vanhauser-thc / thc-hydra

hydra
GNU Affero General Public License v3.0

Can't connect via SSH when brute-forcing on MAC (valid pass) #376

Closed jansramek closed 5 years ago

jansramek commented 5 years ago

Can't find password even with raw valid pass on input on MAC OS Mojave (Same command works properly on Kali)

MAC terminal

```
hydra -F -V -l root -t 1 -p GFAGFDgfSADF 192.168.1.30 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-13 14:14:47
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.1.30:22/
[ATTEMPT] target 192.168.1.30 - login "root" - pass "GFAGFDgfSADF" - 1 of 1 [child 0] (0/0)
[REDO-ATTEMPT] target 192.168.1.30 - login "root" - pass "GFAGFDgfSADF" - 2 of 2 [child 0] (1/1)
[REDO-ATTEMPT] target 192.168.1.30 - login "root" - pass "GFAGFDgfSADF" - 3 of 3 [child 0] (2/2)
[REDO-ATTEMPT] target 192.168.1.30 - login "root" - pass "GFAGFDgfSADF" - 4 of 4 [child 0] (3/3)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-13 14:14:50
```

Target auth.log

```
Nov 13 13:19:34 localhost sshd[28036]: Received disconnect from 196.245.151.20: 11: Bye Bye [preauth]
Nov 13 13:19:35 localhost sshd[28038]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:19:35 localhost sshd[28040]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:19:35 localhost sshd[28042]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:19:36 localhost sshd[28044]: Connection closed by 196.245.151.20 [preauth]
```

(IPs are replaced...)
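A defender-side view of the auth.log excerpt above, as an added example that is not part of the original issue or of hydra: the excerpt contains only `[preauth]` disconnects and no `Failed password` entries, so a rule keyed on failed passwords alone would not flag this source. The threshold, window, assumed year, IPv4-only matching and the two lines from documentation addresses are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the five auth.log lines from the report above, plus two
# constructed lines from documentation addresses for contrast.
SAMPLE_AUTH_LOG = """\
Nov 13 13:19:34 localhost sshd[28036]: Received disconnect from 196.245.151.20: 11: Bye Bye [preauth]
Nov 13 13:19:35 localhost sshd[28038]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:19:35 localhost sshd[28040]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:19:35 localhost sshd[28042]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:19:36 localhost sshd[28044]: Connection closed by 196.245.151.20 [preauth]
Nov 13 13:22:10 localhost sshd[28090]: Connection closed by 198.51.100.9 [preauth]
Nov 13 13:25:02 localhost sshd[28101]: Failed password for root from 203.0.113.7 port 50514 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only (assumption for brevity)
PREAUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Connection closed by|Received disconnect from) "
    r"(?:(?:invalid|authenticating) user \S+ )?" + IPV4 + r"\b.*\[preauth\]\s*$")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4)

def failed_password_sources(log_text):
    """Sources that a rule keyed only on 'Failed password' would see."""
    return dict(Counter(m["ip"] for m in map(FAILED.search, log_text.splitlines()) if m))

def preauth_bursts(log_text, threshold=4, window=timedelta(seconds=10), year=2018):
    """Return {ip: n} for sources with n >= threshold preauth closes in one window."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = PREAUTH.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            seen[m["ip"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    flagged = {}
    for ip, times in seen.items():
        times.sort()
        lo = best = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print("failed-password rule sees:", failed_password_sources(SAMPLE_AUTH_LOG))
    print("preauth-burst rule sees:  ", preauth_bursts(SAMPLE_AUTH_LOG))
```
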

MarkCumminsIRL commented 5 years ago

I've the same issue using latest hydra, tried with Parrot OS, Kali, and clean install on Ubuntu, all without success. Testing against de-ice 1.100 VM. Any ideas?

vanhauser-thc commented 5 years ago

@jansramek @MarkCumminsIRL

What is the libssh-dev version that you are using? And can you please paste the full output of

hydra -l root -p -v -d ssh://

(search-replace the password if it's a publicly reachable system!)

EDIT: and please also paste a "ssh root@" output to verify it is possible to logon

jansramek commented 5 years ago

libssh-dev

```
brew info libssh
libssh: stable 0.8.4 (bottled), HEAD
C library SSHv1/SSHv2 client and server protocols
https://www.libssh.org/
/usr/local/Cellar/libssh/0.8.4 (21 files, 1.3MB) *
  Poured from bottle on 2018-11-13 at 12:44:31
```

hydra -l root -p REPLACED_PASS -v -d ssh://REPLACED_HOST

```
hydra -l root -p REPLACED_PASS -v -d ssh://REPLACED_HOST
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

[DEBUG] Ouput color flag is 0
Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-14 12:03:35
[DEBUG] cmdline: hydra -l root -p REPLACED_PASS -v -d ssh://REPLACED_HOST
[DEBUG] opt:7 argc:8 mod:ssh tgt:REPLACED_HOST port:0 misc:(null)
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://REPLACED_HOST:22/
[VERBOSE] Resolving addresses ...
[DEBUG] resolving REPLACED_HOST
[VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@REPLACED_HOST:22
[INFO] Successful, password authentication is supported by ssh://REPLACED_HOST:22
[DEBUG] Code: attack Time: 1542193416
[DEBUG] Options: mode 0 ssl 0 restore 0 showAttempt 0 tasks 1 max_use 1 tnp 0 tpsal 0 tprl 0 exit_found 0 miscptr (null) service ssh
[DEBUG] Brains: active 0 targets 1 finished 0 todo_all 1 todo 1 sent 0 found 0 countlogin 1 sizelogin 5 countpass 1 sizepass 21
[DEBUG] Target 0 - target REPLACED_HOST ip REPLACED_HOST login_no 0 pass_no 0 sent 0 pass_state 0 redo_state 0 (0 redos) use_count 0 failed 0 done 0 fail_count 0 login_ptr root pass_ptr REPLACED_PASS
[DEBUG] Task 0 - pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ptr (null)
[DEBUG] Tasks 1 inactive 0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 9899
[DEBUG] head_no 0 has pid 9899
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin root, tpass REPLACED_PASS, logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin root, cpass REPLACED_PASS, tlogin -p, tpass REPLACED_PASS, redo 0
[ATTEMPT] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - 1 of 1 [child 0] (0/0)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - child 0 - 1 of 1
[DEBUG] hydra_increase_fail_count: 1 >= 0 => disable
[DEBUG] - will be retried at the end: ip REPLACED_HOST - login root - pass REPLACED_PASS - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 9900
[DEBUG] head_no 0 has pid 9900
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 0, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass REPLACED_PASS, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target REPLACED_HOST - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 0, pass_state 0, clogin , cpass , tlogin -p, tpass REPLACED_PASS, redo 1
[DEBUG] Entering redo_state
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 1, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass REPLACED_PASS, logincnt 1/1, passcnt 0/1, loop_cnt 2
[COMPLETED] target REPLACED_HOST - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin root, cpass REPLACED_PASS, tlogin -p, tpass REPLACED_PASS, redo 1
[REDO-ATTEMPT] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - 2 of 2 [child 0] (1/1)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - child 0 - 2 of 1
[DEBUG] hydra_increase_fail_count: 2 >= 0 => disable
[DEBUG] - will be retried at the end: ip REPLACED_HOST - login root - pass REPLACED_PASS - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 9901
[DEBUG] head_no 0 has pid 9901
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 2, redo_state 2, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass REPLACED_PASS, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target REPLACED_HOST - login "" - pass "" - child 0 - 2 of 3
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin root, cpass REPLACED_PASS, tlogin -p, tpass REPLACED_PASS, redo 2
[REDO-ATTEMPT] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - 3 of 3 [child 0] (2/2)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - child 0 - 3 of 1
[DEBUG] hydra_increase_fail_count: 3 >= 0 => disable
[DEBUG] - will be retried at the end: ip REPLACED_HOST - login root - pass REPLACED_PASS - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 9902
[DEBUG] head_no 0 has pid 9902
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 3, redo_state 3, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass REPLACED_PASS, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target REPLACED_HOST - login "" - pass "" - child 0 - 3 of 4
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin root, cpass REPLACED_PASS, tlogin -p, tpass REPLACED_PASS, redo 3
[REDO-ATTEMPT] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - 4 of 4 [child 0] (3/3)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target REPLACED_HOST - login "root" - pass "REPLACED_PASS" - child 0 - 4 of 1
[DEBUG] hydra_increase_fail_count: 4 >= 0 => disable
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 9903
[DEBUG] head_no 0 has pid 9903
[DEBUG] head_no[0] read n
[STATUS] attack finished for REPLACED_HOST (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target completed, 0 valid passwords found
[DEBUG] killing all remaining childs now that might be stuck
Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-14 12:03:38
```

ssh root@REPLACED_HOST

```
ssh root@REPLACED_HOST
root@REPLACED_HOST's password:
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
You have new mail.
Last login: Tue Nov 13 13:17:10 2018 from 196.245.151.20
root@vps:~#
```

vanhauser-thc commented 5 years ago

@jansramek OK ... this is in the output:

[DEBUG] children crashed! (0)

This means that libssh segfaults. Could it be that you have a different libssh installed and it is compiled with one but run with another?

I have never seen this issue, so I can't really help you there. Recommendation: uninstall the libssh from brew, download libssh from libssh.org, compile and install - and then it should work.

jansramek commented 5 years ago

> Recommendation: uninstall the libssh from brew, download libssh from libssh.org, compile and install - and then it should work.

Confirmed that this really fixed the problem. Thank you.

vanhauser-thc commented 5 years ago

I updated the README compile section to recommend this. Thanks.