Tag Archives: ssh

Hydra – Socket error: Connection reset by peer

Posted on by
Reply

[VERBOSE] Disabled child 2 because of too many errors
[VERBOSE] Disabled child 6 because of too many errors
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error

Looks like the issue can happen if you have too many threads going at once. Lower the amount of threads your using with -t. Recommended amount for ssh is 4.

hydra -L usernames.txt  -P "passwords.txt" 192.168.1.20 ssh -t4

How To Fix no matching cipher found. Their offer: aes128-cbc,3des-cbc…

Posted on by
Reply

When trying to SSH to older devices like a Ubiquiti Bullet2, you may receive an error saying

no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc

The work around is to manually specify the cipher with the “-c” option. You will also probably need to specify the KexAlgorithm “Key Exchange Algorithm”

ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.20

You can see what ciphers SSH supports by running “ssh -Q cipher”

Example output

ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

More information
https://www.openssh.com/legacy.html

Change Channel Width on Ubiquiti AC CPE Over SSH

Posted on by
Reply

SSH into CPE

ssh ubnt@192.168.1.20

open up the “/tmp/system.cfg” file

vi /tmp/system.cfg

Find the “radio.1.chanbw=” line and change to the following

radio.1.chanbw=10

Note: it may say “radio.1.chanbw=0” that looks to be the default and works for 20mhz

exit file with 

esc + :wq + Return or Enter

Save settings with 

/usr/etc/rc.d/rc.softrestart save

Change AP to 10Mhz and the CPE should reconnect.

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Posted on by
Reply

Work around is to use the -o option and specify KexAlgorithms with the correct option.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.11.1

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0#340853

List of errors from devices

The following are errors that are returned when trying to ssh to a device.

Cambium 450i PMP Equipment

Unable to negotiate with 192.168.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

How To Fix “no matching host key type found. Their offer: ssh-rsa,ssh-dss”

Posted on by
Reply

2023 Update: Recent versions of REHL have completely disabled DES which can cause issues even when using the +ssh-rsa or +ssh-rsa. You can use the following command to enable SHA1, however, upgrading the server would be recommended. 

update-crypto-policies --set DEFAULT:SHA1

Reason for it not working is some of the older weaker SSH encryption algorithms have been disabled. You can allow ssh to use it by specifying the following option.

 -oHostKeyAlgorithms=+ssh-dss

The whole command would look like

ssh  -o HostKeyAlgorithms=+ssh-dss root@192.168.111.4

http://www.openssh.com/legacy.html

https://askubuntu.com/questions/836048/ssh-returns-no-matching-host-key-type-found-their-offer-ssh-dss#836064

Mikrotik hAP – Change SSID via command line

Posted on by
Reply

Problem – Need 2.4 Ghz network enabled and SSID set to WiFi. Wireless router is behind a NAT, using UNMS to ssh into the radio, and from the radio ssh into hAP. Enter/Return key not working to run commands, so running the commands over ssh from the radio.

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless print'
admin@192.168.88.2's password: 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3 
      arp=enabled interface-type=Atheros AR9300 mode=station ssid="MikroTik" 
      frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2 
      arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi" 
      frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless set disabled=no ssid=WiFi wlan1'
admin@192.168.88.2's password: 
WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless print'
admin@192.168.88.2's password: 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3 
      arp=enabled interface-type=Atheros AR9300 mode=station ssid="WiFi" 
      frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2 
      arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi" 
      frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless registration-table print'
admin@192.168.88.2's password: 
 # INTERFACE           RADIO-NAME       MAC-ADDRESS       AP  SIGNAL... TX-RATE
 0 wlan2                                A7:32:54:EE:E4:35 no  -77dBm... 18Mbps 
 1 wlan2                                34:7A:F4:43:AD:81 no  -69dBm... 6Mbps  

WA.v8.4.2# exit

Ubiquiti AirMax – Set radio to use DHCP from command line

Posted on by
Reply

Gain access to radio via ssh

ssh ubnt@192.168.1.20

open up the /tmp/system.cfg

vi /tmp/system.cfg

Delete the following line. To move the cursor to the following line and type “dd” and vi will delete the whole line.

dhcpc.status=disabled

Add the following 5 lines. Hit “i” to enter vi insert mode.
br0 should be correct interface in most scenarios.

dhcpc.1.devname=br0          
dhcpc.1.fallback=192.168.1.20         
dhcpc.1.fallback_netmask=255.255.255.0
dhcpc.1.status=enabled      
dhcpc.status=enabled

Save the file by hitting esc and then “:wq” followed by Return/Enter

Save the config changes and reboot the radio so it pulls an address.

/usr/etc/rc.d/rc.softrestart save && reboot

Hydra – SSH Example

Posted on by
Reply

Hydra is a network login cracker. You’ll need a password list and username(s) to get started.

Install Hydra

sudo apt-get install -y hydra

Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file

SSH Example

hydra -l ubnt -P password.lst 192.168.1.20 ssh

Run hydra -h to get the full help.

Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
 Options:
   -R        restore a previous aborted/crashed session
   -I        ignore an existing restore file (don't wait 10 seconds)
   -S        perform an SSL connect
   -s PORT   if the service is on a different default port, define it here
   -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
   -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
   -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
   -y        disable use of symbols in bruteforce, see above
   -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
   -u        loop around users, not passwords (effective! implied with -x)
   -C FILE   colon separated "login:pass" format, instead of -L/-P options
   -M FILE   list of servers to attack, one entry per line, ':' to specify port
   -o FILE   write found login/password pairs to FILE instead of stdout
   -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
   -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
   -t TASKS  run TASKS number of connects in parallel per target (default: 16)
   -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
   -w / -W TIME  wait time for a response (32) / between connects per thread (0)
   -c TIME   wait time per login attempt over all threads (enforces -t 1)
   -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
   -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
   -O        use old SSL v2 and v3
   -q        do not print messages about connection errors
   -U        service module usage details
   -h        more command line options (COMPLETE HELP)
   server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
   service   the service to crack (see below for supported protocols)
   OPT       some service modules support additional input (-U for module help)
 Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
 v3.0. The newest version is always available at http://www.thc.org/thc-hydra
 Don't use in military or secret service organizations, or for illegal purposes.
 These services were not compiled in: afp ncp oracle sapr3.
 Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
 E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
      % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
      % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
      % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
 Examples:
   hydra -l user -P passlist.txt ftp://192.168.0.1
   hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
   hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
   hydra -l admin -p password ftp://[192.168.0.0/24]/
   hydra -L logins.txt -P pws.txt -M targets.txt ssh

Ubiquiti AirOS – “test” changes from command line

Posted on by
Reply

The following is a method to recover from a command that may inadvertenly make a radio go offline.

The idea is to launch a process in the background that sleeps for 5 minutes and then reboots the radio, so any changes not saved will be reverted. If the changes were successful, you’ll just need to log back in and kill the background process to keep the device from rebooting.

This can be helpful if your changing networking settings using ifconfig, trying to change routes, or something went wrong while trying to apply a system.cfg setting.

Commands

sleep 300 && reboot &

Execute whatever command you need to. i.e.

ifconfig 192.168.1.100

If your command worked you can log back into the device and search for the process id of the sleep command and kill it so the radio doesn’t reboot.

ps | grep sleep

Example output

2XC.v8.5.12# ps | grep sleep
   412 admin     1636 S    sleep 500
   414 admin     1640 S    grep sleep
 2XC.v8.5.12#

Kill the pid

kill 412