How to use Hydra to Brute-Force SSH Connections?

Brute Force SSH Using Hydra

Let’s learn to Brute-force SSH Using Hydra. Hydra is one of the favorite tools in a hacker’s toolkit. It is an excellent tool for performing brute force attacks and can be used from a red team perspective to break into systems as well as from a blue team perspective to audit and test ssh passwords against common password lists like rockyou.txt and crackstation wordlists.

Note : This guide is purely for educational purposes. We do not claim liability for any property damages caused with the use of the knowledge gained from this guide.

What is Hydra?

Hydra is an open-source tool that allows us to perform various kinds of brute force attacks using wordlists. It comes by default with all Pentesting Distros like Kali Linux. However, it can also be installed with the apt command as follows:

$ sudo apt install hydra

In case the package is not found, or you run into an error, you can also refer to the Github repo and install it using the specified instructions.

How to Use Hydra?

Hydra offers a lot of functionality which can be easily displayed with :

$ hydra -h

However, in our case we will be dealing with the following four primary flags :

  • -l -> Specify a username to use during brute force attack
  • -L -> Specify a wordlist of usernames to be used during the bruteforce attack
  • -p -> Specify a password to use during brute force attack
  • -P -> Specify a wordlist of passwords to be used during the bruteforce attack

The basic syntax of hydra is :

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Brute-force SSH Usernames and Passwords with Hydra

While trying to brute-force ssh credentials there are 3 possible combinations:

  • Bruteforcing Passwords
  • Bruteforcing Usernames
  • Bruteforcing Passwords and Usernames

First things first we would need wordlists for our brute-force attack. You can fetch some well knows wordlists with wordlistctl and once you have your wordlist ready, we can move on !

1. Bruteforcing Passwords

To brute-force ssh passwords with a known username, the syntax is :

$ hydra -l <username> -P <path to wordlist> <IP> ssh

2. Bruteforcing Username

To brute-force ssh usernames with a known password, the syntax is :

$ hydra -L <path to wordlist> -p <password> <IP> ssh

3. Bruteforcing Both Usernames And Passwords

If you do not know both the username and the password, the syntax is as follows:

$ hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh

Some Special Flags

Sometimes we have some special conditions and we need to orchestrate our attack according to that. In this section, we will discuss some special flags which helps us to customize our attacks.

1. Change The Number Of Threads

By default, hydra runs 16 threads but we can change the value of the same with the -t flag as such :

$ hydra -l <username> -P <path to wordlist> <IP> -t <number of threads> ssh

2. Change The Port Number

Sometimes, sysadmins change the ssh port number from the default 22 to some other port. Hence, to use a different port number, we use the -s flag as :

$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh

3. Brute Forcing A List Of IPs

Just like we can bruteforce a list of usernames and passwords, we can also brute-force ssh IPs from a list using the -M flag :

$ hydra -l <username> -P <path to wordlist> -M <path to Ip list> ssh

4. Miscellaneous

We can also enable a more verbose output with the -V flag. Also, sometimes the users/sysadmins leave certain obvious passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. A popular trio that goes with this flag are the letters ‘nsr’, where ‘n’ stands for null and tries to log in without any flag at all, ‘s‘ stands for same, i.e, it uses the username itself as a password while ‘r‘ tries the reversed username as a potential password. The syntax for this should look like this :

$ hydra -l <username> -P <path to wordlist> <IP> -V -e nsr ssh

Conclusion

Hydra can be a pretty powerful tool when you want to brute-force ssh connections and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around stuff you are not meant to and the users alone are accountable for their actions.