How an intruder attacks SSH
Brute Force
Sometimes the only way to break into an SSH server is through brute force – and yes, there are tools for that.
One particular Linux service needs no introduction: Secure Shell (SSH) is synonymous with logging into remote Linux devices of all varieties. You can use SSH to log into a Raspberry Pi, a mail server, a web server, or even embedded Linux devices such as those running Internet of Things (IoT) applications.
SSH emerged in the 1990s, when it became clear that the unencrypted Telnet was not suitable for communication on the open Internet. SSH version 1 was popular for years, but experts eventually began to warn that it had its own security problems. SSH version 2 was a major rewrite, due to the numerous issues that plagued version 1, including vulnerability to man-in-the-middle attacks. In the Linux world, the SSH software of choice for both client and server is called OpenSSH [1].
This article looks at some of the approaches attackers and ethical hackers use to compromise SSH servers. I will also look at how to prevent a common type of attack against SSH servers. It should go without saying: Only use the tools discussed in this article on servers that you own or explicitly have permission to test against. A number of these approaches could cause downtime or ultimately lock you out of the target SSH instance.
Serve the Public Trust
Imagine that an attacker has gained access to a device on a Local Area Network (LAN). One of the first tasks is to see whether there are other devices that the attacker can gain access to by probing the network, attempting what's called lateral movement.
A number of tools are specifically designed for scouting out SSH servers, and I will describe these tools later in this article. But first, I'll look at an uber-efficient tool that an attacker might use first to uncover other vulnerable servers in addition to SSH. The tool is called masscan [2], and I use it before doing anything else because it can highlight open ports on IP addresses in a matter of seconds. At that point, I can sort the wheat from the chaff very quickly and focus my attention on items of interest.
On Debian Linux derivatives, like Ubuntu Linux, you can install masscan using the following command:
$ apt install masscan -y
The GitHub repository suggests that you can also build masscan on other Linux distributions. Use the following commands (assuming git, make, and gcc are present on your system):
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make
masscan has a limited number of dependencies, so it is relatively simple to install; refer to the README if you have any questions.
Once masscan is installed, you can get some practice by trying it out on a Capture the Flag (CTF) exercise at the inimitable TryHackMe [3] website. I use the following command to focus on one specific IP address:
$ IP="10.10.XX.XX"; masscan -p0-65535 --rate 10000 ${IP} -e tun0 --router-ip 10.11.0.1
In the preceding example, I only append -e tun0 --router-ip 10.11.0.1 because I use a virtual private network (VPN) for the public Internet and then another VPN to connect into the CTF network that I'm using. To get the setting for the tunnel (shown as tun0) and the gateway IP address (--router-ip), enter the command ip a and have a look at the output; ip route shows the route the tunnel actually uses, which is the quickest way to confirm the gateway. The tunnel is either tun0 or tun1, and I'm using the first IP address from the subnet of the connected IP address as the gateway IP address. Or, simply switch off one of the VPNs to disentangle your local routing configuration if that makes life easier.
The preceding example shows one IP address as the ${IP} target, and masscan is asked to run through all 65,536 TCP ports (0-65535) at a good rate. Because masscan crafts raw SYN packets itself rather than using the kernel's TCP stack, it has to run as root (or with the CAP_NET_RAW capability). Listing 1 shows a scan against my localhost as an example.
Listing 1
Using masscan against localhost
$ IP="127.0.0.1"; masscan -p0-65535 --rate 10000 ${IP}
Starting masscan 1.3.2 (http://bit.ly/14GZzcT)
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Of course, scanning one IP address isn't that useful if you have a limited window of opportunity to attack a subnet. Also, in this case, I am specifically looking for SSH server ports: the default SSH port is TCP 22, and administrators who move it off the default often pick a port in the TCP 2000-3000 range (2222 is a common choice). Listing 2 reflects these insights in a refined command.
Listing 2
Scanning for SSH
$ masscan -p22,2000-3000 127.0.0.1/8
Starting masscan 1.3.2 (http://bit.ly/14GZzcT)
Initiating SYN Stealth Scan
Scanning 16777216 hosts [1002 ports/host]
If you append --echo > masscan.conf to a command, masscan writes out its current configuration as a reusable configuration file instead of starting the scan. Listing 3 shows the contents of the masscan.conf file produced from the Listing 2 command.
Listing 3
masscan.conf
seed = 535234345767656361
rate = 100
shard = 1/1
nocapture = servername
# TARGET SELECTION (IP, PORTS, EXCLUDES)
ports = 22,2000-3000
range = 127.0.0.0/8
Rather than entering a long, complex command at the command line, you can use the configuration file, as follows. Options given on the command line after -c override the values in the file, so --rate 10000 here replaces the default rate = 100 that the file recorded:
$ masscan -c masscan.conf --rate 10000
You can also ask masscan to grab service banners from the open ports it finds (the --banners option), which is a quick way to confirm that a port in the 2000-3000 range really is SSH. Have a look at the README.
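The natural next step is to hand masscan's findings to ssh-audit, whose -T option (described in the next section) reads a file of HOST:PORT lines. The following shell script is an added example, mine rather than the article's or either project's code: it parses masscan's -oL list output (one record per open port, in the form "open tcp <port> <address> <timestamp>") into a deduplicated target file, keeping only the ports the article treats as SSH candidates. The sample scan output embedded in it is constructed for the example, not a real scan; the helper that runs masscan itself needs root and a real network and is not exercised offline.

```shell
#!/bin/sh
# Added example, not code from the article: feed masscan's findings into
# ssh-audit. masscan's -oL "list" output has one record per open port:
#   open tcp <port> <address> <timestamp>
# and ssh-audit -T reads a file of HOST[:PORT] lines. The sample scan output
# below is constructed for this example, not the result of a real scan.

SAMPLE_MASSCAN_OUTPUT='#masscan
open tcp 22 10.10.14.5 1700000000
open tcp 2222 10.10.14.7 1700000001
open tcp 80 10.10.14.7 1700000001
open tcp 22 10.10.14.5 1700000002
# end'

# masscan_to_targets: read -oL records on stdin and print unique HOST:PORT
# lines for ports that could be SSH (22 or the 2000-3000 range used in the
# article). masscan can report the same port twice if a SYN-ACK arrives
# late or the scan is repeated, hence sort -u.
masscan_to_targets() {
    awk '$1 == "open" && $2 == "tcp" && ($3 == 22 || ($3 >= 2000 && $3 <= 3000)) { print $4 ":" $3 }' |
        sort -u
}

# scan_to_targets: run masscan against a CIDR (root is required for the raw
# SYN packets), save the list output, and emit the target file. This part
# needs a real network and masscan installed; it is not exercised offline.
scan_to_targets() {
    cidr="$1"
    out="${2:-masscan.lst}"
    masscan -p22,2000-3000 --rate 1000 -oL "$out" "$cidr" >/dev/null
    masscan_to_targets <"$out"
}

# Offline demonstration on the constructed sample:
#   sh targets.sh --demo > server-list.txt && ssh-audit -T server-list.txt
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MASSCAN_OUTPUT" | masscan_to_targets
fi
```

On the sample above the script emits 10.10.14.5:22 and 10.10.14.7:2222; the port 80 record is dropped because it is outside the SSH candidate ports, and the duplicate port 22 record collapses to one line.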
Protect the Innocent
Imagine you have identified a couple of SSH servers using masscan and want to look closely at how SSH is set up. At this point, I would turn to a tool called ssh-audit [4]. I think you might be surprised at how much information you can get from an SSH server.
There are several options for installing ssh-audit. I'll use the Python package manager, pip, as shown in Listing 4.
Listing 4
Installing ssh-audit
$ pip3 install ssh-audit
Collecting ssh-audit
Downloading ssh_audit-2.9.0-py3-none-any.whl (97 kB)
Installing collected packages: ssh-audit
Successfully installed ssh-audit-2.9.0
If you don't have pip installed, you can use the following command on Debian Linux derivatives (note that Debian 12 and later mark the system Python as externally managed, so pip will refuse to install into it; use a virtual environment or pipx in that case):
$ apt install python3-pip -y
Once you complete the installation, the --help flag will offer information on available options (Figure 1).
As you can see in Figure 1, ssh-audit offers several options. The developer, Joe Testa [5], also provides a helpful website [6] for you to use with the tool. Figure 2 shows the splash page.
As Figure 3 shows, it is possible to target specific policies for known operating system versions and OpenSSH versions.
You can use the following command to scan multiple IP addresses; the text file holds a list of IP addresses or hostnames, one per line, in the format HOST:PORT (the port can be left off for servers on TCP 22), as shown here:
$ ssh-audit -T server-list.txt
I'm going to test against one OpenSSH server that I have running on Debian Linux, using TCP port 2002. The server is completely patched and up-to-date. I use the following command:
$ ssh-audit 18.XX.XX.XX:2002
Figure 4 shows the first part of the output for this command.
At the top of the output, the orange-colored text shows well-known vulnerabilities that apparently apply to this version of OpenSSH (note that this is the latest Debian Linux version of OpenSSH). See the Common Vulnerabilities and Exposures (CVE) project if you want more information on CVE-2021-41617 (CVSS v2: 7.0 – privilege escalation via supplemental groups) and CVE-2016-20012 (CVSS v2: 5.3 – enumerate usernames via challenge response). Two caveats apply. ssh-audit derives these findings from the version string in the server's banner, so a distribution package that has backported a fix without changing the version number will still be flagged; check the package changelog before treating such a hit as real. And the OpenSSH developers dispute CVE-2016-20012, because they do not regard username enumeration as a vulnerability in the product.
The red-colored text refers to the algorithm ecdh-sha2-nistp256: "[fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency."
The bottom of the output gives solid advice about which algorithms should be removed (Figure 5).
As Figure 5 demonstrates, even with hardening in place, there are a number of issues of concern. The README covers some other powerful features of ssh-audit and how to get started with them.
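The advice in Figure 5 is only worth something once you can verify that the removed algorithms are really gone from the server's offer. The following shell script is an added example, mine and not the article's or ssh-audit's code: it reads the effective sshd configuration as printed by sshd -T (one lowercase keyword per line), flags every offered key-exchange, cipher, MAC or host-key algorithm that matches a small denylist, and prints the pruned line ready to paste into sshd_config. The denylist (NIST P-curve key exchange, SHA-1, CBC ciphers, 64-bit umac tags, MD5) is this example's own choice, modelled on the kinds of findings ssh-audit reports, and the sshd -T output embedded below is constructed rather than taken from a real server.

```shell
#!/bin/sh
# Added example, not code from the article or from ssh-audit: check the
# algorithms sshd actually offers against a denylist, and produce the
# trimmed sshd_config lines. "sshd -T" prints the effective configuration,
# one lowercase keyword per line. The sample below is constructed, not the
# output of a real server.

SAMPLE_SSHD_T='port 2002
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha1,diffie-hellman-group16-sha512
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,hmac-sha1'

# Denylist (an assumption of this example, modelled on ssh-audit's warnings):
# NIST P-curve key exchange, anything ending in SHA-1, CBC ciphers,
# 64-bit umac tags and MD5 MACs.
WEAK_PATTERNS='nistp|sha1$|-cbc$|^umac-64|md5'

# flag_weak_algos: stdin = sshd -T output. Prints "<keyword> <algorithm>"
# for every offered kex, cipher, MAC or host-key algorithm on the denylist.
flag_weak_algos() {
    awk -v pat="$WEAK_PATTERNS" '
        $1 == "kexalgorithms" || $1 == "ciphers" || $1 == "macs" || $1 == "hostkeyalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) if (algs[i] ~ pat) print $1, algs[i]
        }'
}

# hardened_line: stdin = sshd -T output, $1 = keyword. Prints the same
# list with denylisted entries removed; sshd_config keywords are
# case-insensitive, so the line can be pasted in as is.
hardened_line() {
    awk -v key="$1" -v pat="$WEAK_PATTERNS" '
        $1 == key {
            out = ""
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] !~ pat) out = out (out == "" ? "" : ",") algs[i]
            print key " " out
        }'
}

# Usage on a live host (as root): sshd -T | flag_weak_algos
# After editing sshd_config and reloading sshd, rerun sshd -T to confirm
# the flagged entries are gone before trusting a clean ssh-audit run.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SSHD_T" | flag_weak_algos
    for k in kexalgorithms ciphers macs; do
        printf '%s\n' "$SAMPLE_SSHD_T" | hardened_line "$k"
    done
fi
```

Run with --demo, the sample produces six flagged entries (both nistp curves, the group14-sha1 exchange, aes128-cbc, umac-64 and hmac-sha1) and three hardened lines, the key-exchange one reading "kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512". Working from sshd -T rather than from sshd_config matters because it reflects defaults and Include files, which is also what ssh-audit sees from the network.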
Uphold the Law
An excellent addition to the available tools for scanning SSH servers is a lightweight tool called ScanSSH [7]. To install ScanSSH on Debian Linux, I use the following command:
$ apt install scanssh
To run ScanSSH without extra options, use this command:
$ scanssh -s ssh 18.XX.XX.XX:2002
Figure 6 shows some of the help options for ScanSSH. The tool provides some impressive proxy detection support, in addition to scanning multiple servers for SSH server version banners, which are presented at connection time.