Security Basics mailing list archives

Re: THC Hydra and HTTP brute-force cracking


From: Martin T <m4rtntns () gmail com>
Date: Sun, 3 Apr 2011 05:20:53 +0200

David,
ok, looking forward to Hydra 6.2 :)


Jérôme,
yes, looks like the HTTP server running on the router does not support
HEAD requests, as I get "Connection closed by foreign host" right away
if I telnet to the httpd port on the router and make a HEAD request. Most
likely it would be smart to check the HTTP server's support for HEAD
requests before attacking it. However, thanks for clarifying the
differences between the HTTP HEAD and GET requests.


regards,
martin


2011/4/1 Jérôme Nokin <jerome () wallaby be>:
Hi Martin,

You are maybe misunderstanding something. Just to be sure..

Even if the credential information will be added into the "header" of
the HTTP request, it is not related to the use of the http-head or http-get
plugin.

In the HTTP protocol, "HEAD" is a method like "GET", "POST", "PUT", ...
HEAD is like GET, but without providing the body of the answer (thus,
using http-head should be faster than http-get).

Try "telnet www.google.com 80" , then "GET / HTTP/1.0" + return + return

Now try the same telnet but with HEAD method "HEAD / HTTP/1.0" + return
+return
You will see the difference.

Regarding your device, maybe it doesn't support the HEAD method (?).
Actually I've never used http-head.

Good luck,
Jérôme

When should one use http-head? In addition, I have read many people
complaining (mainly in backtrack-linux.org/forums) about the "-t" feature
in hydra, as it runs by default 16 parallel tasks simultaneously and
may skip passwords in the password file. Jérôme mentioned this as well. Is
there a fix for this or is it a hydra bug at all?


regarding,
martin
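
The HEAD/GET difference discussed in this thread, as an added example that is not part of the original messages: it sends the same raw HTTP/1.0 requests one would type into telnet to two throwaway loopback servers. `FullHandler`, `GetOnlyHandler`, `raw_request` and `compare` are hypothetical names, and `GetOnlyHandler` is only an assumed stand-in for a device that closes the connection on HEAD.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"<html>constructed test page</html>"  # constructed sample body

class FullHandler(BaseHTTPRequestHandler):
    """Hypothetical server that answers both GET and HEAD."""
    def _headers(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
    def do_GET(self):
        self._headers()
        self.wfile.write(BODY)
    def do_HEAD(self):
        self._headers()  # same status line and headers, no body
    def log_message(self, *args):
        pass  # keep the demo quiet

class GetOnlyHandler(FullHandler):
    """Hypothetical stand-in for the router: closes on HEAD without replying."""
    def do_HEAD(self):
        pass  # HTTP/1.0 connection is closed after the handler returns

def raw_request(port, method):
    """Send the same request one would type into telnet; return (status, body)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(f"{method} / HTTP/1.0\r\n\r\n".encode())
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    return (head.split(b"\r\n")[0].decode() if head else None), body

def compare(handler):
    """Start a throwaway server on a free loopback port and try both methods."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_address[1]
        return {m: raw_request(port, m) for m in ("GET", "HEAD")}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for name, handler in (("full", FullHandler), ("get-only", GetOnlyHandler)):
        print(name, compare(handler))
```

A status of `None` with an empty body corresponds to the "Connection closed by foreign host" behaviour seen over telnet.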



