Complete Metasploit Guide (part-3 Bruteforcing SSH with Auxiliary)
Bruteforcing SSH login with Metasploit Auxiliary
In this part we start working with the auxiliary modules in the Metasploit Framework and use msfconsole to scan a target machine. First, start msfconsole. If PostgreSQL is already running when msfconsole starts, Metasploit connects to its database and module searches run faster.
While it starts, bring up the target VM. I am using the OWASP Broken Web Applications (OWASP BWA) VM; Metasploitable 1 or Metasploitable 2 work just as well, and several of the attacks shown here apply to both, so start whichever you have. The VM boots to a login prompt: the username is root and the password is owaspbwa.
That gives us a standard command line. First find the VM's IP address so we know our target: the OWASP VM here is 192.168.56.101. Back in msfconsole, you can run most of the commands you would type in a regular terminal; msfconsole hands anything it does not recognise as one of its own commands to the system shell.
Let's begin with a proper scan of the OWASP VM. We covered Nmap before; a service and version scan is
nmap -sV 192.168.56.101
The -sV flag makes Nmap probe each open port and report the service and, where it can, the version running on it; the last argument is the target address (your Metasploitable machine's address if you use that instead). Run it and wait for it to finish. The output lists the open ports, the service on each, and the detected version, which is exactly what we need in order to pick Metasploit modules. Here the scan finished in 33.9 seconds.
From the open ports, let's start with SSH. Among the others, 139 and 445 run Samba smbd (Nmap reports the version as a range, 3.X - 4.X), which is another service worth attacking; Metasploitable ships, I believe, the same version, and I will show how to exploit it later on. For now we try to get in over SSH.
Port 22 is running SSH, version OpenSSH 5.3p1 Debian 3ubuntu4. We will use a Metasploit auxiliary module to brute force the SSH login on port 22 of the OWASP VM (the process is identical against Metasploitable). Start by searching for SSH modules:
search ssh
This lists every module whose name or description mentions SSH: exploits, auxiliary modules and post modules alike. We want a scanner, specifically the login scanner, and here it is:
auxiliary/scanner/ssh/ssh_login
It has no disclosure date, is ranked Normal, and is described as the SSH Login Check Scanner, which is to say the SSH brute-forcer. Before running it you can also check the SSH version with auxiliary/scanner/ssh/ssh_version, the SSH Version Scanner.
Let's start with that one. It should tell us what Nmap already did, the SSH version, but it is worth knowing because Nmap sometimes fails to report a version, and this module prints the raw identification string the server sends, which is more detailed.
As we saw in the previous article, you pick a module with use followed by its full name, then show options to list its settings. This module has four options, all required, and most already have sensible defaults. RPORT defaults to 22, which is right: SSH almost always runs on port 22, and if the target uses another port you change it here.
THREADS is the number of concurrent threads the scan uses; more threads finish faster, so pick a number your virtual machine can handle. As covered earlier, every option is set the same way: set, the option name, and the value.
The only option we must supply is RHOSTS, the target address, here our OWASP VM.
So set RHOSTS 192.168.56.101, then show options once more to confirm everything is correct, and start the module with run. It prints the SSH version the target reports on port 22, the same OpenSSH 5.3p1 that Nmap showed, along with a few other details that may be useful later.
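The version check above boils down to one protocol step, which is worth seeing without Metasploit: open a TCP connection to port 22 and read the identification string the server sends (RFC 4253, section 4.2). The Python script below is an added example, not code from the tutorial or from Metasploit. The host 192.168.56.101 it probes when given on the command line is the tutorial's OWASP VM, and the two sample banners embedded in it are constructed so the parser can be exercised offline.

```python
"""Grab and parse an SSH server identification string.

Added example, not part of the original tutorial or of Metasploit. It does the
first step that auxiliary/scanner/ssh/ssh_version performs: connect to the
port, read the identification line the server sends (RFC 4253, section 4.2)
and split it into protocol version, software version and comments. The host
given on the command line is assumed to be the tutorial's OWASP BWA VM; the
sample banners below are constructed for offline use.
"""
import socket
import sys

# The client may send its own identification first; only the protocol
# version matters to the server, so any valid-looking string will do.
CLIENT_ID = b"SSH-2.0-banner_probe\r\n"

# Constructed server responses. The first is what a server running the
# version Nmap reported (OpenSSH 5.3p1 Debian 3ubuntu4) sends; the second has
# a pre-banner text line, which RFC 4253 allows and a client must skip.
SAMPLE_PLAIN = b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n"
SAMPLE_WITH_PREAMBLE = (
    b"Authorized access only.\r\n"
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"
)


def is_identification(line: str) -> bool:
    """True if the line is an SSH identification string (starts with 'SSH-')."""
    return line.startswith("SSH-")


def find_identification(data: bytes) -> str:
    """Return the first line in the server's data that starts with 'SSH-'.

    The server may send other lines before the version string; they must not
    begin with 'SSH-', so skipping until that prefix is safe.
    """
    for raw in data.split(b"\n"):
        line = raw.decode("ascii", errors="replace").rstrip("\r")
        if is_identification(line):
            return line
    raise ValueError("no SSH identification string in server data")


def parse_banner(line: str) -> dict:
    """Split 'SSH-protoversion-softwareversion SP comments' into fields."""
    line = line.rstrip("\r\n")
    if not is_identification(line):
        raise ValueError(f"not an SSH identification string: {line!r}")
    head, _, comments = line.partition(" ")
    # maxsplit=2 keeps hyphens inside the software version intact,
    # e.g. 'SSH-1.99-Cisco-1.25' -> software 'Cisco-1.25'.
    parts = head.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed identification string: {line!r}")
    return {
        "protoversion": parts[1],
        "software": parts[2],
        "comments": comments,
        "raw": line,
    }


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect to host:port, read the identification string and parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(CLIENT_ID)
        buf = b""
        # Read until a complete line starting with 'SSH-' has arrived,
        # the server closes, or we have seen enough data to give up.
        while len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            if any(l.startswith(b"SSH-") for l in buf.split(b"\n")[:-1]):
                break
    return parse_banner(find_identification(buf))


if __name__ == "__main__":
    # With a host argument, probe it (e.g. 192.168.56.101); without one,
    # show the parser on the constructed samples.
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        print(grab_banner(sys.argv[1], port))
    else:
        for sample in (SAMPLE_PLAIN, SAMPLE_WITH_PREAMBLE):
            print(parse_banner(find_identification(sample)))
```

The point of the pre-banner handling is that a server is allowed to print text before its version line, and a naive grabber that parses the first line it receives would report garbage; Nmap's version probe and the ssh_version module both cope with this, and so should any quick check you write yourself.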
That was a simple scan. Now let's actually brute force SSH on port 22. Go back to the auxiliary modules and select the login module:
auxiliary/scanner/ssh/ssh_login
Type use followed by that path (or copy and paste it); the prompt shows the module has changed. Then show options. Unlike the version scanner, this one has many options to go through.
Some of them are required and some are not. BLANK_PASSWORDS, for example, is optional; it tries an empty password for every user. PASSWORD (the password to authenticate with) is optional too: you would set it only if you already knew a password and wanted to try it against every user, which is what that option is for.
What we do need is RHOSTS, as in the previous scan, so set RHOSTS 192.168.56.101.
Next set the thread count; three is a reasonable number for a small lab network:
set THREADS 3
RPORT is already correct at 22.
STOP_ON_SUCCESS defaults to false; its description is "stop guessing when a credential works for a host". Set it to true, because once a working credential is found there is no point in continuing, unless you want to find credentials for several accounts on the same host, in which case leave it false. So we type
set STOP_ON_SUCCESS true
Pressing Tab completes the option name. Running show options again confirms STOP_ON_SUCCESS is now true.
Set VERBOSE to true as well so every attempt is printed as it is made. This is not required, but I always enable it so I can watch the brute force progress, as we did before.
Our options should now be set, except for one thing: the module has no password list configured, so we need to supply one.
Let's find a small list. Open a second terminal window; wordlists live in /usr/share/wordlists.
We won't use rockyou.txt: it would take forever. Huge lists like that suit offline cracking, for instance Wi-Fi handshake cracking, where every guess is computed locally. Online brute forcing of a live SSH service is nowhere near as fast, since each guess is a full network login attempt, so a short list is the practical choice.
If these wordlists are missing from /usr/share, install them with
apt install wordlists
Change into the metasploit subdirectory and run ls to see the password lists that ship with Metasploit.
We do not actually need to crack this SSH login, just to show the process, so any list will do. Let's pick this one,
mirai_user_pass.txt
The name suggests it holds both usernames and passwords, and indeed each line is a username and a password separated by a space. That matches the USERPASS_FILE option, described as "file containing users and passwords separated by space, one pair per line", so that is the option to set, with the full path to the list:
set USERPASS_FILE /usr/share/wordlists/metasploit/mirai_user_pass.txt
That sets our brute-force list of username and password pairs. Run show options once more to check everything, and we should be good to go.
Type run to start brute-forcing SSH on port 22. The module works through the pairs in the list we specified, printing each attempt; these early ones all fail. When it reaches a pair that works it reports the success and, because STOP_ON_SUCCESS is true, stops guessing for that host. Among the attempts we can see root:admin, admin:admin, root:root and several others.
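mirai_user_pass.txt is a list of IoT default logins, so it may well not contain the credentials of a lab VM; a practical step before running the module is to copy the list and put known pairs at the top. The Python script below is an added example, not part of the tutorial or of Metasploit. It assumes the "user password" one-pair-per-line format the USERPASS_FILE option describes, uses root/owaspbwa (the OWASP BWA login from this tutorial) and msfadmin/msfadmin (the Metasploitable 2 default) as the known pairs, and embeds a constructed stand-in for a few lines of the real list so it runs without the wordlist installed.

```python
"""Prepare a USERPASS_FILE for auxiliary/scanner/ssh/ssh_login.

Added example, not part of the tutorial or of Metasploit. It reads a
'user password' list, puts a few known lab credentials first, drops
duplicates and lines without a password field, and writes the result to a
new file to point USERPASS_FILE at. The format is the one the module's
option text describes: one pair per line, user and password separated by a
space.
"""
import sys
from pathlib import Path

# Known lab logins: root/owaspbwa is the OWASP BWA login used in this
# tutorial; msfadmin/msfadmin is the documented Metasploitable 2 login.
LAB_CREDS = [("root", "owaspbwa"), ("msfadmin", "msfadmin")]

# Constructed stand-in for a few lines of mirai_user_pass.txt (a duplicate
# line and a blank line are included on purpose), so the script runs
# without the real wordlist installed.
SAMPLE_LIST = """\
root xc3511
root vizxv
admin admin
root admin
root root

root admin
"""


def parse_userpass(text: str) -> list:
    """Return (user, password) pairs from 'user password' lines.

    Each line is split on its first space, so the user may not contain a
    space but the password may. Blank lines and lines with no password
    field are dropped; to try empty passwords use BLANK_PASSWORDS instead.
    """
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, sep, password = line.partition(" ")
        if not sep or not user or not password:
            continue
        pairs.append((user, password))
    return pairs


def build_userpass(base_text: str, extra=LAB_CREDS) -> list:
    """Return deduplicated 'user password' lines with the extras first.

    Putting known credentials at the top means they are tried before the
    long tail, which matters with STOP_ON_SUCCESS true. The order of the
    remaining lines is preserved.
    """
    seen = set()
    lines = []
    for pair in list(extra) + parse_userpass(base_text):
        if pair in seen:
            continue
        seen.add(pair)
        lines.append(f"{pair[0]} {pair[1]}")
    return lines


def contains(lines: list, user: str, password: str) -> bool:
    """Check that a specific pair made it into the list before running."""
    return f"{user} {password}" in lines


def write_userpass(lines: list, path: str) -> str:
    """Write the lines to path and return the path."""
    Path(path).write_text("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    # Usage: python3 build_userpass.py /usr/share/wordlists/metasploit/mirai_user_pass.txt
    # Without an argument the constructed sample list is used.
    if len(sys.argv) > 1:
        src = Path(sys.argv[1]).read_text(errors="replace")
    else:
        src = SAMPLE_LIST
    out = Path(write_userpass(build_userpass(src), "lab_user_pass.txt")).resolve()
    print(f"wrote {out}")
    print(f"in msfconsole: set USERPASS_FILE {out}")
```

Point USERPASS_FILE at the generated lab_user_pass.txt instead of the original list. Lines without a password field are dropped rather than guessed: an empty password is what BLANK_PASSWORDS is for, and a username containing a space cannot be represented in this format at all.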
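Every one of those attempts is also written to the target's sshd log, which is the caveat to keep in mind when using this module anywhere but a lab: on Debian and Ubuntu systems such as the OWASP VM, sshd records a "Failed password" line per guess and an "Accepted password" line when one succeeds in /var/log/auth.log. The Python script below is an added example, not from the tutorial, that parses such lines and flags source addresses with a burst of failures followed by a success. The log lines in it are constructed to resemble the run above; 192.168.56.102 is an assumed address for the attacking Kali VM, and the process IDs, ports and users are made up.

```python
"""Find an SSH brute-force run in OpenSSH auth log lines.

Added example, not part of the tutorial. It shows what an ssh_login run
leaves behind on the target: on Debian/Ubuntu sshd writes one
'Failed password' line per guess and an 'Accepted password' line when one
works to /var/log/auth.log. The lines below are constructed; the attacking
address 192.168.56.102 is an assumed address for the Kali VM, and the
process IDs, ports and users are made up to resemble the run.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  4 10:15:01 owaspbwa sshd[2312]: Failed password for root from 192.168.56.102 port 51234 ssh2
Mar  4 10:15:01 owaspbwa sshd[2314]: Failed password for invalid user admin from 192.168.56.102 port 51236 ssh2
Mar  4 10:15:02 owaspbwa sshd[2316]: Failed password for root from 192.168.56.102 port 51238 ssh2
Mar  4 10:15:02 owaspbwa sshd[2318]: Failed password for invalid user guest from 192.168.56.102 port 51240 ssh2
Mar  4 10:15:03 owaspbwa sshd[2320]: Failed password for root from 192.168.56.102 port 51242 ssh2
Mar  4 10:15:03 owaspbwa sshd[2322]: Accepted password for root from 192.168.56.102 port 51244 ssh2
Mar  4 10:20:45 owaspbwa sshd[2400]: Accepted publickey for deploy from 192.168.56.1 port 40122 ssh2
"""

# Matches both 'Failed password for root from ...' and
# 'Failed password for invalid user admin from ...'; the 'invalid user'
# marker means the account does not exist on the target.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text: str) -> list:
    """Return one dict per sshd authentication line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None
            events.append(ev)
    return events


def suspicious_sources(events: list, threshold: int = 5) -> dict:
    """Group by source IP and keep those with at least `threshold` failures.

    For each flagged IP the result records the failure count, the distinct
    users tried, and any user whose login was accepted after failures from
    the same address, which is the footprint of a successful guess.
    """
    stats = defaultdict(
        lambda: {"failed": 0, "users": set(), "accepted_after_failures": []}
    )
    for ev in events:
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(ev["user"])
        elif s["failed"] > 0:
            s["accepted_after_failures"].append(ev["user"])
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}


if __name__ == "__main__":
    for ip, s in suspicious_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s['failed']} failures, users {sorted(s['users'])}, "
              f"accepted after failures: {s['accepted_after_failures']}")
```

The threshold is deliberately low for a lab; in production the failure count would be combined with a time window, and the "accepted after failures from the same address" signal is the one worth alerting on, since a noisy but unsuccessful brute force and a successful one look identical up to that line.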
That covers a few of the SSH auxiliary modules: we scanned the SSH version and we brute forced the SSH login. You can try both against Metasploitable and the OWASP machine. I am not sure this list contains a working username and password for those machines, so I added them to the list to show how a hit looks.
You can use any password list you like and hope it brute forces the SSH. That is it for this tutorial. In the next one we will cover another auxiliary module and use it against another service running on the OWASP VM. I hope to see you there.
Happy Hacking.