The Hacker Recipes
GitHubTwitterExegolTools
Searchโ€ฆ
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
๐Ÿ› ๏ธ FTP
๐Ÿ› ๏ธ SSH
๐Ÿ› ๏ธ Telnet
๐Ÿ› ๏ธ DNS
๐Ÿ› ๏ธ HTTP
๐Ÿ› ๏ธ Kerberos
๐Ÿ› ๏ธ LDAP
๐Ÿ› ๏ธ SMB
๐Ÿ› ๏ธ RTSP
๐Ÿ› ๏ธ MSSQL
๐Ÿ› ๏ธ NFS
๐Ÿ› ๏ธ MySQL
๐Ÿ› ๏ธ RDP
๐Ÿ› ๏ธ WinRM
Privilege escalation
Pivoting
๐Ÿ› ๏ธ Physical
Locks
Networking
Machines
Super secret zones
๐Ÿ› ๏ธ Intelligence gathering
CYBINT
OSINT
GEOINT
๐Ÿ› ๏ธ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
๐Ÿ› ๏ธ mobile apps
Android
iOS
Powered By GitBook
๐Ÿ› ๏ธ SSH

Theory

The SSH protocol (Secure Shell) is used to login from one machine to another securely. It offers several options for strong authentication, as it protects the connections and communications security and integrity with strong encryption. This connection can be used for terminal access, file transfers, and for tunneling other applications.

Enumeration

Authentication type

It is possible to enumerate the allowed authentication types with the following command:
1
ssh -v <IP>
2
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
3
...
4
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Copied!
Useful to get basic information about the SSH server such as its type and version.
1
nc -vn <IP> 22
2
...
3
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
Copied!

Server's public SSH key

1
ssh-keyscan -t rsa <IP> -p <PORT>
Copied!

Weak Cipher Algorithms

Some auditing tools can help to quikly find the target version and which algorithms are available on the server in order to give recommendations to the customer.
sslscan
nmap
ssh-audit
1
sslscan <IP>:22
Copied!
1
nmap -p22 -n -sV --script ssh2-enum-algos <IP>
Copied!
1
ssh-audit -p 22 -4 <IP>
Copied!

SSH fuzzing

Fuzzing the SSH service could help to find vulnerabilities. The automated fuzzing is simple but not very targeted so it usually takes a lot of time and could miss some results. The custom and the manual approach is more effective but it takes time to familiarize yourself with the target. Here is an example of a custom fuzzing : Fuzzing the OpenSSH daemon using AFL.
Automated fuzzing
1
msfconsole
2
use auxiliary/fuzzers/ssh/ssh_version_2
3
set RHOSTS <IP>
4
run
Copied!

Attacks

Weak cryptographic keys

Authentication bruteforcing

User enumeration

1
msfconsole
2
use scanner/ssh/ssh_enumusers
3
set RHOSTS <IP>
4
set USER_FILE <user_file_path>
Copied!

Password Bruteforcing

Hydra
Metasploit
1
hydra -l <user> -s 22 -P <path_pass_list> <IP> -t 4 ssh
Copied!
1
msfconsole
2
use auxiliary/scanner/ssh/ssh_login
3
set PASS_FILE /usr/share/wordlists/password/rockyou.txt
4
set RHOSTS <IP>
5
set STOP_ON_SUCCESS true
6
set username <USER>
7
run
Copied!
Some common ssh credentials here and here.

Private key Bruteforcing

References

22 - Pentesting SSH/SFTP
HackTricks
SSH Pentesting Guide
TurgenSec Community
Previous
๐Ÿ› ๏ธ FTP
Next
๐Ÿ› ๏ธ Telnet
Last modified 5mo ago
Copy link
Contents
Theory
Enumeration
Authentication type
Banner Grabbing
Server's public SSH key
Weak Cipher Algorithms
SSH fuzzing
Attacks
Weak cryptographic keys
Authentication bruteforcing
References