Compromise SSH (Secure Shell) using Kali Linux


In this article we discuss how to penetrate or compromise SSH (Secure Shell) using Kali Linux. The Secure Shell (SSH) protocol is a network protocol mainly used to establish an encrypted communication channel across an open network between a server and a client. Commonly, a public-private key pair allows users to log in to a system without requiring a password.

Compromise SSH (Secure Shell) Overview

The public key is present on all systems that require a secure connection, while the user keeps the private key secret. The authentication is based on the private key; SSH verifies the private key against the public key. On the target systems, the public key is verified against a list of authorized keys that are permitted to remotely access the system. This supposedly secure communication channel fails when the public key is not cryptographically strong and can be guessed.

Compromise SSH – Methodology

Like RDP, SSH is vulnerable to a bruteforce attack that enables attackers to guess the user’s access credentials or simply the. For this particular example, we’ll use a tool called hydra. The hydra tool is probably the oldest bruteforce tool and is definitely the most feature-rich. It also supports attacks against the greatest number of target protocols. The hydra tool can be found by navigating to Kali Linux → Password Attacks → Online Attacks, and it can be launched directly from the command line. It is available both as a CLI (command-line) version and as a GUI version (hydra-gtk). We can use hydra from the terminal with the following command:

hydra -s 22 -v -V -L <file path/name> -P <file path/name> -t 8 <Target IP> <protocol>

The parameters in the above command are explained below:

  1. -s: Designates the port to be used. It does not need to be entered when the default port is intended; specifying it removes ambiguity and speeds up the process.
  2. -v and -V: These parameters are used to select maximum verbosity of reports.
  3. -L: To choose the login or username file.
  4. -P: To choose the password file.
  5. -t: To select the number of parallel tasks or connections. The greater the number, the faster the testing will occur. However, if the number is too high, errors may be introduced and correct passwords will be missed.

The verbose output of the initial bruteforce attack is presented in the following screenshot:

[Screenshot: compromise SSH]

After a successful login using the dictionary, hydra reports the port, the protocol, the host, and the login credentials. The tool then continues to use the dictionaries to identify other possible accounts. In the following screenshot, hydra has correctly identified an SSH account with root as the login and [email protected] as the password; the screenshot also shows the other attempts made by hydra as it tries to identify additional accounts:

[Screenshot: compromise SSH]
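Seen from the server, the run described above leaves a recognizable trail in the sshd authentication log: a burst of failed passwords from one source across several usernames, a password login accepted in the middle of it, and further failures afterwards. The following Python check is an added example and not part of the original article; the log lines are constructed, the addresses are documentation ranges, and the threshold of five failures is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth log sample (not taken from the article).
SAMPLE_LOG = """\
Mar  3 10:15:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:01 srv sshd[2102]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:01 srv sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40116 ssh2
Mar  3 10:15:02 srv sshd[2104]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar  3 10:15:02 srv sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 10:15:03 srv sshd[2106]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:15:03 srv sshd[2107]: Accepted password for root from 203.0.113.7 port 40124 ssh2
Mar  3 10:15:04 srv sshd[2108]: Failed password for invalid user test from 203.0.113.7 port 40126 ssh2
Mar  3 10:20:11 srv sshd[2140]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 10:20:19 srv sshd[2141]: Accepted password for alice from 198.51.100.20 port 51516 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def detect_bruteforce(log_text, min_failures=5):
    """Return {source_ip: finding} for sources with >= min_failures failed passwords."""
    failures = defaultdict(int)     # failed password count per source IP
    users = defaultdict(set)        # usernames each source tried
    compromised = defaultdict(set)  # accounts logged in after the failure burst
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # A password login from a source that has already failed repeatedly
            # means a guessed credential: treat the account as compromised.
            if method == "password" and failures[ip] >= min_failures:
                compromised[ip].add(user)
    return {ip: {"failures": n,
                 "users_tried": sorted(users[ip]),
                 "accepted_after_failures": sorted(compromised[ip])}
            for ip, n in failures.items() if n >= min_failures}

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a successful login, as with the second source in the sample, stays below the threshold and is not reported.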

Hydra can also generate the password list automatically. Use the following command to perform this task:

hydra -L user.lst -V -x 6:8:aA1 <Target IP address> ssh

Parameters used in the above command are described below:

  1. -x: directs hydra to automatically create the passwords used in the bruteforce attack. The passwords will be created according to the parameters that follow -x.
  2. 6:8: indicates a minimum password length of six characters and a maximum password length of eight characters.
  3. aA1: to automatically create the passwords using a combination of letters and numbers. It will use all lowercase letters (denoted by a) and all uppercase letters (denoted by A), and the numerals 0 to 9 (denoted by 1).

We can also add special characters to the generated list; however, you need to add single quotes around the -x option, as shown in the following command:

hydra -L user.lst -V -x '6:8:[email protected]#$' <Target IP address> ssh

Thanks for reading. I would recommend you to read my article on KRACKs attacks also.

