22 ~ SSH

Password attack

Given that we have a username for a user on the target machine, we can perform a few password-based attack.s If there are no know usernames, we can use the ssh_enumusers Metasploit module to enumerate the usernames. Refer to the hackviser.com notes in the resources section below.

Missing password

$ ssh user@host

Brute force

$ hydra -l user -P /path/to/wordlist.txt ssh://<host_addr> -t 6

# eg.
$ hydra -l user -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://x.x.x.x -t 6

hydra | Kali Linux ToolsKali Linux

Log poisoning

CTF example: https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking-concepts/write-ups/tryhackme/include

Given that we have found a certain vulnerability (eg. LFI) that provides us access to the following files:

/var/log/auth.log
/var/log/access.log
/var/log/sshd.log

SSH may be exploited to allow log poisoning via the following methods, which depending on the server technology and nature of the vulnerability, may provide RCE.

Username

Note that this method may not work for the recent versions of SSH if the payload contains certain type of special characters

$ ssh <payload>@<host>

SSH identification strings

$ nc <host> <port>

# eg.
$ nc 10.10.10.10 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
<payload> # click enter right after

Other SSH clients such as Putty

Persistence

Create a private-public key pair
Place the generated public key into the /home/user/.ssh/authorized_keys directory on the target machine for the particular user

We can now SSH into the machine using the private key. Refer to the SSH notes for more information:

SSH public key authentication | Networking conceptsjarrettgxz-sec.gitbook.io

Other capabilities of SSH

SSH have many powerful capabilities such as port forwarding, file transfers, and even to bypass restrictive environments. Refer to the following notes for more information:

Introduction | Networking conceptsjarrettgxz-sec.gitbook.io