thc-hydra

403 Forbidden considered success

Open schneemaier opened this issue 4 years ago • 9 comments

Hi, I downloaded the latest version from here and compiled it myself. I ran it on one of my hosts but it was unsuccessful, as hydra considered 403 Forbidden a success for an http-get attack. Based on https://github.com/vanhauser-thc/thc-hydra/issues/349 I thought that this was fixed.

Here is the command line:
./hydra -d -s 80 -l admin -x 1:6:1 -t 1 -f -m http://cccc.ccc.cc/admin/index.html?Language=0 cccc.ccc.cc http-get

Here is the debug output:
[DEBUG] hydra_receive_line: waittime: 32, conwait: 0, socket: 5, pid: 26920
[DEBUG] RECV [pid:26920] (158 bytes):
0000: 4854 5450 2f31 2e31 2034 3033 2046 6f72 [ HTTP/1.1 403 For ]
0010: 6269 6464 656e 0d0a 5374 6174 7573 3a20 [ bidden..Status: ]
0020: 3430 330d 0a44 6174 653a 2046 7269 2c20 [ 403..Date: Fri, ]
0030: 3238 2041 7567 2032 3032 3020 3134 3a34 [ 28 Aug 2020 14:4 ]
0040: 393a 3032 2047 4d54 0d0a 5365 7276 6572 [ 9:02 GMT..Server ]
0050: 3a20 7665 7232 2e34 2072 6576 300d 0a43 [ : ver2.4 rev0..C ]
0060: 6f6e 6e65 6374 696f 6e3a 2043 6c6f 7365 [ onnection: Close ]
0070: 0d0a 436f 6e74 656e 742d 6c65 6e67 7468 [ ..Content-length ]
0080: 3a20 3835 0d0a 0d0a 3c48 544d 4c3e 3c48 [ : 85....<HTML><H ]
0090: 4541 443e 3c54 4954 4c45 3e34 3033 [ EAD><TITLE>403 ]
S:HTTP/1.1 403 Forbidden
Status: 403
Date: Fri, 28 Aug 2020 14:49:02 GMT
Server: ver2.4 rev0
Connection: Close
Content-length: 85
<HTML><HEAD><TITLE>403
END condition match.
[DEBUG] head_no[0] read F
[80][http-get] host: cccc.ccc.cc login: admin password: 7
[STATUS] attack finished for cccc.ccc.cc (valid pair found)
[DEBUG] head_no 0, kill 1, fail 2
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1

schneemaier avatar Aug 28 '20 12:08 schneemaier

ah ... your output says

[80][http-get] host: cccc.ccc.cc login: admin password: 7
[STATUS] attack finished for cccc.ccc.cc (valid pair found)

so ... it is found ... ?

vanhauser-thc avatar Aug 31 '20 18:08 vanhauser-thc

No, in this case 7 is not the correct answer.

If you look at the log: `S:HTTP/1.1 403 Forbidden` was the reply. The server replies forbidden for every 5-6 try from the same IP. Also the server sends back a header `<HTML><HEAD><TITLE>403`, probably this is tricking the code to think it is successful?

schneemaier avatar Aug 31 '20 19:08 schneemaier

how would I see from your issue post that case 7 is not the correct answer?

yes if the target has rate limiting and responds with 403 then this is an issue.

dunno what to do about this. for some targets 403 means success, for others it means failure ... maybe an optional modifier for that.

vanhauser-thc avatar Aug 31 '20 21:08 vanhauser-thc

I see your point. This is a weird webcam (Panasonic) which for example for the stream page accepts any username and password. By Wikipedia, 403 is defined as: "HTTP 403 provides a distinct error case from HTTP 401; while HTTP 401 is returned when the client has not authenticated, and implies that a successful response may be returned following valid authentication, HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account."

So I think an optional modifier would work in this case

schneemaier avatar Aug 31 '20 22:08 schneemaier

is it already possible to mark 403 as fail?

AlBundy33 avatar Aug 15 '23 21:08 AlBundy33

If you compile from GitHub it should

vanhauser-thc avatar Aug 16 '23 06:08 vanhauser-thc

Thanks for your answer. (Maybe I did something wrong yesterday)

worked also with the version installed via apt in kali. Hydra v9.5

hydra -l admin -P /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt -I "http-get://localhost:8888/some.html:F=403 Forbidden"

because this is displayed on the result page.

Version from GitHub (9.6dev) shows the same options in -U

Help for module http-get:
============================================================================
Module http-get requires the page to authenticate.
The following parameters are optional:
 (a|A)=auth-type   specify authentication mechanism to use: BASIC, NTLM or MD5
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
 (F|S)=check for text in the HTTP reply. S= means if this text is found, a
       valid account has been found, F= means if this string is present the
       combination is invalid. Note: this must be the last option supplied.
For example:  "/secret" or "http://bla.com/foo/bar:H=Cookie\: sessid=aaaa" or "https://test.com:8080/members:A=NTLM"

Is F=403 Forbidden the preferred way or is there some option to check the response code?

AlBundy33 avatar Aug 16 '23 08:08 AlBundy33

Yes it is. If it does not work then compile from github

vanhauser-thc avatar Aug 16 '23 15:08 vanhauser-thc

Perfect - then it's solved for me. 👍

AlBundy33 avatar Aug 16 '23 18:08 AlBundy33
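
An added illustration (not hydra's source code and not part of any comment above) of the F=/S= text check from the quoted help output, applied to the 403 reply captured in the thread's debug log. The 401 rule and the no-condition fallback are assumptions modelled on the behaviour reported in this issue, and all function names are hypothetical.

```python
"""Model of the F=/S= reply check from the http-get help text (illustration only)."""

# Reply rebuilt from the thread's debug output; the body is truncated there as well.
RATE_LIMITED_REPLY = (
    "HTTP/1.1 403 Forbidden\r\nStatus: 403\r\nServer: ver2.4 rev0\r\n"
    "Connection: Close\r\nContent-length: 85\r\n\r\n<HTML><HEAD><TITLE>403"
)
# Constructed sample replies for the other two outcomes.
WRONG_PASSWORD_REPLY = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n'
ACCEPTED_REPLY = "HTTP/1.1 200 OK\r\nContent-length: 2\r\n\r\nok"


def parse_condition(option):
    """Split 'F=text' or 'S=text' into (kind, text); None means no condition given."""
    if option is None:
        return None, None
    kind, sep, text = option.partition("=")
    if kind not in ("F", "S") or not sep or not text:
        raise ValueError(f"expected F=<text> or S=<text>, got {option!r}")
    return kind, text


def status_code(reply):
    """Return the numeric status from the first line of a raw HTTP reply."""
    parts = reply.split("\r\n", 1)[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    return int(parts[1])


def classify(reply, option=None):
    """Return 'valid' or 'invalid' for one reply under the modelled rules."""
    if status_code(reply) == 401:      # assumption: 401 always means rejected
        return "invalid"
    kind, text = parse_condition(option)
    if kind == "F":                    # failure text present -> pair is invalid
        return "invalid" if text in reply else "valid"
    if kind == "S":                    # success text must be present
        return "valid" if text in reply else "invalid"
    return "valid"                     # assumption: no condition, non-401 is a hit


if __name__ == "__main__":
    samples = [("403", RATE_LIMITED_REPLY), ("401", WRONG_PASSWORD_REPLY), ("200", ACCEPTED_REPLY)]
    for name, reply in samples:
        print(name, classify(reply), classify(reply, "F=403 Forbidden"))
```

Without a condition the rate-limit reply is reported as a valid pair, which is the false positive from the original report; with `F=403 Forbidden` the same reply is classified as invalid.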