Metasploitable3: SSH Bruteforce & get Remote Shell

SSH Bruteforce
Description

The SSH server on the remote host accepts a publicly known static SSH private key for authentication. A remote attacker can log in to this host using this publicly known private key.
Solution

Remove the vulnerable public keys from the SSH server.
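One way to locate such keys before removing them, as an added example that is not part of the original post or of the Nessus plugin: the Python code below fingerprints each active entry in an authorized_keys file and reports the ones found on a denylist. The key material, the sample file and the denylist are constructed placeholders; a real denylist would hold the SHA256 fingerprints of the published keys.

```python
import base64
import hashlib
import struct


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key(line):
    """Return (key_type, blob) from an authorized_keys line, or None."""
    tokens = line.encode().split()
    # Options may precede the key: match on the blob's length-prefixed type.
    for key_type, b64 in zip(tokens, tokens[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(struct.pack(">I", len(key_type)) + key_type):
            return key_type.decode(), blob
    return None


def audit(text, denylist):
    """Return (line_no, key_type, fingerprint) for each denylisted key."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = None if line.lstrip().startswith("#") else parse_key(line)
        if parsed and fingerprint(parsed[1]) in denylist:
            hits.append((no, parsed[0], fingerprint(parsed[1])))
    return hits


def _blob(key_type, body):
    # Constructed stand-in for key material, not a real key.
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(body)) + body


BAD, GOOD = _blob("ssh-ed25519", bytes(32)), _blob("ssh-ed25519", bytes(range(32)))
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# ssh-ed25519 " + base64.b64encode(BAD).decode() + " disabled entry",
    "ssh-ed25519 " + base64.b64encode(GOOD).decode() + " admin@example",
    'command="/bin/true",no-pty ssh-ed25519 ' + base64.b64encode(BAD).decode() + " shared",
])
DENYLIST = {fingerprint(BAD)}  # placeholder for the published keys' fingerprints
```

Run `audit()` over the contents of every account's authorized_keys file; each hit gives the line number of an entry to delete.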
See Also

Output

  • Nessus was able to verify the following users and public SSH keys (with publicly known private keys) are accepted:

    Port              Hosts
    22 / tcp / ssh    192.168.1.9

    Open Metasploit and use the module auxiliary/scanner/ssh/ssh_login.

    Description:
    This module will test ssh logins on a range of machines and report
    successful logins. If you have loaded a database plugin and
    connected to a database this module will record successful logins
    and hosts so you can track your access.

    Set your USERPASS_FILE, RHOSTS, THREADS… parameters and then use the run command.

    I found an SSH credential and got a shell.

     
