Brute Forcing SSH Passwords with Hydra


Hello, it’s Troy again, and today I will show you an extremely simple tutorial (And very short), on cracking SSH passwords.

What is SSH?

Secure Shell, (SSH) is a very simple and secure protocol which allows people to connecting between computers, primarily Linux/UNIX machines. It uses the crystallographic algorithm known as RSA to create a unbreakable tunnel between your computer, and your target. Unfortunately, as Edward Snowden has indicated, if tried hard enough, foreign agencies can easily can control of SSH. This is done either through a very weak password, or an exploit in your current version of SSH. In this tutorial, I will show you to perform a brute force attack on a target. Of course, then chances of success are very low, BUT THEN AGAIN, there’s always the chance that someone has chosen a stupid password.


Acquire a wordlist.

In order to perform the attack, you need a wordlist, which is a, well, list of words, that the program we will be using, Hydra, will use, and try different combinations of each entry. A good source for wordlists are located at PacketStorm.

There is also another way. You can acquire information about the victim, such as his/her name, their date of birth, parents, children, and any other information that could possibly be used against them, or within their password. A good example is if somebody chooses a password such as johann1210, where johann would be the name of their child, 12 their month of birth, and 10 their day of birth. A good program that allows you to compile this data into a wordlist is Ex0dus_0x’s D0xk1t, which you can find here.


Installing Hydra

Once you have some suitable wordlists, you can install Hydra. In this tutorial, I use Kali Linux, so this shouldn’t be much of an issue for most Debian Linux users.

sudo apt install hydra


Using Hydra

Now we can guess the password used by the user, by starting hydra. Here are some things you’ll need.

1.) A wordlist

2.) A possible username

3.) A target, usually an IP.


Please note that the target should be using SSH, and have the SSH port open to the world. You can find out if it’s open by using nmap, which I will explain in a different tutorial. Now we shall attack the target:

 hydra <TARGET ADDRESS HERE> ssh2 -s 22 -P <WORDLIST HERE> -L <USERNAME HERE> -e ns -t 10

Please note, that the process of cracking the process could take VERY LONG. But the results are rewarding. Usually once you have the attackers password, you have access to their OS, meaning you can do pretty much whatever you’d like, such as escalating to root privileges, or installing a back door. I hope this was informational. Please note I am not responsible for any damage caused by using this, as this is for educational purposes only.


LESSON LEARNED: Make stronger passwords!!!!



Troy Sweeney

Linux kernel contributor, C/Java programmer, hacktivist. Spends most of his time helping others stay up to current with technology, security, and end to end encryption, he also has an addiction to German pastries.