Cracking UNIX Password Over SSH to Gain Shell Access

07 Oct 2017

Overview

This exercise involves brute-force searching for a UNIX password over SSH to gain shell access to a target machine. Students will gain a more concrete understanding of IP addresses, open/closed ports, and the possibility of using automated processes to rapidly try many weak passwords.

Prerequisites

  • A Kali Linux instance:
    • No extra programs beyond those provided by a clean install are needed to complete this exercise.
  • A Linux-based target VM running atop Kali Linux:
    • The VM should be reachable from Kali using a VirtualBox-provided Host-Only network, for which no DHCP server is required. On the VM, modify /etc/network/interfaces to provide a static IP appropriate for the subnet/address range of the network as defined in VirtualBox.
    • Enable and start the SSH daemon, configuring it to run on port 84 (or some port other than 22) in /etc/ssh/sshd_config.
    • Create a new UNIX user for students to attack (this username will be provided to students). Use passwd to change the password so that it matches one of those in one of the wordlists in Kali’s /usr/share/wordlists/*.txt.

Background Info to Provide Students

Show them how to start the VM in Kali, and show/remind them how to use ifconfig / ip a. Explain to them that various adapters listed in the output allow access to various networks; the vboxnet0 interface provides access to the network on which the VM is running.

Tell students that they will need to use nmap to scan the vboxnet0 network for IP addresses and the ports open on those addresses. They will find a single IP with a single open port; this is the VM to hack.

Once they have the IP, suggest that they use hydra to brute-force the password using one of the wordlists in /usr/share/wordlists. Tell them the username of the UNIX user created earlier so as not to make them spend hours testing various username/password combinations. Some of the wordlists are huge, so encourage them to start with the smallest files first.

Once hydra finds the password, have them ssh into the VM, using the IP address, port, username, and password they’ve found so far.

Solution

  1. $ ifconfig
    • Shows the vboxnet0 interface with an address in a range such as 192.168.56.??? (depending on the specific configuration in VirtualBox and assuming a subnet mask of 255.255.255.0).
  2. $ nmap 192.168.56.0-254
    • To find all hosts on the network with open ports; this will turn up one IP with one open port.
  3. $ hydra -l <pre-provided_username> -P /usr/share/wordlists/<wordlist_file.txt> ssh://<open_ip>:<open_port>
    • To find the password of the pre-provided UNIX user.
  4. $ ssh -p <open_port> <pre-provided_username>@<open_ip>
    • To gain shell access to the VM.
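
What step 3 looks like from the target VM's side, as an added example that is not part of the original exercise: a short Python script that reads sshd authentication log lines and flags any source address with a burst of failed passwords, noting when that burst ends in a successful login. The log lines, hostname, usernames and addresses are constructed samples in OpenSSH's usual log format, and the threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines as they would appear in the target VM's
# auth log (assumed path on Debian-based systems: /var/log/auth.log).
SAMPLE_LOG = """\
Oct  7 14:02:11 target sshd[1201]: Failed password for student from 192.168.56.1 port 51234 ssh2
Oct  7 14:02:11 target sshd[1202]: Failed password for student from 192.168.56.1 port 51236 ssh2
Oct  7 14:02:12 target sshd[1203]: Failed password for student from 192.168.56.1 port 51238 ssh2
Oct  7 14:02:12 target sshd[1204]: Failed password for student from 192.168.56.1 port 51240 ssh2
Oct  7 14:02:13 target sshd[1205]: Failed password for student from 192.168.56.1 port 51242 ssh2
Oct  7 14:02:13 target sshd[1206]: Failed password for student from 192.168.56.1 port 51244 ssh2
Oct  7 14:02:14 target sshd[1207]: Accepted password for student from 192.168.56.1 port 51246 ssh2
Oct  7 14:05:40 target sshd[1250]: Failed password for invalid user admin from 192.168.56.20 port 40112 ssh2
Oct  7 14:05:48 target sshd[1251]: Accepted password for admin from 192.168.56.20 port 40114 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=5):
    """Return per-source stats for addresses with >= threshold failed passwords."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "compromised": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif s["failed"] >= threshold and s["compromised"] is None:
            # A success right after a burst of failures: the password was likely guessed.
            s["compromised"] = m["user"]
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['failed']} failed logins for {sorted(s['users'])}, "
              f"login succeeded as: {s['compromised']}")
```

Running it over the target VM's own auth log after the exercise lets students see their hydra run from the defender's side; a single mistyped password followed by a login stays below the threshold and is not reported.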

Reflections

Students got tripped up on scanning the IP address range; they scanned final octets 0 through 100, but as the octet could be above 100, they needed an explanation of the value range of an octet (0 through 255).

Some students had trouble with hydra’s -l/-L flags for single/file-list username provision, and -p/-P flags for single/file-list password provision. Having them open the man page for hydra and read carefully about the distinction between the flags was enough for them to figure it out and continue.