
rdp false positive #678

Closed
coneycalifornia opened this issue Aug 15, 2021 · 16 comments

Comments

@coneycalifornia

1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-15 15:56:13
Password doesn't match.

@yuyongxr

I have the same problem, how can I solve it?

@vanhauser-thc
Owner

how can anyone expect to get help when giving no information?
how is it clear that the password is wrong? maybe the account is locked or the password has expired. if the password is really different then where is the debug output that shows what exactly the server sends etc.

@ShyftXero

ShyftXero commented Oct 13, 2021

I encountered it and am curious.

I got excited and thought I had creds for a pentest...


redacted debugging output.

❯ hydra -dvv -l 'redacted_user' -p redacted_pass rdp://xxx.xxx.xxx.xxx
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-13 01:51:58
[DEBUG] cmdline: hydra -dvv -l redacted_user -p redacted_pass rdp://xxx.xxx.xxx.xxx 
[DEBUG] opt:6 argc:7 mod:rdp tgt:xxx.xxx.xxx.xxx port:0 misc:(null)
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking rdp://xxx.xxx.xxx.xxx:3389/
[VERBOSE] Resolving addresses ... 
[DEBUG] resolving xxx.xxx.xxx.xxx
[VERBOSE] resolving done
[DEBUG] Code: attack   Time: 1634104318
[DEBUG] Options: mode 0  ssl 0  restore 0  showAttempt 0  tasks 1  max_use 1 tnp 0  tpsal 0  tprl 0  exit_found 0  miscptr (null)  service rdp
[DEBUG] Brains: active 0  targets 1  finished 0  todo_all 1  todo 1  sent 0  found 0  countlogin 1  sizelogin 25  countpass 1  sizepass 6
[DEBUG] Target 0 - target xxx.xxx.xxx.xxx  ip xxx.xxx.xxx.xxx  login_no 0  pass_no 0  sent 0  pass_state 0  redo_state 0 (0 redos)  use_count 0  failed 0  done 0  fail_count 0  login_ptr redacted_user  pass_ptr redacted_pass
[DEBUG] Task 0 - pid 0  active 0  redo 0  current_login_ptr (null)  current_pass_ptr (null)
[DEBUG] Tasks 1 inactive  0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 1014000
[DEBUG] head_no 0 has pid 1014000
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin redacted_user, tpass redacted_pass, logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 0
[ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 1 of 1 [child 0] (0/0)
[DEBUG] head_no[0] read N
[STATUS] attack finished for xxx.xxx.xxx.xxx (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target completed, 0 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-13 01:51:59

@vanhauser-thc
Owner

@ShyftXero and how do you know that the password is wrong? maybe the account is locked or the password expired.

@ShyftXero

ShyftXero commented Oct 13, 2021

I was using freerdp to validate the finding.

0xC000006D STATUS_LOGON_FAILURE is what's returned when using what hydra reported.

These are leaked creds we're using for a pentest. The password in question wouldn't adhere to the domain password policy so it's odd that it was accepted.

ms docs explaining the error -> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55


@ShyftXero

redacted_user is the same account with different passwords.

[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: ubaldina, continuing attacking the account.
[3389][rdp] account on xxx.xxx.xxx.xxx might be valid but account not active for remote desktop: login: redacted_domain\redacted_user password: imirish, continuing attacking the account.

errors adjacent to the large blob of false-positives

[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 0
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 1
[VERBOSE] Retrying connection for child 2
[VERBOSE] Retrying connection for child 3
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 3
[VERBOSE] Retrying connection for child 2
[ERROR] freerdp: The connection failed to establish.
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 0
[VERBOSE] Retrying connection for child 1
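A triage helper for the pattern shown in the post above: many "might be valid but account not active" lines for one account, interleaved with freerdp connection errors. This is an added example, not thc-hydra code; the "might be valid" line format is taken from the output pasted in this issue, the plain "host: ... login: ... password: ..." success line is hydra's usual hit format and is assumed here, and the hosts, logins and passwords in the samples are constructed.

```python
"""Triage hydra rdp findings: flag results that need manual validation."""
import re
from collections import defaultdict

# Line shapes handled. NOT_ACTIVE_RE is the heuristic message quoted in this
# issue; HIT_RE is hydra's usual confirmed-hit line (assumed format).
NOT_ACTIVE_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[rdp\] account on (?P<host>\S+) might be valid but account "
    r"not active for remote desktop: login: (?P<login>\S+) password: "
    r"(?P<password>.*?), continuing attacking the account\.$"
)
HIT_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[rdp\] host: (?P<host>\S+)\s+login: (?P<login>\S+)"
    r"\s+password: (?P<password>.*)$"
)
CONN_ERROR_RE = re.compile(r"^\[ERROR\] freerdp: The connection failed to establish\.$")

# Constructed sample modelled on the run in this thread (RFC 5737 test address).
SAMPLE_FALSE_POSITIVE = """\
[ERROR] freerdp: The connection failed to establish.
[VERBOSE] Retrying connection for child 0
[3389][rdp] account on 192.0.2.10 might be valid but account not active for remote desktop: login: ecorp\\jsmith password: pass1, continuing attacking the account.
[3389][rdp] account on 192.0.2.10 might be valid but account not active for remote desktop: login: ecorp\\jsmith password: pass2, continuing attacking the account.
[ERROR] freerdp: The connection failed to establish.
[3389][rdp] host: 192.0.2.10   login: ecorp\\jsmith   password: pass3
1 of 1 target successfully completed, 1 valid password found
"""

# Constructed sample of a run with a single hit and no transport errors.
SAMPLE_CLEAN = """\
[3389][rdp] host: 192.0.2.20   login: jsmith   password: example-pass
1 of 1 target successfully completed, 1 valid password found
"""


def parse_hydra_rdp(output: str) -> dict:
    """Group findings per (host, login) and count freerdp connection errors."""
    findings = defaultdict(lambda: {"not_active": [], "hits": []})
    conn_errors = 0
    for line in output.splitlines():
        line = line.rstrip()
        if CONN_ERROR_RE.match(line):
            conn_errors += 1
            continue
        m = NOT_ACTIVE_RE.match(line)
        if m:
            findings[(m["host"], m["login"])]["not_active"].append(m["password"])
            continue
        m = HIT_RE.match(line)
        if m:
            findings[(m["host"], m["login"])]["hits"].append(m["password"])
    return {"findings": dict(findings), "conn_errors": conn_errors}


def triage(output: str) -> dict:
    """Return a verdict per (host, login).

    A finding needs manual validation (e.g. with an interactive RDP client)
    when any of these hold: more than one distinct password was reported for
    the same account (at most one can be right), the run contained freerdp
    connection failures (the module's result may reflect transport trouble,
    not the server's logon answer), or the only evidence is the "might be
    valid" heuristic line with no confirmed logon.
    """
    parsed = parse_hydra_rdp(output)
    verdicts = {}
    for key, f in parsed["findings"].items():
        distinct = set(f["not_active"]) | set(f["hits"])
        reasons = []
        if len(distinct) > 1:
            reasons.append("multiple distinct passwords reported for one account")
        if parsed["conn_errors"] > 0:
            reasons.append("freerdp connection errors in the same run")
        if f["not_active"] and not f["hits"]:
            reasons.append("only 'might be valid' heuristic lines, no confirmed logon")
        verdicts[key] = {
            "passwords": sorted(distinct),
            "verdict": "needs manual validation" if reasons else "single confirmed hit",
            "reasons": reasons,
        }
    return verdicts


if __name__ == "__main__":
    for sample in (SAMPLE_FALSE_POSITIVE, SAMPLE_CLEAN):
        for (host, login), v in triage(sample).items():
            print(f"{host} {login}: {v['verdict']}; " + "; ".join(v["reasons"]))
```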

@vanhauser-thc
Owner

@ShyftXero thank you, that is actually something I can work with :)
can you please fetch the current github state, compile, and then use the -d switch with an -l login -p pass that was reported successful but isn't? and paste the output.

@vanhauser-thc vanhauser-thc reopened this Oct 14, 2021
@ShyftXero

Unfortunately, that machine was taken offline to mitigate some other findings during the pentest so I can't fully reproduce / validate that the creds aren't working.

I'm sure it's meaningless because there's no actual exchange of auth material at this point but I went ahead and did as you asked in case it was still up... fresh git clone and -dvv

hydra -l 'redacted_user' -p redacted_pass  rdp://xxx.xxx.xxx.xxx -dvv
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-15 02:16:07
[DEBUG] cmdline: hydra -l redacted_user -p redacted_pass -dvv rdp://xxx.xxx.xxx.xxx 
[DEBUG] opt:6 argc:7 mod:rdp tgt:xxx.xxx.xxx.xxx port:0 misc:(null)
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 1
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking rdp://xxx.xxx.xxx.xxx:3389/
[VERBOSE] Resolving addresses ... 
[DEBUG] resolving xxx.xxx.xxx.xxx
[VERBOSE] resolving done
[DEBUG] Code: attack   Time: 1634278577
[DEBUG] Options: mode 0  ssl 0  restore 0  showAttempt 0  tasks 1  max_use 1 tnp 0  tpsal 0  tprl 0  exit_found 0  miscptr (null)  service rdp
[DEBUG] Brains: active 0  targets 1  finished 0  todo_all 1  todo 1  sent 0  found 0  countlogin 1  sizelogin 26  countpass 1  sizepass 6
[DEBUG] Target 0 - target xxx.xxx.xxx.xxx  ip xxx.xxx.xxx.xxx  login_no 0  pass_no 0  sent 0  pass_state 0  redo_state 0 (0 redos)  use_count 0  failed 0  done 0  fail_count 0  login_ptr redacted_user  pass_ptr redacted_pass
[DEBUG] Task 0 - pid 0  active 0  redo 0  current_login_ptr (null)  current_pass_ptr (null)
[DEBUG] Tasks 1 inactive  0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23271
[DEBUG] head_no 0 has pid 23271
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin redacted_user, tpass redacted_pass, logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 0
[ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 1 of 1 [child 0] (0/0)
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23271 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 1 of 1
[DEBUG] hydra_increase_fail_count: 1 >= 0 => disable
[DEBUG] - will be retried at the end: ip xxx.xxx.xxx.xxx - login redacted_user - pass redacted_pass - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23280
[DEBUG] head_no 0 has pid 23280
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 0, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 0, pass_state 0, clogin , cpass , tlogin -p, tpass redacted_pass, redo 1
[DEBUG] Entering redo_state
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 1, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 2
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 1
[REDO-ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 2 of 2 [child 0] (1/1)
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23280 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 2 of 1
[DEBUG] hydra_increase_fail_count: 2 >= 0 => disable
[DEBUG] - will be retried at the end: ip xxx.xxx.xxx.xxx - login redacted_user - pass redacted_pass - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23290
[DEBUG] head_no 0 has pid 23290
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 2, redo_state 2, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 2 of 3
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 2
[REDO-ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 3 of 3 [child 0] (2/2)
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23290 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 3 of 1
[DEBUG] hydra_increase_fail_count: 3 >= 0 => disable
[DEBUG] - will be retried at the end: ip xxx.xxx.xxx.xxx - login redacted_user - pass redacted_pass - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23303
[DEBUG] head_no 0 has pid 23303
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 3, redo_state 3, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass redacted_pass, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target xxx.xxx.xxx.xxx - login "" - pass "" - child 0 - 3 of 4
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin redacted_user, cpass redacted_pass, tlogin -p, tpass redacted_pass, redo 3
[REDO-ATTEMPT] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - 4 of 4 [child 0] (3/3)
[STATUS] 4.00 tries/min, 4 tries in 00:01h, 1 to do in 00:01h, 1 active
[DEBUG] Code: STATUS   Time: 1634278637
[DEBUG] Options: mode 0  ssl 0  restore 0  showAttempt 0  tasks 1  max_use 1 tnp 0  tpsal 0  tprl 0  exit_found 0  miscptr (null)  service rdp
[DEBUG] Brains: active 1  targets 1  finished 0  todo_all 4  todo 1  sent 4  found 0  countlogin 1  sizelogin 26  countpass 1  sizepass 6
[DEBUG] Target 0 - target xxx.xxx.xxx.xxx  ip xxx.xxx.xxx.xxx  login_no 1  pass_no 0  sent 4  pass_state 0  redo_state 4 (3 redos)  use_count 1  failed 0  done 0  fail_count 3  login_ptr -p  pass_ptr redacted_pass
[DEBUG] Task 0 - pid 23303  active 1  redo 0  current_login_ptr redacted_user  current_pass_ptr redacted_pass
[DEBUG] Tasks 0 inactive  1 active
[ERROR] freerdp: The connection failed to establish.
[DEBUG] pid 23303 called child_exit with code 1
[DEBUG] head_no[0] read C
[ATTEMPT-ERROR] target xxx.xxx.xxx.xxx - login "redacted_user" - pass "redacted_pass" - child 0 - 4 of 1
[DEBUG] hydra_increase_fail_count: 4 >= 0 => disable
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 23315
[DEBUG] head_no 0 has pid 23315
[DEBUG] head_no[0] read n
[STATUS] attack finished for xxx.xxx.xxx.xxx (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target completed, 0 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-15 02:17:19

Like I said, the machine is INOP so it is impossible to reproduce... Sorry for the hassle.

@ShyftXero

I will say I was trying to use creds that contained the Windows domain prepended to the username:

ecorp\jsmith as opposed to just jsmith

It could look like I was trying to escape the j (\j) and maybe that did something weird?

@ShyftXero

I did try it at a later time with the ecorp\\jsmith just in case but I think the machine was already offline at that point.

@sec13b

sec13b commented May 25, 2023

Which one is correct?
ecorp\\jsmith
or ecorp\jsmith

@ShyftXero

Idk man. Computers. The \\ was to escape the backslash. / was doing something weird too. Maybe the same? I don't recall, as it was a long time ago now.

@sec13b

sec13b commented May 25, 2023

Anyway, with \\ it gives false.

@wadethrillson

wadethrillson commented Aug 24, 2023

I have the same issue. I was trying to brute-force RDP with hydra in my home lab.

It gave me a false positive: the password for the admin account was password1234 and it reports something else; hence the false positive.

I tried another tool (crowbar) and it gives the same false positive as well. Might be related to RDP, I don't know.

```
hydra -t 1 -dvv -f -l administrator -P /opt/rockyou.txt rdp://192.168.44.124 -s 3389
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-24 15:23:26
[DEBUG] cmdline: hydra -t 1 -dvv -f -l administrator -P /opt/rockyou.txt -s 3389 rdp://192.168.44.124
[DEBUG] opt:11 argc:12 mod:rdp tgt:192.168.44.124 port:3389 misc:(null)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344126 login tries (l:1/p:14344126), ~14344126 tries per task
[DATA] attacking rdp://192.168.44.124:3389/
[VERBOSE] Resolving addresses ...
[DEBUG] resolving 192.168.44.124
[VERBOSE] resolving done
[DEBUG] Code: attack Time: 1692879817
[DEBUG] Options: mode 1 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 1 miscptr (null) service rdp
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 14344126 todo 14344126 sent 0 found 0 countlogin 1 sizelogin 14 countpass 14344126 sizepass 139901242
[DEBUG] Target 0 - target 192.168.44.124 ip 192.168.44.124 login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr administrator pass_ptr 123hfjdk147
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 176478
[DEBUG] head_no 0 has pid 176478
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin administrator, tpass 123hfjdk147, logincnt 0/1, passcnt 0/14344126, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 3, clogin administrator, cpass 123hfjdk147, tlogin administrator, tpass 1464688081, redo 0
[ATTEMPT] target 192.168.44.124 - login "administrator" - pass "123hfjdk147" - 1 of 14344126 [child 0] (0/0)
[DEBUG] rdp reported 00000000
[DEBUG] head_no[0] read F
[3389][rdp] host: 192.168.44.124 login: administrator password: 123hfjdk147

[STATUS] attack finished for 192.168.44.124 (valid pair found)
[DEBUG] head_no 0, kill 1, fail 2
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target successfully completed, 1 valid password found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-24 15:23:38
```

@wadethrillson

As I stated earlier, I checked the hydra_rdp.c file and it states it works on Win 7 and 10, so this could be the issue here for MY CASE.

My lab machine is Windows XP.

I checked the crowbar source code: it also invokes xfreerdp with the +auth-only option, and hydra, which also uses the freerdp library, likewise checks:

```c
/* excerpt from hydra_rdp.c as quoted by the commenter: auth-only mode
   is enabled whenever a non-empty password is being tested */
if (password[0] == 0)
  instance->settings->AuthenticationOnly = FALSE;
else
  instance->settings->AuthenticationOnly = TRUE;
```

When I try to log in from the terminal using xfreerdp to my XP machine with the given parameters (+auth-only and /cert:ignore), it gives the same result with a false password.

Both debug outputs are exactly the same. I will try on Win7 later.

XP has already lost its vendor support. IMO using ncrack with slow mode will solve our problems here.
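The pattern in the log above (a hit on the very first attempt, `rdp reported 00000000`, and the same "success" for a password that is known to be wrong) can be caught before a result is written into a report. The script below is an added example, not code from hydra, crowbar or any commenter: it parses the output line formats hydra printed in this thread and applies a canary check (re-run against the same host with one password that cannot be correct; if that is also reported valid, the host's auth-only handshake is not a usable success signal) plus a "first-try, status 0, zero failures" heuristic. The regexes, function names, the `CANARY_PASSWORD` placeholder and the sample runs are all assumptions constructed for this example; the sample runs are trimmed from the lines quoted above.

```python
"""Sanity-check a hydra RDP result for the false-positive pattern in this thread.

Added example, not hydra's or crowbar's code. It parses the output line
formats hydra printed above and applies two checks a tester would want
before reporting a credential hit:

  1. Canary run: re-run hydra against the same host with one password that
     cannot be correct. If that password is also reported as valid, the
     host's auth-only handshake (AuthenticationOnly / +auth-only) is not a
     usable success signal and every hit from it is a false positive.
  2. A first-try hit with "rdp reported 00000000" and no failed attempts at
     all is flagged for manual verification instead of being accepted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Output formats copied from the hydra logs quoted in this thread (assumed stable).
HIT_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>\w+)\] host: (?P<host>\S+)\s+"
    r"login: (?P<login>\S+)\s+password: (?P<password>.*)$"
)
ATTEMPT_RE = re.compile(r'^\[ATTEMPT\] target \S+ - login ".*" - pass ".*" - \d+ of \d+')
STATUS_RE = re.compile(r"^\[DEBUG\] rdp reported (?P<code>[0-9A-Fa-f]{8})$")
ERROR_RE = re.compile(r"^\[ATTEMPT-ERROR\]|^\[ERROR\] freerdp:")


@dataclass
class Hit:
    host: str
    port: int
    login: str
    password: str


@dataclass
class RunSummary:
    hits: List[Hit] = field(default_factory=list)
    status_codes: List[int] = field(default_factory=list)
    attempts: int = 0
    errors: int = 0


def parse_hydra_output(text: str) -> RunSummary:
    """Collect reported hits, freerdp status codes, attempt and error counts."""
    run = RunSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = HIT_RE.match(line)
        if m:
            run.hits.append(Hit(m["host"], int(m["port"]), m["login"], m["password"].strip()))
            continue
        m = STATUS_RE.match(line)
        if m:
            run.status_codes.append(int(m["code"], 16))
        elif ATTEMPT_RE.match(line):
            run.attempts += 1
        elif ERROR_RE.match(line):
            run.errors += 1
    return run


def canary_is_trusted(canary_run: RunSummary, canary_password: str) -> bool:
    """False if hydra reported the impossible canary password as valid."""
    return not any(h.password == canary_password for h in canary_run.hits)


def triage(real_run: RunSummary, canary_run: RunSummary,
           canary_password: str) -> Dict[Tuple[str, str, str], str]:
    """Label every hit 'false-positive', 'verify-manually' or 'credible'."""
    trusted = canary_is_trusted(canary_run, canary_password)
    # The thread's pattern: success on the very first try, status 0, never a failure.
    first_try_only = bool(
        real_run.attempts == 1
        and real_run.errors == 0
        and real_run.status_codes
        and all(code == 0 for code in real_run.status_codes)
    )
    verdicts: Dict[Tuple[str, str, str], str] = {}
    for h in real_run.hits:
        key = (h.host, h.login, h.password)
        if not trusted:
            verdicts[key] = "false-positive"
        elif first_try_only:
            verdicts[key] = "verify-manually"
        else:
            verdicts[key] = "credible"
    return verdicts


# Constructed sample runs, trimmed from the debug output quoted in this thread.
CANARY_PASSWORD = "canary-cannot-be-right-9f1c"  # placeholder, not a real credential

REAL_RUN = """\
[DATA] attacking rdp://192.168.44.124:3389/
[ATTEMPT] target 192.168.44.124 - login "administrator" - pass "123hfjdk147" - 1 of 14344126 [child 0] (0/0)
[DEBUG] rdp reported 00000000
[DEBUG] head_no[0] read F
[3389][rdp] host: 192.168.44.124   login: administrator   password: 123hfjdk147
[STATUS] attack finished for 192.168.44.124 (valid pair found)
"""

# Same host, one impossible password, and hydra still prints a hit (constructed).
BAD_CANARY_RUN = f"""\
[ATTEMPT] target 192.168.44.124 - login "administrator" - pass "{CANARY_PASSWORD}" - 1 of 1 [child 0] (0/0)
[DEBUG] rdp reported 00000000
[3389][rdp] host: 192.168.44.124   login: administrator   password: {CANARY_PASSWORD}
"""

# A host that rejects the canary prints no hit line (constructed).
GOOD_CANARY_RUN = f"""\
[ATTEMPT] target 192.168.44.124 - login "administrator" - pass "{CANARY_PASSWORD}" - 1 of 1 [child 0] (0/0)
1 of 1 target completed, 0 valid password found
"""

if __name__ == "__main__":
    real = parse_hydra_output(REAL_RUN)
    for key, verdict in triage(real, parse_hydra_output(BAD_CANARY_RUN), CANARY_PASSWORD).items():
        print(key, "->", verdict)
```

Feed it the saved output of the real run and of a second run that used only the canary password; a `false-positive` verdict means the host cannot distinguish passwords in auth-only mode (the XP case described above), and a `verify-manually` verdict means the hit has not yet survived any negative test.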

@vanhauser-thc
Owner

follow up in #923
