segfault ssh but only for certain targets #366

Closed
deargle opened this issue Oct 24, 2018 · 3 comments · Fixed by #367

deargle commented Oct 24, 2018

root@kali:/opt/thc-hydra# uname -a
Linux kali 4.18.0-kali1-amd64 #1 SMP Debian 4.18.6-1kali1 (2018-09-10) x86_64 GNU/Linux

root@kali:/opt/thc-hydra# echo "attacking metasploitable ssh login with known username:password msfadmin:msfadmin"
attacking metasploitable ssh login with known username:password msfadmin:msfadmin

root@kali:/opt/thc-hydra# hydra -V -l msfadmin -p msfadmin 192.168.55.102 ssh
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2018-10-24 16:44:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.55.102:22/
[ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 1 of 1 [child 0] (0/0)
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 2 of 2 [child 0] (1/1)
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 3 of 3 [child 0] (2/2)
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 4 of 4 [child 0] (3/3)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2018-10-24 16:44:20

root@kali:/opt/thc-hydra# ping 192.168.55.102
PING 192.168.55.102 (192.168.55.102) 56(84) bytes of data.
64 bytes from 192.168.55.102: icmp_seq=1 ttl=64 time=0.354 ms
^C
--- 192.168.55.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.354/0.354/0.354/0.000 ms

root@kali:/opt/thc-hydra# ssh msfadmin@192.168.55.102 hostname
msfadmin@192.168.55.102's password: 
metasploitable

deargle commented Oct 24, 2018

debug output:

root@kali:/opt/thc-hydra# hydra -V -d -l msfadmin -p msfadmin 192.168.55.102 ssh
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

[DEBUG] Output color flag is 1
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2018-10-24 16:47:20
[DEBUG] cmdline: hydra -V -d -l msfadmin -p msfadmin 192.168.55.102 ssh 
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.55.102:22/
[VERBOSE] Resolving addresses ... 
[DEBUG] resolving 192.168.55.102
[VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://msfadmin@192.168.55.102:22
[DEBUG] SSH method check: 00000006
[INFO] Successful, password authentication is supported by ssh://192.168.55.102:22
[DEBUG] Code: attack   Time: 1540414041
[DEBUG] Options: mode 0  ssl 0  restore 0  showAttempt 1  tasks 1  max_use 1 tnp 0  tpsal 0  tprl 0  exit_found 0  miscptr (null)  service ssh
[DEBUG] Brains: active 0  targets 1  finished 0  todo_all 1  todo 1  sent 0  found 0  countlogin 1  sizelogin 9  countpass 1  sizepass 9
[DEBUG] Target 0 - target 192.168.55.102  ip 192.168.55.102  login_no 0  pass_no 0  sent 0  pass_state 0  redo_state 0 (0 redos)  use_count 0  failed 0  done 0  fail_count 0  login_ptr msfadmin  pass_ptr msfadmin
[DEBUG] Task 0 - pid 0  active 0  redo 0  current_login_ptr (null)  current_pass_ptr (null)
[DEBUG] Tasks 1 inactive  0 active
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 6653
[DEBUG] head_no 0 has pid 6653
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin msfadmin, tpass msfadmin, logincnt 0/1, passcnt 0/1, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin msfadmin, cpass msfadmin, tlogin -p, tpass msfadmin, redo 0
[ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 1 of 1 [child 0] (0/0)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - child 0 - 1 of 1
[DEBUG] hydra_increase_fail_count: 1 >= 0 => disable
[DEBUG] - will be retried at the end: ip 192.168.55.102 - login msfadmin - pass msfadmin - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 6654
[DEBUG] head_no 0 has pid 6654
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 0, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass msfadmin, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target 192.168.55.102 - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 0, pass_state 0, clogin , cpass , tlogin -p, tpass msfadmin, redo 1
[DEBUG] Entering redo_state
[DEBUG] send_next_pair_init target 0, head 0, redo 1, redo_state 1, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass msfadmin, logincnt 1/1, passcnt 0/1, loop_cnt 2
[COMPLETED] target 192.168.55.102 - login "" - pass "" - child 0 - 1 of 2
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin msfadmin, cpass msfadmin, tlogin -p, tpass msfadmin, redo 1
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 2 of 2 [child 0] (1/1)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - child 0 - 2 of 1
[DEBUG] hydra_increase_fail_count: 2 >= 0 => disable
[DEBUG] - will be retried at the end: ip 192.168.55.102 - login msfadmin - pass msfadmin - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 6655
[DEBUG] head_no 0 has pid 6655
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 2, redo_state 2, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass msfadmin, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target 192.168.55.102 - login "" - pass "" - child 0 - 2 of 3
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin msfadmin, cpass msfadmin, tlogin -p, tpass msfadmin, redo 2
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 3 of 3 [child 0] (2/2)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - child 0 - 3 of 1
[DEBUG] hydra_increase_fail_count: 3 >= 0 => disable
[DEBUG] - will be retried at the end: ip 192.168.55.102 - login msfadmin - pass msfadmin - child 0
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 6656
[DEBUG] head_no 0 has pid 6656
[DEBUG] head_no[0] read n
[DEBUG] send_next_pair_init target 0, head 0, redo 3, redo_state 3, pass_state 0. loop_mode 0, curlogin , curpass , tlogin -p, tpass msfadmin, logincnt 1/1, passcnt 0/1, loop_cnt 1
[COMPLETED] target 192.168.55.102 - login "" - pass "" - child 0 - 3 of 4
[DEBUG] send_next_pair_mid done 1, pass_state 0, clogin msfadmin, cpass msfadmin, tlogin -p, tpass msfadmin, redo 3
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 4 of 4 [child 0] (3/3)
[DEBUG] children crashed! (0)
[DEBUG] head_no[0] read E
[ATTEMPT-ERROR] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - child 0 - 4 of 1
[DEBUG] hydra_increase_fail_count: 4 >= 0 => disable
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] child 0 got target 0 selected
[DEBUG] child 0 spawned for target 0 with pid 6657
[DEBUG] head_no 0 has pid 6657
[DEBUG] head_no[0] read n
[STATUS] attack finished for 192.168.55.102 (waiting for children to complete tests)
[DEBUG] head_no 0, kill 1, fail 0
[DEBUG] all targets done and all heads finished
[DEBUG] while loop left with 1
1 of 1 target completed, 0 valid passwords found
[DEBUG] killing all remaining children now that might be stuck
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2018-10-24 16:47:22


deargle commented Oct 26, 2018

figured out a lil bit how to gdb forked process:

Thread 2.1 "hydra" received signal SIGSEGV, Segmentation fault.
0x00007ffff74f7b40 in BN_is_odd () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) backtrace
#0  0x00007ffff74f7b40 in BN_is_odd () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
#1  0x00007ffff74f367f in BN_mod_exp () from /lib/x86_64-linux-gnu/libcrypto.so.1.1
#2  0x00007ffff78e5bc0 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#3  0x00007ffff78e5f3a in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#4  0x00007ffff78e19a9 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#5  0x00007ffff78e82b3 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#6  0x00007ffff78f1c60 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#7  0x00007ffff78f2158 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#8  0x00007ffff78fb868 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#9  0x00007ffff78f836c in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#10 0x00007ffff78f9249 in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#11 0x00007ffff78f932b in ?? () from /lib/x86_64-linux-gnu/libssh.so.4
#12 0x00007ffff78e2009 in ssh_connect () from /lib/x86_64-linux-gnu/libssh.so.4
#13 0x0000555555587d50 in start_ssh (s=-1, ip=0x5555555e8bc8 "\004\300\250\067f", port=22, 
    options=0 '\000', miscptr=0x0, fp=0x7ffff7431760 <_IO_2_1_stdout_>) at hydra-ssh.c:50
#14 0x000055555558815c in service_ssh (ip=0x5555555e8bc8 "\004\300\250\067f", sp=4, 
    options=0 '\000', miscptr=0x0, fp=0x7ffff7431760 <_IO_2_1_stdout_>, port=22, 
    hostname=0x5555555e7356 "192.168.55.102") at hydra-ssh.c:121
#15 0x000055555555d5fa in hydra_spawn_head (head_no=0, target_no=0) at hydra.c:1172
#16 0x0000555555568b5d in main (argc=7, argv=0x7fffffffe278) at hydra.c:3698

deargle changed the title from "hydra does not find ssh password" to "segfault ssh but only for certain targets" on Oct 26, 2018

deargle commented Oct 26, 2018

Fixed it, but don't fully understand how. Something to do with openssl version thread initialization process not being thread safe 🤷 https://stackoverflow.com/a/52646033/5917194

I added ssh_init(); to hydra-ssh.c:34 and now it works.
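
The first run in this thread reports "0 valid passwords found" for a password that is valid, because the child process crashed before the target ever judged it. The added example below (not part of the issue thread or of Hydra's code) classifies a run from its output so that such a result is not read as a real negative; the verdict names and the "retried" heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Line shapes are the ones visible in the Hydra output quoted in this issue.
PAIR = re.compile(r'\[(ATTEMPT|REDO-ATTEMPT|ATTEMPT-ERROR)\] target (\S+) - '
                  r'login "([^"]*)" - pass "([^"]*)"')
CRASH = re.compile(r'\[DEBUG\] children crashed!')
SUMMARY = re.compile(r'(\d+) valid passwords? found')

def triage(output):
    """Classify a run as 'clean', 'retried' or 'child-crash' (hypothetical names)."""
    runs, errors = Counter(), Counter()
    redone, crashes, found = set(), 0, None
    for line in output.splitlines():
        m = PAIR.search(line)
        if m:
            kind, pair = m.group(1), m.groups()[1:]   # pair = (target, login, pass)
            if kind == "ATTEMPT-ERROR":
                errors[pair] += 1
            else:
                runs[pair] += 1                       # first try or a redo
                if kind == "REDO-ATTEMPT":
                    redone.add(pair)
        elif CRASH.search(line):
            crashes += 1
        elif SUMMARY.search(line):
            found = int(SUMMARY.search(line).group(1))
    # Every execution of the pair ended in an error, so the target never judged it.
    unanswered = sorted(p for p in runs if errors[p] >= runs[p])
    # Heuristic (assumption): without -d only the re-queueing of a pair is visible.
    verdict = "child-crash" if crashes or unanswered else "retried" if redone else "clean"
    return {"verdict": verdict, "found": found, "crashes": crashes,
            "unanswered": unanswered, "redone": sorted(redone)}

# Shortened excerpts of the two runs posted above (-V -d, then -V only).
DEBUG_RUN = """\
[ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 1 of 1 [child 0] (0/0)
[DEBUG] children crashed! (0)
[ATTEMPT-ERROR] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - child 0 - 1 of 1
1 of 1 target completed, 0 valid passwords found
"""
PLAIN_RUN = """\
[ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 1 of 1 [child 0] (0/0)
[REDO-ATTEMPT] target 192.168.55.102 - login "msfadmin" - pass "msfadmin" - 2 of 2 [child 0] (1/1)
1 of 1 target completed, 0 valid passwords found
"""

if __name__ == "__main__":
    print(triage(DEBUG_RUN)["verdict"], triage(PLAIN_RUN)["verdict"])
```

A "child-crash" or "retried" verdict means the summary line says nothing about the credentials; rerun with -d and inspect the child process, as was done with gdb above, before trusting the result.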
