Last time, I wrote about SSH. I explained how to install it on a Ubuntu machine and showed you how to use it. If you want to read the previous post, you can find it here.
Today, I would like to show you how to execute a dictionary attack on SSH and emphasize the need for choosing a strong password.
My lab looks similar to this network diagram. I will use two virtual machines connected on my local area network via wireless. One machine is running Kali Linux and the target host is running Ubuntu 22.04. Both machines have IP addresses from the network 192.168.1.0/24.
A dictionary attack is a method of breaking into a system which is protected by a password. The attack consists of trying to login on the system by attempting every word from a dictionary as the password. You can find multiple lists with passwords on the Internet recovered from past data breaches.
You can read more about dictionary attack on Wikipedia.
Table of Contents
Discover the running services on the target host with nmap
I will start on the Kali Linux machine. In order to discover the running services on the target host, I use nmap.
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. Check the man page for more information about nmap.
nmap 192.168.1.130
From the output of the nmap command, we see that the target machine is running SSH on its default TCP port.
Download the 1000 most used passwords
After we confirmed that SSH is running on the Ubuntu machine, the next step is to search for a list with common used passwords. For this, we will open a browser and use the Google search engine.
I will open the second link and I will download the list on my Kali Linux machine.
Copy the link and download the repository on the local machine with the git command.
git clone https://github.com/DavidWittman/wpxmlrpcbrute.git
Crack the login password with hydra
Next, you need to change your directory. Run the cd command.
cd wpxmlrpcbrute/wordlists 
When you are in the the same directory as the text file containing the 1000 most used passwords, you need to run the hydra command.
Hydra is a parallelized login cracker, which supports numerous protocols to attack. For more details, check its man page.
We will use hydra with the following options:
-l LOGIN – specify the user account;
-P FILE – specify the file which contains the list with the passwords.
hydra -l brutus -P 1000-most-common-passwords.txt 192.168.1.130 ssh
As you can see, hydra found the password for the user account brutus. The password for user brutus is iloveyou.
Login to the target host
After discovering the password for our user, it remains to login to the target host to confirm that the password was cracked successfully.
ssh brutus@192.168.1.130
As you can see, I was able to login on the Ubuntu machine. This confirms that the SSH password was cracked successfully.
I would like to encourage you to use strong passwords. You can use the suggestions from passwd command.
On the passwd man page, you can read the following:
As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets:
• lower case alphabetics
• digits 0 thru 9
• punctuation marksI hope you find this post helpful.
[…] Recently, I showed you how to perform a dictionary attack on a SSH server. You can find the post here: How to use a dictionary attack to crack the password for SSH. […]