
When SSH allows password authentication, brute-force attacks can yield credentials. This lesson covers effective techniques and how to manage the risk of detection and account lockouts.
Effective wordlists improve success rates. Common sources include rockyou.txt and the SecLists password collections. Custom lists generated with CeWL from target websites, and rule-based expansion with hashcat, improve the chances further.
Identify valid usernames first. Common SSH usernames include root, admin, administrator, user, test, company names, and employee names from OSINT/LDAP.
Slow down attacks to evade lockouts by adding wait time between attempts and limiting concurrent tasks. Fast attacks at 10+ attempts per second get detected. A moderate rate of 1 attempt per second provides some evasion. A slow rate of 1 attempt per minute is hard to detect.
Try common passwords across many users. Spray one password against many users before moving to the next password. Add delays between passwords to avoid lockouts.
Success leaves you with credentials for initial access or privilege escalation.
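Seen from the defender's side, the pacing and spraying patterns described above still show up in sshd logs once failures are counted per source over a long window instead of per minute. The following is an added example, not part of the original lesson: the ISO-timestamped log prefix, the thresholds, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# OpenSSH failed-password line, prefixed with an ISO-8601 timestamp (assumed log format).
FAILED = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(lines):
    """Return {source: [(timestamp, user), ...]} for failed-password lines."""
    by_src = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    return by_src

def peak_per_minute(events):
    """Highest number of failures in any clock minute: what a rate alert sees."""
    return max(Counter(ts.replace(second=0, microsecond=0) for ts, _ in events).values())

def classify(events, window=timedelta(hours=24), spray_users=5, brute_attempts=10):
    """Judge one source over a long window so slow attempts still accumulate."""
    latest = max(ts for ts, _ in events)
    per_user = Counter(u for ts, u in events if latest - ts <= window)
    if len(per_user) >= spray_users:
        return "spray"            # many accounts, few guesses each
    if max(per_user.values()) >= brute_attempts:
        return "brute-force"      # many guesses against one account
    return "noise"                # e.g. a user mistyping a password

def sample_log():
    """Constructed lines (documentation IPs): slow spray, fast guessing, a typo."""
    t0 = datetime(2024, 1, 10, 3, 0, 0)
    fmt = "{} host1 sshd[4242]: Failed password for {}{} from {} port 40000 ssh2"
    def row(offset, user, src):
        inv = "" if user == "root" else "invalid user "
        return fmt.format((t0 + offset).isoformat(), inv, user, src)
    users = ["root", "admin", "administrator", "user", "test"]
    lines = [row(timedelta(minutes=i), u, "203.0.113.10") for i, u in enumerate(users * 2)]
    lines += [row(timedelta(seconds=i), "root", "198.51.100.7") for i in range(12)]
    lines += [row(timedelta(seconds=5 * i), "alice", "192.0.2.44") for i in range(2)]
    return lines

if __name__ == "__main__":
    for src, events in parse(sample_log()).items():
        print(src, peak_per_minute(events), classify(events))
```

The one-attempt-per-minute source never exceeds a peak of 1 failure per minute, so a pure rate threshold misses it, while the distinct-username count over the window flags it as a spray.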
What tool forces parallel logins?
What prevents brute force?
What auth method prevents brute force?
What tool tests multiple users?