SSH

Secure Shell Protocol - Port 22

Key Generation
RSA
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Ed25519
ssh-keygen -t ed25519
ECDSA (FIDO/U2F-backed; use -t ecdsa for a plain ECDSA key)
ssh-keygen -t ecdsa-sk

FIDO/U2F NO-TOUCH MODE

Generate a FIDO key that does not require a touch
ssh-keygen -O no-touch-required -t ed25519-sk
Allow it on the server side: the no-touch-required option must precede the key in authorized_keys
no-touch-required sk-ssh-ed25519@openssh.com AAAAInN... user@example.com
Enumeration
Generate a key with a descriptive comment (user@host-date), which shows up in authorized_keys and in ssh-keygen -l output
ssh-keygen -C "$(whoami)@$(uname -n)-$(date -I)"
Key length, type and fingerprint
ssh-keygen -l -f public_key
Password Spray
Check SSH access
nxc ssh <IP> -u <USER> -p 'password'
Check SSH access from a user list
nxc ssh 10.10.10.229 -u usersList -p 'Password' --continue-on-success
SSH Brute Force
nmap -n -p22 --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt <IP>
Troubleshooting

Connection drops with an error on the SSH2_MSG_KEX_ECDH_REPLY packet: force a MAC the server handles correctly:

ssh -o MACs=hmac-sha2-256 <HOST>
  • Sometimes /etc/hosts.allow or /etc/hosts.deny (TCP wrappers) is configured to whitelist or blacklist the IPs allowed to connect to the server:

Whitelist
ALL : 10.10.16.8
  • Add that line to /etc/hosts.allow and make sure the file ends with a blank line.

  • sshd_wl is the symlink to hosts.allow and is normally in .ssh

  • In recent versions of OpenSSH (8.8 and later), the ssh-rsa signature algorithm (RSA with SHA-1) is disabled by default because of the security concerns with SHA-1; RSA keys themselves still work with rsa-sha2-256/512, but an old server that only offers ssh-rsa needs it re-enabled on the client. Newer clients spell the option PubkeyAcceptedAlgorithms (PubkeyAcceptedKeyTypes is kept as an alias), and a leading + appends to the default list instead of replacing it:

ssh root@10.10.10.34 -i id_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa
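The checks above (key length, the no-touch-required option, legacy RSA) can be run over a whole authorized_keys file rather than one key at a time. The following is an added example, not code from the page or from OpenSSH: it decodes the public-key blob in each line using the SSH wire format (uint32-length-prefixed strings, RSA as type/e/n) and reports weak RSA sizes and FIDO keys that skip the touch check. The KEY_TYPES set, the 3072-bit threshold and the sample lines are assumptions; the sample blobs are constructed and contain no real key material.

```python
import base64
import shlex
import struct

# Key types accepted in authorized_keys (assumption: the subset this page touches)
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ecdsa-sha2-nistp256@openssh.com"}

def read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def audit_line(line, min_rsa_bits=3072):
    """Return (info, findings) for one authorized_keys line: key type, RSA size, no-touch option."""
    tokens = shlex.split(line)               # keeps quoted option values such as command="..." together
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None:
        raise ValueError("no recognised key type in line")
    options = " ".join(tokens[:idx])         # everything before the key type is the options field
    blob = base64.b64decode(tokens[idx + 1])
    wire_type, off = read_string(blob, 0)    # the blob starts with its own copy of the key type
    info = {"type": wire_type.decode(), "bits": None,
            "no_touch": "no-touch-required" in options.split(",")}
    findings = []
    if info["type"] == "ssh-rsa":            # RSA blob layout: type, mpint e, mpint n
        _e, off = read_string(blob, off)
        n, _ = read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
        if info["bits"] < min_rsa_bits:
            findings.append(f"RSA modulus is {info['bits']} bits (< {min_rsa_bits})")
    elif info["type"] == "ssh-dss":
        findings.append("DSA key: disabled by default since OpenSSH 7.0")
    if info["no_touch"]:
        findings.append("no-touch-required: FIDO key usable without a physical touch")
    return info, findings

# Constructed sample lines: synthetic blobs built with the same wire format, not real key material.
def ssh_string(b):
    return struct.pack(">I", len(b)) + b
def mpint(v):  # positive SSH mpint: big-endian, leading 0x00 when the top bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b
def make_blob(*fields):
    return base64.b64encode(b"".join(ssh_string(f) for f in fields)).decode()

WEAK_RSA = "ssh-rsa " + make_blob(b"ssh-rsa", mpint(65537), mpint((1 << 1023) | 1)) + " legacy@host"
NO_TOUCH = ('no-touch-required,command="/usr/bin/true" sk-ssh-ed25519@openssh.com '
            + make_blob(b"sk-ssh-ed25519@openssh.com", b"\x01" * 32, b"ssh:") + " user@example.com")
GOOD = "ssh-ed25519 " + make_blob(b"ssh-ed25519", b"\x02" * 32) + " ok@host"
```

Feed real files with `for line in open("authorized_keys"): audit_line(line)` and treat any non-empty findings list as something to review.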
OpenSSH Vulnerabilities

RsaCtfTool

  • RSA attack tool (mainly for CTFs): recovers the private key from a weak public key and/or decrypts data.

  • Install libmpc-dev, libgmp3-dev and sagemath

  • A virtual environment is also recommended

RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --decryptfile pass.crypt