learn cybersecurity
Learn how to use Hydra to Brute-force SSH. Hydra is one of the favorite tools in a whitehats toolkit. It is an excellent tool for performing brute force attacks and can be used from a red team perspective to break into systems as well as from a blue team perspective to audit and test ssh passwords against common password lists like rockyou.txt and crackstation wordlists.
Note : This guide is purely for educational purposes. We do not claim liability for any property damages caused with the use of the knowledge gained from this guide.
Hydra is an open-source tool that allows us to perform various kinds of brute force attacks using wordlists. It comes by default with all Pentesting Distros like Kali Linux. However, it can also be installed with the apt command as follows:
$ sudo apt install hydra |
In case the package is not found, or you run into an error, you can also refer to the Github repo and install it using the specified instructions.
Hydra offers a lot of functionality which can be easily displayed with :
$ hydra -h |
However, in our case we will be dealing with the following four primary flags :
The basic syntax of hydra is :
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]] |
While trying to brute-force ssh credentials there are 3 possible combinations:
First things first we would need wordlists for our brute-force attack. You can fetch some well knows wordlists with wordlistctl and once you have your wordlist ready, we can move on !
To brute-force ssh passwords with a known username, the syntax is :
$ hydra -l <username> -P <path to wordlist> <IP> ssh |
To brute-force ssh usernames with a known password, the syntax is :
$ hydra -L <path to wordlist> -p <password> <IP> ssh |
If you do not know both the username and the password, the syntax is as follows:
$ hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh |
Sometimes we have some special conditions and we need to orchestrate our attack according to that. In this section, we will discuss some special flags which helps us to customize our attacks.
By default, hydra runs 16 threads but we can change the value of the same with the -t flag as such :
$ hydra -l <username> -P <path to wordlist> <IP> -t <number of threads> ssh |
Sometimes, sysadmins change the ssh port number from the default 22 to some other port. Hence, to use a different port number, we use the -s flag as :
$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh |
Just like we can bruteforce a list of usernames and passwords, we can also brute-force ssh IPs from a list using the -M flag :
$ hydra -l <username> -P <path to wordlist> -M <path to Ip list> ssh |
We can also enable a more verbose output with the -V flag. Also, sometimes the users/sysadmins leave certain obvious passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. A popular trio that goes with this flag are the letters ‘nsr’, where ‘n’ stands for null and tries to log in without any flag at all, ‘s‘ stands for same, i.e, it uses the username itself as a password while ‘r‘ tries the reversed username as a potential password. The syntax for this should look like this :
$ hydra -l <username> -P <path to wordlist> <IP> -V -e nsr ssh |
Hydra can be a pretty powerful tool when you want to brute-force ssh connections and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around stuff you are not meant to and the users alone are accountable for their actions.
You may also enjoy reading, The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
This post was last modified on 11 February 2022 8:28 PM
British high street chain WH Smith has recently revealed that it was hit by a…
As banks worldwide roll out Voice ID as a means of user authentication over the…
In the era of digital transformation, cybersecurity has become a major concern for businesses. When…
In today's digital age, cybersecurity threats have become a significant concern for businesses of all…
The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…
One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…
Leave a Comment