Exploiting SSH - Linux

Exploiting SSH

SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet.
It is typically used for remote access to servers and systems.
SSH uses TCP port 22 by default, however, like other services, it can be configured to use any other open TCP port.
SSH authentication can be configured in two ways:
- Username & password authentication
- Key based authentication
In the case of username and password authentication, we can perform a brute-force attack on the SSH server in order to identify legitimate credentials and consequently gain access to the target system.

Attack Flow for Exploiting SSH

1. Using Hydra

Objective: To perform a brute-force attack on the SSH service to crack the credentials for a given username.
Tool: Hydra

Command:

hydra -l <user> -P /usr/share/wordlists/rockyou.txt <target> ssh

Description: Hydra is a powerful tool for performing dictionary attacks against various protocols. In this case, you use Hydra to attempt different passwords against the specified username on the SSH service. The -l <user> flag specifies the username to target, -P points to the password list, and <target> is the IP address or hostname of the target machine. The "rockyou.txt" file is a popular wordlist containing common passwords.

2. Using Nmap

Objective: To scan the SSH service and perform a brute-force attack using a script.
Tool: Nmap

Command:

nmap <target> -p 22 --script ssh-brute --script-args userdb=admin

Description: Nmap is a versatile network scanning tool. The -p 22 flag specifies the SSH port, and --script ssh-brute uses the Nmap scripting engine to perform a brute-force attack. The --script-args userdb=admin argument specifies that the username to be used for the brute-force attack is "admin." This method scans for SSH on port 22 and tries to guess the password for the given username.

3. Using Metasploit

Objective: To use Metasploit’s auxiliary module for automated SSH login attempts with different credentials.
Tool: Metasploit

Command:

use auxiliary/scanner/ssh/ssh_login

Followed by setting necessary options:

set RHOSTS <target>
set USERNAME <user>
set PASSWORD <password>
run

Description: Metasploit is a comprehensive penetration testing framework. The auxiliary/scanner/ssh/ssh_login module is used for brute-forcing SSH credentials. After selecting the module with use auxiliary/scanner/ssh/ssh_login, you configure it with the target host (RHOSTS), the username (USERNAME), and the password (PASSWORD). Then you run the module to attempt login with the specified credentials.

Hacker's Mantra:The one thing that I know from the personal experiences that I’ve had with hackers and from people in tech who are brilliant at this thing, is there’s a lot of angst. - Sam Esmail

PreviousExploiting FTP - Linux NextExploiting SAMBA - Linux

Last updated 9 months ago

Was this helpful?

Exploiting SSH

SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet.

It is typically used for remote access to servers and systems.

SSH uses TCP port 22 by default, however, like other services, it can be configured to use any other open TCP port.

SSH authentication can be configured in two ways:

Username & password authentication
Key based authentication

In the case of username and password authentication, we can perform a brute-force attack on the SSH server in order to identify legitimate credentials and consequently gain access to the target system.

Attack Flow for Exploiting SSH

1. Using Hydra

Objective: To perform a brute-force attack on the SSH service to crack the credentials for a given username.

Tool: Hydra

Command:

hydra -l <user> -P /usr/share/wordlists/rockyou.txt <target> ssh

Description: Hydra is a powerful tool for performing dictionary attacks against various protocols. In this case, you use Hydra to attempt different passwords against the specified username on the SSH service. The -l <user> flag specifies the username to target, -P points to the password list, and <target> is the IP address or hostname of the target machine. The "rockyou.txt" file is a popular wordlist containing common passwords.

2. Using Nmap

Objective: To scan the SSH service and perform a brute-force attack using a script.

Tool: Nmap

Command:

nmap <target> -p 22 --script ssh-brute --script-args userdb=admin

Description: Nmap is a versatile network scanning tool. The -p 22 flag specifies the SSH port, and --script ssh-brute uses the Nmap scripting engine to perform a brute-force attack. The --script-args userdb=admin argument specifies that the username to be used for the brute-force attack is "admin." This method scans for SSH on port 22 and tries to guess the password for the given username.

3. Using Metasploit

Objective: To use Metasploit’s auxiliary module for automated SSH login attempts with different credentials.

Tool: Metasploit

Command:

use auxiliary/scanner/ssh/ssh_login

Followed by setting necessary options:

set RHOSTS <target>
set USERNAME <user>
set PASSWORD <password>
run

Description: Metasploit is a comprehensive penetration testing framework. The auxiliary/scanner/ssh/ssh_login module is used for brute-forcing SSH credentials. After selecting the module with use auxiliary/scanner/ssh/ssh_login, you configure it with the target host (RHOSTS), the username (USERNAME), and the password (PASSWORD). Then you run the module to attempt login with the specified credentials.

Hacker's Mantra:

The one thing that I know from the personal experiences that I’ve had with hackers and from people in tech who are brilliant at this thing, is there’s a lot of angst. - Sam Esmail