Mass SSH Scanners used for Massive Bruteforce Attacks

Mass SSH Scanners used for Massive Bruteforce Attacks Linux

Brute force attacks, one of the most common attacks initiated by script kiddies or crackers. Successful logins for various boxes includes good compensation especially if you get a Linux box and not just some Busybox routers, Linux embedded boxes or MikroTik RouterOS.

Today a lot of programmers and coders released a lof of network logon crackers just like THC-HYDRA and SSHtrix. But there are actually mass SSH scanners that are used for massive brute force attacks for a certain IP range. These include Unixcod, Piata, GSM Scanner, etc. In fact the ‘Silly Routers Release’ of Lulzsec included simple logins which is just the same to the dictionary list of the said mass SSH scanners. And if you think that the fake AnonPH got some skills because of releasing their own Silly Routers Release and SSH Logins in a DNN Vulnerable Website, then think again.. coz they are just using a mass SSH scanner. Now I’m not sure if they are using Piata or Unixcod but it’s probably Piata because of the familiar usernames and passwords. :p

Piata is usually archived and compressed in a tar file and it’s filename is ab.tar.gz. It has the same features of a Unixcod SSH Scanner and the GSM Scanner, the only difference is its bash filenames and wordlists.  And so in this article, let’s try to take a look on how to use a Piata SSH Scanner which is the most common massive SSH scanner since it’s release(it’s quiet old already).

So what the attacker needs to do first is to set the IP range he wants to attack. So if the attacker uses the command ./a 124.107, the scanner will scan the IP Ranges 124.107.0.0 – 124.107.240.255.255 using the dictionary wordlist named as pass_file. The attacker could also execute the command ./mass 124 which attacks the IP Ranges 124.0.0.0 – 124.255.255.255. Successful attacks will be shown in the terminal and logged to the file named as vuln.txt.

 These are some of the USER:PASS wordlists in Piata SSH Scanner:
root root
admin admin
test test
root matrix
ghost ghost
root sleeper
root slider
guest guest
ghost 123456
magnos magnos
root 333333
root 444444
aaron aaron
jun jun
rebecca rebecca
einstein einstein
anna anna
sara sara
root einstein
root singnin
amy amy
amy 123456
root !@#$%^
root 555555
tracy tracy
root happy
controller controller
root 666666
emily emily
root god
backuppc backuppc
backuppc 123456
avahi avahi
root solomon
root a
root controller
root 666
amavisd amavisd
mysql mysql

I also observe today that most free SSH shell accounts are used by malicious attackers for scanning SSH Logins. I was able to discover  this by using the command lines locate vuln.txt, locate mfu.txt, and locate pass_file and by grepping some commands found in the script in some Shell accounts I have.

And so the lesson here is not to use simple passwords and usernames like iloveu, sex, god, rock, 123456, love, 666, etc. Use alphanumeric keys but a complicated one and include characters like *, >, +, ~, =, )(, &, etc.

Be safe from simple attacks like brute force attacks.