22 - SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Applications include remote command-line, login, and remote command execution.

Files

Each SSH server has its own key and signature, which it presents upon initial connection by a client. This is an extra integrity step to minimise the risk of man-in-the-middle attacks. Once the host key has been accepted, its signature is saved in .ssh/known_hosts on the client.

This means that we would have at least the following files on the server:

.ssh/authorized_keys – holding the signature of the public key of any authorised clients

And the following files on the client:

.ssh/id_rsa – Holds the private key for the client

.ssh/id_rsa.pub – Holds the public key for the client

.ssh/known_hosts – Holds a list of host signatures of hosts that the client has previously connected to

Generating ssh key:

root@Kali:~# ssh-keygen  
Generating public/private rsa key pair. 
Enter file in which to save the key (/root/.ssh/id_rsa):  
Created directory '/root/.ssh'. 
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in /root/.ssh/id_rsa. 
Your public key has been saved in /root/.ssh/id_rsa.pub. 
The key fingerprint is: 
SHA256:0S22hr1iXCscptJ3CUDSsKPMYrFVOfFJIgvH8pEtst8 root@DESKTOP99 
The key's randomart image is: 
+---[RSA 3072]----+ 
| ..o=*+.         | 
| oo=+B= .. .     | 
| .=o= oo. + .    | 
| ++o . . = o     | 
|.o= .   S =      | 
|.. . E = = +     | 
|    . o B =      | 
|     . o +       | 
|                 | 
+----[SHA256]-----+ 
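
The "SHA256:..." fingerprint printed above can be recomputed from the public-key line stored in id_rsa.pub, authorized_keys or known_hosts: it is the unpadded base64 of the SHA-256 digest of the decoded key blob. The following is an added example, not part of the original notes; the ed25519 key is a constructed sample, and the function and variable names are illustrative.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def fingerprint(line: str) -> str:
    """Return the SHA256 fingerprint of the key on a public-key file line.

    Accepts id_rsa.pub / authorized_keys lines ("[options] type blob [comment]")
    and known_hosts lines ("[@marker] hosts type blob [comment]").
    """
    fields = line.split()
    # Find the key-type field; anything before it is options or host names.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no supported public key found on line")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob carries its own copy of the key type; a mismatch means the
    # line was edited or corrupted and should not be trusted.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[idx].encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample key (32 fixed bytes, not a real host or user key).
_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(_blob).decode()
CLIENT_PUB = f"ssh-ed25519 {SAMPLE_B64} root@Kali"
AUTHORIZED = f"no-port-forwarding ssh-ed25519 {SAMPLE_B64} root@Kali"
KNOWN_HOST = f"legacyhost,123.123.123.123 ssh-ed25519 {SAMPLE_B64}"

if __name__ == "__main__":
    for name, line in [("id_*.pub", CLIENT_PUB),
                       ("authorized_keys", AUTHORIZED),
                       ("known_hosts", KNOWN_HOST)]:
        print(f"{name:16} {fingerprint(line)}")
```

All three lines yield the same fingerprint, which is the value to compare against the one the server administrator publishes before accepting a host key prompt.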

Choose the key type and key length:

ssh-keygen -t rsa -b 4096

Copy the contents of id_rsa.pub into .ssh/authorized_keys on the server, or use the ssh-copy-id command.

Enumeration

https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_enumusers

SSH Mismatch

If you get the error:

Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Use the '-oKexAlgorithms' or '-keyexchange'

Example:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

Install ssh v1

sudo apt-get install -y openssh-client-ssh1
