Using nmap to brute-force SSH

2 min read

If we have a bunch of Raspberries on our network and we want to make sure we are not using the default password on any of them, we can using nmap fo trying to brute-force into them

First we will need to check that we have a fairly recent nmap version with the ssh-brute.nse script:

$ ls /usr/share/nmap/scripts/ssh-brute.nse 
/usr/share/nmap/scripts/ssh-brute.nse

Having this NSE available we can then create the user list and the password list we want to use. On this example we are going to use just one username and one password as follows:

$ cat users.lst 
pi
$ cat pass.lst 
raspberry

Finally, to launch the scan on the 10.12.16.0/24 demo network using the aforementioned user and password list we would run nmap as follows:

$ sudo nmap -p 22 10.12.16.0/24 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-06 13:03 CEST
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
NSE: [ssh-brute] Trying username/password pair: pi:pi
NSE: [ssh-brute] Trying username/password pair: pi:raspberry
Nmap scan report for _gateway (10.12.16.1)
Host is up (0.00085s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute: 
|   Accounts: No valid accounts found
|_  Statistics: Performed 0 guesses in 6 seconds, average tps: 0.0
MAC Address: F4:69:40:CC:EF:FA (Unknown)

Nmap scan report for 10.12.16.42
Host is up (0.021s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute: 
|   Accounts: 
|     pi:raspberry - Valid credentials
|_  Statistics: Performed 2 guesses in 3 seconds, average tps: 0.7
MAC Address: 1E:3B:04:CC:FE:AF (Unknown)

(...)

Nmap done: 256 IP addresses (9 hosts up) scanned in 28.11 seconds

On this example we can see how it found one host using the default password for raspbian


Posted on 15/09/2021