The Raspberry Pi is performing no other daily responsibilities, so no additional setup on this machine is required for this test. SSH was enabled during the installation, and the system was brought up to date using apt update and apt upgrade.
If you do not know the IP address of the target machine, you can confirm the IP address of the Raspberry Pi using the hostname -I or ifconfig command from the console.
In this example, the IP address of our Raspberry Pi target machine is 192.168.1.95. You will need this later so write it down.
Using your favorite text editor, create a username.txt file containing these usernames, one username per line:
root
admin
kali
raspberry
pi
support
Create a password.txt file containing the following passwords, one password per line:
root
toor
pi
kali
admin
raspberry
password
password123
Save these two files to your local directory. In this example, we are using /home/kali/data.
Scan the local network with nmap. The -p 22 flag limits the scan to port 22 (SSH), and the --open flag lists only the ports that are open. Closed ports are not included in the output.
kali@Victim-Pi:~$ sudo nmap -p 22 --open 192.168.1.0/24
The results from our nmap scan show that the SSH service is running (open) on a lot of machines. Now we narrow our focus and use Metasploit to exploit the SSH vulnerabilities. We are interested in the Victim-Pi, or 192.168.1.95, address because that is a Raspberry Pi and the target of our attack.
Our attacking machine is the kali-server, or 192.168.1.207.
From the kali-server (192.168.1.207) command line, launch Metasploit by typing msfconsole.
Metasploit provides a search engine to help us select the best module to use against SSH. Entering the search ssh command shows us all of the SSH options.
Scan through the output for the SSH login scanner. For this exploit we want to use Menu Item #21, 'auxiliary/scanner/ssh/ssh_login', which brute-forces SSH login credentials using the username.txt and password.txt files we created in /home/kali/data. Note that your menu item number most likely will be different.
Enter 'use auxiliary/scanner/ssh/ssh_login' at the msf6 > prompt. You can also enter the menu number (for example: msf6 > use 21).
Type set USER_FILE /home/kali/data/username.txt and set PASS_FILE /home/kali/data/password.txt.
Set the next two options: set STOP_ON_SUCCESS true stops execution when there is a successful username/password combination, and set VERBOSE true prints all status messages to the console.
The set RHOSTS command configures Metasploit to use the target machine. This is the same IP address (192.168.1.95) as the machine on which we issued the hostname -I or ifconfig command earlier.
Use the advanced command to view additional configuration options.
You can change any of these options for your situation, but we want quick access to the shell, so set GatherProof false.
All of our configuration options are set. Run the exploit command to start the exploit.
After several failed login attempts, notice the [+] 192.168.1.95:22 - Success 'pi:raspberry' entry. This line reveals that the username pi with the password raspberry is a successful combination.
The set STOP_ON_SUCCESS true option we set earlier tells Metasploit to stop the attack when there is a successful username/password combination.
Type the sessions command to see the active Metasploit sessions.
To connect to the current active session, enter the sessions 1 command.
At this point, you can use Unix commands as if you were a regular user of the system.
To get better control of our exploit, type the shell command to get access to a bash shell.
Now that you have bash shell access, you can use Python, Perl, and other system resources to complete your exploit.
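On the target, the run above leaves a recognizable trail in the SSH log: a burst of failed passwords across several usernames from one address, followed by an accepted login. The Python script below is an added example, not part of the original walkthrough, that flags that pattern. The log lines are constructed in the standard OpenSSH message format, and the function name and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (not captured from the lab on this page).
SAMPLE_LOG = """\
Mar  3 10:15:01 Victim-Pi sshd[1201]: Failed password for root from 192.168.1.207 port 40022 ssh2
Mar  3 10:15:02 Victim-Pi sshd[1203]: Failed password for root from 192.168.1.207 port 40024 ssh2
Mar  3 10:15:03 Victim-Pi sshd[1205]: Failed password for invalid user admin from 192.168.1.207 port 40026 ssh2
Mar  3 10:15:04 Victim-Pi sshd[1207]: Failed password for kali from 192.168.1.207 port 40028 ssh2
Mar  3 10:15:05 Victim-Pi sshd[1209]: Failed password for pi from 192.168.1.207 port 40030 ssh2
Mar  3 10:15:06 Victim-Pi sshd[1211]: Accepted password for pi from 192.168.1.207 port 40032 ssh2
Mar  3 10:20:11 Victim-Pi sshd[1302]: Failed password for pi from 192.168.1.50 port 51514 ssh2
Mar  3 10:20:19 Victim-Pi sshd[1302]: Accepted password for pi from 192.168.1.50 port 51514 ssh2
"""

# The username is chosen by the client, so match it greedily and anchor the
# source address to the end of the line: a name containing " from 10.0.0.1 port 1"
# cannot then shift the blame to another address.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>.+) from (?P<src>\S+) port \d+ ssh2$"
)

def find_guessing(log_text, min_failures=4, min_users=3):
    """Return one finding per source IP whose failures look like list-driven guessing."""
    failed = defaultdict(list)   # source IP -> usernames that failed, in log order
    accepted = {}                # source IP -> account accepted once thresholds were met
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        src, user, tried = m["src"], m["user"], failed[m["src"]]
        if m["result"] == "Failed":
            tried.append(user)
        elif (src not in accepted and len(tried) >= min_failures
              and len(set(tried)) >= min_users):
            accepted[src] = user   # a guessed credential worked: treat as compromised
    return [
        {"src": s, "failures": len(t), "users": sorted(set(t)),
         "accepted_as": accepted.get(s)}
        for s, t in sorted(failed.items())
        if len(t) >= min_failures and len(set(t)) >= min_users
    ]

if __name__ == "__main__":
    for finding in find_guessing(SAMPLE_LOG):
        print(finding)
```

On Debian-based systems such as Raspberry Pi OS, these messages are written to /var/log/auth.log or to the systemd journal. A single mistyped password followed by a success, like the 192.168.1.50 lines in the sample, stays below the thresholds and is not reported.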