thc-hydra
http-post-form - password trimmed if too long
In the [http-post-form] module, if the password used exceeds a certain length (251 chars I think), it gets trimmed. I need to crack a password which is encrypted and has a fixed length of 256 chars. Hydra sends the POST request with the password trimmed to 249 chars, as in the example below. Another side effect which I've noted: an additional POST is done with the last character of the trimmed password - in the case below a POST with the password = {5} - the last character of the trimmed string {dfc2a15}.
Found in Hydra 9.0.
Example:
hydra -I -l admin -p 5478b4036a5ca17e9d457e6aacc844c177a85cb8144699a12d69e9097d6ac791e69d123224e1237be8999f5a72d34bf7895a3dec656e9fb965fa6bef8545b8d3c443713131b11bd632838aa11b50f303bd34ed2a310ab4e5422ab5b29bb48f3a672d79a1a73d3b91412b4cc3123f34f9a1e91ae63e42dd97c9c70c537dfc2a15 "http-post-form://10.0.2.2:8056/api/security/login:{'logOnName':'^USER^','password':'^PASS^'}:failed:H=Content-Type:application/json"
The password which is sent over the wire is trimmed to [5478b4036a5ca17e9d457e6aacc844c177a85cb8144699a12d69e9097d6ac791e69d123224e1237be8999f5a72d34bf7895a3dec656e9fb965fa6bef8545b8d3c443713131b11bd632838aa11b50f303bd34ed2a310ab4e5422ab5b29bb48f3a672d79a1a73d3b91412b4cc3123f34f9a1e91ae63e42dd97c9c70c537]
Yes, it's trimmed. But that does not look like a normal password, but a (salted? nonce?) hashed and hex-encoded password. Hydra cannot generate these passwords, so that they are cut off is rather pointless, as you could not use hydra to crack such passwords.
Thanks for your reply. I cannot agree with your comment. Please consider the following scenario: the web application exposes the public key. Client-side code encrypts the password with the public key and sends it, along with the user name, to the server (there's no SSL/TLS, hence the password encryption on the app level, I believe). Since I'm able to reverse engineer the encryption algorithm (it's in JavaScript), I want to perform a dictionary attack. I would just need to provide the input dictionary, which I create myself by taking the clear-text password, encrypting it according to the reverse-engineered algorithm, and dumping it into the output dictionary. I will next use this output dictionary as the input file to the Hydra module. And since the encryption algorithm produces long passwords, I'm unable to proceed, since they get trimmed.
Yeah, in that scenario that would be a show-stopper. But is it like that? Commonly it also gets a nonce which is hashed with it, so you cannot build a dictionary.
Nope, no nonce whatsoever in this case. But generally I agree that such a mechanism should be introduced. But I'm not the one who looks after the functionality of this particular web app. I am only tasked to perform pentests. Hence this issue. Would you mind re-opening the issue?
sure, though you could have done that yourself :)
Not sure I have time to do the proper changes in the next days, so a pull request is appreciated. But it's not as easy as just adding a few bytes there, as other variables also have to be increased - but the right ones ...
I know I could :) Just didn't want to impose anything. It's your software after all :) Many thanks once again.
I am too busy for this for two weeks, so I am happy to receive a PR. It's not easy though, as there are quite some more dependent buffers.
Hello, any chance for anyone to take care of this one please? Many thanks!