SSH

Source: CTF and HTB Academy

  • Usually port 22

Secure Shell (SSH) is a network protocol that runs on port 22 by default and gives users such as system administrators a secure way to access a computer remotely. SSH can be configured to authenticate with a password, or passwordless with public-key authentication using an SSH public/private key pair. SSH can be used to access systems remotely on the same network or over the internet, to reach resources in other networks through port forwarding/proxying, and to upload and download files to and from remote systems.

SSH uses a client-server model, connecting a user running an SSH client application such as OpenSSH to an SSH server. While attacking a box or during a real-world assessment, we often obtain cleartext credentials or an SSH private key that can be leveraged to connect directly to a system via SSH. An SSH connection is typically much more stable than a reverse shell connection and can often be used as a "jump host" to enumerate and attack other hosts in the network, transfer tools, set up persistence, etc. If we obtain a set of credentials, we can use SSH to log in remotely to the server by specifying the username @ the remote server IP, for example: ssh user@10.10.10.10

Authentication method

Default config

Dangerous Settings

Setting                      Description
PasswordAuthentication yes   Allows password-based authentication.
PermitEmptyPasswords yes     Allows the use of empty passwords.
PermitRootLogin yes          Allows logging in as the root user.
Protocol 1                   Uses the outdated SSH-1 protocol version.
X11Forwarding yes            Allows X11 forwarding for GUI applications.
AllowTcpForwarding yes       Allows forwarding of TCP ports.
PermitTunnel                 Allows tunneling.
DebianBanner yes             Displays a specific banner when logging in.
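As an added example (not part of the original notes or of OpenSSH), a small Python audit that reads an sshd_config the way sshd does and flags the directives from the table above. The sample config is constructed for the demonstration; the predicates assume, as the sshd_config manual documents, that any AllowTcpForwarding or PermitTunnel value other than "no" enables the feature and that "Protocol 2,1" still offers SSH-1.

```python
"""Audit an sshd_config for the risky directives listed in the table above."""
import re

# Constructed sample sshd_config for demonstration; not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
Protocol 2,1
permitrootlogin yes
PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowTcpForwarding no
PermitTunnel point-to-point
DebianBanner yes
Match User backup
    PasswordAuthentication yes
"""

# lowercased keyword -> predicate over the lowercased value; True means "flag it"
RISKY = {
    "passwordauthentication": lambda v: v == "yes",
    "permitemptypasswords":   lambda v: v == "yes",
    "permitrootlogin":        lambda v: v == "yes",
    "protocol":               lambda v: "1" in v.split(","),  # SSH-1 offered
    "x11forwarding":          lambda v: v == "yes",
    "allowtcpforwarding":     lambda v: v != "no",  # yes / local / remote / all
    "permittunnel":           lambda v: v != "no",  # yes / point-to-point / ethernet
    "debianbanner":           lambda v: v == "yes",
}

def parse_sshd_config(text):
    """Return {scope: {keyword: value}}, scope being 'global' or a Match line.
    Like sshd: keywords are case-insensitive, 'Key=value' also parses, '#' lines
    are skipped, and the FIRST occurrence of a keyword in a scope wins."""
    scopes, scope = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line.lower(), maxsplit=1) + [""])[:2]
        if key == "match":      # directives below apply only inside this block
            scope = line
        else:
            scopes.setdefault(scope, {}).setdefault(key, value)
    return scopes

def audit(text):
    """Return [(scope, keyword, value)] for each directive matching RISKY."""
    return [(scope, key, value) for scope, kv in parse_sshd_config(text).items()
            for key, value in kv.items() if key in RISKY and RISKY[key](value)]
```

Note that the duplicated PasswordAuthentication line is not reported in the global scope because sshd keeps the first value ("no"), while the same directive inside the Match block is reported with its scope.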

Enumeration

  • We need to take note of the SSH version (shown in the server banner)

ssh cmd

  • If the client refuses to connect because the server only offers legacy algorithms (the error names the unsupported key exchange, host key or cipher), we can enable them explicitly and retry: ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c aes128-cbc

SSH-Audit

  • git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit

  • ./ssh-audit.py 10.129.14.132

Nmap

  • nmap -p22 TARGET-IP --script ssh-auth-methods --script-args="ssh.user=username" shows the supported authentication methods (a username is required). Example output:

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-auth-methods: 
|   Supported authentication methods: 
|_    publickey

  • nmap -p22 TARGET-IP --script ssh-hostkey --script-args ssh_hostkey=full shows the server's host keys. Example output:

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMCwfnXf0WI8xwEChpVHr9JZNlgJxXnGbrVM7TkTx2Kh+bnYBwtuZrIBj7zD+LNRqIOHPMmDCZuVHOONRX9qauAq46EtCYBN35NtCtQnBRGPMC8fVxPk6KORkrWJ2J5c/crYnNCbVOt55fad739S1fYs35+X2As5/bR+F6zfnpsTMvNSiXzzJRb4C/W4PcQ9T3Az7knI+8oyP4WsbUN3l2KOq+QsWscv5Ida+ZTR7DJIbfFs/fdsPzJsLJsONsjOwyOmWsge/nik2zMRkuIUgrYco8MtPoKKfXohpFffUm4dx0I54wv9GiIHRjEEx3przciF6XvPq/2uPWhi1wpn9R
|   ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJjL31haOqBjuQ4XE/yrVby9ygrWlBMaGhxa2gzUau6Oxqp+Lomi72wf/KQ1/FPwG8qFGM0mJxTFKnwj/Ez5Ok0=
|_  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII61CNVnXxys5WNU/Q2WShh2JKJb3Pd1sPItUTK144ZJ

  • nmap -p22 TARGET-IP --script ssh2-enum-algos lists the key exchange, host key, encryption and MAC algorithms the server supports

Change Authentication Method

  • ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password

Password spray or brute force

  • hydra -L users.txt -P passwords.txt TARGET-IP -t 4 ssh

  • hydra -L user.list -P password.list ssh://10.129.42.197

Connect to ssh server

  • ssh username@IP-TARGET

Resources
