Exploiting SSH - Linux

Exploiting SSH

• SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet.

• It is typically used for remote access to servers and systems.

• SSH uses TCP port 22 by default, however, like other services, it can be configured to use any other open TCP port.

• SSH authentication can be configured in two ways:

  • Username & password authentication

  • Key based authentication

• In the case of username and password authentication, we can perform a brute-force attack on the SSH server in order to identify legitimate credentials and consequently gain access to the target system.

Attack Flow for Exploiting SSH

1. Using Hydra

• Objective: To perform a brute-force attack on the SSH service to crack the credentials for a given username.

• Tool: Hydra

• Command:

  Copy

  hydra -l <user> -P /usr/share/wordlists/rockyou.txt <target> ssh

• Description: Hydra is a powerful tool for performing dictionary attacks against various protocols. In this case, you use Hydra to attempt different passwords against the specified username on the SSH service. The -l <user> flag specifies the username to target, -P points to the password list, and <target> is the IP address or hostname of the target machine. The "rockyou.txt" file is a popular wordlist containing common passwords.

2. Using Nmap

• Objective: To scan the SSH service and perform a brute-force attack using a script.

• Tool: Nmap

• Command:

  Copy

  nmap <target> -p 22 --script ssh-brute --script-args userdb=admin

• Description: Nmap is a versatile network scanning tool. The -p 22 flag specifies the SSH port, and --script ssh-brute uses the Nmap scripting engine to perform a brute-force attack. The --script-args userdb=admin argument specifies that the username to be used for the brute-force attack is "admin." This method scans for SSH on port 22 and tries to guess the password for the given username.

3. Using Metasploit

• Objective: To use Metasploit’s auxiliary module for automated SSH login attempts with different credentials.

• Tool: Metasploit

• Command:

  Copy

  use auxiliary/scanner/ssh/ssh_login

  Followed by setting necessary options:

  Copy

  set RHOSTS <target>
  set USERNAME <user>
  set PASSWORD <password>
  run

• Description: Metasploit is a comprehensive penetration testing framework. The auxiliary/scanner/ssh/ssh_login module is used for brute-forcing SSH credentials. After selecting the module with use auxiliary/scanner/ssh/ssh_login, you configure it with the target host (RHOSTS), the username (USERNAME), and the password (PASSWORD). Then you run the module to attempt login with the specified credentials.

Hacker's Mantra:The one thing that I know from the personal experiences that I’ve had with hackers and from people in tech who are brilliant at this thing, is there’s a lot of angst. - Sam Esmail