Examining through every open port is essentially the first step hackers take in order to prepare for their attack. And in order to operate, one is expected to keep their port open but at the same time, they are intimidated by the fear of hackers. Therefore, one must learn to defend their ports even if they are open. In this post, we will consider penetration testing of SSH which is also recognized as Secure Shell.
The SSH protocol also declared as Secure Shell is a procedure for safe and reliable antique login from one computer to another. It allows various options for strong authentication, as it preserves the connections and communications and integrity with secure encryption. It is a protected alternative to the non-protected login protocols and insecure file transfer systems.
How do we install SSH?
It is very simple to install and configure ssh service, we can quickly install ssh set by using the OpenSSH-server package from the ubuntu repo. To install any help you must have a root right account and then follow the given below command.
apt install OpenSSH-server
When you do the above command it will remove the package the install the error configure on the host organization.
How do we do SSH port scanning?
If you don’t have a direct way to the host device, use Nmap to remotely recognize the port state that is estimated to be the primary step of the penetration test. Here we’re working to use Kali Linux to conduct penetration testing.
So, to recognize an open port on a remote network, we will use a variant scan of the map that will not only recognize an open port but will also complete a banner grabbing that displays the connected version of the service.
nmap -sV -p22 192.168.1.103
What are the methods to connect SSH?
Terminal Command (Linux) Now complete the next command to enter the ssh shell of the remote device as an approved user. Username: ignite Password: 123
ssh [email protected]
- Step 1: Connect putty.exe and operate it, then start the HOST IP address <192.168.1.103> and port <22>, also want to connect type as SSH.
- Step 2: To establish an association between the client and the server, a putty gathering will be created that needs a login credential. Username: ignite Password: 123 How to do port redirection testing?
Thus, if we have worked the scan on port 22, it has given port state CLOSE for ssh whereas port 2222 OPEN for ssh which can be seen .
How to establish an SSH connection using an RSA key?
Safe passwords don’t seem to be nice to obtain from the server because a brute power attack can break them. That’s why you need an additional protection method to defend the SSH server.SSH key pairs are another important feature to confirm clients to the server. It consists of a long string of figures:
a public and a private key. You can put the public key on the server and the private key on the client device and unlock the server by comparing the private key of the client engine. Once the keys match up, the system allows you to automatically build an SSH session without the requirement to type in a password.
Ssh-keygen is a tool for generating new authentication key pairs for SSH. The before-mentioned key pairs are used for automating logins, single sign-on, and for verifying hosts. Thus, we will follow the steps for generating a key pair for a confirmed connection.
Step 1: Move the given command to create an ssh key pair on the host device Ubuntu.
Step 2: Equal should be done on the client device which is allowed to build the relationship with the host device.
Step 3: Once the ssh key pair gets created then rename the id_rsa.pub into authorized_keys.
cat id_rsa.pub > authorized_keys
Step 4: Give the authorized_keys to the host device by making it into the .ssh directory.
Step 5: Correct the sshd_config from inside the /etc/sshd using the editor.
Step 6: Make the “password authentication no” comment As a consequence of only the authorized movement, the RSA key can create an association with the host machine without using the password.
Now if you require it to equate to the ssh server using your password username, the server will release your connection offer because it will authenticate the request that has an authorized key.
Step 7: Follow the id_rsa key from Kali Linux to the windows device, to build an association using authorized_keys on the windows machine.
Step 8: Connect puttygen.exe
Step 9: Run puttygen.exe and place the id_rsa and “save as key” described as Key
Step 10: Use putty.exe to combine with the host device by starting hostname 192.168.1.103 and port 22.
Step 11: Drive to SSH >auth and peruse the private key that you have collected as mentioned in step 9.
How to exploit SSH with Metasploit?
SSH Key Persistence- Post Exploitation:
Suppose a situation, that by agreeing on the host device you have received a meterpreter gathering and need to leave a strong backdoor that will give a backward attachment for next time.
This can be accomplished with the guidance of the Metasploit module called “SSH Key Persistence-a post exploit” when port 22 is working on the host device. This module will continue an SSH key to a designated user, to allow past login on the victim via SSH at any point.
use post/linux/manage/sshkey_persistence msf post(sshkey_persistence) > set session 1 msf post(sshkey_persistence) >exploit
As we guarantee this by joining the host device via port 22 using a private key created above. Here I have renamed the private as “key” and gave support600.
chmod 600 key ssh -i key [email protected]
Stealing the SSH key
Suppose a place, that by agreeing on the host device you have received a meterpreter assembly and port 22 is open for ssh and you require to have SSH public key and authorized key. This can be done with the direction Metasploit module named “Multi Gather OpenSSH PKI Credentials Collection -a post exploit” as shown below.
This module will get the contents of all user’s .ssh directories on the targeted device. Additionally, known_hosts and authorized_keys and other files are also downloaded. This module is mainly based on firefox_creds.RB.
use post/multi/gather/ssh_creds msf post(ssh_creds) >set session 1 msf post(ssh_creds) >exploit
authorized keys stored in the/home/ignite/.ssh folder in our local device at /root/.msf4/loot and now use those keys for login into an SSH server.
As we ensure this by connecting the host device via port 22 using the private key downloaded above. Let’s change the support for the RSA key and to do this follow the step given below.
chmod 600 key ssh -i key [email protected]
SSH login using pubkey
Thinking you have the id_rsa key of the host device and want to obtain a meterpreter assembly via Metasploit and this can be accomplished with the guidance of the subsequent module.
This module will test ssh logins on a spectrum of devices using a defined private key file and report thriving logins. If you have placed a database plugin and compared it to a database this module will record strong logins and hosts so you can track your path. Key files may be a separate private key or individual private keys in a particular directory.
use auxillary/scanner/ssh /ssh_login_pubkey auxiliary (scanner/ssh /ssh_login_pubkey)>set rhosts 192.168.1.103 auxiliary (scanner/ssh /ssh_login_pubkey)>set username ignite auxiliary (scanner/ssh /ssh_login_pubkey)>set key_path /root/.ssh/id_rsa auxiliary (scanner/ssh /ssh_login_pubkey)>exploit
This will open a commanded assembly which can be extra updated into the meterpreter assembly by doing the next command.
sessions -u 1
How do we do SSH password cracking?
We can examine a brute force attack on ssh for suggesting the password or to test the entrance policy while performing entrance testing on SSH. It needs a dictionary for username list and password list, here we have username reference“user.txt” and password account named “pass.txt” to create the brute force approach with the help of hydra
hydra -L user.txt -P pass.txt 192.168.1.103 ssh
As a result, you can recognize that the host device has no protection against brute force attack, and we were able to obtain ssh importance.
To preserve your aid against brute force drive you can use fail2ban which is an IPS.
If you have any doubts about this topic or have to get advice and get the best services and consultation about SSH installation and its ability. Feel free to contact us. AIRZERO SEC will be your strong digital solution. Email id: [email protected]
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/