github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-08-19 21:03:52 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: github:master
Branches Tags
github:master
github:add-license-1
github:v9.5
github:v9.4
github:v9.3
github:v9.2
github:v9.1
github:v9.0
github:v8.9.1
github:v8.8
github:8.6
github:v8.5
github:v8.4
github:8.3
github:v8.2
..
compare: github:v9.3
Branches Tags
github:master
github:add-license-1
github:v9.5
github:v9.4
github:v9.3
github:v9.2
github:v9.1
github:v9.0
github:v8.9.1
github:v8.8
github:8.6
github:v8.5
github:v8.4
github:8.3
github:v8.2

No commits in common. "master" and "v9.3" have entirely different histories.
master ... v9.3

42 changed files with 378 additions and 973 deletions
Download patch file Download diff file Expand all files Collapse all files

38
.github/workflows/release.yml vendored
View file

@ -1,38 +0,0 @@
name: release
on:
push:
branches: [master, main]
tags-ignore: ['**']
paths-ignore: [README, TODO, PROBLEMS]
pull_request:
paths-ignore: [README, TODO, PROBLEMS]
jobs:
docker-image:
name: Build the docker image
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: docker/setup-qemu-action@v2
- uses: docker/setup-buildx-action@v2
- uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- uses: gacts/github-slug@v1 # Action page: <https://github.com/gacts/github-slug>
id: slug
- uses: docker/build-push-action@v3 # Action page: <https://github.com/docker/build-push-action>
with:
context: .
file: Dockerfile
push: true
platforms: linux/amd64, linux/arm64
# ,linux/arm/v6, linux/arm/v7
tags: vanhauser/hydra:latest

21
CHANGES
View file

@ -1,27 +1,6 @@
Changelog for hydra
-------------------
Release 9.5
* many modules did not support -W (all those that used a library for the
connection). All (or most?) should be fixed now.
* http-form:
- The help for http-form was wrong. the condition variable must always be
the *last* parameter, not the third
- Proxy support was not working correctly
* smb2: fix for updated libsmb2 which resulted in correct guessing attempts
not being detected
* smtp: break early if the server does not allow authentication
* rdp: detect more return codes that say a user is disabled etc.
Release 9.4
* Switched from pcre/pcre3 to pcre2 as pcre/pcre3 will be dropped from Debian
* Small fix for weird RTSP servers
* Added "2=" optional parameter to http-post-form module to tell hydra that
a "302" HTTP return code means success
* replaced wait3 with waitpid for better compatability
Release 9.3
* support Xcode compilation
* new module: cobaltstrike by ultimaiiii, thank you!

77
Dockerfile
View file

@ -1,77 +0,0 @@
FROM debian:bookworm-slim
ARG HYDRA_VERSION="github"
LABEL \
org.opencontainers.image.url="https://github.com/vanhauser-thc/thc-hydra" \
org.opencontainers.image.source="https://github.com/vanhauser-thc/thc-hydra" \
org.opencontainers.image.version="$HYDRA_VERSION" \
org.opencontainers.image.vendor="vanhauser-thc" \
org.opencontainers.image.title="hydra" \
org.opencontainers.image.licenses="GNU AFFERO GENERAL PUBLIC LICENSE"
COPY . /src
RUN set -x \
&& apt-get update \
&& apt-get -y install \
#libmysqlclient-dev \
default-libmysqlclient-dev \
libgpg-error-dev \
#libmemcached-dev \
#libgcrypt11-dev \
libgcrypt-dev \
#libgcrypt20-dev \
#libgtk2.0-dev \
libpcre3-dev \
#firebird-dev \
libidn11-dev \
libssh-dev \
#libsvn-dev \
libssl-dev \
#libpq-dev \
make \
curl \
gcc \
1>/dev/null \
# The next line fixes the curl "SSL certificate problem: unable to get local issuer certificate" for linux/arm
&& c_rehash
# Get hydra sources and compile
RUN cd /src \
&& make clean \
&& ./configure \
&& make \
&& make install
# Make clean
RUN apt-get purge -y make gcc \
&& apt-get autoremove -y \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /src
# Verify hydra installation
RUN hydra -h || error_code=$? \
&& if [ ! "${error_code}" -eq 255 ]; then echo "Wrong exit code for 'hydra help' command"; exit 1; fi \
# Unprivileged user creation
&& echo 'hydra:x:10001:10001::/tmp:/sbin/nologin' > /etc/passwd \
&& echo 'hydra:x:10001:' > /etc/group
ARG INCLUDE_SECLISTS="true"
RUN set -x \
&& if [ "${INCLUDE_SECLISTS}" = "true" ]; then \
mkdir /tmp/seclists \
&& curl -SL "https://api.github.com/repos/danielmiessler/SecLists/tarball" -o /tmp/seclists/src.tar.gz \
&& tar xzf /tmp/seclists/src.tar.gz -C /tmp/seclists \
&& mv /tmp/seclists/*SecLists*/Passwords /opt/passwords \
&& mv /tmp/seclists/*SecLists*/Usernames /opt/usernames \
&& chmod -R u+r /opt/passwords /opt/usernames \
&& rm -Rf /tmp/seclists \
&& ls -la /opt/passwords /opt/usernames \
;fi
# Use an unprivileged user
USER 10001:10001
ENTRYPOINT ["hydra"]

2
INSTALL
View file

@ -24,5 +24,5 @@ https://wiki.termux.com/wiki/Graphical_Environment
For the Oracle login module, install the basic and SDK packages:
https://www.oracle.com/database/technologies/instant-client/downloads.html
http://www.oracle.com/technetwork/database/features/instant-client/index.html

32
LICENSE
View file

@ -1,7 +1,12 @@
[see the end of the file for the special exception for linking with OpenSSL
- debian people need this]
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@ -633,8 +638,8 @@ the "copyright" line and a pointer to where the full notice is found.
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
@ -643,7 +648,7 @@ the "copyright" line and a pointer to where the full notice is found.
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
@ -658,4 +663,21 @@ specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
<http://www.gnu.org/licenses/>.
Special Exception
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU Affero General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.

0
LICENSE_OPENSSL → LICENSE.OPENSSL
View file

5
Makefile.am
View file

@ -1,11 +1,10 @@
#
# Makefile for Hydra - (c) 2001-2023 by van Hauser / THC <vh@thc.org>
# Makefile for Hydra - (c) 2001-2022 by van Hauser / THC <vh@thc.org>
#
WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations
WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align
CFLAGS ?= -g
OPTS=-I. -O3 $(CFLAGS) -fcommon -Wno-deprecated-declarations
CPPFLAGS += -D_GNU_SOURCE
OPTS=-I. -O3 $(CFLAGS) -fcommon
# -Wall -g -pedantic
LIBS=-lm
DESTDIR ?=

16
README
View file

@ -1,7 +1,7 @@
H Y D R A
(c) 2001-2023 by van Hauser / THC
(c) 2001-2022 by van Hauser / THC
<vh@thc.org> https://github.com/vanhauser-thc/thc-hydra
many modules were written by David (dot) Maciejak @ gmail (dot) com
BFG code by Jan Dlabal <dlabaljan@gmail.com>
@ -14,13 +14,6 @@
in these organizations do not care for laws and ethics anyways.
You are not one of the "good" ones if you ignore this.)
NOTE: no this is not meant to be a markdown doc! old school!
Hydra in the most current github state can be directly downloaded via docker:
```
docker pull vanhauser/hydra
```
INTRODUCTION
@ -68,10 +61,6 @@ repository is at Github:
Use the development version at your own risk. It contains new features and
new bugs. Things might not work!
Alternatively (and easier) to can pull it as a docker container:
```
docker pull vanhauser/hydra
```
HOW TO COMPILE
@ -96,7 +85,7 @@ for a few optional modules (note that some might not be available on your distri
apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
firebird-dev libmemcached-dev libgpg-error-dev \
libgcrypt11-dev libgcrypt20-dev freetds-dev
libgcrypt11-dev libgcrypt20-dev
```
This enables all optional modules and features with the exception of Oracle,
@ -267,7 +256,6 @@ Examples:
-x 1:3:a generate passwords from length 1 to 3 with all lowercase letters
-x 2:5:/ generate passwords from length 2 to 5 containing only slashes
-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
-x '3:3:aA1&~#\\ "\'<{([-|_^@)]=}>$%*?./§,;:!`' -v generates length 3 passwords with all 95 characters, and verbose.
```
Example:

59
configure vendored
View file

@ -185,32 +185,6 @@ else
echo " ... zlib not found, gzip support disabled"
fi
echo "Checking for sybdb (sybdb.h) ..."
for i in $INCDIRS; do
if [ -f "$i/sybdb.h" ]; then
HAVE_SYBDB="y"
fi
done
if [ -n "$HAVE_SYBDB" ]; then
echo " ... found"
else
echo " ... sybdb not found, MSSQL module will lack TDSv7 support"
fi
echo "Checking for sybfront (sybfront.h) ..."
for i in $INCDIRS; do
if [ -f "$i/sybfront.h" ]; then
HAVE_SYBFRONT="y"
fi
done
if [ -n "$HAVE_SYBFRONT" ]; then
echo " ... found"
else
echo " ... sybfront not found, MSSQL module will lack TDSv7 support"
fi
echo "Checking for openssl (libssl/libcrypto/ssl.h/sha.h) ..."
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: SSL_LIB=$LIBDIRS `ls -d /*ssl /usr/*ssl /opt/*ssl /usr/local/*ssl /opt/local/*ssl /*ssl/lib /usr/*ssl/lib /opt/*ssl/lib /usr/local/*ssl/lib /opt/local/*ssl/lib 2> /dev/null`
@ -406,21 +380,21 @@ if [ "X" = "X$CURSES_PATH" -o "X" = "X$CURSES_IPATH" ]; then
CURSES_IPATH=""
fi
echo "Checking for pcre2 (libpcre/pcre.h) ..."
echo "Checking for pcre (libpcre/pcre.h) ..."
for i in $LIBDIRS ; do
if [ "X" = "X$PCRE_PATH" ]; then
if [ -f "$i/libpcre2-8.so" -o -f "$i/libpcre2-8.dylib" -o -f "$i/libpcre2-8.a" ]; then
if [ -f "$i/libpcre.so" -o -f "$i/libpcre.dylib" -o -f "$i/libpcre.a" ]; then
PCRE_PATH="$i"
fi
fi
if [ "X" = "X$PCRE_PATH" ]; then
TMP_LIB=`/bin/ls $i/libpcre2*.so* 2> /dev/null | grep libpcre.`
TMP_LIB=`/bin/ls $i/libpcre.so* 2> /dev/null | grep libpcre.`
if [ -n "$TMP_LIB" ]; then
PCRE_PATH="$i"
fi
fi
if [ "X" = "X$PCRE_PATH" ]; then
TMP_LIB=`/bin/ls $i/libpcre2*.dll* 2> /dev/null | grep libpcre.`
TMP_LIB=`/bin/ls $i/libpcre.dll* 2> /dev/null | grep libpcre.`
if [ -n "$TMP_LIB" ]; then
PCRE_PATH="$i"
fi
@ -428,20 +402,20 @@ for i in $LIBDIRS ; do
done
for i in $INCDIRS ; do
if [ "X" != "X$PCRE_PATH" ]; then
if [ -f "$i/pcre2.h" ]; then
if [ -f "$i/pcre.h" ]; then
PCRE_IPATH="$i"
fi
fi
done
if [ "X" != "X$DEBUG" ]; then
echo DEBUG: PCRE_PATH=$PCRE_PATH/libpcre
echo DEBUG: PCRE_IPATH=$PCRE_IPATH/pcre2.h
echo DEBUG: PCRE_IPATH=$PCRE_IPATH/pcre.h
fi
if [ -n "$PCRE_PATH" -a -n "$PCRE_IPATH" ]; then
echo " ... found"
echo " ... found"
fi
if [ "X" = "X$PCRE_PATH" -o "X" = "X$PCRE_IPATH" ]; then
echo " ... NOT found, server response checks will be less reliable"
echo " ... NOT found, server response checks will be less reliable"
PCRE_PATH=""
PCRE_IPATH=""
fi
@ -992,7 +966,7 @@ if [ -n "$ORACLE_PATH" -a -n "$ORACLE_IPATH" ]; then
fi
if [ "X" = "X$ORACLE_PATH" -o "X" = "X$ORACLE_IPATH" ]; then
echo " ... NOT found, module Oracle disabled"
echo "Get basic and sdk package from https://www.oracle.com/database/technologies/instant-client/downloads.html"
echo "Get basic and sdk package from http://www.oracle.com/technetwork/database/features/instant-client/index.html"
ORACLE_PATH=""
ORACLE_IPATH=""
fi
@ -1382,7 +1356,7 @@ echo "Checking for Android specialities ..."
TMPC=comptest$$
STRRCHR=" not"
echo '#include <stdio.h>' > $TMPC.c
echo '#include <string.h>' >> $TMPC.c
echo '#include <strings.h>' >> $TMPC.c
echo "int main() { char *x = strrchr(\"test\", 'e'); if (x == NULL) return 0; else return 1; }" >> $TMPC.c
$CC -o $TMPC $TMPC.c > /dev/null 2>&1
test -x $TMPC && STRRCHR=""
@ -1522,12 +1496,6 @@ fi
if [ -n "$RSA" ]; then
XDEFINES="$XDEFINES -DNO_RSA_LEGACY"
fi
if [ -n "$HAVE_SYBDB" ]; then
XDEFINES="$XDEFINES -DHAVE_SYBDB"
fi
if [ -n "$HAVE_SYBFRONT" ]; then
XDEFINES="$XDEFINES -DHAVE_SYBFRONT"
fi
if [ -n "$HAVE_ZLIB" ]; then
XDEFINES="$XDEFINES -DHAVE_ZLIB"
fi
@ -1659,9 +1627,6 @@ fi
if [ -n "$HAVE_ZLIB" ]; then
XLIBS="$XLIBS -lz"
fi
if [ -n "$HAVE_SYBDB" ]; then
XLIBS="$XLIBS -lsybdb"
fi
if [ -n "$CURSES_PATH" ]; then
XLIBS="$XLIBS -lcurses"
fi
@ -1684,7 +1649,7 @@ if [ -n "$IDN_PATH" ]; then
XLIBS="$XLIBS -lidn"
fi
if [ -n "$PCRE_PATH" ]; then
XLIBS="$XLIBS -lpcre2-8"
XLIBS="$XLIBS -lpcre"
fi
if [ -n "$MYSQL_PATH" ]; then
XLIBS="$XLIBS -lmysqlclient"
@ -1839,4 +1804,4 @@ if [ "x$NOSTRIP" = "x" ]; then
else
cat Makefile.am | sed 's/^install:.*/install: all/' >> Makefile
fi
echo "now type \"make\""
echo "now type \"make\""

3
hydra-firebird.c
View file

@ -22,7 +22,6 @@ void dummy_firebird() { printf("\n"); }
#define DEFAULT_DB "C:\\Program Files\\Firebird\\Firebird_1_5\\security.fdb"
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
int32_t start_firebird(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
@ -125,8 +124,6 @@ void service_firebird(char *ip, int32_t sp, unsigned char options, char *miscptr
*/
next_run = start_firebird(sock, ip, port, options, miscptr, fp);
if ((next_run == 1 || next_run == 2) && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3:

12
hydra-ftp.c
View file

@ -26,10 +26,8 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
if (verbose)
printf("[INFO] user %s does not exist, skipping\n", login);
hydra_completed_pair_skip();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 4;
}
free(buf);
return 1;
}
@ -37,10 +35,8 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
if (buf[0] == '2') {
hydra_report_found_host(port, ip, "ftp", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 4;
}
free(buf);
return 1;
}
@ -65,10 +61,8 @@ int32_t start_ftp(int32_t s, char *ip, int32_t port, unsigned char options, char
if (buf[0] == '2') {
hydra_report_found_host(port, ip, "ftp", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 4;
}
free(buf);
return 1;
}

8
hydra-gtk/configure vendored
View file

@ -2391,7 +2391,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
for ac_declaration in \
'#include <stdlib.h>' \
'' \
'extern "C" void std::exit (int) throw (); using std::exit;' \
'extern "C" void std::exit (int); using std::exit;' \
'extern "C" void exit (int) throw ();' \
@ -3192,7 +3192,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
for ac_declaration in \
'#include <stdlib.h>' \
'' \
'extern "C" void std::exit (int) throw (); using std::exit;' \
'extern "C" void std::exit (int); using std::exit;' \
'extern "C" void exit (int) throw ();' \
@ -3797,8 +3797,8 @@ main ()
for (i = 0; i < 256; i++)
if (XOR (islower (i), ISLOWER (i))
|| toupper (i) != TOUPPER (i))
return 2;
return 0;
exit(2);
exit (0);
}
_ACEOF
rm -f conftest$ac_exeext

6
hydra-gtk/src/main.c
View file

@ -17,8 +17,6 @@
char *hydra_path1 = "./hydra";
char *hydra_path2 = "/usr/local/bin/hydra";
char *hydra_path3 = "/usr/bin/hydra";
char *hydra_path4 = "/data/data/com.termux/files/usr/bin/hydra";
char *hydra_path5 = "/data/data/com.termux/files/usr/local/bin/hydra";
GtkWidget *wndMain;
char *HYDRA_BIN;
@ -55,10 +53,6 @@ int main(int argc, char *argv[]) {
HYDRA_BIN = hydra_path2;
} else if (g_file_test(hydra_path3, G_FILE_TEST_IS_EXECUTABLE)) {
HYDRA_BIN = hydra_path3;
} else if (g_file_test(hydra_path4, G_FILE_TEST_IS_EXECUTABLE)) {
HYDRA_BIN = hydra_path4;
} else if (g_file_test(hydra_path5, G_FILE_TEST_IS_EXECUTABLE)) {
HYDRA_BIN = hydra_path5;
} else {
g_error("Please tell me where hydra is, use --hydra-path\n");
return -1;

400
hydra-http-form.c Executable file → Normal file
View file

@ -20,23 +20,33 @@ Here's a couple of examples: -
./hydra -S -s 443 -l "<username>" -P pass.txt 10.221.64.2 https-get-form
"/irmlab1/vulnapp.php:username=^USER^&pass=^PASS^:incorrect"
The option field (following the service field) takes ":" separated values:
The first is the page on the server to GET or POST to.
The second is the POST/GET variables (taken from either the browser, or a proxy
such as ZAP) with the varying usernames and passwords in the "^USER^" and
"^PASS^" placeholders.
The third + are optional parameters like C=, H= etc. (see below)
The final(!) parameter is the string that it checks for an *invalid* or *valid*
login
The option field (following the service field) takes three ":" separated
values and an optional fourth value, the first is the page on the server
to GET or POST to, the second is the POST/GET variables (taken from either
the browser, or a proxy such as PAROS) with the varying usernames and passwords
in the "^USER^" and "^PASS^" placeholders, the third is the string that it
checks for an *invalid* or *valid* login - any exception to this is counted
as a success.
So please:
* invalid condition login should be preceded by "F="
* valid condition login should be preceded by "S=".
By default, if no header is found the condition is assume to be a fail (F=),
so checking for an *invalid* login string.
By default, if no header is found the condition is assume to be a fail,
so checking for *invalid* login.
The fourth optional value, can be a 'C' to define a different page to GET
initial cookies from.
If you specify the debug flag (-d) it will show you the response from the
If you specify the verbose flag (-v) it will show you the response from the
HTTP server which is useful for checking the result of a failed login to
find something to pattern match against. This should be done together with -t 1.
find something to pattern match against.
Module initially written by Phil Robinson, IRM Plc (releases@irmplc.com),
rewritten by David Maciejak
Fix and issue with strtok use and implement 1 step location follow if HTTP
3xx code is returned (david dot maciejak at gmail dot com)
Added fail or success condition, getting cookies, and allow 5 redirections by
david
*/
@ -65,9 +75,6 @@ typedef struct cookie_node {
int32_t success_cond = 0;
int32_t getcookie = 1;
int32_t auth_flag = 0;
int32_t code_302_is_success = 0;
int32_t code_401_is_failure = 0;
int32_t multipart_mode = 0;
char cookie[4096] = "", cmiscptr[1024];
@ -252,7 +259,7 @@ int32_t add_header(ptr_header_node *ptr_head, char *header, char *value, char ty
ptr_header_node existing_hdr, new_ptr;
if (!header || !value || !strlen(header) || !strlen(value))
return 0;
return;
// get to the last header
for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next)
@ -316,15 +323,10 @@ void hdrrep(ptr_header_node *ptr_head, char *oldvalue, char *newvalue) {
for (cur_ptr = *ptr_head; cur_ptr; cur_ptr = cur_ptr->next) {
if ((cur_ptr->type == HEADER_TYPE_USERHEADER || cur_ptr->type == HEADER_TYPE_USERHEADER_REPL) && strstr(cur_ptr->value, oldvalue)) {
size_t oldlen = strlen(oldvalue);
size_t newlen = strlen(newvalue);
if (oldlen != newlen)
cur_ptr->value = (char *)realloc(cur_ptr->value, strlen(cur_ptr->value) - oldlen + newlen + 1);
if (cur_ptr->value) {
char *p = strstr(cur_ptr->value, oldvalue);
memmove(p + newlen, p + oldlen, strlen(p + oldlen) + 1);
memcpy(p, newvalue, newlen);
} else {
cur_ptr->value = (char *)realloc(cur_ptr->value, strlen(newvalue) + 1);
if (cur_ptr->value)
strcpy(cur_ptr->value, newvalue);
else {
hydra_report(stderr, "[ERROR] Out of memory (hddrep).\n");
hydra_child_exit(0);
}
@ -391,7 +393,7 @@ char *stringify_headers(ptr_header_node *ptr_head) {
}
int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
char *ptr, *ptr2, *tmp;
char *ptr, *ptr2;
if (miscptr == NULL)
return 1;
@ -401,7 +403,7 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
* Beware of the backslashes (\)!
*/
while (*miscptr != 0) {
if (strlen(miscptr) < 2 || miscptr[1] != '=') {
if (strlen(miscptr) < 3 || miscptr[1] != '=') {
hydra_report(stderr, "[ERROR] optional parameters must have the format X=value: %s\n", miscptr);
return 0;
}
@ -439,31 +441,6 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
sprintf(cookieurl, "%.1000s", hydra_strrep(miscptr + 2, "\\:", ":"));
miscptr = ptr;
break;
case '1':
code_401_is_failure = 1;
tmp = strchr(miscptr, ':');
if (tmp)
miscptr = tmp + 1;
else
miscptr += strlen(miscptr);
break;
case '2':
code_302_is_success = 1;
tmp = strchr(miscptr, ':');
if (tmp)
miscptr = tmp + 1;
else
miscptr += strlen(miscptr);
break;
case 'm': // fall through
case 'M':
multipart_mode = 1;
tmp = strchr(miscptr, ':');
if (tmp)
miscptr = tmp + 1;
else
miscptr += strlen(miscptr);
break;
case 'g': // fall through
case 'G':
ptr = miscptr + 2;
@ -542,97 +519,6 @@ int32_t parse_options(char *miscptr, ptr_header_node *ptr_head) {
return 1;
}
char *build_multipart_body(char *multipart_boundary) {
if (!variables)
return NULL;
char *body = NULL;
size_t body_size = 0;
// Duplicate "variables" for tokenizing
char *vars_dup = strdup(variables);
if (!vars_dup)
return NULL;
// Tokenize the string using '&' as a delimiter
char *pair = strtok(vars_dup, "&");
while (pair != NULL) {
// Find the '=' separator in each pair
char *equal_sign = strchr(pair, '=');
if (!equal_sign) {
pair = strtok(NULL, "&");
continue;
}
*equal_sign = '\0';
char *key = pair;
char *value = equal_sign + 1;
// Build the multipart section for the field
int section_len = snprintf(NULL, 0,
"--%s\r\n"
"Content-Disposition: form-data; name=\"%s\"\r\n"
"\r\n"
"%s\r\n",
multipart_boundary, key, value);
char *section = malloc(section_len + 1);
if (!section) {
free(body);
free(vars_dup);
return NULL;
}
snprintf(section, section_len + 1,
"--%s\r\n"
"Content-Disposition: form-data; name=\"%s\"\r\n"
"\r\n"
"%s\r\n",
multipart_boundary, key, value);
// Reallocate the body buffer to add this section
size_t new_body_size = body_size + section_len;
char *new_body = realloc(body, new_body_size + 1); // +1 for null terminator
if (!new_body) {
free(section);
free(body);
free(vars_dup);
return NULL;
}
body = new_body;
if (body_size == 0)
strcpy(body, section);
else
strcat(body, section);
body_size = new_body_size;
free(section);
pair = strtok(NULL, "&");
}
free(vars_dup);
// Append the closing boundary: --<boundary>--\r\n
int closing_len = snprintf(NULL, 0, "--%s--\r\n", multipart_boundary);
char *closing = malloc(closing_len + 1);
if (!closing) {
free(body);
return NULL;
}
snprintf(closing, closing_len + 1, "--%s--\r\n", multipart_boundary);
size_t final_size = body_size + closing_len;
char *final_body = realloc(body, final_size + 1);
if (!final_body) {
free(closing);
free(body);
return NULL;
}
body = final_body;
strcat(body, closing);
free(closing);
return body;
}
char *prepare_http_request(char *type, char *path, char *params, char *headers) {
uint32_t reqlen = 0;
char *http_request = NULL;
@ -773,7 +659,7 @@ int32_t analyze_server_response(int32_t s) {
if ((ptr = hydra_strcasestr(cookie, tmpname)) != NULL) {
// yes it is.
// if the cookie is not in the beginning of the cookiejar, copy the
// ones before
// ones before
if (ptr != cookie && *(ptr - 1) == ' ') {
strncpy(tmpcookie, cookie, ptr - cookie - 2);
tmpcookie[ptr - cookie - 2] = 0;
@ -841,7 +727,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
char *http_request = NULL;
int32_t found = !success_cond, i, j;
char content_length[MAX_CONTENT_LENGTH], proxy_string[MAX_PROXY_LENGTH];
char content_type[256];
memset(header, 0, sizeof(header));
cookie[0] = 0; // reset cookies from potential previous attempt
@ -861,23 +747,10 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
clogin[sizeof(clogin) - 1] = 0;
strncpy(cpass, html_encode(pass), sizeof(cpass) - 1);
cpass[sizeof(cpass) - 1] = 0;
if (multipart_mode) {
snprintf(content_type, sizeof(content_type), "multipart/form-data; boundary=----THC-HydraBoundaryz2Z2z");
char *multipart_body = build_multipart_body("----THC-HydraBoundaryz2Z2z");
upd3variables = multipart_body;
}else{
snprintf(content_type, sizeof(content_type), "application/x-www-form-urlencoded");
upd3variables = variables;
}
upd3variables = hydra_strrep(upd3variables, "^USER^", clogin);
upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass);
upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login);
upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass);
upd3variables = hydra_strrep(variables, "^USER^", clogin);
upd3variables = hydra_strrep(upd3variables, "^PASS^", cpass);
upd3variables = hydra_strrep(upd3variables, "^USER64^", b64login);
upd3variables = hydra_strrep(upd3variables, "^PASS64^", b64pass);
// Replace the user/pass placeholders in the user-supplied headers
hdrrep(&ptr_head, "^USER^", clogin);
@ -889,7 +762,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) {
if (getcookie) {
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl);
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl);
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
@ -903,14 +776,14 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
// now prepare for the "real" request
if (strcmp(type, "POST") == 0) {
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url);
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url);
snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables));
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", content_length);
else
add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT);
if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT);
if (cookie_header != NULL)
free(cookie_header);
cookie_header = stringify_cookies(ptr_cookie);
@ -924,10 +797,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
} else {
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", "0");
@ -944,10 +815,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
}
} else {
if (use_proxy == 1) {
@ -955,7 +824,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (getcookie) {
// doing a GET to get cookies
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, cookieurl);
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, cookieurl);
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("GET", proxy_string, NULL, cookie_request);
@ -969,14 +838,14 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
// now prepare for the "real" request
if (strcmp(type, "POST") == 0) {
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, url);
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, url);
snprintf(content_length, MAX_CONTENT_LENGTH - 1, "%d", (int32_t)strlen(upd3variables));
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", content_length);
else
add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT);
if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT);
if (cookie_header != NULL)
free(cookie_header);
cookie_header = stringify_cookies(ptr_cookie);
@ -990,10 +859,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("POST", proxy_string, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
} else {
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", "0");
@ -1010,10 +877,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("GET", proxy_string, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
}
} else {
// direct web server, no proxy
@ -1043,7 +908,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
else
add_header(&ptr_head, "Content-Length", content_length, HEADER_TYPE_DEFAULT);
if (!header_exists(&ptr_head, "Content-Type", HEADER_TYPE_DEFAULT))
add_header(&ptr_head, "Content-Type", content_type, HEADER_TYPE_DEFAULT);
add_header(&ptr_head, "Content-Type", "application/x-www-form-urlencoded", HEADER_TYPE_DEFAULT);
if (cookie_header != NULL)
free(cookie_header);
cookie_header = stringify_cookies(ptr_cookie);
@ -1057,10 +922,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("POST", url, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
} else {
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", "0");
@ -1077,10 +940,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (http_request != NULL)
free(http_request);
http_request = prepare_http_request("GET", url, upd3variables, normal_request);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
}
}
}
@ -1090,21 +951,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
found = analyze_server_response(s);
if (redirected_flag && code_302_is_success) {
found = success_cond;
}
if (auth_flag) { // we received a 401 error - user may be using wrong module
if (code_401_is_failure) { // apparently they don't think so -- treat 401 as failure
hydra_completed_pair();
return 1;
} else {
hydra_report(stderr,
"[ERROR] received HTTP error code 401. The target may be using HTTP auth, "
"not a web form. Use module \"http%s-get\" instead, or set \"1=\".\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 2;
}
if (auth_flag) { // we received a 401 error - user is using wrong module
hydra_report(stderr,
"[ERROR] the target is using HTTP auth, not a web form, received HTTP "
"error code 401. Use module \"http%s-get\" instead.\n",
(options & OPTION_SSL) > 0 ? "s" : "");
return 4;
}
if (strlen(cookie) > 0)
@ -1115,10 +967,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
if (debug)
printf("[DEBUG] attempt result: found %d, redirect %d, location: %s\n", found, redirected_flag, redirected_url_buff);
while (found == 0 && redirected_flag && !code_302_is_success && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) {
while (found == 0 && redirected_flag && (redirected_url_buff[0] != 0) && (redirected_cpt > 0)) {
// we have to split the location
char *startloc, *endloc;
char str[2048], str2[2048], str3[2048], str4[2048];
char str[2048];
char str2[2048];
char str3[2048];
redirected_cpt--;
redirected_flag = 0;
@ -1137,21 +991,19 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
startloc += strlen("://");
if ((endloc = strchr(startloc, '\r')) != NULL) {
*endloc = 0;
startloc[endloc - startloc] = 0;
}
if ((endloc = strchr(startloc, '\n')) != NULL) {
*endloc = 0;
startloc[endloc - startloc] = 0;
}
strncpy(str, startloc, sizeof(str) - 1);
str[sizeof(str) - 1] = 0;
strcpy(str, startloc);
endloc = strchr(str, '/');
if (endloc != NULL) {
strncpy(str2, str, endloc - str);
str2[endloc - str] = 0;
} else {
strcpy(str2, str);
}
} else
strncpy(str2, str, sizeof(str));
if (strlen(str) - strlen(str2) == 0) {
strcpy(str3, "/");
@ -1160,8 +1012,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
str3[strlen(str) - strlen(str2)] = 0;
}
} else {
strncpy(str2, webtarget, sizeof(str2) - 1);
str2[sizeof(str2) - 1] = 0;
strncpy(str2, webtarget, sizeof(str2));
if (redirected_url_buff[0] != '/') {
// it's a relative path, so we have to concatenate it
// with the path from the first url given
@ -1177,10 +1028,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
} else {
sprintf(str3, "%.1000s/%.1000s", url, redirected_url_buff);
}
} else {
strncpy(str3, redirected_url_buff, sizeof(str3) - 1);
str3[sizeof(str3) - 1] = 0;
}
} else
strncpy(str3, redirected_url_buff, sizeof(str3));
if (debug)
hydra_report(stderr, "[DEBUG] host=%s redirect=%s origin=%s\n", str2, str3, url);
}
@ -1192,13 +1041,12 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
str3[0] = '/';
}
if (strrchr(str2, ':') == NULL && (port != 80 || port != 443)) {
sprintf(str4, "%.2000s:%d", str2, port);
strcpy(str2, str4);
if (strrchr(url, ':') == NULL && port != 80) {
sprintf(str2, "%.2040s:%d", str2, port);
}
if (verbose)
hydra_report(stderr, "[VERBOSE] Page redirected to http[s]://%s%s\n", str2, str3);
hydra_report(stderr, "[VERBOSE] Page redirected to http://%s%s\n", str2, str3);
if (header_exists(&ptr_head, "Content-Length", HEADER_TYPE_DEFAULT))
hdrrepv(&ptr_head, "Content-Length", "0");
@ -1217,7 +1065,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
// proxy with authentication
hdrrepv(&ptr_head, "Host", str2);
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3);
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3);
if (normal_request != NULL)
free(normal_request);
normal_request = stringify_headers(&ptr_head);
@ -1229,7 +1077,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
// proxy without authentication
hdrrepv(&ptr_head, "Host", str2);
memset(proxy_string, 0, sizeof(proxy_string));
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s%.600s", webtarget, str3);
snprintf(proxy_string, MAX_PROXY_LENGTH - 1, "http://%s:%d%.600s", webtarget, webport, str3);
if (normal_request != NULL)
free(normal_request);
normal_request = stringify_headers(&ptr_head);
@ -1250,10 +1098,8 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
hydra_reconnect(s, ip, port, options, hostname);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0) {
free(cookie_header);
if (hydra_send(s, http_request, strlen(http_request), 0) < 0)
return 1;
}
found = analyze_server_response(s);
if (strlen(cookie) > 0)
@ -1262,7 +1108,7 @@ int32_t start_http_form(int32_t s, char *ip, int32_t port, unsigned char options
}
// if the last status is still 3xx, set it as a false
if (found != -1 && found == success_cond && ((redirected_flag && code_302_is_success) || redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) {
if (found != -1 && found == success_cond && (redirected_flag == 0 || success_cond == 1) && redirected_cpt >= 0) {
hydra_report_found_host(port, ip, "www-form", fp);
hydra_completed_pair_found();
} else {
@ -1427,7 +1273,8 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
ptr = ptr2 = NULL;
sprintf(bufferurl, "%.6096s", miscptr);
ptr = url = bufferurl;
url = bufferurl;
ptr = url;
while (*ptr != 0 && (*ptr != ':' || *(ptr - 1) == '\\'))
ptr++;
@ -1440,41 +1287,39 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
if (*ptr != 0)
*ptr++ = 0;
optional1 = cond = ptr;
cond = ptr;
ptr2 = ptr + strlen(ptr);
while (ptr2 > ptr && (*ptr2 != ':' || *(ptr2 - 1) == '\\'))
ptr2--;
if (*ptr2 == ':') {
if ((ptr2 = strchr(ptr, ':')) != NULL) {
*ptr2++ = 0;
cond = ptr2;
}
if (optional1 == cond)
if (*ptr2)
optional1 = ptr2;
else
optional1 = NULL;
} else
optional1 = NULL;
if (strstr(url, "\\:") != NULL) {
if ((ptr = malloc(strlen(url) + 1)) != NULL) {
if ((ptr = malloc(strlen(url))) != NULL) {
strcpy(ptr, hydra_strrep(url, "\\:", ":"));
url = ptr;
}
}
if (strstr(variables, "\\:") != NULL) {
if ((ptr = malloc(strlen(variables) + 1)) != NULL) {
if ((ptr = malloc(strlen(variables))) != NULL) {
strcpy(ptr, hydra_strrep(variables, "\\:", ":"));
variables = ptr;
}
}
if (strstr(cond, "\\:") != NULL) {
if ((ptr = malloc(strlen(cond) + 1)) != NULL) {
if ((ptr = malloc(strlen(cond))) != NULL) {
strcpy(ptr, hydra_strrep(cond, "\\:", ":"));
cond = ptr;
}
}
// printf("ptr: %s ptr2: %s cond: %s url: %s variables: %s optional1: %s\n", ptr, ptr2, cond, url, variables, optional1 == NULL ? "null" : optional1);
// printf("ptr: %s ptr2: %s cond: %s url: %s variables: %s optional1:
// %s\n", ptr, ptr2, cond, url, variables, optional1 == NULL ? "null" :
// optional1);
if (url == NULL || variables == NULL || cond == NULL /*|| optional1 == NULL */)
hydra_child_exit(2);
@ -1498,7 +1343,8 @@ ptr_header_node initialize(char *ip, unsigned char options, char *miscptr) {
success_cond = 0;
}
// printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond);
// printf("miscptr: %s, url=%s, variables=%s, ptr=%s, optional1: %s, cond: %s
// (%d)\n", miscptr, url, variables, ptr, optional1, cond, success_cond);
/*
* Parse the user-supplied options.
@ -1571,29 +1417,27 @@ void usage_http_form(const char *service) {
"redirections in\n"
"a row. It always gathers a new cookie from the same URL without "
"variables\n"
"The parameters requires at a minimum three \":\" separated values,\n"
"plus optional values.\n"
"The parameters take three \":\" separated values, plus optional "
"values.\n"
"(Note: if you need a colon in the option string as value, escape it "
"with \"\\:\", but do not escape a \"\\\" with \"\\\\\".)\n"
"\nSyntax: <url>:<form parameters>[:<optional>[:<optional>]:<condition string>\n"
"\nFirst is the page on the server to GET or POST to (URL), e.g. \"/login\".\n"
"Second is the POST/GET variables (taken from either the browser, proxy, etc.)\n"
" without the initial '?' character and the usernames and passwords being\n"
" replaced with \"^USER^\" (\"^USER64^\" for base64 encodings) and \"^PASS^\"\n"
" (\"^PASS64^\" for base64 encodings).\n"
"Third are optional parameters (see below)\n"
"Last is the string that it checks for an *invalid* login (by default).\n"
" Invalid condition login check can be preceded by \"F=\", successful condition\n"
"\nSyntax: <url>:<form parameters>:<condition "
"string>[:<optional>[:<optional>]\n"
"First is the page on the server to GET or POST to (URL).\n"
"Second is the POST/GET variables (taken from either the browser, proxy, "
"etc.\n"
" with url-encoded (resp. base64-encoded) usernames and passwords being "
"replaced in the\n"
" \"^USER^\" (resp. \"^USER64^\") and \"^PASS^\" (resp. \"^PASS64^\") "
"placeholders (FORM PARAMETERS)\n"
"Third is the string that it checks for an *invalid* login (by default)\n"
" Invalid condition login check can be preceded by \"F=\", successful "
"condition\n"
" login check must be preceded by \"S=\".\n"
" This is where most people get it wrong! You have to check the webapp what a\n"
" failed string looks like and put it in this parameter! Add the -d switch to see\n"
" the sent/received data!\n"
" Note that using invalid login condition checks can result in false positives!\n"
"\nThe following parameters are optional and are put between the form parameters\n"
"and the condition string; separate them too with colons:\n"
" 1= 401 error response is interpreted as user/pass wrong\n"
" 2= 302 page forward return codes identify a successful attempt\n"
" M= attack forms that use multipart format\n"
" This is where most people get it wrong. You have to check the webapp "
"what a\n"
" failed string looks like and put it in this parameter!\n"
"The following parameters are optional:\n"
" (c|C)=/page/uri to define a different page to gather initial "
"cookies from\n"
" (g|G)= skip pre-requests - only use this when no pre-cookies are required\n"
@ -1607,29 +1451,25 @@ void usage_http_form(const char *service) {
"exists, by the\n"
" one supplied by the user, or add the header at the "
"end\n"
"\nNote that if you are going to put colons (:) in your headers you should escape\n"
"them with a backslash (\\). All colons that are not option separators should be\n"
"escaped (see the examples above and below).\n"
"You can specify a header without escaping the colons, but that way you will not\n"
"be able to put colons in the header value itself, as they will be interpreted by\n"
"hydra as option separators.\n"
"Note that if you are going to put colons (:) in your headers you should "
"escape them with a backslash (\\).\n"
" All colons that are not option separators should be escaped (see the "
"examples above and below).\n"
" You can specify a header without escaping the colons, but that way you "
"will not be able to put colons\n"
" in the header value itself, as they will be interpreted by hydra as "
"option separators.\n"
"\nExamples:\n"
" \"/login.php:user=^USER^&pass=^PASS^:incorrect\"\n"
" \"/"
"login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=result="
"login.php:user=^USER64^&pass=^PASS64^&colon=colon\\:escape:S=authlog=.*"
"success\"\n"
" \"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed\"\n"
" \"/:user=^USER&pass=^PASS^:H=Authorization\\: Basic "
" \"/:user=^USER&pass=^PASS^:failed:H=Authorization\\: Basic "
"dT1w:H=Cookie\\: sessid=aaaa:h=X-User\\: ^USER^:H=User-Agent\\: wget\"\n"
" \"/exchweb/bin/auth/:F=failed"
" \"/exchweb/bin/auth/"
"owaauth.dll:destination=http%%3A%%2F%%2F<target>%%2Fexchange&flags=0&"
"username=<domain>%%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:"
"C=/exchweb\":reason=\n"
"To attack multiple targets, you can use the -M option with a file "
"containing the targets and their parameters.\n"
"Example file content:\n"
" localhost:8443/login:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=401\n"
" localhost:9443/login2:type=login&login=^USER^&password=^PASS^:h=test\\: header:F=302\n"
" ...\n\n",
"reason=:C=/exchweb\"\n",
service);
}

10
hydra-http.c Executable file → Normal file
View file

@ -451,7 +451,7 @@ int32_t service_http_init(char *ip, int32_t sp, unsigned char options, char *mis
start--;
memset(start, '\0', condition_len);
if (debug)
hydra_report(stderr, "Modified options:%s\n", miscptr);
hydra_report(stderr, "Modificated options:%s\n", miscptr);
} else {
if (debug)
hydra_report(stderr, "Condition not found\n");
@ -474,12 +474,6 @@ void usage_http(const char *service) {
" combination is invalid. Note: this must be the last option "
"supplied.\n"
"For example: \"/secret\" or \"http://bla.com/foo/bar:H=Cookie\\: "
"sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n"
"To attack multiple targets, you can use the -M option with a file "
"containing the targets and their parameters.\n"
"Example file content:\n"
" localhost:5000/protected:A=BASIC\n"
" localhost:5002/protected_path:A=NTLM\n"
" ...\n\n",
"sessid=aaaa\" or \"https://test.com:8080/members:A=NTLM\"\n\n",
service);
}

3
hydra-memcached.c
View file

@ -13,7 +13,6 @@ void dummy_mcached() { printf("\n"); }
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
int mcached_send_com_quit(int32_t sock) {
@ -118,8 +117,6 @@ void service_mcached(char *ip, int32_t sp, unsigned char options, char *miscptr,
switch (run) {
case 1:
next_run = start_mcached(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 2:
hydra_child_exit(0);

27
hydra-mod.c
View file

@ -7,8 +7,7 @@
#include <openssl/ssl.h>
#endif
#ifdef HAVE_PCRE
#define PCRE2_CODE_UNIT_WIDTH 8
#include <pcre2.h>
#include <pcre.h>
#endif
#define MAX_CONNECT_RETRY 1
@ -662,10 +661,10 @@ char *hydra_get_next_pair() {
pair[sizeof(pair) - 1] = 0;
__fck = read(intern_socket, pair, sizeof(pair) - 1);
// if (debug) hydra_dump_data(pair, __fck, "CHILD READ PAIR");
if (pair[0] == 0 || __fck <= 0)
return HYDRA_EMPTY;
if (__fck >= sizeof(HYDRA_EXIT) && memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0)
if (memcmp(&HYDRA_EXIT, &pair, sizeof(HYDRA_EXIT)) == 0)
return HYDRA_EXIT;
if (pair[0] == 0)
return HYDRA_EMPTY;
}
return pair;
}
@ -1292,23 +1291,19 @@ void hydra_set_srcport(int32_t port) { src_port = port; }
#ifdef HAVE_PCRE
int32_t hydra_string_match(char *str, const char *regex) {
pcre2_code *re = NULL;
int32_t error_code = 0;
PCRE2_SIZE error_offset;
pcre *re = NULL;
int32_t offset_error = 0;
const char *error = NULL;
int32_t rc = 0;
re = pcre2_compile(regex, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS | PCRE2_DOTALL, &error_code, &error_offset, NULL);
re = pcre_compile(regex, PCRE_CASELESS | PCRE_DOTALL, &error, &offset_error, NULL);
if (re == NULL) {
fprintf(stderr, "[ERROR] PCRE compilation failed at offset %d: %d\n", error_offset, error_code);
fprintf(stderr, "[ERROR] PCRE compilation failed at offset %d: %s\n", offset_error, error);
return 0;
}
pcre2_match_data *match_data = pcre2_match_data_create_from_pattern(re, NULL);
rc = pcre2_match(re, str, PCRE2_ZERO_TERMINATED, 0, 0, match_data, NULL);
pcre2_match_data_free(match_data);
pcre2_code_free(re);
if (rc >= 1) {
rc = pcre_exec(re, NULL, str, strlen(str), 0, 0, NULL, 0);
if (rc >= 0) {
return 1;
}
return 0;

18
hydra-mongodb.c
View file

@ -14,7 +14,6 @@ void dummy_mongodb() { printf("\n"); }
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
char *buf;
@ -73,17 +72,10 @@ int32_t start_mongodb(int32_t s, char *ip, int32_t port, unsigned char options,
mongoc_log_set_handler(NULL, NULL);
bson_init(&q);
if (login[0] == '\0' && pass[0] == '\0') {
snprintf(uri, sizeof(uri), "mongodb://%s:%d/?authSource=%s", hydra_address2string(ip), port, miscptr);
} else {
snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s:%d/?authSource=%s", login, pass, hydra_address2string(ip), port, miscptr);
}
snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s:%d/?authSource=%s", login, pass, hydra_address2string(ip), port, miscptr);
client = mongoc_client_new(uri);
if (!client) {
hydra_completed_pair_skip();
if (!client)
return 3;
}
mongoc_client_set_appname(client, "hydra");
collection = mongoc_client_get_collection(client, miscptr, "test");
@ -98,11 +90,11 @@ int32_t start_mongodb(int32_t s, char *ip, int32_t port, unsigned char options,
mongoc_collection_destroy(collection);
mongoc_client_destroy(client);
mongoc_cleanup();
hydra_completed_pair();
hydra_completed_pair_skip();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
return 3;
}
return 1;
return 2;
}
}
@ -137,8 +129,6 @@ void service_mongodb(char *ip, int32_t sp, unsigned char options, char *miscptr,
switch (run) {
case 1:
next_run = start_mongodb(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 2:
hydra_child_exit(0);

51
hydra-mssql.c
View file

@ -1,14 +1,10 @@
#include "hydra-mod.h"
extern char *HYDRA_EXIT;
char *buf;
#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
#include <sybdb.h>
#include <sybfront.h>
#endif
#define MSLEN 30
extern char *HYDRA_EXIT;
char *buf;
unsigned char p_hdr[] = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
@ -60,7 +56,6 @@ unsigned char p_lng[] = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"
int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *login, *pass, buffer[1024];
char *ipaddr_str = hydra_address2string(ip);
char ms_login[MSLEN + 1];
char ms_pass[MSLEN + 1];
unsigned char len_login, len_pass;
@ -70,42 +65,6 @@ int32_t start_mssql(int32_t s, char *ip, int32_t port, unsigned char options, ch
login = empty;
if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)){
DBPROCESS *dbproc;
LOGINREC *attempt;
attempt = dblogin();
DBSETLUSER(attempt, login);
DBSETLPWD(attempt, pass);
// Connect without specifying a database
dbproc = dbopen(attempt, ipaddr_str);
if (dbproc != NULL) {
dbclose(dbproc);
dbexit();
hydra_report_found_host(port, ip, "mssql", fp);
hydra_completed_pair_found();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}
#else
if ((strlen(login) > MSLEN) || (strlen(pass) > MSLEN)){
fprintf(stderr,"[WARNING] To crack credentials longer than 30 characters, install freetds and recompile\n");
}
#endif
if (strlen(login) > MSLEN)
login[MSLEN - 1] = 0;
if (strlen(pass) > MSLEN)
@ -160,10 +119,6 @@ void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, F
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_MSSQL, mysslport = PORT_MSSQL_SSL;
#if defined(HAVE_SYBFRONT) && defined(HAVE_SYBDB)
dbinit();
#endif
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;

3
hydra-mysql.c
View file

@ -35,7 +35,6 @@ char *hydra_scramble(char *to, const char *message, const char *password);
extern int32_t internal__hydra_recv(int32_t socket, char *buf, int32_t length);
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
char mysqlsalt[9];
@ -333,8 +332,6 @@ void service_mysql(char *ip, int32_t sp, unsigned char options, char *miscptr, F
break;
case 2: /* run the cracking function */
next_run = start_mysql(sock, ip, port, options, miscptr, fp);
if ((next_run == 1 || next_run == 2) && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3: /* clean exit */
if (sock >= 0) {

3
hydra-oracle-listener.c
View file

@ -19,7 +19,6 @@ void dummy_oracle_listener() { printf("\n"); }
#include <openssl/des.h>
#define HASHSIZE 17
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
char *buf;
unsigned char *hash;
@ -305,8 +304,6 @@ void service_oracle_listener(char *ip, int32_t sp, unsigned char options, char *
}
/* run the cracking function */
next_run = start_oracle_listener(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3: /* clean exit */
if (sock >= 0)

3
hydra-oracle-sid.c
View file

@ -16,7 +16,6 @@ void dummy_oracle_sid() { printf("\n"); }
#include <openssl/des.h>
#define HASHSIZE 16
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
char *buf;
unsigned char *hash;
@ -114,8 +113,6 @@ void service_oracle_sid(char *ip, int32_t sp, unsigned char options, char *miscp
}
/* run the cracking function */
next_run = start_oracle_sid(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3: /* clean exit */
if (sock >= 0)

3
hydra-oracle.c
View file

@ -21,7 +21,6 @@ void dummy_oracle() { printf("\n"); }
#include <stdbool.h>
#include <sys/types.h>
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
OCIEnv *o_environment;
@ -166,8 +165,6 @@ void service_oracle(char *ip, int32_t sp, unsigned char options, char *miscptr,
break;
case 2:
next_run = start_oracle(sock, ip, port, options, miscptr, fp);
if ((next_run == 1 || next_run == 2) && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3: /* clean exit */
if (sock >= 0)

2
hydra-pop3.c
View file

@ -109,7 +109,7 @@ char *pop3_read_server_capacity(int32_t sock) {
buf[strlen(buf) - 1] = 0;
if (buf[strlen(buf) - 1] == '\r')
buf[strlen(buf) - 1] = 0;
if (buf[strlen(buf) - 1] == '.' || *(ptr) == '.' || *(ptr) == '-')
if (*(ptr) == '.' || *(ptr) == '-')
resp = 1;
}
}

5
hydra-postgres.c
View file

@ -16,7 +16,6 @@ void dummy_postgres() { printf("\n"); }
#define DEFAULT_DB "template1"
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
@ -41,7 +40,7 @@ int32_t start_postgres(int32_t s, char *ip, int32_t port, unsigned char options,
* Building the connection string
*/
snprintf(connection_string, sizeof(connection_string), "host = '%s' port = '%d' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), port, database, login, pass);
snprintf(connection_string, sizeof(connection_string), "host = '%s' dbname = '%s' user = '%s' password = '%s' ", hydra_address2string(ip), database, login, pass);
if (verbose)
hydra_report(stderr, "connection string: %s\n", connection_string);
@ -100,8 +99,6 @@ void service_postgres(char *ip, int32_t sp, unsigned char options, char *miscptr
* Here we start the password cracking process
*/
next_run = start_postgres(sock, ip, port, options, miscptr, fp);
if ((next_run == 2 || next_run == 1) && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3:
if (sock >= 0)

1
hydra-radmin2.c
View file

@ -366,7 +366,6 @@ void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr,
hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int32_t)getpid());
hydra_child_exit(2);
}
free(msg);
}
#endif
}

42
hydra-rdp.c
View file

@ -9,37 +9,27 @@
#include "hydra-mod.h"
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
#ifndef LIBFREERDP
void dummy_rdp() { printf("\n"); }
#else
#include <freerdp/freerdp.h>
#include <freerdp/version.h>
freerdp *instance = 0;
BOOL rdp_connect(char *server, int32_t port, char *domain, char *login, char *password) {
int32_t err = 0;
rdpSettings* settings = instance->context->settings;
settings->Username = login;
settings->Password = password;
settings->IgnoreCertificate = TRUE;
instance->settings->Username = login;
instance->settings->Password = password;
instance->settings->IgnoreCertificate = TRUE;
if (password[0] == 0)
settings->AuthenticationOnly = FALSE;
instance->settings->AuthenticationOnly = FALSE;
else
settings->AuthenticationOnly = TRUE;
settings->ServerHostname = server;
settings->ServerPort = port;
settings->Domain = domain;
#if FREERDP_VERSION_MAJOR == 2
settings->MaxTimeInCheckLoop = 100;
#endif
// freerdp timeout format is microseconds -> default:15000
settings->TcpConnectTimeout = hydra_options.waittime * 1000;
settings->TlsSecLevel = 0;
instance->settings->AuthenticationOnly = TRUE;
instance->settings->ServerHostname = server;
instance->settings->ServerPort = port;
instance->settings->Domain = domain;
instance->settings->MaxTimeInCheckLoop = 100;
freerdp_connect(instance);
err = freerdp_get_last_error(instance->context);
return err;
@ -68,8 +58,7 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr,
}
login_result = rdp_connect(server, port, domain, login, pass);
if (debug)
hydra_report(stderr, "[DEBUG] rdp reported %08x\n", login_result);
if (debug) hydra_report(stderr, "[DEBUG] rdp reported %08x\n", login_result);
switch (login_result) {
case 0:
// login success
@ -82,10 +71,6 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr,
// login failure
hydra_completed_pair();
break;
case 0x0002000f:
// login failure
hydra_completed_pair_skip();
break;
case 0x0002000d:
hydra_report(stderr,
"[%d][rdp] account on %s might be valid but account not "
@ -114,7 +99,6 @@ int32_t start_rdp(char *ip, int32_t port, unsigned char options, char *miscptr,
void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
int32_t run = 1, next_run = 1;
int32_t myport = PORT_RDP;
int32_t __first_rdp_connect = 1;
if (port != 0)
myport = port;
@ -126,13 +110,7 @@ void service_rdp(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
next_run = 0;
switch (run) {
case 1: /* run the cracking function */
if (__first_rdp_connect != 0)
__first_rdp_connect = 0;
else
sleep(hydra_options.conwait);
next_run = start_rdp(ip, myport, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 2: /* clean exit */
freerdp_disconnect(instance);

5
hydra-redis.c
View file

@ -24,11 +24,6 @@ int32_t start_redis(int32_t s, char *ip, int32_t port, unsigned char options, ch
return 1;
}
buf = hydra_receive_line(s);
if (buf == NULL) {
hydra_report(stderr, "[ERROR] Failed to receive response from Redis server.\n");
return 3;
}
if (buf[0] == '+') {
hydra_report_found_host(port, ip, "redis", fp);
hydra_completed_pair_found();

71
hydra-rtsp.c
View file

@ -6,10 +6,6 @@
//
//
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include "hydra-mod.h"
#include "sasl.h"
#include <stdio.h>
@ -20,7 +16,7 @@ char packet[500];
char packet2[500];
int32_t is_Unauthorized(char *s) {
if (strcasestr(s, "401 Unauthorized") != NULL) {
if (strstr(s, "401 Unauthorized") != NULL) {
return 1;
} else {
return 0;
@ -28,7 +24,7 @@ int32_t is_Unauthorized(char *s) {
}
int32_t is_NotFound(char *s) {
if (strcasestr(s, "404 Stream") != NULL || strcasestr(s, "404 Not") != NULL) {
if (strstr(s, "404 Stream Not Found") != NULL) {
return 1;
} else {
return 0;
@ -36,7 +32,7 @@ int32_t is_NotFound(char *s) {
}
int32_t is_Authorized(char *s) {
if (strcasestr(s, "200 OK") != NULL) {
if (strstr(s, "200 OK") != NULL) {
return 1;
} else {
return 0;
@ -44,7 +40,7 @@ int32_t is_Authorized(char *s) {
}
int32_t use_Basic_Auth(char *s) {
if (strcasestr(s, "WWW-Authenticate: Basic") != NULL) {
if (strstr(s, "WWW-Authenticate: Basic") != NULL) {
return 1;
} else {
return 0;
@ -52,7 +48,7 @@ int32_t use_Basic_Auth(char *s) {
}
int32_t use_Digest_Auth(char *s) {
if (strcasestr(s, "WWW-Authenticate: Digest") != NULL) {
if (strstr(s, "WWW-Authenticate: Digest") != NULL) {
return 1;
} else {
return 0;
@ -108,37 +104,42 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
} else {
create_core_packet(1, ip, port);
if (use_Digest_Auth(lresp) == 1) {
char aux[500] = "", dbuf[500] = "", *result = NULL;
char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest ");
strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux));
aux[sizeof(aux) - 1] = '\0';
free(lresp);
#ifdef LIBOPENSSL
result = sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
#else
hydra_report(stderr, "[ERROR] Digest auth required but compiled "
"without OpenSSL/MD5 support\n");
return 3;
#endif
if (result == NULL) {
hydra_report(stderr, "[ERROR] digest generation failed\n");
return 3;
}
sprintf(buffer, "%.500sAuthorization: Digest %.500s\r\n\r\n", packet2, dbuf);
if (debug)
hydra_report(stderr, "C:%s\n", buffer);
} else if (use_Basic_Auth(lresp) == 1) {
if (use_Basic_Auth(lresp) == 1) {
free(lresp);
sprintf(buffer2, "%.249s:%.249s", login, pass);
hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2));
sprintf(buffer, "%.500sAuthorization: : Basic %.500s\r\n\r\n", packet2, buffer2);
if (debug)
if (debug) {
hydra_report(stderr, "C:%s\n", buffer);
}
} else {
hydra_report(stderr, "[ERROR] unknown authentication protocol\n");
return 1;
if (use_Digest_Auth(lresp) == 1) {
char aux[500] = "", dbuf[500] = "", *result = NULL;
char *pbuffer = hydra_strcasestr(lresp, "WWW-Authenticate: Digest ");
strncpy(aux, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(aux));
aux[sizeof(aux) - 1] = '\0';
free(lresp);
#ifdef LIBOPENSSL
result = sasl_digest_md5(dbuf, login, pass, aux, miscptr, "rtsp", hydra_address2string(ip), port, "");
#else
hydra_report(stderr, "[ERROR] Digest auth required but compiled "
"without OpenSSL/MD5 support\n");
return 3;
#endif
if (result == NULL) {
hydra_report(stderr, "[ERROR] digest generation failed\n");
return 3;
}
sprintf(buffer, "%.500sAuthorization: Digest %.500s\r\n\r\n", packet2, dbuf);
if (debug) {
hydra_report(stderr, "C:%s\n", buffer);
}
}
}
if (strlen(buffer) == 0) {
@ -158,7 +159,7 @@ int32_t start_rtsp(int32_t s, char *ip, int32_t port, unsigned char options, cha
return 1;
}
if (is_NotFound(lresp) || is_Authorized(lresp)) {
if ((is_NotFound(lresp))) {
free(lresp);
hydra_completed_pair_found();

3
hydra-sapr3.c
View file

@ -14,7 +14,6 @@ const int32_t *__ctype_b;
extern void flood(); /* for -lm */
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
RFC_ERROR_INFO_EX error_info;
@ -100,8 +99,6 @@ void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, F
switch (run) {
case 1: /* connect and service init function */
next_run = start_sapr3(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 2:
hydra_child_exit(0);

11
hydra-smb.c
View file

@ -1280,8 +1280,8 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
} else if (SMBerr == 0x000193) { /* Valid password, account expired */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Valid password, account expired\n", port, ipaddr_str, login);
hydra_report_found_host(port, ip, "smb", fp);
hydra_completed_pair_skip();
} else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, password expired */
hydra_completed_pair_found();
} else if ((SMBerr == 0x000224) || (SMBerr == 0xC20002)) { /* Valid password, account expired */
hydra_report(stdout,
"[%d][smb] Host: %s Account: %s Valid password, password "
"expired and must be changed on next logon\n",
@ -1304,13 +1304,14 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
hydra_report(stderr, "[INFO] LM dialect may be disabled, try LMV2 instead\n");
hydra_completed_pair_skip();
} else if (SMBerr == 0x000024) { /* change password on next login [success] */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Information: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login);
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD\n", port, ipaddr_str, login);
hydra_completed_pair_found();
} else if (SMBerr == 0x00006D) { /* STATUS_LOGON_FAILURE */
hydra_completed_pair();
} else if (SMBerr == 0x000071) { /* password expired */
hydra_report(stdout, "[%d][smb] Host: %s Account: %s Information: PASSWORD EXPIRED\n", port, ipaddr_str, login);
hydra_completed_pair_found();
if (verbose)
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED\n", port, ipaddr_str, login);
hydra_completed_pair_skip();
} else if ((SMBerr == 0x000072) || (SMBerr == 0xBF0002)) { /* account disabled */ /* BF0002 on w2k */
if (verbose)
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: ACCOUNT_DISABLED\n", port, ipaddr_str, login);

13
hydra-smb2.c
View file

@ -27,7 +27,6 @@
#include <stdio.h>
#include <string.h>
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
typedef struct creds {
@ -127,11 +126,6 @@ bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) {
*/
switch (errno) {
case 0:
// maybe false positive? unclear ... :( ... needs more testing
smbc_free_context(ctx, 1);
return true;
break;
case ENOENT:
// Noticed this when connecting to older samba servers on linux
// where any credentials are accepted.
@ -174,15 +168,10 @@ bool smb2_run_test(creds_t *cr, const char *server, uint16_t port) {
}
void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
static int first_run = 0;
hydra_register_socket(sp);
while (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT))) {
char *login, *pass;
if (first_run && hydra_options.conwait)
sleep(hydra_options.conwait);
login = hydra_get_next_login();
pass = hydra_get_next_password();
@ -197,8 +186,6 @@ void service_smb2(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
} else {
hydra_completed_pair();
}
first_run = 1;
}
EXIT_NORMAL;
}

10
hydra-smtp.c
View file

@ -61,10 +61,6 @@ int32_t start_smtp(int32_t s, char *ip, int32_t port, unsigned char options, cha
return 1;
if (strstr(buf, "334") == NULL) {
hydra_report(stderr, "[ERROR] SMTP PLAIN AUTH : %s\n", buf);
if (strstr(buf, "503") != NULL) {
free(buf);
return 4;
}
free(buf);
return 3;
}
@ -442,12 +438,6 @@ void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FI
}
hydra_child_exit(0);
return;
case 4: /* error exit */
if (sock >= 0) {
sock = hydra_disconnect(sock);
}
hydra_child_exit(3);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(0);

8
hydra-ssh.c
View file

@ -47,9 +47,6 @@ int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char
ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
// might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list
ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256");
ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256");
if (ssh_connect(session) != 0) {
// if the connection was drop, exit and let hydra main handle it
if (verbose)
@ -122,8 +119,6 @@ void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
switch (run) {
case 1: /* connect and service init function */
next_run = start_ssh(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 2:
ssh_disconnect(session);
@ -195,9 +190,6 @@ int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *misc
ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime);
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
// might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list
ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256");
ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256");
if (ssh_connect(session) != 0) {
fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string_beautiful(ip), port, ssh_get_error(session));
return 2;

3
hydra-sshkey.c
View file

@ -16,7 +16,6 @@ void dummy_sshkey() { printf("\n"); }
#if LIBSSH_VERSION_MAJOR >= 0 && LIBSSH_VERSION_MINOR >= 4
extern ssh_session session;
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
extern int32_t new_session;
@ -118,8 +117,6 @@ void service_sshkey(char *ip, int32_t sp, unsigned char options, char *miscptr,
switch (run) {
case 1: /* connect and service init function */
next_run = start_sshkey(sock, ip, port, options, miscptr, fp);
if (next_run == 1 && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 2:
ssh_disconnect(session);

5
hydra-svn.c
View file

@ -4,9 +4,7 @@
#ifdef LIBSVN
/* needed on openSUSE */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#if !defined PATH_MAX && defined HAVE_SYS_PARAM_H
#include <sys/param.h>
@ -32,7 +30,6 @@ void dummy_svn() { printf("\n"); }
extern int32_t hydra_data_ready_timed(int32_t socket, long sec, long usec);
extern hydra_option hydra_options;
extern char *HYDRA_EXIT;
#define DEFAULT_BRANCH "trunk"
@ -198,8 +195,6 @@ void service_svn(char *ip, int32_t sp, unsigned char options, char *miscptr, FIL
break;
case 2:
next_run = start_svn(sock, ip, port, options, miscptr, fp);
if ((next_run == 1 || next_run == 2) && hydra_options.conwait)
sleep(hydra_options.conwait);
break;
case 3:
if (sock >= 0)

4
hydra-wizard.sh
View file

@ -33,10 +33,10 @@ test -e "$pass" && passs="-P $pass"
test -e "$pass" || passs="-p $pass"
test -n "$port" && ports="-s $port"
test -n "$pw" && pws="-e $pw"
test -n "$opt" && { opts="-m $opt" ; dopts="-m '$opt'" ; }
test -n "$opt" && opts="-m '$opt'"
echo The following command will be executed now:
echo " hydra $users $passs -u $pws $ports $dopts $targets $service"
echo " hydra $users $passs -u $pws $ports $opts $targets $service"
echo
read -p "Do you want to run the command now? [Y/n] " yn
test "$yn" = "n" -o "$yn" = "N" && { echo Exiting. ; exit 0 ; }

2
hydra.1
View file

@ -1,4 +1,4 @@
.TH "HYDRA" "1" "01/01/2023"
.TH "HYDRA" "1" "01/01/2022"
.SH NAME
hydra \- a very fast network logon cracker which supports many different services
.SH SYNOPSIS

306
hydra.c
View file

@ -1,5 +1,5 @@
/*
* hydra (c) 2001-2023 by van Hauser / THC <vh@thc.org>
* hydra (c) 2001-2022 by van Hauser / THC <vh@thc.org>
* https://github.com/vanhauser-thc/thc-hydra
*
* Parallized network login hacker.
@ -228,7 +228,7 @@ char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs fire
#define RESTOREFILE "./hydra.restore"
#define PROGRAM "Hydra"
#define VERSION "v9.6dev"
#define VERSION "v9.3"
#define AUTHOR "van Hauser/THC"
#define EMAIL "<vh@thc.org>"
#define AUTHOR2 "David Maciejak"
@ -267,7 +267,6 @@ typedef struct {
typedef struct {
char *target;
char *miscptr;
char ip[36];
char *login_ptr;
char *pass_ptr;
@ -344,11 +343,6 @@ int32_t prefer_ipv6 = 0, conwait = 0, loop_cnt = 0, fck = 0, options = 0, killed
int32_t child_head_no = -1, child_socket;
int32_t total_redo_count = 0;
// requred for distributed attack capability
uint32_t num_segments = 0;
uint32_t my_segment = 0;
char junk_file[50];
// moved for restore feature
int32_t process_restore = 0, dont_unlink;
char *login_ptr = NULL, *pass_ptr = "", *csv_ptr = NULL, *servers_ptr = NULL;
@ -394,7 +388,7 @@ static const struct {
{"http-get-form", service_http_form_init, service_http_get_form, usage_http_form},
{"http-head", service_http_init, service_http_head, NULL},
{"http-form", service_http_form_init, NULL, usage_http_form},
{"http-post", service_http_init, service_http_post, usage_http},
{"http-post", NULL, service_http_post, usage_http},
{"http-post-form", service_http_form_init, service_http_post_form, usage_http_form},
SERVICE3("http-proxy", http_proxy),
SERVICE3("http-proxy-urlenum", http_proxy_urlenum),
@ -525,8 +519,6 @@ void help(int32_t ext) {
"instead of -L/-P options\n"
" -M FILE list of servers to attack, one entry per "
"line, ':' to specify port\n");
PRINT_NORMAL(ext, " -D XofY Divide wordlist into Y segments and use the "
"Xth segment.\n");
PRINT_EXTEND(ext, " -o FILE write found login/password pairs to FILE instead of stdout\n"
" -b FORMAT specify the format for the -o FILE: text(default), json, "
"jsonv1\n"
@ -1034,7 +1026,7 @@ void killed_childs(int32_t signo) {
int32_t pid, i;
killed++;
pid = waitpid(-1, NULL, WNOHANG);
pid = wait3(NULL, WNOHANG, NULL);
for (i = 0; i < hydra_options.max_use; i++) {
if (pid == hydra_heads[i]->pid) {
hydra_heads[i]->pid = -1;
@ -1182,12 +1174,13 @@ void hydra_service_init(int32_t target_no) {
int32_t x = 99;
int32_t i;
hydra_target *t = hydra_targets[target_no];
char *miscptr = hydra_options.miscptr;
FILE *ofp = hydra_brains.ofp;
for (i = 0; x == 99 && i < sizeof(services) / sizeof(services[0]); i++) {
if (strcmp(hydra_options.service, services[i].name) == 0) {
if (services[i].init) {
x = services[i].init(t->ip, -1, options, t->miscptr, ofp, t->port, t->target);
x = services[i].init(t->ip, -1, options, miscptr, ofp, t->port, t->target);
break;
}
}
@ -1271,13 +1264,13 @@ int32_t hydra_spawn_head(int32_t head_no, int32_t target_no) {
hydra_target *t = hydra_targets[target_no];
int32_t sp = hydra_heads[head_no]->sp[1];
// char *miscptr = hydra_options.miscptr;
char *miscptr = hydra_options.miscptr;
FILE *ofp = hydra_brains.ofp;
hydra_target *head_target = hydra_targets[hydra_heads[head_no]->target_no];
for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) {
if (strcmp(hydra_options.service, services[i].name) == 0) {
if (services[i].exec) {
services[i].exec(t->ip, sp, options, t->miscptr, ofp, t->port, head_target->target);
services[i].exec(t->ip, sp, options, miscptr, ofp, t->port, head_target->target);
// just in case a module returns (which it shouldnt) we let it exit
// here
exit(-1);
@ -1454,7 +1447,7 @@ void hydra_kill_head(int32_t head_no, int32_t killit, int32_t fail) {
// hydra_targets[hydra_heads[head_no]->target_no]->bfg_ptr[head_no] =
// NULL;
}
(void)waitpid(-1, NULL, WNOHANG);
(void)wait3(NULL, WNOHANG, NULL);
}
void hydra_increase_fail_count(int32_t target_no, int32_t head_no) {
@ -1527,13 +1520,13 @@ void hydra_increase_fail_count(int32_t target_no, int32_t head_no) {
hydra_heads[head_no]->current_login_ptr = empty_login;
hydra_heads[head_no]->current_pass_ptr = empty_login;
}
/*
hydra_targets[target_no]->fail_count--;
if (k < 5 && hydra_targets[target_no]->ok)
hydra_targets[target_no]->fail_count--;
if (k == 2 && hydra_targets[target_no]->ok)
hydra_targets[target_no]->fail_count--;
*/
/*
hydra_targets[target_no]->fail_count--;
if (k < 5 && hydra_targets[target_no]->ok)
hydra_targets[target_no]->fail_count--;
if (k == 2 && hydra_targets[target_no]->ok)
hydra_targets[target_no]->fail_count--;
*/
if (hydra_brains.targets <= hydra_brains.finished)
hydra_kill_head(head_no, 1, 0);
else {
@ -1598,80 +1591,13 @@ char *hydra_reverse_login(int32_t head_no, char *login) {
return hydra_heads[head_no]->reverse;
}
void delete_junk_files(){
remove(junk_file);
}
FILE *hydra_divide_file(FILE *file, uint32_t my_segment, uint32_t num_segments){
if(my_segment > num_segments){
fprintf(stderr, "[ERROR] in option -D XofY, X must not be greater than Y: %s\n", hydra_options.passfile);
return NULL;
}
FILE *output_file;
char line[500];
char output_file_name[50];
uint32_t line_number = 0;
double total_lines = countlines(file,0);
if(num_segments > total_lines){
fprintf(stderr, "[ERROR] in option -D XofY, Y must not be greater than the total number of lines in the file to be divided: %s\n", hydra_options.passfile);
return NULL;
}
double segment_size_double = total_lines / num_segments;
// round up segment_size_float to integer
uint64_t segment_size = (uint64_t)segment_size_double;
if(segment_size < segment_size_double)
segment_size++;
uint64_t segment_start = segment_size * (my_segment - 1) + 1;
uint64_t segment_end = segment_size * my_segment;
srand(time(NULL));
int filetag = rand();
sprintf(output_file_name, "segment_%d_%d.txt",filetag, my_segment);
output_file = fopen(output_file_name, "w");
if(!output_file){
fprintf(stderr, "[ERROR] Segment file empty: %s\n", hydra_options.passfile);
return NULL;
}
strcpy(junk_file, output_file_name);
atexit(delete_junk_files);
while(fgets(line, sizeof line, file) != NULL && line_number < segment_end){
line_number++;
if(line_number >= segment_start && line_number <= segment_end)
fprintf(output_file, "%s", line);
}
rewind(file);
fclose(output_file);
output_file = fopen(output_file_name, "r");
return output_file;
}
int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) {
// variables moved to save stack
snpdone = 0;
snp_is_redo = 0;
snpdont = 0;
loop_cnt++;
if (hydra_heads[head_no]->redo == 1 && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) {
if (hydra_heads[head_no]->redo && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) {
hydra_heads[head_no]->redo = 0;
snp_is_redo = 1;
snpdone = 1;
@ -1703,7 +1629,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) {
return -1;
}
if (hydra_heads[head_no]->redo == 1 && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) {
if (hydra_heads[head_no]->redo && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) {
hydra_heads[head_no]->redo = 0;
snp_is_redo = 1;
snpdone = 1;
@ -1712,7 +1638,7 @@ int32_t hydra_send_next_pair(int32_t target_no, int32_t head_no) {
printf("[COMPLETED] target %s - login \"%s\" - pass \"%s\" - child %d - "
"%" hPRIu64 " of %" hPRIu64 "\n",
hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, head_no, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo);
// hydra_heads[head_no]->redo = 0;
hydra_heads[head_no]->redo = 0;
if (hydra_targets[target_no]->redo_state > 0) {
if (hydra_targets[target_no]->redo_state <= hydra_targets[target_no]->redo) {
hydra_heads[head_no]->current_pass_ptr = hydra_targets[target_no]->redo_pass[hydra_targets[target_no]->redo_state - 1];
@ -2119,7 +2045,7 @@ void process_proxy_line(int32_t type, char *string) {
string[strlen(string) - 1] = 0;
if (string[strlen(string) - 1] == '\r')
string[strlen(string) - 1] = 0;
if (proxy_count >= MAX_PROXY_COUNT) {
if (proxy_count > MAX_PROXY_COUNT) {
fprintf(stderr, "[WARNING] maximum amount of proxies loaded, ignoring this entry: %s\n", string);
return;
}
@ -2245,13 +2171,13 @@ void process_proxy_line(int32_t type, char *string) {
int main(int argc, char *argv[]) {
char *proxy_string = NULL, *device = NULL, *memcheck;
char *outfile_format_tmp;
FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp, *filecloser=NULL;
FILE *lfp = NULL, *pfp = NULL, *cfp = NULL, *ifp = NULL, *rfp = NULL, *proxyfp;
size_t countinfile = 1, sizeinfile = 0;
uint64_t math2;
int32_t i = 0, j = 0, k, error = 0, modusage = 0, ignore_restore = 0, do_switch;
int32_t head_no = 0, target_no = 0, exit_condition = 0, readres;
time_t starttime, elapsed_status, elapsed_restore, status_print = 59, tmp_time;
char *tmpptr, *tmpptr2, *tmpptr3;
char *tmpptr, *tmpptr2;
char rc, buf[MAXBUF];
time_t last_attempt = 0;
fd_set fdreadheads;
@ -2260,7 +2186,7 @@ int main(int argc, char *argv[]) {
struct sockaddr_in6 *ipv6 = NULL;
struct sockaddr_in *ipv4 = NULL;
printf("%s %s (c) 2023 by %s & %s - Please do not use in military or secret "
printf("%s %s (c) 2022 by %s & %s - Please do not use in military or secret "
"service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\n",
PROGRAM, VERSION, AUTHOR, AUTHOR2);
#ifndef LIBAFP
@ -2381,7 +2307,6 @@ int main(int argc, char *argv[]) {
hydra_options.loginfile = NULL;
hydra_options.pass = NULL;
hydra_options.passfile = NULL;
hydra_options.distributed = NULL;
hydra_options.tasks = TASKS;
hydra_options.max_use = MAXTASKS;
hydra_options.outfile_format = FORMAT_PLAIN_TEXT;
@ -2395,18 +2320,8 @@ int main(int argc, char *argv[]) {
help(1);
if (argc < 2)
help(0);
while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:D:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:K")) >= 0) {
while ((i = getopt(argc, argv, "hIq64Rrde:vVl:fFg:L:p:OP:o:b:M:C:t:T:m:w:W:s:SUux:yc:K")) >= 0) {
switch (i) {
case 'D':
hydra_options.distributed = optarg;
if (sscanf(hydra_options.distributed, "%dof%d", &my_segment, &num_segments) != 2) {
fprintf(stderr, "Invalid format. Expected format -D XofY where X and Y are integers.\n");
exit(EXIT_FAILURE);
}
else{
fprintf(stdout, "Option \'D\': successfully set X to %d and Y to %d\n", my_segment, num_segments);
}
break;
case 'h':
help(1);
break;
@ -3286,79 +3201,77 @@ int main(int argc, char *argv[]) {
bail("Compiled without SSL support, module not available");
#endif
}
if (hydra_options.infile_ptr == NULL) {
if (hydra_options.miscptr == NULL) {
fprintf(stderr, "[WARNING] You must supply the web page as an "
"additional option or via -m, default path set to /\n");
hydra_options.miscptr = malloc(2);
hydra_options.miscptr = "/";
if (hydra_options.miscptr == NULL) {
fprintf(stderr, "[WARNING] You must supply the web page as an "
"additional option or via -m, default path set to /\n");
hydra_options.miscptr = malloc(2);
hydra_options.miscptr = "/";
}
// if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr,
// "://") == NULL)
// bail("The web page you supplied must start with a \"/\", \"http://\"
// or \"https://\", e.g. \"/protected/login\"");
if (hydra_options.miscptr[0] != '/')
bail("optional parameter must start with a '/' slash!\n");
if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY"))
bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - "
"you can use only ONE for the service http-head/http-get!");
if (getenv("HYDRA_PROXY_HTTP")) {
printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP"));
use_proxy = 1;
}
if (strstr(hydra_options.miscptr, "\\:") != NULL) {
fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module "
"option, no parameter verification is performed.\n");
} else {
sprintf(bufferurl, "%.6000s", hydra_options.miscptr);
url = strtok(bufferurl, ":");
variables = strtok(NULL, ":");
cond = strtok(NULL, ":");
optional1 = strtok(NULL, "\n");
if ((variables == NULL) || (strstr(variables, "^USER^") == NULL && strstr(variables, "^PASS^") == NULL && strstr(variables, "^USER64^") == NULL && strstr(variables, "^PASS64^") == NULL)) {
fprintf(stderr,
"[ERROR] the variables argument needs at least the strings "
"^USER^, ^PASS^, ^USER64^ or ^PASS64^: %s\n",
STR_NULL(variables));
exit(-1);
}
// if (*hydra_options.miscptr != '/' && strstr(hydra_options.miscptr,
// "://") == NULL)
// bail("The web page you supplied must start with a \"/\", \"http://\"
// or \"https://\", e.g. \"/protected/login\"");
if (hydra_options.miscptr[0] != '/')
bail("optional parameter must start with a '/' slash!\n");
if (getenv("HYDRA_PROXY_HTTP") && getenv("HYDRA_PROXY"))
bail("Found HYDRA_PROXY_HTTP *and* HYDRA_PROXY environment variables - "
"you can use only ONE for the service http-head/http-get!");
if (getenv("HYDRA_PROXY_HTTP")) {
printf("[INFO] Using HTTP Proxy: %s\n", getenv("HYDRA_PROXY_HTTP"));
use_proxy = 1;
if ((url == NULL) || (cond == NULL)) {
fprintf(stderr,
"[ERROR] Wrong syntax, requires three arguments separated by "
"a colon which may not be null: %s\n",
bufferurl);
exit(-1);
}
if (strstr(hydra_options.miscptr, "\\:") != NULL) {
fprintf(stderr, "[INFORMATION] escape sequence \\: detected in module "
"option, no parameter verification is performed.\n");
} else {
sprintf(bufferurl, "%.6000s", hydra_options.miscptr);
url = strtok(bufferurl, ":");
variables = strtok(NULL, ":");
cond = strtok(NULL, ":");
optional1 = strtok(NULL, "\n");
if ((variables == NULL) || (strstr(variables, "^USER^") == NULL && strstr(variables, "^PASS^") == NULL && strstr(variables, "^USER64^") == NULL && strstr(variables, "^PASS64^") == NULL)) {
fprintf(stderr,
"[ERROR] the variables argument needs at least the strings "
"^USER^, ^PASS^, ^USER64^ or ^PASS64^: %s\n",
STR_NULL(variables));
while ((optional1 = strtok(NULL, ":")) != NULL) {
if (optional1[1] != '=' && optional1[1] != ':' && optional1[1] != 0) {
fprintf(stderr, "[ERROR] Wrong syntax of optional argument: %s\n", optional1);
exit(-1);
}
if ((url == NULL) || (cond == NULL)) {
fprintf(stderr,
"[ERROR] Wrong syntax, requires three arguments separated by "
"a colon which may not be null: %s\n",
bufferurl);
exit(-1);
}
while ((optional1 = strtok(NULL, ":")) != NULL) {
if (optional1[1] != '=' && optional1[1] != ':' && optional1[1] != 0) {
fprintf(stderr, "[ERROR] Wrong syntax of optional argument: %s\n", optional1);
switch (optional1[0]) {
case 'C': // fall through
case 'c':
if (optional1[1] != '=' || optional1[2] != '/') {
fprintf(stderr,
"[ERROR] Wrong syntax of parameter C, must look like "
"'C=/url/of/page', not http:// etc.: %s\n",
optional1);
exit(-1);
}
switch (optional1[0]) {
case 'C': // fall through
case 'c':
if (optional1[1] != '=' || optional1[2] != '/') {
fprintf(stderr,
"[ERROR] Wrong syntax of parameter C, must look like "
"'C=/url/of/page', not http:// etc.: %s\n",
optional1);
exit(-1);
}
break;
case 'H': // fall through
case 'h':
if (optional1[1] != '=' || strtok(NULL, ":") == NULL) {
fprintf(stderr,
"[ERROR] Wrong syntax of parameter H, must look like "
"'H=X-My-Header: MyValue', no http:// : %s\n",
optional1);
exit(-1);
}
break;
default:
fprintf(stderr, "[ERROR] Unknown optional argument: %s\n", optional1);
break;
case 'H': // fall through
case 'h':
if (optional1[1] != '=' || strtok(NULL, ":") == NULL) {
fprintf(stderr,
"[ERROR] Wrong syntax of parameter H, must look like "
"'H=X-My-Header: MyValue', no http:// : %s\n",
optional1);
exit(-1);
}
break;
default:
fprintf(stderr, "[ERROR] Unknown optional argument: %s\n", optional1);
}
}
}
@ -3408,7 +3321,8 @@ int main(int argc, char *argv[]) {
hydra_options.port = port;
}
if (hydra_options.login == NULL && hydra_options.loginfile == NULL && hydra_options.colonfile == NULL)
if (hydra_options.login == NULL && hydra_options.loginfile == NULL &&
hydra_options.colonfile == NULL)
hydra_options.exit_found = 1;
if (hydra_options.ssl == 0 && hydra_options.port == 443)
@ -3489,13 +3403,6 @@ int main(int argc, char *argv[]) {
fprintf(stderr, "[ERROR] File for logins not found: %s\n", hydra_options.loginfile);
exit(-1);
}
else if (hydra_options.passfile == NULL){
if(my_segment && num_segments){
filecloser = lfp;
lfp = hydra_divide_file(lfp, my_segment, num_segments);
fclose(filecloser);
}
}
hydra_brains.countlogin = countlines(lfp, 0);
hydra_brains.sizelogin = size_of_data;
if (hydra_brains.countlogin == 0) {
@ -3528,11 +3435,6 @@ int main(int argc, char *argv[]) {
fprintf(stderr, "[ERROR] File for passwords not found: %s\n", hydra_options.passfile);
exit(-1);
}
else if(my_segment && num_segments){
filecloser = pfp;
pfp = hydra_divide_file(pfp, my_segment, num_segments);
fclose(filecloser);
}
hydra_brains.countpass = countlines(pfp, 0);
hydra_brains.sizepass = size_of_data;
if (hydra_brains.countpass == 0) {
@ -3587,11 +3489,6 @@ int main(int argc, char *argv[]) {
fprintf(stderr, "[ERROR] File for colon files (login:pass) not found: %s\n", hydra_options.colonfile);
exit(-1);
}
else if(my_segment && num_segments){
filecloser = cfp;
cfp = hydra_divide_file(cfp, my_segment, num_segments);
fclose(filecloser);
}
hydra_brains.countlogin = countlines(cfp, 1);
hydra_brains.sizelogin = size_of_data;
if (hydra_brains.countlogin == 0) {
@ -3647,7 +3544,7 @@ int main(int argc, char *argv[]) {
fclose(rfp);
}
if (hydra_options.infile_ptr != NULL) {
if (hydra_options.infile_ptr != NULL) {
if ((ifp = fopen(hydra_options.infile_ptr, "r")) == NULL) {
fprintf(stderr, "[ERROR] File for targets not found: %s\n", hydra_options.infile_ptr);
exit(-1);
@ -3695,7 +3592,6 @@ int main(int argc, char *argv[]) {
}
} else
hydra_targets[i]->target = tmpptr;
if ((tmpptr2 = strchr(tmpptr, ':')) != NULL) {
*tmpptr2++ = 0;
tmpptr = tmpptr2;
@ -3705,13 +3601,6 @@ int main(int argc, char *argv[]) {
}
if (hydra_targets[i]->port == 0)
hydra_targets[i]->port = hydra_options.port;
if ((tmpptr3 = strchr(tmpptr, '/')) != NULL) {
hydra_targets[i]->miscptr = tmpptr3;
}
else
hydra_targets[i]->miscptr = "/";
while (*tmpptr != 0)
tmpptr++;
tmpptr++;
@ -3734,7 +3623,6 @@ int main(int argc, char *argv[]) {
memset(hydra_targets[0], 0, sizeof(hydra_target));
hydra_targets[0]->target = servers_ptr = hydra_options.server;
hydra_targets[0]->port = hydra_options.port;
hydra_targets[0]->miscptr = hydra_options.miscptr;
sizeservers = strlen(hydra_options.server) + 1;
} else {
/* CIDR notation on command line, e.g. 192.168.0.0/24 */
@ -3779,7 +3667,6 @@ int main(int argc, char *argv[]) {
memcpy(&target.sin_addr.s_addr, (char *)&addr_cur2, 4);
hydra_targets[i]->target = strdup(inet_ntoa((struct in_addr)target.sin_addr));
hydra_targets[i]->port = hydra_options.port;
hydra_targets[i]->miscptr = hydra_options.miscptr;
addr_cur++;
i++;
}
@ -3795,7 +3682,6 @@ int main(int argc, char *argv[]) {
memset(hydra_targets[0], 0, sizeof(hydra_target));
hydra_targets[0]->target = servers_ptr = hydra_options.server;
hydra_targets[0]->port = hydra_options.port;
hydra_targets[0]->miscptr = hydra_options.miscptr;
sizeservers = strlen(hydra_options.server) + 1;
}
for (i = 0; i < hydra_brains.targets; i++) {
@ -4062,7 +3948,7 @@ int main(int argc, char *argv[]) {
// restore device information if present (overwrite null bytes)
if (device != NULL) {
char *tmpptr = device - 1;
*tmpptr = '%'; // you can ignore the compiler warning
*tmpptr = '%'; // you can ignore the compiler warning
fprintf(stderr, "[WARNING] not all modules support BINDTODEVICE for IPv6 "
"link local addresses, e.g. SSH does not\n");
}
@ -4228,7 +4114,7 @@ int main(int argc, char *argv[]) {
} else if (hydra_heads[head_no]->current_pass_ptr == NULL || strlen(hydra_heads[head_no]->current_pass_ptr) == 0) {
printf("[%d][%s] host: %s login: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr);
} else
printf("[%d][%s] host: %s misc: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_targets[hydra_heads[head_no]->target_no]->miscptr, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr);
printf("[%d][%s] host: %s login: %s password: %s\n", hydra_targets[hydra_heads[head_no]->target_no]->port, hydra_options.service, hydra_targets[hydra_heads[head_no]->target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr);
}
if (hydra_options.outfile_format == FORMAT_JSONV1 && hydra_options.outfile_ptr != NULL && hydra_brains.ofp != NULL) {
fprintf(hydra_brains.ofp,
@ -4366,7 +4252,7 @@ int main(int argc, char *argv[]) {
// hydra_brains.sent);
usleepn(USLEEP_LOOP);
(void)waitpid(-1, NULL, WNOHANG);
(void)wait3(NULL, WNOHANG, NULL);
// write restore file and report status
if (process_restore == 1 && time(NULL) - elapsed_restore > 299) {
hydra_restore_write(0);
@ -4469,7 +4355,7 @@ int main(int argc, char *argv[]) {
for (i = 0; i < hydra_options.max_use; i++)
if (hydra_heads[i]->active == HEAD_ACTIVE && hydra_heads[i]->pid > 0)
hydra_kill_head(i, 1, 3);
(void)waitpid(-1, NULL, WNOHANG);
(void)wait3(NULL, WNOHANG, NULL);
#define STRMAX (10 * 1024)
char json_error[STRMAX + 2], tmp_str[STRMAX + 2];
@ -4523,4 +4409,4 @@ int main(int argc, char *argv[]) {
return -1;
else
return 0;
}
}

1
hydra.h
View file

@ -194,7 +194,6 @@ typedef struct {
int32_t cidr;
int32_t time_next_attempt;
output_format_t outfile_format;
char *distributed; // Use distributed computing by splitting user files on the fly
char *login;
char *loginfile;
char *pass;

2
pw-inspector.1
View file

@ -42,7 +42,7 @@ upcase characters (A,B,C,D, etc.)
numbers (1,2,3,4, etc.)
.TP
.B \-p
printable characters (which are not \-l/\-n/\-n, e.g. $,!,/,(,*, etc.)
printable characters (which are not \-l/\-n/\-p, e.g. $,!,/,(,*, etc.)
.TP
.B \ -s
special characters \- all others not withint the sets above

57
pw-inspector.c
View file

@ -30,7 +30,7 @@ void help() {
printf(" -l lowcase characters (a,b,c,d, etc.)\n");
printf(" -u upcase characters (A,B,C,D, etc.)\n");
printf(" -n numbers (1,2,3,4, etc.)\n");
printf(" -p printable characters (which are not -l/-u/-n, e.g. "
printf(" -p printable characters (which are not -l/-n/-p, e.g. "
"$,!,/,(,*, etc.)\n");
printf(" -s special characters - all others not within the sets "
"above\n");
@ -50,7 +50,7 @@ int main(int argc, char *argv[]) {
int32_t sets = 0, countsets = 0, minlen = 0, maxlen = MAXLENGTH, count = 0;
int32_t set_low = 0, set_up = 0, set_no = 0, set_print = 0, set_other = 0;
FILE *in = stdin, *out = stdout;
unsigned char buf[MAXLENGTH + 1];
char buf[MAXLENGTH + 1];
prg = argv[0];
if (argc < 2)
@ -124,9 +124,9 @@ int main(int argc, char *argv[]) {
if (countsets == 0)
countsets = sets;
while (fgets((void *)buf, sizeof(buf), in) != NULL) {
int is_low = 0, is_up = 0, is_no = 0, is_print = 0, is_other = 0;
if (!buf[0])
while (fgets(buf, sizeof(buf), in) != NULL) {
i = -1;
if (buf[0] == 0)
continue;
if (buf[strlen(buf) - 1] == '\n')
buf[strlen(buf) - 1] = 0;
@ -134,31 +134,40 @@ int main(int argc, char *argv[]) {
buf[strlen(buf) - 1] = 0;
if (strlen(buf) >= minlen && strlen(buf) <= maxlen) {
i = 0;
j = 1;
for (i = 0; i < strlen(buf) && j; i++) {
j = 0;
if (set_low && islower(buf[i])) {
j = 1;
is_low = 1;
} else if (set_up && isupper(buf[i])) {
j = 1;
is_up = 1;
} else if (set_no && isdigit(buf[i])) {
j = 1;
is_no = 1;
} else if (set_print && isprint(buf[i]) && !isalnum(buf[i])) {
j = 1;
is_print = 1;
} else if (set_other && !isprint(buf[i])) {
j = 1;
is_other = 1;
if (countsets > 0) {
if (set_low)
if (strpbrk(buf, "abcdefghijklmnopqrstuvwxyz") != NULL)
i++;
if (set_up)
if (strpbrk(buf, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != NULL)
i++;
if (set_no)
if (strpbrk(buf, "0123456789") != NULL)
i++;
if (set_print) {
j = 0;
for (k = 0; k < strlen(buf); k++)
if (isprint((int32_t)buf[k]) != 0 && isalnum((int32_t)buf[k]) == 0)
j = 1;
if (j)
i++;
}
if (set_other) {
j = 0;
for (k = 0; k < strlen(buf); k++)
if (isprint((int32_t)buf[k]) == 0 && isalnum((int32_t)buf[k]) == 0)
j = 1;
if (j)
i++;
}
}
if (j && countsets <= is_low + is_up + is_no + is_print + is_other) {
if (i >= countsets) {
fprintf(out, "%s\n", buf);
count++;
}
}
/* fprintf(stderr, "[DEBUG] i: %d minlen: %d maxlen: %d len: %d\n", i,
* minlen, maxlen, strlen(buf)); */
}
fclose(in);
fclose(out);