I'm currently having some issues with medusa and hydra. I'm testing passwords on a web app which is using spring security. Now, I already know that it is vulnerable to dictionary attacks, I do however need to be able to show it. There are no requirements as far as password strength goes, and no lockout for repeated tries.
So I set up the app on a computer at home (10.0.0.4). I'm running Medusa as follows:
medusa -u username -P wordlist -M web-form -m FORM:"appname/j_spring_security_check" -m FORM-DATA:"POST?j_username=&j_password=&Login=Login" -m DENY-SIGNAL="failed" -h 10.0.0.4 -v 6 -w 10
Now, this works. On the web app, I can see a bunch of failed login attempts, as well as a single successful attempt, so I have my proof really. It is however quite frustrating that medusa can't see that. It instead reports a 302 error.
j_spring_security_check redirects to the protected area of the app if login is successful or back to the login page if not. Appearently, redirecting isn't something medusa handles well. Does anybody know of a workaround?
So without getting all the way home with medusa I tried with hydra. It seemed to work well at first. I could see login attempts at the server. However, once again, when a login was correct, hydra didn't seem to be able to report it.
This is how I ran hydra:
hydra -l username -P wordlist -t 14 -V 10.0.0.4 http-post-form "appname/j_spring_security_check:j_username=^USER^&j_passwo rd=^PASS^&Login=Login"
This seemed to work well, but I quickly realized the problem. Since there's no deny-signal defined, it would always think it failed, right? So I tried the following instead
hydra -l username -P wordlist -t 14 -V 10.0.0.4 http-post-form "appname/j_spring_security_check:j_username=^USER^&j_passwo rd=^PASS^&Login=Login:failed"
This time, I got a bunch of free() errors. It seems hydra which is currently in BT4 hasn't been patched with the following patch:
I tried compiling the damn thing myself. After a few tries trying to find the correct libs and eliminating the ones I didn't care about, I got it to compile without error, but for some reason it wouldn't run any services at all after that.
So I was wondering if
A: Anybody knew about a workaround which could make medusa do what I want.
B: Anybody who has compiled hydra in BT4 final who can be of help applying the patch
C: Anybody who's got a neato patched hydra binary lying around
Well, so I finally managed to compile hydra properly, and everything is hunkydory. It should really be updated with the patch.