Hi. THC-Hydra is a well-known penetration-testing tool: it holds 15th place in the "top 100 network tools" ranking from insecure.org and is shipped with Nessus (the most renowned vulnerability scanner in the UNIX world). It performs network dictionary attacks against more than 30 protocols, with the goal of testing the security of our services. Quoting from their site:

"Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast."

"This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system."

A few days ago I was testing the hydra-http module, the module of the latest version of THC-Hydra (v5.4) that handles the HTTP protocol, and I noticed that it did not work as I expected in certain situations. Specifically, it produces false negatives, because it does not correctly interpret the HTTP status codes the server returns to the requests it sends to find out whether a user is valid. In other words, sometimes the user is valid but THC-Hydra does not tell us so.

Let us set up a context in which we know that an authorization-protected folder exists, for example /protected/, which contains neither index.html nor any other default page (authorized users reach it through a URL such as /protected/unknown_path). We pass thc-hydra the server address, the user and the password (or a list of each), and the path we want to check (in our case /protected/).
The tool starts and sends a request for /protected/. If the user is NOT valid, the server answers with status 401 (Authorization Required). If the user IS valid, the answer is 403 (Forbidden), because there is no index.html or similar page to serve; but because of an error in the handling of the returned status codes, hydra does not report that the user is valid. The same thing happens with 404 (Not Found), because hydra-http only looks for 200 (OK) or 301 (Moved Permanently, a redirect). The point is that, once the path is known to challenge with 401 when no credentials are sent, a renewed 401 is the only answer that means the credentials were rejected; any other status means the server accepted them and went on to its normal handling of the path (no index: 403; missing file: 404; existing file: 200). The reverse does not hold: a path that answers 403 to everybody, for example one restricted by client IP address, says nothing about the password, so the unauthenticated 401 has to be confirmed first.

I have written a patch that corrects this bug; here it is:

-- hydra-http_orig.c 2007-12-31 14:51:42.000000000 +0100
+++ hydra-http.c 2007-12-31 15:50:29.000000000 +0100
@@ -53,7 +53,7 @@ */ ptr = ((char *) index(buf, ' ')) + 1; - if (ptr != NULL && (*ptr == '2? || strncmp(ptr, "301, 3) == 0)) { + if (ptr != NULL && (*ptr == '2? || *ptr== '3? || strncmp(ptr, "403, 3) == 0 || strncmp(ptr, "404, 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); } else {

To apply it, enter the THC-Hydra 5.4 folder, run

    patch -p0 < hydra-http.patch

and then compile it again.

A practical example. Let us assume that we know a protected resource called /protected/ exists (but that it has no default file).

Request without a user:

    user@host:~$ LC_ALL=en_EN wget http://server/protected/notfound 2>&1 | grep HTTP
    HTTP request sent, awaiting response... 401 Authorization Required

Request with a valid user:

    user@host:~$ LC_ALL=en_EN wget --http-user=user --http-password=password http://server/protected/ 2>&1 | grep HTTP
    HTTP request sent, awaiting response... 403 Forbidden

We then run hydra (to keep the example simple I use a single user/password pair):

    user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
    Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2007-12-31 16:00:09
    [DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
    [DATA] attacking service http-head on port 80
    [STATUS] attack finished for server (waiting for childs to finish)
    Hydra (http://www.thc.org) finished at 2007-12-31 16:00:10

It does not recognise that the user is valid, but it is! However, we apply the patch:

    user@host:~/hydra-5.4-src$ patch -p0
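Review bot: the ptr != NULL guard kept by this hunk can never fire, because ptr is computed on the line above it as index(buf, ' ') + 1; when the status line contains no space, index() returns NULL and ptr becomes (char *) 1, so the NULL test should be made on the result of index() before 1 is added. On the new condition itself, enumerating 2xx, any 3xx, 403 and 404 still misses other answers a server can give once it has accepted the credentials (405, 500 and so on); since a renewed 401 is the only status that says the credentials were rejected, a single strncmp(ptr, "401", 3) != 0 expresses the intent, is shorter, and removes the need for the "*ptr== '3?" spacing fix. Also note that the quote characters in the hunk as shown have come through as "?" ('2?, "301, 3), "403, 3)), so the patch will not apply until they are restored to '2', "301", 3) and "403", 3).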
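As an added example (not the author's patch and not THC-Hydra code), the following Python script replays the /protected/ scenario described above against a small simulated server running on localhost and compares the 5.4 rule (only 2xx or 301 count as a found login) with a rule that treats any answer other than a renewed 401 as accepted credentials. It also performs the baseline check a practitioner would want: before trusting the status-code oracle it confirms that the path really challenges with 401 when no credentials are sent. The server, the user:password pair, the paths and all function names are assumptions made for this demonstration.

```python
"""Added example, not THC-Hydra code: replays the /protected/ scenario from the
post against a local simulated server and compares two ways of reading the
status line.  Credentials, paths and the server itself are constructed here."""
import base64
import http.client
import http.server
import threading

# Constructed credential for the simulated realm (assumption, not a real host).
VALID_USER, VALID_PASS = "user", "password"


class ProtectedHandler(http.server.BaseHTTPRequestHandler):
    """Simulates the server in the post: /protected/ needs Basic auth and has
    no index page, so a valid user gets 403 there and 404 below it."""

    def _authorized(self):
        hdr = self.headers.get("Authorization", "")
        if not hdr.startswith("Basic "):
            return False
        try:
            return base64.b64decode(hdr[6:]).decode() == f"{VALID_USER}:{VALID_PASS}"
        except (ValueError, UnicodeDecodeError):
            return False

    def do_HEAD(self):
        if not self.path.startswith("/protected/"):
            self.send_response(200, "OK")
        elif not self._authorized():
            self.send_response(401, "Authorization Required")
            self.send_header("WWW-Authenticate", 'Basic realm="protected"')
        elif self.path == "/protected/":
            self.send_response(403, "Forbidden")      # directory without index.html
        else:
            self.send_response(404, "Not Found")      # valid user, missing path
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def hydra_54_accepts(status_line):
    """The 5.4 rule as the post quotes it: after the first space, a leading
    '2' or the exact code 301 counts as a found login; everything else is a miss."""
    ptr = status_line[status_line.index(" ") + 1:]
    return ptr.startswith("2") or ptr.startswith("301")


def non_401_accepts(status_line):
    """Any answer other than a renewed 401 challenge means the server accepted
    the credentials and went on to its normal handling of the path."""
    return status_line.split()[1] != "401"


def probe(host, port, path, user=None, password=None):
    """One HEAD request, optionally with HTTP Basic credentials; returns the
    status line in the form hydra parses, e.g. 'HTTP/1.0 403 Forbidden'."""
    headers = {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path, headers=headers)
        resp = conn.getresponse()
        return f"HTTP/1.{resp.version - 10} {resp.status} {resp.reason}"
    finally:
        conn.close()


def run_demo(path="/protected/", candidates=(("user", "wrong"), (VALID_USER, VALID_PASS))):
    """Start the simulated server, confirm the path challenges with 401 when no
    credentials are sent (otherwise the status code says nothing about passwords),
    then try each candidate pair.  Returns
    {'user:pass': (status_line, found_by_5_4_rule, found_by_non_401_rule)}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ProtectedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    results = {}
    try:
        baseline = probe("127.0.0.1", srv.server_port, path)
        if baseline.split()[1] != "401":
            raise RuntimeError(f"{path} is not password-protected: {baseline}")
        for user, password in candidates:
            status = probe("127.0.0.1", srv.server_port, path, user, password)
            results[f"{user}:{password}"] = (status, hydra_54_accepts(status), non_401_accepts(status))
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for path in ("/protected/", "/protected/unknown_path"):
        for cred, (status, old_rule, new_rule) in run_demo(path).items():
            print(f"{path:26} {cred:14} {status:36} 5.4:{old_rule!s:5} non-401:{new_rule}")
```

Run as a script, it shows the wrong password answered with 401 under both rules, and the valid pair answered with 403 at /protected/ and 404 at /protected/unknown_path, which the 5.4 rule reports as a miss and the non-401 rule reports as a hit. Asking run_demo about an unprotected path such as / makes it refuse to draw any conclusion, which is the check that keeps the relaxed rule from turning an IP-restricted or simply missing resource into a false positive.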