🔮
P4n1cBook
  • 🏴‍☠️Welcome!
    • 🔮P4n1cBook
    • 🚨Licence and Disclaimer
    • ⚡About Author
    • 📚Bookmarks
  • Fundamentals
    • Basic Commands
      • Linux
      • Git
    • 🌐Network Protocols
      • ICMP
      • SSH
      • Telnet
      • DNS
      • FTP
      • HTTP/HTTPS
      • SMB
      • SNMP
      • SMTP
      • NFS
      • IPP
      • WinRM
      • LLMNR
    • Databases
      • MySQL
      • NoSQL
    • Web APIs
      • GraphQL
    • Shells/TTYs
    • 💾Regex
    • Dorks
    • Python Essentials
    • Cryptography
    • Reverse Engineering
    • Tools
      • curl
      • Netcat
      • tcpdump
      • Nmap
      • ffuf
      • Gobuster
      • feroxbuster
      • SQLmap
      • 🦈Wireshark
      • Metasploit
      • GoWitness
      • Crunch
      • NetExec
  • Web Exploitation
    • Recon
    • Main Techniques
      • Session Hijacking
      • SSRF
      • Eval Injection
      • Template Manipulation
      • Path Traversal
      • Prototype Pollution
      • XXE
      • Deserialization
      • Log Poisoning
      • Command Injection
      • SQLi
      • Arbitrary File Upload
      • SSTI
      • LFI
      • XSS
    • Web Servers
      • Apache
      • Nginx
    • Web Services
      • HashiCorp Vault
      • Laravel
      • Express
      • Magento
      • Tiny File Manager
      • Joomla
      • CMS Made Simple
      • Werkzeug
      • 🌵Cacti
      • Tomcat
      • Zabbix
      • OpenNetAdmin
      • Wordpress
      • Java-based web application
        • Struts
        • .WAR
        • JDWP
      • ImageMagick
  • Cloud Exploitation
    • Kubernetes
  • Post Exploitation
    • File Transfer
    • Credential Dumping
      • Thunderbird
    • Pivoting/Lateral Movement
    • Persistence
    • Linux Privilege Escalation
      • Hijacks
      • Jailbreaks
      • Binary Exploitation - Linux
      • Kernel Exploits
      • Buffer Overflow - Linux
      • Escaping Docker
  • Wireless Exploitation
    • NFC
Powered by GitBook
On this page
  • Key generation
  • Trouble Shooting
  • OpenSSH Vulnerabilities
Edit on GitHub
  1. Fundamentals
  2. Network Protocols

SSH

Secure Shell Protocol

Port 22

Key generation

GitHub-Keys
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519
ssh-keygen -t ecdsa-sk
ssh-keygen -t ed25519-sk
No-Touch Mode
ssh-keygen -O no-touch-required -t ed25519-sk
Allow mode on sshd
no-touch-required sk-ssh-ed25519@openssh.com AAAAInN... user@example.com
Details
ssh-keygen -C "$(whoami)@$(uname -n)-$(date -I)"
Key lenght
ssh-keygen -l -f public_key

Trouble Shooting

SSH2_MSG_KEX_ECDH_REPLY
ssh -o MACs=hmac-sha2-256 <HOST>

  • Sometimes the /etc/hosts.allow or /etc/hosts.deny may be configured to blacklist or whitelist IPs trying to connect to the server:

Whitelist an IP
ALL : 10.10.16.8

  • Add that in the /hosts.allow file; make sure to let a blank line at the end.

  • sshd_wl is the syslink to host.allow and is normally in .ssh

  • In recent versions of OpenSSH, certain older key types like ssh-rsa have been deprecated because of security concerns with the SHA-1 hash algorithm they use:

ssh root@10.10.10.34 -i id_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa

OpenSSH Vulnerabilities

RsaCtfTool

  • RSA attack tool (mainly for ctf) - retrieve private key from weak public key and/or uncipher data.

  • Install libmpc-dev, libgmp3-dev and sagemath

  • Also recommend to use a virtual environment

RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --decryptfile pass.crypt

CVE-2008-0166

  • Debian OpenSSL Predictable PRNG -> Check the repo

  • Look for matches for a given public_key:

grep -R -n `cat public_key` rsa/
PreviousICMPNextTelnet

Last updated 1 month ago

🌐
Logoopenssh vulnerabilities - Repology