22 - SSH
SSH is not typically vulnerable but it often a candidate for password reuse attacks. When enumerating you should check for:
Version info (banner grab)
ssh 10.10.10.5
NSE scripts
ssh2-enum-algos.nse -- reports algorithms supported
ssh-auth-methods.nse -- provides methods available for authentication
sshv1.nse -- checks for ssh v1 support
Username enumeration (CVE2018-15473)
OpenSSH versions prior to and including version 7.7 are vulnerable to username enumeration because there is no delay for invalid users. This makes is possible to conduct a timing attack to identify valid users.
To conduct this attack load Metasploit module scanner/ssh/ssh_enumusers
Set the RHOSTS, RPORT, and USERNAME OR USER_FILE options
If using a USER_FILE, any from /usr/share/seclists/Usernames will do
SSH keys
When enumerating other services/shares, you should also look for SSH keys. Public keys are commonly stored as "authorized_keys,", and private keys are commonly stored as "id_rsa". If you locate a private key you may be able to connect to the remote system via SSH.
chmod 600 id_rsa
ssh -i id_rsa [email protected]
Credential reuse
You should also attempt to connect to SSH with any credentials that you discover.
Creating keys (post exploitation)
ssh-keygen
scp (file transfers over ssh)
scp -r username@target-ip:/path/to/foo /home/username/desktop/
Specifying key exchange algorithms
Occasionally on older systems you'll receive and error indicating that no compatible key exchanges were found. Use the following command(s) to force the use of a specific algorithm.
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@$TargetIP
ssh -o HostKeyAlgorithms=+ssh-rsa root@TargetIP
Last updated