
hydra-patch.txt

Posted Feb 6, 2008
Authored by thc, Juan Galiana Lara

This is a patch for THC Hydra that fixes a status code parsing error for the HTTP protocol.

tags | web, protocol
SHA-256 | 9f8bbdd611cf293292e197b96cc9bc52d77927cf395d6b5e00bc56cdf3233cc4

Hi,

THC-Hydra is a well-known pentest tool, which holds the 15th place
in the "top 100 network tools" ranking from insecure.org, and is part
of nessus (the most renowned vulnerability analysis tool in the UNIX
world).
It performs network dictionary attacks supporting more than 30 protocols,
with the goal to test the security of our services.

Quoting from their site:

"Number one of the biggest security holes are passwords, as every
password security study shows. Hydra is a parallelized login cracker
which supports numerous protocols to attack. New modules are easy to
add, beside that, it is flexible and very fast."

"This tool is a proof of concept code, to give researchers and
security consultants the possibility to show how easy it would be to
gain unauthorized access from remote to a system."


A few days ago I was testing the hydra-http module, one of the modules
from the latest version of THC-Hydra (v 5.4), which handles the HTTP
protocol, and I noticed that it wouldn't work as I had expected in
certain situations.

Specifically, it gives false positives because it doesn't correctly
parse the HTTP status codes returned by the server when the queries
are performed to find out whether a user is valid or not on the HTTP
server. In other words, sometimes the user is valid but THC-Hydra
doesn't inform us about it.

Let's set up a scenario where we know that an authorization-protected
folder exists, for example /protected/, in which neither index.html nor
any other default page exists (the authorized users get access with the
URL /protected/unknow_path). We would pass thc-hydra the server address,
the user and the password (or the list of them), and the path we want
to check (in our case /protected/).

The tool will start and perform a request to /protected/. If the
user is NOT valid, the status code that the server returns will be
401 (Authentication Required); however, if the user is valid, because
there is no index.html or any similar page, the return code will be
403 (Forbidden), but because of an error in the handling of the
returned status codes it will not inform us that the user is valid.
The same error happens with codes like 404 (Not Found), because
hydra-http looks for the HTTP response code 200 (OK) or 301 (Redirect).

I've written a patch that corrects this bug; here it is:

-- hydra-http_orig.c 2007-12-31 14:51:42.000000000 +0100
+++ hydra-http.c 2007-12-31 15:50:29.000000000 +0100
@@ -53,7 +53,7 @@
*/

ptr = ((char *) index(buf, ' ')) + 1;
- if (ptr != NULL && (*ptr == '2? || strncmp(ptr, "301, 3) == 0)) {
+ if (ptr != NULL && (*ptr == '2? || *ptr== '3? || strncmp(ptr,
"403, 3) == 0 || strncmp(ptr, "404, 3) == 0)) {
hydra_report_found_host(port, ip, "www", fp);
hydra_completed_pair_found();
} else {
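
Review bot: the `ptr != NULL` guard on the changed line can never fail, because the context line above it computes `ptr` as `index(buf, ' ') + 1`; a response with no space in it gives NULL + 1, which passes the guard and is then dereferenced, so the result of index() should be checked before 1 is added. The new condition also hard-codes 403 and 404 as success next to any 2xx or 3xx, which holds only when the server answers 401 to every rejected login for that path; a server that returns 403 or 404 regardless of the credentials would now be reported as a found login. Comparing the status against the answer to a baseline request without credentials, and stating that assumption in the comment block above, would express the intent more reliably than a list of codes.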



To apply it, just enter the THC-Hydra 5.4 folder and run
patch -p0 < hydra-http.patch, then compile it again.

A practical example:

Let's assume that we know a protected resource called /protected/
exists (but that it doesn't have a default file):

Request without user:

user@host:~$ LC_ALL=en_EN wget http://server/protected/notfound 2>&1 |grep HTTP
HTTP request sent, awaiting response... 401 Authorization Required

Request with a valid user:

user@host:~$ LC_ALL=en_EN wget --http-user=user --http-password=password http://server/protected/ 2>&1 |grep HTTP
HTTP request sent, awaiting response... 403 Forbidden

We would then run hydra (to simplify the example I will only use one
user/password):

user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-12-31 16:00:09
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-head on port 80
[STATUS] attack finished for server (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2007-12-31 16:00:10

It doesn't recognise that the user is valid, but it is!

However, we apply the patch:

user@host:~/hydra-5.4-src$ patch -p0<hydra-http.patch
patching file hydra-http.c

/* recompile */
user@host:~/hydra-5.4-src$ make clean && ./configure && make

We perform the test again with the same parameters:

user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-12-31 16:01:08
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-head on port 80
[STATUS] attack finished for server (waiting for childs to finish)
[80][www] host: server login: user password: password
Hydra (http://www.thc.org ) finished at 2007-12-31 16:01:09


Bingo! Now it does recognise it! It was only a problem handling the
HTTP protocol codes (it looked for the 200 or 301 code). But in this
case the returned code is 403 (Forbidden) and it also shows that the
user is valid (the same as it would have if the code had been
404 (Not Found)).


Cheers!
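
Seen from the server side, the behaviour described above (401 for a rejected login, another code such as 403 or 404 once the credentials are accepted) gives a simple detection rule. The following is an added example, not part of the original post or of THC-Hydra: it scans Common Log Format lines for a client that collects several 401s under the protected path and then receives a non-401 answer with a user name set. The log lines, the threshold and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Dec/2007:16:00:01 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - root [31/Dec/2007:16:00:01 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - admin [31/Dec/2007:16:00:02 +0100] "HEAD /protected/ HTTP/1.0" 401 -
203.0.113.9 - - [31/Dec/2007:16:00:03 +0100] "GET /protected/report.html HTTP/1.1" 401 480
203.0.113.9 - alice [31/Dec/2007:16:00:05 +0100] "GET /protected/report.html HTTP/1.1" 200 5120
198.51.100.7 - user [31/Dec/2007:16:00:09 +0100] "HEAD /protected/ HTTP/1.0" 403 -
192.0.2.44 - bob [31/Dec/2007:16:01:00 +0100] "GET /protected/unknow_path HTTP/1.1" 401 480
192.0.2.44 - bob [31/Dec/2007:16:01:01 +0100] "GET /protected/unknow_path HTTP/1.1" 401 480
192.0.2.44 - bob [31/Dec/2007:16:01:02 +0100] "GET /protected/unknow_path HTTP/1.1" 401 480
192.0.2.44 - bob [31/Dec/2007:16:01:03 +0100] "GET /protected/unknow_path HTTP/1.1" 401 480
192.0.2.44 - bob [31/Dec/2007:16:01:04 +0100] "GET /protected/unknow_path HTTP/1.1" 404 209
192.0.2.44 - bob [31/Dec/2007:16:01:05 +0100] "GET /index.html HTTP/1.1" 200 1024
"""

# host, ident, user, [timestamp], "METHOD path ...", status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def find_guessed_logins(log_text, prefix="/protected/", min_failures=3):
    """Return (ip, user, status, failures) for each client that received at
    least min_failures 401s under prefix and then a non-401 answer."""
    failures = defaultdict(int)   # 401s seen per client since its last accepted request
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not Common Log Format
        ip, user, _method, path, status = m.groups()
        if not path.startswith(prefix):
            continue              # only the protected area is of interest
        status = int(status)
        if status == 401:
            failures[ip] += 1     # credentials missing or rejected
        elif status < 500:        # assumption: 5xx says nothing about the login
            # 2xx, 3xx, 403 and 404 all mean the credentials were accepted.
            if user != "-" and failures[ip] >= min_failures:
                alerts.append((ip, user, status, failures[ip]))
            failures[ip] = 0
    return alerts


if __name__ == "__main__":
    for alert in find_guessed_logins(SAMPLE_LOG):
        print("possible guessed login: ip=%s user=%s status=%d after %d x 401" % alert)
```

The single 401 that a browser receives before it prompts for a password stays below the threshold, so the 203.0.113.9 client in the sample is not flagged.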
