Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] HTTP-GET module with option A=MD5 use Basic Auth instead of Digest Auth #888

Open
bmos1 opened this issue Aug 30, 2023 · 5 comments
Open

[BUG] HTTP-GET module with option A=MD5 use Basic Auth instead of Digest Auth #888

bmos1 opened this issue Aug 30, 2023 · 5 comments

Comments

@bmos1
Copy link

bmos1 commented Aug 30, 2023

Describe the bug
Using hydra http-get module with the option A=MD5 (digest) should use Digest Auth only. However if you run hydra, you can find multiple Basic Auth attempts instead of Digest Auth only. Important note: It seems to be a threading issue, because the more tasks are running the more Basic Auth attempt can be seen. We have noticed a single Basic Auth attempt when running with options t 1 (single task). This is still not correct.

To Reproduce

  • Run hydra http-get module with option :A=MD5
  • Use passwords.txt file with 100K entries

Steps to reproduce the behavior:

  1. hydra -d -V -l root -P passwords.txt -F "http-get://10.10.10.10/cgi/login.cgi:A=MD5:F=You don't have permission to access this resource." &> hydra.debug
  2. grep -n "Basic " hydra.debug
  3. Authorization: Basic cm9vdDpiPDdwcnJSUDUj

Expected behavior
We expect to see Digest Auth only if we configure hydra http-get module with option :A=MD5.
grep -n "Basic " hydra.debug | wc -l
0
grep -n "Digest " hydra.debug
Authorization: Digest username="root"

Screenshots
None

Desktop (please complete the following information):

  • OS: Kali Linux 2023.3
  • hydra version v9.5 on Apple Silicon M1 / PRO

Additional context
None
@bmos1 bmos1 changed the title HTTP-GET module with option A=MD5 use Basic Auth instead of Digest Auth [BUG] HTTP-GET module with option A=MD5 use Basic Auth instead of Digest Auth Aug 30, 2023
@bmos1
Copy link
Author

bmos1 commented Aug 30, 2023
edited
Loading

The following line in hydra-http.c leads to to the described behavior. The http_buf may be NULL due to currency issues.

 // we must reset this if buf is NULL and we do MD5 digest
  if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5)
    http_auth_mechanism = AUTH_BASIC;

Here the unexpected result from option A=MD5 (Digest Auth) after a single run with less than 100K attempts:

$ AUTH="Digest"; COUNT=$(grep ": $AUTH " hydra.debug | wc -l); echo "Found $(($COUNT/2)) $AUTH Auth"
Found 6180 Digest Auth

$ AUTH="Basic"; COUNT=$(grep ": $AUTH "  hydra.debug | wc -l); echo "Found $(($COUNT/2)) $AUTH Auth"
Found 55527 Basic Auth

@bmos1
Copy link
Author

bmos1 commented Aug 30, 2023
edited
Loading

I found the reason for the strange behavior in the debug log. It seems that the http-get option :A=MD5 is NOT enforced. If the an attempt with Digest Auth doesn't return the response header WWW-Authenticate, the next try with the next password is an attempt with Basic Auth. That's a BUG, because the next password can only be used after an WWW-Authenticate has been received again. The Authorization method MUST NOT be changed if option :A=MD5 is configured.

  1. Attempt runs Digest Auth and returns 401 Unauthorized plus response header WWW-Authenticate

C:GET /cgi/login.cgi HTTP/1.0
Host: 10.10.10.10
Authorization: Digest username="root", realm="any", response="redacted", nonce="Y5YDCfrsBQA=29da8a2e52a381209cf118d80c56602efd6a0e7a", cnonce="hydra", nc=00000001, algorithm=MD5, qop=auth, uri="/cgi/login.cgi"
User-Agent: Mozilla/4.0 (Hydra)
Connection: keep-alive

S:HTTP/1.1 401 Unauthorized
Date: Tue, 08 Nov 2022 18:52:00 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/1.1.1u
WWW-Authenticate: Digest realm="any", nonce="7zoFCfrsBQA=9c1a7f589d39aeead60971666b5204ec2b622e46", algorithm=MD5, qop="auth"
Content-Length: 381

  1. Attempt runs Digest Auth and returns 403 Forbidden without response header WWW-Authenticate

C:GET /cgi/login.cgi HTTP/1.0
Host: 10.10.10.10
Authorization: Digest username="root", realm="any", response="redacted", nonce="zoBqCPrsBQA=92b4f4cf2ca196e7e0c12b8ec5c58d407b473565", cnonce="hydra", nc=00000001, algorithm=MD5, qop=auth, uri="/cgi/login.cgi"
User-Agent: Mozilla/4.0 (Hydra)
Connection: keep-alive

S:HTTP/1.1 403 Forbidden
Date: Tue, 08 Nov 2022 18:51:50 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/1.1.1u
Content-Length: 199
Connection: Keep-Alive

  1. Attempt runs Basic Auth due to the previous 403 Forbidden without response header WWW-Authenticate

C:GET /cgi/login.cgi HTTP/1.1
Host: 10.10.179.119
Connection: close
Authorization: Basic redacted
User-Agent: Mozilla/4.0 (Hydra)

@vanhauser-thc
Copy link
Owner

If you think there is a bug I will happily merge a PR from you :)

@protechq88
Copy link

✌️ ✌️ ✌️

@bmos1
Copy link
Author

bmos1 commented Sep 4, 2023
edited
Loading

You are right. If the server side responds with 403 Forbidden, the next request must start with new credentials and with Basic Auth. Anyways, if this request results in a 401 Unauthorized, hydra always should try the same credentials using configured MD5 Digest Auth.

If this is the case (untested), we can close the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vanhauser-thc @bmos1 @protechq88