE_SYBDB" ]; then
+ echo " ... found"
+else
+ echo " ... sybdb not found, MSSQL module will lack TDSv7 support"
+fi
+
+echo "Checking for sybfront (sybfront.h) ..."
+for i in $INCDIRS; do
+ if [ -f "$i/sybfront.h" ]; then
+ HAVE_SYBFRONT="y"
+ fi
+done
+
+if [ -n "$HAVE_SYBFRONT" ]; then
+ echo " ... found"
+else
+ echo " ... sybfront not found, MSSQL module will lack TDSv7 support"
+fi
+
 echo "Checking for openssl (libssl/libcrypto/ssl.h/sha.h) ..."
 if [ "X" != "X$DEBUG" ]; then
 echo DEBUG: SSL_LIB=$LIBDIRS `ls -d /*ssl /usr/*ssl /opt/*ssl /usr/local/*ssl /opt/local/*ssl /*ssl/lib /usr/*ssl/lib /opt/*ssl/lib /usr/local/*ssl/lib /opt/local/*ssl/lib 2> /dev/null`
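Review bot: `attempt = dblogin();` is handed to DBSETLUSER/DBSETLPWD without a NULL check, and the LOGINREC is never released with dbloginfree() on either exit path, so every guess leaks one login record. dbopen() opens its own connection from ipaddr_str, so the already-connected socket s and the port argument of start_mssql appear to go unused, which would make a user-specified port ineffective for this module — confirm against how FreeTDS resolves the server name. The successful-login path also returns without dbclose(), and the per-attempt `fprintf(stdout, "The target ip is: %s\n", ipaddr_str);` reads as leftover debug output. A minimal change is `if ((attempt = dblogin()) == NULL) return 3;` before the DBSETL* calls and `dbloginfree(attempt);` after dbopen() on both paths.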
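Review bot: Both probes only test that a header exists under $INCDIRS and never try to link against libsybdb, yet `-lsybdb` is appended to XLIBS on HAVE_SYBDB alone, so a host with the headers but without the library fails at link time instead of falling back to the legacy TDS path (other library checks in configure are not visible here, so this is inferred from the two hunks). hydra-mssql.c only takes the new path when HAVE_SYBFRONT and HAVE_SYBDB are both defined, so the two flags could be folded into one decision, e.g. `if [ -n "$HAVE_SYBDB" ] && [ -n "$HAVE_SYBFRONT" ]; then` before the XDEFINES/XLIBS additions, which also removes the duplicated "not found" message.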
@@ -1496,6 +1522,12 @@ fi
 if [ -n "$RSA" ]; then
 XDEFINES="$XDEFINES -DNO_RSA_LEGACY"
 fi
+if [ -n "$HAVE_SYBDB" ]; then
+ XDEFINES="$XDEFINES -DHAVE_SYBDB"
+fi
+if [ -n "$HAVE_SYBFRONT" ]; then
+ XDEFINES="$XDEFINES -DHAVE_SYBFRONT"
+fi
 if [ -n "$HAVE_ZLIB" ]; then
 XDEFINES="$XDEFINES -DHAVE_ZLIB"
 fi
@@ -1627,6 +1659,9 @@ fi
 if [ -n "$HAVE_ZLIB" ]; then
 XLIBS="$XLIBS -lz"
 fi
+if [ -n "$HAVE_SYBDB" ]; then
+ XLIBS="$XLIBS -lsybdb"
+fi
 if [ -n "$CURSES_PATH" ]; then
 XLIBS="$XLIBS -lcurses"
 fi
@@ -1804,4 +1839,4 @@ if [ "x$NOSTRIP" = "x" ]; then
 else
 cat Makefile.am | sed 's/^install:.*/install: all/' >> Makefile
 fi
-echo "now type \"make\""
+echo "now type \"make\""
\ No newline at end of file
diff --git a/hydra-mssql.c b/hydra-mssql.c
index 17f5bee..4131b54 100644
--- a/hydra-mssql.c
+++ b/hydra-mssql.c
@@ -1,18 +1,15 @@
 #include "hydra-mod.h"
-#include
-#include
-
 extern char *HYDRA_EXIT;
 char *buf;
+#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
+#include
+#include
 int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
 char *empty = "";
 char *login, *pass;
 char *ipaddr_str = hydra_address2string(ip);
- fprintf(stdout, "The target ip is: %s\n", ipaddr_str);
-
-
 if (strlen(login = hydra_get_next_login()) == 0)
 login = empty;
 if (strlen(pass = hydra_get_next_password()) == 0)
@@ -43,6 +40,120 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch return 1; } +#else +#define MSLEN 30 + +unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00"; +unsigned char p_pk2[] = "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03" + "\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x73\x71\x75\x65\x6c\x64\x61" + "\x20\x31\x2e\x30\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00"; +unsigned char p_pk3[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x04\x02\x00\x00\x4d\x53\x44" + "\x42\x4c\x49\x42\x00\x00\x00\x07\x06\x00\x00" + 
"\x00\x00\x0d\x11\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00"; +unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00" + "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x30\x30\x30\x00\x00" + "\x00\x03\x00\x00\x00"; + +int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { + char *empty = ""; + char *login, *pass, buffer[1024]; + char ms_login[MSLEN + 1]; + char ms_pass[MSLEN + 1]; + unsigned char len_login, len_pass; + int32_t ret = -1; + + if (strlen(login = hydra_get_next_login()) == 0) + login = empty; + if (strlen(pass = hydra_get_next_password()) == 0) + pass = empty; + if (strlen(login) > MSLEN) + login[MSLEN - 1] = 0; + if (strlen(pass) > MSLEN) + pass[MSLEN - 1] = 0; + len_login = strlen(login); + len_pass = strlen(pass); + memset(ms_login, 0, MSLEN + 1); + memset(ms_pass, 0, MSLEN + 1); + strcpy(ms_login, login); + strcpy(ms_pass, pass); + + memset(buffer, 0, sizeof(buffer)); + memcpy(buffer, p_hdr, 39); + memcpy(buffer + 39, ms_login, MSLEN); + memcpy(buffer + MSLEN + 39, &len_login, 1); + memcpy(buffer + MSLEN + 1 + 39, ms_pass, MSLEN); + memcpy(buffer + MSLEN + 1 + 39 + MSLEN, &len_pass, 1); + memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1, p_pk2, 110); + memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110, &len_pass, 1); + memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1, ms_pass, MSLEN); + memcpy(buffer + MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN, p_pk3, 270); + + if (hydra_send(s, buffer, MSLEN + 1 + 39 + MSLEN + 1 + 110 + 1 + MSLEN + 270, 0) < 0) + return 1; + if (hydra_send(s, (char *)p_lng, 71, 0) < 0) + return 1; + + memset(buffer, 0, sizeof(buffer)); + ret = hydra_recv_nb(s, buffer, sizeof(buffer)); + + if (ret <= 0) + return 3; + + if (ret > 10 
&& buffer[8] == '\xe3') {
+ hydra_report_found_host(port, ip, "mssql", fp);
+ hydra_completed_pair_found();
+ free(buf);
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 2;
+ return 1;
+ }
+
+ free(buf);
+ hydra_completed_pair();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 2;
+
+ return 1;
+}
+
+#endif
 void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
 int32_t run = 1, next_run = 1, sock = -1;
From 17c6228f7bf6d680bc7d41447dd807e2193d221c Mon Sep 17 00:00:00 2001
From: motypi
Date: Wed, 19 Mar 2025 08:01:10 +0100
Subject: [PATCH 70/79] generated Makefile
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index b228a4e..47b1751 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 STRIP=strip
-XDEFINES= -DLIBOPENSSL -DLIBNCURSES -DHAVE_PCRE -DHAVE_ZLIB -DHAVE_MATH_H -DHAVE_SYS_PARAM_H
-XLIBS= -lz -lcurses -lssl -lpcre2-8 -lcrypto -lsybdb
+XDEFINES= -DLIBOPENSSL -DLIBNCURSES -DHAVE_PCRE -DHAVE_SYBDB -DHAVE_SYBFRONT -DHAVE_ZLIB -DHAVE_MATH_H -DHAVE_SYS_PARAM_H
+XLIBS= -lz -lsybdb -lcurses -lssl -lpcre2-8 -lcrypto
 XLIBPATHS=-L/usr/lib -L/usr/local/lib -L/lib -L/lib/x86_64-linux-gnu
 XIPATHS= -I/usr/include -I/usr/include
 PREFIX=/usr/local
From 369374b1661712e80e0c6d9ec48962cd936aa7a2 Mon Sep 17 00:00:00 2001
From: motypi
Date: Wed, 19 Mar 2025 12:14:50 +0100
Subject: [PATCH 71/79] revert Makefile
---
 Makefile | 109 ++-----------------------------------------------------
 1 file changed, 3 insertions(+), 106 deletions(-)
diff --git a/Makefile b/Makefile
index 47b1751..0fc0d2e 100644
--- a/Makefile
+++ b/Makefile
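Review bot: The re-added legacy path truncates over-long credentials by writing `login[MSLEN - 1] = 0;` and `pass[MSLEN - 1] = 0;` straight into the strings returned by hydra_get_next_login()/hydra_get_next_password(), so it modifies the caller's data rather than a local copy (if those pointers reference hydra's shared wordlist buffers, the truncated value persists for later modules — confirm in hydra-mod.c), and it cuts to 29 characters while a 30-character value passes untouched, so the MSLEN limit is applied inconsistently. `free(buf);` on both exit paths frees the file-scope buf that this function never assigns; it is a no-op today, but becomes a double free as soon as any other path in this file allocates it, so it should go. Copying into the local arrays first and truncating there keeps the caller's strings intact, e.g. `snprintf(ms_login, sizeof ms_login, "%.*s", MSLEN, login);` and the same for ms_pass, after which len_login/len_pass can be taken from the copies.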
@@ -1,111 +1,8 @@ -STRIP=strip -XDEFINES= -DLIBOPENSSL -DLIBNCURSES -DHAVE_PCRE -DHAVE_SYBDB -DHAVE_SYBFRONT -DHAVE_ZLIB -DHAVE_MATH_H -DHAVE_SYS_PARAM_H -XLIBS= -lz -lsybdb -lcurses -lssl -lpcre2-8 -lcrypto -XLIBPATHS=-L/usr/lib -L/usr/local/lib -L/lib -L/lib/x86_64-linux-gnu -XIPATHS= -I/usr/include -I/usr/include -PREFIX=/usr/local -XHYDRA_SUPPORT= -STRIP=strip - -HYDRA_LOGO= -PWI_LOGO= -SEC=-pie -fPIE -fstack-protector-all --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro -Wl,--allow-multiple-definition - -# -# Makefile for Hydra - (c) 2001-2023 by van Hauser / THC -# -WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations -WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align -CFLAGS ?= -g -OPTS=-I. 
-O3 $(CFLAGS) -fcommon -Wno-deprecated-declarations -CPPFLAGS += -D_GNU_SOURCE -# -Wall -g -pedantic -LIBS=-lm -DESTDIR ?= -BINDIR = /bin -MANDIR = /man/man1/ -DATADIR = /etc -PIXDIR = /share/pixmaps -APPDIR = /share/applications - -SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \ - hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \ - hydra-pop3.c hydra-smb.c hydra-icq.c hydra-cisco-enable.c hydra-ldap.c \ - hydra-memcached.c hydra-mongodb.c hydra-mysql.c hydra-mssql.c hydra-xmpp.c \ - hydra-http-proxy-urlenum.c hydra-snmp.c hydra-cvs.c hydra-smtp.c \ - hydra-smtp-enum.c hydra-sapr3.c hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c \ - hydra-postgres.c hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c \ - hydra-svn.c hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \ - hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c hydra-rdp.c \ - hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \ - hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \ - hydra-rpcap.c hydra-radmin2.c hydra-cobaltstrike.c \ - hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c \ - hydra-smb2.c -OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \ - hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \ - hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \ - hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-cobaltstrike.o hydra-xmpp.o \ - hydra-http-proxy-urlenum.o hydra-snmp.o hydra-cvs.o hydra-smtp.o \ - hydra-smtp-enum.o hydra-sapr3.o hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o \ - hydra-postgres.o hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o \ - hydra-svn.o hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \ - hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o \ - hydra-ncp.o hydra-http-proxy.o hydra-http-form.o hydra-irc.o \ - hydra-redis.o hydra-rdp.o hydra-s7-300.c 
hydra-adam6500.o hydra-rtsp.o \ - hydra-rpcap.o hydra-radmin2.o \ - crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o \ - hydra-smb2.o -BINS = hydra pw-inspector - -EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \ - hydra-mod.h hydra.h crc32.h d3des.h - -all: pw-inspector hydra $(XHYDRA_SUPPORT) - @echo - @echo Now type "make install" - -hydra: hydra.c $(OBJ) - $(CC) $(OPTS) $(SEC) $(LIBS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o hydra $(HYDRA_LOGO) hydra.c $(OBJ) $(LIBS) $(XLIBS) $(XLIBPATHS) $(XIPATHS) $(XDEFINES) - @echo - @echo If men could get pregnant, abortion would be a sacrament - @echo - -xhydra: - -cd hydra-gtk && sh ./make_xhydra.sh - -pw-inspector: pw-inspector.c - -$(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o pw-inspector $(PWI_LOGO) pw-inspector.c - -.c.o: - $(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) -c $< $(XDEFINES) $(XIPATHS) - -strip: all - -strip $(BINS) - -echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null - -install: strip - -mkdir -p $(DESTDIR)$(PREFIX)$(BINDIR) - cp -f hydra-wizard.sh $(BINS) $(DESTDIR)$(PREFIX)$(BINDIR) && cd $(DESTDIR)$(PREFIX)$(BINDIR) && chmod 755 hydra-wizard.sh $(BINS) - -echo OK > /dev/null && test -x xhydra && cp xhydra $(DESTDIR)$(PREFIX)$(BINDIR) && cd $(DESTDIR)$(PREFIX)$(BINDIR) && chmod 755 xhydra || echo OK > /dev/null - -sed -e "s|^INSTALLDIR=.*|INSTALLDIR="$(PREFIX)"|" dpl4hydra.sh | sed -e "s|^LOCATION=.*|LOCATION="$(DATADIR)"|" > $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh - -chmod 755 $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh - -mkdir -p $(DESTDIR)$(PREFIX)$(DATADIR) - -cp -f *.csv $(DESTDIR)$(PREFIX)$(DATADIR) - -mkdir -p $(DESTDIR)$(PREFIX)$(MANDIR) - -cp -f hydra.1 xhydra.1 pw-inspector.1 $(DESTDIR)$(PREFIX)$(MANDIR) - -mkdir -p $(DESTDIR)$(PREFIX)$(PIXDIR) - -cp -f xhydra.png $(DESTDIR)$(PREFIX)$(PIXDIR)/ - -mkdir -p $(DESTDIR)$(PREFIX)$(APPDIR) - -desktop-file-install --dir $(DESTDIR)$(PREFIX)$(APPDIR) xhydra.desktop +all: + 
@echo Error: you must run "./configure" first clean: - rm -rf xhydra pw-inspector hydra *.o core *.core *.stackdump *~ Makefile.in Makefile dev_rfc hydra.restore arm/*.ipk arm/ipkg/usr/bin/* hydra-gtk/src/*.o hydra-gtk/src/xhydra hydra-gtk/stamp-h hydra-gtk/config.status hydra-gtk/errors hydra-gtk/config.log hydra-gtk/src/.deps hydra-gtk/src/Makefile hydra-gtk/Makefile cp -f Makefile.orig Makefile uninstall: - -rm -f $(DESTDIR)$(PREFIX)$(BINDIR)/xhydra $(DESTDIR)$(PREFIX)$(BINDIR)/hydra $(DESTDIR)$(PREFIX)$(BINDIR)/pw-inspector $(DESTDIR)$(PREFIX)$(BINDIR)/hydra-wizard.sh $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh - -rm -f $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_full.csv $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_local.csv - -rm -f $(DESTDIR)$(PREFIX)$(MANDIR)/hydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/xhydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/pw-inspector.1 - -rm -f $(DESTDIR)$(PREFIX)$(PIXDIR)/xhydra.png - -rm -f $(DESTDIR)$(PREFIX)$(APPDIR)/xhydra.desktop + @echo Error: you must run "./configure" first
From bc48f7625b66b969c35a127b5aa34a8dc6f2456d Mon Sep 17 00:00:00 2001
From: motypi
Date: Wed, 19 Mar 2025 20:14:23 +0100
Subject: [PATCH 72/79] added dbclose() and dbexit() in mssql module
---
 hydra-mssql.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hydra-mssql.c b/hydra-mssql.c
index 4131b54..f13c20a 100644
--- a/hydra-mssql.c
+++ b/hydra-mssql.c
@@ -19,7 +19,9 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 LOGINREC *attempt;
 dbinit();
+
 attempt = dblogin();
+
 DBSETLUSER(attempt, login);
 DBSETLPWD(attempt, pass);
@@ -27,6 +29,8 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 dbproc = dbopen(attempt, ipaddr_str);
 if (dbproc != NULL) {
+ dbclose(dbproc);
+ dbexit();
 hydra_report_found_host(port, ip, "mssql", fp);
 hydra_completed_pair_found();
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
@@ -35,12 +39,15 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 }
 hydra_completed_pair();
+ dbclose(dbproc);
+ dbexit();
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
 return 2;
 return 1;
 }
 #else
+
 #define MSLEN 30
 unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00"
From 5f706c707131970dfe59bcdcc0560f39bec336a3 Mon Sep 17 00:00:00 2001
From: motypi
Date: Wed, 19 Mar 2025 20:35:29 +0100
Subject: [PATCH 73/79] freetds install in README
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 44cb585..66c819a 100644
--- a/README
+++ b/README
@@ -96,7 +96,7 @@ for a few optional modules (note that some might not be available on your distri
 apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
 libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
 firebird-dev libmemcached-dev libgpg-error-dev \
- libgcrypt11-dev libgcrypt20-dev
+ libgcrypt11-dev libgcrypt20-dev freetds-dev
 ```
 This enables all optional modules and features with the exception of Oracle,
From b5eb38e48fdaf5c9facd3f0af7c2b0a3642df00f Mon Sep 17 00:00:00 2001
From: motypi
Date: Mon, 24 Mar 2025 09:05:03 +0100
Subject: [PATCH 74/79] mixed TDS7 into old function
---
 hydra-mssql.c | 48 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/hydra-mssql.c b/hydra-mssql.c
index f13c20a..064486b 100644
--- a/hydra-mssql.c
+++ b/hydra-mssql.c
@@ -5,7 +5,7 @@ char *buf;
 #if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
 #include
 #include
-int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
+int32_t start_mssql7(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
 char *empty = "";
 char *login, *pass;
 char *ipaddr_str = hydra_address2string(ip);
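Review bot: `dbclose(dbproc);` on the failure path is reached only when dbopen() returned NULL (the non-NULL case already returned inside the if above), so every failed guess passes a NULL DBPROCESS to dbclose(); only `dbexit();` belongs there. Both paths also still leave the LOGINREC from dblogin() unreleased, so adding `dbloginfree(attempt);` next to dbexit() would close that leak too. start_mssql begins outside the hunk.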
@@ -18,8 +18,6 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsig
ed char options, ch
 DBPROCESS *dbproc;
 LOGINREC *attempt;
- dbinit();
-
 attempt = dblogin();
 DBSETLUSER(attempt, login);
@@ -39,14 +37,12 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 }
 hydra_completed_pair();
- dbclose(dbproc);
- dbexit();
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
 return 2;
 return 1;
 }
-#else
+#endif
 #define MSLEN 30
@@ -101,6 +97,7 @@ unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"
 int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
 char *empty = "";
 char *login, *pass, buffer[1024];
+ char *ipaddr_str = hydra_address2string(ip);
 char ms_login[MSLEN + 1];
 char ms_pass[MSLEN + 1];
 unsigned char len_login, len_pass;
@@ -110,6 +107,39 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 login = empty;
 if (strlen(pass = hydra_get_next_password()) == 0)
 pass = empty;
+#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
+ if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)){
+
+ DBPROCESS *dbproc;
+ LOGINREC *attempt;
+
+ attempt = dblogin();
+
+ DBSETLUSER(attempt, login);
+ DBSETLPWD(attempt, pass);
+
+ // Connect without specifying a database
+ dbproc = dbopen(attempt, ipaddr_str);
+
+ if (dbproc != NULL) {
+ dbclose(dbproc);
+ dbexit();
+ hydra_report_found_host(port, ip, "mssql", fp);
+ hydra_completed_pair_found();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 2;
+ return 1;
+ }
+
+ hydra_completed_pair();
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ return 2;
+
+ return 1;
+
+ }
+
+#endif
 if (strlen(login) > MSLEN)
 login[MSLEN - 1] = 0;
 if (strlen(pass) > MSLEN)
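Review bot: In the new TDS7 branch `dbexit();` runs after every successful login while `dbinit();` now happens once per service in the @@ -160,12 hunk below, so after the first hit the DB-Library state is torn down for all later attempts of that task (FreeTDS documents dbexit() as the counterpart of dbinit(); confirm whether later dblogin()/dbopen() calls still succeed without a fresh dbinit()). `attempt = dblogin();` is still not NULL-checked before DBSETLUSER/DBSETLPWD, and the LOGINREC is never released on either path; `if ((attempt = dblogin()) == NULL) return 3;` plus `dbloginfree(attempt);` after dbopen() covers both. The branch is only entered when a login or password exceeds MSLEN, so with FreeTDS available shorter credentials still go through the hand-built TDS 4.2 packet; if that is intended, a one-line comment above the `#if` saying so would spare the next reader the question.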
@@ -160,12 +190,14 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 return 1;
 }
-#endif
-
 void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
 int32_t run = 1, next_run = 1, sock = -1;
 int32_t myport = PORT_MSSQL, mysslport = PORT_MSSQL_SSL;
+ #if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
+ dbinit();
+ #endif
+
 hydra_register_socket(sp);
 if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
 return;
From 1af16824144c17cc97517435d3ea99364b7a0d3b Mon Sep 17 00:00:00 2001
From: motypi
Date: Mon, 24 Mar 2025 10:23:51 +0100
Subject: [PATCH 75/79] delete tds7 function and print warning
---
 hydra-mssql.c | 42 ++++-------------------------------------
 1 file changed, 4 insertions(+), 38 deletions(-)
diff --git a/hydra-mssql.c b/hydra-mssql.c
index 064486b..1133641 100644
--- a/hydra-mssql.c
+++ b/hydra-mssql.c
@@ -5,43 +5,6 @@ char *buf;
 #if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
 #include
 #include
-int32_t start_mssql7(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
- char *empty = "";
- char *login, *pass;
- char *ipaddr_str = hydra_address2string(ip);
-
- if (strlen(login = hydra_get_next_login()) == 0)
- login = empty;
- if (strlen(pass = hydra_get_next_password()) == 0)
- pass = empty;
-
- DBPROCESS *dbproc;
- LOGINREC *attempt;
-
- attempt = dblogin();
-
- DBSETLUSER(attempt, login);
- DBSETLPWD(attempt, pass);
-
- // Connect without specifying a database
- dbproc = dbopen(attempt, ipaddr_str);
-
- if (dbproc != NULL) {
- dbclose(dbproc);
- dbexit();
- hydra_report_found_host(port, ip, "mssql", fp);
- hydra_completed_pair_found();
- if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
- return 2;
- return 1;
- }
-
- hydra_completed_pair();
- if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
- return 2;
-
- return 1;
-}
 #endif
 #define MSLEN 30
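Review bot: `dbinit();` discards its return value; DB-Library reports initialisation failure through it, and a failed init would only surface later as every dbopen() in the TDS7 branch failing, so each over-long pair would be silently reported as wrong. Checking it once here makes that visible, e.g. `if (dbinit() == FAIL) hydra_report(stderr, "[ERROR] dbinit() failed, FreeTDS login path unavailable\n");`. The `#if`/`#endif` pair is also indented, unlike the other preprocessor lines in this file. service_mssql continues outside the hunk.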
@@ -138,7 +101,10 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
 return 1;
 }
-
+#else
+ if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)){
+ fprintf(stderr,"[WARNING] To crack credentials longer than 30 characters, install freetds and recompile\n");
+ }
 #endif
 if (strlen(login) > MSLEN)
 login[MSLEN - 1] = 0;
From 21262626e0d79e60421c3305366cd6e26927d310 Mon Sep 17 00:00:00 2001
From: iskanred
Date: Tue, 1 Apr 2025 04:59:28 +0300
Subject: [PATCH 76/79] Fix typo in README: lenght
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 44cb585..1c7cf74 100644
--- a/README
+++ b/README
@@ -267,7 +267,7 @@ Examples:
 -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters
 -x 2:5:/ generate passwords from length 2 to 5 containing only slashes
 -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
--x '3:3:aA1&~#\\ "\'<{([-|_^@)]=}>$%*?./§,;:!`' -v generates lenght 3 passwords with all 95 characters, and verbose.
+-x '3:3:aA1&~#\\ "\'<{([-|_^@)]=}>$%*?./§,;:!`' -v generates length 3 passwords with all 95 characters, and verbose.
 ```
 Example:
From f80dc5aa023c911a2b8f7a5998ffe251118a0535 Mon Sep 17 00:00:00 2001
From: oss-belobog
Date: Wed, 4 Jun 2025 00:54:30 +0800
Subject: [PATCH 77/79] fix several memory leaks
---
 hydra-ftp.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/hydra-ftp.c b/hydra-ftp.c
index 590d671..c6e256c 100644
--- a/hydra-ftp.c
+++ b/hydra-ftp.c
@@ -26,8 +26,10 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
 if (verbose)
 printf("[INFO] user %s does not exist, skipping\n", login);
 hydra_completed_pair_skip();
- if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
+ free(buf);
 return 4;
+ }
 free(buf);
 return 1;
 }
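Review bot: The warning is emitted with a bare `fprintf(stderr, ...)` once per over-long pair, so a large wordlist repeats it for every attempt, and unlike the module's other output it bypasses the project's reporting helper (`hydra_report(stderr, ...)` is what the redis change later in this series uses for the same purpose). It also does not say what happens next: the lines that follow cut the credential to MSLEN - 1 characters, so the attempt is made with a value the user never supplied, which the message should state. Printing it once via a static flag and rewording to something like `hydra_report(stderr, "[WARNING] login/password longer than %d characters will be truncated; build with freetds for TDS7 support\n", MSLEN);` would make the behaviour clear without flooding the output.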
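Review bot: The added `free(buf);` before `return 4;` closes the leak, but the result frees buf in both arms of the same if, and since buf is not used after hydra_get_next_pair() a single free before the check is simpler: `free(buf); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 4; return 1;`. The same shape applies to the @@ -35 and @@ -61 hunks of this file. start_ftp begins outside the hunk.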
@@ -35,8 +37,10 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
 if (buf[0] == '2') {
 hydra_report_found_host(port, ip, "ftp", fp);
 hydra_completed_pair_found();
- if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
+ free(buf);
 return 4;
+ }
 free(buf);
 return 1;
 }
@@ -61,8 +65,10 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
 if (buf[0] == '2') {
 hydra_report_found_host(port, ip, "ftp", fp);
 hydra_completed_pair_found();
- if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
+ if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
+ free(buf);
 return 4;
+ }
 free(buf);
 return 1;
 }
From 5ddee91edc377ec9dc11105b5ef05f8e30fc48bd Mon Sep 17 00:00:00 2001
From: xh4vm
Date: Sun, 29 Jun 2025 19:22:31 +0500
Subject: [PATCH 78/79] feat: pop3 capa fix
---
 hydra-pop3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hydra-pop3.c b/hydra-pop3.c
index acd6c2e..3671a95 100644
--- a/hydra-pop3.c
+++ b/hydra-pop3.c
@@ -109,7 +109,7 @@ char *pop3_read_server_capacity(int32_t sock) {
 buf[strlen(buf) - 1] = 0;
 if (buf[strlen(buf) - 1] == '\r')
 buf[strlen(buf) - 1] = 0;
- if (*(ptr) == '.' || *(ptr) == '-')
+ if (buf[strlen(buf) - 1] == '.' || *(ptr) == '.' || *(ptr) == '-')
 resp = 1;
 }
 }
From cbd08d570275489b4b205c82878f835add924992 Mon Sep 17 00:00:00 2001
From: lhywk
Date: Thu, 3 Jul 2025 05:07:27 +0000
Subject: [PATCH 79/79] Add NULL check after hydra_receive_line() in start_redis()
---
 hydra-redis.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hydra-redis.c b/hydra-redis.c
index 179007c..5a81cec 100644
--- a/hydra-redis.c
+++ b/hydra-redis.c
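Review bot: The new `buf[strlen(buf) - 1] == '.'` test indexes buf[-1] whenever the line is empty after the two strips above it (a bare "\r\n" line leaves strlen(buf) == 0), which is an out-of-bounds read; the existing `'\r'` check has the same weakness, but this change adds a third unguarded access on the same line. Computing the length once and guarding it keeps the intent and avoids the underflow, e.g. `size_t len = strlen(buf);` before the strips and `if ((len > 0 && buf[len - 1] == '.') || *(ptr) == '.' || *(ptr) == '-')` for the new condition, updating len after each strip. pop3_read_server_capacity begins outside the hunk, so whether an empty buf can reach this point is inferred, not visible.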
@@ -24,6 +24,11 @@ int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, ch
 return 1;
 }
 buf = hydra_receive_line(s);
+ if (buf == NULL) {
+ hydra_report(stderr, "[ERROR] Failed to receive response from Redis server.\n");
+ return 3;
+ }
+
 if (buf[0] == '+') {
 hydra_report_found_host(port, ip, "redis", fp);
 hydra_completed_pair_found();