# SSH

> *Sources: CTF and HTB Academy*

* Usually TCP port 22

Secure Shell (SSH) is a network protocol that runs on port 22 by default and gives users such as system administrators a secure way to access a computer remotely. SSH can be configured for password authentication or for passwordless login with public-key authentication, where the client proves possession of the private half of an SSH key pair. SSH can be used to remotely access systems on the same network or over the internet, to reach resources in other networks through port forwarding/proxying, and to upload/download files to and from remote systems (scp, sftp).

SSH uses a client-server model, connecting a user running an SSH client application such as OpenSSH to an SSH server. While attacking a box or during a real-world assessment, we often obtain cleartext credentials or an SSH private key that can be leveraged to connect directly to a system via SSH. An SSH connection is typically much more stable than a reverse shell and can often be used as a "jump host" to enumerate and attack other hosts in the network, transfer tools, set up persistence, etc. If we obtain a set of credentials, we can log in remotely by giving the username and the remote server IP as `user@host`, for example: `ssh user@10.10.10.10`

* [Openssh](https://www.openssh.com/)

## Authentication methods

* Password authentication
* Public-key authentication
* Host-based authentication
* Keyboard-interactive authentication
* Challenge-response authentication
* GSSAPI authentication (Kerberos)
* [6 SSH authentication methods to secure connection on GoLinuxCloud](https://www.golinuxcloud.com/openssh-authentication-methods-sshd-config/)

## Default config

* `cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'`
* [sshd\_config on ssh.com](https://www.ssh.com/academy/ssh/sshd_config)

## Dangerous Settings

| Setting                    | Description                                                                                  |
| -------------------------- | -------------------------------------------------------------------------------------------- |
| PasswordAuthentication yes | Allows password-based authentication, which makes spraying and brute force possible.         |
| PermitEmptyPasswords yes   | Allows login to accounts whose password is empty.                                            |
| PermitRootLogin yes        | Allows logging in directly as root (safer values are `no` or `prohibit-password`).           |
| Protocol 1                 | Enables the obsolete, insecure SSH-1 protocol (removed from OpenSSH in 7.6).                 |
| X11Forwarding yes          | Allows X11 forwarding for GUI applications; the server can then interact with client displays. |
| AllowTcpForwarding yes     | Allows forwarding of TCP ports through the server (useful for pivoting once we have a login). |
| PermitTunnel yes           | Allows tun(4) device forwarding, i.e. a layer-3 VPN over SSH.                                |
| DebianBanner yes           | Appends the Debian package version to the SSH banner, disclosing the exact patch level.      |
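As an added example (not from HTB Academy or this page), the following shell script flags the settings from the table above in an `sshd_config` file. It mirrors how `sshd` reads the file: keywords are case-insensitive, the first occurrence of a keyword wins, and only the global section before the first `Match` block is inspected. The function names and the two sample configs written to temp files are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: audit a sshd_config for the dangerous settings listed above.
# Limits: Match blocks are ignored and defaults are not applied, so compare
# against `sudo sshd -T` on the target for the effective configuration.

# Print the effective global value of KEY (first occurrence, case-insensitive,
# "Key value" or "Key=value" form); prints nothing if the keyword is absent.
sshd_global_value() {
    local file="$1" key
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v key="$key" '
        { sub(/^[[:space:]]+/, "") }                 # drop indentation
        /^(#|$)/ { next }                             # skip comments and blanks
        { split($0, f, /[[:space:]=]+/) }             # f[1]=keyword f[2]=value
        tolower(f[1]) == "match" { exit }             # Match blocks are conditional
        tolower(f[1]) == key { print f[2]; exit }     # first occurrence wins
    ' "$file"
}

# Print "Keyword value" for each dangerous setting present; always returns 0.
check_sshd_config() {
    local file="$1" pair key want got
    # keyword followed by the value pattern (ERE) that is considered dangerous
    for pair in "PasswordAuthentication yes" "PermitEmptyPasswords yes" \
                "PermitRootLogin yes" "Protocol (1|1,2|2,1)" "X11Forwarding yes" \
                "AllowTcpForwarding yes" "PermitTunnel (yes|point-to-point|ethernet)" \
                "DebianBanner yes"; do
        key="${pair% *}"; want="${pair#* }"
        got="$(sshd_global_value "$file" "$key")"
        if printf '%s' "$got" | grep -Eiqx "$want"; then
            printf '%s %s\n' "$key" "$got"
        fi
    done
}

count_findings() { check_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample: a weak configuration (not taken from any real host).
weak_sshd_config() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed example of a weak sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
  PasswordAuthentication yes
PermitEmptyPasswords=yes
X11Forwarding yes
AllowTcpForwarding yes
PermitTunnel yes
DebianBanner yes
Match User backup
    PermitRootLogin no
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the same settings with their hardened values.
hardened_sshd_config() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
DebianBanner no
EOF
    printf '%s\n' "$f"
}

# Usage: ./sshd_audit.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then check_sshd_config "$1"; fi
```

Run it against the config pulled from a compromised host, or against a local `sshd -T` dump, to get the list of settings worth reporting.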

## Enumeration

* We need to record the SSH version from the server banner (for example with `nc -nv TARGET-IP 22` or `nmap -sV -p22 TARGET-IP`): it tells us which known vulnerabilities to look up and which legacy algorithms to expect
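As an added example (not from this page), the script below grabs and parses the server's identification string. Per RFC 4253 it has the form `SSH-protoversion-softwareversion SP comments`, so the version to note is the software field, and the comments field is where a Debian build (`DebianBanner yes`) leaks its package version; a `SSH-1.99-` prefix means the server also speaks SSH-1. The function names and the sample banners are constructed for the example; `ssh_banner` needs `nc` and a reachable host.

```bash
#!/usr/bin/env bash
# Added example: grab the SSH banner and extract the version fields.

# Read the first line the server sends. The server speaks first, so no data
# is sent; -w 3 gives up after 3 s. Example: ssh_banner 10.10.10.10 22
ssh_banner() {
    nc -w 3 "$1" "${2:-22}" </dev/null | head -n 1 | tr -d '\r'
}

# Split "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7" into proto/software/comments.
parse_ssh_banner() {
    local banner="$1" rest proto software comments
    case "$banner" in
        SSH-*) ;;
        *) printf 'not an SSH identification string: %s\n' "$banner" >&2; return 1 ;;
    esac
    rest="${banner#SSH-}"            # 2.0-OpenSSH_7.4p1 Debian-10+deb9u7
    proto="${rest%%-*}"              # 2.0
    rest="${rest#*-}"                # OpenSSH_7.4p1 Debian-10+deb9u7
    software="${rest%% *}"           # OpenSSH_7.4p1 (whole string if no comment)
    comments="${rest#"$software"}"   # " Debian-10+deb9u7" or ""
    comments="${comments# }"
    printf 'proto=%s\nsoftware=%s\ncomments=%s\n' "$proto" "$software" "$comments"
}

# Just the version number to put in the notes: OpenSSH_8.9p1 -> 8.9p1
ssh_software_version() {
    local sw
    sw="$(parse_ssh_banner "$1" 2>/dev/null | sed -n 's/^software=//p')"
    [ -n "$sw" ] || return 1
    printf '%s\n' "${sw#*_}"
}

# RFC 4253: "SSH-1.99-" announces SSH-1 compatibility, "SSH-1.x" is SSH-1 only.
supports_ssh1() {
    case "$1" in
        SSH-1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ./ssh_banner.sh HOST [PORT]
if [ "$#" -gt 0 ]; then
    b="$(ssh_banner "$@")" && parse_ssh_banner "$b"
fi
```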

### ssh cmd

* We can try to connect to the target with `ssh IP-ADD`. Against an old server the connection can fail before authentication because a current OpenSSH client disables the legacy algorithms the server offers; the error ends with `Their offer:` followed by what the server supports. In our example we get this\
  ![image](https://user-images.githubusercontent.com/96747355/175833787-a2b8bcbd-05a9-4ecb-ac37-b584c896253c.png)
* This is `no matching key exchange method found`, so we re-enable the offered key exchange: `ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1`\
  ![image](https://user-images.githubusercontent.com/96747355/175834000-bc2e9cbe-5949-4836-88d7-c9d399f95054.png)
* Next comes `no matching host key type found`, so we also accept the legacy host key type: `ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa`\
  ![image](https://user-images.githubusercontent.com/96747355/175834033-1c9a18f8-bb6f-4961-bbc1-3550da4dba45.png)
* Finally `no matching cipher found`: once we select the offered cipher as well the connection goes through: `ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c aes128-cbc` (`-c` restricts the client to that one cipher; `-oCiphers=+aes128-cbc` would append it to the default list instead)
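The three retries above follow one pattern: read which negotiation step failed and which algorithm the server offers first, then add the matching `+` option. As an added example (not from this page), the script below automates that. The error lines in the test are constructed from OpenSSH's message format `Unable to negotiate with HOST port N: no matching <what> found. Their offer: a,b,...`; the function names are mine, and `ssh_legacy_opts` needs a reachable host.

```bash
#!/usr/bin/env bash
# Added example: derive the ssh option that fixes an "Unable to negotiate"
# error, and loop until key exchange succeeds against a legacy server.

# Print the -o option enabling the server's first offered algorithm for the
# negotiation step named in the error line; return 1 for any other line.
ssh_opt_for_error() {
    local line="$1" what offer first
    case "$line" in
        *"Unable to negotiate"*"Their offer: "*) ;;
        *) return 1 ;;
    esac
    what="${line#*no matching }"; what="${what%% found*}"  # e.g. "key exchange method"
    offer="${line##*Their offer: }"                         # e.g. "diffie-hellman-group1-sha1,..."
    first="${offer%%,*}"                                    # first algorithm offered
    case "$what" in
        "key exchange method") printf '%s\n' "-oKexAlgorithms=+$first" ;;
        "host key type")       printf '%s\n' "-oHostKeyAlgorithms=+$first" ;;
        cipher)                printf '%s\n' "-oCiphers=+$first" ;;
        MAC)                   printf '%s\n' "-oMACs=+$first" ;;
        *) printf 'unhandled negotiation failure: %s\n' "$what" >&2; return 1 ;;
    esac
}

# Probe HOST, adding one option per failed negotiation step (at most 4: kex,
# host key, cipher, MAC), and print the option string that gets past key
# exchange. BatchMode makes a successful negotiation stop at "Permission
# denied" instead of a password prompt. Example: ssh_legacy_opts 10.0.2.4
ssh_legacy_opts() {
    local host="$1" opts="" err opt round
    for round in 1 2 3 4; do
        # $opts is intentionally unquoted so each -o option is its own word
        err="$(ssh -o BatchMode=yes -o ConnectTimeout=5 $opts "$host" true 2>&1)" && break
        opt="$(ssh_opt_for_error "$err")" || break   # not a negotiation error: done
        opts="$opts $opt"
    done
    printf '%s\n' "${opts# }"
}

# Usage: ssh $(./ssh_legacy.sh 10.0.2.4) user@10.0.2.4
if [ "$#" -gt 0 ]; then ssh_legacy_opts "$1"; fi
```

Because every option uses the `+` form, the client keeps its modern defaults and only adds what this one server needs; verify the host key fingerprint out of band when you are forced down to `ssh-rsa` or `ssh-dss`.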

## SSH-Audit

* `git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit` (also available as the `ssh-audit` package on PyPI)
* `./ssh-audit.py 10.129.14.132` grades the server's key exchange, host key, cipher and MAC algorithms and reports known CVEs for the detected version

## Nmap

* `nmap -p22 TARGET-IP --script ssh-auth-methods --script-args="ssh.user=username"` shows the authentication methods offered to that user (a username is required). Example output:

```bash
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods: 
|   Supported authentication methods: 
|_    publickey
```

* `nmap -p22 TARGET-IP --script ssh-hostkey --script-args ssh_hostkey=full` prints the full host keys. Example output:

```bash
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMCwfnXf0WI8xwEChpVHr9JZNlgJxXnGbrVM7TkTx2Kh+bnYBwtuZrIBj7zD+LNRqIOHPMmDCZuVHOONRX9qauAq46EtCYBN35NtCtQnBRGPMC8fVxPk6KORkrWJ2J5c/crYnNCbVOt55fad739S1fYs35+X2As5/bR+F6zfnpsTMvNSiXzzJRb4C/W4PcQ9T3Az7knI+8oyP4WsbUN3l2KOq+QsWscv5Ida+ZTR7DJIbfFs/fdsPzJsLJsONsjOwyOmWsge/nik2zMRkuIUgrYco8MtPoKKfXohpFffUm4dx0I54wv9GiIHRjEEx3przciF6XvPq/2uPWhi1wpn9R
|   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJjL31haOqBjuQ4XE/yrVby9ygrWlBMaGhxa2gzUau6Oxqp+Lomi72wf/KQ1/FPwG8qFGM0mJxTFKnwj/Ez5Ok0=
|_  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII61CNVnXxys5WNU/Q2WShh2JKJb3Pd1sPItUTK144ZJ
```

* `nmap -p22 TARGET-IP --script ssh2-enum-algos` lists the key exchange, host key, encryption, MAC and compression algorithms the server offers (handy for spotting the legacy algorithms we may need to enable on the client)

## Change Authentication Method

* `ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password` forces a password attempt even when keys are loaded in the agent; `-v` also prints the methods the server accepts in the `Authentications that can continue:` debug line

## Password spray or bruteforce

* `hydra -L users.txt -P passwords.txt TARGET-IP -t 4 ssh` (`-t 4` keeps the parallel connections low; sshd drops excess connection attempts, which makes results unreliable with more threads)
* `hydra -L user.list -P password.list ssh://10.129.42.197`
* Keep the lists small and spray slowly on a real engagement: account lockout policies and fail2ban-style blocking can lock us out

## Connect to ssh server

* `ssh username@IP-TARGET`

## Resources

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh>" %}
Pentesting SSH - Hacktricks
{% endembed %}
