How to use Hydra to Brute-Force SSH Connections?

Let’s explore using Hydra to brute-force SSH. One of the most popular tools in a hacker’s toolbox is Hydra. It is a great tool for brute force attacks, and you can use it both as a blue team to audit and test ssh passwords against popular password lists like rockyou.txt and crack station wordlists and as a red team to break into computers. 

What is SSH (Secure Shell)?

The SSH Protocol uses the access credential SSH (Secure Shell). To put it another way, it is a cryptographic network protocol used to send encrypted data across a network. Without having to remember or type in your password for every system that needs to log in remotely from another system to a server, you can connect to one or more servers. 

What is Hydra?

Hydra is an open-source tool that allows us to perform various kinds of brute force attacks using wordlists. It comes by default with all Pentesting Distros like Kali Linux. Hydra is a parallelized login cracker that can attack many different protocols. It is already installed in Kali Linux and is used to launch dictionary or brute-force attacks against username and password to several services, including MS-SQL, FTP, ssh, telnet, etc. 

Installation and Usage of Hydra tool 

Installation:

Execute the below command in the terminal to install the hydra tool using the apt package manager.  

sudo apt install hydra 

Usage:

Example 1: Bruteforcing Both Usernames And Passwords

Type the below command on the terminal and hit Enter.

hydra -L user.txt -P pass.txt 192.168.29.135 ssh -t 4

• -l specifies a username during a brute force attack.
• -L specifies a username wordlist to be used during a brute force attack.
• -p specifies a password during a brute force attack.
• -P specifies a password wordlist to use during a brute force attack.
• -t set to 4, which sets the number of parallel tasks (threads) to run.
   

From the above screenshot we that the username and password were found. But in the real world, you need thousands, millions and even billions of trials to crack the password.

Example 2: Bruteforcing Passwords 

Type the below command on the terminal and hit Enter.

hydra -l msfadmin -P pass.txt 192.168.29.135 ssh -t 4

Here, we are only brute-forcing passwords on the target server.

Example 3: Bruteforcing Username

Type the below command on the terminal and hit Enter.

 hydra -L user.txt -p msfadmin 192.168.29.135 ssh -t 4

In the above example, we were a brute-forcing only passwords, so in this example, we are brute-forcing only usernames on the target server.

Some Special Flags: 

Example 1: Change The Number Of Threads

Type the below command on the terminal and hit Enter.

 hydra -L user.txt -P pass.txt 192.168.29.229 ssh -t 5

Here we are changing the Thread Number to 5 and finding the correct username and password. The default thread of Hydra use is 16. We can change the value with the tag -t.

Example 2: Change The Port Number

Type the below command on the terminal and hit Enter.

hydra -s 22 -L user.txt -P pass.txt 192.168.29.229 ssh -t 5

Here we are adding the port number of the ssh server as 22 and we have also got the correct password ‘msfadmin’ and username ‘msfadmin’.

Example 3: Brute Forcing A List Of IPs

Type the below command on the terminal and hit Enter.

 hydra -L user.txt -P pass.txt -M ip.txt ssh -t 4

Here, along with brute-forcing usernames and passwords, we are also a brute-forcing list of IP addresses that contain more than one target server address.

Example 4: Miscellaneous

Type the below command on the terminal and hit Enter.

hydra -l msfadmin -P pass.txt 192.168.29.229 -V -e nsr ssh

For Enable Verbose Mode in Hydra, We can use -V. But user/system admins leave some passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. Here you can see a command ‘nsr‘ where ‘n’ stands for null,‘s‘ stands for same, ‘r’ tries the reversed username as a potential password

Example 5: -V (Verbose Mode)

Type the below command on the terminal and hit Enter.

hydra -s 22 -L user.txt -P pass.txt 192.168.29.229 ssh -V

The verbose mode in hydra is used for checking in-depth and getting the output results in a more detailed manner. So for this detailed output retrieval, the -V flag is used.

Example 6: -e nsr flag example

Type the below command on the terminal and hit Enter.

hydra -L user.txt -P pass.txt 192.168.29.229 -e nsr ssh

Sometimes user/system admins leave some passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. Here you can see a command ‘nsr‘ where ‘n’ stands for null, ‘s‘ stands for same, and ‘r’ tries the reversed username as a potential password. We got the output msfadmin username and password is msfadmin.

Example 7: -s flag example 

Note: Example of Changing port number command is the same for this example

Type the below command on the terminal and hit Enter.

hydra -s 22 -L user.txt -P pass.txt 192.168.29.229 ssh -t 5

With flag -s we specify the port number here is port number is 22 and we are using it and got the output is a username is msfadmin and password is msfadmin.

Example 8: -h flag (To know more usage of Hydra )

Type This Command And Hit Enter:

hydra -h

-h flag is used to display the help menu of the hydra tool for a better understanding of the tool.

Hydra can be a pretty powerful tool when you want to brute-force ssh connections and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around with stuff you are not meant to and the users alone are accountable for their actions.