Using Metasploit to Attack Default SSH Username/Passwords

This is a relatively simple brute force method to connect to a Unix machine using SSH in our pentesting lab. The target machine for this exploit is a Raspberry Pi 3 running Kali Linux with SSH enabled. The Raspberry Pi’s software is up-to-date and no other changes were made to the operating system. The machine performing the exploit is Kali Linux on VMware.

The Target Machine

The Raspberry Pi is also performing other daily responsibilities, so no additional setup on this machine is required for this test. SSH is enabled and the system is up-to-date using apt update and apt upgrade.

Getting the Target IP Address

If you do not know the IP address of the Raspberry Pi or the target machine, you can confirm it by running the hostname -I or ifconfig command on that machine.

In this example, the IP address of our Raspberry Pi target machine is 192.168.1.95. You will need this later so write it down.

You are done with the Raspberry Pi. It is now just another server on a network doing normal computer things with SSH enabled on port 22: a secure Unix machine serving up web pages and user accounts on the Internet. This can be any machine, but for this example, it is our target.

Setting up the Exploit

On our attacking Kali Linux machine, we need to set up some files and configure Metasploit to exploit the Raspberry Pi server. There is nothing complicated here, just some small attention to detail. This exploit uses a list of custom usernames and a list of select passwords. Each username and each password is on its own line in its respective file. To keep this test short and interesting, the lists contain common default usernames and passwords. You can use any dictionary for this exploit.

Create Username and Password files

The target computers in our testing lab are Raspberry Pis. We know the usernames and passwords for this exploit are going to consist of default usernames and passwords specific to Raspberry Pi operating systems. You can use the standard Kali password lists, but that will take a lot longer to run.

The success of this exploit is banking on the fact that admins do not change the default login credentials.

Using your favorite text editor, create a username.txt file containing these usernames, one username per line.

root
admin
kali
raspberry
pi
support

Feel free to add additional default usernames to this file. This is only an example of using some common default usernames on Raspberry Pi devices.

Create a password.txt file containing the following passwords, one password per line:

root
toor
pi
kali
admin
raspberry
password
password123

Just like the username file, feel free to add additional default passwords to this file. This is only an example of using some common default passwords on Raspberry Pi devices.

Save these two files to your local directory. In this example, we are using /home/kali/data.

Run an Nmap Scan

My homelab for this exploit has a lot of VMs, Raspberry Pis, and production machines in service. Most of these have open SSH ports. Since I’m never really sure how many open SSH ports there are on my network, I’m using the following command to get a feel for the landscape.

The -p 22 flag says only report on SSH and the --open flag lists only the ports that are open. Closed ports are not included in the output.

kali@Victim-Pi:~$ sudo nmap -p 22 --open 192.168.1.0/24

The results from our nmap scan show that the ssh service is running (open) on a lot of machines. Now we narrow our focus and use Metasploit to exploit the ssh vulnerabilities. We are interested in the 192.168.1.95 address because that is a Raspberry Pi and the target of our attack.

Using Metasploit

Launch Metasploit either from the Kali Applications menu or by typing msfconsole at the command prompt.

We want to exploit SSH and Metasploit provides a search engine to help us select the best exploit. Entering the search ssh command shows us all of the ssh options.

Look through the output for the SSH login module. For this exploit we want to use Menu Item #21, ‘use auxiliary/scanner/ssh/ssh_login’, which tries SSH logins by brute force using the username.txt and password.txt files we created in /home/kali/data. Note that your menu item number could be different.

Enter ‘use auxiliary/scanner/ssh/ssh_login’ at the msf6 > prompt. You can also enter the menu number (for example: msf6 > use 21).

Type set USER_FILE /home/kali/data/username.txt and set PASS_FILE /home/kali/data/password.txt.

Set the next two options: set STOP_ON_SUCCESS true stops execution when there is a successful username/password combination, and set VERBOSE true prints all status messages to the console.

The set RHOSTS command configures Metasploit to use the target machine. This is the same IP address (192.168.1.95) we found earlier with the hostname -I or ifconfig command.

Use the advanced command to view additional configuration options.

You can change any of these options for your situation, but we want quick access to the shell, so enter set GatherProof false.

All of our configuration options are set. Run the exploit command to start the exploit.

After the failed login attempts, notice the [+] 192.168.1.95:22 - Success ‘pi:raspberry’ entry. This line reveals that the username pi combined with the password raspberry is a successful login.

The set STOP_ON_SUCCESS true option we set earlier tells Metasploit to stop the attack when there is a successful username/password combination.
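The same run seen from the target's side, as an added example that is not part of the original walkthrough: a detector that reads sshd authentication log lines and flags a source that fails against several accounts and then logs in. The log lines are constructed in the usual OpenSSH format, the source addresses 192.168.1.50 and 192.168.1.20 are made up, and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not captured from the lab run).
SAMPLE_LOG = """\
Mar  3 10:15:01 raspberrypi sshd[2101]: Failed password for root from 192.168.1.50 port 40112 ssh2
Mar  3 10:15:02 raspberrypi sshd[2103]: Failed password for invalid user admin from 192.168.1.50 port 40114 ssh2
Mar  3 10:15:03 raspberrypi sshd[2105]: Failed password for invalid user support from 192.168.1.50 port 40116 ssh2
Mar  3 10:15:04 raspberrypi sshd[2107]: Failed password for pi from 192.168.1.50 port 40118 ssh2
Mar  3 10:15:05 raspberrypi sshd[2109]: Accepted password for pi from 192.168.1.50 port 40120 ssh2
Mar  3 11:02:44 raspberrypi sshd[2290]: Failed password for pi from 192.168.1.20 port 51877 ssh2
Mar  3 11:02:51 raspberrypi sshd[2290]: Accepted password for pi from 192.168.1.20 port 51877 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessing(log_text, min_failures=3, min_users=2):
    """Return {source_ip: report} for sources that failed against several accounts."""
    failed = defaultdict(list)          # source ip -> usernames that failed
    reports = {}

    def flag(ip, compromised):
        users = sorted(set(failed[ip]))
        if len(failed[ip]) >= min_failures and len(users) >= min_users:
            reports.setdefault(ip, {"failures": len(failed[ip]), "users": users,
                                    "compromised": compromised})

    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]].append(m["user"])
        else:
            # A login straight after a spray of failures: treat that account as compromised.
            flag(m["ip"], m["user"])
            failed[m["ip"]] = []        # a success resets the count for that source
    for ip in list(failed):
        flag(ip, None)                  # guessing that has not succeeded (yet)
    return reports

if __name__ == "__main__":
    for ip, report in find_guessing(SAMPLE_LOG).items():
        print(ip, report)
```

The single mistyped password from 192.168.1.20 stays below both thresholds and is not reported.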

Type the sessions command to see the active Metasploit sessions.

To connect to the current active session, enter the sessions 1 command.

At this point you can use Unix commands as if you were a regular user on the system.

Type the shell command to get access to a bash shell.

Now that you have bash shell access you can use Python, Perl, and other system resources to complete your exploit.

How to Prevent this Type of SSH Attack on your Network

This is a brute force attack on a common vulnerability. To mitigate your exposure you can perform the following actions.

  • Educate users on proper usernames and passwords
  • Disable default username/passwords
  • Disable SSH
  • Prevent multiple login attempts
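
One way to check a host against this list, as an added example that is not from the original post: an audit of sshd_config text for the settings that let a default-credential guess succeed. It goes a step beyond the list by checking whether password logins are accepted at all; both sample configs are constructed and the account name alice is hypothetical.

```python
import re

# OpenSSH defaults for the keywords audited here (see sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

# Constructed configs for illustration, not taken from the lab machine.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
# A "fix" appended at the end is ignored: sshd keeps the first value it reads.
PasswordAuthentication no
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
"""

def effective(config_text):
    """Resolve global keywords as sshd does: case-insensitive, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks are conditional overrides; only globals are audited
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **settings}

def audit(config_text):
    """Return findings that leave the host open to default-credential guessing."""
    cfg = effective(config_text)
    findings = []
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: any account with a known password can log in")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account is reachable over SSH")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

On a live host, sshd -T prints the effective configuration, including files pulled in by Include, which this sketch does not follow.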