thc-hydra/hydra-ldap.c

#include "hydra-mod.h"
#include "sasl.h"

extern char *HYDRA_EXIT;

unsigned char *buf;
int32_t counter;
int32_t tls_required = 0;

int32_t start_ldap(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp, char *hostname, char version, int32_t auth_method) {
  char *empty = "", *result = NULL;
  char *login = "", *pass, *fooptr = "";
  unsigned char buffer[512];
  int32_t length = 0;
  int32_t ldap_auth_mechanism = auth_method;

  /*
     The LDAP "simple" method has three modes of operation:
     * anonymous= no user no pass
     * unauthenticated= user but no pass
     * user/password authenticated= user and pass
   */

  if ((miscptr != NULL) && (ldap_auth_mechanism == AUTH_CLEAR)) {
    login = miscptr;
  } else {
    if (strlen(login = hydra_get_next_login()) == 0)
      login = empty;
  }
  if (miscptr == NULL)
    miscptr = fooptr;

  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  switch (ldap_auth_mechanism) {
  case AUTH_CLEAR:
    length = 14 + strlen(login) + strlen(pass);
    break;
#ifdef LIBOPENSSL
  case AUTH_CRAMMD5:
    length = 14 + strlen(miscptr) + strlen("CRAM-MD5") + 2;
    break;
  case AUTH_DIGESTMD5:
    length = 14 + strlen(miscptr) + strlen("DIGEST-MD5") + 2;
    break;
#endif
  }

  memset(buffer, 0, sizeof(buffer));
  buffer[0] = 48;
  buffer[1] = length - 2;

  buffer[2] = 2;
  buffer[3] = 1;
  buffer[4] = counter % 256;

  buffer[5] = 96;
  buffer[6] = length - 7;
  buffer[7] = 2;
  buffer[8] = 1;
  buffer[9] = version;
  buffer[10] = 4;

  if (ldap_auth_mechanism == AUTH_CLEAR) {
    buffer[11] = strlen(login); /* DN */
    memcpy(&buffer[12], login, strlen(login));
    buffer[12 + strlen(login)] = (unsigned char)128;
    buffer[13 + strlen(login)] = strlen(pass);
    memcpy(&buffer[14 + strlen(login)], pass, strlen(pass)); /* PASS */
  } else {
    char *authm = "DIGEST-MD5";

    if (ldap_auth_mechanism == AUTH_CRAMMD5) {
      authm = "CRAM-MD5";
    }

    if ((strlen(miscptr)) > sizeof(buffer) - 16 - strlen(authm)) {
      miscptr[sizeof(buffer) - 16 - strlen(authm)] = '\0';
    }

    buffer[11] = strlen(miscptr); /* DN */
    memcpy(&buffer[12], miscptr, strlen(miscptr));
    buffer[12 + strlen(miscptr)] = 163;
    buffer[13 + strlen(miscptr)] = 2 + strlen(authm);
    buffer[14 + strlen(miscptr)] = 4;
    buffer[15 + strlen(miscptr)] = strlen(authm);
    memcpy(&buffer[16 + strlen(miscptr)], authm, strlen(authm));
  }
  if (hydra_send(s, (char *)buffer, length, 0) < 0)
    return 1;
  if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL)
    return 1;

  if (buf[0] != 0 && buf[0] != 32 && buf[9] == 2) {
    if (verbose)
      hydra_report(stderr, "[VERBOSE] Protocol invalid\n");
    free(buf);
    return 3;
  }

  if (buf[0] != 0 && buf[0] != 32 && buf[9] == 13) {
    if (verbose)
      hydra_report(stderr, "[VERBOSE] Confidentiality required, TLS has to be enabled\n");
    tls_required = 1;
    free(buf);
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 34) {
    hydra_report(stderr, "[ERROR] Invalid DN Syntax\n");
    hydra_child_exit(2);
    free(buf);
    return 3;
  }
#ifdef LIBOPENSSL

  /* one more step auth for CRAM and DIGEST */
  if (ldap_auth_mechanism == AUTH_CRAMMD5) {
    /* get the challenge, need to extract it */
    char *ptr;
    char buf2[32];

    ptr = strstr((char *)buf, "<");
    fooptr = buf2;
    result = sasl_cram_md5(fooptr, pass, ptr);
    if (result == NULL)
      return 1;
    counter++;
    if (strstr(miscptr, "^USER^") != NULL) {
      miscptr = hydra_strrep(miscptr, "^USER^", login);
    }

    length = 12 + strlen(miscptr) + 4 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2);

    memset(buffer, 0, sizeof(buffer));
    buffer[0] = 48;
    buffer[1] = length - 2;

    buffer[2] = 2;
    buffer[3] = 1;
    buffer[4] = counter % 256;

    buffer[5] = 96;
    buffer[6] = length - 7;
    buffer[7] = 2;
    buffer[8] = 1;
    buffer[9] = version;
    buffer[10] = 4;

    buffer[11] = strlen(miscptr); /* DN */
    memcpy(&buffer[12], miscptr, strlen(miscptr));
    buffer[12 + strlen(miscptr)] = 163;
    buffer[13 + strlen(miscptr)] = 2 + strlen("CRAM-MD5") + 2 + strlen(login) + 1 + strlen(buf2);
    buffer[14 + strlen(miscptr)] = 4;
    buffer[15 + strlen(miscptr)] = strlen("CRAM-MD5");
    memcpy(&buffer[16 + strlen(miscptr)], "CRAM-MD5", strlen("CRAM-MD5"));
    buffer[16 + strlen(miscptr) + strlen("CRAM-MD5")] = 4;
    buffer[17 + strlen(miscptr) + strlen("CRAM-MD5")] = strlen(login) + 1 + strlen(buf2);
    memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5")], login, strlen(login));
    buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login)] = ' ';
    memcpy(&buffer[18 + strlen(miscptr) + strlen("CRAM-MD5") + strlen(login) + 1], buf2, strlen(buf2));

    if (hydra_send(s, (char *)buffer, length, 0) < 0)
      return 1;
    free(buf);
    if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL)
      return 1;
  } else {
    if (ldap_auth_mechanism == AUTH_DIGESTMD5) {
      char *ptr;
      char buffer2[500];
      int32_t ind = 0;

      ptr = strstr((char *)buf, "realm=");

      counter++;
      if (strstr(miscptr, "^USER^") != NULL) {
        miscptr = hydra_strrep(miscptr, "^USER^", login);
      }

      fooptr = buffer2;
      result = sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL);
      if (result == NULL) {
        free(buf);
        return 3;
      }

      length = 26 + strlen(miscptr) + strlen("DIGEST-MD5") + strlen(buffer2);

      memset(buffer, 0, sizeof(buffer));
      ind = 0;
      buffer[ind] = 48;
      ind++;
      buffer[ind] = 130;
      ind++;

      if (length - 4 > 255) {
        buffer[ind] = 1;
        ind++;
        buffer[ind] = length - 256 - 4;
        ind++;
      } else {
        buffer[ind] = 0;
        ind++;
        buffer[ind] = length - 4;
        ind++;
      }

      buffer[ind] = 2;
      ind++;
      buffer[ind] = 1;
      ind++;
      buffer[ind] = counter % 256;
      ind++;
      buffer[ind] = 96; /*0x60 */
      ind++;
      buffer[ind] = 130;
      ind++;
      if (length - 7 - 4 > 255) {
        buffer[ind] = 1;
        ind++;
        buffer[ind] = length - 256 - 11;
        ind++;
      } else {
        buffer[ind] = 0;
        ind++;
        buffer[ind] = length - 11;
        ind++;
      }

      buffer[ind] = 2;
      ind++;
      buffer[ind] = 1;
      ind++;
      buffer[ind] = version;
      ind++;
      buffer[ind] = 4;
      ind++;
      buffer[ind] = strlen(miscptr);
      ind++;
      memcpy(&buffer[ind], miscptr, strlen(miscptr));
      /*DN*/ buffer[ind + strlen(miscptr)] = 163; // 0xa3
      ind++;
      buffer[ind + strlen(miscptr)] = 130; // 0x82
      ind++;

      if (strlen(buffer2) + 6 + strlen("DIGEST-MD5") > 255) {
        buffer[ind + strlen(miscptr)] = 1;
        ind++;
        buffer[ind + strlen(miscptr)] = strlen(buffer2) + 6 + strlen("DIGEST-MD5") - 256;
      } else {
        buffer[ind + strlen(miscptr)] = 0;
        ind++;
        buffer[ind + strlen(miscptr)] = strlen(buffer2) + 6 + strlen("DIGEST-MD5");
      }
      ind++;

      buffer[ind + strlen(miscptr)] = 4;
      ind++;
      buffer[ind + strlen(miscptr)] = strlen("DIGEST-MD5");
      ind++;
      memcpy(&buffer[ind + strlen(miscptr)], "DIGEST-MD5", strlen("DIGEST-MD5"));
      buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 4;
      ind++;
      buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 130;
      ind++;

      if (strlen(buffer2) > 255) {
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 1;
        ind++;
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = strlen(buffer2) - 256;
      } else {
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = 0;
        ind++;
        buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")] = strlen(buffer2);
      }
      ind++;
      memcpy(&buffer[ind + strlen(miscptr) + strlen("DIGEST-MD5")], buffer2, strlen(buffer2));
      ind++;

      if (hydra_send(s, (char *)buffer, length, 0) < 0)
        return 1;
      free(buf);
      if ((buf = (unsigned char *)hydra_receive_line(s)) == NULL)
        return 1;
    }
  }
#endif

  /* success is: 0a 01 00 - failure is: 0a 01 31 */
  if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) {
    hydra_report_found_host(port, ip, "ldap", fp);
    hydra_completed_pair_found();
    free(buf);
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 3;
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 7) {
    hydra_report(stderr, "[ERROR] Unknown authentication method\n");
    free(buf);
    hydra_child_exit(2);
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 53) {
    if (verbose)
      hydra_report(stderr,
                   "[VERBOSE] Server unwilling to perform action, maybe deny by server "
                   "config or too busy when tried login: %s   password: %s\n",
                   login, pass);
    free(buf);
    return 1;
  }

  if ((buf[0] != 0 && buf[0] != 32) && buf[9] == 2) {
    hydra_report(stderr,
                 "[ERROR] Invalid protocol version, you tried ldap%c, better "
                 "try ldap%c\n",
                 version + '0', version == 2 ? '3' : '2');
    free(buf);
    hydra_child_exit(2);
    sleep(1);
    hydra_child_exit(2);
  }
  // 0 0x30, 0x84, 0x20, 0x20, 0x20, 0x10, 0x02, 0x01,
  // 8 0x01, 0x61, 0x84, 0x20, 0x20, 0x20, 0x07, 0x0a,
  // 16 0x01, 0x20, 0x04, 0x20, 0x04, 0x20, 0x00, 0x00,

  // this is for w2k8 active directory ldap auth
  if (buf[0] == 48 && buf[1] == 132) {
    if (buf[9] == 0x61 && buf[1] == 0x84) {
      if (buf[17] == 0 || buf[17] == 0x20) {
        hydra_report_found_host(port, ip, "ldap", fp);
        hydra_completed_pair_found();
        free(buf);
        if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
          return 3;
        return 1;
      }
    }
  } else {
    if (buf[9] != 49 && buf[9] != 2 && buf[9] != 53) {
      hydra_report(stderr, "[ERROR] Uh, unknown LDAP response! Please report this: \n");
      print_hex((unsigned char *)buf, 24);
      free(buf);
      return 3;
    }
  }

  hydra_completed_pair();
  free(buf);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return 3;
  return 2;
}

void service_ldap(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname, char version, int32_t auth_method) {
  int32_t run = 1, next_run = 1, sock = -1;
  int32_t myport = PORT_LDAP, mysslport = PORT_LDAP_SSL;

  hydra_register_socket(sp);
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return;
  while (1) {
    switch (run) {
    case 1: /* connect and service init function */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      //      usleepn(275);
      if ((options & OPTION_SSL) == 0) {
        if (port != 0)
          myport = port;
        sock = hydra_connect_tcp(ip, myport);
        port = myport;
      } else {
        if (port != 0)
          mysslport = port;
        sock = hydra_connect_ssl(ip, mysslport, hostname);
        port = mysslport;
      }
      if (sock < 0) {
        if (verbose || debug)
          hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
        hydra_child_exit(1);
      }
      counter = 1;
      if (tls_required) {
        /* Start TLS operation OID = 1.3.6.1.4.1.1466.20037 according to RFC
         * 2830 */
        char confidentiality_required[] = "\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31"
                                          "\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";

        if (hydra_send(sock, confidentiality_required, strlen(confidentiality_required), 0) < 0)
          hydra_child_exit(1);

        if ((buf = (unsigned char *)hydra_receive_line(sock)) == NULL)
          hydra_child_exit(1);

        if ((buf[0] != 0 && buf[9] == 0) || (buf[0] != 32 && buf[9] == 32)) {
          /* TLS option negociation goes well, now trying to connect */
          free(buf);
          if ((hydra_connect_to_ssl(sock, hostname) == -1) && verbose) {
            hydra_report(stderr, "[ERROR] Can't use TLS\n");
            hydra_child_exit(1);
          } else {
            if (verbose)
              hydra_report(stderr, "[VERBOSE] TLS connection done\n");
            counter++;
          }
        } else {
          hydra_report(stderr, "[ERROR] Can't use TLS %s\n", buf);
          free(buf);
          hydra_child_exit(1);
        }
      }
      next_run = 2;
      break;
    case 2: /* run the cracking function */
      next_run = start_ldap(sock, ip, port, options, miscptr, fp, hostname, version, auth_method);
      counter++;
      break;
    case 3: /* clean exit */
      if (sock >= 0)
        sock = hydra_disconnect(sock);
      hydra_child_exit(0);
      return;
    default:
      hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
      hydra_child_exit(2);
    }
    run = next_run;
  }
}

void service_ldap2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 2, AUTH_CLEAR); }

void service_ldap3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CLEAR); }

void service_ldap3_cram_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_CRAMMD5); }

void service_ldap3_digest_md5(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { service_ldap(ip, sp, options, miscptr, fp, port, hostname, 3, AUTH_DIGESTMD5); }

int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
  // called before the childrens are forked off, so this is the function
  // which should be filled if initial connections and service setup has to be
  // performed once only.
  //
  // fill if needed.
  //
  // return codes:
  //   0 all OK
  //   -1  error, hydra will exit, so print a good error message here
  if (miscptr != NULL && strlen(miscptr) > 220) {
    fprintf(stderr, "[ERROR] the option string to this module may not be "
                    "larger than 220 bytes\n");
    return -1;
  }

  return 0;
}

void usage_ldap(const char *service) {
  printf("Module %s is optionally taking the DN (depending of the auth method "
         "choosed\n"
         "Note: you can also specify the DN as login when Simple auth method "
         "is used).\n"
         "The keyword \"^USER^\" is replaced with the login.\n"
         "Special notes for Simple method has 3 operation modes: anonymous, "
         "(no user no pass),\n"
         "unauthenticated (user but no pass), user/pass authenticated (user "
         "and pass).\n"
         "So don't forget to set empty string as user/pass to test all modes.\n"
         "Hint: to authenticate to a windows active directory ldap, this is "
         "usually\n"
         " cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com\n\n",
         service);
}