Notes
- If the server needs old crypto, use -oKexAlgorithms=+diffie-hellman-group1-sha1 on the client.
- OpenSSH 7.7 allows enumeration of existing users.
- On Windows 10 it may be possible to extract the keys from ssh-agent.
Keys
Get fingerprints
nmap -p22 --script ssh-hostkey $target
Get hostkeys
nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target
Extract fingerprints from existing key file:
ssh-keygen -E md5 -lf /tmp/found_key
ssh-keygen -E sha1 -lf /tmp/found_key
ssh-keygen -E sha256 -lf /tmp/found_key
Grab SSH keys from a host range (one host per line in hosts.txt, one output file per host)
while read -r ip; do
    nmap -p22 --script ssh-hostkey "$ip" > "/tmp/$ip.keys"
done < hosts.txt
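Once host keys have been collected for a range, the check worth running on the result is whether any fingerprint shows up on more than one host: identical host keys across machines usually mean a cloned image or a copied /etc/ssh, and host authentication between those machines is then meaningless. The script below is an added example, not code from the original post. It assumes ssh-keyscan and ssh-keygen are on PATH for the collection step; the report step works on the "bits fingerprint host (TYPE)" lines that ssh-keygen -lf prints, and the sample lines embedded at the end are constructed placeholders, not real fingerprints.

```shell
#!/bin/sh
# Added example: find SSH host keys shared by more than one host.

# collect_fingerprints HOSTS_FILE
# Scans every host listed in HOSTS_FILE (one per line) and prints one line
# per key in the format produced by "ssh-keygen -lf":
#   <bits> SHA256:<base64> <host> (<TYPE>)
# Assumes ssh-keyscan and ssh-keygen are installed.
collect_fingerprints() {
    tmp=$(mktemp) || return 1
    ssh-keyscan -T 5 -t rsa,ecdsa,ed25519 -f "$1" 2>/dev/null > "$tmp"
    ssh-keygen -lf "$tmp"
    rm -f "$tmp"
}

# report_duplicates [FILE]
# Reads fingerprint lines (from FILE or stdin) and prints one line per
# fingerprint that appears on more than one host:
#   <fingerprint> <host1>,<host2>,...
# Output is sorted so it is stable regardless of awk's hash order.
report_duplicates() {
    awk '{
            fp = $2; host = $3
            if (!(fp in hosts)) { hosts[fp] = host; n[fp] = 1 }
            else { hosts[fp] = hosts[fp] "," host; n[fp]++ }
         }
         END { for (fp in n) if (n[fp] > 1) print fp, hosts[fp] }' "$@" | sort
}

# Constructed sample input (placeholder fingerprints, not real keys):
# three hosts share one ed25519 key, the other two are unique.
SAMPLE='256 SHA256:AAAA1111 10.0.0.5 (ED25519)
256 SHA256:AAAA1111 10.0.0.6 (ED25519)
3072 SHA256:BBBB2222 10.0.0.7 (RSA)
256 SHA256:CCCC3333 10.0.0.8 (ED25519)
256 SHA256:AAAA1111 10.0.0.9 (ED25519)'

# demo_report: run the duplicate check over the constructed sample.
demo_report() {
    printf '%s\n' "$SAMPLE" | report_duplicates
}

# Real-world usage:
#   collect_fingerprints hosts.txt > fingerprints.txt
#   report_duplicates fingerprints.txt
demo_report
```

Running the block as-is prints the single shared fingerprint followed by the three hosts that present it. Feeding report_duplicates a file produced by collect_fingerprints (or by ssh-keygen -lf over an existing known_hosts file) gives the same kind of report for a real fleet.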
Testing a private key against a host range (t is the private key file under test; BatchMode stops ssh from prompting for a password or passphrase)
while read -r ip; do
    echo "For ip $ip"
    ssh -oBatchMode=yes -i t "root@$ip" "echo 'is valid'"
done < hosts.txt
Tools
- ssh-audit
- Remote analysis of the version and ciphers.
- Usage:
git clone https://github.com/arthepsy/ssh-audit
cd ssh-audit
python ssh-audit.py $target_domain
- Try publicly known bad keys
- Crowbar (brute force, also for private SSH keys)
- Patator (brute force)