search
Infiltr8ForumGitHub
githubEdit

SSH

Pentesting SSH - TCP Port 22

hashtag
Theory

SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.

SHH protocol operate by default on TCP port 22

hashtag
Practice

hashtag
Enumerate SSH server

We can use nmap to enumerate informations about the running SSH server

# Send default nmap scripts for SSH and retreive version
nmap -p22 <ip> -sC -sV

# Send all nmap ssh related scripts
nmap -p22 <ip> --script ssh-*

# Retrieve supported algorythms 
nmap -p22 <ip> --script ssh2-enum-algos

# Retrieve weak keys
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full

# Check authentication methods for an user
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"

hashtag
Enumerate Users

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

hashtag
Brute-Force Credentials

circle-info

If the target host opens port 80 or 443, you can generate wordlist from the contents of the website then use it with your tool.

When bruteforcing accounts, you may lock accounts

hashtag
Crack SSH Private Key

Some private keys require a password or passphrase for operation, so we may attempt to Brute Forcearrow-up-right the passphrase off-line.

SSH Private Keyschevron-right

hashtag
Persistence

It's possible to backdoor an SSH public key using the command= argument. The backdoor will execute whenever the user logs in using this key.

SSH for Persistencechevron-right

hashtag
Resources

Logo22 - Pentesting SSH/SFTP - HackTricksbook.hacktricks.xyzchevron-right
https://exploit-notes.hdks.org/exploit/network/protocol/ssh-pentestingexploit-notes.hdks.orgchevron-right

Last updated