MSSQL module has an undocumented username and password length limit

[pv2b]

The MSSQL module has an undocumented and silent username and password limit of 30 characters.

See here: https://github.com/vanhauser-thc/thc-hydra/blob/master/hydra-mssql.c#L68-L71

It just chops the password off without any warning to the user. I've not yet tried recompiling the code with a higher limit (maybe there are other protocol reasons for this limit?) but that might be worth trying for anyone who needs to explore brute forcing characters longer than 30 characters on MSSQL.

[vanhauser-thc]

maybe that comes from a time when that was the max password length? maybe it still is? I don't know, I didn't write the module :)

[pv2b]

Thank you for the feedback. Can you clarify what you meant though, did Hydra ever have a max password length of 30? Or are you suspecting maybe early versions of MSSQL had such a password limit?

[vanhauser-thc]

it could be that the limit was in early versions of the mssql database. or still is. I dont know.
I don't think there is a length limit for passwords in hydra itself. the modules can restrict the lengths themselves though like the mssql one.