Prévia do material em texto
Password Cracking: SSH 1 | P a g e https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 2 | P a g e Contents Introduction ..................................................................................................................................................... 3 MITRE ATT&CK Techniques: ............................................................................................................... 3 Introduction of SSH (Port 22) ......................................................................................................................... 3 Enumeration .................................................................................................................................................... 3 Nmap Scan .................................................................................................................................................. 3 Defensive Strategy: ................................................................................................................................ 4 Brute-Force Techniques .................................................................................................................................. 4 Tools Quick Reference ............................................................................................................................... 4 Hydra .............................................................................................................................................................. 4 Step To Reproduce .................................................................................................................................. 4 Detection Strategy: ................................................................................................................................. 5 Metasploit ................................................................................................................................................... 5 Step To Reproduce .................................................................................................................................. 5 Defensive Control: .................................................................................................................................. 6 Medusa ....................................................................................................................................................... 7 Step To Reproduce .................................................................................................................................. 7 Defensive Strategy: ................................................................................................................................ 7 Netexec (aka nxc) ....................................................................................................................................... 7 Step To Reproduce .................................................................................................................................. 7 Defensive Statergy:................................................................................................................................. 8 Ncrack ......................................................................................................................................................... 8 Step To Reproduce .................................................................................................................................. 8 Defensive Strategy: ................................................................................................................................ 8 Patator ......................................................................................................................................................... 8 Step To Reproduce .................................................................................................................................. 8 Defensive Suggestion: ............................................................................................................................ 9 NMAP NSE Script ...................................................................................................................................... 9 Step To Reproduce .................................................................................................................................. 9 Defensive Strategy: .............................................................................................................................. 10 BruteSpray ................................................................................................................................................ 10 Step 1: Scan for SSH Services with Nmap ........................................................................................... 10 Step 2: Brute-Force SSH Logins with BruteSpray ............................................................................... 11 Defensive Strategy: .............................................................................................................................. 12 SSH Brute-Force – Offense, Defence & MITRE Mapping .......................................................................... 13 Defence-in-Depth Summary ......................................................................................................................... 13 https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 3 | P a g e Introduction SSH brute-force atacks remain one of the most prevalent ini�al access vectors in modern penetra�on tes�ng engagements. Unlike legacy protocols, SSH's encrypted channel presents unique challenges and opportuni�es for creden�al based atacks. This guide explores advanced techniques for exploi�ng SSH authen�ca�on mechanisms across diverse network environments. MITRE ATT&CK Techniques: • T1110.001 – Brute Force: Password Guessing • T1046 – Network Service Scanning • T1078 – Valid Accounts Introduction of SSH (Port 22) SSH (Secure Shell) is a cryptographic network protocol used to securely access and manage remote computers over an unsecured network such as the internet. It operates primarily on port 22 and provides encrypted communica�on channels between clients and servers. Enumeration Nmap Scan MITRE Technique : T1046 Firstly, to start the enumera�on process, we perform a simple Nmap scan on the target IP address to check for an open SSH port and iden�fy the service version: nmap -p 22 -sV 192.168.1.111 Explana�on: • -p 22: Scans for SSH service on port 22. • -sV: Enables version detec�on to gather more informa�on about the running SSH service. Then, once Nmap iden�fies that port 22 is open and an SSH service is ac�ve, we can proceed to the next phase: brute force atacks to test for weak or default creden�als. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 4 | P a g e Defensive Strategy: Deploy NIDS/NIPS (e.g., Zeek or Suricata) to detect scans against port 22, and configure Fail2Ban or SSHGuard to blockIPs a�er repeated failures. Limit SSH exposure to known IP ranges using iptables or firewalls. Brute-Force Techniques Tools Quick Reference Hydra Hydra is a widely adopted brute forcing tool suppor�ng numerous protocols, including SSH. It's known for its speed, reliability, and ease of use. It leverages username and password lists to atempt logins in parallel, op�onally suppor�ng proxies and �me delays to evade detec�on. Kali Linux includes several built-in wordlists (for example rockyou.txt), but you can also create custom ones—such as user.txt and pass.txt—based on creden�al harves�ng or common password paterns. Step To Reproduce To perform a brute force atack against an SSH service, use the following command: hydra -L user.txt -P pass.txt 192.168.1.111 ssh Explana�on: • -L user.txt: Specifies the path to the username list. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 5 | P a g e • -P pass.txt: Specifies the path to the password list. • 192.168.1.111: Target IP address. • ssh: Protocol to atack. Hydra will systema�cally test each username-password pair against the SSH service on the specified host. If valid creden�als are found, Hydra will clearly report the success. Detection Strategy: To strengthen defenses, detect spikes in SSH login failures from a single source IP using /var/log/auth.log, and deploy Fail2Ban to throtle brute force atempts in real �me. Metasploit The ssh_login module is quite versa�le in that it can not only test a set of creden�als across a range of IP addresses, but it can also perform brute force login atempts. We will pass a file to the module containing usernames and passwords separated by a space as shown below. In this case, we can effec�vely automate login atempts to find weak or default creden�als on target systems by u�lizing our dic�onaries, user.txt and pass.txt. Step To Reproduce On kali terminal type msfconsole then run following commands: msf6 > use auxiliary/scanner/ssh/ssh_login set rhosts 192.168.1.111 set user_file user.txt set pass_file pass.txt set verbose false run Explana�on: • use auxiliary/scanner/ssh/ssh_login: Selects the Metasploit module designed for brute forcing SSH login creden�als. • set rhosts 192.168.1.111: Specifies the target machine’s IP address for the scan. • set user_file user.txt: Defines a file containing poten�al usernames to try during the brute force atack. • set pass_file pass.txt: Defines a file containing poten�al passwords to pair with each username. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 6 | P a g e • set verbose false: Disables verbose output, reducing on-screen cluter during the atack but if you are interested in knowledge failed atempt or all tried combina�on then you can reset as true. Defensive Control: Enable SSH account lockouts or rate limi�ng for repeated failures; for example, monitor /var/log/auth.log (or Event ID 4625 in Windows) for high-frequency login atempts from a single host. Correlate these atempts with scanning ac�vity typical of Metasploit modules to proac�vely detect brute force behavior. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 7 | P a g e Medusa Medusa is a parallel, modular login brute forcer offering high performance and broad protocol support. It supports mul�ple protocols; more specifically, it allows testers to perform dic�onary based atacks against services like SSH, FTP, HTTP, AFP, CVS, IMAP, rlogin, Subversion, VNC, and more. Step To Reproduce Below we have successfully grabbed creden�als using following command: medusa -h 192.168.1.111 -U user.txt -P pass.txt -M ssh | grep "ACCOUNT FOUND" Explana�on: • medusa: Invokes the Medusa brute force tool. • -h 192.169.1.111: Specifies the IP address of the target machine. • -U: Points to a file containing a list of usernames to try. • -P: Points to a file containing a list of passwords. • -M ssh: Indicates that the SSH module should be used for this atack. • | grep “ACCOUNT FOUND”: Filters the command output to display only successful login atempts, making it easier to iden�fy valid creden�als. Defensive Strategy: Addi�onally, detect high-rate parallel SSH login atempts by monitoring for simultaneous failures across mul�ple usernames in /var/log/auth.log and implement Fail2Ban or rate limi�ng to block aggressive sources. Netexec (aka nxc) NetExec can perform brute force atacks on SSH services using specified username and password lists. It is par�cularly useful for mass valida�on of creden�al pairs obtained during recon or OSINT phases. Step To Reproduce Firstly, to ini�ate a brute force atack against an SSH service using NetExec, run the following command: nxc ssh 192.168.1.111 -u user.txt -p pass.txt | grep [+] Explana�on: • nxc: Invokes the NetExec burte force tool • ssh: Specifies the protocol to target. • 192.168.1.111: The IP address of the target host. • -u user.txt: Path to the file containing a list of usernames. • -p pass.txt: Path to the file containing a list of passwords. • | grep [+]: Filters the command output to display only successful login atempts, making it easier to iden�fy valid creden�als. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 8 | P a g e Defensive Statergy: Segment internal assets. Restrict SSH access through jump hosts and enforce MFA to prevent lateral movement even a�er brute force success. Ncrack Developed by the Nmap creators, Ncrack is designed for high speed password audi�ng against network services including SSH. It supports a modular configura�on, making it ideal for larger assessments where performance and reliability are cri�cal. Step To Reproduce ncrack -U user.txt -P pass.txt 192.168.1.111 -p 22 Explana�on: • ncrack: Launches the Ncrack password cracking tool. • -U user.txt: Indicates the file containing a list of poten�al usernames. • -P pass.txt: Indicates the file containing a list of poten�al passwords. • -p 22: Specifies the target SSH service Defensive Strategy: Integrate SSH login anomaly detec�on into your SIEM to alert on rapid, repeated authen�ca�on atempts; apply connec�on rate limits to throtle brute force tools like Ncrack. Patator Patator is a versa�le, mul� threaded brute forcing tool capable of atacking a wide range of protocols including SSH, FTP, HTTP and more. Step To Reproduce Patator can be used to perform SSH brute force atacks by itera�ng through supplied username and password lists which in this case will be user.txt and pass.txt. patator ssh_login host=192.168.1.111 user=FILE0 0=user.txt password=FILE1 1=pass.txt Explana�on: • patator: Launches the Patator brute force tool. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH9 | P a g e • ssh_login: Specifies the module for brute forcing SSH creden�als. • host=192.168.1.111: Indicates the target machine’s IP address. • user=FILE0 0=user.txt: Assigns FILE0 as a placeholder for usernames, pulling values from user.txt. • password=FILE1 1=pass.txt: Assigns FILE1 as a placeholder for passwords, pulling values from pass.txt. Note: You can add | grep ‘200 OK’ or -x ignore:code=530 for success filtering or to skip known failed responses based on Patator’s output codes. Defensive Suggestion: Moreover, throtle SSH connec�on atempts per IP and detect repeated login failures with low �me gaps to iden�fy Patator-style brute force behavior. NMAP NSE Script Nmap script, ssh-brute.nse, enables brute force login atempts on SSH servers using custom username and password lists. Although not as fast as dedicated brute force tools, it offers a convenient, built in op�on for quick password audits during reconnaissance. Step To Reproduce Firstly, to perform a brute force atack against an SSH service using Nmap, run the following command: nmap -p22 --script ssh-brute.nse --script-args userdb=user.txt,passdb=pass.txt 192.168.1.111 https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 10 | P a g e Explana�on: • –p22: Scans port 22 (SSH). • –script ssh-brute.nse: Specifies the use of the SSH brute force NSE script. • –script-args userdb=user.txt,passdb=pass.txt: Provides the script with your custom username and password lists. This method is especially useful during early stage reconnaissance to iden�fy weak or default SSH creden�als on a target system. Defensive Strategy: Addi�onally, whitelist approved scanning hosts and flag brute force atempts from unknown sources. Detect login atempts from unexpected origins and flag NSE-style brute force behavior by correla�ng with prior port scans in SIEM or IDS tools. BruteSpray BruteSpray integrates seamlessly with Nmap’s output formats (grepable or XML), allowing you to quickly move from service discovery to targeted brute force atacks in streamlined workflow. Step 1: Scan for SSH Services with Nmap Firstly, run an Nmap scan to iden�fy open SSH ports and save the output in grepable format: nmap -p 22 192.168.1.111 -oG ssh_scan.txt Explana�on: • -p 22: Scans for SSH service on port 22. • -oG ssh_scan.txt: Outputs the results in grepable format, which BruteSpray can parse. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 11 | P a g e Step 2: Brute-Force SSH Logins with BruteSpray Then, once the scan is complete, use BruteSpray to atempt logins against the iden�fied SSH services using a username and password list: brutespray -f ssh_scan.txt -u user.txt -p pass.txt Explana�on: • -f ssh_scan.txt: Specifies the Nmap output file to use. • -u user.txt: Path to the list of usernames. • -p pass.txt: Path to the list of passwords. This workflow is par�cularly effec�ve because it is ideal for automa�ng brute force atempts immediately a�er service discovery, thereby streamlining the reconnaissance and exploita�on phases of an engagement. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 12 | P a g e Defensive Strategy: Flag and block IPs conduc�ng SSH scans followed by mass login atempts across mul�ple hosts; for example, apply tarpi�ng techniques to delay SSH responses. This slows down brute force tools like BruteSpray and increases the atacker's cost. Combine this with real �me alerts from SIEM and implement connec�on throtling for enhanced defense. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC Password Cracking: SSH 13 | P a g e SSH Brute-Force – Offense, Defense & MITRE Mapping Defense-in-Depth Summary To learn more about Password Cracking. Follow this Link. https://www.hackingarticles.in/ https://www.linkedin.com/company/hackingarticles/ https://x.com/hackinarticles https://github.com/Ignitetechnologies https://discord.gg/vU2uUjrsPC https://www.hackingarticles.in/category/password-cracking/ JOIN OUR TRAINING PROGRAMS www.ignitetechnologies.in BEGINNER Network Pentest Bug Bounty Wireless Pentest Network Security EssentialsEthical Hacking ADVANCED EXPERT Burp Suite Pro CTF Windows Linux Pro Infrastructure VAPT APT’s - MITRE Attack Tactics MSSQL Security Assessment Active Directory Attack Red Team Operation Privilege Escalation Web Services-API Android Pentest Computer Forensics Advanced Metasploit CLICK HERE http://bit.ly/ignitetechnologies https://www.ignitetechnologies.in https://www.ignitetechnologies.in https://twitter.com/hackinarticles info@ignitetechnologies.in https://in.linkedin.com/company/hackingarticles https://github.com/Ignitetechnologies https://forms.gle/bowpX9TGEs41GDG99 Introduction MITRE ATT&CK Techniques: Introduction of SSH (Port 22) Enumeration Nmap Scan Defensive Strategy: Brute-Force Techniques Tools Quick Reference Hydra Step To Reproduce Detection Strategy: Metasploit Step To Reproduce Defensive Control: Medusa Step To Reproduce Defensive Strategy: Netexec (aka nxc) Step To Reproduce Defensive Statergy: Ncrack Step To Reproduce Defensive Strategy: Patator Step To Reproduce Defensive Suggestion: NMAP NSE Script Step To Reproduce Defensive Strategy: BruteSpray Step 1: Scan for SSH Services with Nmap Step 2: Brute-Force SSH Logins with BruteSpray Defensive Strategy: SSH Brute-Force – Offense, Defense & MITRE Mapping Defense-in-Depth Summary
Mais conteúdos dessa disciplina
1:18:50 Questão 8 Ainda não respondida Vale 1,0 ponto(s). Julgue os itens que seguem: I) A legitimidade para perpetrar ações judiciais com base na ...- Marque a assertiva que NÃO representa um ponto de atenção em um Programa de Integridade: Questão 5Resposta a. Quantitativo de funcionários; b. Es...
- Um momento importante vivido pelo PMI é o processo recente de aproximação de práticas já conhecidas e aderentes ao gerenciamento de projetos tradicion
- Questão 01 A segurança na computação em nuvem é um aspecto fundamental que envolve diversas práticas e ferramentas para proteger os dados e garanti...
- Questão 10 Considere as seguintes asserções acerca da criptografia de chave pública e do algoritmo RSA: A criptografia de chave pública permite qu...
- Questão 09 A criptografia e hashing são componentes essenciais na segurança da informação. Eles servem para proteger dados e assegurar que a comuni...
- Questão 08 Na era digital, a segurança das informações se tornou uma prioridade para proteger dados sensíveis contra acessos não autorizados. Vária...
- Questão 06 Associe cada conceito relacionado às funções de hash com sua descrição correta: Conceitos: Efeito avalanche Colisão Não repúdio XOR Bl...
- Questão 04 Considere as seguintes asserções acerca da utilização de funções de hash em sistemas de segurança da informação: As funções de hash são...
- Questão 01 Associe os conceitos de criptografia e hashing com suas respectivas descrições: Criptografia de chave simétrica Criptografia de chave a...
- Qual é a definição de privacidade? Questão 1Resposta a. O direito de usar informações pessoais para fins comerciais b. O direito individual de control
- Material de construção pode ser definido como todo e qualquer produto que seja utilizado na construção de um empreendimento, seja prédios públicos,...
- Questão 6 | GESTAO DE CARREIRA Código da questão: 63975 Existe um grupo de elementos que devem ser levados em conta pelas empresas, como possuir um...
- Avaliação Online Arquitetura e Organização de Computadores ESAB
- Aula 02 Introdução
