4

I am trying to use Hydra to brute force an HTTP POST form page; however, the page is returning an HTTP Continuation, and I'm not sure what that is.

This is being caused by the HTTP/1.0 at the top of the request. I'm not sure how to change it to HTTP/1.1 which would fix the issue.

Also, is there a way to change the order of HTTP headers? And is there an alternative to Hydra that actually has good support for this?

EDIT: Sorry, I didn't give enough information. I'm using Wireshark to track the requests that Hydra is sending. It is showing a sequence of packets like this:

```
src            dst            prot   info
my computer    login server   HTTP   POST /login
login server   my computer    HTTP   Continuation
```

And if I examine the response, it contains only the lower half of the HTML document in the response. However, using Burpsuite to send the requests, I can somehow see the whole HTML document in the response.

I have tried enabling and disabling Allow subdissector to reassemble TCP streams, which doesn't change anything.

This is really confusing. Does anybody know what's going on??

sunny-lan
  • Where are you seeing 'HTTP Continuation'? That's not in the HTTP spec. – David Jan 09 '18 at 02:13
  • *"..HTTP Continuation.."* - are you talking about an `HTTP/1.1 100 continue` response? Changing HTTP version will not help. If this response is coming, the server is not following the standard anyway, since it should only be sent if the client is sending the appropriate `Expect: 100-continue` header to show that it can deal with this response. – Steffen Ullrich Jan 09 '18 at 07:13
  • @David Not either of those. It seems to be from TCP – sunny-lan Jan 11 '18 at 03:06
  • I think you are misinterpreting something. It is most likely what @David or Steffen Ullrich said. Maybe show a screenshot of the continuation response so we can verify? – Nico Mar 12 '18 at 07:26

1 Answer

1

Hydra's HTTP Form module only uses HTTP/1.0 as can be seen in the source. You could probably modify the source to send HTTP/1.1, though I can't guarantee its implementation is otherwise conforming. I've never seen a server which absolutely refuses to speak HTTP/1.0, and many tools use it by default, like wget.

The Continuation you see in Wireshark is because the full HTTP response is not contained in that packet. There should be a previous packet (if you captured it) that has the beginning of the HTTP response.

If you need a tool to test an application for HTTP passwords and need to speak HTTP/1.1, I believe ncrack supports that.

David
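The answer's point about the Continuation label, shown as an added example that is not part of the original answer: a Python sketch over a constructed HTTP/1.0 response split across TCP segments. `label`, `reassemble` and `parse_response` are hypothetical helpers, and `label` only approximates what a per-packet dissector can recognise.

```python
# Constructed sample: one HTTP/1.0 response split over TCP segments, given as
# (relative sequence number, payload). Not captured from a real host.
BODY = b"<html><head><title>Login</title></head><body>" + b"x" * 60 + b"</body></html>"
HEAD = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(BODY)
RAW = HEAD + BODY
SEGMENTS = [
    (1, RAW[:80]),
    (81, RAW[80:130]),
    (81, RAW[80:130]),   # retransmission of the previous segment
    (131, RAW[130:]),
]

def label(payload):
    """Assumed stand-in for per-packet dissection: only a segment that starts
    with a status line is recognisable as the beginning of an HTTP response."""
    return "HTTP response" if payload.startswith(b"HTTP/") else "Continuation"

def reassemble(segments, first_seq=1):
    """Order segments by sequence number, drop retransmitted bytes, stop at a gap."""
    stream, next_seq = b"", first_seq
    for seq, data in sorted(segments):
        if seq > next_seq:
            break  # missing segment: capture started late or a packet was lost
        overlap = next_seq - seq
        if overlap < len(data):
            stream += data[overlap:]
            next_seq = seq + len(data)
    return stream

def parse_response(stream):
    """Split a byte stream into status line and body; None if no header block."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    expected = int(headers.get("content-length", len(body)))
    return {"status": lines[0], "body": body, "complete": len(body) >= expected}

if __name__ == "__main__":
    for seq, data in SEGMENTS:
        print(seq, len(data), label(data))
    # The last segment alone is only the tail of the HTML and does not parse.
    print("last segment alone:", parse_response(SEGMENTS[-1][1]))
    full = parse_response(reassemble(SEGMENTS))
    print("reassembled:", full["status"], len(full["body"]), full["complete"])
```
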