Hello friends how are you today? I hope you are doing great and hacking stuff that you don’t know 😀 . So guys in this article we will be walking about Brute Force SSH and how you can do it in Kali Linux. This tutorial is going to be really simple and will be explaining everything that you need to know.
And for all those BugBounty Hunting guys out there I wanted to tell you that it is a valid bug report as many of the Researchers don’t pay much attention to this try of attacks and never report these so if you are reading out this do remember to check for the issue and make a report :).
What is SSH?
SSH is an acronym which stands for Secure Shell, which provides a secure shell access to a remote machine. This allow people to connect to a local and remote computer, and it comes readily installed in Linux/UNIX and it can be installed on Windows machine too. SSH also refers to the suite of utilities that implement the protocol or cryptogr1aphic network protocol.
Use of SSH?
SSH provides strong authentication and secures encrypted data communications between two computers connecting over an insecure network such as the Internet. It is used by all of the system and server administrators to connect to the remote machines and execute system commands, move, create and edit different files on the remote machine.
It uses RSA encryption algorithm which create an unbreakable tunnel between the client computer and to the remote computer and as we all know that nothing is unbreakable 😛 .
What is Brute Force:-
The above picture totally explains what Brute Force attack is :D. But let us take an other look and explain it in a much better way for you to understand.
Brute force attacks work by testing every possible combination that could be used as the password by the user and then testing it to see if it is the correct password. To see if the password is correct or not it check for any errors in the response from the server.
As the password’s length increases, the amount of time used to find the correct password also rapidly increases. That mean that short passwords are fairly easy to crack.
Also check out this:
Brute Force Recommended Method:-
So in many cases, it is recommended to use dictionary attack to brute force the correct password. In this method we provide the tools with the list of possible passwords to use against the target system until it get the correct password for the user.
This works if the user is using weak password like “123456” or “password” which is a not the case now a days but still some people do use passwords like this and there is a saying that:-
There is no fix for human stupidity.
So you can still find many people using these password combinations. may be your best friend is use it 😀 you never know.
This picture truly describe how brute force attack really work you try until it works.
Also Read: How To Setup Network Wide Ads Blocking
Brute Force SSH:-
So now you know what brute force attack is, let’s proceed to the next step. During this article, we will be using a dictionary attack to get the username and password for the remote ssh user.
In order to perform this attack, you will need a wordlist which has a good combination of words and commonly used password and the tools that we will try different combinations with each password.
A good resource for wordlists can be found over here PacketStorm.
There is also another way of creating your own wordlist like if you know the victim you can use there information such as his/her name, date of birth, parents name, children, pets and other information related to the victim and could be used against them.
An example of the password that might be like this “david0512” where david is there dads name, 05 the month 12 year of there birth.
A good program that allows you to compile this data into a wordlist is Ex0dus_0x’s D0xk1t, which you can find here.
You can also download other Wordlists from here:-
And if you are using Kali Linux then you can also find the default wordlist here:-
Scanning For SSH servers using NMAP:-
After setting up your attacking tools the next step to take after that is to find a server which is running SSH. What we can do to find that is use NMAP to scan for open port 22 as SSH services listen on port 22.
For finding the server running SSH locally we are going to scan the entire network 192.168.1.0/24 here is the NMAP command that you can use to scan all the computers.
nmap 192.168.1.0/24 -p22
Running On Remote Server:-
Now if we want to test the attack on a remote server then you will have to scan the server for open ports like SSH service here is how you can scan the remote server using NMAP.
nmap <target> -p22
How to Brute force SSH:-
So after all that talk I hope that you are bored to death 😀 😀 this is the part all of us were waiting for (including me :p) so now I will be talking about the tools that we will be using to perform the brute force attack.
So the first tools we will take a look at the most commonly and powerful tool Hydra. If you are using Kali Linux you will already have access to this tool. It have to versions, GUI and command line we will take a look at both.
Here is how you can get it installed on most Debian Linux.
sudo apt-get install hydra hydra-gtk
This can be installed with the Launchpad repository ppa:pi-rho/security
sudo add-apt-repository ppa:pi-rho/security sudo apt-get update sudo apt-get install hydra
Alternative Method :-
The alternative method that you can use to install this tool is this:-
tar -xvzf hydra-8.3.tar.gz
Now you can use the tool to perform the attack.
Here is the command that you will use to use Hydra.
[email protected]:~/Desktop# hydra -l root -P '/root/Desktop/500-worst-passwords.txt' 192.168.1.31 ssh
As you can see that Hydra have successfully cracked the password and you can use it to login to the system.
Here is the video explaning all the steps.
The second tool that we will use is called NCrack it is also included in Kali Linux and you can also install it on other Debian Distro
wget https://nmap.org/ncrack/dist/ncrack-0.5.tar.gz tar -xvzf ncrack-0.5.tar.gz cd ncrack-0.5 ./configure make make install
This will install NCrack on your system and then you can run it to crack the ssh password.
[email protected]:~/Desktop# ncrack -p 22 --user root -P '/root/Desktop/500-worst-passwords.txt' 192.168.1.31
Successfully found the password with NCrack! Here is the Video of the steps .
This is the last tool which can be used to brute force the login you can install it by following these steps:-
wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz tar -xvzf medusa-2.0.tar.gz cd medusa-2.0 ./configure make make install
Here is the command that is used to crack the password:-
[email protected]:~/Desktop# medusa -u root -P '/root/Desktop/500-worst-passwords.txt' -h 192.168.1.31 -M ssh
Success full attack 🙂 here is the video covering all the steps.
How to Protect from this attack?
The most recommended methods that you should use to protect from this attack are:-
- Run SSH on non-standard port.(Other then 22)
- Block SSH login for root user.
- Use Fail2Ban. (Will cover in future post)
- Limit user login attempts.
What we Learned !!!!
So what did we learned from all this? Never use weak password 😀 seriously never use weak passwords.
And on the other hand, we have learned how you can use different tools to test and exploit this issue.
I hope that you have enjoyed the article and if you have any problem do let us know in the comments section below we will gladly help and resolve your issue.