SSH (22)

SSH

Generate key

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/parrot/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your identification has been saved in /home/parrot/.ssh/id_rsa
Our public key has been saved in /home/parrot/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...SNIP... parrot@parrot
The key's randomart image is:
+---[RSA 3072]----+
|            o..  |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|       + +oo+o   |
+----[SHA256]-----+

SSH with a key id_rsa

[Apr 06, 2024 - 07:50:27 (EDT)] exegol-CPTS /workspace # chmod 600 id_rsa              
[Apr 06, 2024 - 07:52:03 (EDT)] exegol-CPTS /workspace # ssh -i id_rsa ceil@10.129.42.195

Metasploit

LogoSSHMetasploit Documentation Penetration Testing Software, Pen Testing Security

Dangerous settings

Setting

Description

PasswordAuthentication yes

Allows password-based authentication.

PermitEmptyPasswords yes

Allows the use of empty passwords.

PermitRootLogin yes

Allows to log in as the root user.

Protocol 1

Uses an outdated version of encryption.

X11Forwarding yes

Allows X11 forwarding for GUI applications.

AllowTcpForwarding yes

Allows forwarding of TCP ports.

PermitTunnel

Allows tunneling.

DebianBanner yes

Displays a specific banner when logging in.

## SSH-Audit

SSH Audit

$ git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
$ ./ssh-audit.py 10.129.14.132

Change Authentication Method

$ ssh -v cry0l1t3@10.129.14.132

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config 
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

For potential brute-force attacks, we can specify the authentication method with the SSH client option PreferredAuthentications.

$ ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

cry0l1t3@10.129.14.132's password:

Bruteforce

SSH Bruteforce

Nmap

[Apr 06, 2024 - 10:09:33 (EDT)] exegol-CPTS /workspace # nmap 10.129.202.20 -sV -p22 --script ssh-brute
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 10:09 EDT
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:

Hydra - See Brute force - SSH

$ hydra -L user.list -P password.list ssh://10.129.42.197

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://10.129.42.197:22/
[22][ssh] host: 10.129.42.197   login: user   password: password
1 of 1 target successfully completed, 1 valid password found

SSH on Windows

Binaries:

LogoGitHub - PowerShell/Win32-OpenSSH: Win32 port of OpenSSHGitHub

Install SSH on Windows:

LogoInstalling SFTP/SSH Server on Windows using OpenSSH :: WinSCP

Execute command - Windows

PreviousSNMP (10161, UDP 161)NextWinRM (5985, 5986)

Last updated