If we use these pure hacking tools ourselves, we can check how our servers appear to a black hat hacker. It is normal for a relatively new sysadmin not to know how to use them. They will also give you an idea of why odd log entries appear. Here is a real-life way to brute-force test SSH on your own server with ncrack, hydra and medusa. This is nowhere near how real black hat hackers work: they have many machines with full anonymity and huge resources of basic things such as password lists. If your password really is `password`, it will take a few seconds to discover.
Brute Force SSH Test Own Server With ncrack, hydra, medusa
Installing these tools from the repositories is easy. The commands below install a few more tools than those three:

```bash
apt-get install ncrack medusa hydra dmitry nmap  # for Debian, Ubuntu
yum install ncrack medusa hydra dmitry nmap      # for CentOS, RHEL
```
If you want to remove them completely later, you can purge them. Use wget to fetch this list of 1717681 passwords (I am not joking about the number):

```bash
wget https://dazzlepod.com/site_media/txt/passwords.txt
```
If you want more passwords, here are more:

```
https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://github.com/duyetdev/bruteforce-database
```
If the password list file is named `passwords.txt`, you are running against SSH on localhost (`127.0.0.1`), and the SSH user is assumed to be `root`, then the command will be:

```bash
hydra -l root -P passwords.txt 127.0.0.1 ssh
```
You will get an easy-to-understand response as output if the password matches one in the list. With the same criteria, the ncrack command will be:

```bash
ncrack -p 22 --user root -P passwords.txt 127.0.0.1
```
With medusa, the command will be:

```bash
medusa -u root -P 500-worst-passwords.txt -h 127.0.0.1 -M ssh
```
Yes, it is that easy to brute force! That is the basic reason we suggest changing the default username from `root` to something else, disabling root SSH access, using fail2ban and so on. After running those tools, check your logs for entries. Do not run those tools against others; they can bring a DDoS attack.
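
To go with the advice to check your logs after a test run, here is an added example (not from the original post) that applies a fail2ban-style threshold to sshd log lines: it flags a source address once it reaches `max_retry` failed passwords inside `find_time`, and reports any successful login from an address already flagged. The log lines, the host name `web1`, the thresholds and the `analyze` function are constructed for illustration; syslog timestamps carry no year, so one is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd writes to /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (CentOS/RHEL). Not real log data.
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[2101]: Failed password for root from 127.0.0.1 port 40001 ssh2
Jan 10 12:00:02 web1 sshd[2102]: Failed password for root from 127.0.0.1 port 40002 ssh2
Jan 10 12:00:02 web1 sshd[2103]: Failed password for root from 127.0.0.1 port 40003 ssh2
Jan 10 12:00:03 web1 sshd[2104]: Failed password for invalid user admin from 192.0.2.7 port 51000 ssh2
Jan 10 12:00:04 web1 sshd[2105]: Failed password for root from 127.0.0.1 port 40004 ssh2
Jan 10 12:00:05 web1 sshd[2106]: Failed password for root from 127.0.0.1 port 40005 ssh2
Jan 10 12:00:06 web1 sshd[2107]: Accepted password for root from 127.0.0.1 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, max_retry=5, find_time=timedelta(seconds=60), year=2024):
    """Return (flagged, logins). flagged maps a source IP to the time it
    reached max_retry failures within find_time; logins lists successful
    logins (ip, user, time) from a source that was already flagged."""
    recent = defaultdict(deque)      # per-IP timestamps of recent failures
    flagged, logins = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Accepted":
            if ip in flagged:        # a guess succeeded: treat as an incident
                logins.append((ip, m["user"], ts))
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures outside the window
            window.popleft()
        if len(window) >= max_retry and ip not in flagged:
            flagged[ip] = ts
    return flagged, logins

if __name__ == "__main__":
    flagged, logins = analyze(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("logins after a failure burst:", logins)
```

A single stray failure, like the one from 192.0.2.7 in the sample, stays below the threshold; an accepted password right after a burst is the entry that needs immediate attention.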