# 22 - SSH

## Usage

{% hint style="warning" %}
Key authentication cannot be used for network-based authentication; it limits us to local interaction only.
{% endhint %}

{% code overflow="wrap" %}

```bash
# Connect via SSH using a password
ssh x7331@10.10.10.1

# Connect via SSH using a private key
chmod 400 id_rsa
ssh -i id_rsa x7331@10.10.10.1

# Inline command execution
ssh user1@10.10.10.10 -p 2222 'ls /home/user1/'
```

{% endcode %}

## scp

{% code overflow="wrap" %}

```bash
# Local to remote (upload)
scp ./myFile molly@172.16.10.10:/tmp/myFile

# Remote to local (download)
scp molly@172.16.10.10:/tmp/myFile ./myFile

# Recursive download
scp -i id_rsa -P 2222 -r molly@10.10.10.5:"/mnt/c/Backups" .

# Multiple files (host must end with a directory: ':~' or ':/')
scp agent.exe proxy x7331@srv02:~ 
```

{% endcode %}

If you get the errors below, try `-O`. OpenSSH 9.0 and later run `scp` over the SFTP protocol by default, and any output the remote login shell produces (a banner, an `echo` in `.bashrc`) lands in front of the first SFTP packet; the bogus length in the error is simply the first four bytes of that output read as a big-endian integer (1094927173 is 0x41434345, i.e. `ACCE`). `-O` switches back to the legacy SCP protocol.

```bash
$ scp -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys
scp: Received message too long 1094927173
scp: Ensure the remote shell produces no output for non-interactive sessions.

$ scp -O -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys
```

### Key Generation

```bash
# Generate key pair
$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ''

# Add public key to authorized keys
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

# Read private key
$ cat .ssh/id_rsa
```

## Enumeration

```bash
# Enumerate supported authentication methods
nmap -p22 --script=ssh-auth-methods dc01

# Audit
ssh-audit 192.168.0.24
```

### Key to User Mapping

{% code overflow="wrap" %}

```bash
# Strip the BEGIN/END lines, base64-decode the body and look at the tail:
# new-format (openssh-key-v1) keys store the comment (user@host) there,
# length-prefixed (0000 000d = 13 bytes) and followed by padding 01 02 03 ...
$ sed '1d;$d' id_rsa | base64 -d | xxd
...
00000730: c118 9576 6abc 9f4f 0000 000d 7376 635f  ...vj..O....svc_
00000740: 6261 636b 7570 4044 4301 0203 0405       backup@DC.....

# Or derive the public key, which prints the comment as well
$ ssh-keygen -y -f ./id_rsa.bak
ssh-rsa AA...us= svc_backup@D
```

{% endcode %}
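The `xxd` trick above works because an `openssh-key-v1` file is a sequence of length-prefixed SSH strings, and the comment is the last string of the private section. The following parser, added here as an example and not part of the original page, walks that layout to report the key type, cipher, KDF and comment. It also covers the case the page's one-liner silently gets wrong: when the key is passphrase-protected the comment sits inside the ciphertext, so the parser returns `None` for it and reports the bcrypt round count instead. `build_sample_key` is a constructed fixture with dummy ed25519 material (not a usable key) so the whole thing runs offline; `svc_backup@DC` is reused from the page.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

# Number of key-specific 'string' fields that precede the comment inside the
# private section, per OpenSSH's PROTOCOL.key layout.
PRIVATE_FIELDS = {
    "ssh-ed25519": 2,          # public key, private key
    "ssh-rsa": 6,              # n, e, d, iqmp, p, q
    "ssh-dss": 5,              # p, q, g, y, x
    "ecdsa-sha2-nistp256": 3,  # curve name, public point, private scalar
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def _string(b):
    return struct.pack(">I", len(b)) + b


def parse_openssh_private_key(text):
    """Return cipher, KDF, key type and (for unencrypted keys) the comment."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an openssh-key-v1 file (legacy PEM keys carry no comment)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    off += 4                                   # number of keys (always 1)
    pub, off = _read_string(blob, off)
    priv, off = _read_string(blob, off)
    keytype, _ = _read_string(pub, 0)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "keytype": keytype.decode(), "rounds": None, "comment": None}
    if kdf == b"bcrypt":
        salt, o = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack_from(">I", kdfopts, o)
    if cipher != b"none":
        return info                            # comment is inside the ciphertext
    c1, c2 = struct.unpack_from(">II", priv, 0)
    if c1 != c2:
        raise ValueError("check ints differ: corrupt key")
    off = 8
    kt, off = _read_string(priv, off)
    for _ in range(PRIVATE_FIELDS[kt.decode()]):
        _, off = _read_string(priv, off)       # skip the key material
    comment, _ = _read_string(priv, off)       # what follows is padding 01 02 03 ...
    info["comment"] = comment.decode("utf-8", "replace")
    return info


def build_sample_key(comment, encrypted=False):
    """Constructed sample: an openssh-key-v1 file with dummy ed25519 material.
    Not a usable key; it exists only to exercise the parser offline."""
    pub_raw = bytes(range(32))
    pub = _string(b"ssh-ed25519") + _string(pub_raw)
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _string(b"\x11" * 16) + struct.pack(">I", 16)  # salt, rounds
        priv = bytes(range(256))                                 # opaque stand-in
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
        priv = (struct.pack(">II", 0x1234ABCD, 0x1234ABCD)
                + _string(b"ssh-ed25519") + _string(pub_raw)
                + _string(bytes(64)) + _string(comment.encode()))
        pad = (-len(priv)) % 8
        priv += bytes(range(1, pad + 1))       # 01 02 03 ... as seen in the xxd dump
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(pub) + _string(priv))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(parse_openssh_private_key(build_sample_key("svc_backup@DC")))
    print(parse_openssh_private_key(build_sample_key("svc_backup@DC", encrypted=True)))
```

Two consequences for incident response: a key in the old `-----BEGIN RSA PRIVATE KEY-----` PEM layout has no comment at all, so neither `xxd` nor this parser can attribute it to a user, and an encrypted new-format key only yields its owner after the passphrase is known, which is why the page's `ssh-keygen -y` step prompts for one.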

## Attacks

### Brute Force

{% code overflow="wrap" %}

```bash
# Brute-force attack (hydra, nmap ssh-brute, netexec)
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.0.24:22 -t 4

nmap -p 22 --script ssh-brute userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s 10.10.10.3

nxc ssh 10.130.434.10 -u users.txt -p passwords.txt
```

{% endcode %}

{% code overflow="wrap" %}

```bash
$ msfconsole -q
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.57.134
RHOSTS => 192.168.57.134
```

{% endcode %}

### Password Spray

```bash
# Password spray attack
nxc ssh 10.130.434.10 -u users.txt -p Passw0rd123!
```

### Crack Private Keys

```bash
# Convert the private key into a hashcat-friendly format
$ ssh2john id_rsa > ssh.hash

# Remove the filename from the file (e.g. id_rsa:)
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

# Crack the hash (might not work)
$ hashcat -m 22921 ssh.hash ssh.passwords
# This will probably work
$ john --wordlist=ssh.passwords ssh.hash
```

SSH supports multiple key types, each with its own default filename, so when trying to exfiltrate one don't just search for `id_rsa`!

| Key Type  | Private Key File    | Public Key File         |
| --------- | ------------------- | ----------------------- |
| RSA       | `~/.ssh/id_rsa`     | `~/.ssh/id_rsa.pub`     |
| ECDSA     | `~/.ssh/id_ecdsa`   | `~/.ssh/id_ecdsa.pub`   |
| ED25519   | `~/.ssh/id_ed25519` | `~/.ssh/id_ed25519.pub` |
| DSA (old) | `~/.ssh/id_dsa`     | `~/.ssh/id_dsa.pub`     |

* **ECDSA** and **ED25519** are newer and generally faster/smaller than RSA.
* **ED25519** is currently the recommended default for many systems (`ssh-keygen` defaults to it now).
* **RSA** is still widely supported, but **4096-bit keys** are preferred now due to security standards.

## PPK to PEM

Convert a PuTTY user key file (`.ppk`) to an OpenSSH `.pem` file.

```bash
# Converting PPK to PEM
sudo puttygen key.ppk -O private-openssh -o key.pem
# Assigning the appropriate permissions
sudo chmod 600 key.pem
# Confirming permissions
ls -l key.pem
# Using public key authentication
ssh root@10.10.11.227 -i key.pem
```

For an example of the above process, check [Keeper](/boxes/boxes/easy/keeper.md#keepass-exploitation).


