M3 Brute Forcing with Metasploit

Teaching and Learning

Created on April 13, 2026

Logging In

  • Using a computer, go to https://apps.cyber.org
  • Log in with the username and password provided by your teacher via Canvas email.
  • The username and password are auto-generated and do not contain any personal information.
  • You will need the Windows Server 22 and Kali VMs for this lab.

Lab Background – Metasploit

  • Metasploit is an open-source framework for developing, testing, and executing exploits against systems in order to identify and verify security vulnerabilities. It is often used for pen testing.
  • It includes exploits, payloads, auxiliary modules, and post-exploitation tools to simulate real-world attacks.
  • Cybersecurity professionals, ethical hackers, and red teams use Metasploit for authorized testing, vulnerability assessments, and training.

Lab Context

  • Servers are often accessed remotely through a command-line interface, typically over the Secure Shell (SSH) protocol.
  • Though SSH itself is secure and connects to a remote server through an encrypted tunnel, a poorly configured machine could be vulnerable to brute forcing.
  • Metasploit will be used to brute force, or try every combination of, the credentials used to connect to the Windows Server via SSH.
  • Network recon has already been performed, so the target IP address is known, like what is shown here.

Setup Environment

  • Log into your range account at https://apps.cyber.org
  • Open the Windows Server 22 Environment
  • You should be on your Windows Server 22 Desktop

Start SSHD Service in Windows

  • Start in the Windows Server VM.
  • Click in the search bar at the bottom left and search for PowerShell. Click on the application icon when it appears.
  • Run the command Start-Service sshd which will start the OpenSSH SSH Server.
  • Run Get-Service sshd to verify that the sshd service says Running.
  • Use ipconfig and take note of the IPv4 Address.
  • Leave this PS terminal open.

IPv4 will be different for each person.

Start Metasploit in Kali

  • Switch to the Kali VM.
  • Open a terminal and run the command sudo msfconsole to start the Metasploit framework.

It may take a few seconds to load.

Search and Examine the SSH Options

  • Use search ssh to view the available exploits and modules.
  • Notice Metasploit offers several options for a wide array of devices and programs related to SSH.

    Search and Examine the SSH Options

    • Use the command use auxiliary/scanner/ssh/ssh_login to interact with the module needed.

    Configure the Module

    • Use the following commands to configure the module:
      • set RHOSTS <Unique Windows IP Address>
      • set USER_FILE /home/kali/CourseFiles/CySec2/Brute-Force-Lab/usernames.txt

    Configure the Module

    • Use the following commands to configure the module:
      • set PASS_FILE /home/kali/CourseFiles/CySec2/Brute-Force-Lab/passwords.txt
      • set VERBOSE true

    Run the Attack

    • Simply use the command run to start the attack.
    • Because we turned VERBOSE on, you can see each attempt as it occurs.
    • Successful logins will be tagged, but note that the attack will run fully through all usernames and passwords unless stopped.
    • In the real world, this would use very large dictionaries containing thousands of usernames and passwords, meaning it would take a very long time.

    Successful Capture and Testing

    • Successful logins will be marked as shown.
    • Test the login in Kali by opening a new terminal and using the command ssh Administrator@<Unique Windows IP Address>
    • Type yes and [Enter] for the authenticity prompt.
    • Enter “password” and [Enter].
    • The prompt will change to the Windows user.
    • You now have control over the Windows Server.
    Anything typed in for the password will not be seen on screen.

    Seeing the Attack on the Windows Side

    • Switch to the Windows Server VM.
    • Search for Event Viewer in the search bar at the bottom left and click the application icon to open it.
    • Select Windows Logs in the left side panel.
    • Double click Security in the center panel.

    Checking the Failed Process

    • Scroll down the list of events until you see an Audit Failure.
    • Click on the failure, then scroll down the window for the General tab.
    • Examine the text to view the Process Information which should list sshd.exe.
    • Close the Event Viewer.
    • Although this is showing the event after it occurred, if configured properly, various security tools and software could detect and alert analysts of this type of attack.
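
The kind of check such a tool runs, as an added example that is not part of the original lab: it flags a burst of failed logons attributed to sshd.exe and reports any account that then logs in successfully. The simplified event records, their field names, and the threshold and window values are assumptions; 4625 and 4624 are the Windows Security log IDs for failed and successful logons.

```python
# Added example, not part of the lab: flag SSH password guessing in logon events.
from collections import deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624  # Windows Security log: failed / successful logon
T0 = datetime(2026, 1, 1, 9, 0, 0)  # constructed base time for the sample data


def detect_ssh_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per burst of >= threshold sshd.exe failures within window."""
    recent, alerts, alert = deque(), [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if not ev["process"].lower().endswith("sshd.exe"):
            continue  # only logons handled by the OpenSSH server
        if ev["id"] == FAILED:
            recent.append(ev)
            while ev["time"] - recent[0]["time"] > window:
                recent.popleft()  # slide the window forward
            if len(recent) < threshold:
                continue
            if alert is None or ev["time"] - alert["end"] > window:
                alert = {"start": recent[0]["time"], "end": ev["time"],
                         "users": set(), "logins": []}
                alerts.append(alert)
            alert["end"] = ev["time"]
            alert["users"].update(e["user"] for e in recent)
        elif ev["id"] == SUCCESS and alert and ev["time"] - alert["end"] <= window:
            if ev["user"] in alert["users"]:  # a guessed account just logged in
                alert["logins"].append(ev["user"])
    return alerts


def _ev(offset_s, event_id, user, process=r"C:\Windows\System32\OpenSSH\sshd.exe"):
    """Build one constructed event record (field names are hypothetical)."""
    return {"time": T0 + timedelta(seconds=offset_s), "id": event_id,
            "user": user, "process": process}


# Constructed sample: a normal mistyped login, then a guessing run that succeeds.
SAMPLE = [
    _ev(-3600, FAILED, "alice"), _ev(-3590, SUCCESS, "alice"),
    *[_ev(2 * i, FAILED, u) for i, u in enumerate(
        ["root", "admin", "Administrator", "root", "admin", "Administrator"])],
    _ev(12, SUCCESS, "Administrator"), _ev(14, FAILED, "guest"),
    _ev(5, FAILED, "bob", process=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for a in detect_ssh_guessing(SAMPLE):
        print(a["start"], sorted(a["users"]), "logins:", a["logins"])
```
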

    Mitigation Efforts – Edit SSH Rules

    • The Windows Server is allowing SSH connections via user credentials.
    • That can be stopped by editing the sshd_config file.
    • In PowerShell, use Start notepad++ C:\ProgramData\ssh\sshd_config
    • This will open the configuration file in Notepad++ for editing. Any text editor could work.
    • Scroll down to #PasswordAuthentication yes and change the yes to no and delete the # so the rule is not commented out and can take effect.
    • Save the file and close.
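
A way to confirm the edit took effect, as an added example that is not part of the original lab: it reads sshd_config text and reports whether password logins are still allowed, covering the commented-out default, a duplicate keyword (sshd keeps the first value it reads) and a Match block that turns passwords back on. The sample configurations and the function names are constructed for illustration.

```python
# Added example, not part of the lab: does this sshd_config still allow passwords?
DEFAULT = "yes"  # OpenSSH default when PasswordAuthentication is not set


def directives(config_text):
    """Yield (line_no, keyword, argument) for active lines; keywords lowercased."""
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # "#PasswordAuthentication yes" is inert
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            yield line_no, parts[0].lower(), parts[1].strip().strip('"')


def password_auth_report(config_text):
    """Report the global PasswordAuthentication value and Match-block overrides."""
    global_value = global_line = match = None
    match_seen, reenabled = False, []
    for line_no, key, arg in directives(config_text):
        if key == "match":
            match, match_seen = arg, False
        elif key == "passwordauthentication":
            value = arg.lower()
            if match is None:
                if global_value is None:  # sshd keeps the first value it reads
                    global_value, global_line = value, line_no
            elif not match_seen:
                match_seen = True
                if value == "yes":  # a Match block overrides the global setting
                    reenabled.append((match, line_no))
    effective = global_value or DEFAULT
    return {"global": effective, "line": global_line, "match_reenables": reenabled,
            "passwords_allowed": effective == "yes" or bool(reenabled)}


# Constructed samples modelled on the lab's edit (not the real file contents).
BEFORE = """#PasswordAuthentication yes
Subsystem sftp sftp-server.exe
Match Group administrators
    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""
AFTER = BEFORE.replace("#PasswordAuthentication yes", "PasswordAuthentication no")
SHADOWED = "PasswordAuthentication yes\nPasswordAuthentication no\n"
OVERRIDDEN = "PasswordAuthentication no\nMatch User svc\n  PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name in ("BEFORE", "AFTER", "SHADOWED", "OVERRIDDEN"):
        print(name, password_auth_report(globals()[name]))
```
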

    Mitigation Efforts – Restart SSH and Test

    • To apply the changes, use Restart-Service sshd in the PowerShell window.
    • Return to the Kali VM.
    • Changing the configuration file does not affect current SSH sessions, so use exit in the Kali terminal to end the session.
    • Hit the up arrow or use ssh Administrator@<Unique Windows IP Address>
    • This should result in permission being denied. You could even run Metasploit again and it will fail when attempting the correct credentials as well.
