False positives in xrdp weak credential scanning #923
Comments
Why are you creating an issue for an outdated version of hydra? Please try the current version.
I've tried hydra v9.5 today, it no longer prints out
Ah damn, I hoped the various fixes were enough for your case.
I found https://github.com/satishweb/docker-xrdp that can be used to reproduce this issue. My original testing was done by setting up xrdp on a gcp vm. Both work the same way.
I looked into this and this seems to be a change on the server side. libfreerdp does not know if a connection was successful or not. You can try this yourself: Maybe there is some magic in libfreerdp one can do to identify if a real session is active or another login window or error window is present. But I don't have enough of a clue about RDP to be able to do that with the limited amount of time that I have. Someone with time needs to look into this.
Describe the bug
When Hydra scans an xrdp service, it always reports any username/password pair used to be valid, while printing out an error
[ERROR] freerdp: The connection failed to establish.
at the same time (even with the correct credential).
I've set up a Debian vm with xrdp. When I used Microsoft Remote Desktop to connect to it, the client behaviour was a bit unexpected (though I think it could be an x?rdp protocol quirk):
I suspect this xrdp behaviour caused Hydra to always assume any credential pair is valid, because the initial connection is always established.
To Reproduce
Steps to reproduce the behavior:
hydra -l root -p 'root' <linux_vm_ip> rdp
, using any username/password
Expected behavior
Ideally, Hydra reports a valid credential only if it can actually log into the Debian instance.
If xrdp is not officially supported, it would be great to have a way to detect and skip xrdp services so that Hydra doesn't generate false positive findings.
Desktop (please complete the following information):
openjdk:11-jdk-bullseye
as the base image, and installed via
apt-get install -y hydra
, which installed
libfreerdp2-2/now 2.3.0+dfsg1-2+deb11u1 amd64 [installed,local]
as part of the dependencies.