// MENU //
00:00 - Intro
00:16 - SSH Brute Force demo using Linode
01:37 - Your password is vulnerable
01:58 - Leaked passwords // rockyou database
03:25 - SSH Brute Force demo (continued)
05:59 - Disclaimer
06:20 - SSH Brute Force demo (continued)
10:24 - Conclusion
// Script //
Download from github here: github.com/davidbombal/ssh_bruteforcing
// Sites mentioned //
Haveibeenpwned: haveibeenpwned.com/
Kali Linux seclists: gitlab.com/kalilinux/packages/seclists/-/tree/kali/master/Passwords/Leaked-Databases
Daniel's GitHub page: github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
Could you modify this script to do telnet attacks?
Would I just have to change the port to 23?
Are the requirements for a virtual simulation of a network?
@davidbombal I have a question, please: does the Alfa AWUS036NHR support injection and monitor mode?
@benmattta I think I bought two of those. They aren't dual band, I don't think. I ended up getting Atheros, one TP-Link T2U Plus, I even bought a Netgear. They all work great. That specific Alfa is the one I bought. Didn't have much luck with it on Linux on either my Mac or my Dell.
There are sooo many scammers in your comments that you need to do a vid on securing an SSH server using fail2ban and like tools.
I don't have words to express my feelings, literally you are a great person, thanks for the wonderful information David Sir... ❤
Thanks Mr David suggestion from my side is make a playlist on hacking with termux. It will be great playlist ever in your channel.
Great suggestion!
I love your vids. I'm newish on the subject of security. You're very clear and concise and I'm glad I found you. Your posts are most often the highlight of my news feeds. Shit hot man :)
The Start of the Video!!!!!! EPICCCCCC!!!!!!!! great way to start a video. Much love from Uganda.
NOW THIS IS THE TECH TIPS!
Kudos Good Sir And May You Keep Us the IT Peasants well informed.
If someone sets up an SSH server, one should assume that he/she has the appropriate knowledge to do so and takes some precautions against attacks like this:
1) never let user root log in
2) use fail2ban to ban a certain IP address for a certain amount of time after a certain number of failed attempts - which I thought to be a no-brainer with SSH.
And those attempts will definitely be logged!
If you fail to properly set up your SSH server, I can't see a need for proper passwords. The Ashley Madison hack mentioned here is an excellent example of (presumably) good passwording but failed administration on the server side (weak hashes, no salt'n peppa, etc.).
No matter how strong / safe your password or your password manager is, if the server admins fail, there is no protection!
But definitely a good Python training.
If a server admin doesn't use fail2ban, uses weak, unsalted hashes - but strong passwords - how does this diminish the server's security against outside attacks?
@APerson-jf2md Hi and thanks for the question!
Sure, if a password is strong enough, it is supposed to be secure enough!
The question is: how strong does "strong" need to be, to be secure? And from a practical position I see a need for a very strong access password compared to the "owner's password" that you need as a member of the sudoer group and that you need on a more regular basis.
But no doubt - there is a certain laziness even among admins too.
The best practice for both max secure access AND convenience should be using
a) certificates instead of passwords
b) disable external access as root
c) use fail2ban to stop attempts as early as possible, because "no access - no probing"
So I see David's Python script as an excellent example to show admins the general problem of using password-based SSH access and make them switch to certificate-based SSH login:
no password, no password cracking.
If password access is used, the passwords need to be stored server-side - hopefully not in plaintext.
The notorious Ashley Madison hack covers this aspect and was - to my knowledge - not an SSH misconfiguration. Actually I do not know how they got the user data. But they were able to reveal most of the passwords from the hashes.
This shows the importance of using strong hash procedures besides strong passwords, because weak (MD5) or completely missing server-side hashing renders all client effort useless!
Even worse - beyond a policy statement, a customer has no control over how his/her passwords are treated server-side.
To my surprise, the very strong hash Argon2 seems to be rarely in use.
The Argon2 hash needs a lot of CPU and memory, especially in comparison to the SHA family, which is optimized for speed. The increase in CPU cycles reduces the max possible number of hashes per second and the increase in needed memory decreases or prohibits too many concurrent hashes.
So it takes much longer to calc one hash, which does not matter when you want to verify just ONE given password, but when it comes to mass calculating hashes, for example for the rockyou list, it "literally" takes years.
Anyway!
To summarize - YES, a strong enough password is strong enough, but not recommended for various (practical) reasons. The certificate approach is considered way more secure and more convenient.
So when you consider using the Python script beyond practicing against a "real" SSH server, expect to be noticed, logged(!) and blocked.
@tomschulte3237 Thanks for the reply. I do agree on most of your points, but you might have missed mine - so I'm gonna up the "provocation" a notch:
An SSH server with plaintext password for root in /etc/shadow, no fail2ban, root login allowed and a random password of only 8 (as in eight) characters is absolutely fine and secure. :)
(If you could test 1000 passwords via network per second it would take ~25k years for a 50:50 chance that you'd get it right).
[and it goes without saying: please don't do that nevertheless... ..ok.. I guess I said it..]
Very often people mix up "best security practices" (common ones like: no root login, certs/keys instead of passwords,..) with "things you always do". While they all have their right of existence, they do not apply in every case. On e.g. an SQL server with one "disabled" (a.k.a. no login password) database user and root SSH access only, my "most-unsecure" setup from above would be totally fine to use and renders SSH as IV useless - on that machine there are other things you would care (a lot) more about.
So what I'm saying is: do not use "things that can increase security" as "general rules" (e.g. fail2ban could be a DDOS for yourself in certain configs).
I initially just responded to your comment because all your suggestions (while very good ones in the right context) would not have any impact on the word-list attack from this video as long as your password is not in those word lists (and a root password really shouldn't be ;)).
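The failed-attempt logging and fail2ban-style banning argued over in this thread, as an added example (not part of any comment, and not fail2ban's or the video's code): a sliding-window counter over sshd auth-log lines that also flags a successful login following a burst of failures, and skips an allowlisted range to avoid the self-lockout mentioned above. The log lines, addresses and the `analyse` function are constructed for illustration; the parameter names only mirror fail2ban's `maxretry`, `findtime` and `ignoreip` settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in OpenSSH auth-log style (documentation IP ranges only).
SAMPLE_LOG = """\
Mar 10 10:00:01 srv sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 10:00:03 srv sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 10:00:05 srv sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 10 10:00:09 srv sshd[815]: Failed password for root from 203.0.113.50 port 51000 ssh2
Mar 10 10:01:00 srv sshd[820]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Mar 10 10:01:04 srv sshd[820]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Mar 10 10:01:09 srv sshd[820]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Mar 10 10:02:10 srv sshd[830]: Failed password for deploy from 198.51.100.23 port 33100 ssh2
Mar 10 10:02:12 srv sshd[830]: Failed password for deploy from 198.51.100.23 port 33100 ssh2
Mar 10 10:02:14 srv sshd[831]: Failed password for deploy from 198.51.100.23 port 33102 ssh2
Mar 10 10:02:16 srv sshd[832]: Accepted password for deploy from 198.51.100.23 port 33104 ssh2
Mar 10 10:15:09 srv sshd[840]: Failed password for root from 203.0.113.50 port 51010 ssh2
Mar 10 10:30:09 srv sshd[850]: Failed password for root from 203.0.113.50 port 51020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def analyse(log_text, maxretry=3, findtime=timedelta(minutes=10),
            ignoreip=("192.0.2.0/24",), year=2024):
    """Return IPs that crossed the failure threshold and suspicious successes.

    Syslog timestamps carry no year, so `year` is an assumption supplied by
    the caller. Lines are expected in chronological order, as in a log file.
    """
    ignore_nets = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    banned = {}                   # ip -> time the threshold was crossed
    alerts = []                   # (ip, user, time) success after many failures

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue              # hostname or garbage in the address field
        if any(addr in net for net in ignore_nets):
            continue              # allowlisted admin range: never counted

        ip = m["ip"]
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        # Drop failures that are older than the look-back period.
        while window and ts - window[0] > findtime:
            window.popleft()

        if m["result"] == "Failed":
            window.append(ts)
            if len(window) >= maxretry and ip not in banned:
                banned[ip] = ts
        elif len(window) >= maxretry:
            # A login that succeeds right after a burst of failures is the
            # line an incident responder needs to see first.
            alerts.append((ip, m["user"], ts))

    return {"banned": banned, "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, when in result["banned"].items():
        print(f"threshold crossed: {ip} at {when}")
    for ip, user, when in result["alerts"]:
        print(f"SUCCESS AFTER FAILURES: {user} from {ip} at {when}")
```

The slow source (203.0.113.50, one failure every 15 minutes) never crosses the threshold, which is the trade-off behind choosing `findtime` and `maxretry`.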
David is an adorable person to me, his speech and videos are excellent!
Hey David, big fan of you and Network Chuck 😀 Love all of your videos. I'm following you and subbed to you, have been watching all of your videos, and you and Network Chuck, you guys are the best teachers ever :)
Big fan watching from Nigeria 🇳🇬🎉
Thank you!
thank you for all the great work you have been doing
This is awesome Thanks David!
Thank you very much David
You're welcome!
Need this sorts of contents 🙂💙
Glad you enjoyed the video!
This is awesome, Thank You
Thank you!
Awesome, bro David 👍🏻
Nobody uses passwords for SSH, but keys. Otherwise login attempts are strictly limited. If you encounter a machine with an SSH password which allows you to brute force - most likely you are in a honeypot
the world is not too easy David ;)
But thanks for the videos, you're doing a great job, man
Great David !! Thank you
Also, when you're doing it there will be a log file of your IP in the victim server's SSH logs
Great video❤
Thank you David.. you are awesome
Perfect job dude! u earned my sub!
Woooot 🔥🙌
Thanks!
Great video!! always clear and straight to the point. One Question. Why are there so many requirements in requirements.txt ? Am I missing something?
Am a new subscriber
Welcome!
@davidbombal yes nice I love your video
Hi, does your Python script write the found text file as soon as it gets a hit or only once it's completed going through the passwords.csv file? Many thanks
How would you do that if there was an SSH id_rsa key and the password is disabled?
requirements.txt has 440 modules
edit: great video
I need to stop struggling to learn programming. Because I'm really curious as to how I could use this type of method or something similar to get a password like aircrack but by writing my own script to either make it simpler or faster.
Chances are, unless you're an experienced developer, you'll not find anything that's faster than things like hydra, hashcat or aircrack, as there are many people developing the algorithms used there. That said, learning how to write your own quick and dirty solutions is a great way to go for education and for times when you need to do something a little out of the ordinary and normal solutions don't fit.
@samurphy thank you for the info. I'm just starting out in learning cyber security. Thing is, I don't want to get stuck at script kiddie level. I hope to actually get a decent red team job after I've got enough under my belt. So I didn't know, but I was curious after watching the video if it was possible. So thank you, I have a better understanding of something I may have to look into branching out into after a long while.
love the new intro
This would definitely automatically get flagged in a real environment with any decent security lol, probably immediately shut down too.
Still, it's cool seeing Python automating these attacks. This script would probably be great for someone to practice with on their own network to both learn cybersecurity AND Python, by using this to attack your own network, then strengthening the security until it no longer succeeds, then tweaking the Python code until it successfully gains entry, then rinse and repeat.
How to tweak? And make script stronger
@hetmilpatel3361 you need to understand the code and how it works and what it's actually doing, and be a master at Python and Kali
Hi David, thank you for the video! Is it possible to run the script with Kali Linux ProxyChaining, without having any additional Python code?
Is this script using the AsyncSSH package for python? (just curious)
We are using paramiko in this script
Thank you that was perfect 🤠❤️
Really cool video
Thank you Alejandro. Glad you enjoyed it!
Hey David your channel is trending in india
That's fantastic news! Thank you for sharing :)
Awesome, can you make a video on how to crack a captured hash or handshake using the cloud ? :]
Is there any log which records that this IP tried to connect using SSH, or any blocking system to not allow a particular machine to connect to the server with SSH?
I love your videos , and pls make a video on how to use raspberry Pi without ethernet connection with ssh ❤️❤️plssss , Love from India ❤️
Not sure what you mean? You could use a WiFi adapter on the pi
@davidbombal I mean to say that I can't make my Pi portable, I have to use the ethernet cable continuously, so is there any solution for it? I want to use my Pi anywhere without connecting it to a WiFi router with an ethernet cable. I hope you understand 🙏❤️
He just told you: a WiFi adapter. This went over your head by the looks of it, and you need internet to use it. I think you're trolling
Hi David do you have a Cisco certification exam discount voucher code?
David, you always give us such great content, love your videos, keep growing ♥️ Could you tell me, are you offering courses related to ethical hacking?
I am trying to set this up on Windows, but when I do the source .ssh........ command, it says source not installed. How can I install it? I already ran pip install source. I also want to know how to change the code so that it doesn't brute force the username, and just asks you for it. What do I do?
Hey, ChatGPT makes scripts and all this. Is it gonna take over the ethical hacking world? Would people survive along with it or will I be replaced? Make a video on that, sir. These AIs getting so good has me worried about my future and I'm just 24
Watch the second half of this video: ua-cam.com/video/Clu3-5TFdw0/v-deo.html - I asked specifically about AI
GREAT!
Thanks!
I guess I'm in need of a brute force guesser for my oldest zip file, password locked, which I created a decade ago. How do I do that?
Hi David,
Is it possible to use TP-Link router emulator in gns3. I'm unable to download Cisco router from Cisco website. Thank you
Sir, can you please make a tutorial video on how to upload files online where the files get saved with a Python script? It's a humble request from me and many others ... Looking forward to your tutorial
Hello, most of the servers block the credentials after multiple attempts...
I have tried to install this command on Windows but I can't. Does anyone know how?
David, don't you think that this may not be that effective due to the fact that the attacker may not have the private key to even get to where you may need the password?
I run the script on my Mac and when I enter an ip address it just stays blank
1:50 writing your email, phone, password: it's leaked, then sure they log them lol. Just change your password to something harder to guess and don't give it to a 3rd party lol. When will people learn. Even you
Hello David. Love the content and thought to give it a try. However, I'm having difficulty trying to fix the copy and paste from one host to another. I have read all the forums endlessly but I cannot seem to find the root of the issue.
MacOS /UTM for kali.. any ideas?
Most people ban password logins to their servers. Do you have anything to brute force the SSH private key?
use paramiko.RSAKey.from_private_key_file() method passing the ssh private key file location and password as arguments. Use the return value of that method in the .connect method as the pkey named argument.
For sure, almost anyone uses Fail2ban, btw I am working on that
why not using hydra or metasploit 😊
How would you learn Python if you don't learn to use it for interesting things? Also, as some people may say "You want to remain a script kiddie forever?" - if you learn how to use Python, you can write your own tools and also use it when hydra and other tools are not available.
@davidbombal thanks for the useful reply 👍
Really nice👍👍
Yeh a wizurd Bombul!
6:09 point taken, yet again a bad server. Not blocking multiple tries
can you do a tut on how to make a .py program that has a trial period be forever or give the username more time greeeaaat
Please compare between Kali Linux and parrot OS which is best for hacking and simplicity.
Can you explain the code for cracking mobile password with brute force attack
Ok...but why...when there are tools like hydra which are way better and fine tuned for this type of work...
How would you learn Python if you don't learn to use it for interesting things? Also, as some people may say "You want to remain a script kiddie forever?" - if you learn how to use Python, you can write your own tools and also use it when hydra and other tools are not available.
Yet people still use weak passwords. I've also seen passwords over 10 characters in this database, but very badly constructed. If the passwords leak, I have to change the passwords quickly anyway and hope that no one has logged into my accounts. Otherwise it was lost.
How to find user name of an administrator in a website?
fail2ban should stop this, right?
I know that my HDD bitlocker password is 4 digits, is there a simple way to brute force it ?
Hello sir, I am having some issues installing Nessus, the error is with plugins, please help me
Sir respect you
Python pip-3 named no module how to fix Sir
Would (or could) an IDS/IPS detect this attack?
2:38 bros mouse lacking
After five attempts you will lock 🔐 the SSH, you need good luck to do it in 4 tries, not more
I wonder whether you would get root access.
Standard root login is only enabled on console
Furthermore this will be noisy and easily detectable.
So I do doubt the usefulness
Coool!!
Thank you!
What is with IP blocking?
Successful and lovely man
Nice content david
Hi David, where do I get the python script? I want to run this against my Linode server.
GitHub
Thanks sir🙏
This is not going to work because even hobby servers use tools like fail2ban. Your IP will be banned after 3 unsuccessful ssh login attempts.
i love it🥰
Do I need to use a server?
not working in my laptop
It should at least break/stop the loop when it finds the correct password instead of trying all the passwords in the list
But it doesn't find a single access code, but many together. Also, we didn't only learn how to brute force with python, but we also learned the behavior of the server.
What if key is being used instead of password
Awesome
Thank you!
Can I install this script on Windows?
Brute forcing a server should not be possible, it's 2022, you should get blocked after a couple of tries
Anyone know about brute force attack on Insta using hydra can you suggest me the video for learning
Please make latest video on wifi hacking using that script
How to know a password that's not in the file password.csv
thank sir👍
David sir can u create the Mr robots password cracker
I don't allow root logins for SSH. Create an account that's not well known with sudo access. Fail2ban is another good tool to ban these attempts.
Who uses a password to log in on their servers?
Who uses bad passwords? Who accepts MFA bombing requests? Who puts passwords in Slack? Who does lots of other things they shouldn't.... well, unfortunately as history has shown us.... too many individuals and too many companies. Just because it shouldn't be done a certain way, doesn't mean people don't do it that way.
Hello David, I watched your previous interview video. Hire me now, I am ready 😄
super basic and very inefficient script....and it reads from a CSV file...WTF, that's like the worst type of file to read from for something like this
Love you sir from india
UA-cam please allow to teach them hacking deeply..