Using nmap to brute-force SSH

by Jordi Prats

If we have a bunch of Raspberries on our network and we want to make sure none of them is still using the default password, we can use nmap to try to brute-force our way into them.

First we need to check that we have a fairly recent nmap version that ships the ssh-brute.nse script:

$ ls /usr/share/nmap/scripts/ssh-brute.nse
/usr/share/nmap/scripts/ssh-brute.nse

With this NSE script available we can create the user list and the password list we want to use. In this example we are going to use just one username and one password, as follows:

$ cat users.lst
pi
$ cat pass.lst
raspberry

Finally, to launch the scan on the 10.12.16.0/24 demo network using the user and password lists above, we run nmap as follows:

$ sudo nmap -p 22 10.12.16.0/24 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-06 13:03 CEST
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
Nmap scan report for _gateway (10.12.16.1)
Host is up (0.00085s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 0 guesses in 6 seconds, average tps: 0.0
MAC Address: F4:69:40:CC:EF:FA (Unknown)

Nmap scan report for 10.12.16.42
Host is up (0.021s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute:
|   Accounts:
|     pi:raspberry - Valid credentials
|_  Statistics: Performed 2 guesses in 3 seconds, average tps: 0.7
MAC Address: 1E:3B:04:CC:FE:AF (Unknown)

(...)

Nmap done: 256 IP addresses (9 hosts up) scanned in 28.11 seconds

In this example we can see that it found one host still using the default Raspbian password.
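On a larger network the useful output is the list of hosts that need their password rotated, not the full scan log. The following helper is an added example, not part of the original post: it parses nmap's normal output for the ssh-brute "Valid credentials" lines and returns one remediation entry per affected host. The sample output embedded in it is constructed from the run above.

```python
import re

# Constructed sample, trimmed to the lines of nmap's normal output that matter here.
SAMPLE_OUTPUT = """\
Nmap scan report for _gateway (10.12.16.1)
Host is up (0.00085s latency).
22/tcp open  ssh
| ssh-brute:
|   Accounts: No valid accounts found
|_  Statistics: Performed 0 guesses in 6 seconds, average tps: 0.0
Nmap scan report for 10.12.16.42
Host is up (0.021s latency).
22/tcp open  ssh
| ssh-brute:
|   Accounts:
|     pi:raspberry - Valid credentials
|_  Statistics: Performed 2 guesses in 3 seconds, average tps: 0.7
Nmap done: 256 IP addresses (9 hosts up) scanned in 28.11 seconds
"""

# Host header: "Nmap scan report for name (ip)" or just "Nmap scan report for ip".
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
# A credential line inside the ssh-brute Accounts table.
CRED_RE = re.compile(r"^\|\s+(?P<user>[^:]+):(?P<pw>.*?) - Valid credentials$")

def find_default_creds(output: str) -> dict:
    """Map each host IP to the (user, password) pairs ssh-brute accepted."""
    hits = {}
    current_ip = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current_ip = m.group("ip")
            continue
        m = CRED_RE.match(line)
        if m and current_ip:
            hits.setdefault(current_ip, []).append((m.group("user"), m.group("pw")))
    return hits

def report(output: str) -> list:
    """One remediation line per affected host, ready for a ticket or a log entry."""
    return [f"{ip}: accepted {', '.join(u for u, _ in creds)} from the list; rotate the password"
            for ip, creds in sorted(find_default_creds(output).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)) or "no host accepted a credential from the list")
```

Save the real scan with `-oN scan.txt` and feed the file contents to `report()`; hosts that rejected the whole list are left out, so an empty result means the network is clean for that list.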


Posted on 15/09/2021