** #SSH protocol ( Secure shell protocol ) [ port : 22 ]**

SSH has 2 main authentication ways:

1. Username & Password Authentication.

2. Key Based Authentication.

• (A pair of Public & Private keys) Where the Public key is on the server.... And the Private key is given to the clients who are allowed to connect.

using: ~# nc <ip address> <ssh port> might give both SSH and linux versions.

a simple SSH login might give us the banner ( title ) for the purpose of the service

** #MSF modules :**

To search:

• search type:auxiliary name:ssh

  auxiliary/scanner/ssh/ssh_login

• Brute Force SSH.... (If you find a session and it doesn't response to commands. Create a Bash session : /bin/bash -i)
  After finding a password you can check: sessions and use them: sessions -i 1

  auxiliary/scanner/ssh/ssh_enumusers

• If Brute Force isn't successful try it to get available users.

#nmap_scripts -:

ssh2-enum-algos

• to enumerate all algorthims

ssh-hostkey --script-args ssh_hostkey=full

• gives us the SSH RSA hostkey

ssh-auth-methods --script-args ssh.user=<username>

• check for auth methods for that particular user

what is more interesting is if there is no auth methods for

that user then we can actually login through ssh directly!

Vulnerabilites & Exploitations:

• libssh is a multiplatform C library implementing the SSHv2 protocol on client and serverside.

• libssh V0.6.0-0.8.0 is vulnerable to an authentication bypass vulnerability in the libssh server code that can be exploited to execute commands on the target server.

  auxiliary/scanner/ssh/libssh_auth_bypass

Then and run.

set SPAWN_PTY true