hacktricks/network-services-pentesting/pentesting-ssh.md

# 22 - SSH/SFTP 渗透测试

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在一家**网络安全公司**工作吗？想要在 HackTricks 中**宣传你的公司**吗？或者你想要**获取最新版本的 PEASS 或下载 HackTricks 的 PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品 - [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向** [**hacktricks 仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud 仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交 PR 来分享你的黑客技巧。**

</details>

<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">

如果你对**黑客职业**感兴趣并且想要攻破不可攻破的东西 - **我们正在招聘！**（需要流利的波兰语书写和口语能力）。

{% embed url="https://www.stmcyber.com/careers" %}

## 基本信息

**SSH 或 Secure Shell 或 Secure Socket Shell** 是一种网络协议，为用户提供了一种在不安全网络上安全访问计算机的方式。

**默认端口：**22
```
22/tcp open  ssh     syn-ack
```
**SSH服务器：**

* [openSSH](http://www.openssh.org) - OpenBSD SSH，在BSD、Linux发行版和Windows 10中提供
* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) - 适用于内存和处理器资源较低环境的SSH实现，在OpenWrt中提供
* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) - 适用于Windows的SSH实现，客户端常用，但服务器的使用较少
* [CopSSH](https://www.itefix.net/copssh) - 用于Windows的OpenSSH实现

**SSH库（实现服务器端）：**

* [libssh](https://www.libssh.org) - 多平台C库，实现SSHv2协议，支持[Python](https://github.com/ParallelSSH/ssh-python)、[Perl](https://github.com/garnier-quentin/perl-libssh/)和[R](https://github.com/ropensci/ssh)绑定；KDE用于sftp，GitHub用于git SSH基础设施
* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) - 使用ANSI C编写的SSHv2服务器库，针对嵌入式、RTOS和资源受限环境
* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) - 基于Apache MINA的Apache SSHD Java库
* [paramiko](https://github.com/paramiko/paramiko) - Python SSHv2协议库

## 枚举

### 横幅抓取
```bash
nc -vn <IP> 22
```
### 自动化的ssh-audit

ssh-audit是一个用于ssh服务器和客户端配置审计的工具。

[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) 是从[https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)更新的分支。

**特点:**

* 支持SSH1和SSH2协议服务器;
* 分析SSH客户端配置;
* 获取横幅，识别设备或软件和操作系统，检测压缩;
* 收集密钥交换，主机密钥，加密和消息认证代码算法;
* 输出算法信息（可用自，已删除/禁用，不安全/弱/遗留等）;
* 输出算法建议（根据识别的软件版本追加或删除）;
* 输出安全信息（相关问题，分配的CVE列表等）;
* 基于算法信息分析SSH版本兼容性;
* 来自OpenSSH，Dropbear SSH和libssh的历史信息;
* 在Linux和Windows上运行;
* 无依赖项
```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>

-1,  --ssh1             force ssh version 1 only
-2,  --ssh2             force ssh version 2 only
-4,  --ipv4             enable IPv4 (order of precedence)
-6,  --ipv6             enable IPv6 (order of precedence)
-p,  --port=<port>      port to connect
-b,  --batch            batch output
-c,  --client-audit     starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n,  --no-colors        disable colors
-j,  --json             JSON output
-v,  --verbose          verbose output
-l,  --level=<level>    minimum output level (info|warn|fail)
-t,  --timeout=<secs>   timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>
```
### 服务器的公共SSH密钥

```plaintext
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZz6Xz3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z3z
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### 弱密码算法

这是默认由**nmap**发现的。但你也可以使用**sslcan**或**sslyze**。

### Nmap脚本
```bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```
### Shodan

* `ssh`

## 暴力破解用户名、密码和私钥

### 用户名枚举

在某些版本的OpenSSH中，您可以使用时序攻击来枚举用户。您可以使用Metasploit模块来利用此漏洞：
```
msf> use scanner/ssh/ssh_enumusers
```
### [暴力破解](../generic-methodologies-and-resources/brute-force.md#ssh)

一些常见的ssh凭证[在这里](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)和[在这里](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt)以及下面。

### 私钥暴力破解

如果你知道一些可以使用的ssh私钥...让我们试试吧。你可以使用nmap脚本：
```
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
或者使用MSF辅助模块：
```
msf> use scanner/ssh/ssh_identify_pubkeys
```
或者使用`ssh-keybrute.py`（原生python3，轻量级且启用了传统算法）：[snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute)。

#### 已知的不安全密钥可以在这里找到：

{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}

#### 弱SSH密钥/Debian可预测PRNG

某些系统在生成加密材料时使用的随机种子存在已知缺陷。这可能导致密钥空间大大减少，从而可以进行暴力破解。在此处提供了在受弱PRNG影响的Debian系统上生成的预生成密钥集：[g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)。

您应该在此处搜索受害机器的有效密钥。

### Kerberos

**crackmapexec**使用`ssh`协议可以使用`--kerberos`选项来**通过Kerberos进行身份验证**。\
有关更多信息，请运行`crackmapexec ssh --help`。

## 默认凭据

| **供应商** | **用户名**                                                                                                 | **密码**                                                                                                                                                                                              |
| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                        |
| Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                      |
| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                       |
| D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                       |
| Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                         |
| EMC        | admin, root, sysadmin                                                                                       | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc                                                                                                                                              |
| HP/3Com    | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op                                                    | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin                                                   |
| Huawei     | admin, root                                                                                                 | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123                                                                                             |
| IBM        | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer                                                                                                                               |
| Juniper    | netscreen                                                                                                   | netscreen                                                                                                                                                                                                  |
| NetApp     | admin                                                                                                       | netapp123                                                                                                                                                                                                  |
| Oracle     | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user                                           | changeme, ilom-admin, ilom-operator, welcome1, oracle                                                                                                                                                      |
| VMware     | vi-admin, root, hqadmin, vmware, admin                                                                      | vmware, vmw@re, hqadmin, default                                                                                                                                                                           |

## SSH-MitM

如果您在与将使用用户名和密码连接到SSH服务器的受害者处于同一局域网中，您可以尝试**执行中间人攻击以窃取这些凭据**：

**攻击路径：**

* 用户流量被重定向到攻击机器
* 攻击者监视连接到SSH服务器的尝试，并将其重定向到其自己的SSH服务器
* 攻击者的SSH服务器被配置为首先记录所有输入的数据，包括用户的密码，其次发送命令到用户想要连接的合法SSH服务器以执行这些命令，然后将结果返回给合法用户

\*\*\*\*[**SSH MITM**](https://github.com/jtesta/ssh-mitm) \*\*\*\*正是上述描述的操作。

为了捕获实际的中间人攻击，您可以使用ARP欺骗、DNS欺骗或其他在[**网络欺骗攻击**](../generic-methodologies-and-resources/pentesting-network/#spoofing)中描述的技术。

## 配置错误

### Root登录

默认情况下，大多数SSH服务器实现将允许root登录，建议禁用它，因为如果此帐户的凭据泄漏，攻击者将直接获得管理员权限，这还将允许攻击者对该帐户进行暴力破解攻击。

**如何禁用openSSH的root登录：**

1. 编辑SSH服务器配置 `sudoedit /etc/ssh/sshd_config`
2. 将 `#PermitRootLogin yes` 改为 `PermitRootLogin no`
3. 考虑配置更改：`sudo systemctl daemon-reload`
4. 重新启动SSH服务器 `sudo systemctl restart sshd`

### SFTP命令执行

另一个常见的SSH配置错误通常出现在SFTP配置中。大多数情况下，当创建SFTP服务器时，管理员希望用户具有SFTP访问以共享文件，但不希望用户在机器上获得远程shell。因此，他们认为创建一个用户，为其分配一个占位符shell（如`/usr/bin/nologin`或`/usr/bin/false`），并将其chroot到一个jail中足以避免对整个文件系统的shell访问或滥用。但是，他们是错误的，**用户可以在身份验证之后，在默认命令或shell执行之前要求执行命令**。因此，要绕过将拒绝shell访问的占位符shell，只需在之前要求执行一个命令（例如`/bin/bash`），只需执行以下操作：
```
$ ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0

$ ssh noraj@192.168.1.94 /bin/bash
```
以下是用户`noraj`的安全SFTP配置示例（`/etc/ssh/sshd_config` - openSSH）：

```plaintext
# Only allow SFTP access for the user noraj
Match User noraj
    ForceCommand internal-sftp
    ChrootDirectory /home/noraj
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```

这是一个安全的SFTP配置示例，仅允许用户`noraj`访问。配置文件`/etc/ssh/sshd_config`中的设置如下：

```plaintext
# 仅允许用户noraj进行SFTP访问
Match User noraj
    ForceCommand internal-sftp
    ChrootDirectory /home/noraj
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```
```
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
```
这个配置只允许SFTP：通过强制启动命令和禁用TTY访问来禁用shell访问，同时禁用所有类型的端口转发或隧道。

### SFTP隧道

如果您可以访问SFTP服务器，您还可以通过使用常见的端口转发将流量隧道化。
```
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP 符号链接

**sftp** 命令中有一个 "**symlink**" 命令。因此，如果你在某个文件夹中具有 **可写权限**，你可以创建 **其他文件夹/文件** 的 **符号链接**。由于你可能被**限制**在一个 chroot 环境中，所以这对你来说**不会特别有用**，但是，如果你可以从一个 **非 chroot 服务**（例如，如果你可以从 web 访问符号链接）中**访问**创建的 **符号链接**，你可以通过 web **打开符号链接的文件**。

例如，要将一个新文件 **"**_**froot**_**"** 创建为指向 "**_**/**_**"** 的 **符号链接**：
```
sftp> symlink / froot
```
如果您可以通过网络访问文件"_froot_"，您将能够列出系统的根("/")文件夹。

### 身份验证方法

在高安全环境中，通常会启用基于密钥或双因素身份验证，而不是简单的基于密码的身份验证。但是，通常在启用更强的身份验证方法的同时，不禁用较弱的方法。一个常见的情况是在openSSH配置中启用`publickey`并将其设置为默认方法，但不禁用`password`。因此，通过使用SSH客户端的详细模式，攻击者可以看到启用了较弱的方法：
```
$ ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```
例如，如果设置了身份验证失败限制，并且您从未有机会到达密码方法，您可以使用`PreferredAuthentications`选项来强制使用此方法。
```
$ ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
### 配置文件

The SSH server configuration files are located in the `/etc/ssh/` directory. The main configuration file is `sshd_config`, which contains the settings for the SSH server.

To review the SSH server configuration, open the `sshd_config` file using a text editor:

```bash
$ sudo nano /etc/ssh/sshd_config
```

### 配置文件

SSH服务器的配置文件位于`/etc/ssh/`目录中。主要的配置文件是`sshd_config`，其中包含了SSH服务器的设置。

要查看SSH服务器的配置，请使用文本编辑器打开`sshd_config`文件：

```bash
$ sudo nano /etc/ssh/sshd_config
```

### Authentication Methods

### 身份验证方法

The `sshd_config` file allows you to specify which authentication methods are allowed for SSH connections. It is important to review and configure these methods to ensure that only the expected methods are authorized.

Look for the `AuthenticationMethods` directive in the `sshd_config` file. By default, it is set to `password` and `publickey`, which means both password and public key authentication methods are allowed.

To restrict the authentication methods, modify the `AuthenticationMethods` directive accordingly. For example, to only allow public key authentication, set it to:

```
AuthenticationMethods publickey
```

Save the changes and restart the SSH service for the new configuration to take effect:

```bash
$ sudo service ssh restart
```

### 身份验证方法

`sshd_config`文件允许您指定SSH连接所允许的身份验证方法。重要的是要检查和配置这些方法，以确保只有预期的方法被授权。

在`sshd_config`文件中查找`AuthenticationMethods`指令。默认情况下，它设置为`password`和`publickey`，这意味着密码和公钥身份验证方法都是允许的。

要限制身份验证方法，请相应地修改`AuthenticationMethods`指令。例如，要仅允许公钥身份验证，请将其设置为：

```
AuthenticationMethods publickey
```

保存更改并重新启动SSH服务以使新配置生效：

```bash
$ sudo service ssh restart
```
```
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```
## Fuzzing

* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2)

## References

* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)

<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">

如果你对**黑客职业**感兴趣并想要攻破不可攻破的系统 - **我们正在招聘！**（需要流利的波兰语书写和口语能力）。

{% embed url="https://www.stmcyber.com/careers" %}

## HackTricks自动命令
```
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening

Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh

Entry_2:
Name: consolesless mfs enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'

```
<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在一家**网络安全公司**工作吗？想要在HackTricks中**宣传你的公司**吗？或者你想要**获取PEASS的最新版本或下载HackTricks的PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>