\
# Using Metasploit to Attack Default SSH Username/Passwords

# **The Lab Environment**

This is a simple brute force method to connect to a Unix machine using SSH in our pentesting lab. The target machine, a Raspberry Pi running the Kali Linux OS is up-to-date and no other changes were made to the operating system. SSH is enabled, but in reality, this can be any machine with SSH.  We are using common default usernames and passwords.

The machine performing the exploit is Kali Linux on VMWare.

# The Target Machine

The Raspberry Pi is also performing no other daily responsibilities so no additional setup on this machine is required for this test. SSH is enabled during the installation and the system is up-to-date using **apt-update** and **apt upgrade**.

# Getting the Target IP Address

If you do not know the IP address of the target machine, you can confirm the IP address of the Raspberry Pi using the **hostname** *-I* or **ifconfig** command from the console.

\
In this example, the IP address of our Raspberry Pi target machine is **192.168.1.95**. You will need this later so write it down.

\
You are done with the Raspberry Pi. It is now just another server on a network doing normal computer things with SSH enabled on Port 22. A secure Linux machine serving up web pages and user accounts on the Internet. This can be any machine, but for this example, it is our target.

# Setting up the Exploit

On our attacking Kali Linux machine, we need to set up some files and configure Metasploit to exploit the Raspberry Pi victim’s server. There is nothing complicated here, just some small attention to detail.

\
To keep it simple, this exploit uses a list of custom usernames and a list of select passwords. Each username and password are on separate lines in their respective files. To keep this test short and interesting, the lists contain common default usernames and passwords for some Raspberry Pi distributions. You can use any dictionary for this exploit, but we are going to create a simple one for this example.

# Create Username and Password files

Our target group of computers in our testing lab are Raspberry Pi’s. We know the usernames and passwords for this exploit are going to consist of default usernames and passwords specific to Raspberry Pi operating systems. You can use the standard Kali password lists like xxx.txt, but that will take a lot longer to run.

\
The success of this exploit is banking on the fact that admins do not change the default login credentials.

\
Using your favorite text editor, create a **user.txt** file containing these usernames.

\
`root   `

`admin   `

`kali   `

`raspberry   `

`pi   `

`support`

\
Feel free to add additional default usernames to this file. This is only an example of using some common default usernames on Raspberry Pi devices.

\
Create a **password.txt** file containing the following passwords, one password per line:

\
`root   `

`toor `

`pi `

`kali `

`admin `

`raspberry `

`password `

`password123`

\
Just like the username file, feel free to add additional default passwords to this file. This is only an example of using some common default passwords on Raspberry Pi devices.

\
Save these two files to your local directory. In this example, we are using */home/kali/data*.

# Run a Nmap Scan

My homelab for this exploit has a lot of VMs, Raspberry Pi’s, and production machines in service. Most of these have open SSH ports. With this in mind and I’m never really sure how many open SSH ports there are on my network, I’m using the following command to get a feel for the landscape.

\
The *-p 22* flag says only report on SSH and the *-open* flag lists only the ports that are open. Closed ports are not included in the output.

\
kali@Victim-Pi:\~$ **sudo nmap -p 22 -open 192.168.1.0/24**

 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.236Z-cl5bmsog5000o0bs62ep48piu)

The results from our **nmap** scan show that the ssh service is running (open) on a lot of machines. Now we narrow our focus and use Metasploit to exploit the ssh vulnerabilities. We are interested in the *Victim-Pi* or *192.168.1.95* address because that is a Raspberry Pi and the target of our attack.

\
Our attacking machine is the *kali-server* or *192.168.1.207*

\
Raspberry Pi.

# Using Metasploit

From the *kali-server* (*192.1681.207*) command line, launch Metasploit by typing **msfconsole**.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.239Z-cl5bmsog7000p0bs6cxyu9x4k)

Metasploit provides a search engine to help us select the best exploit to exploit SSH. Entering the **search ssh** command shows us all of the ssh options.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.240Z-cl5bmsog8000q0bs64yn654ia)

Scan through the output for the ssh vulnerability. For this exploit we want to use Menu Item #21 — *‘use auxiliary/scanner/ssh/ssh_login’* which uses brute-force SSH login credentials with our *username.txt* and *password.txt* files we created in */home/kali/data*. Note that your menu item number most likely will be different.

\
Enter ‘use *auxiliary/scanner/ssh/ssh_login*‘ at the msf6 > prompt. You can also enter the menu number (for example: msf6> **use 21**

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.240Z-cl5bmsog8000r0bs6dpmaheav)

Type **set USER_FILE** */home/kali/data/username.txt* and **set PASS_FILE** /*home/kali/data/password.txt*.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.342Z-cl5bmsoj200120bs659htb0kd)

The next two options, **set STOP_ON_SUCCESS true** stops execution when there is a successful username/password combination and **set VERBOSE true** prints all status messages to the console.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.341Z-cl5bmsoj100110bs6ei0cczap)

The **set RHOSTS** command configures Metasploit to use the target machine. This is the same IP address (192.168.1.95) of the machine we issued the **hostname -I** or **ifconfig** commands earlier.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.341Z-cl5bmsoj100100bs619ir160n)

Use the **advanced** command to view additional configuration options

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.258Z-cl5bmsogq000z0bs6f9tb85pf)

You can change any of these options for your situation, but we want quick access to the shell so **set GATHERProof false**.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.257Z-cl5bmsogp000y0bs64wlh8039)

All of our configuration options are set, run the **exploit** command to start the exploit.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.255Z-cl5bmsogn000x0bs61fsn9uhy)

After several failed login attempts, notice the **\[+\] 192.168.1.95:22 — Success ‘pi:raspberry’** entry. This line reveals that there is a successful username of *pi* with a password of *raspberry* combination.

\
The **set STOP_ON_SUCCESS true** option we set earlier tells Metasploit to stop the attack when there is a successful username/password combination.

# Successful Login

We have now successfully logged into the Victim-Pi machine using default login credentials.

Type the **sessions** command to see the active Metasploit sessions.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.254Z-cl5bmsogm000w0bs68kay4aa2)

Connect to the current active session, enter the **sessions *1*** command.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.247Z-cl5bmsogf000v0bs6887yb7tz)

At this point, you can use Unix commands as if you were a regular user of the system.

\
 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.246Z-cl5bmsogf000u0bs6c0exelyk)

To get better control of our exploit type the **shell** command to get access to a bash shell.

 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.246Z-cl5bmsoge000t0bs67mt28ifg)

Now that you have *bash shell* access you can use Python, Perl, and other system resources to complete your exploit.

 ![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-2022-07-07T22:59:35.245Z-cl5bmsogd000s0bs6ays1euju)

# How to Prevent this Type of SSH Attack on your Network.

This is a brute force attack on a common vulnerability. To mitigate your exposure you can perform the following actions.

* Educate users on proper usernames and passwords
* Disable default username/passwords
* Disable SSH
* Prevent multiple login attempts

\

---

Also Published [Here](https://medium.com/@wicked_picker/using-metasploit-to-attack-default-ssh-username-passwords-73312a5a67a)

Target

 Linux and Cybersecurity Writing

Technical Writer

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

Attack Default SSH Username/Passwords Using Metasploit

Too Long; Didn't Read

Company Mentioned

@fatman

RELATED STORIES