Cracking SSH Password on Metasploitable

Metasploitable as we explored in previous blog posts is made to be exploited. Ideal for those learning penetration testing and wanting to become familiar with the procedures, and techniques.

In this article we will look at how we can exploit a vulnerability in SSH that allows us to obtain the root user password.

The first thing we need to do though is obtain the username. We can do this using nmap

By running an nmap scan on our network we can find out target machine on IP address 10.0.2.6

──(kali㉿kali)-[~]
└─$ nmap 10.0.2.0/24
metasploitable Nmap scan

On 10.0.2.6, which is our metapsloitable target machine, we see the services and ports available.

┌──(kali㉿kali)-[~]
└─$ nmap -script smb-enum-users.nse -p 445 10.0.2.6

Next run the above command. This will run a script on the target host IP address. The port 445 is used as we can see it is open on the nmap scan that will enumerate all the user ID’s on the target machine. The result is below.

metasploitable username scan with nmap

You can see that there is an account that is not disabled named msfadmin. Now armed with this information cracking the password will be much easier.

We will run an attack known as a dictionary attack. I am using the easy to find rockyou.txt with contains a huge list of common passwords. We will use a built in function of metasploit to scan this list and try each password against the username we have found until it gets a result.

Go ahead and open up a terminal window and start up metasploit with the msfconsole command. Then load up the ssh_login module.

msf6 > use auxiliary/scanner/ssh/ssh_login

Now type options and you can see several parameters we need to set.

We need to set the RHOSTS to 10.0.2.6, our target machine. RPORT is port 22, which as we saw in nmap is port 22 for ssh. The USERNAME we already determined is msfadmin and our USERPASS_FILE is the directory location of our rockyou.txt password list. We will also set VERBOSE too true, this means the results will be displayed for each tested password. STOP_ON_SUCCESS should also be set too true.

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.0.2.6
RHOSTS => 10.0.2.6

msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /home/kali/Desktop/rockyou.txt
PASS_FILE => /home/kali/Desktop/rockyou.txt

msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true

msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true

msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin

Now all options are set, it’s a matter of typing run and letting the script run through each line in the rockyou.txt dictionary of passwords. It may take some time, depends on how far through the dictionary your password is (assuming it is there at all!). I made sure for purposes of the exercise that the password was included in the rockyou.txt file by manually adding msfadmin password after a few hundred lines, and as you can see below it was picked up as a positive result.

So there you have it, a simple introduction to the basics of how to find a Linux username, and crack the password using metasploit. Of course this is purely an exercise, and in real life target machines will NOT be this easy. This blog is for educational purposes only, to help you understand why it’s important to secure your machines, and also give practice to those embarking upon a career in ethical hacking and penetration testing.

Advertisement

4 thoughts on “Cracking SSH Password on Metasploitable

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: