Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix smb password expired vs account expired confusion #914

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

tothi
Copy link
Contributor

@tothi tothi commented Dec 5, 2023

  • If SMB password is MUST_CHANGE or EXPIRED, it is still valid, it is possible to change it remotely, so it should be returned as valid.
  • If the account is EXPIRED, it is no longer usable, even if the password is ok. It should be returned as invalid.

Testing is in this thread: https://twitter.com/an0n_r0/status/1731109539204710416

Originally Hydra returned valid if the account was expired but invalid if the password was expired. It is wrong, it should be exactly the opposite: valid if password was expired, but invalid if account was expired.

hydra-smb.c Outdated
@@ -1311,7 +1311,7 @@ int32_t start_smb(int32_t s, char *ip, int32_t port, unsigned char options, char
} else if (SMBerr == 0x000071) { /* password expired */
if (verbose)
fprintf(stderr, "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED\n", port, ipaddr_str, login);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think "Error" in that line is then not helpful? Maybe change it to "Information"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Absolutely, "Information" is much better.

@vanhauser-thc
Copy link
Owner

looks good just one minor nit

@vanhauser-thc
Copy link
Owner

@tothi can you please fix the "Error" string to "Information" so I can merge this? thanks you

@PoesJakals
Copy link

Carynw_ Instagram password

fixed logging (if found -> hydra_report to stdout with Information instead of Error)
@tothi
Copy link
Contributor Author

tothi commented Feb 29, 2024

added some logging fix. sorry for the super long delay, totally forgot it :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants