Security Basics mailing list archives
Re: help:tool to bruteforce ssh connections
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Thu, 7 May 2009 11:50:42 -0430
On Wednesday 06 May 2009 15:15:16 Andy Harley wrote:
> Is ssh brute forcing at all effective?

Of course it is not 100% effective. The weakness here is the number of users who use predictable passwords. Here is the statistical proof.

Suppose that every person has an estimated statistical probability of 0.05 (5%) of having a password from the top 100 passwords. Suppose that an attacker knows the username list.

If the username list has 25 users, the probability of cracking at least 1 password using a short attack is: 1-(1-0.05)^25 = 0.72 (72%).

If the username list is as big as 60 known usernames, the probability of cracking at least 1 password using a short attack is: 1-(1-0.05)^60 = 0.95 (95%).

Proof concept: not the probability of (the probability of not having a weak password in a sequence of n accounts).

> Surely most people running an ssh server would be wise to check logs or run something similar to denyhosts?

Not at all. It is not easy. I have an SSH server, and receive daily more than 10 different attacks from worms trying to SSH brute-force me. Unless I install some automated prevention system, it's humanly impossible to halt by hand every hazard coming from outside. But the real defense line here is to have a GOOD password policy.

> On Thu, May 7, 2009 at 3:15 AM, Aarón Mizrachi <unmanarc () gmail com> wrote:
> > On Wednesday 06 May 2009 06:48:09 vibisreenivasan wrote:
> > > hello, is there any tool to bruteforce ssh login. regards vibi
> >
> > THC-Hydra.
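
The log checking and automated prevention discussed in the message above can be sketched as a small detector. This is an added example, not part of the original thread and not DenyHosts' own code; the function name, thresholds, host name and the constructed sample log (documentation-range IP addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failed-password line as it appears in syslog (auth.log / secure).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce_sources(lines, max_failures=5,
                            window=timedelta(minutes=10), year=2009):
    """Return {ip: sorted usernames tried} for every source with more than
    max_failures failed logins inside a sliding time window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    users = defaultdict(set)     # ip -> every username that source attempted
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = users[ip]
    return {ip: sorted(names) for ip, names in flagged.items()}

# Constructed sample: one source guessing six accounts within seconds, and
# one legitimate user who mistypes twice and then logs in.
NAMES = ["admin", "test", "guest", "oracle", "root", "mysql"]
SAMPLE_LOG = [
    f"May  7 11:50:{i:02d} host sshd[{2100 + i}]: Failed password for "
    f"invalid user {u} from 203.0.113.7 port {40000 + i} ssh2"
    for i, u in enumerate(NAMES)
] + [
    "May  7 09:00:00 host sshd[1900]: Failed password for alice from 198.51.100.20 port 50222 ssh2",
    "May  7 11:55:00 host sshd[2200]: Failed password for alice from 198.51.100.20 port 50229 ssh2",
    "May  7 11:55:09 host sshd[2201]: Accepted password for alice from 198.51.100.20 port 50230 ssh2",
]

if __name__ == "__main__":
    for ip, names in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} usernames tried: {', '.join(names)}")
```

The flagged addresses are what a blocking tool would feed into a deny list or firewall rule; the sliding window keeps an occasional mistyped password from triggering a block.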