# 22 - Pentesting SSH/SFTP

## Basic Information

**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that gives users a **secure way to access a computer over an unsecured network.**

**Default port: 22**

```text
22/tcp open  ssh     syn-ack
```

## Enumeration

### Banner Grabbing

```bash
nc -vn <IP> 22
```

### Automated ssh-audit

ssh-audit is a tool for ssh server & client configuration auditing.

https://github.com/jtesta/ssh-audit is an updated fork of https://github.com/arthepsy/ssh-audit/

##### Features:

- SSH1 and SSH2 protocol server support;
- analyze SSH client configuration;
- grab banner, recognize device or software and operating system, detect compression;
- gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
- output algorithm recommendations (append or remove based on recognized software version);
- output security information (related issues, assigned CVE list, etc);
- analyze SSH version compatibility based on algorithm information;
- historical information from OpenSSH, Dropbear SSH and libssh;
- runs on Linux and Windows;
- no dependencies

```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)

$ python3 ssh-audit <IP>
```

[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)

### Public SSH key of server

```bash
ssh-keyscan -t rsa -p <PORT> <IP>
```

### Weak Cipher Algorithms

This is discovered by default by **nmap**. But you can also use **sslscan** or **sslyze**.

### Shodan

* `ssh`

## Brute force usernames, passwords and private keys

### Username Enumeration

In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:

```text
msf> use scanner/ssh/ssh_enumusers
```

### [Brute force](../brute-force.md#ssh)

Some common ssh credentials [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.

### Private/Public Keys BF

If you know some ssh private key that could be used... let's try it. You can use the nmap script:

```text
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```

Or the MSF auxiliary module:

```text
msf> use scanner/ssh/ssh_identify_pubkeys
```

#### Known badkeys can be found here:

https://github.com/rapid7/ssh-badkeys/tree/master/authorized

You should look here in order to search for valid keys for the victim machine.

### Kerberos

**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.
For more info run `crackmapexec ssh --help`.
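From the defender's side of the username-enumeration and brute-force sections above, the following added example (not part of the original page) parses a few constructed OpenSSH auth log lines and flags sources that show password spraying, username enumeration ("invalid user" lines for many accounts) or a login that succeeds after earlier failures. The log format is OpenSSH's standard syslog output; the thresholds are assumed values.

```python
import re
from collections import defaultdict

# OpenSSH syslog format: "Failed password for [invalid user] NAME from IP port N ssh2"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines, not real logs: 10.0.0.5 sprays several usernames
# (two of them non-existent accounts), 10.0.0.9 fails twice and then logs in with a key.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Jan 10 12:00:02 host sshd[1202]: Failed password for invalid user oracle from 10.0.0.5 port 51236 ssh2
Jan 10 12:00:03 host sshd[1203]: Failed password for root from 10.0.0.5 port 51238 ssh2
Jan 10 12:00:05 host sshd[1205]: Failed password for alice from 10.0.0.9 port 40000 ssh2
Jan 10 12:00:06 host sshd[1206]: Failed password for alice from 10.0.0.9 port 40002 ssh2
Jan 10 12:00:07 host sshd[1207]: Accepted publickey for alice from 10.0.0.9 port 40004 ssh2
"""

FAIL_THRESHOLD = 3  # failed attempts per source before flagging (assumed value)
ENUM_THRESHOLD = 3  # distinct usernames per source before flagging (assumed value)


def parse_auth_events(text):
    """Return one dict per sshd authentication line (result, method, user, ip, invalid)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None  # sshd marks unknown accounts this way
            events.append(ev)
    return events


def flag_sources(events, fail_threshold=FAIL_THRESHOLD, enum_threshold=ENUM_THRESHOLD):
    """Map source IP -> findings: 'bruteforce', 'user_enum', 'success_after_failures'."""
    fails, users, findings = defaultdict(int), defaultdict(set), defaultdict(set)
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            fails[ip] += 1
            users[ip].add(ev["user"])
            if fails[ip] >= fail_threshold:
                findings[ip].add("bruteforce")
            if len(users[ip]) >= enum_threshold:
                findings[ip].add("user_enum")
        elif fails[ip]:  # success after failures from the same source deserves review
            findings[ip].add("success_after_failures")
    return dict(findings)
```

Feed it real `/var/log/auth.log` or `journalctl -u ssh` output instead of `SAMPLE_LOG` to get per-source findings for a host.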
## Default Credentials

| **Vendor** | **Usernames** | **Passwords** |
| :--- | :--- | :--- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |

## Config files

```text
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```

## SFTP

You can configure **SSH to behave as a SFTP** server. So, some users will connect to the SFTP service (on port 22) instead of to the SSH service.
You can even set a **chroot for the SFTP users**. A configuration example of SFTP users inside the file _**/etc/ssh/sshd\_config**_ can be seen in the following images. All the **ots-\*** users will be jailed inside a **chroot**.

![](../.gitbook/assets/image%20%28197%29.png)

![](../.gitbook/assets/image%20%28337%29.png)

### SFTP Tunneling

If you have access to a SFTP server you can also tunnel your traffic through it, for example using the common port forwarding:

```text
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <user>@<sftp_server>
```

### Symlink

The **sftp** client has the command "**symlink**". Therefore, if you have **write rights** in some folder, you can create **symlinks** to **other folders/files**. As you are probably **trapped** inside a chroot this **won't be especially useful** for you, but, if you can **access** the created **symlink** from a **non-chroot service** (for example, if you can access the symlink from the web), you could **open the symlinked files through the web**.

For example, to create a **symlink** from a new file "_froot_" to "_/_":

```text
sftp> symlink / froot
```

If you can access the file "_froot_" via web, you will be able to list the root ("/") folder of the system.
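As an added, defender-side example (not part of the original page), the following script audits an SFTP jail directory for the symlink trick just described: it walks the tree and reports every symlink whose resolved target lies outside the jail, which is exactly what a non-chrooted service serving the same files (a web root, for instance) must not follow. The demo jail it builds in a temporary directory, with a harmless internal link and a `froot -> /` link, is constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(jail_root):
    """Return [(link_path, raw_target)] for symlinks under jail_root whose resolved
    target lies outside jail_root. Symlinked directories are reported but not
    descended into (os.walk does not follow links by default)."""
    jail_root = os.path.realpath(jail_root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows the whole chain, so a link to a link to / is still caught
            target = os.path.realpath(path)
            if os.path.commonpath([jail_root, target]) != jail_root:
                escaping.append((path, os.readlink(path)))
    return escaping


def build_demo_jail():
    """Construct a throw-away jail (constructed sample, not a real server layout):
    one relative link that stays inside and the 'froot -> /' link from the text."""
    jail = tempfile.mkdtemp(prefix="sftp-jail-")
    os.makedirs(os.path.join(jail, "uploads"))
    with open(os.path.join(jail, "uploads", "notes.txt"), "w") as fh:
        fh.write("inside the jail\n")
    os.symlink("uploads/notes.txt", os.path.join(jail, "notes-link"))  # stays inside
    os.symlink("/", os.path.join(jail, "froot"))  # escapes: points at the system root
    return jail


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_jail()):
        print(f"escaping symlink: {link} -> {target}")
```

Run it against the real chroot directory of an SFTP user (and the document root of any web server that exposes it) to find links that would leak files from outside the jail.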