Options of the SSH login scanner module (auxiliary/scanner/ssh/ssh_login) as listed by show options; a value after "=" is the module's default:
- RHOSTS (required): The target address range or CIDR identifier
- RPORT = 22 (required): The target port
- STOPONSUCCESS = false (required): Stop guessing when a credential works for a host
- THREADS = 1 (required): The number of concurrent threads
- USERNAME (optional): A specific username to authenticate as
- USERFILE (optional): File containing usernames, one per line
- VERBOSE = true (required): Whether to print.
In a brute-force attack, the hacker uses all possible combinations of letters, numbers, special characters, and small and capital letters in an automated way to gain access over a host or a service. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations.
A brute-force attack is slow and the hacker might require a system with high processing power to perform all those permutations and combinations faster. In this chapter, we will discuss how to perform a brute-force attack using Metasploit.
After scanning the Metasploitable machine with Nmap, we know which services are running on it: FTP, SSH, MySQL, HTTP, and Telnet.
To perform a brute-force attack on these services, we will use auxiliaries of each service. Auxiliaries are small scripts used in Metasploit which don’t create a shell in the victim machine; they just provide access to the machine if the brute-force attack is successful. Let’s see how to use auxiliaries.
Here, we have created a dictionary list at the root of the Kali machine.
Attack the FTP Service
Open Metasploit. The first service that we will try to attack is FTP and the auxiliary that helps us for this purpose is auxiliary/scanner/ftp/ftp_login.
Type the following command to use this auxiliary −
Set the path of the file that contains our dictionary.
Set the victim IP and run.
It will produce the following output −
As you can see, it is completed, but no session has been created. It means we were unsuccessful in retrieving any useful username and password.
Attack the SSH Service
To attack the SSH service, we can use the auxiliary: auxiliary/scanner/ssh/ssh_login
As you can see in the following screenshot, we have set RHOSTS to 192.168.1.101 (the victim IP) and the username/password list to userpass.txt. Then we issue the run command.
As can be seen in the above screenshot, three sessions were created. It means three combinations were successful. We have underlined the usernames.
To interact with one of the three sessions, we use the command msf > sessions -i 3, which connects us to session number 3.
Attack the Telnet Service
To apply a brute-force attack on a Telnet service, we take a provided set of credentials and a range of IP addresses and attempt to log in to any Telnet servers found. For this, we use the auxiliary auxiliary/scanner/telnet/telnet_login.
The process of using this auxiliary is the same as for the FTP and SSH services: use the auxiliary, set RHOSTS, set the list of passwords, and run it.
Take a look at the following screenshot. Highlighted in blue arrow are the incorrect attempts that the auxiliary did. The red arrows show the successful logins that created sessions.
Some other auxiliaries that you can apply in brute-force attack are −
SMB service − auxiliary/scanner/smb/smb_login
SNMP service − auxiliary/scanner/snmp/snmp_login
- 1 SSH Service Info
- 1.1 Metasploit SSH Exploits
- 2 Brute Force ssh_login
- 3 Private Key ssh_login_pubkey
- 3.1 Obtaining Private Key
First, a reminder of the information nmap returned about the SSH service after a port scan:
This server isn’t using the 1.0 protocol, which is hopelessly broken and easy to defeat. This means getting past SSH will be (at least) mildly challenging.
Metasploit SSH Exploits
Two SSH attacks using metasploit:
- ssh_login
- ssh_login_pubkey
Metasploit ssh_login
The first attack is ssh_login, which allows you to use metasploit to brute-force guess SSH login credentials.
- Module name: auxiliary/scanner/ssh/ssh_login
Link: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/
Metasploit ssh_login_pubkey
The second attack requires a private key. If you do gain access to the private SSH keys on a victim machine, you can attempt to authenticate with a large number of hosts and services using that private key.
- Module name: auxiliary/scanner/ssh/ssh_login_pubkey
Link: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/
We already covered how to brute force the login with Hydra (see Metasploitable/SSH/Brute Force).
Did you know you can also brute force an SSH login with Metasploit? Use the auxiliary/scanner/ssh/ssh_login module.
Setting Up the Attack
We will use the module auxiliary/scanner/ssh/ssh_login:
Set this to run on the Metasploitable virtual box target:
Running the Attack
Now run the attack:
Houston, We Have A Shell
At this point, we can create a session with the machine that we compromised. Logged in as user msfadmin:
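A credential-list run like the ftp_login, telnet_login and ssh_login sessions described above leaves a very recognisable trail on the target: a burst of "Failed password" records from one source address, sometimes followed by an "Accepted password" from the same address. The following script is an added example of the defender's view of that trail; it is not part of the original tutorial or wiki page. The log lines are constructed to resemble OpenSSH's auth.log format, and the thresholds (5 failures in 60 seconds; a success preceded by 3 or more recent failures) are illustrative choices rather than values from the page.

```python
"""Detect SSH password guessing in auth.log style records.

Added example, not part of the original tutorial. The sample records below
are constructed; the thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the syslog format OpenSSH writes to auth.log.
SAMPLE_LOG = """\
Mar 10 12:00:01 metasploitable sshd[2001]: Failed password for invalid user admin from 192.168.1.50 port 40001 ssh2
Mar 10 12:00:02 metasploitable sshd[2002]: Failed password for msfadmin from 192.168.1.50 port 40002 ssh2
Mar 10 12:00:02 metasploitable sshd[2003]: Failed password for invalid user test from 192.168.1.50 port 40003 ssh2
Mar 10 12:00:03 metasploitable sshd[2004]: Failed password for user from 192.168.1.50 port 40004 ssh2
Mar 10 12:00:03 metasploitable sshd[2005]: Failed password for invalid user guest from 192.168.1.50 port 40005 ssh2
Mar 10 12:00:04 metasploitable sshd[2006]: Accepted password for msfadmin from 192.168.1.50 port 40006 ssh2
Mar 10 12:05:00 metasploitable sshd[2100]: Accepted publickey for alice from 10.0.0.7 port 51000 ssh2
Mar 10 12:06:00 metasploitable sshd[2101]: Failed password for alice from 10.0.0.7 port 51001 ssh2
Mar 10 12:06:20 metasploitable sshd[2102]: Accepted password for alice from 10.0.0.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd authentication record; return None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(seconds=60), success_min_failures=3):
    """Return a list of (ip, kind, detail) alerts in log order.

    kind is 'brute_force' when one address accumulates `threshold` failures
    inside `window`, and 'success_after_failures' when a login succeeds from
    an address that failed at least `success_min_failures` times in the window.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()               # addresses already reported for brute forcing
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # Slide the window forward before considering the new event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append((ev["ip"], "brute_force",
                               f"{len(q)} failed logins within {int(window.total_seconds())}s"))
        elif len(q) >= success_min_failures:
            # A success right after a burst of failures is the signature of a
            # guessed credential, which is what the three created sessions above mean.
            alerts.append((ev["ip"], "success_after_failures",
                           f"{ev['user']} accepted by {ev['method']} after {len(q)} failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {ip:15} {detail}")
```

On the constructed input this reports 192.168.1.50 twice (brute force, then a password success after five failures) and stays quiet about 10.0.0.7, whose single typo before a successful login is normal user behaviour. The same shape applies to vsftpd and telnetd logs once the regular expression is adjusted to their record formats.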
If you manage to get your hands on the victim’s private key, the auxiliary/scanner/ssh/ssh_login_pubkey module is for you!
This module uses the private key to do two things:
- Get access to the victim machine
- Get access to any machines that trust the victim’s key (hosts whose authorized_keys files list the victim’s public key)
Obtaining Private Key
To carry out this attack, you will need to have access to the file system, and/or be able to mount the remote file system (which, on Metasploitable, happens to be possible!): see Metasploitable/NFS
Once you’ve got access to the file system, you’ll grab a copy of the remote machine’s private keys, and use them together with Metasploit to obtain access to the machine.
(Note that you could also plant your keys on the target, by adding your public SSH keys to the target machine’s list of trusted keys, but this technique would restrict you to a particular machine, while the Metasploit method is portable and less intrusive.)
To snatch the target’s private key:
Now you have a copy of the msfadmin account’s private SSH key.
We’ll use Metasploit to turn this into access to the remote machine.
This key is also useful for impersonating the target when connecting to OTHER remote machines.
Planting Private Keys
An alternative method to gain access, although it is not useful for gaining access to any machines other than the victim machine, is to GENERATE a public/private SSH key pair from the attacker machine, and copy the PRIVATE key over to the remote machine. (Using the public key and the above-mentioned technique would be easier, but it’s worth mentioning at least.)
To plant your private keys on the remote machine, you’ll need write access to the target user’s home directory. You’ll generate a public SSH key from the attacker machine, the machine you want to have access WITH, and add it to the other machine’s ~/.ssh/authorized_keys.
This presumes the .ssh directory exists. If it doesn’t exist, you can make it, and tamper with the filesystem.
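Both of the techniques above, lifting a user's private key over NFS and planting an attacker's public key in ~/.ssh/authorized_keys, leave artefacts on the victim that an administrator can audit for. The script below is an added example from that defender's side and is not the wiki's own code: it parses authorized_keys entries, computes the SHA256 fingerprint that ssh-keygen -lf prints, reports any key that is not on an allowlist (a planted key surfaces here), and checks that key files are not group- or world-readable, which is how a hand-copied key often ends up and which sshd itself refuses. The key blobs and file contents are constructed for the demonstration and are not real keys; the 0644/0600 modes in demo_permission_check are the example's own choices.

```python
"""Audit the SSH trust material an intruder would steal or plant.

Added example, not the wiki's own code. Key blobs and files are constructed
for the demo and are not usable keys.
"""
import base64
import hashlib
import os
import stat
import tempfile

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ssh-dss"}


def _fake_blob(label):
    """Constructed, structurally plausible key blob (length-prefixed string + padding)."""
    body = label.encode()
    return base64.b64encode(len(body).to_bytes(4, "big") + body + bytes(32)).decode()


KNOWN_BLOB = _fake_blob("ssh-ed25519-admin")      # constructed: the approved key
PLANTED_BLOB = _fake_blob("ssh-ed25519-unknown")  # constructed: a key nobody approved

# Constructed authorized_keys content: one approved entry and one planted entry.
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys approved by the admin team
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {KNOWN_BLOB} admin@workstation

ssh-ed25519 {PLANTED_BLOB} unknown-host
"""


def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line. Options containing quoted spaces are not handled here."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Everything before the key type is the (optional) options field.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"malformed": line})
            continue
        entries.append({
            "options": fields[:idx],
            "type": fields[idx],
            "fingerprint": fingerprint(fields[idx + 1]),
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text, allowed_fingerprints):
    """Report every key that is not on the allowlist, plus lines that do not parse."""
    findings = []
    for e in parse_authorized_keys(text):
        if "malformed" in e:
            findings.append(("malformed", e["malformed"]))
        elif e["fingerprint"] not in allowed_fingerprints:
            findings.append(("unknown_key", f"{e['type']} {e['fingerprint']} {e['comment']}".strip()))
    return findings


def has_loose_permissions(path):
    """True when group or others can read, write or execute the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_permission_check():
    """Create two throwaway files with modes 0644 and 0600 and return their check results."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "id_rsa_loose")
        tight = os.path.join(d, "id_rsa_tight")
        for path, mode in ((loose, 0o644), (tight, 0o600)):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a key\n")
            os.chmod(path, mode)
        return has_loose_permissions(loose), has_loose_permissions(tight)


if __name__ == "__main__":
    allowed = {fingerprint(KNOWN_BLOB)}
    for kind, detail in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed):
        print(kind, detail)
    print("permission check (0644, 0600):", demo_permission_check())
```

In practice the allowlist is the set of fingerprints from your provisioning system, and the audit runs over every user's ~/.ssh/authorized_keys; a fingerprint that is not in the list is exactly the "planted public key" case, and a private key readable by group or others is the state a file copied over NFS or by hand tends to land in.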
Setting Up the Attack
Here’s info on the auxiliary/scanner/ssh/ssh_login_pubkey module in Metasploit, which will carry out the attack:
Set some options, such as the private key file, the username to log in with, and the remote host:
Running the Attack
Execute the attack, to use the remote machine’s private key to gain access to the remote machine:
Success – we’ve got a session.
Getting a Shell
Now we can use the sessions command to utilize the information we just found and set up an interactive session.
We could create more mischief, by copying everyone else’s private SSH keys and SSH connection histories, potentially giving us passwordless access to additional machines.
We could also get busy with post-exploit activities.
See https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/