4.9 KiB
22 - Pentesting SSH/SFTP
Basic Information
SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.
Default port: 22
22/tcp open ssh syn-ack
Enumeration
Banner Grabbing
nc -vn <IP> 22
Public SSH key of server
ssh-keyscan -t rsa <IP> -p <PORT>
Weak Cipher Algorithms
This is discovered by default by nmap. But you can also use sslcan or sslyze.
Shodan
ssh
Brute force usernames, passwords and private keys
Username Enumeration
In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
msf> use scanner/ssh/ssh_enumusers
Brute force
Some common ssh credentials here and here and below.
Private/Public Keys BF
If you know some ssh private key that could be used... lets try it. You can use the nmap script:
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
Or the MSF auxiliary module:
msf> use scanner/ssh/ssh_identify_pubkeys
Known badkeys can be found here:
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
You should look here in order to search for valid keys for the victim machine.
Kerberos
crackmapexec using the ssh protocol can use the option --kerberos to authenticate via kerberos.
For more info run crackmapexec ssh --help.
Default Credentials
| Vendor | Usernames | Passwords |
|---|---|---|
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
Config files
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
SFTP
You can configure SSH to behave as a SFTP server. So, some users will connect to SFTP service in port 22 instead of to the SSH service.
You can even set a chroot to the SFTP users. A configuration example of SFTP users inside the file /etc/ssh/sshd_config can be seen in the following images.
All the ots-* users will be jailed inside a chroot.
SFTP Tunneling
If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
Symlink
The sftp have the command "symlink". Therefor, if you have writable rights in some folder, you can create symlinks of other folders/files. As you are probably trapped inside a chroot this won't be specially useful for you, but, if you can access the created symlink from a no-chroot service for example, if you can access the symlink from the web, you could open the symlinked files through the web.
For example, to create a symlink from a new file "froot" to "/":
sftp> symlink / froot
If you can access the file "froot" via web, you will be able to list the root "/" folder of the system.