SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.
Default port: 22
Syntax: ssh username@host
Enumeration
Banner Grabbing
- nc -vn 22
- nmap -sV
- Use msfconsole to Load metasploit framework and use given below exploit for fetching SSH banner.
auxiliary/scanner/ssh/ssh_version
- SSH login module
use auxiliary/scanner/ssh/ssh_login
Automated ssh-audit
ssh-audit is a tool for ssh server & client configuration auditing.
https://github.com/jtesta/ssh-audit is an updated fork from https://github.com/arthepsy/ssh-audit/
Features:
- SSH1 and SSH2 protocol server support;
- analyze SSH client configuration;
- grab banner, recognize device or software and operating system, detect compression;
- gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
- output algorithm recommendations (append or remove based on recognized software version);
- output security information (related issues, assigned CVE list, etc);
- analyze SSH version compatibility based on algorithm information;
- historical information from OpenSSH, Dropbear SSH and libssh;
- runs on Linux and Windows;
- no dependencies
usage: ssh-audit.py [-1246pbcnjvlt]
Brute force usernames, passwords and private keys
Username Enumeration
In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
msf> use scanner/ssh/ssh_enumusers
Some common ssh credentials here and here and below.
Private/Public Keys BF
If you know some ssh private key that could be used… lets try it. You can use the nmap script:
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
Or the MSF auxiliary module:
msf> use scanner/ssh/ssh_identify_pubkeys
Kerberos
crackmapexec using the ssh protocol can use the option –kerberos to authenticate via kerberos. For more info run crackmapexec ssh –help.
Default Credentials
| Vendor | Usernames | Passwords |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
Config files
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
Hardening SSH
You can find interesting guides on how to harden SSH in https://www.ssh-audit.com/hardening_guides.html