hacktricks/network-services-pentesting/pentesting-ssh.md

# 22 - 对SSH/SFTP的渗透测试

<details>

<summary><strong>通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS 红队专家)</strong></a><strong>从零到英雄学习AWS黑客攻击！</strong></summary>

支持HackTricks的其他方式：

* 如果你想在**HackTricks中看到你的公司广告**或**下载HackTricks的PDF**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 获取[**官方的PEASS & HackTricks商品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享你的黑客技巧。

</details>

<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">

如果你对**黑客职业**感兴趣，并且想要黑入不可黑的系统 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_).

{% embed url="https://www.stmcyber.com/careers" %}

## 基本信息

**SSH或Secure Shell或Secure Socket Shell，** 是一种网络协议，为用户提供了一种通过不安全网络安全访问计算机的**安全方式。**

**默认端口：** 22
```
22/tcp open  ssh     syn-ack
```
**SSH服务器：**

* [openSSH](http://www.openssh.org) – OpenBSD SSH，包含在BSD、Linux发行版和Windows 10以后的Windows版本中
* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) – 为内存和处理器资源有限的环境设计的SSH实现，包含在OpenWrt中
* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) – Windows平台的SSH实现，客户端常用，但服务器端使用较少
* [CopSSH](https://www.itefix.net/copssh) – Windows平台的OpenSSH实现

**SSH库（实现服务器端）：**

* [libssh](https://www.libssh.org) – 多平台C语言库，实现SSHv2协议，提供[Python](https://github.com/ParallelSSH/ssh-python)、[Perl](https://github.com/garnier-quentin/perl-libssh/) 和 [R](https://github.com/ropensci/ssh)的绑定；它被KDE用于sftp，也被GitHub用于git SSH基础设施
* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – 用ANSI C编写的SSHv2服务器库，针对嵌入式、RTOS和资源受限环境
* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – 基于Apache MINA的Apache SSHD Java库
* [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2协议库

## 枚举

### Banner 抓取
```bash
nc -vn <IP> 22
```
### 自动化 ssh-audit

ssh-audit 是一个用于 ssh 服务器和客户端配置审计的工具。

[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) 是从 [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/) 更新的分支。

**特点：**

* 支持 SSH1 和 SSH2 协议服务器；
* 分析 SSH 客户端配置；
* 抓取横幅，识别设备或软件和操作系统，检测压缩；
* 收集密钥交换、主机密钥、加密和消息认证码算法；
* 输出算法信息（自何时可用，何时移除/禁用，不安全/弱/遗留等）；
* 输出算法建议（根据识别的软件版本添加或移除）；
* 输出安全信息（相关问题，分配的 CVE 列表等）；
* 根据算法信息分析 SSH 版本兼容性；
* 来自 OpenSSH、Dropbear SSH 和 libssh 的历史信息；
* 在 Linux 和 Windows 上运行；
* 无依赖
```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>

-1,  --ssh1             force ssh version 1 only
-2,  --ssh2             force ssh version 2 only
-4,  --ipv4             enable IPv4 (order of precedence)
-6,  --ipv6             enable IPv6 (order of precedence)
-p,  --port=<port>      port to connect
-b,  --batch            batch output
-c,  --client-audit     starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n,  --no-colors        disable colors
-j,  --json             JSON output
-v,  --verbose          verbose output
-l,  --level=<level>    minimum output level (info|warn|fail)
-t,  --timeout=<secs>   timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>
```
[查看动作演示 (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)

### 服务器的公共SSH密钥
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### 弱密码算法

**nmap** 默认会发现这个问题。但你也可以使用 **sslcan** 或 **sslyze**。

### Nmap 脚本
```bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```
### Shodan

* `ssh`

## 暴力破解用户名、密码和私钥

### 用户名枚举

在某些版本的OpenSSH中，您可以进行时序攻击来枚举用户。您可以使用metasploit模块来利用这一点：
```
msf> use scanner/ssh/ssh_enumusers
```
### [暴力破解](../generic-methodologies-and-resources/brute-force.md#ssh)

一些常见的ssh凭据在[这里](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)和[这里](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt)，以及下面。

### 私钥暴力破解

如果你知道一些可能会用到的ssh私钥...让我们尝试一下。你可以使用nmap脚本：
```
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
或者MSF辅助模块：
```
msf> use scanner/ssh/ssh_identify_pubkeys
```
或使用 `ssh-keybrute.py`（原生 python3，轻量级且启用了传统算法）：[snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute)。

#### 已知的不安全密钥可以在这里找到：

{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}

#### 弱SSH密钥 / Debian可预测的PRNG

一些系统在生成加密材料时使用的随机种子存在已知缺陷。这可能导致密钥空间大幅减少，可以被暴力破解。在受到弱PRNG影响的Debian系统上预生成的密钥集合可在此处获取：[g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)。

你应该在这里查找受害机器的有效密钥。

### Kerberos

**crackmapexec** 使用 `ssh` 协议可以使用 `--kerberos` 选项**通过kerberos认证**。\
更多信息请运行 `crackmapexec ssh --help`。

## 默认凭证

| **供应商** | **用户名**                                                                                               | **密码**                                                                                                                                                                                              |
| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                        |
| Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                      |
| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                       |
| D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                       |
| Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                         |
| EMC        | admin, root, sysadmin                                                                                       | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc                                                                                                                                              |
| HP/3Com    | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op                                                    | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin                                                   |
| Huawei     | admin, root                                                                                                 | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123                                                                                             |
| IBM        | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer                                                                                                                               |
| Juniper    | netscreen                                                                                                   | netscreen                                                                                                                                                                                                  |
| NetApp     | admin                                                                                                       | netapp123                                                                                                                                                                                                  |
| Oracle     | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user                                           | changeme, ilom-admin, ilom-operator, welcome1, oracle                                                                                                                                                      |
| VMware     | vi-admin, root, hqadmin, vmware, admin                                                                      | vmware, vmw@re, hqadmin, default                                                                                                                                                                           |

## SSH-MitM

如果你与将要使用用户名和密码连接到SSH服务器的受害者处于同一本地网络，你可以尝试**执行中间人攻击来窃取这些凭证：**

**攻击路径：**

* 用户流量被重定向到攻击机器
* 攻击者监控尝试连接到SSH服务器的尝试，并将它们重定向到其SSH服务器
* 攻击者的SSH服务器首先配置为记录所有输入的数据，包括用户的密码，其次，向用户想要连接的合法SSH服务器发送命令以执行它们，然后将结果返回给合法用户

[**SSH MITM**](https://github.com/jtesta/ssh-mitm) 正是执行上述描述的操作。

为了捕获实际的中间人攻击，你可以使用ARP欺骗、DNS欺骗或在 [**网络欺骗攻击**](../generic-methodologies-and-resources/pentesting-network/#spoofing) 中描述的其他技术。

## 配置错误

### Root登录

默认情况下，大多数SSH服务器实现将允许root登录，建议禁用它，因为如果这个账户的凭证泄露，攻击者将直接获得管理权限，这也将允许攻击者对这个账户进行暴力破解攻击。

**如何为openSSH禁用root登录：**

1. 编辑SSH服务器配置 `sudoedit /etc/ssh/sshd_config`
2. 将 `#PermitRootLogin yes` 改为 `PermitRootLogin no`
3. 考虑配置更改：`sudo systemctl daemon-reload`
4. 重启SSH服务器 `sudo systemctl restart sshd`

### SFTP暴力破解

* [**SFTP暴力破解**](../generic-methodologies-and-resources/brute-force.md#sftp)

### SFTP命令执行

SFTP配置中的另一个常见SSH配置错误通常可以看到。大多数时候，当创建一个SFTP服务器时，管理员希望用户有一个SFTP访问权限来共享文件，但不希望在机器上获得远程shell。所以他们认为创建一个用户，给他分配一个占位符shell（如 `/usr/bin/nologin` 或 `/usr/bin/false`）并将他限制在一个监狱中足以避免shell访问或对整个文件系统的滥用。但他们错了，**用户可以在默认命令或shell执行之前，请求在认证后立即执行一个命令**。因此，为了绕过将拒绝shell访问的占位符shell，只需在之前请求执行一个命令（例如 `/bin/bash`），只需这样做：
```bash
ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@192.168.1.94 /bin/bash
```
以下是针对用户`noraj`的安全SFTP配置示例（`/etc/ssh/sshd_config` - openSSH）：
```
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
```
这种配置将仅允许SFTP：通过强制启动命令禁用shell访问，并禁用TTY访问，但也禁用所有类型的端口转发或隧道。

### SFTP 隧道

如果你可以访问SFTP服务器，你也可以通过它隧道转发你的流量，例如使用常见的端口转发：
```bash
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP 符号链接

**sftp** 支持 "**symlink**" 命令。因此，如果你在某个文件夹中拥有**可写权限**，你可以创建指向**其他文件夹/文件**的**符号链接**。由于你可能被限制在一个 chroot 环境中，这**并不特别有用**，但是，如果你能够通过一个**非 chroot** **服务**访问创建的**符号链接**（例如，如果你能够通过网页访问该符号链接），你可以**通过网页打开链接的文件**。

例如，创建一个从新文件 **"**_**froot**_**" 到 "**_**/**_**"** 的**符号链接**：
```bash
sftp> symlink / froot
```
如果您可以通过网络访问文件 "_froot_"，您将能够列出系统的根目录（"/"）。

### 认证方法

在高安全环境中，通常的做法是仅启用基于密钥或双因素认证，而不是简单的基于密码的单因素认证。但往往在启用了更强的认证方法时，并没有禁用较弱的方法。一个常见的情况是在openSSH配置中启用`publickey`并将其设置为默认方法，但没有禁用`password`。因此，通过使用SSH客户端的详细模式，攻击者可以看到启用了较弱的方法：
```bash
ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```
例如，如果设置了认证失败限制，并且你永远无法达到密码方法，你可以使用 `PreferredAuthentications` 选项来强制使用这种方法。
```bash
ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
### 配置文件

检查SSH服务器配置是必要的，以确保只有预期的方法被授权。在客户端上使用详细模式可以帮助查看配置的有效性。
```bash
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```
## Fuzzing

* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)

## 参考资料

* 你可以在[https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)找到关于如何加固SSH的有趣指南
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)

<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">

如果你对**黑客职业**感兴趣，并且想要黑进那些不可黑的系统 - **我们正在招聘！**（_需要流利的波兰语书写和口语_）。

{% embed url="https://www.stmcyber.com/careers" %}

## HackTricks 自动命令
```
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening

Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh

Entry_2:
Name: consolesless mfs enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'

```
<details>

<summary><strong>从零到英雄学习AWS黑客技术，通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>！</strong></summary>

支持HackTricks的其他方式：

* 如果您想在**HackTricks中看到您的公司广告**或**以PDF格式下载HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

</details>
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								# 22 - 对SSH/SFTP的渗透测试
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								<summary><strong>通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS 红队专家)</strong></a><strong>从零到英雄学习AWS黑客攻击！</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								支持HackTricks的其他方式：
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* 如果你想在**HackTricks中看到你的公司广告**或**下载HackTricks的PDF**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* 获取[**官方的PEASS & HackTricks商品**](https://peass.creator-spring.com)
 								* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享你的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								如果你对**黑客职业**感兴趣，并且想要黑入不可黑的系统 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_).
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
 								{% embed url="https://www.stmcyber.com/careers" %}
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 基本信息
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								**SSH或Secure Shell或Secure Socket Shell，** 是一种网络协议，为用户提供了一种通过不安全网络安全访问计算机的**安全方式。**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								**默认端口：** 22
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+/tcp open  ssh     syn-ack
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								**SSH服务器：**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* [openSSH](http://www.openssh.org) – OpenBSD SSH，包含在BSD、Linux发行版和Windows 10以后的Windows版本中
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) – 为内存和处理器资源有限的环境设计的SSH实现，包含在OpenWrt中
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) – Windows平台的SSH实现，客户端常用，但服务器端使用较少
 								* [CopSSH](https://www.itefix.net/copssh) – Windows平台的OpenSSH实现
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								**SSH库（实现服务器端）：**
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* [libssh](https://www.libssh.org) – 多平台C语言库，实现SSHv2协议，提供[Python](https://github.com/ParallelSSH/ssh-python)、[Perl](https://github.com/garnier-quentin/perl-libssh/) 和 [R](https://github.com/ropensci/ssh)的绑定；它被KDE用于sftp，也被GitHub用于git SSH基础设施
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – 用ANSI C编写的SSHv2服务器库，针对嵌入式、RTOS和资源受限环境
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – 基于Apache MINA的Apache SSHD Java库
 								* [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2协议库
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 枚举
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								### Banner 抓取
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								nc -vn <IP> 22
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								### 自动化 ssh-audit
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								ssh-audit 是一个用于 ssh 服务器和客户端配置审计的工具。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) 是从 [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/) 更新的分支。
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['README.md', 'forensics/basic-forensic-methodology/specific-

											
										
										
											2023-08-30 09:57:28 +00:00
+								**特点：**
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								* 支持 SSH1 和 SSH2 协议服务器；
 								* 分析 SSH 客户端配置；
 								* 抓取横幅，识别设备或软件和操作系统，检测压缩；
 								* 收集密钥交换、主机密钥、加密和消息认证码算法；
 								* 输出算法信息（自何时可用，何时移除/禁用，不安全/弱/遗留等）；
 								* 输出算法建议（根据识别的软件版本添加或移除）；
 								* 输出安全信息（相关问题，分配的 CVE 列表等）；
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* 根据算法信息分析 SSH 版本兼容性；
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								* 来自 OpenSSH、Dropbear SSH 和 libssh 的历史信息；
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* 在 Linux 和 Windows 上运行；
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								* 无依赖
-												Adding mention of ssh-audit.py

For ssh audit, https://github.com/jtesta/ssh-audit is a very complete & fast python script.
+ Add a demo (Asciinema)
											
										
										
											2020-09-23 15:36:14 +00:00
+								```bash
 								usage: ssh-audit.py [-1246pbcnjvlt] <host>
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								-1,  --ssh1             force ssh version 1 only
 								-2,  --ssh2             force ssh version 2 only
 								-4,  --ipv4             enable IPv4 (order of precedence)
 								-6,  --ipv6             enable IPv6 (order of precedence)
 								-p,  --port=<port>      port to connect
 								-b,  --batch            batch output
 								-c,  --client-audit     starts a server on port 2222 to audit client
 								software config (use -p to change port;
 								use -t to change timeout)
 								-n,  --no-colors        disable colors
 								-j,  --json             JSON output
 								-v,  --verbose          verbose output
 								-l,  --level=<level>    minimum output level (info|warn|fail)
 								-t,  --timeout=<secs>   timeout (in seconds) for connection and reading
 								(default: 5)
-												Adding mention of ssh-audit.py

For ssh audit, https://github.com/jtesta/ssh-audit is a very complete & fast python script.
+ Add a demo (Asciinema)
											
										
										
											2020-09-23 15:36:14 +00:00
+								$ python3 ssh-audit <IP>
 								```
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								[查看动作演示 (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
-												Adding mention of ssh-audit.py

For ssh audit, https://github.com/jtesta/ssh-audit is a very complete & fast python script.
+ Add a demo (Asciinema)
											
										
										
											2020-09-23 15:36:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								### 服务器的公共SSH密钥
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								ssh-keyscan -t rsa <IP> -p <PORT>
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 弱密码算法
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								**nmap** 默认会发现这个问题。但你也可以使用 **sslcan** 或 **sslyze**。
-												GitBook: [master] one page modified
											
										
										
											2021-07-06 18:15:59 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								### Nmap 脚本
-												GitBook: [master] one page modified
											
										
										
											2021-07-06 18:15:59 +00:00
+								```bash
 								nmap -p22 <ip> -sC # Send default nmap scripts for SSH
 								nmap -p22 <ip> -sV # Retrieve version
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
-												GitBook: [master] one page modified
											
										
										
											2021-07-06 18:15:59 +00:00
+								nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
 								nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### Shodan
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								* `ssh`
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 暴力破解用户名、密码和私钥
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 用户名枚举
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								在某些版本的OpenSSH中，您可以进行时序攻击来枚举用户。您可以使用metasploit模块来利用这一点：
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								msf> use scanner/ssh/ssh_enumusers
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### [暴力破解](../generic-methodologies-and-resources/brute-force.md#ssh)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								一些常见的ssh凭据在[这里](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)和[这里](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt)，以及下面。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 私钥暴力破解
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								如果你知道一些可能会用到的ssh私钥...让我们尝试一下。你可以使用nmap脚本：
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
 								```
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								或者MSF辅助模块：
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								msf> use scanner/ssh/ssh_identify_pubkeys
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								或使用 `ssh-keybrute.py`（原生 python3，轻量级且启用了传统算法）：[snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute)。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology

											
										
										
											2023-08-16 05:11:08 +00:00
+								#### 已知的不安全密钥可以在这里找到：
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								#### 弱SSH密钥 / Debian可预测的PRNG
-												Translated ['backdoors/salseo.md', 'forensics/basic-forensic-methodology

											
										
										
											2023-08-16 05:11:08 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								一些系统在生成加密材料时使用的随机种子存在已知缺陷。这可能导致密钥空间大幅减少，可以被暴力破解。在受到弱PRNG影响的Debian系统上预生成的密钥集合可在此处获取：[g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)。
-												Added Debian PRNG keys and ssh-keybrute
											
										
										
											2023-01-21 22:13:23 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								你应该在这里查找受害机器的有效密钥。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								### Kerberos
-												GitBook: [master] one page modified
											
										
										
											2020-09-20 21:47:09 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								**crackmapexec** 使用 `ssh` 协议可以使用 `--kerberos` 选项**通过kerberos认证**。\
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								更多信息请运行 `crackmapexec ssh --help`。
-												GitBook: [master] one page modified
											
										
										
											2020-09-20 21:47:09 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								## 默认凭证
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								| **供应商** | **用户名**                                                                                               | **密码**                                                                                                                                                                                              |
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 								| APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                        |
 								| Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                      |
 								| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
 								| Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                       |
 								| D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                       |
 								| Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                         |
 								| EMC        | admin, root, sysadmin                                                                                       | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc                                                                                                                                              |
 								| HP/3Com    | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op                                                    | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin                                                   |
 								| Huawei     | admin, root                                                                                                 | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123                                                                                             |
 								| IBM        | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer                                                                                                                               |
 								| Juniper    | netscreen                                                                                                   | netscreen                                                                                                                                                                                                  |
 								| NetApp     | admin                                                                                                       | netapp123                                                                                                                                                                                                  |
 								| Oracle     | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user                                           | changeme, ilom-admin, ilom-operator, welcome1, oracle                                                                                                                                                      |
 								| VMware     | vi-admin, root, hqadmin, vmware, admin                                                                      | vmware, vmw@re, hqadmin, default                                                                                                                                                                           |
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## SSH-MitM
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								如果你与将要使用用户名和密码连接到SSH服务器的受害者处于同一本地网络，你可以尝试**执行中间人攻击来窃取这些凭证：**
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								**攻击路径：**
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								* 用户流量被重定向到攻击机器
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* 攻击者监控尝试连接到SSH服务器的尝试，并将它们重定向到其SSH服务器
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								* 攻击者的SSH服务器首先配置为记录所有输入的数据，包括用户的密码，其次，向用户想要连接的合法SSH服务器发送命令以执行它们，然后将结果返回给合法用户
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								[**SSH MITM**](https://github.com/jtesta/ssh-mitm) 正是执行上述描述的操作。
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								为了捕获实际的中间人攻击，你可以使用ARP欺骗、DNS欺骗或在 [**网络欺骗攻击**](../generic-methodologies-and-resources/pentesting-network/#spoofing) 中描述的其他技术。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 配置错误
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### Root登录
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								默认情况下，大多数SSH服务器实现将允许root登录，建议禁用它，因为如果这个账户的凭证泄露，攻击者将直接获得管理权限，这也将允许攻击者对这个账户进行暴力破解攻击。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								**如何为openSSH禁用root登录：**
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+. 编辑SSH服务器配置 `sudoedit /etc/ssh/sshd_config`
 . 将 `#PermitRootLogin yes` 改为 `PermitRootLogin no`
 . 考虑配置更改：`sudo systemctl daemon-reload`
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+. 重启SSH服务器 `sudo systemctl restart sshd`
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								### SFTP暴力破解
 								* [**SFTP暴力破解**](../generic-methodologies-and-resources/brute-force.md#sftp)
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### SFTP命令执行
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								SFTP配置中的另一个常见SSH配置错误通常可以看到。大多数时候，当创建一个SFTP服务器时，管理员希望用户有一个SFTP访问权限来共享文件，但不希望在机器上获得远程shell。所以他们认为创建一个用户，给他分配一个占位符shell（如 `/usr/bin/nologin` 或 `/usr/bin/false`）并将他限制在一个监狱中足以避免shell访问或对整个文件系统的滥用。但他们错了，**用户可以在默认命令或shell执行之前，请求在认证后立即执行一个命令**。因此，为了绕过将拒绝shell访问的占位符shell，只需在之前请求执行一个命令（例如 `/bin/bash`），只需这样做：
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								```bash
 								ssh -v noraj@192.168.1.94 id
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								...
 								Password:
 								debug1: Authentication succeeded (keyboard-interactive).
 								Authenticated to 192.168.1.94 ([192.168.1.94]:22).
 								debug1: channel 0: new [client-session]
 								debug1: Requesting no-more-sessions@openssh.com
 								debug1: Entering interactive session.
 								debug1: pledge: network
 								debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
 								debug1: Sending command: id
 								debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 								debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
 								uid=1000(noraj) gid=100(users) groups=100(users)
 								debug1: channel 0: free: client-session, nchannels 1
 								Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
 								Bytes per second: sent 43133.4, received 44349.5
 								debug1: Exit status 0
 								$ ssh noraj@192.168.1.94 /bin/bash
 								```
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								以下是针对用户`noraj`的安全SFTP配置示例（`/etc/ssh/sshd_config` - openSSH）：
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								```
 								Match User noraj
 								ChrootDirectory %h
 								ForceCommand internal-sftp
 								AllowTcpForwarding no
 								PermitTunnel no
 								X11Forwarding no
 								PermitTTY no
 								```
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								这种配置将仅允许SFTP：通过强制启动命令禁用shell访问，并禁用TTY访问，但也禁用所有类型的端口转发或隧道。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								### SFTP 隧道
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								如果你可以访问SFTP服务器，你也可以通过它隧道转发你的流量，例如使用常见的端口转发：
 								```bash
-												GitBook: [master] 2 pages modified
											
										
										
											2020-09-25 08:37:19 +00:00
+								sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### SFTP 符号链接
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								**sftp** 支持 "**symlink**" 命令。因此，如果你在某个文件夹中拥有**可写权限**，你可以创建指向**其他文件夹/文件**的**符号链接**。由于你可能被限制在一个 chroot 环境中，这**并不特别有用**，但是，如果你能够通过一个**非 chroot** **服务**访问创建的**符号链接**（例如，如果你能够通过网页访问该符号链接），你可以**通过网页打开链接的文件**。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								例如，创建一个从新文件 **"**_**froot**_**" 到 "**_**/**_**"** 的**符号链接**：
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								sftp> symlink / froot
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								如果您可以通过网络访问文件 "_froot_"，您将能够列出系统的根目录（"/"）。
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								### 认证方法
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								在高安全环境中，通常的做法是仅启用基于密钥或双因素认证，而不是简单的基于密码的单因素认证。但往往在启用了更强的认证方法时，并没有禁用较弱的方法。一个常见的情况是在openSSH配置中启用`publickey`并将其设置为默认方法，但没有禁用`password`。因此，通过使用SSH客户端的详细模式，攻击者可以看到启用了较弱的方法：
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								```bash
 								ssh -v 192.168.1.94
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
 								...
 								debug1: Authentications that can continue: publickey,password,keyboard-interactive
 								```
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								例如，如果设置了认证失败限制，并且你永远无法达到密码方法，你可以使用 `PreferredAuthentications` 选项来强制使用这种方法。
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								```bash
 								ssh -v 192.168.1.94 -o PreferredAuthentications=password
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								...
 								debug1: Next authentication method: password
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								### 配置文件
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								检查SSH服务器配置是必要的，以确保只有预期的方法被授权。在客户端上使用详细模式可以帮助查看配置的有效性。
-												Translated ['generic-methodologies-and-resources/brute-force.md', 'netwo

											
										
										
											2023-12-26 21:49:09 +00:00
+								```bash
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								ssh_config
 								sshd_config
 								authorized_keys
 								ssh_known_hosts
 								known_hosts
 								id_rsa
 								```
-												GitBook: [#3160] No subject

											
										
										
											2022-05-01 13:25:53 +00:00
+								## Fuzzing
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
 								* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								## 参考资料
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								* 你可以在[https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)找到关于如何加固SSH的有趣指南
-												GitBook: [master] 411 pages modified
											
										
										
											2020-12-14 16:53:57 +00:00
+								* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
-												Translated ['forensics/basic-forensic-methodology/specific-software-file

											
										
										
											2023-12-26 02:11:12 +00:00
+								如果你对**黑客职业**感兴趣，并且想要黑进那些不可黑的系统 - **我们正在招聘！**（_需要流利的波兰语书写和口语_）。
-												GitBook: [#3220] No subject

											
										
										
											2022-05-24 00:07:19 +00:00
 								{% embed url="https://www.stmcyber.com/careers" %}
-												Translated ['README.md', 'backdoors/salseo.md', 'forensics/basic-forensi

											
										
										
											2023-12-16 14:32:12 +00:00
+								## HackTricks 自动命令
-												GitBook: [#3127] No subject

											
										
										
											2022-04-27 08:21:36 +00:00
+								```
-												Update pentesting-ssh.md
											
										
										
											2021-09-13 15:32:29 +00:00
+								Protocol_Name: SSH
 								Port_Number: 22
 								Protocol_Description: Secure Shell Hardening
 								Entry_1:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: Hydra Brute Force
 								Description: Need Username
-												Translated ['network-services-pentesting/pentesting-ssh.md'] to cn

											
										
										
											2023-09-12 08:54:57 +00:00
+								Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
-												consoleless mfs enumeration

	Description: SSH enumeration without the need to run msfconsole
  	Note: sourced from https://github.com/carlospolop/legion
											
										
										
											2021-10-27 16:00:25 +00:00
+								Entry_2:
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								Name: consolesless mfs enumeration
 								Description: SSH enumeration without the need to run msfconsole
 								Note: sourced from https://github.com/carlospolop/legion
 								Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								```
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat

											
										
										
											2024-01-10 06:29:36 +00:00
+								<summary><strong>从零到英雄学习AWS黑客技术，通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>！</strong></summary>
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
 								支持HackTricks的其他方式：
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

											
										
										
											2024-01-02 22:21:01 +00:00
+								* 如果您想在**HackTricks中看到您的公司广告**或**以PDF格式下载HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
 								* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
 								* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
 								* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
 								* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>