
False positives in xrdp weak credential scanning #923

Open
maoning opened this issue Jan 10, 2024 · 5 comments

Comments

@maoning

maoning commented Jan 10, 2024

Describe the bug
When Hydra scans an xrdp service, it always reports any username/password pair used as valid, while at the same time printing the error [ERROR] freerdp: The connection failed to establish. (even with the correct credentials).

I've set up a Debian VM with xrdp. When I used Microsoft Remote Desktop to connect to it, the client behaviour was a bit unexpected (though I think it could be an x?rdp protocol quirk):

  1. If the credentials are correct, I can directly log into my Debian instance.
  2. If the credentials are incorrect, the initial connection is still established, then I get redirected to the Xorg login portal:
(two screenshots attached, taken 2024-01-10 at 10:33 AM)

I suspect this xrdp behaviour caused Hydra to always assume any credential pair is valid, because the initial connection is always established.

To Reproduce

Steps to reproduce the behavior:

  1. Enable xrdp on a Linux VM: https://linuxize.com/post/how-to-install-xrdp-on-debian-10/
  2. Scan that VM with Hydra: hydra -l root -p 'root' <linux_vm_ip> rdp, using any username/password

Expected behavior
Ideally, Hydra would report a valid credential only if it can actually log into the Debian instance.
If xrdp is not officially supported, it would be great to have a way to detect and skip xrdp services so that Hydra doesn't generate false positive findings.

Desktop (please complete the following information):

  • OS: Hydra is running in dockerized environment, using openjdk:11-jdk-bullseye as the base image, and installed via apt-get install -y hydra, which installed libfreerdp2-2/now 2.3.0+dfsg1-2+deb11u1 amd64 [installed,local] as part of the dependencies.
  • hydra version v9.1
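A triage step for the symptom described above, added here as an example and not code from the issue or from Hydra itself: it parses Hydra's per-finding output lines and flags any rdp target where every attempted pair came back "valid", which is exactly what an xrdp server produces. The finding-line layout, the host addresses and the credential list are assumed/constructed for this example.

```python
import re
from collections import defaultdict

# Hydra prints one line per credential pair it believes is valid; the layout
# matched here is assumed for this example, following the usual form
#   [3389][rdp] host: 10.0.0.5   login: root   password: root
FINDING_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>\S*)\s+password:\s+(?P<password>\S*)\s*$"
)

def parse_findings(output):
    """Map (host, port, service) -> set of (login, password) reported valid."""
    found = defaultdict(set)
    for line in output.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            key = (m["host"], int(m["port"]), m["service"])
            found[key].add((m["login"], m["password"]))
    return found

def classify_rdp_results(output, attempted_pairs, min_attempts=3):
    """Label each rdp target 'suspect' when every attempted pair was reported
    valid (the xrdp symptom from this issue), otherwise 'plausible'.
    min_attempts avoids flagging a target after one or two genuine hits."""
    attempted = set(attempted_pairs)
    verdicts = {}
    for (host, _port, service), pairs in parse_findings(output).items():
        if service != "rdp":
            continue
        all_accepted = len(attempted) >= min_attempts and pairs >= attempted
        verdicts[host] = "suspect" if all_accepted else "plausible"
    return verdicts

# Constructed sample: four pairs tried against two hosts. 10.0.0.5 behaves like
# the xrdp server in the report (every pair "valid"); 10.0.0.6 accepts one pair.
ATTEMPTED = [("root", "root"), ("root", "toor"), ("admin", "admin"), ("guest", "guest")]
SAMPLE_OUTPUT = """\
[DATA] attacking rdp://10.0.0.5:3389/
[3389][rdp] host: 10.0.0.5   login: root   password: root
[3389][rdp] host: 10.0.0.5   login: root   password: toor
[3389][rdp] host: 10.0.0.5   login: admin   password: admin
[3389][rdp] host: 10.0.0.5   login: guest   password: guest
[3389][rdp] host: 10.0.0.6   login: admin   password: admin
"""

if __name__ == "__main__":
    for host, verdict in sorted(classify_rdp_results(SAMPLE_OUTPUT, ATTEMPTED).items()):
        print(f"{host}: {verdict}")
```

A "suspect" host is one to re-check by hand (for example with the xfreerdp auth-only command mentioned later in this thread) before treating any of its pairs as a confirmed weak credential.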
@vanhauser-thc
Owner

why are you creating an issue for an outdated version of hydra? please try the current version.

@maoning
Author

maoning commented Jan 11, 2024

I've tried hydra v9.5 today; it no longer prints out [ERROR] freerdp: The connection failed to establish., but the overall behaviour is the same. Hydra always reports credentials found when scanning an xrdp service.

@vanhauser-thc
Owner

ah damn I hoped the various fixes were enough for your case.
do you have a Dockerfile for such an RDP instance so I can easily check this?

@maoning
Author

maoning commented Jan 12, 2024

I found https://github.com/satishweb/docker-xrdp that can be used to reproduce this issue. My original testing was done by setting up xrdp on a GCP VM. Both work the same way.

@vanhauser-thc
Owner

I looked into this and this seems to be a change on the server side. libfreerdp does not know if a connection was successful or not.

you can try this yourself:
xfreerdp /u:guest /p:PASSWORD /v:localhost +auth-only
now if PASSWORD is correct this will show exactly the same response and error code as when PASSWORD is incorrect.

maybe there is some magic in libfreerdp one can do to identify if a real session is active or another login window or error window is present. but I don't have enough of a clue about RDP to be able to do that with the limited amount of time that I have.

Someone with time needs to look into this.
