Skip to content

Commit

Permalink
New CobaltStrike module
Browse files Browse the repository at this point in the history
  • Loading branch information
@ultimaiiii
ultimaiiii authored Aug 20, 2021
1 parent 93cee75 commit 84c7b11
Show file tree
Hide file tree
Showing 4 changed files with 240 additions and 4 deletions.
108 changes: 105 additions & 3 deletions Makefile
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,110 @@
all:
@echo Error: you must run "./configure" first
STRIP=strip
XDEFINES= -DHAVE_MYSQL_MYSQL_H -DLIBOPENSSL -DLIBFIREBIRD -DLIBIDN -DHAVE_PR29_H -DHAVE_PCRE -DLIBMYSQLCLIENT -DLIBPOSTGRES -DLIBSVN -DLIBSSH -DHAVE_ZLIB -DHAVE_GCRYPT -DLIBMCACHED -DHAVE_MATH_H
XLIBS= -lgcrypt -lz -lssl -lfbclient -lidn -lpcre -lmysqlclient -lpq -lsvn_client-1 -lapr-1 -laprutil-1 -lsvn_subr-1 -lssh -lcrypto -lmemcached
XLIBPATHS=-L/usr/lib -L/usr/local/lib -L/lib -L/usr/lib/x86_64-linux-gnu -L/lib/x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu
XIPATHS= -I/usr/include/mysql -I/usr/include -I/usr/include -I/usr/include -I/usr/include/postgresql -I/usr/include -I/usr/include/subversion-1 -I/usr/include/apr-1.0 -I/usr/include/subversion-1 -I/usr/include/libmemcached-1.0
PREFIX=/usr/local
XHYDRA_SUPPORT=xhydra
STRIP=strip

HYDRA_LOGO=
PWI_LOGO=
SEC=-pie -fPIE -fstack-protector-all --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wl,-z,now -Wl,-z,relro

#
# Makefile for Hydra - (c) 2001-2020 by van Hauser / THC <[email protected]>
#
WARN_CLANG=-Wformat-nonliteral -Wstrncat-size -Wformat-security -Wsign-conversion -Wconversion -Wfloat-conversion -Wshorten-64-to-32 -Wuninitialized -Wmissing-variable-declarations -Wmissing-declarations
WARN_GCC=-Wformat=2 -Wformat-overflow=2 -Wformat-nonliteral -Wformat-truncation=2 -Wnull-dereference -Wstrict-overflow=2 -Wstringop-overflow=4 -Walloca-larger-than=4096 -Wtype-limits -Wconversion -Wtrampolines -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fno-common -Wcast-align
CFLAGS ?= -g
OPTS=-I. -O3 $(CFLAGS) -fcommon -Wl,--allow-multiple-definition
# -Wall -g -pedantic
LIBS=-lm
DESTDIR ?=
BINDIR = /bin
MANDIR = /man/man1/
DATADIR = /etc
PIXDIR = /share/pixmaps
APPDIR = /share/applications

SRC = hydra-vnc.c hydra-pcnfs.c hydra-rexec.c hydra-nntp.c hydra-socks5.c \
hydra-telnet.c hydra-cisco.c hydra-http.c hydra-ftp.c hydra-imap.c \
hydra-pop3.c hydra-smb.c hydra-icq.c hydra-cisco-enable.c hydra-ldap.c \
hydra-memcached.c hydra-mongodb.c hydra-mysql.c hydra-mssql.c hydra-cobaltstrike.c hydra-xmpp.c \
hydra-http-proxy-urlenum.c hydra-snmp.c hydra-cvs.c hydra-smtp.c \
hydra-smtp-enum.c hydra-sapr3.c hydra-ssh.c hydra-sshkey.c hydra-teamspeak.c \
hydra-postgres.c hydra-rsh.c hydra-rlogin.c hydra-oracle-listener.c \
hydra-svn.c hydra-pcanywhere.c hydra-sip.c hydra-oracle.c hydra-vmauthd.c \
hydra-asterisk.c hydra-firebird.c hydra-afp.c hydra-ncp.c hydra-rdp.c \
hydra-oracle-sid.c hydra-http-proxy.c hydra-http-form.c hydra-irc.c \
hydra-s7-300.c hydra-redis.c hydra-adam6500.c hydra-rtsp.c \
hydra-rpcap.c hydra-radmin2.c \
hydra-time.c crc32.c d3des.c bfg.c ntlm.c sasl.c hmacmd5.c hydra-mod.c \
hydra-smb2.c
OBJ = hydra-vnc.o hydra-pcnfs.o hydra-rexec.o hydra-nntp.o hydra-socks5.o \
hydra-telnet.o hydra-cisco.o hydra-http.o hydra-ftp.o hydra-imap.o \
hydra-pop3.o hydra-smb.o hydra-icq.o hydra-cisco-enable.o hydra-ldap.o \
hydra-memcached.o hydra-mongodb.o hydra-mysql.o hydra-mssql.o hydra-cobaltstrike.o hydra-xmpp.o \
hydra-http-proxy-urlenum.o hydra-snmp.o hydra-cvs.o hydra-smtp.o \
hydra-smtp-enum.o hydra-sapr3.o hydra-ssh.o hydra-sshkey.o hydra-teamspeak.o \
hydra-postgres.o hydra-rsh.o hydra-rlogin.o hydra-oracle-listener.o \
hydra-svn.o hydra-pcanywhere.o hydra-sip.o hydra-oracle-sid.o hydra-oracle.o \
hydra-vmauthd.o hydra-asterisk.o hydra-firebird.o hydra-afp.o \
hydra-ncp.o hydra-http-proxy.o hydra-http-form.o hydra-irc.o \
hydra-redis.o hydra-rdp.o hydra-s7-300.c hydra-adam6500.o hydra-rtsp.o \
hydra-rpcap.o hydra-radmin2.o \
crc32.o d3des.o bfg.o ntlm.o sasl.o hmacmd5.o hydra-mod.o hydra-time.o \
hydra-smb2.o
BINS = hydra pw-inspector

EXTRA_DIST = README README.arm README.palm CHANGES TODO INSTALL LICENSE \
hydra-mod.h hydra.h crc32.h d3des.h

all: pw-inspector hydra $(XHYDRA_SUPPORT)
@echo
@echo Now type "make install"

hydra: hydra.c $(OBJ)
$(CC) $(OPTS) $(SEC) $(LIBS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o hydra $(HYDRA_LOGO) hydra.c $(OBJ) $(LIBS) $(XLIBS) $(XLIBPATHS) $(XIPATHS) $(XDEFINES)
@echo
@echo If men could get pregnant, abortion would be a sacrament
@echo

xhydra:
-cd hydra-gtk && sh ./make_xhydra.sh

pw-inspector: pw-inspector.c
-$(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o pw-inspector $(PWI_LOGO) pw-inspector.c

.c.o:
$(CC) $(OPTS) $(SEC) $(CFLAGS) $(CPPFLAGS) -c $< $(XDEFINES) $(XIPATHS)

strip: all
strip $(BINS)
-echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null

install: strip
-mkdir -p $(DESTDIR)$(PREFIX)$(BINDIR)
cp -f hydra-wizard.sh $(BINS) $(DESTDIR)$(PREFIX)$(BINDIR) && cd $(DESTDIR)$(PREFIX)$(BINDIR) && chmod 755 hydra-wizard.sh $(BINS)
-echo OK > /dev/null && test -x xhydra && cp xhydra $(DESTDIR)$(PREFIX)$(BINDIR) && cd $(DESTDIR)$(PREFIX)$(BINDIR) && chmod 755 xhydra || echo OK > /dev/null
-sed -e "s|^INSTALLDIR=.*|INSTALLDIR="$(PREFIX)"|" dpl4hydra.sh | sed -e "s|^LOCATION=.*|LOCATION="$(DATADIR)"|" > $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh
-chmod 755 $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh
-mkdir -p $(DESTDIR)$(PREFIX)$(DATADIR)
-cp -f *.csv $(DESTDIR)$(PREFIX)$(DATADIR)
-mkdir -p $(DESTDIR)$(PREFIX)$(MANDIR)
-cp -f hydra.1 xhydra.1 pw-inspector.1 $(DESTDIR)$(PREFIX)$(MANDIR)
-mkdir -p $(DESTDIR)$(PREFIX)$(PIXDIR)
-cp -f xhydra.png $(DESTDIR)$(PREFIX)$(PIXDIR)/
-mkdir -p $(DESTDIR)$(PREFIX)$(APPDIR)
-desktop-file-install --dir $(DESTDIR)$(PREFIX)$(APPDIR) xhydra.desktop

clean:
rm -rf xhydra pw-inspector hydra *.o core *.core *.stackdump *~ Makefile.in Makefile dev_rfc hydra.restore arm/*.ipk arm/ipkg/usr/bin/* hydra-gtk/src/*.o hydra-gtk/src/xhydra hydra-gtk/stamp-h hydra-gtk/config.status hydra-gtk/errors hydra-gtk/config.log hydra-gtk/src/.deps hydra-gtk/src/Makefile hydra-gtk/Makefile
cp -f Makefile.orig Makefile

uninstall:
@echo Error: you must run "./configure" first
-rm -f $(DESTDIR)$(PREFIX)$(BINDIR)/xhydra $(DESTDIR)$(PREFIX)$(BINDIR)/hydra $(DESTDIR)$(PREFIX)$(BINDIR)/pw-inspector $(DESTDIR)$(PREFIX)$(BINDIR)/hydra-wizard.sh $(DESTDIR)$(PREFIX)$(BINDIR)/dpl4hydra.sh
-rm -f $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_full.csv $(DESTDIR)$(PREFIX)$(DATADIR)/dpl4hydra_local.csv
-rm -f $(DESTDIR)$(PREFIX)$(MANDIR)/hydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/xhydra.1 $(DESTDIR)$(PREFIX)$(MANDIR)/pw-inspector.1
-rm -f $(DESTDIR)$(PREFIX)$(PIXDIR)/xhydra.png
-rm -f $(DESTDIR)$(PREFIX)$(APPDIR)/xhydra.desktop
126 changes: 126 additions & 0 deletions hydra-cobaltstrike.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
#include "hydra-mod.h"

#define MSLEN 256

extern char *HYDRA_EXIT;
char *buf;

int32_t start_cobaltstrike(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
char *empty = "";
char *pass, buffer[4 + 1 + 256];
char ms_pass[MSLEN + 1];
unsigned char len_pass;
unsigned char reply_byte_0;
unsigned char reply_byte_1;
unsigned char reply_byte_2;
unsigned char reply_byte_3;
int32_t ret = -1;

if (strlen(pass = hydra_get_next_password()) == 0)
pass = empty;
if (strlen(pass) > MSLEN)
pass[MSLEN - 1] = 0;
len_pass = strlen(pass);
memset(ms_pass, 0, MSLEN + 1);
strcpy(ms_pass, pass);

memset(buffer, 0x41, sizeof(buffer));
buffer[0] = 0x00;
buffer[1] = 0x00;
buffer[2] = 0xBE;
buffer[3] = 0xEF;
memcpy(buffer + 4, &len_pass, 1);
memcpy(buffer + 5, ms_pass, len_pass);

if (hydra_send(s, buffer, sizeof(buffer), 0) < 0)
return 1;

reply_byte_0 = 0x00;
ret = hydra_recv_nb(s, &reply_byte_0, 1);
if (ret <= 0)
return 3;

reply_byte_1 = 0x00;
ret = hydra_recv_nb(s, &reply_byte_1, 1);
if (ret <= 0)
return 3;

reply_byte_2 = 0x00;
ret = hydra_recv_nb(s, &reply_byte_2, 1);
if (ret <= 0)
return 3;

reply_byte_3 = 0x00;
ret = hydra_recv_nb(s, &reply_byte_3, 1);
if (ret <= 0)
return 3;

if (reply_byte_0 == 0x00 && reply_byte_1 == 0x00 && reply_byte_2 == 0xCA && reply_byte_3 == 0xFE) {
hydra_report_found_host(port, ip, "cobaltstrike", fp);
hydra_completed_pair_found();
free(buf);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;
return 1;
}

free(buf);
hydra_completed_pair();
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return 2;

return 1;
}

void service_cobaltstrike(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
int32_t run = 1, next_run = 1, sock = -1;
int32_t myport = PORT_MSSQL, mysslport = PORT_MSSQL_SSL;

hydra_register_socket(sp);
if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
return;
while (1) {
switch (run) {
case 1: /* connect and service init function */
if (port != 0)
mysslport = port;
sock = hydra_connect_ssl(ip, mysslport, hostname);
port = mysslport;
if (sock < 0) {
hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int32_t)getpid());
hydra_child_exit(1);
}
next_run = start_cobaltstrike(sock, ip, port, options, miscptr, fp);
hydra_disconnect(sock);
break;
case 2: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(0);
return;
case 3: /* clean exit */
if (sock >= 0)
sock = hydra_disconnect(sock);
hydra_child_exit(2);
return;
default:
hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
hydra_child_exit(2);
}
run = next_run;
}
}

int32_t service_cobaltstrike_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
// called before the childrens are forked off, so this is the function
// which should be filled if initial connections and service setup has to be
// performed once only.
//
// fill if needed.
//
// return codes:
// 0 all OK
// -1 error, hydra will exit, so print a good error message here

return 0;
}
8 changes: 7 additions & 1 deletion hydra.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ extern void service_http_post_form(char *ip, int32_t sp, unsigned char options,
extern void service_icq(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern void service_pcnfs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern void service_mssql(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern void service_cobaltstrike(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern void service_cvs(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern void service_snmp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern void service_smtp(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
Expand Down Expand Up @@ -178,6 +179,7 @@ extern int32_t service_imap_init(char *ip, int32_t sp, unsigned char options, ch
extern int32_t service_irc_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern int32_t service_ldap_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern int32_t service_mssql_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern int32_t service_cobaltstrike_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern int32_t service_nntp_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern int32_t service_pcanywhere_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
extern int32_t service_pcnfs_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname);
Expand Down Expand Up @@ -208,7 +210,7 @@ char *SERVICES = "adam6500 asterisk afp cisco cisco-enable cvs firebird ftp[s] "
"memcached mongodb mssql mysql ncp nntp oracle oracle-listener oracle-sid "
"pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap "
"rsh rtsp s7-300 sapr3 sip smb smb2 smtp[s] smtp-enum snmp socks5 ssh "
"sshkey svn teamspeak telnet[s] vmauthd vnc xmpp";
"sshkey svn teamspeak telnet[s] vmauthd vnc xmpp cobaltstrike";

#define MAXBUF 520
#define MAXLINESIZE ((MAXBUF / 2) - 4)
Expand Down Expand Up @@ -402,6 +404,7 @@ static const struct {
{"memcached", service_mcached_init, service_mcached, NULL},
#endif
SERVICE(mssql),
SERVICE(cobaltstrike),
#ifdef LIBMONGODB
SERVICE3("mongodb", mongodb),
#endif
Expand Down Expand Up @@ -1344,6 +1347,7 @@ int32_t hydra_lookup_port(char *service) {
{"memcached", PORT_MCACHED, PORT_MCACHED_SSL},
{"mongodb", PORT_MONGODB, PORT_MONGODB},
{"mssql", PORT_MSSQL, PORT_MSSQL_SSL},
{"cobaltstrike", PORT_COBALTSTRIKE, PORT_COBALTSTRIKE_SSL},
{"mysql", PORT_MYSQL, PORT_MYSQL_SSL},
{"postgres", PORT_POSTGRES, PORT_POSTGRES_SSL},
{"pcanywhere", PORT_PCANYWHERE, PORT_PCANYWHERE_SSL},
Expand Down Expand Up @@ -2800,6 +2804,8 @@ int main(int argc, char *argv[]) {
}
if (strcmp(hydra_options.service, "mssql") == 0)
i = 1;
if (strcmp(hydra_options.service, "cobaltstrike") == 0)
i = 2;
if ((strcmp(hydra_options.service, "oracle-listener") == 0) || (strcmp(hydra_options.service, "tns") == 0)) {
i = 2;
hydra_options.service = malloc(strlen("oracle-listener") + 1);
Expand Down
2 changes: 2 additions & 0 deletions hydra.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,8 @@
#define PORT_MYSQL_SSL 3306
#define PORT_MSSQL 1433
#define PORT_MSSQL_SSL 1433
#define PORT_COBALTSTRIKE 50050
#define PORT_COBALTSTRIKE_SSL 50050
#define PORT_POSTGRES 5432
#define PORT_POSTGRES_SSL 5432
#define PORT_ORACLE 1521
Expand Down

0 comments on commit 84c7b11

Please sign in to comment.