This report is a methodological template detailing a successful targeted SSH brute-force attack using the Hydra tool, designed to secure initial access in a CTF environment. It explains the core principle of intelligence-driven wordlist creation, where highly specific user and password files are generated from thematic clues (e.g., character names, security phrases) to maximize success against the SSH service. The document provides the exact command structure, hydra -L <USERLIST_PATH> -P <PASSLIST_PATH> ssh://<TARGET_IP> -t 4, and highlights the importance of the low threading setting (-t 4) for maintaining stealth and bypassing network defenses like tcpwrapped.

Targeted SSH Brute Force

1. Core Principle: Intelligence-Driven Wordlists

The success of a critical attack like SSH brute force hinges on one rule: never brute force blindly. The CTF creator hides the password as a direct, case-sensitive phrase from the provided thematic clues. The goal is to move past large, inefficient lists and create focused dictionaries, maximizing the probability of success while minimizing detection time.

The methodology requires creating two specialized files: users.txt and passwords.txt.

A. Creating the users.txt File (Login Candidates)

The username list should contain every unique proper noun or alias discovered during reconnaissance.

| Username Source | Rationale |
| --- | --- |
| Verified Identities | Names heard in video dialogues (e.g., wernerbrandes), and case variations. |
| Character/Alias Clues | Unique names from file archives, HTML comments, or flag hints (e.g., leroybrown, Abbott, Cosmo, Bishop). |
| Format | Always include both standard lowercase (e.g., leroybrown) and likely case-sensitive variations (e.g., WernerBrandes). |

B. Creating the passwords.txt File (Key Candidates)

The password list should be a comprehensive collection of every direct, thematic, or suspicious string found, especially those requiring specific casing.

| Password Source | Rationale |
| --- | --- |
| Security Phrases | Exact dialogue quotes from videos (e.g., MyVoiceIsMyPassport, verify me) and common contractions (VerifyMe). |
| Thematic Words | Words derived from songs, movie titles, or anagrams (e.g., Doris, leroybrown, toomanysecrets, SetecAstronomy). |
| Known Leaks/Aliases | Any previously discovered low-value passwords or aliases used as a potential password (e.g., Darth Vader, yourmother). |

2. Execution Command: Hydra Brute Force

The Hydra tool is used to execute the combination attack against the SSH service. The low threading setting is critical to manage server defenses.

The Command Structure:

hydra -L <USERLIST_PATH> -P <PASSLIST_PATH> ssh://<TARGET_IP> -t 4
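
Seen from the defender's side, a low thread count slows this method down but leaves its signature in sshd's auth log: one source address failing against several distinct usernames, possibly followed by a successful login. The detector below is an added example, not part of the original report; the log lines are constructed in OpenSSH's message format with documentation IP addresses, and the thresholds and the `analyze` function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth-log format (documentation IPs).
SAMPLE_LOG = """\
Mar 10 10:00:01 ctf sshd[1001]: Failed password for invalid user cosmo from 203.0.113.7 port 40112 ssh2
Mar 10 10:00:09 ctf sshd[1002]: Failed password for invalid user bishop from 203.0.113.7 port 40114 ssh2
Mar 10 10:00:17 ctf sshd[1003]: Failed password for invalid user abbott from 203.0.113.7 port 40118 ssh2
Mar 10 10:00:26 ctf sshd[1004]: Failed password for leroybrown from 203.0.113.7 port 40120 ssh2
Mar 10 10:00:31 ctf sshd[1005]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar 10 10:00:34 ctf sshd[1006]: Failed password for wernerbrandes from 203.0.113.7 port 40124 ssh2
Mar 10 10:00:40 ctf sshd[1007]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
Mar 10 10:00:43 ctf sshd[1008]: Accepted password for wernerbrandes from 203.0.113.7 port 40126 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for "
                      r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def analyze(log_text, min_users=3, min_failures=5):
    """Flag sources that fail against many distinct usernames.

    Counting distinct usernames per source, rather than failures per minute,
    keeps the check effective when the attempts are deliberately slow.
    Thresholds are assumptions; tune them to the environment.
    """
    failures = defaultdict(list)   # ip -> usernames of failed attempts
    successes = defaultdict(list)  # ip -> logins that followed failures
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m["ip"]):
            successes[m["ip"]].append(m["user"])
    findings = {}
    for ip, users in failures.items():
        distinct = sorted(set(users))
        if len(distinct) >= min_users and len(users) >= min_failures:
            findings[ip] = {"failures": len(users),
                            "distinct_users": distinct,
                            "logins_after_failures": sorted(set(successes[ip]))}
    return findings

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty `logins_after_failures` list marks an account to treat as compromised; the single mistyped password from 198.51.100.20 stays below both thresholds and is not flagged.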