Thread: Some trouble with medusa/hydra

  1. #1

    Hi

    I'm currently having some issues with medusa and hydra. I'm testing passwords on a web app which is using Spring Security. Now, I already know that it is vulnerable to dictionary attacks; I do, however, need to be able to show it. There are no requirements as far as password strength goes, and no lockout for repeated tries.

    So I set up the app on a computer at home (10.0.0.4). I'm running Medusa as follows:

    medusa -u username -P wordlist -M web-form -m FORM:"appname/j_spring_security_check" -m FORM-DATA:"POST?j_username=&j_password=&Login=Login" -m DENY-SIGNAL="failed" -h 10.0.0.4 -v 6 -w 10

    Now, this works. On the web app, I can see a bunch of failed login attempts, as well as a single successful attempt, so I have my proof really. It is however quite frustrating that medusa can't see that. It instead reports a 302 error.

    j_spring_security_check redirects to the protected area of the app if login is successful or back to the login page if not. Apparently, redirecting isn't something medusa handles well. Does anybody know of a workaround?

    So without getting all the way home with medusa I tried with hydra. It seemed to work well at first. I could see login attempts at the server. However, once again, when a login was correct, hydra didn't seem to be able to report it.

    This is how I ran hydra:
    hydra -l username -P wordlist -t 14 -V 10.0.0.4 http-post-form "appname/j_spring_security_check:j_username=^USER^&j_password=^PASS^&Login=Login"

    This seemed to work well, but I quickly realized the problem. Since there's no deny-signal defined, it would always think it failed, right? So I tried the following instead

    hydra -l username -P wordlist -t 14 -V 10.0.0.4 http-post-form "appname/j_spring_security_check:j_username=^USER^&j_password=^PASS^&Login=Login:failed"

    This time, I got a bunch of free() errors. It seems hydra which is currently in BT4 hasn't been patched with the following patch:
    http://packetstorm.linuxsecurity.com...ttp-form.patch

    I tried compiling the damn thing myself. After a few tries trying to find the correct libs and eliminating the ones I didn't care about, I got it to compile without error, but for some reason it wouldn't run any services at all after that.

    So I was wondering if
    A: Anybody knew about a workaround which could make medusa do what I want.
    B: Anybody who has compiled hydra in BT4 final who can be of help applying the patch
    C: Anybody who's got a neato patched hydra binary lying around

    Well, so I finally managed to compile hydra properly, and everything is hunky-dory. It should really be updated with the patch.
    Last edited by Archangel-Amael; 02-03-2010 at 04:27 PM.
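
The post notes that the app has no lockout and that its own log shows a run of failed logins followed by a single success. As an added example (not part of the original post), here is a minimal detector for that pattern over an application auth log; the log format, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (hypothetical format, not from the thread):
# timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2010-02-03T16:00:01 10.0.0.7 username FAIL
2010-02-03T16:00:02 10.0.0.7 username FAIL
2010-02-03T16:00:02 10.0.0.9 alice FAIL
2010-02-03T16:00:03 10.0.0.7 username FAIL
2010-02-03T16:00:04 10.0.0.7 username FAIL
2010-02-03T16:00:05 10.0.0.7 username FAIL
2010-02-03T16:00:06 10.0.0.7 username FAIL
2010-02-03T16:00:07 10.0.0.7 username OK
2010-02-03T16:00:20 10.0.0.9 alice OK
"""

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed failures per window before alerting

def parse(line):
    ts, src, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, user, outcome

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, source, username, timestamp) tuples."""
    recent = defaultdict(deque)  # (source, username) -> recent failure times
    alerted = set()              # keys already reported for the current burst
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, user, outcome = parse(line)
        key = (src, user)
        fails = recent[key]
        while fails and ts - fails[0] > window:  # expire old failures
            fails.popleft()
        if not fails:
            alerted.discard(key)                 # burst over, allow a new alert
        if outcome == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("dictionary_attack", src, user, ts))
        elif outcome == "OK":
            if len(fails) >= threshold:  # burst of failures, then a hit
                alerts.append(("success_after_burst", src, user, ts))
            fails.clear()
            alerted.discard(key)
    return alerts
```

A `success_after_burst` alert is the case worth paging on: it marks the account whose password was most likely guessed, which is also the point at which a lockout policy would have stopped the run.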
