Sometimes the best way to gain lateral movement during a penetration test is to steal a password. Here’s how to sniff passwords from a running SSH server.
If you’ve managed to gain a remote shell on a Linux server and elevated your privileges to root (congrats!), the next step is to maintain your access and move laterally around the network. If you’ve been unable to find anything on the compromised server that would indicate a password for any system, including the compromised server itself, you can always try to sniff SSH passwords straight out of OpenSSH. You can even do this while attacking password hashes offline. I always prefer multiple options that race each other to the correct answer.
The Reality of SSH Passwords
Lateral movement through OpenSSH password sniffing is a very viable concept because:
- People use the same username and password combinations on multiple systems.
- Passwords often follow a common pattern, which can be used to predict other passwords on the estate.
- People type valid passwords into the wrong servers.
- Given enough time, someone will always log in.
There are exceptions to the above, but unfortunately most organisations are not that mature.