🔐Exploiting SSH - Linux

Exploiting SSH

  • SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet.

  • It is typically used for remote access to servers and systems.

  • SSH uses TCP port 22 by default; however, like any other service, it can be configured to listen on a different TCP port.

  • SSH authentication can be configured in two ways:

    • Username & password authentication

    • Key based authentication

  • In the case of username and password authentication, we can perform a brute-force attack on the SSH server in order to identify legitimate credentials and consequently gain access to the target system.

Attack Flow for Exploiting SSH

1. Using Hydra

  • Objective: To perform a brute-force attack on the SSH service to crack the credentials for a given username.

  • Tool: Hydra

  • Command:

    hydra -l <user> -P /usr/share/wordlists/rockyou.txt <target> ssh

  • Description: Hydra is a powerful tool for performing dictionary attacks against various protocols. In this case, you use Hydra to attempt different passwords against the specified username on the SSH service. The -l <user> flag specifies the username to target, -P points to the password list, and <target> is the IP address or hostname of the target machine. The "rockyou.txt" file is a popular wordlist containing common passwords. Every guess is recorded by sshd on the target as a "Failed password" line in its authentication log, which is what host-based brute-force detection keys on.

2. Using Nmap

  • Objective: To scan the SSH service and perform a brute-force attack using a script.

  • Tool: Nmap

  • Command:

    nmap <target> -p 22 --script ssh-brute --script-args userdb=admin

  • Description: Nmap is a versatile network scanning tool. The -p 22 flag specifies the SSH port, and --script ssh-brute uses the Nmap Scripting Engine to perform a brute-force attack. The --script-args userdb=admin argument specifies that the username to be used for the brute-force attack is "admin." Note that the userdb script argument is defined by Nmap's unpwdb library as the path to a file of usernames (one per line), so a bare name only works if a file by that name exists in the current directory; otherwise point userdb at a username file. This method scans for SSH on port 22 and tries to guess the password for the given username.

3. Using Metasploit

  • Objective: To use Metasploit’s auxiliary module for automated SSH login attempts with different credentials.

  • Tool: Metasploit

  • Command:

    use auxiliary/scanner/ssh/ssh_login

    Followed by setting necessary options:

    set RHOSTS <target>
    set USERNAME <user>
    set PASSWORD <password>
    run

  • Description: Metasploit is a comprehensive penetration testing framework. The auxiliary/scanner/ssh/ssh_login module is used for brute-forcing SSH credentials. After selecting the module with use auxiliary/scanner/ssh/ssh_login, you configure it with the target host (RHOSTS), the username (USERNAME), and the password (PASSWORD). Then you run the module to attempt login with the specified credentials. As configured here, the module tests a single username/password pair; like the other tools, each attempt produces a "Failed password" or "Accepted password" entry in the target's sshd log.
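All three tools above leave the same footprint on the target: a burst of sshd "Failed password" lines from one source, sometimes followed by an "Accepted password" line. The following defender-side detector is an added example, not part of these notes or of any of the tools discussed; the auth.log sample is constructed, and the threshold of 5 failures within a 60-second window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log sample (not real): 203.0.113.7 fails five times, then gets in.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:01:03 host sshd[1203]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Mar  4 10:01:03 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar  4 10:01:04 host sshd[1207]: Failed password for admin from 203.0.113.7 port 51240 ssh2
Mar  4 10:01:05 host sshd[1209]: Failed password for admin from 203.0.113.7 port 51242 ssh2
Mar  4 10:01:06 host sshd[1211]: Accepted password for admin from 203.0.113.7 port 51244 ssh2
Mar  4 10:30:00 host sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  4 10:45:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) (?:password|publickey) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_events(log_text):
    """Yield (timestamp, result, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year; strptime's 1900 default is fine for ordering
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one alert per source IP that reached `threshold` failures inside a window."""
    failures, users, accepted = defaultdict(list), defaultdict(set), defaultdict(list)
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
        else:
            accepted[ip].append(ts)
    alerts = []
    for ip, times in sorted(failures.items()):
        peak, start, times = 0, 0, sorted(times)  # sliding window over failure times
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A successful login after the burst suggests the guessing worked.
            success_after = any(a > min(times) for a in accepted[ip])
            alerts.append({"source": ip, "failures": peak, "users": sorted(users[ip]),
                           "success_after": success_after})
    return alerts
```

Running detect_bruteforce(SAMPLE_AUTH_LOG) flags only 203.0.113.7, with both targeted usernames and success_after set, while alice's single failure stays below the threshold.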

Hacker's Mantra: The one thing that I know from the personal experiences that I’ve had with hackers and from people in tech who are brilliant at this thing, is there’s a lot of angst. - Sam Esmail