My buddy Aamir Lakhani aka drchaos wrote a great post on breaking SSH, VNC and other services. The original post can be found HERE.
Hydra is a very fast and effective network login cracker. It will help you perform brute force attacks against SSH servers, VNC, and other services. When you launch Hydra it will launch the GUI in Kali; however, in this tutorial we will use xHydra, which is the command line version of the tool. The command line version gives you much more flexibility in how to use the tool.
Wordlists
This attack requires a wordlist. Kali ships with default wordlists; this demo works well with the rockyou wordlist located at /usr/share/wordlists/rockyou.txt.gz, which you will need to extract before using it. You can also use Aamir Lakhani's Dr. Chaos guide to creating your own wordlists at http://www.drchaos.com/creating-custom-dictionary-files-using-cewl/ or simply download a pretty decent custom created wordlist here: http://www.drchaos.com/public_files/chaos-dictionary.lst.txt
Scanning for SSH Servers using NMAP
The first thing we will do is scan for SSH services listening on port 22. We are going to scan the entire 10.1.100.0/24 subnet, but we could also scan a single host or a range.
Here's a simple example that will scan all computers on the subnet and report any devices listening on port 22. All of this, along with the version of SSH that the server is running, is written to a text file named ssh_hosts:
nmap -p 22 --open -sV 10.1.100.0/24 > ssh_hosts
We could have also scanned it this way, skipping host discovery and writing grepable output:
nmap -p22 --open -Pn -sV -oG ssh_hosts 10.1.100.0/24
Or another way, this presents a list of IPs that have SSH up:
nmap -p 22 10.44.46.0/27 | awk '/scan report for/ {print $0}' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
Next I am going to use Hydra. Hydra is a very well-known and respected network logon cracker which supports many different services. (Similar projects and tools include Medusa and John the Ripper.)
Hydra is able to use external files for passwords, usernames, or username and password combinations. As a password/logon cracker (hacking tool), Hydra has been tested on the following protocols:
afp, cisco, cisco-enable, cvs, firebird, ftp, http-get, http-head,
http-proxy, https-get, https-head, https-form-get, https-form-post, icq, imap, imap-ntlm,
ldap2, ldap3, mssql, mysql, ncp, nntp, oracle-listener, pcanywhere,
pcnfs, pop3, pop3-ntlm, postgres, rexec, rlogin, rsh, sapr3,
sip, smb, smbnt, smtp-auth, smtp-auth-ntlm, snmp, socks5, ssh2,
teamspeak, telnet, vmauthd, vnc
We are going to enter the command:
hydra -s 22 -v -l root -P /root/password.txt -t 10 192.168.0.128 ssh
The options in Hydra are very straightforward:
-s is the destination port
-v verbose logging
-l tells Hydra you will provide a static login (you can use a file for multiple usernames instead).
-P password file
-t target, the IP address or host name of the target
ssh – the protocol (service module) being used.
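From the defender's side, every guess Hydra makes leaves a "Failed password for <user> from <ip>" line in the target's auth.log (the Debian/Ubuntu sshd format). The script below is an added example, not part of the original post: it parses such lines and flags source IPs that exceed a failure threshold inside a sliding time window, which is what a burst of parallel attempts looks like. The log lines, host name, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure line as written to /var/log/auth.log on Debian/Ubuntu (syslog timestamp, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(lines, year=2024):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so one is supplied to make timestamps comparable
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag every source IP with at least `threshold` failures inside any
    `window_seconds` span. Returns {ip: (total_failures, usernames_tried)}."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until attempts[start..end] fits in window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(attempts), {u for _, u in attempts})
                break
    return flagged

# Constructed sample: a 12-failure burst for "root" within 3 s from one IP (what a parallel
# guessing run produces) plus an admin's two spread-out typos and one successful key login.
SAMPLE_LOG = [
    f"Mar  3 10:15:0{1 + i // 5} web1 sshd[{2300 + i}]: Failed password for root "
    f"from 192.168.0.50 port {40100 + i} ssh2" for i in range(12)
] + [
    "Mar  3 10:02:11 web1 sshd[2101]: Failed password for alice from 10.1.100.7 port 51000 ssh2",
    "Mar  3 10:09:40 web1 sshd[2188]: Failed password for alice from 10.1.100.7 port 51004 ssh2",
    "Mar  3 10:09:45 web1 sshd[2188]: Accepted publickey for alice from 10.1.100.7 port 51004 ssh2",
]

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, logins tried: {sorted(users)}")
```

Only the bursting IP is reported at the default threshold; the admin's two mistakes minutes apart stay below it, which is the distinction a lockout or alerting rule should make.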
Special thanks to editor-in-chief Keith Rayle
This is great, however all a victim needs to do is check the auth.log to see your IP and therefore your location.
Running this behind a proxychain/HYDRA_PROXY is far better – you should have covered it