02. SSH Dictionary Attack
1. Scanning SSH Service Version Using Nmap
Command:
Explanation:
- `nmap`: Network Mapper tool used for network scanning.
- `<IP Address>`: Replace with the target's IP address.
- `-sV`: Enables version detection to determine the SSH service version.
- `-p 22`: Scans only port 22, which is the default SSH port.
Example:
Output:
This confirms that SSH is running on the target with OpenSSH 8.4p1.
2. Brute-Forcing SSH Credentials Using Hydra
Command:
Explanation:
- `hydra`: Password-cracking tool.
- `-l username`: Specifies the target username (replace `username` with an actual user, e.g., `root`).
- `-P /usr/share/wordlists/rockyou.txt`: Uses RockYou.txt as the password list.
- `<IP Address>`: Target IP.
- `ssh`: Specifies the SSH protocol.
Example:
Output (If successful):
This means the credentials root:123456 are valid.
3. Brute-Force SSH Using Nmap Scripts
Command:
Explanation:
- `--script ssh-brute`: Uses the Nmap SSH brute-force script.
- `--script-args userdb=/path/to/userlist`: Uses a list of usernames for the attack.
Example:
Output (If successful):
This means the username admin with password admin is valid.
4. Brute-Force SSH Using Metasploit
Steps:
- Open Metasploit:
- Load SSH login scanner module:
- View options:
- Set target IP:
- Set the username-password file:
- Stop on first success:
- Enable verbose mode:
- Start attack:
Example:
```
msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhost 192.168.1.10
set userpass_file /usr/share/wordlists/metasploit/root_userpass.txt
set STOP_ON_SUCCESS true
set verbose true
run
```
Output (If successful):
This means the root user password is toor.
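On the defending host, Hydra, `ssh-brute` and `ssh_login` all leave the same trace in sshd's auth log: a burst of failed password logins from one source, sometimes ending in an accepted one. The following is an added example, not part of the original page, that flags such sources. The log lines are constructed samples in OpenSSH's log format, and the function name and the threshold of 3 failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth.log format (not from a real host).
SAMPLE_LOG = """\
Mar 10 10:00:01 srv sshd[1201]: Failed password for root from 192.168.1.50 port 40001 ssh2
Mar 10 10:00:02 srv sshd[1202]: Failed password for root from 192.168.1.50 port 40002 ssh2
Mar 10 10:00:03 srv sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Mar 10 10:00:04 srv sshd[1204]: Failed password for root from 192.168.1.50 port 40004 ssh2
Mar 10 10:00:05 srv sshd[1205]: Accepted password for root from 192.168.1.50 port 40005 ssh2
Mar 10 10:05:00 srv sshd[1300]: Failed password for alice from 192.168.1.77 port 51000 ssh2
Mar 10 10:05:09 srv sshd[1301]: Accepted password for alice from 192.168.1.77 port 51001 ssh2
Mar 10 10:06:00 srv sshd[1400]: Accepted publickey for bob from 192.168.1.80 port 52000 ssh2
"""

# Matches sshd authentication results, with or without the "invalid user" prefix.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_dictionary_attacks(log_text, threshold=3):
    """Return one finding per source IP with >= threshold failed password logins."""
    failures = defaultdict(int)     # ip -> count of failed password attempts
    users = defaultdict(set)        # ip -> usernames that were tried
    compromised = defaultdict(set)  # ip -> users accepted after the burst
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not password guessing
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= threshold:
            # Password accepted after a burst of failures: likely guessed.
            compromised[ip].add(user)
    return [
        {"ip": ip, "failures": n, "users_tried": sorted(users[ip]),
         "compromised": sorted(compromised[ip])}
        for ip, n in sorted(failures.items()) if n >= threshold
    ]

if __name__ == "__main__":
    for finding in find_dictionary_attacks(SAMPLE_LOG):
        print(finding)
```

A non-empty `compromised` list means a password was accepted from a source that had just been guessing, so that account should be treated as exposed and its credentials rotated.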