#include "hydra-mod.h" #include "sasl.h" extern char *HYDRA_EXIT; char *buf; int32_t counter; int32_t imap_auth_mechanism = AUTH_CLEAR; char *imap_read_server_capacity(int32_t sock) { char *ptr = NULL; int32_t resp = 0; char *buf = NULL; do { if (buf != NULL) free(buf); ptr = buf = hydra_receive_line(sock); if (buf != NULL) { if (strstr(buf, "CAPABILITY") != NULL && buf[0] == '*') { resp = 1; usleepn(300); /* we got the capability info then get the completed warning info from * server */ while (hydra_data_ready(sock)) { free(buf); buf = hydra_receive_line(sock); } } else { if (buf[strlen(buf) - 1] == '\n') buf[strlen(buf) - 1] = 0; if (buf[strlen(buf) - 1] == '\r') buf[strlen(buf) - 1] = 0; if (isdigit((int32_t)*ptr) && *(ptr + 1) == ' ') { resp = 1; } } } } while (buf != NULL && resp == 0); return buf; } int32_t start_imap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { char *empty = "", *result = NULL; char *login, *pass, buffer[500], buffer2[500], *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; while (hydra_data_ready(s)) { if ((buf = hydra_receive_line(s)) == NULL) return (1); free(buf); } switch (imap_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "%d AUTHENTICATE LOGIN\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, login); hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP LOGIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); strcpy(buffer2, pass); hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%.250s\r\n", buffer2); break; case AUTH_PLAIN: sprintf(buffer, "%d AUTHENTICATE PLAIN\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL) { hydra_report(stderr, "[ERROR] IMAP PLAIN AUTH : %s\n", buf); free(buf); return 3; } free(buf); memset(buffer2, 0, sizeof(buffer2)); result = sasl_plain(buffer2, login, pass); if (result == NULL) return 3; sprintf(buffer, "%.250s\r\n", buffer2); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: case AUTH_CRAMSHA1: case AUTH_CRAMSHA256: { int32_t rc = 0; char *preplogin; rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } switch (imap_auth_mechanism) { case AUTH_CRAMMD5: sprintf(buffer, "%d AUTHENTICATE CRAM-MD5\r\n", counter); break; case AUTH_CRAMSHA1: sprintf(buffer, "%d AUTHENTICATE CRAM-SHA1\r\n", counter); break; case AUTH_CRAMSHA256: sprintf(buffer, "%d AUTHENTICATE CRAM-SHA256\r\n", counter); break; } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } // get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { switch (imap_auth_mechanism) { case AUTH_CRAMMD5: hydra_report(stderr, "[ERROR] IMAP CRAM-MD5 AUTH : %s\n", buf); break; case AUTH_CRAMSHA1: hydra_report(stderr, "[ERROR] IMAP CRAM-SHA1 AUTH : %s\n", buf); break; case AUTH_CRAMSHA256: hydra_report(stderr, "[ERROR] IMAP CRAM-SHA256 AUTH : %s\n", buf); break; } free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *)buffer, buf + 2); free(buf); memset(buffer2, 0, sizeof(buffer2)); switch (imap_auth_mechanism) { case AUTH_CRAMMD5: { result = sasl_cram_md5(buffer2, pass, buffer); if (result == NULL) return 3; sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA1: { result = sasl_cram_sha1(buffer2, pass, buffer); if (result == NULL) return 3; sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; case AUTH_CRAMSHA256: { result = sasl_cram_sha256(buffer2, pass, buffer); if (result == NULL) return 3; sprintf(buffer, "%s %.250s", preplogin, buffer2); } break; } hydra_tobase64((unsigned char *)buffer, strlen(buffer), sizeof(buffer)); char tmp_buffer[sizeof(buffer)]; sprintf(tmp_buffer, "%.250s\r\n", buffer); strcpy(buffer, tmp_buffer); free(preplogin); } break; case AUTH_DIGESTMD5: { sprintf(buffer, "%d AUTHENTICATE DIGEST-MD5\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; // receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; } memset(buffer, 0, sizeof(buffer)); from64tobits((char *)buffer, buf); free(buf); if (debug) hydra_report(stderr, "DEBUG S: %s\n", buffer); fooptr = buffer2; result = sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); if (result == NULL) return 3; if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } break; case AUTH_SCRAMSHA1: { char clientfirstmessagebare[200]; char serverfirstmessage[200]; char *preplogin; int32_t rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { return 3; } sprintf(buffer, "%d AUTHENTICATE SCRAM-SHA-1\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP SCRAM-SHA1 AUTH : %s\n", buf); free(buf); return 3; } free(buf); snprintf(clientfirstmessagebare, sizeof(clientfirstmessagebare), "n=%s,r=hydra", preplogin); free(preplogin); memset(buffer2, 0, sizeof(buffer2)); sprintf(buffer2, "n,,%.200s", clientfirstmessagebare); hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s\r\n", buffer2); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } buf = hydra_receive_line(s); if (buf == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { if (verbose || debug) hydra_report(stderr, "[ERROR] Not a valid server challenge\n"); free(buf); return 1; } else { /* recover server challenge */ memset(buffer, 0, sizeof(buffer)); //+ cj1oeWRyYU9VNVZqcHQ5RjNqcmVXRVFWTCxzPWhGbTNnRGw0akdidzJVVHosaT00MDk2 from64tobits((char *)buffer, buf + 2); free(buf); strncpy(serverfirstmessage, buffer, sizeof(serverfirstmessage) - 1); serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); fooptr = buffer2; result = sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); if (result == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); return 1; } hydra_tobase64((unsigned char *)buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s\r\n", buffer2); } } break; #endif case AUTH_NTLM: { unsigned char buf1[4096]; unsigned char buf2[4096]; // Send auth request sprintf(buffer, "%d AUTHENTICATE NTLM\r\n", counter); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; // receive if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { hydra_report(stderr, "[ERROR] IMAP NTLM AUTH : %s\n", buf); free(buf); return 3; } free(buf); // send auth and receive challenge // send auth request: lst the server send it's own hostname and domainname buildAuthRequest((tSmbNtlmAuthRequest *)buf2, 0, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthRequest *)buf2)); sprintf(buffer, "%s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) return 1; if (strlen(buf) < 6) { free(buf); return 1; } // recover challenge from64tobits((char *)buf1, buf + 2); free(buf); // Send response buildAuthResponse((tSmbNtlmAuthChallenge *)buf1, (tSmbNtlmAuthResponse *)buf2, 0, login, pass, NULL, NULL); to64frombits(buf1, buf2, SmbLength((tSmbNtlmAuthResponse *)buf2)); sprintf(buffer, "%s\r\n", buf1); } break; default: // clear authentication sprintf(buffer, "%d LOGIN \"%.100s\" \"%.100s\"\r\n", counter, login, pass); } if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } if ((buf = hydra_receive_line(s)) == NULL) return (1); if (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL || strstr(buf, "BYE") != NULL) { if (verbose) hydra_report(stderr, "[ERROR] %s\n", buf); free(buf); hydra_completed_pair(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (counter == 4) return 1; return (2); } free(buf); hydra_report_found_host(port, ip, "imap", fp); hydra_completed_pair_found(); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; } void service_imap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { int32_t run = 1, next_run = 1, sock = -1; int32_t myport = PORT_IMAP, mysslport = PORT_IMAP_SSL, disable_tls = 1; char *buffer1 = "1 CAPABILITY\r\n"; hydra_register_socket(sp); if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return; while (1) { switch (run) { case 1: /* connect and service init function */ if (sock >= 0) sock = hydra_disconnect(sock); // usleepn(275); if ((options & OPTION_SSL) == 0) { if (port != 0) myport = port; sock = hydra_connect_tcp(ip, myport); port = myport; } else { if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport, hostname); port = mysslport; } if (sock < 0) { if (verbose || debug) hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); hydra_child_exit(1); } buf = hydra_receive_line(sock); if ((buf == NULL) || (strstr(buf, "OK") == NULL && buf[0] != '*')) { /* check the first line */ if (verbose || debug) hydra_report(stderr, "[ERROR] Not an IMAP protocol or service shutdown:\n"); if (buf != NULL) free(buf); hydra_child_exit(2); } free(buf); /* send capability request */ if (hydra_send(sock, buffer1, strlen(buffer1), 0) < 0) exit(-1); counter = 2; buf = imap_read_server_capacity(sock); if (buf == NULL) { hydra_child_exit(2); } if ((miscptr != NULL) && (strlen(miscptr) > 0)) { int32_t i; for (i = 0; i < strlen(miscptr); i++) miscptr[i] = (char)toupper((int32_t)miscptr[i]); if (strstr(miscptr, "TLS") || strstr(miscptr, "SSL") || strstr(miscptr, "STARTTLS")) { disable_tls = 0; } } #ifdef LIBOPENSSL if (!disable_tls) { /* check for STARTTLS, if available we may have access to more basic * auth methods */ if (strstr(buf, "STARTTLS") != NULL) { hydra_send(sock, "2 STARTTLS\r\n", strlen("2 STARTTLS\r\n"), 0); counter++; free(buf); buf = hydra_receive_line(sock); if (buf == NULL || (strstr(buf, " NO ") != NULL || strstr(buf, "failed") != NULL || strstr(buf, " BAD ") != NULL)) { hydra_report(stderr, "[ERROR] TLS negotiation failed, no answer " "received from STARTTLS request\n"); } else { free(buf); if ((hydra_connect_to_ssl(sock, hostname) == -1)) { if (verbose) hydra_report(stderr, "[ERROR] Can't use TLS\n"); disable_tls = 1; run = 1; break; } else { if (verbose) hydra_report(stderr, "[VERBOSE] TLS connection done\n"); } /* ask again capability request but in TLS mode */ if (hydra_send(sock, "3 CAPABILITY\r\n", strlen("3 CAPABILITY\r\n"), 0) < 0) hydra_child_exit(2); buf = imap_read_server_capacity(sock); counter++; if (buf == NULL) hydra_child_exit(2); } } else hydra_report(stderr, "[ERROR] option to use TLS/SSL failed as it is " "not supported by the server\n"); } #endif if (verbose) hydra_report(stderr, "[VERBOSE] CAPABILITY: %s", buf); // authentication should be listed AUTH= like in the extract below // STARTTLS LOGINDISABLED AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=NTLM") != NULL)) { imap_auth_mechanism = AUTH_NTLM; } #ifdef LIBOPENSSL if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=SCRAM-SHA-1") != NULL)) { imap_auth_mechanism = AUTH_SCRAMSHA1; } if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=DIGEST-MD5") != NULL)) { imap_auth_mechanism = AUTH_DIGESTMD5; } if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=CRAM-SHA256") != NULL)) { imap_auth_mechanism = AUTH_CRAMSHA256; } if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=CRAM-SHA1") != NULL)) { imap_auth_mechanism = AUTH_CRAMSHA1; } if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=CRAM-MD5") != NULL)) { imap_auth_mechanism = AUTH_CRAMMD5; } #endif if ((strstr(buf, "=LOGIN") == NULL) && (strstr(buf, "=PLAIN") != NULL)) { imap_auth_mechanism = AUTH_PLAIN; } if (strstr(buf, "=LOGIN") != NULL) { imap_auth_mechanism = AUTH_LOGIN; } free(buf); if ((miscptr != NULL) && (strlen(miscptr) > 0)) { if (strstr(miscptr, "CLEAR")) imap_auth_mechanism = AUTH_CLEAR; if (strstr(miscptr, "LOGIN")) imap_auth_mechanism = AUTH_LOGIN; if (strstr(miscptr, "PLAIN")) imap_auth_mechanism = AUTH_PLAIN; #ifdef LIBOPENSSL if (strstr(miscptr, "CRAM-MD5")) imap_auth_mechanism = AUTH_CRAMMD5; if (strstr(miscptr, "CRAM-SHA1")) imap_auth_mechanism = AUTH_CRAMSHA1; if (strstr(miscptr, "CRAM-SHA256")) imap_auth_mechanism = AUTH_CRAMSHA256; if (strstr(miscptr, "DIGEST-MD5")) imap_auth_mechanism = AUTH_DIGESTMD5; if (strstr(miscptr, "SCRAM-SHA1")) imap_auth_mechanism = AUTH_SCRAMSHA1; #endif if (strstr(miscptr, "NTLM")) imap_auth_mechanism = AUTH_NTLM; } if (verbose) { switch (imap_auth_mechanism) { case AUTH_CLEAR: hydra_report(stderr, "[VERBOSE] using IMAP CLEAR LOGIN mechanism\n"); break; case AUTH_LOGIN: hydra_report(stderr, "[VERBOSE] using IMAP LOGIN AUTH mechanism\n"); break; case AUTH_PLAIN: hydra_report(stderr, "[VERBOSE] using IMAP PLAIN AUTH mechanism\n"); break; #ifdef LIBOPENSSL case AUTH_CRAMMD5: hydra_report(stderr, "[VERBOSE] using IMAP CRAM-MD5 AUTH mechanism\n"); break; case AUTH_CRAMSHA1: hydra_report(stderr, "[VERBOSE] using IMAP CRAM-SHA1 AUTH mechanism\n"); break; case AUTH_CRAMSHA256: hydra_report(stderr, "[VERBOSE] using IMAP CRAM-SHA256 AUTH mechanism\n"); break; case AUTH_DIGESTMD5: hydra_report(stderr, "[VERBOSE] using IMAP DIGEST-MD5 AUTH mechanism\n"); break; case AUTH_SCRAMSHA1: hydra_report(stderr, "[VERBOSE] using IMAP SCRAM-SHA1 AUTH mechanism\n"); break; #endif case AUTH_NTLM: hydra_report(stderr, "[VERBOSE] using IMAP NTLM AUTH mechanism\n"); break; } } next_run = 2; break; case 2: /* run the cracking function */ next_run = start_imap(sock, ip, port, options, miscptr, fp); counter++; break; case 3: /* clean exit */ if (sock >= 0) sock = hydra_disconnect(sock); hydra_child_exit(0); return; default: hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); hydra_child_exit(2); } run = next_run; } } int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { // called before the childrens are forked off, so this is the function // which should be filled if initial connections and service setup has to be // performed once only. // // fill if needed. // // return codes: // 0 all OK // -1 error, hydra will exit, so print a good error message here return 0; } void usage_imap(const char *service) { printf("Module imap is optionally taking one authentication type of:\n" " CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1,\n" " CRAM-SHA256, DIGEST-MD5, NTLM\n" "Additionally TLS encryption via STARTTLS can be enforced with the " "TLS option.\n\n" "Example: imap://target/TLS:PLAIN\n"); }