How an intruder attacks SSH

Brute Force

© Lead Image © imaginariumphoto, 123RF.com

Article from Issue 282/2024

Sometimes the only way to break into an SSH server is through brute force – and yes, there are tools for that.

One particular Linux service needs no introduction: Secure Shell (SSH) is synonymous with logging into remote Linux devices of all varieties. You can use SSH to log into a Raspberry Pi, a mail server, a web server, or even embedded Linux devices such as those running Internet of Things (IoT) applications.

SSH emerged in the 1990s, when it became clear that unencrypted Telnet was unsuitable for use across the open Internet. SSH version 1 was popular for years, but experts eventually warned that it had security problems of its own, including weaknesses that exposed sessions to man-in-the-middle attacks, and SSH version 2 was a major rewrite of the protocol to address them. In the Linux world, the SSH software of choice for both client and server is OpenSSH [1].

This article looks at some of the approaches attackers and ethical hackers use to compromise SSH servers. I will also look at how to prevent a common type of attack against SSH servers. It should go without saying: Only use the tools discussed in this article on servers that you own or explicitly have permission to test against. A number of these approaches could cause downtime or ultimately lock you out of the target SSH instance.

Serve the Public Trust

Imagine that an attacker has gained access to a device on a Local Area Network (LAN). One of the attacker's first tasks is to probe the network for other devices that can be reached and taken over in turn, what's called lateral movement.

A number of tools are specifically designed for scouting out SSH servers, and I will describe these tools later in this article. But first, I'll look at an uber-efficient tool that an attacker might use first to uncover other vulnerable servers in addition to SSH. The tool is called masscan [2], and I use it before doing anything else because it can highlight open ports on IP addresses in a matter of seconds. At that point, I can sort the wheat from the chaff very quickly and focus my attention on items of interest.

On Debian Linux derivatives, like Ubuntu Linux, you can install masscan using the following command:

$ sudo apt install -y masscan

The GitHub repository suggests that you can also build masscan on other Linux distributions. Use the following commands (assuming git, make, and gcc are present on your system):

$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make

masscan has a limited number of dependencies, so it is relatively simple to install; refer to the README if you have any questions. Note that masscan sends and captures raw packets, so it has to run as root (or via sudo) whatever the prompt in the examples below suggests.

Once masscan is installed, you can get some practice by trying it out on a Capture the Flag (CTF) exercise at the inimitable TryHackMe [3] website. I use the following command to focus on one specific IP address:

$ IP="10.10.XX.XX"; masscan -p0-65535 --rate 10000 ${IP} -e tun0 --router-ip 10.11.0.1

In the preceding example, I append -e tun0 --router-ip 10.11.0.1 only because I use one virtual private network (VPN) for the public Internet and a second VPN into the CTF network; with two tunnels up, masscan cannot work out on its own which interface and gateway to send through, so it has to be told. To find the tunnel interface (shown as tun0) and the gateway address for --router-ip, run ip a and look at the output. The tunnel is either tun0 or tun1, and I use the first host address of the tunnel's subnet as the gateway address. Or, simply switch off one of the VPNs to disentangle your local routing configuration if that makes life easier.
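The rule just described (first host of the tunnel's subnet, or the peer address on a point-to-point tunnel) is easy to get wrong by hand, so here it is as an added shell example. It is not code from the article; it assumes POSIX sh with 64-bit arithmetic (dash or bash) and, for live use, iproute2's ip command. The ip(8) output and all addresses in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article: derive the -e IFACE --router-ip GW
# tail for masscan from `ip a` output, using the rule in the text (first host
# of the tunnel's subnet) or the peer address of a point-to-point tunnel.
# Assumes POSIX sh with 64-bit arithmetic; sample data below is constructed.

# Dotted quad <-> integer helpers for the subnet arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# first_host ADDR PREFIX: first usable address of ADDR's subnet, e.g.
# `first_host 10.11.45.67 16` prints 10.11.0.1. Refuses /31 and /32, which
# have no host range to guess a gateway from.
first_host() {
    prefix=$2
    [ "$prefix" -le 30 ] || { echo "/$prefix has no usable host range" >&2; return 1; }
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    addr=$(ip2int "$1")
    int2ip $(( (addr & mask) + 1 ))
}

# gateway_from_ip_output: stdin = `ip -4 addr show dev tunX` text. A
# point-to-point tunnel that advertises a peer gives the gateway directly;
# otherwise fall back to the first host of the advertised subnet.
gateway_from_ip_output() {
    while read -r line; do            # read strips the leading indentation
        case $line in
            "inet "*" peer "*)
                set -- $line          # inet A.B.C.D peer W.X.Y.Z/32 scope ...
                echo "${4%%/*}"; return 0 ;;
            "inet "*)
                set -- $line          # inet A.B.C.D/NN scope ...
                first_host "${2%%/*}" "${2##*/}"; return ;;
        esac
    done
    echo "no IPv4 address on interface" >&2
    return 1
}

# Constructed `ip -4 addr show dev tun0` output for a /16 CTF tunnel like the
# one in the text (addresses made up for the example).
SAMPLE_TUN0='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.11.45.67/16 scope global tun0
       valid_lft forever preferred_lft forever'

# masscan_router_args IFACE [IP_OUTPUT]: prints "-e IFACE --router-ip GW".
# Queries the live interface unless the ip(8) text is passed in, as in the
# sample call below.
masscan_router_args() {
    iface=$1; ip_text=${2:-$(ip -4 addr show dev "$iface")}
    gw=$(printf '%s\n' "$ip_text" | gateway_from_ip_output) || return 1
    echo "-e $iface --router-ip $gw"
}

# Sample use (prints "-e tun0 --router-ip 10.11.0.1"); live use would be:
#   sudo masscan -p0-65535 --rate 10000 "$IP" $(masscan_router_args tun0)
masscan_router_args tun0 "$SAMPLE_TUN0"
```

The peer case matters for OpenVPN-style tunnels, where ip a shows "inet 10.8.0.6 peer 10.8.0.5/32" rather than a subnet; there the peer is the gateway and the first-host guess would be wrong.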

In the preceding example, ${IP} holds the single target address, and masscan is asked to run through all 65,536 TCP ports (0 through 65535) at a good rate. Listing 1 shows a scan against my localhost as an example.

Listing 1

Using masscan against localhost

$ IP="127.0.0.1"; masscan -p0-65535 --rate 10000 ${IP}
Starting masscan 1.3.2 (http://bit.ly/14GZzcT)
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]

Of course, scanning one IP address isn't much use when you only have a short window of opportunity to attack a whole subnet. Also, in this case I am specifically looking for SSH servers: the default SSH port is TCP 22, and administrators who move it commonly pick something in the TCP 2000-3000 range. Listing 2 reflects both points in a refined command.

Listing 2

Scanning for SSH

$ masscan -p22,2000-3000 127.0.0.1/8
Starting masscan 1.3.2 (http://bit.ly/14GZzcT)
Initiating SYN Stealth Scan
Scanning 16777216 hosts [1002 ports/host]

If you append --echo > masscan.conf to a command, masscan writes its resolved configuration to the file instead of scanning, which gives you a reusable configuration file. Listing 3 shows the contents of masscan.conf for the command in Listing 2 (the rate of 100 is the default, because no --rate was given).

Listing 3

masscan.conf

seed = 535234345767656361
rate = 100
shard = 1/1
nocapture = servername
# TARGET SELECTION (IP, PORTS, EXCLUDES)
ports = 22,2000-3000
range = 127.0.0.0/8

Rather than entering a long, complex command at the command line, you can use the configuration file, as follows:

$ masscan -c masscan.conf --rate 10000

You can also have masscan grab service banners from the open ports it finds with the --banners option. Have a look at the README.

Protect the Innocent

Imagine you have identified a couple of SSH servers using masscan and want to look closely at how SSH is set up. At this point, I would turn to a tool called ssh-audit [4]. I think you might be surprised at how much information you can get from an SSH server.

There are several options for installing ssh-audit. I'll use the Python package manager, pip, as shown in Listing 4.

Listing 4

Installing ssh-audit

$ pip3 install ssh-audit
Collecting ssh-audit
  Downloading ssh_audit-2.9.0-py3-none-any.whl (97 kB)
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.0/98.0 kB 317.3 kB/s eta 0:00:00
Installing collected packages: ssh-audit
Successfully installed ssh-audit-2.9.0

If you don't have pip installed, you can use the following command on Debian Linux derivatives:

$ sudo apt install -y python3-pip

On Debian 12 and later, pip refuses to install into the system Python (the "externally-managed-environment" error); use pipx install ssh-audit or a virtual environment instead.

Once the installation is complete, the --help flag (or -h) lists the available options (Figure 1).

Figure 1: Abbreviated help output for ssh-audit.

As you can see in Figure 1, ssh-audit offers several options. Its developer, Joe Testa [5], also maintains a website [6] that runs the tool against a server you specify. Figure 2 shows the splash page.

Figure 2: Online scanning with ssh-audit. © https://www.ssh-audit.com

As Figure 3 shows, the site can also check a server against policies written for specific operating system and OpenSSH versions.

Figure 3: Profiles to test against with ssh-audit. © https://www.ssh-audit.com

To scan several servers in one run, put one HOST:PORT entry per line in a text file and pass it with -T:

$ ssh-audit -T server-list.txt
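The natural way to build that target file is from the masscan sweep in Listing 2. The following is an added shell example, not code from the article or from either tool: it assumes masscan was run with -oL FILE, whose plain list output has one line per open port in the form "open tcp PORT IP TIMESTAMP", and it keeps only the ports the text treats as SSH candidates (22 and 2000-3000). The masscan output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article: convert masscan's list output (-oL)
# into the HOST:PORT file that `ssh-audit -T` reads. Assumes the -oL line
# format "open tcp PORT IP TIMESTAMP"; the sample data below is constructed.

# is_ssh_port PORT: the text's SSH candidates, TCP 22 and 2000-3000.
is_ssh_port() {
    case $1 in
        22|2[0-9][0-9][0-9]|3000) return 0 ;;
        *) return 1 ;;
    esac
}

# masscan_to_targets: stdin = masscan -oL output, stdout = sorted, unique
# host:port lines. masscan can report the same port twice (retransmitted
# SYN/ACKs), so duplicates are collapsed before the list reaches ssh-audit.
masscan_to_targets() {
    awk '$1 == "open" && $2 == "tcp" { print $4 ":" $3 }' |
    while IFS= read -r target; do
        if is_ssh_port "${target##*:}"; then
            printf '%s\n' "$target"
        fi
    done | sort -u
}

# build_target_list MASSCAN_LIST SERVER_LIST: writes the ssh-audit target
# file and prints the number of targets found.
build_target_list() {
    masscan_to_targets < "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Constructed sample of the -oL output from a sweep such as
#   sudo masscan -p22,80,2000-3000 --rate 10000 10.0.0.0/24 -oL masscan.lst
# (addresses and timestamps made up). Port 80 is there to show it is dropped,
# and 10.0.0.5:22 is listed twice to show de-duplication.
SAMPLE_MASSCAN='#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 2222 10.0.0.9 1700000001
open tcp 80 10.0.0.5 1700000002
open tcp 22 10.0.0.5 1700000003
# end'

# Prints:
#   10.0.0.5:22
#   10.0.0.9:2222
# Live use: build_target_list masscan.lst server-list.txt && ssh-audit -T server-list.txt
printf '%s\n' "$SAMPLE_MASSCAN" | masscan_to_targets
```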

I'm going to test against one OpenSSH server that I have running on Debian Linux, using TCP port 2002. The server is completely patched and up-to-date. I use the following command:

$ ssh-audit 18.XX.XX.XX:2002

Figure 4 shows the first part of the output for this command.

Figure 4: The comprehensive ssh-audit is weaving its magic.

At the top of the output, the orange-colored text lists well-known vulnerabilities that ssh-audit associates with this version of OpenSSH (note that this is the latest Debian Linux package of OpenSSH): CVE-2021-41617 (reported with a CVSS score of 7.0, privilege escalation via supplemental groups) and CVE-2016-20012 (score 5.3, username enumeration via challenge-response). See the Common Vulnerabilities and Exposures (CVE) project if you want more information on either. Bear in mind that ssh-audit matches these against the version string in the server's banner, and distributions such as Debian backport security fixes without changing that version number, so a flagged CVE may already be patched on the host; check the package changelog before treating it as an open finding.

The red-colored text concerns the key exchange algorithm ecdh-sha2-nistp256, which ssh-audit marks as "[fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency."

The bottom of the output gives solid advice about which algorithms should be removed (Figure 5).

Figure 5: Recommendations about algorithms from ssh-audit.

As Figure 5 demonstrates, even with hardening in place, there are a number of issues of concern. The README covers some other powerful features of ssh-audit and how to get started with them.
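Acting on those recommendations means restricting the algorithm lists in the sshd configuration, and the warning at the start of this article applies: a typo there locks you out. The following is an added shell example, not code from the article or from the ssh-audit project. It writes a drop-in that keeps only algorithms ssh-audit does not flag, checks the drop-in for NIST P-curve, SHA-1, CBC and MD5 entries before installing it, and backs it out if sshd -t rejects it. It assumes OpenSSH 8.2 or newer with Include /etc/ssh/sshd_config.d/*.conf in sshd_config (the Debian default); the algorithm selection is my own and should be confirmed against ssh -Q kex, ssh -Q cipher and ssh -Q mac on the target host.

```shell
#!/bin/sh
# Added example, not from the article: an sshd hardening drop-in that removes
# the algorithms ssh-audit flags, a check that the drop-in really contains
# none of them, and an install step that rolls back if sshd rejects it.
# Assumes OpenSSH >= 8.2 with sshd_config.d includes; algorithm list is the
# author of this example's choice, not the article's.

# Print the hardened drop-in: curve25519 or large FFDHE groups for key
# exchange, AEAD and CTR ciphers, encrypt-then-MAC SHA-2 MACs, and Ed25519 or
# RSA-with-SHA-2 host keys. Nothing here touches the NIST P-curves.
ssh_hardening_conf() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/10-hardening.conf (written by install_hardening)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
EOF
}

# check_no_weak_algs: stdin = an sshd config. Returns 1 if any algorithm
# line still names a NIST P-curve, SHA-1, CBC, MD5, ssh-rsa or ssh-dss
# entry (the classes ssh-audit reports as [fail] or [warn]), else 0.
check_no_weak_algs() {
    ! awk 'tolower($1) ~ /^(kexalgorithms|ciphers|macs|hostkeyalgorithms)$/ { print $2 }' |
      tr ',' '\n' |
      grep -Eiq 'nistp|sha1|cbc|md5|^ssh-rsa|^ssh-dss'
}

# install_hardening [PATH]: write the drop-in, validate the whole sshd
# configuration with `sshd -t`, and remove the drop-in again on failure so a
# bad line cannot lock you out of the host. Run as root.
install_hardening() {
    dropin=${1:-/etc/ssh/sshd_config.d/10-hardening.conf}
    ssh_hardening_conf | check_no_weak_algs || {
        echo "refusing to install: weak algorithm left in drop-in" >&2; return 1; }
    ssh_hardening_conf > "$dropin"
    if ! sshd -t; then
        rm -f "$dropin"
        echo "sshd rejected the configuration; $dropin removed" >&2
        return 1
    fi
    echo "installed $dropin; apply with: systemctl reload ssh" >&2
}

# Sample use: print the drop-in and confirm it passes the check.
ssh_hardening_conf
ssh_hardening_conf | check_no_weak_algs && echo "# drop-in passes check_no_weak_algs"
```

Keep an existing SSH session open while you reload sshd, and re-run ssh-audit against the host afterwards: the drop-in only restricts algorithms, so the CVE lines at the top of its report are unaffected and need the package-level check described above.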

Uphold the Law

An excellent addition to the available tools for scanning SSH servers is a lightweight tool called ScanSSH [7]. To install ScanSSH on Debian Linux, I use the following command:

$ sudo apt install scanssh

To run ScanSSH with its SSH version scanner selected (-s ssh) and no further options, use this command:

$ scanssh -s ssh 18.XX.XX.XX:2002

Figure 6 shows some of the help options for ScanSSH. Besides collecting the version banners that SSH servers present at connection time from many hosts in one run, the tool provides impressive detection of open proxies.

Figure 6: ScanSSH can also work with proxies.
