Bruteforce on SSH Server

ayushsingh2018 edited this page Jun 4, 2018 · 2 revisions

Brute force attack on SSH (Secure Shell) Server

About SSH Protocol

SSH is an encrypted network protocol between a client and a server. The server can be accessed from any remote location using its IP address and a public key or password (depending on the authentication method it is configured to use). SSH provides a secure channel over an unsecured network, and the services it offers include remote command-line login and remote command execution. Generally, an SSH server uses port 22, but that can be changed from the command line on the server side. On Linux it is a built-in service. On Windows a third-party tool is required to run an SSH server, but starting from Windows 10 Professional it comes as an add-on feature.

Use of SSH Protocol

This protocol can be used for:

• Accessing a server computer from any remote location using the server username and password.
• Secure file transfer: because it provides a secure connection between client and server, it can be used in place of FTP as an SFTP server.
• Managing the server computer using terminal commands.

How SSH Works

Setup SSH server in Linux

On Linux, the following commands are used to manage the SSH server:

  1. Start SSH service

service ssh start

  2. Stop SSH service

service ssh stop

  3. Restart SSH service

service ssh restart

  4. Check status of SSH service

service ssh status

Setup SSH server in Windows

As Windows doesn’t come with an SSH server, we are using a third-party tool called freeSSHd, which is free SSH software, to create an SSH server on Windows. Link to Download

Download the first link, freeSSHd.exe, and execute it.

After the installation process, open the freeSSHd application and create a server using the following steps:

I. Creating a New User in SSH server

Click on Add to create a new user, so that a client can be recognized by the SSH server and can authenticate itself using a password or public key.

II. Adding User Properties

Input the login ID and choose the authorization method from three options: NT authentication, Password stored as SHA1 hash, Public Key (SSH only). If the password option is chosen, provide the password; otherwise leave the password fields blank. The server can select which features the client of that user may use by checking the three options under the “User can use” title.

The new user has now been created, and it can be modified by clicking on the Change button.

III. Starting Logging

Click on the Logging tab.

Provide the file location for the log. Logs will be generated in txt format.

IV. Start the SSH service

Click the “SSH server is not running.” link to start the SSH server. If it shows an error like this, then open Command Prompt with elevated privileges and type the following commands:

netstat -ano | findstr :22

This command is used to get the PID of the process using port 22. Then terminate that process, using the PID that netstat reported (3680 in this example):

taskkill /PID 3680 /F

Then repeat Step IV and the SSH server will start without any problem.

Client Side SSH

Now we look at the client side. First we log in using the username and password of the SSH server we have created:

ssh username@ipaddress

As we can see, we have gained access to the command prompt of the SSH server.

On Windows, install Cygwin from the Download Link to connect to the SSH server.

After installation, use the Linux command above to connect to the SSH server.

Bruteforce Attack on SSH server

We are using Hydra to run a brute-force attack on the SSH server to retrieve its password. Use this link to download Hydra for Windows and follow the instructions written on it.

Download it using the whole archive link and extract it to a location, then open that location in Command Prompt and use the following command:

Hydra -l as -V -x 3:4:1 192.168.1.7 ssh

Here Hydra is the software name. -l specifies the username, which is written next to it (“as”). -V activates verbose output. The password candidates are generated by “-x 3:4:1”: “-x” stands for password generation, “3” is the minimum length of the password, “4” is the maximum length of the password, and “1” stands for numbers. This can be changed: if the password contains letters it would be written as “1aA”, where “a” stands for small letters and “A” stands for capital letters. This command can be used on Linux as well.

With this command the brute-force attack is started. As we can see, each and every combination is tested with the username, and if a combination matches it generates a window like this.

From this we can see that a matched combination of USERNAME “as” and PASSWORD “123” was found. It also shows the rate of attempts, the total number of combinations it has to try, and the amount of time it will take to complete.

Checking logs

Checking the SSH server logs for unusual activity is a must, as the machine cannot distinguish unusual activity by itself unless proper measures are implemented. To check for a brute-force attack we can look at the logs and see the difference easily.

Usual Activity log

Logs After Bruteforce Attack

As we can see, after the brute-force attack the log shows multiple connection attempts made within a second. By watching the logs we can stop the brute-force attack by blocking the IP address 192.168.1.3, or by directing its requests to a reCAPTCHA page. If a human made those attempts, we can still provide the service to the user and so preserve availability. If the requests are computer-generated, we can block them and protect our SSH server.
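
The check described above can be automated. The following is an added example, not part of the original wiki page: it flags source addresses that produce a burst of failed logins inside a short sliding window. It assumes OpenSSH-style auth log lines (the page's freeSSHd log screenshots are not available); the sample log, the `find_bruteforce` name and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH auth.log style (assumed format, not freeSSHd's).
SAMPLE_LOG = """\
Jun  4 10:02:05 server sshd[810]: Failed password for as from 192.168.1.5 port 50120 ssh2
Jun  4 10:02:11 server sshd[811]: Accepted password for as from 192.168.1.5 port 50122 ssh2
Jun  4 10:09:40 server sshd[850]: Failed password for invalid user bob from 192.168.1.8 port 40111 ssh2
Jun  4 10:10:10 server sshd[851]: Failed password for invalid user bob from 192.168.1.8 port 40113 ssh2
Jun  4 10:15:01 server sshd[902]: Failed password for as from 192.168.1.3 port 51001 ssh2
Jun  4 10:15:01 server sshd[903]: Failed password for as from 192.168.1.3 port 51002 ssh2
Jun  4 10:15:01 server sshd[904]: Failed password for as from 192.168.1.3 port 51003 ssh2
Jun  4 10:15:02 server sshd[905]: Failed password for as from 192.168.1.3 port 51004 ssh2
Jun  4 10:15:02 server sshd[906]: Failed password for as from 192.168.1.3 port 51005 ssh2
Jun  4 10:15:02 server sshd[907]: Failed password for as from 192.168.1.3 port 51006 ssh2
"""

# Timestamp, user and source IP of a failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def find_bruteforce(log_text, max_failures=5, window_seconds=1, year=2018):
    """Return {ip: peak failures} for sources reaching max_failures failed
    logins within any window of window_seconds. Syslog lines carry no year,
    so one is supplied by the caller."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        stamp, _user, ip = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop attempts that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 1s, candidate for blocking")
```

A user who mistypes a password once (192.168.1.5) or retries slowly (192.168.1.8) stays under the threshold, so only the automated burst is reported.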
