github/thc-hydra
1
0
Fork 0
mirror of https://github.com/vanhauser-thc/thc-hydra.git synced 2025-03-12 04:36:23 -07:00
Code Issues Packages Projects Releases Wiki Activity
thc-hydra/hydra-radmin2.c
catatonic 2386d4517f Improving data specificity more.
2017-07-08 01:14:41 +00:00

363 lines
11 KiB
C
Raw Permalink Blame History

#include "hydra-mod.h"
#include <arpa/inet.h>
#include <unistd.h>
#ifdef HAVE_GCRYPT
#include <gcrypt.h>
#endif
extern char *HYDRA_EXIT;
//RAdmin 2.x
struct rmessage {
uint8_t magic; //Indicates version, probably?
uint32_t length; //Total message size of data.
uint32_t checksum; //Checksum from type to end of data.
uint8_t type; //Command type, table below.
unsigned char data[32]; //data to be sent.
};
/*
* Usage: sum = checksum(message);
* Function: Returns a 4 byte little endian sum of the messages typecode+data. This data is zero padded for alignment.
* Example message (big endian):
* [01][00000021][0f43d461] sum([1b6e779a f37189bb c1b22982 c80d1f4d 66678ff9 4b10f0ce eabff6e8 f4fb8338 3b] + zeropad(3)])
* Sum: is 0f43d461 (big endian)
*/
uint32_t checksum(struct rmessage *msg) {
int32_t blen;
uint8_t *stream;
uint32_t sum;
blen = msg->length; //Get the real length.
blen += (4 - (blen % 4));
//Allocate a worksapce.
stream = calloc(blen, sizeof(uint8_t));
memcpy(stream, &msg->type, sizeof(uint8_t));
memcpy(stream+1, msg->data, blen-1);
sum = 0;
for(blen -= sizeof(uint32_t); blen > 0; blen -= sizeof(uint32_t)) {
sum += *(uint32_t *)(stream + blen);
}
sum += *(uint32_t *)stream;
//Free the workspace.
free(stream);
return sum;
}
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a request for a challenge. Updates the checksum as appropriate.
*/
void challenge_request(struct rmessage *msg) {
msg->magic = 0x01;
msg->length = 0x01;
msg->type = 0x1b;
msg->checksum = checksum(msg);
}
/*
* Usage: challenge_request(message);
* Function: Modifies message to reflect a response to a challenge. Updates the checksum as appropriate.
*/
void challenge_response(struct rmessage *msg, unsigned char *solution) {
msg->magic = 0x01;
msg->length = 0x21;
msg->type = 0x09;
memcpy(msg->data, solution, 0x20);
msg->checksum = checksum(msg);
}
/*
* Usage: buffer = message2buffer(message); send(buffer, message->length + 10); free(buffer)
* Function: Allocates a buffer for transmission and fills the buffer with message data such that it is ready to transmit.
*/
//TODO: conver to a sendMessage() function?
char *message2buffer(struct rmessage *msg) {
char *data;
if(msg == NULL) {
hydra_report(stderr, "rmessage is null\n");
hydra_child_exit(0);
return NULL;
}
switch(msg->type) {
case 0x1b: //Challenge request
data = calloc (10, sizeof(unsigned char));
if(data == NULL) {
hydra_report(stderr, "calloc failure\n");
hydra_child_exit(0);
}
memcpy(data, &msg->magic, sizeof(char));
*((int32_t *)(data+1)) = htonl(msg->length);
*((int32_t *)(data+5)) = htonl(msg->checksum);
memcpy((data+9), &msg->type, sizeof(char));
break;
case 0x09:
data = calloc (42, sizeof(unsigned char));
if(data == NULL) {
hydra_report(stderr, "calloc failure\n");
hydra_child_exit(0);
}
memcpy(data, &msg->magic, sizeof(char));
*((int32_t *)(data+1)) = htonl(msg->length);
*((int32_t *)(data+5)) = htonl(msg->checksum);
memcpy((data+9), &msg->type, sizeof(char));
memcpy((data+10), msg->data, sizeof(char) * 32);
break;
default:
hydra_report(stderr, "unknown rmessage type\n");
hydra_child_exit(0);
return NULL;
}
return data;
}
struct rmessage *buffer2message(char *buffer) {
struct rmessage *msg;
msg = calloc(1, sizeof(struct rmessage));
if(msg == NULL) {
hydra_report(stderr, "calloc failure\n");
hydra_child_exit(0);
}
//Start parsing...
msg->magic = buffer[0];
buffer += sizeof(char);
msg->length = ntohl(*((uint32_t *)(buffer)));
buffer += sizeof(uint32_t);
msg->checksum = ntohl(*((uint32_t *)(buffer)));
buffer += sizeof(uint32_t);
msg->type = buffer[0];
buffer += sizeof(char);
//Verify known fields...
if(msg->magic != 0x01) {
hydra_report(stderr, "Bad magic\n");
hydra_child_exit(0);
return NULL;
}
switch(msg->type) {
case 0x1b:
if(msg->length != 0x21) {
hydra_report(stderr, "Bad length...%08x\n", msg->length);
hydra_child_exit(0);
return NULL;
}
memcpy(msg->data, buffer, 32);
break;
case 0x0a:
//Win!
case 0x0b:
//Lose!
break;
default:
hydra_report(stderr, "unknown rmessage type");
hydra_child_exit(0);
return NULL;
}
return msg;
}
int32_t start_radmin2(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE * fp) {
return 0;
}
void service_radmin2(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
#ifdef HAVE_GCRYPT
int32_t sock = -1;
int32_t index;
int32_t bytecount;
char *request;
struct rmessage *msg;
int32_t myport = PORT_RADMIN2;
char buffer[42];
char password[101];
uint8_t rawkey[16];
uint8_t *IV = "\xFE\xDC\xBA\x98\x76\x54\x32\x10\xA3\x9D\x4A\x18\xF8\x5B\x4A\x52";
uint8_t encrypted[32];
gcry_error_t err;
gcry_cipher_hd_t cipher;
gcry_md_hd_t md;
if(port != 0) {
myport = port;
}
gcry_check_version(NULL);
memset(buffer, 0x00, sizeof(buffer));
//Phone the mother ship
hydra_register_socket(sp);
if( memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) {
return;
}
while(1) {
/* Typical conversation goes as follows...
0) connect to server
1) request challenge
2) receive 32 byte challenge response
3) send 32 byte challenge solution
4) receive 1 byte auth success/fail message
*/
// 0) Connect to the server
sock = hydra_connect_tcp(ip, myport);
if(sock < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
// 1) request challenge (working)
msg = calloc(1, sizeof(struct rmessage));
challenge_request(msg);
request = message2buffer(msg);
hydra_send(sock, request, 10, 0);
free(msg);
free(request);
//2) receive response (working)
index = 0;
while(index < 42) { //We're always expecting back a 42 byte buffer from a challenge request.
switch(hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
break;
case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 42 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
}
//3) Send challenge solution.
// Get a password to work with.
memset(password, 0x00, sizeof(password));
memset(encrypted, 0x00, sizeof(encrypted));
hydra_get_next_pair();
strncpy(password, hydra_get_next_password(), sizeof(password)-1);
//MD5 the password to generate the password key, this is used with twofish below.
err = gcry_md_open(&md, GCRY_MD_MD5, 0);
if(err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
gcry_md_reset(md);
gcry_md_write(md, password, 100);
if(gcry_md_read(md, 0) == NULL) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_md_read error (%08x)\n", (int32_t)getpid(), index);
hydra_child_exit(1);
}
memcpy(rawkey, gcry_md_read(md, 0), 16);
gcry_md_close(md);
//3.a) generate a new message from the buffer
msg = buffer2message(buffer);
//3.b) encrypt data received using pkey & known IV
err= gcry_cipher_open(&cipher, GCRY_CIPHER_TWOFISH128, GCRY_CIPHER_MODE_CBC, 0);
if(err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_open error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setiv(cipher, IV, 16);
if(err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setiv error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_setkey(cipher, rawkey, 16);
if(err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_setkey error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
err = gcry_cipher_encrypt(cipher, encrypted, 32, msg->data, 32);
if(err) {
hydra_report(stderr, "Error: Child with pid %d terminating, gcry_cipher_encrypt error (%08x)\n%s/%s", (int32_t)getpid(), index, gcry_strsource(err), gcry_strerror(err));
hydra_child_exit(1);
}
gcry_cipher_close(cipher);
//3.c) half sum - this is the solution to the challenge.
for(index=0; index < 16; index++) {
*(encrypted+index) += *(encrypted+index+16);
}
memset((encrypted+16), 0x00, 16);
//3.d) send half sum
challenge_response(msg, encrypted);
request = message2buffer(msg);
hydra_send(sock, request, 42, 0);
free(msg);
free(request);
//4) receive auth success/failure
index = 0;
while(index < 10) { //We're always expecting back a 42 byte buffer from a challenge request.
switch(hydra_data_ready(sock)) {
case -1:
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
break;
case 0:
//keep waiting...
break;
default:
bytecount = hydra_recv(sock, buffer+index, 10 - index);
if(bytecount < 0) {
hydra_report(stderr, "Error: Child with pid %d terminating, receive error\nerror:\t%s\n", (int32_t)getpid(), strerror(errno));
hydra_child_exit(1);
}
index += bytecount;
}
}
msg = buffer2message(buffer);
switch(msg->type) {
case 0x0a:
hydra_completed_pair_found();
break;
case 0x0b:
hydra_completed_pair();
hydra_disconnect(sock);
break;
default:
hydra_report(stderr, "Error: Child with pid %d terminating, protocol error\n", (int32_t)getpid());
hydra_child_exit(2);
}
}
#endif
}
int32_t service_radmin2_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE * fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here
return 0;
}
Reference in New Issue View Git Blame Copy Permalink