# 22 - SSH

SSH itself is rarely vulnerable, but it is often a candidate for password reuse attacks. When enumerating, check for:

* Version info (banner grab)

```
ssh 10.10.10.5
```

### NSE scripts

```
ssh2-enum-algos.nse -- reports algorithms supported
ssh-auth-methods.nse -- provides methods available for authentication
sshv1.nse -- checks for ssh v1 support
```

### Username enumeration (CVE-2018-15473)

OpenSSH versions up to and including 7.7 are vulnerable to username enumeration because the server does not delay its response for invalid users. This makes it possible to conduct a timing attack to identify valid users.

```
To conduct this attack load Metasploit module scanner/ssh/ssh_enumusers
Set the RHOSTS, RPORT, and USERNAME OR USER_FILE options
If using a USER_FILE, any from /usr/share/seclists/Usernames will do
```
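The banner grab and the version check above can be done in one pass. As an added example (not part of the original notes), this parses the SSH identification string (RFC 4253 `SSH-protoversion-softwareversion SP comments`) and flags the two things these notes say to look for: protocol 1 offered and an OpenSSH version in the CVE-2018-15473 range. The sample banners are constructed; only the `grab_banner` helper (a name chosen here) needs a live host.

```python
import re
import socket

# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "SSH-2.0-OpenSSH_7.7\r\n",
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "SSH-1.99-OpenSSH_4.3\r\n",
    "SSH-2.0-dropbear_2019.78\r\n",
]

# "SSH-" protoversion "-" softwareversion [SP comments], CR LF already stripped.
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


def parse_banner(line):
    """Split an identification string into proto/software/comments, or None if it is not one."""
    m = _BANNER_RE.match(line.strip())
    return m.groupdict() if m else None


def openssh_version(software):
    """Return (major, minor) for an OpenSSH software string such as OpenSSH_7.4p1, else None."""
    m = _OPENSSH_RE.match(software)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(banner):
    """Summarise what the banner alone tells you; None if the line is not an SSH banner.
    Distros backport fixes without changing the version, so treat hits as a triage signal."""
    fields = parse_banner(banner)
    if fields is None:
        return None
    ver = openssh_version(fields["software"])
    return {
        "software": fields["software"],
        "sshv1": fields["proto"].startswith("1."),          # 1.x or 1.99 means protocol 1 is offered
        "cve_2018_15473": ver is not None and ver <= (7, 7),  # the range named in these notes
    }


def grab_banner(host, port=22, timeout=5.0):
    """Read the server's first line from a live host (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("utf-8", "replace")


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.strip(), "->", triage(b))
```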

### SSH keys

When enumerating other services/shares, you should also look for SSH keys. Public keys are commonly stored as "authorized_keys", and private keys are commonly stored as "id_rsa". If you locate a private key you may be able to connect to the remote system via SSH.

```
chmod 600 id_rsa
ssh -i id_rsa user@10.10.10.5
```

### Credential reuse

You should also attempt to connect to SSH with any credentials that you discover.

```
ssh user@10.10.10.5
```

### Creating keys (post exploitation)

```
ssh-keygen
```

### scp (file transfers over ssh)

```
scp -r username@target-ip:/path/to/foo /home/username/desktop/
```

### Specifying key exchange algorithms

Occasionally on older systems you'll receive an error indicating that no compatible key exchange method was found. Use the following command(s) to force the use of a specific algorithm.

```
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@$TargetIP
ssh -o HostKeyAlgorithms=+ssh-rsa root@$TargetIP
```
