New upstream version 9.3
Daniel Echeverri
2 years ago
0 | 0 | Changelog for hydra |
1 | 1 | ------------------- |
2 | ||
3 | Release 9.3 | |
4 | * support Xcode compilation | |
5 | * new module: cobaltstrike by ultimaiiii, thank you! | |
6 | * fix for ssh to support -M or ip/range | |
7 | * fix for rdp to detect empty passwords | |
8 | * fix for http-form to no send empty headers | |
9 | * fix for http on non-default ports when using with a proxy | |
10 | * for vnc/cisco/... protocols that only check for a password, skip host | |
11 | after the password is found | |
12 | * fix to support IPv6 addresses in -M | |
13 | * fix to test all entries in -C files, not exiting after the first found | |
14 | * make disappearing targets faster to terminate on | |
15 | * added "make uninstall" | |
2 | 16 | |
3 | 17 | |
4 | 18 | Release 9.2 |
0 | cff-version: 1.2.0 | |
1 | message: "If you use this software, please cite it as below." | |
2 | authors: | |
3 | - given-names: Marc | |
4 | family-names: Heuse | |
5 | name-particle: "van Hauser" | |
6 | email: vh@thc.org | |
7 | affiliation: The Hacker's Choice | |
8 | title: "hydra" | |
9 | version: 9.2 | |
10 | type: software | |
11 | date-released: 2021-03-15 | |
12 | url: "https://github.com/vanhauser-thc/thc-hydra" | |
13 | keywords: | |
14 | - scanning | |
15 | - passwords | |
16 | - hacking | |
17 | - pentesting | |
18 | - securiy | |
19 | license: AGPL-3.0-or-later |
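Review bot: `version: 9.2` and `date-released: 2021-03-15` in this new citation file do not match the release being imported, since the commit title and the changelog section both say 9.3. Citation tooling that reads the file would report the older version, so the field should read `version: 9.3` with the release date that belongs to it. The keyword `securiy` is a misspelling of `security`.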
5 | 5 | Redhat/Fedora: yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel |
6 | 6 | OpenSuSE: zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel |
7 | 7 | |
8 | ||
9 | For Termux/Android you need the following setup: | |
10 | ||
11 | Install the necessary dependencies | |
12 | # pkg install -y x11-repo | |
13 | # pkg install -y clang make openssl openssl-tool wget openssh coreutils gtk2 gtk3 | |
14 | And then compiling hydra | |
15 | # ./configure --prefix=$PREFIX | |
16 | # make | |
17 | # make install | |
18 | ||
19 | ||
20 | To use xhydra, you will need to install a graphical output in termux, you can be guided from this article: | |
21 | ||
22 | https://wiki.termux.com/wiki/Graphical_Environment | |
23 | ||
24 | ||
8 | 25 | For the Oracle login module, install the basic and SDK packages: |
9 | 26 | http://www.oracle.com/technetwork/database/features/instant-client/index.html |
10 | 27 |
2 | 2 | |
3 | 3 | clean: |
4 | 4 | cp -f Makefile.orig Makefile |
5 | ||
6 | uninstall: | |
7 | @echo Error: you must run "./configure" first |
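Review bot: The added `uninstall` target only echoes the "you must run ./configure first" message, so make exits 0 and a packaging script cannot tell that nothing was removed. Ending the recipe with a failing command makes the error visible to callers, for example `@echo Error: you must run "./configure" first; exit 1`. The same applies to the identical `uninstall` addition in the other stub makefile section further down the page. The top of this file is outside the hunk, so whether its other stub targets behave the same way is not visible here.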
0 | 0 | # |
1 | # Makefile for Hydra - (c) 2001-2020 by van Hauser / THC <vh@thc.org> | |
1 | # Makefile for Hydra - (c) 2001-2022 by van Hauser / THC <vh@thc.org> | |
2 | 2 | # |
3 | 3 | WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations |
4 | 4 | WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align |
5 | 5 | CFLAGS ?= -g |
6 | OPTS=-I. -O3 $(CFLAGS) -fcommon -Wl,--allow-multiple-definition | |
6 | OPTS=-I. -O3 $(CFLAGS) -fcommon | |
7 | 7 | # -Wall -g -pedantic |
8 | 8 | LIBS=-lm |
9 | 9 | DESTDIR ?= |
10 | 10 | BINDIR = /bin |
11 | 11 | MANDIR = /man/man1/ |
12 | 12 | DATADIR = /etc |
13 | PIXDIR = /share/pixmaps | |
14 | APPDIR = /share/applications | |
13 | 15 | |
14 | 16 | SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \ |
15 | 17 | hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \ |
22 | 24 | hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c hydra-rdp.c \ |
23 | 25 | hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \ |
24 | 26 | hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \ |
25 | hydra-rpcap.c hydra-radmin2.c \ | |
27 | hydra-rpcap.c hydra-radmin2.c hydra-cobaltstrike.c \ | |
26 | 28 | hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c \ |
27 | 29 | hydra-smb2.c |
28 | 30 | OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \ |
29 | 31 | hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \ |
30 | 32 | hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \ |
31 | hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-xmpp.o \ | |
33 | hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-cobaltstrike.o hydra-xmpp.o \ | |
32 | 34 | hydra-http-proxy-urlenum.o hydra-snmp.o hydra-cvs.o hydra-smtp.o \ |
33 | 35 | hydra-smtp-enum.o hydra-sapr3.o hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o \ |
34 | 36 | hydra-postgres.o hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o \ |
64 | 66 | $(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) -c $< $(XDEFINES) $(XIPATHS) |
65 | 67 | |
66 | 68 | strip: all |
67 | strip $(BINS) | |
69 | -strip $(BINS) | |
68 | 70 | -echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null |
69 | 71 | |
70 | 72 | install: strip |
77 | 79 | -cp -f *.csv $(DESTDIR)$(PREFIX)$(DATADIR) |
78 | 80 | -mkdir -p $(DESTDIR)$(PREFIX)$(MANDIR) |
79 | 81 | -cp -f hydra.1 xhydra.1 pw-inspector.1 $(DESTDIR)$(PREFIX)$(MANDIR) |
82 | -mkdir -p $(DESTDIR)$(PREFIX)$(PIXDIR) | |
83 | -cp -f xhydra.png $(DESTDIR)$(PREFIX)$(PIXDIR)/ | |
84 | -mkdir -p $(DESTDIR)$(PREFIX)$(APPDIR) | |
85 | -desktop-file-install --dir $(DESTDIR)$(PREFIX)$(APPDIR) xhydra.desktop | |
80 | 86 | |
81 | 87 | clean: |
82 | 88 | rm -rf xhydra pw-inspector hydra *.o core *.core *.stackdump *~ Makefile.in Makefile dev_rfc hydra.restore arm/*.ipk arm/ipkg/usr/bin/* hydra-gtk/src/*.o hydra-gtk/src/xhydra hydra-gtk/stamp-h hydra-gtk/config.status hydra-gtk/errors hydra-gtk/config.log hydra-gtk/src/.deps hydra-gtk/src/Makefile hydra-gtk/Makefile |
83 | 89 | cp -f Makefile.orig Makefile |
84 | 90 | |
91 | uninstall: | |
92 | -rm -f $(DESTDIR)$(PREFIX)$(BINDIR)/xhydra $(DESTDIR)$(PREFIX)$(BINDIR)/hydra $(DESTDIR)$(PREFIX)$(BINDIR)/pw-inspector $(DESTDIR)$(PREFIX)$(BINDIR)/hydra-wizard.sh $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh | |
93 | -rm -f $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_full.csv $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_local.csv | |
94 | -rm -f $(DESTDIR)$(PREFIX)$(MANDIR)/hydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/xhydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/pw-inspector.1 | |
95 | -rm -f $(DESTDIR)$(PREFIX)$(PIXDIR)/xhydra.png | |
96 | -rm -f $(DESTDIR)$(PREFIX)$(APPDIR)/xhydra.desktop |
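Review bot: `-fcommon` stays on the `OPTS` line while `WARN_GCC` a few lines above lists `-fno-common`, so the file contradicts itself about how tentative definitions are treated. With `-fcommon` in effect, same-named uninitialised globals from different modules are merged silently instead of being rejected at link time. Dropping `-Wl,--allow-multiple-definition` removes one flag that hid duplicate symbols, and `-fcommon` is the one that remains. If it has to stay, a one-line comment on `OPTS` stating which modules still depend on it would make it easier to remove later. The compile rule passes `$(CFLAGS)` again after `$(OPTS)`, so a caller's `-fno-common` would presumably take effect there; whether `WARN_GCC` is used anywhere is not visible in this section.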
2 | 2 | |
3 | 3 | clean: |
4 | 4 | cp -f Makefile.orig Makefile |
5 | ||
6 | uninstall: | |
7 | @echo Error: you must run "./configure" first |
0 | ||
1 | H Y D R A | |
2 | ||
3 | (c) 2001-2022 by van Hauser / THC | |
4 | <vh@thc.org> https://github.com/vanhauser-thc/thc-hydra | |
5 | many modules were written by David (dot) Maciejak @ gmail (dot) com | |
6 | BFG code by Jan Dlabal <dlabaljan@gmail.com> | |
7 | ||
8 | Licensed under AGPLv3 (see LICENSE file) | |
9 | ||
10 | Please do not use in military or secret service organizations, | |
11 | or for illegal purposes. | |
12 | (This is the wish of the author and non-binding. Many people working | |
13 | in these organizations do not care for laws and ethics anyways. | |
14 | You are not one of the "good" ones if you ignore this.) | |
15 | ||
16 | ||
17 | ||
18 | INTRODUCTION | |
19 | ------------ | |
20 | Number one of the biggest security holes are passwords, as every password | |
21 | security study shows. | |
22 | This tool is a proof of concept code, to give researchers and security | |
23 | consultants the possibility to show how easy it would be to gain unauthorized | |
24 | access from remote to a system. | |
25 | ||
26 | THIS TOOL IS FOR LEGAL PURPOSES ONLY! | |
27 | ||
28 | There are already several login hacker tools available, however, none does | |
29 | either support more than one protocol to attack or support parallelized | |
30 | connects. | |
31 | ||
32 | It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, | |
33 | FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS. | |
34 | ||
35 | Currently this tool supports the following protocols: | |
36 | Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, | |
37 | HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, | |
38 | HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, | |
39 | HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, | |
40 | Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, | |
41 | Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, | |
42 | SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, | |
43 | VNC and XMPP. | |
44 | ||
45 | However the module engine for new services is very easy so it won't take a | |
46 | long time until even more services are supported. | |
47 | Your help in writing, enhancing or fixing modules is highly appreciated!! :-) | |
48 | ||
49 | ||
50 | ||
51 | WHERE TO GET | |
52 | ------------ | |
53 | You can always find the newest release/production version of hydra at its | |
54 | project page at https://github.com/vanhauser-thc/thc-hydra/releases | |
55 | If you are interested in the current development state, the public development | |
56 | repository is at Github: | |
57 | svn co https://github.com/vanhauser-thc/thc-hydra | |
58 | or | |
59 | git clone https://github.com/vanhauser-thc/thc-hydra | |
60 | Use the development version at your own risk. It contains new features and | |
61 | new bugs. Things might not work! | |
62 | ||
63 | ||
64 | ||
65 | HOW TO COMPILE | |
66 | -------------- | |
67 | To configure, compile and install hydra, just type: | |
68 | ||
69 | ``` | |
70 | ./configure | |
71 | make | |
72 | make install | |
73 | ``` | |
74 | ||
75 | If you want the ssh module, you have to setup libssh (not libssh2!) on your | |
76 | system, get it from https://www.libssh.org, for ssh v1 support you also need | |
77 | to add "-DWITH_SSH1=On" option in the cmake command line. | |
78 | IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! | |
79 | ||
80 | If you use Ubuntu/Debian, this will install supplementary libraries needed | |
81 | for a few optional modules (note that some might not be available on your distribution): | |
82 | ||
83 | ``` | |
84 | apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ | |
85 | libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ | |
86 | firebird-dev libmemcached-dev libgpg-error-dev \ | |
87 | libgcrypt11-dev libgcrypt20-dev | |
88 | ``` | |
89 | ||
90 | This enables all optional modules and features with the exception of Oracle, | |
91 | SAP R/3, NCP and the apple filing protocol - which you will need to download and | |
92 | install from the vendor's web sites. | |
93 | ||
94 | For all other Linux derivates and BSD based systems, use the system | |
95 | software installer and look for similarly named libraries like in the | |
96 | command above. In all other cases, you have to download all source libraries | |
97 | and compile them manually. | |
98 | ||
99 | ||
100 | ||
101 | SUPPORTED PLATFORMS | |
102 | ------------------- | |
103 | - All UNIX platforms (Linux, *BSD, Solaris, etc.) | |
104 | - MacOS (basically a BSD clone) | |
105 | - Windows with Cygwin (both IPv4 and IPv6) | |
106 | - Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) | |
107 | ||
108 | ||
109 | ||
110 | HOW TO USE | |
111 | ---------- | |
112 | If you just enter `hydra`, you will see a short summary of the important | |
113 | options available. | |
114 | Type `./hydra -h` to see all available command line options. | |
115 | ||
116 | Note that NO login/password file is included. Generate them yourself. | |
117 | A default password list is however present, use "dpl4hydra.sh" to generate | |
118 | a list. | |
119 | ||
120 | For Linux users, a GTK GUI is available, try `./xhydra` | |
121 | ||
122 | For the command line usage, the syntax is as follows: | |
123 | For attacking one target or a network, you can use the new "://" style: | |
124 | hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS | |
125 | The old mode can be used for these too, and additionally if you want to | |
126 | specify your targets from a text file, you *must* use this one: | |
127 | ||
128 | ``` | |
129 | hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] | |
130 | ``` | |
131 | ||
132 | Via the command line options you specify which logins to try, which passwords, | |
133 | if SSL should be used, how many parallel tasks to use for attacking, etc. | |
134 | ||
135 | PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, | |
136 | http-get or many others are available | |
137 | TARGET is the target you want to attack | |
138 | MODULE-OPTIONS are optional values which are special per PROTOCOL module | |
139 | ||
140 | FIRST - select your target | |
141 | you have three options on how to specify the target you want to attack: | |
142 | 1. a single target on the command line: just put the IP or DNS address in | |
143 | 2. a network range on the command line: CIDR specification like "192.168.0.0/24" | |
144 | 3. a list of hosts in a text file: one line per entry (see below) | |
145 | ||
146 | SECOND - select your protocol | |
147 | Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. | |
148 | Use a port scanner to see which protocols are enabled on the target. | |
149 | ||
150 | THIRD - check if the module has optional parameters | |
151 | hydra -U PROTOCOL | |
152 | e.g. hydra -U smtp | |
153 | ||
154 | FOURTH - the destination port | |
155 | this is optional, if no port is supplied the default common port for the | |
156 | PROTOCOL is used. | |
157 | If you specify SSL to use ("-S" option), the SSL common port is used by default. | |
158 | ||
159 | ||
160 | If you use "://" notation, you must use "[" "]" brackets if you want to supply | |
161 | IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: | |
162 | hydra [some command line options] ftp://[192.168.0.0/24]/ | |
163 | hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM | |
164 | ||
165 | Note that everything hydra does is IPv4 only! | |
166 | If you want to attack IPv6 addresses, you must add the "-6" command line option. | |
167 | All attacks are then IPv6 only! | |
168 | ||
169 | If you want to supply your targets via a text file, you can not use the :// | |
170 | notation but use the old style and just supply the protocol (and module options): | |
171 | hydra [some command line options] -M targets.txt ftp | |
172 | You can also supply the port for each target entry by adding ":<port>" after a | |
173 | target entry in the file, e.g.: | |
174 | ||
175 | ``` | |
176 | foo.bar.com | |
177 | target.com:21 | |
178 | unusual.port.com:2121 | |
179 | default.used.here.com | |
180 | 127.0.0.1 | |
181 | 127.0.0.1:2121 | |
182 | ``` | |
183 | ||
184 | Note that if you want to attach IPv6 targets, you must supply the -6 option | |
185 | and *must* put IPv6 addresses in brackets in the file(!) like this: | |
186 | ||
187 | ``` | |
188 | foo.bar.com | |
189 | target.com:21 | |
190 | [fe80::1%eth0] | |
191 | [2001::1] | |
192 | [2002::2]:8080 | |
193 | [2a01:24a:133:0:00:123:ff:1a] | |
194 | ``` | |
195 | ||
196 | LOGINS AND PASSWORDS | |
197 | -------------------- | |
198 | You have many options on how to attack with logins and passwords | |
199 | With -l for login and -p for password you tell hydra that this is the only | |
200 | login and/or password to try. | |
201 | With -L for logins and -P for passwords you supply text files with entries. | |
202 | e.g.: | |
203 | ||
204 | ``` | |
205 | hydra -l admin -p password ftp://localhost/ | |
206 | hydra -L default_logins.txt -p test ftp://localhost/ | |
207 | hydra -l admin -P common_passwords.txt ftp://localhost/ | |
208 | hydra -L logins.txt -P passwords.txt ftp://localhost/ | |
209 | ``` | |
210 | ||
211 | Additionally, you can try passwords based on the login via the "-e" option. | |
212 | The "-e" option has three parameters: | |
213 | ||
214 | ``` | |
215 | s - try the login as password | |
216 | n - try an empty password | |
217 | r - reverse the login and try it as password | |
218 | ``` | |
219 | ||
220 | If you want to, e.g. try "try login as password and "empty password", you | |
221 | specify "-e sn" on the command line. | |
222 | ||
223 | But there are two more modes for trying passwords than -p/-P: | |
224 | You can use text file which where a login and password pair is separated by a colon, | |
225 | e.g.: | |
226 | ||
227 | ``` | |
228 | admin:password | |
229 | test:test | |
230 | foo:bar | |
231 | ``` | |
232 | ||
233 | This is a common default account style listing, that is also generated by the | |
234 | dpl4hydra.sh default account file generator supplied with hydra. | |
235 | You use such a text file with the -C option - note that in this mode you | |
236 | can not use -l/-L/-p/-P options (-e nsr however you can). | |
237 | Example: | |
238 | ||
239 | ``` | |
240 | hydra -C default_accounts.txt ftp://localhost/ | |
241 | ``` | |
242 | ||
243 | And finally, there is a bruteforce mode with the -x option (which you can not | |
244 | use with -p/-P/-C): | |
245 | ||
246 | ``` | |
247 | -x minimum_length:maximum_length:charset | |
248 | ``` | |
249 | ||
250 | the charset definition is `a` for lowercase letters, `A` for uppercase letters, | |
251 | `1` for numbers and for anything else you supply it is their real representation. | |
252 | Examples: | |
253 | ||
254 | ``` | |
255 | -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters | |
256 | -x 2:5:/ generate passwords from length 2 to 5 containing only slashes | |
257 | -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers | |
258 | ``` | |
259 | ||
260 | Example: | |
261 | ||
262 | ``` | |
263 | hydra -l ftp -x 3:3:a ftp://localhost/ | |
264 | ``` | |
265 | ||
266 | SPECIAL OPTIONS FOR MODULES | |
267 | --------------------------- | |
268 | Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m | |
269 | command line option, you can pass one option to a module. | |
270 | Many modules use this, a few require it! | |
271 | ||
272 | To see the special option of a module, type: | |
273 | ||
274 | hydra -U <module> | |
275 | ||
276 | e.g. | |
277 | ||
278 | ./hydra -U http-post-form | |
279 | ||
280 | The special options can be passed via the -m parameter, as 3rd command line | |
281 | option or in the service://target/option format. | |
282 | ||
283 | Examples (they are all equal): | |
284 | ||
285 | ``` | |
286 | ./hydra -l test -p test -m PLAIN 127.0.0.1 imap | |
287 | ./hydra -l test -p test 127.0.0.1 imap PLAIN | |
288 | ./hydra -l test -p test imap://127.0.0.1/PLAIN | |
289 | ``` | |
290 | ||
291 | RESTORING AN ABORTED/CRASHED SESSION | |
292 | ------------------------------------ | |
293 | When hydra is aborted with Control-C, killed or crashes, it leaves a | |
294 | "hydra.restore" file behind which contains all necessary information to | |
295 | restore the session. This session file is written every 5 minutes. | |
296 | NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. | |
297 | from little endian to big endian, or from Solaris to AIX) | |
298 | ||
299 | HOW TO SCAN/CRACK OVER A PROXY | |
300 | ------------------------------ | |
301 | The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works | |
302 | just for the http services!). | |
303 | The following syntax is valid: | |
304 | ||
305 | ``` | |
306 | HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" | |
307 | HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" | |
308 | HYDRA_PROXY_HTTP="proxylist.txt" | |
309 | ``` | |
310 | ||
311 | The last example is a text file containing up to 64 proxies (in the same | |
312 | format definition as the other examples). | |
313 | ||
314 | For all other services, use the HYDRA_PROXY variable to scan/crack. | |
315 | It uses the same syntax. eg: | |
316 | ||
317 | ``` | |
318 | HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port | |
319 | ``` | |
320 | ||
321 | for example: | |
322 | ||
323 | ``` | |
324 | HYDRA_PROXY=connect://proxy.anonymizer.com:8000 | |
325 | HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 | |
326 | HYDRA_PROXY=socksproxylist.txt | |
327 | ``` | |
328 | ||
329 | ADDITIONAL HINTS | |
330 | ---------------- | |
331 | * sort your password files by likelihood and use the -u option to find | |
332 | passwords much faster! | |
333 | * uniq your dictionary files! this can save you a lot of time :-) | |
334 | cat words.txt | sort | uniq > dictionary.txt | |
335 | * if you know that the target is using a password policy (allowing users | |
336 | only to choose a password with a minimum length of 6, containing a least one | |
337 | letter and one number, etc. use the tool pw-inspector which comes along | |
338 | with the hydra package to reduce the password list: | |
339 | cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt | |
340 | ||
341 | ||
342 | RESULTS OUTPUT | |
343 | -------------- | |
344 | ||
345 | The results are output to stdio along with the other information. Via the -o | |
346 | command line option, the results can also be written to a file. Using -b, | |
347 | the format of the output can be specified. Currently, these are supported: | |
348 | ||
349 | * `text` - plain text format | |
350 | * `jsonv1` - JSON data using version 1.x of the schema (defined below). | |
351 | * `json` - JSON data using the latest version of the schema, currently there | |
352 | is only version 1. | |
353 | ||
354 | If using JSON output, the results file may not be valid JSON if there are | |
355 | serious errors in booting Hydra. | |
356 | ||
357 | ||
358 | JSON Schema | |
359 | ----------- | |
360 | Here is an example of the JSON output. Notes on some of the fields: | |
361 | ||
362 | * `errormessages` - an array of zero or more strings that are normally printed | |
363 | to stderr at the end of the Hydra's run. The text is very free form. | |
364 | * `success` - indication if Hydra ran correctly without error (**NOT** if | |
365 | passwords were detected). This parameter is either the JSON value `true` | |
366 | or `false` depending on completion. | |
367 | * `quantityfound` - How many username+password combinations discovered. | |
368 | * `jsonoutputversion` - Version of the schema, 1.00, 1.01, 1.11, 2.00, | |
369 | 2.03, etc. Hydra will make second tuple of the version to always be two | |
370 | digits to make it easier for downstream processors (as opposed to v1.1 vs | |
371 | v1.10). The minor-level versions are additive, so 1.02 will contain more | |
372 | fields than version 1.00 and will be backward compatible. Version 2.x will | |
373 | break something from version 1.x output. | |
374 | ||
375 | Version 1.00 example: | |
376 | ``` | |
377 | { | |
378 | "errormessages": [ | |
379 | "[ERROR] Error Message of Something", | |
380 | "[ERROR] Another Message", | |
381 | "These are very free form" | |
382 | ], | |
383 | "generator": { | |
384 | "built": "2021-03-01 14:44:22", | |
385 | "commandline": "hydra -b jsonv1 -o results.json ... ...", | |
386 | "jsonoutputversion": "1.00", | |
387 | "server": "127.0.0.1", | |
388 | "service": "http-post-form", | |
389 | "software": "Hydra", | |
390 | "version": "v8.5" | |
391 | }, | |
392 | "quantityfound": 2, | |
393 | "results": [ | |
394 | { | |
395 | "host": "127.0.0.1", | |
396 | "login": "bill@example.com", | |
397 | "password": "bill", | |
398 | "port": 9999, | |
399 | "service": "http-post-form" | |
400 | }, | |
401 | { | |
402 | "host": "127.0.0.1", | |
403 | "login": "joe@example.com", | |
404 | "password": "joe", | |
405 | "port": 9999, | |
406 | "service": "http-post-form" | |
407 | } | |
408 | ], | |
409 | "success": false | |
410 | } | |
411 | ``` | |
412 | ||
413 | ||
414 | SPEED | |
415 | ----- | |
416 | through the parallelizing feature, this password cracker tool can be very | |
417 | fast, however it depends on the protocol. The fastest are generally POP3 | |
418 | and FTP. | |
419 | Experiment with the task option (-t) to speed things up! The higher - the | |
420 | faster ;-) (but too high - and it disables the service) | |
421 | ||
422 | ||
423 | ||
424 | STATISTICS | |
425 | ---------- | |
426 | Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing | |
427 | 295 entries (294 tries invalid logins, 1 valid). Every test was run three | |
428 | times (only for "1 task" just once), and the average noted down. | |
429 | ||
430 | ``` | |
431 | P A R A L L E L T A S K S | |
432 | SERVICE 1 4 8 16 32 50 64 100 128 | |
433 | ------- -------------------------------------------------------------------- | |
434 | telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* | |
435 | ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 | |
436 | pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 | |
437 | imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 | |
438 | ``` | |
439 | ||
440 | (*) | |
441 | Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with | |
442 | 128 tasks, running four times resulted in timings between 28 and 97 seconds! | |
443 | The reason for this is unknown... | |
444 | ||
445 | guesses per task (rounded up): | |
446 | ||
447 | 295 74 38 19 10 6 5 3 3 | |
448 | ||
449 | guesses possible per connect (depends on the server software and config): | |
450 | ||
451 | telnet 4 | |
452 | ftp 6 | |
453 | pop3 1 | |
454 | imap 3 | |
455 | ||
456 | ||
457 | ||
458 | BUGS & FEATURES | |
459 | --------------- | |
460 | Hydra: | |
461 | Email me or David if you find bugs or if you have written a new module. | |
462 | vh@thc.org (and put "antispam" in the subject line) | |
463 | ||
464 | ||
465 | You should use PGP to encrypt emails to vh@thc.org : | |
466 | ||
467 | ``` | |
468 | -----BEGIN PGP PUBLIC KEY BLOCK----- | |
469 | Version: GnuPG v3.3.3 (vh@thc.org) | |
470 | ||
471 | mQINBFIp+7QBEADQcJctjohuYjBxq7MELAlFDvXRTeIqqh8kqHPOR018xKL09pZT | |
472 | KiBWFBkU48xlR3EtV5fC1yEt8gDEULe5o0qtK1aFlYBtAWkflVNjDrs+Y2BpjITQ | |
473 | FnAPHw0SOOT/jfcvmhNOZMzMU8lIubAVC4cVWoSWJbLTv6e0DRIPiYgXNT5Quh6c | |
474 | vqhnI1C39pEo/W/nh3hSa16oTc5dtTLbi5kEbdzml78TnT0OASmWLI+xtYKnP+5k | |
475 | Xv4xrXRMVk4L1Bv9WpCY/Jb6J8K8SJYdXPtbaIi4VjgVr5gvg9QC/d/QP2etmw3p | |
476 | lJ1Ldv63x6nXsxnPq6MSOOw8+QqKc1dAgIA43k6SU4wLq9TB3x0uTKnnB8pA3ACI | |
477 | zPeRN9LFkr7v1KUMeKKEdu8jUut5iKUJVu63lVYxuM5ODb6Owt3+UXgsSaQLu9nI | |
478 | DZqnp/M6YTCJTJ+cJANN+uQzESI4Z2m9ITg/U/cuccN/LIDg8/eDXW3VsCqJz8Bf | |
479 | lBSwMItMhs/Qwzqc1QCKfY3xcNGc4aFlJz4Bq3zSdw3mUjHYJYv1UkKntCtvvTCN | |
480 | DiomxyBEKB9J7KNsOLI/CSst3MQWSG794r9ZjcfA0EWZ9u6929F2pGDZ3LiS7Jx5 | |
481 | n+gdBDMe0PuuonLIGXzyIuMrkfoBeW/WdnOxh+27eemcdpCb68XtQCw6UQARAQAB | |
482 | tB52YW4gSGF1c2VyICgyMDEzKSA8dmhAdGhjLm9yZz6JAjkEEwECACMCGwMCHgEC | |
483 | F4AFAlIp/QcGCwkIAwcCBhUKCQgLAgUWAwIBAAAKCRDI8AEqhCFiv2R9D/9qTCJJ | |
484 | xCH4BUbWIUhw1zRkn9iCVSwZMmfaAhz5PdVTjeTelimMh5qwK2MNAjpR7vCCd3BH | |
485 | Z2VLB2Eoz9MOgSCxcMOnCDJjtCdCOeaxiASJt8qLeRMwdMOtznM8MnKCIO8X4oo4 | |
486 | qH8eNj83KgpI50ERBCj/EMsgg07vSyZ9i1UXjFofFnbHRWSW9yZO16qD4F6r4SGz | |
487 | dsfXARcO3QRI5lbjdGqm+g+HOPj1EFLAOxJAQOygz7ZN5fj+vPp+G/drONxNyVKp | |
488 | QFtENpvqPdU9CqYh8ssazXTWeBi/TIs0q0EXkzqo7CQjfNb6tlRsg18FxnJDK/ga | |
489 | V/1umTg41bQuVP9gGmycsiNI8Atr5DWqaF+O4uDmQxcxS0kX2YXQ4CSQJFi0pml5 | |
490 | slAGL8HaAUbV7UnQEqpayPyyTEx1i0wK5ZCHYjLBfJRZCbmHX7SbviSAzKdo5JIl | |
491 | Atuk+atgW3vC3hDTrBu5qlsFCZvbxS21PJ+9zmK7ySjAEFH/NKFmx4B8kb7rPAOM | |
492 | 0qCTv0pD/e4ogJCxVrqQ2XcCSJWxJL31FNAMnBZpVzidudNURG2v61h3ckkSB/fP | |
493 | JnkRy/yxYWrdFBYkURImxD8iFD1atj1n3EI5HBL7p/9mHxf1DVJWz7rYQk+3czvs | |
494 | IhBz7xGBz4nhpCi87VDEYttghYlJanbiRfNh3okCOAQTAQIAIgUCUin7tAIbAwYL | |
495 | CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyPABKoQhYr8OIA//cvkhoKay88yS | |
496 | AjMQypach8C5CvP7eFCT11pkCt1DMAO/8Dt6Y/Ts10dPjohGdIX4PkoLTkQDwBDJ | |
497 | HoLO75oqj0CYLlqDI4oHgf2uzd0Zv8f/11CQQCtut5oEK72mGNzv3GgVqg60z2KR | |
498 | 2vpxvGQmDwpDOPP620tf/LuRQgBpks7uazcbkAE2Br09YrUQSCBNHy8kirHW5m5C | |
499 | nupMrcvuFx7mHKW1z3FuhM8ijG7oRmcBWfVoneQgIT3l2WBniXg1mKFhuUSV8Erc | |
500 | XIcc11qsKshyqh0GWb2JfeXbAcTW8/4IwrCP+VfAyLO9F9khP6SnCmcNF9EVJyR6 | |
501 | Aw+JMNRin7PgvsqbFhpkq9N+gVBAufz3DZoMTEbsMTtW4lYG6HMWhza2+8G9XyaL | |
502 | ARAWhkNVsmQQ5T6qGkI19thB6E/T6ZorTxqeopNVA7VNK3RVlKpkmUu07w5bTD6V | |
503 | l3Ti6XfcSQqzt6YX2/WUE8ekEG3rSesuJ5fqjuTnIIOjBxr+pPxkzdoazlu2zJ9F | |
504 | n24fHvlU20TccEWXteXj9VFzV/zbPEQbEqmE16lV+bO8U7UHqCOdE83OMrbNKszl | |
505 | 7LSCbFhCDtflUsyClBt/OPnlLEHgEE1j9QkqdFFy90l4HqGwKvx7lUFDnuF8LYsb | |
506 | /hcP4XhqjiGcjTPYBDK254iYrpOSMZSIRgQQEQIABgUCUioGfQAKCRBDlBVOdiii | |
507 | tuddAJ4zMrge4qzajScIQcXYgIWMXVenCQCfYTNQPGkHVyp3dMhJ0NR21TYoYMC5 | |
508 | Ag0EUin7tAEQAK5/AEIBLlA/TTgjUF3im6nu/rkWTM7/gs5H4W0a04kF4UPhaJUR | |
509 | gCNlDfUnBFA0QD7Jja5LHYgLdoHXiFelPhGrbZel/Sw6sH2gkGCBtFMrVkm3u7tt | |
510 | x3AZlprqqRH68Y5xTCEjGRncCAmaDgd2apgisJqXpu0dRDroFYpJFNH3vw9N2a62 | |
511 | 0ShNakYP4ykVG3jTDC4MSl2q3BO5dzn8GYFHU0CNz6nf3gZR+48BG+zmAT77peTS | |
512 | +C4Mbd6LmMmB0cuS2kYiFRwE2B69UWguLHjpXFcu9/85JJVCl2CIab7l5hpqGmgw | |
513 | G/yW8HFK04Yhew7ZJOXJfUYlv1EZzR5bOsZ8Z9inC6hvFmxuCYCFnvkiEI+pOxPA | |
514 | oeNOkMaT/W4W+au0ZVt3Hx+oD0pkJb5if0jrCaoAD4gpWOte6LZA8mAbKTxkHPBr | |
515 | rA9/JFis5CVNI688O6eDiJqCCJjPOQA+COJI+0V+tFa6XyHPB4LxA46RxtumUZMC | |
516 | v/06sDJlXMNpZbSd5Fq95YfZd4l9Vr9VrvKXfbomn+akwUymP8RDyc6Z8BzjF4Y5 | |
517 | 02m6Ts0J0MnSYfEDqJPPZbMGB+GAgAqLs7FrZJQzOZTiOXOSIJsKMYsPIDWE8lXv | |
518 | s77rs0rGvgvQfWzPsJlMIx6ryrMnAsfOkzM2GChGNX9+pABpgOdYII4bABEBAAGJ | |
519 | Ah8EGAECAAkFAlIp+7QCGwwACgkQyPABKoQhYr+hrg/9Er0+HN78y6UWGFHu/KVK | |
520 | d8M6ekaqjQndQXmzQaPQwsOHOvWdC+EtBoTdR3VIjAtX96uvzCRV3sb0XPB9S9eP | |
521 | gRrO/t5+qTVTtjua1zzjZsMOr1SxhBgZ5+0U2aoY1vMhyIjUuwpKKNqj2uf+uj5Y | |
522 | ZQbCNklghf7EVDHsYQ4goB9gsNT7rnmrzSc6UUuJOYI2jjtHp5BPMBHh2WtUVfYP | |
523 | 8JqDfQ+eJQr5NCFB24xMW8OxMJit3MGckUbcZlUa1wKiTb0b76fOjt0y/+9u1ykd | |
524 | X+i27DAM6PniFG8BfqPq/E3iU20IZGYtaAFBuhhDWR3vGY4+r3OxdlFAJfBG9XDD | |
525 | aEDTzv1XF+tEBo69GFaxXZGdk9//7qxcgiya4LL9Kltuvs82+ZzQhC09p8d3YSQN | |
526 | cfaYObm4EwbINdKP7cr4anGFXvsLC9urhow/RNBLiMbRX/5qBzx2DayXtxEnDlSC | |
527 | Mh7wCkNDYkSIZOrPVUFOCGxu7lloRgPxEetM5x608HRa3hDHoe5KvUBmmtavB/aR | |
528 | zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni | |
529 | 1B/y8hBSx3SVb4sQVRe3clBkfS1/mYjlldtYjzOwcd02x599KJlcChf8HnWFB7qT | |
530 | zB3yrr+vYBT0uDWmxwPjiJs= | |
531 | =ytEf | |
532 | -----END PGP PUBLIC KEY BLOCK----- | |
533 | ``` |
0 | ||
1 | H Y D R A | |
2 | ||
3 | (c) 2001-2021 by van Hauser / THC | |
4 | <vh@thc.org> https://github.com/vanhauser-thc/thc-hydra | |
5 | many modules were written by David (dot) Maciejak @ gmail (dot) com | |
6 | BFG code by Jan Dlabal <dlabaljan@gmail.com> | |
7 | ||
8 | Licensed under AGPLv3 (see LICENSE file) | |
9 | ||
10 | Please do not use in military or secret service organizations, | |
11 | or for illegal purposes. | |
12 | (This is the wish of the author and non-binding. Many people working | |
13 | in these organizations do not care for laws and ethics anyways. | |
14 | You are not one of the "good" ones if you ignore this.) | |
15 | ||
16 | ||
17 | ||
18 | INTRODUCTION | |
19 | ------------ | |
20 | Number one of the biggest security holes are passwords, as every password | |
21 | security study shows. | |
22 | This tool is a proof of concept code, to give researchers and security | |
23 | consultants the possibility to show how easy it would be to gain unauthorized | |
24 | access from remote to a system. | |
25 | ||
26 | THIS TOOL IS FOR LEGAL PURPOSES ONLY! | |
27 | ||
28 | There are already several login hacker tools available, however, none does | |
29 | either support more than one protocol to attack or support parallelized | |
30 | connects. | |
31 | ||
32 | It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, | |
33 | FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS. | |
34 | ||
35 | Currently this tool supports the following protocols: | |
36 | Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, | |
37 | HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, | |
38 | HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, | |
39 | HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, | |
40 | Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, | |
41 | Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, | |
42 | SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, | |
43 | VNC and XMPP. | |
44 | ||
45 | However the module engine for new services is very easy so it won't take a | |
46 | long time until even more services are supported. | |
47 | Your help in writing, enhancing or fixing modules is highly appreciated!! :-) | |
48 | ||
49 | ||
50 | ||
51 | WHERE TO GET | |
52 | ------------ | |
53 | You can always find the newest release/production version of hydra at its | |
54 | project page at https://github.com/vanhauser-thc/thc-hydra/releases | |
55 | If you are interested in the current development state, the public development | |
56 | repository is at Github: | |
57 | svn co https://github.com/vanhauser-thc/thc-hydra | |
58 | or | |
59 | git clone https://github.com/vanhauser-thc/thc-hydra | |
60 | Use the development version at your own risk. It contains new features and | |
61 | new bugs. Things might not work! | |
62 | ||
63 | ||
64 | ||
65 | HOW TO COMPILE | |
66 | -------------- | |
67 | To configure, compile and install hydra, just type: | |
68 | ||
69 | ``` | |
70 | ./configure | |
71 | make | |
72 | make install | |
73 | ``` | |
74 | ||
75 | If you want the ssh module, you have to setup libssh (not libssh2!) on your | |
76 | system, get it from http://www.libssh.org, for ssh v1 support you also need | |
77 | to add "-DWITH_SSH1=On" option in the cmake command line. | |
78 | IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew! | |
79 | ||
80 | If you use Ubuntu/Debian, this will install supplementary libraries needed | |
81 | for a few optional modules (note that some might not be available on your distribution): | |
82 | ||
83 | ``` | |
84 | apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ | |
85 | libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ | |
86 | firebird-dev libmemcached-dev libgpg-error-dev \ | |
87 | libgcrypt11-dev libgcrypt20-dev | |
88 | ``` | |
89 | ||
90 | This enables all optional modules and features with the exception of Oracle, | |
91 | SAP R/3, NCP and the apple filing protocol - which you will need to download and | |
92 | install from the vendor's web sites. | |
93 | ||
94 | For all other Linux derivates and BSD based systems, use the system | |
95 | software installer and look for similarly named libraries like in the | |
96 | command above. In all other cases, you have to download all source libraries | |
97 | and compile them manually. | |
98 | ||
99 | ||
100 | ||
101 | SUPPORTED PLATFORMS | |
102 | ------------------- | |
103 | - All UNIX platforms (Linux, *BSD, Solaris, etc.) | |
104 | - MacOS (basically a BSD clone) | |
105 | - Windows with Cygwin (both IPv4 and IPv6) | |
106 | - Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) | |
107 | ||
108 | ||
109 | ||
110 | HOW TO USE | |
111 | ---------- | |
112 | If you just enter `hydra`, you will see a short summary of the important | |
113 | options available. | |
114 | Type `./hydra -h` to see all available command line options. | |
115 | ||
116 | Note that NO login/password file is included. Generate them yourself. | |
117 | A default password list is however present, use "dpl4hydra.sh" to generate | |
118 | a list. | |
119 | ||
120 | For Linux users, a GTK GUI is available, try `./xhydra` | |
121 | ||
122 | For the command line usage, the syntax is as follows: | |
123 | For attacking one target or a network, you can use the new "://" style: | |
124 | hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS | |
125 | The old mode can be used for these too, and additionally if you want to | |
126 | specify your targets from a text file, you *must* use this one: | |
127 | ||
128 | ``` | |
129 | hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] | |
130 | ``` | |
131 | ||
132 | Via the command line options you specify which logins to try, which passwords, | |
133 | if SSL should be used, how many parallel tasks to use for attacking, etc. | |
134 | ||
135 | PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, | |
136 | http-get or many others are available | |
137 | TARGET is the target you want to attack | |
138 | MODULE-OPTIONS are optional values which are special per PROTOCOL module | |
139 | ||
140 | FIRST - select your target | |
141 | you have three options on how to specify the target you want to attack: | |
142 | 1. a single target on the command line: just put the IP or DNS address in | |
143 | 2. a network range on the command line: CIDR specification like "192.168.0.0/24" | |
144 | 3. a list of hosts in a text file: one line per entry (see below) | |
145 | ||
146 | SECOND - select your protocol | |
147 | Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. | |
148 | Use a port scanner to see which protocols are enabled on the target. | |
149 | ||
150 | THIRD - check if the module has optional parameters | |
151 | hydra -U PROTOCOL | |
152 | e.g. hydra -U smtp | |
153 | ||
154 | FOURTH - the destination port | |
155 | this is optional, if no port is supplied the default common port for the | |
156 | PROTOCOL is used. | |
157 | If you specify SSL to use ("-S" option), the SSL common port is used by default. | |
158 | ||
159 | ||
160 | If you use "://" notation, you must use "[" "]" brackets if you want to supply | |
161 | IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: | |
162 | hydra [some command line options] ftp://[192.168.0.0/24]/ | |
163 | hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM | |
164 | ||
165 | Note that everything hydra does is IPv4 only! | |
166 | If you want to attack IPv6 addresses, you must add the "-6" command line option. | |
167 | All attacks are then IPv6 only! | |
168 | ||
169 | If you want to supply your targets via a text file, you can not use the :// | |
170 | notation but use the old style and just supply the protocol (and module options): | |
171 | hydra [some command line options] -M targets.txt ftp | |
172 | You can also supply the port for each target entry by adding ":<port>" after a | |
173 | target entry in the file, e.g.: | |
174 | ||
175 | ``` | |
176 | foo.bar.com | |
177 | target.com:21 | |
178 | unusual.port.com:2121 | |
179 | default.used.here.com | |
180 | 127.0.0.1 | |
181 | 127.0.0.1:2121 | |
182 | ``` | |
183 | ||
184 | Note that if you want to attach IPv6 targets, you must supply the -6 option | |
185 | and *must* put IPv6 addresses in brackets in the file(!) like this: | |
186 | ||
187 | ``` | |
188 | foo.bar.com | |
189 | target.com:21 | |
190 | [fe80::1%eth0] | |
191 | [2001::1] | |
192 | [2002::2]:8080 | |
193 | [2a01:24a:133:0:00:123:ff:1a] | |
194 | ``` | |
195 | ||
196 | LOGINS AND PASSWORDS | |
197 | -------------------- | |
198 | You have many options on how to attack with logins and passwords | |
199 | With -l for login and -p for password you tell hydra that this is the only | |
200 | login and/or password to try. | |
201 | With -L for logins and -P for passwords you supply text files with entries. | |
202 | e.g.: | |
203 | ||
204 | ``` | |
205 | hydra -l admin -p password ftp://localhost/ | |
206 | hydra -L default_logins.txt -p test ftp://localhost/ | |
207 | hydra -l admin -P common_passwords.txt ftp://localhost/ | |
208 | hydra -L logins.txt -P passwords.txt ftp://localhost/ | |
209 | ``` | |
210 | ||
211 | Additionally, you can try passwords based on the login via the "-e" option. | |
212 | The "-e" option has three parameters: | |
213 | ||
214 | ``` | |
215 | s - try the login as password | |
216 | n - try an empty password | |
217 | r - reverse the login and try it as password | |
218 | ``` | |
219 | ||
220 | If you want to, e.g. try "try login as password and "empty password", you | |
221 | specify "-e sn" on the command line. | |
222 | ||
223 | But there are two more modes for trying passwords than -p/-P: | |
224 | You can use text file which where a login and password pair is separated by a colon, | |
225 | e.g.: | |
226 | ||
227 | ``` | |
228 | admin:password | |
229 | test:test | |
230 | foo:bar | |
231 | ``` | |
232 | ||
233 | This is a common default account style listing, that is also generated by the | |
234 | dpl4hydra.sh default account file generator supplied with hydra. | |
235 | You use such a text file with the -C option - note that in this mode you | |
236 | can not use -l/-L/-p/-P options (-e nsr however you can). | |
237 | Example: | |
238 | ||
239 | ``` | |
240 | hydra -C default_accounts.txt ftp://localhost/ | |
241 | ``` | |
242 | ||
243 | And finally, there is a bruteforce mode with the -x option (which you can not | |
244 | use with -p/-P/-C): | |
245 | ||
246 | ``` | |
247 | -x minimum_length:maximum_length:charset | |
248 | ``` | |
249 | ||
250 | the charset definition is `a` for lowercase letters, `A` for uppercase letters, | |
251 | `1` for numbers and for anything else you supply it is their real representation. | |
252 | Examples: | |
253 | ||
254 | ``` | |
255 | -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters | |
256 | -x 2:5:/ generate passwords from length 2 to 5 containing only slashes | |
257 | -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers | |
258 | ``` | |
259 | ||
260 | Example: | |
261 | ||
262 | ``` | |
263 | hydra -l ftp -x 3:3:a ftp://localhost/ | |
264 | ``` | |
265 | ||
266 | SPECIAL OPTIONS FOR MODULES | |
267 | --------------------------- | |
268 | Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m | |
269 | command line option, you can pass one option to a module. | |
270 | Many modules use this, a few require it! | |
271 | ||
272 | To see the special option of a module, type: | |
273 | ||
274 | hydra -U <module> | |
275 | ||
276 | e.g. | |
277 | ||
278 | ./hydra -U http-post-form | |
279 | ||
280 | The special options can be passed via the -m parameter, as 3rd command line | |
281 | option or in the service://target/option format. | |
282 | ||
283 | Examples (they are all equal): | |
284 | ||
285 | ``` | |
286 | ./hydra -l test -p test -m PLAIN 127.0.0.1 imap | |
287 | ./hydra -l test -p test 127.0.0.1 imap PLAIN | |
288 | ./hydra -l test -p test imap://127.0.0.1/PLAIN | |
289 | ``` | |
290 | ||
291 | RESTORING AN ABORTED/CRASHED SESSION | |
292 | ------------------------------------ | |
293 | When hydra is aborted with Control-C, killed or crashes, it leaves a | |
294 | "hydra.restore" file behind which contains all necessary information to | |
295 | restore the session. This session file is written every 5 minutes. | |
296 | NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. | |
297 | from little endian to big endian, or from Solaris to AIX) | |
298 | ||
299 | HOW TO SCAN/CRACK OVER A PROXY | |
300 | ------------------------------ | |
301 | The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works | |
302 | just for the http services!). | |
303 | The following syntax is valid: | |
304 | ||
305 | ``` | |
306 | HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" | |
307 | HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" | |
308 | HYDRA_PROXY_HTTP="proxylist.txt" | |
309 | ``` | |
310 | ||
311 | The last example is a text file containing up to 64 proxies (in the same | |
312 | format definition as the other examples). | |
313 | ||
314 | For all other services, use the HYDRA_PROXY variable to scan/crack. | |
315 | It uses the same syntax. eg: | |
316 | ||
317 | ``` | |
318 | HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port | |
319 | ``` | |
320 | ||
321 | for example: | |
322 | ||
323 | ``` | |
324 | HYDRA_PROXY=connect://proxy.anonymizer.com:8000 | |
325 | HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 | |
326 | HYDRA_PROXY=socksproxylist.txt | |
327 | ``` | |
328 | ||
329 | ADDITIONAL HINTS | |
330 | ---------------- | |
331 | * sort your password files by likelihood and use the -u option to find | |
332 | passwords much faster! | |
333 | * uniq your dictionary files! this can save you a lot of time :-) | |
334 | cat words.txt | sort | uniq > dictionary.txt | |
335 | * if you know that the target is using a password policy (allowing users | |
336 | only to choose a password with a minimum length of 6, containing a least one | |
337 | letter and one number, etc. use the tool pw-inspector which comes along | |
338 | with the hydra package to reduce the password list: | |
339 | cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt | |
340 | ||
341 | ||
342 | RESULTS OUTPUT | |
343 | -------------- | |
344 | ||
345 | The results are output to stdio along with the other information. Via the -o | |
346 | command line option, the results can also be written to a file. Using -b, | |
347 | the format of the output can be specified. Currently, these are supported: | |
348 | ||
349 | * `text` - plain text format | |
350 | * `jsonv1` - JSON data using version 1.x of the schema (defined below). | |
351 | * `json` - JSON data using the latest version of the schema, currently there | |
352 | is only version 1. | |
353 | ||
354 | If using JSON output, the results file may not be valid JSON if there are | |
355 | serious errors in booting Hydra. | |
356 | ||
357 | ||
358 | JSON Schema | |
359 | ----------- | |
360 | Here is an example of the JSON output. Notes on some of the fields: | |
361 | ||
362 | * `errormessages` - an array of zero or more strings that are normally printed | |
363 | to stderr at the end of the Hydra's run. The text is very free form. | |
364 | * `success` - indication if Hydra ran correctly without error (**NOT** if | |
365 | passwords were detected). This parameter is either the JSON value `true` | |
366 | or `false` depending on completion. | |
367 | * `quantityfound` - How many username+password combinations discovered. | |
368 | * `jsonoutputversion` - Version of the schema, 1.00, 1.01, 1.11, 2.00, | |
369 | 2.03, etc. Hydra will make second tuple of the version to always be two | |
370 | digits to make it easier for downstream processors (as opposed to v1.1 vs | |
371 | v1.10). The minor-level versions are additive, so 1.02 will contain more | |
372 | fields than version 1.00 and will be backward compatible. Version 2.x will | |
373 | break something from version 1.x output. | |
374 | ||
375 | Version 1.00 example: | |
376 | ``` | |
377 | { | |
378 | "errormessages": [ | |
379 | "[ERROR] Error Message of Something", | |
380 | "[ERROR] Another Message", | |
381 | "These are very free form" | |
382 | ], | |
383 | "generator": { | |
384 | "built": "2021-03-01 14:44:22", | |
385 | "commandline": "hydra -b jsonv1 -o results.json ... ...", | |
386 | "jsonoutputversion": "1.00", | |
387 | "server": "127.0.0.1", | |
388 | "service": "http-post-form", | |
389 | "software": "Hydra", | |
390 | "version": "v8.5" | |
391 | }, | |
392 | "quantityfound": 2, | |
393 | "results": [ | |
394 | { | |
395 | "host": "127.0.0.1", | |
396 | "login": "bill@example.com", | |
397 | "password": "bill", | |
398 | "port": 9999, | |
399 | "service": "http-post-form" | |
400 | }, | |
401 | { | |
402 | "host": "127.0.0.1", | |
403 | "login": "joe@example.com", | |
404 | "password": "joe", | |
405 | "port": 9999, | |
406 | "service": "http-post-form" | |
407 | } | |
408 | ], | |
409 | "success": false | |
410 | } | |
411 | ``` | |
412 | ||
413 | ||
414 | SPEED | |
415 | ----- | |
416 | through the parallelizing feature, this password cracker tool can be very | |
417 | fast, however it depends on the protocol. The fastest are generally POP3 | |
418 | and FTP. | |
419 | Experiment with the task option (-t) to speed things up! The higher - the | |
420 | faster ;-) (but too high - and it disables the service) | |
421 | ||
422 | ||
423 | ||
424 | STATISTICS | |
425 | ---------- | |
426 | Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing | |
427 | 295 entries (294 tries invalid logins, 1 valid). Every test was run three | |
428 | times (only for "1 task" just once), and the average noted down. | |
429 | ||
430 | ``` | |
431 | P A R A L L E L T A S K S | |
432 | SERVICE 1 4 8 16 32 50 64 100 128 | |
433 | ------- -------------------------------------------------------------------- | |
434 | telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* | |
435 | ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 | |
436 | pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 | |
437 | imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 | |
438 | ``` | |
439 | ||
440 | (*) | |
441 | Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with | |
442 | 128 tasks, running four times resulted in timings between 28 and 97 seconds! | |
443 | The reason for this is unknown... | |
444 | ||
445 | guesses per task (rounded up): | |
446 | ||
447 | 295 74 38 19 10 6 5 3 3 | |
448 | ||
449 | guesses possible per connect (depends on the server software and config): | |
450 | ||
451 | telnet 4 | |
452 | ftp 6 | |
453 | pop3 1 | |
454 | imap 3 | |
455 | ||
456 | ||
457 | ||
458 | BUGS & FEATURES | |
459 | --------------- | |
460 | Hydra: | |
461 | Email me or David if you find bugs or if you have written a new module. | |
462 | vh@thc.org (and put "antispam" in the subject line) | |
463 | ||
464 | ||
465 | You should use PGP to encrypt emails to vh@thc.org : | |
466 | ||
467 | ``` | |
468 | -----BEGIN PGP PUBLIC KEY BLOCK----- | |
469 | Version: GnuPG v3.3.3 (vh@thc.org) | |
470 | ||
471 | mQINBFIp+7QBEADQcJctjohuYjBxq7MELAlFDvXRTeIqqh8kqHPOR018xKL09pZT | |
472 | KiBWFBkU48xlR3EtV5fC1yEt8gDEULe5o0qtK1aFlYBtAWkflVNjDrs+Y2BpjITQ | |
473 | FnAPHw0SOOT/jfcvmhNOZMzMU8lIubAVC4cVWoSWJbLTv6e0DRIPiYgXNT5Quh6c | |
474 | vqhnI1C39pEo/W/nh3hSa16oTc5dtTLbi5kEbdzml78TnT0OASmWLI+xtYKnP+5k | |
475 | Xv4xrXRMVk4L1Bv9WpCY/Jb6J8K8SJYdXPtbaIi4VjgVr5gvg9QC/d/QP2etmw3p | |
476 | lJ1Ldv63x6nXsxnPq6MSOOw8+QqKc1dAgIA43k6SU4wLq9TB3x0uTKnnB8pA3ACI | |
477 | zPeRN9LFkr7v1KUMeKKEdu8jUut5iKUJVu63lVYxuM5ODb6Owt3+UXgsSaQLu9nI | |
478 | DZqnp/M6YTCJTJ+cJANN+uQzESI4Z2m9ITg/U/cuccN/LIDg8/eDXW3VsCqJz8Bf | |
479 | lBSwMItMhs/Qwzqc1QCKfY3xcNGc4aFlJz4Bq3zSdw3mUjHYJYv1UkKntCtvvTCN | |
480 | DiomxyBEKB9J7KNsOLI/CSst3MQWSG794r9ZjcfA0EWZ9u6929F2pGDZ3LiS7Jx5 | |
481 | n+gdBDMe0PuuonLIGXzyIuMrkfoBeW/WdnOxh+27eemcdpCb68XtQCw6UQARAQAB | |
482 | tB52YW4gSGF1c2VyICgyMDEzKSA8dmhAdGhjLm9yZz6JAjkEEwECACMCGwMCHgEC | |
483 | F4AFAlIp/QcGCwkIAwcCBhUKCQgLAgUWAwIBAAAKCRDI8AEqhCFiv2R9D/9qTCJJ | |
484 | xCH4BUbWIUhw1zRkn9iCVSwZMmfaAhz5PdVTjeTelimMh5qwK2MNAjpR7vCCd3BH | |
485 | Z2VLB2Eoz9MOgSCxcMOnCDJjtCdCOeaxiASJt8qLeRMwdMOtznM8MnKCIO8X4oo4 | |
486 | qH8eNj83KgpI50ERBCj/EMsgg07vSyZ9i1UXjFofFnbHRWSW9yZO16qD4F6r4SGz | |
487 | dsfXARcO3QRI5lbjdGqm+g+HOPj1EFLAOxJAQOygz7ZN5fj+vPp+G/drONxNyVKp | |
488 | QFtENpvqPdU9CqYh8ssazXTWeBi/TIs0q0EXkzqo7CQjfNb6tlRsg18FxnJDK/ga | |
489 | V/1umTg41bQuVP9gGmycsiNI8Atr5DWqaF+O4uDmQxcxS0kX2YXQ4CSQJFi0pml5 | |
490 | slAGL8HaAUbV7UnQEqpayPyyTEx1i0wK5ZCHYjLBfJRZCbmHX7SbviSAzKdo5JIl | |
491 | Atuk+atgW3vC3hDTrBu5qlsFCZvbxS21PJ+9zmK7ySjAEFH/NKFmx4B8kb7rPAOM | |
492 | 0qCTv0pD/e4ogJCxVrqQ2XcCSJWxJL31FNAMnBZpVzidudNURG2v61h3ckkSB/fP | |
493 | JnkRy/yxYWrdFBYkURImxD8iFD1atj1n3EI5HBL7p/9mHxf1DVJWz7rYQk+3czvs | |
494 | IhBz7xGBz4nhpCi87VDEYttghYlJanbiRfNh3okCOAQTAQIAIgUCUin7tAIbAwYL | |
495 | CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQyPABKoQhYr8OIA//cvkhoKay88yS | |
496 | AjMQypach8C5CvP7eFCT11pkCt1DMAO/8Dt6Y/Ts10dPjohGdIX4PkoLTkQDwBDJ | |
497 | HoLO75oqj0CYLlqDI4oHgf2uzd0Zv8f/11CQQCtut5oEK72mGNzv3GgVqg60z2KR | |
498 | 2vpxvGQmDwpDOPP620tf/LuRQgBpks7uazcbkAE2Br09YrUQSCBNHy8kirHW5m5C | |
499 | nupMrcvuFx7mHKW1z3FuhM8ijG7oRmcBWfVoneQgIT3l2WBniXg1mKFhuUSV8Erc | |
500 | XIcc11qsKshyqh0GWb2JfeXbAcTW8/4IwrCP+VfAyLO9F9khP6SnCmcNF9EVJyR6 | |
501 | Aw+JMNRin7PgvsqbFhpkq9N+gVBAufz3DZoMTEbsMTtW4lYG6HMWhza2+8G9XyaL | |
502 | ARAWhkNVsmQQ5T6qGkI19thB6E/T6ZorTxqeopNVA7VNK3RVlKpkmUu07w5bTD6V | |
503 | l3Ti6XfcSQqzt6YX2/WUE8ekEG3rSesuJ5fqjuTnIIOjBxr+pPxkzdoazlu2zJ9F | |
504 | n24fHvlU20TccEWXteXj9VFzV/zbPEQbEqmE16lV+bO8U7UHqCOdE83OMrbNKszl | |
505 | 7LSCbFhCDtflUsyClBt/OPnlLEHgEE1j9QkqdFFy90l4HqGwKvx7lUFDnuF8LYsb | |
506 | /hcP4XhqjiGcjTPYBDK254iYrpOSMZSIRgQQEQIABgUCUioGfQAKCRBDlBVOdiii | |
507 | tuddAJ4zMrge4qzajScIQcXYgIWMXVenCQCfYTNQPGkHVyp3dMhJ0NR21TYoYMC5 | |
508 | Ag0EUin7tAEQAK5/AEIBLlA/TTgjUF3im6nu/rkWTM7/gs5H4W0a04kF4UPhaJUR | |
509 | gCNlDfUnBFA0QD7Jja5LHYgLdoHXiFelPhGrbZel/Sw6sH2gkGCBtFMrVkm3u7tt | |
510 | x3AZlprqqRH68Y5xTCEjGRncCAmaDgd2apgisJqXpu0dRDroFYpJFNH3vw9N2a62 | |
511 | 0ShNakYP4ykVG3jTDC4MSl2q3BO5dzn8GYFHU0CNz6nf3gZR+48BG+zmAT77peTS | |
512 | +C4Mbd6LmMmB0cuS2kYiFRwE2B69UWguLHjpXFcu9/85JJVCl2CIab7l5hpqGmgw | |
513 | G/yW8HFK04Yhew7ZJOXJfUYlv1EZzR5bOsZ8Z9inC6hvFmxuCYCFnvkiEI+pOxPA | |
514 | oeNOkMaT/W4W+au0ZVt3Hx+oD0pkJb5if0jrCaoAD4gpWOte6LZA8mAbKTxkHPBr | |
515 | rA9/JFis5CVNI688O6eDiJqCCJjPOQA+COJI+0V+tFa6XyHPB4LxA46RxtumUZMC | |
516 | v/06sDJlXMNpZbSd5Fq95YfZd4l9Vr9VrvKXfbomn+akwUymP8RDyc6Z8BzjF4Y5 | |
517 | 02m6Ts0J0MnSYfEDqJPPZbMGB+GAgAqLs7FrZJQzOZTiOXOSIJsKMYsPIDWE8lXv | |
518 | s77rs0rGvgvQfWzPsJlMIx6ryrMnAsfOkzM2GChGNX9+pABpgOdYII4bABEBAAGJ | |
519 | Ah8EGAECAAkFAlIp+7QCGwwACgkQyPABKoQhYr+hrg/9Er0+HN78y6UWGFHu/KVK | |
520 | d8M6ekaqjQndQXmzQaPQwsOHOvWdC+EtBoTdR3VIjAtX96uvzCRV3sb0XPB9S9eP | |
521 | gRrO/t5+qTVTtjua1zzjZsMOr1SxhBgZ5+0U2aoY1vMhyIjUuwpKKNqj2uf+uj5Y | |
522 | ZQbCNklghf7EVDHsYQ4goB9gsNT7rnmrzSc6UUuJOYI2jjtHp5BPMBHh2WtUVfYP | |
523 | 8JqDfQ+eJQr5NCFB24xMW8OxMJit3MGckUbcZlUa1wKiTb0b76fOjt0y/+9u1ykd | |
524 | X+i27DAM6PniFG8BfqPq/E3iU20IZGYtaAFBuhhDWR3vGY4+r3OxdlFAJfBG9XDD | |
525 | aEDTzv1XF+tEBo69GFaxXZGdk9//7qxcgiya4LL9Kltuvs82+ZzQhC09p8d3YSQN | |
526 | cfaYObm4EwbINdKP7cr4anGFXvsLC9urhow/RNBLiMbRX/5qBzx2DayXtxEnDlSC | |
527 | Mh7wCkNDYkSIZOrPVUFOCGxu7lloRgPxEetM5x608HRa3hDHoe5KvUBmmtavB/aR | |
528 | zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni | |
529 | 1B/y8hBSx3SVb4sQVRe3clBkfS1/mYjlldtYjzOwcd02x599KJlcChf8HnWFB7qT | |
530 | zB3yrr+vYBT0uDWmxwPjiJs= | |
531 | =ytEf | |
532 | -----END PGP PUBLIC KEY BLOCK----- | |
533 | ``` |
997 | 997 | if [ "X" = "X$MCACHED_IPATH" ]; then |
998 | 998 | if [ -f "$i/memcached.h" ]; then |
999 | 999 | MCACHED_IPATH="$i" |
1000 | fi | |
1001 | if [ -f "$i/libmemcached/memcached.h" ]; then | |
1000 | elif [ -f "$i/libmemcached/memcached.h" ]; then | |
1002 | 1001 | MCACHED_IPATH="$i/libmemcached" |
1003 | fi | |
1004 | if [ -f "$i/libmemcached-1.0/memcached.h" ]; then | |
1002 | elif [ -f "$i/libmemcached-1.0/memcached.h" ]; then | |
1005 | 1003 | MCACHED_IPATH="$i/libmemcached-1.0" |
1006 | 1004 | fi |
1007 | 1005 | fi |
1361 | 1359 | echo "int main() { char *x = strrchr(\"test\", 'e'); if (x == NULL) return 0; else return 1; }" >> $TMPC.c |
1362 | 1360 | $CC -o $TMPC $TMPC.c > /dev/null 2>&1 |
1363 | 1361 | test -x $TMPC && STRRCHR="" |
1362 | rm -f $TMPC | |
1363 | $CC -o $TMPC -Wl,--allow-multiple-definition $TMPC.c > /dev/null 2>&1 | |
1364 | WALLOW="no" | |
1365 | test -x $TMPC && WALLOW="yes" | |
1364 | 1366 | rm -f $TMPC $TMPC.c |
1365 | 1367 | echo " ... strrchr()$STRRCHR found" |
1366 | 1368 | if [ -n "$CRYPTO_PATH" ]; then |
1390 | 1392 | rm -f $TMPC $TMPC.c $TMPC.c.err |
1391 | 1393 | echo " Compiling... $GCCSEC" |
1392 | 1394 | echo " Linking... $LDSEC" |
1395 | ||
1396 | echo "Checking for --allow-multiple-definition linker option ... $WALLOW" | |
1397 | if [ "$WALLOW" = "yes" ]; then | |
1398 | GCCSECOPT="$GCCSECOPT -Wl,--allow-multiple-definition" | |
1399 | fi | |
1393 | 1400 | |
1394 | 1401 | echo |
1395 | 1402 | XDEFINES="" |
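Review bot: The `-Wl,--allow-multiple-definition` flag appended to `GCCSECOPT` in the last hunk is enabled whenever the linker accepts it. With it the linker keeps the first of two clashing symbol definitions instead of failing the build, so a genuine duplicate between a module and a library would go unnoticed. It is a workaround rather than a hardening option, yet it joins what appear to be the security flags, and nothing records which duplicate it papers over. I would keep it in its own variable and add a comment such as `# workaround: duplicate definition of <symbol> with <toolchain>; drop once the sources are fixed`. The probe in the previous hunk reuses the strrchr() test program, so `WALLOW` stays "no" if that program fails to compile for any other reason; both hunks sit inside longer configure logic that continues outside them.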
2416 | 2416 | dreambox,All models,all versions,http, telnet,root,dreambox,, |
2417 | 2417 | dreambox,All models,all versions,http,telnet,root,dreambox,gives access to a busybox allowing to control the box using basic unix commands embedded into busybox, |
2418 | 2418 | drupal.org,Drupal,,administrator,admin,admin,,, |
2419 | ducati,Diavel motorcycles,,console,,last 4 digits of the motorcycle's VIN,Start and drive the motorcycle without a key,This is the ignition password - if you have one of these bikes change the password ASAP as you may be liable for any accident damage caused by the thief!, | |
2420 | ducati,Diavel,,,,Last 4 digits of VIN,,, | |
2421 | 2419 | dupont,Digital Water Proofer,,,root,par0t,,, |
2422 | 2420 | dynalink,RTA020,,,admin,private,,, |
2423 | 2421 | dynalink,RTA020,,Admin,admin,private,,, |
3060 | 3058 | hewlettpackard,Officejet,all versions,http,admin,,admin,http interface, |
3061 | 3059 | hewlettpackard,Power Manager,3,HTTP,admin,admin,Admin,, |
3062 | 3060 | hewlettpackard,ProcCurve MSC-5100,,,admin,admin,,, |
3063 | hewlettpackard,Remote Insight Board,,,Administrator,The last eight digits of the serial number,,, | |
3064 | 3061 | hewlettpackard,StoreOnce,,,HPSupport,badg3r5,,, |
3065 | 3062 | hewlettpackard,Vectra,,Console,,hewlpack,Admin,, |
3066 | 3063 | hewlettpackard,iLo,,http,Admin,Admin,Admin,, |
3610 | 3607 | iwill,PC BIOS,,,,iwill,,, |
3611 | 3608 | iwill,PC BIOS,,Admin,,iwill,,, |
3612 | 3609 | iwill,PC BIOS,,Console,,iwill,Admin,, |
3613 | jacksoncommunitycollege,My Network Services,,web,(first 7 letters of student's last name + first seven letters of first name + middle initial -- no spaces or punctuation),(First letter of first name Capitalized + First letter of last name in lowercase + day of birth {01-31} + birth year {2 digits} + last 4 digits of student ID),My Network Services access,, | |
3614 | 3610 | jaht,adsl router,AR41/2A,HTTP,admin,epicrouter,Admin,, |
3615 | 3611 | jamfsoftware,Casper Suite,,,jamfsoftware,jamfsw03,,, |
3616 | 3612 | janitza,UMG 508,,,Homepage Password,0th,,, |
3785 | 3781 | kyocera,FS6025MFP,,system menus,Admin,Admin,Admin,, |
3786 | 3782 | kyocera,Intermate LAN FS Pro 10/100,K82_0371,HTTP,admin,admin,Admin,, |
3787 | 3783 | kyocera,KM-4850W,,,admin,,,, |
3788 | kyocera,KR2,,http,,read notes,,it is the last 6 characters of the mac address, | |
3789 | 3784 | kyocera,TASKalfa 250 Ci,,,Admin,admin00,,if enable local authentification, |
3790 | 3785 | kyocera,TASKalfa 250ci,,IP,,admin00,,, |
3791 | 3786 | kyocera,TASKalfa 266ci,,Console Panel,Admin,Admin,Admin,, |
5187 | 5182 | oce,tcs500,Windows XP,all models,12.3.0(1668),console,http://192.168.0.81,, |
5188 | 5183 | ods,1094 IS Chassis,,,ods,ods,,4.x, |
5189 | 5184 | ods,1094,,,ods,ods,,, |
5190 | oki,9600,,,admin,last six characters of the MAC address (letters uppercase).,,, | |
5191 | oki,B410,,http (dhcp),admin,last six charachter of mac address (upper case),,, | |
5192 | oki,B410dn,,http://169.254.39.211/,admin,Last 6 characters (chars uppercased) from MAC Address,admin,, | |
5193 | 5185 | oki,B411,all ver,Http or AdminManager,root,aaaaaa,Administrator,, |
5194 | oki,B420,,http (dhcp),admin,last six charachter of mac address (upper case),,, | |
5195 | oki,B430,,http (dhcp),admin,last six charachter of mac address (upper case),,, | |
5196 | 5186 | oki,B431,all ver,Http or AdminManager,root,aaaaaa,Administrator,, |
5197 | 5187 | oki,B431dn,,http://192.168.1.xxx,root,123456,Admin,, |
5198 | oki,B43xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5199 | 5188 | oki,B6100n,,,admin,OkiLAN,admin,with 61e(NIC), |
5200 | 5189 | oki,B6200n,,,admin,OkiLAN,admin,with 62e(NIC), |
5201 | oki,B6300,,,root,last six charachter of mac address,root,, | |
5202 | 5190 | oki,B6300n,,,admin,OkiLAN,admin,with 62e(NIC), |
5203 | oki,B6500,,,root,(last 6 digits of MAC address),root,, | |
5204 | 5191 | oki,B710,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5205 | 5192 | oki,B720,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5206 | 5193 | oki,B720N,All versions,Web interface,root,aaaaaa,Root access,, |
5207 | 5194 | oki,B730,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5208 | 5195 | oki,B8300n,,,admin,OkiLAN,admin,with 83e(NIC), |
5209 | oki,B930n,,,root,(last 4 digits of MAC address),root,, | |
5210 | oki,C3200n,,Web Interface - Device IP,root,last 6 of MAC Address - case sensitive,,, | |
5211 | 5196 | oki,C330,all versions etc.,http://192.168.0.1,root,aaaaaa,Admin,Administrator, |
5212 | 5197 | oki,C3450,,http://192.168.1.50,admin,heslo,admin,, |
5213 | oki,C3450,,web,admin,last 6 digits of MAC code, Use uppercase letters,, | |
5214 | oki,C3450,,web,admin,last 6 digits of MAC code,Use uppercase letters,Administrator, | |
5215 | oki,C3530,,console,admin,last 6 digits of MAC address,Admin,, | |
5216 | oki,C380,,,admin,last 6 characters of the MAC ADRESS,,, | |
5217 | oki,C51xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5218 | 5198 | oki,C530dn,A1.02,http://192.168.1.51,root,aaaaaa,Admin,, |
5219 | oki,C53xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5220 | oki,C54xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5221 | 5199 | oki,C5550 MFP,,http,,*blank*,Admin,, |
5222 | oki,C5650,,Multi,root,Last 6 characters of MAC address (uppercase),Admin,Last 6 digits are also at the end of the default printer name, | |
5223 | 5200 | oki,C5650dn,,,,000000,menu,, |
5224 | 5201 | oki,C5650n,,,,000000,menu,, |
5225 | oki,C5700,,HTTP,root,the 6 last digit of the MAC adress,Admin,running with other models, | |
5226 | oki,C5850,,http,admin,last 6 characters of the MAC ADRESS,,, | |
5227 | oki,C5900,,HTTP,root,Last 6 characters (chars uppercased) from MAC Address,admin,, | |
5228 | 5202 | oki,C6050dn,,,,000000,menu,, |
5229 | 5203 | oki,C6050n,,,,000000,menu,, |
5230 | 5204 | oki,C610,,,admin,aaaaaa,admin,, |
5231 | oki,C6100,,HTTP,root,Last 6 characters of MAC address (uppercase),Administrative,seems to work with a variety of oki printers., | |
5232 | oki,C6150,N1.01 Network Firmware 08.51,ZeroConFig Bonjour,root,last six characters of MAC address,Basic Setup,Printer ID,Protocol | |
5233 | 5205 | oki,C6150dn,,,,000000,menu,, |
5234 | 5206 | oki,C6150dtn,,,,000000,menu,, |
5235 | 5207 | oki,C6150hdn,,,,000000,menu,, |
5236 | 5208 | oki,C6150n,,,,000000,menu,, |
5237 | 5209 | oki,C7000,,,admin,OkiLAN,admin,with 6200e(NIC), |
5238 | oki,C7000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), | |
5239 | oki,C710,All versions,http,root,Last 6 characters (chars uppercased) from MAC Address,Full acces to printer configuration,, | |
5240 | 5210 | oki,C711,,Web,admin,aaaaaa,Admin access,, |
5241 | oki,C7300,A3.14, may apply to other versions,Multi,root,Last six digits of default device name,, | |
5242 | oki,C7300,A3.14,may apply to other versions,Multi,root,Last six digits of default device name,Give this a try if the last six digits of the MAC don't work. I believe alpha characters would be uppercased if there were any present., | |
5243 | oki,C7350,,Administrator,root,Last 6 characters (chars uppercased) from MAC Address,,, | |
5244 | oki,C7350,,Multi,root,Last 6 characters (chars uppercased) from MAC Address,Administrator,, | |
5245 | oki,C810,,http://192.168.0.1,root,Last 6 characters (chars uppercased) from MAC Address,,, | |
5246 | oki,C821,all version?,HTTP,root,last six charachter of mac address,Admin,, | |
5247 | oki,C830,all,web,root,last 6 digits of the MAC address,,, | |
5248 | oki,C8800,,Web or Console,root,Last six characters of MAC address,,, | |
5249 | 5211 | oki,C9000,,,admin,OkiLAN,admin,with 6200e(NIC), |
5250 | oki,C9000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), | |
5251 | oki,C9500,,HTTP / telnet,root,Last 6 characters (chars uppercased) from MAC Address,Administration,, | |
5252 | 5212 | oki,C9650,,,,0000,Print statistics,, |
5253 | 5213 | oki,C9650,,,,aaaaaa,Administration,, |
5254 | oki,C9655,,HTTP,root,last 6 digits of MAC address,Administrator,, | |
5255 | 5214 | oki,C9655,,printer menu,,aaaaaa,printer menubutton,, |
5256 | oki,C9800,,,root,(last 6 digits of MAC address),,, | |
5257 | oki,C9850,,,root,(last 6 digits of MAC address),,, | |
5258 | 5215 | oki,CX1145,,,,123456,,, |
5259 | 5216 | oki,CX2032 MFP,,http,,*blank*,Admin,, |
5260 | 5217 | oki,CX2033,,Printer Menu,,,,When asked for password just press OK, |
5261 | 5218 | oki,CX2633,,Web interface,admin,aaaaaa,admin,, |
5262 | 5219 | oki,CX2731,,Web interface,admin,aaaaaa,admin,, |
5263 | oki,CX3641,,,root,(last 6 digits of MAC address),,, | |
5264 | 5220 | oki,Color 8 +14ex,,,admin,OkiLAN,admin,with 6100e(NIC), |
5265 | oki,ES3640,,,root,(last 6 digits of MAC address),,, | |
5266 | 5221 | oki,ES5460 MFP,,Local configuration menu,,aaaaaa,Admin/Root i guess,, |
5267 | 5222 | oki,ES7120,,Web,root,aaaaaa,Admin,, |
5268 | 5223 | oki,ES7411,,web HTTP,admin,aaaaaa,Administrator,, |
5274 | 5229 | oki,MC160,,Web,,sysAdmin,Admin,, |
5275 | 5230 | oki,MC342w,,,admin,aaaaaa,admin,, |
5276 | 5231 | oki,MC360,,Console,admin,aaaaaa,Full acces to printer configuration,, |
5277 | oki,MC360,,HTTP,admin,Last 6 characters (chars uppercased) from MAC Address,Administration,, | |
5278 | 5232 | oki,MC361,,Web interface,admin,aaaaaa,admin,, |
5279 | 5233 | oki,MC560,,Printer Menu,,,,When asked for password just press OK, |
5280 | 5234 | oki,MC560,,Printer Menu,,,,When asked for password, |
5284 | 5238 | oki,ML3xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) |
5285 | 5239 | oki,ML491n,,http://,Admin,OkiLAN,Admin,, |
5286 | 5240 | oki,ML4xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) |
5287 | oki,ML8810,,,root,(last 6 digits of MAC address),,, | |
5288 | 5241 | oki,N22113B,A2.00,http://192.168.1.9,,noe,Admin,, |
5289 | 5242 | oki,WebTools,,,Administrator,,,, |
5290 | 5243 | oki,b710,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5291 | oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,, | |
5292 | oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,no, | |
5293 | 5244 | oki,c511dn,B7.00,,admin,aaaaaa,Full administrator Access,the machine picks up dhcp address,manually configure static on machine directly if required or print a config page to get the dhcp address that was assigned. |
5294 | oki,c5300,,,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, | |
5295 | oki,c5300,,Console,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",, | |
5296 | oki,c5300,,Console,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, | |
5297 | oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",admin, | |
5298 | oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, | |
5299 | oki,c5300,,admin,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, | |
5300 | 5245 | oki,c5750,n1.02,http://192.168.0.200,,,,, |
5301 | 5246 | oki,c810,1.0,192.100.185.78,admin,admin,admin,, |
5302 | 5247 | olegkhabarov,Comfy CMS,,,username,password,,, |
10099 | 10044 | telus,Telephony and internet services,,,(username),telus13,User,Initial password if issued in 2013, |
10100 | 10045 | telus,Telephony and internet services,,,(username),telus99,User,Initial password if issued in 1999, |
10101 | 10046 | tenda,W150M,,192.168.1.1,admin,admin,Admin,, |
10102 | teradyne,4TEL,VRS400,DTMF,(last 5 digits of lineman's SSN),(same as user ID),,, | |
10103 | 10047 | terayon,,,,admin,nms,,6.29, |
10104 | 10048 | terayon,,Comcast-supplied,HTTP,,,diagnostics page,192.168.100.1/diagnostics_page.html, |
10105 | 10049 | terayon,TeraLink 1000 Controller,,,admin,password,,, |
10402 | 10346 | unisys,ClearPath MCP,,Multi,HTTP,HTTP,Web Server Administration,, |
10403 | 10347 | unisys,ClearPath MCP,,Multi,NAU,NAU,Privileged,Network Administration Utility, |
10404 | 10348 | unitedtechnologiescorporation,Interlogix truVision IP Camera,,,admin,1234,,, |
10405 | universityoftennessee,All Employee and Student Services,,,<NetID> - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, | |
10406 | universityoftennessee,All Employee and Student Services,,,lt;NetIDgt; - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, | |
10407 | 10349 | unix,Generic,,,adm,,,, |
10408 | 10350 | unix,Generic,,,adm,adm,,, |
10409 | 10351 | unix,Generic,,,admin,admin,,, |
2416 | 2416 | dreambox,All models,all versions,http, telnet,root,dreambox,, |
2417 | 2417 | dreambox,All models,all versions,http,telnet,root,dreambox,gives access to a busybox allowing to control the box using basic unix commands embedded into busybox, |
2418 | 2418 | drupal.org,Drupal,,administrator,admin,admin,,, |
2419 | ducati,Diavel motorcycles,,console,,last 4 digits of the motorcycle's VIN,Start and drive the motorcycle without a key,This is the ignition password - if you have one of these bikes change the password ASAP as you may be liable for any accident damage caused by the thief!, | |
2420 | ducati,Diavel,,,,Last 4 digits of VIN,,, | |
2421 | 2419 | dupont,Digital Water Proofer,,,root,par0t,,, |
2422 | 2420 | dynalink,RTA020,,,admin,private,,, |
2423 | 2421 | dynalink,RTA020,,Admin,admin,private,,, |
3060 | 3058 | hewlettpackard,Officejet,all versions,http,admin,,admin,http interface, |
3061 | 3059 | hewlettpackard,Power Manager,3,HTTP,admin,admin,Admin,, |
3062 | 3060 | hewlettpackard,ProcCurve MSC-5100,,,admin,admin,,, |
3063 | hewlettpackard,Remote Insight Board,,,Administrator,The last eight digits of the serial number,,, | |
3064 | 3061 | hewlettpackard,StoreOnce,,,HPSupport,badg3r5,,, |
3065 | 3062 | hewlettpackard,Vectra,,Console,,hewlpack,Admin,, |
3066 | 3063 | hewlettpackard,iLo,,http,Admin,Admin,Admin,, |
3610 | 3607 | iwill,PC BIOS,,,,iwill,,, |
3611 | 3608 | iwill,PC BIOS,,Admin,,iwill,,, |
3612 | 3609 | iwill,PC BIOS,,Console,,iwill,Admin,, |
3613 | jacksoncommunitycollege,My Network Services,,web,(first 7 letters of student's last name + first seven letters of first name + middle initial -- no spaces or punctuation),(First letter of first name Capitalized + First letter of last name in lowercase + day of birth {01-31} + birth year {2 digits} + last 4 digits of student ID),My Network Services access,, | |
3614 | 3610 | jaht,adsl router,AR41/2A,HTTP,admin,epicrouter,Admin,, |
3615 | 3611 | jamfsoftware,Casper Suite,,,jamfsoftware,jamfsw03,,, |
3616 | 3612 | janitza,UMG 508,,,Homepage Password,0th,,, |
3785 | 3781 | kyocera,FS6025MFP,,system menus,Admin,Admin,Admin,, |
3786 | 3782 | kyocera,Intermate LAN FS Pro 10/100,K82_0371,HTTP,admin,admin,Admin,, |
3787 | 3783 | kyocera,KM-4850W,,,admin,,,, |
3788 | kyocera,KR2,,http,,read notes,,it is the last 6 characters of the mac address, | |
3789 | 3784 | kyocera,TASKalfa 250 Ci,,,Admin,admin00,,if enable local authentification, |
3790 | 3785 | kyocera,TASKalfa 250ci,,IP,,admin00,,, |
3791 | 3786 | kyocera,TASKalfa 266ci,,Console Panel,Admin,Admin,Admin,, |
5187 | 5182 | oce,tcs500,Windows XP,all models,12.3.0(1668),console,http://192.168.0.81,, |
5188 | 5183 | ods,1094 IS Chassis,,,ods,ods,,4.x, |
5189 | 5184 | ods,1094,,,ods,ods,,, |
5190 | oki,9600,,,admin,last six characters of the MAC address (letters uppercase).,,, | |
5191 | oki,B410,,http (dhcp),admin,last six charachter of mac address (upper case),,, | |
5192 | oki,B410dn,,http://169.254.39.211/,admin,Last 6 characters (chars uppercased) from MAC Address,admin,, | |
5193 | 5185 | oki,B411,all ver,Http or AdminManager,root,aaaaaa,Administrator,, |
5194 | oki,B420,,http (dhcp),admin,last six charachter of mac address (upper case),,, | |
5195 | oki,B430,,http (dhcp),admin,last six charachter of mac address (upper case),,, | |
5196 | 5186 | oki,B431,all ver,Http or AdminManager,root,aaaaaa,Administrator,, |
5197 | 5187 | oki,B431dn,,http://192.168.1.xxx,root,123456,Admin,, |
5198 | oki,B43xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5199 | 5188 | oki,B6100n,,,admin,OkiLAN,admin,with 61e(NIC), |
5200 | 5189 | oki,B6200n,,,admin,OkiLAN,admin,with 62e(NIC), |
5201 | oki,B6300,,,root,last six charachter of mac address,root,, | |
5202 | 5190 | oki,B6300n,,,admin,OkiLAN,admin,with 62e(NIC), |
5203 | oki,B6500,,,root,(last 6 digits of MAC address),root,, | |
5204 | 5191 | oki,B710,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5205 | 5192 | oki,B720,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5206 | 5193 | oki,B720N,All versions,Web interface,root,aaaaaa,Root access,, |
5207 | 5194 | oki,B730,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5208 | 5195 | oki,B8300n,,,admin,OkiLAN,admin,with 83e(NIC), |
5209 | oki,B930n,,,root,(last 4 digits of MAC address),root,, | |
5210 | oki,C3200n,,Web Interface - Device IP,root,last 6 of MAC Address - case sensitive,,, | |
5211 | 5196 | oki,C330,all versions etc.,http://192.168.0.1,root,aaaaaa,Admin,Administrator, |
5212 | 5197 | oki,C3450,,http://192.168.1.50,admin,heslo,admin,, |
5213 | oki,C3450,,web,admin,last 6 digits of MAC code, Use uppercase letters,, | |
5214 | oki,C3450,,web,admin,last 6 digits of MAC code,Use uppercase letters,Administrator, | |
5215 | oki,C3530,,console,admin,last 6 digits of MAC address,Admin,, | |
5216 | oki,C380,,,admin,last 6 characters of the MAC ADRESS,,, | |
5217 | oki,C51xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5218 | 5198 | oki,C530dn,A1.02,http://192.168.1.51,root,aaaaaa,Admin,, |
5219 | oki,C53xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5220 | oki,C54xx,,,root,(last 6 digits of MAC address),admin,with 8100e(NIC), | |
5221 | 5199 | oki,C5550 MFP,,http,,*blank*,Admin,, |
5222 | oki,C5650,,Multi,root,Last 6 characters of MAC address (uppercase),Admin,Last 6 digits are also at the end of the default printer name, | |
5223 | 5200 | oki,C5650dn,,,,000000,menu,, |
5224 | 5201 | oki,C5650n,,,,000000,menu,, |
5225 | oki,C5700,,HTTP,root,the 6 last digit of the MAC adress,Admin,running with other models, | |
5226 | oki,C5850,,http,admin,last 6 characters of the MAC ADRESS,,, | |
5227 | oki,C5900,,HTTP,root,Last 6 characters (chars uppercased) from MAC Address,admin,, | |
5228 | 5202 | oki,C6050dn,,,,000000,menu,, |
5229 | 5203 | oki,C6050n,,,,000000,menu,, |
5230 | 5204 | oki,C610,,,admin,aaaaaa,admin,, |
5231 | oki,C6100,,HTTP,root,Last 6 characters of MAC address (uppercase),Administrative,seems to work with a variety of oki printers., | |
5232 | oki,C6150,N1.01 Network Firmware 08.51,ZeroConFig Bonjour,root,last six characters of MAC address,Basic Setup,Printer ID,Protocol | |
5233 | 5205 | oki,C6150dn,,,,000000,menu,, |
5234 | 5206 | oki,C6150dtn,,,,000000,menu,, |
5235 | 5207 | oki,C6150hdn,,,,000000,menu,, |
5236 | 5208 | oki,C6150n,,,,000000,menu,, |
5237 | 5209 | oki,C7000,,,admin,OkiLAN,admin,with 6200e(NIC), |
5238 | oki,C7000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), | |
5239 | oki,C710,All versions,http,root,Last 6 characters (chars uppercased) from MAC Address,Full acces to printer configuration,, | |
5240 | 5210 | oki,C711,,Web,admin,aaaaaa,Admin access,, |
5241 | oki,C7300,A3.14, may apply to other versions,Multi,root,Last six digits of default device name,, | |
5242 | oki,C7300,A3.14,may apply to other versions,Multi,root,Last six digits of default device name,Give this a try if the last six digits of the MAC don't work. I believe alpha characters would be uppercased if there were any present., | |
5243 | oki,C7350,,Administrator,root,Last 6 characters (chars uppercased) from MAC Address,,, | |
5244 | oki,C7350,,Multi,root,Last 6 characters (chars uppercased) from MAC Address,Administrator,, | |
5245 | oki,C810,,http://192.168.0.1,root,Last 6 characters (chars uppercased) from MAC Address,,, | |
5246 | oki,C821,all version?,HTTP,root,last six charachter of mac address,Admin,, | |
5247 | oki,C830,all,web,root,last 6 digits of the MAC address,,, | |
5248 | oki,C8800,,Web or Console,root,Last six characters of MAC address,,, | |
5249 | 5211 | oki,C9000,,,admin,OkiLAN,admin,with 6200e(NIC), |
5250 | oki,C9000,,,root,(last 6 digits of MAC address),admin,with 7200e(NIC) or 7300e(NIC), | |
5251 | oki,C9500,,HTTP / telnet,root,Last 6 characters (chars uppercased) from MAC Address,Administration,, | |
5252 | 5212 | oki,C9650,,,,0000,Print statistics,, |
5253 | 5213 | oki,C9650,,,,aaaaaa,Administration,, |
5254 | oki,C9655,,HTTP,root,last 6 digits of MAC address,Administrator,, | |
5255 | 5214 | oki,C9655,,printer menu,,aaaaaa,printer menubutton,, |
5256 | oki,C9800,,,root,(last 6 digits of MAC address),,, | |
5257 | oki,C9850,,,root,(last 6 digits of MAC address),,, | |
5258 | 5215 | oki,CX1145,,,,123456,,, |
5259 | 5216 | oki,CX2032 MFP,,http,,*blank*,Admin,, |
5260 | 5217 | oki,CX2033,,Printer Menu,,,,When asked for password just press OK, |
5261 | 5218 | oki,CX2633,,Web interface,admin,aaaaaa,admin,, |
5262 | 5219 | oki,CX2731,,Web interface,admin,aaaaaa,admin,, |
5263 | oki,CX3641,,,root,(last 6 digits of MAC address),,, | |
5264 | 5220 | oki,Color 8 +14ex,,,admin,OkiLAN,admin,with 6100e(NIC), |
5265 | oki,ES3640,,,root,(last 6 digits of MAC address),,, | |
5266 | 5221 | oki,ES5460 MFP,,Local configuration menu,,aaaaaa,Admin/Root i guess,, |
5267 | 5222 | oki,ES7120,,Web,root,aaaaaa,Admin,, |
5268 | 5223 | oki,ES7411,,web HTTP,admin,aaaaaa,Administrator,, |
5274 | 5229 | oki,MC160,,Web,,sysAdmin,Admin,, |
5275 | 5230 | oki,MC342w,,,admin,aaaaaa,admin,, |
5276 | 5231 | oki,MC360,,Console,admin,aaaaaa,Full acces to printer configuration,, |
5277 | oki,MC360,,HTTP,admin,Last 6 characters (chars uppercased) from MAC Address,Administration,, | |
5278 | 5232 | oki,MC361,,Web interface,admin,aaaaaa,admin,, |
5279 | 5233 | oki,MC560,,Printer Menu,,,,When asked for password just press OK, |
5280 | 5234 | oki,MC560,,Printer Menu,,,,When asked for password, |
5284 | 5238 | oki,ML3xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) |
5285 | 5239 | oki,ML491n,,http://,Admin,OkiLAN,Admin,, |
5286 | 5240 | oki,ML4xx,,,admin,OkiLAN,admin,with 6010e(NIC),6020e(NIC) |
5287 | oki,ML8810,,,root,(last 6 digits of MAC address),,, | |
5288 | 5241 | oki,N22113B,A2.00,http://192.168.1.9,,noe,Admin,, |
5289 | 5242 | oki,WebTools,,,Administrator,,,, |
5290 | 5243 | oki,b710,all,http://192.168.1.33,root,aaaaaa,Administrator,, |
5291 | oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,, | |
5292 | oki,c3450,All,Multi,admin,last 6 characters of the MAC ADRESS,Admin,no, | |
5293 | 5244 | oki,c511dn,B7.00,,admin,aaaaaa,Full administrator Access,the machine picks up dhcp address,manually configure static on machine directly if required or print a config page to get the dhcp address that was assigned. |
5294 | oki,c5300,,,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, | |
5295 | oki,c5300,,Console,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",, | |
5296 | oki,c5300,,Console,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, | |
5297 | oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS ""if it contains any alpha characters,type them as upper case"",admin, | |
5298 | oki,c5300,,Multi,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters,type them as upper case",No, | |
5299 | oki,c5300,,admin,root,last 6 characters of the MAC ADRESS "if it contains any alpha characters type them as upper case",,, | |
5300 | 5245 | oki,c5750,n1.02,http://192.168.0.200,,,,, |
5301 | 5246 | oki,c810,1.0,192.100.185.78,admin,admin,admin,, |
5302 | 5247 | olegkhabarov,Comfy CMS,,,username,password,,, |
10099 | 10044 | telus,Telephony and internet services,,,(username),telus13,User,Initial password if issued in 2013, |
10100 | 10045 | telus,Telephony and internet services,,,(username),telus99,User,Initial password if issued in 1999, |
10101 | 10046 | tenda,W150M,,192.168.1.1,admin,admin,Admin,, |
10102 | teradyne,4TEL,VRS400,DTMF,(last 5 digits of lineman's SSN),(same as user ID),,, | |
10103 | 10047 | terayon,,,,admin,nms,,6.29, |
10104 | 10048 | terayon,,Comcast-supplied,HTTP,,,diagnostics page,192.168.100.1/diagnostics_page.html, |
10105 | 10049 | terayon,TeraLink 1000 Controller,,,admin,password,,, |
10402 | 10346 | unisys,ClearPath MCP,,Multi,HTTP,HTTP,Web Server Administration,, |
10403 | 10347 | unisys,ClearPath MCP,,Multi,NAU,NAU,Privileged,Network Administration Utility, |
10404 | 10348 | unitedtechnologiescorporation,Interlogix truVision IP Camera,,,admin,1234,,, |
10405 | universityoftennessee,All Employee and Student Services,,,<NetID> - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, | |
10406 | universityoftennessee,All Employee and Student Services,,,lt;NetIDgt; - See Notes,See Notes,Varies with account,Username based on email - eg. if email is smith123@tennessee.edu then NetID (username) is smith123. Def. Password composed of first two letters of birth month in lower case; last two digits of birth; last four digits of UT ID Number; eg. Born Feb 1979 and UT ID Number is 123-45-6789 - default password is fe796789, | |
10407 | 10349 | unix,Generic,,,adm,,,, |
10408 | 10350 | unix,Generic,,,adm,adm,,, |
10409 | 10351 | unix,Generic,,,admin,admin,,, |
4 | 4 | #endif |
5 | 5 | |
6 | 6 | extern char *HYDRA_EXIT; |
7 | char *buf = NULL; | |
7 | static char *buf = NULL; | |
8 | 8 | |
9 | 9 | int32_t start_cisco(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { |
10 | 10 | char *empty = ""; |
0 | #include "hydra-mod.h" | |
1 | ||
2 | #define CSLEN 256 | |
3 | ||
4 | extern char *HYDRA_EXIT; | |
5 | char *buf; | |
6 | ||
7 | int32_t start_cobaltstrike(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) { | |
8 | char *empty = ""; | |
9 | char *pass, buffer[4 + 1 + 256]; | |
10 | char cs_pass[CSLEN + 1]; | |
11 | unsigned char len_pass; | |
12 | unsigned char reply_byte_0; | |
13 | unsigned char reply_byte_1; | |
14 | unsigned char reply_byte_2; | |
15 | unsigned char reply_byte_3; | |
16 | int32_t ret = -1; | |
17 | ||
18 | if (strlen(pass = hydra_get_next_password()) == 0) | |
19 | pass = empty; | |
20 | if (strlen(pass) > CSLEN) | |
21 | pass[CSLEN - 1] = 0; | |
22 | len_pass = strlen(pass); | |
23 | memset(cs_pass, 0, CSLEN + 1); | |
24 | strcpy(cs_pass, pass); | |
25 | ||
26 | memset(buffer, 0x41, sizeof(buffer)); | |
27 | buffer[0] = 0x00; | |
28 | buffer[1] = 0x00; | |
29 | buffer[2] = 0xBE; | |
30 | buffer[3] = 0xEF; | |
31 | memcpy(buffer + 4, &len_pass, 1); | |
32 | memcpy(buffer + 5, cs_pass, len_pass); | |
33 | ||
34 | if (hydra_send(s, buffer, sizeof(buffer), 0) < 0) | |
35 | return 1; | |
36 | ||
37 | reply_byte_0 = 0x00; | |
38 | ret = hydra_recv_nb(s, &reply_byte_0, 1); | |
39 | if (ret <= 0) | |
40 | return 3; | |
41 | ||
42 | reply_byte_1 = 0x00; | |
43 | ret = hydra_recv_nb(s, &reply_byte_1, 1); | |
44 | if (ret <= 0) | |
45 | return 3; | |
46 | ||
47 | reply_byte_2 = 0x00; | |
48 | ret = hydra_recv_nb(s, &reply_byte_2, 1); | |
49 | if (ret <= 0) | |
50 | return 3; | |
51 | ||
52 | reply_byte_3 = 0x00; | |
53 | ret = hydra_recv_nb(s, &reply_byte_3, 1); | |
54 | if (ret <= 0) | |
55 | return 3; | |
56 | ||
57 | if (reply_byte_0 == 0x00 && reply_byte_1 == 0x00 && reply_byte_2 == 0xCA && reply_byte_3 == 0xFE) { | |
58 | hydra_report_found_host(port, ip, "cobaltstrike", fp); | |
59 | hydra_completed_pair_found(); | |
60 | free(buf); | |
61 | if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) | |
62 | return 2; | |
63 | return 1; | |
64 | } | |
65 | ||
66 | free(buf); | |
67 | hydra_completed_pair(); | |
68 | if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) | |
69 | return 2; | |
70 | ||
71 | return 1; | |
72 | } | |
73 | ||
74 | void service_cobaltstrike(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { | |
75 | int32_t run = 1, next_run = 1, sock = -1; | |
76 | int32_t mysslport = PORT_COBALTSTRIKE_SSL; | |
77 | ||
78 | hydra_register_socket(sp); | |
79 | if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) | |
80 | return; | |
81 | while (1) { | |
82 | switch (run) { | |
83 | case 1: /* connect and service init function */ | |
84 | if (port != 0) | |
85 | mysslport = port; | |
86 | sock = hydra_connect_ssl(ip, mysslport, hostname); | |
87 | port = mysslport; | |
88 | if (sock < 0) { | |
89 | hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid()); | |
90 | hydra_child_exit(1); | |
91 | } | |
92 | next_run = start_cobaltstrike(sock, ip, port, options, miscptr, fp); | |
93 | hydra_disconnect(sock); | |
94 | break; | |
95 | case 2: /* clean exit */ | |
96 | if (sock >= 0) | |
97 | sock = hydra_disconnect(sock); | |
98 | hydra_child_exit(0); | |
99 | return; | |
100 | case 3: /* clean exit */ | |
101 | if (sock >= 0) | |
102 | sock = hydra_disconnect(sock); | |
103 | hydra_child_exit(2); | |
104 | return; | |
105 | default: | |
106 | hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); | |
107 | hydra_child_exit(2); | |
108 | } | |
109 | run = next_run; | |
110 | } | |
111 | } | |
112 | ||
113 | int32_t service_cobaltstrike_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) { | |
114 | // called before the childrens are forked off, so this is the function | |
115 | // which should be filled if initial connections and service setup has to be | |
116 | // performed once only. | |
117 | // | |
118 | // fill if needed. | |
119 | // | |
120 | // return codes: | |
121 | // 0 all OK | |
122 | // -1 error, hydra will exit, so print a good error message here | |
123 | ||
124 | return 0; | |
125 | } |
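Review bot: In start_cobaltstrike the guard `if (strlen(pass) > CSLEN)` lets a candidate of exactly 256 characters through, and `len_pass = strlen(pass)` then wraps to 0 in the `unsigned char`, so that candidate is sent with a zero length byte and still counted as tested. The guard also truncates in place the string returned by hydra_get_next_password() rather than a local copy. Clamping to what the one-byte length field can carry avoids both: `size_t n = strlen(pass); if (n > 255) n = 255;` then `len_pass = (unsigned char)n; memcpy(cs_pass, pass, n);` in place of the `strcpy`. Separately, the file-scope `char *buf;` is never assigned in this file, so both `free(buf)` calls act on a null pointer; dropping it, or at least making it `static` as this commit does for the `buf` declared above start_cisco, avoids another external definition of `buf`.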
9 | 9 | AM_PROG_CC_STDC |
10 | 10 | AC_HEADER_STDC |
11 | 11 | |
12 | pkg_modules="gtk+-2.0 >= 2.0.0" | |
12 | pkg_modules="gtk+-3.0 >= 3.24.24" | |
13 | 13 | PKG_CHECK_MODULES(PACKAGE, [$pkg_modules]) |
14 | 14 | AC_SUBST(PACKAGE_CFLAGS) |
15 | 15 | AC_SUBST(PACKAGE_LIBS) |
256 | 256 | int32_t add_header(ptr_header_node *ptr_head, char *header, char *value, char type) { |
257 | 257 | ptr_header_node cur_ptr = NULL; |
258 | 258 | ptr_header_node existing_hdr, new_ptr; |
259 | ||
260 | if (!header || !value || !strlen(header) || !strlen(value)) | |
261 | return; | |
259 | 262 | |
260 | 263 | // get to the last header |
261 | 264 | for (cur_ptr = *ptr_head; cur_ptr && cur_ptr->next; cur_ptr = cur_ptr->next) |
571 | 574 | if (ret == NULL) |
572 | 575 | return NULL; |
573 | 576 | |
574 | if (index(ret, '%') != NULL) | |
577 | if (strchr(ret, '%') != NULL) | |
575 | 578 | ret = hydra_strrep(ret, "%", "%25"); |
576 | if (index(ret, ' ') != NULL) | |
579 | if (strchr(ret, ' ') != NULL) | |
577 | 580 | ret = hydra_strrep(ret, " ", "%20"); |
578 | if (index(ret, '&') != NULL) | |
581 | if (strchr(ret, '&') != NULL) | |
579 | 582 | ret = hydra_strrep(ret, "&", "%26"); |
580 | if (index(ret, '#') != NULL) | |
583 | if (strchr(ret, '#') != NULL) | |
581 | 584 | ret = hydra_strrep(ret, "#", "%23"); |
582 | if (index(ret, '=') != NULL) | |
585 | if (strchr(ret, '=') != NULL) | |
583 | 586 | ret = hydra_strrep(ret, "=", "%3D"); |
584 | if (index(ret, '+') != NULL) | |
587 | if (strchr(ret, '+') != NULL) | |
585 | 588 | ret = hydra_strrep(ret, "+", "%2B"); |
586 | 589 | |
587 | 590 | return ret; |
645 | 648 | } else if (endcookie2 != NULL) |
646 | 649 | *endcookie2 = 0; |
647 | 650 | // is the cookie already there? if yes, remove it! |
648 | if (index(startcookie, '=') != NULL && (ptr = index(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) { | |
651 | if (strchr(startcookie, '=') != NULL && (ptr = strchr(startcookie, '=')) - startcookie + 1 <= sizeof(tmpname)) { | |
649 | 652 | strncpy(tmpname, startcookie, sizeof(tmpname) - 2); |
650 | 653 | tmpname[sizeof(tmpname) - 2] = 0; |
651 | ptr = index(tmpname, '='); | |
654 | ptr = strchr(tmpname, '='); | |
652 | 655 | *(++ptr) = 0; |
653 | 656 | // is the cookie already in the cookiejar? (so, does it have to be |
654 | 657 | // replaced?) |
674 | 677 | strcpy(cookie, tmpcookie); |
675 | 678 | } |
676 | 679 | } |
677 | ptr = index(str, '='); | |
680 | ptr = strchr(str, '='); | |
678 | 681 | // only copy the cookie if it has a value (otherwise the server wants to |
679 | 682 | // delete the cookie) |
680 | 683 | if (ptr != NULL && *(ptr + 1) != ';' && *(ptr + 1) != 0 && *(ptr + 1) != '\n' && *(ptr + 1) != '\r') { |
1285 | 1288 | |
1286 | 1289 | cond = ptr; |
1287 | 1290 | |
1288 | if ((ptr2 = index(ptr, ':')) != NULL) { | |
1291 | if ((ptr2 = strchr(ptr, ':')) != NULL) { | |
1289 | 1292 | *ptr2++ = 0; |
1290 | 1293 | if (*ptr2) |
1291 | 1294 | optional1 = ptr2; |
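Review bot: The new guard in add_header ends in a bare `return;` although the function is declared `int32_t`, which compilers diagnose and which leaves a caller that tests the result reading an indeterminate value whenever a header or value is empty. It should return an explicit status, e.g. `return 0;` if that is the code callers treat as "nothing added"; the rest of add_header and its callers are outside the hunk, so the right constant needs checking there. In the cookie hunk further down, the bound `- startcookie + 1 <= sizeof(tmpname)` admits an '=' at an offset that the `strncpy(tmpname, startcookie, sizeof(tmpname) - 2)` copy cuts off, in which case `strchr(tmpname, '=')` returns NULL and `*(++ptr) = 0` writes through it. Tightening that bound to `< sizeof(tmpname) - 1` would keep the '=' inside the copied prefix.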
27 | 27 | ptr++; |
28 | 28 | strncpy(mhost, ptr, sizeof(mhost) - 1); |
29 | 29 | mhost[sizeof(mhost) - 1] = 0; |
30 | if ((ptr = index(mhost, '/')) != NULL) | |
30 | if ((ptr = strchr(mhost, '/')) != NULL) | |
31 | 31 | *ptr = 0; |
32 | if ((ptr = index(mhost, ']')) != NULL) | |
32 | if ((ptr = strchr(mhost, ']')) != NULL) | |
33 | 33 | *ptr = 0; |
34 | else if ((ptr = index(mhost, ':')) != NULL) | |
34 | else if ((ptr = strchr(mhost, ':')) != NULL) | |
35 | 35 | *ptr = 0; |
36 | 36 | |
37 | if (miscptr != NULL && index(miscptr, ':') != NULL) { | |
37 | if (miscptr != NULL && strchr(miscptr, ':') != NULL) { | |
38 | 38 | strncpy(mlogin, miscptr, sizeof(mlogin) - 1); |
39 | 39 | mlogin[sizeof(mlogin) - 1] = 0; |
40 | ptr = index(mlogin, ':'); | |
40 | ptr = strchr(mlogin, ':'); | |
41 | 41 | *ptr++ = 0; |
42 | 42 | strncpy(mpass, ptr, sizeof(mpass) - 1); |
43 | 43 | mpass[sizeof(mpass) - 1] = 0; |
214 | 214 | } |
215 | 215 | } |
216 | 216 | // result analysis |
217 | ptr = ((char *)index(buf, ' ')) + 1; | |
217 | ptr = ((char *)strchr(buf, ' ')) + 1; | |
218 | 218 | if (*ptr == '2' || (*ptr == '3' && (*(ptr + 2) == '1' || *(ptr + 2) == '2')) || strncmp(ptr, "404", 4) == 0 || strncmp(ptr, "403", 4) == 0) { |
219 | 219 | hydra_report_found_host(port, ip, "http-proxy", fp); |
220 | 220 | if (fp != stdout) |
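Review bot: `ptr = ((char *)strchr(buf, ' ')) + 1;` in the result analysis uses the return value without a NULL test, so a reply from the remote side that contains no space leaves `ptr` invalid and the following `*ptr == '2'` reads through it. The http module's version of this code on the same page tests first (`if (ptr != NULL) ptr++;`), and the same shape fits here: `ptr = strchr(buf, ' '); if (ptr != NULL) ptr++;` with `ptr != NULL &&` in front of the status comparison. The same unchecked pattern appears twice in the http-proxy hunks that follow, on `strchr(http_proxy_buf, ' ')`. The enclosing function starts and ends outside the hunk, so an earlier check on `buf` cannot be ruled out from here.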
23 | 23 | sprintf(url, "%.500s", miscptr); |
24 | 24 | ptr = strstr(miscptr, "://"); // :// check is in hydra.c |
25 | 25 | sprintf(host, "Host: %.50s", ptr + 3); |
26 | if ((ptr = index(host, '/')) != NULL) | |
26 | if ((ptr = strchr(host, '/')) != NULL) | |
27 | 27 | *ptr = 0; |
28 | if ((ptr = index(host + 6, ':')) != NULL && host[0] != '[') | |
28 | if ((ptr = strchr(host + 6, ':')) != NULL && host[0] != '[') | |
29 | 29 | *ptr = 0; |
30 | 30 | strcat(host, "\r\n"); |
31 | 31 | } |
184 | 184 | char *pbuffer, *result; |
185 | 185 | |
186 | 186 | http_proxy_auth_mechanism = AUTH_DIGESTMD5; |
187 | auth_hdr == NULL; | |
187 | auth_hdr = NULL; | |
188 | 188 | pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest "); |
189 | 189 | strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); |
190 | 190 | buffer[sizeof(buffer) - 1] = '\0'; |
231 | 231 | } |
232 | 232 | } |
233 | 233 | |
234 | ptr = ((char *)index(http_proxy_buf, ' ')) + 1; | |
234 | ptr = ((char *)strchr(http_proxy_buf, ' ')) + 1; | |
235 | 235 | if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2') || (*ptr == '4' && *(ptr + 2) == '4')) { |
236 | 236 | hydra_report_found_host(port, ip, "http-proxy", fp); |
237 | 237 | hydra_completed_pair_found(); |
239 | 239 | http_proxy_buf = NULL; |
240 | 240 | } else { |
241 | 241 | if (*ptr != '4') |
242 | hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char)*(index(http_proxy_buf, ' ') + 1), login, pass); | |
242 | hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char)*(strchr(http_proxy_buf, ' ') + 1), login, pass); | |
243 | 243 | else if (verbose && *(ptr + 2) == '3') |
244 | 244 | hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass); |
245 | 245 | hydra_completed_pair(); |
51 | 51 | /* again: no snprintf to be portable. don't worry, buffer can't overflow */ |
52 | 52 | if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) |
53 | 53 | sprintf(buffer, |
54 | "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: " | |
54 | "%s http://%s%.250s HTTP/1.1\r\nHost: %s\r\nConnection: " | |
55 | 55 | "close\r\nAuthorization: Basic %s\r\nProxy-Authorization: Basic " |
56 | 56 | "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", |
57 | type, webtarget, webport, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header); | |
57 | type, webtarget, miscptr, webtarget, buffer2, proxy_authentication[selected_proxy], header); | |
58 | 58 | else { |
59 | 59 | if (use_proxy == 1) |
60 | 60 | sprintf(buffer, |
61 | "%s http://%s:%d%.250s HTTP/1.1\r\nHost: %s\r\nConnection: " | |
61 | "%s http://%s%.250s HTTP/1.1\r\nHost: %s\r\nConnection: " | |
62 | 62 | "close\r\nAuthorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " |
63 | 63 | "(Hydra)\r\n%s\r\n", |
64 | type, webtarget, webport, miscptr, webtarget, buffer2, header); | |
64 | type, webtarget, miscptr, webtarget, buffer2, header); | |
65 | 65 | else |
66 | 66 | sprintf(buffer, |
67 | 67 | "%s %.250s HTTP/1.1\r\nHost: %s\r\nConnection: " |
109 | 109 | // send the first.. |
110 | 110 | if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) |
111 | 111 | sprintf(buffer, |
112 | "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
112 | "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
113 | 113 | "%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " |
114 | 114 | "(Hydra)\r\n%s\r\n", |
115 | type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); | |
115 | type, webtarget, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); | |
116 | 116 | else { |
117 | 117 | if (use_proxy == 1) |
118 | 118 | sprintf(buffer, |
119 | "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
119 | "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
120 | 120 | "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", |
121 | type, webtarget, webport, miscptr, webtarget, buf1, header); | |
121 | type, webtarget, miscptr, webtarget, buf1, header); | |
122 | 122 | else |
123 | 123 | sprintf(buffer, |
124 | 124 | "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " |
173 | 173 | // create the auth response |
174 | 174 | if (use_proxy == 1 && proxy_authentication[selected_proxy] != NULL) |
175 | 175 | sprintf(buffer, |
176 | "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
176 | "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
177 | 177 | "%s\r\nProxy-Authorization: Basic %s\r\nUser-Agent: Mozilla/4.0 " |
178 | 178 | "(Hydra)\r\n%s\r\n", |
179 | type, webtarget, webport, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); | |
179 | type, webtarget, miscptr, webtarget, buf1, proxy_authentication[selected_proxy], header); | |
180 | 180 | else { |
181 | 181 | if (use_proxy == 1) |
182 | 182 | sprintf(buffer, |
183 | "%s http://%s:%d%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
183 | "%s http://%s%s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " | |
184 | 184 | "%s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", |
185 | type, webtarget, webport, miscptr, webtarget, buf1, header); | |
185 | type, webtarget, miscptr, webtarget, buf1, header); | |
186 | 186 | else |
187 | 187 | sprintf(buffer, |
188 | 188 | "%s %s HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM " |
207 | 207 | complete_line = 0; |
208 | 208 | tmpreplybuf[0] = 0; |
209 | 209 | |
210 | while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (index(http_buf, '\n') == NULL && complete_line == 0))) { | |
210 | while (http_buf != NULL && (strstr(http_buf, "HTTP/1.") == NULL || (strchr(http_buf, '\n') == NULL && complete_line == 0))) { | |
211 | 211 | if (debug) |
212 | 212 | printf("il: %d, tmpreplybuf: %s, http_buf: %s\n", complete_line, tmpreplybuf, http_buf); |
213 | 213 | if (tmpreplybuf[0] == 0 && strstr(http_buf, "HTTP/1.") != NULL) { |
244 | 244 | if (debug) |
245 | 245 | hydra_report(stderr, "S:%s\n", http_buf); |
246 | 246 | |
247 | ptr = ((char *)index(http_buf, ' ')); | |
247 | ptr = ((char *)strchr(http_buf, ' ')); | |
248 | 248 | if (ptr != NULL) |
249 | 249 | ptr++; |
250 | 250 | if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { |
294 | 294 | |
295 | 295 | send(s, buf, strlen(buf), 0); |
296 | 296 | if (debug) { |
297 | char *ptr = index(buf, '\r'); | |
297 | char *ptr = strchr(buf, '\r'); | |
298 | 298 | if (ptr != NULL) |
299 | 299 | *ptr = 0; |
300 | 300 | printf("DEBUG_CONNECT_PROXY_SENT: %s\n", buf); |
301 | 301 | } |
302 | 302 | recv(s, buf, 4096, 0); |
303 | if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = index(buf, ' ')) != NULL && *++tmpptr == '2') { | |
303 | if (strncmp("HTTP/", buf, 5) == 0 && (tmpptr = strchr(buf, ' ')) != NULL && *++tmpptr == '2') { | |
304 | 304 | if (debug) |
305 | 305 | printf("DEBUG_CONNECT_PROXY_OK\n"); |
306 | 306 | } else { |
636 | 636 | __fck = write(intern_socket, "C", 1); |
637 | 637 | else if (code == 2) /* application protocol error or service shutdown */ |
638 | 638 | __fck = write(intern_socket, "E", 1); |
639 | // code 3 means exit without telling mommy about it - a bad idea. mommy should | |
639 | else if (code == 3) /* application protocol error or service shutdown */ | |
640 | __fck = write(intern_socket, "D", 1); | |
641 | // code 4 means exit without telling mommy about it - a bad idea. mommy should | |
640 | 642 | // know |
641 | else if (code == -1 || code > 3) { | |
643 | else if (code == -1 || code > 4) { | |
642 | 644 | fprintf(stderr, "[TOTAL FUCKUP] a module should not use " |
643 | 645 | "hydra_child_exit(-1) ! Fix it in the source please ...\n"); |
644 | 646 | __fck = write(intern_socket, "E", 1); |
66 | 66 | char *proxy_authentication[MAX_PROXY_COUNT]; |
67 | 67 | char *cmdlinetarget; |
68 | 68 | |
69 | #ifndef __APPLE__ | |
69 | 70 | typedef int32_t BOOL; |
71 | #else /* __APPLE__ */ | |
72 | /* ensure compatibility with objc libraries */ | |
73 | #if (TARGET_OS_IPHONE && __LP64__) || TARGET_OS_WATCH | |
74 | typedef bool BOOL; | |
75 | #else | |
76 | typedef signed char BOOL; | |
77 | #endif | |
78 | #endif /* __APPLE__ */ | |
70 | 79 | |
71 | 80 | #define hydra_report fprintf |
72 | 81 |
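Review bot: The new `__APPLE__` branch tests `TARGET_OS_IPHONE` and `TARGET_OS_WATCH` and uses `bool`, but no visible line includes the headers that define them. An undefined macro evaluates to 0 inside `#if`, so without `<TargetConditionals.h>` the test would silently select `signed char` on every Apple target, and `typedef bool BOOL;` needs `<stdbool.h>` in C. Unless both are already included further up in this header (not visible here), add `#include <TargetConditionals.h>` and `#include <stdbool.h>` at the top of the `#else /* __APPLE__ */` branch.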
71 | 71 | mongoc_log_set_handler(NULL, NULL); |
72 | 72 | bson_init(&q); |
73 | 73 | |
74 | snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s/?authSource=%s", login, pass, hydra_address2string(ip), miscptr); | |
74 | snprintf(uri, sizeof(uri), "mongodb://%s:%s@%s:%d/?authSource=%s", login, pass, hydra_address2string(ip), port, miscptr); | |
75 | 75 | client = mongoc_client_new(uri); |
76 | 76 | if (!client) |
77 | 77 | return 3; |
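Review bot: `login` and `pass` are written into the connection string on the changed `snprintf` line without percent-encoding, so a candidate containing `@`, `:`, `/` or `%` changes how the URI is split. The attempt can then be made with different credentials than the pair being tested, or `mongoc_client_new` rejects the URI and the function returns 3. The return value of `snprintf` is also never compared with `sizeof(uri)`, so an over-long pair is truncated silently; a check such as `if (n < 0 || (size_t)n >= sizeof(uri))` should treat that as a failed attempt. With the added `:%d`, an IPv6 literal from `hydra_address2string` would presumably need `[` and `]` around it, which is worth confirming against what that helper returns.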
21 | 21 | instance->settings->Username = login; |
22 | 22 | instance->settings->Password = password; |
23 | 23 | instance->settings->IgnoreCertificate = TRUE; |
24 | instance->settings->AuthenticationOnly = TRUE; | |
24 | if (password[0] == 0) | |
25 | instance->settings->AuthenticationOnly = FALSE; | |
26 | else | |
27 | instance->settings->AuthenticationOnly = TRUE; | |
25 | 28 | instance->settings->ServerHostname = server; |
26 | 29 | instance->settings->ServerPort = port; |
27 | 30 | instance->settings->Domain = domain; |
31 | instance->settings->MaxTimeInCheckLoop = 100; | |
28 | 32 | freerdp_connect(instance); |
29 | 33 | err = freerdp_get_last_error(instance->context); |
30 | 34 | return err; |
53 | 57 | } |
54 | 58 | |
55 | 59 | login_result = rdp_connect(server, port, domain, login, pass); |
60 | if (debug) hydra_report(stderr, "[DEBUG] rdp reported %08x\n", login_result); | |
56 | 61 | switch (login_result) { |
57 | 62 | case 0: |
58 | 63 | // login success |
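Review bot: The empty-password branch in the first hunk (apparently the body of `rdp_connect`, whose start is outside the hunk) carries no comment saying why `AuthenticationOnly` is switched off, and `MaxTimeInCheckLoop = 100` is a bare constant with no unit or reason. A one-line comment above each would keep the next maintainer from reverting them, for example `// empty password: do a full connect instead of authentication-only` and a note on what the 100 bounds. The four-line `if`/`else` can also be written as one assignment, `instance->settings->AuthenticationOnly = (password[0] != 0);`, which reads more directly.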
41 | 41 | int32_t code; |
42 | 42 | char tmpbuf[SIP_MAX_BUF], word[SIP_MAX_BUF]; |
43 | 43 | |
44 | if (sscanf(buf, "%s %i %s", tmpbuf, &code, word) != 3) | |
44 | if (sscanf(buf, "%256s %i %256s", tmpbuf, &code, word) != 3) | |
45 | 45 | return -1; |
46 | 46 | return code; |
47 | 47 | } |
70 | 70 | } |
71 | 71 | |
72 | 72 | int32_t has_sip_cred = 0; |
73 | int32_t try | |
74 | = 0; | |
73 | int32_t try = 0; | |
75 | 74 | |
76 | 75 | /* We have to check many times because server may begin to send "100 Trying" |
77 | 76 | * before "401 Unauthorized" */ |
78 | 77 | while (try < 2 && !has_sip_cred) { |
79 | try | |
80 | ++; | |
78 | try++; | |
81 | 79 | if (hydra_data_ready_timed(s, 3, 0) > 0) { |
82 | 80 | i = hydra_recv(s, (char *)buf, sizeof(buf) - 1); |
83 | 81 | if (i > 0) |
159 | 157 | if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { |
160 | 158 | return 3; |
161 | 159 | } |
162 | try | |
163 | = 0; | |
160 | try = 0; | |
164 | 161 | int32_t has_resp = 0; |
165 | 162 | int32_t sip_code = 0; |
166 | 163 | |
167 | 164 | while (try < 2 && !has_resp) { |
168 | try | |
169 | ++; | |
165 | try++; | |
170 | 166 | if (hydra_data_ready_timed(s, 5, 0) > 0) { |
171 | 167 | memset(buf, 0, sizeof(buf)); |
172 | 168 | if ((i = hydra_recv(s, (char *)buf, sizeof(buf) - 1)) >= 0) |
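Review bot: The field width in `sscanf(buf, "%256s %i %256s", tmpbuf, &code, word)` is hard-coded, while `tmpbuf` and `word` are sized by `SIP_MAX_BUF`, whose value is not visible here. `%256s` stores up to 256 characters plus the terminating NUL, so the bound only holds while `SIP_MAX_BUF` is at least 257. Tie the two together with a compile-time check next to the declarations, e.g. `_Static_assert(SIP_MAX_BUF > 256, "sscanf width exceeds buffer");` or the project's pre-C11 equivalent. `%i` also accepts octal and hex prefixes and expects an `int *` rather than an `int32_t *`; `%d` into an `int` would match a SIP status code more exactly. The function starts above the hunk.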
1493 | 1493 | ctime = time(NULL); |
1494 | 1494 | do { |
1495 | 1495 | usleepn(300); |
1496 | } while ((ready = hydra_data_ready(sock)) <= 0 && ctime + 5 <= time(NULL)); | |
1496 | } while ((ready = hydra_data_ready(sock)) <= 0 && ctime + 5 >= time(NULL)); | |
1497 | 1497 | |
1498 | 1498 | if (ready <= 0) { |
1499 | 1499 | fprintf(stderr, "[ERROR] no reply from target smb://%s:%d/\n", hostname, port); |
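Review bot: The local named `ctime` in the corrected wait loop shadows the `ctime()` function from `<time.h>`, which makes the deadline test hard to read and trips `-Wshadow`. Storing the deadline once under a descriptive name makes the direction of the comparison, which is what this change fixes, obvious: `} while ((ready = hydra_data_ready(sock)) <= 0 && time(NULL) <= deadline);` with `deadline = time(NULL) + 5` set before the loop. The declaration of `ctime` is outside the hunk, so the rename has to be applied there as well.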
127 | 127 | //#endif |
128 | 128 | // hydra_report(stderr, "Server %s", err); |
129 | 129 | // } |
130 | if (strncmp(buf, "500 ", 4) == 0) { | |
130 | if (strncmp(buf, "500 ", 4) == 0 || strncmp(buf, "502 ", 4) == 0) { | |
131 | 131 | hydra_report(stderr, |
132 | 132 | "[ERROR] command is disabled on the server (choose " |
133 | 133 | "different method): %s", |
134 | 134 | buf); |
135 | 135 | free(buf); |
136 | return 3; | |
136 | return 4; | |
137 | 137 | } |
138 | 138 | memset(buffer, 0, sizeof(buffer)); |
139 | 139 | // 503 5.5.1 Error: nested MAIL command |
244 | 244 | } |
245 | 245 | hydra_child_exit(0); |
246 | 246 | return; |
247 | case 4: /* unsupported exit */ | |
248 | if (sock >= 0) { | |
249 | sock = hydra_disconnect(sock); | |
250 | } | |
251 | hydra_child_exit(3); | |
252 | return; | |
247 | 253 | default: |
248 | 254 | hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n"); |
249 | 255 | hydra_child_exit(0); |
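Review bot: The return code 4 introduced in the first hunk is turned into `hydra_child_exit(3)` by the new `case 4:`, so one condition carries two different numbers, and the label `/* unsupported exit */` does not say which condition it is. A comment naming it would help, e.g. `case 4: /* command disabled on the server (500/502): report child exit code 3 */`. The tests `strncmp(buf, "500 ", 4)` and `strncmp(buf, "502 ", 4)` also require a space after the code. If `buf` can begin with a multi-line reply (`500-` or `502-`), neither fires, which is worth confirming against how `buf` is filled above the hunk.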
33 | 33 | if (new_session) { |
34 | 34 | if (session) { |
35 | 35 | ssh_disconnect(session); |
36 | ssh_finalize(); | |
37 | ssh_free(session); | |
38 | } | |
39 | ||
40 | ssh_init(); | |
36 | // ssh_finalize(); | |
37 | ssh_free(session); | |
38 | } else { | |
39 | ssh_init(); | |
40 | } | |
41 | ||
41 | 42 | session = ssh_new(); |
42 | 43 | ssh_options_set(session, SSH_OPTIONS_PORT, &port); |
43 | 44 | ssh_options_set(session, SSH_OPTIONS_HOST, hydra_address2string(ip)); |
172 | 173 | // 3 skip target because its unreachable |
173 | 174 | #ifdef LIBSSH |
174 | 175 | int32_t rc, method; |
176 | ssh_init(); | |
175 | 177 | ssh_session session = ssh_new(); |
176 | 178 | |
177 | 179 | if (verbose || debug) |
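Review bot: `ssh_new()` can return NULL, and both hunks use its result unchecked: the first passes `session` straight to `ssh_options_set`, and the second adds `ssh_init()` directly in front of an unchecked `ssh_new()`. The return value of `ssh_init()` is ignored as well. Add a guard after each allocation, `if (session == NULL)` followed by the function's existing failure return, and check `ssh_init()` for a negative result. The commented-out `// ssh_finalize();` should be deleted or replaced by a comment saying why finalize is no longer called on reconnect. The next file section (the one beginning at old line 32) makes the same `ssh_init`/`ssh_finalize` change, and the same points apply there.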
32 | 32 | if (new_session) { |
33 | 33 | if (session) { |
34 | 34 | ssh_disconnect(session); |
35 | ssh_finalize(); | |
36 | 35 | ssh_free(session); |
36 | } else { | |
37 | ssh_init(); | |
37 | 38 | } |
38 | 39 | |
39 | 40 | session = ssh_new(); |
35 | 35 | if ((buf = hydra_receive_line(s)) == NULL) |
36 | 36 | return 1; |
37 | 37 | |
38 | if (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '%') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL) { | |
38 | if (strchr(buf, '/') != NULL || strchr(buf, '>') != NULL || strchr(buf, '%') != NULL || strchr(buf, '$') != NULL || strchr(buf, '#') != NULL) { | |
39 | 39 | hydra_report_found_host(port, ip, "telnet", fp); |
40 | 40 | hydra_completed_pair_found(); |
41 | 41 | free(buf); |
74 | 74 | } |
75 | 75 | |
76 | 76 | /*win7 answering with do terminal type = 0xfd 0x18 */ |
77 | while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "login:") == NULL || strstr(buf, "last login:") != NULL) && strstr(buf, "sername:") == NULL) { | |
78 | if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "failed") == NULL && strstr(buf, "bad ") == NULL && (index(buf, '/') != NULL || index(buf, '>') != NULL || index(buf, '$') != NULL || index(buf, '#') != NULL || index(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) { | |
77 | while ((buf = hydra_receive_line(s)) != NULL && make_to_lower(buf) && (strstr(buf, "password:") == NULL || strstr(buf, "login:") == NULL || strstr(buf, "last login:") != NULL) && strstr(buf, "sername:") == NULL) { | |
78 | if ((miscptr != NULL && strstr(buf, miscptr) != NULL) || (miscptr == NULL && strstr(buf, "invalid") == NULL && strstr(buf, "incorrect") == NULL && strstr(buf, "bad ") == NULL && (strchr(buf, '/') != NULL || strchr(buf, '>') != NULL || strchr(buf, '$') != NULL || strchr(buf, '#') != NULL || strchr(buf, '%') != NULL || ((buf[1] == '\xfd') && (buf[2] == '\x18'))))) { | |
79 | 79 | hydra_report_found_host(port, ip, "telnet", fp); |
80 | 80 | hydra_completed_pair_found(); |
81 | 81 | free(buf); |
82 | 82 | if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) |
83 | 83 | return 3; |
84 | 84 | return 1; |
85 | } | |
86 | free(buf); | |
85 | } else if (buf && strstr(buf, "assword:")) { | |
86 | hydra_completed_pair(); | |
87 | // printf("password prompt\n"); | |
88 | free(buf); | |
89 | if (strlen(pass = hydra_get_next_password()) == 0) | |
90 | pass = empty; | |
91 | sprintf(buffer, "%s\r", pass); | |
92 | if (no_line_mode) { | |
93 | for (i = 0; i < strlen(buffer); i++) { | |
94 | if (strcmp(&buffer[i], "\r") == 0) { | |
95 | send(s, "\r\0", 2, 0); | |
96 | } else { | |
97 | send(s, &buffer[i], 1, 0); | |
98 | } | |
99 | usleepn(20); | |
100 | } | |
101 | } else { | |
102 | if (hydra_send(s, buffer, strlen(buffer) + 1, 0) < 0) { | |
103 | return 1; | |
104 | } | |
105 | } | |
106 | } else if (buf && strstr(buf, "login:")) { | |
107 | free(buf); | |
108 | hydra_completed_pair(); | |
109 | return 2; | |
110 | } else | |
111 | free(buf); | |
87 | 112 | } |
88 | 113 | |
89 | 114 | hydra_completed_pair(); |
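Review bot: The new password-prompt branch builds its reply with `sprintf(buffer, "%s\r", pass)`, which has no length bound. `pass` comes from `hydra_get_next_password()` and `buffer` is declared outside the hunk, so a long wordlist entry can write past the end of it. Bound the copy, e.g. `snprintf(buffer, sizeof(buffer), "%.250s\r", pass);` if `buffer` is an array in this scope. The per-character loop also re-evaluates `strlen(buffer)` on every iteration and ignores the result of `send`, unlike the `hydra_send` path beside it, which returns on error. In the `else if (buf && ...)` branches the `buf &&` test is redundant, because the loop condition has already established that `buf` is not NULL.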
18 | 18 | int32_t failed_auth = 0; |
19 | 19 | |
20 | 20 | extern char *HYDRA_EXIT; |
21 | char *buf; | |
21 | static char *buf; | |
22 | 22 | |
23 | 23 | /* |
24 | 24 | * Encrypt CHALLENGESIZE bytes in memory using a password. |
0 | .TH "HYDRA" "1" "01/01/2021" | |
0 | .TH "HYDRA" "1" "01/01/2022" | |
1 | 1 | .SH NAME |
2 | 2 | hydra \- a very fast network logon cracker which supports many different services |
3 | 3 | .SH SYNOPSIS |
0 | 0 | /* |
1 | * hydra (c) 2001-2021 by van Hauser / THC <vh@thc.org> | |
1 | * hydra (c) 2001-2022 by van Hauser / THC <vh@thc.org> | |
2 | 2 | * https://github.com/vanhauser-thc/thc-hydra |
3 | 3 | * |
4 | 4 | * Parallized network login hacker. |
77 | 77 | extern void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
78 | 78 | extern void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
79 | 79 | extern void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
80 | extern void service_cobaltstrike(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); | |
80 | 81 | extern void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
81 | 82 | extern void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
82 | 83 | extern void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
177 | 178 | extern int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
178 | 179 | extern int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
179 | 180 | extern int32_t service_mssql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
181 | extern int32_t service_cobaltstrike_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); | |
180 | 182 | extern int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
181 | 183 | extern int32_t service_pcanywhere_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
182 | 184 | extern int32_t service_pcnfs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
201 | 203 | extern int32_t service_rpcap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname); |
202 | 204 | |
203 | 205 | // ADD NEW SERVICES HERE |
204 | char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cvs firebird ftp[s] " | |
206 | char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cobaltstrike cvs firebird ftp[s] " | |
205 | 207 | "http[s]-{head|get|post} http[s]-{get|post}-form http-proxy " |
206 | 208 | "http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] " |
207 | 209 | "memcached mongodb mssql mysql ncp nntp oracle oracle-listener oracle-sid " |
225 | 227 | #define RESTOREFILE "./hydra.restore" |
226 | 228 | |
227 | 229 | #define PROGRAM "Hydra" |
228 | #define VERSION "v9.2" | |
230 | #define VERSION "v9.3" | |
229 | 231 | #define AUTHOR "van Hauser/THC" |
230 | 232 | #define EMAIL "<vh@thc.org>" |
231 | 233 | #define AUTHOR2 "David Maciejak" |
401 | 403 | {"memcached", service_mcached_init, service_mcached, NULL}, |
402 | 404 | #endif |
403 | 405 | SERVICE(mssql), |
406 | SERVICE(cobaltstrike), | |
404 | 407 | #ifdef LIBMONGODB |
405 | 408 | SERVICE3("mongodb", mongodb), |
406 | 409 | #endif |
592 | 595 | "others,\n" |
593 | 596 | " just add their real representation.\n" |
594 | 597 | " -y disable the use of the above letters as placeholders\n" |
595 | " -r use a shuffling method called 'rain' to try to break\n" | |
596 | " the linearity of the bruteforce\n" | |
597 | 598 | "Examples:\n" |
598 | 599 | " -x 3:5:a generate passwords from length 3 to 5 with all " |
599 | 600 | "lowercase letters\n" |
806 | 807 | fprintf(stderr, |
807 | 808 | "[WARNING] restore file was created by version %c.%c, this is " |
808 | 809 | "version %s\n", |
809 | buf[0], buf[2], VERSION); | |
810 | buf[0], buf[1], VERSION); | |
810 | 811 | if (buf[2] != sizeof(int32_t) % 256 || buf[3] != sizeof(hydra_head *) % 256) { |
811 | 812 | fprintf(stderr, "[ERROR] restore file was created on a different, " |
812 | 813 | "incompatible processor platform!\n"); |
882 | 883 | printf("[DEBUG] reading restore file: Step 8 complete\n"); |
883 | 884 | |
884 | 885 | login_ptr = malloc(hydra_brains.sizelogin + hydra_brains.countlogin + 8); |
886 | if (!login_ptr) { | |
887 | fprintf(stderr, "Error: malloc(%lu) failed\n", hydra_brains.sizelogin + hydra_brains.countlogin + 8); | |
888 | exit(-1); | |
889 | } | |
885 | 890 | fck = (int32_t)fread(login_ptr, hydra_brains.sizelogin + hydra_brains.countlogin + 8, 1, f); |
886 | 891 | if (debug) |
887 | 892 | printf("[DEBUG] reading restore file: Step 9 complete\n"); |
888 | 893 | if (!check_flag(hydra_options.mode, MODE_COLON_FILE)) { // NOT colonfile mode |
889 | 894 | pass_ptr = malloc(hydra_brains.sizepass + hydra_brains.countpass + 8); |
895 | if (!pass_ptr) { | |
896 | fprintf(stderr, "Error: malloc(%lu) failed\n", hydra_brains.sizepass + hydra_brains.countpass + 8); | |
897 | exit(-1); | |
898 | } | |
890 | 899 | fck = (int32_t)fread(pass_ptr, hydra_brains.sizepass + hydra_brains.countpass + 8, 1, f); |
891 | 900 | } else { // colonfile mode |
892 | 901 | hydra_options.colonfile = empty_login; // dummy |
896 | 905 | printf("[DEBUG] reading restore file: Step 10 complete\n"); |
897 | 906 | |
898 | 907 | hydra_targets = (hydra_target **)malloc((hydra_brains.targets + 3) * sizeof(hydra_target *)); |
908 | if (!hydra_targets) { | |
909 | fprintf(stderr, "Error: malloc(%lu) failed\n", (hydra_brains.targets + 3) * sizeof(hydra_target *)); | |
910 | exit(-1); | |
911 | } | |
899 | 912 | for (j = 0; j < hydra_brains.targets; j++) { |
900 | 913 | hydra_targets[j] = malloc(sizeof(hydra_target)); |
914 | if (!hydra_targets[j]) { | |
915 | fprintf(stderr, "Error: malloc(%lu) failed\n", sizeof(hydra_target)); | |
916 | exit(-1); | |
917 | } | |
901 | 918 | fck = (int32_t)fread(hydra_targets[j], sizeof(hydra_target), 1, f); |
902 | 919 | sck = fgets(out, sizeof(out), f); |
903 | 920 | if (out[0] != 0 && out[strlen(out) - 1] == '\n') |
949 | 966 | if (debug) |
950 | 967 | printf("[DEBUG] reading restore file: Step 11 complete\n"); |
951 | 968 | hydra_heads = malloc(sizeof(hydra_head *) * hydra_options.max_use); |
969 | if (!hydra_heads) { | |
970 | fprintf(stderr, "Error: malloc(%lu) failed\n", sizeof(hydra_head *) * hydra_options.max_use); | |
971 | exit(-1); | |
972 | } | |
952 | 973 | for (j = 0; j < hydra_options.max_use; j++) { |
953 | 974 | hydra_heads[j] = malloc(sizeof(hydra_head)); |
975 | if (!hydra_heads[j]) { | |
976 | fprintf(stderr, "Error: malloc(%lu) failed\n", sizeof(hydra_head)); | |
977 | exit(-1); | |
978 | } | |
954 | 979 | fck = (int32_t)fread(hydra_heads[j], sizeof(hydra_head), 1, f); |
955 | 980 | hydra_heads[j]->sp[0] = -1; |
956 | 981 | hydra_heads[j]->sp[1] = -1; |
1106 | 1131 | tmp[len] = 0; |
1107 | 1132 | } |
1108 | 1133 | if (colonmode) { |
1109 | if ((ptr2 = index(tmp, ':')) == NULL) { | |
1134 | if ((ptr2 = strchr(tmp, ':')) == NULL) { | |
1110 | 1135 | fprintf(stderr, |
1111 | 1136 | "[ERROR] invalid line in colon file (-C), missing colon " |
1112 | 1137 | "in line: %s\n", |
1319 | 1344 | {"memcached", PORT_MCACHED, PORT_MCACHED_SSL}, |
1320 | 1345 | {"mongodb", PORT_MONGODB, PORT_MONGODB}, |
1321 | 1346 | {"mssql", PORT_MSSQL, PORT_MSSQL_SSL}, |
1347 | {"cobaltstrike", PORT_COBALTSTRIKE, PORT_COBALTSTRIKE_SSL}, | |
1322 | 1348 | {"mysql", PORT_MYSQL, PORT_MYSQL_SSL}, |
1323 | 1349 | {"postgres", PORT_POSTGRES, PORT_POSTGRES_SSL}, |
1324 | 1350 | {"pcanywhere", PORT_PCANYWHERE, PORT_PCANYWHERE_SSL}, |
1460 | 1486 | hydra_heads[head_no]->current_pass_ptr = empty_login; |
1461 | 1487 | } |
1462 | 1488 | if (hydra_targets[target_no]->fail_count >= MAXFAIL + hydra_options.tasks * hydra_targets[target_no]->ok) { |
1463 | if (hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.max_use == hydra_targets[target_no]->failed) { | |
1489 | if (hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.max_use <= hydra_targets[target_no]->failed) { | |
1464 | 1490 | if (hydra_targets[target_no]->ok == 1) |
1465 | 1491 | hydra_targets[target_no]->done = TARGET_ERROR; // mark target as done by errors |
1466 | 1492 | else |
1469 | 1495 | fprintf(stderr, |
1470 | 1496 | "[ERROR] Too many connect errors to target, disabling " |
1471 | 1497 | "%s://%s%s%s:%d\n", |
1472 | hydra_options.service, hydra_targets[target_no]->ip[0] == 16 && index(hydra_targets[target_no]->target, ':') != NULL ? "[" : "", hydra_targets[target_no]->target, hydra_targets[target_no]->ip[0] == 16 && index(hydra_targets[target_no]->target, ':') != NULL ? "]" : "", hydra_targets[target_no]->port); | |
1498 | hydra_options.service, hydra_targets[target_no]->ip[0] == 16 && strchr(hydra_targets[target_no]->target, ':') != NULL ? "[" : "", hydra_targets[target_no]->target, hydra_targets[target_no]->ip[0] == 16 && strchr(hydra_targets[target_no]->target, ':') != NULL ? "]" : "", hydra_targets[target_no]->port); | |
1499 | } else { | |
1500 | hydra_targets[target_no]->failed++; | |
1473 | 1501 | } |
1474 | if (hydra_brains.targets > hydra_brains.finished) | |
1502 | if (hydra_brains.targets <= hydra_brains.finished) | |
1475 | 1503 | hydra_kill_head(head_no, 1, 0); |
1476 | 1504 | else |
1477 | 1505 | hydra_kill_head(head_no, 1, 2); |
1478 | } // we keep the last one alive as long as it make sense | |
1506 | } | |
1507 | // we keep the last one alive as long as it make sense | |
1479 | 1508 | } else { |
1480 | 1509 | // we need to put this in a list, otherwise we fail one login+pw test |
1481 | 1510 | if (hydra_targets[target_no]->done == TARGET_ACTIVE && hydra_options.skip_redo == 0 && hydra_targets[target_no]->redo <= hydra_options.max_use * 2 && ((hydra_heads[head_no]->current_login_ptr != empty_login && hydra_heads[head_no]->current_pass_ptr != empty_login) || (hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL))) { |
1490 | 1519 | hydra_heads[head_no]->current_login_ptr = empty_login; |
1491 | 1520 | hydra_heads[head_no]->current_pass_ptr = empty_login; |
1492 | 1521 | } |
1522 | /* | |
1493 | 1523 | hydra_targets[target_no]->fail_count--; |
1494 | 1524 | if (k < 5 && hydra_targets[target_no]->ok) |
1495 | 1525 | hydra_targets[target_no]->fail_count--; |
1496 | 1526 | if (k == 2 && hydra_targets[target_no]->ok) |
1497 | 1527 | hydra_targets[target_no]->fail_count--; |
1498 | if (hydra_brains.targets > hydra_brains.finished) | |
1528 | */ | |
1529 | if (hydra_brains.targets <= hydra_brains.finished) | |
1499 | 1530 | hydra_kill_head(head_no, 1, 0); |
1500 | 1531 | else { |
1501 | 1532 | hydra_kill_head(head_no, 1, 2); |
1906 | 1937 | // the above line |
1907 | 1938 | } |
1908 | 1939 | if (debug || hydra_options.showAttempt) { |
1909 | printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %" hPRIu64 " of %" hPRIu64 " [child %d] (%d/%d)\n", hydra_targets[target_no]->redo_state ? "REDO-" : snp_is_redo ? "RE-" : "", hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no, hydra_targets[target_no]->redo_state ? hydra_targets[target_no]->redo_state - 1 : 0, | |
1910 | hydra_targets[target_no]->redo); | |
1940 | printf("[%sATTEMPT] target %s - login \"%s\" - pass \"%s\" - %" hPRIu64 " of %" hPRIu64 " [child %d] (%d/%d)\n", | |
1941 | hydra_targets[target_no]->redo_state ? "REDO-" | |
1942 | : snp_is_redo ? "RE-" | |
1943 | : "", | |
1944 | hydra_targets[target_no]->target, hydra_heads[head_no]->current_login_ptr, hydra_heads[head_no]->current_pass_ptr, hydra_targets[target_no]->sent, hydra_brains.todo + hydra_targets[target_no]->redo, head_no, hydra_targets[target_no]->redo_state ? hydra_targets[target_no]->redo_state - 1 : 0, hydra_targets[target_no]->redo); | |
1911 | 1945 | } |
1912 | 1946 | loop_cnt = 0; |
1913 | 1947 | return 0; |
1932 | 1966 | hydra_targets[target_no]->skipcnt++; |
1933 | 1967 | } |
1934 | 1968 | if (hydra_options.loop_mode == 0 && !check_flag(hydra_options.mode, MODE_COLON_FILE)) { |
1935 | if (memcmp(username, hydra_targets[target_no]->login_ptr, strlen(username)) == 0) { | |
1969 | if (strcmp(username, hydra_targets[target_no]->login_ptr) == 0) { | |
1936 | 1970 | if (debug) |
1937 | 1971 | printf("[DEBUG] skipping username %s\n", username); |
1938 | 1972 | // increase count |
2022 | 2056 | } |
2023 | 2057 | *sep = 0; |
2024 | 2058 | target_string = sep + 3; |
2025 | if ((sep = index(target_string, '@')) != NULL) { | |
2059 | if ((sep = strchr(target_string, '@')) != NULL) { | |
2026 | 2060 | auth_string = target_string; |
2027 | 2061 | *sep = 0; |
2028 | 2062 | target_string = sep + 1; |
2029 | if (index(auth_string, ':') == NULL) { | |
2063 | if (strchr(auth_string, ':') == NULL) { | |
2030 | 2064 | fprintf(stderr, |
2031 | 2065 | "[WARNING] %s has an invalid authentication definition %s, must " |
2032 | 2066 | "be in the format login:pass, entry ignored\n", |
2034 | 2068 | return; |
2035 | 2069 | } |
2036 | 2070 | } |
2037 | if ((sep = index(target_string, ':')) != NULL) { | |
2071 | if ((sep = strchr(target_string, ':')) != NULL) { | |
2038 | 2072 | *sep = 0; |
2039 | 2073 | port_string = sep + 1; |
2040 | if ((sep = index(port_string, '%')) != NULL) { | |
2074 | if ((sep = strchr(port_string, '%')) != NULL) { | |
2041 | 2075 | *sep = 0; |
2042 | 2076 | device_string = sep + 1; |
2043 | 2077 | } |
2044 | if ((sep = index(port_string, '/')) != NULL) | |
2078 | if ((sep = strchr(port_string, '/')) != NULL) | |
2045 | 2079 | *sep = 0; |
2046 | 2080 | port = atoi(port_string); |
2047 | 2081 | if (port < 1 || port > 65535) { |
2151 | 2185 | struct sockaddr_in6 *ipv6 = NULL; |
2152 | 2186 | struct sockaddr_in *ipv4 = NULL; |
2153 | 2187 | |
2154 | printf("%s %s (c) 2021 by %s & %s - Please do not use in military or secret " | |
2188 | printf("%s %s (c) 2022 by %s & %s - Please do not use in military or secret " | |
2155 | 2189 | "service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\n", |
2156 | 2190 | PROGRAM, VERSION, AUTHOR, AUTHOR2); |
2157 | 2191 | #ifndef LIBAFP |
2189 | 2223 | #ifndef HAVE_GCRYPT |
2190 | 2224 | SERVICES = hydra_string_replace(SERVICES, "radmin2 ", ""); |
2191 | 2225 | strcat(unsupported, "radmin2 "); |
2226 | #endif | |
2227 | #ifndef LIBFREERDP | |
2228 | SERVICES = hydra_string_replace(SERVICES, "rdp ", ""); | |
2229 | strcat(unsupported, "rdp "); | |
2192 | 2230 | #endif |
2193 | 2231 | #ifndef LIBSAPR3 |
2194 | 2232 | SERVICES = hydra_string_replace(SERVICES, "sapr3 ", ""); |
2235 | 2273 | // for oracle-sid |
2236 | 2274 | SERVICES = hydra_string_replace(SERVICES, " oracle-sid", ""); |
2237 | 2275 | strcat(unsupported, "SSL-services (ftps, sip, rdp, oracle-services, ...) "); |
2238 | #endif | |
2239 | ||
2240 | #ifndef LIBFREERDP | |
2241 | // for rdp | |
2242 | SERVICES = hydra_string_replace(SERVICES, " rdp", ""); | |
2243 | 2276 | #endif |
2244 | 2277 | |
2245 | 2278 | #ifndef HAVE_MATH_H |
2570 | 2603 | |
2571 | 2604 | if (*target_pos == '[') { |
2572 | 2605 | target_pos++; |
2573 | if ((param_pos = index(target_pos, ']')) == NULL) | |
2606 | if ((param_pos = strchr(target_pos, ']')) == NULL) | |
2574 | 2607 | bail("no closing ']' found in target definition"); |
2575 | 2608 | *param_pos++ = 0; |
2576 | 2609 | if (*param_pos == ':') |
2577 | 2610 | port_pos = ++param_pos; |
2578 | if ((param_pos = index(param_pos, '/')) != NULL) | |
2611 | if ((param_pos = strchr(param_pos, '/')) != NULL) | |
2579 | 2612 | *param_pos++ = 0; |
2580 | 2613 | } else { |
2581 | port_pos = index(target_pos, ':'); | |
2582 | param_pos = index(target_pos, '/'); | |
2614 | port_pos = strchr(target_pos, ':'); | |
2615 | param_pos = strchr(target_pos, '/'); | |
2583 | 2616 | if (port_pos != NULL && param_pos != NULL && port_pos > param_pos) |
2584 | 2617 | port_pos = NULL; |
2585 | 2618 | if (port_pos != NULL) |
2586 | 2619 | *port_pos++ = 0; |
2587 | 2620 | if (param_pos != NULL) |
2588 | 2621 | *param_pos++ = 0; |
2589 | if (port_pos != NULL && index(port_pos, ':') != NULL) { | |
2622 | if (port_pos != NULL && strchr(port_pos, ':') != NULL) { | |
2590 | 2623 | if (prefer_ipv6) |
2591 | 2624 | bail("Illegal IPv6 target definition must be written within '[' " |
2592 | 2625 | "']'"); |
2775 | 2808 | } |
2776 | 2809 | if (strcmp(hydra_options.service, "mssql") == 0) |
2777 | 2810 | i = 1; |
2811 | if (strcmp(hydra_options.service, "cobaltstrike") == 0) | |
2812 | i = 2; | |
2778 | 2813 | if ((strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "tns") == 0)) { |
2779 | 2814 | i = 2; |
2780 | 2815 | hydra_options.service = malloc(strlen("oracle-listener") + 1); |
2869 | 2904 | "like parallel connections)\n"); |
2870 | 2905 | hydra_options.tasks = 1; |
2871 | 2906 | } |
2872 | if (hydra_options.login != NULL && (index(hydra_options.login, '\\') != NULL || index(hydra_options.login, '/') != NULL)) | |
2907 | if (hydra_options.login != NULL && (strchr(hydra_options.login, '\\') != NULL || strchr(hydra_options.login, '/') != NULL)) | |
2873 | 2908 | fprintf(stderr, "[WARNING] potential windows domain specification found in " |
2874 | 2909 | "login. You must use the -m option to pass a domain.\n"); |
2875 | 2910 | i = 1; |
2893 | 2928 | #if !defined(LIBSMBCLIENT) |
2894 | 2929 | bail("Compiled without LIBSMBCLIENT support, module not available!"); |
2895 | 2930 | #else |
2896 | if (hydra_options.login != NULL && (index(hydra_options.login, '\\') != NULL || index(hydra_options.login, '/') != NULL)) | |
2931 | if (hydra_options.login != NULL && (strchr(hydra_options.login, '\\') != NULL || strchr(hydra_options.login, '/') != NULL)) | |
2897 | 2932 | fprintf(stderr, "[WARNING] potential windows domain specification found in " |
2898 | 2933 | "login. You must use the -m option to pass a domain.\n"); |
2899 | 2934 | if (hydra_options.miscptr == NULL || (strlen(hydra_options.miscptr) == 0)) { |
3284 | 3319 | } |
3285 | 3320 | hydra_options.port = port; |
3286 | 3321 | } |
3322 | ||
3323 | if (hydra_options.login == NULL && hydra_options.loginfile == NULL && | |
3324 | hydra_options.colonfile == NULL) | |
3325 | hydra_options.exit_found = 1; | |
3287 | 3326 | |
3288 | 3327 | if (hydra_options.ssl == 0 && hydra_options.port == 443) |
3289 | 3328 | fprintf(stderr, "[WARNING] you specified port 443 for attacking a http " |
3546 | 3585 | if (*tmpptr == '[') { |
3547 | 3586 | tmpptr++; |
3548 | 3587 | hydra_targets[i]->target = tmpptr; |
3549 | if ((tmpptr2 = index(tmpptr, ']')) != NULL) { | |
3588 | if ((tmpptr2 = strchr(tmpptr, ']')) != NULL) { | |
3550 | 3589 | *tmpptr2++ = 0; |
3551 | 3590 | tmpptr = tmpptr2; |
3552 | 3591 | } |
3553 | 3592 | } else |
3554 | 3593 | hydra_targets[i]->target = tmpptr; |
3555 | if ((tmpptr2 = index(hydra_targets[i]->target, ':')) != NULL) { | |
3594 | if ((tmpptr2 = strchr(tmpptr, ':')) != NULL) { | |
3556 | 3595 | *tmpptr2++ = 0; |
3557 | 3596 | tmpptr = tmpptr2; |
3558 | 3597 | hydra_targets[i]->port = atoi(tmpptr2); |
3568 | 3607 | } else if (hydra_options.server == NULL) { |
3569 | 3608 | fprintf(stderr, "Error: no target server given, nor -M option used\n"); |
3570 | 3609 | exit(-1); |
3571 | } else if (index(hydra_options.server, '/') != NULL) { | |
3610 | } else if (strchr(hydra_options.server, '/') != NULL) { | |
3572 | 3611 | if (cmdlinetarget == NULL) |
3573 | 3612 | bail("You seem to mix up \"service://target:port/options\" syntax with " |
3574 | 3613 | "\"target service options\" syntax. Read the README on how to use " |
3575 | 3614 | "hydra correctly!"); |
3576 | 3615 | if (strstr(cmdlinetarget, "://") != NULL) { |
3577 | tmpptr = index(hydra_options.server, '/'); | |
3616 | tmpptr = strchr(hydra_options.server, '/'); | |
3578 | 3617 | if (tmpptr != NULL) |
3579 | 3618 | *tmpptr = 0; |
3580 | 3619 | countservers = hydra_brains.targets = 1; |
3597 | 3636 | exit(-1); |
3598 | 3637 | } |
3599 | 3638 | strcpy(tmpptr, hydra_options.server); |
3600 | tmpptr2 = index(tmpptr, '/'); | |
3639 | tmpptr2 = strchr(tmpptr, '/'); | |
3601 | 3640 | *tmpptr2++ = 0; |
3602 | 3641 | if ((k = atoi(tmpptr2)) < 16 || k > 31) { |
3603 | 3642 | fprintf(stderr, "Error: network size may only be between /16 and /31: %s\n", hydra_options.server); |
3763 | 3802 | printf(" per task\n"); |
3764 | 3803 | |
3765 | 3804 | if (hydra_brains.targets == 1) { |
3766 | if (index(hydra_targets[0]->target, ':') == NULL) { | |
3805 | if (strchr(hydra_targets[0]->target, ':') == NULL) { | |
3767 | 3806 | printf("[DATA] attacking %s%s://%s:", hydra_options.service, hydra_options.ssl == 1 ? "s" : "", hydra_targets[0]->target); |
3768 | 3807 | printf("%d%s%s\n", port, hydra_options.miscptr == NULL || hydra_options.miscptr[0] != '/' ? "/" : "", hydra_options.miscptr != NULL ? hydra_options.miscptr : ""); |
3769 | 3808 | } else { |
3839 | 3878 | #ifdef AF_INET6 |
3840 | 3879 | ipv6 = NULL; |
3841 | 3880 | #endif |
3842 | if ((device = index(hydra_targets[i]->target, '%')) != NULL) | |
3881 | if ((device = strchr(hydra_targets[i]->target, '%')) != NULL) | |
3843 | 3882 | *device++ = 0; |
3844 | 3883 | if (getaddrinfo(hydra_targets[i]->target, NULL, &hints, &res) != 0) { |
3845 | 3884 | if (use_proxy == 0) { |
3905 | 3944 | } |
3906 | 3945 | freeaddrinfo(res); |
3907 | 3946 | } |
3908 | // restore device information if present | |
3947 | // restore device information if present (overwrite null bytes) | |
3909 | 3948 | if (device != NULL) { |
3910 | *(device - 1) = '%'; | |
3949 | char *tmpptr = device - 1; | |
3950 | *tmpptr = '%'; // you can ignore the compiler warning | |
3911 | 3951 | fprintf(stderr, "[WARNING] not all modules support BINDTODEVICE for IPv6 " |
3912 | 3952 | "link local addresses, e.g. SSH does not\n"); |
3913 | 3953 | } |
4128 | 4168 | fck = write(hydra_heads[head_no]->sp[1], "n", 1); // small hack |
4129 | 4169 | break; |
4130 | 4170 | |
4171 | case 'D': // disable target, unknown protocol or feature | |
4172 | for (j = 0; j < hydra_brains.targets; j++) | |
4173 | if (hydra_targets[j]->done == TARGET_ACTIVE) { | |
4174 | hydra_targets[j]->done = TARGET_FINISHED; | |
4175 | hydra_brains.finished++; | |
4176 | } | |
4177 | for (j = 0; j < hydra_options.max_use; j++) | |
4178 | if (hydra_heads[j]->active >= 0 && hydra_heads[j]->target_no == target_no) { | |
4179 | if (hydra_brains.targets > hydra_brains.finished) | |
4180 | hydra_kill_head(j, 1, 0); // kill all heads working on the target | |
4181 | else | |
4182 | hydra_kill_head(j, 1, 2); // kill all heads working on the target | |
4183 | } | |
4184 | break; | |
4185 | ||
4131 | 4186 | // we do not make a difference between 'C' and 'E' results - yet |
4132 | 4187 | case 'E': // head reports protocol error |
4133 | 4188 | case 'C': // head reports connect error |
4334 | 4389 | strncat(json_error, tmp_str, STRMAX); |
4335 | 4390 | strncat(json_error, "\"", STRMAX); |
4336 | 4391 | error = 1; |
4392 | hydra_restore_write(1); | |
4337 | 4393 | } |
4338 | 4394 | // yeah we did it |
4339 | 4395 | printf("%s (%s) finished at %s\n", PROGRAM, RESOURCE, hydra_build_time()); |
100 | 100 | #define PORT_MYSQL_SSL 3306 |
101 | 101 | #define PORT_MSSQL 1433 |
102 | 102 | #define PORT_MSSQL_SSL 1433 |
103 | #define PORT_COBALTSTRIKE 50050 | |
104 | #define PORT_COBALTSTRIKE_SSL 50050 | |
103 | 105 | #define PORT_POSTGRES 5432 |
104 | 106 | #define PORT_POSTGRES_SSL 5432 |
105 | 107 | #define PORT_ORACLE 1521 |
0 | [Desktop Entry] | |
1 | Name=XHydra | |
2 | GenericName=Hydra very fast network log-on cracker | |
3 | Comment=GUI frontend for Hydra network log-on cracker | |
4 | Version=1.0 | |
5 | Exec=xhydra | |
6 | Icon=xhydra | |
7 | Terminal=false | |
8 | Type=Application | |
9 | Categories=System;Security;GTK; |
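Review bot: `GenericName` in this new desktop entry repeats the product name and reads like a description, which leaves it nearly identical to the `Comment` key below it. The Desktop Entry convention is for `GenericName` to name the class of application and for `Comment` to carry the description. Something like `GenericName=Network log-on cracker` would keep launchers that print Name and GenericName side by side from showing "Hydra" twice.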
Binary diff not shown