Re: help:tool to bruteforce ssh connections

[Aarón Mizrachi <unmanarc () gmail com>]

On Miércoles 06 Mayo 2009 15:15:16 Andy Harley escribió:
> Is ssh brute forcing at all effective? 
of course are not 100% effective.

The weakness here is the amount of users that uses predictable password.

Here is the statistical proof.

Suppose that every people have an estimated statistical probability of 0.05 
(5%) of have a password from top 100 passwords.

suppose that an attacker known the username list.

if the username list are 25 users, the probability of crack at least 1 
password using a short attack is:


1-(1-0.05)^25 = 0.72

72%.


If the username list are too big as 60 known usernames, the probability of 
crack at least 1 password using a short attack is:

1-(1-0.05)^60 = 0.95

95%.


proof concept:
not the probability of (The Probability of not to have a weak password in a 
secuence of n accounts)

> Surely most people running an
> ssh server would be wise to checking logs or running something similar
> to denyhosts?
not at all.

is not easy. I have an SSH server, and receive daily more than 10 different 
attacks from worms trying to ssh bruteforce me.

Unless i install some automated prevention system, its humanly impossible to 
halt by hand every hazzard comming from outside.

But the real defense line here is to have GOOD password policy.
> On Thu, May 7, 2009 at 3:15 AM, Aarón Mizrachi <unmanarc () gmail com> wrote:
> > On Miércoles 06 Mayo 2009 06:48:09 vibisreenivasan escribió:
> > > hello,
> > >       is there any tool to bruteforce ssh login.
> > > regards
> > > vibi
> >
> > THC-Hydra.
> >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: InfoSec Institute
> > >
> > > Learn all of the latest penetration testing techniques in InfoSec
> > > Institute's Ethical Hacking class. Totally hands-on course with evening
> > > Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified
> > > Penetration Tester exams, taught by an expert with years of real pen
> > > testing experience.
> > >
> > > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
> > Instructor-Led and Online formats is the most concentrated exam prep
> > available. Comprehensive course materials and an expert instructor means
> > you pass the exam. Gain a laser like insight into what is covered on the
> > exam, with zero fluff!
> >
> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> > ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------