SSH

Username and password Authentication

ssh bandit0@bandit.labs.overthewire.org -p 2220
ssh bandit0@bandit.labs.overthewire.org -p 2220 -oHostKeyAlgorithms=+ssh-rsa
sshpass -p 'password' ssh bandit0@bandit.labs.overthewire.org -p 2220

RSA keys Authentication

Enable service daemon

sudo systemctl start sshd

Create keys

Create a pair of RSA keys in /home/USER/.ssh:

ssh-keygen

id_rsa (private key; 400 permissions required for the remote connection)
id_rsa.pub (public key)

Connect from Machine 2 to Machine 1 without a password

Method 1

The public key (id_rsa.pub) of computer 2 has to be in the file authorized_keys on computer 1.

(Diagram: Machine 2, the attacker, copies its id_rsa.pub into authorized_keys on Machine 1, the target.)

The exact process depends on some factors. If the authorized_keys file doesn't exist, we can simply copy the entire id_rsa.pub and rename it; but if authorized_keys already exists it may contain other authorized keys that we shouldn't delete. In that case we append our key to the bottom of authorized_keys, like below:

  1. On computer 2
    Print the content of /home/USER/.ssh/id_rsa.pub and copy it to the clipboard:
cat /home/USER/.ssh/id_rsa.pub

  2. On computer 1
    Using echo, paste the key and append it to authorized_keys (the file is created if it doesn't exist):
echo "ssh-rsa AAAA......gv7v......y2w/oJ0= kali@kali" >> ~/.ssh/authorized_keys

    That line is now the last entry of authorized_keys on computer 1.

  3. On computer 2
    All is ready; now connect without a password:
ssh USER_OF_COMPUTER_1@IP_OF_COMPUTER_1
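The manual append above works but silently creates duplicates and leaves permissions to chance. The following shell function is an added example (not part of the original note): it appends a public key only if it is not already present and sets the permissions sshd requires on ~/.ssh and authorized_keys. The function name add_authorized_key, its parameters and the demo key blob are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original note: append a public key to a user's
# authorized_keys idempotently, creating the directory and file with the
# permissions sshd expects (700 on ~/.ssh, 600 on authorized_keys).
# Paths are parameters so the function can be exercised against a scratch directory.

# add_authorized_key <ssh_dir> <public_key_file>
# Prints "added" when the key was appended, "present" when it was already there.
add_authorized_key() {
    ssh_dir="$1"
    pubkey_file="$2"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; compare only type+key so a
    # different comment on the same key does not produce a duplicate entry.
    key_part=$(awk 'NR==1 {print $1" "$2}' "$pubkey_file")
    [ -n "$key_part" ] || { echo "empty or unreadable public key" >&2; return 1; }

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    if awk -v k="$key_part" '($1" "$2)==k {found=1} END {exit !found}' "$auth_file"; then
        echo present
    else
        cat "$pubkey_file" >> "$auth_file"
        echo added
    fi
}

# Constructed demo in a temporary directory with a fake, non-functional key blob.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORDEMOONLY00000000000000000000 user@machine2\n' > "$demo_dir/id_demo.pub"
add_authorized_key "$demo_dir/.ssh" "$demo_dir/id_demo.pub"   # added
add_authorized_key "$demo_dir/.ssh" "$demo_dir/id_demo.pub"   # present
```

On a real host run it as the target user with "$HOME/.ssh" as the first argument; sshd with StrictModes (the default) refuses keys in a world- or group-writable directory, which the chmod calls prevent.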

Method 2

Automated version of method 1, but the password of computer 1 has to be entered at least once.

  1. On the computer 2
ssh-copy-id -i ~/.ssh/id_rsa.pub COMPUTER_1_USERNAME@COMPUTER_1_IP

After this, our id_rsa.pub has been appended to authorized_keys on computer 1.

Method 3

  1. Set the public key of comp1 as its own authorized_keys (may not work depending on configuration).
    This lets anyone holding the private key of comp1 connect to comp1, e.g. from computer 2.
cp id_rsa.pub authorized_keys
  2. Copy the private key (id_rsa) from C1 to C2.
  3. From C2, connect using that private key file of C1 (id_rsa); its permissions should be 600.
ssh -i id_rsa user@ipaddress
ssh -i root_key -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa root@10.10.250.21

Port forwarding

Port 80 on a victim machine that we cannot reach directly will be made available on our machine at 127.0.0.1:33. The -L argument is LOCAL_PORT:DESTINATION_HOST:DESTINATION_PORT, and 127.0.0.1 there is resolved on the SSH server side (the victim), so the local port comes first. Binding a local port below 1024 (such as 33) requires root on our machine.

ssh user@"VICTIM_IP" -L 33:127.0.0.1:80

Transfer files

  • Secure Copy Protocol
  • Transfers files between two computers using the SSH protocol
  • Provides both authentication and encryption
  • MITM: protection against it depends on verifying the server's host key, as with any SSH connection

Working on a model of SOURCE and DESTINATION, SCP allows you to:

  • Copy files & directories from your current system to a remote system
  • Copy files & directories from a remote system to your current system

Send a file

Send file1.txt from my machine to the target machine, saving it there as file2.txt

scp file1.txt <target_username>@<target_IP>:/home/ubuntu/file2.txt

Download a file

Get documents.txt from the target machine to my machine (into my current directory, .)

scp <target_username>@<target_IP>:/home/ubuntu/documents.txt .

Same, but save it locally as notes.txt

scp <target_username>@<target_IP>:/home/ubuntu/documents.txt notes.txt

Examples to get all files from a folder (the * is expanded by the remote shell)

scp <target_username>@<target_IP>:/home/ubuntu/* .
scp <target_username>@<target_IP>:/home/ubuntu/* ~

Math

Tools for RSA CTF challenges

https://github.com/Ganapati/RsaCtfTool
https://github.com/ius/rsatool

Errors

Enumeration

Get the version and search for it on Launchpad.

sudo nmap -sCV -p22 127.0.0.1

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
Search https://launchpad.net/ubuntu for: OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13

Using Metasploit

SSH Enum

auxiliary/scanner/ssh/ssh_version
auxiliary/scanner/ssh/ssh_login # Brute force
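From the defender's side, the ssh_login brute force above shows up as a burst of "Failed password" entries in auth.log. The following is an added example (not from the original note) of detection logic run over constructed log lines: it counts failures per source address and reports those at or above a threshold. The function name failed_by_ip and the sample log are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original note: count failed SSH logins per source
# address in auth.log-style lines and report addresses at or above a threshold.
# The log lines below are constructed for the demo (documentation IP ranges).

SAMPLE_LOG='Oct  2 07:01:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51312 ssh2
Oct  2 07:01:12 host sshd[1203]: Failed password for root from 203.0.113.5 port 51314 ssh2
Oct  2 07:01:13 host sshd[1205]: Failed password for root from 203.0.113.5 port 51316 ssh2
Oct  2 07:01:14 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51318 ssh2
Oct  2 07:02:30 host sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Oct  2 07:03:01 host sshd[1212]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Oct  2 07:03:05 host sshd[1214]: Accepted password for bob from 198.51.100.7 port 40031 ssh2'

# failed_by_ip <threshold>   (reads log lines on stdin)
# Prints "<ip> <count>" for every source address with at least <threshold> failures.
failed_by_ip() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The username may be "invalid user <name>", so locate "from" by position
            # instead of assuming a fixed field number.
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }'
}

# Demo: addresses with 3 or more failures in the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip 3
```

On a real host pipe the log in with something like `grep sshd /var/log/auth.log | failed_by_ip 10`; a single typo-prone user rarely exceeds a handful, while a brute force produces hundreds within minutes.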

Exploitation

John The Ripper

https://github.com/openwall/john/blob/bleeding-jumbo/run/ssh2john.py

wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py

Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located at /opt/john/ssh2john.py. If you're doing this, replace the ssh2john command with python3 /opt/ssh2john.py, or on Kali, python /usr/share/john/ssh2john.py.

ssh2john [id_rsa private key file] > [output file]

ssh2john - invokes the ssh2john tool

[id_rsa private key file] - the path to the id_rsa file you wish to get the hash of

> - the output redirector; we use it to send the output of this command to the...

[output file] - the file that will store the output from

Example Usage
ssh2john id_rsa > id_rsa_hash.txt

Cracking

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt

Exploit libssh

SSH Exploitation

use auxiliary/scanner/ssh/libssh_auth_bypass
set SPAWN_PTY true
run

Hardening SSH

  • In the admin shell, go to the /etc/ssh/sshd_config file and edit it using your favourite text editor (remember to use sudo).

  • Find the line that says #PasswordAuthentication yes and change it to PasswordAuthentication no (remove the # sign and change yes to no).

  • Next, find the line that says Include /etc/ssh/sshd_config.d/*.conf and change it to #Include /etc/ssh/sshd_config.d/*.conf (add a # sign at the beginning).

  • Save the file, then enter the command sudo systemctl restart ssh.
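Editing sshd_config by hand is easy to get wrong, and the effective value can come from a drop-in file rather than the line you changed. The following is an added example (not from the original note) that checks the effective settings as printed by `sshd -T` (lowercase "key value" lines) against the note's PasswordAuthentication no plus a few common hardening values; it goes slightly beyond the note by also checking PermitRootLogin, PubkeyAuthentication and PermitEmptyPasswords. The function name check_sshd_config and the sample dump are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original note: compare the effective sshd settings
# (the output of `sudo sshd -T`) against expected hardening values. Input is read
# on stdin so the function works on a saved dump or the constructed sample below.

# Constructed sample of `sshd -T` output for a default-like install.
SAMPLE_DUMP='port 22
passwordauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes
permitemptypasswords no
maxauthtries 6'

# check_sshd_config   (reads "key value" lines on stdin)
# Prints one "FAIL key=value (want expected)" line per deviation and returns the
# number of deviations as its exit status (0 means every checked setting is correct).
check_sshd_config() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"    # the setting the note changes
            want["permitrootlogin"]        = "no"
            want["pubkeyauthentication"]   = "yes"   # keys must still work after passwords are off
            want["permitemptypasswords"]   = "no"
        }
        ($1 in want) && $2 != want[$1] { print "FAIL " $1 "=" $2 " (want " want[$1] ")"; n++ }
        END { exit n+0 }'
}

# Demo on the constructed sample: two deviations are expected.
printf '%s\n' "$SAMPLE_DUMP" | check_sshd_config
echo "deviations: $?"
```

On a live host run `sudo sshd -T | check_sshd_config` after editing, and `sudo sshd -t` to validate the file's syntax before `sudo systemctl restart ssh`, so a typo cannot lock you out.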