Secure shell (SSH)
Secure shell (SSH) is the most commonly used protocol to access a remote shell on a remote host.
ποΈ Port: 22 (TCP)
π₯ SSH can be used to create a secure connection for an insecure protocol. For instance, SFTP is for FTP over SSH.
Basic usage:
$ ssh username@IP
$ ssh username@IP -p port
You may use a private key instead of a password (if configured). Note that the key must have at least the permissions 600.
$ ssh username@IP -i /path/to/id_rsa
SSH Pentester Notes β οΈ
Foothold
-
The
.sshfolder may contain a ssh key (often calledid_rsa) to connect to a host. This file may be protected by a password, but using offline hash cracking, we may be able to find it. -
Use
-vto detect allowed authentication modes and force one that is convenient for us.
$ ssh [...] -v -o PreferredAuthentications=password
- The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list ssh://IP -V -f
Additional Ressources
-
Run ssh-audit (3.0k β) and analyze the output
-
Use
puttygen saved_key.ppk -O private-openssh -o id_rsato convert a Putty key file to a Linux SSH file.
π» To-do π»
Stuff that I found, but never read/used yet.
-
ssh xxx@yyy -T -L sp:domain:dp: create a tunnel mapping one port to another.ssh -N -f -l username IP - ssh-keygen
-
ssh-keygen -f key: leave in>> /root/.ssh/authorized_keysthe pub -
-R "xxx" -
ssh -XwithX11Forwardingenabled -
sshpass -p 'XXX' ssh xxx@IP - Authorized keys
-
sudo systemctl restart sshd -
ssh-copy-id username@server: add to remote server our public key
-
/etc/ssh/sshd_config-
PermitRootLogin no -
PubkeyAuthentication yes -
PasswordAuthentication no - Hardening
-
SSH Forward Agent tests
$ ssh xxx@yyy -A
ssh> ssh-add -l
ssh> cat /proc/$$/environ | tr '\0' '\n' | grep SSH_AUTH_SOCK
ssh> cat /proc/*/environ 2> /dev/null | tr '\0' '\n' | grep SSH_AUTH_SOCK
ssh> SSH_AUTH_SOCK=/tmp/ssh-XXX/agent.$pid <something?>