why did you put that shit in the background

Ever heard of denyhosts? I hope your "dictionary" has the right guess in the first 3 attempts.

LOL 3 line dictionary

log simply extracting password from dictionary. if password is not based on dictionary word, then this SHOULD FAIL. No use.

Looking at this from a "keys per second" perspective this isn't very effective. Most SSH servers worth cracking into have user passwords with a force-change of password every two weeks - two months. You tried 2 keys/sec. In a typical 10 character password using only lower case lettering and 0-9 you have 36 characters. 36 characters^10 = 3,656,158,440,062,976 possibilities. If the password used is truly random and you run this script, you'll crack it in about 57929524.37 years.

@bgreenall01 Perhaps the best theoretical way an SSH account could be cracked would be to have a dict with EVERY password in it, divide up that dictionary 1000 times and using "grid-computing" to divide up the process between a thousand servers working on their own piece you would need to best testing about 1.15 million keys per server per sec to crack it in one year or less. This would likely just lead to a massive denial of service / FBI raid on your server farm.

Yeahhhh, I'm not buying this... FYI, RAP SUCKS!

sdghsdgdsgdg

Hello boys. This is a computer. COM PU TER. dsghsgsdg you should learn this firstly. After that you can hack some computer.

What Distro?

Awesome. Think it's gr8 for a beginner as me to see where to begin entering a system. I am not a noob when it comes to prgramming, i know C/C++ and assembly but haven't really figured out where to begin hacking. Would love to do some more research SSH u know like the protocols and such. Any good tips on explanations for the SSH service

Lame. First off kannelal has some wrong statments, but...

Anyone who's got a decent server set up and doesnt suck at life will disconnect a client after 3 failed attempts and will ban a client after X failed attempts (I use 4). Furthermore I get brute force attempts all the time, often if it's coming from within northamerica I will attempt to do the same thing back to them, because I know it's a local noob like you and the box that you're trying to 'hack' from isnt nearly as secure as mine

bah, this is lame.

dude, ctrl + u

mandame e script!!!!

boriddlin you are a nOOb

You need a user name and a password. If you are lucky you can find an account with root access! This is so stupid that my little brother at 18 can fall for it. But bear in mind that most he can dispose of a computer is install vista by he self, but only if he is sure he can call me immediately if something goes wrong!

nOOb

you should probably add this to your dictionary if you ever wanna crack mine> helloI1ik3CH333ZzBuR635

@TYRONEBIGGLES

LOL

Watch my vid, doing this the RIGHT way.

(@boriddlin, ive tested this script against a ssh2 server, but it failed after 3 atemps. Was this a ssh1 server you atacked in this vid?)

Several problems:

1) What are the chances that the person's passwd is gonna be a dictionary word?

2) Even if it is, the host would disconnect you after a few tries down the list.

3) This only works if the victim is running ssh, with an open firewall, without specifying a source IP address.

4) This would take forever in real life.

5) The victim would have to be running *nix.

6) You should spend your time doing something else, like getting a life.

1) There are thousands of password dictionaries out there - try one!

2) This program connects only once each attempt - a fresh connection!

3) There are hosts with ssh running openly out there - scan for one

4) Not true

5) Everyone runs unix linux

6) The Government took my pills awway...

1) thousands, but that doesn't mean you will find the "one" passwd

2) many hosts now puting brute-force attempts into ban list via ip's

3) thats true

4) can be true : try to find user + passwd + good target machine - not easy

5) absolutly not true

6) you should take a new one

7) this practice is for child

@boriddlin actually, 4 IS true. and so is 2. on all my boxes i admin, i run bruteforce detectors that parse ssh attempt logs and add an iptables DROP rule for any source ip that fails after X# of failed attempts. opening a new socket wouldn't help if you're coming from the same source.

This is just silly. That script will no more crack ssh than flapping your arms will cause you to fly.

His box's password is item 3 in his dictionary. A real dictionary attack will never find a reasonable password because reasonable passwords won't be in his dictionary.

Additionally, properly configured systems only allow a couple of failed guesses before locking out the attacker's IP, so even if he tried brute-forcing the password, it would be a short-lived and futile attempt.

Actually, I disagree. This is brute forcing - there fore password guessing - at its finest.

It only connects once - so repeated password attempts will not be logged.

If all else fails - why the hell not try this script?

@boriddlin again, you're wrong. this is not bruteforcing, this is a dictionary attack. they are completely different things.

i don't need to try the script because if i wanted to do what you did, hydra does a better job of it.

hi, nice video, though I need to make a little point here. What is here is that ssh is here brute forced, not cracked, crack means you actually break down something, like exploiting a mistake in SSH algorithm or generating buffer overflow...or even worse things...

Very interesting, thanks.

wow very nice :) good to do some viclogs and get famous in the scene :)

Haha! Point taken - I've always known about autocomplete but rarely use it my self.

My god, learn to use autocomplete.

The tab key is your _friend_.

dont be abuse :D he have 14 experience with linux and shell programming, he "evidently" KNOW it.. :D

it looks like egowanker script-kiddie - worst combination ever, sorry man -5points, you dont have idea about hack/cracking ssh

Why you calling me a script kiddie? I write in Assembler, C, C++ and a variety of other languages.

If you took the time to look at my other videos you would not have made your self look like a complete nob head now, would you?

@boriddlin don't worry, people like throwing "script kiddie" around a lot

what kinda crap is this...this is a dictionary attack.. and u call yourself a 14+ experienced....this is purely a newbie's job.