18 VM2Report
ASSESSMENT OVERVIEW:

First of all, I applied a simple methodology in which the first step was to get the IP of the machine and do some
reconnaissance. So, I scanned it with Nmap in Kali Linux and found some open ports. Here is the list:
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssh found on tcp/4222.
I scanned the machine IP with multiple scanning and exploitation tools:
Nmap (which you saw previously)
1. Legion
2. Autorecon
3. Some SSH scanners (from GitHub).

• Legion:
About Legion:
The Legion package contains an open-source, easy-to-use, super-extensible and semi-automated
network penetration testing tool that aids in the discovery, reconnaissance and exploitation of information
systems. Legion is a fork of SECFORCE's Sparta.

1. Legion:
This tool showed the same open ports as the Nmap result.
But I used the Legion tool to attack one of the open ports, which was SSH on port 22, since Legion uses the
Hydra tool to crack SSH passwords. So, I gave Legion some wordlists.
The username wordlist was present in the following directory:

"/usr/share/wordlists/metasploit-framework/wordlists/unix-usernames.txt"

And I used a password wordlist from the following directory:

"/usr/share/wordlists/metasploit-framework/wordlists/unix-passwords.txt"

And I started this brute-force attack. The attack took a lot of time and resulted in the password not being
found.
Then I decided to change my wordlist to rockyou.txt.
It was present in the following directory:

"/usr/share/wordlists/rockyou.txt"

This attack took an even longer time. I let it run the whole night, but the result
was not good: it was the same, the password was not found.
The password was not found, so I moved on to the next tool:
• Autorecon
About Autorecon:
AutoRecon is a multi-threaded network reconnaissance tool which performs automated
enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration
testing environments (e.g., OSCP). It may also be useful in real-world engagements.
The tool works by first performing port scans / service detection scans. From those initial results, the
tool will launch further enumeration scans of those services using a number of different tools. For
example, if HTTP is found, feroxbuster will be launched (as well as many others).

• Autorecon:
Then I launched AutoRecon with the machine IP address.
It said that it would take a while to complete the scan.
After a while, the scan completed and it created a directory called result, in which a folder
appeared named with the IP of the machine. The results were stored in that directory; it showed all the
detailed information from an insane-level scan using Nmap and other tools like Dirbuster.
So, I did a lot of research in these folders to find something interesting, but unfortunately I could not find
any exploit. Some other details were found: the following ports were open
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssh found on tcp/4222.
It should have all the detailed information about these ports, their OpenSSH version and their relevant
details. I noted down every important detail.
These details are included with this report in the RAR file.
SSH Scanners:
I downloaded some SSH scanner tools from GitHub. They had some errors and bugs in
their source code, but I decided to go with them and tried to fix them. Some of them I fixed, but they
were still not working for this machine.
The last thing I could do was to manually find exploits for the specific SSH port with its OpenSSH
version. And there something interesting happened. I found that the OpenSSH version is:
Then I used a tool called searchsploit.
This tool gives me detailed information about the exploits present on the internet for that specific
OpenSSH version, which is OpenSSH 7.4.
Searchsploit result:
OpenSSH 2.3 < 7.7 - Username Enumeration                                                              | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                        | linux/remote/45210.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation  | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                              | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                  | linux/remote/45939.py

Exploit links:
https://www.exploit-db.com/exploits/45233
https://www.exploit-db.com/exploits/45210
https://www.exploit-db.com/exploits/40962
https://www.exploit-db.com/exploits/40963
https://www.exploit-db.com/exploits/45939
I also searched for OpenSSH 7.4 exploits on Google. Then
I downloaded all these exploits from the internet, but the problem was that some exploits were written for
Python 2 and do not work now, so I converted them to Python 3, but they still did not work.
Some tools had lots of errors and bugs; I manually fixed those errors and bugs.
Even after fixing the bugs, they did not work. One of them worked, but the problem was that even
when I gave it a random, lengthy username, it still reported that the username was correct. More
details are in the video, which is attached to this report via a Google Drive link.
So, none of the exploits worked correctly.
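To triage which of the searchsploit entries above are even in scope for the detected OpenSSH 7.4, here is an added example (not part of the original report) that parses the version ranges in those titles and compares them numerically; the parser and the `applicable_entries` function are this example's own.

```python
"""Constructed example: decide which searchsploit entries cover the detected OpenSSH version."""
import re

# Titles and Exploit-DB paths exactly as searchsploit returned them in the report.
SEARCHSPLOIT_RESULTS = [
    ("OpenSSH 2.3 < 7.7 - Username Enumeration", "linux/remote/45233.py"),
    ("OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)", "linux/remote/45210.py"),
    ("OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets "
     "Privilege Escalation", "linux/local/40962.txt"),
    ("OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading", "linux/remote/40963.txt"),
    ("OpenSSH < 7.7 - User Enumeration (2)", "linux/remote/45939.py"),
]

# "OpenSSH [lower] < upper - description": the lower bound is optional and inclusive,
# the upper bound is exclusive (this is how searchsploit titles express version ranges).
TITLE_RE = re.compile(r"^OpenSSH\s+(?:(\d+(?:\.\d+)*)\s+)?<\s+(\d+(?:\.\d+)*)\s+-\s+(.*)$")

def parse_version(text):
    """'7.4' -> (7, 4): tuples compare numerically, so 7.10 sorts after 7.4."""
    return tuple(int(part) for part in text.split("."))

def parse_title(title):
    """Return (lower_inclusive or None, upper_exclusive, description) for one title."""
    m = TITLE_RE.match(title)
    if m is None:
        raise ValueError("unrecognised searchsploit title: " + title)
    lower, upper, desc = m.groups()
    return (parse_version(lower) if lower else None, parse_version(upper), desc)

def applicable_entries(detected, results=SEARCHSPLOIT_RESULTS):
    """Exploit-DB paths whose version range contains the detected version."""
    target = parse_version(detected)
    hits = []
    for title, path in results:
        lower, upper, _ = parse_title(title)
        if (lower is None or lower <= target) and target < upper:
            hits.append(path)
    return hits

if __name__ == "__main__":
    # For the 7.4 found in the report, the "< 7.4" entries drop out and the "< 7.7" ones remain.
    for path in applicable_entries("7.4"):
        print("in scope for OpenSSH 7.4:", path)
```

For 7.4 only the three username-enumeration entries remain in scope; the two "< 7.4" entries are ruled out by the version alone.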

Result (Something interesting found while Reconnaissance):
Username: Teacher
Username: teacher
NTLM Hash:
$6$X0kVPz3OC6U3TBwV$GexH00TNpTuG1b.zKFgEwcBGYmdEowXVHu3U6my/2xqIXbag9GclXjreEKikM8gARvkJo9g3VhHDOBahfFV6P.:18687:0:99999:7:::
Username: dang
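The value recorded above has the layout of a crypt(3) password field followed by the /etc/shadow password-aging columns (the `$6$` id is SHA-512 crypt). This added example (not part of the original report) splits it into its parts and flags the aging settings a reviewer would note; the parser, its field names and the `aging_findings` checks are this example's own.

```python
"""Constructed example: decode the shadow-style credential entry from the Result section."""
from datetime import date, timedelta

# The entry as recorded in the report; the username column is absent, so it starts at the password field.
REPORT_ENTRY = (
    "$6$X0kVPz3OC6U3TBwV$GexH00TNpTuG1b.zKFgEwcBGYmdEowXVHu3U6my/2xqIXbag9GclXj"
    "reEKikM8gARvkJo9g3VhHDOBahfFV6P.:18687:0:99999:7:::"
)

# crypt(3) hash identifiers used in the '$id$salt$digest' password field.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def parse_shadow_entry(entry):
    """Split a shadow line (minus username) into hash parts and password-aging columns."""
    cols = entry.split(":")
    if len(cols) != 8:
        raise ValueError("expected 8 colon-separated columns, got %d" % len(cols))
    pw = cols[0]
    if not pw.startswith("$") or pw.count("$") < 3:
        raise ValueError("password field is not in $id$salt$digest form")
    _, hash_id, salt, digest = pw.split("$", 3)
    return {
        "algorithm": CRYPT_IDS.get(hash_id, "unknown id " + hash_id),
        "salt": salt,
        "digest": digest,
        # Days since 1970-01-01 on which the password was last changed.
        "last_change": date(1970, 1, 1) + timedelta(days=int(cols[1])),
        "min_days": int(cols[2]),
        "max_days": int(cols[3]),
        "warn_days": int(cols[4]),
        "inactive_days": cols[5],   # empty means not set
        "expire_date": cols[6],     # empty means the account never expires
    }

def aging_findings(info):
    """Policy observations a reviewer would flag for this entry."""
    findings = []
    if info["max_days"] >= 99999:
        findings.append("password never expires (max_days=%d)" % info["max_days"])
    if info["expire_date"] == "":
        findings.append("no account expiry date set")
    if info["algorithm"] == "md5crypt":
        findings.append("md5crypt is obsolete")
    return findings

if __name__ == "__main__":
    parsed = parse_shadow_entry(REPORT_ENTRY)
    print(parsed["algorithm"], parsed["last_change"].isoformat(), aging_findings(parsed))
```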
Summary:
I did a complete reconnaissance and then launched an attack using some popular tools like
Hydra, Legion, etc. But in the end, the password was not found. I even tried brute force with some
popular wordlists, but the password was not found. A complete overview video is attached to this
report via the Google Drive link.
All the exploits used are in the RAR file attached with this report.
Thank you.
