mirror of
https://github.com/vanhauser-thc/thc-hydra.git
synced 2025-03-12 04:36:23 -07:00
238 lines
8.6 KiB
C
238 lines
8.6 KiB
C
/*
|
|
|
|
libssh is available at http://www.libssh.org
|
|
If you want support for ssh v1 protocol, you
|
|
have to add option -DWITH_SSH1=On in the cmake
|
|
|
|
*/
|
|
|
|
#include "hydra-mod.h"
|
|
#ifndef LIBSSH
|
|
void dummy_ssh() { printf("\n"); }
|
|
#else
|
|
|
|
#include <libssh/libssh.h>
|
|
|
|
#if LIBSSH_VERSION_MAJOR == 0 && LIBSSH_VERSION_MINOR >= 4
|
|
|
|
ssh_session session = NULL;
|
|
|
|
extern hydra_option hydra_options;
|
|
extern char *HYDRA_EXIT;
|
|
int32_t new_session = 1;
|
|
|
|
int32_t start_ssh(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
|
|
char *empty = "";
|
|
char *login, *pass, keep_login[300];
|
|
int32_t auth_state = 0, rc = 0, i = 0;
|
|
|
|
if (strlen(login = hydra_get_next_login()) == 0)
|
|
login = empty;
|
|
if (strlen(pass = hydra_get_next_password()) == 0)
|
|
pass = empty;
|
|
|
|
if (new_session) {
|
|
if (session) {
|
|
ssh_disconnect(session);
|
|
// ssh_finalize();
|
|
ssh_free(session);
|
|
} else {
|
|
ssh_init();
|
|
}
|
|
|
|
session = ssh_new();
|
|
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
|
|
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
|
|
ssh_options_set(session, SSH_OPTIONS_USER, login);
|
|
ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime);
|
|
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
|
|
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
|
|
// might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list
|
|
ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256");
|
|
ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256");
|
|
if (ssh_connect(session) != 0) {
|
|
// if the connection was drop, exit and let hydra main handle it
|
|
if (verbose)
|
|
hydra_report(stderr, "[ERROR] could not connect to target port %d: %s\n", port, ssh_get_error(session));
|
|
return 3;
|
|
}
|
|
|
|
if ((rc = ssh_userauth_none(session, NULL)) == SSH_AUTH_ERROR) {
|
|
return 3;
|
|
} else if (rc == SSH_AUTH_SUCCESS) {
|
|
hydra_report_found_host(port, ip, "ssh", fp);
|
|
hydra_completed_pair_found();
|
|
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
|
|
return 2;
|
|
else
|
|
return 1;
|
|
}
|
|
} else
|
|
new_session = 1;
|
|
|
|
auth_state = ssh_auth_list(session);
|
|
if ((auth_state & SSH_AUTH_METHOD_PASSWORD) > 0) {
|
|
auth_state = ssh_userauth_password(session, NULL, pass);
|
|
} else if ((auth_state & SSH_AUTH_METHOD_INTERACTIVE) > 0) {
|
|
auth_state = ssh_userauth_kbdint(session, NULL, NULL);
|
|
while (auth_state == SSH_AUTH_INFO) {
|
|
rc = ssh_userauth_kbdint_getnprompts(session);
|
|
for (i = 0; i < rc; i++)
|
|
ssh_userauth_kbdint_setanswer(session, i, pass);
|
|
auth_state = ssh_userauth_kbdint(session, NULL, NULL);
|
|
}
|
|
} else {
|
|
return 4;
|
|
}
|
|
|
|
if (auth_state == SSH_AUTH_ERROR || !ssh_is_connected(session)) {
|
|
new_session = 1;
|
|
return 1;
|
|
}
|
|
|
|
if (auth_state == SSH_AUTH_SUCCESS || auth_state == SSH_AUTH_PARTIAL) {
|
|
hydra_report_found_host(port, ip, "ssh", fp);
|
|
hydra_completed_pair_found();
|
|
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
|
|
return 2;
|
|
return 1;
|
|
} else {
|
|
strncpy(keep_login, login, sizeof(keep_login) - 1);
|
|
keep_login[sizeof(keep_login) - 1] = '\0';
|
|
hydra_completed_pair();
|
|
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
|
|
return 2;
|
|
login = hydra_get_next_login();
|
|
if (strcmp(login, keep_login) == 0)
|
|
new_session = 0;
|
|
return 1;
|
|
}
|
|
|
|
/* not reached */
|
|
return 1;
|
|
}
|
|
|
|
void service_ssh(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
|
|
int32_t run = 1, next_run = 1, sock = -1;
|
|
|
|
hydra_register_socket(sp);
|
|
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
|
|
return;
|
|
while (1) {
|
|
switch (run) {
|
|
case 1: /* connect and service init function */
|
|
next_run = start_ssh(sock, ip, port, options, miscptr, fp);
|
|
if (next_run == 1 && hydra_options.conwait)
|
|
sleep(hydra_options.conwait);
|
|
break;
|
|
case 2:
|
|
ssh_disconnect(session);
|
|
ssh_finalize();
|
|
ssh_free(session);
|
|
hydra_child_exit(0);
|
|
break;
|
|
case 3:
|
|
ssh_disconnect(session);
|
|
ssh_finalize();
|
|
ssh_free(session);
|
|
if (verbose)
|
|
fprintf(stderr, "[ERROR] ssh protocol error\n");
|
|
hydra_child_exit(2);
|
|
break;
|
|
case 4:
|
|
ssh_disconnect(session);
|
|
ssh_finalize();
|
|
ssh_free(session);
|
|
fprintf(stderr, "[ERROR] ssh target does not support password auth\n");
|
|
hydra_child_exit(2);
|
|
break;
|
|
default:
|
|
ssh_disconnect(session);
|
|
ssh_finalize();
|
|
ssh_free(session);
|
|
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
|
|
hydra_child_exit(2);
|
|
}
|
|
run = next_run;
|
|
}
|
|
}
|
|
#else
|
|
#error "You are not using v0.4.x. Download from http://www.libssh.org and add -DWITH_SSH1=On in cmake to enable SSH v1 support"
|
|
#endif
|
|
#endif
|
|
|
|
//
|
|
// dirty workaround here: miscptr is the ptr to the logins, and the first one is
|
|
// used to test if password authentication is enabled!!
|
|
//
|
|
int32_t service_ssh_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
|
|
// called before the childrens are forked off, so this is the function
|
|
// which should be filled if initial connections and service setup has to be
|
|
// performed once only.
|
|
//
|
|
// fill if needed.
|
|
//
|
|
// return codes:
|
|
// 0 all OK
|
|
// 1 skip target without generating an error
|
|
// 2 skip target because of protocol problems
|
|
// 3 skip target because its unreachable
|
|
#ifdef LIBSSH
|
|
int32_t rc, method;
|
|
ssh_init();
|
|
ssh_session session = ssh_new();
|
|
|
|
if (verbose || debug)
|
|
printf("[INFO] Testing if password authentication is supported by "
|
|
"ssh://%s@%s:%d\n",
|
|
miscptr == NULL ? "hydra" : miscptr, hydra_address2string_beautiful(ip), port);
|
|
ssh_options_set(session, SSH_OPTIONS_PORT, &port);
|
|
ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip));
|
|
if (miscptr == NULL)
|
|
ssh_options_set(session, SSH_OPTIONS_USER, "hydra");
|
|
else
|
|
ssh_options_set(session, SSH_OPTIONS_USER, miscptr);
|
|
ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &hydra_options.waittime);
|
|
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_C_S, "none");
|
|
ssh_options_set(session, SSH_OPTIONS_COMPRESSION_S_C, "none");
|
|
// might be better to add the legacy (first two for KEX and HOST) to the default instead of specifying the full list
|
|
ssh_options_set(session, SSH_OPTIONS_KEY_EXCHANGE, "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256");
|
|
ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256");
|
|
if (ssh_connect(session) != 0) {
|
|
fprintf(stderr, "[ERROR] could not connect to ssh://%s:%d - %s\n", hydra_address2string_beautiful(ip), port, ssh_get_error(session));
|
|
return 2;
|
|
}
|
|
rc = ssh_userauth_none(session, NULL);
|
|
method = ssh_userauth_list(session, NULL);
|
|
ssh_disconnect(session);
|
|
ssh_finalize();
|
|
ssh_free(session);
|
|
|
|
if (debug)
|
|
printf("[DEBUG] SSH method check: %08x\n", method);
|
|
|
|
if ((method & SSH_AUTH_METHOD_INTERACTIVE) || (method & SSH_AUTH_METHOD_PASSWORD)) {
|
|
if (verbose || debug)
|
|
printf("[INFO] Successful, password authentication is supported by "
|
|
"ssh://%s:%d\n",
|
|
hydra_address2string_beautiful(ip), port);
|
|
return 0;
|
|
} else if (method == 0) {
|
|
if (verbose || debug)
|
|
fprintf(stderr,
|
|
"[WARNING] invalid SSH method reply from ssh://%s:%d, continuing "
|
|
"anyway ... (check for empty password!)\n",
|
|
hydra_address2string_beautiful(ip), port);
|
|
return 0;
|
|
}
|
|
|
|
fprintf(stderr,
|
|
"[ERROR] target ssh://%s:%d/ does not support password "
|
|
"authentication (method reply %d).\n",
|
|
hydra_address2string_beautiful(ip), port, method);
|
|
return 1;
|
|
#else
|
|
return 0;
|
|
#endif
|
|
}
|