Metasploitable 3 Windows Walkthrough: Part III

Exploiting Port 22 – SSH

First, a reminder of the information Nmap returned about the SSH service after a port scan:

Port 22 Nmap scan results

The first challenge, when cracking SSH credentials via brute force, is to find usernames. There are two methods to do this:

  • Guess usernames from services
  • Obtain usernames from a file on the machine

It would be great if we could log in via SSH as system, but this is usually disabled. To be successful, we will need a list of users on the system. This can be obtained in many ways: sometimes credentials are immediately reported either by Legion or by OpenVAS.

Hydra results displayed in the Legion scan

OpenVAS results displaying SSH credentials

Once you have the usernames, you can try and crack the passwords.

  • For password wordlists, use the ones provided with Kali or use SecLists from Daniel Miessler on Github: https://github.com/danielmiessler/SecLists.
  • If you have usernames only, use Hydra to brute-force credentials.
  • If you have usernames and password hashes, use John the Ripper to brute-force credentials.

Also, keep in mind that it is sometimes easy to obtain credentials for other running services. Using those previously identified credentials, you can build a small custom list of usernames and passwords and attempt to obtain more with the usual tools.

Brute forcing SSH using Hydra

Once you have a list of credentials, you can use Hydra as you did for the FTP service:

Brute forcing SSH with Hydra

Brute forcing SSH using Metasploit

Metasploit has an auxiliary module that will test SSH credentials on a range of machines and report successful logins. If you have connected to a database, this module will record successful logins and hosts so you can track your access.

In addition, each successful login immediately opens a session on the remote machine, which can sometimes be upgraded to a Meterpreter session.

Brute forcing SSH with Metasploit

You will get two high-privilege command shell sessions, but it is not possible to upgrade them to Meterpreter.

NOTE: You can see the module's advanced options by typing show advanced or just advanced.

Brute forcing SSH using Nmap

Using Kali’s wordlists, you will get some results.

Brute forcing SSH with Nmap

And you can try with your own custom wordlists.

Brute forcing SSH with Nmap using custom wordlists

Enumerating SSH using Metasploit

Take a close look at the OpenVAS results and you will find something else:

OpenVAS reporting enumeration vulnerability

This vulnerability allows you to validate which usernames exist on the SSH service.

Enumerating SSH with Metasploit

It won't create any session, but it helps you refine the user list by rejecting all invalid usernames. You can then brute-force passwords only for those users.
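The brute-force and enumeration activity described above leaves a recognisable trail in the SSH server's auth log. As an added example (not part of the original post), the following script, run over constructed sample sshd log lines with hypothetical hosts and users, separates three signals a defender would alert on: repeated failures from one source, many unknown usernames from one source, and a login accepted right after a run of failures.

```python
import re
from collections import defaultdict

# Constructed sample OpenSSH auth log lines (hypothetical host, sources and users).
SAMPLE_LOG = """\
Jan 10 10:00:01 ms3 sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 50211 ssh2
Jan 10 10:00:02 ms3 sshd[2203]: Failed password for invalid user test from 10.0.0.5 port 50212 ssh2
Jan 10 10:00:02 ms3 sshd[2205]: Failed password for alice from 10.0.0.5 port 50213 ssh2
Jan 10 10:00:03 ms3 sshd[2207]: Failed password for alice from 10.0.0.5 port 50214 ssh2
Jan 10 10:00:04 ms3 sshd[2211]: Accepted password for alice from 10.0.0.5 port 50216 ssh2
Jan 10 10:05:00 ms3 sshd[2301]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Jan 10 10:09:00 ms3 sshd[2303]: Accepted publickey for alice from 10.0.0.9 port 40002 ssh2
"""

# "invalid user" marks a name sshd does not know (enumeration footprint); known names that keep failing is guessing.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                    r"(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
                      r"from (?P<src>\S+) port \d+")

def analyse(log_text, fail_threshold=3):
    """Per source: failure count, usernames tried, and logins accepted after failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": set(),
                                 "success_after_failures": []})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            s = stats[m["src"]]
            s["failures"] += 1
            s["users"].add(m["user"])
            if m["invalid"]:
                s["invalid_users"].add(m["user"])
        elif (m := ACCEPTED.search(line)) and (s := stats[m["src"]])["failures"] >= fail_threshold:
            s["success_after_failures"].append((m["user"], m["method"], s["failures"]))
    return {src: {"failures": s["failures"], "users": sorted(s["users"]),
                  "invalid_users": sorted(s["invalid_users"]),
                  "success_after_failures": s["success_after_failures"]}
            for src, s in stats.items()}

def alerts(summary, fail_threshold=3, enum_threshold=2):
    """Turn the summary into findings an analyst can act on (lock out, rotate, review)."""
    out = []
    for src, s in summary.items():
        if s["failures"] >= fail_threshold:
            out.append(f"{src}: {s['failures']} failed logins across {len(s['users'])} usernames (brute force)")
        if len(s["invalid_users"]) >= enum_threshold:
            out.append(f"{src}: {len(s['invalid_users'])} unknown usernames tried (username enumeration)")
        for user, method, n in s["success_after_failures"]:
            out.append(f"{src}: {method} login as {user} accepted after {n} failures (credential likely guessed)")
    return out
```

The single failure followed by a key-based login from 10.0.0.9 stays below the thresholds, which is what keeps a typo-then-retry from paging anyone.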

Exploiting Port 80 – IIS

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

IIS Denial of Service

This vulnerability was reported by OpenVAS as being of extreme severity. It is identified by the number of the Microsoft Security Bulletin that describes it (MS15-034) and by its CVE (CVE-2015-1635).

Search for it on your Kali system:

Using searchsploit

Searching in Metasploit

Start with Metasploit’s scanner module:

Dumping the target's memory with Metasploit

The module works, but it doesn't return anything really interesting. However, it is a good example of how a target's memory can be dumped and saved into the database.

Now, try to cause a DoS with the other module:

Causing a DoS with Metasploit

It works: the target machine crashes immediately:

The DoS exploit effect on the target

There are plenty of other scanners that can be used against port 80, but in this case they are all useless because there is nothing else to exploit on that port, only this:

Metasploitable 3 port 80 banner
