22 - Pentesting SSH/SFTP
SSH or Secure Shell or Secure Socket Shell, is a network protocol that gives users a secure way to access a computer over an unsecured network.
Default port: 22
22/tcp open ssh syn-ack
nc -vn <IP> 22
ssh-audit is a tool for ssh server & client configuration auditing.
​https://github.com/jtesta/ssh-audit is an updated fork from https://github.com/arthepsy/ssh-audit/​
Features:
SSH1 and SSH2 protocol server support;
analyze SSH client configuration;
grab banner, recognize device or software and operating system, detect compression;
gather key-exchange, host-key, encryption and message authentication code algorithms;
output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
output algorithm recommendations (append or remove based on recognized software version);
output security information (related issues, assigned CVE list, etc);
analyze SSH version compatibility based on algorithm information;
historical information from OpenSSH, Dropbear SSH and libssh;
runs on Linux and Windows;
no dependencies
usage: ssh-audit.py [-1246pbcnjvlt] <host>​-1, --ssh1 force ssh version 1 only-2, --ssh2 force ssh version 2 only-4, --ipv4 enable IPv4 (order of precedence)-6, --ipv6 enable IPv6 (order of precedence)-p, --port=<port> port to connect-b, --batch batch output-c, --client-audit starts a server on port 2222 to audit clientsoftware config (use -p to change port;use -t to change timeout)-n, --no-colors disable colors-j, --json JSON output-v, --verbose verbose output-l, --level=<level> minimum output level (info|warn|fail)-t, --timeout=<secs> timeout (in seconds) for connection and reading(default: 5)$ python3 ssh-audit <IP>
​See it in action (Asciinema)​
ssh-keyscan -t rsa <IP> -p <PORT>
This is discovered by default by nmap. But you can also use sslcan or sslyze.
ssh
In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
msf> use scanner/ssh/ssh_enumusers
​Brute force​
Some common ssh credentials here and here and below.
If you know some ssh private key that could be used... lets try it. You can use the nmap script:
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
Or the MSF auxiliary module:
msf> use scanner/ssh/ssh_identify_pubkeys
You should look here in order to search for valid keys for the victim machine.
crackmapexec using the ssh protocol can use the option --kerberos to authenticate via kerberos.
For more info run crackmapexec ssh --help.
Vendor | Usernames | Passwords |
APC | apc, device | apc |
Brocade | admin | admin123, password, brocade, fibranne |
Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
D-Link | admin, user | private, admin, user |
Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc |
HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC_op, !manage, !admin |
Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
Juniper | netscreen | netscreen |
NetApp | admin | netapp123 |
Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
ssh_configsshd_configauthorized_keysssh_known_hostsknown_hostsid_rsa
You can find interesting guides on how to harden SSH in https://www.ssh-audit.com/hardening_guides.html​
You can configure SSH to behave as a SFTP server. So, some users will connect to SFTP service (in port 22) instead of to the SSH service.
You can even set a chroot to the SFTP users. A configuration example of SFTP users inside the file /etc/ssh/sshd_config can be seen in the following images.
All the ots-* users will be jailed inside a chroot.
If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
The sftp have the command "symlink". Therefor, if you have writable rights in some folder, you can create symlinks of other folders/files. As you are probably trapped inside a chroot this won't be specially useful for you, but, if you can access the created symlink from a no-chroot service (for example, if you can access the symlink from the web), you could open the symlinked files through the web.
For example, to create a symlink from a new file "froot" to "/":
sftp> symlink / froot
If you can access the file "froot" via web, you will be able to list the root ("/") folder of the system.
