
SSH Brute Force | Metasploit, Nmap, and THC Hydra

Introduction

As you are no doubt aware, reading this article, SSH is a common, command-line-only remote access protocol to virtually all non-Windows devices. SSH is commonly used to administer or interact with servers, routers, embedded devices, and sometimes mobile phones. SSH is the protocol (RFC 4251); the de facto implementation is OpenSSH, from the OpenBSD project. Windows devices can run SSH, but Windows admins typically use RDP to administer machines because Windows administration has historically required a GUI [1].

SSH supports many modes of authentication, including public key cryptography, one-time passwords, and simple username/password authentication. Username/password authentication is vulnerable to brute force.

A wide variety of tools support brute forcing SSH. Here, I will review three commonly used tools: Metasploit, Nmap, and THC Hydra.

Metasploit

Metasploit is a commonly used commercial penetration testing platform that includes a broad spectrum of attacks and is incredibly easy to use.

Almost all penetration testing materials cover Metasploit to some degree, despite the canonical book [2] being outdated. Most coverage is very rudimentary, and consequently the best way to learn Metasploit is to use it. Metasploit is very actively developed, but the new bells and whistles don't generally affect the age-old brute force attack.

What Metasploit does extraordinarily well is integrate various tools into a single interface with a common language, and collect data from each tool in a database to share between them. If you're performing the entire cyber kill chain [3], this integration can be very useful, while the common language makes learning to perform new attacks with new modules trivial.

Metasploit uses the auxiliary/scanner/ssh/ssh_login module to perform an SSH brute force. This module can use credentials, hosts, usernames, and passwords collected in the database, which allows integration with other Metasploit modules. Other brute force modules are similarly named *_login (smb, mssql, ftp, snmp, …).

Metasploit supports discovery of hosts through ARP sweeps and IPv6 neighbor solicitations, and integrates with Nmap via db_nmap. Metasploit can also import Nmap reports. Metasploit saves obtained credentials in the database, and these credentials can be used to move laterally (pivot) by supplying them to other attacks in other modules.

Importantly, the rate of the brute force can be controlled, including the number of threads.

Metasploit has its own list of commonly used credentials, but can be supplied any of usernames, passwords, or username/password combinations.

Unfortunately, Metasploit's ssh_login module fixes the username and tries passwords sequentially rather than the opposite. The opposite technique is slightly less noisy, because the rate of login attempts against any specific user is lower. However, make no mistake, brute force is always noisy, and in practice this is unlikely to matter: your target will either have imposed security controls on brute force or not. It's unlikely that a realistic brute force campaign could fly under the radar by password spraying (fixing the password and varying the username) instead of fixing the username and trying passwords.

NMAP

NMAP, the network mapper, is an all-in-one network tool. Its primary use is discovery by network scanning, and this is what the interface primarily centers on, but Nmap supports a wide variety of what can only be described as "actions" through "scripts".

NMAP's primary advantage is its availability. NMAP is far more likely to be available in repositories or already installed on a box than Metasploit or Hydra. NMAP is a legitimate system administration tool that is useful outside of pen-testing. Admittedly, this isn't a huge advantage. If you happen to find Nmap on a box, knowledge of its scripts lets you conduct brute force attacks without installing software. NMAP is emphatically not designed as a penetration testing tool, and as such doesn't have exploits like Metasploit.

NMAP conducts brute forcing through the *-brute scripts. These scripts accept a common set of arguments to simplify use. However, despite *-brute having a common language, Nmap scripts are not generally integrated with each other, and other tools are not trivially combined as in Metasploit. Brute forcing SSH is done through, get this, ssh-brute. Host discovery is trivially integrated; in fact, you have to tell Nmap not to perform host discovery if you don't want it to (the -Pn switch). The language of the commands is somewhat awkward, because Nmap runs all scripts in the context of a port scan. An important trick to remember: when specifying a script with the --script argument, you must place a '+' in front of the script name to make it run against non-default ports, i.e. (--script +ssh-brute). Nmap will also quit after 15 minutes unless a time limit is specified.

NMAP provides its own lists of commonly used usernames and passwords, but can be given usernames and/or passwords, not combinations (i.e. it cannot pair user1 exclusively with user1pw and user2 with user2pw). This is done via the userdb and passdb script arguments: --script-args 'userdb=,passdb='.

Nmap also has less timing control available. Timing can be suggested with the -T1, -T2, … -T5 options, but the number of threads is not controllable.

NMAP takes a smarter approach than Metasploit by fixing the password and iterating over usernames first, i.e. password spraying.

THC Hydra

THC Hydra is specially designed to run brute force attacks, this and nothing else. The interface isn't designed around port scans or designed to be shared across many modules. The syntax for THC Hydra is one-off, and learning it doesn't instantly grant you other tools. THC Hydra compensates for this by supporting a WIDE variety of protocols, more than Nmap and Metasploit.

THC Hydra is multithreaded by default and allows fine-grained control of this setting. Hydra supports password spraying (unlike Metasploit), many targets at once, and usernames, passwords, and/or credentials (specific username/password combinations, unlike Nmap). THC Hydra has the sanest defaults of any of the tools and supports the most options. Uniquely among the tools, it offers an actual brute force mode in which all possible passwords are tried, an option to continue after success to enumerate more (which is almost certainly undesirable: you should connect, enumerate and elevate rather than continue making noise), and, most importantly, THC Hydra supports resuming killed sessions, something likely to be needed in an actual attack.
In summary:

Name         Multi-threaded?      Password spray   Credential attack   Useful defaults
Metasploit   Yes / not default    No               Yes / + DB          No / threading
NMAP         Yes                  Yes              No                  No / timeout
THC Hydra    Yes / default        Yes              Yes                 Yes

Each tool has a clear use case. However, given the integration Metasploit offers with other modules in its ecosystem, it is likely to be the victor for the penetration tester, while THC Hydra is likely to be most useful to the individual conducting a serious, long-running brute force against a difficult password.

Defense

Having appeared in classics like Hackers, this attack is as old as hacking. In practice, it is extraordinarily unlikely to work, as most admins will have controls in place to prevent brute forcing. The kinds of admin who don't are also those likely to have weak or default passwords anyway. This kind of self-selection may be related to why 419 scams use poor English intentionally [4]. The controls you should have in place to prevent this attack include, most importantly, always using public key cryptography with SSH. It's easy to set up and far more secure than a password. Where this is impossible, you should consider a jump box or VPN and not expose the device to the internet. Second, you should rate limit logins via PAM on Linux/BSD machines and use fail2ban/blacklistd. Either of these controls alone will outright prevent this attack: being banned every three login attempts, or not being able to attempt passwords at all, will stop each of these tools in their tracks. It's that easy.
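The two attempt orderings discussed above (Metasploit fixing the username and cycling passwords, versus the password-spraying order Nmap and Hydra use) leave visibly different traces in sshd's log, and the "banned every three login attempts" control from this section catches both when it counts per source address. The following is an added example written for this article, not code from the page or from any of the three tools: it parses constructed OpenSSH "Failed password" lines, labels the pattern each source address exhibits, and applies a fail2ban-style rule (three failures within ten minutes, both thresholds assumed) alongside a per-user lockout to show which attacker a per-user control would miss.

```python
"""Classify SSH brute-force patterns in sshd logs and apply ban policies.

Added example for this article; not the page's own code and not part of
Metasploit, Nmap, Hydra, fail2ban or OpenSSH.  All log lines are constructed
and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in traditional syslog format (no year).  10.0.0.5 hammers
# one account with many passwords, 10.0.0.9 tries one password across many
# accounts (spraying), and 10.0.0.77 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar  3 10:00:02 host sshd[1002]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar  3 10:00:03 host sshd[1003]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar  3 10:00:04 host sshd[1004]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar  3 10:05:00 host sshd[1010]: Failed password for invalid user admin from 10.0.0.9 port 50001 ssh2
Mar  3 10:05:30 host sshd[1011]: Failed password for invalid user oracle from 10.0.0.9 port 50002 ssh2
Mar  3 10:06:00 host sshd[1012]: Failed password for invalid user test from 10.0.0.9 port 50003 ssh2
Mar  3 10:06:30 host sshd[1013]: Failed password for deploy from 10.0.0.9 port 50004 ssh2
Mar  3 10:30:00 host sshd[1020]: Failed password for alice from 10.0.0.77 port 60001 ssh2
Mar  3 10:30:20 host sshd[1021]: Accepted publickey for alice from 10.0.0.77 port 60002 ssh2
"""

# OpenSSH prefixes unknown accounts with "invalid user"; both forms are captured.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2024):
    """Return a list of (timestamp, source_ip, username) per failed password."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        stamp = " ".join(m["ts"].split())  # collapse the day-padding double space
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def classify_pattern(events, ip):
    """Label how one source address is behaving (thresholds are assumptions)."""
    users = {user for _, src, user in events if src == ip}
    attempts = sum(1 for _, src, _ in events if src == ip)
    if attempts < 3:
        return "isolated failures"
    if len(users) == 1:
        return "password guessing (fixed user)"     # Metasploit ssh_login order
    if len(users) >= attempts * 0.75:
        return "password spraying (many users)"     # Nmap ssh-brute / Hydra order
    return "mixed"


def ban_decisions(events, max_retry=3, find_time_s=600):
    """IPs a fail2ban-style rule bans: max_retry failures within find_time_s."""
    by_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        for i in range(len(times) - max_retry + 1):
            if (times[i + max_retry - 1] - times[i]).total_seconds() <= find_time_s:
                banned.add(ip)
                break
    return banned


def user_lockouts(events, max_retry=3):
    """Accounts a per-user lockout (PAM-style) would lock; spraying evades it."""
    per_user = defaultdict(int)
    for _, _, user in events:
        per_user[user] += 1
    return {user for user, n in per_user.items() if n >= max_retry}


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_LOG)
    for src in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        print(src, classify_pattern(ev, src))
    print("banned by IP:", sorted(ban_decisions(ev)))
    print("locked by user:", sorted(user_lockouts(ev)))
```

Running it shows the point made in the Metasploit section from the defender's side: the sprayer never trips the per-user lockout (only root does), but a per-source rule bans both attackers, so the "quieter" ordering buys nothing against the controls recommended here.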

A compensating control is moving your SSH service to a non-default port. Each of these tools supports targeting a non-default port, and discovering such a service is as easy as a port scan plus banner grab (nmap -sT -sV …). However, most of these attacks are automated and don't yet target non-default ports. A targeted attack will almost certainly find your obscure port. Don't believe security by obscurity does anything for you.
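To check a server against the advice in this section (keys only, no password authentication, a low attempt ceiling, and the port move counted as obscurity rather than a control), here is an added example that audits an sshd_config text; it is not the page's own code and not part of OpenSSH. The config texts are constructed. Two details are worth knowing and are encoded below: sshd honours the first value it sees for a keyword, so a hardening line appended below a permissive one is ignored, and a PAM password prompt can survive `PasswordAuthentication no` unless keyboard-interactive authentication is also disabled. The MaxAuthTries ceiling of 3 is an assumption mirroring the "three login attempts" figure above.

```python
"""Audit an sshd_config for the controls this article's Defense section recommends.

Added example; not the page's own code and not part of OpenSSH.  Config texts
below are constructed.  Only the global section is examined: directives after
the first Match line are conditional and out of scope here.
"""
import re

MAX_AUTH_TRIES = 3  # assumption: mirrors the "three login attempts" control above

# wanted value and OpenSSH's shipped default (used when the keyword is absent)
EXPECTED = {
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),  # PAM can still prompt for a password here
    "pubkeyauthentication": ("yes", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}; sshd applies the FIRST value it sees."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":  # deprecated alias
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, value)  # first occurrence wins, like sshd
    return settings


def audit_sshd_config(text):
    """Return sorted findings; an empty list means the file meets this article's advice."""
    s = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in EXPECTED.items():
        actual = s.get(key, default)
        if actual.lower() != wanted:
            findings.append(f"{key}={actual} (want {wanted})")
    tries = int(s.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries={tries} (want <= {MAX_AUTH_TRIES})")
    if s.get("port", "22") != "22":
        findings.append(f"info: port={s['port']} is obscurity, not a control")
    return sorted(findings)


# Constructed: a permissive config of the kind the brute-force tools above feed on.
WEAK_CONFIG = """\
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed: the same server after applying this section's advice.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
"""

# Constructed: a hardening line appended below a permissive one does nothing.
FIRST_WINS_CONFIG = """\
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no   # ignored: the earlier "yes" is what sshd applies
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("first-wins", FIRST_WINS_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/var/lib/...` paths of your own by reading the file into `audit_sshd_config`; after editing a live config, `sshd -t` validates the syntax before a restart.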
