Secure shell (SSH)
Secure shell (SSH) is the most commonly used protocol to access a remote shell on a remote host.
Port: 22 (TCP)
SSH can be used to create a secure connection for an insecure protocol. For instance, SFTP is for FTP over SSH.
Basic usage:
$ ssh username@IP
$ ssh username@IP -p port
You may use a private key instead of a password (if configured). Note that the key file must have permissions no more permissive than 600.
$ ssh username@IP -i /path/to/id_rsa
SSH Pentester Notes
Foothold
- The .ssh folder may contain an SSH key (often called id_rsa) to connect to a host. This file may be protected by a password, but using offline hash cracking, we may be able to find it.
- Use -v to detect allowed authentication modes and force one that is convenient for us.
$ ssh [...] -v -o PreferredAuthentications=password
- The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list ssh://IP -V -f
Additional Resources
- Run ssh-audit and analyze the output
- Use puttygen saved_key.ppk -O private-openssh -o id_rsa to convert a PuTTY key file to a Linux SSH file.
To-do
Stuff that I found, but never read/used yet.
- ssh xxx@yyy -T -L sp:domain:dp: create a tunnel mapping one port to another.
- ssh -N -f -l username IP
- ssh-keygen
- ssh-keygen -f key: leave the pub in >> /root/.ssh/authorized_keys
- -R "xxx"
- ssh -X with X11Forwarding enabled
- sshpass -p 'XXX' ssh xxx@IP
- Authorized keys
- sudo systemctl restart sshd
- ssh-copy-id username@server: add our public key to the remote server
- /etc/ssh/sshd_config
  - PermitRootLogin no
  - PubkeyAuthentication yes
  - PasswordAuthentication no
- Hardening
- SSH Forward Agent tests
$ ssh xxx@yyy -A
ssh> ssh-add -l
ssh> cat /proc/$$/environ | tr '\0' '\n' | grep SSH_AUTH_SOCK
ssh> cat /proc/*/environ 2> /dev/null | tr '\0' '\n' | grep SSH_AUTH_SOCK
ssh> SSH_AUTH_SOCK=/tmp/ssh-XXX/agent.$pid <something?>
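The sshd_config settings listed in the to-do notes (PermitRootLogin no, PubkeyAuthentication yes, PasswordAuthentication no) can be checked mechanically. The script below is an added example, not part of the original notes; the function names and the sample configuration are made up for illustration, and it assumes a single file with no Include directives and judges only the global section before any Match block.

```shell
#!/bin/sh
# Added example. Assumptions: Include files are not followed and Match blocks
# are skipped, so only the global settings of the given text are judged.

# Reads sshd_config text (file argument or stdin), prints one
# "keyword value verdict" line per setting, returns 1 if any value differs.
audit_sshd_config() {
    awk '
    BEGIN {
        # Values listed in the notes.
        want["permitrootlogin"] = "no"
        want["pubkeyauthentication"] = "yes"
        want["passwordauthentication"] = "no"
        # OpenSSH defaults that apply when a keyword is absent.
        dflt["permitrootlogin"] = "prohibit-password"
        dflt["pubkeyauthentication"] = "yes"
        dflt["passwordauthentication"] = "yes"
    }
    { sub(/#.*/, ""); sub(/[=]/, " ") } # drop comments, tolerate key=value
    NF == 0 { next }
    tolower($1) == "match" { exit }     # conditional blocks start here
    {
        k = tolower($1)                 # keywords are case-insensitive
        # sshd uses the first value it reads for a keyword.
        if ((k in want) && !(k in seen)) seen[k] = $2
    }
    END {
        bad = 0
        for (k in want) {
            v = (k in seen) ? seen[k] : dflt[k]
            if (v != want[k]) bad = 1
            printf "%s %s %s\n", k, v, (v == want[k] ? "ok" : "DIFFERS")
        }
        exit bad
    }' "$@"
}

# Constructed sample input, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes   # ignored: an earlier value already won
Match User backup
    PubkeyAuthentication no
EOF
}

sample_sshd_config | audit_sshd_config || echo "settings differ from the notes"
```

On a live host, sshd -T (run as root) prints the effective configuration with Include files resolved, and its output can be piped into audit_sshd_config.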