5. SSH Enumeration

SSH (Secure Shell) is a protocol for secure (encrypted) and reliable remote login from one computer to another.
It is a secure alternative to the unencrypted login protocols (telnet, rlogin) and to insecure file transfer protocols (FTP).
It uses TCP port 22.
OpenSSH is the most popular implementation of SSH.
For better security we can change the default SSH port with the Port directive in /etc/ssh/sshd_config.
Instead of passwords, SSH key pairs can be used for more secure authentication.


Key based authentication in SSH:

When generating SSH authentication keys, an RSA or DSA key pair is created.
When installing openssh-server, the server's public and private keys (its host keys) are generated automatically. For the client, we have to do that manually using ssh-keygen.

Key-based authentication uses two keys:
"public" key that anyone is allowed to see, and
"private" key that only the owner is allowed to see.

To communicate securely using key-based authentication, one creates a key pair, keeps the private key safely on the computer one wants to log in from (the client machine), and stores the public key on the computer one wants to log in to (the server).
Both the client and the server have their own key pairs.
Before you (the client) can log in with your keys, your public key has to be placed on the server.
When you connect to a server, the server checks whether you are allowed to connect at all (defined in /etc/ssh/sshd_config) and whether your public key is listed in the ~/.ssh/authorized_keys file of the account you are logging in to.

The authorized_keys file lists the clients' public keys that are allowed to log in to that account.

When a client (you) connects to the server, public keys are exchanged: you receive the server's public key (its host key), and the server receives yours.
The first time you receive the server's public key you will be asked to accept it. If that key later changes, you will be warned, because a changed host key can indicate a man-in-the-middle (MiTM) attack.

When a client attempts to connect to a server using key-based authentication, the server uses the client's public key to create a message for the client that can only be read with the client's private key.

The client then sends the appropriate response back to the server, and the server knows that the client is legitimate.

This entire process is automatic.
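As an added example (not code from these notes), the host-key check described above in Python: it builds constructed ed25519 public key lines from fixed byte patterns, computes the SHA256 fingerprint the way ssh-keygen -l prints it, and compares a presented host key against known_hosts entries to give the 'new', 'match' or 'CHANGED' verdict that triggers the warning. Host names in known_hosts are assumed to be stored unhashed, and the IP address and host names are constructed.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_line(raw32: bytes, comment: str = "") -> str:
    """Build an 'ssh-ed25519 <base64 blob> comment' line from 32 raw bytes (constructed, not real key material)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

def parse_pubkey_line(line: str):
    """Return (key_type, blob) from a public key line as found in authorized_keys or known_hosts."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():      # the type inside the blob must match the prefix
        raise ValueError("key type mismatch")
    return key_type, blob

def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as printed by 'ssh-keygen -lf': SHA256 of the key blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_key_status(known_hosts: list, host: str, presented_line: str) -> str:
    """Mimic the client's known_hosts lookup for one key type: 'new', 'match' or 'CHANGED'."""
    ptype, pblob = parse_pubkey_line(presented_line)
    verdict = "new"
    for entry in known_hosts:
        fields = entry.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if host not in fields[0].split(","):     # plain (unhashed) host names assumed
            continue
        ktype, blob = parse_pubkey_line(" ".join(fields[1:]))
        if ktype != ptype:
            continue                              # a different key type for the host is not a change
        if blob == pblob:
            return "match"
        verdict = "CHANGED"                       # same host and type, different key: the MiTM warning case
    return verdict

# Constructed sample keys: fixed byte patterns standing in for real key material
KEY_A = make_ed25519_line(bytes(range(32)), "server-a")
KEY_B = make_ed25519_line(bytes(range(32, 64)), "impostor")
KNOWN_HOSTS = [f"192.168.56.101,metasploitable {KEY_A}"]   # constructed known_hosts entry
```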


Enumeration

Nmap NSE scripts for SSH:

  1. ssh-auth-methods - Returns the authentication methods that an SSH server supports, by starting an authentication attempt with a given username.

  2. ssh-publickey-acceptance - Takes a table of paths to private keys, passphrases and usernames, and checks each combination to see whether the target SSH server accepts it for public key authentication.
    If no keys are given, it checks a list of known static public keys.

Note: the scripts above are intrusive, and the connection attempts can be logged on the server.

  1. ssh-hostkey - Shows the target SSH server's key fingerprint and the public key itself (the full key requires a high verbosity level). It has many arguments.

  2. ssh2-enum-algos - Lists the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.

  3. sshv1 - Checks whether the server supports SSH protocol version 1.

Search for SSH enumeration and scanning modules in msfconsole:

search auxiliary/scanner/ssh

  1. ssh_login - Tests a set of credentials against the target's SSH service. It can also be used for brute-force login attempts by providing a USERPASS_FILE (a list of username/password pairs).

Metasploit ships wordlists (username lists, password lists and so on) in /opt/metasploit-framework/data/wordlists/.

ls /opt/metasploit-framework/data/wordlists

From this directory we will use the root_userpass.txt file.
It contains username/password pairs, which we will use to brute-force the SSH service.

Print the file contents:

cat root_userpass.txt

Edit it to include the user msfadmin with the password msfadmin (one line, username and password separated by a space).

Here we gain access (a shell) to Metasploitable2 through the msfadmin user and password.
It is opened as session 4.
We can send the session to the background using Ctrl + C and
access it again using

sessions -i [session_number]

  1. ssh_version

  1. ssh_enumusers

Now we will use the unix_users.txt file (containing usernames) from the wordlist directory for user enumeration.

To print all the usernames (shown as "public") and passwords (shown as "private") that we found through SSH, we use the creds command:

creds -s [SERVICE NAME] [HOST IP]

Viewing Metasploitable2 SSH logs

As per the module above (ssh_enumusers), invalid usernames are logged on the target.
The logs are in the /var/log directory, in the auth.log file.
Connect to Metasploitable2 using SSH or Telnet and view /var/log/auth.log (for example with cat or tail) to see the logs.

As we can see, everything we have done so far is logged.
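As an added example (not part of the original notes), detection logic over a constructed auth.log excerpt in the format Metasploitable2's sshd writes: it parses the Invalid user / Failed password / Accepted lines, aggregates them per source IP, and raises alerts for username enumeration (many unknown usernames from one source) and for a successful login that follows failures, which is exactly what the ssh_enumusers and ssh_login runs above leave behind. The sample log lines, IP addresses and threshold are constructed.

```python
import re
from collections import defaultdict
# sshd messages that ssh_enumusers / ssh_login leave behind in auth.log (Metasploitable2 / Ubuntu 8.04 format)
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_AUTH = re.compile(r"sshd\[\d+\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

def parse_line(line):
    """Classify one auth.log line as an invalid-user, failed or accepted sshd event (None if none of these)."""
    if m := INVALID_USER.search(line):
        return {"event": "invalid", "user": m.group(1), "src": m.group(2)}
    if m := FAILED_AUTH.search(line):
        return {"event": "failed", "method": m.group(1), "user": m.group(2), "src": m.group(3)}
    if m := ACCEPTED.search(line):
        return {"event": "accepted", "method": m.group(1), "user": m.group(2), "src": m.group(3)}
    return None

def summarize(lines):
    """Per source IP: distinct unknown usernames, failed attempts and successful logins."""
    stats = defaultdict(lambda: {"invalid_users": set(), "failed": 0, "accepted": []})
    for ev in filter(None, map(parse_line, lines)):
        s = stats[ev["src"]]
        if ev["event"] == "invalid":
            s["invalid_users"].add(ev["user"])
        elif ev["event"] == "failed":
            s["failed"] += 1
        else:
            s["accepted"].append((ev["user"], ev["method"]))
    return stats

def alerts(lines, enum_threshold=3):
    """(src, message) pairs: username enumeration, and a success that follows failures (guessed password)."""
    out = []
    for src, s in summarize(lines).items():
        if len(s["invalid_users"]) >= enum_threshold:
            out.append((src, f"user enumeration: {len(s['invalid_users'])} unknown usernames tried"))
        if s["failed"] and s["accepted"]:
            who = ", ".join(f"{u} ({m})" for u, m in s["accepted"])
            out.append((src, f"login after {s['failed']} failed attempt(s): {who}"))
    return out

SAMPLE_LOG = """\
Apr  5 13:20:01 metasploitable sshd[5260]: Invalid user admin from 10.0.2.15
Apr  5 13:20:01 metasploitable sshd[5260]: Failed password for invalid user admin from 10.0.2.15 port 44634 ssh2
Apr  5 13:20:02 metasploitable sshd[5262]: Invalid user test from 10.0.2.15
Apr  5 13:20:02 metasploitable sshd[5264]: Invalid user guest from 10.0.2.15
Apr  5 13:20:06 metasploitable sshd[5268]: Accepted password for msfadmin from 10.0.2.15 port 44644 ssh2
Apr  5 13:25:00 metasploitable sshd[5300]: Accepted publickey for alice from 10.0.2.7 port 40210 ssh2
""".splitlines()   # constructed sample excerpt, not a real capture
```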