SSH- Port 22
Last updated
Was this helpful?
Last updated
Was this helpful?
Become VeryLazyTech ! ๐
Follow us on:
โ Twitter .
๐พ Github .
๐ Medium .
Visit our for e-books and courses. ๐
Support us and . โ
SSH (Secure Shell or Secure Socket Shell) is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.
Default port: 22
Use Nmap to scan for open SSH ports. Port Scanning
Identify the SSH version using nmap -sV. Service Enumeration
Attempt to grab the SSH banner for more info (nc or telnet). Banner Grabbing
Use ssh-audit to find weak configurations. Public Key Authentication Weaknesses
Search for CVEs related to the detected SSH version. Check for Known Vulnerabilities
If password authentication is used, attempt brute-forcing with Hydra or Medusa. Brute force
If SSH keys are exposed, use the key to authenticate directly. Using Exposed SSH Keys to Authenticate Directly
Set up SSH tunnels for lateral movement. Setting Up SSH Tunnels for Lateral Movement
Hijack existing SSH sessions if possible. Hijacking Existing SSH Sessions
Use Nmap to identify SSH ports (default is 22).
Check the SSH service version to identify potential vulnerabilities.
Extract the SSH banner to see the service version and OS information.
Once you have the SSH version from the previous steps, you can search for known vulnerabilities (CVEs) in public databases like CVE Details, or automate the process using Nmap NSE scripts.
Use Hydra, Medusa to attempt brute force attacks.
In more advanced penetration testing scenarios, attackers may leverage captured password hashes instead of brute-forcing plaintext passwords. This technique is known as Pass the Hash (PTH), and it allows attackers to authenticate using password hashes directly, bypassing traditional brute force limitations. Two common tools used for this purpose in the SSH context are CrackMapExec and pth-ssh.
CrackMapExec (CME) is a post-exploitation tool that can automate tasks across an entire network, including parallel brute-forcing of SSH login credentials. CME allows for simultaneous brute force attacks on multiple targets while leveraging password hashes in addition to plaintext passwords.
<target-ip>: The IP address of the target machine.
-u <username>: The username to attempt authentication with.
-p <password>: The password or password list to use in the brute force attempt.
Pass the Hash (PTH) attacks leverage stolen password hashes instead of trying to guess or brute-force plaintext passwords. pth-ssh is a tool specifically designed for SSH-based PTH attacks. It allows you to authenticate to an SSH service using a captured password hash, effectively bypassing password brute-force rate limiting or lockout mechanisms.
<username>: The username to attempt authentication with.
<target-ip>: The IP address of the target machine.
<password-hash>: The hash of the password that will be used to authenticate (instead of the plaintext password).
Stealthier than Brute-Force Attacks: Brute force attempts can be noisy and trigger security alarms, whereas PTH attacks are often less detectable, as you're directly using a valid authentication hash.
Bypass Rate Limits: Many SSH servers enforce rate limits or lockout periods after failed login attempts. Using PTH avoids these protections since the correct hash bypasses the normal authentication process.
Post-Exploitation: In scenarios where you've already compromised a machine and retrieved password hashes (e.g., /etc/shadow file on Linux), PTH allows you to pivot across the network more quickly.
Post-Exploitation Tools: After initial access to a system, tools like Mimikatz, John the Ripper, or Hashcat can extract password hashes from memory, disk, or network traffic.
Linux Systems: On Linux, password hashes are often stored in /etc/shadow (although the file is root-only).
Windows Systems: Password hashes are stored in the SAM (Security Account Manager) database, and tools like Mimikatz can extract these for later use in PTH attacks.
If SSH key-based authentication is used, weak keys or poorly secured key files can be an entry point. Tools like ssh-audit can help find weaknesses in SSH configurations and exposed keys.
Exploiting Vulnerabilities (e.g., CVE-2018-15473)
Certain vulnerabilities like CVE-2018-15473 (username enumeration) allow attackers to discover valid usernames by analyzing SSH responses. Exploiting outdated ciphers or protocol flaws can also lead to successful attacks.
use auxiliary/scanner/ssh/ssh_login: This module attempts to brute-force SSH credentials.
RHOSTS <target-ip>: The target's IP address.
USERNAME <username>: Username to brute-force.
PASS_FILE <path-to-password-list>: File containing passwords.
use auxiliary/scanner/ssh/ssh_version: This module scans and detects the SSH version running on the target.
RHOSTS <target-ip>: The IP address of the target system.
This Python script attempts to enumerate valid usernames by analyzing SSH responses during login attempts.
This is an older but critical vulnerability that affected Debian-based systems using OpenSSL, allowing attackers to guess private keys.
If the system is vulnerable to this, SSH keys can be recreated based on weak random numbers.
Download the key list for vulnerable Debian OpenSSL versions.
Search for the corresponding weak key.
APC
apc, device
apc
Brocade
admin
admin123, password, brocade, fibranne
Cisco
admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin
admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme
Citrix
root, nsroot, nsmaint, vdiadmin, kvm, cli, admin
C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler
D-Link
admin, user
private, admin, user
Dell
root, user1, admin, vkernel, cli
calvin, 123456, password, vkernel, Stor@ge!, admin
EMC
admin, root, sysadmin
EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc
HP/3Com
admin, root, vcx, app, spvar, manage, hpsupport, opc_op
admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin
Huawei
admin, root
123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123
IBM
USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer
PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer
Juniper
netscreen
netscreen
NetApp
admin
netapp123
Oracle
root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user
changeme, ilom-admin, ilom-operator, welcome1, oracle
VMware
vi-admin, root, hqadmin, vmware, admin
vmware, vmw@re, hqadmin, default
If you have access to an exposed or stolen SSH private key (id_rsa), you can use it to authenticate directly to the SSH service of a target system.
Step-by-Step Instructions:
Obtain the SSH Private Key: The private key typically has the filename id_rsa. Ensure it has the correct permissions (600) before attempting to use it.
Check and Set Permissions: The SSH client requires that the private key file has restricted permissions (only the owner can read it). Set the correct permissions:
SSH Into the Target Using the Exposed Key: Use the following command to SSH into the target using the private key.
id_rsa: The private key file you obtained.
<username>: The username for the SSH login.
<target-ip>: The IP address or hostname of the target system.
Example:
Verify Access: If the key is valid and properly configured on the target, you should now have SSH access to the target system without needing to brute force credentials.
SSH tunneling allows you to create an encrypted tunnel through the compromised machine to reach other machines on an internal network. This is useful for pivoting in post-exploitation scenarios.
Step-by-Step Instructions:
SSH Local Port Forwarding: This allows you to forward a local port on your machine to a port on another machine via the SSH server. Itโs useful when you want to access an internal service.
Command:
<local-port>: The port on your local machine that you want to use.
<internal-ip>: The internal IP address of the machine behind the SSH server you want to reach.
<internal-port>: The port on the internal machine that you want to access.
<username>@<target-ip>: Credentials and IP address of the compromised SSH server.
Example:
This command forwards your local port 8080 to port 80 on the internal machine with IP 10.10.10.5. After this, you can access the internal server by going to http://localhost:8080 in your browser.
SSH Remote Port Forwarding: This method allows you to expose a port from your local machine to the target network. Itโs useful for reverse shell setups.
Command:
Example:
This will allow you to connect to your local SSH service (port 22) from the target machine via port 9000.
Dynamic SSH Tunneling with SOCKS Proxy: You can create a dynamic SSH tunnel using a SOCKS proxy, which allows you to route traffic through the SSH server to any machine inside the network.
Command:
Example:
This creates a SOCKS proxy on localhost:8080. You can configure your browser or proxy-aware tool (like Burp Suite) to route traffic through this proxy.
In certain post-exploitation scenarios, it may be possible to hijack existing SSH sessions. This typically involves identifying and using SSH agent forwarding or hijacking a socket used by the active SSH session.
Step-by-Step Instructions:
Check for Active SSH Sessions: After gaining access to a system, you can check for active SSH sessions by looking for SSH processes.
Command:
This will show the active SSH connections and the processes tied to them. You can also check the /proc directory for further details.
Check for SSH Agent Forwarding: If SSH agent forwarding is enabled, you may be able to impersonate the user and reuse their SSH session. Check for SSH agent sockets in the /tmp/ directory.
Command:
If you find an SSH_AUTH_SOCK, it indicates the presence of an SSH agent. The agent stores private keys in memory, and you can use these keys to authenticate to other systems.
Hijacking the SSH Agent: If you find the SSH agent socket, you can use it to impersonate the user.
Command:
This will list the keys that are currently available in the agent. If keys are listed, you can use them to access other systems.
Using Hijacked SSH Agent for Pivoting: With the SSH agent hijacked, you can SSH to other systems without needing the actual private key, as long as the agent is authorized on those systems.
Command:
Example:
This forwards your hijacked SSH agent to the new target system, allowing you to use the stored keys for authentication.