What is SSH?
SSH stands for secure shell. It is a protocol that allows us to log into computers via the command line. SSH is extremely popular. It first appeared in the mid-90s as a sort of replacement of a way of connecting a remote machine over the internet. Up until that time, the technologies used for remote connections were insecure. For example telnet, rlogin, RSH, and so on. But these are clear text protocols, they get transmitted in clear texts over the internet. So, if you logged into a remote machine the data gets insecure. The attacker can sniff the data including sensitive information such as credit card details or passwords by network sniffing tools.
SSH Protocol : Basics
1} SSH is a cryptographic network protocol for operating network services securely over an unsecured network.
2} The best alternative to the non-protected login protocols such as telnet, RSH, etc and insecure file transfer like FTP.
3} SSH works on Client-Server architecture.
4} It uses public-key cryptography asymmetric key encryption to connect to remote machines.
How Secure Shell works?
When the user tries to login through SSH in a remote machine, a TCP connection between those two machines gets opened up. The user can also define the type of encryption according to which we can remote into a machine. The SSH packets get divided into five parts, packet length, padding amount, payload, padding, and message authentication code. The user can also define payload compression according to specified compression algorithms. Then the whole packet, excluding the length gets encrypted while the connection persists. At the other end, the server decrypts the data and reads the packets.
Then the user opens the series of data channels in which data gets transferred. This allows the user to have multiplex multiple connections over SSH. Like multithreading in java, we can have multiple connections over the same devices in the network. So, you can have multiple connections made over SSH. And if the same connection is re-established, it reuses the existing connection and multiplexes the two connections. It can start and stop TCP connections over the other addresses, in both directions. The reason for all this functionality is because particularly in Unix or Linux based environments, the user may just want to remote into that machine and use it by command line.
SSH Bruteforcing
Bruteforcing uses the trial and error method. The attacker tries to guess the possible passphrases and use it to generate passwords. These passwords get worked through all the possible permutations and combinations in order to generate the right one. This is one downside to SSH. If you use a weak password then the attacker can easily break into it. After gaining server access through SSH the attacker can possibly gain a persistence reverse shell connection over the machine.
The following are the steps for brute-forcing into SSH remotely:
1} The attacker gets the IP address of the victim machine through reconnaissance.
2} Then the attacker generates a list or a dictionary of all the possible combinations of passphrases using tools like crunch.
3} An attacker then brute-force the SSH remotely by using the list of passwords generated in the previous step.
4} After a successful brute-force attack, the attacker then tries to get a reverse shell connection from the victim machine.
5} Then if the reverse connection is successful, the attacker tries to get a persistent connection over the victim machine.
The top tools the attacker can use for brute-forcing SSH include NMAP, HYDRA, Metasploit Framework, etc. Most of the iPhone or Mac systems contain SSH with default passwords set in it. And most of the users don’t know it. So, in most cases, the attacker can SSH remotely into these devices and exploit the system.
How to defend against SSH Bruteforcing attack?
The user can disable the root access in order to give less access to the attacker even if the machine gets compromised in SSH brute-forcing. The user can disable SSH client server service if not in use. The user can also change the default port on which SSH runs. This will help in mitigating the automated scanning on default SSH port. Using a strong password is always a great way to mitigate such attacks.
