hacktricks/pentesting/pentesting-ssh.md


# 22 - Pentesting SSH/SFTP
## **Basic Information**
**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that gives users a **secure way to access a computer over an unsecured network.**
**Default port:** 22
```text
22/tcp open ssh syn-ack
```
## **Enumeration**
### **Banner Grabbing**
```bash
nc -vn <IP> 22
```
### Public SSH key of server
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### Weak Cipher Algorithms
**nmap** reports this by default, but you can also use **sslscan** or **sslyze**.
### Shodan
* `ssh`
## Brute force usernames, passwords and private keys
### Username Enumeration
In some versions of OpenSSH you can perform a timing attack to enumerate users. You can use a Metasploit module to exploit this:
```text
msf> use scanner/ssh/ssh_enumusers
```
### [Brute force](../brute-force.md#ssh)
Some common SSH credentials are listed [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt), and below.
### Private/Public Keys BF
If you know an SSH private key that might be accepted, try it. You can use the nmap script:
```text
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
Or the MSF auxiliary module:
```text
msf> use scanner/ssh/ssh_identify_pubkeys
```
#### Known badkeys can be found here:
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
Look there for keys that may be valid on the victim machine.
## Default Credentials
| **Vendor** | **Usernames** | **Passwords** |
| :--- | :--- | :--- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password\#1, Password123\#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V\#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12\#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
## Config files
```text
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```
## SFTP
You can configure **SSH to behave as an SFTP** server, so some users will connect to the SFTP service (on port 22) instead of the SSH service.
You can even set a **chroot for the SFTP users**. A configuration example of SFTP users inside the file **/etc/ssh/sshd_config** can be seen in the following images.
All the **ots-\*** users will be jailed inside a **chroot**.
![](../.gitbook/assets/image%20%28197%29.png)
![](../.gitbook/assets/image%20%28337%29.png)
### SFTP Tunneling
If you have access to an SFTP server, you can also tunnel your traffic through it, for example using the usual local port forwarding:
```text
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
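The chroot configuration shown in the images above and the tunneling trick both come down to a few `sshd_config` settings. The following audit script is an added example (not from this page or from HackTricks): it parses `Match` blocks from a constructed `sshd_config` sample and flags jails that still let a user reach a shell or forward ports. The option names are real sshd_config keywords; the sample users and paths are made up.

```python
# Added example, not from the page: audit sshd_config "Match" blocks that jail
# users with ChrootDirectory, flagging settings that would still let a jailed
# SFTP user reach a shell or tunnel traffic. SAMPLE_SSHD_CONFIG is constructed.
SAMPLE_SSHD_CONFIG = """
Port 22
Subsystem sftp internal-sftp

Match User ots-*
    ChrootDirectory /home/sftp/%u
    ForceCommand internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]); keys lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                   # lines after Match belong to it
            current = {}
            blocks.append((value, current))
        else:
            (current if current is not None else global_opts)[key] = value
    return global_opts, blocks

def audit_sftp_chroots(text):
    """Map each chrooted Match block to the list of hardening gaps found."""
    global_opts, blocks = parse_sshd_config(text)
    findings = {}
    for criteria, opts in blocks:
        if "chrootdirectory" not in opts:
            continue                         # not a jail, out of scope here
        def effective(key, sshd_default):    # block value > global > sshd default
            return opts.get(key, global_opts.get(key, sshd_default)).lower()
        issues = []
        if effective("forcecommand", "none") != "internal-sftp":
            issues.append("ForceCommand internal-sftp missing: shell reachable")
        if effective("allowtcpforwarding", "yes") != "no":
            issues.append("AllowTcpForwarding not disabled: tunneling possible")
        findings[criteria] = issues
    return findings
```

On the sample, the `ots-*` jail is reported because `AllowTcpForwarding` defaults to `yes`, which is exactly what the port-forwarding command above relies on.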
### Symlink
The **sftp** client has the command "**symlink**". Therefore, if you have **write permissions** in some folder, you can create **symlinks** to **other folders/files**. As you are probably **trapped** inside a chroot this **won't be especially useful** on its own, but if you can **access** the created **symlink** from a **non-chrooted service** (for example, if you can reach the symlink from the web), you could **open the symlinked files through the web**.
For example, to create a **symlink** named "_froot_" pointing to "_/_":
```text
sftp> symlink / froot
```
If you can access the file "_froot_" via the web, you will be able to list the root ("/") folder of the system.