SSH
( TCP 22 )
Enumeration
Testing Connection and Version
attempt to connect to see if there is a banner when connecting
also ssh login banners might be helpful some times.
User Enumeration Timing Attack
In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
Automated SSH Audit
Basic server auditing:
To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):
To audit a client configuration (listens on port 2222 by default; connect using ssh -p 2222 anything@localhost):
To audit a client configuration, with a listener on port 4567:
To list all official built-in policies (hint: use resulting policy names with -P/--policy):
To run a policy audit against a server:
To run a policy audit against a client:
To run a policy audit against many servers:
To create a policy based on a target server (which can be manually edited):
Login Brute Force
SSH User Code Execution
This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. Thus we gave host IP along with username and password, if everything goes in right then we get meterpreter session on our listening machine.
as a result you can observe that we have meterpreter session of the host machine.
Default Credentials
Vendor
Usernames
Passwords
APC
apc, device
apc
Brocade
admin
admin123, password, brocade, fibranne
Cisco
admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin
admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrix
root, nsroot, nsmaint, vdiadmin, kvm, cli, admin
C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Link
admin, user
private, admin, user
Dell
root, user1, admin, vkernel, cli
calvin, 123456, password, vkernel, Stor@ge!, admin
EMC
admin, root, sysadmin
EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Com
admin, root, vcx, app, spvar, manage, hpsupport, opc_op
admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huawei
admin, root
123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBM
USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer
PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Juniper
netscreen
netscreen
NetApp
admin
netapp123
Oracle
root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user
changeme, ilom-admin, ilom-operator, welcome1, oracle
VMware
vi-admin, root, hqadmin, vmware, admin
vmware, vmw@re, hqadmin, default
Stealing SSH Keys (post)
This attack requires a compromised server with SSH server running. If you are able to compromise a server with Metasploit and server has SSH running but require a key to connect with it. in that situation, you can steal the keys from the compromised server.
Once you have compromised the server with Metasploit then run it in the background and run the above post exploit within your Metasploit and set your exploited server session id.
Once you find that you can get the key for that you have to start the session and download the key.
Once the key is downloaded you can find it in /home the directory. If you have the key then you can use it to connect with it as we saw earlier. There are lots of other things you can do with SSH you can check Metasploit use auxiliary/scanner/ssh to list all the options available.
SSH 2.0 Version Fuzzer
Last updated
