SSH brute force attacks are a type of cyber attack that is becoming increasingly common. They involve the use of automated software to try and gain access to a system by guessing its username and password. The attack usually begins with the attacker trying to connect to the system using a variety of usernames and passwords. If the hacker is successful, they can gain full access to the system, including sensitive data and applications.
The most common way for attackers to gain access is through a dictionary attack. This type of attack uses a pre-defined list of commonly used usernames and passwords. The attacker will use these to try and gain access to the system. If the attacker is successful, they can gain access to the system and can then use it for malicious purposes.
In this guide, I will be showing you how bad actors can perform SSH brute force attacks on a vulnerable target system remotely.
Requirements
- PC running on Kali Linux.
- Dockerized metasploitable (This will be our target system).
- Basic knowledge of how to use various brute forcing tools.
- Nmap
- Metasploit
- Patator
- Ncrack
- xHydra
Scanning for SSH open port (22)
Before launching an SSH brute force attack on our target, the first step is to determine whether the SSH port is open on the target system. We start by using Nmap to check for open ports. In our case, we have a running Metasploitable docker instance with IP 172.17.0.2. To start scanning we use the command.
nmap 172.17.0.2
As shown in the image above, we have the SSH port (22) open. We can now proceed to start performing SSH brute force attacks on our target system.
xHdra
xHydra is the graphical version of Hydra. We can use xHydra to automate an SSH brute force attack on the target system. To perform the attack we provide the target IP address and specify the port and the service we want to brute force as shown in the image below.
On the next tab, we are required to provide the location of both the username file and the password file. In our case, we used Crunch to generate possible usernames and passwords combination. For us to use these files, we have to indicate their location on the computer storage as shown in the image below.
After we have provided these details, we can start the SSH brute force attack. In some cases, the servers limit the number of requests made by a client to avoid this kind of attack. XHydra has a tuning tab from where you can customize such details to make your attack effective. Depending on the number of tasks you have configured xHydra to run the attack and the size of your wordlists, the attack will take some time to complete, and once the valid login credentials are found they will be displayed as shown in the image below.
Ncrack
Ncrack is a tool used to attempt to crack network authentication via brute force attack. It was developed to assist organizations to manage network security by dynamically checking each host and each piece of network infrastructure for security flaws. We just need one command to launch an SSH brute force attack with Ncrack as shown in the image below.
ncrack -v -U /home/kali/Desktop/usernames.txt -P /home/kali/Desktop/passwords.txt 172.17.0.2:22
Patator
Patator is a multi-threaded tool written in Python that focuses on being more reliable and flexible than other brute-forcing tools. It is useful for making brute force attacks on several ports such as FTP, HTTP, POSTGRES, SMB, etc. To launch an SSH brute force attack on Patator, we have to provide various parameters; the script to use for the brute force attack (in this case, we are using ssh_login), the host the users file, and the password file. The command for SSH brute force attack has the below syntax.
patator ssh_login host=172.17.0.2 user=FILE0 0=/home/kali/Desktop/usernames.txt password=FILE1 1=/home/kali/Desktop/passwords.txt
Metasploit
Metasploit being the world's most used penetration testing framework, can also be used to perform SSH brute force attacks. To perform the attack we first launch Metasploit using the command.
msfconsole
Once launched we have to provide the required details for us to start the SSH brute force attack. The required information for this attack includes; the target IP address, the target port, the username, and the password list to use to brute force as shown in the image below.
Once all the details are provided, we can run to start SSH brute force attack using the provided lists. Depending on the size of your wordlists and other factors such as the number of threads you have set, it will take some time for valid credentials to be found and displayed as shown in the image below.
Conclusion
The best way to protect against SSH brute force attacks is to use strong passwords. Passwords should be at least 8 characters long and should contain a combination of upper and lower case letters, numbers, and special characters. Additionally, it is important to keep the passwords updated regularly and not use the same password for multiple accounts.
Another way to protect against SSH brute force attacks is to use two-factor authentication. This requires the user to enter two sets of credentials before gaining access, making it much harder for hackers to gain access. Additionally, it is important to keep the system updated with the latest security patches and to use antivirus software to detect any malicious activity.
Finally, it is important to monitor the system for any suspicious activity. If any suspicious activity is detected, it is important to take the necessary steps to block the attack. This can include banning the IP address from which the attack originated, or blocking the port used for the attack.
By following these steps, it is possible to greatly reduce the risk of an SSH brute force attack. However, it is important to remember that no security measure is foolproof and it is always important to remain vigilant.
