hacktricks/network-services-pentesting/pentesting-ssh.md

# 22 - Pentesting SSH/SFTP

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## Basic Information

**SSH (Secure Shell or Secure Socket Shell)** je mrežni protokol koji omogućava sigurnu vezu sa računarom preko nesigurne mreže. Ključan je za očuvanje poverljivosti i integriteta podataka prilikom pristupa udaljenim sistemima.

**Podrazumevani port:** 22
```
22/tcp open  ssh     syn-ack
```
**SSH сервери:**

* [openSSH](http://www.openssh.org) – OpenBSD SSH, испоручен у BSD, Linux дистрибуцијама и Windows од Windows 10
* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) – SSH имплементација за окружења са малом меморијом и ресурсима процесора, испоручена у OpenWrt
* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) – SSH имплементација за Windows, клијент се често користи, али је употреба сервера ређа
* [CopSSH](https://www.itefix.net/copssh) – имплементација OpenSSH за Windows

**SSH библиотеке (имплементирање на серверској страни):**

* [libssh](https://www.libssh.org) – мултиплатформска C библиотека која имплементира SSHv2 протокол са везама у [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) и [R](https://github.com/ropensci/ssh); користи се од стране KDE за sftp и од стране GitHub за git SSH инфраструктуру
* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – SSHv2 серверска библиотека написана у ANSI C и намењена за уграђене, RTOS и окружења ограничена ресурсима
* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – Apache SSHD java библиотека је заснована на Apache MINA
* [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2 протокол библиотека

## Енумерација

### Узимање банера
```bash
nc -vn <IP> 22
```
### Automated ssh-audit

ssh-audit je alat za reviziju konfiguracije ssh servera i klijenta.

[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) je ažurirani fork sa [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)

**Karakteristike:**

* Podrška za SSH1 i SSH2 protokol servera;
* analizira konfiguraciju SSH klijenta;
* uzima banner, prepoznaje uređaj ili softver i operativni sistem, detektuje kompresiju;
* prikuplja algoritme za razmenu ključeva, host-key, enkripciju i kod za autentifikaciju poruka;
* izlazne informacije o algoritmima (dostupno od, uklonjeno/onemogućeno, nesigurno/slabo/legacy, itd);
* izlazne preporuke za algoritme (dodati ili ukloniti na osnovu prepoznate verzije softvera);
* izlazne informacije o bezbednosti (povezani problemi, dodeljena CVE lista, itd);
* analizira kompatibilnost verzija SSH na osnovu informacija o algoritmima;
* istorijske informacije iz OpenSSH, Dropbear SSH i libssh;
* radi na Linux-u i Windows-u;
* bez zavisnosti
```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>

-1,  --ssh1             force ssh version 1 only
-2,  --ssh2             force ssh version 2 only
-4,  --ipv4             enable IPv4 (order of precedence)
-6,  --ipv6             enable IPv6 (order of precedence)
-p,  --port=<port>      port to connect
-b,  --batch            batch output
-c,  --client-audit     starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n,  --no-colors        disable colors
-j,  --json             JSON output
-v,  --verbose          verbose output
-l,  --level=<level>    minimum output level (info|warn|fail)
-t,  --timeout=<secs>   timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>
```
[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)

### Javni SSH ključ servera
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### Slabi šifarski algoritmi

Ovo se otkriva podrazumevano pomoću **nmap**. Ali možete koristiti i **sslcan** ili **sslyze**.

### Nmap skripte
```bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```
### Shodan

* `ssh`

## Bruteforce korisnička imena, lozinke i privatne ključeve

### Enumeracija korisničkih imena

U nekim verzijama OpenSSH možete izvršiti vremenski napad za enumeraciju korisnika. Možete koristiti Metasploit modul kako biste iskoristili ovo:
```
msf> use scanner/ssh/ssh_enumusers
```
### [Brute force](../generic-methodologies-and-resources/brute-force.md#ssh)

Neki uobičajeni ssh kredencijali [ovde](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) i [ovde](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) i ispod.

### Private Key Brute Force

Ako znate neke ssh privatne ključeve koji bi mogli biti korišćeni... hajde da probamo. Možete koristiti nmap skriptu:
```
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
Ili MSF pomoćni modul:
```
msf> use scanner/ssh/ssh_identify_pubkeys
```
Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms enabled): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute).

#### Known badkeys can be found here:

{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}

#### Weak SSH keys / Debian predictable PRNG

Neki sistemi imaju poznate greške u nasumičnom semenu koje se koristi za generisanje kriptografskog materijala. To može rezultirati dramatično smanjenim prostorom ključeva koji se može probiti. Pre-generisani setovi ključeva generisanih na Debian sistemima pogođenim slabim PRNG-om dostupni su ovde: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).

Trebalo bi da pogledate ovde kako biste tražili važeće ključeve za žrtvinsku mašinu.

### Kerberos

**crackmapexec** koristeći `ssh` protokol može koristiti opciju `--kerberos` za **autentifikaciju putem kerberos-a**.\
Za više informacija pokrenite `crackmapexec ssh --help`.

## Default Credentials

| **Vendor** | **Usernames**                                                                                               | **Passwords**                                                                                                                                                                                              |
| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                        |
| Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                      |
| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                       |
| D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                       |
| Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                         |
| EMC        | admin, root, sysadmin                                                                                       | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc                                                                                                                                              |
| HP/3Com    | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op                                                    | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin                                                   |
| Huawei     | admin, root                                                                                                 | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123                                                                                             |
| IBM        | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer                                                                                                                               |
| Juniper    | netscreen                                                                                                   | netscreen                                                                                                                                                                                                  |
| NetApp     | admin                                                                                                       | netapp123                                                                                                                                                                                                  |
| Oracle     | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user                                           | changeme, ilom-admin, ilom-operator, welcome1, oracle                                                                                                                                                      |
| VMware     | vi-admin, root, hqadmin, vmware, admin                                                                      | vmware, vmw@re, hqadmin, default                                                                                                                                                                           |

## SSH-MitM

Ako ste u lokalnoj mreži kao žrtva koja će se povezati na SSH server koristeći korisničko ime i lozinku, mogli biste pokušati da **izvršite MitM napad kako biste ukrali te kredencijale:**

**Napadni put:**

* **Preusmeravanje saobraćaja:** Napadač **preusmerava** saobraćaj žrtve na svoju mašinu, efikasno **presrećući** pokušaj povezivanja na SSH server.
* **Presretanje i logovanje:** Mašina napadača deluje kao **proxy**, **hvatajući** korisničke podatke za prijavu pretvarajući se da je legitimni SSH server.
* **Izvršenje komandi i prosleđivanje:** Na kraju, server napadača **loguje korisničke kredencijale**, **prosleđuje komande** pravom SSH serveru, **izvršava** ih i **šalje rezultate nazad** korisniku, čineći proces da izgleda besprekorno i legitimno.

[**SSH MITM**](https://github.com/jtesta/ssh-mitm) radi tačno ono što je opisano iznad.

Da biste uhvatili stvarni MitM, mogli biste koristiti tehnike kao što su ARP spoofing, DNS spoofing ili druge opisane u [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/#spoofing).

## SSH-Snake

Ako želite da pretražujete mrežu koristeći otkrivene SSH privatne ključeve na sistemima, koristeći svaki privatni ključ na svakom sistemu za nove hostove, onda je [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) ono što vam treba.

SSH-Snake automatski i rekurzivno obavlja sledeće zadatke:

1. Na trenutnom sistemu, pronađite sve SSH privatne ključeve,
2. Na trenutnom sistemu, pronađite sve hostove ili odredišta (user@host) koja privatni ključevi mogu prihvatiti,
3. Pokušajte da se SSH povežete na sve odredišta koristeći sve otkrivene privatne ključeve,
4. Ako se uspešno povežete na odredište, ponovite korake #1 - #4 na povezanom sistemu.

Potpuno se replicira i širi -- i potpuno je bez datoteka.

## Config Misconfigurations

### Root login

Uobičajeno je da SSH serveri po defaultu dozvoljavaju prijavu korisnika root, što predstavlja značajan sigurnosni rizik. **Onemogućavanje prijave root-a** je kritičan korak u obezbeđivanju servera. Neovlašćen pristup sa administrativnim privilegijama i brute force napadi mogu se ublažiti ovom promenom.

**Da biste onemogućili prijavu root-a u OpenSSH:**

1. **Izmenite SSH konfiguracionu datoteku** sa: `sudoedit /etc/ssh/sshd_config`
2. **Promenite podešavanje** sa `#PermitRootLogin yes` na **`PermitRootLogin no`**.
3. **Ponovo učitajte konfiguraciju** koristeći: `sudo systemctl daemon-reload`
4. **Ponovo pokrenite SSH server** da primenite promene: `sudo systemctl restart sshd`

### SFTP Brute Force

* [**SFTP Brute Force**](../generic-methodologies-and-resources/brute-force.md#sftp)

### SFTP command execution

Postoji uobičajena greška koja se dešava sa SFTP podešavanjima, gde administratori nameravaju da korisnici razmenjuju datoteke bez omogućavanja daljinskog pristupa shell-u. Iako su korisnici postavljeni sa neinteraktivnim shell-ovima (npr., `/usr/bin/nologin`) i ograničeni na određeni direktorijum, ostaje sigurnosna rupa. **Korisnici mogu zaobići ova ograničenja** tražeći izvršenje komande (kao što je `/bin/bash`) odmah nakon prijavljivanja, pre nego što njihov dodeljeni neinteraktivni shell preuzme. Ovo omogućava neovlašćeno izvršenje komandi, potkopavajući nameravane sigurnosne mere.

[Primer odavde](https://community.turgensec.com/ssh-hacking-guide/):
```bash
ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@192.168.1.94 /bin/bash
```
Evo primera sigurne SFTP konfiguracije (`/etc/ssh/sshd_config` – openSSH) za korisnika `noraj`:
```
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
```
Ova konfiguracija će omogućiti samo SFTP: onemogućavanje pristupa shell-u prisiljavanjem start komande i onemogućavanjem TTY pristupa, ali takođe onemogućava sve vrste prosleđivanja portova ili tunelovanja.

### SFTP Tunneling

Ako imate pristup SFTP serveru, možete takođe tunelovati svoj saobraćaj kroz ovo, na primer, koristeći uobičajeno prosleđivanje portova:
```bash
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP Symlink

The **sftp** have the command "**symlink**". Zbog toga, ako imate **prava za pisanje** u nekom folderu, možete kreirati **symlinks** drugih **foldera/fajlova**. Kako ste verovatno **zarobljeni** unutar chroot-a, ovo **neće biti posebno korisno** za vas, ali, ako možete **pristupiti** kreiranom **symlink-u** iz **no-chroot** **servisa** (na primer, ako možete pristupiti symlink-u sa veba), mogli biste **otvoriti symlinkovane fajlove putem veba**.

Na primer, da kreirate **symlink** iz novog fajla **"**_**froot**_**" u "**_**/**_**"**:
```bash
sftp> symlink / froot
```
Ako možete pristupiti datoteci "_froot_" putem veba, moći ćete da prikažete root ("/") folder sistema.

### Metode autentifikacije

U okruženju sa visokom bezbednošću, uobičajena praksa je omogućiti samo autentifikaciju zasnovanu na ključevima ili dvostruku autentifikaciju umesto jednostavne autentifikacije zasnovane na lozinkama. Ali često se jače metode autentifikacije omogućavaju bez onemogućavanja slabijih. Čest slučaj je omogućavanje `publickey` u openSSH konfiguraciji i postavljanje kao podrazumevanu metodu, ali ne onemogućavanje `password`. Tako da korišćenjem verbose moda SSH klijenta, napadač može videti da je slabija metoda omogućena:
```bash
ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```
Na primer, ako je postavljen limit za neuspehe autentifikacije i nikada ne dobijete priliku da dođete do metode lozinke, možete koristiti opciju `PreferredAuthentications` da primorate korišćenje ove metode.
```bash
ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
Pregled konfiguracije SSH servera je neophodan da bi se proverilo da su samo očekivane metode autorizovane. Korišćenje verbose moda na klijentu može pomoći da se vidi efikasnost konfiguracije.

### Config files
```bash
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```
## Fuzzing

* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2)

## References

* Možete pronaći zanimljive vodiče o tome kako ojačati SSH na [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)

<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty tip**: **prijavite se** za **Intigriti**, premium **bug bounty platformu koju su kreirali hakeri, za hakere**! Pridružite nam se na [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) danas, i počnite da zarađujete nagrade do **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## HackTricks Automatic Commands
```
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening

Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh

Entry_2:
Name: consolesless mfs enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'

```
{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								# 22 - Pentesting SSH/SFTP
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								{% hint style="success" %}
 								Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								<summary>Support HackTricks</summary>
-												arte

											
										
										
											2024-01-02 18:28:27 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 								* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								{% endhint %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								{% embed url="https://go.intigriti.com/hacktricks" %}
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## Basic Information
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**SSH (Secure Shell or Secure Socket Shell)** je mrežni protokol koji omogućava sigurnu vezu sa računarom preko nesigurne mreže. Ključan je za očuvanje poverljivosti i integriteta podataka prilikom pristupa udaljenim sistemima.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								**Podrazumevani port:** 22
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+/tcp open  ssh     syn-ack
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**SSH сервери:**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* [openSSH](http://www.openssh.org) – OpenBSD SSH, испоручен у BSD, Linux дистрибуцијама и Windows од Windows 10
 								* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) – SSH имплементација за окружења са малом меморијом и ресурсима процесора, испоручена у OpenWrt
 								* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) – SSH имплементација за Windows, клијент се често користи, али је употреба сервера ређа
 								* [CopSSH](https://www.itefix.net/copssh) – имплементација OpenSSH за Windows
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**SSH библиотеке (имплементирање на серверској страни):**
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* [libssh](https://www.libssh.org) – мултиплатформска C библиотека која имплементира SSHv2 протокол са везама у [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) и [R](https://github.com/ropensci/ssh); користи се од стране KDE за sftp и од стране GitHub за git SSH инфраструктуру
 								* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – SSHv2 серверска библиотека написана у ANSI C и намењена за уграђене, RTOS и окружења ограничена ресурсима
 								* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – Apache SSHD java библиотека је заснована на Apache MINA
 								* [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2 протокол библиотека
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## Енумерација
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Узимање банера
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								nc -vn <IP> 22
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Automated ssh-audit
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								ssh-audit je alat za reviziju konfiguracije ssh servera i klijenta.
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) je ažurirani fork sa [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**Karakteristike:**
-												Adding mention of ssh-audit.py

For ssh audit, https://github.com/jtesta/ssh-audit is a very complete & fast python script.
+ Add a demo (Asciinema)
											
										
										
											2020-09-23 15:36:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* Podrška za SSH1 i SSH2 protokol servera;
 								* analizira konfiguraciju SSH klijenta;
 								* uzima banner, prepoznaje uređaj ili softver i operativni sistem, detektuje kompresiju;
 								* prikuplja algoritme za razmenu ključeva, host-key, enkripciju i kod za autentifikaciju poruka;
 								* izlazne informacije o algoritmima (dostupno od, uklonjeno/onemogućeno, nesigurno/slabo/legacy, itd);
 								* izlazne preporuke za algoritme (dodati ili ukloniti na osnovu prepoznate verzije softvera);
 								* izlazne informacije o bezbednosti (povezani problemi, dodeljena CVE lista, itd);
 								* analizira kompatibilnost verzija SSH na osnovu informacija o algoritmima;
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								* istorijske informacije iz OpenSSH, Dropbear SSH i libssh;
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* radi na Linux-u i Windows-u;
 								* bez zavisnosti
-												Adding mention of ssh-audit.py

For ssh audit, https://github.com/jtesta/ssh-audit is a very complete & fast python script.
+ Add a demo (Asciinema)
											
										
										
											2020-09-23 15:36:14 +00:00
+								```bash
 								usage: ssh-audit.py [-1246pbcnjvlt] <host>
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								-1,  --ssh1             force ssh version 1 only
 								-2,  --ssh2             force ssh version 2 only
 								-4,  --ipv4             enable IPv4 (order of precedence)
 								-6,  --ipv6             enable IPv6 (order of precedence)
 								-p,  --port=<port>      port to connect
 								-b,  --batch            batch output
 								-c,  --client-audit     starts a server on port 2222 to audit client
 								software config (use -p to change port;
 								use -t to change timeout)
 								-n,  --no-colors        disable colors
 								-j,  --json             JSON output
 								-v,  --verbose          verbose output
 								-l,  --level=<level>    minimum output level (info|warn|fail)
 								-t,  --timeout=<secs>   timeout (in seconds) for connection and reading
 								(default: 5)
-												Adding mention of ssh-audit.py

For ssh audit, https://github.com/jtesta/ssh-audit is a very complete & fast python script.
+ Add a demo (Asciinema)
											
										
										
											2020-09-23 15:36:14 +00:00
+								$ python3 ssh-audit <IP>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								### Javni SSH ključ servera
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								ssh-keyscan -t rsa <IP> -p <PORT>
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Slabi šifarski algoritmi
 								Ovo se otkriva podrazumevano pomoću **nmap**. Ali možete koristiti i **sslcan** ili **sslyze**.
-												GitBook: [master] one page modified
											
										
										
											2021-07-06 18:15:59 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Nmap skripte
-												GitBook: [master] one page modified
											
										
										
											2021-07-06 18:15:59 +00:00
+								```bash
 								nmap -p22 <ip> -sC # Send default nmap scripts for SSH
 								nmap -p22 <ip> -sV # Retrieve version
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
-												GitBook: [master] one page modified
											
										
										
											2021-07-06 18:15:59 +00:00
+								nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
 								nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### Shodan
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								* `ssh`
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## Bruteforce korisnička imena, lozinke i privatne ključeve
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								### Enumeracija korisničkih imena
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								U nekim verzijama OpenSSH možete izvršiti vremenski napad za enumeraciju korisnika. Možete koristiti Metasploit modul kako biste iskoristili ovo:
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								msf> use scanner/ssh/ssh_enumusers
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### [Brute force](../generic-methodologies-and-resources/brute-force.md#ssh)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Neki uobičajeni ssh kredencijali [ovde](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) i [ovde](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) i ispod.
-												Added Debian PRNG keys and ssh-keybrute
											
										
										
											2023-01-21 22:13:23 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Private Key Brute Force
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Ako znate neke ssh privatne ključeve koji bi mogli biti korišćeni... hajde da probamo. Možete koristiti nmap skriptu:
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
 								```
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Ili MSF pomoćni modul:
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								msf> use scanner/ssh/ssh_identify_pubkeys
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms enabled): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute).
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								#### Known badkeys can be found here:
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								#### Weak SSH keys / Debian predictable PRNG
-												GITBOOK-4035: change request with no subject merged in GitBook

											
										
										
											2023-08-16 04:32:29 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Neki sistemi imaju poznate greške u nasumičnom semenu koje se koristi za generisanje kriptografskog materijala. To može rezultirati dramatično smanjenim prostorom ključeva koji se može probiti. Pre-generisani setovi ključeva generisanih na Debian sistemima pogođenim slabim PRNG-om dostupni su ovde: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
-												Added Debian PRNG keys and ssh-keybrute
											
										
										
											2023-01-21 22:13:23 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Trebalo bi da pogledate ovde kako biste tražili važeće ključeve za žrtvinsku mašinu.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### Kerberos
-												GitBook: [master] one page modified
											
										
										
											2020-09-20 21:47:09 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**crackmapexec** koristeći `ssh` protokol može koristiti opciju `--kerberos` za **autentifikaciju putem kerberos-a**.\
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Za više informacija pokrenite `crackmapexec ssh --help`.
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## Default Credentials
 								| **Vendor** | **Usernames**                                                                                               | **Passwords**                                                                                                                                                                                              |
 								| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 								| APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                        |
 								| Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                      |
 								| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
 								| Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                       |
 								| D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                       |
 								| Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                         |
 								| EMC        | admin, root, sysadmin                                                                                       | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc                                                                                                                                              |
 								| HP/3Com    | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op                                                    | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin                                                   |
 								| Huawei     | admin, root                                                                                                 | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123                                                                                             |
 								| IBM        | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer                                                                                                                               |
 								| Juniper    | netscreen                                                                                                   | netscreen                                                                                                                                                                                                  |
 								| NetApp     | admin                                                                                                       | netapp123                                                                                                                                                                                                  |
 								| Oracle     | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user                                           | changeme, ilom-admin, ilom-operator, welcome1, oracle                                                                                                                                                      |
 								| VMware     | vi-admin, root, hqadmin, vmware, admin                                                                      | vmware, vmw@re, hqadmin, default                                                                                                                                                                           |
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## SSH-MitM
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Ako ste u lokalnoj mreži kao žrtva koja će se povezati na SSH server koristeći korisničko ime i lozinku, mogli biste pokušati da **izvršite MitM napad kako biste ukrali te kredencijale:**
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**Napadni put:**
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* **Preusmeravanje saobraćaja:** Napadač **preusmerava** saobraćaj žrtve na svoju mašinu, efikasno **presrećući** pokušaj povezivanja na SSH server.
 								* **Presretanje i logovanje:** Mašina napadača deluje kao **proxy**, **hvatajući** korisničke podatke za prijavu pretvarajući se da je legitimni SSH server.
 								* **Izvršenje komandi i prosleđivanje:** Na kraju, server napadača **loguje korisničke kredencijale**, **prosleđuje komande** pravom SSH serveru, **izvršava** ih i **šalje rezultate nazad** korisniku, čineći proces da izgleda besprekorno i legitimno.
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								[**SSH MITM**](https://github.com/jtesta/ssh-mitm) radi tačno ono što je opisano iznad.
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Da biste uhvatili stvarni MitM, mogli biste koristiti tehnike kao što su ARP spoofing, DNS spoofing ili druge opisane u [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/#spoofing).
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Update pentesting-ssh.md

Add SSH-Snake info.
											
										
										
											2024-01-10 03:55:52 +00:00
+								## SSH-Snake
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Ako želite da pretražujete mrežu koristeći otkrivene SSH privatne ključeve na sistemima, koristeći svaki privatni ključ na svakom sistemu za nove hostove, onda je [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) ono što vam treba.
-												Update pentesting-ssh.md

Add SSH-Snake info.
											
										
										
											2024-01-10 03:55:52 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								SSH-Snake automatski i rekurzivno obavlja sledeće zadatke:
-												Update pentesting-ssh.md

Add SSH-Snake info.
											
										
										
											2024-01-10 03:55:52 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+. Na trenutnom sistemu, pronađite sve SSH privatne ključeve,
 . Na trenutnom sistemu, pronađite sve hostove ili odredišta (user@host) koja privatni ključevi mogu prihvatiti,
 . Pokušajte da se SSH povežete na sve odredišta koristeći sve otkrivene privatne ključeve,
 . Ako se uspešno povežete na odredište, ponovite korake #1 - #4 na povezanom sistemu.
-												Update pentesting-ssh.md

Add SSH-Snake info.
											
										
										
											2024-01-10 03:55:52 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Potpuno se replicira i širi -- i potpuno je bez datoteka.
-												Update pentesting-ssh.md

Add SSH-Snake info.
											
										
										
											2024-01-10 03:55:52 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## Config Misconfigurations
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Root login
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Uobičajeno je da SSH serveri po defaultu dozvoljavaju prijavu korisnika root, što predstavlja značajan sigurnosni rizik. **Onemogućavanje prijave root-a** je kritičan korak u obezbeđivanju servera. Neovlašćen pristup sa administrativnim privilegijama i brute force napadi mogu se ublažiti ovom promenom.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**Da biste onemogućili prijavu root-a u OpenSSH:**
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+. **Izmenite SSH konfiguracionu datoteku** sa: `sudoedit /etc/ssh/sshd_config`
 . **Promenite podešavanje** sa `#PermitRootLogin yes` na **`PermitRootLogin no`**.
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+. **Ponovo učitajte konfiguraciju** koristeći: `sudo systemctl daemon-reload`
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+. **Ponovo pokrenite SSH server** da primenite promene: `sudo systemctl restart sshd`
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### SFTP Brute Force
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* [**SFTP Brute Force**](../generic-methodologies-and-resources/brute-force.md#sftp)
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### SFTP command execution
-												a

											
										
										
											2024-02-08 03:08:28 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Postoji uobičajena greška koja se dešava sa SFTP podešavanjima, gde administratori nameravaju da korisnici razmenjuju datoteke bez omogućavanja daljinskog pristupa shell-u. Iako su korisnici postavljeni sa neinteraktivnim shell-ovima (npr., `/usr/bin/nologin`) i ograničeni na određeni direktorijum, ostaje sigurnosna rupa. **Korisnici mogu zaobići ova ograničenja** tražeći izvršenje komande (kao što je `/bin/bash`) odmah nakon prijavljivanja, pre nego što njihov dodeljeni neinteraktivni shell preuzme. Ovo omogućava neovlašćeno izvršenje komandi, potkopavajući nameravane sigurnosne mere.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								[Primer odavde](https://community.turgensec.com/ssh-hacking-guide/):
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
+								```bash
 								ssh -v noraj@192.168.1.94 id
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								...
 								Password:
 								debug1: Authentication succeeded (keyboard-interactive).
 								Authenticated to 192.168.1.94 ([192.168.1.94]:22).
 								debug1: channel 0: new [client-session]
 								debug1: Requesting no-more-sessions@openssh.com
 								debug1: Entering interactive session.
 								debug1: pledge: network
 								debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
 								debug1: Sending command: id
 								debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 								debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
 								uid=1000(noraj) gid=100(users) groups=100(users)
 								debug1: channel 0: free: client-session, nchannels 1
 								Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
 								Bytes per second: sent 43133.4, received 44349.5
 								debug1: Exit status 0
 								$ ssh noraj@192.168.1.94 /bin/bash
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Evo primera sigurne SFTP konfiguracije (`/etc/ssh/sshd_config` – openSSH) za korisnika `noraj`:
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								Match User noraj
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								ChrootDirectory %h
 								ForceCommand internal-sftp
 								AllowTcpForwarding no
 								PermitTunnel no
 								X11Forwarding no
 								PermitTTY no
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Ova konfiguracija će omogućiti samo SFTP: onemogućavanje pristupa shell-u prisiljavanjem start komande i onemogućavanjem TTY pristupa, ali takođe onemogućava sve vrste prosleđivanja portova ili tunelovanja.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### SFTP Tunneling
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Ako imate pristup SFTP serveru, možete takođe tunelovati svoj saobraćaj kroz ovo, na primer, koristeći uobičajeno prosleđivanje portova:
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
+								```bash
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
+								sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### SFTP Symlink
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								The **sftp** have the command "**symlink**". Zbog toga, ako imate **prava za pisanje** u nekom folderu, možete kreirati **symlinks** drugih **foldera/fajlova**. Kako ste verovatno **zarobljeni** unutar chroot-a, ovo **neće biti posebno korisno** za vas, ali, ako možete **pristupiti** kreiranom **symlink-u** iz **no-chroot** **servisa** (na primer, ako možete pristupiti symlink-u sa veba), mogli biste **otvoriti symlinkovane fajlove putem veba**.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Na primer, da kreirate **symlink** iz novog fajla **"**_**froot**_**" u "**_**/**_**"**:
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								sftp> symlink / froot
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Ako možete pristupiti datoteci "_froot_" putem veba, moći ćete da prikažete root ("/") folder sistema.
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Metode autentifikacije
 								U okruženju sa visokom bezbednošću, uobičajena praksa je omogućiti samo autentifikaciju zasnovanu na ključevima ili dvostruku autentifikaciju umesto jednostavne autentifikacije zasnovane na lozinkama. Ali često se jače metode autentifikacije omogućavaju bez onemogućavanja slabijih. Čest slučaj je omogućavanje `publickey` u openSSH konfiguraciji i postavljanje kao podrazumevanu metodu, ali ne onemogućavanje `password`. Tako da korišćenjem verbose moda SSH klijenta, napadač može videti da je slabija metoda omogućena:
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
+								```bash
 								ssh -v 192.168.1.94
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
 								...
 								debug1: Authentications that can continue: publickey,password,keyboard-interactive
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Na primer, ako je postavljen limit za neuspehe autentifikacije i nikada ne dobijete priliku da dođete do metode lozinke, možete koristiti opciju `PreferredAuthentications` da primorate korišćenje ove metode.
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
+								```bash
 								ssh -v 192.168.1.94 -o PreferredAuthentications=password
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								...
 								debug1: Next authentication method: password
 								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								Pregled konfiguracije SSH servera je neophodan da bi se proverilo da su samo očekivane metode autorizovane. Korišćenje verbose moda na klijentu može pomoći da se vidi efikasnost konfiguracije.
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								### Config files
-												GITBOOK-4219: change request with no subject merged in GitBook

											
										
										
											2023-12-26 20:51:20 +00:00
+								```bash
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								ssh_config
 								sshd_config
 								authorized_keys
 								ssh_known_hosts
 								known_hosts
 								id_rsa
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								## Fuzzing
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
 								* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2)
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## References
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* Možete pronaći zanimljive vodiče o tome kako ojačati SSH na [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								**Bug bounty tip**: **prijavite se** za **Intigriti**, premium **bug bounty platformu koju su kreirali hakeri, za hakere**! Pridružite nam se na [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) danas, i počnite da zarađujete nagrade do **$100,000**!
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2024-02-18 14:58:46 +00:00
+								{% embed url="https://go.intigriti.com/hacktricks" %}
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								## HackTricks Automatic Commands
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												Update pentesting-ssh.md
											
										
										
											2021-09-13 15:32:29 +00:00
+								Protocol_Name: SSH
 								Port_Number: 22
 								Protocol_Description: Secure Shell Hardening
 								Entry_1:
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Name: Hydra Brute Force
 								Description: Need Username
 								Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh
-												consoleless mfs enumeration

	Description: SSH enumeration without the need to run msfconsole
  	Note: sourced from https://github.com/carlospolop/legion
											
										
										
											2021-10-27 16:00:25 +00:00
+								Entry_2:
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								Name: consolesless mfs enumeration
 								Description: SSH enumeration without the need to run msfconsole
 								Note: sourced from https://github.com/carlospolop/legion
 								Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Serbian

											
										
										
											2024-02-10 13:11:20 +00:00
+								```
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								{% hint style="success" %}
 								Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								<summary>Podržite HackTricks</summary>
-												arte

											
										
										
											2024-01-02 18:28:27 +00:00
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
 								* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['macos-hardening/macos-security-and-privilege-escalation/mac

											
										
										
											2024-07-19 11:41:39 +00:00
+								{% endhint %}