maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-ssh.md

308 lines
19 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 22 - Pentesting SSH/SFTP
{{#include ../banners/hacktricks-training.md}}
## Basic Information
**SSH (Secure Shell au Secure Socket Shell)** ni protokali ya mtandao inayowezesha muunganisho salama kwa kompyuta kupitia mtandao usio salama. Ni muhimu kwa kudumisha usiri na uadilifu wa data unapofikia mifumo ya mbali.
**Port ya kawaida:** 22
```
22/tcp open ssh syn-ack
```
**SSH servers:**
- [openSSH](http://www.openssh.org) OpenBSD SSH, iliyotolewa katika BSD, usambazaji wa Linux na Windows tangu Windows 10
- [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) utekelezaji wa SSH kwa mazingira yenye rasilimali chache za kumbukumbu na processor, iliyotolewa katika OpenWrt
- [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) utekelezaji wa SSH kwa Windows, mteja hutumiwa mara nyingi lakini matumizi ya seva ni nadra
- [CopSSH](https://www.itefix.net/copssh) utekelezaji wa OpenSSH kwa Windows
**SSH libraries (implementing server-side):**
- [libssh](https://www.libssh.org) maktaba ya C ya majukwaa mengi inayotekeleza protokali ya SSHv2 yenye viambatisho katika [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) na [R](https://github.com/ropensci/ssh); inatumika na KDE kwa sftp na na GitHub kwa miundombinu ya git SSH
- [wolfSSH](https://www.wolfssl.com/products/wolfssh/) maktaba ya seva ya SSHv2 iliyoandikwa kwa ANSI C na iliyolengwa kwa mazingira yaliyo na rasilimali chache, RTOS, na zilizozuiliwa
- [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) maktaba ya java ya Apache SSHD inategemea Apache MINA
- [paramiko](https://github.com/paramiko/paramiko) maktaba ya protokali ya Python SSHv2
## Enumeration
### Banner Grabbing
```bash
nc -vn <IP> 22
```
### Automated ssh-audit
ssh-audit ni chombo cha ukaguzi wa usanidi wa ssh server na mteja.
[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) ni toleo lililosasishwa kutoka [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
**Features:**
- Msaada wa protokali za SSH1 na SSH2;
- changanua usanidi wa mteja wa SSH;
- pata banner, tambua kifaa au programu na mfumo wa uendeshaji, gundua compression;
- kusanya funguo za kubadilishana, funguo za mwenyeji, algorithms za usimbaji na msimbo wa uthibitishaji wa ujumbe;
- toa taarifa za algorithm (zinapatikana tangu, zimetolewa/zimezimwa, zisizo salama/dhaifu/za zamani, nk);
- toa mapendekezo ya algorithm (ongeza au ondoa kulingana na toleo la programu lililotambuliwa);
- toa taarifa za usalama (masuala yanayohusiana, orodha ya CVE iliyotolewa, nk);
- changanua ulinganifu wa toleo la SSH kulingana na taarifa za algorithm;
- taarifa za kihistoria kutoka OpenSSH, Dropbear SSH na libssh;
- inafanya kazi kwenye Linux na Windows;
- haina utegemezi
```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-p, --port=<port> port to connect
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n, --no-colors disable colors
-j, --json JSON output
-v, --verbose verbose output
-l, --level=<level> minimum output level (info|warn|fail)
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
$ python3 ssh-audit <IP>
```
[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
### Funguo za SSH za umma za seva
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### Algorithimu za Cipher Zenye Ukatili
Hii inagundulika kwa default na **nmap**. Lakini unaweza pia kutumia **sslcan** au **sslyze**.
### Skripti za Nmap
```bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
nmap -p22 <ip> --script ssh2-enum-algos # Retrieve supported algorythms
nmap -p22 <ip> --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys
nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods
```
### Shodan
- `ssh`
## Brute force usernames, passwords and private keys
### Username Enumeration
Katika toleo zingine za OpenSSH unaweza kufanya shambulio la muda ili kuhesabu watumiaji. Unaweza kutumia moduli ya metasploit ili kutumia hii:
```
msf> use scanner/ssh/ssh_enumusers
```
### [Brute force](../generic-hacking/brute-force.md#ssh)
Baadhi ya akidi za kawaida za ssh [hapa](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) na [hapa](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) na chini.
### Private Key Brute Force
Ikiwa unajua baadhi ya funguo za kibinafsi za ssh ambazo zinaweza kutumika... hebu jaribu. Unaweza kutumia skripti ya nmap:
```
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
Au moduli wa msaada wa MSF:
```
msf> use scanner/ssh/ssh_identify_pubkeys
```
Au tumia `ssh-keybrute.py` (python3 asilia, nyepesi na ina algorithimu za zamani zilizowekwa): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute).
#### Badkeys zinazojulikana zinaweza kupatikana hapa:
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
#### Funguo dhaifu za SSH / PRNG inayoweza kutabirika ya Debian
Mifumo mingine ina kasoro zinazojulikana katika mbegu za nasibu zinazotumika kuunda vifaa vya cryptographic. Hii inaweza kusababisha kupungua kwa kiwango cha funguo ambacho kinaweza kufanywa kwa nguvu. Seti za funguo zilizoundwa awali kwenye mifumo ya Debian iliyoathiriwa na PRNG dhaifu zinapatikana hapa: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
Unapaswa kutazama hapa ili kutafuta funguo halali za mashine ya mwathirika.
### Kerberos
**crackmapexec** kutumia itifaki ya `ssh` inaweza kutumia chaguo `--kerberos` ili **kujiandikisha kupitia kerberos**.\
Kwa maelezo zaidi, endesha `crackmapexec ssh --help`.
## Akida za Kawaida
| **Mtoa huduma** | **Majina ya watumiaji** | **Maneno ya siri** |
| ---------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC | apc, kifaa | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, mtumiaji | private, admin, mtumiaji |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
| Juniper | netscreen | netscreen |
| NetApp | admin | netapp123 |
| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
## SSH-MitM
Ikiwa uko kwenye mtandao wa ndani kama mwathirika ambaye atajiunga na seva ya SSH kwa kutumia jina la mtumiaji na nenosiri, unaweza kujaribu **kufanya shambulio la MitM ili kuiba akida hizo:**
**Njia ya shambulio:**
- **Uelekezaji wa Trafiki:** Mshambuliaji **anahamisha** trafiki ya mwathirika kwenye mashine yao, kwa ufanisi **akikamata** jaribio la kuungana na seva ya SSH.
- **Kukamata na Kurekodi:** Mashine ya mshambuliaji inafanya kazi kama **proxy**, **ikikamata** maelezo ya kuingia ya mtumiaji kwa kujifanya kuwa seva halali ya SSH.
- **Utendaji wa Amri na Uhamasishaji:** Hatimaye, seva ya mshambuliaji **inakumbuka akida za mtumiaji**, **inasambaza amri** kwa seva halisi ya SSH, **inafanya** hizo, na **inatuma matokeo nyuma** kwa mtumiaji, ikifanya mchakato huo kuonekana kuwa wa kawaida na halali.
[**SSH MITM**](https://github.com/jtesta/ssh-mitm) inafanya hasa kile kilichoelezwa hapo juu.
Ili kukamata kufanya MitM halisi unaweza kutumia mbinu kama ARP spoofing, DNS spoofing au nyingine zilizoorodheshwa katika [**Mashambulizi ya Spoofing ya Mtandao**](../generic-methodologies-and-resources/pentesting-network/#spoofing).
## SSH-Snake
Ikiwa unataka kupita mtandao kwa kutumia funguo za SSH za kibinafsi zilizogunduliwa kwenye mifumo, ukitumia kila funguo ya kibinafsi kwenye kila mfumo kwa ajili ya mwenyeji mpya, basi [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) ndiyo unayohitaji.
SSH-Snake inatekeleza kazi zifuatazo kiotomatiki na kwa kurudiarudia:
1. Kwenye mfumo wa sasa, pata funguo zozote za kibinafsi za SSH,
2. Kwenye mfumo wa sasa, pata mwenyeji au marudio yoyote (mtumiaji@host) ambayo funguo za kibinafsi zinaweza kukubaliwa,
3. Jaribu kuungana na SSH kwenye marudio yote kwa kutumia funguo zote za kibinafsi zilizogunduliwa,
4. Ikiwa marudio yameunganishwa kwa mafanikio, rudia hatua #1 - #4 kwenye mfumo uliounganishwa.
Ni ya kujirudia kabisa na kujiendeleza - na haina faili kabisa.
## Makosa ya Mipangilio
### Kuingia kwa Root
Ni kawaida kwa seva za SSH kuruhusu kuingia kwa mtumiaji wa root kwa default, ambayo inatoa hatari kubwa ya usalama. **Kuzima kuingia kwa root** ni hatua muhimu katika kulinda seva. Upatikanaji usioidhinishwa na mamlaka ya usimamizi na mashambulizi ya nguvu yanaweza kupunguziliwa mbali kwa kufanya mabadiliko haya.
**Ili Kuzima Kuingia kwa Root katika OpenSSH:**
1. **Hariri faili ya mipangilio ya SSH** kwa: `sudoedit /etc/ssh/sshd_config`
2. **Badilisha mipangilio** kutoka `#PermitRootLogin yes` hadi **`PermitRootLogin no`**.
3. **Reload mipangilio** kwa kutumia: `sudo systemctl daemon-reload`
4. **Anzisha tena seva ya SSH** ili kutekeleza mabadiliko: `sudo systemctl restart sshd`
### SFTP Brute Force
- [**SFTP Brute Force**](../generic-hacking/brute-force.md#sftp)
### Utendaji wa amri za SFTP
Kuna makosa ya kawaida yanayotokea na mipangilio ya SFTP, ambapo wasimamizi wanakusudia kwa watumiaji kubadilishana faili bila kuwezesha ufikiaji wa shell ya mbali. Licha ya kuweka watumiaji na shells zisizoingiliana (k.m., `/usr/bin/nologin`) na kuwafunga kwenye directory maalum, kuna pengo la usalama. **Watumiaji wanaweza kupita vizuizi hivi** kwa kuomba utendaji wa amri (kama `/bin/bash`) mara tu baada ya kuingia, kabla shell yao isiyoingiliana haijachukua. Hii inaruhusu utendaji wa amri zisizoidhinishwa, ikikandamiza hatua za usalama zilizokusudiwa.
[Mfano kutoka hapa](https://community.turgensec.com/ssh-hacking-guide/):
```bash
ssh -v noraj@192.168.1.94 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0
$ ssh noraj@192.168.1.94 /bin/bash
```
Hapa kuna mfano wa usanidi salama wa SFTP (`/etc/ssh/sshd_config` openSSH) kwa mtumiaji `noraj`:
```
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
```
Hii usanidi itaruhusu tu SFTP: kuzuia ufikiaji wa shell kwa kulazimisha amri ya kuanza na kuzuia ufikiaji wa TTY lakini pia kuzuia aina zote za upitishaji bandari au tunneling.
### SFTP Tunneling
Ikiwa una ufikiaji wa seva ya SFTP unaweza pia kupitisha trafiki yako kupitia hii kwa mfano ukitumia upitishaji wa bandari wa kawaida:
```bash
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP Symlink
The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** (for example, if you can access the symlink from the web), you could **open the symlinked files through the web**.
For example, to create a **symlink** from a new file **"**_**froot**_**" to "**_**/**_**"**:
```bash
sftp> symlink / froot
```
Ikiwa unaweza kufikia faili "_froot_" kupitia wavuti, utaweza kuorodhesha folda ya mzizi ("/") ya mfumo.
### Njia za uthibitishaji
Katika mazingira ya usalama wa juu, ni kawaida kuwezesha tu uthibitishaji wa msingi wa funguo au uthibitishaji wa hatua mbili badala ya uthibitishaji wa msingi wa nenosiri rahisi. Lakini mara nyingi njia za uthibitishaji zenye nguvu zinawezeshwa bila kuzima zile dhaifu. Kesi ya kawaida ni kuwezesha `publickey` kwenye usanidi wa openSSH na kuipanga kama njia ya default lakini bila kuzima `password`. Hivyo kwa kutumia hali ya verbose ya mteja wa SSH, mshambuliaji anaweza kuona kwamba njia dhaifu imewezeshwa:
```bash
ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```
Kwa mfano, ikiwa kikomo cha kushindwa kwa uthibitishaji kimewekwa na hujapata nafasi ya kufikia njia ya nywila, unaweza kutumia chaguo la `PreferredAuthentications` kulazimisha kutumia njia hii.
```bash
ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
Kukagua usanidi wa seva ya SSH ni muhimu kuhakikisha kwamba njia pekee zinazotarajiwa zimeidhinishwa. Kutumia hali ya verbose kwenye mteja kunaweza kusaidia kuona ufanisi wa usanidi.
### Config files
```bash
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa
```
## Fuzzing
- [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
- [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)
## References
- Unaweza kupata miongozo ya kuvutia juu ya jinsi ya kuimarisha SSH katika [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
- [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
## HackTricks Automatic Commands
```
Protocol_Name: SSH
Port_Number: 22
Protocol_Description: Secure Shell Hardening
Entry_1:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh
Entry_2:
Name: consolesless mfs enumeration
Description: SSH enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit'
```
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink