forked from vanhauser-thc/thc-hydra
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hydra-radmin2.c
385 lines (346 loc) · 11.3 KB
/
hydra-radmin2.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
#include "hydra-mod.h"
#include <arpa/inet.h>
#include <unistd.h>
#ifdef HAVE_GCRYPT
#include <gcrypt.h>
#endif
extern char *HYDRA_EXIT;
// RAdmin 2.x
struct rmessage {
uint8_t magic; // Indicates version, probably?
uint32_t length; // Total message size of data.
uint32_t checksum; // Checksum from type to end of data.
uint8_t type; // Command type, table below.
unsigned char data[32]; // data to be sent.
};
/*
* Usage: sum = checksum(message);
* Function: Returns a 4 byte little endian sum of the messages typecode+data.
* This data is zero padded for alignment. Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9
* 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)]) Sum: is 0f43d461 (big endian)
*/
uint32_t checksum(struct rmessage *msg) {
int32_t blen;
uint8_t *stream;
uint32_t sum;
blen = msg->length; // Get the real length.
blen += (4 - (blen % 4));
// Allocate a worksapce.
stream = calloc(blen, sizeof(uint8_t));
memcpy(stream, &msg->type, sizeof(uint8_t));
memcpy(stream + 1, msg->data, blen - 1);
sum = 0;
for (blen -= sizeof(uint32_t); blen > 0; blen -= sizeof(uint32_t)) {
sum += *(uint32_t *)(stream + blen);
}
sum += *(uint32_t *)stream;
// Free the workspace.
free(stream);
return sum;
}
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a request for a challenge. Updates the
* checksum as appropriate.
*/
void challenge_request(struct rmessage *msg) {
msg->magic = 0x01;
msg->length = 0x01;
msg->type = 0x1b;
msg->checksum = checksum(msg);
}
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a response to a challenge. Updates the
* checksum as appropriate.
*/
void challenge_response(struct rmessage *msg, unsigned char *solution) {
msg->magic = 0x01;
msg->length = 0x21;
msg->type = 0x09;
memcpy(msg->data, solution, 0x20);
msg->checksum = checksum(msg);
}
/*
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10);
* free(buffer) Function: Allocates a buffer for transmission and fills the
* buffer with message data such that it is ready to transmit.
*/
// TODO: conver to a sendMessage() function?
char *message2buffer(struct rmessage *msg) {
char *data;
if (msg == NULL) {
hydra_report(stderr, "rmessage is null\n");
hydra_child_exit(0);
return NULL;
}
switch (msg->type) {
case 0x1b: // Challenge request
data = (char *)calloc(10, sizeof(char));
if (data == NULL) {
hydra_report(stderr, "calloc failure\n");
hydra_child_exit(0);
}
memcpy(data, &msg->magic, sizeof(char));
*((int32_t *)(data + 1)) = htonl(msg->length);
*((int32_t *)(data + 5)) = htonl(msg->checksum);
memcpy((data + 9), &msg->type, sizeof(char));
break;
case 0x09:
data = (char *)calloc(42, sizeof(char));
if (data == NULL) {
hydra_report(stderr, "calloc failure\n");
hydra_child_exit(0);
}
memcpy(data, &msg->magic, sizeof(char));
*((int32_t *)(data + 1)) = htonl(msg->length);
*((int32_t *)(data + 5)) = htonl(msg->checksum);
memcpy((data + 9), &msg->type, sizeof(char));
memcpy((data + 10), msg->data, sizeof(char) * 32);
break;
default:
hydra_report(stderr, "unknown rmessage type\n");
hydra_child_exit(0);
return NULL;
}
return data;
}
struct rmessage *buffer2message(char *buffer) {
struct rmessage *msg;
msg = calloc(1, sizeof(struct rmessage));
if (msg == NULL) {
hydra_report(stderr, "calloc failure\n");
hydra_child_exit(0);
}
// Start parsing...
msg->magic = buffer[0];
buffer += sizeof(char);
msg->length = ntohl(*((uint32_t *)(buffer)));
buffer += sizeof(uint32_t);
msg->checksum = ntohl(*((uint32_t *)(buffer)));
buffer += sizeof(uint32_t);
msg->type = buffer[0];
buffer += sizeof(char);
// Verify known fields...
if (msg->magic != 0x01) {
hydra_report(stderr, "Bad magic\n");
hydra_child_exit(0);
return NULL;
}
switch (msg->type) {
case 0x1b:
if (msg->length != 0x21) {
hydra_report(stderr, "Bad length...%08x\n", msg->length);
hydra_child_exit(0);
return NULL;
}
memcpy(msg->data, buffer, 32);
break;
case 0x0a:
// Win!
case 0x0b:
// Lose!
break;
default:
hydra_report(stderr, "unknown rmessage type");
hydra_child_exit(0);
return NULL;
}
return msg;
}
int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { return 0; }
void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
#ifdef HAVE_GCRYPT
int32_t sock = -1;
int32_t index;
int32_t bytecount;
char *request;
struct rmessage *msg;
int32_t myport = PORT_RADMIN2;
char buffer[42];
char password[101];
uint8_t rawkey[16];
uint8_t *IV = "\xFE\xDC\xBA\x98\x76\x54\x32\x10\xA3\x9D\x4A\x18\xF8\x5B\x4A\x52";
uint8_t encrypted[32];
gcry_error_t err;
gcry_cipher_hd_t cipher;
gcry_md_hd_t md;
if (port != 0) {
myport = port;
}
gcry_check_version(NULL);
memset(buffer, 0x00, sizeof(buffer));
// Phone the mother ship
hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
return;
}
while (1) {
/* Typical conversation goes as follows...
0) connect to server
1) request challenge
2) receive 32 byte challenge response
3) send 32 byte challenge solution
4) receive 1 byte auth success/fail message
*/
// 0) Connect to the server
sock = hydra_connect_tcp(ip, myport);
if (sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
// 1) request challenge (working)
msg = calloc(1, sizeof(struct rmessage));
challenge_request(msg);
request = message2buffer(msg);
hydra_send(sock, request, 10, 0);
free(msg);
free(request);
// 2) receive response (working)
index = 0;
while (index < 42) { // We're always expecting back a 42 byte buffer from a
// challenge request.
switch (hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
break;
case 0:
// keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer + index, 42 - index);
if (bytecount < 0) {
hydra_report(stderr,
"Error: Child with pid %d terminating, receive "
"error\nerror:\t%s\n",
(int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
}
// 3) Send challenge solution.
// Get a password to work with.
memset(password, 0x00, sizeof(password));
memset(encrypted, 0x00, sizeof(encrypted));
hydra_get_next_pair();
strncpy(password, hydra_get_next_password(), sizeof(password) - 1);
// MD5 the password to generate the password key, this is used with twofish
// below.
err = gcry_md_open(&md, GCRY_MD_MD5, 0);
if (err) {
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_md_open error "
"(%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
gcry_md_reset(md);
gcry_md_write(md, password, 100);
if (gcry_md_read(md, 0) == NULL) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_read error (%08x)\n", (int32_t)getpid(), index);
hydra_child_exit(1);
}
memcpy(rawkey, gcry_md_read(md, 0), 16);
gcry_md_close(md);
// 3.a) generate a new message from the buffer
msg = buffer2message(buffer);
// 3.b) encrypt data received using pkey & known IV
err = gcry_cipher_open(&cipher, GCRY_CIPHER_TWOFISH128, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_open "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setiv(cipher, IV, 16);
if (err) {
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_setiv "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setkey(cipher, rawkey, 16);
if (err) {
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_setkey "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_encrypt(cipher, encrypted, 32, msg->data, 32);
if (err) {
hydra_report(stderr,
"Error: Child with pid %d terminating, gcry_cipher_encrypt "
"error (%08x)\n%s/%s",
(int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
gcry_cipher_close(cipher);
// 3.c) half sum - this is the solution to the challenge.
for (index = 0; index < 16; index++) {
*(encrypted + index) += *(encrypted + index + 16);
}
memset((encrypted + 16), 0x00, 16);
// 3.d) send half sum
challenge_response(msg, encrypted);
request = message2buffer(msg);
hydra_send(sock, request, 42, 0);
free(msg);
free(request);
// 4) receive auth success/failure
index = 0;
while (index < 10) { // We're always expecting back a 42 byte buffer from a
// challenge request.
switch (hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
break;
case 0:
// keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer + index, 10 - index);
if (bytecount < 0) {
hydra_report(stderr,
"Error: Child with pid %d terminating, receive "
"error\nerror:\t%s\n",
(int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
}
msg = buffer2message(buffer);
switch (msg->type) {
case 0x0a:
hydra_completed_pair_found();
break;
case 0x0b:
hydra_completed_pair();
hydra_disconnect(sock);
break;
default:
hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int32_t)getpid());
hydra_child_exit(2);
}
}
#endif
}
int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
return 0;
}