# Exploiting SSH - Linux

## Exploiting SSH

* SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet.
* It is typically used for remote access to servers and systems.
* SSH uses TCP port 22 by default; however, like other services, it can be configured to listen on any other open TCP port.
* SSH authentication can be configured in two ways:
  * Username & password authentication
  * Key based authentication
* In the case of username and password authentication, we can perform a brute-force attack on the SSH server in order to identify legitimate credentials and consequently gain access to the target system.

## Attack Flow for Exploiting SSH

### 1. **Using Hydra**

* **Objective:** To perform a brute-force attack on the SSH service to crack the credentials for a given username.
* **Tool:** Hydra
* **Command:**

  ```bash
  hydra -l <user> -P /usr/share/wordlists/rockyou.txt <target> ssh
  ```
* **Description:** Hydra is a powerful tool for performing dictionary attacks against various protocols. In this case, you use Hydra to attempt different passwords against the specified username on the SSH service. The `-l <user>` flag specifies the username to target, `-P` points to the password list, and `<target>` is the IP address or hostname of the target machine. The "rockyou.txt" file is a popular wordlist containing common passwords.

### 2. **Using Nmap**

* **Objective:** To scan the SSH service and perform a brute-force attack using a script.
* **Tool:** Nmap
* **Command:**

  ```bash
  nmap <target> -p 22 --script ssh-brute --script-args userdb=admin
  ```
* **Description:** Nmap is a versatile network scanning tool. The `-p 22` flag specifies the SSH port, and `--script ssh-brute` uses the Nmap scripting engine to perform a brute-force attack. The `--script-args userdb=admin` argument specifies that the username to be used for the brute-force attack is "admin." This method scans for SSH on port 22 and tries to guess the password for the given username.

### 3. **Using Metasploit**

* **Objective:** To use Metasploit’s auxiliary module for automated SSH login attempts with different credentials.
* **Tool:** Metasploit
* **Command:**

  ```bash
  use auxiliary/scanner/ssh/ssh_login
  ```

  Followed by setting necessary options:

  ```bash
  set RHOSTS <target>
  set USERNAME <user>
  set PASSWORD <password>
  run
  ```
* **Description:** Metasploit is a comprehensive penetration testing framework. The `auxiliary/scanner/ssh/ssh_login` module is used for brute-forcing SSH credentials. After selecting the module with `use auxiliary/scanner/ssh/ssh_login`, you configure it with the target host (`RHOSTS`), the username (`USERNAME`), and the password (`PASSWORD`). Then you run the module to attempt login with the specified credentials.
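All three tools above leave the same trace on the target: a burst of failed password logins from one source in sshd's auth log, sometimes followed by a success. The following is an added example, not from this page, showing how a defender can spot that pattern. The auth.log lines, hostname, PIDs, addresses and the threshold/window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style Linux auth.log sample; hostname, PIDs and addresses are made up.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web01 sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  4 10:15:02 web01 sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar  4 10:15:02 web01 sshd[2314]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  4 10:15:03 web01 sshd[2316]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar  4 10:15:04 web01 sshd[2318]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar  4 10:15:05 web01 sshd[2320]: Accepted password for root from 198.51.100.23 port 51027 ssh2
Mar  4 10:20:10 web01 sshd[2401]: Accepted publickey for deploy from 203.0.113.7 port 40011 ssh2
Mar  4 10:21:00 web01 sshd[2410]: Failed password for alice from 203.0.113.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd_events(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s seconds.
    Returns {ip: {"failures": n, "users": set, "success_after_failures": bool}}."""
    fails = defaultdict(list)
    flagged = {}
    for ts, result, user, ip in parse_sshd_events(log_text):
        if result == "Failed":
            # keep only the failures that still fall inside the sliding window
            fails[ip] = [(t, u) for t, u in fails[ip] if (ts - t).total_seconds() <= window_s]
            fails[ip].append((ts, user))
            if len(fails[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "users": set(), "success_after_failures": False})
                entry["failures"] = max(entry["failures"], len(fails[ip]))
                entry["users"].update(u for _, u in fails[ip])
        elif ip in flagged:
            # a successful login from an already-flagged source is the event to escalate
            flagged[ip]["success_after_failures"] = True
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```

A flagged source with `success_after_failures` set is the line to treat as a likely compromise rather than just noise; disabling password authentication in `sshd_config` in favour of the key-based option listed above removes the surface these three tools target.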

***

**Hacker's Mantra:** *The one thing that I know from the personal experiences that I’ve had with hackers and from people in tech who are brilliant at this thing, is there’s a lot of angst.* - Sam Esmail
