techlogia — AI and Web Development Berlin

Pentest Basics: SSH Brute Force

First offensive module: you attack a deliberately weak SSH instance. You'll learn nmap, hydra, and see live why the hardening rules from the SSH-Hardening module are not a toy. Everything happens on YOUR own lab VM (loopback) — no external target.

Duration: 45 min | Level: Intermediate | Exercises: 3

Brute force a weak root password

Pentest basics: SSH brute force (on your own VM only)

This module shows the attacker's perspective — so you understand why the hardening rules from the other modules are not a toy. Everything happens exclusively on your own lab VM (localhost/loopback) — no external target, no real victim. This is legal and ethical because it is your own system.

Key terms & tools

  • Pentest (penetration test): an authorised, simulated attack to find weaknesses before real attackers do.
  • nmap: port scanner — finds out which services/ports are open.
  • hydra: login brute-force tool — tries password lists against a service.

⚠️ Ethics & law: use such tools only on your own or explicitly authorised systems. Attacking other people's systems is a crime.

Your goal

You scan the deliberately weak SSH service on port 2222, crack the weak root password by brute force, and capture the "flag".

Exercises

  1. Identify port 2222 as open

    Concept: port scan. Before attacking, you reconnoitre the target (reconnaissance). nmap checks which ports are open. On this VM a second, deliberately weak SSH service runs on port 2222.

    Scan localhost and save the output:

    nmap -p 2222 localhost > /tmp/nmap-scan.txt

    Check: /tmp/nmap-scan.txt shows 2222/tcp open.

  2. Crack the root password

    Concept: brute force. hydra automatically tries many passwords against a login. This is exactly what bots on the internet do around the clock — and exactly why weak passwords + permitted root login are so dangerous.

    Launch a brute force against root on port 2222 with a wordlist:

    hydra -l root -P /usr/share/wordlists/lab-rockyou-mini.txt -s 2222 ssh://localhost > /tmp/hydra-output.txt

    Once hydra finds the password it prints a line host: localhost login: root password: ....

    Check: /tmp/hydra-output.txt contains a login: root password: line (the cracked password).

  3. Capture the flag

    Task: capture the flag. Log in with the cracked password on port 2222 and read the "flag" — a marker in the form FLAG{...} proving you had access. Write it to /var/log/flag-captured.

    ssh -p 2222 root@localhost
    # after login on the target instance:
    cat /root/flag.txt

    Copy the printed flag and write it (as root) to /var/log/flag-captured:

    echo 'FLAG{...}' | sudo tee /var/log/flag-captured

    Lesson: a weak password + permitted root login = full takeover. Exactly what the hardening modules prevent.

    Check: /var/log/flag-captured contains a line in the form FLAG{...}.
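
The defender's view of exercises 2 and 3, as an added example that is not part of the original course material: a password brute force shows up in the sshd log as a burst of "Failed password" lines from one source, and the takeover as an "Accepted password" line that follows it. The log lines are constructed samples in OpenSSH's wording; the function name, the threshold of 5 and the absence of a time window are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's auth-log wording (not captured from the lab VM):
# six failed root logins from loopback, a user's typo, then a successful root login.
SAMPLE_LOG = "\n".join(
    [f"May 04 10:15:{s:02d} lab sshd[{4100 + s}]: Failed password for root "
     f"from 127.0.0.1 port {40100 + s} ssh2" for s in range(6)]
    + ["May 04 10:15:07 lab sshd[4201]: Failed password for alice from 10.0.0.5 port 50001 ssh2",
       "May 04 10:15:09 lab sshd[4202]: Accepted password for alice from 10.0.0.5 port 50002 ssh2",
       "May 04 10:15:10 lab sshd[4107]: Accepted password for root from 127.0.0.1 port 40107 ssh2"]
)

# Matches sshd's password-auth result lines, including the "invalid user" variant.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5):
    """Map (source, user) -> {'failures': n, 'compromised': bool} for every
    pair that reached `threshold` failed password logins (assumed threshold)."""
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                findings.setdefault(key, {"compromised": False})["failures"] = failures[key]
        elif key in findings:
            # A success after a burst of failures: the guess worked.
            findings[key]["compromised"] = True
        else:
            # Ordinary login after a few typos: reset the counter.
            failures[key] = 0
    return findings

if __name__ == "__main__":
    for (src, user), hit in detect_bruteforce(SAMPLE_LOG).items():
        state = "LOGIN SUCCEEDED" if hit["compromised"] else "no success seen"
        print(f"{src} -> {user}: {hit['failures']} failed passwords, {state}")
```

On a real host the input would be the sshd lines from the system's auth log or journal instead of the constructed sample.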


Lab content under CC BY 4.0 – free to use with attribution (© TechLogia).
