Comments (11)
vanhauser-thc
commented on July 23, 2024
True!
Thats a bug...
from thc-hydra.
vanhauser-thc
commented on July 23, 2024
I checked in a fix but can not test it.
Can you please try if this fixes the issue?
from thc-hydra.
sagishahar-zz
commented on July 23, 2024
Unfortunately, no good news. In fact, it's worse now because the number of Cookie headers have doubled. In the screenshot, you can see the actual request below the table (marked in orange):
From the screenshot, you can also notice that I have marked in red some GET requests. These requests are sent to the target server prior to every request sent for brute forcing purposes. I am not sure if this is a feature or a bug, so I didn't create a new issue. However, this doubles the amount of traffic sent to the server.
I would suggest sending one GET request before the attack to verify that the target is up (marked in green) and thereafter only brute forcing requests.
I haven't looked at the actual code, so feel free to ignore my suggestion.
from thc-hydra.
commented on July 23, 2024
Those preceding GET requests are actually aimed at gathering the cookies from the server :D
from thc-hydra.
commented on July 23, 2024
I'm thinking of fixing this bug with libapreq which greatly simplifies handling the HTTP protocol. Is it ok if I insert a new dependency? Of course, we'd have to update configure too.
from thc-hydra.
vanhauser-thc
commented on July 23, 2024
No that would be a very, very bad idea.
It would mean that the http-form module would only work where this library is present.
Is this library a standard on any Linux, Cygwin, OS X and FreeBSD installation without the need of installing something optional? If so, OK, otherwise no.
from thc-hydra.
sagishahar-zz
commented on July 23, 2024
@Strunk18 The whole point of a cookie is to maintain a session as the HTTP protocol is stateless. In other words, the cookie worth something only after one was successfully authenticated to the web application. Therefore, it is unclear to me why the cookie value is necessary prior to successful authentication?
I have not seen yet that the web server will not accept an authentication request without the cookie value. However, if the implementation of the extra GET request tries to address this edge case then why not reuse the cookie that was captured initially with the first GET request before attempting to perform the brute force attack?
from thc-hydra.
vanhauser-thc
commented on July 23, 2024
@sagishahar there are web services that only accept autentication if you sent a preset cookie, that is why this is necessary.
from thc-hydra.
vanhauser-thc
commented on July 23, 2024
@Strunk18 this bug is now three weeks old and breaks the module for most use cases.
please submit a fix asap, otherwise I have to revert your patch and release a 8.2 without it.
I can't leave it this way.
from thc-hydra.
vanhauser-thc
commented on July 23, 2024
@sagishahar - Strunk18 provided a fix - can you please test if this fixes the issue?
I am at a security conference in canada while writing this so I the first time I can take a look at the fix is in 2-3 days ... :)
from thc-hydra.
vanhauser-thc
commented on July 23, 2024
fixed
from thc-hydra.
Related Issues (20)
- [ERROR] invalid restore file (end) HOT 2
- Compilation failures with recent freerdp-3 HOT 2
- CAN YOU MAKE VIDEO HOW TO USE?
- Update INSTALL with current Oracle instant-client download URL HOT 1
- Djjdhj
- THC Hydra Help pls
- PGM
- windows
- https post form
- [ERROR]: all children were disabled due too many connection errors 0 of 1 target completed, 0 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-19 09:10:34 HOT 1
- Wwe
- can not working for mssql 2014
- let`s go HOT 1
- go
- Makefile error HOT 1
- make: *** [Makefile:89: install] Error 1 HOT 1
- the variables ^USER^ and ^PASS^ are not assigned correctly
- [ERROR] Out of memory for HTTP headers (H) HOT 1
- hydra giving wrong passwords HOT 2
- Hydra
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from thc-hydra.