Exercise 11: Exploiting Weak SSH Configurations

Objective: Identify and exploit weak SSH configurations to gain unauthorized access, and learn how to harden SSH settings to mitigate such vulnerabilities.

Scenario: You are tasked with assessing the security of an SSH service running on a Linux system. The service may be misconfigured with weak settings or use insecure authentication methods. Your goal is to identify these weaknesses, exploit them, and implement best practices to secure the SSH service.

Lab Setup

1. Environment:
   • A Linux system with SSH enabled.
   • Weak SSH configurations (e.g., allowing root login or password authentication).
2. Tools Required:
   • hydra or medusa for brute-force attacks.
   • Access to a private key for testing.

Lab Steps

Step 1: Review SSH Configuration

Inspect the SSH configuration file for weak settings:

sudo cat /etc/ssh/sshd_config

Look for the following:

PermitRootLogin: If set to yes, root login is allowed.

PasswordAuthentication: If set to yes, password-based logins are enabled.

Ciphers and MACs: Check for outdated or weak algorithms (e.g., arcfour or cbc ciphers).

Example weak configuration:

PermitRootLogin yes 
PasswordAuthentication yes 
Ciphers aes128-cbc

Restart the SSH service if configuration changes are made: sudo systemctl restart sshd

Step 2: Attempt a Brute-Force Attack

Use hydra or medusa to brute-force SSH login:

Hydra example:

hydra -l root -P /path/to/wordlist.txt ssh://<target_ip>

Replace <target_ip> with the target system’s IP address.

-l: Specify the username (e.g., root).

-P: Provide a password wordlist.

Medusa example:

medusa -h <target_ip> -u root -P /path/to/wordlist.txt -M ssh

Observe the results to identify valid credentials.

Example success output:

[22][ssh] Host: <target_ip> Login: root Password: password123

Log in using the identified credentials:

ssh root@<target_ip>

Step 3: Exploit Unprotected Private Keys

Locate an unencrypted private key file (e.g., id_rsa) on the target system or as part of the provided setup.

Use the private key to authenticate:

ssh -i /path/to/id_rsa <user>@<target_ip>

If successful, you should gain access as the specified user.

Verify with:

whoami

Step 4: Harden SSH Configurations

Disable root login in /etc/ssh/sshd_config:

PermitRootLogin no

Enforce key-based authentication:

PasswordAuthentication no

Use strong encryption algorithms:

Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

Restart the SSH service:

sudo systemctl restart sshd

Test the hardened configurations by attempting to log in with root or password-based authentication.

Solution

Explanation:

• Weak SSH configurations, such as allowing root login or password authentication, expose the system to brute-force attacks and unauthorized access.
• Unprotected private keys further weaken authentication security.

Prevention:

Disable Root Login: Prevent direct root access by setting PermitRootLogin no.

Enforce Key-Based Authentication:

Generate SSH key pairs:

ssh-keygen -t rsa -b 4096

Copy the public key to the target system:

ssh-copy-id user@<target_ip>

Use Strong Encryption Algorithms: Avoid weak ciphers and MACs.

Monitor and Audit Logs: Track login attempts using:

sudo tail -f /var/log/auth.log

Testing and Verification

Attempt to brute-force SSH after hardening to confirm mitigation.

Test key-based authentication to ensure proper configuration.

Verify that weak ciphers are no longer supported using:

ssh -Q cipher

Reflection

This exercise demonstrates the risks of weak SSH configurations and provides practical steps to exploit and secure the service. By completing this lab, you’ve gained valuable insights into improving the security of SSH on Linux systems.