The Secure Shell (SSH) service is commonly used to access a computer remotely over an encrypted protocol. The SSH service listens on TCP port 22 by default.
For Windows, use PuTTY.
Login with ssh client
# Login to a remote machine with ssh
ssh user@host
ssh root@x.x.x.x
ssh user@x.x.x.x
# Specify port if not default port 22
ssh user@x.x.x.x -p 23
Login with key
For an older OpenSSH server (e.g. 5.3) with a newer client (e.g. 8.8), use this command to connect; otherwise the client and server cannot agree on a signature algorithm for the RSA key, and a password is asked for even when the key is specified.
https://serverfault.com/questions/1092998/ssh-no-matching-host-key-type-found
ssh -v -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa user@x.x.x.x
Or edit the SSH client configuration in ~/.ssh/config (Host can be a pattern such as 192.168.*.*):
Host x.x.x.x
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Generate a public/private key pair on Kali
ssh-keygen -t rsa
[leave all default parameters]
If connecting fails with “debug1: send_pubkey_test: no mutual signature algorithm”, generate an ed25519 key instead. Also check that the setting “AuthorizedKeysFile %h/.ssh/authorized_keys” is not commented out in /etc/ssh/sshd_config on the server.
ssh-keygen -t ed25519
[leave all default parameters]
Permissions on files (private keys must be readable, or read/write, by the owner only)
chmod 400 ~/.ssh/id_rsa
chmod 400 ~/.ssh/id_ed25519
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config
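An added check for the permission list above (example code written for these notes, not from the original page): it audits every file in an .ssh directory against those chmod values and then repairs a deliberately mis-set demo directory. It assumes GNU stat; the demo directory and its placeholder files are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the modes of the files
# in an SSH directory against the chmod values listed above.
# Assumes GNU stat (Linux); on BSD/macOS use "stat -f '%Lp'" instead.

# expected_mode PATH -> prints the strictest acceptable octal mode, or
# nothing for files whose mode is not security-relevant (public keys etc.)
expected_mode() {
    case "$(basename "$1")" in
        id_rsa|id_ed25519|id_ecdsa|id_dsa) echo 400 ;;   # private keys
        authorized_keys|config)            echo 600 ;;
    esac
}

# audit_ssh_dir DIR -> prints one line per problem; returns 1 if any, else 0
audit_ssh_dir() {
    dir=$1; problems=0
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != 700 ]; then
        echo "$dir: mode $mode, expected 700"; problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        want=$(expected_mode "$f")
        [ -n "$want" ] || continue
        mode=$(stat -c '%a' "$f")
        # private keys may be 400 or 600 (r or rw by owner only); the rest
        # must match exactly
        case "$want:$mode" in
            400:400|400:600|600:600) ;;
            *) echo "$f: mode $mode, expected $want"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed demo directory standing in for ~/.ssh (placeholder contents,
# not real keys), created with the permissive modes a careless copy leaves
demo=$(mktemp -d)/.ssh
mkdir "$demo"
printf 'placeholder private key\n' > "$demo/id_ed25519"
printf 'placeholder public key\n'  > "$demo/authorized_keys"
chmod 755 "$demo"; chmod 644 "$demo/id_ed25519" "$demo/authorized_keys"

audit_ssh_dir "$demo" || echo "--> insecure; applying the chmod values from the notes"
chmod 700 "$demo"; chmod 400 "$demo/id_ed25519"; chmod 600 "$demo/authorized_keys"
audit_ssh_dir "$demo" && echo "--> all modes acceptable"
```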
Store my public key in the .ssh/authorized_keys file on the remote system
# Any file upload mechanism (including an exploit) can be used to add my public key
scp ~/.ssh/id_rsa.pub someuser@${IP}:~/.ssh/authorized_keys
# Note: this scp overwrites an existing authorized_keys file; append to it instead if other keys must be kept
Connect using my private key
Use “-v” to debug.
ssh -i ~/.ssh/id_rsa someuser@${IP}
Run a script on remote server using public key mechanism
ssh someuser@${IP} "/home/someuser/myscript.sh"
Force login with a legacy Diffie-Hellman key exchange
# When the server supports only diffie-hellman-group1-sha1 as key exchange method
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss root@x.x.x.x
Run a local script (Kali) on remote host (victim)
IP=x.x.x.x
ssh root@${IP} < unix_checks.sh
Login with sshpass
Install sshpass
apt install sshpass
Login
IP=x.x.x.x
USERNAME=root
PASSWORD=toor
sshpass -p ${PASSWORD} ssh -o StrictHostKeyChecking=no ${USERNAME}@${IP} echo "${IP}:${USERNAME}/${PASSWORD}"
Common login errors
no matching key exchange method
Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
# Client-side ssh config
nano /etc/ssh/ssh_config
# Uncomment
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc root@x.x.x.x
If the error “Invalid key length” still appears after these steps, use PuTTY instead.
SSH Port Forwarding / SSH Tunneling
Kali machine -> jumper machine -> target machine
# From Kali machine:
JUMPER_IP=x.x.x.x
TARGET_IP=y.y.y.y
TARGET_PORT=22
LOCAL_PORT=12345
# ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER
ssh -L 127.0.0.1:${LOCAL_PORT}:${TARGET_IP}:${TARGET_PORT} user@${JUMPER_IP}
# Using key to connect on jumper machine
ssh -L 127.0.0.1:${LOCAL_PORT}:${TARGET_IP}:${TARGET_PORT} -i ssh-keypair user@${JUMPER_IP}
# Open another terminal window on Kali machine:
nc 127.0.0.1 ${LOCAL_PORT}
# When target port is for SSH
ssh ${TARGET_USER}@127.0.0.1 -p ${LOCAL_PORT}
# When the target port is 443 (TLS), scan the service through the tunnel
sslscan --verbose --show-certificate --xml=./sslscan.xml 127.0.0.1:${LOCAL_PORT}
Using PuTTY
Not tested, to complete
Session
Host Name (or IP address): JUMPER_IP
Port: 22
Connection -> SSH -> Tunnels
Forwarded ports:
Source port: LOCAL_PORT
Destination: TARGET_IP:TARGET_PORT
Open a second PuTTY session
Session
Host Name (or IP address): localhost
Port: LOCAL_PORT
# For a Windows target
Open an RDP connection (mstsc) and enter 127.0.0.1:LOCAL_PORT.
Start SSH Service on a Kali Linux
Check the status of the SSH service
sudo service ssh status
sudo systemctl status ssh
sudo netstat -antp | grep sshd
sudo ss -antpl | grep sshd
Configure SSH
Permitting root login with a password is NOT recommended; this is for a lab, not a corporate setting…
nano /etc/ssh/sshd_config
X11Forwarding yes
PermitRootLogin yes
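Added example, not from the original notes: a check of sshd_config for the settings just edited, reading the file the way sshd does (keywords case-insensitive, first value wins, Match blocks not applied). The sample config is constructed; the Key=value and Include forms are not handled.

```shell
#!/bin/sh
# Added example, not from the original notes: check an sshd_config for the
# settings discussed above, following sshd's own parsing rules: keywords are
# case-insensitive, lines starting with "#" are comments, and the FIRST
# value seen wins (a later "PermitRootLogin no" does not override an earlier
# "yes"). Only the global section is read; Match blocks are ignored here.

# sshd_setting FILE KEYWORD [DEFAULT] -> prints the effective value
sshd_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    value=$(awk -v k="$key" '
        NF == 0 || $1 ~ /^#/      { next }        # blank line or comment
        tolower($1) == "match"    { exit }        # end of the global section
        tolower($1) == k && !seen { print $2; seen = 1 }' "$1")
    printf '%s\n' "${value:-$3}"
}

# audit_sshd_config FILE -> one line per weak setting; returns 1 if any found.
# Defaults are current OpenSSH's: PermitRootLogin prohibit-password,
# PasswordAuthentication yes.
audit_sshd_config() {
    weak=0
    case "$(sshd_setting "$1" PermitRootLogin prohibit-password)" in
        yes) echo "PermitRootLogin yes: root can log in with a password"; weak=1 ;;
    esac
    case "$(sshd_setting "$1" PasswordAuthentication yes)" in
        yes) echo "PasswordAuthentication yes: open to password guessing"; weak=1 ;;
    esac
    return $weak
}

# Constructed sample config (not a real host's file): the lab settings from
# the notes above plus a later "no" that sshd will NOT honour
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# lab sshd_config
X11Forwarding yes
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
EOF
audit_sshd_config "$cfg" || echo "--> harden with: PermitRootLogin no, PasswordAuthentication no"
```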
Start/stop the SSH service
sudo service ssh start
sudo service ssh stop
sudo service ssh status
sudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl status ssh
sudo /etc/init.d/ssh start
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh status
Turn off SSH indefinitely
sudo systemctl disable ssh
# sudo systemctl enable ssh
IMPORTANT: If disk encryption is enabled on your Kali Linux machine, the SSH service will not start until the password to unlock the disk is entered, which cannot be done remotely.
Enable Wake On Lan
ethtool -s eth0 wol g
Or edit the file manually
cd /etc/network/interfaces.d
nano eth0
auto eth0
iface eth0 inet dhcp
ethernet-wol g
sudo reboot
sudo ethtool eth0
“g” in the output means Wake-on-LAN by magic packet is enabled:
Wake-on: g
Edit the Wake On LAN configuration in the BIOS also.
To send the Magic Packet from Windows to wake up the remote computer, use WakeMeOnLan.
Brute force user accounts & passwords
Use exploit 45233 to enumerate users (OpenSSH < 7.7)
For keyboard-interactive mode, see ssh_bruteforce.sh
Hydra
IP=x.x.x.x
hydra -s 22 -l root -P /usr/share/wordlists/rockyou.txt -t 4 $IP ssh
nmap
IP=x.x.x.x
nmap -sV -p 22 --script=ssh* $IP
IP=x.x.x.x
USERS=/root/users.txt
WL=/usr/share/wordlists/rockyou.txt
nmap -p 22 --script ssh-brute --script-args userdb=$USERS,passdb=$WL $IP
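Added example from the defender's side (written for these notes, not part of the original page): counting the sshd “Failed password” lines per source address in the auth log, which is what the hydra and nmap runs above leave behind. The log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: the defender's side of the
# hydra and nmap runs above. Every rejected guess makes sshd log a
# "Failed password for ... from IP port N ssh2" line; counting those per
# source address makes a brute-force run stand out from ordinary typos.
# The log lines below are constructed (RFC 5737 documentation addresses).

# failed_by_source LOG -> "COUNT IP" per source address, most failures first
failed_by_source() {
    awk '/sshd\[[0-9]+]: Failed password for/ {
             # the address is the field right after "from", whether or not
             # the line carries "invalid user"
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# flag_bruteforce LOG THRESHOLD -> prints addresses with at least THRESHOLD
# failures; returns 1 when any were found, 0 otherwise
flag_bruteforce() {
    hits=$(failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }')
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

log=$(mktemp)
cat > "$log" <<'EOF'
Mar  3 10:01:02 kali sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Mar  3 10:01:02 kali sshd[1202]: Failed password for root from 192.0.2.10 port 40123 ssh2
Mar  3 10:01:03 kali sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40124 ssh2
Mar  3 10:01:03 kali sshd[1204]: Failed password for root from 192.0.2.10 port 40125 ssh2
Mar  3 10:01:04 kali sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:05:30 kali sshd[1300]: Failed password for bob from 198.51.100.7 port 51010 ssh2
EOF

echo "failures per source:"; failed_by_source "$log"
# four failures in two seconds from one address is a guessing tool, not a user
flag_bruteforce "$log" 3 || echo "--> brute-force suspected from the address(es) above"
```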
OpenSSH Version & Vulnerability
IP=x.x.x.x
ssh root@${IP}
# Show OpenSSH version
# E.g. OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
ssh -V
# Show OpenSSH version
# E.g. openssh-server-5.3p1-124.el6_10.x86_64
rpm -qa | grep openssh
# Show fixes for this OpenSSH version
rpm -q --changelog openssh-server-5.3p1-124.el6_10.x86_64 | grep CVE
- Fix for CVE-2018-15473: User enumeration via malformed packets in authentication requests
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)
...
Then search for the OpenSSH version on Exploit-DB and NVD.