SSH Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 22 (default)

  • Protocol Type: Encrypted, application layer

  • Purpose: Secure remote access and file transfer

  • Security: Strong encryption and authentication mechanisms

Protocol Versions

  1. SSH-1

    • Legacy protocol

    • Vulnerable to MITM attacks

    • Should be disabled

  2. SSH-2

    • Current standard

    • Improved security

    • Supports multiple authentication methods

Initial Enumeration

Port Scanning

# Basic Nmap scan
nmap -p22 -sV <target>

# Aggressive scan with scripts
nmap -p22 -sV -sC -A <target>

# All SSH scripts
nmap -p22 --script ssh* <target>
# Using netcat
nc -vn <target> 22

# Using telnet
telnet <target> 22

# Direct SSH connection
ssh -v <target>

Authentication Methods

Testing Different Auth Methods

# Password authentication
ssh -v user@<target> -o PreferredAuthentications=password

# Public key authentication
ssh -i key_file user@<target>

# Keyboard-interactive
ssh -v user@<target> -o PreferredAuthentications=keyboard-interactive

Key-Based Authentication Check

# Generate new key pair
ssh-keygen -t rsa -b 4096

# Copy key to server
ssh-copy-id -i ~/.ssh/id_rsa.pub user@<target>

# Test key permissions
ls -la ~/.ssh/

Brute Force Attacks

Using Hydra

# Basic password attack
hydra -l user -P passwords.txt ssh://<target>

# Multiple users
hydra -L users.txt -P passwords.txt ssh://<target>

# With timing controls
hydra -l user -P passwords.txt ssh://<target> -t 4 -W 5

Using Medusa

# Basic attack
medusa -h <target> -u user -P passwords.txt -M ssh

# Parallel connections
medusa -h <target> -u user -P passwords.txt -M ssh -t 10

Using Ncrack

ncrack -p 22 --user user -P passwords.txt <target>

Common NSE Scripts

# Run all SSH scripts
nmap --script ssh* -p 22 <target>

# Important individual scripts
nmap -p22 --script ssh-auth-methods <target>     # Authentication methods
nmap -p22 --script ssh-brute <target>            # Brute force
nmap -p22 --script ssh-hostkey <target>          # Host key check
nmap -p22 --script ssh-publickey-acceptance <target>  # Public key testing
nmap -p22 --script ssh2-enum-algos <target>      # Algorithm enumeration

SSH Auditing

Using SSH-Audit

# Clone and run ssh-audit
git clone https://github.com/jtesta/ssh-audit.git
cd ssh-audit
./ssh-audit.py <target>

# Basic audit
./ssh-audit.py <target> --level basic

# Detailed audit
./ssh-audit.py <target> --level aggressive

File Operations

SCP (Secure Copy)

# Download file
scp user@<target>:/path/to/file local_file

# Upload file
scp local_file user@<target>:/path/to/destination

# Recursive copy
scp -r user@<target>:/remote/dir/ local_dir/

SFTP Operations

# Connect
sftp user@<target>

# Common commands
sftp> ls
sftp> get file
sftp> put file
sftp> mget *.txt
sftp> mput *.txt
sftp> bye

Configuration Files

Server Configuration

  • Main config: /etc/ssh/sshd_config

  • Host keys: /etc/ssh/ssh_host_*_key

  • Known hosts: /etc/ssh/ssh_known_hosts

User Configuration

  • SSH directory: ~/.ssh/

  • Private keys: ~/.ssh/id_*

  • Known hosts: ~/.ssh/known_hosts

  • Authorized keys: ~/.ssh/authorized_keys

Common Vulnerabilities

  1. Configuration Issues:

    • Weak passwords allowed

    • Root login enabled

    • Old protocol versions

    • Weak ciphers/MACs

  2. Authentication Problems:

    • Password authentication enabled

    • Empty passwords allowed

    • Weak private key protection

    • Misconfigured authorized_keys

  3. Version-specific:

    • OpenSSH vulnerabilities

    • Legacy SSH-1 problems

    • Weak key exchange methods

    • Deprecated algorithms

Post Exploitation

Information Gathering

  • Check SSH configuration

  • List authorized keys

  • Examine user permissions

  • Review SSH logs

  • Search for private keys

Privilege Escalation

  • Check for writable config files

  • Look for unprotected keys

  • Test for SSH agent hijacking

  • Examine cron jobs

  • Review sudo permissions

Common SSH Response Codes

Message
Meaning

Permission denied

Authentication failed

Connection refused

Port closed or filtered

Host key verification failed

Changed/unknown host key

Connection timed out

Host unreachable/blocked

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SSH version

    • Check available algorithms

    • Test authentication methods

    • Review banners/fingerprints

  2. Deep Enumeration:

    • Run SSH audits

    • Test key-based auth

    • Check configuration

    • Verify encryption methods

  3. Documentation:

    • Record findings

    • Note configurations

    • Document vulnerabilities

    • Save evidence

  4. Risk Assessment:

    • Evaluate security posture

    • Check compliance

    • Assess attack surface

    • Recommend hardening steps

Common Dangerous Settings

Setting
Risk

PermitRootLogin yes

Allows direct root access

PasswordAuthentication yes

Enables password attacks

PermitEmptyPasswords yes

Allows blank passwords

Protocol 1

Uses vulnerable protocol

X11Forwarding yes

Potential GUI exploitation

AllowTcpForwarding yes

Possible tunneling abuse

DebianBanner yes

Information disclosure

PreviousSMB Pentesting NotesNextIPMI Pentesting Notes