thc-hydra
False positives in xrdp weak credential scanning
Describe the bug
When Hydra scans an xrdp service, it always reports any username/password pair used to be valid, while printing out an error `[ERROR] freerdp: The connection failed to establish.` at the same time (even with the correct credential).
I've set up a Debian vm with xrdp. When I used Microsoft Remote Desktop to connect to it, the client behaviour was a bit unexpected (though I think it could be an x?rdp protocol quirk):
- If the credentials are correct, I can directly log into my debian instance
- If the credentials are incorrect, the initial connection is still established, then I get redirected to the xorg login portal:
I suspect this xrdp behaviour caused Hydra to always assume any credential pair is valid, because the initial connection is always established.
To Reproduce
Steps to reproduce the behavior:
- Enable xrdp on a linux vm: https://linuxize.com/post/how-to-install-xrdp-on-debian-10/
- Scan that vm with hydra: `hydra -l root -p 'root' <linux_vm_ip> rdp`, using any username/password
Expected behavior
Ideally Hydra reports valid credential only if it can actually log into the debian instance. If xrdp is not officially supported, it would be great to have a way to detect and skip xrdp services so that Hydra doesn't generate false positive findings.
Desktop (please complete the following information):
- OS: Hydra is running in dockerized environment, using `openjdk:11-jdk-bullseye` as the base image, and installed via `apt-get install -y hydra`, which installed `libfreerdp2-2/now 2.3.0+dfsg1-2+deb11u1 amd64 [installed,local]` as part of the dependencies.
- hydra version v9.1
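
Until the scanner can tell xrdp apart, a credential audit can downgrade the affected findings instead of reporting them as valid. The sketch below is an added example, not code from this issue or from the Hydra project: it assumes one Hydra run per call and the `[port][service] host: ... login: ... password: ...` finding line, and the sample outputs are constructed.

```python
import re

# Assumed shape of a Hydra finding line:
#   [3389][rdp] host: 192.0.2.10   login: root   password: root
FINDING = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>.*?)\s+password:\s+(?P<password>.*)$"
)
# Error text quoted in the report above.
FREERDP_ERROR = "[ERROR] freerdp: The connection failed to establish."

# Constructed sample: the xrdp case from the report (error plus a "valid" pair).
SAMPLE_XRDP_RUN = """\
[DATA] attacking rdp://192.0.2.10:3389/
[ERROR] freerdp: The connection failed to establish.
[3389][rdp] host: 192.0.2.10   login: root   password: root
1 of 1 target successfully completed, 1 valid password found
"""

# Constructed sample: an rdp finding with no freerdp error in the run.
SAMPLE_CLEAN_RUN = """\
[DATA] attacking rdp://192.0.2.20:3389/
[3389][rdp] host: 192.0.2.20   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
"""


def triage(run_output):
    """Split the findings of one Hydra run into (accepted, unverified).

    An rdp finding is unverified when the freerdp connection error appears
    in the same run: per the report, that error accompanies every pair
    tried against xrdp, so the finding says nothing about the credential.
    """
    lines = [ln.strip() for ln in run_output.splitlines()]
    rdp_error_seen = any(FREERDP_ERROR in ln for ln in lines)
    accepted, unverified = [], []
    for ln in lines:
        m = FINDING.match(ln)
        if not m:
            continue
        finding = m.groupdict()
        if finding["service"] == "rdp" and rdp_error_seen:
            unverified.append(finding)  # needs a manual login check
        else:
            accepted.append(finding)
    return accepted, unverified
```

Findings in the unverified list should be confirmed with an interactive login before they go into a report.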