Brute-Forcing Remote Services With Metasploit Module and Hydra

Metasploitable 2 Walkthrough (Part-2)

In my previous walkthrough, we exploited the vulnerable ftp service on Metasploitable 2.

In this walkthrough I will be using “Brute force” attack to exploit “ssh” and “telnet” services.

Methods of exploiting for those services may be different in other walkthroughs.

My point is to show you how can we use the “Brute force” attacks to gain access to various network services.

Let’s do it.

SSH Brute-force

As we can see in our previous scanning results, there is an open “ssh” port that is use to remotely access the machine.

We can confirm it with Nmap;

“nmap -sS -sC -sV -p 22 192.168.164.133”

There we go, the port is up and open and it’s software version is OpenSSH 4.7p1 .

But we will not be discussing about the software version vulnerabilities in this walkthrough.

We will be using the “Brute Force” attack.

What is “Brute Force” attack?

A brute force attack is an attempt to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly. 

This is an old attack method, but it's still effective and popular with hackers.


In order to gain access to the “ssh” service on Metasploitable 2 with “Brute Force” attack, we can use two different tools , one is “ssh brute force” module in Metasploit and another is using “Hydra”.

I will be using both tools in this walkthrough.

We already familiar with “Metasploit” framework, but “Hydra” might be a bit new tool to you.

“Hydra” is a parallelized login cracker which supports numerous protocols to attack. 

It is very fast and flexible, and new modules are easy to add. 

This tool makes it possible for researchers and penetration testers to show how easy it would be to gain unauthorized access to a system remotely.

All right , let's do this.

SSH Login Brute Force with Metasploit-Framework

Let’s fire up “Metasploit”.

We will need to search ssh_login module, using “search” function in Metasploit.

“search ssh_login”

There we go, “auxillary/scanner/ssh/ssh_login” is the module we will be using.

"use auxillary/scanner/ssh/ssh_login" 

Next, we will need to check what are the requirements for the module to work;

“show options”

As we can see , this module requires two major options ; 

first is RHOSTS (ip address of the target machine) , second is 

the USERPASS_FILE ; the file that contains “usernames & passwords” combinations called Wordlists.

In this walkthrough, I’d created two wordlist to use with Metasploit and Hydra. These are for easier brute forcing the Target, so you can save time and resources.


You can download it below.

https://drive.google.com/file/d/1df8Lq85ZaLiZSVkXUhRPGkNnR2BJcQ_6/view?usp=sharing

I recommend you download it and extract it on Kali linux Desktop.

Next step is to set the require options for Metasploit module by using “set” option.

To set the target ip address:

“set RHOSTS 192.168.164.133”

To set the wordlist for brute forcing:

“set USERPASS_FILE ~/Desktop/Metasploit.txt”

Then we will tell the module to stop the attack if a valid login credential is found. (This step is optional but it will save you time.)

“set STOP_ON_SUCCESS true”

Then we will tell the module to show the brute forcing status on screen. (Optional too)

“set VERBOSE true”

Then , all we need to do is run the “exploit” and let the bruteforce module do it’s job.

It will take sometime in brute force attacks depending on the strength of the credentials and performance of your PC.

But, with my customized wordlists, it will only take a while.

There we go, we found the valid credentials for Metasploitable 2, a session is open and shell is ready to use.

You can check the open session with the command:

“sessions -i”

You can see there is a shell session is open for us after successful brute force attack.

You can use that shell by using command “sessions 1”

Now we are connected to Metasploitable 2, you can now use any linux commands in this shell.

Now we have successfully brute forced the “ssh” login with Metasploit.

I will show you how to use “Hydra” to carry out a brute force attack.

You can learn more about “Hydra” in “Kali Linux Tools”.

https://tools.kali.org/password-attacks/hydra

Alright , let’s do this.

SSH Login Brute Force With Hydra

First , we need to open a new terminal instance , and type;

“hydra -C ~/Desktop/hail_hydra.txt ssh://192.168.164.133 -v”

“-C” option is use to define the “wordlist” for brute force attack , the one you downloaded earlier.

You will need to provide it like “location/file_name.txt”.

“ssh://” is to define the service we will be brute forcing. Syntax is “service://ip” .

“-t” option is to adjust the brute forcing speed.

“-v” is for Verbosity. To see the results and status on screen.

There we go , we have found six valid logins for Metasploitable 2.

Use those credentials and connect to Metasploitable 2 via ssh.

“ssh -l msfadmin 192.168.164.133”

There we go , we have successfully connected to Metasploitable 2 via ssh.

Alright , don’t let your guard down yet , we still need to hack into the “Telnet” service.

Hardest part is here now.

Open terminal , and connect to “Telnet”.

"telnet 192.168.164.133"

There we go , “msfadmin/msfadmin”.

Just use it to login via “Telnet”.

Success!

Done.

Sometimes, before thinking about scanning the vulnerabilities and choosing exploit, a simple banner gives you the key to the door.

A sharp eye does it. That’s why “Foot printing & Reconnaissance” is a really important step in Penetration Testing and Ethical Hacking.

But , I suggest you should try to brute force the “Telnet” login yourself as a practice.

See you in Walkthrough Part-3 , Good Luck.