

Posted Feb 6, 2008
Authored by thc, Juan Galiana Lara

This is a patch for THC Hydra that fixes a status code parsing error for the HTTP protocol.

tags | web, protocol
SHA-256 | 9f8bbdd611cf293292e197b96cc9bc52d77927cf395d6b5e00bc56cdf3233cc4



THC-Hydra is a well-known pentesting tool, which holds 15th place
in the "top 100 network tools" ranking from insecure.org, and is part
of Nessus (the most renowned vulnerability analysis tool in the UNIX
It performs network dictionary attacks supporting more than 30 protocols,
with the goal of testing the security of our services.

Quoting from their site:

"Number one of the biggest security holes are passwords, as every
password security study shows. Hydra is a parallelized login cracker
which supports numerous protocols to attack. New modules are easy to
add, beside that, it is flexible and very fast."

"This tool is a proof of concept code, to give researchers and
security consultants the possibility to show how easy it would be to
gain unauthorized access from remote to a system."

A few days ago I was testing the hydra-http module, one of the modules
from the latest version of THC-Hydra (v 5.4) referring to the HTTP
protocol, and I noticed that it wouldn't work as I had expected in
certain situations.

Specifically, it gives false positives because it doesn't correctly
parse the HTTP status codes returned by the server when the queries
are performed to find out whether a user is valid or not on the HTTP
server. In other words, sometimes the user is valid but THC-Hydra
doesn't inform us about it.

Let's set up a context where we know that an authorization-protected
folder exists, for example /protected/, which contains neither
index.html nor any other default page (the authorized users get access
with the URL /protected/unknow_path). We would pass THC-Hydra the
server address, the user and the password (or the list of them), and
the path we want to check (in our case /protected/).

The tool will start and perform a request to /protected/. If the
user is NOT valid, the status code that the server returns will be
401 (Authentication Required). However, if the user is valid, because
there is no index.html or any similar page, the return code will be
403 (Forbidden), but because of an error in the handling of the
returned status codes it will not inform us that the user is valid.
The same error happens with codes like 404 (Not Found), because
hydra-http looks for the HTTP answer code 200 (OK) or 301 (Redirect).

I've written a patch that corrects this bug, here you have it:

-- hydra-http_orig.c 2007-12-31 14:51:42.000000000 +0100
+++ hydra-http.c 2007-12-31 15:50:29.000000000 +0100
@@ -53,7 +53,7 @@

ptr = ((char *) index(buf, ' ')) + 1;
- if (ptr != NULL && (*ptr == '2? || strncmp(ptr, "301, 3) == 0)) {
+ if (ptr != NULL && (*ptr == '2? || *ptr== '3? || strncmp(ptr,
"403, 3) == 0 || strncmp(ptr, "404, 3) == 0)) {
hydra_report_found_host(port, ip, "www", fp);
} else {
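Review bot: The `ptr != NULL` guard in the changed condition cannot detect a reply without a space, because 1 is already added to the result of `index(buf, ' ')` on the context line above; test the `index()` return value before adding 1, otherwise `*ptr` dereferences address 1. Separately, the condition now lists 2xx, 3xx, 403 and 404 one by one, so a valid login answered with any other code (405 or 500, for example) is still not reported; since the post's reasoning is that only 401 means rejected credentials, comparing against "401" directly would cover those cases as well. A short comment above the condition naming why 403 and 404 count as a found login would also help later readers.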

To apply it, just enter the THC-Hydra 5.4 folder and run
patch -p0 < hydra-http.patch, then compile it again.

A practical example:

Let's assume that we know a protected resource called /protected/
exists (but that it doesn't have a default file):

Request without user:

user@host:~$ LC_ALL=en_EN wget http://server/protected/notfound 2>&1 |grep HTTP
HTTP request sent, awaiting response... 401 Authorization Required

Request with a valid user:

user@host:~$ LC_ALL=en_EN wget --http-user=user --http-password=password http://server/protected/ 2>&1 |grep HTTP
HTTP request sent, awaiting response... 403 Forbidden

We would then run hydra, (to simplify the example I will only use one

user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-12-31 16:00:09
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-head on port 80
[STATUS] attack finished for server (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2007-12-31 16:00:10

It doesn't recognise that the user is valid, but it is!

However, we apply the patch:

user@host:~/hydra-5.4-src$ patch -p0<hydra-http.patch
patching file hydra-http.c

/* recompile */
user@host:~/hydra-5.4-src$ make clean && ./configure && make

We perform the test again with the same parameters:

user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-12-31 16:01:08
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-head on port 80
[STATUS] attack finished for server (waiting for childs to finish)
[80][www] host: server login: user password: password
Hydra (http://www.thc.org) finished at 2007-12-31 16:01:09

Bingo! Now it does recognise it! It was only a problem handling the
HTTP protocol codes (it looked for the 200 or 301 code). But in this
case the returned code is 403 (Forbidden) and it also shows that the
user is valid (the same as it would have if the code had been
404 (Not Found)).
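
Seen from the server side, the same status-code reasoning applies to log review: a run of 401 replies followed by a 403 or 404 for a named user on the protected path means the credentials were accepted, even though no 200 ever appears. The following detection example is added here and is not part of the original post or of THC-Hydra; the log lines are constructed, and the function name, the /protected/ prefix and the threshold of three failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache common log format (not taken from the page).
SAMPLE_LOG = """\
198.51.100.7 - admin [31/Dec/2007:16:00:01 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - root [31/Dec/2007:16:00:02 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - test [31/Dec/2007:16:00:03 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - user [31/Dec/2007:16:00:04 +0100] "HEAD /protected/ HTTP/1.0" 403 -
203.0.113.9 - - [31/Dec/2007:16:05:00 +0100] "GET /protected/doc.txt HTTP/1.1" 401 401
203.0.113.9 - alice [31/Dec/2007:16:05:09 +0100] "GET /protected/doc.txt HTTP/1.1" 200 512
198.51.100.23 - a [31/Dec/2007:16:10:01 +0100] "GET /protected/x HTTP/1.0" 401 401
198.51.100.23 - b [31/Dec/2007:16:10:02 +0100] "GET /protected/x HTTP/1.0" 401 401
198.51.100.23 - c [31/Dec/2007:16:10:03 +0100] "GET /protected/x HTTP/1.0" 401 401
198.51.100.23 - backup [31/Dec/2007:16:10:04 +0100] "GET /protected/x HTTP/1.0" 404 209
192.0.2.44 - x [31/Dec/2007:16:20:01 +0100] "HEAD /protected/ HTTP/1.0" 401 -
192.0.2.44 - y [31/Dec/2007:16:20:02 +0100] "HEAD /protected/ HTTP/1.0" 401 -
192.0.2.44 - z [31/Dec/2007:16:20:03 +0100] "HEAD /protected/ HTTP/1.0" 401 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_guessed_logins(log_text, prefix="/protected/", min_failures=3):
    """Return (ip, user, status) for every client whose run of at least
    min_failures 401 replies under prefix ends in a non-401 reply that
    carries a user name (hypothetical helper, not a Hydra or Apache API)."""
    failures = defaultdict(int)   # consecutive 401 count per client IP
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        ip, user, status = m["ip"], m["user"], int(m["status"])
        if status == 401:
            failures[ip] += 1
            continue
        # Assumption: a non-401 reply with the user field set means the
        # server accepted the credentials, whatever the code (403, 404, 200).
        if user != "-" and failures[ip] >= min_failures:
            hits.append((ip, user, status))
        failures[ip] = 0
    return hits
```

A rule that only alerts on a 200 after repeated 401s would report neither client in this sample, which is the same gap the post describes in hydra-http.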

