Infrastructure penetration testing notes
22 - SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login, remote command execution and file transfer.

Files

Each SSH server has its own host key pair and presents the public half (identified by its fingerprint) upon initial connection by a client. This is an extra integrity step to minimise the risk of man-in-the-middle attacks. Once the host key has been accepted it is saved in .ssh/known_hosts on the client, and the client warns if the same host later presents a different key.

This means that we would have at least the following file on the server:

.ssh/authorized_keys – holds the public keys of any authorised clients

And the following files on the client:

.ssh/id_rsa – holds the private key for the client

.ssh/id_rsa.pub – holds the public key for the client

.ssh/known_hosts – holds the host keys of hosts that the client has previously connected to

Generating ssh key:

root@Kali:~# ssh-keygen  
Generating public/private rsa key pair. 
Enter file in which to save the key (/root/.ssh/id_rsa):  
Created directory '/root/.ssh'. 
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in /root/.ssh/id_rsa. 
Your public key has been saved in /root/.ssh/id_rsa.pub. 
The key fingerprint is: 
SHA256:0S22hr1iXCscptJ3CUDSsKPMYrFVOfFJIgvH8pEtst8 root@DESKTOP99 
The key's randomart image is: 
+---[RSA 3072]----+ 
| ..o=*+.         | 
| oo=+B= .. .     | 
| .=o= oo. + .    | 
| ++o . . = o     | 
|.o= .   S =      | 
|.. . E = = +     | 
|    . o B =      | 
|     . o +       | 
|                 | 
+----[SHA256]-----+ 

Choosing the key type and key length:

ssh-keygen -t rsa -b 4096

Copy the contents of id_rsa.pub into .ssh/authorized_keys on the server, or use the ssh-copy-id command:

ssh-copy-id -i ~/.ssh/mykey user@host
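To make the Files section concrete, here is an added Python example (not from the original notes) that builds a public key line in the id_rsa.pub/authorized_keys format, derives the SHA256 fingerprint that ssh-keygen prints, and looks a host up in a known_hosts file, including the hashed |1|salt|hmac| host fields OpenSSH writes when HashKnownHosts is enabled. It uses ssh-ed25519 rather than RSA only because the blob is shorter; the key bytes, hostnames and salt are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire "string": uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data

def ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    # One-line public key format shared by id_*.pub, authorized_keys and known_hosts.
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    # ssh-keygen -l style fingerprint: SHA256 over the decoded blob, base64 without padding.
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_hostname(hostname: str, salt: bytes) -> str:
    # The |1|salt|hmac| host field OpenSSH writes when HashKnownHosts is enabled (HMAC-SHA1).
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def host_matches(host_field: str, hostname: str) -> bool:
    # The host field may be plain, comma-separated (name,IP) or hashed.
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")

def find_host_key(known_hosts: str, hostname: str):
    # Return (keytype, fingerprint) of the first entry matching hostname, or None.
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host_field, keytype, b64 = line.split()[:3]
        if host_matches(host_field, hostname):
            return keytype, fingerprint(f"{keytype} {b64}")
    return None

# Constructed sample data: a fake 32-byte key (not a real ed25519 point) and a two-entry known_hosts.
SAMPLE_KEY = ed25519_pubkey_line(bytes(range(32)), "root@DESKTOP99")
KNOWN_HOSTS = "\n".join([
    "legacyhost,10.10.10.86 " + SAMPLE_KEY,
    hashed_hostname("bastion", b"\x01" * 20) + " " + SAMPLE_KEY,  # fixed salt so it is reproducible
])
```

Comparing the fingerprint a server presents on first connection against one obtained out of band is the check that defeats the man-in-the-middle case described above; a hashed known_hosts hides which hosts a compromised client has visited, but still lets the client verify a host it already knows.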

Enumeration

msf5 auxiliary(scanner/ssh/ssh_enumusers) > show options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CHECK_FALSE  false            no        Check for false positives (random username)
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        22               yes       The target port
   THREADS      1                yes       The number of concurrent threads
   THRESHOLD    10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                      no        Single username to test (username spray)
   USER_FILE                     no        File containing usernames, one per line

Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet

msf5 auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 50 
THREADS => 50 
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 10.10.10.86 
RHOSTS => 10.10.10.86 
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE users.lst 
USER_FILE => users.lst 
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run 
[*] 10.10.10.86:22 - SSH - Using malformed packet technique 
[*] 10.10.10.86:22 - SSH - Starting scan 
[-] 10.10.10.86:22 - SSH - User 'jackie.abbott' not found 
[-] 10.10.10.86:22 - SSH - User 'isidro' not found 
[-] 10.10.10.86:22 - SSH - User 'roy' not found 
[-] 10.10.10.86:22 - SSH - User 'colleen' not found 
[-] 10.10.10.86:22 - SSH - User 'harrison.hessel' not found 
[-] 10.10.10.86:22 - SSH - User 'asa.christiansen' not found 
[-] 10.10.10.86:22 - SSH - User 'jessie' not found 
[-] 10.10.10.86:22 - SSH - User 'milton_hintz' not found 
[-] 10.10.10.86:22 - SSH - User 'demario_homenick' not found 
[-] 10.10.10.86:22 - SSH - User 'paris' not found 
[-] 10.10.10.86:22 - SSH - User 'gardner_ward' not found 
[-] 10.10.10.86:22 - SSH - User 'daija.casper' not found 
[-] 10.10.10.86:22 - SSH - User 'alanna.prohaska' not found 
[-] 10.10.10.86:22 - SSH - User 'russell_borer' not found 
[-] 10.10.10.86:22 - SSH - User 'domenica.kulas' not found 
[-] 10.10.10.86:22 - SSH - User 'nick' not found 
[-] 10.10.10.86:22 - SSH - User 'rose' not found 
[-] 10.10.10.86:22 - SSH - User 'pat_wilkinson' not found 
[+] 10.10.10.86:22 - SSH - User 'genevieve' found 
[-] 10.10.10.86:22 - SSH - User 'blaise.sauer' not found 
[-] 10.10.10.86:22 - SSH - User 'abbigail' not found 

SSH Mismatch

If you get the error:

Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Use the '-oKexAlgorithms' option (or '-keyexchange') to explicitly allow the key exchange method the server offers.

Example:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

Install ssh v1

sudo apt-get install -y openssh-client-ssh1


Last updated 5 years ago


https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_enumusers