22 - Pentesting SSH
Secure Shell (SSH) enables two computers to establish an encrypted and direct connection within a possibly insecure network on the standard port TCP 22.
Default Configuration
cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'
## DANGEROUS SETTINGS
PasswordAuthentication yes #Allows password-based authentication.
PermitEmptyPasswords yes #Allows the use of empty passwords.
PermitRootLogin yes #Allows logging in directly as the root user.
Protocol 1 #Uses the outdated SSH protocol version 1.
X11Forwarding yes #Allows X11 forwarding for GUI applications.
AllowTcpForwarding yes #Allows forwarding of TCP ports.
PermitTunnel yes #Allows tun(4) device tunneling.
DebianBanner yes #Includes the Debian-specific version suffix in the server banner.
Footprinting SSH
One of the tools we can use to fingerprint the SSH server is ssh-audit. It checks the client-side and server-side configuration and shows some general information and which encryption algorithms are still used by the client and server.
git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py 10.129.14.132
For potential brute-force attacks, we can force a specific authentication method with the SSH client option PreferredAuthentications (the -v flag shows which methods the server offers).
ssh -v staphy@IP -o PreferredAuthentications=password
Nmap Scripts
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorithms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve full host keys (check for weak keys)
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods