thc-hydra
rdp false positive
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-15 15:56:13
Password doesn't match.
I have the same problem, how can I solve it?
How can anyone expect to get help when giving no information? How is it clear that the password is wrong? Maybe the account is locked or the password has expired. If the password is really different, then where is the debug output that shows what exactly the server sends, etc.?
I encountered it and am curious.
I got excited and thought I had creds for a pentest...
Redacted debugging output:
❯ hydra -dvv -l 'redacted_user' -p redacted_pass rdp://xxx.xxx.xxx.xxx
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-13 01:51:58
[DEBUG] cmdline: hydra -dvv -l redacted_user -p redacted_pass rdp://xxx.xxx.xxx.xxx
[DEBUG] opt:6 argc:7 mod:rdp tgt:xxx.xxx.xxx.xxx port:0 misc:(null)
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking rdp://xxx.xxx.xxx.xxx:3389/
[VERBOSE] Resolving addresses ...
[DEBUG] resolving xxx.xxx.xxx.xxx
[VERBOSE] resolving done
[DEBUG] Code: attack Time: 1634104318
[DEBUG] Options: mode 0 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 0 miscptr (null) service rdp
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 1 todo 1 sent 0 found 0 countlogin 1 sizelogin 25 countpass 1 sizepass 6
[DEBUG] Target 0 - target xxx.xxx.xxx.xxx ip xxx.xxx.xxx.xxx login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr redacted_user pass_ptr redacted_pass
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 1014000
[DEBUG] head_no 0 has pid 1014000
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin redacted_user, tpass redacted_pass, logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 0
[ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 1 of 1 [child 0] (0/0)
[DEBUG] head_no[0] read N
[STATUS] attack finished for xxx.xxx.xxx.xxx (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target completed, 0 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-13 01:51:59
@ShyftXero And how do you know that the password is wrong? Maybe the account is locked or the password expired.
I was using freerdp to validate the finding.
0xC000006D STATUS_LOGON_FAILURE is what's returned when using what hydra reported.
These are leaked creds we're using for a pentest. The password in question wouldn't adhere to the domain password policy so it's odd that it was accepted.
MS docs explaining the error: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
`redacted_user` is the same account with different passwords.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: ubaldina, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: imirish, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: William11, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 62734ae760, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: becemecie, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: ethapoo12, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: ridall, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: te2Yuil01, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: LLONG, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: alexpao011010, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Llong, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong123, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong2, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong322, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: LLONG, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llongq, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Llong, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong123, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong2, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong322, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: LLONG, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llongq, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Llong, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong123, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong2, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llong322, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: llongq, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 231069, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Robert130147!, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: FitnessBur, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: linkedinburger, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: jaisai, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Jablw8, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: elguapo1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Jablw8#, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: royals290657, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: mikej7695, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: fdmikespinak5b, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: rekhareg321, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: mendez, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: mramnari, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: savion, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: emmacleo2, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: kaeden, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 760704353266944, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 014410, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: qwerty, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: aaron431, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: surfer, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Ch@kras12, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Moonlight1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: maurizio, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: guegon56, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: bobbuilder, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: proactive, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: kop2009, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: canadacards12, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: gospodi1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 05419msm, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: mogioo, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: niko1611, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: ms6300220, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: welcome1!, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: S1nQFcuG, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 9191962, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 014410, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 1e23d5, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: summerslaw, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: bei1jing, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: danilo, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: mg777255, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: PILY03, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: scorpion31, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: anagha, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 308455924079501, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: welcome1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Panormos10, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: famolare, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: aspenjonah, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: 25080825, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: tigger1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: june0185, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Imogen50!, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: ypunq5, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: laisa01, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: mmljar6, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: b4eQ6, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: marprieto, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: moni2004, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: nannaellen, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: aaron431, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: Duffy1, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: hollylydia, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: brkvch, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: e82641, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: gnawbone, continuing attacking the account.
Errors adjacent to the large blob of false positives:
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 0
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 1
[VERBOSE] Retrying connection for child 2
[VERBOSE] Retrying connection for child 3
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 3
[VERBOSE] Retrying connection for child 2
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 0
[VERBOSE] Retrying connection for child 1
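The run above marks dozens of different passwords for one account as "might be valid", and that is itself the tell: a single account cannot have that many valid passwords, so the module's verdict is not tracking the password at all. As an added example (not part of this thread and not hydra's own code), the Python below groups hydra's RDP output lines per account and rates each reported hit, so a list like the one above is flagged as unreliable before anyone spends time validating it with freerdp. The "might be valid" pattern is taken from the lines quoted in this thread; the success-line pattern follows hydra's usual `[port][service] host: ... login: ... password: ...` format; the hosts, logins and passwords in `SAMPLE_OUTPUT` are constructed.

```python
import re
from collections import defaultdict

# Line shapes modelled on the hydra RDP output quoted in this thread
# (the "might be valid but account not active" line) and on hydra's
# usual "[port][service] host: ... login: ... password: ..." success line.
MIGHT_BE_VALID = re.compile(
    r"^\[(?P<port>\d+)\]\[rdp\] account on (?P<host>\S+) might be valid "
    r"but account not active for remote desktop: login: (?P<login>.*?) "
    r"password: (?P<password>.*?), continuing attacking the account\.$"
)
SUCCESS = re.compile(
    r"^\[(?P<port>\d+)\]\[rdp\] host: (?P<host>\S+)\s+login: (?P<login>\S+)"
    r"\s+password: (?P<password>.*)$"
)
CONN_FAILED = "[ERROR] freerdp: The connection failed to establish."
ATTEMPT_ERROR = "[ATTEMPT-ERROR]"


def triage_hydra_rdp(lines):
    """Group hydra's RDP verdicts per (host, login) and rate how trustworthy they are.

    One account has one valid password, so if hydra reports several distinct
    passwords for the same account the module's verdict does not depend on
    the password at all, and every hit for that account is unreliable.
    """
    per_account = defaultdict(lambda: {"might_be_valid": set(), "success": set()})
    stats = {"connection_failures": 0, "attempt_errors": 0}
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith(CONN_FAILED):
            stats["connection_failures"] += 1
        elif line.startswith(ATTEMPT_ERROR):
            stats["attempt_errors"] += 1
        elif (m := MIGHT_BE_VALID.match(line)):
            per_account[(m["host"], m["login"])]["might_be_valid"].add(m["password"])
        elif (m := SUCCESS.match(line)):
            per_account[(m["host"], m["login"])]["success"].add(m["password"])

    verdicts = {}
    for account, hits in per_account.items():
        distinct = hits["might_be_valid"] | hits["success"]
        if len(distinct) > 1:
            verdict = "unreliable"   # server response is not password-dependent
        elif hits["success"]:
            verdict = "verify"       # one definite hit; confirm with a real RDP client
        else:
            verdict = "weak-signal"  # a single "might be valid" is not a credential
        verdicts[account] = {"passwords": sorted(distinct), "verdict": verdict}
    return {"accounts": verdicts, **stats}


# Constructed sample output in the shape quoted in this thread (hosts, logins
# and passwords are made up); lab\alice gets three "might be valid" lines with
# two distinct passwords, which is the false-positive signature seen above.
SAMPLE_OUTPUT = """\
[3389][rdp] account on 10.0.0.5 might be valid but account not active for remote desktop: login: lab\\alice password: ubaldina, continuing attacking the account.
[3389][rdp] account on 10.0.0.5 might be valid but account not active for remote desktop: login: lab\\alice password: imirish, continuing attacking the account.
[3389][rdp] account on 10.0.0.5 might be valid but account not active for remote desktop: login: lab\\alice password: ubaldina, continuing attacking the account.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 0
[ATTEMPT-ERROR] target 10.0.0.5 - login "lab\\alice" - pass "llong" - child 0 - 1 of 1
[3389][rdp] host: 10.0.0.5   login: bob   password: Winter2021!
[3389][rdp] account on 10.0.0.5 might be valid but account not active for remote desktop: login: carol password: tigger1, continuing attacking the account.
""".splitlines()


def sample_report():
    """Triage the constructed sample; real use is triage_hydra_rdp(open('hydra.log'))."""
    return triage_hydra_rdp(SAMPLE_OUTPUT)


if __name__ == "__main__":
    report = sample_report()
    for account, info in report["accounts"].items():
        print(account, info["verdict"], info["passwords"])
    print("connection failures:", report["connection_failures"],
          "attempt errors:", report["attempt_errors"])
```

Hits rated "verify" or "weak-signal" still need confirmation with a real RDP client, as was done with freerdp above. A non-zero `connection_failures` count shows the server was refusing connections during the run, exactly the errors quoted next to the false positives here, so rerunning with `-t 1` and a `-W` wait, as hydra's own warning suggests, is the first thing to try before trusting any of the module's verdicts.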
@ShyftXero Thank you, that is actually something I can work with :) Can you please fetch the current GitHub state, compile, and then use the -d switch with an -l login and -p pass that was reported successful but isn't, and paste the output?
Unfortunately, that machine was taken offline to mitigate some other findings during the pentest so I can't fully reproduce / validate that the creds aren't working.
I'm sure it's meaningless because there's no actual exchange of auth material at this point, but I went ahead and did as you asked in case it was still up... fresh git clone and -dvv:
hydra -l 'redacted_user' -p redacted_pass rdp://xxx.xxx.xxx.xxx -dvv
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-15 02:16:07
[DEBUG] cmdline: hydra -l redacted_user -p redacted_pass -dvv rdp://xxx.xxx.xxx.xxx
[DEBUG] opt:6 argc:7 mod:rdp tgt:xxx.xxx.xxx.xxx port:0 misc:(null)
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking rdp://xxx.xxx.xxx.xxx:3389/
[VERBOSE] Resolving addresses ...
[DEBUG] resolving xxx.xxx.xxx.xxx
[VERBOSE] resolving done
[DEBUG] Code: attack Time: 1634278577
[DEBUG] Options: mode 0 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 0 miscptr (null) service rdp
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 1 todo 1 sent 0 found 0 countlogin 1 sizelogin 26 countpass 1 sizepass 6
[DEBUG] Target 0 - target xxx.xxx.xxx.xxx ip xxx.xxx.xxx.xxx login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr redacted_user pass_ptr redacted_pass
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23271
[DEBUG] head_no 0 has pid 23271
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin redacted_user, tpass redacted_pass, logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 0
[ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 1 of 1 [child 0] (0/0)
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23271 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 1 of 1
[DEBUG] hydra_increase_fail_count: 1 >= 0 => disable
[DEBUG] - will be retried at the end: ip xxx.xxx.xxx.xxx - login redacted_user - pass redacted_pass - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23280
[DEBUG] head_no 0 has pid 23280
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 0, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 0, pass_state 0, clogin , cpass , tlogin -p, tpass redacted_pass, redo 1
[DEBUG] Entering redo_state
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 1, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 2
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 1
[REDO-ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 2 of 2 [child 0] (1/1)
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23280 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 2 of 1
[DEBUG] hydra_increase_fail_count: 2 >= 0 => disable
[DEBUG] - will be retried at the end: ip xxx.xxx.xxx.xxx - login redacted_user - pass redacted_pass - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23290
[DEBUG] head_no 0 has pid 23290
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 2, redo_state 2, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 2 of 3
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 2
[REDO-ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 3 of 3 [child 0] (2/2)
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23290 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 3 of 1
[DEBUG] hydra_increase_fail_count: 3 >= 0 => disable
[DEBUG] - will be retried at the end: ip xxx.xxx.xxx.xxx - login redacted_user - pass redacted_pass - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23303
[DEBUG] head_no 0 has pid 23303
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 3, redo_state 3, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 3 of 4
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 3
[REDO-ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 4 of 4 [child 0] (3/3)
[STATUS] 4.00 tries/min, 4 tries in 00:01h, 1 to do in 00:01h, 1 active
[DEBUG] Code: STATUS Time: 1634278637
[DEBUG] Options: mode 0 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 0 miscptr (null) service rdp
[DEBUG] Brains: active 1 targets 1 finished 0 todo_all 4 todo 1 sent 4 found 0 countlogin 1 sizelogin 26 countpass 1 sizepass 6
[DEBUG] Target 0 - target xxx.xxx.xxx.xxx ip xxx.xxx.xxx.xxx login_no 1 pass_no 0 sent 4 pass_state 0 redo_state 4 (3 redos) use_count 1 failed 0 done 0 fail_count 3 login_ptr -p pass_ptr redacted_pass
[DEBUG] Task 0 - pid 23303 active 1 redo 0 current_login_ptr redacted_user current_pass_ptr redacted_pass
[DEBUG] Tasks 0 inactive 1 active
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23303 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 4 of 1
[DEBUG] hydra_increase_fail_count: 4 >= 0 => disable
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23315
[DEBUG] head_no 0 has pid 23315
[DEBUG] head_no[0] read n
[STATUS] attack finished for xxx.xxx.xxx.xxx (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target completed, 0 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-15 02:17:19
Like I said, the machine is INOP so impossible to reproduce... Sorry for the hassle.
I will say I was trying to use creds that contained the Windows domain prepended to the username, `ecorp\jsmith`, as opposed to just `jsmith`. It could look like I was trying to escape the j (`\j`) and maybe that did something weird? I did try it at a later time with `ecorp\\jsmith` just in case, but I think the machine was already offline at that point.
Which is correct? `ecorp\\jsmith` or `ecorp\jsmith`?
idk man. computers. The `\\` was to escape the backslash. `/` was doing something weird too. Maybe the same? I don't recall, as it was a long time ago now.
anyway, with `\\` it gives false.
I have the same issue. I was trying to brute-force RDP with hydra in my home lab.
It gave me a false positive: the password for the admin account was password1234 and it reports something else; hence a false positive.
I tried another tool (crowbar) and it gives the same false positive as well. Might be related to RDP, idk.
```
hydra -t 1 -dvv -f -l administrator -P /opt/rockyou.txt rdp://192.168.44.124 -s 3389
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-24 15:23:26
[DEBUG] cmdline: hydra -t 1 -dvv -f -l administrator -P /opt/rockyou.txt -s 3389 rdp://192.168.44.124
[DEBUG] opt:11 argc:12 mod:rdp tgt:192.168.44.124 port:3389 misc:(null)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344126 login tries (l:1/p:14344126), ~14344126 tries per task
[DATA] attacking rdp://192.168.44.124:3389/
[VERBOSE] Resolving addresses ...
[DEBUG] resolving 192.168.44.124
[VERBOSE] resolving done
[DEBUG] Code: attack Time: 1692879817
[DEBUG] Options: mode 1 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 1 miscptr (null) service rdp
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 14344126 todo 14344126 sent 0 found 0 countlogin 1 sizelogin 14 countpass 14344126 sizepass 139901242
[DEBUG] Target 0 - target 192.168.44.124 ip 192.168.44.124 login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr administrator pass_ptr 123hfjdk147
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 176478
[DEBUG] head_no 0 has pid 176478
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin administrator, tpass 123hfjdk147, logincnt 0/1, passcnt 0/14344126, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 3, clogin administrator, cpass 123hfjdk147, tlogin administrator, tpass 1464688081, redo 0
[ATTEMPT] target 192.168.44.124 - login "administrator" - pass "123hfjdk147" - 1 of 14344126 [child 0] (0/0)
[DEBUG] rdp reported 00000000
[DEBUG] head_no[0] read F
[3389][rdp] host: 192.168.44.124 login: administrator password: 123hfjdk147
[STATUS] attack finished for 192.168.44.124 (valid pair found)
[DEBUG] head_no 0, kill 1, fail 2
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target successfully completed, 1 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-24 15:23:38
```
As I stated earlier, I checked the hydra_rdp.c file and it states it works on Win 7 and 10. So this could be the issue here for MY CASE: my lab machine is Windows XP.
I checked the crowbar source code: it also initiates the xfreerdp `+auth-only` option, where hydra also uses the freerdp library and also checks

```c
/* hydra_rdp.c: an empty password disables auth-only mode */
if (password[0] == 0)
  instance->settings->AuthenticationOnly = FALSE;
else
  instance->settings->AuthenticationOnly = TRUE;
```
When I try to log in from the terminal using xfreerdp to my XP machine with the given parameters (`+auth-only` and `/cert:ignore`), it gives the same result with a false password.
Both debug outputs are exactly the same. I will try on Win 7 later.
XP has already lost its vendor support. imo using ncrack with slow mode will solve our problems here.
follow up in #923