22 ~ SSH

Password attack

Given that we have a username for a user on the target machine, we can perform a few password-based attacks. If there are no known usernames, we can use the ssh_enumusers Metasploit module to enumerate the usernames. Refer to the hackviser.com notes in the resources section below.

Missing password

$ ssh user@host

Brute force

$ hydra -l user -P /path/to/wordlist.txt ssh://<host_addr> -t 6

# eg.
$ hydra -l user -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://x.x.x.x -t 6

Log poisoning

CTF example: https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking-concepts/write-ups/tryhackme/include

Given that we have found a vulnerability (eg. LFI) that lets us read the following files:

/var/log/auth.log
/var/log/access.log
/var/log/sshd.log

SSH may be abused for log poisoning via the following methods. Depending on the server technology and the nature of the vulnerability, a poisoned log entry may lead to RCE.

  1. Username

Note that this method may not work against recent versions of SSH if the payload contains certain types of special characters, since the server may sanitise or escape the username before logging it.

$ ssh <payload>@<host>

  2. SSH identification strings

$ nc <host> <port>

# eg.
$ nc 10.10.10.10 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
<payload> # press Enter immediately after

  3. Other SSH clients such as PuTTY
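Both attacks above leave traces in auth.log: a password-guessing run produces a burst of "Failed password" lines from one source, and log poisoning shows up as an "Invalid user" or "Bad protocol version identification" entry whose user or client string contains markup such as PHP tags. The following detection script is an added example, not part of the original notes; the log lines are constructed (RFC 5737 test addresses, harmless PHP tags in place of a real payload) and the thresholds and regexes are assumptions, not sshd configuration.

```python
import re
from collections import Counter

# Constructed sample auth.log (not from any real host): a password-guessing
# burst from one IP, two poisoning attempts (PHP tags in the username and in
# the client identification string) and one legitimate key-based login.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:02 srv sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:03 srv sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:04 srv sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:05 srv sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:06 srv sshd[1206]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 10 10:01:00 srv sshd[1210]: Invalid user <?php echo 'x'; ?> from 198.51.100.7 port 50000
Jan 10 10:02:00 srv sshd[1211]: Bad protocol version identification '<?php echo 'y'; ?>' from 198.51.100.7 port 50001
Jan 10 10:03:00 srv sshd[1212]: Accepted publickey for deploy from 192.0.2.9 port 60000 ssh2
"""

# sshd message shapes: "invalid user " is only present for unknown accounts.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<val>.+?) from (?P<ip>\S+) port")
INVALID_USER_RE = re.compile(r"Invalid user (?P<val>.*?) from (?P<ip>\S+) port")
BAD_PROTO_RE = re.compile(r"Bad protocol version identification '(?P<val>.*)' from (?P<ip>\S+) port")
# Markup that has no business in a username or SSH client banner (assumed list).
POISON_MARKERS = re.compile(r"<\?|\?>|<script")


def failed_logins_by_source(log_text):
    """Count 'Failed password' events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failures (threshold is an assumption)."""
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items() if n >= threshold)


def poisoning_attempts(log_text):
    """(ip, field, value) for username or client-ident values containing markup."""
    hits = []
    for line in log_text.splitlines():
        for field, rx in (("username", INVALID_USER_RE), ("client_ident", BAD_PROTO_RE)):
            m = rx.search(line)
            if m and POISON_MARKERS.search(m.group("val")):
                hits.append((m.group("ip"), field, m.group("val")))
    return hits
```

On a live host, feed the same functions the contents of /var/log/auth.log and raise an alert on any non-empty result.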

Persistence

  1. Create a private-public key pair

  2. Append the generated public key to the /home/user/.ssh/authorized_keys file on the target machine for that particular user

We can now SSH into the machine using the private key. Refer to the SSH notes for more information:

Other capabilities of SSH

SSH has many powerful capabilities such as port forwarding, file transfers, and even bypassing restrictive network environments. Refer to the following notes for more information:

Resources
