Page cover image

SSH

Key Points

  1. SSH-Related Processes:

    • Source Host: Processes like ssh.exe or third-party SSH client executables.

    • Destination Host: The SSH server process, typically sshd, handles incoming SSH connections.

  2. Important Registry Keys and Configuration Files:

    • Source Host: Registry keys for third-party SSH clients (e.g., PuTTY stores sessions in HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions).

    • Destination Host: Configuration file sshd_config located in the SSH installation directory.

  3. Event Log Analysis:

    • Windows does not natively log SSH connections in Event Viewer. However, third-party SSH server logs on the destination host can provide connection details.

  4. Alternate Secure Access Methods:

    • Awareness of other secure access methods like OpenVPN or WireGuard used for secure connections.

  5. Security Configuration:

    • Implementing strict access control and monitoring on SSH usage, especially for administrative access.

  6. Artifact Locations:

    • Locating SSH client and server logs, configuration files, and relevant registry entries is crucial for thorough forensic investigation.

Considerations

  • Security Implications: Unauthorized SSH access is a potential method for data exfiltration and lateral movement in cyber attacks.

  • Limited Windows Logging: Native Windows Event Logs do not typically record SSH activities, necessitating reliance on third-party logs and tools for monitoring.

  • Encryption: SSH encrypts all traffic, including login credentials, making network-based detection more challenging.

Technical Explanations

SSH on Windows

  • Windows 10 and Later: Integrated OpenSSH client (ssh.exe) and server (sshd).

  • Third-Party Applications: Applications like PuTTY, WinSCP, and Bitvise SSH Client are commonly used.

Log Analysis

  • SSH Server Logs: On the destination host, sshd logs can be found in the installation directory, providing details on connections, authentication, and errors.

  • Client Logs: Some SSH clients maintain logs of connection attempts and sessions.

Security Settings

  • Configuration Best Practices:

    • Restricting SSH access to specific users and groups.

    • Disabling root login over SSH.

    • Using key-based authentication instead of passwords.

  • Monitoring and Auditing:

    • Implementing centralized logging and monitoring solutions for SSH activities.

Example Logs

  • SSH Server Log Entry:

    Accepted password for user1 from 192.168.1.100 port 54022 ssh2
Session opened for user user1 by (uid=0)

  • PuTTY Session Registry Entry:

    HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\session_name
"HostName"="192.168.1.100"
"UserName"="user1"

Example Command Lines

  • Starting an SSH Session (Client):

ssh.exe [email protected]

  • Basic Connection

putty.exe -ssh username@hostname

  • Specifying a port

putty.exe -ssh username@hostname -P portnumber

  • Using a Private Key

putty.exe -ssh username@hostname -i C:\path\to\private_key.ppk

  • Saving Session Information

putty.exe -load "session_name"

  • Enabling X11 Forwarding

    • X11 forwarding is a feature of the SSH (Secure Shell) protocol that enables the graphical output of an application running on a remote server to be displayed on a local client machine.

putty.exe -ssh username@hostname -X
PreviousDestination System Artifacts - Quick ReferenceNextRouge Local Accounts

Last updated

Was this helpful?