BASH Script for Dictionary Attack Against SSH Server

Although there are several dictionary password attack tools available for Linux, such as Hydra, Ncrack and Patator, I decided to practice BASH scripting and write a script, getsshpass.sh. The script performs a dictionary attack against an SSH server. It reads usernames and passwords from two dictionaries (one for usernames and one for passwords) and uses them to log in to the SSH server. The script also supports resuming an interrupted run. It can be stopped without losing the progress of the guessing because it saves the last used username and password in the file 01xza01.txt. Once the script is started again, it continues guessing from the saved credentials until the correct username and password are found. It then stores the found credentials in the file x0x901f22result.txt and displays the result on the output. If no valid combination of username and password is found, the script displays a warning message and finishes.

The parameters of the script are shown below. The number of parallel SSH sessions is controlled with the parameter -n. This parameter tells the script how long to wait, in seconds, before a new SSH session is started, so changing its value effectively slows down or speeds up the creation of parallel SSH sessions. If no value is entered, the script defaults to 0.1 second.

Picture 1 - Script Parameters

Testing
An example of the script usage is shown below. The script takes 3 minutes and 29 seconds to find a password located on the 5000th row of the dictionary rockyou.txt (14344393 lines).

$ ./getsshpass-0.9.sh.txt -a 172.17.100.2 -d 22 -p rockyou.txt -u users.txt -n 0.04

<Output truncated>

Trying username: 'brezular' and password: '852963'
Trying username: 'brezular' and password: 'zanessa'
Trying username: 'brezular' and password: 'hateyou'
Trying username: 'brezular' and password: 'familyguy'
Trying username: 'brezular' and password: 'dogdog'
Trying username: 'brezular' and password: 'charm'
*** Found username: 'brezular' and password: 'xxxxxx' ***
Ellapsed time: 3m 29.13s
Program teminated.

The SSH cracking performance of the script was even better than that achieved with the popular online password cracking tool THC Hydra. It took Hydra 4 minutes and 45 seconds to find valid credentials using the maximum allowed 64 parallel sessions, compared to 3 minutes and 29 seconds for the script.
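From the defender's side, a run like the one above leaves a recognisable trace in the sshd log: a burst of "Failed password" events from one source inside a short window, followed by an "Accepted password" for the same user from the same source. The Python below is an added example, not the getsshpass.sh script or any code from this post; it parses constructed auth-log lines (the host name, source addresses and timestamps are made up) and flags that pattern, with the window length and failure threshold chosen as assumptions.

```python
# Added example (not the page's script): flag SSH dictionary-attack bursts in
# sshd log lines, escalating when the same source then logs in successfully.
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$")

def parse(line, year=2024):
    """Return (timestamp, result, user, src) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect(lines, window_s=60, threshold=10):
    """Map source IP -> (failures in window, users tried, success after burst)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)      # src -> usernames seen in those failures
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            users[src].add(user)
            if len(q) >= threshold:
                alerts[src] = (len(q), sorted(users[src]), False)
        elif src in alerts:       # valid pair found right after the burst
            alerts[src] = (alerts[src][0], alerts[src][1], True)
    return alerts

# Constructed sample: 12 guesses in 12 s from one source, then a hit; one stray failure elsewhere.
SAMPLE = [f"Mar 10 12:00:{i:02d} host sshd[{1000 + i}]: Failed password for "
          f"brezular from 172.17.100.50 port {51000 + i} ssh2" for i in range(12)]
SAMPLE += ["Mar 10 12:00:13 host sshd[1013]: Accepted password for brezular "
           "from 172.17.100.50 port 51012 ssh2",
           "Mar 10 12:05:00 host sshd[1100]: Failed password for invalid user "
           "admin from 10.0.0.7 port 40000 ssh2"]
```

Calling detect(SAMPLE) reports the 172.17.100.50 burst with the success flag set, while the single failure from 10.0.0.7 stays below the threshold.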

I would like to thank Blai Peidro for his suggestions that helped me a lot to improve the script.
