GitBook: [#3127] No subject

This commit is contained in:
CPol 2022-04-27 08:21:36 +00:00 committed by gitbook-bot
parent bf7aef781b
commit 00d000975e
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 71 additions and 55 deletions

View file

@ -3,14 +3,13 @@
{% hint style="warning" %}
**Support HackTricks and get benefits!**
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
@ -295,7 +294,7 @@ In modern switches this vulnerability has been fixed.
#### Dynamic Trunking
Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not.
Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not.
If it was discovered that the the network is vulnerable, you can use _**Yersinia**_ to launch an "**enable trunking**" using protocol "**DTP**" and you will be able to see network packets from all the VLANs.
@ -430,7 +429,7 @@ You could also use [scapy](https://github.com/secdev/scapy/). Be sure to install
Although intended for use by the employees Voice over Internet Protocol (VoIP) phones, modern VoIP devices are increasingly integrated with IoT devices. Many employees can now unlock doors using a special phone number, control the rooms thermostat...
The tool [**voiphopper**](http://voiphopper.sourceforge.net) mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP.
The tool [**voiphopper**](http://voiphopper.sourceforge.net) mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP.
**VoIP Hopper** supports **three** CDP modes. The **sniff** mode inspects the network packets and attempts to locate the VLAN ID. To use it, set the **`-c`** parameter to `0`. The **spoof** mode generates custom packets similar to the ones a real VoIP device would transmit in the corporate network. To use it, set the **`-c`** parameter to **`1`**. The spoof with a **pre-madepacket** mode sends the same packets as a Cisco 7971G-GE IP phone. To use it, set the **`-c`** parameter to **`2`**.
@ -502,7 +501,7 @@ You can use Responder DHCP script (_/usr/share/responder/DHCP.py_) to establish
Here are some of the attack tactics that can be used against 802.1X implementations:
* Active brute-force password grinding via EAP
* Attacking the RADIUS server with malformed EAP content _**_(exploits)
* Attacking the RADIUS server with malformed EAP content _\*\*_(exploits)
* EAP message capture and offline password cracking (EAP-MD5 and PEAP)
* Forcing EAP-MD5 authentication to bypass TLS certificate validation
* Injecting malicious network traffic upon authenticating using a hub or similar
@ -539,9 +538,9 @@ Most Open Shortest Path First (OSPF) implementations use MD5 to provide authenti
For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network (3rd edition).**_
__
\_\_
You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _**(TODO: Read it all and all new attacks if any)_
You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _\*\*(TODO: Read it all and all new attacks if any)_
## **Spoofing**
@ -552,6 +551,10 @@ Ettercap
yersinia dhcp -attack 2 #More parameters are needed
```
### ARP Spoofing
Check the [previous section](./#arp-spoofing).
### ICMPRedirect
ICMP Redirect consist on sending an ICMP packet type 1 code 5 that indicates that the attacker is the best way to reach an IP. Then, when the victim wants to contact the IP, it will send the packet through the attacker.

View file

@ -6,20 +6,20 @@
**Default port:** 22
```text
```
22/tcp open ssh syn-ack
```
**SSH servers:**
* [openSSH](http://www.openssh.org/) OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
* [openSSH](http://www.openssh.org) OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
* [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) SSH implementation for Windows, the client is commonly used but the use of the server is rarer
* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) SSH implementation for Windows, the client is commonly used but the use of the server is rarer
* [CopSSH](https://www.itefix.net/copssh) implementation of OpenSSH for Windows
**SSH libraries \(implementing server-side\):**
**SSH libraries (implementing server-side):**
* [libssh](https://www.libssh.org/) multiplatform C library implementing the SSHv2 protocol with bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) and [R](https://github.com/ropensci/ssh); its used by KDE for sftp and by GitHub for the git SSH infrastructure
* [libssh](https://www.libssh.org) multiplatform C library implementing the SSHv2 protocol with bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) and [R](https://github.com/ropensci/ssh); its used by KDE for sftp and by GitHub for the git SSH infrastructure
* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) Apache SSHD java library is based on Apache MINA
* [paramiko](https://github.com/paramiko/paramiko) Python SSHv2 protocol library
@ -44,9 +44,9 @@ ssh-audit is a tool for ssh server & client configuration auditing.
* analyze SSH client configuration;
* grab banner, recognize device or software and operating system, detect compression;
* gather key-exchange, host-key, encryption and message authentication code algorithms;
* output algorithm information \(available since, removed/disabled, unsafe/weak/legacy, etc\);
* output algorithm recommendations \(append or remove based on recognized software version\);
* output security information \(related issues, assigned CVE list, etc\);
* output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
* output algorithm recommendations (append or remove based on recognized software version);
* output security information (related issues, assigned CVE list, etc);
* analyze SSH version compatibility based on algorithm information;
* historical information from OpenSSH, Dropbear SSH and libssh;
* runs on Linux and Windows;
@ -73,7 +73,7 @@ usage: ssh-audit.py [-1246pbcnjvlt] <host>
$ python3 ssh-audit <IP>
```
[See it in action \(Asciinema\)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
### Public SSH key of server
@ -105,7 +105,7 @@ nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check a
In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
```text
```
msf> use scanner/ssh/ssh_enumusers
```
@ -117,45 +117,59 @@ Some common ssh credentials [here ](https://github.com/danielmiessler/SecLists/b
If you know some ssh private key that could be used... lets try it. You can use the nmap script:
```text
```
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
Or the MSF auxiliary module:
```text
```
msf> use scanner/ssh/ssh_identify_pubkeys
```
#### Known badkeys can be found here:
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" caption="" %}
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
You should look here in order to search for valid keys for the victim machine.
### Kerberos
**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.
**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.\
For more info run `crackmapexec ssh --help`.
## Default Credentials
| **Vendor** | **Usernames** | **Passwords** |
| :--- | :--- | :--- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password\#1, Password123\#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V\#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12\#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
| **Vendor** | **Usernames** | **Passwords** |
| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
## SSH-MitM
If you are in the local network as the victim which is going to connect to the SSH server using username and password you could try to **perform a MitM attack to steal those credentials:**
**Attack path:**
* user traffic is redirected to the attacking machine
* the attacker monitors attempts to connect to the SSH server and redirects them to its SSH server
* the attacker's SSH server is configured, firstly, to log all entered data, including the user's password, and, secondly, send commands to the legitimate SSH server to which the user wants to connect, to execute them, and then return the results to the legitimate user
****[**SSH MITM**](https://github.com/jtesta/ssh-mitm) **** does exactly what is described above.
In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the [**Network Spoofing attacks**](pentesting-network/#spoofing).
## Config Misconfigurations
@ -172,9 +186,9 @@ By default most SSH server implementation will allow root login, it is advised t
### SFTP command execution
Another common SSH misconfiguration is often seen in SFTP configuration. Most of the time when creating a SFTP server the administrator want users to have a SFTP access to share files but not to get a remote shell on the machine. So they think that creating a user, attributing him a placeholder shell \(like `/usr/bin/nologin` or `/usr/bin/false`\) and chrooting him in a jail is enough to avoid a shell access or abuse on the whole file system. But they are wrong, **a user can ask to execute a command right after authentication before its default command or shell is executed**. So to bypass the placeholder shell that will deny shell access, one only has to ask to execute a command \(eg. `/bin/bash`\) before, just by doing:
Another common SSH misconfiguration is often seen in SFTP configuration. Most of the time when creating a SFTP server the administrator want users to have a SFTP access to share files but not to get a remote shell on the machine. So they think that creating a user, attributing him a placeholder shell (like `/usr/bin/nologin` or `/usr/bin/false`) and chrooting him in a jail is enough to avoid a shell access or abuse on the whole file system. But they are wrong, **a user can ask to execute a command right after authentication before its default command or shell is executed**. So to bypass the placeholder shell that will deny shell access, one only has to ask to execute a command (eg. `/bin/bash`) before, just by doing:
```text
```
$ ssh -v noraj@192.168.1.94 id
...
Password:
@ -197,9 +211,9 @@ debug1: Exit status 0
$ ssh noraj@192.168.1.94 /bin/bash
```
Here is an example of secure SFTP configuration \(`/etc/ssh/sshd_config` openSSH\) for the user `noraj`:
Here is an example of secure SFTP configuration (`/etc/ssh/sshd_config` openSSH) for the user `noraj`:
```text
```
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
@ -215,27 +229,27 @@ This configuration will allow only SFTP: disabling shell access by forcing the s
If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:
```text
```
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP Symlink
The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** \(for example, if you can access the symlink from the web\), you could **open the symlinked files through the web**.
The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** (for example, if you can access the symlink from the web), you could **open the symlinked files through the web**.
For example, to create a **symlink** from a new file **"**_**froot**_**" to "**_**/**_**"**:
```text
```
sftp> symlink / froot
```
If you can access the file "_froot_" via web, you will be able to list the root \("/"\) folder of the system.
If you can access the file "_froot_" via web, you will be able to list the root ("/") folder of the system.
### Authentication methods
On high security environment its a common practice to enable only key-based or two factor authentication rather than the simple factor password based authentication. But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling `publickey` on openSSH configuration and setting it as the default method but not disabling `password`. So by using the verbose mode of the SSH client an attacker can see that a weaker method is enabled:
```text
```
$ ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
@ -244,19 +258,19 @@ debug1: Authentications that can continue: publickey,password,keyboard-interacti
For example if an authentication failure limit is set and you never get the chance to reach the password method, you can use the `PreferredAuthentications` option to force to use this method.
```text
```
$ ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
Review the SSH server configuration is necessary to check that only expected
methods are authorized. Using the verbose mode on the client can help to see
Review the SSH server configuration is necessary to check that only expected\
methods are authorized. Using the verbose mode on the client can help to see\
the effectiveness of the configuration.
### Config files
```text
```
ssh_config
sshd_config
authorized_keys
@ -268,16 +282,16 @@ id_rsa
## Fuzzing
* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)
* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2)
## References
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening_guides.html)
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
## HackTricks Automatic Commands
```text
```
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening
@ -294,4 +308,3 @@ Entry_2:
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
```