thc-hydra/CHANGES

Changelog for hydra
-------------------

Release 9.5
* many modules did not support -W (all those that used a library for the
  connection). All (or most?) should be fixed now.
* http-form:
  - The help for http-form was wrong. the condition variable must always be
    the *last* parameter, not the third
  - Proxy support was not working correctly
* smb2: fix for updated libsmb2 which resulted in correct guessing attempts
  not being detected
* smtp: break early if the server does not allow authentication
* rdp: detect more return codes that say a user is disabled etc.


Release 9.4
* Switched from pcre/pcre3 to pcre2 as pcre/pcre3 will be dropped from Debian
* Small fix for weird RTSP servers
* Added "2=" optional parameter to http-post-form module to tell hydra that
  a "302" HTTP return code means success
* replaced wait3 with waitpid for better compatability


Release 9.3
* support Xcode compilation
* new module: cobaltstrike by ultimaiiii, thank you!
* fix for ssh to support -M or ip/range
* fix for rdp to detect empty passwords
* fix for http-form to no send empty headers
* fix for http on non-default ports when using with a proxy
* for vnc/cisco/... protocols that only check for a password, skip host
  after the password is found
* fix to support IPv6 addresses in -M
* fix to test all entries in -C files, not exiting after the first found
* make disappearing targets faster to terminate on
* added "make uninstall"


Release 9.2
* fix for http-post-form optional parameters
* enable gcc 10 support for xhydra too :)
* msys support
* removed rain mode (-r) because of inefficiency
* IPv6 support for Host: header for http based modules


Release 9.1
* rdb: support for libfreerdp3 (thanks to animetauren)
* new module: smb2 which also supports smb3 (uses libsmbclient-dev) (thanks to Karim Kanso for the module!)
* oracle: added success condition (thanks to kazkansouh), compile on Cygwin (thanks to maaaaz)
* rtsp: fixed crash in MD5 auth
* svn: updated to support past and new API
* http: now supports F=/S= string matching conditions (thanks to poucz@github)
* http-proxy: buffer fix, 404 success condition (thanks to kazkansouh)
* mysql: changed not to use mysql db as a default. if the user has not access to this db auth fails ...
* sasl: buffer fix (thanks to TenGbps)
* fixed help for https modules (thanks to Jab2870)
* added -K command line switch to disable redo attempts (good for mass scanning)
* forgot to have the -m option in the hydra help output
* gcc-10 support and various cleanups by Jeroen Roovers, thanks!
* added .clang-format and formatted all code


Release 9.0
* rdp: Revamped rdp module to use FreeRDP library (thanks to loianhtuan@github for the patch!)
* Added memcached module
* Added mongodb module
* http: http module now supports a= option to select http authentication type
* JSON output does now truncate the file if exists.
* Fixed svn module memory leaks
* Fixed rtsp module potential buffer overflow
* Fixed http module DIGEST-MD5 mode


Release 8.9.1
* Clarification for rdp error message
* CIDR notation (hydra -l test -p test 192.168.0.0/24 ftp) was not detected, fixed


Release 8.8
* New web page: https://github.com/vanhauser-thc/thc-hydra
* added PROBLEMS file with known issues
* rdp: disabled the module as it does not support the current protocol. If you want to add it contact me
* ldap: fixed a dumb strlen on a potential null pointer
* http-get/http-post:
   - now supports H=/h= parameters same as http-form (thanks to mathewmarcus@github for the patch)
   - 403/404 errors are now always registered as failed attempts
* mysql module: a non-default port was not working, fixed
* added -w timeout support to ssh module
* fixed various memory leaks in http-form module
* corrected hydra return code to be 0 on success
* added patch from debian maintainers which fixes spellings
* fixed weird crash on x64 systems
* many warning fixes by crondaemon


Release 8.6
* added radmin2 module by catatonic prime - great work!
* smb module now checks if SMBv1 is supported by the server and if signing is required
* http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch)
* Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting)
* Added new command line option:
   -c TIME: seconds between login attempts (over all threads, so -t 1 is recommended)
* Options put after -R (for loading a restore file) are now honored (and were disallowed before)
* merged several patches by Diadlo@github to make the code easier readable. thanks for that!
* merged a patch by Diadlo@github that moves the help output to the invididual module


Release 8.5
* New command line option:
   -b : format option for -o output file (json only so far, happy for patches supporting others :) ) - thanks to veggiespam for the patch
* ./configure now honors the CC enviroment variable if present
* Fix for the restore file crash on some x64 platforms (finally! thanks to lukas227!)
* Changed the format of the restore file to detect cross platform copies
* Fixed a bug in the NCP module
* Favor strrchr() over rindex()
* Added refactoring patch by diadlo
* Updated man page with missing command line options


Release 8.4
! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix
* Proxy support re-implemented:
  - HYDRA_PROXY[_HTTP] environment can be a text file with up to 64 entries
  - HYDRA_PROXY_AUTH was deprecated, set login/password in HTTP_PROXY[_HTTP]
* New protocol: adam6500 - this one is work in progress, please test and report
* New protocol: rpcap - thanks to Petar Kaleychev <petar.kaleychev@gmail.com>
* New command line options:
   -y : disables -x 1aA interpretation, thanks to crondaemon for the patch
   -I : ignore an existing hydra.restore file (don't wait for 10 seconds)
* hydra-svn: works now with the current libsvn version
* hydra-ssh: initial check for password auth support now uses login supplied
* Fixed dpl4hydra to be able to update from the web again
* Fixed crash when -U was used without any service (thanks to thecarterb for reporting)
* Updated default password lists
* The protocols vnc, xmpp, telnet, imap, nntp and pcanywhere got accidentially long sleep commands due a patch in 8.2, fixed
* Added special error message for clueless users :)


Release 8.3
* Support for upcoming OpenSSL 1.1 added. needs testing.
* Fixed hydra redo bug (issue #113)
* Updated xhydra for new hydra features and options
* Some more command line error checking
* Ensured unneeded sockets are closed

Release 8.2
* Added RTSP module, thanks to jjavi89 for supplying!
* Added patch for ssh that fixes hydra stopping to connect, thanks to ShantonRU for the patch
* Added new -O option to hydra to support SSL servers that do not suport TLS
* Added xhydra gtk patche by Petar Kaleychev to support modules that do not use usernames
* Added patch to redis for initial service checking by Petar Kaleychev - thanks a lot!
* Added support in hydra-http for http-post (content length 0)
* Fixed important bug in http-*://server/url command line processing
* Added SSL SNI support
* Fixed bug in HTTP Form redirection following - thanks for everyone who reported and especially to Hayden Young for setting up a test page for debugging
* Better library finding in ./configure for SVN + support for Darwin Homebrew (and further enhanced)
* Fixed http-form module crash that only occurs on *BSD/OSX systems. Thanks to zdk for reporting!
* Fixed for SSL connection to support TLSv1.2 etc.
* Support for different RSA keylengths, thanks to fann95 for the patch
* Fixed a bug where the cisco-enable module was not working with the password-only logon mode
* Fixed an out of memory bug in http-form
* Fixed imap PLAIN method
* Fixed -x option to bail if it would generate too many passwords (more than 4 billion)
* Added warning if HYDRA_PROXY_CONNECT environment is detected, that is an outdated setting
* Added --fhs switch to configure (for Linux distribution usage)
* ... your patch?


Release 8.1
* David Maciejak, my co-maintainer moved to a different job and country and can not help with Hydra anymore - sadly! Wish you all the best!
* Added patch from Ander Juaristi which adds h/H header options for http-form-*, great work, thanks!
* Fixed the -M option, works now with many many targets :-)
* -M option now supports ports, add a colon in between: "host:port", or, if IPv6, "[ipv6ipaddress]:port"
* Found login:password combinations are now printed with the name specified (hostname or IP), not always IP
* Fixed for cisco-enable if an intial Login/Password is used (thanks to joswr1te for reporting)
* Added patch by tux-mind for better MySQL compilation and an Android patches and Makefile. Thanks!
* Added xhydra gtk patches by Petar Kaleychev to support -h, -U, -f, -F, -q and -e r options, thanks!
* Added patch for teamspeak to better identify server errors and auth failures (thanks to Petar Kaleychev)
* Fixed a crash in the cisco module (thanks to Anatoly Mamaev for reporting)
* Small fix for HTTP form module for redirect pages where a S= string match would not work (thanks to mkosmach for reporting)
* Updated configure to detect subversion packages on current Cygwin
* Fixed RDP module to support the port option (thanks to and.enshin(at)gmail.com)


Release 8.0
! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra
* Added module for redis (submitted by Alejandro Ramos, thanks!)
* Added patch which adds Unicode support for the SMB module (thanks to Max Kosmach)
* Added initial interactive password authentication test for ssh (thanks to Joshua Houghton)
* Added patch for xhydra that adds bruteforce generator to the GUI (thanks to Petar Kaleychev)
* Target on the command line can now be a CIDR definition, e.g. 192.168.0.0/24
* with -M <targetfile>, you can now specify a port for each entry (use "target:port" per line)
* Verified that hydra compiles cleanly on QNX / Blackberry 10 :-)
* Bugfixes for -x option:
  - password tries were lost when connection errors happened (thanks to Vineet Kumar for reporting)
  - fixed crash when used together with -e option 
* Fixed a bug that hydra would not compile without libssh (introduced in v7.6)
* Various bugfixes if many targets where attacked in parallel
* Cygwin's Postgresql is working again, hence configure detection re-enabled
* Added gcc compilation security options (if detected to be supported by configure script)
* Enhancements to the secure compilation options
* Checked code with cppcheck and fixed some minor issues.
* Checked code with Coverity. Fixed a lot of small and medium issues.


Release 7.6
* Added a wizard script for hydra based on a script by Shivang Desai <shivang.ice.2010@gmail.com>
* Added module for Siemens S7-300 (submitted by Alexander Timorin and Sergey Gordeychik, thanks!)
* HTTP HEAD/GET: MD5 digest auth was not working, fixed (thanks to Paul Kenyon)
* SMTP Enum: HELO is now always sent, better 500 error detection
* hydra main:
   - fixed a bug in the IPv6 address parsing when a port was supplied
   - added info message for pop3, imap and smtp protocol usage
* hydra GTK: missed some services, added
* dpl4hydra.sh:
   - added Siemens S7-300 common passwords to default password list
   - more broad searching in the list
* Performed code indention on all C files :-)
* Makefile patch to ensure .../etc directory is there (thanks to vonnyfly)


Release 7.5
* Moved the license from GPLv3 to AGPLv3 (see LICENSE file)
* Added module for Asterisk Call Manager
* Added support for Android where some functions are not available
* hydra main:
   - reduced the screen output if run without -h, full screen with -h
   - fix for IPv6 and port parsing with service://[ipv6address]:port/OPTIONS
   - fixed -o output (thanks to www417)
   - warning if HYDRA_PROXY is defined but the module does not use it
   - fixed an issue with large input files and long entries
* hydra library:
   - SSL connections are now fixed to SSLv3 as some SSL servers fail otherwise, report if this gives you problems
   - removed support for old OPENSSL libraries
* HTTP Form module:
   - login and password values are now encoded if special characters are present
   - ^USER^ and ^PASS^ are now also supported in H= header values
   - if you the colon as a value in your option string, you can now escape it with \: - but do not encode a \ with \\
* Mysql module: protocol 10 is now supported
* SMTP, POP3, IMAP modules: Disabled the TLS in default. TLS must now be
  defined as an option "TLS" if required. This increases performance.
* Cisco module: fixed a small bug (thanks to Vitaly McLain)
* Postgres module: libraries on Cygwin are buggy at the moment, module is therefore
  disabled on Cygwin


Release 7.4.3 FIX RELEASES for bugs introduced in 7.4
* Quickfix for people who do not have libssh installed (won't compile otherwise)
* Quickfix for http-get/http-head and irc module which would not run due a new feature.
* Fix for the ssh module that breaks an endless loop if a service becomes unavailable (thanks to shark0der(at)gmail(dot)com for reporting)


Release 7.4
* New module: SSHKEY - for testing for ssh private keys (thanks to deadbyte(at)toucan-system(dot)com!)
* Added support for win8 and win2012 server to the RDP module
* Better target distribution if -M is used
* Added colored output (needs libcurses)
* Better library detection for current Cygwin and OS X
* Fixed the -W option
* Fixed a bug when the -e option was used without -u, -l, -L or -C, only half of the logins were tested
* Fixed HTTP Form module false positive when no answer was received from the server 
* Fixed SMB module return code for invalid hours logon and LM auth disabled
* Fixed http-{get|post-form} from xhydra
* Added OS/390 mainframe 64bit support (thanks to dan(at)danny(dot)cz)
* Added limits to input files for -L, -P, -C and -M - people were using unhealthy large files! ;-)
* Added debug mode option to usage (thanks to Anold Black)


Release 7.3
* Hydra main:
    - Added -F switch to quit all targets if one pair was found (for -M)
    - Fixed a bug where hydra would terminate after reporting a successful
      login when an account would accept any password
    - Fixed a bug with very large wordlists (thanks to sheepdestroyer for reporting!)
    - Enhanced the module help
* configure script:
    - Added fix Oracle library inclusion, thanks to Brandon Archer!
    - Added --nostrip option to prevent binary stripping (requested by Fedora
      maintainer)
* Added a Makefile patch by the Debian maintainers to support their
  SecurityHardeningBuildFlags for the wheezy build as requested
* dpl4hydra: added install directory support
* All code: message cleanups
* SNMP module
    - originally already supported write and v2 although this was not in the
      module help output. Added :-)
    - added SNMPv3 MD5/SHA1 authentication support, though beta still
* HTTP module:
    - fixed HTTP NTLM auth session
    - implemented errata fix for HTTP digest md5-sess algorithm
    - set default path to /
* HTTP Form module:
    - set default path to /
    - support HTTP/1.0 redirects
    - fix failed condition check when pcre is not used
* IMAP module: fixed auth detection
* POP3 module: Updated auth and capability detection
* Oracle module: fixed bad handling
* Oracle listener module: fixed hash size handling
* Telnet/Cisco/Cisco-enable modules: support "press ENTER" prompts
* FTP module:
    - Fixed a bug where 530 messages were incorrectly handled
    - Clarification for the usage of ftps
* Mysql module: added patch from Redhat/Fedora that fixes compile problems
* Added IDN and PCRE support for Cygwin


Release 7.2
* Speed-up http modules auth mechanism detection
* Fixed -C colonfile mode when empty login/passwords were used (thanks to
  will(at)configitnow(dot)com for reporting)
* The -f switch was not working for postgres, afp, socks5, firebird and ncp,
  thanks to Richard Whitcroft for reporting!
* Fixed NTLM auth in http-proxy/http-proxy-url module
* Fixed URL when being redirected in http-form module, thanks to gash(at)chaostreff(dot)at
* Fix MSSQL success login condition, thanks to whistle_master(at)live(dot)com
* Fix http form module: optional headers and 3xx status redirect, thx to Gash
* Fix in configure script for --prefix option, thanks to dazzlepod
* Update of the dpl4hydra script by Roland Kessler, thanks!
* Small fix for hydra man page, thanks to brad(at)comstyle(dot)com


Release 7.1
* Added HTTP Proxy URL enumeration module
* Added SOCKS4/SOCKS5 proxy support with authentication
* Added IPv6 support for SOCKS5 module
* Added -e r option to try the reversed login as password
* Rewrote -x functionality as the code caused too much trouble (thanks to
  murder.net7(at)gmail.com for reporting one of the issues)
* Fixed a bug with multiple hosts (-M) and http modules against targets that
  are virtual servers. Well spotted by Tyler Krpata!
* Fixed SVN IPv6 support and updated deprecated calls
* Fixed RDP failed child connection returned value and false positive issues
  reported by Wangchaohui, thanks!
* Fixed restore file functionality, was not working together with -o option
* Fix in http-form module for bug introduced in 7.0
* Fixed xhydra specific parameter value for http-proxy module
* minor enhancements


Release 7.0
* New main engine for hydra: better performance, flexibility and stability
* New option -u - loop around users, not passwords
* Option -e now also works with -x and -C
* Added RDP module, domain can be passed as argument
* Added other_domain option to smb module to test trusted domains
* Small enhancement for http and http-proxy module for standard ignoring servers
* Lots of bugfixes, especially with many tasks, multiple targets and restore file
* Fixes for a few http-form issues
* Fix smb module NTLM hash use
* Fixed Firebird module deprecated API call
* Fixed for dpl4hydra to work on old sed implementations (OS/X ...)
* Fixed makefile to install dpl4hydra (thx @sitecrea)
* Fixed local buffer overflow in debug output function (required -d to be used)
* Fixed xhydra running warnings and correct quit action event


Release 6.5
* Improved HTTP form module: getting cookie, fail or success condition, follow
  multiple redirections, support cookie gathering URL, multiple user defined
  headers
* Added interface support for IPv6, needed for connecting to link local fe80::
  addresses. Works only on Linux and OS/X. Information for Solaris and *BSD welcome
* Added -W waittime between connects option
* The -x bruteforce mode now allows for generated password amounts > 2 billion
* Fix if -L was used together with -x
* Fixes for http- modules when the http-...://target/options format was used
* Fixed a bug in the restore file write function that could lead to a crash
* Fixed XMPP module jabber init request and challenge response check,  thx "F e L o R e T"
* Fix: if a proxy was used, unresolveable targets were disabled. now its fine
* Fix for service://host/ usage if a colon was used after the URI without a
  port defined
 

Release 6.4
* Update SIP module to extract and use external IP addr return from server error to bypass NAT
* Update SIP module to use SASL lib
* Update email modules to check clear mode when TLS mode failed
* Update Oracle Listener module to work with Oracle DB 9.2
* Update LDAP module to support Windows 2008 active directory simple auth
* Fix to the connection adaptation engine which would loose planned attempts
* Fix make script for CentOS, reported by ya0wei
* Print error when a service limits connections and few pairs have to be tested
* Improved Mysql module to only init/close when needed
* Added patch from the FreeBSD maintainers
* Module usage help does not need a target to be specified anymore
* Configure script now honors /etc/ld.so.conf.d/ directory
* Add more SMB dialects


Release 6.3
* Added patch by Petar Kaleychev which adds nice icons to cygwin hydra files
* Added patch by Gauillaume Rousse which fixes a warning display
* New Oracle module (for databases via OCI, for TNS Listener passwd, for SID enumeration)
* New SMTP user enum module (using VRFY, EXPN or RCPT command)
* Memory leak fix for -x bruteforcing option reported by Alex Lau
* Fix for svn module, for some versions it needs one more lib, thanks to the
  Debian team for reporting!
* Fix ssh module, on connection refused a credential could be lost 
* Fix http-form module, a redirect was not always followed
* QA on all modules for memory leaks
* Better gtk detection (to not even try xhydra compilation when its useless)
* First blant attempt for configuring to x64 systems (Linux and *BSD)
* Updated network password cracker comparison on the web page (for hydra and new ncrack)
* Indented all source code


Release 6.2
* Added a patch by Jan Dlabal which adds password generation bruteforcing (no more password files :-) )
* Forgot to rename ssh2 to ssh in xhydra, fixed
* Add support for CRAM-MD5 and DIGEST-MD5 auth to ldap module
* Fix SASL PLAIN auth method issue
* Add TLS negotiation support for smtp-auth, pop3, imap, ftp and ldap
* Added man pages from Debian maintainers
* Checked Teamspeak module, works on TS2 protocol
* Add support for SCRAM-SHA1 (RFC 5802), first auth cracker to support it, yeah !
* New module: XMPP with TLS negotiation and LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1 support
* Add SCRAM-SHA1 auth to IMAP module
* Add module usage help (-U)
* Add support for RFC 4013: Internationalized Strings in SASL ("SASLPrep") 
* Rename smtpauth module to smtp
* Add SASL + TLS support for NNTP
* Bugfix SASL DIGEST-MD5, response could be wrong sometime, mainly on 64bits systems
* Bugfix rlogin module, some auth failure could not be detected accurately
* Bugfix rsh module, some auth failure could not be detected accurately
* New module: IRC is not dead ! use to find general server password and /oper credential
* Add SSL support for VMware Authentication Daemon module
* Bugfix CVS module, should work now, why does nobody report this ??
* Bugfix Telnet module, when line mode is not available
* Add support for new syntax <service-name>://<target>[:<port-number>][/<parameters>]
* Add TLS support for SIP
* STILL OPEN: Fixed a problem in hydra where a login+pw test was lost when an arm/child was quitting


Release 6.1
* More license updates for the files for the Debian guys
* Fix for the configure script to correctly detect postgresql
* Add checks for libssh v0.4 and support for ssh v1
* Merge all latest crypto code in sasl files
* Fix SVN compilation issue on openSUSE (tested with v11.3)


Release 6.0
* Added GPL exception clause to license to allow linking to OpenSSL - Debian people need this
* IPv6 support finally added. Note: sip and socks5 modules do not support IPv6 yet
* Changes to code and configure script to ensure clean compile on Solaris 11,
  OSX, FreeBSD 8.1, Cygwin and Linux
* Bugfix for SIP module, thanks to yori(at)counterhackchallenges(dot)com
* Compile fixes for systems without OpenSSL or old OpenSSL installations
* Eliminated compile time warnings
* xhydra updates to support the new features (david@)
* Added CRAM-MD5, DIGEST-MD5 auth mechanism to the smtp-auth module (david@)
* Added LOGIN, PLAIN, CRAM-(MD5,SHA1,SHA256) and DIGEST-MD5 auth mechanisms to the imap and pop3 modules (david@)
* Added APOP auth to POP3 module (david@)
* Added NTLM and DIGEST-MD5 to http-auth module and DIGEST-MD5 to http-proxy module (david@)
* Fixed VNC module for None and VLC auth (david@)
* Fixes for LDAP module (david@)
* Bugfix Telnet module linemode option negotiation using win7 (david@)
* Bugfix SSH module when max auth connection is reached (david@)


Release 5.9
* Update for the subversion module for newer SVN versions (thanks to David Maciejak @ GMAIL dot com)
* Another patch by David to add the PLAIN auth mechanism to the smtp-auth module
* mysql module now has two implementations and uses a library when found (again
  thanks to David Maciejak @ GMAIL dot com - what would hydra be without him)
* camiloculpian @ gmail dot com submitted a logo for hydra - looks cool, thanks!
* better FTP 530 error code detection
* bugfix for the SVN module for non-standard ports (again david@)


Release 5.8
* Added Apple Filing Protocol (thank to "never tired" David Maciejak @ GMAIL dot com)
* Fixed a big bug in the SSL option (-S)


Release 5.7 
* Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com)
* Added an old patch to fix a memory from SSL and speed it up too from kan(at)dcit.cz
* Removed unnecessary compiler warnings
* Enhanced the SSH2 module based on an old patch from aris(at)0xbadc0de.be
* Fixed small local defined overflow in the teamspeak module. Does it still work anyway??


Release 5.6  PRIVATE VERSION
###########
* Moved to GPLv3 License (lots of people wanted that)
* Upgraded ssh2 module to libssh-0.4.x (thanks to aris (at) 0xbadc0de.be for
  the 0.2 basis)
* Added firebird support (by David Maciejak @ GMAIL dot com)
* Added SIP MD5 auth patch (by Jean-Baptiste Aviat <jba [at] hsc [dot] `french tld`)
* Removed Palm and ARM support
* Fix for cygwin which falsely detected postgres library when there was none.
* Several small bugfixes


Release 5.4
###########
* Fixes to the http modules as some Apache installations are picky
* The MySQL module also works with mysqld-5.0, updated
* Added AS/400 return code checks to pop3 module
* Fixed memory leaks in the http-form module.
* Implemented a proposal by Jean-Baptiste.BEAUFRETON (at) turbomeca.fr to
  check for "530 user unknown" message in the ftp module
* Added a performance patch by alejandro.mendiondo (at) baicom.com. This one
  needs stability testing!
* Beautification to remove compiler warnings of modern gcc


Release 5.3
###########
* Added NTLM support modules for pop3, imap, smtp-auth and http-proxy.
  Work done by ilo (at) reversing.org. THANKS!
* Added a http form module, thanks to phil (at) irmplc.com
* Fixed a bug in the vnc module (thanks to kan (at) dcit.cz)
* Input files may *not* contain null bytes. I might fix that in the future
  but currently I have enough other things on my todo sheet.
  Thanks to didiln (at) gmail.com for reporting.


Release 5.2
###########
* Again again some fixes for the ssh2 module. This is the last try. If it
  finally does not work reliable, I am throwing out that library!
  Thanks to bykhe@mymail.ch for the patch
* Added a new module: VMWare-Auth! Thanks to david.maciejak@gmail.com!


Release 5.1
###########
* Again some fixed for the ssh2 module. Sorry. And still it might not work
  in all occasions. The libssh is not as mature as we all wish it would be :-(
* HYDRA_PROXY_AUTH was never used ... weird that nobody reported that. fixed.
* Fixed bug in the base64 encoding function
* Added an md5.h include which is needed since openssl 0.9.8
* Added an enhacement to the FTP module, thanks to piotr_sobolewski@o2.pl
* Fixed a bug when not using passwords and just -e n/s


Release 5.0
###########
! THIS IS A THC - TAX - 10TH ANNIVERSARY RELEASE ! HAVE FUN !
* Increadible speed-up for most modules :-)
* Added module for PC-Anywhere, thanks to david.maciejak(at)kyxar.fr!
* Added module for SVN, thanks to david.maciejak(at)kyxar.fr!
* Added --disable-xhydra option to configure, thanks to david.maciejak(at)kyxar.fr!
  - he is becoming the top supporter :-)
* Added module for SIP (VoIP), thanks to gh0st(at)staatsfeind.org
* Added support for newer sap r/3 rfcsdk
* Added check to the telnet module to work with Cisco AAA
* Fix for the VNC module, thanks to xmag
* Small enhancement to the mysql plugin by pjohnson(at)bosconet.org


Release 4.7
###########
* Updated ssh2 support to libssh v0.11 - you *must* use this version if
  you want to use ssh2! download from http://www.0xbadc0de.be/?part=libssh
  This hopefully fixes problems on/against Sun machines.
  After fixing, I also received a patch from david maciejak - thanks :-)
* Added an attack module for rlogin and rsh, thanks to
  david.maciejak(at)kyxar.fr!
* Added an attack module for the postgres database, thanks to
  diaul(at)devilopers.org! (and again: david maciejak sent on in as well)
* JoMo-Kun sent in an update for his smbnt module. cool new features:
  win2k native mode, xp anonymous account detection, machine name as password
* Hopefully made VNC 3.7 protocol versions to work. please report.
* Switched http and https service module to http-head, http-get and
  https-get, https-head. Some web servers want HEAD, others only GET
* An initial password for cisco-enable is now not required anymore. Some
  people had console access without password, so this was necessary.
* Fixed a bug in xhydra which did not allow custom ports > 100
! Soon to come: v5.0 - some cool new features to arrive on your pentest
  machine!


Release 4.6
###########
* Snakebyte delivered a module for Teamspeak
* Snakebyte updated the rexec module for the Hydra Palm version
* Snakebyte updated xhydra to support the new Telnet success response option
* Clarified the Licence
* Updated the ldap module to support v3, note that "ldap" is now specified as
  "ldap2" or "ldap3". Added wrong version detection.


Release 4.5
###########
* The configure script now detects Cygwin automatically :-)
* The telnet module now handles the OPT special input. Specify the string
  which is displayed after successfully a login. Use this if you have false
  positives.
* Made smtp-auth module more flexible in EHLO/HELO handling
* Fixed some glitches in the SAP/R3 module (correct sysnr, better port
  handling) thanks to ngregoire@exaprobe.com !
* Fixed some glitches in the http/https module
* Fixed a big bug in snakebyte's snmp module 
* Warning msg is now displayed if the deprecated icq module is used
* Added warning message to the ssh2 module during compilation as many people
  use the newest libssh version which is broken.


Release 4.4
###########
* Fixed another floating point exception *sigh*
* Fixed -C colon mode
* Added EHLO support for the smtp-auth module, required for some smtpd


Release 4.3
###########
* Fixed a divide by zero bug in the status report function
* Added functionality for skipping accounts (cvs is so nice to report this)
* Snakebyte sent in a patch for cvs for skipping nonexisting accounts
* <lerrahn@syss.de> sent in a patch to fix proxy support for the HTTP module
  without proxy authentication


Release 4.2
###########
* Snakebyte sent in modules for SNMP and CVS - great work!
* Snakebyte also expanded the gtk gui to support the two new modules
* Justin <connectjunkie@gmail.com> sent in a module for smtp-auth ... thanks!
* master_up@post.cz sent in some few patches to fix small glitches
* Incorporated a check from the openbsd port


Release 4.1
###########
* Snakebyte wrote a very nice GTK GUI for hydra! enjoy!
* due a bug, sometimes hydra would kill process -1 ... baaaad boy!
* found passwords are now also printed to stdout if -o option is used
* <je@sekure.net> reported that hydra wouldn't complain on ssh2 option if
  compiled without support, fixed
* <llevier@argosnet.com> made an official port for FreeBSD and sent me a
  diff to exchange the MD4 of libdes to openssl
* <vh@helith.net> noticed that hydra will crash on big wordlists as
  the result of the mallocs there were not checked, fixed
* Snakebyte expanded his PalmOS Version of hydra to nntp and fixed vnc
* Increased the wait time for children from 5 to 15 seconds, as e.g.
  snakebyte reported detection problems
* Fixed some display glitches


Release v4.0
############
#
# This is a summary of changes of the D1 to D5 beta releases and shows
# what makes v4.0 different from 3.1.
# Have fun. Lots of it.
#
# By the way: I need someone to program a nice GTK frontend for hydra,
# would YOU like to do that and receive the fame? Send an email to vh@thc.org !
#
* For the first time there is not only a UNIX/source release but additionally:
   ! Windows release (cygwin compile with dll's)
   ! PalmPilot release
   ! ARM processor release (for all your Zaurus, iPaq etc. running Linux)
* There are new service attack modules:
   ! ms-sql
   ! sap r/3 (requires a library)
   ! ssh v2 (requires a library)
* Enhancements/Fixes to service attack modules:
   ! vnc module didnt work correctly, fixed
   ! mysql module supports newer versions now
   ! http module received a minor fix and has better virtual host support now
   ! http-proxy supports now an optional URL
   ! socks5 checks now for false positives and daemons without authentication
* The core code (hydra.c) was rewritten from scratch
   ! rewrote the internal distribution functions from scratch. code is now
     safer, less error prone, easier to read.
   ! multiple target support rewritten which now includes intelligent load
     balancing based on success, error and load rate
   ! intelligently detect maximum connect numbers for services (per server if
     multiple targets are used)
   ! intelligent restore file writing
   ! Faster (up to 15%)
   ! Full Cygwin and Cygwin IPv6 support
* added new tool: pw-inspector - it can be used to just try passwords which
  matches the target's password policy
#
# This should be more than enough! :-)
#

... the rest below is history ...

###########################################################################
#
# New Hydra v4.0 code branch
#
Release D5
* added patches by kan@dcit.cz which enhance the proxy module and provide
  a small fix for the http module
* small beautifcations to make the compiler happy
! This is the final beta version before public release
  - please test everything!

Release D4
* Tick made an update to his configure-arm
* snakebyte@gmx.de added imap, vnc and cisco module support to PalmPilot
* fixed VNC module
* enhanced mysql module to work also with 4.0.x (and all future protocol 10
  mysql protocol types)
* enhanced socks5 module to identify daemons which do not require
  authentication, and false positive check (otherwise dante would report all
  tries as successful)
* fixed a bug in configure for D3 which resulted in compile problems on
  several platforms requiring libcrypto

Release D3
* added sapr3 attack module (requires libsdk.a and saprfc.h)
* added ssh2 attack module (requires libssh)
* snakebyte@gmx.de added telnet module support for PalmPilot
* fixed the mssql module, should work now
* fixed -e option bug
* fixed -C option bug (didnt work at all!!)
* fixed double detection (with -e option) plus added simple dictionary
  double detection
* target port is now displayed on start

Release D2
* added better virtual host support to the www/http/https/ssl module
  (based on a patch from alla@scanit.be)
* added ARM support (does not work for libdes yet, ssl works), done by
  Tick <tick@thc.org>
* added Palm support (well, in reality it is more a rewrite which can use
  the hydra-modules), done by snakebyte <snakebyte@gmx.de>
* added ms-sql attack module (code based on perl script form HD Moore
  <hdm@digitaloffense.net>, thanks for contributing)

Release D1 (3 March 2003)
* rewrote the internal distribution functions from scratch. code is now
  safer, less error prone, easier to read.
* multiple target support rewritten which now includes intelligent load
  balancing based on success, error and load rate
* intelligently detect maximum connect numbers for services (per server if
  multiple targets are used)
* intelligent restore file writing
* Faster (up to 15%)
* Full Cygwin and Cygwin IPv6 support
* added new tool: pw-inspector - it can be used to just try passwords which
  matches the target's password policy

###########################################################################

v3.0 (FEBRUARY 2004)		PUBLIC RELEASE
* added a restore function to enable you to continue aborted/crashed
  sessions. Just type "hydra -R" to continue a session.
  NOTE: this does not work with the -M option! This feature is then disabled!
* added a module for http proxy authentication cracking ("http-proxy") :-)
* added HTTP and SSL/CONNECT proxy support. SSL/CONNECT proxy support works
  for *all* TCP protocols, you just need to find a proxy which allows you to
  CONNECT on port 23 ...
  The environment variable HYDRA_PROXY_HTTP defines the web proxy. The
  following syntax is valid: HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
  Same for HYDRA_PROXY_CONNECT.
  If you require authentication for the proxy, use the HYDRA_PROXY_AUTH
  environment variable:
    HYDRA_PROXY_AUTH="login:password"
* fixed parallel host scanning engine (thanks to m0j0.j0j0 for reporting)
* A status, speed and time to completion report is now printed every minute.
* finally updated the README

v2.9 (FEBRUARY 2004)		PRIVATE RELEASE
...

v2.8 (JANUARY 2004)		PRIVATE RELEASE
...

v2.7 (JANUARY 2004)		PUBLIC RELEASE
* small fix for the parallel host code (thanks to m0j0@foofus.net)

v2.6 (DECEMBER 2003)		PUBLIC RELEASE
* fixed a compiling problem for picky compilers.

v2.5 (NOVEMBER 2003)		PUBLIC RELEASE
* added a big patch from m0j0@foofus.net which adds:
    - AAA authentication to the cisco-enable module
    - Running the attacks on hosts in parallel
    - new smbnt module, which uses lanman hashes for authentication, needs libdes
  ! great work and thanks !
* changed code to compile easily on FreeBSD
* changed configure to compile easily on MacOS X - Panther (cool OS btw ...)

v2.4 (AUGUST 2003)		PUBLIC RELEASE
* public release
=== 2.3 stuff===
* added mysql module (thanks to mcbethh@u-n-f.com)
* small fix in vnc (thanks to the Nessus team)
* added credits for vnc-module (FX/Phenolite)
* new ./configure script for better Solaris and *BSD support (copied from amap)
* updated to new email/www addresses => www.thc.org

v2.2 (OCTOBER 2002)		PUBLIC RELEASE
* fixed a bug in the -P passwordfile handling ... uhhh ... thanks to all
  the many people who reported that bug!
* added check if a password in -P passwordfile was already done via the
  -e n|s switch

v2.1 (APRIL 2002)		PUBLIC RELEASE
* added ldap cracking mode (thanks to myself, eh ;-)
* added -e option to try null passwords ("-e n") and passwords equal to the
  login ("-e s"). When specifying -e, -p/-P is optional (and vice versa)
* when a login is found, hydra will now go on with the next login

v2.0 (APRIL 2002)		PRIVATE RELEASE
! with v1.1.14 of Nessus, Hydra is a Nessus plugin!
* incorporated code to make hydra a nessus plugin (thanks to deraison@cvs.nessus.org !)
* added smb/samba/CIFS cracking mode (thanks to deraison@cvs.nessus.org !)
* added cisco-enable cracking mode (thanks to J.Marx@secunet.de !)
* minor enhancements and fixes

v1.7 (MARCH 2002)		PRIVATE RELEASE
* configure change to better detect OpenSSL
* ported to Solaris

v1.6 (FEBRUARY 2002)		PUBLIC RELEASE
* added socks5 support (thanks to bigbud@weed.tc !)

v1.5 (DECEMBER 2001)		PRIVATE RELEASE
* added -S option for SSL support (for all TCP based protocols)
* added -f option to stop attacking once a valid login/pw has been discovered
* made modules more hydra-mod compliant
* configure stuff thrown out - was not really used and too complicated,
  wrote my own, lets hope it works everywhere ;-)

v1.4 (DECEMBER 2001)		PUBLIC RELEASE
* added REXEC cracking module
* added NNTP cracking module
* added VNC cracking module (plus the 3DES library, which is needed) - some
  of the code ripped from FX/Phenolite :-) thanks a lot
* added PCNFS cracking module
* added ICQ cracking module (thanks to ocsic <pisco@private.as>!!)
* for the pcnfs cracking module, I had to add the hydra_connect_udp function
* added several compactibility stuff to work with all the M$ crap

v1.3 (September 2001)		PUBLIC RELEASE
* uh W2K telnetd sends null bytes in negotiation mode. workaround implemented.
* Rewrote the finish functions which would sometimes hang. Shutdowns are faster
  now as well.
* Fixed the line count (it was always one to much)
* Put more information in the outpufile (-o)
* Removed some configure crap.

v1.2 (August 2001)		PRIVATE RELEASE
* Fixed a BIG bug which resulted in accounts being checked serveral times. ugh
* Fixed the bug which showed the wrong password for a telnet hack. Works for
  me. please test.
* Added http basic authentication cracking. Works for me. please test.
* Fixed the ftp cracker module for occasions where a long welcome message was
  displayed for ftp.
* Removed some compiler warnings.

v1.1 (May 2001)			PUBLIC RELEASE
* Added wait+reconnect functionality to hydra-mod
* Additional wait+reconnect for cisco module
* Added small waittimes to all attack modules to prevent too fast reconnects
* Added cisco Username/Password support to the telnet module
* Fixed a deadlock in the modules, plus an additional one in the telnet module

v1.0 (April 2001)		PUBLIC RELEASE
* Verified that all service modules really work, no fix necessary ;-)
  ... so let's make it public
* Changed the LICENCE

v0.6 (April 2001)		PRIVATE RELEASE
* Added hydra-cisco.c for the cisco 3 times "Password:" type
* Added hydra-imap.c for the imap service
* Fixed a bug in hydra-mod.c: empty logins resulted in an empty
  hydra_get_next_password() :-(, additionally the blocking/recv works better
  now. (no, not better - perfect ;-)
* Fixed a bug in hydra-telnet.c: too many false alarms for success due some
  mis-thinking on my side and I also implemented a more flexible checking
* Fixed hydra-ftp.c to allow more weird reactions
* Fixed all ;-) memory leaks

v0.5 (December 2000)		PUBLIC RELEASE
* NOTE WE HAVE GOT A NEW WWW ADDRESS -> www.thehackerschoice.com
* added telnet protocol
* exchanged snprintf with sprintf(%.250s) to let it compile on more platforms
  but still have buffer overflow protection.
* fixed a bug in Makefile.in (introduced by Plasmo ,-)

v0.4 (August 2000)		PUBLIC RELEASE
* Plasmoid added a ./configure script. thanks!

v0.3 (August 2000)
* first release