Skip to content

An SSH Bruteforcer using Java, Apache Commons CLI and JCSH - built using Gradle.

Notifications You must be signed in to change notification settings

lfbr0/ssh-bruteforce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ssh-bruteforce

An SSH Bruteforcer using Java, Apache Commons CLI and JCSH.

Running

The project can be built using Gradle and has a task to make a fat jar. To make it just use: ./gradlew shadowjar. It will be available in the app\build\libs folder.

To run use java -jar ssh-bruteforce.jar <ARGUMENTS> or use gradle to run it. Both ways MUST follow the following argument rules:

  • -ip $IP_ADDR [obligatory]
  • -port $SSH_PORT [obligatory]
  • -user $USER_NAME_TO_TRY [obligatory]
  • -dict $FILE_PATH_OF_PASSWORDS_DICTIONARY [obligatory]
  • -v [verbose option to print passwords being tested, no arg]

All arguments are required except for the verbose flag.

Sample execution for example

Here's an example of this running against a Debian VM with an SSH server and a weak password. First to confirm the IP address of the SSH server:

IP address of SSH Server

To confirm it's running SSH:

SSH Server status

To prove the authentication details using PuTTY tools:

Proving SSH auth details

Using the application we can bruteforce with dictionary attack (please note the -target argument has, in newer builds, been replaced with -ip for simplicity):

Example run

TODO

To be done:

  • Multithreaded to run quicker (done, but has to be severely improved...)
  • Variable timeout
  • Dictionary attack on username
  • Attack several ports for hidden SSH ports
  • Log instead of printing to stdout