Introduction
As you are no doubt aware if you are reading this article, SSH is the common, command-line-only remote access protocol for virtually all non-Windows devices. SSH is commonly used to administer or interact with servers, routers, embedded devices, and sometimes mobile phones. SSH is the protocol (RFC 4251); the de facto implementation is OpenSSH, from the OpenBSD project. Windows devices can run SSH, but Windows admins typically use RDP to administer machines because Windows administration has historically required a GUI [1].
SSH supports many modes of access, including public key cryptography, one-time passwords, and simple username/password authentication. Username/password authentication is vulnerable to brute force.
A wide variety of tools support brute forcing SSH. Here I will review three commonly used tools: Metasploit, Nmap and THC Hydra.
Metasploit
Metasploit is a commonly used commercial penetration testing platform that includes a broad spectrum of attacks and is incredibly easy to use.
Almost all penetration testing materials cover Metasploit to some degree, despite the canonical book [2] being out of date. Most coverage is very rudimentary, and consequently the best way to learn Metasploit is to use it. Metasploit is very actively developed, but the new bells and whistles don’t generally affect the age-old brute force attack.
What Metasploit does extraordinarily well is integrate various tools into a single interface with a common language, and collect data from each tool in a database to share between them. If you’re performing the entire cyber kill chain [3], then this integration can be very useful, while the common language makes learning to perform new attacks with new modules trivial.
Metasploit uses the auxiliary/scanner/ssh/ssh_login module to perform an SSH brute force. This module supports using collected credentials, hosts, usernames, and passwords from the database, which allows integration with other Metasploit modules. Other brute force modules are similarly titled *_login, for instance smb, mssql, ftp, snmp, and so on.
Metasploit supports discovery of hosts through ARP sweeps and IPv6 neighbor solicitations, and has an integration with Nmap via db_nmap. Metasploit can also import Nmap reports. Metasploit saves obtained credentials in the database, and these credentials can be used to move laterally (pivot) by reusing them in other attacks with other modules.
Importantly, the rate of the brute force can be controlled, including the number of threads.
Metasploit has its own source of commonly used credentials, but can be supplied with any of usernames, passwords, or username/password combinations.
Unfortunately, Metasploit’s ssh_login algorithm fixes the username and sequentially tries passwords rather than the opposite. The opposite technique is slightly less noisy, because the rate of login attempts against any specific user is lower. However, make no mistake: brute force is always noisy, and in practice this is unlikely to matter, since your target will either have imposed security controls on brute force or not. It is unlikely that a realistic brute force campaign could fly under the radar by password spraying (fixing the password and varying the username) instead of fixing the username and trying passwords.
NMAP
NMAP, the network mapper, is an all-in-one network tool. Its primary use is discovery by network scanning, and this is what the interface primarily centers on, but Nmap supports a wide variety of what can only be described as “actions” through “scripts”.
NMAP’s primary advantage is its availability. Nmap is far more likely to be available in repositories or already installed on a box than Metasploit or Hydra. Nmap is a legitimate system administration tool that is useful outside of pen-testing. This, admittedly, isn’t a huge advantage. If you happen upon nmap on a box, knowledge of its scripts lets you conduct brute force attacks without installing software. Nmap is emphatically not designed as a penetration testing tool, and as such doesn’t have exploits like Metasploit.
NMAP conducts brute forcing through the *-brute scripts. These scripts accept a common language of arguments to simplify use. However, despite *-brute sharing a common argument language, Nmap scripts are not generally integrated with each other, and other tools are not trivially combined as in Metasploit. SSH brute forcing is done through, get this, ssh-brute. Host discovery is trivially integrated; in fact, you have to tell Nmap not to perform host discovery if you don’t want it to (the -Pn switch). The language of the commands is somewhat awkward, because nmap runs all scripts in the context of a port scan. An important trick to remember: when specifying a script with the --script argument, you must place a ‘+’ in front of the script name to make it run against non-default ports, i.e. --script +ssh-brute. Nmap will also quit after 15 minutes unless a time limit is specified.
NMAP provides its own commonly used usernames and passwords, but can be provided with usernames and/or passwords, not combinations (i.e. pairing user1 with user1pw and user2 with user2pw exclusively). This is done via the userdb and passdb script arguments: --script-args ‘userdb=<users-file>,passdb=<passwords-file>’.
Nmap also has less timing control available. Timing can be suggested with the -T1, -T2, … -T5 options, but the number of threads is not controllable.
NMAP takes a smarter approach than Metasploit by fixing the password and iterating over usernames first, i.e. password spraying.
THC Hydra
THC Hydra is specially designed to run brute force attacks, this and nothing else. The interface isn’t designed around port scans or shared across many modules. The downside is that THC Hydra’s syntax is one-off, and learning it doesn’t instantly grant you other tools. THC Hydra compensates for this by supporting a ~WIDE~ variety of protocols, more than Nmap and Metasploit.
THC Hydra is multithreaded by default and allows fine-grained control of this setting. Hydra supports password spraying (unlike Metasploit), many targets at once, and usernames, passwords, and/or credentials (specific username/password combinations, unlike Nmap). THC Hydra has the sanest defaults of any of the tools and supports the most options. Uniquely among the tools, it offers an actual brute force mode where all possible passwords are tried, and an option to continue after success to enumerate more credentials (which is almost certainly undesirable, as you should connect, enumerate and elevate rather than continue to make noise). Most importantly, THC Hydra supports resuming killed sessions, something likely to occur in an actual attack.
In Summary:
| Name       | Multi-Threaded?   | Password-Spray | Credential Attack | Useful Defaults |
|------------|-------------------|----------------|-------------------|-----------------|
| Metasploit | YES / not default | NO             | YES / +DB         | No / threading  |
| NMAP       | YES               | YES            | NO                | No / timeout    |
| THC Hydra  | YES / default     | YES            | YES               | YES             |
Each tool has a clear use case. However, given the integration Metasploit offers with other modules in its ecosystem, it is likely to be the winner for the penetration tester, while THC Hydra is likely to be most useful to someone conducting a serious, long-running brute force against a difficult password.
Defense
Having appeared in classics like Hackers, this attack is as old as hacking. In practice, this attack is extraordinarily unlikely to work, as most admins will have controls in place to prevent brute forcing. The admins that don’t are also those likely to have weak or default passwords anyway. This kind of self-selection may be related to why 419 scams use poor English intentionally [4]. Controls you should have to prevent this attack include, most importantly, always using public key authentication with SSH. It’s easy to set up and far more secure than a password. Where this is impossible, you should consider a jump box or VPN rather than exposing the device to the internet. Second, you should rate-limit logins via PAM on Linux/BSD machines and use fail2ban or blacklistd. Either of these controls alone will outright prevent this attack: being banned after every three login attempts, or not being able to attempt passwords at all, will stop each of these tools in its tracks. It’s that easy.
A compensating control is moving your SSH service to a non-default port. Each of these tools supports targeting a non-default port, and discovery of the service is as easy as a port scan plus banner grab (nmap -sT -sV … ). However, most of these attacks are automated and don’t yet target non-default ports. A targeted attack will almost certainly find your obscure port. Don’t believe security by obscurity does anything for you.
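The rate-limiting and banning controls above key on a signal a defender can read straight out of the authentication log. The following is an added example, not code from the original article: a Python script run over constructed auth.log-style lines that counts failed password attempts per source IP within a time window, bans after three attempts as the text suggests, and labels each source as a single-user brute force (fixed username, varying passwords) or a password spray (fixed password, varying usernames), the two orderings contrasted in the Metasploit and Nmap sections. The log lines, IP addresses, year and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log-style lines (syslog format, not captured from a real host).
# 203.0.113.5 hammers one account, 198.51.100.7 tries one guess across many
# accounts, and 192.0.2.9 is a user who mistyped a password once, then used a key.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 50100 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.5 port 50101 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 50102 ssh2
Mar  3 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 50103 ssh2
Mar  3 10:00:10 host sshd[1210]: Failed password for invalid user alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:11 host sshd[1211]: Failed password for invalid user bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:12 host sshd[1212]: Failed password for invalid user carol from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:13 host sshd[1213]: Failed password for dave from 198.51.100.7 port 40003 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for erin from 192.0.2.9 port 41000 ssh2
Mar  3 10:05:01 host sshd[1301]: Accepted publickey for erin from 192.0.2.9 port 41001 ssh2
"""

# Matches sshd's "Failed password" line for both known and unknown ("invalid user") accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2024):
    """Return [(timestamp, username, source_ip)] for each failed-password line.
    Syslog omits the year, so one is supplied (an assumption for the sample)."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not brute-force signal
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["src"]))
    return failures


def classify_sources(failures, maxretry=3, findtime=timedelta(minutes=10), spray_users=3):
    """Per source IP, count failures in the findtime window ending at that source's
    last attempt, decide whether it would be banned (fail2ban-style maxretry), and
    label the pattern: many guesses at one account versus one guess across many."""
    by_src = defaultdict(list)
    for ts, user, src in failures:
        by_src[src].append((ts, user))

    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        window_start = events[-1][0] - findtime
        recent = [(ts, u) for ts, u in events if ts >= window_start]
        users = {u for _, u in recent}
        if len(recent) < maxretry:
            label = "noise"
        elif len(users) >= spray_users:
            label = "password-spray"            # fixed password, varying usernames
        else:
            label = "single-user-brute-force"   # fixed username, varying passwords
        verdicts[src] = {
            "attempts": len(recent),
            "distinct_users": len(users),
            "label": label,
            "ban": len(recent) >= maxretry,
        }
    return verdicts


def analyze(text):
    """Convenience wrapper: raw log text in, per-source verdicts out."""
    return classify_sources(parse_failures(text))


if __name__ == "__main__":
    for src, v in analyze(SAMPLE_LOG).items():
        print(f"{src:15} attempts={v['attempts']} users={v['distinct_users']} "
              f"{v['label']:24} ban={v['ban']}")
```

The per-source window is anchored at each source's last attempt, which is a simplification of fail2ban's sliding window but enough to show why the spray ordering is only slightly quieter: a per-source ban catches both patterns equally, whereas a per-account lockout would see the spray as a single failure per user.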
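To check whether a host actually has the controls recommended above, here is an added example (not from the article) in Python that reads an sshd_config in the flat keyword/value form OpenSSH uses, applying the first occurrence of each keyword as sshd does, and reports password authentication left on, keyboard-interactive (PAM) prompts left reachable, too many authentication attempts per connection, and the default port. The two configuration texts are constructed; the keyword names and defaults (PasswordAuthentication yes, PubkeyAuthentication yes, KbdInteractiveAuthentication yes, MaxAuthTries 6, Port 22) are OpenSSH's; the MaxAuthTries limit of 3 is this example's own choice, and stopping at the first Match line is a simplification.

```python
import re

# Two constructed sshd_config fragments: the first leaves password guessing
# possible, the second applies the controls the article recommends.
WEAK_CONFIG = """\
# constructed example of a permissive configuration
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# constructed example: key-only login, fewer guesses per connection, non-default port
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
"""

# OpenSSH's documented defaults for the keywords checked here.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}

# Threshold chosen for this example (assumption), not an OpenSSH value.
MAX_AUTH_TRIES_LIMIT = 3


def parse_sshd_config(text):
    """Return {keyword_lower: value} using the first occurrence of each keyword,
    which is how sshd resolves duplicates. Keywords may be separated from values
    by whitespace or '='. Match blocks are out of scope for this flat check, so
    parsing stops at the first 'Match' line (simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def effective(settings, key):
    """Value in effect: the explicit setting, else OpenSSH's default."""
    return settings.get(key, DEFAULTS[key]).lower()


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is on: online password guessing is possible")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-based login is unavailable")
    # Older OpenSSH spells this keyword ChallengeResponseAuthentication; honour either.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", DEFAULTS["kbdinteractiveauthentication"]))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM password prompts remain reachable")
    if int(effective(s, "maxauthtries")) > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"MaxAuthTries exceeds {MAX_AUTH_TRIES_LIMIT}: more guesses per connection than needed")
    if effective(s, "port") == "22":
        findings.append("Port 22: default port (moving it is only a compensating control)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Because KbdInteractiveAuthentication defaults to yes, turning off PasswordAuthentication alone can still leave a PAM password prompt reachable; the audit flags that combination, which is the case a practitioner most often misses when converting a host to key-only login.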