Brute force SSH

This exercise uses the MSF terminal (msfconsole) in Kali to brute-force the SSH service of the penetration-test target host.

Whether the cracking succeeds depends on the dictionary and on whether the target uses weak passwords.

1. Experimental environment

An attack machine and a target machine (or another target server).

2. Brute-force cracking of weak SSH passwords

The most important element of brute-force cracking is the password file, which usually contains the username and password pairs most likely to be used on the target system. The principle of brute-forcing SSH is to read each username and password pair from the password file and try an SSH login with it. If the login fails, the next pair is tried; if it succeeds, the matching pair is printed.
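Seen from the target's side, the loop described above leaves a burst of failed password attempts from one source address across many usernames in the sshd log, sometimes followed by a successful login. The following is an added example, not part of the original post: it flags such sources in constructed OpenSSH log lines; the function name, thresholds, and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH sshd log lines (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Jan 10 10:00:01 target sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jan 10 10:00:02 target sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jan 10 10:00:03 target sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Jan 10 10:00:04 target sshd[2104]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Jan 10 10:00:05 target sshd[2105]: Failed password for user from 192.0.2.10 port 40005 ssh2
Jan 10 10:00:06 target sshd[2106]: Accepted password for user from 192.0.2.10 port 40006 ssh2
Jan 10 10:05:00 target sshd[2200]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jan 10 10:05:09 target sshd[2201]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
"""

# Matches password-auth results; "invalid user" marks accounts that do not exist.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, min_failures=5, min_users=3):
    """Flag sources whose failures span many usernames (thresholds are assumptions)."""
    failures = defaultdict(int)   # ip -> number of failed password attempts
    users = defaultdict(set)      # ip -> usernames tried in failed attempts
    accepted = defaultdict(list)  # ip -> users that logged in after earlier failures
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip]:  # a success preceded by failures from the same source
            accepted[ip].append(user)
    findings = {}
    for ip, count in failures.items():
        # One mistyped password is normal; many failures over many names is a dictionary run.
        if count >= min_failures and len(users[ip]) >= min_users:
            findings[ip] = {"failures": count, "users": sorted(users[ip]),
                            "compromised": sorted(set(accepted[ip]))}
    return findings

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

Any account listed under "compromised" accepted a password from a flagged source and should have its password reset and its sessions reviewed.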

First, let's look at the dictionary files. They are located in /usr/share/metasploit-framework/data/wordlists/. Inside this folder you can see that there are many dictionaries:

$ cd /usr/share/metasploit-framework/data/wordlists/
$ ls

 

The main reason for choosing piata_ssh_userpass.txt here is that the file is a manageable size, so it will not run for too long, and it contains common types of weak passwords.

Check the length of the dictionary file (917 lines) and its content (each line has two words: the first is the username and the second is the password):

cat

head

2.1 Start msfconsole

Execute the following command in Kali to enter msfconsole (you can also search for it in the desktop interface and start it from there):

sudo msfconsole

2.2 Attack module used

Execute the subsequent commands in msfconsole:

  1. use: select the attack module
  2. set: configure parameters
  3. show options: view all parameters
  4. exploit: execute the attack

In this step, we use the use command to select the attack script:

msf > use auxiliary/scanner/ssh/ssh_login 

Note: the msfconsole prompt now includes the ssh_login information.

2.3 Configure the attack module 

View and configure the necessary parameters of the attack module. The following information needs to be configured here:

  1. rhosts: the list of target servers; we set it to the target's IP address (目标IP in the command below is a placeholder for it)
  2. userpass_file: the password dictionary file to use. We use a password file built into metasploit-framework (introduced in 3.1) with about 900 lines; with a larger dictionary file the test takes longer
  3. verbose: set to false to avoid outputting a lot of intermediate information

msf > set rhosts 目标IP
msf > set userpass_file /usr/share/metasploit-framework/data/wordlists/piata_ssh_userpass.txt
msf > set verbose false 

2.4 Brute Force Attack

Finally, check the configuration information to confirm whether it is accurate: 

msf > show options 

Start the brute-force cracking with the exploit command:

Note: The execution time is relatively long. We can interrupt the program with Ctrl-C when the first correct result appears (after about a few minutes), and then continue with the subsequent experimental operations. (In this run the target was a server, and the attempt was not successful. Against a target machine it can be cracked, and the operation is the same.)

2.5 Enter the shell

Brute-force cracking takes a long time, but successful username and password pairs are output one after another along the way: many users on the target machine can log in through SSH and all have weak passwords, so there will be multiple results. To save time, we can press Ctrl-C to exit the remaining brute-force process as soon as the first one is output.

When a match succeeds, the attack script automatically creates an SSH connection session, and we can use the sessions -i <session_id> command to switch the terminal to that session.

Note: The session id can be seen from the output information during the attack.

Once in this shell, we can execute a series of commands:

3. Hydra brute forcing

Kali also has a built-in brute-force cracking tool, hydra. Hydra is an open-source brute-force password cracking tool developed by the famous hacker organization THC. It is very powerful, is installed by default on Kali, and supports online cracking of almost all protocols. It can also be applied to SSH brute-force cracking and, similarly, works through a password dictionary file by repeated attempts. Execute the following command on the Kali command line to attack:

hydra -C userpass.txt <target address> ssh

Here -C specifies the dictionary file to use, and requires the username and password in each dictionary entry to be separated by a colon (:). The address that follows is the IP of our target machine, and ssh is the service being attacked.

-l login (lowercase) specifies the username to crack.

-L file (uppercase) specifies the username dictionary.

-p pass (lowercase) specifies a single password to try; rarely used, since a password dictionary is generally used instead.

-P file (uppercase) specifies the password dictionary.

-e ns additional options; n: test an empty password, s: test using the account name as the password.

-M file specifies a file listing the target IPs, for cracking in batches.

-o file specifies the result output file.

-f aborts cracking when the first login name and password pair is found.

-t tasks sets the number of threads running at the same time; the default is 16.

-w time set the maximum timeout time, unit

-v / -V shows the detailed process.

-R resumes an interrupted run (if the cracking is interrupted, execute hydra -R /path/to/hydra.restore next time to continue the task).

-x Custom password.

service: specify the service name, the supported services and protocols are: telnet, ftp, pop3 and so on.


Origin blog.csdn.net/y995zq/article/details/128674344