openssh tricks
Post on 29-Nov-2014
OpenSSH tricks
Assem Chelli
assem.ch@gmail.com (@assem_ch)
Hacknowledge Contest Algeria 2013
Assem Chelli OpenSSH tricks
.. What is SSH?
SSH: Secure SHell, a network protocol created by Tatu Ylonen (1995)
Secure logging into a remote computer:
- Public key authentication (!Password)
- Authentication of the server (!MAN-IN-THE-MIDDLE)
- Encryption
- Integrity
more features:
- Stream compression
- Port forwarding
- X11 session forwarding
- File transfer
.. WHY SSH IS SO IMPORTANT?
SSH protects against:
- IP spoofing
- IP source routing
- DNS spoofing
- Password sniffing
- Manipulation of transferred data
- Attack on X11 (sniffing on authorization)
.. Install Open SSH
SSH is so restricted, OpenSSH is free!
Packages: openssh-client, openssh-server
    sudo apt-get install openssh-client openssh-server
    sudo yum install openssh-clients openssh-server    # the client package is named openssh-clients on yum-based systems
WINDOWS: download & install PuTTY
http://www.chiark.greenend.org.uk/~sgtatham/putty/
.. Basic SSH usage
Remote login
    ssh hostname
    ssh -l user hostname
    ssh user@hostname
What ssh asks:
    cd:41:70:30:48:07:16:81:e5:30:34:66:f1:56:ef:db
    RSA key fingerprint -> yes / no (public key authentication of the host)
    host's password: _______ (password authentication)
known hosts
    ~/.ssh/known_hosts
.. Omar in the middle!
Let's play the SERVER role!
- We put the server offline
- Someone sets his IP to the same IP as the server
Now try to log in again
    ssh host
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
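The check behind this warning, as an added example that is not part of the original slides: ssh compares the key the server presents with the one pinned in known_hosts. The function names, hosts, addresses and key blobs are constructed placeholders, and hashed or wildcard known_hosts entries are not handled (ssh-keygen -F covers those).

```shell
#!/bin/sh
# Added example. Hosts, addresses and key blobs are constructed placeholders.

# fingerprint_md5 BASE64_KEY
# Prints the colon-separated MD5 fingerprint, the format shown on the slide.
fingerprint_md5() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# check_host_key KNOWN_HOSTS HOST KEYTYPE BASE64_KEY
# Prints "match", "changed" or "unknown" for the presented key.
# Plain host lists only: hashed (|1|...) and wildcard entries are not handled.
check_host_key() {
    awk -v host="$2" -v ktype="$3" -v key="$4" '
        /^[#@]/ || NF < 3 { next }      # comments, @revoked/@cert-authority, blanks
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host && $2 == ktype) {
                    seen = 1            # a key of this type is pinned for the host
                    if ($3 == key) ok = 1
                }
        }
        END { print (ok ? "match" : (seen ? "changed" : "unknown")) }
    ' "$1"
}

# Constructed known_hosts file: one server, reachable by name and by IP.
KH=$(mktemp)
trap 'rm -f "$KH"' EXIT
cat > "$KH" <<'EOF'
# constructed sample entry; the key blob is a placeholder, not a real key
server.example.com,192.0.2.10 ssh-rsa Q09OU1RSVUNURUQtS0VZLUE=
EOF

KEY_A='Q09OU1RSVUNURUQtS0VZLUE='   # key presented by the real server
KEY_B='Q09OU1RSVUNURUQtS0VZLUI='   # key presented by a machine that took over its IP

for key in "$KEY_A" "$KEY_B"; do
    printf '%-8s %s\n' \
        "$(check_host_key "$KH" 192.0.2.10 ssh-rsa "$key")" \
        "$(fingerprint_md5 "$key")"
done
```

When the result is "changed", confirm the new fingerprint with the server's administrator over a separate channel before removing the old entry with ssh-keygen -R host.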
.. SSH replaces telnet.
    ssh host.domena.pl
    ssh user@host.domena.pl
    ssh -l user host.domena.pl
.. SSH replaces FTP.
sftp host.domena.pl
sftp> dir
.. SSH replaces r-commands.
rexec
    ssh host "cat /etc/passwd"
rlogin
    ssh user@host
rcp
    scp file host.domena.pl:
.. Executing commands remotely
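    ssh host netstat
    ssh host "ls -C /bin"
    ssh host "cat /etc/passwd"
    ssh host "vi /tmp/foo"      # vi needs a terminal, and none is allocated for a remote command
    ssh -t host vi /tmp/foo     # -t forces pseudo-terminal allocation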
.. Redirecting commands input and output
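    ssh host "ls /bin | grep -i rm"                          # grep runs on the remote host
    ssh host "ls /bin" | grep -i rm                          # grep runs locally
    ssh host "cat /etc/passwd" > remote_passwd               # output is saved to a local file
    ssh host "psql billing" < billing.sql | grep -v ^INFO    # local file as remote stdin, output filtered locally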
.. File transfer
scp
    scp [user1@]host1:/path/to/source/file [user2@]host2:/path/to/destination/file
    scp -r
sftp
    sftp host
    sftp> cd /usr/share/games
    sftp> ls
    sftp> lcd /tmp
    sftp> get c*
    sftp> quit
tar-over-ssh
    ssh host "cd /usr/share/games ; tar cf - ./a*" | \
        (cd /tmp ; tar xpvf -)
rsync
    rsync -ve ssh host:/bin/c* /tmp
.. Public Keys
Generate a public key
    ssh-keygen -t rsa
    cat ~/.ssh/id_rsa.pub
Authentication
    ssh-add -l
Restrictions
    cat ~/.ssh/authorized_keys
.. Default Config Files and SSH Port
/etc/ssh/sshd_config - OpenSSH server configuration file.
/etc/ssh/ssh_config - OpenSSH client configuration file.
~/.ssh/ - User's SSH configuration directory.
~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user's account.
/etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
/etc/hosts.allow and /etc/hosts.deny - Access control lists that should be enforced by tcp-wrappers are defined here.
SSH default port: TCP ??
.. BEST SSH Tricks 1
1. Copy ssh keys to user@host to enable password-less ssh logins
    ssh-copy-id user@host
2. Start a tunnel from some machine's port 80 to your local port 2001
    ssh -N -L2001:localhost:80 somemachine
3. Output your microphone to a remote computer's speaker
    dd if=/dev/dsp | ssh -c arcfour -C username@host dd of=/dev/dsp
    # arcfour (RC4) is a weak cipher that current OpenSSH releases no longer support; drop -c arcfour there
4. Compare a remote file with a local file
    ssh user@host cat /path/to/remotefile | diff /path/to/localfile -
5. Mount folder/filesystem through SSH
    sshfs name@server:/path/to/folder /path/to/mount/point
.. BEST SSH Tricks 2
1. SSH connection through host in the middle
    ssh -t reachable_host ssh unreachable_host
2. Copy from host1 to host2, through your host
    ssh root@host1 "cd /somedir/tocopy/ && tar -cf - ." | ssh root@host2 "cd /samedir/tocopyto/ && tar -xf -"
3. Run any GUI program remotely
    ssh -fX user@host program
4. Create a persistent connection to a machine
    ssh -MNf user@host
5. Attach screen over ssh
    ssh -t remote_host screen -r
.. BEST SSH Tricks 3
1. Run complex remote shell cmds over ssh
    ssh host -l user "$(cat cmd.txt)"    # runs the commands in the local file cmd.txt on host
2. Resume scp of a big file
    rsync --partial --progress --rsh=ssh $file_source $user@$host:$destination_file
3. Analyze traffic remotely over ssh w/ wireshark
    ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -
4. Have an ssh session open forever
    autossh -M50000 -t server.example.com 'screen -raAd mysession'
5. Harder, Faster, Stronger SSH clients
    ssh -4 -C -c blowfish-cbc
    # blowfish-cbc is a legacy cipher that current OpenSSH releases no longer support; drop -c blowfish-cbc there
.. Best SSH tricks 4
1. Disable OpenSSH Server
    apt-get remove openssh-server                              # ubuntu
    chkconfig sshd off && yum erase openssh-server             # fedora
2. Force the use of SSH protocol 2, because SSH-1 is vulnerable (man-in-the-middle attacks)
    in /etc/ssh/sshd_config add the line: Protocol 2
3. Limit root or users' SSH access
    in /etc/ssh/sshd_config
    find & modify the line: AllowUsers root assem
    or find & modify the line: DenyUsers omar zaki ali-baba
    or find & modify the line: PermitRootLogin no
    or create /etc/nologin
4. Enable a warning banner
    in /etc/ssh/sshd_config add the line: Banner /etc/issue
.. Best SSH tricks 5
1. Change SSH port
    in /etc/ssh/sshd_config find & modify the line: Port 300
2. Deny empty passwords
    in /etc/ssh/sshd_config find & modify the line: PermitEmptyPasswords no
3. Use SSH as an Internet Proxy
    Google it!
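An added example, not from the original slides: a small audit of the sshd_config settings recommended in Best SSH tricks 4 and 5 (Protocol, PermitRootLogin, AllowUsers/DenyUsers, PermitEmptyPasswords), run over two constructed configuration files. The function name and the FAIL line format are assumptions of this example.

```shell
#!/bin/sh
# Added example. Both configuration files below are constructed samples.

# audit_sshd_config FILE
# Prints one "FAIL <keyword>: <reason>" line per finding; prints nothing when
# the global section follows the settings recommended on the slides.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*|[ \t]+/, " ", line)   # "Keyword value" or "Keyword=value"
            split(line, f, " ")
            k = tolower(f[1])                        # keywords are case-insensitive
            if (k == "match") exit                   # audit the global section only
            if (!(k in val)) val[k] = tolower(f[2])  # the first value read is the one used
        }
        END {
            if (val["protocol"] ~ /1/)
                print "FAIL protocol: SSH-1 is still offered"
            if (val["permitrootlogin"] != "no")
                print "FAIL permitrootlogin: root login is not set to no"
            if (val["permitemptypasswords"] == "yes")
                print "FAIL permitemptypasswords: empty passwords are accepted"
            if (!("allowusers" in val) && !("denyusers" in val))
                print "FAIL allowusers: no AllowUsers or DenyUsers line limits accounts"
        }
    ' "$1"
}

WEAK=$(mktemp)
HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

cat > "$WEAK" <<'EOF'
# constructed sample: weak settings
Port 22
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
EOF

cat > "$HARDENED" <<'EOF'
# constructed sample: the lines the slides ask for
Port 300
Protocol 2
PermitRootLogin no
AllowUsers assem
PermitEmptyPasswords no
Banner /etc/issue
EOF

echo "weak sample:";     audit_sshd_config "$WEAK"
echo "hardened sample:"; audit_sshd_config "$HARDENED"
```

On a live server, save the output of sshd -T to a file and audit that instead of /etc/ssh/sshd_config, so that the effective settings are checked.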
.. Thwart SSH Crackers
- DenyHosts
- Fail2ban
- security/sshguard
- security/sshblock
.. SSH via Proxy!
Proxy Problem!
/etc/ssh/ssh_config
    Host *
        ProxyCommand connect -H 10.0.0.1:80 %h %p
.. forwarding over SSH
Agent forwarding
    ssh -A trustedhost    (your private keys can be stolen)
X11 forwarding
    ssh -X user@host firefox
    ssh -Y user@host
Port forwarding
    ssh -L8000:anotherhost:80 somehost
.. Tunneling types
- LocalForward
- RemoteForward
- DynamicForward
- ProxyCommand
- ForwardX11/ForwardX11Trusted
- Tunnel
- ControlMaster
.. Security
- ssh-agent
- X11
- GatewayPorts
- MITM
- SSH-1.99
- SSH timing attack
Appendix
.. Questions
Questions?
Appendix For Further Reading
.. For Further Reading I
SSH tips, tricks & protocol tutorial. Damien Miller, AUUG Winter 2002.
25 Best SSH Commands / Tricks. http://www.newitperson.com/2012/01/25-ssh-commands-tricks/
SSH manpage