The Secure Shell (SSH) service is commonly used to remotely access a computer using a secure encrypted protocol. SSH service listens on TCP port 22 by default.
Login with ssh client
# Login to a remote machine with ssh
ssh user@host
ssh root@x.x.x.x
ssh user@x.x.x.x
# Specify port if not default port 22
ssh user@x.x.x.x -p 23Login with public key
For older versions of OpenSSH server (like 5.3) with newer client (like 8.8), use this command to connect or the password will be asked even when specifying the key.
https://serverfault.com/questions/1092998/ssh-no-matching-host-key-type-found
ssh -v -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa user@x.x.x.xOr edit ssh client configuration: ~/.ssh/config, Host can be an expression like 192.168.*.*
Host x.x.x.x
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsaGenerate a public/private key pair on kali
ssh-keygen -t rsa
[leave all default parameters]When getting this error when connecting: “debug1: send_pubkey_test: no mutual signature algorithm”. Also validate that setting “AuthorizedKeysFile %h/.ssh/authorized_keys” is not commented in /etc/ssh/sshd_config.
ssh-keygen -t ed25519
[leave all default parameters]Permissions on files (private keys must be r or rw by owner only)
chmod 400 ~/.ssh/id_rsa
chmod 400 ~/.ssh/id_ed25519
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/configStore my public key in .ssh/authorized_keys file on the remote system
# Can use any upload file mechanisms (like an exploit) to add my public key
scp ~/.ssh/id_rsa.pub someuser@${IP}:~/.ssh/authorized_keysConnect using my private key
TIP: Use “-v” to debug.
ssh -i ~/.ssh/id_rsa someuser@${IP}Run a script on remote server using public key mechanism
ssh someuser@${IP} "/home/someuser/myscript.sh"Force login with diffie-hellman key exchange
# When only diffie-hellman-group1-sha1 is supported as key exchange method
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss root@x.x.x.xRun a local script (Kali) on remote host (victim)
IP=x.x.x.x
ssh root@${IP} < unix_checks.shLogin with sshpass
Install sshpass
apt install sshpassLogin
IP=x.x.x.x
USERNAME=root
PASSWORD=toor
sshpass -p ${PASSWORD} ssh -o StrictHostKeyChecking=no ${USERNAME}@${IP} echo "${IP}:${USERNAME}/${PASSWORD}"Common login errors
no matching key exchange method
Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1# Client-side ssh config
nano /etc/ssh/ssh_config
# Uncomment
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbcssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc root@x.x.x.xTIP: If error “Invalid key length” after these steps, use Putty instead.
SSH Port Forwarding / SSH Tunneling
Kali machine -> jumper machine -> target machine
# From Kali machine:
JUMPER_IP=x.x.x.x
TARGET_IP=y.y.y.y
TARGET_PORT=22
LOCAL_PORT=12345
# ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER
ssh -L 127.0.0.1:${LOCAL_PORT}:${TARGET_IP}:${TARGET_PORT} user@${JUMPER_IP}
# Using key to connect on jumper machine
ssh -L 127.0.0.1:${LOCAL_PORT}:${TARGET_IP}:${TARGET_PORT} -i ssh-keypair user@${JUMPER_IP}# Open another terminal window on Kali machine:
nc 127.0.0.1 ${LOCAL_PORT}
# When target port is for SSH
ssh ${TARGET_USER}@127.0.0.1 -p ${LOCAL_PORT}
# Target port is TARGET_PORT=443
sslscan --verbose --show-certificate --xml=./sslscan.xml 127.0.0.1:12345Using Putty
Not tested, to complete
Session
Host Name (or IP address): JUMPER_IP
Port: 22
Connection -> SSH -> Tunnels
Forwarded ports:
Source port: LOCAL_PORT
Destination: TARGET_IP:TARGET_PORTOpen a second Putty session
Session
Host Name (or IP address): localhost
Port: LOCAL_PORT# For Windows TARGET
Open an RDP connection (mstsc) and enter 127.0.0.1:LOCAL_PORT.Start SSH Service on a Kali Linux
Check the status of the SSH service
sudo service ssh statussudo systemctl status sshsudo netstat -antp | grep sshdsudo ss -antpl | grep sshdConfigure SSH
NOTE: Permitting root login with password is not recommended. This is not for corporate setting…
nano /etc/ssh/sshd_configX11Forwarding yes
PermitRootLogin yesStart/stop the SSH service
sudo service ssh start
sudo service ssh stop
sudo service ssh statussudo systemctl start ssh
sudo systemctl stop ssh
sudo systemctl status sshsudo /etc/init.d/ssh start
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh statusTurn off SSH indefinitely
sudo systemctl disable ssh
# sudo systemctl enable sshIMPORTANT: If disk encryption is enabled on your Kali Linux machine, the SSH service will not start unless the password to unlock the disk is entered. This cannot be done remotely.
Enable Wake On Lan
ethtool -s eth0 wol gOr edit the file manually
cd /etc/network/interfaces.d
nano eth0auto eth0
iface eth0 inet dhcp
ethernet-wol gsudo rebootsudo ethtool eth0“g” means it is working
Wake-on: gEdit the Wake On LAN configuration in the BIOS also.
To send the Magic Packet from Windows to wake up the remote computer, use WakeMeOnLan.
Brute force user accounts & passwords
TIP: Use exploit 45233 to enumerate users (OpenSSH < 7.7)
TIP: For keyboard-interactive mode, see ssh_bruteforce.sh
Hydra
IP=x.x.x.x
hydra -s 22 -l root -P /usr/share/wordlists/rockyou.txt -t 4 $IP sshnmap
IP=x.x.x.x
nmap -sV -p 22 --script=ssh* $IPIP=x.x.x.x
USERS=/root/users.txt
WL=/usr/share/wordlists/rockyou.txt
nmap -p 22 --script ssh-brute --script-args userdb=$USERS,passdb=$WL $IPOpenSSH Version & Vulnerability
IP=x.x.x.x
ssh root@${IP}
# Show OpenSSH version
# E.g. OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
ssh -V
# Show OpenSSH version
# E.g. openssh-server-5.3p1-124.el6_10.x86_64
rpm -qa | grep openssh
# Show fixes for this OpenSSH version
rpm -q --changelog openssh-server-5.3p1-124.el6_10.x86_64 | grep CVE
- Fix for CVE-2018-15473: User enumeration via malformed packets in authentication requests
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)
...Then search for OpenSSH version on Exploit-DB and NVD