hydra-patch.txt

Posted Feb 6, 2008
Authored by thc, Juan Galiana Lara

This is a patch for THC Hydra that fixes a status code parsing error for the HTTP protocol.

tags | web, protocol
MD5 | b0babc2d8c90d528d0412e00e0b22157

Hi,

THC-Hydra is a well-known tool for pentesting, which holds the 15th place
in the 'top 100 network tools' ranking from insecure.org, and is part
of nessus (the most renowned vulnerability analysis tool in the UNIX
world).
It performs network wordbook attacks supporting more than 30 protocols,
with the goal to test the security of our services.

Quoting from their site:

"Number one of the biggest security holes are passwords, as every
password security study shows. Hydra is a parallelized login cracker
which supports numerous protocols to attack. New modules are easy to
add, beside that, it is flexible and very fast."

"This tool is a proof of concept code, to give researchers and
security consultants the possibility to show how easy it would be to
gain unauthorized access from remote to a system."


A few days ago I was testing the hydra-http module, one of the modules
from the latest version of THC-Hydra (v 5.4) referring to the http
protocol, and I noticed that it wouldn't work as I had expected in
certain situations.

Specifically, it gives false positives because it doesn't parse the
status codes from the http protocol correctly, returned from the
server when the queries are performed to know if a user is valid or not
in the http server. In other words, sometimes the user is valid but
THC-Hydra doesn't inform us about it.

Let's take a context where we know that an authorization-protected folder
exists, for example /protected/, where neither index.html nor any other
default page exists (the authorized users get access
with the url /protected/unknow_path). We would pass the parameters of
the server address to thc-hydra, the user and the password (or the
list of them), as well as the path we want to check (in our case /protected/).

The tool will start, and perform a petition to /protected/. If the
user is NOT valid the status code that the server will return will be
401 (Authentication Required); however, if the user is valid, because
there is no index.html or any similar page, the return code will be
403 (Forbidden), but because of an error in the returned status codes
handling it will not inform us that the user is valid. The same error
happens with codes like 404 (Not Found), because hydra-http looks for
the answer code http 200 (OK) or 301 (Redirect).

I've written a patch that corrects this bug, here you have it:

-- hydra-http_orig.c 2007-12-31 14:51:42.000000000 +0100
+++ hydra-http.c 2007-12-31 15:50:29.000000000 +0100
@@ -53,7 +53,7 @@
*/

ptr = ((char *) index(buf, ' ')) + 1;
- if (ptr != NULL && (*ptr == '2? || strncmp(ptr, "301, 3) == 0)) {
+ if (ptr != NULL && (*ptr == '2? || *ptr== '3? || strncmp(ptr,
"403, 3) == 0 || strncmp(ptr, "404, 3) == 0)) {
hydra_report_found_host(port, ip, "www", fp);
hydra_completed_pair_found();
} else {
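
Review bot: the added `*ptr == '3'` test and the 403/404 comparisons in the changed `if` accept every 3xx answer plus 403 and 404 as a found pair, so a server that redirects or answers 403/404 regardless of the credentials sent will be reported as a valid login. Consider testing for the failure code instead (for example `strncmp(ptr, "401", 3) != 0`) or comparing against the status an unauthenticated request gets for the same path, and state that assumption in a comment. In the context line `ptr = ((char *) index(buf, ' ')) + 1;` the `+ 1` is applied before the `ptr != NULL` check, so the check can never fire when `index()` returns NULL; test the return value before incrementing. The `+` line is also wrapped onto a second line in this posting, which will keep `patch` from applying it as-is.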



To apply it just enter the THC-Hydra 5.4 folder and patch -p0 < hydra-http.patch
after that compile it again.

A practical example:

Let's assume that we know a protected resource called /protected/
exists (but that doesn't have a default file):

Request without user:

user@host:~$ LC_ALL=en_EN wget http://server/protected/notfound 2>&1 |grep HTTP
HTTP request sent, awaiting response... 401 Authorization Required

Request with a valid user:

user@host:~$ LC_ALL=en_EN wget --http-user=user --http-password=password http://server/protected/ 2>&1 |grep HTTP
HTTP request sent, awaiting response... 403 Forbidden

We would then run hydra, (to simplify the example I will only use one
user/password):

user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-12-31 16:00:09
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-head on port 80
[STATUS] attack finished for server (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2007-12-31 16:00:10

It doesn't recognise that the user is valid, but it is!

However, we apply the patch:

user@host:~/hydra-5.4-src$ patch -p0<hydra-http.patch
patching file hydra-http.c

/* recompile */
user@host:~/hydra-5.4-src$ make clean && ./configure && make

We perform the test again with the same parameters:

user@host:~/hydra-5.4-src$ ./hydra server http-head -l user -p password -m /protected/
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-12-31 16:01:08
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-head on port 80
[STATUS] attack finished for server (waiting for childs to finish)
[80][www] host: server login: user password: password
Hydra (http://www.thc.org ) finished at 2007-12-31 16:01:09


Bingo! Now it does recognise it! It was only a problem handling the
HTTP protocol codes (it looked for the 200 or 301 code). But in this
case the returned code is 403 (forbidden) and it also shows that the
user is valid (the same as it would have if the code would have been
404 (not found)).


Cheers!
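
The status-code behaviour described in this post is also visible from the server side: a run of 401 answers from one client on a protected path, followed by a 403, 404 or 2xx answer for a named user, means a guessed credential pair was accepted. The following is an added example, not part of the original post or of THC-Hydra; the log format (Apache common log format), the sample lines, the function name and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed Apache common log format,
# documentation IP ranges); they are not taken from the original post.
SAMPLE_LOG = """\
198.51.100.7 - alice [31/Dec/2007:16:00:09 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - bob [31/Dec/2007:16:00:09 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - carol [31/Dec/2007:16:00:10 +0100] "HEAD /protected/ HTTP/1.0" 401 -
198.51.100.7 - user [31/Dec/2007:16:00:10 +0100] "HEAD /protected/ HTTP/1.0" 403 -
203.0.113.20 - user [31/Dec/2007:16:05:00 +0100] "GET /protected/report.html HTTP/1.1" 200 512
203.0.113.20 - - [31/Dec/2007:16:05:01 +0100] "GET /index.html HTTP/1.1" 200 1024
"""

# client, identd, auth user, [timestamp], "METHOD path ...", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_guessed_logins(log_text, prefix="/protected/", min_failures=3):
    """Return (ip, user, status) for each client whose run of at least
    `min_failures` 401 answers under `prefix` is followed by a non-401
    answer for an authenticated user (403 and 404 count, as in the post)."""
    failures = defaultdict(int)   # consecutive 401s per client address
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue              # unparsable line or unprotected path
        ip, user, status = m["ip"], m["user"], int(m["status"])
        if status == 401:
            failures[ip] += 1
        elif user != "-":         # credentials were accepted by the server
            if failures[ip] >= min_failures:
                hits.append((ip, user, status))
            failures[ip] = 0      # a normal login resets the counter
    return hits

if __name__ == "__main__":
    for hit in find_guessed_logins(SAMPLE_LOG):
        print("possible guessed credentials:", hit)
```

The second client in the sample logs in without any preceding failures and is not flagged.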
