Exploiting Port 22 – SSH
First, a reminder of the information Nmap returned about the SSH service after a port scan:
The first challenge, when cracking SSH credentials via brute force, is to find usernames. There are two methods to do this:
- Guess usernames from services
- Obtain usernames from a file on the machine
It would be great if you could log in via SSH as root, but this is usually disabled. To be successful, you will need a list of users on the system. This can be obtained in many ways; two methods that use SQL servers are covered later in the MySQL and Postgres sections. Both of those sections cover techniques for obtaining usernames or the /etc/passwd contents with Metasploit.
Once you have the usernames, you can try and crack the passwords.
- For password wordlists, use the ones provided with Kali or use SecLists from Daniel Miessler on GitHub: https://github.com/danielmiessler/SecLists
- If you have usernames only, use Hydra to brute-force credentials
- If you have usernames and password hashes, use John the Ripper to brute-force credentials
Brute forcing SSH using Hydra
Once you have a list of credentials, you can use Hydra as you did for the FTP service:
Brute forcing SSH using Metasploit
Metasploit has an auxiliary module that will test SSH credentials on a range of machines and report successful logins. If you have connected to a database, this module will record successful logins and hosts so you can track your access.
In addition, each successful login immediately opens a session on the remote machine, which can then often be upgraded to a Meterpreter session.
And that command shell session was upgraded to a more powerful Meterpreter session!
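From the defender's side, the Hydra and Metasploit runs described above leave a recognisable trail in the target's sshd log: a burst of failed logins from one source address across several usernames, followed by an Accepted line once a guess lands. The Python script below is an added example, not code from the original post; it parses constructed auth.log lines in OpenSSH's format and flags such sources. The sample lines, source addresses and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not captured from a real host).
SAMPLE_LOG = """\
Apr 12 10:01:02 metasploitable sshd[1201]: Failed password for invalid user admin from 192.168.56.101 port 40111 ssh2
Apr 12 10:01:02 metasploitable sshd[1203]: Failed password for invalid user test from 192.168.56.101 port 40112 ssh2
Apr 12 10:01:03 metasploitable sshd[1205]: Failed password for msfadmin from 192.168.56.101 port 40113 ssh2
Apr 12 10:01:03 metasploitable sshd[1207]: Failed password for user from 192.168.56.101 port 40114 ssh2
Apr 12 10:01:04 metasploitable sshd[1209]: Failed password for postgres from 192.168.56.101 port 40115 ssh2
Apr 12 10:01:04 metasploitable sshd[1211]: Accepted password for msfadmin from 192.168.56.101 port 40116 ssh2
Apr 12 10:05:00 metasploitable sshd[1300]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Apr 12 10:05:09 metasploitable sshd[1302]: Accepted publickey for alice from 10.0.0.7 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X from IP port N" and
# "Accepted publickey for X from IP port N" forms emitted by sshd.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Return a dict with result/method/user/ip for an sshd auth line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Per source IP: failed-attempt count, distinct usernames tried, and
    whether a login was accepted after earlier failures from that source."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(ev["user"])
        elif s["failed"] > 0:
            s["success_after_failures"] = True
    return stats

def flag_bruteforce(log_text, max_failures=5, max_users=3):
    """Source IPs exceeding the failure count or username-spray thresholds (assumed values)."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["failed"] >= max_failures or len(s["users"]) >= max_users)
```

A single failed password followed by an accepted key, as from 10.0.0.7 above, is not flagged; a source that sprays several usernames and then gets an Accepted line is the pattern worth alerting on, since a Metasploit ssh_login success opens a session straight away.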
Brute forcing SSH using the RSA method
The OpenSSL package installed on the system is vulnerable to a brute force attack because of a weakness in its random number generator (CVE-2008-0166). Searching ExploitDB you will find several exploits for this vulnerability.
Try using the one available at: http://www.exploit-db.com/exploits/5632/.
You can consult the source for more information, but basically the exploit tries every key in the directory where you placed the precalculated keys against the root account and reports whether one of these weak keys is accepted. Upon a hit, you will see something like this:
Before running it, you have to download the precalculated vulnerable keys from:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
Extract the keys to a temporary folder and also download the exploit script.
Now run the script; after a while it will find a matching key.
Then use that key to log in as root via SSH:
Brute forcing SSH using the Pubkey Method
If you manage to get your hands on the victim's private key, you can use the Metasploit ssh_login_pubkey auxiliary module! This module uses the private key to do two things:
- Get access to the victim machine
- Get access to any machines that trust the victim's private key (these must be listed in the victim machine's SSH files)
The remote private key can be obtained in many ways, and you already saw one of them. Just make sure you have the private key properly saved in a text file.
Success!
Exploiting Port 23 – Telnet
Telnet is a program used to establish a connection between two computers. It is inherently insecure because it transmits data in clear text.
Banner flaw
On the Kali box, open a terminal and telnet to the Metasploitable VM. The banner will display the credentials.
Exploiting Telnet with Metasploit
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. The same password and user files from earlier will be used for this.
And you will have another session.