Using Metasploit to Attack Default SSH Username/Passwords The Lab Environment This is a simple brute force method to connect to a Unix machine using SSH in our pentesting lab. The target machine, a Raspberry Pi running the Kali Linux OS is up-to-date and no other changes were made to the operating system. SSH is enabled, but in reality, this can be any machine with SSH. We are using common default usernames and passwords. The machine performing the exploit is Kali Linux on VMWare. The Target Machine The Raspberry Pi is also performing no other daily responsibilities so no additional setup on this machine is required for this test. SSH is enabled during the installation and the system is up-to-date using and . apt-update apt upgrade Getting the Target IP Address If you do not know the IP address of the target machine, you can confirm the IP address of the Raspberry Pi using the or command from the console. hostname -I ifconfig In this example, the IP address of our Raspberry Pi target machine is . You will need this later so write it down. 192.168.1.95 You are done with the Raspberry Pi. It is now just another server on a network doing normal computer things with SSH enabled on Port 22. A secure Linux machine serving up web pages and user accounts on the Internet. This can be any machine, but for this example, it is our target. Setting up the Exploit On our attacking Kali Linux machine, we need to set up some files and configure Metasploit to exploit the Raspberry Pi victim’s server. There is nothing complicated here, just some small attention to detail. To keep it simple, this exploit uses a list of custom usernames and a list of select passwords. Each username and password are on separate lines in their respective files. To keep this test short and interesting, the lists contain common default usernames and passwords for some Raspberry Pi distributions. You can use any dictionary for this exploit, but we are going to create a simple one for this example. Create Username and Password files Our target group of computers in our testing lab are Raspberry Pi’s. We know the usernames and passwords for this exploit are going to consist of default usernames and passwords specific to Raspberry Pi operating systems. You can use the standard Kali password lists like xxx.txt, but that will take a lot longer to run. The success of this exploit is banking on the fact that admins do not change the default login credentials. Using your favorite text editor, create a file containing these usernames. user.txt root admin kali raspberry pi support Feel free to add additional default usernames to this file. This is only an example of using some common default usernames on Raspberry Pi devices. Create a file containing the following passwords, one password per line: password.txt root toor pi kali admin raspberry password password123 Just like the username file, feel free to add additional default passwords to this file. This is only an example of using some common default passwords on Raspberry Pi devices. Save these two files to your local directory. In this example, we are using . /home/kali/data Run a Nmap Scan My homelab for this exploit has a lot of VMs, Raspberry Pi’s, and production machines in service. Most of these have open SSH ports. With this in mind and I’m never really sure how many open SSH ports there are on my network, I’m using the following command to get a feel for the landscape. The flag says only report on SSH and the flag lists only the ports that are open. Closed ports are not included in the output. -p 22 -open kali@Victim-Pi:~$ sudo nmap -p 22 -open 192.168.1.0/24 The results from our scan show that the ssh service is running (open) on a lot of machines. Now we narrow our focus and use Metasploit to exploit the ssh vulnerabilities. We are interested in the or address because that is a Raspberry Pi and the target of our attack. nmap Victim-Pi 192.168.1.95 Our attacking machine is the or kali-server 192.168.1.207 Raspberry Pi. Using Metasploit From the ( ) command line, launch Metasploit by typing . kali-server 192.1681.207 msfconsole Metasploit provides a search engine to help us select the best exploit to exploit SSH. Entering the command shows us all of the ssh options. search ssh Scan through the output for the ssh vulnerability. For this exploit we want to use Menu Item #21 — which uses brute-force SSH login credentials with our and files we created in . Note that your menu item number most likely will be different. ‘use auxiliary/scanner/ssh/ssh_login’ username.txt password.txt /home/kali/data Enter ‘use ‘ at the msf6 > prompt. You can also enter the menu number (for example: msf6> auxiliary/scanner/ssh/ssh_login use 21 Type and / . set USER_FILE /home/kali/data/username.txt set PASS_FILE home/kali/data/password.txt The next two options, stops execution when there is a successful username/password combination and prints all status messages to the console. set STOP_ON_SUCCESS true set VERBOSE true The command configures Metasploit to use the target machine. This is the same IP address (192.168.1.95) of the machine we issued the or commands earlier. set RHOSTS hostname -I ifconfig Use the command to view additional configuration options advanced You can change any of these options for your situation, but we want quick access to the shell so . set GATHERProof false All of our configuration options are set, run the command to start the exploit. exploit After several failed login attempts, notice the entry. This line reveals that there is a successful username of with a password of combination. [+] 192.168.1.95:22 — Success ‘pi:raspberry’ pi raspberry The option we set earlier tells Metasploit to stop the attack when there is a successful username/password combination. set STOP_ON_SUCCESS true Successful Login We have now successfully logged into the Victim-Pi machine using default login credentials. Type the command to see the active Metasploit sessions. sessions Connect to the current active session, enter the command. sessions 1 At this point, you can use Unix commands as if you were a regular user of the system. To get better control of our exploit type the command to get access to a bash shell. shell Now that you have access you can use Python, Perl, and other system resources to complete your exploit. bash shell How to Prevent this Type of SSH Attack on your Network. This is a brute force attack on a common vulnerability. To mitigate your exposure you can perform the following actions. Educate users on proper usernames and passwords Disable default username/passwords Disable SSH Prevent multiple login attempts Also Published Here
