# 22 - Pentesting SSH/SFTP

## Basic Information

**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that gives users a **secure way to access a computer over an unsecured network.**

**Default port:** 22

```text
22/tcp open  ssh     syn-ack
```

## Enumeration

### Banner Grabbing

```bash
nc -vn <IP> 22
```

### Public SSH key of server

```bash
ssh-keyscan -t rsa -p <PORT> <IP>
```

### Weak Cipher Algorithms

This is discovered by default by **nmap**. But you can also use **sslscan** or **sslyze**.

### Shodan

* `ssh`

## Brute force usernames, passwords and private keys

### Username Enumeration

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

```text
msf> use scanner/ssh/ssh_enumusers
```

### [Brute force](../brute-force.md#ssh)

Some common ssh credentials [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.

### Private/Public Keys BF

If you know some ssh private key that could be used... let's try it. You can use the nmap script:

```text
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```

Or the MSF auxiliary module:

```text
msf> use scanner/ssh/ssh_identify_pubkeys
```

#### Known badkeys can be found here:

{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}

You should look here in order to search for valid keys for the victim machine.
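The banner that `nc` prints and the algorithm lists that nmap's `ssh2-enum-algos` script reports are both sent by the server before any authentication. The following Python script is an added example (not code from the original page) that decodes both from constructed sample data: the identification string and an unencrypted `SSH_MSG_KEXINIT` packet, then flags the legacy algorithms a hardening review would want removed. The weak-algorithm list is a short assumption, not a complete policy.

```python
"""Parse what an SSH server volunteers before authentication: its
identification banner and the ten algorithm name-lists in SSH_MSG_KEXINIT
(RFC 4253, sections 4.2, 6 and 7.1). The network part is omitted; the
banner and packet below are constructed so the parser runs offline."""
import re
import struct

SSH_MSG_KEXINIT = 20

# Algorithms a defender normally wants disabled (assumption: a short curated
# list, not a complete policy). ssh-rsa/ssh-dss here mean SHA-1 signatures.
WEAK_ALGORITHMS = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "hostkey": {"ssh-rsa", "ssh-dss"},
    "cipher": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
               "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com"},
}
KEXINIT_FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$")


def parse_banner(raw: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion SP comments CR LF'."""
    m = BANNER_RE.match(raw.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("not an SSH identification string")
    return {"protocol": m["proto"], "software": m["software"],
            "comments": m["comments"] or ""}


def _name_list(buf: bytes, off: int):
    """Decode one 'name-list': uint32 length + comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + length].decode("ascii")
    return [n for n in names.split(",") if n], off + length


def parse_kexinit(packet: bytes) -> dict:
    """Unwrap the (still unencrypted) binary packet and decode KEXINIT."""
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    padding_length = packet[4]
    payload = packet[5:5 + packet_length - padding_length - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 1 + 16  # message type byte + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def weak_offers(kexinit: dict) -> dict:
    """For each category, the weak algorithms the server is willing to use."""
    offered = {"kex": kexinit["kex"], "hostkey": kexinit["hostkey"],
               "cipher": kexinit["cipher_c2s"] + kexinit["cipher_s2c"],
               "mac": kexinit["mac_c2s"] + kexinit["mac_s2c"]}
    return {cat: sorted(set(names) & WEAK_ALGORITHMS[cat])
            for cat, names in offered.items()}


def build_kexinit(name_lists, cookie: bytes = b"\x00" * 16) -> bytes:
    """Encode KEXINIT into a binary packet (used only to build test input)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        enc = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(enc)) + enc
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - (len(payload) + 5) % 8       # total length a multiple of 8,
    if padding < 4:                            # with at least 4 bytes of padding
        padding += 8
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding


# Constructed server offer: modern algorithms first, legacy ones still enabled.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_7.4 constructed-sample\r\n"
SAMPLE_OFFER = [
    ["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    ["rsa-sha2-512", "ssh-rsa", "ssh-ed25519"],
    ["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
    ["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
    ["hmac-sha2-256", "hmac-md5"],
    ["hmac-sha2-256", "hmac-md5"],
    ["none"], ["none"], [], [],
]

if __name__ == "__main__":
    print(parse_banner(SAMPLE_BANNER))
    print(weak_offers(parse_kexinit(build_kexinit(SAMPLE_OFFER))))
```

To use it against a live host you would read the banner line from the socket, send your own identification string, and then read one binary packet into `parse_kexinit`; the sample server here still offers SHA-1 key exchange, `ssh-rsa` host-key signatures, `3des-cbc` and `hmac-md5`, which is what the output points at.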
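On the defending side, password guessing and default-credential spraying show up in sshd's auth log. This added Python detector (not part of the original page) parses constructed sample log lines, groups them by source address and reports bursts of failures, attempts against the vendor default account names from the table below, and the expensive case of an `Accepted` login that follows failures from the same source.

```python
"""Spot SSH brute-force and default-credential spraying in sshd auth logs.
The sample lines are constructed (RFC 5737 documentation addresses), so the
detector runs offline; on a real host feed it the sshd lines from
/var/log/auth.log or journalctl -u ssh."""
import re
from collections import defaultdict
from datetime import datetime

# Typical sshd syslog lines for password/publickey outcomes.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Account names lifted from the vendor default-credential table on this page.
DEFAULT_ACCOUNT_NAMES = {"admin", "apc", "cisco", "root", "nsroot", "netscreen",
                         "vkernel", "USERID", "vi-admin"}

# Constructed sample: one source sprays default accounts and gets in as root,
# a second logs in normally with a key, a third fails once.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 bastion sshd[1236]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:04 bastion sshd[1240]: Invalid user cisco from 203.0.113.7 port 51240
Mar  3 10:15:05 bastion sshd[1240]: Failed password for invalid user cisco from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:08 bastion sshd[1250]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:16:00 bastion sshd[1300]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:16:30 bastion sshd[1310]: Failed password for bob from 198.51.100.9 port 40010 ssh2
""".splitlines()


def parse_line(line: str):
    """Return a dict for authentication outcome lines, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; only differences between them are used
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    ev["invalid"] = ev["invalid"] is not None
    return ev


def detect_bruteforce(lines, threshold: int = 3, window_s: int = 60):
    """One finding per source IP that either failed `threshold` or more times
    inside `window_s` seconds, or logged in after earlier failures."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, events in sorted(by_ip.items()):
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        # sliding window over the sorted failures
        burst = any(
            (failures[i + threshold - 1]["ts"] - failures[i]["ts"]).total_seconds() <= window_s
            for i in range(len(failures) - threshold + 1)
        )
        # a success from a source that was failing just before is the costly case
        compromised = [e["user"] for e in events
                       if e["result"] == "Accepted" and failures and failures[0]["ts"] < e["ts"]]
        if not burst and not compromised:
            continue
        users = sorted({e["user"] for e in failures})
        findings.append({
            "ip": ip,
            "failures": len(failures),
            "users": users,
            "default_accounts": sorted(set(users) & DEFAULT_ACCOUNT_NAMES),
            "burst": burst,
            "compromised": compromised,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

The `compromised` field is the one to alert on first: a password login from an address that was just cycling through `admin`, `root` and `cisco` is a successful guess, not an administrator.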
## Default Credentials

| **Vendor** | **Usernames** | **Passwords** |
| :--- | :--- | :--- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password\#1, Password123\#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V\#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12\#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |

## Config files

```text
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```

## SFTP

You can configure **SSH to behave as an SFTP** server, so some users will connect to the SFTP service (on port 22) instead of to the SSH shell service.
You can even set a **chroot for the SFTP users**. A configuration example of SFTP users inside the file _**/etc/ssh/sshd\_config**_ can be seen in the following images. All the **ots-\*** users will be jailed inside a **chroot**.

![](../.gitbook/assets/image%20%28197%29.png)

![](../.gitbook/assets/image%20%28337%29.png)

### SFTP Tunneling

If you have access to an SFTP server you can also tunnel your traffic through it, for example using the common port forwarding:

```text
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<sftp_server>
```

### Symlink

The **sftp** client has the command **symlink**. Therefore, if you have **write permission** in some folder, you can create **symlinks** to **other folders/files**. As you are probably **trapped** inside a chroot this **won't be especially useful** for you, but if you can **access** the created **symlink** from a **non-chrooted service** (for example, if you can reach the symlink through the web), you could **open the symlinked files through the web**.

For example, to create a **symlink** named _froot_ pointing to `/`:

```text
sftp> symlink / froot
```

If you can access the file _froot_ via the web, you will be able to list the root (`/`) folder of the system.
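Since the configuration images are not reproduced here, the added Python script below (not the page's own code) works on a constructed `sshd_config` that resembles the described `ots-*` jail. It parses the `Match` blocks and reports when a block forcing `internal-sftp` lacks `ChrootDirectory` or leaves forwarding at the sshd defaults, which is exactly what lets an SFTP-only account run the `ssh -L ... -N` tunnel shown above. The default values come from the `sshd_config` man page; the two sample configurations are constructed.

```python
"""Audit sshd_config Match blocks that force internal-sftp: a jailed SFTP
account needs ChrootDirectory and must have forwarding switched off,
otherwise 'ssh -L ... -N' still works for it. Both configs are constructed."""
import re

# sshd built-in defaults for the options that matter here (sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no",
            "permittunnel": "no", "allowagentforwarding": "yes"}
# What an SFTP-only jail should end up with.
JAIL_REQUIREMENTS = [("AllowTcpForwarding", "no"), ("X11Forwarding", "no"),
                     ("PermitTunnel", "no"), ("AllowAgentForwarding", "no")]
# 'Keyword value' or 'Keyword=value'
LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str):
    """Return (global_settings, [(match_criteria, settings), ...]).
    Keywords are case-insensitive, so they are lowercased; values keep their
    case. sshd uses the first occurrence of a keyword, hence setdefault."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            current = {}           # everything up to the next Match belongs here
            blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_settings, blocks


def audit_sftp_jails(text: str):
    """One (criteria, problems) tuple per Match block forcing internal-sftp."""
    global_settings, blocks = parse_sshd_config(text)
    findings = []
    for criteria, settings in blocks:
        if settings.get("forcecommand") != "internal-sftp":
            continue
        # Effective value: Match block overrides global, which overrides defaults.
        effective = dict(DEFAULTS)
        effective.update({k: v.lower() for k, v in global_settings.items()})
        effective.update({k: v.lower() for k, v in settings.items()})
        problems = []
        if "chrootdirectory" not in settings:
            problems.append("ChrootDirectory missing: the sftp-only user sees the real filesystem")
        for keyword, want in JAIL_REQUIREMENTS:
            got = effective.get(keyword.lower())
            if got != want:
                problems.append(f"{keyword} is {got}, want {want}")
        findings.append((criteria, problems))
    return findings


def is_hardened(text: str) -> bool:
    """True only if at least one sftp jail exists and none has problems."""
    findings = audit_sftp_jails(text)
    return bool(findings) and all(not problems for _, problems in findings)


# Constructed: resembles the ots-* jail described on this page, but leaves the
# sshd defaults for forwarding in place, so port forwarding still works.
WEAK_CONFIG = """
Subsystem sftp internal-sftp
PasswordAuthentication yes

Match User ots-*
    ChrootDirectory %h
    ForceCommand internal-sftp
"""

# Constructed: the same jail with forwarding and tunnelling disabled.
HARDENED_CONFIG = WEAK_CONFIG + """
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_jails(cfg))
```

The text check cannot see the filesystem, so the remaining `ChrootDirectory` requirements (every path component owned by root and not group- or world-writable, which sshd enforces at login) still need checking on the host.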
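The defender's counterpart to the `symlink / froot` trick is to check whether anything under a web root resolves outside it. This added Python check (not from the original page) walks a constructed web root containing an SFTP user's upload folder and lists every symlink whose target escapes the root, including relative ones. Inside the chroot a link to `/` points at the jail, but a web server serving the same directory tree follows it to the real filesystem root.

```python
"""Find symlinks under a directory that resolve outside it. Relevant to the
SFTP 'symlink' command: a link created inside a chroot is interpreted by other
services (a web server, for instance) against the real filesystem."""
import os
import tempfile


def escaping_symlinks(root: str):
    """Return sorted (relative_link_path, link_target) pairs for every symlink
    below `root` whose resolved target lies outside `root`."""
    root = os.path.realpath(root)
    escaped = []
    # os.walk does not follow symlinked directories by default, so a link to
    # '/' is reported once instead of being descended into.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)   # resolves relative and dangling links too
            if os.path.commonpath([root, target]) != root:
                escaped.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(escaped)


def demo():
    """Constructed scenario: a web root containing an SFTP user's upload
    folder with 'froot' -> '/' next to a harmless in-tree link."""
    with tempfile.TemporaryDirectory() as webroot:
        uploads = os.path.join(webroot, "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "index.html"), "w") as fh:
            fh.write("<h1>upload area</h1>\n")
        os.symlink("index.html", os.path.join(uploads, "home.html"))            # stays inside
        os.symlink("/", os.path.join(uploads, "froot"))                          # absolute escape
        os.symlink("../../outside-webroot.txt", os.path.join(uploads, "escape"))  # relative escape
        return escaping_symlinks(webroot)


if __name__ == "__main__":
    for link, target in demo():
        print(f"{link} -> {target}")
```

Running this periodically over directories that SFTP users can write to and a web server can read from catches the case described above before it is served; the corresponding web server hardening is to stop following symlinks out of the document root (for Apache, `Options -FollowSymLinks` or `+SymLinksIfOwnerMatch`).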