# **Basic Information**

According to [HTB Academy](https://academy.hackthebox.com/module/112/section/1240):

> [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell) (`SSH`) enables two computers to establish an encrypted and direct connection within a possibly insecure network on the standard port `TCP 22`. This is necessary to prevent third parties from intercepting the data stream and thus intercepting sensitive data. The SSH server can also be configured to only allow connections from specific clients. An advantage of SSH is that the protocol runs on all common operating systems. Since it is originally a Unix application, it is also implemented natively on all Linux distributions and MacOS. SSH can also be used on Windows, provided we install an appropriate program. The well-known [OpenBSD SSH](https://www.openssh.com/) (`OpenSSH`) server on Linux distributions is an open-source fork of the original and commercial `SSH` server from SSH Communication Security. Accordingly, there are two competing protocols: `SSH-1` and `SSH-2`.
```bash
# view configuration file (strip comments and blank lines)
cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'
```

## **Using Master Sockets**

```bash
# ensure ControlMaster is enabled for the ssh client
# echo " ControlMaster auto" | sudo tee -a /etc/ssh/ssh_config
# sudo systemctl restart ssh

# open the master connection and create the control socket
# (host key checking is disabled here, so the server's identity is not verified)
ssh -M -S /tmp/socket_name -p <target_port> <user>@<target_ip> -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

# setup another SSH connection using the master socket
# (the host argument is a placeholder; the session is multiplexed over the existing master connection)
ssh -S /tmp/socket_name dummy
```

# **Enumeration**

## **Scanning**

```bash
git clone https://github.com/jtesta/ssh-audit.git && cd ssh-audit
./ssh-audit.py <target_ip>
```

## **Persistence via Authorized Keys**

```bash
# run on op station, create key pair
# two files will be generated, key and key.pub
ssh-keygen -t rsa -f key

# run on target, copy contents of key.pub to authorized_keys
echo '<contents_of_key.pub>' >> ~/.ssh/authorized_keys

# run on op station, specify private key to use
ssh -i key <user>@<target_ip>
```

## **Change Authentication Method**

```bash
# view what types of authentication can be used
ssh -v <username>@<target_ip>

# use specified authentication method
ssh -v <username>@<target_ip> -o PreferredAuthentications=<authentication_method>
```

# **References**

- [Using the SSH "Konami Code" (SSH Control Sequences)](https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences)
- [SSH Hardening Guide](https://www.ssh-audit.com/hardening_guides.html)

# **Practical Application**

| Platform | Name | Notes |
| -------- | ---- | ----- |
|          |      |       |
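
A defensive counterpart to the Persistence via Authorized Keys steps above, as an added example that is not part of the original notes: it parses `authorized_keys` content, computes each key's SHA256 fingerprint in the format `ssh-keygen -lf` prints, and reports keys that are missing from an approved set. The function names, the sample keys and the approved set are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import struct

KEY_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# A field is a run of non-space characters; double-quoted option values may contain spaces.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unapproved_keys(text, approved):
    """Return (line_no, options, key_type, fingerprint, comment) for each key
    whose fingerprint is not in `approved`. Malformed lines are reported with
    fingerprint None so they get reviewed instead of silently skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = FIELD.findall(line)
        i = next((k for k, v in enumerate(f[:2]) if v.startswith(KEY_PREFIXES)), None)
        try:
            fp = fingerprint(f[i + 1])
        except (TypeError, IndexError, binascii.Error):
            findings.append((no, "", "", None, line[:60]))
            continue
        if fp not in approved:
            findings.append((no, f[0] if i else "", f[i], fp, " ".join(f[i + 2:])))
    return findings

def sample_blob(fill):
    """Constructed ed25519 public-key blob (SSH wire format) for the demo."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "# managed by ops",
    f"ssh-ed25519 {sample_blob(1)} alice@admin-ws",
    f'command="/usr/bin/true now",no-pty ssh-ed25519 {sample_blob(2)} key',
])

if __name__ == "__main__":
    for finding in unapproved_keys(SAMPLE, {fingerprint(sample_blob(1))}):
        print(finding)
```

Run it against every account's `~/.ssh/authorized_keys` on a schedule and alert on any non-empty result; the approved set should come from wherever keys are provisioned.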