DiscordHackTheBoxTryHackMeGitHub

SSH

ABOUT

Secure Shell (SSH) enables two computers to establish an encrypted and direct connection within a possibly insecure network on the standard port TCP 22.

OpenSSH has six different authentification methods:

  1. Password authentification

  2. Public-key authentification

  3. Host-based authentification

  4. Keyboard authentification

  5. Challenge-response authentification

  6. GSSAPI authentification

Public Key Authentification

In a first step, the SSH server and client authenticate themselves to each other. The server sends a certificate to the client to verify that it is the correct server. After server authentication, however, the client must also prove to the server that it has access authorization. However, the SSH server is already in possession of the encrypted hash value of the password set for the desired user. As a result, users have to enter the password every time they log on to another server during the same session.

To make all this process easier, there is ability to use public and private key. The private key is created individually for the user's own computer and secured with a passphrase that should be longer than a typical password. The private key is stored exclusively on our own computer and always remains secret. Public keys are also stored on the server. The server creates a cryptographic problem with the client's public key and sends it to the client. The client, in turn, decrypts the problem with its own private key, sends back the solution, and thus informs the server that it may establish a legitimate connection. Config file is sshd_config, and located in /etc/ssh/sshd_config, also could be found via command:

cat /etc/ssh/sshd_config  | grep -v "#" | sed -r '/^\s*$/d'

Dangerous Settings

Setting
Description

PasswordAuthentication yes

Allows password-based authentication.

PermitEmptyPasswords yes

Allows the use of empty passwords.

PermitRootLogin yes

Allows to log in as the root user.

Protocol 1

Uses an outdated version of encryption.

X11Forwarding yes

Allows X11 forwarding for GUI applications.

AllowTcpForwarding yes

Allows forwarding of TCP ports.

PermitTunnel

Allows tunneling.

DebianBanner yes

Displays a specific banner when logging in.

Tips2Hack

  1. SSH-Audit

> git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
> ./ssh-audit.py 13.13.13.13

  1. Change Auth Method

ssh -v venator17@13.13.13.13 -o PreferredAuthentications=password

  1. If you have access to /.ssh/authorized_keys file, then put your public key inside of this file, and then you could log in without password

  2. If you have access to some private key you could download it and use, but check if permissions to private key is chmod 600

ssh -i /path/to/private/keyfile user@hostname

  1. Looking for Private Keys

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
PreviousNFSNextRDP

Last updated