**#SSH protocol (Secure Shell protocol) [port: 22]**


SSH has 2 main authentication methods:

1. Username & password authentication.
2. Key-based authentication.
  • A pair of public & private keys, where the public key is placed on the server and the private key is given to the clients that are allowed to connect.

Using: ~# nc <ip address> <ssh port> grabs the server banner, which might give us both the SSH and Linux versions.

A simple SSH login attempt might also give us the banner (title) that states the purpose of the service.


**#MSF modules:**

To search:
  • search type:auxiliary name:ssh

      auxiliary/scanner/ssh/ssh_login

  • Brute-forces SSH logins. After finding a password you can list the sessions with: sessions, and use one with: sessions -i 1. (If you get a session that doesn't respond to commands, create a Bash session with: /bin/bash -i)

      auxiliary/scanner/ssh/ssh_enumusers

  • If the brute force isn't successful, try this to get the available users.
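The ssh_login module above is a brute-force tool; on the defending side the same attempts appear as "Failed password" lines in the sshd log, which is what a detection rule keys on. Added example, not from the original notes: a shell function that counts failed password attempts per source address over constructed auth.log lines and flags any source at or above a threshold. The field layout is assumed to match Debian/Ubuntu auth.log; other distributions may differ.

```shell
#!/bin/sh
# Added example (not from the original notes): count failed SSH logins per
# source address from sshd log lines and flag sources over a threshold.
# The log lines below are constructed to mimic Debian/Ubuntu auth.log.

SAMPLE_LOG='Mar  3 10:01:12 host sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:13 host sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:15 host sshd[2013]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:16 host sshd[2015]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:20 host sshd[2017]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:placeholder
Mar  3 10:02:01 host sshd[2020]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:02:05 host sshd[2022]: Accepted password for bob from 198.51.100.9 port 40102 ssh2'

# Read log lines on stdin and print "count ip" for each source whose
# failed-password attempts reach the threshold (default 3), highest first.
flag_bruteforce_sources() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# Usage: pipe a log through the function, e.g. cat /var/log/auth.log | ...
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce_sources 3
```

Successful logins ("Accepted ...") are deliberately not counted, so a source that eventually guesses correctly still shows up with its earlier failures; that is usually the event worth alerting on.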


**#nmap scripts:**

ssh2-enum-algos

  • enumerates all the algorithms the server offers
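Enumerating the algorithms is only useful if you then decide which of them are a problem. Added example, not from the original notes: a shell function that reads nmap ssh2-enum-algos style output (constructed here) and flags algorithms that common SSH hardening guides treat as weak. The weak list (SHA-1 key exchange, ssh-dss and SHA-1 ssh-rsa host keys, arcfour and CBC ciphers, MD5 and SHA-1 MACs) is an assumption taken from such guides, not from the page.

```shell
#!/bin/sh
# Added example (not from the original notes): read nmap ssh2-enum-algos
# style output and flag algorithms that current hardening guidance treats
# as weak. The script output below is constructed; the weak list is an
# assumption taken from common SSH hardening guides.

SAMPLE_ENUM='| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms: (4)
|       chacha20-poly1305@openssh.com
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com'

# Read script output on stdin and print "category algorithm" for every
# weak algorithm found, in the order the server listed them.
flag_weak_algos() {
    awk '
        /^\| ssh2-enum-algos:/ { next }
        # category lines look like "|   kex_algorithms: (3)"
        /^\|[ _]+[a-z_]+: \(/ { cat = $2; sub(/:$/, "", cat); next }
        # algorithm lines are a single token after the "|" prefix
        /^\|[ _]+[^ ]+$/ {
            name = $2
            if (name == "diffie-hellman-group1-sha1" ||
                name ~ /^diffie-hellman-group(14|-exchange)-sha1$/ ||
                name == "ssh-dss" || name == "ssh-rsa" ||
                name ~ /^arcfour/ || name ~ /-cbc$/ ||
                name ~ /^hmac-md5/ || name ~ /^hmac-sha1/)
                print cat, name
        }
    '
}

# Usage: nmap -p 22 --script ssh2-enum-algos <host> | flag_weak_algos
printf '%s\n' "$SAMPLE_ENUM" | flag_weak_algos
```

Anything this prints is a candidate for removal from the server's KexAlgorithms, HostKeyAlgorithms, Ciphers or MACs settings; the strong entries in the same sample (curve25519-sha256, rsa-sha2-512, chacha20-poly1305, hmac-sha2-256) are left untouched.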

ssh-hostkey --script-args ssh_hostkey=full

  • gives us the full SSH RSA host key

ssh-auth-methods --script-args ssh.user=<username>

  • checks the authentication methods for that particular user

What is more interesting: if the script reports no auth methods for that user, then we can actually log in through SSH directly, without a password or key!


**#Vulnerabilities & Exploitation:**

MSF module:

  • libssh is a multiplatform C library implementing the SSHv2 protocol on the client and server side.

  • libssh v0.6.0-0.8.0 is vulnerable to an authentication bypass in the libssh server code that can be exploited to execute commands on the target server.

      auxiliary/scanner/ssh/libssh_auth_bypass

Then set SPAWN_PTY true and run it.
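Both the banner grab with nc at the top of these notes and the libssh version range above come down to reading the SSH identification string. Added example, not from the original notes: a shell function that splits that string into its protocol version, software version and optional comment (the RFC 4253 layout), plus a second function that uses the software field to tell whether a server in your own inventory announces libssh in the 0.6.0-0.8.0 range. All banners are constructed samples, and a banner is only a hint: distributions backport fixes without changing the version string, so confirm before drawing conclusions.

```shell
#!/bin/sh
# Added example, not part of the original notes: split an SSH identification
# string (the first line `nc <ip> 22` prints) into its fields, then use the
# software field to check whether a server announces libssh in the
# 0.6.0-0.8.0 range named above. All banners here are constructed samples.

# RFC 4253 banner layout: SSH-protoversion-softwareversion [SP comments]
parse_ssh_banner() {
    banner=$(printf '%s' "$1" | tr -d '\r\n')
    case "$banner" in
        SSH-*) ;;
        *) echo "not an SSH banner: $banner" >&2; return 1 ;;
    esac
    ident=${banner%% *}            # text before the first space
    comment=${banner#"$ident"}     # the optional comment after it
    comment=${comment# }
    rest=${ident#SSH-}
    proto=${rest%%-*}              # e.g. 2.0 or 1.99
    software=${rest#*-}            # e.g. OpenSSH_7.4p1 or libssh_0.7.3
    printf 'proto=%s software=%s comment=%s\n' "$proto" "$software" "$comment"
}

# Map "a.b.c" to an integer so ranges can be compared with [ -ge ] / [ -le ].
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Print the libssh version and return 0 when the banner advertises libssh
# in [0.6.0, 0.8.0]; return 1 for any other banner. A banner is only a
# hint: distributions backport fixes without changing the version string.
libssh_in_range() {
    fields=$(parse_ssh_banner "$1") || return 1
    software=${fields#*software=}
    software=${software%% *}
    case "$software" in
        libssh[_-]*) ;;
        *) return 1 ;;
    esac
    ver=${software#libssh}
    ver=${ver#[_-]}
    key=$(version_key "$ver")
    if [ "$key" -ge "$(version_key 0.6.0)" ] && [ "$key" -le "$(version_key 0.8.0)" ]; then
        printf '%s\n' "$ver"
        return 0
    fi
    return 1
}

# Constructed sample banners
parse_ssh_banner 'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7'
parse_ssh_banner 'SSH-2.0-libssh_0.7.3'
libssh_in_range 'SSH-2.0-libssh_0.7.3' && echo "libssh in 0.6.0-0.8.0 range"
libssh_in_range 'SSH-2.0-libssh_0.8.1' || echo "libssh_0.8.1 outside range"
```

To run it against a live banner, feed the first line of the nc output in: `parse_ssh_banner "$(printf '\n' | nc -w 3 <ip> 22 | head -n 1)"`. The comment field is where the Linux distribution string usually appears, which is why the banner grab at the top of the notes can reveal the OS as well as the SSH version.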