07 Apr, 2023

Secure Shell (SSH)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

SSH – Secure Shell protocol. It is a network protocol that provides a secure way to access a remote computer over an unsecured network. It encrypts the data that is sent over the network and provides strong authentication mechanisms to ensure that only authorized users can access the remote computer. SSH is commonly used in server administration and file transfer applications.

SSH common ports

TCP port 22: This is the default port used by Secure Shell (SSH) for encrypted network services, such as remote login and command execution. SSH provides a secure channel over an unsecured network in a client-server architecture. It is often used by system administrators to securely access and manage remote servers.

TCP port 2222: This port is sometimes used as an alternative to TCP port 22 for SSH connections. The use of a non-standard port can help mitigate attacks against SSH servers that target default ports. However, it is important to note that attackers can still scan for and discover non-standard ports.

TCP port 8022: This is another non-standard port that is sometimes used for SSH connections. It is not as commonly used as port 22 or 2222.

TCP port 222: This port is used by some applications, such as Microsoft Office Communications Server, to provide secure communication between clients and servers.

TCP port 2200: This is a non-standard port that is sometimes used for remote desktop connections, such as those provided by Virtual Network Computing (VNC) or Windows Remote Desktop.

Tools for using protocol SSH

Manual Tools:

  • ssh: The standard command line tool for SSH access to remote servers. Can be used for manual testing of SSH connections.

  • PuTTY: A Windows-based SSH client that can be used for manual testing of SSH connections.

  • OpenSSH: A suite of secure networking utilities that includes the ssh command line tool. Can be used for manual testing of SSH connections.

  • Telnet: An unsecured protocol that can be used for manual testing of SSH connections.

  • Netcat: A command line tool that can be used for manual testing of SSH connections.

  • Nmap: A network exploration and security auditing tool that can be used for manual testing of SSH connections.

  • Wireshark: A network protocol analyzer that can be used for manual testing of SSH connections.

  • Tcpdump: A command line tool that can be used for manual testing of SSH connections.

Automated Tools:

  • Metasploit: An open source penetration testing framework that includes modules for SSH testing.

  • Nessus: A vulnerability scanner that can be used for automated SSH testing.

  • OpenVAS: A vulnerability scanner that can be used for automated SSH testing.

  • Qualys: A cloud-based vulnerability management platform that includes modules for SSH testing.

  • Retina: A vulnerability scanner that can be used for automated SSH testing.

  • Burp Suite: A web application security testing tool that includes modules for SSH testing.

  • Zed Attack Proxy (ZAP): An open source web application security testing tool that includes modules for SSH testing.

  • OWASP: A non-profit organization that provides free resources for web application security testing, including modules for SSH testing.

  • Acunetix: A web application security testing tool that includes modules for SSH testing.

  • Nikto: A web server scanner that can be used for automated SSH testing.

Browser Plugins:

  • SSH Agent: A browser plugin that allows for easy management of SSH keys.

  • Secure Shell: A browser plugin that provides a secure terminal emulator for SSH access.

Last known CVE for SSH

• CVE-2018-0279 – A vulnerability in the Secure Copy Protocol (SCP) server of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to access the shell of the underlying Linux operating system on the affected device. The vulnerability is due to improper input validation of command arguments. An attacker could exploit this vulnerability by using crafted arguments when opening a connection to the affected device. An exploit could allow the attacker to gain shell access with a non-root user account to the underlying Linux operating system on the affected device. Due to the system design, access to the Linux shell could allow execution of additional attacks that may have a significant impact on the affected system. This vulnerability affects Cisco devices that are running release 3.7.1, 3.6.3, or earlier releases of Cisco Enterprise NFV Infrastructure Software (NFVIS) when access to the SCP server is allowed on the affected device. Cisco NFVIS Releases 3.5.x and 3.6.x do allow access to the SCP server by default, while Cisco NFVIS Release 3.7.1 does not. Cisco Bug IDs: CSCvh25026.

• CVE-2001-0572 – The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.

Useful information

– SSH stands for Secure Shell and is a secure network communication protocol.

– The SSH protocol was designed as a secure alternative to unsecured remote shell protocols. 

– SSH utilizes a client-server paradigm, in which clients and servers communicate via a secure channel.

– The SSH protocol has three layers: The transport layer, which ensures secure communication between the server and the client and monitors data encryption; the user authentication layer, which verifies the identity of users and servers; and the connection layer, which handles the creation, maintenance, and termination of sessions. 

– SSH can be used to connect to remote devices securely, transfer files, and execute commands. 

– Prior to SSH’s development, users and administrators used insecure network protocols. 

– Secure Shell provides strong authentication and secure encrypted data communications between two computers. 

– SSH is widely used in nearly every data center and in every large enterprise. 

Known banners

  1. OpenSSH: “SSH-2.0-OpenSSH”

  2. Dropbear: “SSH-2.0-dropbear”

  3. Bitvise SSH: “SSH-2.0-BvSsh”

  4. F-Secure SSH: “SSH-2.0-F-SecureSSH”

  5. GlobalScape SecureFTP: “SSH-2.0-GlobalScape”

  6. WinSCP: “SSH-2.0-WinSCP”

  7. VanDyke Software: “SSH-2.0-VShell”

  8. ProFTPD: “SSH-2.0-PROFTPD”

  9. Cisco: “SSH-2.0-Cisco-1.25” or “SSH-2.0-Cisco-1.99”

  10. Juniper: “SSH-2.0-juniper-1.0”

Books for studies SSH

SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys by Michael W. Lucas – This book is an excellent resource for learning about SSH and its various features. The author provides detailed explanations of how SSH works, as well as practical advice on how to use it effectively. The book covers both OpenSSH and PuTTY, two of the most popular SSH clients, and provides detailed instructions on how to configure and use them. In addition, the book covers advanced topics such as SSH tunnels and keys, which are essential for securing your SSH connections.

SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes – This book is a comprehensive guide to SSH, covering everything from the basics of SSH to advanced topics such as key management and tunneling. The authors provide clear and concise explanations of SSH concepts, as well as detailed instructions on how to use SSH in practice. The book is also filled with practical examples and tips, making it a valuable resource for anyone who wants to learn about SSH.

Pro OpenSSH by Michael Stahnke – This book is a comprehensive guide to OpenSSH, one of the most popular SSH implementations. The author provides detailed explanations of OpenSSH features, as well as practical advice on how to use them. The book covers topics such as key management, tunneling, and file transfer, and provides detailed instructions on how to configure and use OpenSSH in various environments. In addition, the book covers advanced topics such as scripting with OpenSSH, making it a valuable resource for experienced SSH users.

SSH, The Secure Shell: A Cookbook by Lee Allen and Syngress – This book is a collection of recipes for using SSH in various scenarios. The authors provide practical solutions to common SSH problems, such as setting up SSH tunnels, managing SSH keys, and automating SSH tasks. The book is organized by topic, making it easy to find solutions to specific problems. In addition, the book is filled with tips and tricks for using SSH more effectively, making it a valuable resource for anyone who uses SSH regularly.

List of Payload for SSH

  • Reverse shell: This payload allows an attacker to establish a connection to the target machine and gain access to its command line interface, effectively giving them control over the machine.

  • File transfer: SSH can be used to transfer files between machines, and an attacker may use this to transfer malicious files to the target machine, or to exfiltrate sensitive files from the target machine.

  • Port forwarding: SSH can be used to create a secure tunnel between two machines, which can be used to bypass firewalls or to access services that are not directly accessible from the attacker’s machine.

  • Password cracking: An attacker may use SSH to brute force the password for a user account on the target machine, allowing them to gain access to the machine.

Mitigation

  1.  To prevent hackers from accessing the root account, it is recommended to disable direct root login and instead use a separate user account with sudo privileges.

  2.  Ensure that all user accounts have strong and unique passwords to prevent brute-force attacks.

  3. Implement key-based authentication for SSH connections to avoid using passwords and prevent unauthorized access.

  4. Restrict SSH access by implementing a firewall to allow only authorized IP addresses or subnets.

  5. Disable unused SSH features such as X11 forwarding, port forwarding, and tunneling, as they can be used to bypass security measures.

  6. Ensure that the SSH software is updated to the latest version with security patches.

  7.  Regularly monitor SSH logs for any suspicious activity and take action to mitigate potential security threats.

Conclusion

Secured Shell (SSH) is a network protocol that provides a secure way to access remote machines over an unsecured network. SSH encrypts all data transmitted between two computers, preventing unauthorized access or interception of sensitive information. SSH operates on the client-server model and uses public-key cryptography to verify the identity of the server and the client. SSH has become an essential tool for system administrators, developers, and IT professionals as it provides a secure and encrypted means of accessing remote resources. The identification strings exchanged between the SSH client and server help identify the software and version of the SSH protocol being used during the session. There are several books available that discuss SSH and its implementations, including SSH, The Secure Shell: The Definitive Guide and SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys.

Other Services

Ready to secure?

Let's get in touch