Breaking SSH, VNC, and other passwords with Kali Linux and Hydra


Hydra is a very fast and effective network login cracker. It will help you perform brute force attacks against SSH servers, VNC, and other services. Hydra also ships with a GUI front end in Kali; this tutorial, however, uses the command-line version of the tool, which gives you much more flexibility in how you use it.

Wordlists

This attack requires a wordlist. Kali ships with default wordlists. This demo works well with the rockyou wordlist located at /usr/share/wordlists/rockyou.txt.gz in Kali; it is gzipped, so you will need to extract it before using it. You can also use Aamir Lakhani's Dr. Chaos guide to creating your own wordlists with this tutorial: http://www.drchaos.com/creating-custom-dictionary-files-using-cewl/ or simply download a pretty decent custom-created wordlist here: http://www.drchaos.com/public_files/chaos-dictionary.lst.txt

This tutorial is based solely on cracking an SSH service running on your target host. To crack another known service, you must indicate the port or the service name to be cracked.

For example, to crack an FTP service the command would be:

hydra -l root -P /root/password.txt 192.168.0.128 ftp

 

Scanning for SSH Servers using NMAP

The first thing we will do is scan for SSH services listening on port 22. We are going to scan the entire 10.1.100.0/24 subnet, but we could also scan a single host or a range.

Here's a simple example that will scan all computers on the subnet and report any devices listening on port 22. All of this, along with the version of SSH that each server is running, is written to a text file called ssh_hosts:

nmap -p 22 --open -sV 10.1.100.0/24 > ssh_hosts

We could also have scanned it this way (skipping host discovery with -Pn and writing greppable output with -oG):

nmap -p22 --open -Pn -sV -oG ssh_hosts 10.1.100.0/24

Or another way; this presents a bare list of IPs that have SSH up:

nmap -p 22 10.44.46.0/27 | awk '/scan report for/ {print $0}' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

Next I am going to use Hydra. Hydra is a very well-known and respected network logon cracker which supports many different services. (Similar projects and tools include Medusa and John the Ripper.)

Hydra is able to use external files for passwords, usernames, or username and password combinations. Hydra can be used to brute-force many services; you name the service (or its port) on the command line, for example port 21 is the ftp service.

As a password/logon cracker (hacking tool), Hydra has been tested on the following protocols:

afp cisco cisco-enable cvs
firebird ftp http-get http-head
http-proxy https-get https-head https-form-get
https-form-post icq imap imap-ntlm
ldap2 ldap3 mssql mysql
ncp nntp oracle-listener pcanywhere
pcnfs pop3 pop3-ntlm postgres
rexec rlogin rsh sapr3
sip smb smbnt smtp-auth
smtp-auth-ntlm snmp socks5 ssh2
teamspeak telnet vmauthd vnc

We are going to enter the command

hydra -l root -P /root/password.txt 192.168.0.128 ssh

The options in Hydra are very straightforward:

-l tells Hydra you will provide a single static login (use uppercase -L with a file for multiple usernames instead).

-P password file, or (lowercase) -p for a single static password.

-t TASKS: the number of connections to run in parallel (per host, default is 16).

ssh: the protocol (service) being attacked; the service name always comes last.
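On the defending side, a Hydra run like the one above leaves a very recognisable trail in the SSH server's auth log: a burst of "Failed password" lines from one source address, arriving roughly 16 at a time with the default -t setting. The following is an added example (not part of the original tutorial) that parses OpenSSH syslog lines and flags any source with a run of failures inside a short window, noting whether a login later succeeded; the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the OpenSSH / syslog format a Hydra run would leave
# in /var/log/auth.log; the hosts, PIDs and times are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 srv sshd[4021]: Failed password for root from 10.1.100.77 port 50211 ssh2
Mar  3 10:15:01 srv sshd[4022]: Failed password for root from 10.1.100.77 port 50212 ssh2
Mar  3 10:15:02 srv sshd[4023]: Failed password for invalid user admin from 10.1.100.77 port 50213 ssh2
Mar  3 10:15:02 srv sshd[4024]: Failed password for root from 10.1.100.77 port 50214 ssh2
Mar  3 10:15:03 srv sshd[4025]: Failed password for root from 10.1.100.77 port 50215 ssh2
Mar  3 10:15:03 srv sshd[4026]: Accepted password for root from 10.1.100.77 port 50216 ssh2
Mar  3 10:20:40 srv sshd[4100]: Failed password for alice from 10.1.100.9 port 40001 ssh2
Mar  3 10:33:12 srv sshd[4180]: Accepted publickey for alice from 10.1.100.9 port 40002 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, src) for each sshd login line; syslog
    timestamps carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def find_bruteforce(text, threshold=5, window_s=60):
    """Return {src: (total_failures, success_after_burst)} for every source
    that produced at least `threshold` failures within any `window_s` span."""
    events = defaultdict(list)
    for ts, result, _user, src in parse_auth_log(text):
        events[src].append((ts, result))
    hits = {}
    for src, evs in events.items():
        fails = [ts for ts, r in evs if r == "Failed"]
        for i, start in enumerate(fails):  # slide a window over the failure times
            run = [t for t in fails[i:] if (t - start).total_seconds() <= window_s]
            if len(run) >= threshold:
                # A successful login after the burst means a guessed password worked.
                success = any(r == "Accepted" and t >= start for t, r in evs)
                hits[src] = (len(fails), success)
                break
    return hits
```

Tools such as fail2ban apply the same idea automatically; key-only authentication and rate limiting remove the password-guessing surface entirely.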
