# 22 - Pentesting SSH/SFTP

## Basic Information

**SSH (Secure Shell)** is a network protocol that gives users a **secure way to access a computer over an untrusted network**: remote shells, command execution, port forwarding and file transfer (SCP/SFTP) all run inside one encrypted session, in which the server is authenticated by its host key and the client by a password or a key pair.

**Default port:** 22

```text
22/tcp open ssh syn-ack
```


## Enumeration

### Banner Grabbing

The first line the server sends is its identification string, `SSH-<protocol>-<software> <comments>` (for example `SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5`), so a raw TCP connection is enough to learn the implementation and version that drive the CVE lookup:

```bash
nc -vn <IP> 22
```

### Automated ssh-audit

ssh-audit is a tool for SSH server & client configuration auditing.

[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) is an updated fork of [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)

**Features:**

* SSH1 and SSH2 protocol server support;
* analyze SSH client configuration;
* grab banner, recognize device or software and operating system, detect compression;
* gather key-exchange, host-key, encryption and message authentication code algorithms;
* output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
* output algorithm recommendations (append or remove based on recognized software version);
* output security information (related issues, assigned CVE list, etc);
* analyze SSH version compatibility based on algorithm information;
* historical information from OpenSSH, Dropbear SSH and libssh;
* runs on Linux and Windows;
* no dependencies

```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)

$ python3 ssh-audit.py <IP>
```

[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)

### Public SSH key of server

```bash
ssh-keyscan -t rsa <IP> -p <PORT>
ssh-keyscan -t rsa,ecdsa,ed25519 -p <PORT> <IP> | ssh-keygen -lf -   # all key types, with fingerprints
```

Compare host-key fingerprints across the whole range: hosts that present the same host key were usually cloned from one image or ship with vendor firmware, and one leaked private key then impersonates all of them.

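As an added example (not from the page or from OpenSSH), the following Python reproduces offline what `ssh-keygen -lf` does with `ssh-keyscan` output: it computes the SHA256 and MD5 fingerprints from the base64 key blob, reads the key type and the RSA modulus size out of the blob, and groups hosts that present the same key. The input lines are constructed for the example (a 1024-bit RSA key reused by two hosts and a placeholder Ed25519 key); `audit_keyscan` accepts any iterable of lines, so real `ssh-keyscan` output can be piped straight in.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def read_string(blob: bytes, pos: int):
    (n,) = struct.unpack("!I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def fingerprint_sha256(blob: bytes) -> str:
    """Same format as `ssh-keygen -lf`: SHA256:<base64 of the digest, '=' stripped>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-hex format (`ssh-keygen -E md5 -lf`)."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def describe_key(blob: bytes) -> dict:
    """Read the key type from the blob; for ssh-rsa also the modulus size."""
    ktype, pos = read_string(blob, 0)
    info = {"type": ktype.decode()}
    if ktype == b"ssh-rsa":                       # ssh-rsa blob = type, e, n (mpints)
        _e, pos = read_string(blob, pos)
        n, pos = read_string(blob, pos)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def parse_keyscan_line(line: str):
    """'host ssh-rsa AAAA...' or '[host]:port ssh-ed25519 AAAA...' -> (host, type, blob).
    Comment lines ('# host:port SSH-2.0-...') carry the banner and are skipped."""
    if not line.strip() or line.startswith("#"):
        return None
    host, ktype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if read_string(blob, 0)[0] != ktype.encode():
        raise ValueError("type field does not match the key blob for %s" % host)
    return host, ktype, blob


def audit_keyscan(lines):
    """Per-(host, type) findings plus the fingerprints shared by more than one host."""
    by_fp = defaultdict(list)
    findings = {}
    for line in lines:
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, ktype, blob = parsed
        fp = fingerprint_sha256(blob)
        by_fp[fp].append(host)
        info = describe_key(blob)
        issues = []
        if ktype == "ssh-dss":
            issues.append("DSA host key")
        if ktype == "ssh-rsa" and info["bits"] < 2048:
            issues.append("RSA modulus only %d bits" % info["bits"])
        findings[(host, ktype)] = {"fingerprint": fp, "issues": issues, **info}
    shared = {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}
    return findings, shared


# Constructed sample input standing in for `ssh-keyscan -t rsa,ed25519 ...` output:
# a 1024-bit RSA key (e=65537, modulus 0xff00..00) reused by two hosts, and an
# Ed25519 blob with an all-zero point (not a real key) on a third host.
RSA_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00\xff" + bytes(127)))
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_LINES = [
    "# 10.0.0.5:22 SSH-2.0-OpenSSH_7.4",
    "10.0.0.5 ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
    "10.0.0.6 ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
    "[10.0.0.7]:2222 ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode(),
]

if __name__ == "__main__":
    found, shared = audit_keyscan(SAMPLE_LINES)
    for (host, ktype), info in found.items():
        print(host, ktype, info["fingerprint"], "; ".join(info["issues"]) or "ok")
    for fp, hosts in shared.items():
        print("shared host key %s on %s" % (fp, ", ".join(hosts)))
```

The fingerprint is the hash of the raw wire blob, exactly the bytes base64-encoded in the keyscan line, which is why the result matches what `ssh` prints in its "host key fingerprint" prompt and can be looked up directly in `known_hosts` databases or Shodan.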
### Weak Cipher Algorithms

nmap enumerates the offered algorithms with the `ssh2-enum-algos` NSE script (`nmap -p 22 --script ssh2-enum-algos <IP>`; it is in the `safe`/`discovery` categories, not in the default script set) and ssh-audit grades each of them. Look for SHA-1 key exchange (`diffie-hellman-group1-sha1`, `diffie-hellman-group-exchange-sha1`), DSA or RSA/SHA-1 host keys (`ssh-dss`, `ssh-rsa`), CBC-mode or RC4 ciphers (`*-cbc`, `arcfour*`) and MD5 or truncated MACs (`hmac-md5*`, `*-96`). sslscan and sslyze are TLS scanners and do not speak SSH.

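The banner grab above and this algorithm check are two reads of the same pre-authentication exchange, so here is one added example (not from the page, ssh-audit or nmap) in Python that does both: it parses the identification string, reads the server's still-unencrypted `SSH_MSG_KEXINIT` packet and flags every offered algorithm that falls in a weak set. `WEAK` is an assumed, conservative subset of what ssh-audit reports; `probe(host, port)` is the network entry point, and the parsing functions also run offline on packets built with `build_kexinit`/`frame_packet`.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
NAME_LIST_FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s",
                    "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Assumption: a conservative subset of the algorithms ssh-audit reports as weak/legacy
# (SHA-1 key exchange, DSA and RSA/SHA-1 host keys, RC4/3DES ciphers, MD5/truncated MACs).
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "hostkey": {"ssh-dss", "ssh-rsa"},
    "cipher": {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}


def parse_banner(line: bytes):
    r"""Split 'SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n' into
    ('2.0', 'OpenSSH_8.2p1', 'Ubuntu-4ubuntu0.5') (RFC 4253 section 4.2)."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    ident, _, comment = text.partition(" ")
    _, proto, software = ident.split("-", 2)
    return proto, software, comment


def parse_packet(data: bytes) -> bytes:
    """Strip the unencrypted binary-packet framing (uint32 packet_length, byte
    padding_length, payload, padding; no MAC before key exchange) -> payload."""
    packet_len, padding_len = struct.unpack("!IB", data[:5])
    payload_len = packet_len - padding_len - 1
    if payload_len <= 0 or len(data) < 4 + packet_len:
        raise ValueError("truncated or malformed packet")
    return data[5:5 + payload_len]


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten comma-separated name-lists of SSH_MSG_KEXINIT."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("expected KEXINIT (20), got message %d" % payload[0])
    pos = 1 + 16  # message id, then the 16-byte random cookie
    lists = {}
    for field in NAME_LIST_FIELDS:
        (n,) = struct.unpack("!I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[field] = raw.split(",") if raw else []
    return lists


def weak_algorithms(lists: dict) -> dict:
    """Return {field: [weak algorithms offered]} for every field with a finding."""
    findings = {}
    for field, names in lists.items():
        category = field.split("_")[0]
        bad = [n for n in names if n in WEAK.get(category, set())
               or (category == "cipher" and n.endswith("-cbc"))]
        if bad:
            findings[field] = bad
    return findings


def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload (used here to construct test input)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in NAME_LIST_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack("!I", len(raw)) + raw
    return body + b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows, reserved


def frame_packet(payload: bytes) -> bytes:
    """Add binary-packet framing: at least 4 padding bytes, total a multiple of 8."""
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack("!IB", len(payload) + pad + 1, pad) + payload + bytes(pad)


def probe(host: str, port: int = 22, timeout: float = 5.0):
    """Network side: read the server banner, send ours, read the server's KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send text lines first
            line = f.readline()
        banner = parse_banner(line)
        sock.sendall(b"SSH-2.0-ssh_probe_0.1\r\n")
        head = f.read(5)
        (packet_len,) = struct.unpack("!I", head[:4])
        lists = parse_kexinit(parse_packet(head + f.read(packet_len - 1)))
    return banner, lists, weak_algorithms(lists)
```

Call `probe("<IP>", 22)` to get the parsed banner, the ten name-lists and the findings. Because the server volunteers its whole algorithm list before any authentication, this probe is indistinguishable from a normal client connecting, which is also why ssh-audit results show up in sshd logs only as a connection closed during key exchange.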
### Shodan

* `ssh`

## Brute force usernames, passwords and private keys

### Username Enumeration

Some OpenSSH versions leak whether a username exists: up to 7.7 (CVE-2018-15473) the server reacts differently to a malformed authentication request for valid and invalid users, and before 7.3 (CVE-2016-6210) rejecting a very long password takes measurably longer for a valid user (timing attack). The Metasploit module implements both techniques:

```text
msf> use scanner/ssh/ssh_enumusers
```

### [Brute force](../brute-force.md#ssh)

Some common ssh credentials [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.

### Private/Public Keys BF

If you have collected SSH keys that might be accepted on the target (from a previous foothold, a leaked repository, a vendor image), test which users accept them. The nmap script only needs the public halves:

```text
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```

Or the MSF auxiliary module:

```text
msf> use scanner/ssh/ssh_identify_pubkeys
```

Both rely on the protocol telling the client whether a public key is acceptable (`SSH_MSG_USERAUTH_PK_OK`) before any signature is sent, so a key can be checked against a user without holding the private part.

#### Known badkeys can be found here:

{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" caption="" %}

Check this list for keys shipped with the product running on the target (vendor appliances, VM images, firmware): if its public half is in an `authorized_keys` file there, the private half is public too.

### Kerberos

**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.
For more info run `crackmapexec ssh --help`.

## Default Credentials

| **Vendor** | **Usernames** | **Passwords** |
| :--- | :--- | :--- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password\#1, Password123\#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V\#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12\#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |

## Config files

```text
/etc/ssh/ssh_config        # system-wide client defaults
~/.ssh/config              # per-user client config (hosts, users, IdentityFile)
/etc/ssh/sshd_config       # server config (auth methods, Match blocks, chroots)
~/.ssh/authorized_keys     # public keys allowed to log in as that user
/etc/ssh/ssh_known_hosts   # system-wide list of trusted host keys
~/.ssh/known_hosts         # per-user list of hosts this account has connected to
~/.ssh/id_rsa              # private keys (also id_ecdsa, id_ed25519)
/etc/ssh/ssh_host_*_key    # the server's own host private keys
```

On a compromised box, `known_hosts` and `~/.ssh/config` are the lateral-movement map, `authorized_keys` says who else can get in, and any readable private key is a credential.

## Hardening SSH

You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)

## SFTP

You can configure **SSH to behave as a SFTP server** (the `Subsystem sftp` line in `sshd_config`), so some users will connect to the SFTP service (on port 22) instead of getting a shell.

You can even set a **chroot for the SFTP users**, with `ChrootDirectory` inside a `Match` block. A configuration example of SFTP users inside the file _**/etc/ssh/sshd\_config**_ can be seen in the following images.

All the **ots-\*** users will be jailed inside a **chroot**.

![](../.gitbook/assets/image%20%28197%29.png)

![](../.gitbook/assets/image%20%28337%29.png)

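As an added example, not from the page or from OpenSSH, this Python parses an `sshd_config` including its `Match` blocks, the way a pentester reading a captured config (or a defender checking their own) needs it: which settings a given user actually gets, whether that user is jailed and SFTP-only, and which global settings are weak. The embedded config is constructed for the example and reproduces the `ots-*` chroot idea from the images above; `Match` criteria other than `User` and `all`, and `%u`-style token expansion, are deliberately not handled and are noted as such in the code.

```python
import fnmatch

# Constructed sshd_config for the example: a global section with two weak
# settings, and a Match block that jails every 'ots-*' user in an SFTP-only chroot.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp internal-sftp

# Everything below applies only to ots-* accounts
Match User ots-*
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# Assumption: global values worth flagging on an exposed sshd.
WEAK_GLOBAL = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
    "x11forwarding": {"yes"},
}


def parse_sshd_config(text: str):
    """Return (global_settings, [(match_criteria, settings), ...]).
    Keywords are case-insensitive and, as in sshd(8), the first value wins."""
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = global_cfg if current is None else current
        target.setdefault(key, value)
    return global_cfg, matches


def match_applies(criteria: str, user: str) -> bool:
    """Evaluate 'Match all' and a single 'User' criterion (comma-separated shell globs).
    Host/Address/Group and multi-criteria blocks are out of scope and do not apply."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) != 2 or tokens[0].lower() != "user":
        return False
    return any(fnmatch.fnmatchcase(user, p) for p in tokens[1].split(","))


def effective_settings(text: str, user: str) -> dict:
    """Global settings overridden by the Match blocks that apply to `user`;
    when several blocks apply, the first one to set a keyword wins."""
    global_cfg, matches = parse_sshd_config(text)
    effective = dict(global_cfg)
    decided = set()
    for criteria, settings in matches:
        if not match_applies(criteria, user):
            continue
        for key, value in settings.items():
            if key not in decided:
                effective[key] = value
                decided.add(key)
    return effective


def sftp_report(text: str, user: str) -> dict:
    """What a given account gets: chroot, SFTP-only, and whether it may forward ports."""
    eff = effective_settings(text, user)
    chroot = eff.get("chrootdirectory", "none")            # sshd default: none
    return {
        "chroot": chroot,                                  # '%u' etc. left unexpanded
        "chrooted": chroot.lower() != "none",
        "sftp_only": eff.get("forcecommand", "").startswith("internal-sftp"),
        "tcp_forwarding": eff.get("allowtcpforwarding", "yes").lower(),  # default: yes
    }


def weak_global_settings(text: str) -> dict:
    """Global keywords whose value is listed in WEAK_GLOBAL."""
    global_cfg, _ = parse_sshd_config(text)
    return {k: v for k, v in global_cfg.items() if v.lower() in WEAK_GLOBAL.get(k, set())}


if __name__ == "__main__":
    for account in ("ots-alice", "bob"):
        print(account, sftp_report(SAMPLE_SSHD_CONFIG, account))
    print("weak global settings:", weak_global_settings(SAMPLE_SSHD_CONFIG))
```

The `tcp_forwarding` field is the one to read before trying the tunneling below: a `ForceCommand internal-sftp` jail without `AllowTcpForwarding no` still lets the jailed user forward ports.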
### SFTP Tunneling

If you have access to a SFTP server you can also tunnel your traffic through it, for example using the common port forwarding. No shell is needed: `-N` asks for no remote command, which also works for accounts whose shell is `nologin`:

```text
ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```

`sudo` is only needed when `<local_port>` is below 1024. Forwarding is refused if the user's `Match` block sets `AllowTcpForwarding no`; a `ForceCommand internal-sftp` on its own does not prevent it.

### Symlink

The **sftp** client has the command "**symlink**". Therefore, if you have **write rights** in some folder, you can create **symlinks** to **other folders/files**. As you are probably **trapped** inside a chroot this **won't be especially useful** on its own (the link target is resolved inside the jail), but if the jailed directory is also served by a **non-chrooted service** (for example a web server whose document root overlaps with it), that service resolves the symlink against the real filesystem and you can **read the symlinked files through the web**.

For example, to create a **symlink** named "_froot_" pointing to "_/_":

```text
sftp> symlink / froot
```

If you can access "_froot_" via the web, you will be able to list the root ("/") folder of the system, provided the web server follows symlinks (e.g. Apache `Options FollowSymLinks`).
