Password Brute Force Attack using Hydra on Metasploitable 2

Durre Shaffa

Lab Environment:

  • Attacker Machine: Kali Linux (VMware Workstation)

  • Target Machine: Metasploitable 2 (VMware Workstation)

  • Network Configuration: Host-only / NAT (isolated lab environment)


1. Objective

The objective of this lab was to perform a password brute force attack on a vulnerable system (Metasploitable 2) using Kali Linux and Hydra. The exercise demonstrates how weak credentials can be exploited, highlighting the importance of strong password policies.


2. Lab Setup

  • Kali Linux: Installed in VMware as the attacker machine.

  • Metasploitable 2: Deployed in VMware as the vulnerable target.

  • Verified network connectivity and obtained the target machine’s IP address using the command:

      ip a
    

3. Methodology

Step 1: Accessing the Target System

  • Logged into Metasploitable 2 with default credentials:

    • Username: msfadmin

    • Password: msfadmin

  • Retrieved the IP address of Metasploitable 2 using:

      ip a
    

Step 2: Preparing Wordlists

  • On Kali Linux, created two files using touch:

    • user.txt → Contained 7–8 usernames including the real username (msfadmin).

    • pass.txt → Contained multiple passwords including the real password (msfadmin).

  • Edited files with gedit to insert the usernames and passwords.

Step 3: Executing Hydra Attack

  • Used the following Hydra command to perform a brute force attack:

      hydra -L user.txt -P pass.txt <Target-IP> ssh
    
  • Hydra systematically attempted all username-password combinations from the files.

Step 4: Successful Credential Discovery

  • Hydra successfully matched the correct username and password:

      [22][ssh] host: <Target-IP>   login: msfadmin   password: msfadmin
    

4. Results

  • Valid Credentials Identified:

    • Username: msfadmin

    • Password: msfadmin

  • Demonstrated that weak/default credentials are highly vulnerable to brute force attacks.

  • Hydra efficiently automated the attack by matching wordlist entries against the target.


5. Analysis & Key Findings

  • Systems using default or weak passwords are extremely vulnerable.

  • Brute force tools like Hydra can break into such systems quickly if username/password combinations are guessable.

  • Attack success emphasizes the need for:

    • Strong password policies

    • Disabling default accounts

    • Monitoring SSH login attempts
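
The "Monitoring SSH login attempts" recommendation above, as an added example that is not part of the original lab: a Python detector that flags a source IP with repeated failed SSH password attempts inside a short window and records when a successful login follows the burst. The log lines are constructed (documentation-range addresses, hostname `target`), the usual OpenSSH "Failed password for ..." syslog format is assumed, and the threshold of 5 failures in 60 seconds is an assumed value to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd auth-log lines (not captured from the lab).
SAMPLE_LOG = """\
Mar 10 10:00:01 target sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Mar 10 10:00:02 target sshd[2103]: Failed password for root from 192.0.2.10 port 40114 ssh2
Mar 10 10:00:03 target sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 40116 ssh2
Mar 10 10:00:04 target sshd[2107]: Failed password for msfadmin from 192.0.2.10 port 40118 ssh2
Mar 10 10:00:05 target sshd[2109]: Failed password for msfadmin from 192.0.2.10 port 40120 ssh2
Mar 10 10:00:06 target sshd[2111]: Accepted password for msfadmin from 192.0.2.10 port 40122 ssh2
Mar 10 10:05:00 target sshd[2200]: Failed password for msfadmin from 198.51.100.7 port 51000 ssh2
Mar 10 10:09:00 target sshd[2201]: Accepted password for msfadmin from 198.51.100.7 port 51002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures", "users", "compromised"}} for noisy sources."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; an assumed year is added for parsing.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        # Keep only failures inside the sliding window ending at this event.
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append((ts, user))
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts[ip] = {"failures": len(recent),
                              "users": sorted({u for _, u in recent}),
                              "compromised": None}
        elif ip in alerts and recent:
            # A success right after a burst of failures: a guess worked.
            alerts[ip]["compromised"] = user
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The second source in the sample (one mistyped password, then a login minutes later) is deliberately not flagged, which is the false-positive case the threshold and window exist to avoid.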


6. Conclusion

This lab successfully demonstrated how attackers can exploit weak credentials using Hydra. It reinforced the importance of enforcing strong password policies, securing default accounts, and implementing security monitoring to prevent brute force attacks.
