How to use a dictionary attack to crack the password for SSH

Last time, I wrote about SSH. I explained how to install it on an Ubuntu machine and showed you how to use it. If you want to read the previous post, you can find it here.

Today, I would like to show you how to execute a dictionary attack on SSH and emphasize the need for choosing a strong password.

My lab looks similar to this network diagram. I will use two virtual machines connected over wireless to my local area network. One machine is running Kali Linux and the target host is running Ubuntu 22.04. Both machines have IP addresses from the network 192.168.1.0/24.

Network lab diagram

A dictionary attack is a method of breaking into a system that is protected by a password. The attack consists of trying to log in to the system by attempting every word from a dictionary as the password. Many password lists recovered from past data breaches can be found on the Internet.

You can read more about dictionary attacks on Wikipedia.

Discover the running services on the target host with nmap

I will start on the Kali Linux machine. In order to discover the running services on the target host, I use nmap.

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. Check the man page for more information about nmap.

nmap 192.168.1.130
Discover the running services on the target host

From the output of the nmap command, we see that the target machine is running SSH on its default TCP port.

Download the 1000 most used passwords

After we have confirmed that SSH is running on the Ubuntu machine, the next step is to search for a list of commonly used passwords. For this, we will open a browser and use the Google search engine.

Look for the 1000 most used passwords

I will open the second link and download the list on my Kali Linux machine.

1000 most used passwords
Copy the link for the repository

Copy the link and clone the repository to the local machine with the git command.

git clone https://github.com/DavidWittman/wpxmlrpcbrute.git
Download the repository on the Kali Linux machine

Crack the login password with hydra

Next, you need to change your directory. Run the cd command.

cd wpxmlrpcbrute/wordlists
Change the directory with cd

When you are in the same directory as the text file containing the 1000 most used passwords, you need to run the hydra command.

Hydra is a parallelized login cracker, which supports numerous protocols to attack. For more details, check its man page.

We will use hydra with the following options:

-l LOGIN – specify the user account;

-P FILE – specify the file which contains the list with the passwords.

hydra -l brutus -P 1000-most-common-passwords.txt 192.168.1.130 ssh
Crack the login password with hydra

As you can see, hydra found the password for the user account brutus. The password for user brutus is iloveyou.
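Every guess hydra makes above also shows up on the target as a "Failed password" line in sshd's log (on Ubuntu, /var/log/auth.log), so the attack is easy to spot from the defender's side. The following is an added example, not code from the original post: it parses a handful of constructed sshd log lines (the attacker address 192.168.1.50, the host name "ubuntu", the timestamps and the process ids are all made up, and the year is assumed because syslog timestamps carry none) and reports any source that piles up several failed password attempts against one account within a short window, noting whether a successful password login from the same source followed the burst. The function names are mine.

```python
"""Detect SSH password-guessing bursts in sshd log lines.

Added example (not part of the original post). The constructed log lines
below imitate what sshd writes to /var/log/auth.log while a tool such as
hydra walks through a wordlist against one account. The attacker address
192.168.1.50, the host name and the timestamps are invented for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst of failures for one user from one source,
# followed by one success, plus unrelated noise from another address.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 ubuntu sshd[2301]: Failed password for brutus from 192.168.1.50 port 41002 ssh2
Jan 10 12:00:01 ubuntu sshd[2303]: Failed password for brutus from 192.168.1.50 port 41004 ssh2
Jan 10 12:00:02 ubuntu sshd[2305]: Failed password for brutus from 192.168.1.50 port 41006 ssh2
Jan 10 12:00:02 ubuntu sshd[2307]: Failed password for brutus from 192.168.1.50 port 41008 ssh2
Jan 10 12:00:03 ubuntu sshd[2309]: Failed password for brutus from 192.168.1.50 port 41010 ssh2
Jan 10 12:00:03 ubuntu sshd[2311]: Accepted password for brutus from 192.168.1.50 port 41012 ssh2
Jan 10 12:05:00 ubuntu sshd[2400]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Jan 10 12:09:00 ubuntu sshd[2402]: Accepted publickey for alice from 192.168.1.20 port 50002 ssh2
"""

# One sshd login event: syslog timestamp, host, pid, result, method, user, source.
# "invalid user" appears when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return a dict for one sshd login event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; assume one so windows can be computed
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def find_bursts(log_text, threshold=5, window_seconds=60):
    """Group failed password attempts by (source, user) and report each group
    with at least `threshold` failures inside `window_seconds`, flagging
    whether a password login from that source succeeded after the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "password":
            continue  # ignore non-login lines and key-based logins
        key = (ev["src"], ev["user"])
        (failures if ev["result"] == "Failed" else successes)[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        # sliding window over the sorted failure times for this source/user
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                burst_end = times[i + threshold - 1]
                alerts.append({
                    "source": key[0],
                    "user": key[1],
                    "failures": len(times),
                    "success_after_burst": any(t >= burst_end for t in successes.get(key, [])),
                })
                break  # one alert per source/user pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the sample, the script reports one alert: five password failures for brutus from 192.168.1.50 within two seconds, followed by a successful password login from the same address, which is exactly the signature the hydra run above leaves behind. Alice's single failure stays below the threshold and her key-based login is ignored.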

Login to the target host

After discovering the password for our user, it remains to log in to the target host to confirm that the password was cracked successfully.

ssh brutus@192.168.1.130
Confirm that the SSH password was cracked

As you can see, I was able to log in to the Ubuntu machine. This confirms that the SSH password was cracked successfully.

I would like to encourage you to use strong passwords. You can use the suggestions from the passwd command.

On the passwd man page, you can read the following:

As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets:

• lower case alphabetics
• digits 0 thru 9
• punctuation marks
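The guideline above is about how a password is composed, but the attack in this post succeeds for a different reason: "iloveyou" is in the attacker's list, so it is found no matter what it looks like. The following is an added example, not code from the original post or from the passwd utility, that checks a candidate password against the three character sets quoted from the man page and, in addition, against a common-password list of the kind the post downloads. The five-entry wordlist is constructed for the example (a real check would load the full file, one password per line); the minimum length and the function names are my own choices, and the man page's 8-character upper bound is deliberately not enforced, since modern password hashes accept longer passwords.

```python
"""Check a candidate password against the passwd(1) guideline quoted above
and against a common-password wordlist.

Added example, not part of the original post. The tiny wordlist below is
constructed for the example; in practice you would load a file like the one
the post downloads (one password per line), which is far larger.
"""
import string

# Constructed stand-in for a "most common passwords" file, one entry per line.
SAMPLE_WORDLIST = """\
123456
password
iloveyou
qwerty
letmein
"""


def load_wordlist(text):
    """Build a set of lowercased entries from one-password-per-line text."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def check_password(candidate, wordlist, min_len=6):
    """Return the list of guideline violations for `candidate`.

    An empty list means the password passes. The three character-set rules
    mirror the passwd man page quote; the wordlist rule is the one that
    actually defeats a dictionary attack. The comparison is case-insensitive
    because attack tools commonly try case variants of each entry as well.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lower case letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation mark")
    if candidate.lower() in wordlist:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for pw in ["iloveyou", "Brutus1!", "x9!", "correct-horse-7"]:
        verdict = check_password(pw, words)
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

With the sample list, "iloveyou" fails on three counts (no digit, no punctuation, and it is in the list), while "Brutus1!" and "correct-horse-7" pass all the rules; "x9!" has every character class but is too short.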

I hope you find this post helpful.
