Exploiting Port 22 – SSH
First, a reminder of the information Nmap returned about the SSH service after a port scan:
The first challenge, when cracking SSH credentials via brute force, is to find usernames. There are two methods to do this:
- Guess usernames from services
- Obtain usernames from a file on the machine
It would be great if we could log in via SSH as system, but this is usually disabled. To be successful, we will need a list of users on the system. This can be obtained in many ways, sometimes credentials are immediately reported either by Legion or by OpenVAS.
Once you have the usernames, you can try and crack the passwords.
- For password wordlists, use the ones provided with Kali or use SecLists from Daniel Miessler on Github: https://github.com/danielmiessler/SecLists.
- If you have usernames only, use Hydra to brute-force credentials.
- If you have usernames and password hashes, use John the Ripper to brute-force credentials.
Besides, keep in mind that sometimes it will be easy to get credentials for other running services. Then, using the previously identified credentials it is easy to create a small custom list of usernames and passwords and attempt to get more using the usual tools.
Brute forcing SSH using Hydra
Once you have a list of credentials, you can use Hydra as you did for the FTP service:
Brute forcing SSH using Metasploit
Metasploit has an auxiliary module that will test SSH credentials on a range of machines and report successful logins. If you have connected to a database, this module will record successful logins and hosts so you can track your access.
Besides, each successful login will immediately open a session on the remote machine. Then, this session can possibly be upgraded to a Meterpreter session.
You will get two high privilege command shell sessions, but it is not possible to upgrade them to Meterpreter…!
NOTE: You can see the module advanced options by typing show advanced or just advanced.
Brute forcing SSH using Nmap
Using Kali’s wordlists, you will get some results.
And you can try with your own custom wordlists.
Enumerating SSH using Metasploit
Take a close look at the OpenVAS results and you will find something else:
This vulnerability will allow you validate which usernames are used by the SSH service.
Obviously, it won’t create any session but it will help you in the refinement of the users list by rejecting all the invalid usernames. Now you can try to brute force the passwords only for these users.
Exploiting Port 80 – IIS
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
IIS Denial of Service
This vulnerability was reported by OpenVAS as being of extreme severity. It is identified by the number of the Microsoft Security Bulletin that explains it (MS15-034) and by its CVE (2015-1635).
Search for it on your Kali system:
Start with Metasploit’s scanner module:
The module works but it doesn’t return anything really interesting. However, it is a good example of how a target’s memory can be dumped and saved into the database.
Now, with the other module try to create a DoS:
And it works, the target machine immediately crashes:
There are plenty other scanners that can used against port 80 but in this case they are all useless because in that specific port there is nothing to exploit, only this:
No comments:
Post a Comment