SSH

SSH Security & Exploitation Guide

1. About SSH

Secure Shell (SSH) is a cryptographic network protocol that enables two computers to establish an encrypted and secure connection over potentially insecure networks.

• Default Port: 22/TCP

• Configuration File: /etc/ssh/sshd_config

Check configuration:

cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'

---

2. Authentication Methods in OpenSSH

OpenSSH supports six different authentication mechanisms:

1. Password Authentication – Users log in with username + password.

2. Public-Key Authentication – Most secure; uses private/public key pairs.

3. Host-Based Authentication – Trusts authentication from specific hosts.

4. Keyboard-Interactive Authentication – Step-by-step challenges (MFA).

5. Challenge-Response Authentication – One-time tokens or OTPs.

6. GSSAPI Authentication – Kerberos-based authentication.

---

3. Public Key Authentication (Recommended)

• Private Key → Stays on client machine (id_rsa). Must be kept secret.

• Public Key → Stored in server’s ~/.ssh/authorized_keys.

Process:

1. Server sends a challenge encrypted with client’s public key.

2. Client decrypts with its private key.

3. Successful validation = secure login without typing password.

File Permissions:

chmod 600 ~/.ssh/id_rsa
chmod 700 ~/.ssh

---

4. Dangerous SSH Config Settings

Be cautious if any of these appear in sshd_config:

• PermitRootLogin yes → Allows direct root logins (should be disabled).

• PasswordAuthentication yes → Weaker than key-based authentication.

• PermitEmptyPasswords yes → Allows accounts with blank passwords.

• AllowTcpForwarding yes → Can be abused for tunneling.

• X11Forwarding yes → May allow GUI hijacking.

• HostbasedAuthentication yes → Trusts clients too easily.

---

5. Tools & Exploitation Techniques

SSH Audit

Scan SSH server for weaknesses:

git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py 192.0.2.25

Change Authentication Method

Force SSH to use password authentication:

ssh -v rio@192.0.2.25 -o PreferredAuthentications=password

Use Private Key for Login

ssh -i /path/to/private/keyfile user@192.0.2.25

Inject Your Own Public Key

If you gain write access to:

~/.ssh/authorized_keys

→ Add your public key and log in without a password.

Searching for Private Keys on Compromised Systems

grep -rnw "PRIVATE KEY" / 2>/dev/null | grep ":1"

---

6. Tips2Hack

• Hunt for exposed private keys in backups, config files, or misconfigured directories.

• Abuse weak configs (like PermitRootLogin yes).

• Pivot using SSH tunnels:

  ssh -L 8080:127.0.0.1:80 user@192.0.2.25

• Bruteforce (last resort): Tools like hydra or medusa can test credentials, but key-based logins often bypass rate-limiting.