Lab 2 — Successful Brute Force Login

Attack: SSH credentials cracked via Metasploit’s ssh_login. Defense: detect the success in logs, reset/disable, and harden SSH to keys-only.

Scenario

Building on Lab 1, SSH (port 22) is exposed on the NAS host. A weak user password allows a successful brute-force using Metasploit’s auxiliary/scanner/ssh_login. On defense, authentication logs reveal the success; the account is secured and SSH is hardened.

Offensive

[Screenshot: Metasploit console prepared for the SSH brute-force attack.]
[Screenshot: auxiliary/scanner/ssh_login module options.]
[Screenshot: successful SSH login via brute-force. Credentials found, shell access obtained.]

With a BSD shell obtained, upgrade to Meterpreter using the post module post/multi/manage/shell_to_meterpreter.

[Screenshot: upgrading the shell to a Meterpreter session.]
[Screenshot: interactive Meterpreter session on the target.]
[Screenshot: getuid and sysinfo confirming user and system details.]

Defensive

Detect the Successful Login

Review /var/log/auth.log (or platform equivalent). Look for a sequence of failures followed by a success.

[Screenshot: log view showing failed attempts chained together, leading up to the success.]
[Screenshot: log view highlighting the successful SSH login event.]
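
The failures-then-success pattern can be checked mechanically rather than by eye. The script below is an added example, not part of the original lab. It assumes standard OpenSSH "Failed password" / "Accepted password" syslog lines and a hypothetical threshold of 5 failures per source IP; the host name, users and log lines are constructed.

```python
import re
from collections import defaultdict

# OpenSSH sshd password-auth results as they appear in auth.log.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce_successes(lines, threshold=5):
    """Return (ip, user, prior_failures) for every accepted password login
    preceded by at least `threshold` failures from the same source IP."""
    failures = defaultdict(int)  # source IP -> failures since its last success
    hits = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # key-based logins, disconnects, other daemons
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= threshold:
            hits.append((ip, m["user"], failures[ip]))
        failures[ip] = 0  # a later clean login from this IP is not flagged
    return hits

# Constructed sample: hypothetical host "nas", users, and documentation IPs.
SAMPLE_LOG = [
    "Jan 10 02:14:01 nas sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2",
    "Jan 10 02:14:02 nas sshd[4102]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    "Jan 10 02:14:03 nas sshd[4103]: Failed password for nasuser from 203.0.113.7 port 40124 ssh2",
    "Jan 10 02:14:04 nas sshd[4104]: Failed password for nasuser from 203.0.113.7 port 40125 ssh2",
    "Jan 10 02:14:05 nas sshd[4105]: Failed password for nasuser from 198.51.100.20 port 51000 ssh2",
    "Jan 10 02:14:06 nas sshd[4106]: Failed password for nasuser from 203.0.113.7 port 40126 ssh2",
    "Jan 10 02:14:07 nas sshd[4107]: Failed password for nasuser from 203.0.113.7 port 40127 ssh2",
    "Jan 10 02:14:09 nas sshd[4108]: Accepted password for nasuser from 203.0.113.7 port 40128 ssh2",
    "Jan 10 02:15:30 nas sshd[4120]: Accepted password for nasuser from 198.51.100.20 port 51002 ssh2",
    "Jan 10 02:16:00 nas sshd[4125]: Accepted publickey for backup from 192.0.2.15 port 52200 ssh2",
]

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_successes(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} after {n} failed attempts")
```

Counting per source IP rather than per user also catches attempts that rotate usernames, and a single mistyped password before a legitimate login stays below the threshold.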

Immediate Account Actions

Reset the compromised password and temporarily disable interactive SSH access for the account while IR proceeds.

[Screenshot: resetting the user password on the NAS host.]
[Screenshot: disabling the user account or restricting its logins.]

Hardening SSH

Disable Password-Based Logins

Move to key-based authentication and disable password auth for SSH to prevent brute-force success.

[Screenshot: server configuration snippet with SSH password logins disabled (keys only).]
[Screenshot: SSH server settings confirming the keys-only configuration.]

Additional options: rate-limiting at the firewall, fail2ban-style lockouts, and limiting SSH to trusted management networks.