Posted on Leave a comment

Hacking the SSH server, again

In the previous howto, we have seen how to research about a vulnerability in the FTP service running on our target system and exploit it to gain a shell on that system. In this howto, we will  see hacking the SSH service running on port 22. It can be seen that the target is running OPenSSH 4.7p1 SSH server.

I googled about the above mentioned version to find out if it had any vulnerabilities and exploits for those vulnerabilities. After an arduous search, I found one exploit but that seemed to be not working (Its not always a positive result in hacking).

Remember that we already gained a shell on the SSH server in one of our previous howtos. We did this using the credentials we obtained during enumeration of the target system. (This is why enumeration is so important). We used this credentials in a Metasploit SSH login module to get a shell on our target system.

This time we will see another way of gaining access to the SSH server using the same module. This SSH login module can also be used to brute force the credentials of the SSH server. Let’s see how it works. Load the module and check the required options.

In order to brute force the credentials, we need to specify a dictionary for cracking username- s and passwords in the similar fashion we set while using Hydra. We will use the same dictionary we have used while performing password cracking with Hydra.

I have set the same file for both username and passwords. To conserve time I have set the option “stop_on_success” to True. This option will stop the brute forcing if it finds even one login credential. I have set the “verbose” option also to TRUE. This module is normally used to brute force multiple SSH servers at once. That’s the reason it has “RHOSTS” option instead of “RHOST” option. Any how we can still set a single IP as target. All the options are shown as below.

After all the options are set, execute the exploit using the command “run”.

Once the password is cracked successfully, the module displays the credentials and automatically gives us a shell on the target system as shown in the above image. The available sessions can be viewed as shown below.

We can also login into the SSH server using the credentials we obtained prior as shown below.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.