Brute-forcing the Raspberry Pi

Posted by Marcus - January 29, 2016

Anyone who has ever fiddled around with a Raspberry Pi knows the default username and password (they are pi and raspberry). Most people change at least the default password when they receive their Pi, but is that really enough?

This post will cover how easy it is to crack passwords on the Raspberry Pi through SSH, and what you should do instead, including a link to a how-to.

Scriptkiddies have feelings too

I could write a small Python script to do this, but since free alternatives already exist for this purpose, I will instead be using a ready-made program called Hydra, which is available for Windows and Linux.

The prerequisites for using Hydra are: an IP address, an SSH port, a username and a wordlist.

The IP address of a Raspberry Pi can be obtained in multiple ways; if, for example, you know that a certain website is hosted on a Raspberry Pi, simply look up its IP. The default SSH port is port 22, so we will be using that.
As a first approach, using the default username pi will be sufficient.
Now all that is left is to get a wordlist which is exactly what it sounds like: a list of common passwords to try out. We will come back to this.

When you have all that, simply open up a command line/terminal, change directory to your Hydra folder and issue

hydra -l pi -t num_tasks -P "path_to/wordlist.txt" ssh://pi_ip:ssh_port

This means that Hydra will log in with username pi and run the attack using the task option. From the documentation: "Experiment with the task option (-t) to speed things up! The higher - the faster ;-) (but too high - and it disables the service)"
It basically means that Hydra will try passwords in parallel. We will investigate the optimal value in a minute.
Then we specify the wordlist path and finally plug in the IP and port.

Now Hydra will run through the wordlist until it finds the correct password (which can take a while; doing this through SSH is definitely not fast). In fact, choosing a -t value above 8 will throw a warning:

[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4


I tested it out and, as seen in the figure, the tries/min stagnate after -t 7, and choosing a value of 14 or above causes Hydra to behave erratically. Therefore I went with -t 7.

This enabled Hydra to perform ~100 tries/min on my home network, or equivalently ~1.4 mio. tries/day. Very large lists of the most common passwords are readily available online, totalling around 19.9 mio. passwords (they are all merged, sorted and deduplicated in the file called merged.txt.tar.gz found through the link). To check them all, we would need around 14 days. So if a person wanted to, this could easily be done.

How to avoid scriptkiddies

We could of course simply change the username or the port, but that only lessens the problem; it doesn't solve it.
What we need is called passwordless SSH access. As the name suggests, it bypasses the normal password prompt and instead authenticates with pre-installed SSH keys. Excellent Pi-specific guides have already been written, so I suggest following one of those.

I would recommend always doing this when setting up a new Raspberry Pi (or any device which supports it).
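Key-based login only takes the wordlist attack off the table if sshd also stops accepting passwords, so here is an added example (not from the original post) that resolves an sshd_config the way sshd does, first occurrence of a keyword wins, and reports the settings that still allow password guessing. The two config excerpts are constructed, and the compiled-in defaults are the ones documented in sshd_config(5).

```python
# Constructed sshd_config excerpts: a stock-looking one where the commented line is only the
# compiled-in default (password logins stay on), and a hardened one for key-only access.
DEFAULT_CONF = """\
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""
HARDENED_CONF = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

# Compiled-in defaults per sshd_config(5) for the keywords that matter here
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}
# What each keyword must be before a wordlist run against the password becomes pointless
WANTED = {"passwordauthentication": "no",
          "challengeresponseauthentication": "no",
          "pubkeyauthentication": "yes"}

def effective_settings(conf_text):
    """Resolve keywords like sshd: comments ignored, first occurrence wins, stop at Match."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                     # everything below is conditional; not audited here
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(key)
    return settings

def audit(conf_text):
    """Return {keyword: effective value} for every setting that still allows password guessing."""
    eff = effective_settings(conf_text)
    return {k: eff[k] for k, want in WANTED.items() if eff[k] != want}

if __name__ == "__main__":
    print("stock:", audit(DEFAULT_CONF))       # {'passwordauthentication': 'yes'}
    print("hardened:", audit(HARDENED_CONF))   # {}
```

Run it against /etc/ssh/sshd_config on the Pi after installing your keys; an empty result means a guessed password no longer gets anyone in.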