Hacking SSH Server.


michael_kent123

I understand how SSH servers work - they provide a tunnel between the client and the final destination. All traffic between the client and the SSH server is encrypted.

However, I'm not sure what the advantages would be in hacking someone else's SSH server?

I ask because you have the option to target SSH in the Medusa brute force program.

Thanks!


If you can get access to someone's SSH server, especially if it is root access, it's game over and you are the man. Think of it as being able to do anything to that machine that you could do if you were physically there (besides installing or removing hardware such as RAM).


That is one way. Assuming that the server is running Apache, you could also attempt to upload a shell and hope that the person who wrote the site knows very little about permissions, so the owner of the shell is root. Once the shell is uploaded you could change the password for the root user and log in. If this isn't a corporate system it could go unnoticed for a while; however, you are leaving behind a sign that the system was compromised and it will eventually be found.


I see. So, the point is, that it's assumed that if one has access to the SSH server then one is legitimately able to manage whatever the server re-directs the user to.

Medusa also has modules for a variety of services. Some of these are obvious like FTP, Telnet, and VNC.

But I'm not sure how you would use HTTP. The manual says:

The HTTP module tests accounts against HTTP/HTTPS services using BASIC-AUTH, integrated windows authentication (NTLM) and digest (MD5 and MD5-sess).

I don't really understand this. How does one 'log in' to HTTP?

Thanks.

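To make the Medusa manual excerpt concrete, here is an added example (not from this thread or from Medusa) of what "logging in to HTTP" looks like on the wire and how a server validates it. Basic auth is just a base64-encoded `user:password` in the `Authorization` header; Digest auth (RFC 2617) sends an MD5 of the credentials mixed with a server nonce instead. The user name, realm, password, nonce and credential store below are constructed for the example; the verification functions compare in constant time and hash the password even for unknown users.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Server-side credential record: salted PBKDF2, never the plaintext."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed credential store for the example.
USERS = {"alice": make_record("correct horse battery staple")}


def build_basic_header(user: str, password: str) -> str:
    """What a client sends for Basic auth: base64 is encoding, not encryption,
    which is why Basic auth is only acceptable over HTTPS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def verify_basic(authorization: str) -> bool:
    """Server side: decode the header and check it against the stored hash."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    record = USERS.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal which account names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: the server keeps HA1 (not the password) and recomputes
    the expected response for the nonce it issued."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = build_basic_header("alice", "correct horse battery staple")
    print(hdr, "->", verify_basic(hdr))
    print(build_basic_header("alice", "wrong"), "->",
          verify_basic(build_basic_header("alice", "wrong")))
```

The point for a defender is that both schemes accept one guess per request, so the only server-side protections are strong credentials, TLS, and rate limiting or lockout on repeated failures from one client.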

Whenever you log in to a website you create what's called a session. I've never used Medusa personally, but from what you posted I am assuming it allows you to look at and modify the variables in the session. Also, I think that your view of SSH is a little obscured. SSH (Secure Shell) is a protocol that allows you remote access to a command line interface on a remote host. This host could be sitting 5 feet away from you or 500 miles away; it could even be the machine you are using. Think of it like whenever you are using a Linux distro and you open a terminal window: you can type commands and get output. That is exactly what SSH is, except it is sending the output over a network connection to a remote machine running an SSH client. Darren and Shannon did a whole class on SSH; you should check it out.

http://hak5.org/episodes/hak5-1108


I have found multiple SSH servers... but I have a rule of thumb... If it ain't my SSH... I ain't touching it (unless I have prior vuln assessment permissions). You do know that SSH is also a great way to send/receive illegal images (kiddie porn). I would err on the side of caution when it comes to SSH... you have NO clue what may be being sent... worse yet, if the SSH is coming from a corporation and the admin finds it... anyone who was engaged in the SSH can/will be charged (maybe even the MITM).

I am a cautious Kevin though... so do what is smart.


SSH access only gives you the permissions of the user you logged in with, and in some cases that's nothing other than their home folder. Not to mention, most systems keep a lastlog or a log of the last time that shell was logged into, and from what IP. It's sometimes possible to delete it, with a job you start before terminating the session, but 9 times out of 10 the file is locked, or not even in the home user's path if the admin configured things correctly. They can 1) log all login attempts, and 2) even send themselves an email when an account has been logged onto, as well as count brute force attempts, etc.

Unless you know the system, SSH is usually the last thing you want to go after, just because of the paper trail of bits. Pretty much any connection made can be picked up with a well configured system, firewalls and things like IDS, Snort, etc.

For learning purposes and educational use of a tool, set up a home lab of VMs and work it like a boss ;)

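The "paper trail of bits" in the post above is easy to see in practice. Here is an added example (not from this thread) of the login-attempt counting an admin can run over OpenSSH's auth log: it parses `Failed`/`Accepted` lines, tallies failures per source address, flags addresses over a threshold, and separately reports any successful login that came after failures from the same address (the pattern a brute force that eventually works leaves behind). The log lines, host name, addresses and key fingerprint are constructed for the example.

```python
import re
from collections import Counter

# Constructed OpenSSH auth.log excerpt (no real hosts or keys).
SAMPLE_LOG = """\
Mar  3 10:14:01 lab sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:03 lab sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:14:05 lab sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:14:07 lab sshd[2216]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:14:09 lab sshd[2218]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:14:11 lab sshd[2220]: Failed password for root from 203.0.113.7 port 51032 ssh2
Mar  3 10:14:13 lab sshd[2222]: Accepted password for root from 203.0.113.7 port 51034 ssh2
Mar  3 10:20:30 lab sshd[2240]: Failed password for michael from 198.51.100.22 port 60001 ssh2
Mar  3 10:20:35 lab sshd[2242]: Accepted publickey for michael from 198.51.100.22 port 60003 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
Mar  3 10:25:00 lab sshd[2250]: Accepted publickey for michael from 192.0.2.10 port 40112 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
"""

# Matches the standard sshd outcome lines; "invalid user" is optional because
# sshd only adds it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line: str):
    """Return a dict of the interesting fields, or None for lines we ignore."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, threshold: int = 5) -> dict:
    """Count failures per source IP and note successes that follow failures."""
    failed_by_ip = Counter()
    success_after_failures = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        ip = event["ip"]
        if event["result"] == "Failed":
            failed_by_ip[ip] += 1
        elif failed_by_ip[ip] > 0:
            # A login that succeeded only after earlier failures from the
            # same address is the one worth an admin's attention.
            success_after_failures.append((ip, event["user"], failed_by_ip[ip]))
    flagged = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    return {
        "failed_by_ip": dict(failed_by_ip),
        "flagged": flagged,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["failed_by_ip"].items():
        print(f"{ip}: {n} failed attempt(s)")
    print("over threshold:", report["flagged"])
    for ip, user, n in report["success_after_failures"]:
        print(f"ALERT: {user} logged in from {ip} after {n} failure(s)")
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) instead of the sample, and the threshold and the "success after failures" list are exactly what tools such as fail2ban and the email hooks mentioned above key on.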
