Port 22 SSH

SSH Enumeration

Version Enumeration with Metasploit

msfconsole
use auxiliary/scanner/ssh/ssh_version
set RHOSTS demo.ine.local
exploit

Bruteforce SSH

Metasploit SSH bruteforcing

We will now use the ssh_login module to find valid credentials for the SSH server.
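
On the defending side, the password guessing that ssh_login performs leaves a recognisable trail in the sshd authentication log. The block below is an added example, not part of the original notes: it flags a source address that produces a burst of failed passwords, one that guesses at several nonexistent users, and a successful login that follows a burst. The log lines are constructed; the ISO 8601 timestamp prefix, the thresholds, the host name and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password-auth messages. Anchoring on the trailing "from IP port N ssh2"
# keeps a username containing spaces or " from " from altering the parsed IP.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<kind>Failed|Accepted) password for "
    r"(?P<inv>invalid user )?(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$")

def detect(lines, max_fail=5, max_invalid=3, window=timedelta(seconds=60)):
    """Return {source_ip: set of findings} for password-guessing patterns."""
    fails = defaultdict(list)    # ip -> failure timestamps inside the window
    invalid = defaultdict(set)   # ip -> nonexistent usernames that were tried
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["kind"] == "Failed":
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
            if len(fails[ip]) >= max_fail:
                findings[ip].add("burst")
            if m["inv"]:
                invalid[ip].add(m["user"])
                if len(invalid[ip]) >= max_invalid:
                    findings[ip].add("invalid-users")
        elif "burst" in findings.get(ip, ()):
            # A success after a burst means a guess probably worked.
            findings[ip].add("success-after-burst:" + m["user"])
    return dict(findings)

def sample_log():
    """Constructed log lines (ISO timestamps assumed); addresses are RFC 5737."""
    pre = "2024-03-10T12:00:{:02d} demo sshd[4242]: "
    guesses = ["root", "admin", "test", "oracle", "guest x", "student"]
    out = [(pre + "Failed password for {}{} from 203.0.113.9 port 40{:03d} ssh2")
           .format(i, "" if u in ("root", "student") else "invalid user ", u, i)
           for i, u in enumerate(guesses)]
    out.append(pre.format(10) + "Accepted password for student from 203.0.113.9 port 40010 ssh2")
    out.append(pre.format(20) + "Failed password for root from 198.51.100.7 port 50000 ssh2")
    out.append(pre.format(21) + "Accepted password for root from 198.51.100.7 port 50001 ssh2")
    return out

if __name__ == "__main__":
    for ip, found in detect(sample_log()).items():
        print(ip, sorted(found))
```

A single mistyped password followed by a login, as from 198.51.100.7 in the sample, produces no finding; only the source that crosses the burst threshold is reported.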

SSH Exploitation

Exploiting libssh with metasploit

Metasploit has an exploit for this. In the same module, there are both auxiliary scans and the exploit itself. Since we need to exploit it, let’s first check the available options.

For this exploit, we only need to set two parameters: RHOSTS and SPAWN_PTY. In the auxiliary section, we can confirm that it will directly spawn a shell once executed.

After setting the parameters, type exploit to execute the exploit and gain access to the shell.

As the output shows, the session has been created and opened. To verify, type the following command: sessions

To use this session, type sessions -i 2. This will successfully grant us access to the shell.

OpenSSH Exploits

Given that we have obtained the exact version of OpenSSH running on the target system, we can utilize Searchsploit to search for exploits that affect this specific version of OpenSSH.

This can be done by running the following command:

As shown in the following screenshot, Searchsploit reveals various username enumeration scripts that can be used to enumerate user accounts.

We can use these scripts to enumerate user accounts on the target system. We have already identified one user account that can also be used to authenticate with the OpenSSH server.

Metasploit SSH login
