BRUTEFORCE (II): ATTACKING AN SSH SERVER WITH BRUTER
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBtX7lKlmwGZrv0Mt6MGbqeAcQRlEEbLwnWzZqO80JPkBV6qe8SPW-Fsgqv6H2hoFVby0sIIqHmHMgVzyvCnKL6Mk4otNUYSMRv3uPtvmOjfW-gY1ykcBlnTYxT_ZoFa7qtaQ97LPwLiD4/s1600/screenshot.57.jpg)
- This exercise is based in the previous one:
http://www.whitelist1.com/2018/04/bruteforce-i-attacking-ftp-server-with.html
1 - Setting up an SSH server
- Downloading the freeSSHd server to the victim Windows 10:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiRIxOEGpXpawfR66rVOEpzo5aISoNdJ4Aih6ZEU8ZFqTMqwitOO5fNTUrLIAySBZuVLqnBLUDfxd92BeS4y4OFYtllicTJGpVbeJ-pG-MetyR4k786zo827FBM7BQu1wxHdPzs19K5djJ/s1600/screenshot.19.jpg)
- Running the executable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpETjr8v7EqLM9A3cO9Zo3q3ZNZ3K5IHHnwO5pNQGGtk0_o5jlMFx5DD6KByWS6WmgXacnoGl9Q0Rd8OAV0N0R7eP7WMbHVddddO8iB5mZxkCtnHHjO74vDxGUtkuO4E6I7yPOnhbVLXQh/s400/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaUN3NR4XzVV9LEkouj_XeqilI_6ztIXuc2KrP1yHlqOWv3ZJ-jbRX4fB8hia3_Wk03C8lSbCWLOk0EkwewzF47GYRijzBsgGcUvZnki_ouoNoCcZ4H2igi2bVTEP69OqFYVM4IeljMyzt/s400/screenshot.21.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDhIcdPEPC4-7sxgWGUgv4XMZRE4shuOvHSNnOnF1QMj_22aRHfd9tdNGD9nTxuEAUaUWQNWiW84bFo0d1ltPvHtkRkWx56Zw55ZhACSqd0IfTyatmgJib1ULgeDi9fzC47KpFVMkR6uZK/s1600/screenshot.23.jpg)
- Going to the SSH server Settings:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVQUmGpkUqYqQgB3aT7plvBsxmZq3vpX-ANZzVYlDVMdtD8WL_DA_nhukse9r8M5489a4JMZez_g8cXWKYacjItgyPSOog8MSS-84KAXTQZRbVtScoKPvpi_uIvAWmDtIeJB8gLUKYa42_/s400/screenshot.24.jpg)
- Starting the SSH server on the victim side Windows 10:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT7spXKzq54Ia8eXTPoQbI5d7AyJkNYzoZ99fZdz2gj8_lcagCo3ZHhWAtRpFlAdCF3mlEmTEt5D0UF-ZHQoSMUdlE8lfe8QwCfeb1o-WoeoSZtdiDPpL_yGMLDOX1NmRph-xW-xYRXk_n/s1600/screenshot.25.jpg)
- Adding a user admin and a simple password (123):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVjo_ojIdNdQTqtFMwhFU0d00xQ3-dp5N-Oo3j1TRB_5PoVzlkYgBoH_-xiwpJ6I16aA6l7DTC-Df-nkI3efskyFtThLlNbJsOKUxSwjZ1JZilzhyphenhyphenA6LrNzRDQ3J8TRcqNu6CrDDFp_hGA/s1600/screenshot.38.jpg)
- Finally the SSH server is up and running:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqQo55RrO9_Mrb-sodi10rFsCptfeY-pIaGuMCm6-CWQP_gLMYhOHXjUkX9lZuH1ZYoeeR0uVTfaOHxvkoqjVfM0nsZSEuV9Ig2EKZJEC-wTkjpNC-jnr-_3lOeeU41dAidiSkLqQx3e03/s1600/screenshot.28.jpg)
- Checking that the SSH service works for the user admin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOblkxpdaXWITBdlFjXWTGicdkK5c1dNKn8_q0tAt2LtMXoDWsOYrNHdY98vB1EnJygg3PihAzeApcgAcVZ2Jt09bbtJ2p6tAk4YiZGjUHcGDGRx23nvZTuwxSArhuY66Vx1UJdbXIaw0h/s1600/screenshot.31.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiipzvLmlE9WCPhUZodmpq9z7DwLrdIlzFgxO4ivJkVUtWzEoOdBPr3JwU6YFPkjfO__nljjCgKs7TyLpaSCN96Qq7aCyghAL7CkhnsJJSmEvyUAwjAnfD71hlGKwH8UNoCgOHerCrX7ByG/s400/screenshot.34.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7hsQljwvZgKVKwHNpnrYDB6LMpeSgxPcGNuaiDPgMueyfZOYFvliOLeoqwLfO0h8G753AHcbR-b1bBIVh1wpLx8vHGCKkDw_IYVQNkTjEroTRdjuEKHzwLNjHRIoWA6SkvTKJ5l4tReF_/s1600/screenshot.35.jpg)
2 - Bruteforcing the SSH server
- From the attacker machine Windows 7, checking that the port 22 is open at the victim Windows 10 (192.168.1.6):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvZRDrlzV_v2gEF7RuTrXQHHvGYYKDNagCs83DTP1zuXwSZEiwQx_1PRoWFeyDU-XJq1qjjYBeUbWwA7ThNjA81I_Wp3BoSjLWNE39QYsII5B3RW1FDfrH_oluV9el3x3BwUXimFTkPsqE/s1600/screenshot.40.jpg)
- Running Bruter.exe from the attacker against the SSH server (IP 192.168.1.6, port 22):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7trK67ZfENJLEKNTdwKZAnoyAV9viPTZZNSW3TolJE3qRWdcU9j-KeYYE7977-CJiNDfQmTGYgyuWfUZNGYV_Uq-EcUOC5xilKqZtx88vYqtmn2NA630om_4qYzEf8gcVfvKGfsTcqk9w/s400/screenshot.55.jpg)
2.1) Dictionary
- Taking the Dictionary option, and browsing for a wordlist:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQVg8tVxDSUK1yte5bpTZBwIoGoV6kzB0QNGwGSkI2D8ktRUGhPnxH9a9LgIuuLMG02Te1AElN5QfGUWi_PgyOXNQS-WM1rOXMiLtNQrmlAlX0lcg82lfKPqhP0msJbT7HJ_nCp6Zv37YY/s1600/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOo1967iN51Uc3fUhSsEZnFiR9wyauOqEdLyNOgzI9VHx3UmlHf1AWTiDhVQrjYuNEVbSJkXVCcp-85HpiNPA5etArkagfGHZKcNuufAxu8vYXWu8YDVG1ukP0CkHNqNx51Jh6y4hiCwEZ/s400/screenshot.1.jpg)
- Starting the attack:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMENuR3yWTVvMM-olJWwHWidsXKRVSuOi3F0avFZvU9fa-9Q2mqGq10vtnThrdVKI8lB-Zn1mYENztc61L9TQJJFT-TRJX8GuWghh_mN_KBNl9EUsnR7QyPzfgxWTXA2bl_TOCh-Z5iJVK/s400/screenshot.54.jpg)
- The attack is successful because and the password (123) is revealed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRiQiplu8oBXMNZsnqupia-Q7CfwniUZny4mIJtMXghKucrYn5FioGbZeyldLlxZDAXaY6l_bVZ0DmxsGbMvwuZpvBpP3niUA47BZv96JSyUnd0u2bLVdO9GCmIB22iOpsI0guYniygfTY/s1600/screenshot.43.jpg)
2.2) Brute force
- Choosing Brute force, setting options for the Charset and the length of the password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXZoZ1zkv1B7C2vAlYeaELsJaFisBHRqtlSgj8WxD1btxuZTxB_KWDBBmkoxw0_hnsw3tYhwFHdJKdaiZ8wznYIww92MhWmwUl5rseAGemHgFVmsC619hla9CACIv3DjWA0BIHb1_f6zKH/s1600/screenshot.59.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr88vDGsR7GIDeHlj3Q8Ld5ZHjCW1I3WHy6-kjryA-dBm-9-sIHPdCPFkZQF6ueTB4kuOSIiRipR_1TAzia0xemKqdcHwzbYtkkCZxb4xmElqTfoiiSRoLsBqaHVyvJG6m4d_b-RUPlqj7/s400/screenshot.44.jpg)
- Starting the attack:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMENuR3yWTVvMM-olJWwHWidsXKRVSuOi3F0avFZvU9fa-9Q2mqGq10vtnThrdVKI8lB-Zn1mYENztc61L9TQJJFT-TRJX8GuWghh_mN_KBNl9EUsnR7QyPzfgxWTXA2bl_TOCh-Z5iJVK/s400/screenshot.54.jpg)
- Finally the attack is successful because the password (123) is revealed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRiQiplu8oBXMNZsnqupia-Q7CfwniUZny4mIJtMXghKucrYn5FioGbZeyldLlxZDAXaY6l_bVZ0DmxsGbMvwuZpvBpP3niUA47BZv96JSyUnd0u2bLVdO9GCmIB22iOpsI0guYniygfTY/s1600/screenshot.43.jpg)
- The password has been chosen deliberately simple because the purpose of this exercise was just to demonstrate how to operate with the Bruter tool.
- For more complex passwords Bruter has a wide range of predefined Charsets with a greater number of characters, in addition to the possibility of decreasing the Min_Len parameter and increasing Max_Len.
- Obviously, the disadvantage would lie in the slowness of the attack, in addition to the greater amount of resources needed to implement it.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDWcGyfAGSUI6mCNjtxElGjMpFLv50fwVhFbx6l85Baw3iinb2VkMEeUDE89cekQt3sy_fRVXHZwVO1UJ6QSnFbbvYZNcav9GhBfQpN_vpO1y88Zr1k7dvxuAPuqK8o3UGYenKxtzGrjAU/s1600/screenshot.58.jpg)