Unusual return code when password is correct about thc-hydra HOT 16 CLOSED

Hi,

please add the options: "-t 1 -d" and send me the output.

Greets,
vh

On 07.10.2014 05:14, julegatti wrote:

Something strange is happening, because I run hydra several times
against my own known password and I get "Unusual return code" most of
the times, and if I keep trying I get it was actually found.

However, when failing, looking at Wireshark, I can see the "HTTP/1.1 200
OK" packet.

i.e.

Hydra v8.1-dev (c) 2014 by van Hauser/THC - Please do not use in
military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2014-10-07 00:04:48
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries
(l:1/p:12), ~0 tries per task
[DATA] attacking service http-get on port 80
[WARNING] Unusual return code: for admin:mikemachuga
[WARNING] Unusual return code: for admin:mike
[WARNING] Unusual return code: for admin:asdf
[WARNING] Unusual return code: for admin:dfgklj
[WARNING] Unusual return code: for admin:gfgfg
[WARNING] Unusual return code: for admin:e4gfrlgjl
[WARNING] Unusual return code: for admin:mypass
[WARNING] Unusual return code: for admin:alksdlfk
[WARNING] Unusual return code: for admin:dfdkm
[WARNING] Unusual return code: for admin:sdfkl
[WARNING] Unusual return code: for admin:dfklmlsd
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-10-07 00:04:49

dione@saturno:~/misc$ hydra -l admin -P asdf 192.168.1.1 http-get /
Hydra v8.1-dev (c) 2014 by van Hauser/THC - Please do not use in
military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2014-10-07 00:04:49
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries
(l:1/p:12), ~0 tries per task
[DATA] attacking service http-get on port 80
[WARNING] Unusual return code: for admin:mike
[WARNING] Unusual return code: for admin:gfgfg
[WARNING] Unusual return code: for admin:dfgklj
[WARNING] Unusual return code: for admin:e4gfrlgjl
[WARNING] Unusual return code: for admin:alksdlfk
[WARNING] Unusual return code: for admin:flskfemkl
[80][www] host: 192.168.1.1 login: admin password: mypass
[WARNING] Unusual return code: for admin:dfdkm
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-10-07 00:04:50```

—
Reply to this email directly or view it on GitHub
https://github.com/vanhauser-thc/thc-hydra/issues/18.

from thc-hydra.

My password list contains the following 12 words, in which my real password is: mypass

$ cat asdf
mike
mikemachuga
asdf
gfgfg
dfgklj
e4gfrlgjl
mypass
alksdlfk
flskfemkl
dfdkm
dfklmlsd
sdfkl

I run my original hydra line plus "-t 1 -d". I haven't been successful until the fifth attempt repeating the same command. In Wireshark I can see the HTTP 200 OK packet everytime it tries with "admin:mypass".

Here they are,

Attempt n1: http://pastebin.com/hpkMg4TN
Attempt n5: http://pastebin.com/b6rvBSU4

Router is: TP-LINK Wireless N Router WR941N

from thc-hydra.

Can you please email me the wireshark of that attempt where it fails?
=> vh(at)thc.org
I see what the problem is, however it is something that should not
happen - either its a broken web server or a broken client operating
system ...

On 07.10.2014 18:46, julegatti wrote:

My password list contains the following 12 words, in which my real
password is: mypass

$ cat asdf
mike
mikemachuga
asdf
gfgfg
dfgklj
e4gfrlgjl
mypass
alksdlfk
flskfemkl
dfdkm
dfklmlsd
sdfkl
I run my original hydra line plus "-t 1 -d". I haven't been successful
until the fifth attempt repeating the same command. In Wireshark I can
see the HTTP 200 OK packet everytime it tries with "admin:mypass".

Here they are,

Attempt n1: http://pastebin.com/hpkMg4TN
Attempt n5: http://pastebin.com/b6rvBSU4

—
Reply to this email directly or view it on GitHub
#18 (comment).

from thc-hydra.

Thanks for the PCAP - as I suspected, the web server is badly implemented.
I added an addition to the http-get/head module to support this.
Please update your checkout, retry and report. thanks.

from thc-hydra.

Those tp link guys has also leave a hidden webshell in this router.

Thanks, I'll check it out!

pd: sorry about my github accounts confusion.

from thc-hydra.

Here's my report. First,

$ git pull
$ make clean
$ ./configure
$ make
$ make install

I get "Unsual return code: H" and fails on almost every attempt.

However, while running ./configure I've noticed that Firebird's libfbclient.so hadn't been found. I don't know if it's important. So, I've installed firebird1.2-dev package, and rebuilded Hydra again.

Now, I get the right response in most every attempts (I would say 95%), except for the wrong password tries in which I keep recieveing "Unusual return code: H"

I'm conformed, but just in case, this is an example of that 5% failed attempt (with libfbclient.so module): http://pastebin.com/VL2BS5XG

from thc-hydra.

Hi,

can you please try again and add again "-t 1 -d" and post the output?

Greets,
vh

On 08.10.2014 16:25, julegatti wrote:

Here's my report:

|$ git pull
$ make clean
$ ./configure
$ make
$ make install
|

I get "Unsual return code: H" and fails on almost every attempt.

However, while running ./configure I've noticed that Firebird's
libfbclient.so hadn't been found. I don't know if it's important. So,
I've installed firebird1.2-dev package, and rebuild Hydra.

Now, I get the right response in most every attempts (I would say 95%),
except for the wrong password tries in which I keep recieveing "Unusual
code: H"

I'm conformed, but just in case, this is an example of that 5% failed
attempt (with libfbclient.so module): http://pastebin.com/VL2BS5XG

—
Reply to this email directly or view it on GitHub
#18 (comment).

from thc-hydra.

... and first doing "git pull" ...

from thc-hydra.

My last pastebin was the output of doing:

$ hydra -l admin -P asdf -t 1 -d 192.168.1.1 http-get /

after I had pulled the lastest changes ("git pull") and rebuilded Hydra with Firebird module.

I didn't understand what to try. Do you mean without Firebird module?

from thc-hydra.

with/without firebird - doesnt matter.

git pull;make;make install
then send me again an output where it fails with -t 1 -d

from thc-hydra.

oh, I hadn't seen you've made a new commit for debugging.

Here, http://pastebin.com/hZRcMKtk

from thc-hydra.

sorry, I had a bug in the new function, please pull and try again.

On 08.10.2014 18:17, julegatti wrote:

oh, I hadn't seen you've made a new commit for debugging.

Here, http://pastebin.com/hZRcMKtk

—
Reply to this email directly or view it on GitHub
#18 (comment).

from thc-hydra.

Now it always works and doesn't return unusual code in any try. Genius

In few words, what was happening? I've seen you added something like a buffer.

from thc-hydra.

The web server in your router has code like
send(socket, "HTTP/1.1 ", 9);
if (code == 200)
send(socket, "200 OK\r\n", 8);
else if (code == 403)
send(socket, "404 NOK\r\n", 9);

so hydra would receive only the first packet contents which would not contain the information hydra was looking for.

from thc-hydra.

got it

from thc-hydra.

when i used hydra i get this with smtp protocol whts problem ?

1 of 1 target successfully completed, 0 valid password found

from thc-hydra.