Learn how to use Hydra to Brute-force SSH. Hydra is one of the favorite tools in a whitehats toolkit. It is an excellent tool for performing brute force attacks and can be used from a red team perspective to break into systems as well as from a blue team perspective to audit and test ssh passwords against common password lists like rockyou.txt and crackstation wordlists.
Note : This guide is purely for educational purposes. We do not claim liability for any property damages caused with the use of the knowledge gained from this guide.
What is Hydra?
Hydra is an open-source tool that allows us to perform various kinds of brute force attacks using wordlists. It comes by default with all Pentesting Distros like Kali Linux. However, it can also be installed with the apt command as follows:
In case the package is not found, or you run into an error, you can also refer to the Github repo and install it using the specified instructions.
How to Use Hydra?
Hydra offers a lot of functionality which can be easily displayed with :
However, in our case we will be dealing with the following four primary flags :
- -l -> Specify a username to use during brute force attack
- -L -> Specify a wordlist of usernames to be used during the bruteforce attack
- -p -> Specify a password to use during brute force attack
- -P -> Specify a wordlist of passwords to be used during the bruteforce attack
The basic syntax of hydra is :
Brute-force SSH Usernames and Passwords with Hydra
While trying to brute-force ssh credentials there are 3 possible combinations:
- Bruteforcing Passwords
- Bruteforcing Usernames
- Bruteforcing Passwords and Usernames
First things first we would need wordlists for our brute-force attack. You can fetch some well knows wordlists with wordlistctl and once you have your wordlist ready, we can move on !
1. Bruteforcing Passwords
To brute-force ssh passwords with a known username, the syntax is :
2. Bruteforcing Username
To brute-force ssh usernames with a known password, the syntax is :
3. Bruteforcing Both Usernames And Passwords
If you do not know both the username and the password, the syntax is as follows:
Some Special Flags
Sometimes we have some special conditions and we need to orchestrate our attack according to that. In this section, we will discuss some special flags which helps us to customize our attacks.
1. Change The Number Of Threads
By default, hydra runs 16 threads but we can change the value of the same with the -t flag as such :
2. Change The Port Number
Sometimes, sysadmins change the ssh port number from the default 22 to some other port. Hence, to use a different port number, we use the -s flag as :
3. Brute Forcing A List Of IPs
Just like we can bruteforce a list of usernames and passwords, we can also brute-force ssh IPs from a list using the -M flag :
We can also enable a more verbose output with the -V flag. Also, sometimes the users/sysadmins leave certain obvious passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. A popular trio that goes with this flag are the letters ‘nsr’, where ‘n’ stands for null and tries to log in without any flag at all, ‘s‘ stands for same, i.e, it uses the username itself as a password while ‘r‘ tries the reversed username as a potential password. The syntax for this should look like this :
Hydra can be a pretty powerful tool when you want to brute-force ssh connections and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around stuff you are not meant to and the users alone are accountable for their actions.
You may also enjoy reading, The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- Musk Confirms Twitter 2.0 will Bring End-to-End Encryption to Direct Messages - 28 November 2022
- UK bans Chinese CCTV cameras at ‘sensitive’ government locations - 26 November 2022
- Chrome Update: Exploited Zero-Day Vulnerability fixed by Google, the 8th this year - 25 November 2022