Brute force SSH attack on HTB Nibbles

I will show you how to automate a brute force attack on SSH with the help of Metasploit.

In this blog post, I will show you how to automate a brute force attack on SSH with the help of Metasploit. The methodology that I present here can be used in a penetration test to check if the credentials of any SSH login are strong enough and, perhaps more importantly, to understand whether the blue team detects our brute force attacks.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open and write down Nibbles’s IPv4 address. Here we can also see that this is a Linux machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

Ports 22 (SSH) and 80 (HTTP) are open on Nibbles.

Ports 22 (SSH) and 80 (HTTP) are open. In this post I will focus on SSH, even if HTTP is the way in for this machine1.

Brute force SSH attack

We Google search “openssh 7.2p2 exploit”. From the results, we learn that we can enumerate users on an OpenSSH server using a malformed packet or timing attack. The idea here is to enumerate the users on this SSH server and then combine this list with common SSH passwords in order to run an automated brute force SSH attack.

To enumerate the users we will use the auxiliary/scanner/ssh/ssh_enumusers module on Metasploit with unix-users.txt as user list. Moreover, we will log the output of this module for later processing.


use auxiliary/scanner/ssh/ssh_enumusers

set rhosts

set user_file /usr/share/wordlists/metasploit/unix_users.txt

spool /root/Documents/nibbles/ssh_enumusers.log


We now extract the usernames from the log file with grep and save the output in ssh-users.txt

grep -v "not" ssh_enumusers.log | awk '{ if ($6 == "User") { print substr($7,2,length($7)-2) } }' > ssh-users.txt

We found 30 valid usernames on the SSH server of this machine.

The next step is to download a list of common SSH passwords and combine it with the username list that we already have. We first download this list which contains 21 passwords (even if the file name says 20). Then we run my shell script (s. screenshot below) to combine each username with each password. Each entry will be on its own line, and each username and password pair will be separated by a space.

This script combines each username to each password from the two original lists.

We then make this script executable with chmod 744 and run it. The new list, which is saved in users-passwords-ssh.txt, contains 630 credential pairs. Now we will use this list to run the Metasploit’s module auxiliary/scanner/ssh/ssh_login which will brute force the SSH login.


use auxiliary/scanner/ssh/ssh_login

set rhosts

set stop_on_success true

set verbose true

set userpass_file /root/Documents/nibbles/users-passwords-ssh.txt


After some minutes, this module will terminate without having found a valid combination. This is fine as we only used 21 SSH passwords. If this were a pentest, we would expect the blue team to detect our attack as we made a lot of noise banging on their doors.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!