SSH - 22
SSH (Secure Shell) is a protocol used to securely connect to remote computers over a network. It encrypts data to keep communication private and safe.
- Default port: 22
Servers & Libraries
SSH servers:
- OpenSSH – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
- Dropbear – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
- PuTTY – SSH implementation for Windows, the client is commonly used but the use of the server is rarer
- CopSSH – implementation of OpenSSH for Windows
SSH libraries (implementing server-side):
- libssh – multiplatform C library implementing the SSHv2 protocol with bindings in Python, Perl and R; it’s used by KDE for sftp and by GitHub for the git SSH infrastructure
- wolfSSH – SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
- Apache MINA SSHD – Apache SSHD Java library, based on Apache MINA
- paramiko – Python SSHv2 protocol library
Configuration Path
- Path: /etc/ssh/sshd_config
Enumeration
- ssh-audit: checks supported algorithms, key types, protocol versions, etc.
git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py 10.10.10.10
- SSH Client Debug (for Brute-force Check): Forces the SSH client to use password authentication.
ssh -v username@10.10.10.10 -o PreferredAuthentications=password
- Nmap Scripts for SSH Enumeration:
nmap -p22 <ip> -sC # Default Scripts
nmap -p22 <ip> -sV # Service Version Detection
nmap -p22 <ip> --script ssh2-enum-algos # Supported Algorithms (Ciphers, MACs, KEX, etc.)
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve and Analyze Host Keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Authentication Methods Enumeration
Username Enumeration
In some versions of OpenSSH, a timing attack can be used to enumerate users. A Metasploit module implements this:
msf> use scanner/ssh/ssh_enumusers
SSH Credentials Bruteforce
We can use tools such as Hydra and Medusa to brute-force SSH with the following wordlists:
- SSH Username & Passwords: [1] & [2 - user:pass]
We can also use NetExec to authenticate to SSH, including with --kerberos authentication.
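On the defending side, the password guessing described in this section shows up in the sshd authentication log. The following is an added example, not part of the original page: it counts failed password attempts and distinct usernames per source address. The log lines are constructed samples in OpenSSH's message format, and the thresholds and reason labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's sshd log format (not real data).
P = "Jan 10 10:00:0{} host sshd[100{}]: "
SAMPLE_LOG = "\n".join(P.format(i, i) + msg for i, msg in enumerate([
    "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2",
    "Failed password for root from 203.0.113.5 port 51250 ssh2",
    # Client-controlled username that imitates another source address:
    "Failed password for invalid user x from 198.51.100.7 port 1 ssh2"
    " from 203.0.113.5 port 51252 ssh2",
    "Failed password for alice from 198.51.100.7 port 40020 ssh2",
    "Accepted password for alice from 198.51.100.7 port 40022 ssh2",
]))

# Greedy user match plus end anchor: the address is always taken from the
# last " from ... port N ssh2" on the line, which sshd writes, not the client.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port \d+ ssh2")

def summarize(log_text):
    """Per source address: failed count, usernames tried, accepted logins."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            stats[m["ip"]]["failed"] += 1
            stats[m["ip"]]["users"].add(m["user"])
        elif m := ACCEPTED.search(line):
            stats[m["ip"]]["accepted"].append(m["user"])
    return stats

def flag_sources(log_text, max_failed=5, max_users=3):
    """Return {ip: [reasons]} for sources at or above the assumed thresholds."""
    findings = {}
    for ip, s in summarize(log_text).items():
        reasons = []
        if s["failed"] >= max_failed:
            reasons.append("many-failures")
        if len(s["users"]) >= max_users:
            reasons.append("many-usernames")
        if reasons and s["accepted"]:
            reasons.append("also-accepted")  # a flagged source also logged in
        if reasons:
            findings[ip] = reasons
    return findings
```

Calling flag_sources(SAMPLE_LOG) flags only 203.0.113.5; the line with the crafted username is still attributed to the address sshd recorded.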