ssh – Michele's Blog

Are you running Windows 10 as a host and want to connect to your Ubuntu VM? Are you using VirtualBox as a hosted hypervisor? If the answers to these questions are two yes, keep reading!

As you will see below, this technique is especially useful if you are using Ubuntu Server – which comes without a GUI – and want to avoid the pains of working on that terminal. For example, Page Up and Page Down didn’t work and the screen was too small. Even VirtualBox Guest Additions didn’t help solve the problem.

Here you find the list of steps from the creation of the VM to the SSH connection via PowerShell (the relative screenshots are under the list):

Create a Ubuntu VM on VirtualBox (I’m using VirtualBox 6.1.26).
Install Ubuntu Server 18.04.6 LTS in it (download the ISO from here by selecting “Server install image”).
Start the VM and logon.
Make sure that process sshd is running and listening on port 22 (s. Screenshot 1):
- ps aux | grep sshd
- sudo netstat -plant | grep :22
Power off the VM.
Open VirtualBox Manager, select the Ubuntu VM, and click on Settings. Click on Network, click on Advanced, click on Port Forwarding. Add a new port forwarding rule and click OK (s. Screenshot 2).
- PS: The Guest IP field is empty. With Guest IP = 10.0.2.15 (find yours by typing ifconfig in the terminal of the VM), the connection didn’t work.
Start the VM again.
Launch PowerShell on your host and type: ssh pb@127.0.0.1 -p 10022
The first time you connect, PowerShell will ask if you are sure that you want to connect and show you the ECDSA key fingerprint. You can double check it by typing this in the VM terminal: ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub (s. Screenshot 3).
Enter yes.
Type again: ssh pb@127.0.0.1 -p 10022 (if it does not work, restart PowerShell).
Enter you Ubuntu password. You will now see the Ubuntu welcome message (s. Screenshot 4). Now you are connected to your Ubuntu VM via PowerShell from your Windows 10 host. Congratulations! 🙂

Screenshot 1: Check if process *sshd* is running and listening on port 22.

Screenshot 3: Check if the ECDSA key fingerprint matches.

Screenshot 4: This message means victory 🙂

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

In this blog post, I will show you how to automate a brute force attack on SSH with the help of Metasploit. The methodology that I present here can be used in a penetration test to check if the credentials of any SSH login are strong enough and, perhaps more importantly, to understand whether the blue team detects our brute force attacks.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Nibbles’s IPv4 address. Here we can also see that this is a Linux machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

Ports 22 (SSH) and 80 (HTTP) are open on Nibbles.

Ports 22 (SSH) and 80 (HTTP) are open. In this post I will focus on SSH, even if HTTP is the way in for this machine¹.

Brute force SSH attack

We Google search “openssh 7.2p2 exploit”. From the results, we learn that we can enumerate users on an OpenSSH server using a malformed packet or timing attack. The idea here is to enumerate the users on this SSH server and then combine this list with common SSH passwords in order to run an automated brute force SSH attack.

To enumerate the users we will use the auxiliary/scanner/ssh/ssh_enumusers module on Metasploit with unix-users.txt as user list. Moreover, we will log the output of this module for later processing.

msfconsole
use auxiliary/scanner/ssh/ssh_enumusers
set rhosts 10.10.10.75
set user_file /usr/share/wordlists/metasploit/unix_users.txt
spool /root/Documents/nibbles/ssh_enumusers.log
run

We now extract the usernames from the log file with grep and save the output in ssh-users.txt

grep -v "not" ssh_enumusers.log | awk '{ if ($6 == "User") { print substr($7,2,length($7)-2) } }' > ssh-users.txt

We found 30 valid usernames on the SSH server of this machine.

The next step is to download a list of common SSH passwords and combine it with the username list that we already have. We first download this list which contains 21 passwords (even if the file name says 20). Then we run my shell script (s. screenshot below) to combine each username with each password. Each entry will be on its own line, and each username and password pair will be separated by a space.

This script combines each username to each password from the two original lists.

We then make this script executable with chmod 744 combi-usernames-passwords.sh and run it. The new list, which is saved in users-passwords-ssh.txt, contains 630 credential pairs. Now we will use this list to run the Metasploit’s module auxiliary/scanner/ssh/ssh_login which will brute force the SSH login.

msfconsole
use auxiliary/scanner/ssh/ssh_login
set rhosts 10.10.10.75
set stop_on_success true
set verbose true
set userpass_file /root/Documents/nibbles/users-passwords-ssh.txt
run

After some minutes, this module will terminate without having found a valid combination. This is fine as we only used 21 SSH passwords. If this were a pentest, we would expect the blue team to detect our attack as we made a lot of noise banging on their doors.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

Tag: ssh

How to connect to an Ubuntu VM via SSH with PowerShell

Brute force SSH attack on HTB Nibbles