ssh bruteforcing

**tijstijs** · 09-30-2009, 08:50 AM

Hi guys,

I need some help. There is a friend of mine, who's got a server. He knows all the ssh passwords (for the home dir, and so on), but yesterday he changed the root password, and something went wrong.

It is possible that he mistyped it, or wrote it down wrong, but still he is unable to log in. So I was joking that "we can use hydra/medusa for that", but now it seems, this would be the only solution, if he can't login today, he said, we should try bruteforcing it tomorrow. This is a legal bruteforcing, nobody is hacking anything.

What we know:
- it should be 6 characters (although if he accidentally pushed a button, it is 7)
- the first 3 characters are numbers, fourth and fifth characters are alphabets (he remembers these ones), and one number at the end

My questions are:
- I've read medusa is better for ssh, is it true?
- how should I feed medusa with a wordlist?
- how should I use medusa without crashing the server?

Thanks a lot

**lupin** · 09-30-2009, 09:01 AM

Originally Posted by tijstijs

Hi guys,

I need some help. There is a friend of mine, who's got a server. He knows all the ssh passwords (for the home dir, and so on), but yesterday he changed the root password, and something went wrong.

It is possible that he mistyped it, or wrote it down wrong, but still he is unable to log in. So I was joking that "we can use hydra/medusa for that", but now it seems, this would be the only solution, if he can't login today, he said, we should try bruteforcing it tomorrow. This is a legal bruteforcing, nobody is hacking anything.

What we know:
- it should be 6 characters (although if he accidentally pushed a button, it is 7)
- the first 3 characters are numbers, fourth and fifth characters are alphabets (he remembers these ones), and one number at the end

My questions are:
- I've read medusa is better for ssh, is it true?
- how should I feed medusa with a wordlist?
- how should I use medusa without crashing the server?

Thanks a lot

Do you have physical access to the system? Grabbing passwd and shadow using a boot disk like BackTrack and feeding them into john would be a quicker way to retrieve the password.

Usage info for medusa and a comparision between medusa and hydra is included at the link below - the medusa homepage!

Foofus Networking Services - Medusa

Theres nothing too specific there about the various merits of each for ssh cracking.

Create your own custom wordlist based on the known parameters and feed this in.

**tijstijs** · 09-30-2009, 09:37 AM

Originally Posted by lupin

Do you have physical access to the system? Grabbing passwd and shadow using a boot disk like BackTrack and feeding them into john would be a quicker way to retrieve the password.
Create your own custom wordlist based on the known parameters and feed this in.

Thanks for the fast reply!

Of course, we have physical access, but it's a lot more complicated then trying out a few passwords remotely. Of course, if medusa fails we'll go to the server room.

Anyway, could you please post a guide, how to create a custom wordlist? thanks!

**lupin** · 09-30-2009, 10:06 AM

Originally Posted by tijstijs

Anyway, could you please post a guide, how to create a custom wordlist? thanks!

Try crunch

BackTrack Linux - Penetration Testing Distribution

Thread: ssh bruteforcing

Thread Tools

Search Thread

Display

ssh bruteforcing

Posting Permissions