vanhauser-thc/thc-hydra

False positives in xrdp weak credential scanning

Open

#923 opened on Jan 10, 2024

Labels: enhancement, help wanted

Description

Describe the bug

When Hydra scans an xrdp service, it always reports any username/password pair used to be valid, while printing out an error "[ERROR] freerdp: The connection failed to establish." at the same time (even with the correct credential).

I've set up a Debian VM with xrdp. When I used Microsoft Remote Desktop to connect to it, the client behaviour was a bit unexpected (though I think it could be an x?rdp protocol quirk):

  1. If the credentials are correct, I can directly log into my Debian instance
  2. If the credentials are incorrect, the initial connection is still established, then I get redirected to the xorg login portal:

I suspect this xrdp behaviour caused Hydra to always assume any credential pair is valid, because the initial connection is always established.

To Reproduce

Steps to reproduce the behavior:

  1. Enable xrdp on a Linux VM: https://linuxize.com/post/how-to-install-xrdp-on-debian-10/
  2. Scan that VM with hydra: "hydra -l root -p 'root' <linux_vm_ip> rdp", using any username/password

Expected behavior

Ideally Hydra reports a valid credential only if it can actually log into the Debian instance. If xrdp is not officially supported, it would be great to have a way to detect and skip xrdp services so that Hydra doesn't generate false positive findings.

Desktop (please complete the following information):

  • OS: Hydra is running in a dockerized environment, using openjdk:11-jdk-bullseye as the base image, and installed via apt-get install -y hydra, which installed libfreerdp2-2/now 2.3.0+dfsg1-2+deb11u1 amd64 [installed,local] as part of the dependencies.
  • hydra version v9.1
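As an added triage example (not part of this issue or of Hydra's code): a small Python helper that reads the output of a single-target Hydra rdp run and flags it as suspect when the freerdp connection error described above appears next to reported hits, or when every pair tried was reported valid. The hit-line format is Hydra's own; the sample output, addresses and credentials are constructed.

```python
import re

# Hydra prints one line per credential it believes is valid, in this format
# (real Hydra output format): "[PORT][service] host: H   login: L   password: P"
HIT_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>\w+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>\S+)\s+password:\s+(?P<password>\S+)$"
)
# The error the issue reports appearing next to every "valid" xrdp hit.
FREERDP_ERR = "[ERROR] freerdp: The connection failed to establish."

def triage_rdp_run(lines, pairs_tried):
    """Classify the rdp hits of one single-target Hydra run.

    pairs_tried is how many login/password pairs Hydra attempted. The run is
    'suspect' if freerdp connection errors were printed alongside hits, or if
    every pair tried came back as valid: both are the xrdp symptom described
    in the issue, where the session opens before any credential is checked."""
    hits, errors = [], 0
    for line in lines:
        line = line.strip()
        if line == FREERDP_ERR:
            errors += 1
            continue
        m = HIT_RE.match(line)
        if m and m.group("service") == "rdp":
            hits.append((m.group("host"), m.group("login"), m.group("password")))
    suspect = bool(hits) and (errors > 0 or len(hits) >= pairs_tried)
    return {"hits": hits, "freerdp_errors": errors,
            "verdict": "suspect" if suspect else ("plausible" if hits else "no hits")}

# Constructed sample output (not captured from a real run): two pairs tried, both "valid".
XRDP_RUN = """
[DATA] attacking rdp://192.0.2.10:3389/
[ERROR] freerdp: The connection failed to establish.
[3389][rdp] host: 192.0.2.10   login: root   password: root
[ERROR] freerdp: The connection failed to establish.
[3389][rdp] host: 192.0.2.10   login: root   password: not-the-password
1 of 1 target successfully completed, 2 valid passwords found
""".splitlines()

# Constructed sample of an ordinary run: four pairs tried, one hit, no freerdp errors.
NORMAL_RUN = """
[DATA] attacking rdp://192.0.2.20:3389/
[3389][rdp] host: 192.0.2.20   login: admin   password: Winter2024
1 of 1 target successfully completed, 1 valid password found
""".splitlines()

if __name__ == "__main__":
    print(triage_rdp_run(XRDP_RUN, pairs_tried=2))    # verdict: suspect
    print(triage_rdp_run(NORMAL_RUN, pairs_tried=4))  # verdict: plausible
```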
