SSH

SSH Security & Exploitation Guide

1. About SSH

Secure Shell (SSH) is a cryptographic network protocol that gives two hosts an encrypted, mutually authenticated channel over an untrusted network; remote shells, command execution, file transfer (scp/sftp) and port forwarding all run inside that one channel.

  • Default Port: 22/TCP

  • Configuration File: /etc/ssh/sshd_config

Check configuration (the lines explicitly set, with comments and blank lines stripped):

grep -Ev '^\s*(#|$)' /etc/ssh/sshd_config

Anything not listed takes OpenSSH's compiled-in default, so an absent line is not the same as a safe setting; as root, sshd -T prints every effective value, defaults included.

2. Authentication Methods in OpenSSH

OpenSSH implements five method names on the wire (the names used in PreferredAuthentications and in the server's "Authentications that can continue" reply): password, publickey, hostbased, keyboard-interactive and gssapi-with-mic. Described as they are usually configured:

  1. Password Authentication – Username + password, sent inside the encrypted channel; only as strong as the password and whatever brute-force protection sits in front of the daemon.

  2. Public-Key Authentication – The client proves possession of a private key by signing session-bound data; the server checks the signature against the user's authorized_keys. The strongest commonly deployed method.

  3. Host-Based Authentication – The connecting host's key vouches for the user, based on /etc/ssh/shosts.equiv and ~/.shosts; compromising one trusted host carries over to every host that trusts it.

  4. Keyboard-Interactive Authentication – Generic server-driven prompts, normally backed by PAM; this is how OTP and other MFA challenges are delivered.

  5. Challenge-Response Authentication – The legacy name for the same keyboard-interactive mechanism; the ChallengeResponseAuthentication keyword is a deprecated alias of KbdInteractiveAuthentication.

  6. GSSAPI Authentication – Kerberos tickets via GSSAPI (gssapi-with-mic); off by default (GSSAPIAuthentication no).


3. Public-Key Authentication

  • Private Key → Stays on the client machine (~/.ssh/id_rsa, id_ed25519, ...). Must be kept secret: anyone who can read it can log in wherever the matching public key is installed.

  • Public Key → Appended, one per line, to the target account's ~/.ssh/authorized_keys on the server (or wherever AuthorizedKeysFile points).

Process:

  1. Key exchange completes first; both sides now share a session identifier (the hash of the first key exchange) and an encrypted channel.

  2. The client sends SSH_MSG_USERAUTH_REQUEST with method "publickey", the key algorithm, its public-key blob, and a signature made with its private key over the session identifier plus the request fields (RFC 4252, section 7).

  3. The server looks the offered key up in the user's authorized_keys and verifies the signature with it. A valid signature proves possession of the private key, which never leaves the client, and because the session identifier is signed a captured signature cannot be replayed in another session.

No challenge is encrypted to the client's public key; the proof is a signature, which is why only the public half ever needs to be on the server.
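To make the signature-based flow concrete, here is an added example (not code from the original page, and not OpenSSH's code) that models both sides in Python using only the standard library. Because the stdlib has no RSA, it carries a small pure-Python RSA with a 1024-bit demo modulus; real keys come from ssh-keygen. The byte layouts are the real ones: the ssh string and mpint encoding, the ssh-rsa blob that authorized_keys stores in base64, the session-bound data the client signs (RFC 4252 section 7) and the rsa-sha2-256 PKCS#1 v1.5 signature the server checks (RFC 8332). The user name alice, the comment alice@laptop and the random session identifiers are made up for the demonstration.

```python
"""Model of OpenSSH publickey user authentication (RFC 4252 s.7, RFC 8332). Added example,
not code from the original page or from OpenSSH. Stdlib only, so it carries a small pure-Python
RSA (1024-bit demo modulus; real keys come from ssh-keygen). The byte layouts are the real ones:
ssh string/mpint, the ssh-rsa authorized_keys blob, the signed data, the rsa-sha2-256 signature."""
import base64, hashlib, hmac, secrets, struct

SSH_MSG_USERAUTH_REQUEST = 50
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix of SHA-256

def ssh_string(b: bytes) -> bytes:                        # uint32 length + bytes (RFC 4251)
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:                           # positive two's complement integer
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + b if b and b[0] & 0x80 else b)

def read_strings(buf: bytes, count: int) -> list:         # parse `count` consecutive ssh strings
    out, off = [], 0
    for _ in range(count):
        (n,) = struct.unpack_from(">I", buf, off)
        out.append(buf[off + 4:off + 4 + n])
        off += 4 + n
    return out

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin with random bases
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 1024) -> dict:
    e, half = 65537, bits // 2
    def prime() -> int:
        while True:
            c = secrets.randbits(half) | (1 << (half - 1)) | 1   # full length and odd
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                            # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def emsa(msg: bytes, k: int) -> bytes:                    # EMSA-PKCS1-v1_5 encoding, SHA-256
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv: dict, msg: bytes) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa(msg, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rsa_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa(msg, k))  # whole encoding

def pubkey_blob(key: dict) -> bytes:                      # the blob authorized_keys holds in base64
    return ssh_string(b"ssh-rsa") + ssh_mpint(key["e"]) + ssh_mpint(key["n"])

def signed_data(session_id: bytes, user: str, alg: bytes, blob: bytes) -> bytes:
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])     # RFC 4252 s.7 layout
            + ssh_string(user.encode()) + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x01" + ssh_string(alg) + ssh_string(blob))

def client_sign(priv: dict, session_id: bytes, user: str) -> tuple:
    blob = pubkey_blob(priv)                              # the private key itself is never sent
    sig = rsa_sign(priv, signed_data(session_id, user, b"rsa-sha2-256", blob))
    return blob, ssh_string(b"rsa-sha2-256") + ssh_string(sig)

def server_verify(authorized_keys: str, session_id: bytes, user: str, blob: bytes, signature: bytes) -> bool:
    fields = [line.split() for line in authorized_keys.splitlines()]
    if blob not in {base64.b64decode(f[1]) for f in fields if len(f) >= 2 and f[0] == "ssh-rsa"}:
        return False                                      # authorization is just presence in the file
    kt, e_b, n_b = read_strings(blob, 3)
    alg, sig = read_strings(signature, 2)
    if kt != b"ssh-rsa" or alg != b"rsa-sha2-256":
        return False
    return rsa_verify(int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big"),
                      signed_data(session_id, user, alg, blob), sig)   # binds to THIS session id

def demo() -> tuple:
    alice, mallory = rsa_keygen(), rsa_keygen()            # demo identities
    auth_keys = f"ssh-rsa {base64.b64encode(pubkey_blob(alice)).decode()} alice@laptop\n"
    sid1, sid2 = secrets.token_bytes(32), secrets.token_bytes(32)   # stand-ins for two sessions' exchange hashes
    blob, sig = client_sign(alice, sid1, "alice")
    m_blob, m_sig = client_sign(mallory, sid1, "alice")
    return (server_verify(auth_keys, sid1, "alice", blob, sig),      # genuine login: True
            server_verify(auth_keys, sid2, "alice", blob, sig),      # captured sig, new session: False
            server_verify(auth_keys, sid1, "alice", m_blob, m_sig))  # valid sig, key not listed: False
```

demo() returns (True, False, False): the genuine login verifies; the same signature presented in a different session fails because the session identifier is part of the signed data; and a perfectly valid signature from a key that is not in authorized_keys fails at the lookup. That third case is the whole basis of the "inject your own public key" technique later on the page: authorization is nothing more than presence in that file.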

File Permissions:

chmod 600 ~/.ssh/id_rsa
chmod 700 ~/.ssh

The client refuses a private key whose mode is more open than 0600 ("UNPROTECTED PRIVATE KEY FILE!"). On the server, StrictModes (the default) makes sshd ignore authorized_keys entirely when the home directory, ~/.ssh or the file itself is writable by group or others, which shows up as a key that is simply refused with no explanation on the client side.

4. Dangerous SSH Config Settings

Be cautious if any of these are in effect, whether written in sshd_config or inherited as the default:

  • PermitRootLogin yes → Root can log in directly, including with a password. The default is prohibit-password (key only); no is the safest choice.

  • PasswordAuthentication yes → The default; exposes every account to password guessing. Set to no once keys are deployed.

  • PermitEmptyPasswords yes → Accounts with an empty password field can log in over SSH.

  • AllowTcpForwarding yes → The default; any authenticated user can tunnel traffic through the server with -L, -R or -D, which is exactly how an attacker pivots from it. Set to no for accounts that only need a shell or SFTP.

  • X11Forwarding yes → A compromised or hostile server can reach the client's X display through the forwarded channel (keystroke and window snooping). Off by default upstream, but some distributions enable it.

  • HostbasedAuthentication yes → Access is granted on the strength of the connecting host's key, so one compromised trusted host opens every host that trusts it.
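An added example (not from the original page or from OpenSSH) that audits the global section of an sshd_config for the settings above, applying the parsing rules that matter for a correct answer: keywords are case-insensitive, the first value set for a keyword wins, a Match block ends the global section, and anything absent takes OpenSSH's default (8.x/9.x values). The sample config inside it is constructed. It does not follow Include directives or handle quoted values; sshd -T on the host remains the authoritative view.

```python
"""Audit the global section of an sshd_config for the risky settings listed above.
Added example, not code from the original page or from OpenSSH. Applies three rules from
sshd_config(5): keywords are case-insensitive, the first value set for a keyword wins, and a
Match block ends the global section (its values are conditional). Absent keywords take
OpenSSH's defaults, as the daemon does. Include directives and quoted values are not handled."""
import re

DEFAULTS = {  # OpenSSH 8.x/9.x defaults for the keywords audited here
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "hostbasedauthentication": "no",
}
RISKY = {  # keyword -> (values that trigger a finding, why it matters)
    "permitrootlogin": ({"yes"}, "root can log in directly, including with a password"),
    "passwordauthentication": ({"yes"}, "password guessing is possible; prefer keys"),
    "permitemptypasswords": ({"yes"}, "accounts with an empty password can log in"),
    "allowtcpforwarding": ({"yes", "all"}, "users can tunnel arbitrary traffic (-L/-R/-D)"),
    "x11forwarding": ({"yes"}, "a hostile server can reach the client's X display"),
    "hostbasedauthentication": ({"yes"}, "trust is delegated to client host keys"),
}
LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")  # "Key value" or "Key = value"

def effective_settings(text: str) -> dict:
    """Return {keyword: (value, 'explicit'|'default')} for the audited keywords."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        kw, val = m.group(1).lower(), m.group(2).lower()
        if kw == "match":          # everything below is conditional, not global
            break
        seen.setdefault(kw, val)   # first occurrence wins, later ones are ignored by sshd
    return {kw: (seen[kw], "explicit") if kw in seen else (default, "default")
            for kw, default in DEFAULTS.items()}

def audit(text: str) -> list:
    """List of (keyword, value, source, reason) for every risky effective setting."""
    return [(kw, val, src, RISKY[kw][1])
            for kw, (val, src) in effective_settings(text).items()
            if val in RISKY[kw][0]]

SAMPLE = """\
# constructed sample sshd_config, not taken from any real host
Port 22
PermitRootLogin yes
PermitRootLogin no
passwordauthentication = yes
X11Forwarding no
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for kw, val, src, why in audit(SAMPLE):
        print(f"{kw} = {val} ({src}): {why}")
```

Run against SAMPLE it flags PermitRootLogin yes (the later PermitRootLogin no is ignored because the first value wins), PasswordAuthentication yes, and AllowTcpForwarding yes even though that keyword never appears in the global section: yes is the default, and the AllowTcpForwarding no under Match User backup applies to that user only.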


5. Tools & Exploitation Techniques

SSH Audit

Scan an SSH server's host-key, key-exchange, cipher and MAC algorithms and its banner version for known weaknesses (the tool is also on PyPI as ssh-audit):

git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py 192.0.2.25

Change Authentication Method

Force the client to try only password authentication (for example to test a guessed password when it would otherwise offer keys first). With -v the debug output also shows the methods the server accepts ("Authentications that can continue: ..."), which tells you whether passwords are even permitted before you start guessing:

ssh -v rio@192.0.2.25 -o PreferredAuthentications=password

Use Private Key for Login

The key file must be readable only by you (mode 0600) or the client refuses it; when an agent is holding other keys, -o IdentitiesOnly=yes makes the client offer exactly this one:

ssh -i /path/to/private/keyfile user@192.0.2.25

Inject Your Own Public Key

If you gain write access to the target account's:

~/.ssh/authorized_keys

→ Append your public key as one line (key type, base64 blob, optional comment) and log in as that user with the matching private key; no password is involved. Two checks before relying on it: the file, ~/.ssh and the home directory must not be group- or world-writable or StrictModes makes sshd ignore the file, and sshd_config may point AuthorizedKeysFile somewhere else entirely. Existing entries that start with options such as from=, command= or restrict are limited in where they work and what they can run; a line you add without options has none of those limits.

Searching for Private Keys on Compromised Systems

Private keys are text files whose first line is "-----BEGIN ... PRIVATE KEY-----" (RSA, DSA, EC, OPENSSH, or PKCS#8 with no type). List every readable file that contains such a line, skipping binaries:

grep -rIlE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' / 2>/dev/null

Start with /root/.ssh, /home/*/.ssh, /etc/ssh (host keys), backups and deployment directories. A key with a "Proc-Type: 4,ENCRYPTED" header, or an OPENSSH container that names a cipher other than none, is passphrase-protected and has to be cracked before it is usable.
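An added example (not from the original page) that does the hunt in Python instead of grep and answers the next question straight away: is the key passphrase-protected? It recognises the legacy PEM containers (-----BEGIN RSA/EC/DSA PRIVATE KEY-----, encrypted when a Proc-Type: 4,ENCRYPTED header is present; PKCS#8 BEGIN PRIVATE KEY versus BEGIN ENCRYPTED PRIVATE KEY) and the modern -----BEGIN OPENSSH PRIVATE KEY----- container, whose base64 body starts with the magic openssh-key-v1, a cipher name and a KDF name; cipher none means the key is stored in the clear. Symlinks, non-regular files and anything over 64 KiB are skipped. The files that demo() writes are constructed headers with no real key material.

```python
"""Find SSH private keys under a directory and report whether each is passphrase-protected.
Added example, not code from the original page. Recognises the PEM containers (encrypted when
a "Proc-Type: 4,ENCRYPTED" header is present; PKCS#8 "BEGIN PRIVATE KEY" vs "BEGIN ENCRYPTED
PRIVATE KEY") and the modern "-----BEGIN OPENSSH PRIVATE KEY-----" container, whose decoded body
opens with the magic "openssh-key-v1\\0", a cipher name and a KDF name; cipher "none" means
cleartext. The sample files written by demo() are constructed headers with no key material."""
import base64
import os
import re
import stat
import struct
import tempfile

BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----")
MAX_SIZE = 64 * 1024  # private keys are small; skip big files (and most binaries) quickly

def ssh_string(b: bytes) -> bytes:  # uint32 length + bytes, used to build the sample header
    return struct.pack(">I", len(b)) + b

def openssh_v1_cipher(body_b64: bytes) -> str:
    """Cipher name from an openssh-key-v1 blob, or 'unknown' if the body is not that format."""
    magic = b"openssh-key-v1\x00"
    try:
        blob = base64.b64decode(body_b64)
        if not blob.startswith(magic):
            return "unknown"
        (n,) = struct.unpack_from(">I", blob, len(magic))
        return blob[len(magic) + 4:len(magic) + 4 + n].decode("ascii", "replace")
    except (ValueError, struct.error):
        return "unknown"

def classify(data: bytes):
    """None if no private-key header; else {'format': ..., 'encrypted': bool[, 'cipher': ...]}."""
    m = BEGIN.search(data)
    if not m:
        return None
    label = m.group(1).decode().strip()           # 'RSA', 'EC', 'OPENSSH', 'ENCRYPTED' or ''
    if label == "OPENSSH":
        end = data.find(b"-----END", m.end())
        cipher = openssh_v1_cipher(data[m.end():end if end != -1 else None])
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher}
    if label == "ENCRYPTED":
        return {"format": "pkcs8", "encrypted": True}
    if label == "":
        return {"format": "pkcs8", "encrypted": False}
    return {"format": f"pem-{label.lower()}", "encrypted": b"Proc-Type: 4,ENCRYPTED" in data}

def hunt(root: str) -> list:
    """Walk root, classify small regular files, and note which keys are world-readable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: do not follow symlinks into /dev etc.
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_SIZE:
                    continue
                with open(path, "rb") as fh:
                    found = classify(fh.read())
            except OSError:                       # unreadable or vanished: keep going
                continue
            if found:
                found.update(path=path, world_readable=bool(st.st_mode & stat.S_IROTH))
                hits.append(found)
    return sorted(hits, key=lambda h: h["path"])

def fake_openssh_key(cipher: bytes, kdf: bytes) -> bytes:
    """CONSTRUCTED header only (magic, cipher, kdf); no key material follows."""
    body = base64.encodebytes(b"openssh-key-v1\x00" + ssh_string(cipher) + ssh_string(kdf))
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + b"-----END OPENSSH PRIVATE KEY-----\n"

SAMPLES = {  # constructed files standing in for what a sweep of a backup directory turns up
    "id_ed25519": fake_openssh_key(b"none", b"none"),
    "id_rsa_locked": fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "legacy.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "deploy.key": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "id_rsa.pub": b"ssh-rsa AAAA user@host\n",
    "notes.txt": b"the private key is in the vault\n",
}

def demo() -> list:
    """Write the constructed samples to a temp dir, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [dict(h, name=os.path.basename(h["path"])) for h in hunt(root)]

if __name__ == "__main__":
    for h in demo():
        print(f"{h['name']:14} {h['format']:15} {'ENCRYPTED' if h['encrypted'] else 'CLEARTEXT'}")
```

hunt('/') is what you would run on a compromised box; as an unprivileged user most of the tree is skipped on PermissionError, which is fine. The world_readable flag is worth reporting separately: a cleartext key that other local users can read is a finding in its own right, independent of what it unlocks.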

6. Tips2Hack

  • Hunt for exposed private keys in backups, configuration-management and CI repositories, home directories and world-readable paths; check for a passphrase before spending time on a key (ssh-keygen -y -f prompts for one if the key is protected).

  • Abuse weak configs (like PermitRootLogin yes): root and service accounts that accept passwords are where guessed or reused credentials pay off.

  • Pivot using SSH tunnels. The example below binds local port 8080 to port 80 on the server's own loopback, so a service the server exposes only to 127.0.0.1 becomes reachable from your machine (add -N to open the tunnel without a shell; -D gives a SOCKS proxy and -R a reverse tunnel):

    ssh -L 8080:127.0.0.1:80 user@192.0.2.25

  • Bruteforce (last resort): hydra or medusa can test credential lists, but it is noisy, MaxAuthTries (default 6) caps attempts per connection, and fail2ban-style tools ban the source address. Trying a recovered key against many hosts produces one quiet publickey failure per host instead of a stream of password failures, so keys are the better first move.
